@westbayberry/dg 1.1.5 → 1.2.1

package/dist/index.mjs

@@ -910,15 +910,15 @@ var require_route = __commonJS({
       };
     }
     function wrapConversion(toModel, graph) {
-      const path2 = [graph[toModel].parent, toModel];
+      const path = [graph[toModel].parent, toModel];
       let fn = conversions[graph[toModel].parent][toModel];
       let cur = graph[toModel].parent;
       while (graph[cur].parent) {
-        path2.unshift(graph[cur].parent);
+        path.unshift(graph[cur].parent);
         fn = link2(conversions[graph[cur].parent][cur], fn);
         cur = graph[cur].parent;
       }
-      fn.conversion = path2;
+      fn.conversion = path;
       return fn;
     }
     module.exports = function(fromModel) {
@@ -1590,8 +1590,8 @@ var require_source = __commonJS({
 // src/telemetry.ts
 import { platform, arch } from "node:os";
 function telemetryEnabled() {
-  if (process.env.DG_TELEMETRY === "0") return false;
   if (process.env.DO_NOT_TRACK === "1") return false;
+  if (process.env.DG_TELEMETRY === "0") return false;
   return true;
 }
 function classifyError(err) {
@@ -1894,6 +1894,7 @@ __export(auth_exports, {
   pollAuthSession: () => pollAuthSession,
   preflightAuthCheck: () => preflightAuthCheck,
   readTermsAcceptedAt: () => readTermsAcceptedAt,
+  recordScanCapReached: () => recordScanCapReached,
   recordScanNoticeShown: () => recordScanNoticeShown,
   saveCredentials: () => saveCredentials,
   saveCredentialsFromToken: () => saveCredentialsFromToken,
@@ -2004,17 +2005,17 @@ function ensureConfigDir() {
     mkdirSync(dir, { recursive: true, mode: 448 });
   }
 }
-function ensureConfigPerms(path2) {
+function ensureConfigPerms(path) {
   let st;
   try {
-    st = lstatSync(path2);
+    st = lstatSync(path);
   } catch {
     return;
   }
   if (!st || typeof st.isSymbolicLink !== "function") return;
   if (st.isSymbolicLink()) {
     process.stderr.write(
-      `Warning: ${path2} is a symlink; refusing to chmod (would affect the symlink target). Replace with a regular file to enforce 0o600.
+      `Warning: ${path} is a symlink; refusing to chmod (would affect the symlink target). Replace with a regular file to enforce 0o600.
 `
     );
     return;
@@ -2023,12 +2024,12 @@ function ensureConfigPerms(path2) {
   const mode = (st.mode ?? 384) & 511;
   if (mode === 384) return;
   process.stderr.write(
-    `Warning: ${path2} has perms 0o${mode.toString(8)} (expected 0o600); re-tightening.
+    `Warning: ${path} has perms 0o${mode.toString(8)} (expected 0o600); re-tightening.
 `
   );
   let fd;
   try {
-    fd = openSync(path2, fsConstants.O_RDONLY | fsConstants.O_NOFOLLOW);
+    fd = openSync(path, fsConstants.O_RDONLY | fsConstants.O_NOFOLLOW);
     fchmodSync(fd, 384);
   } catch {
   } finally {
@@ -2185,11 +2186,11 @@ async function fetchCliPolicy(opts) {
     return null;
   }
 }
-async function postCliEvent(path2, body, apiUrl, apiKey, timeoutMs = 3e3) {
+async function postCliEvent(path, body, apiUrl, apiKey, timeoutMs = 3e3) {
   try {
     const ctrl = new AbortController();
     const timer = setTimeout(() => ctrl.abort(), timeoutMs);
-    await globalThis.fetch(`${apiUrl}${path2}`, {
+    await globalThis.fetch(`${apiUrl}${path}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -2263,9 +2264,9 @@ function authStatusCachePath() {
 }
 function readCachedAuthStatus() {
   try {
-    const path2 = authStatusCachePath();
-    if (!existsSync(path2)) return null;
-    const raw = readFileSync(path2, "utf-8");
+    const path = authStatusCachePath();
+    if (!existsSync(path)) return null;
+    const raw = readFileSync(path, "utf-8");
     const cached = JSON.parse(raw);
     if (typeof cached.fetchedAt !== "number") return null;
     if (Date.now() - cached.fetchedAt > AUTH_STATUS_TTL_MS) return null;
@@ -2276,25 +2277,35 @@ function readCachedAuthStatus() {
 }
 function writeCachedAuthStatus(status) {
   try {
-    const path2 = authStatusCachePath();
-    const dir = dirname(path2);
+    const path = authStatusCachePath();
+    const dir = dirname(path);
     if (!existsSync(dir)) mkdirSync(dir, { recursive: true, mode: 448 });
-    writeFileSync(path2, JSON.stringify(status), { mode: 384 });
+    writeFileSync(path, JSON.stringify(status), { mode: 384 });
   } catch {
   }
 }
+function recordScanCapReached(scansUsed, maxScans, reason) {
+  writeCachedAuthStatus({
+    authenticated: !!getStoredApiKey(),
+    freeTierCapReached: true,
+    scansUsed,
+    scansLimit: maxScans,
+    capReason: reason,
+    fetchedAt: Date.now()
+  });
+}
 async function preflightAuthCheck(apiUrl) {
   if (process.env.DG_SIMULATE_FREE_CAP_REACHED === "1") {
     throw new PreflightFreeCapReachedError(5, 5);
   }
+  const apiKey = getStoredApiKey();
   const cached = readCachedAuthStatus();
-  if (cached) {
+  if (cached && cached.authenticated === !!apiKey) {
     if (cached.freeTierCapReached) {
       throw new PreflightFreeCapReachedError(cached.scansUsed, cached.scansLimit ?? cached.scansUsed, cached.capReason ?? "monthly_limit");
     }
     return cached;
   }
-  const apiKey = getStoredApiKey();
   const headers = {};
   if (apiKey) {
     headers["Authorization"] = `Bearer ${apiKey}`;
@@ -2324,17 +2335,17 @@ async function preflightAuthCheck(apiUrl) {
     } catch {
     }
     if (body.freeTierCapReached) {
-      const capReason = body.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
+      const capReason2 = body.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
       const status2 = {
         authenticated: !!apiKey,
         freeTierCapReached: true,
         scansUsed: body.scansUsed ?? 0,
         scansLimit: body.maxScans ?? 0,
-        capReason,
+        capReason: capReason2,
         fetchedAt: Date.now()
       };
       writeCachedAuthStatus(status2);
-      throw new PreflightFreeCapReachedError(status2.scansUsed, status2.scansLimit ?? 0, capReason);
+      throw new PreflightFreeCapReachedError(status2.scansUsed, status2.scansLimit ?? 0, capReason2);
     }
   }
   if (!resp.ok) {
@@ -2352,25 +2363,27 @@ async function preflightAuthCheck(apiUrl) {
     data = await resp.json();
   } catch {
   }
+  const capReason = data.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
   const status = {
     authenticated: !!apiKey,
     freeTierCapReached: !!data.freeTierCapReached,
     scansUsed: data.scansUsed ?? 0,
     scansLimit: data.scansLimit ?? null,
+    capReason,
     tier: data.tier,
     name: data.name,
     fetchedAt: Date.now()
   };
   writeCachedAuthStatus(status);
   if (status.freeTierCapReached) {
-    throw new PreflightFreeCapReachedError(status.scansUsed, status.scansLimit ?? 0);
+    throw new PreflightFreeCapReachedError(status.scansUsed, status.scansLimit ?? 0, capReason);
   }
   return status;
 }
 function clearAuthStatusCache() {
   try {
-    const path2 = authStatusCachePath();
-    if (existsSync(path2)) unlinkSync(path2);
+    const path = authStatusCachePath();
+    if (existsSync(path)) unlinkSync(path);
   } catch {
   }
 }
@@ -2816,7 +2829,7 @@ var init_config = __esm({
     DG_DEBUG=1               Enable debug output
     DG_QUIET=1               Same as passing --quiet
     DG_WORKSPACE             Workspace subdirectory to scan
-    DG_TELEMETRY=1           Opt in to anonymous crash reports (off by default)
+    DG_TELEMETRY=0           Opt out of anonymous crash reports (on by default; DO_NOT_TRACK=1 also opts out)
     DG_FORCE_POSTINSTALL=1   Force postinstall to run even outside a TTY
                              (useful for re-running setup manually)
     DG_NO_RC_EDIT=1          Postinstall installs shims but does not edit
@@ -2865,23 +2878,23 @@ function cacheFile() {
   return dgCachePath("update-check.json");
 }
 function readCache() {
-  const path2 = cacheFile();
+  const path = cacheFile();
   let stat = null;
   try {
-    stat = lstatSync2(path2, { throwIfNoEntry: false }) ?? null;
+    stat = lstatSync2(path, { throwIfNoEntry: false }) ?? null;
   } catch {
     return null;
   }
   if (!stat) return null;
   if (!stat.isFile() || stat.size > MAX_CACHE_BYTES) {
     try {
-      unlinkSync2(path2);
+      unlinkSync2(path);
     } catch {
     }
     return null;
   }
   try {
-    const raw = readFileSync3(path2, "utf-8");
+    const raw = readFileSync3(path, "utf-8");
     const data = JSON.parse(raw);
     if (typeof data.latest === "string" && typeof data.checkedAt === "number") {
       return data;
@@ -2892,14 +2905,14 @@ function readCache() {
 }
 function writeCache(entry) {
   try {
-    const path2 = cacheFile();
-    const parent = dirname3(path2);
+    const path = cacheFile();
+    const parent = dirname3(path);
     if (!existsSync3(parent)) mkdirSync2(parent, { recursive: true, mode: 448 });
     const serialized = JSON.stringify(entry);
     if (serialized.length > MAX_CACHE_BYTES) return;
-    writeFileSync2(path2, serialized, { encoding: "utf-8", mode: 384 });
+    writeFileSync2(path, serialized, { encoding: "utf-8", mode: 384 });
     try {
-      chmodSync2(path2, 384);
+      chmodSync2(path, 384);
     } catch {
     }
   } catch {
@@ -3050,17 +3063,17 @@ function ensureUnderHome(target) {
     throw new UnsafePathError(`refusing to operate on path outside $HOME: ${target}`, target);
   }
 }
-function lstatNoSymlink(path2) {
+function lstatNoSymlink(path) {
   let st;
   try {
-    st = lstatSync3(path2);
+    st = lstatSync3(path);
   } catch (e) {
     const code = e.code;
     if (code === "ENOENT") return;
     throw e;
   }
   if (st.isSymbolicLink()) {
-    throw new UnsafePathError(`refusing: ${path2} is a symlink`, path2);
+    throw new UnsafePathError(`refusing: ${path} is a symlink`, path);
   }
 }
 function safeMkdirRecursive(target, mode = 493) {
@@ -3090,9 +3103,9 @@ function atomicWriteFile(target, content, mode = 420) {
   writeFileSync3(tmp, content, { mode });
   renameSync(tmp, target);
 }
-function isExecutable(path2) {
+function isExecutable(path) {
   try {
-    const st = statSync(path2);
+    const st = statSync(path);
     return st.isFile() && (st.mode & 73) !== 0;
   } catch {
     return false;
@@ -3117,9 +3130,9 @@ var init_safe_fs = __esm({
   "src/shims/safe-fs.ts"() {
     "use strict";
     UnsafePathError = class extends Error {
-      constructor(message, path2) {
+      constructor(message, path) {
         super(message);
-        this.path = path2;
+        this.path = path;
         this.name = "UnsafePathError";
       }
     };
@@ -3151,16 +3164,29 @@ var init_templates = __esm({
       "mamba"
     ];
     UNIX_SHIM_BODY = `#!/bin/sh
+nonce=$(cat "$HOME/.dg/state/shim-nonce" 2>/dev/null)
 if [ -n "\${DG_SHIM_ACTIVE:-}" ]; then
   cleaned_path=$(printf '%s' "$PATH" | awk -v RS=':' -v ORS=':' '$0 != ENVIRON["HOME"]"/.dg/shims"' | sed 's/:$//')
-  real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
-  if [ -n "$real_bin" ]; then
-    exec "$real_bin" "$@"
+  # Only honor DG_SHIM_ACTIVE as the recursion guard when it equals the
+  # on-disk nonce \u2014 that is the value our own wrapper sets before running the
+  # real installer. A non-matching value was set outside dg (stale or a
+  # bypass attempt) and must NOT skip scanning.
+  if [ -n "$nonce" ] && [ "$DG_SHIM_ACTIVE" = "$nonce" ]; then
+    real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
+    if [ -n "$real_bin" ]; then
+      exec "$real_bin" "$@"
+    fi
+    echo "dg: real __ECOSYSTEM__ not found on PATH" >&2
+    exit 127
+  fi
+  if [ -z "$nonce" ]; then
+    echo "dg: shim nonce missing (reinstall dg) \u2014 cannot verify; passing through __ECOSYSTEM__ UNSCANNED." >&2
+    real_bin=$(PATH="$cleaned_path" command -v __ECOSYSTEM__)
+    if [ -n "$real_bin" ]; then exec "$real_bin" "$@"; fi
+    exit 127
   fi
-  echo "dg: real __ECOSYSTEM__ not found on PATH" >&2
-  exit 127
+  echo "dg: ignoring externally-set DG_SHIM_ACTIVE (nonce mismatch); scanning __ECOSYSTEM__." >&2
 fi
-nonce=$(cat "$HOME/.dg/state/shim-nonce" 2>/dev/null)
 dg_entry=$(cat "$HOME/.dg/state/dg-entry" 2>/dev/null)
 if [ -n "$dg_entry" ] && [ -x "$dg_entry" ]; then
   DG_SHIM_ACTIVE="$nonce" DG_SHIM_PARENT_PATH="$PATH" exec "$dg_entry" __wrap __ECOSYSTEM__ "$@"
@@ -3180,6 +3206,8 @@ exit 127
 `;
     WINDOWS_SHIM_BODY = `@echo off
 setlocal enabledelayedexpansion
+set "DG_SHIM_NONCE="
+if exist "%USERPROFILE%\\.dg\\state\\shim-nonce" set /p DG_SHIM_NONCE=<"%USERPROFILE%\\.dg\\state\\shim-nonce"
 if not "%DG_SHIM_ACTIVE%"=="" (
   set "_dg_realpath="
   for /f "tokens=*" %%i in ('where __ECOSYSTEM__ 2^>nul') do (
@@ -3187,15 +3215,25 @@ if not "%DG_SHIM_ACTIVE%"=="" (
       if not defined _dg_realpath set "_dg_realpath=%%i"
     )
   )
-  if defined _dg_realpath (
-    "!_dg_realpath!" %*
-    exit /b !errorlevel!
+  rem Only honor DG_SHIM_ACTIVE as the recursion guard when it equals the nonce.
+  if "%DG_SHIM_ACTIVE%"=="!DG_SHIM_NONCE!" (
+    if defined _dg_realpath (
+      "!_dg_realpath!" %*
+      exit /b !errorlevel!
+    )
+    echo dg: real __ECOSYSTEM__ not found on PATH 1>&2
+    exit /b 127
   )
-  echo dg: real __ECOSYSTEM__ not found on PATH 1>&2
-  exit /b 127
+  if "!DG_SHIM_NONCE!"=="" (
+    echo dg: shim nonce missing ^(reinstall dg^) -- passing through __ECOSYSTEM__ UNSCANNED. 1>&2
+    if defined _dg_realpath (
+      "!_dg_realpath!" %*
+      exit /b !errorlevel!
+    )
+    exit /b 127
+  )
+  echo dg: ignoring externally-set DG_SHIM_ACTIVE ^(nonce mismatch^); scanning __ECOSYSTEM__. 1>&2
 )
-set "DG_SHIM_NONCE="
-if exist "%USERPROFILE%\\.dg\\state\\shim-nonce" set /p DG_SHIM_NONCE=<"%USERPROFILE%\\.dg\\state\\shim-nonce"
 set "DG_ENTRY="
 if exist "%USERPROFILE%\\.dg\\state\\dg-entry" set /p DG_ENTRY=<"%USERPROFILE%\\.dg\\state\\dg-entry"
 set "DG_SHIM_ACTIVE=!DG_SHIM_NONCE!"
@@ -3237,9 +3275,9 @@ exit /b 127
 import { homedir as homedir3 } from "node:os";
 import { join as join3 } from "node:path";
 import { existsSync as existsSync5, readFileSync as readFileSync4, lstatSync as lstatSync4, appendFileSync, writeFileSync as writeFileSync4 } from "node:fs";
-function expandHome(path2) {
-  if (path2.startsWith("~/")) return join3(homedir3(), path2.slice(2));
-  return path2;
+function expandHome(path) {
+  if (path.startsWith("~/")) return join3(homedir3(), path.slice(2));
+  return path;
 }
 function detectShellKind(envShell) {
   const s = (envShell ?? "").toLowerCase();
@@ -3463,6 +3501,7 @@ var init_resolve = __esm({
 var install_exports = {};
 __export(install_exports, {
   bypassLogPath: () => bypassLogPath,
+  childInstallEnv: () => childInstallEnv,
   currentDgEntry: () => currentDgEntry,
   dgShimDir: () => dgShimDir,
   ensureDgEntryRecorded: () => ensureDgEntryRecorded,
@@ -3509,15 +3548,15 @@ function ensureDgEntryRecorded(targetHome = homedir5()) {
   try {
     const entry = currentDgEntry();
     if (!entry) return;
-    const path2 = dgEntryStatePath(targetHome);
+    const path = dgEntryStatePath(targetHome);
     let existing = null;
     try {
-      existing = readFileSync6(path2, "utf-8").trim();
+      existing = readFileSync6(path, "utf-8").trim();
     } catch {
     }
     if (existing === entry) return;
-    safeMkdirRecursive(dirname5(path2), 493);
-    safeWriteFile(path2, entry + "\n", 420);
+    safeMkdirRecursive(dirname5(path), 493);
+    safeWriteFile(path, entry + "\n", 420);
   } catch {
   }
 }
@@ -3529,11 +3568,21 @@ function readNonce() {
     return null;
   }
 }
-function chownIfNeeded(path2, uid, gid) {
+function childInstallEnv() {
+  const env3 = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (k.startsWith("DG_")) continue;
+    env3[k] = v;
+  }
+  const nonce = readNonce();
+  if (nonce) env3.DG_SHIM_ACTIVE = nonce;
+  return env3;
+}
+function chownIfNeeded(path, uid, gid) {
   if (uid === void 0 || gid === void 0) return;
   if (process.platform === "win32") return;
   try {
-    chownSync(path2, uid, gid);
+    chownSync(path, uid, gid);
   } catch {
   }
 }
@@ -28803,10 +28852,10 @@ var require_react_reconciler_development = __commonJS({
         var setErrorHandler = null;
         var setSuspenseHandler = null;
         {
-          var copyWithDeleteImpl = function(obj, path2, index2) {
-            var key = path2[index2];
+          var copyWithDeleteImpl = function(obj, path, index2) {
+            var key = path[index2];
             var updated = isArray(obj) ? obj.slice() : assign({}, obj);
-            if (index2 + 1 === path2.length) {
+            if (index2 + 1 === path.length) {
               if (isArray(updated)) {
                 updated.splice(key, 1);
               } else {
@@ -28814,11 +28863,11 @@ var require_react_reconciler_development = __commonJS({
               }
               return updated;
             }
-            updated[key] = copyWithDeleteImpl(obj[key], path2, index2 + 1);
+            updated[key] = copyWithDeleteImpl(obj[key], path, index2 + 1);
             return updated;
           };
-          var copyWithDelete = function(obj, path2) {
-            return copyWithDeleteImpl(obj, path2, 0);
+          var copyWithDelete = function(obj, path) {
+            return copyWithDeleteImpl(obj, path, 0);
           };
           var copyWithRenameImpl = function(obj, oldPath, newPath, index2) {
             var oldKey = oldPath[index2];
@@ -28856,17 +28905,17 @@ var require_react_reconciler_development = __commonJS({
             }
             return copyWithRenameImpl(obj, oldPath, newPath, 0);
           };
-          var copyWithSetImpl = function(obj, path2, index2, value) {
-            if (index2 >= path2.length) {
+          var copyWithSetImpl = function(obj, path, index2, value) {
+            if (index2 >= path.length) {
               return value;
             }
-            var key = path2[index2];
+            var key = path[index2];
             var updated = isArray(obj) ? obj.slice() : assign({}, obj);
-            updated[key] = copyWithSetImpl(obj[key], path2, index2 + 1, value);
+            updated[key] = copyWithSetImpl(obj[key], path, index2 + 1, value);
             return updated;
           };
-          var copyWithSet = function(obj, path2, value) {
-            return copyWithSetImpl(obj, path2, 0, value);
+          var copyWithSet = function(obj, path, value) {
+            return copyWithSetImpl(obj, path, 0, value);
           };
           var findHook = function(fiber, id) {
             var currentHook2 = fiber.memoizedState;
@@ -28876,10 +28925,10 @@ var require_react_reconciler_development = __commonJS({
             }
             return currentHook2;
           };
-          overrideHookState = function(fiber, id, path2, value) {
+          overrideHookState = function(fiber, id, path, value) {
             var hook = findHook(fiber, id);
             if (hook !== null) {
-              var newState = copyWithSet(hook.memoizedState, path2, value);
+              var newState = copyWithSet(hook.memoizedState, path, value);
               hook.memoizedState = newState;
               hook.baseState = newState;
               fiber.memoizedProps = assign({}, fiber.memoizedProps);
@@ -28889,10 +28938,10 @@ var require_react_reconciler_development = __commonJS({
               }
             }
           };
-          overrideHookStateDeletePath = function(fiber, id, path2) {
+          overrideHookStateDeletePath = function(fiber, id, path) {
             var hook = findHook(fiber, id);
             if (hook !== null) {
-              var newState = copyWithDelete(hook.memoizedState, path2);
+              var newState = copyWithDelete(hook.memoizedState, path);
               hook.memoizedState = newState;
               hook.baseState = newState;
               fiber.memoizedProps = assign({}, fiber.memoizedProps);
@@ -28915,8 +28964,8 @@ var require_react_reconciler_development = __commonJS({
               }
             }
           };
-          overrideProps = function(fiber, path2, value) {
-            fiber.pendingProps = copyWithSet(fiber.memoizedProps, path2, value);
+          overrideProps = function(fiber, path, value) {
+            fiber.pendingProps = copyWithSet(fiber.memoizedProps, path, value);
             if (fiber.alternate) {
               fiber.alternate.pendingProps = fiber.pendingProps;
             }
@@ -28925,8 +28974,8 @@ var require_react_reconciler_development = __commonJS({
               scheduleUpdateOnFiber(root, fiber, SyncLane, NoTimestamp);
             }
           };
-          overridePropsDeletePath = function(fiber, path2) {
-            fiber.pendingProps = copyWithDelete(fiber.memoizedProps, path2);
+          overridePropsDeletePath = function(fiber, path) {
+            fiber.pendingProps = copyWithDelete(fiber.memoizedProps, path);
             if (fiber.alternate) {
               fiber.alternate.pendingProps = fiber.pendingProps;
             }
@@ -36994,8 +37043,8 @@ var init_ErrorOverview = __esm({
     init_dist3();
     init_Box();
     init_Text();
-    cleanupPath = (path2) => {
-      return path2?.replace(`file://${cwd()}/`, "");
+    cleanupPath = (path) => {
+      return path?.replace(`file://${cwd()}/`, "");
     };
     stackUtils = new import_stack_utils.default({
       cwd: cwd(),
@@ -41664,18 +41713,19 @@ async function readNdjsonAnalyzeResponse(response, onPackageProgress) {
   }
   buf += decoder.decode();
   if (buf.trim()) processLine(buf);
-  if (!finalPayload) {
+  const payload = finalPayload;
+  if (!payload) {
     throw new APIError(
       "Streaming response ended without a result event",
       0,
       ""
     );
   }
-  if (typeof finalPayload.score !== "number" || !Array.isArray(finalPayload.packages)) {
+  if (typeof payload.score !== "number" || !Array.isArray(payload.packages)) {
     throw new APIError("Invalid streamed result payload", 0, "");
   }
-  checkVersionFloor(finalPayload);
-  return sanitizeResponse(finalPayload);
+  checkVersionFloor(payload);
+  return sanitizeResponse(payload);
 }
 async function callPyPIAnalyzeAPI(packages, config, onProgress) {
   const batchSize = config.apiKey ? BATCH_SIZE : ANON_BATCH_SIZE;
@@ -41992,9 +42042,9 @@ function parseLockfile(content) {
   const lockfileVersion = json.lockfileVersion ?? 1;
   const packages = /* @__PURE__ */ new Map();
   if (lockfileVersion >= 2 && json.packages) {
-    for (const [path2, entry] of Object.entries(json.packages)) {
-      if (path2 === "") continue;
-      const pathName = extractPackageName(path2);
+    for (const [path, entry] of Object.entries(json.packages)) {
+      if (path === "") continue;
+      const pathName = extractPackageName(path);
       if (!pathName) continue;
       const e = entry;
       const entryName = typeof e.name === "string" && e.name.length > 0 ? e.name : void 0;
@@ -42266,12 +42316,12 @@ var init_parse_package_json = __esm({
 // src/lockfile/index.ts
 import { readFileSync as readFileSync8, existsSync as existsSync11, statSync as statSync3 } from "node:fs";
 import { join as join6 } from "node:path";
-function readFileSafe(path2) {
-  const size = statSync3(path2).size;
+function readFileSafe(path) {
+  const size = statSync3(path).size;
   if (size > MAX_LOCKFILE_BYTES) {
-    throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path2}`);
+    throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path}`);
   }
-  return readFileSync8(path2, "utf-8");
+  return readFileSync8(path, "utf-8");
 }
 function discoverChanges(cwd2, config) {
   if (config.workspace) {
@@ -42537,6 +42587,12 @@ var init_lockfile = __esm({
 });
 
 // src/commands/wrapper-shared.ts
+function injectIgnoreScripts(args, opts) {
+  if (!opts.isNpmFamily) return args;
+  if (!(opts.strict || opts.dgNoScripts)) return args;
+  if (args.includes("--ignore-scripts")) return args;
+  return [...args, "--ignore-scripts"];
+}
 function stripDgFlags(args) {
   let dgForce = false;
   let dgForceReason;
@@ -42619,9 +42675,7 @@ function realNpmBinary() {
   return real;
 }
 function shimSentinelEnv() {
-  const nonce = readNonce();
-  if (!nonce) return process.env;
-  return { ...process.env, DG_SHIM_ACTIVE: nonce };
+  return childInstallEnv();
 }
 function parseNpmArgs(args) {
   const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
@@ -42889,9 +42943,9 @@ function readLockfilePins(cwd2) {
       ...Object.keys(root.optionalDependencies ?? {}),
       ...Object.keys(root.peerDependencies ?? {})
     ]);
-    for (const [path2, entry] of Object.entries(lock.packages ?? {})) {
-      if (path2 === "") continue;
-      const m = path2.match(/^node_modules\/((?:@[^/]+\/)?[^/]+)$/);
+    for (const [path, entry] of Object.entries(lock.packages ?? {})) {
+      if (path === "") continue;
+      const m = path.match(/^node_modules\/((?:@[^/]+\/)?[^/]+)$/);
       if (!m) continue;
       const name = m[1];
       if (!directDeps.has(name)) continue;
@@ -43067,6 +43121,22 @@ function parsePipSpec(spec) {
     versionSpec: match[2] ?? null
   };
 }
+function pinPipArgs(rawArgs, userSpecs, resolved) {
+  const specNames = new Set(userSpecs.map((s) => parsePipSpec(s).name.toLowerCase()));
+  const pinByName = /* @__PURE__ */ new Map();
+  for (const p of resolved) {
+    const key = p.name.toLowerCase();
+    if (specNames.has(key) && !pinByName.has(key)) {
+      pinByName.set(key, `${p.name}==${p.version}`);
+    }
+  }
+  const specSet = new Set(userSpecs);
+  return rawArgs.map((a) => {
+    if (!specSet.has(a)) return a;
+    const { name } = parsePipSpec(a);
+    return pinByName.get(name.toLowerCase()) ?? a;
+  });
+}
 async function resolvePipVersion(spec) {
   const { name, versionSpec } = parsePipSpec(spec);
   if (versionSpec?.startsWith("==")) {
@@ -43128,9 +43198,7 @@ async function resolvePackages2(specs) {
   return { resolved, failed };
 }
 function shimSentinelEnv2() {
-  const nonce = readNonce();
-  if (!nonce) return process.env;
-  return { ...process.env, DG_SHIM_ACTIVE: nonce };
+  return childInstallEnv();
 }
 async function detectPipBinary() {
   const py3 = walkPathExcludingShimDir("python3");
@@ -43333,6 +43401,153 @@ var init_pip_wrapper = __esm({
   }
 });
 
+// src/wrapper/route.ts
+function routeVerdict(input) {
+  const { verdict, mode, strict, dgForce } = input;
+  const refuseHard = mode === "block" || strict;
+  const refuseWarn = strict;
+  const D = (outcome, refuseExitCode, extra) => ({
+    verdict,
+    outcome,
+    refuseExitCode,
+    bypassed: false,
+    ...extra
+  });
+  if (verdict === "free_cap") return D("refuse", 1);
+  if (verdict === "pass") return D("install", 0);
+  if (dgForce && (verdict === "warn" || verdict === "block")) {
+    return D("install", 0, { audit: "override", bypassed: true });
+  }
+  switch (verdict) {
+    case "warn":
+      if (mode === "off") return D("install", 0);
+      if (refuseWarn) return D("refuse", 1);
+      return D("prompt", 1);
+    // warn/block mode → prompt; decline → 1
+    case "block":
+      if (mode === "off") return D("install", 0);
+      return D("refuse", 2, { audit: "block" });
+    case "analysis_incomplete":
+      if (dgForce) return D("install", 0, { bypassed: true });
+      if (refuseHard) return D("refuse", 4);
+      return D("install", 0);
+    // off/warn → install with a "could not verify" notice
+    case "scan_failed":
+    case "tree_failed":
+      if (dgForce) return D("install", 0, { bypassed: true });
+      if (refuseHard) return D("refuse", 2);
+      return D("install", 0);
+    // best-effort under off/warn
+    case "resolve_failed":
+      if (dgForce) return D("passthrough", 0, { bypassed: true });
+      if (refuseHard) return D("refuse", 2);
+      return D("passthrough", 0);
+    // nothing resolved to scan → hand off to the installer
+    default: {
+      const _never = verdict;
+      void _never;
+      return D(refuseHard ? "refuse" : "install", refuseHard ? 4 : 0);
+    }
+  }
+}
+var init_route = __esm({
+  "src/wrapper/route.ts"() {
+    "use strict";
+  }
+});
+
+// src/wrapper/run.ts
+function verdictFromResult(result, gates = {}) {
+  if (gates.scanFailed) return "scan_failed";
+  if (gates.treeFailed) return "tree_failed";
+  if (gates.resolveFailed) return "resolve_failed";
+  const action = result?.action;
+  if (action === "pass" || action === "warn" || action === "block") return action;
+  return "analysis_incomplete";
+}
+function scanVerdictOf(decision) {
+  if (decision.bypassed && (decision.verdict === "warn" || decision.verdict === "block")) {
+    return "override";
+  }
+  switch (decision.verdict) {
+    case "pass":
+      return "pass";
+    case "warn":
+      return "warn";
+    case "block":
+      return "block";
+    case "analysis_incomplete":
+      return "analysis_incomplete";
+    case "scan_failed":
+    case "tree_failed":
+    case "resolve_failed":
+      return "scan_failed";
+    default:
+      return "skipped";
+  }
+}
+async function executeDecision(decision, ctx, presenter) {
+  await presenter.announce(decision, ctx);
+  if (decision.audit) {
+    await presenter.audit(decision.audit, ctx);
+  }
+  const scanVerdict = scanVerdictOf(decision);
+  const base = (installRan, installExitCode) => ({
+    scanVerdict,
+    installRan,
+    installExitCode,
+    error: ctx.error,
+    suppressedByAllowlist: ctx.suppressedCount > 0 ? ctx.suppressedCount : void 0
+  });
+  switch (decision.outcome) {
+    case "refuse":
+      presenter.emit(base(false, null));
+      return decision.refuseExitCode;
+    case "install": {
+      const code = await presenter.runInstall(ctx.installArgs);
+      presenter.emit(base(true, code));
+      return code;
+    }
+    case "passthrough": {
+      const code = await presenter.runInstall(ctx.passthroughArgs);
+      presenter.emit(base(true, code));
+      return code;
+    }
+    case "prompt": {
+      const proceed = await presenter.confirmProceed(ctx);
+      if (!proceed) {
+        presenter.emit(base(false, null));
+        return decision.refuseExitCode;
+      }
+      if (presenter.onPromptAccepted) await presenter.onPromptAccepted(ctx);
+      const code = await presenter.runInstall(ctx.installArgs);
+      presenter.emit(base(true, code));
+      return code;
+    }
+    default: {
+      const _never = decision.outcome;
+      void _never;
+      return 1;
+    }
+  }
+}
+var init_run = __esm({
+  "src/wrapper/run.ts"() {
+    "use strict";
+  }
+});
+
+// src/wrapper/json.ts
+function emitWrapperJson(config, result) {
+  if (!config.json) return;
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
+var init_json = __esm({
+  "src/wrapper/json.ts"() {
+    "use strict";
+  }
+});
+
 // src/security/artifact_integrity.ts
 function normalize(h, algo) {
   if (!h) return void 0;
@@ -43427,16 +43642,16 @@ function collectNpmLockSha512Hashes(packageLock) {
   const root = packageLock;
   const packages = root["packages"];
   if (packages && typeof packages === "object") {
-    for (const [path2, raw] of Object.entries(packages)) {
-      if (path2 === "") continue;
+    for (const [path, raw] of Object.entries(packages)) {
+      if (path === "") continue;
       if (!raw || typeof raw !== "object") continue;
       const entry = raw;
       const version = typeof entry.version === "string" ? entry.version : void 0;
       const integrity = typeof entry.integrity === "string" ? entry.integrity : void 0;
       if (!version || !integrity) continue;
-      const idx = path2.lastIndexOf("node_modules/");
+      const idx = path.lastIndexOf("node_modules/");
       if (idx < 0) continue;
-      const name = path2.slice(idx + "node_modules/".length);
+      const name = path.slice(idx + "node_modules/".length);
       if (!name) continue;
       const hex = npmIntegrityToSha512Hex(integrity);
       if (hex) out.set(`${name}@${version}`, hex);
@@ -43678,7 +43893,7 @@ var init_FileSavePrompt = __esm({
           return;
         }
         if ((key.backspace || key.delete) && !state.filterText) {
-          const parentDir = path.dirname(state.directory);
+          const parentDir = dirname8(state.directory);
           if (parentDir !== state.directory) {
             dispatch({ type: "SET_DIRECTORY", directory: parentDir, entries: listDirectory(parentDir) });
           }
@@ -43691,7 +43906,7 @@ var init_FileSavePrompt = __esm({
         if (key.return) {
           const entry = filteredEntries[state.browserCursor];
           if (!entry || !entry.isDirectory) return;
-          const newDir = entry.name === ".." ? path.dirname(state.directory) : path.join(state.directory, entry.name);
+          const newDir = entry.name === ".." ? dirname8(state.directory) : join8(state.directory, entry.name);
           dispatch({ type: "SET_DIRECTORY", directory: newDir, entries: listDirectory(newDir) });
           return;
         }
@@ -43967,9 +44182,9 @@ async function scanDir(dir, depth, _root) {
   }
   return { subdirs, lockfileHits };
 }
-async function isSafeRegularFile(path2) {
+async function isSafeRegularFile(path) {
   try {
-    const st = await lstat(path2);
+    const st = await lstat(path);
     return st.isFile() && !st.isSymbolicLink();
   } catch {
     return false;
@@ -44104,9 +44319,9 @@ function discoverProjectsConsolidated(projectPaths, config) {
   const seenPy = /* @__PURE__ */ new Set();
   const unparseable = [];
   let rawCount = 0;
-  for (const path2 of projectPaths) {
+  for (const path of projectPaths) {
     try {
-      const d = discoverChanges(path2, config);
+      const d = discoverChanges(path, config);
       for (const pkg of d.packages) {
         rawCount++;
         const key = `${pkg.name}@${pkg.version}`;
@@ -44122,7 +44337,7 @@ function discoverProjectsConsolidated(projectPaths, config) {
         pythonPackages.push(pkg);
       }
     } catch {
-      unparseable.push(path2);
+      unparseable.push(path);
     }
   }
   return {
@@ -44371,21 +44586,21 @@ function validateAllowlist(raw) {
   return { ok: true, allowlist: { schemaVersion: 1, rules, packages } };
 }
 function loadAllowlist(cwd2) {
-  const path2 = findAllowlistFile(cwd2);
-  if (!path2) return null;
+  const path = findAllowlistFile(cwd2);
+  if (!path) return null;
   let raw;
   try {
-    raw = JSON.parse(readFileSync10(path2, "utf-8"));
+    raw = JSON.parse(readFileSync10(path, "utf-8"));
   } catch (e) {
     process.stderr.write(
-      `dg: .dg-allowlist.json at ${path2} is not valid JSON (${e.message}). Ignoring.
+      `dg: .dg-allowlist.json at ${path} is not valid JSON (${e.message}). Ignoring.
 `
     );
     return null;
   }
   const validation = validateAllowlist(raw);
   if (!validation.ok) {
-    process.stderr.write(`dg: .dg-allowlist.json at ${path2} failed validation:
+    process.stderr.write(`dg: .dg-allowlist.json at ${path} failed validation:
 `);
     for (const err of validation.errors) {
       process.stderr.write(`  ${err.path}: ${err.message}
@@ -44395,7 +44610,7 @@ function loadAllowlist(cwd2) {
 `);
     return null;
   }
-  return { ...validation.allowlist, sourcePath: path2 };
+  return { ...validation.allowlist, sourcePath: path };
 }
 function findingRuleId(f) {
   return (f.category ?? f.title ?? "").toString();
@@ -44540,6 +44755,7 @@ function buildSarif(response, opts = {}) {
       });
     }
     const findings = pkg.findings ?? [];
+    let pkgResultCount = 0;
     for (const f of findings) {
       const id = findingId(f);
       const level = severityToLevel(f.severity);
@@ -44563,6 +44779,32 @@ function buildSarif(response, opts = {}) {
         }],
         partialFingerprints: { dg_finding: findingFingerprint(pkg, f) }
       });
+      pkgResultCount++;
+    }
+    if (pkgResultCount === 0 && (pkg.action === "block" || pkg.action === "warn")) {
+      const ruleId = pkg.action === "block" ? "dg.block" : "dg.warn";
+      const level = pkg.action === "block" ? "error" : "warning";
+      if (!ruleMap.has(ruleId)) {
+        ruleMap.set(ruleId, {
+          id: ruleId,
+          name: ruleId,
+          shortDescription: {
+            text: pkg.action === "block" ? "Package blocked by Dependency Guardian" : "Package flagged (warn) by Dependency Guardian"
+          },
+          defaultConfiguration: { level }
+        });
+      }
+      results.push({
+        ruleId,
+        level,
+        message: { text: `${pkg.name} ${pkg.version}: ${pkg.action} verdict from Dependency Guardian (no individual findings surfaced at this tier).` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: opts.lockfileUri ?? `dg:${pkg.name}@${pkg.version}` }
+          }
+        }],
+        partialFingerprints: { dg_finding: `${pkg.name}@${pkg.version}#${ruleId}`.slice(0, 240) }
+      });
     }
   }
   return {
@@ -44699,7 +44941,7 @@ function shouldFireAudit(policy, decisionAction) {
   return false;
 }
 function flagPackages(packages) {
-  return packages.filter((p) => p.score >= 60);
+  return packages.filter((p) => (p.action ?? "pass") !== "pass");
 }
 async function dispatchPublishCheckAudit(opts) {
   try {
@@ -44726,8 +44968,8 @@ function bypassLogPath2() {
 }
 function recordBypassLocally(record) {
   try {
-    const path2 = bypassLogPath2();
-    const dir = dirname10(path2);
+    const path = bypassLogPath2();
+    const dir = dirname10(path);
     if (!existsSync16(dir)) mkdirSync6(dir, { recursive: true, mode: 448 });
     const full = {
       ts: (/* @__PURE__ */ new Date()).toISOString(),
@@ -44738,7 +44980,7 @@ function recordBypassLocally(record) {
       reason: record.reason,
       packages: record.packages
     };
-    appendFileSync3(path2, JSON.stringify(full) + "\n", { mode: 384 });
+    appendFileSync3(path, JSON.stringify(full) + "\n", { mode: 384 });
   } catch {
   }
 }
@@ -44797,10 +45039,6 @@ function note(config, text) {
   if (config.quiet) return;
   process.stderr.write(text);
 }
-function emitWrapperJson(config, result) {
-  if (!config.json) return;
-  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
-}
 function wrapperPackagesFromResult(result, topLevelNames) {
   return result.packages.map((p) => ({
     name: p.name,
@@ -44811,13 +45049,13 @@ function wrapperPackagesFromResult(result, topLevelNames) {
   }));
 }
 function loadPackageLockJson(cwd2 = process.cwd()) {
-  const path2 = resolvePath(cwd2, "package-lock.json");
-  if (!existsSync17(path2)) return null;
+  const path = resolvePath(cwd2, "package-lock.json");
+  if (!existsSync17(path)) return null;
   try {
-    const st = lstatSync5(path2);
+    const st = lstatSync5(path);
     if (!st.isFile()) return null;
     if (st.size > MAX_PACKAGE_LOCK_BYTES) return null;
-    return JSON.parse(readFileSync11(path2, "utf8"));
+    return JSON.parse(readFileSync11(path, "utf8"));
   } catch {
     return null;
   }
@@ -44897,7 +45135,7 @@ function maybePrintFirstScanNotice(config) {
     if (getScanNoticeShownAt2() !== null) return;
     process.stderr.write(
       import_chalk5.default.dim(
-        "  Dependency Guardian sends package names + versions to api.westbayberry.com.\n  Anonymous crash reports are on; set DG_TELEMETRY=0 to opt out.\n  Terms: https://westbayberry.com/terms \xB7 Privacy: https://westbayberry.com/privacy\n"
+        "  Dependency Guardian sends package names + versions to api.westbayberry.com.\n  Anonymous crash reports are on to help us fix early bugs (no source, paths, or package names);\n  opt out with DG_TELEMETRY=0 or DO_NOT_TRACK=1.\n  Terms: https://westbayberry.com/terms \xB7 Privacy: https://westbayberry.com/privacy\n"
       )
     );
     recordScanNoticeShown2();
@@ -45228,14 +45466,7 @@ async function runStatic(config) {
     }
     if (discovery.pythonPackages.length > 0) {
       const pyResult = await callPyPIAnalyzeAPI(discovery.pythonPackages, config);
-      result.packages.push(...pyResult.packages);
-      result.score = Math.max(result.score, pyResult.score);
-      if (pyResult.action === "block" || pyResult.action === "warn" && result.action === "pass") {
-        result.action = pyResult.action;
-      }
-      if (pyResult.freeScansRemaining !== void 0) {
-        result.freeScansRemaining = pyResult.freeScansRemaining;
-      }
+      result = mergeResponses([result, pyResult]);
     }
     clearSpinner();
     dbg(
@@ -45292,11 +45523,7 @@ async function runStatic(config) {
   printTrialBanner(result, config);
   process.exit(scanExitCode(result.action, config.mode));
 }
-function mergeProjectConfig(config, _argv) {
-  return config;
-}
 async function runStaticNpm(npmArgs, config) {
-  config = mergeProjectConfig(config, process.argv.slice(2));
   const parsed = parseNpmArgs(npmArgs);
   if (!parsed.shouldScan) {
     const code = await runNpm(parsed.rawArgs);
@@ -45399,11 +45626,11 @@ function buildInstallArgs(parsed, topLevelSpecs, tree, config) {
   if (tree.length > 0 && topLevelSpecs.length > 0) {
     args = pinTopLevelArgs(args, topLevelSpecs, tree);
   }
-  const wantsNoScripts = parsed.dgNoScripts || config.strict;
-  if (wantsNoScripts && !args.includes("--ignore-scripts")) {
-    args = [...args, "--ignore-scripts"];
-  }
-  return args;
+  return injectIgnoreScripts(args, {
+    isNpmFamily: true,
+    strict: config.strict,
+    dgNoScripts: parsed.dgNoScripts
+  });
 }
 async function scanAndInstallStatic(resolved, parsed, config) {
   const topLevelSpecs = resolved.map((p) => `${p.name}@${p.version}`);
@@ -45432,6 +45659,14 @@ async function scanAndInstallStatic(resolved, parsed, config) {
       process.stderr.write(
         import_chalk5.default.dim("  Only top-level packages would be scanned; transitive deps would slip through. Use --dg-force to bypass.\n\n")
       );
+      emitWrapperJson(config, {
+        ecosystem: "npm",
+        packages: [],
+        scanVerdict: "scan_failed",
+        installRan: false,
+        installExitCode: null,
+        error: { code: "tree_resolution_failed", message: treeError }
+      });
       process.exit(2);
     }
     process.stderr.write(
@@ -45540,120 +45775,110 @@ async function scanAndInstallStatic(resolved, parsed, config) {
       );
     }
   }
-  if (result.action === "pass") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
-    const passLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel.length} packages safe`;
-    const installLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
-    process.stderr.write(`${passLine}
+  const npmInstallArgs = buildInstallArgs(parsed, topLevelSpecs, tree.packages, config);
+  const npmTopLevelNames = new Set(resolved.map((p) => p.name));
+  const npmDecision = routeVerdict({
+    verdict: verdictFromResult(result),
+    mode: config.mode,
+    strict: config.strict,
+    dgForce: parsed.dgForce
+  });
+  const npmPresenter = {
+    async announce(d) {
+      if (d.verdict === "pass") {
+        const topLevel2 = resolved.map((p) => `${p.name} ${p.version}`);
+        const passLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2.length} packages safe`;
+        const installLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2.join(", ")}`;
+        process.stderr.write(`${passLine}
 ${installLine}
 `);
-    if (parsed.dgNoScripts || config.strict) {
-      const why = config.strict ? "--strict" : "--dg-no-scripts";
-      process.stderr.write(import_chalk5.default.dim(`  ${why}: lifecycle scripts will be suppressed during install.
+        if (parsed.dgNoScripts || config.strict) {
+          const why = config.strict ? "--strict" : "--dg-no-scripts";
+          process.stderr.write(import_chalk5.default.dim(`  ${why}: lifecycle scripts will be suppressed during install.
 `));
-    }
-    printTrialBanner(result, config);
-    process.stderr.write("\n");
-    const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "pass",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  const output = renderResultStatic(result, config);
-  (config.json ? process.stderr : process.stdout).write(output + "\n");
-  printTrialBanner(result, config);
-  if (result.action === "warn") {
-    const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    process.stderr.write(
-      `  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
-`
-    );
-    const proceed = await promptYesNo2({
-      defaultAnswer: "y",
-      message: `  Proceed?`
-    });
-    if (!proceed) {
-      process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
-      emitWrapperJson(config, {
-        ecosystem: "npm",
-        packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-        scanVerdict: "warn",
-        installRan: false,
-        installExitCode: null
-      });
-      process.exit(1);
-    }
-    const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "warn",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  if (result.action === "block") {
-    if (parsed.dgForce) {
-      const { dispatchInstallAudit: dispatchInstallAudit3 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-      await dispatchInstallAudit3({
+        }
+        printTrialBanner(result, config);
+        process.stderr.write("\n");
+        return;
+      }
+      const output = renderResultStatic(result, config);
+      (config.json ? process.stderr : process.stdout).write(output + "\n");
+      printTrialBanner(result, config);
+      const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+      if (d.verdict === "warn") {
+        process.stderr.write(`  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
+`);
+      } else if (d.verdict === "block") {
+        if (d.outcome === "install") {
+          process.stderr.write(import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+        } else {
+          const blockedSpecArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : topLevel.split(", ").map((s) => s.replace(/ /g, "@")).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevel}.
+  Real install was NOT run. To override:
+` + import_chalk5.default.dim(`    npm install ${blockedSpecArg} --dg-force --dg-force-reason="<reason>"
+
+`)
+          );
+        }
+      } else if (d.verdict === "analysis_incomplete") {
+        if (d.outcome === "refuse") {
+          const specArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : resolved.map((p) => `${p.name}@${p.version}`).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
+  Real install was NOT run (--mode block). To override:
+` + import_chalk5.default.dim(`    npm install ${specArg} --dg-force --dg-force-reason="<reason>"
+
+`)
+          );
+        } else {
+          process.stderr.write(import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
+
+`));
+        }
+      }
+    },
+    async confirmProceed() {
+      const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
+      const proceed = await promptYesNo2({ defaultAnswer: "y", message: `  Proceed?` });
+      if (!proceed) process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
+      return proceed;
+    },
+    runInstall: (args) => runNpm(args, { stdoutToStderr: !!config.json }),
+    async audit(kind) {
+      const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
+      await dispatchInstallAudit2({
         ecosystem: "npm",
         packages: result.packages,
-        decisionAction: "override",
-        bypassed: true,
-        bypassReason: parsed.dgForceReason
+        decisionAction: kind,
+        bypassed: kind === "override",
+        bypassReason: kind === "override" ? parsed.dgForceReason : void 0
       });
-      process.stderr.write(
-        import_chalk5.default.yellow(
-          import_chalk5.default.bold(
-            "  --dg-force: Bypassing block. Install at your own risk.\n\n"
-          )
-        )
-      );
-      const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
+    },
+    emit(record) {
       emitWrapperJson(config, {
         ecosystem: "npm",
-        packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-        scanVerdict: "override",
-        installRan: true,
-        installExitCode: code
+        packages: wrapperPackagesFromResult(result, npmTopLevelNames),
+        scanVerdict: record.scanVerdict,
+        installRan: record.installRan,
+        installExitCode: record.installExitCode,
+        error: record.error
       });
-      process.exit(code);
     }
-    const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-    await dispatchInstallAudit2({
-      ecosystem: "npm",
-      packages: result.packages,
-      decisionAction: "block",
-      bypassed: false
-    });
-    const topLevelBlocked = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    const blockedSpecArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : topLevelBlocked.split(", ").map((s) => s.replace(/ /g, "@")).join(" ");
-    process.stderr.write(
-      `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevelBlocked}.
-  Real install was NOT run. To override:
-` + import_chalk5.default.dim(`    npm install ${blockedSpecArg} --dg-force --dg-force-reason="<reason>"
-
-`)
-    );
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "block",
-      installRan: false,
-      installExitCode: null
-    });
-    process.exit(2);
-  }
+  };
+  const npmCtx = {
+    ecosystem: "npm",
+    apiKind: "npm",
+    installArgs: npmInstallArgs,
+    passthroughArgs: parsed.rawArgs,
+    result,
+    resolved,
+    suppressedCount: 0,
+    dgForceReason: parsed.dgForceReason
+  };
+  process.exit(await executeDecision(npmDecision, npmCtx, npmPresenter));
 }
 async function runStaticPip(pipArgs, config) {
-  config = mergeProjectConfig(config, process.argv.slice(2));
   const parsed = parsePipArgs(pipArgs);
   if (!parsed.shouldScan) {
     const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
@@ -45740,6 +45965,17 @@ async function runStaticPip(pipArgs, config) {
       )
     );
   }
+  const isRequirementsInstall = !!parsed.requirementsFile;
+  if (isRequirementsInstall && !(pipTreeOk && pipTree.hashes.size > 0) && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    process.stderr.write(
+      import_chalk5.default.red(import_chalk5.default.bold("  BLOCKED: ")) + import_chalk5.default.red(`a -r requirements install cannot be pinned to exact versions and no dry-run hashes are available to verify the artifacts.
+`) + import_chalk5.default.dim(`  Install aborted${config.strict ? " in --strict" : " in --mode block"} (resolve\u2192install mismatch risk). Use --mode warn or --dg-force to bypass.
+
+`)
+    );
+    process.exit(2);
+  }
+  const pipInstallArgs = pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
   note(
     config,
     import_chalk5.default.dim(
@@ -45768,14 +46004,14 @@ async function runStaticPip(pipArgs, config) {
       process.stderr.write(
         import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n"))
       );
-      const code2 = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+      const code2 = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
       process.exit(code2);
     }
     process.stderr.write(
       import_chalk5.default.yellow(`  Warning: Scan failed (${msg}). Proceeding with install (mode=${config.mode}).
 `)
     );
-    const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
     process.exit(code);
     return;
   }
@@ -45803,105 +46039,101 @@ async function runStaticPip(pipArgs, config) {
     }
   }
   const pipTopLevelNames = new Set(resolved.map((p) => p.name));
-  if (result.action === "pass") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
-    const passLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel.length} packages safe`;
-    const installLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
-    process.stderr.write(`${passLine}
+  const pipDecision = routeVerdict({
+    verdict: verdictFromResult(result),
+    mode: config.mode,
+    strict: config.strict,
+    dgForce: parsed.dgForce
+  });
+  const pipPresenter = {
+    async announce(d) {
+      if (d.verdict === "pass") {
+        const topLevel2 = resolved.map((p) => `${p.name} ${p.version}`);
+        const passLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2.length} packages safe`;
+        const installLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2.join(", ")}`;
+        process.stderr.write(`${passLine}
 ${installLine}
 `);
-    printTrialBanner(result, config);
-    process.stderr.write("\n");
-    const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "pass",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  const output = renderResultStatic(result, config);
-  (config.json ? process.stderr : process.stdout).write(output + "\n");
-  printTrialBanner(result, config);
-  if (result.action === "warn") {
-    const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    process.stderr.write(
-      `  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
-`
-    );
-    const proceed = await promptYesNo2({ defaultAnswer: "y", message: "  Proceed?" });
-    if (!proceed) {
-      process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
-      emitWrapperJson(config, {
-        ecosystem: "pypi",
-        packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-        scanVerdict: "warn",
-        installRan: false,
-        installExitCode: null
-      });
-      process.exit(1);
-    }
-    const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "warn",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  if (result.action === "block") {
-    if (parsed.dgForce) {
-      const { dispatchInstallAudit: dispatchInstallAudit3 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-      await dispatchInstallAudit3({
+        printTrialBanner(result, config);
+        process.stderr.write("\n");
+        return;
+      }
+      const output = renderResultStatic(result, config);
+      (config.json ? process.stderr : process.stdout).write(output + "\n");
+      printTrialBanner(result, config);
+      const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+      if (d.verdict === "warn") {
+        process.stderr.write(`  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
+`);
+      } else if (d.verdict === "block") {
+        if (d.outcome === "install") {
+          process.stderr.write(import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+        } else {
+          const pipBlockedSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevel}.
+  Real install was NOT run. To override:
+` + import_chalk5.default.dim(`    pip install ${pipBlockedSpecArg} --dg-force --dg-force-reason="<reason>"
+
+`)
+          );
+        }
+      } else if (d.verdict === "analysis_incomplete") {
+        if (d.outcome === "refuse") {
+          const pipSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
+  Real install was NOT run (--mode block). To override:
+` + import_chalk5.default.dim(`    pip install ${pipSpecArg} --dg-force --dg-force-reason="<reason>"
+
+`)
+          );
+        } else {
+          process.stderr.write(import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
+
+`));
+        }
+      }
+    },
+    async confirmProceed() {
+      const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
+      const proceed = await promptYesNo2({ defaultAnswer: "y", message: "  Proceed?" });
+      if (!proceed) process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
+      return proceed;
+    },
+    runInstall: (args) => runPip(args, { stdoutToStderr: !!config.json }),
+    async audit(kind) {
+      const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
+      await dispatchInstallAudit2({
         ecosystem: "pypi",
         packages: result.packages,
-        decisionAction: "override",
-        bypassed: true,
-        bypassReason: parsed.dgForceReason
+        decisionAction: kind,
+        bypassed: kind === "override",
+        bypassReason: kind === "override" ? parsed.dgForceReason : void 0
       });
-      process.stderr.write(
-        import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n"))
-      );
-      const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
+    },
+    emit(record) {
       emitWrapperJson(config, {
         ecosystem: "pypi",
         packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-        scanVerdict: "override",
-        installRan: true,
-        installExitCode: code
+        scanVerdict: record.scanVerdict,
+        installRan: record.installRan,
+        installExitCode: record.installExitCode,
+        error: record.error
       });
-      process.exit(code);
     }
-    const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-    await dispatchInstallAudit2({
-      ecosystem: "pypi",
-      packages: result.packages,
-      decisionAction: "block",
-      bypassed: false
-    });
-    const pipTopLevelBlocked = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    const pipBlockedSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
-    process.stderr.write(
-      `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${pipTopLevelBlocked}.
-  Real install was NOT run. To override:
-` + import_chalk5.default.dim(`    pip install ${pipBlockedSpecArg} --dg-force --dg-force-reason="<reason>"
-
-`)
-    );
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "block",
-      installRan: false,
-      installExitCode: null
-    });
-    process.exit(2);
-  }
+  };
+  const pipCtx = {
+    ecosystem: "pypi",
+    apiKind: "pypi",
+    installArgs: pipInstallArgs,
+    passthroughArgs: parsed.rawArgs,
+    result,
+    resolved,
+    suppressedCount: 0,
+    dgForceReason: parsed.dgForceReason
+  };
+  process.exit(await executeDecision(pipDecision, pipCtx, pipPresenter));
 }
 async function runStaticLogin() {
   const {
@@ -46014,6 +46246,10 @@ var init_static_output = __esm({
     init_lockfile();
     init_npm_wrapper();
     init_pip_wrapper();
+    init_wrapper_shared();
+    init_route();
+    init_run();
+    init_json();
     init_artifact_integrity();
     init_sanitize();
     init_format_helpers();
@@ -46808,11 +47044,11 @@ var init_InteractiveResultsView = __esm({
       const scanUsage = usageDisplay ? usageDisplay.text : result.freeScansRemaining !== void 0 ? `${result.freeScansRemaining.toLocaleString()} packages left` : scanUsageProp;
       const usageNearLimit = usageDisplay?.nearLimit ?? false;
       const flagged = (0, import_react30.useMemo)(
-        () => result.packages.filter((p) => p.score > 0 || p.action === "analysis_incomplete"),
+        () => result.packages.filter((p) => (p.action ?? "pass") !== "pass"),
         [result.packages]
       );
       const clean = (0, import_react30.useMemo)(
-        () => result.packages.filter((p) => p.score === 0 && p.action !== "analysis_incomplete"),
+        () => result.packages.filter((p) => (p.action ?? "pass") === "pass"),
         [result.packages]
       );
       const total = result.packages.length;
@@ -47108,8 +47344,8 @@ var init_InteractiveResultsView = __esm({
           const { body, ext } = formatExport(payload, scope, format);
           const scopeTag = scope === "current-license" && currentLicenseIdx !== null ? `${(licenseGroups[currentLicenseIdx]?.spdx ?? "license").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 32)}` : scope;
           const filename = `dg-scan-${ts}-${scopeTag}.${ext}`;
-          const path2 = resolvePath2(process.cwd(), filename);
-          writeFileSync11(path2, body, "utf-8");
+          const path = resolvePath2(process.cwd(), filename);
+          writeFileSync11(path, body, "utf-8");
           showExportMsg(`\u2713 Exported to ${filename}`);
         } catch (e) {
           showExportMsg(`Export failed: ${e.message}`);
@@ -48506,6 +48742,7 @@ var publish_check_exports = {};
 __export(publish_check_exports, {
   findPypiArtifacts: () => findPypiArtifacts,
   npmPackDryRun: () => npmPackDryRun,
+  publishCheckExitCode: () => publishCheckExitCode,
   renderPublishCheckResult: () => renderPublishCheckResult,
   runNpmPublishCheck: () => runNpmPublishCheck,
   runPypiPublishCheck: () => runPypiPublishCheck,
@@ -48642,6 +48879,12 @@ function summarize(ecosystem, artifact, files, findings) {
     action
   };
 }
+function publishCheckExitCode(action, force) {
+  if (force) return 0;
+  if (action === "block") return 2;
+  if (action === "warn") return 1;
+  return 0;
+}
 async function runNpmPublishCheck(cwd2 = process.cwd()) {
   const pack = await npmPackDryRun(cwd2);
   if (!pack.ok) return { ok: false, errorMessage: pack.errorMessage };
@@ -48703,10 +48946,10 @@ function parseTar(buf) {
   }
   return out;
 }
-async function readGzipped(path2) {
+async function readGzipped(path) {
   return new Promise((resolve3, reject) => {
     const chunks = [];
-    const stream = createReadStream(path2).pipe(createGunzip());
+    const stream = createReadStream(path).pipe(createGunzip());
     stream.on("data", (c) => chunks.push(c));
     stream.on("end", () => resolve3(Buffer.concat(chunks)));
     stream.on("error", reject);
@@ -48939,11 +49182,11 @@ function validateEntry(raw) {
   };
 }
 function readRegistry() {
-  const path2 = registryPath();
-  if (!existsSync20(path2)) return [];
+  const path = registryPath();
+  if (!existsSync20(path)) return [];
   let raw;
   try {
-    raw = readFileSync14(path2, "utf-8");
+    raw = readFileSync14(path, "utf-8");
   } catch {
     return [];
   }
@@ -48964,13 +49207,13 @@ function readRegistry() {
   return out;
 }
 function writeRegistry(entries) {
-  const path2 = registryPath();
-  const parent = dirname12(path2);
+  const path = registryPath();
+  const parent = dirname12(path);
   if (!existsSync20(parent)) mkdirSync8(parent, { recursive: true, mode: 448 });
   const payload = { version: 1, entries };
-  writeFileSync12(path2, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
+  writeFileSync12(path, JSON.stringify(payload, null, 2) + "\n", { encoding: "utf-8", mode: 384 });
   try {
-    chmodSync4(path2, 384);
+    chmodSync4(path, 384);
   } catch {
   }
 }
@@ -49569,9 +49812,9 @@ function installPrefix(resolvedBinPath) {
   if (idx < 0) return null;
   return resolvedBinPath.slice(0, idx);
 }
-function canWrite(path2) {
+function canWrite(path) {
   try {
-    accessSync(path2, constants2.W_OK);
+    accessSync(path, constants2.W_OK);
     return true;
   } catch {
     return false;
@@ -49994,9 +50237,9 @@ async function revokeApiKey(apiKey) {
     return { ok: false, reason: e.message };
   }
 }
-function rmFile(path2) {
+function rmFile(path) {
   try {
-    unlinkSync7(path2);
+    unlinkSync7(path);
     return { ok: true };
   } catch (e) {
     const code = e.code;
@@ -50004,9 +50247,9 @@ function rmFile(path2) {
     return { ok: false, reason: e.message };
   }
 }
-function rmTree(path2) {
+function rmTree(path) {
   try {
-    rmSync2(path2, { recursive: true, force: true });
+    rmSync2(path, { recursive: true, force: true });
     return { ok: true };
   } catch (e) {
     return { ok: false, reason: e.message };
@@ -50673,6 +50916,11 @@ async function runNpmScan(packages, skippedCount, config, dispatch) {
     dispatch({ type: "SCAN_COMPLETE", result, durationMs: Date.now() - startMs, skippedCount });
   } catch (error) {
     if (error instanceof FreeCapReachedError) {
+      try {
+        const { recordScanCapReached: recordScanCapReached2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+        recordScanCapReached2(error.scansUsed, error.maxScans, error.reason);
+      } catch {
+      }
       dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans, capReason: error.reason });
       return;
     }
@@ -50752,6 +51000,11 @@ async function scanProjects(projects, config, dispatch) {
     dispatch({ type: "SCAN_COMPLETE", result: merged, durationMs: merged.durationMs, skippedCount: 0, discoveredTotal });
   } catch (error) {
     if (error instanceof FreeCapReachedError) {
+      try {
+        const { recordScanCapReached: recordScanCapReached2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+        recordScanCapReached2(error.scansUsed, error.maxScans, error.reason);
+      } catch {
+      }
       dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans, capReason: error.reason });
       return;
     }
@@ -50995,8 +51248,8 @@ var init_ProjectSelector = __esm({
           const ecoCountPlainLen = `${proj.ecosystem} ${proj.packageCount} packages`.length;
           const fixedPrefixLen = 4;
           const pathColWidth = Math.max(20, termCols - fixedPrefixLen - ecoCountPlainLen - 3);
-          const path2 = sanitize(proj.relativePath);
-          const pathTruncated = path2.length > pathColWidth ? path2.slice(0, Math.max(1, pathColWidth - 1)) + "\u2026" : path2.padEnd(pathColWidth);
+          const path = sanitize(proj.relativePath);
+          const pathTruncated = path.length > pathColWidth ? path.slice(0, Math.max(1, pathColWidth - 1)) + "\u2026" : path.padEnd(pathColWidth);
           return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(Text, { backgroundColor: isCursor ? "#1a1a2e" : void 0, wrap: "truncate-end", children: [
             prefix,
             check,
@@ -51091,6 +51344,7 @@ var init_App2 = __esm({
     await init_ProjectSelector();
     await init_SetupBanner();
     await init_useTerminalSize();
+    init_static_output();
     init_terminal_state();
     import_jsx_runtime13 = __toESM(require_jsx_runtime(), 1);
     App2 = ({ config, userStatus, scanUsage, setupIssues = [] }) => {
@@ -51129,16 +51383,7 @@ var init_App2 = __esm({
       }, []);
       const handleResultsExit = (0, import_react36.useCallback)(() => {
         if (state.phase === "results") {
-          const { result } = state;
-          if (result.action === "block" && config.mode === "block") {
-            process.exitCode = 2;
-          } else if (result.action === "block" || result.action === "warn") {
-            process.exitCode = 1;
-          } else if (result.action === "analysis_incomplete") {
-            process.exitCode = 4;
-          } else {
-            process.exitCode = 0;
-          }
+          process.exitCode = scanExitCode(state.result.action, config.mode);
         }
         leaveAltScreen();
         exit();
@@ -51167,7 +51412,10 @@ var init_App2 = __esm({
 `, 3);
           return () => clearTimeout(timer);
         }
-      }, [state, exitWithMessage]);
+        if (state.phase === "results") {
+          process.exitCode = scanExitCode(state.result.action, config.mode);
+        }
+      }, [state, config, exitWithMessage]);
       use_input_default((input, key) => {
         if (state.phase === "discovering" || state.phase === "scanning") {
           if (input === "q" || key.escape) {
@@ -51317,9 +51565,9 @@ function locateInkInstancesPath() {
 async function initInkInstances() {
   if (realInstances) return;
   try {
-    const path2 = locateInkInstancesPath();
-    if (!path2) return;
-    const mod = await import(path2);
+    const path = locateInkInstancesPath();
+    if (!path) return;
+    const mod = await import(path);
     realInstances = mod.default ?? null;
   } catch {
     realInstances = null;
@@ -51569,6 +51817,10 @@ function reducer4(_state, action) {
       return { phase: "warn", result: action.result, dgForce: action.dgForce };
     case "BLOCKED":
       return { phase: "blocked", result: action.result, dgForce: action.dgForce };
+    case "INCOMPLETE":
+      return { phase: "incomplete", result: action.result, message: action.message, proceed: action.proceed };
+    case "REFUSED":
+      return { phase: "refused", result: action.result, message: action.message };
     case "INSTALLING":
       return { phase: "installing" };
     case "DONE":
@@ -51603,12 +51855,13 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
     if (started.current) return;
     started.current = true;
     const parsed = parsedRef.current;
+    let installArgs = parsed.rawArgs;
     (async () => {
       try {
         if (!parsed.shouldScan) {
           dispatch({ type: "PASSTHROUGH" });
-          const code = await opts.runInstall(parsed.rawArgs);
-          dispatch({ type: "DONE", exitCode: code });
+          const code2 = await opts.runInstall(parsed.rawArgs);
+          dispatch({ type: "DONE", exitCode: code2 });
           return;
         }
         let specs;
@@ -51616,8 +51869,8 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
           specs = opts.inferSpecsFromContext(parsed);
           if (specs.length === 0) {
             dispatch({ type: "PASSTHROUGH" });
-            const code = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code });
+            const code2 = await opts.runInstall(parsed.rawArgs);
+            dispatch({ type: "DONE", exitCode: code2 });
             return;
           }
         } else {
@@ -51627,95 +51880,130 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
         const { resolved } = await opts.resolvePackages(specs);
         if (resolved.length === 0) {
           dispatch({ type: "PASSTHROUGH" });
-          const code = await opts.runInstall(parsed.rawArgs);
-          dispatch({ type: "DONE", exitCode: code });
+          const code2 = await opts.runInstall(parsed.rawArgs);
+          dispatch({ type: "DONE", exitCode: code2 });
           return;
         }
-        dispatch({ type: "SCANNING", count: resolved.length });
-        const result = await opts.callAnalyze(resolved, config);
+        const isRequirementsInstall = opts.ecosystem === "pypi" && (parsed.rawArgs.includes("-r") || parsed.rawArgs.includes("--requirement"));
+        if (isRequirementsInstall && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+          dispatch({
+            type: "ERROR",
+            message: `A -r requirements install cannot be pinned to the exact scanned versions; refusing in ${config.strict ? "--strict" : "--mode block"} (resolve\u2192install mismatch risk). Use --mode warn or --dg-force to bypass.`,
+            proceed: false
+          });
+          dispatch({ type: "DONE", exitCode: 2 });
+          return;
+        }
+        const pinnedArgs = isRequirementsInstall ? parsed.rawArgs : opts.ecosystem === "npm" ? pinTopLevelArgs(parsed.rawArgs, parsed.packages, resolved) : pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
+        installArgs = injectIgnoreScripts(pinnedArgs, {
+          isNpmFamily: opts.ecosystem === "npm",
+          strict: config.strict,
+          dgNoScripts: parsed.dgNoScripts
+        });
+        let scanSet = resolved;
+        if (opts.resolveTree) {
+          const tree = await opts.resolveTree(specs);
+          if (tree.ok && tree.packages.length > 0) {
+            scanSet = tree.packages;
+          } else if ((config.mode === "block" || config.strict) && !parsed.dgForce) {
+            dispatch({
+              type: "ERROR",
+              message: `Could not enumerate the dependency tree (${tree.errorMessage ?? "dry-run produced no tree"}); transitive deps would install unscanned. Install aborted in ${config.strict ? "--strict" : "--mode block"}. Use --dg-force to bypass.`,
+              proceed: false
+            });
+            dispatch({ type: "DONE", exitCode: 2 });
+            return;
+          }
+        }
+        dispatch({ type: "SCANNING", count: scanSet.length });
+        const result = await opts.callAnalyze(scanSet, config);
         if (result.action === "pass") {
           if (exit) exit();
           const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
           const line = formatPassLine(result, chalk18);
           process.stderr.write("  " + line + "\n\n");
-          const code = await opts.runInstall(parsed.rawArgs);
-          process.exit(code);
+          const code2 = await opts.runInstall(installArgs);
+          process.exit(code2);
           return;
         }
-        if (result.action === "warn") {
-          if (parsed.dgForce) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "warn",
-              trigger: "dg-force",
-              reason: parsed.dgForceReason,
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
-            });
-            dispatch({ type: "WARN", result, dgForce: true });
-            dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code });
-            return;
-          }
-          dispatch({ type: "WARN", result, dgForce: false });
-          const shouldProceed = await new Promise((resolve3) => {
-            pendingInstall.current = () => resolve3(true);
-            rejectRef.current = () => resolve3(false);
+        const verdict = verdictFromResult(result);
+        const decision = routeVerdict({
+          verdict,
+          mode: config.mode,
+          strict: config.strict,
+          dgForce: parsed.dgForce
+        });
+        const bypassVerdict = decision.verdict === "block" ? "block" : "warn";
+        const recordBypass = async (trigger) => {
+          const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
+          recordBypassLocally2({
+            ecosystem: opts.ecosystem,
+            verdict: bypassVerdict,
+            trigger,
+            reason: trigger === "dg-force" ? parsed.dgForceReason : void 0,
+            packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
           });
-          if (shouldProceed) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "warn",
-              trigger: "interactive-confirm",
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
-            });
-            dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code });
-          } else {
-            dispatch({ type: "DONE", exitCode: 1 });
+        };
+        const refusedMessage = () => {
+          const list = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+          if (decision.verdict === "block") {
+            return `DG blocked ${list}. Real install was NOT run. Re-run with --dg-force --dg-force-reason="<reason>" to override.`;
           }
-          return;
-        }
-        if (result.action === "block") {
-          if (parsed.dgForce) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "block",
-              trigger: "dg-force",
-              reason: parsed.dgForceReason,
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
-            });
-            dispatch({ type: "BLOCKED", result, dgForce: true });
-            dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code });
-            return;
+          if (decision.verdict === "analysis_incomplete") {
+            return `DG could not fully analyze ${list} (analysis incomplete). Refusing in ${config.strict ? "--strict" : "--mode block"} \u2014 unverified is not safe. Use --mode warn or --dg-force to bypass.`;
           }
-          dispatch({ type: "BLOCKED", result, dgForce: false });
-          const shouldProceed = await new Promise((resolve3) => {
-            pendingInstall.current = () => resolve3(true);
-            rejectRef.current = () => resolve3(false);
-          });
-          if (shouldProceed) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "block",
-              trigger: "interactive-confirm",
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
+          return `DG flagged ${list}. Refusing in --strict. Use --mode warn or --dg-force to proceed.`;
+        };
+        const presenter = {
+          announce(d) {
+            if (d.outcome === "refuse") {
+              dispatch({ type: "REFUSED", result, message: refusedMessage() });
+              return;
+            }
+            switch (d.verdict) {
+              case "warn":
+                dispatch({ type: "WARN", result, dgForce: d.bypassed });
+                return;
+              case "block":
+                dispatch({ type: "BLOCKED", result, dgForce: d.bypassed });
+                return;
+              case "analysis_incomplete":
+                dispatch({ type: "INCOMPLETE", result, proceed: true, message: "DG could not fully analyze the install set (analysis incomplete)." });
+                return;
+              default:
+                return;
+            }
+          },
+          confirmProceed() {
+            return new Promise((resolve3) => {
+              pendingInstall.current = () => resolve3(true);
+              rejectRef.current = () => resolve3(false);
             });
+          },
+          async runInstall(args) {
             dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code });
-          } else {
-            dispatch({ type: "DONE", exitCode: 2 });
+            return opts.runInstall(args);
+          },
+          async audit(kind) {
+            if (kind === "override") await recordBypass("dg-force");
+          },
+          onPromptAccepted: () => recordBypass("interactive-confirm"),
+          emit() {
           }
-          return;
-        }
+        };
+        const ctx = {
+          ecosystem: opts.ecosystem,
+          apiKind: opts.ecosystem,
+          installArgs,
+          passthroughArgs: parsed.rawArgs,
+          result,
+          resolved,
+          suppressedCount: 0,
+          dgForceReason: parsed.dgForceReason
+        };
+        const code = await executeDecision(decision, ctx, presenter);
+        dispatch({ type: "DONE", exitCode: code });
+        return;
       } catch (error) {
         if (error instanceof FreeCapReachedError) {
           dispatch({ type: "FREE_CAP_REACHED" });
@@ -51733,7 +52021,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
         }
         dispatch({ type: "ERROR", message, proceed: true });
         dispatch({ type: "INSTALLING" });
-        const code = await opts.runInstall(parsedRef.current.rawArgs);
+        const code = await opts.runInstall(installArgs);
         dispatch({ type: "DONE", exitCode: code });
       }
     })();
@@ -51756,11 +52044,15 @@ var init_useWrapperBase = __esm({
     "use strict";
     import_react37 = __toESM(require_react(), 1);
     init_client();
+    init_wrapper_shared();
+    init_route();
+    init_run();
     init_npm_wrapper();
     init_pip_wrapper();
     NPM_OPTIONS = {
       parseArgs: parseNpmArgs,
       resolvePackages,
+      resolveTree: resolveTreeNpm,
       callAnalyze: callAnalyzeAPI,
       runInstall: runNpm,
       inferSpecsFromContext: () => readBareInstallPackages(process.cwd()),
@@ -51769,6 +52061,7 @@ var init_useWrapperBase = __esm({
     PIP_OPTIONS = {
       parseArgs: parsePipArgs,
       resolvePackages: resolvePackages2,
+      resolveTree: resolveTreePip,
       callAnalyze: callPyPIAnalyzeAPI,
       runInstall: runPip,
       inferSpecsFromContext: (parsed) => {
@@ -51832,8 +52125,8 @@ var init_ResultsView = __esm({
       config: _config,
       durationMs
     }) => {
-      const flagged = result.packages.filter((p) => p.score > 0 || p.action === "analysis_incomplete");
-      const clean = result.packages.filter((p) => p.score === 0 && p.action !== "analysis_incomplete");
+      const flagged = result.packages.filter((p) => (p.action ?? "pass") !== "pass");
+      const clean = result.packages.filter((p) => (p.action ?? "pass") === "pass");
       const total = result.packages.length;
       const groups = groupPackages(flagged);
       return /* @__PURE__ */ (0, import_jsx_runtime15.jsxs)(Box_default, { flexDirection: "column", paddingLeft: 2, children: [
@@ -51877,7 +52170,7 @@ var init_ResultsView = __esm({
           import_chalk16.default.dim(`package${clean.length !== 1 ? "s" : ""} passed with score 0`)
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime15.jsx)(Newline, {}),
-        groups.filter((g) => g.packages[0].score > 0).map((group) => {
+        groups.filter((g) => (g.packages[0].action ?? "pass") !== "pass").map((group) => {
           const rep = group.packages[0];
           const names = group.packages.length === 1 ? `${rep.name}@${rep.version}` : group.packages.length <= 3 ? group.packages.map((p) => `${p.name}@${p.version}`).join(", ") : `${rep.name}@${rep.version} + ${group.packages.length - 1} identical packages`;
           const visibleFindings = rep.findings.filter((f) => f.severity > 1).sort((a, b) => b.severity - a.severity);
@@ -52163,9 +52456,18 @@ var init_WrapperApp = __esm({
         case "blocked":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Box_default, { flexDirection: "column", children: [
             /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: "block", dgForce: state.dgForce }),
-            showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) }),
-            !state.dgForce && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ConfirmPrompt, { message: "", onConfirm: handleConfirm, onReject: handleReject })
+            showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) })
           ] });
+        case "refused":
+          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
+        case "incomplete":
+          if (state.proceed) {
+            return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { color: "yellow", children: [
+              state.message,
+              " Proceeding with install."
+            ] });
+          }
+          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
         case "installing":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Spinner2, { label: labels.installing });
         case "done":
@@ -52245,26 +52547,33 @@ function parseCondaArgs(args) {
 async function resolveTopLevel(_parsed) {
   return { resolved: [], failed: [] };
 }
-async function runStaticConda(args) {
+async function runStaticConda(args, ecosystem, config) {
   const parsed = parseCondaArgs(args);
-  if (process.stderr.isTTY && parsed.shouldScan) {
+  if (parsed.shouldScan && (config.mode === "block" || config.strict) && !parsed.dgForce) {
     process.stderr.write(
-      import_chalk18.default.yellow(`\u2139\uFE0F  DG: conda packages aren't yet scanned (conda-forge isn't supported in the scanner backend yet).
-`) + import_chalk18.default.dim(`   Passing through to real conda. Use \`dg verify\` for individual pypi-known packages.
+      import_chalk18.default.red(import_chalk18.default.bold("  \u2717 BLOCKED: ")) + import_chalk18.default.red(`${ecosystem} packages cannot be scanned (the scanner backend does not support this ecosystem).
+`) + import_chalk18.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing to install unscanned packages. Use --mode warn or --dg-force to bypass.
 
 `)
     );
+    return 2;
   }
-  const real = resolveRealBinary("conda");
+  if (parsed.shouldScan && process.stderr.isTTY) {
+    process.stderr.write(
+      import_chalk18.default.yellow(`\u2139\uFE0F  DG: ${ecosystem} packages aren't yet scanned (the scanner backend doesn't support this ecosystem yet).
+`) + import_chalk18.default.dim(`   Passing through to real ${ecosystem}. Use \`dg verify\` for individual pypi-known packages.
+
+`)
+    );
+  }
+  const real = resolveRealBinary(ecosystem);
   if (!real) {
-    process.stderr.write(`dg: real conda not found on PATH
+    process.stderr.write(`dg: real ${ecosystem} not found on PATH
 `);
     return 127;
   }
-  const nonce = readNonce();
-  const env3 = nonce ? { ...process.env, DG_SHIM_ACTIVE: nonce } : { ...process.env };
   return await new Promise((resolve3) => {
-    const child = spawn5(real, parsed.rawArgs, { stdio: "inherit", env: env3 });
+    const child = spawn5(real, parsed.rawArgs, { stdio: "inherit", env: childInstallEnv() });
     child.on("close", (code) => resolve3(code ?? 1));
     child.on("error", () => resolve3(1));
   });
@@ -52644,7 +52953,11 @@ function parseUvArgs(args) {
     for (let i = argStart; i < filtered.length; i++) {
       const arg = filtered[i];
       if (arg === "-r" || arg === "--requirement") {
-        if (i + 1 < filtered.length) i++;
+        const file = filtered[i + 1];
+        if (file !== void 0) {
+          i++;
+          packages.push(...parseRequirementsFile(file));
+        }
         continue;
       }
       if (arg.startsWith("-")) {
@@ -52671,7 +52984,6 @@ async function resolveTopLevel5(parsed) {
     if (at <= 0) return s;
     return `${s.slice(0, at)}==${s.slice(at + 1)}`;
   });
-  void parsePipSpec;
   return await resolvePackages2(normalized);
 }
 async function resolveTransitive4(parsed) {
@@ -52800,14 +53112,8 @@ __export(wrapper_factory_exports, {
   runEcosystemWrapper: () => runEcosystemWrapper
 });
 import { spawn as spawn6 } from "node:child_process";
-function emitJson(config, result) {
-  if (!config.json) return;
-  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
-}
 function shimSentinelEnv3() {
-  const nonce = readNonce();
-  if (!nonce) return process.env;
-  return { ...process.env, DG_SHIM_ACTIVE: nonce };
+  return childInstallEnv();
 }
 async function spawnRealBinary(adapter7, args) {
   const real = resolveRealBinary(adapter7.realBinaryName);
@@ -52852,8 +53158,46 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
     );
   }
+  const isRequirementsInstall = adapter7.apiKind === "pypi" && (parsed.rawArgs.includes("-r") || parsed.rawArgs.includes("--requirement"));
+  let pinnedArgs = parsed.rawArgs;
+  if (adapter7.apiKind === "npm") {
+    pinnedArgs = pinTopLevelArgs(parsed.rawArgs, parsed.packages, resolved);
+  } else if (!isRequirementsInstall) {
+    pinnedArgs = pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
+  }
+  if (isRequirementsInstall && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    if (!config.json && !config.quiet) {
+      process.stderr.write(
+        import_chalk19.default.red(import_chalk19.default.bold("  \u2717 BLOCKED: ")) + import_chalk19.default.red(`a -r requirements install cannot be pinned to the exact scanned versions.
+`) + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing (would risk a resolve\u2192install mismatch). Use --mode warn or --dg-force to bypass.
+
+`)
+      );
+    }
+    emitWrapperJson(config, {
+      ecosystem: adapter7.ecosystem,
+      packages: [],
+      scanVerdict: "scan_failed",
+      installRan: false,
+      installExitCode: null,
+      error: { code: "unpinnable_requirements", message: "-r requirements install cannot be pinned to exact versions" }
+    });
+    return 2;
+  }
+  if (isRequirementsInstall && !config.json && !config.quiet) {
+    process.stderr.write(
+      import_chalk19.default.dim(`  Note: -r requirements install cannot be pinned to exact versions; installing as specified.
+`)
+    );
+  }
+  const installArgs = injectIgnoreScripts(pinnedArgs, {
+    isNpmFamily: adapter7.apiKind === "npm",
+    strict: config.strict,
+    dgNoScripts: parsed.dgNoScripts
+  });
   let scanSet = resolved;
   let treeOk = true;
+  let treeError;
   if (adapter7.resolveTransitive) {
     const tree = await adapter7.resolveTransitive(parsed);
     if (tree.ok && tree.packages.length > 0) {
@@ -52873,15 +53217,36 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
         );
       }
-    } else if (!tree.ok && !config.json && !config.quiet) {
+    } else if (!tree.ok) {
       treeOk = false;
+      treeError = tree.errorMessage ?? "unknown";
+    }
+  }
+  if (!treeOk && (config.mode === "block" || config.strict) && !parsed.dgForce) {
+    if (!config.json && !config.quiet) {
       process.stderr.write(
-        import_chalk19.default.dim(`  Transitive resolution unavailable (${tree.errorMessage ?? "unknown"}); scanning top-level only.
+        import_chalk19.default.red(import_chalk19.default.bold("  \u2717 BLOCKED: ")) + import_chalk19.default.red(`could not enumerate transitive dependencies (${treeError}); they would install unscanned.
+`) + import_chalk19.default.dim(`  --mode block \u21D2 refusing install. Use --mode warn or --dg-force to bypass.
+
 `)
       );
     }
+    emitWrapperJson(config, {
+      ecosystem: adapter7.ecosystem,
+      packages: [],
+      scanVerdict: "scan_failed",
+      installRan: false,
+      installExitCode: null,
+      error: { code: "tree_resolution_failed", message: treeError ?? "transitive resolution failed" }
+    });
+    return 2;
+  }
+  if (!treeOk && !config.json && !config.quiet) {
+    process.stderr.write(
+      import_chalk19.default.dim(`  Transitive resolution unavailable (${treeError}); scanning top-level only.
+`)
+    );
   }
-  void treeOk;
   let result;
   try {
     if (adapter7.apiKind === "npm") {
@@ -52897,7 +53262,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
 
 `)
       );
-      emitJson(config, {
+      emitWrapperJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: [],
         scanVerdict: "scan_failed",
@@ -52907,14 +53272,14 @@ async function runEcosystemWrapper(adapter7, args, config) {
       });
       return 1;
     }
-    if (config.mode === "block" && !parsed.dgForce) {
+    if ((config.mode === "block" || config.strict) && !parsed.dgForce) {
       process.stderr.write(
         import_chalk19.default.red(`  \u2717 DG scan failed: ${err.message}
-`) + import_chalk19.default.dim(`  --mode block + scan failure \u21D2 refusing install. Use --mode warn or --dg-force to bypass.
+`) + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} + scan failure \u21D2 refusing install. Use --mode warn or --dg-force to bypass.
 
 `)
       );
-      emitJson(config, {
+      emitWrapperJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: [],
         scanVerdict: "scan_failed",
@@ -52922,7 +53287,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
         installExitCode: null,
         error: { code: "scan_failed", message: err.message }
       });
-      return 3;
+      return 2;
     }
     if (!config.json && !config.quiet) {
       process.stderr.write(
@@ -52930,157 +53295,155 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
       );
     }
-    const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
-    emitJson(config, {
+    const code = await spawnRealBinary(adapter7, installArgs);
+    emitWrapperJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: [],
       scanVerdict: "scan_failed",
       installRan: true,
-      installExitCode: code2,
+      installExitCode: code,
       error: { code: "scan_failed", message: err.message }
     });
-    return code2;
+    return code;
   }
   const allowlist = loadAllowlist(process.cwd());
   const { result: filteredResult, suppressedCount } = applyAllowlist(allowlist, result, adapter7.apiKind);
   result = filteredResult;
   const topLevelNames = new Set(resolved.map((p) => p.name));
-  if (result.action === "pass") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
-    const passLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel.length} packages safe`;
-    const installLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
-    if (!config.json && !config.quiet) {
-      process.stderr.write(`${passLine}
+  const verdict = verdictFromResult(result);
+  const decision = routeVerdict({
+    verdict,
+    mode: config.mode,
+    strict: config.strict,
+    dgForce: parsed.dgForce
+  });
+  const ctx = {
+    ecosystem: adapter7.ecosystem,
+    apiKind: adapter7.apiKind,
+    installArgs,
+    passthroughArgs: parsed.rawArgs,
+    result,
+    resolved,
+    suppressedCount,
+    dgForceReason: parsed.dgForceReason,
+    error: verdict === "analysis_incomplete" && decision.outcome === "refuse" ? { code: "analysis_incomplete", message: "scanner could not fully analyze the install set" } : void 0
+  };
+  const presenter = {
+    announce(d) {
+      switch (d.verdict) {
+        case "pass": {
+          if (config.json || config.quiet) return;
+          const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
+          const passLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel.length} packages safe`;
+          const installLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
+          process.stderr.write(`${passLine}
 ${installLine}
 `);
-      if (suppressedCount > 0) {
-        process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
+          if (suppressedCount > 0) {
+            process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
 `));
-      }
-      process.stderr.write("\n");
-    }
-    const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "pass",
-      installRan: true,
-      installExitCode: code2,
-      suppressedByAllowlist: suppressedCount > 0 ? suppressedCount : void 0
-    });
-    return code2;
-  }
-  if (result.action === "warn") {
-    if (!config.json && !config.quiet) {
-      const topLevelList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-      process.stderr.write(`  ${import_chalk19.default.yellow("\u26A0")} ${import_chalk19.default.bold("DG flagged")} ${topLevelList}.
+          }
+          process.stderr.write("\n");
+          return;
+        }
+        case "warn": {
+          if (config.json || config.quiet) return;
+          const topLevelList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+          process.stderr.write(`  ${import_chalk19.default.yellow("\u26A0")} ${import_chalk19.default.bold("DG flagged")} ${topLevelList}.
 `);
-      const blockedPkgs = result.packages.filter((p) => derivePackageActionPublic(p) === "warn");
-      for (const p of blockedPkgs.slice(0, 5)) {
-        if (p.findings && p.findings.length > 0) {
-          for (const f of p.findings.slice(0, 3)) {
-            process.stderr.write(import_chalk19.default.dim(`    \u2022 ${f.title ?? "finding"}
+          const flaggedPkgs = result.packages.filter((p) => derivePackageActionPublic(p) === "warn");
+          for (const p of flaggedPkgs.slice(0, 5)) {
+            if (p.findings && p.findings.length > 0) {
+              for (const f of p.findings.slice(0, 3)) {
+                process.stderr.write(import_chalk19.default.dim(`    \u2022 ${f.title ?? "finding"}
+`));
+              }
+            }
+          }
+          if (suppressedCount > 0) {
+            process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} additional finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
 `));
           }
+          return;
         }
-      }
-      if (suppressedCount > 0) {
-        process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} additional finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
+        case "block": {
+          if (d.outcome === "install") {
+            if (!config.json && !config.quiet) {
+              process.stderr.write(import_chalk19.default.yellow.bold(`  --dg-force: bypassing block. Install at your own risk.
+
 `));
+            }
+          } else if (!config.json) {
+            const blockedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+            process.stderr.write(
+              `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG blocked")} ${blockedList}.
+  Real install was NOT run. To override:
+` + import_chalk19.default.dim(`    ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force --dg-force-reason="<reason>"
+
+`)
+            );
+          }
+          return;
+        }
+        case "analysis_incomplete": {
+          const list = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+          if (d.outcome === "refuse") {
+            if (!config.json) {
+              process.stderr.write(
+                `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG could not verify")} ${list} \u2014 analysis incomplete.
+` + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing install (unverified is not safe). Use --mode warn or --dg-force to bypass.
+
+`)
+              );
+            }
+          } else if (!config.json && !config.quiet) {
+            process.stderr.write(
+              import_chalk19.default.yellow(`  \u26A0 DG could not fully verify ${list} (analysis incomplete). Proceeding with install (mode=${config.mode}).
+`)
+            );
+          }
+          return;
+        }
+        default:
+          return;
+      }
+    },
+    async confirmProceed() {
+      if (!(process.stderr.isTTY && !process.env.CI && !config.json)) {
+        if (!config.json && !config.quiet) process.stderr.write(import_chalk19.default.dim("  Proceeding (non-interactive).\n"));
+        return true;
       }
-    }
-    if (process.stderr.isTTY && !process.env.CI && !config.json) {
       const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
       const proceed = await promptYesNo2({ defaultAnswer: "y", message: "  Proceed?" });
-      if (!proceed) {
-        process.stderr.write(import_chalk19.default.dim("  Install cancelled by user.\n\n"));
-        emitJson(config, {
-          ecosystem: adapter7.ecosystem,
-          packages: packagesFromResult(result, topLevelNames),
-          scanVerdict: "warn",
-          installRan: false,
-          installExitCode: null
-        });
-        return 1;
-      }
-    } else if (!config.json && !config.quiet) {
-      process.stderr.write(import_chalk19.default.dim("  Proceeding (non-interactive).\n"));
-    }
-    const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "warn",
-      installRan: true,
-      installExitCode: code2,
-      suppressedByAllowlist: suppressedCount > 0 ? suppressedCount : void 0
-    });
-    return code2;
-  }
-  if (result.action === "block") {
-    if (parsed.dgForce) {
+      if (!proceed) process.stderr.write(import_chalk19.default.dim("  Install cancelled by user.\n\n"));
+      return proceed;
+    },
+    runInstall: (args2) => spawnRealBinary(adapter7, args2),
+    async audit(kind) {
       try {
         await dispatchInstallAudit({
           ecosystem: adapter7.apiKind,
           packages: result.packages,
-          decisionAction: "override",
-          bypassed: true,
-          bypassReason: parsed.dgForceReason
+          decisionAction: kind,
+          bypassed: kind === "override",
+          bypassReason: kind === "override" ? parsed.dgForceReason : void 0
         });
       } catch {
       }
-      if (!config.json && !config.quiet) {
-        process.stderr.write(import_chalk19.default.yellow.bold(`  --dg-force: bypassing block. Install at your own risk.
-
-`));
-      }
-      const code2 = await spawnRealBinary(adapter7, parsed.rawArgs);
-      emitJson(config, {
+    },
+    emit(record) {
+      emitWrapperJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: packagesFromResult(result, topLevelNames),
-        scanVerdict: "override",
-        installRan: true,
-        installExitCode: code2
+        scanVerdict: record.scanVerdict,
+        installRan: record.installRan,
+        installExitCode: record.installExitCode,
+        error: record.error,
+        suppressedByAllowlist: record.suppressedByAllowlist
       });
-      return code2;
     }
-    try {
-      await dispatchInstallAudit({
-        ecosystem: adapter7.apiKind,
-        packages: result.packages,
-        decisionAction: "block",
-        bypassed: false
-      });
-    } catch {
-    }
-    const blockedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    if (!config.json) {
-      process.stderr.write(
-        `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG blocked")} ${blockedList}.
-  Real install was NOT run. To override:
-` + import_chalk19.default.dim(`    ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force --dg-force-reason="<reason>"
-
-`)
-      );
-    }
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "block",
-      installRan: false,
-      installExitCode: null
-    });
-    return 2;
-  }
-  const code = await spawnRealBinary(adapter7, parsed.rawArgs);
-  emitJson(config, {
-    ecosystem: adapter7.ecosystem,
-    packages: packagesFromResult(result, topLevelNames),
-    scanVerdict: "skipped",
-    installRan: true,
-    installExitCode: code
-  });
-  return code;
+  };
+  return await executeDecision(decision, ctx, presenter);
 }
 var import_chalk19;
 var init_wrapper_factory = __esm({
@@ -53092,6 +53455,12 @@ var init_wrapper_factory = __esm({
     init_install();
     init_audit_dispatcher();
     init_allowlist();
+    init_wrapper_shared();
+    init_npm_wrapper();
+    init_pip_wrapper();
+    init_route();
+    init_run();
+    init_json();
   }
 });
 
@@ -53312,7 +53681,7 @@ async function main() {
       const v = args[ecoArgIdx + 1];
       if (v === "npm" || v === "pypi") ecosystem = v;
     }
-    const { runNpmPublishCheck: runNpmPublishCheck2, runPypiPublishCheck: runPypiPublishCheck2, renderPublishCheckResult: renderPublishCheckResult2 } = await Promise.resolve().then(() => (init_publish_check(), publish_check_exports));
+    const { runNpmPublishCheck: runNpmPublishCheck2, runPypiPublishCheck: runPypiPublishCheck2, renderPublishCheckResult: renderPublishCheckResult2, publishCheckExitCode: publishCheckExitCode2 } = await Promise.resolve().then(() => (init_publish_check(), publish_check_exports));
     const { existsSync: existsSync25 } = await import("node:fs");
     const { join: join15 } = await import("node:path");
     if (ecosystem === "auto") {
@@ -53342,7 +53711,7 @@ async function main() {
     } else {
       process.stderr.write(renderPublishCheckResult2(result));
     }
-    if (result.action === "block" || result.action === "block" && force) {
+    if (result.action === "block") {
       try {
         const reasonIdx = args.indexOf("--dg-force-reason");
         const bypassReason = reasonIdx >= 0 ? args[reasonIdx + 1] : void 0;
@@ -53362,9 +53731,7 @@ async function main() {
       } catch {
       }
     }
-    if (result.action === "block" && !force) process.exit(2);
-    if (result.action === "analysis_incomplete") process.exit(4);
-    process.exit(0);
+    process.exit(publishCheckExitCode2(result.action, force));
   }
   if (rawCommand === "hook") {
     const { handleHookCommand: handleHookCommand2 } = await Promise.resolve().then(() => (init_hook(), hook_exports));
@@ -53568,10 +53935,8 @@ async function handleWrapInternal(argv) {
   const ecoTyped = ecosystem;
   const spawnReal = async (real, args) => {
     const { spawn: spawn7 } = await import("node:child_process");
-    const { readNonce: readNonce3 } = await Promise.resolve().then(() => (init_install(), install_exports));
-    const nonce = readNonce3();
-    const env3 = nonce ? { ...process.env, DG_SHIM_ACTIVE: nonce } : { ...process.env };
-    const child = spawn7(real, args, { stdio: "inherit", env: env3 });
+    const { childInstallEnv: childInstallEnv2 } = await Promise.resolve().then(() => (init_install(), install_exports));
+    const child = spawn7(real, args, { stdio: "inherit", env: childInstallEnv2() });
     return await new Promise((resolve3) => {
       child.on("close", (code) => resolve3(code ?? 1));
       child.on("error", () => resolve3(1));
@@ -53621,7 +53986,7 @@ async function handleWrapInternal(argv) {
   }
   if (ecosystem === "conda" || ecosystem === "mamba") {
     const { runStaticConda: runStaticConda2 } = await Promise.resolve().then(() => (init_conda_wrapper(), conda_wrapper_exports));
-    return await runStaticConda2(wrapperArgs);
+    return await runStaticConda2(wrapperArgs, ecosystem, config);
   }
   const adapterImports = {
     pnpm: () => Promise.resolve().then(() => (init_pnpm_wrapper(), pnpm_wrapper_exports)),