@westbayberry/dg 1.2.0 → 1.2.1

package/dist/index.mjs

@@ -1894,6 +1894,7 @@ __export(auth_exports, {
   pollAuthSession: () => pollAuthSession,
   preflightAuthCheck: () => preflightAuthCheck,
   readTermsAcceptedAt: () => readTermsAcceptedAt,
+  recordScanCapReached: () => recordScanCapReached,
   recordScanNoticeShown: () => recordScanNoticeShown,
   saveCredentials: () => saveCredentials,
   saveCredentialsFromToken: () => saveCredentialsFromToken,
@@ -2283,18 +2284,28 @@ function writeCachedAuthStatus(status) {
   } catch {
   }
 }
+function recordScanCapReached(scansUsed, maxScans, reason) {
+  writeCachedAuthStatus({
+    authenticated: !!getStoredApiKey(),
+    freeTierCapReached: true,
+    scansUsed,
+    scansLimit: maxScans,
+    capReason: reason,
+    fetchedAt: Date.now()
+  });
+}
 async function preflightAuthCheck(apiUrl) {
   if (process.env.DG_SIMULATE_FREE_CAP_REACHED === "1") {
     throw new PreflightFreeCapReachedError(5, 5);
   }
+  const apiKey = getStoredApiKey();
   const cached = readCachedAuthStatus();
-  if (cached) {
+  if (cached && cached.authenticated === !!apiKey) {
     if (cached.freeTierCapReached) {
       throw new PreflightFreeCapReachedError(cached.scansUsed, cached.scansLimit ?? cached.scansUsed, cached.capReason ?? "monthly_limit");
     }
     return cached;
   }
-  const apiKey = getStoredApiKey();
   const headers = {};
   if (apiKey) {
     headers["Authorization"] = `Bearer ${apiKey}`;
@@ -2324,17 +2335,17 @@ async function preflightAuthCheck(apiUrl) {
     } catch {
     }
     if (body.freeTierCapReached) {
-      const capReason = body.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
+      const capReason2 = body.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
       const status2 = {
         authenticated: !!apiKey,
         freeTierCapReached: true,
         scansUsed: body.scansUsed ?? 0,
         scansLimit: body.maxScans ?? 0,
-        capReason,
+        capReason: capReason2,
         fetchedAt: Date.now()
       };
       writeCachedAuthStatus(status2);
-      throw new PreflightFreeCapReachedError(status2.scansUsed, status2.scansLimit ?? 0, capReason);
+      throw new PreflightFreeCapReachedError(status2.scansUsed, status2.scansLimit ?? 0, capReason2);
     }
   }
   if (!resp.ok) {
@@ -2352,18 +2363,20 @@ async function preflightAuthCheck(apiUrl) {
     data = await resp.json();
   } catch {
   }
+  const capReason = data.capReason === "prefix_cap" ? "prefix_cap" : "monthly_limit";
   const status = {
     authenticated: !!apiKey,
     freeTierCapReached: !!data.freeTierCapReached,
     scansUsed: data.scansUsed ?? 0,
     scansLimit: data.scansLimit ?? null,
+    capReason,
     tier: data.tier,
     name: data.name,
     fetchedAt: Date.now()
   };
   writeCachedAuthStatus(status);
   if (status.freeTierCapReached) {
-    throw new PreflightFreeCapReachedError(status.scansUsed, status.scansLimit ?? 0);
+    throw new PreflightFreeCapReachedError(status.scansUsed, status.scansLimit ?? 0, capReason);
   }
   return status;
 }
@@ -43388,6 +43401,153 @@ var init_pip_wrapper = __esm({
   }
 });
 
+// src/wrapper/route.ts
+function routeVerdict(input) {
+  const { verdict, mode, strict, dgForce } = input;
+  const refuseHard = mode === "block" || strict;
+  const refuseWarn = strict;
+  const D = (outcome, refuseExitCode, extra) => ({
+    verdict,
+    outcome,
+    refuseExitCode,
+    bypassed: false,
+    ...extra
+  });
+  if (verdict === "free_cap") return D("refuse", 1);
+  if (verdict === "pass") return D("install", 0);
+  if (dgForce && (verdict === "warn" || verdict === "block")) {
+    return D("install", 0, { audit: "override", bypassed: true });
+  }
+  switch (verdict) {
+    case "warn":
+      if (mode === "off") return D("install", 0);
+      if (refuseWarn) return D("refuse", 1);
+      return D("prompt", 1);
+    // warn/block mode → prompt; decline → 1
+    case "block":
+      if (mode === "off") return D("install", 0);
+      return D("refuse", 2, { audit: "block" });
+    case "analysis_incomplete":
+      if (dgForce) return D("install", 0, { bypassed: true });
+      if (refuseHard) return D("refuse", 4);
+      return D("install", 0);
+    // off/warn → install with a "could not verify" notice
+    case "scan_failed":
+    case "tree_failed":
+      if (dgForce) return D("install", 0, { bypassed: true });
+      if (refuseHard) return D("refuse", 2);
+      return D("install", 0);
+    // best-effort under off/warn
+    case "resolve_failed":
+      if (dgForce) return D("passthrough", 0, { bypassed: true });
+      if (refuseHard) return D("refuse", 2);
+      return D("passthrough", 0);
+    // nothing resolved to scan → hand off to the installer
+    default: {
+      const _never = verdict;
+      void _never;
+      return D(refuseHard ? "refuse" : "install", refuseHard ? 4 : 0);
+    }
+  }
+}
+var init_route = __esm({
+  "src/wrapper/route.ts"() {
+    "use strict";
+  }
+});
+
+// src/wrapper/run.ts
+function verdictFromResult(result, gates = {}) {
+  if (gates.scanFailed) return "scan_failed";
+  if (gates.treeFailed) return "tree_failed";
+  if (gates.resolveFailed) return "resolve_failed";
+  const action = result?.action;
+  if (action === "pass" || action === "warn" || action === "block") return action;
+  return "analysis_incomplete";
+}
+function scanVerdictOf(decision) {
+  if (decision.bypassed && (decision.verdict === "warn" || decision.verdict === "block")) {
+    return "override";
+  }
+  switch (decision.verdict) {
+    case "pass":
+      return "pass";
+    case "warn":
+      return "warn";
+    case "block":
+      return "block";
+    case "analysis_incomplete":
+      return "analysis_incomplete";
+    case "scan_failed":
+    case "tree_failed":
+    case "resolve_failed":
+      return "scan_failed";
+    default:
+      return "skipped";
+  }
+}
+async function executeDecision(decision, ctx, presenter) {
+  await presenter.announce(decision, ctx);
+  if (decision.audit) {
+    await presenter.audit(decision.audit, ctx);
+  }
+  const scanVerdict = scanVerdictOf(decision);
+  const base = (installRan, installExitCode) => ({
+    scanVerdict,
+    installRan,
+    installExitCode,
+    error: ctx.error,
+    suppressedByAllowlist: ctx.suppressedCount > 0 ? ctx.suppressedCount : void 0
+  });
+  switch (decision.outcome) {
+    case "refuse":
+      presenter.emit(base(false, null));
+      return decision.refuseExitCode;
+    case "install": {
+      const code = await presenter.runInstall(ctx.installArgs);
+      presenter.emit(base(true, code));
+      return code;
+    }
+    case "passthrough": {
+      const code = await presenter.runInstall(ctx.passthroughArgs);
+      presenter.emit(base(true, code));
+      return code;
+    }
+    case "prompt": {
+      const proceed = await presenter.confirmProceed(ctx);
+      if (!proceed) {
+        presenter.emit(base(false, null));
+        return decision.refuseExitCode;
+      }
+      if (presenter.onPromptAccepted) await presenter.onPromptAccepted(ctx);
+      const code = await presenter.runInstall(ctx.installArgs);
+      presenter.emit(base(true, code));
+      return code;
+    }
+    default: {
+      const _never = decision.outcome;
+      void _never;
+      return 1;
+    }
+  }
+}
+var init_run = __esm({
+  "src/wrapper/run.ts"() {
+    "use strict";
+  }
+});
+
+// src/wrapper/json.ts
+function emitWrapperJson(config, result) {
+  if (!config.json) return;
+  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
+}
+var init_json = __esm({
+  "src/wrapper/json.ts"() {
+    "use strict";
+  }
+});
+
 // src/security/artifact_integrity.ts
 function normalize(h, algo) {
   if (!h) return void 0;
@@ -44879,10 +45039,6 @@ function note(config, text) {
   if (config.quiet) return;
   process.stderr.write(text);
 }
-function emitWrapperJson(config, result) {
-  if (!config.json) return;
-  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
-}
 function wrapperPackagesFromResult(result, topLevelNames) {
   return result.packages.map((p) => ({
     name: p.name,
@@ -45367,11 +45523,7 @@ async function runStatic(config) {
   printTrialBanner(result, config);
   process.exit(scanExitCode(result.action, config.mode));
 }
-function mergeProjectConfig(config, _argv) {
-  return config;
-}
 async function runStaticNpm(npmArgs, config) {
-  config = mergeProjectConfig(config, process.argv.slice(2));
   const parsed = parseNpmArgs(npmArgs);
   if (!parsed.shouldScan) {
     const code = await runNpm(parsed.rawArgs);
@@ -45623,156 +45775,110 @@ async function scanAndInstallStatic(resolved, parsed, config) {
       );
     }
   }
-  if (result.action === "pass") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
-    const passLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel.length} packages safe`;
-    const installLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
-    process.stderr.write(`${passLine}
+  const npmInstallArgs = buildInstallArgs(parsed, topLevelSpecs, tree.packages, config);
+  const npmTopLevelNames = new Set(resolved.map((p) => p.name));
+  const npmDecision = routeVerdict({
+    verdict: verdictFromResult(result),
+    mode: config.mode,
+    strict: config.strict,
+    dgForce: parsed.dgForce
+  });
+  const npmPresenter = {
+    async announce(d) {
+      if (d.verdict === "pass") {
+        const topLevel2 = resolved.map((p) => `${p.name} ${p.version}`);
+        const passLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2.length} packages safe`;
+        const installLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2.join(", ")}`;
+        process.stderr.write(`${passLine}
 ${installLine}
 `);
-    if (parsed.dgNoScripts || config.strict) {
-      const why = config.strict ? "--strict" : "--dg-no-scripts";
-      process.stderr.write(import_chalk5.default.dim(`  ${why}: lifecycle scripts will be suppressed during install.
+        if (parsed.dgNoScripts || config.strict) {
+          const why = config.strict ? "--strict" : "--dg-no-scripts";
+          process.stderr.write(import_chalk5.default.dim(`  ${why}: lifecycle scripts will be suppressed during install.
 `));
-    }
-    printTrialBanner(result, config);
-    process.stderr.write("\n");
-    const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "pass",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  const output = renderResultStatic(result, config);
-  (config.json ? process.stderr : process.stdout).write(output + "\n");
-  printTrialBanner(result, config);
-  if (result.action === "warn") {
-    const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    process.stderr.write(
-      `  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
-`
-    );
-    const proceed = await promptYesNo2({
-      defaultAnswer: "y",
-      message: `  Proceed?`
-    });
-    if (!proceed) {
-      process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
-      emitWrapperJson(config, {
-        ecosystem: "npm",
-        packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-        scanVerdict: "warn",
-        installRan: false,
-        installExitCode: null
-      });
-      process.exit(1);
-    }
-    const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "warn",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  if (result.action === "block") {
-    if (parsed.dgForce) {
-      const { dispatchInstallAudit: dispatchInstallAudit3 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-      await dispatchInstallAudit3({
-        ecosystem: "npm",
-        packages: result.packages,
-        decisionAction: "override",
-        bypassed: true,
-        bypassReason: parsed.dgForceReason
-      });
-      process.stderr.write(
-        import_chalk5.default.yellow(
-          import_chalk5.default.bold(
-            "  --dg-force: Bypassing block. Install at your own risk.\n\n"
-          )
-        )
-      );
-      const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
-      emitWrapperJson(config, {
-        ecosystem: "npm",
-        packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-        scanVerdict: "override",
-        installRan: true,
-        installExitCode: code
-      });
-      process.exit(code);
-    }
-    const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-    await dispatchInstallAudit2({
-      ecosystem: "npm",
-      packages: result.packages,
-      decisionAction: "block",
-      bypassed: false
-    });
-    const topLevelBlocked = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    const blockedSpecArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : topLevelBlocked.split(", ").map((s) => s.replace(/ /g, "@")).join(" ");
-    process.stderr.write(
-      `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevelBlocked}.
+        }
+        printTrialBanner(result, config);
+        process.stderr.write("\n");
+        return;
+      }
+      const output = renderResultStatic(result, config);
+      (config.json ? process.stderr : process.stdout).write(output + "\n");
+      printTrialBanner(result, config);
+      const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+      if (d.verdict === "warn") {
+        process.stderr.write(`  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
+`);
+      } else if (d.verdict === "block") {
+        if (d.outcome === "install") {
+          process.stderr.write(import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+        } else {
+          const blockedSpecArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : topLevel.split(", ").map((s) => s.replace(/ /g, "@")).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevel}.
   Real install was NOT run. To override:
 ` + import_chalk5.default.dim(`    npm install ${blockedSpecArg} --dg-force --dg-force-reason="<reason>"
 
 `)
-    );
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "block",
-      installRan: false,
-      installExitCode: null
-    });
-    process.exit(2);
-  }
-  if (result.action === "analysis_incomplete") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    const refuse = (config.mode === "block" || config.strict) && !parsed.dgForce;
-    if (refuse) {
-      const specArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : resolved.map((p) => `${p.name}@${p.version}`).join(" ");
-      process.stderr.write(
-        `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
+          );
+        }
+      } else if (d.verdict === "analysis_incomplete") {
+        if (d.outcome === "refuse") {
+          const specArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : resolved.map((p) => `${p.name}@${p.version}`).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
   Real install was NOT run (--mode block). To override:
 ` + import_chalk5.default.dim(`    npm install ${specArg} --dg-force --dg-force-reason="<reason>"
 
 `)
-      );
+          );
+        } else {
+          process.stderr.write(import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
+
+`));
+        }
+      }
+    },
+    async confirmProceed() {
+      const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
+      const proceed = await promptYesNo2({ defaultAnswer: "y", message: `  Proceed?` });
+      if (!proceed) process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
+      return proceed;
+    },
+    runInstall: (args) => runNpm(args, { stdoutToStderr: !!config.json }),
+    async audit(kind) {
+      const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
+      await dispatchInstallAudit2({
+        ecosystem: "npm",
+        packages: result.packages,
+        decisionAction: kind,
+        bypassed: kind === "override",
+        bypassReason: kind === "override" ? parsed.dgForceReason : void 0
+      });
+    },
+    emit(record) {
       emitWrapperJson(config, {
         ecosystem: "npm",
-        packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-        scanVerdict: "analysis_incomplete",
-        installRan: false,
-        installExitCode: null
+        packages: wrapperPackagesFromResult(result, npmTopLevelNames),
+        scanVerdict: record.scanVerdict,
+        installRan: record.installRan,
+        installExitCode: record.installExitCode,
+        error: record.error
       });
-      process.exit(4);
     }
-    process.stderr.write(
-      import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
-
-`)
-    );
-    const code = await runNpm(buildInstallArgs(parsed, topLevelSpecs, tree.packages, config), { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "npm",
-      packages: wrapperPackagesFromResult(result, new Set(resolved.map((p) => p.name))),
-      scanVerdict: "analysis_incomplete",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
+  };
+  const npmCtx = {
+    ecosystem: "npm",
+    apiKind: "npm",
+    installArgs: npmInstallArgs,
+    passthroughArgs: parsed.rawArgs,
+    result,
+    resolved,
+    suppressedCount: 0,
+    dgForceReason: parsed.dgForceReason
+  };
+  process.exit(await executeDecision(npmDecision, npmCtx, npmPresenter));
 }
 async function runStaticPip(pipArgs, config) {
-  config = mergeProjectConfig(config, process.argv.slice(2));
   const parsed = parsePipArgs(pipArgs);
   if (!parsed.shouldScan) {
     const code = await runPip(parsed.rawArgs, { stdoutToStderr: !!config.json });
@@ -45933,141 +46039,101 @@ async function runStaticPip(pipArgs, config) {
     }
   }
   const pipTopLevelNames = new Set(resolved.map((p) => p.name));
-  if (result.action === "pass") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
-    const passLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel.length} packages safe`;
-    const installLine = topLevel.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
-    process.stderr.write(`${passLine}
+  const pipDecision = routeVerdict({
+    verdict: verdictFromResult(result),
+    mode: config.mode,
+    strict: config.strict,
+    dgForce: parsed.dgForce
+  });
+  const pipPresenter = {
+    async announce(d) {
+      if (d.verdict === "pass") {
+        const topLevel2 = resolved.map((p) => `${p.name} ${p.version}`);
+        const passLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2[0]} is safe` : `  ${import_chalk5.default.green("\u2713")} ${import_chalk5.default.bold("DG verified:")} ${topLevel2.length} packages safe`;
+        const installLine = topLevel2.length === 1 ? `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2[0]}` : `  ${import_chalk5.default.green("\u2713")} Installing ${topLevel2.join(", ")}`;
+        process.stderr.write(`${passLine}
 ${installLine}
 `);
-    printTrialBanner(result, config);
-    process.stderr.write("\n");
-    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "pass",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  const output = renderResultStatic(result, config);
-  (config.json ? process.stderr : process.stdout).write(output + "\n");
-  printTrialBanner(result, config);
-  if (result.action === "warn") {
-    const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    process.stderr.write(
-      `  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
-`
-    );
-    const proceed = await promptYesNo2({ defaultAnswer: "y", message: "  Proceed?" });
-    if (!proceed) {
-      process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
-      emitWrapperJson(config, {
-        ecosystem: "pypi",
-        packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-        scanVerdict: "warn",
-        installRan: false,
-        installExitCode: null
-      });
-      process.exit(1);
-    }
-    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "warn",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
-  if (result.action === "block") {
-    if (parsed.dgForce) {
-      const { dispatchInstallAudit: dispatchInstallAudit3 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-      await dispatchInstallAudit3({
-        ecosystem: "pypi",
-        packages: result.packages,
-        decisionAction: "override",
-        bypassed: true,
-        bypassReason: parsed.dgForceReason
-      });
-      process.stderr.write(
-        import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n"))
-      );
-      const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
-      emitWrapperJson(config, {
-        ecosystem: "pypi",
-        packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-        scanVerdict: "override",
-        installRan: true,
-        installExitCode: code
-      });
-      process.exit(code);
-    }
-    const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-    await dispatchInstallAudit2({
-      ecosystem: "pypi",
-      packages: result.packages,
-      decisionAction: "block",
-      bypassed: false
-    });
-    const pipTopLevelBlocked = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    const pipBlockedSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
-    process.stderr.write(
-      `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${pipTopLevelBlocked}.
+        printTrialBanner(result, config);
+        process.stderr.write("\n");
+        return;
+      }
+      const output = renderResultStatic(result, config);
+      (config.json ? process.stderr : process.stdout).write(output + "\n");
+      printTrialBanner(result, config);
+      const topLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+      if (d.verdict === "warn") {
+        process.stderr.write(`  ${import_chalk5.default.yellow("\u26A0")} ${import_chalk5.default.bold("DG flagged")} ${topLevel}.
+`);
+      } else if (d.verdict === "block") {
+        if (d.outcome === "install") {
+          process.stderr.write(import_chalk5.default.yellow(import_chalk5.default.bold("  --dg-force: Bypassing block. Install at your own risk.\n\n")));
+        } else {
+          const pipBlockedSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevel}.
   Real install was NOT run. To override:
 ` + import_chalk5.default.dim(`    pip install ${pipBlockedSpecArg} --dg-force --dg-force-reason="<reason>"
 
 `)
-    );
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "block",
-      installRan: false,
-      installExitCode: null
-    });
-    process.exit(2);
-  }
-  if (result.action === "analysis_incomplete") {
-    const pipTopLevel = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    const refuse = (config.mode === "block" || config.strict) && !parsed.dgForce;
-    if (refuse) {
-      const pipSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
-      process.stderr.write(
-        `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${pipTopLevel} \u2014 treating as unverified, not safe.
+          );
+        }
+      } else if (d.verdict === "analysis_incomplete") {
+        if (d.outcome === "refuse") {
+          const pipSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
+          process.stderr.write(
+            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
   Real install was NOT run (--mode block). To override:
 ` + import_chalk5.default.dim(`    pip install ${pipSpecArg} --dg-force --dg-force-reason="<reason>"
 
 `)
-      );
+          );
+        } else {
+          process.stderr.write(import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
+
+`));
+        }
+      }
+    },
+    async confirmProceed() {
+      const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
+      const proceed = await promptYesNo2({ defaultAnswer: "y", message: "  Proceed?" });
+      if (!proceed) process.stderr.write(import_chalk5.default.dim("  Install cancelled by user.\n\n"));
+      return proceed;
+    },
+    runInstall: (args) => runPip(args, { stdoutToStderr: !!config.json }),
+    async audit(kind) {
+      const { dispatchInstallAudit: dispatchInstallAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
+      await dispatchInstallAudit2({
+        ecosystem: "pypi",
+        packages: result.packages,
+        decisionAction: kind,
+        bypassed: kind === "override",
+        bypassReason: kind === "override" ? parsed.dgForceReason : void 0
+      });
+    },
+    emit(record) {
       emitWrapperJson(config, {
         ecosystem: "pypi",
         packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-        scanVerdict: "analysis_incomplete",
-        installRan: false,
-        installExitCode: null
+        scanVerdict: record.scanVerdict,
+        installRan: record.installRan,
+        installExitCode: record.installExitCode,
+        error: record.error
       });
-      process.exit(4);
     }
-    process.stderr.write(
-      import_chalk5.default.dim(`  DG could not fully verify ${pipTopLevel}; proceeding (mode is not block).
-
-`)
-    );
-    const code = await runPip(pipInstallArgs, { stdoutToStderr: !!config.json });
-    emitWrapperJson(config, {
-      ecosystem: "pypi",
-      packages: wrapperPackagesFromResult(result, pipTopLevelNames),
-      scanVerdict: "analysis_incomplete",
-      installRan: true,
-      installExitCode: code
-    });
-    process.exit(code);
-  }
+  };
+  const pipCtx = {
+    ecosystem: "pypi",
+    apiKind: "pypi",
+    installArgs: pipInstallArgs,
+    passthroughArgs: parsed.rawArgs,
+    result,
+    resolved,
+    suppressedCount: 0,
+    dgForceReason: parsed.dgForceReason
+  };
+  process.exit(await executeDecision(pipDecision, pipCtx, pipPresenter));
 }
 async function runStaticLogin() {
   const {
@@ -46181,6 +46247,9 @@ var init_static_output = __esm({
     init_npm_wrapper();
     init_pip_wrapper();
     init_wrapper_shared();
+    init_route();
+    init_run();
+    init_json();
     init_artifact_integrity();
     init_sanitize();
     init_format_helpers();
@@ -50847,6 +50916,11 @@ async function runNpmScan(packages, skippedCount, config, dispatch) {
     dispatch({ type: "SCAN_COMPLETE", result, durationMs: Date.now() - startMs, skippedCount });
   } catch (error) {
     if (error instanceof FreeCapReachedError) {
+      try {
+        const { recordScanCapReached: recordScanCapReached2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+        recordScanCapReached2(error.scansUsed, error.maxScans, error.reason);
+      } catch {
+      }
       dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans, capReason: error.reason });
       return;
     }
@@ -50926,6 +51000,11 @@ async function scanProjects(projects, config, dispatch) {
     dispatch({ type: "SCAN_COMPLETE", result: merged, durationMs: merged.durationMs, skippedCount: 0, discoveredTotal });
   } catch (error) {
     if (error instanceof FreeCapReachedError) {
+      try {
+        const { recordScanCapReached: recordScanCapReached2 } = await Promise.resolve().then(() => (init_auth(), auth_exports));
+        recordScanCapReached2(error.scansUsed, error.maxScans, error.reason);
+      } catch {
+      }
       dispatch({ type: "FREE_CAP_REACHED", scansUsed: error.scansUsed, maxScans: error.maxScans, capReason: error.reason });
       return;
     }
@@ -51740,6 +51819,8 @@ function reducer4(_state, action) {
       return { phase: "blocked", result: action.result, dgForce: action.dgForce };
     case "INCOMPLETE":
       return { phase: "incomplete", result: action.result, message: action.message, proceed: action.proceed };
+    case "REFUSED":
+      return { phase: "refused", result: action.result, message: action.message };
     case "INSTALLING":
       return { phase: "installing" };
     case "DONE":
@@ -51779,8 +51860,8 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
       try {
         if (!parsed.shouldScan) {
           dispatch({ type: "PASSTHROUGH" });
-          const code = await opts.runInstall(parsed.rawArgs);
-          dispatch({ type: "DONE", exitCode: code });
+          const code2 = await opts.runInstall(parsed.rawArgs);
+          dispatch({ type: "DONE", exitCode: code2 });
           return;
         }
         let specs;
@@ -51788,8 +51869,8 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
           specs = opts.inferSpecsFromContext(parsed);
           if (specs.length === 0) {
             dispatch({ type: "PASSTHROUGH" });
-            const code = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code });
+            const code2 = await opts.runInstall(parsed.rawArgs);
+            dispatch({ type: "DONE", exitCode: code2 });
             return;
           }
         } else {
@@ -51799,8 +51880,8 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
         const { resolved } = await opts.resolvePackages(specs);
         if (resolved.length === 0) {
           dispatch({ type: "PASSTHROUGH" });
-          const code = await opts.runInstall(parsed.rawArgs);
-          dispatch({ type: "DONE", exitCode: code });
+          const code2 = await opts.runInstall(parsed.rawArgs);
+          dispatch({ type: "DONE", exitCode: code2 });
           return;
         }
         const isRequirementsInstall = opts.ecosystem === "pypi" && (parsed.rawArgs.includes("-r") || parsed.rawArgs.includes("--requirement"));
@@ -51841,103 +51922,88 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
           const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
           const line = formatPassLine(result, chalk18);
           process.stderr.write("  " + line + "\n\n");
-          const code = await opts.runInstall(installArgs);
-          process.exit(code);
+          const code2 = await opts.runInstall(installArgs);
+          process.exit(code2);
           return;
         }
-        if (result.action === "warn") {
-          if (parsed.dgForce) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "warn",
-              trigger: "dg-force",
-              reason: parsed.dgForceReason,
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
-            });
-            dispatch({ type: "WARN", result, dgForce: true });
-            dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(installArgs);
-            dispatch({ type: "DONE", exitCode: code });
-            return;
-          }
-          dispatch({ type: "WARN", result, dgForce: false });
-          const shouldProceed = await new Promise((resolve3) => {
-            pendingInstall.current = () => resolve3(true);
-            rejectRef.current = () => resolve3(false);
+        const verdict = verdictFromResult(result);
+        const decision = routeVerdict({
+          verdict,
+          mode: config.mode,
+          strict: config.strict,
+          dgForce: parsed.dgForce
+        });
+        const bypassVerdict = decision.verdict === "block" ? "block" : "warn";
+        const recordBypass = async (trigger) => {
+          const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
+          recordBypassLocally2({
+            ecosystem: opts.ecosystem,
+            verdict: bypassVerdict,
+            trigger,
+            reason: trigger === "dg-force" ? parsed.dgForceReason : void 0,
+            packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
           });
-          if (shouldProceed) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "warn",
-              trigger: "interactive-confirm",
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
-            });
-            dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(installArgs);
-            dispatch({ type: "DONE", exitCode: code });
-          } else {
-            dispatch({ type: "DONE", exitCode: 1 });
+        };
+        const refusedMessage = () => {
+          const list = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+          if (decision.verdict === "block") {
+            return `DG blocked ${list}. Real install was NOT run. Re-run with --dg-force --dg-force-reason="<reason>" to override.`;
           }
-          return;
-        }
-        if (result.action === "block") {
-          if (parsed.dgForce) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "block",
-              trigger: "dg-force",
-              reason: parsed.dgForceReason,
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
-            });
-            dispatch({ type: "BLOCKED", result, dgForce: true });
-            dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(installArgs);
-            dispatch({ type: "DONE", exitCode: code });
-            return;
+          if (decision.verdict === "analysis_incomplete") {
+            return `DG could not fully analyze ${list} (analysis incomplete). Refusing in ${config.strict ? "--strict" : "--mode block"} \u2014 unverified is not safe. Use --mode warn or --dg-force to bypass.`;
           }
-          dispatch({ type: "BLOCKED", result, dgForce: false });
-          const shouldProceed = await new Promise((resolve3) => {
-            pendingInstall.current = () => resolve3(true);
-            rejectRef.current = () => resolve3(false);
-          });
-          if (shouldProceed) {
-            const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
-            recordBypassLocally2({
-              ecosystem: opts.ecosystem,
-              verdict: "block",
-              trigger: "interactive-confirm",
-              packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
+          return `DG flagged ${list}. Refusing in --strict. Use --mode warn or --dg-force to proceed.`;
+        };
+        const presenter = {
+          announce(d) {
+            if (d.outcome === "refuse") {
+              dispatch({ type: "REFUSED", result, message: refusedMessage() });
+              return;
+            }
+            switch (d.verdict) {
+              case "warn":
+                dispatch({ type: "WARN", result, dgForce: d.bypassed });
+                return;
+              case "block":
+                dispatch({ type: "BLOCKED", result, dgForce: d.bypassed });
+                return;
+              case "analysis_incomplete":
+                dispatch({ type: "INCOMPLETE", result, proceed: true, message: "DG could not fully analyze the install set (analysis incomplete)." });
+                return;
+              default:
+                return;
+            }
+          },
+          confirmProceed() {
+            return new Promise((resolve3) => {
+              pendingInstall.current = () => resolve3(true);
+              rejectRef.current = () => resolve3(false);
             });
+          },
+          async runInstall(args) {
             dispatch({ type: "INSTALLING" });
-            const code = await opts.runInstall(installArgs);
-            dispatch({ type: "DONE", exitCode: code });
-          } else {
-            dispatch({ type: "DONE", exitCode: 2 });
-          }
-          return;
-        }
-        {
-          const refuseHard = config.mode === "block" || config.strict;
-          const baseMsg = "DG could not fully analyze the install set (analysis incomplete).";
-          if (refuseHard && !parsed.dgForce) {
-            dispatch({
-              type: "INCOMPLETE",
-              result,
-              proceed: false,
-              message: `${baseMsg} Refusing install in ${config.strict ? "--strict" : "--mode block"} \u2014 unverified is not safe. Use --mode warn or --dg-force to bypass.`
-            });
-            dispatch({ type: "DONE", exitCode: 4 });
-            return;
+            return opts.runInstall(args);
+          },
+          async audit(kind) {
+            if (kind === "override") await recordBypass("dg-force");
+          },
+          onPromptAccepted: () => recordBypass("interactive-confirm"),
+          emit() {
           }
-          dispatch({ type: "INCOMPLETE", result, proceed: true, message: baseMsg });
-          dispatch({ type: "INSTALLING" });
-          const code = await opts.runInstall(installArgs);
-          dispatch({ type: "DONE", exitCode: code });
-          return;
-        }
+        };
+        const ctx = {
+          ecosystem: opts.ecosystem,
+          apiKind: opts.ecosystem,
+          installArgs,
+          passthroughArgs: parsed.rawArgs,
+          result,
+          resolved,
+          suppressedCount: 0,
+          dgForceReason: parsed.dgForceReason
+        };
+        const code = await executeDecision(decision, ctx, presenter);
+        dispatch({ type: "DONE", exitCode: code });
+        return;
       } catch (error) {
         if (error instanceof FreeCapReachedError) {
           dispatch({ type: "FREE_CAP_REACHED" });
@@ -51979,6 +52045,8 @@ var init_useWrapperBase = __esm({
     import_react37 = __toESM(require_react(), 1);
     init_client();
     init_wrapper_shared();
+    init_route();
+    init_run();
     init_npm_wrapper();
     init_pip_wrapper();
     NPM_OPTIONS = {
@@ -52388,9 +52456,10 @@ var init_WrapperApp = __esm({
         case "blocked":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Box_default, { flexDirection: "column", children: [
             /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: "block", dgForce: state.dgForce }),
-            showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) }),
-            !state.dgForce && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ConfirmPrompt, { message: "", onConfirm: handleConfirm, onReject: handleReject })
+            showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) })
           ] });
+        case "refused":
+          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
         case "incomplete":
           if (state.proceed) {
             return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { color: "yellow", children: [
@@ -52915,7 +52984,6 @@ async function resolveTopLevel5(parsed) {
     if (at <= 0) return s;
     return `${s.slice(0, at)}==${s.slice(at + 1)}`;
   });
-  void parsePipSpec;
   return await resolvePackages2(normalized);
 }
 async function resolveTransitive4(parsed) {
@@ -53044,10 +53112,6 @@ __export(wrapper_factory_exports, {
   runEcosystemWrapper: () => runEcosystemWrapper
 });
 import { spawn as spawn6 } from "node:child_process";
-function emitJson(config, result) {
-  if (!config.json) return;
-  process.stdout.write(JSON.stringify(result, null, 2) + "\n");
-}
 function shimSentinelEnv3() {
   return childInstallEnv();
 }
@@ -53110,7 +53174,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
       );
     }
-    emitJson(config, {
+    emitWrapperJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: [],
       scanVerdict: "scan_failed",
@@ -53167,7 +53231,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
       );
     }
-    emitJson(config, {
+    emitWrapperJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: [],
       scanVerdict: "scan_failed",
@@ -53198,7 +53262,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
 
 `)
       );
-      emitJson(config, {
+      emitWrapperJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: [],
         scanVerdict: "scan_failed",
@@ -53215,7 +53279,7 @@ async function runEcosystemWrapper(adapter7, args, config) {
 
 `)
       );
-      emitJson(config, {
+      emitWrapperJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: [],
         scanVerdict: "scan_failed",
@@ -53231,184 +53295,155 @@ async function runEcosystemWrapper(adapter7, args, config) {
 `)
       );
     }
-    const code2 = await spawnRealBinary(adapter7, installArgs);
-    emitJson(config, {
+    const code = await spawnRealBinary(adapter7, installArgs);
+    emitWrapperJson(config, {
       ecosystem: adapter7.ecosystem,
       packages: [],
       scanVerdict: "scan_failed",
       installRan: true,
-      installExitCode: code2,
+      installExitCode: code,
       error: { code: "scan_failed", message: err.message }
     });
-    return code2;
+    return code;
   }
   const allowlist = loadAllowlist(process.cwd());
   const { result: filteredResult, suppressedCount } = applyAllowlist(allowlist, result, adapter7.apiKind);
   result = filteredResult;
   const topLevelNames = new Set(resolved.map((p) => p.name));
-  if (result.action === "pass") {
-    const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
-    const passLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel.length} packages safe`;
-    const installLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
-    if (!config.json && !config.quiet) {
-      process.stderr.write(`${passLine}
+  const verdict = verdictFromResult(result);
+  const decision = routeVerdict({
+    verdict,
+    mode: config.mode,
+    strict: config.strict,
+    dgForce: parsed.dgForce
+  });
+  const ctx = {
+    ecosystem: adapter7.ecosystem,
+    apiKind: adapter7.apiKind,
+    installArgs,
+    passthroughArgs: parsed.rawArgs,
+    result,
+    resolved,
+    suppressedCount,
+    dgForceReason: parsed.dgForceReason,
+    error: verdict === "analysis_incomplete" && decision.outcome === "refuse" ? { code: "analysis_incomplete", message: "scanner could not fully analyze the install set" } : void 0
+  };
+  const presenter = {
+    announce(d) {
+      switch (d.verdict) {
+        case "pass": {
+          if (config.json || config.quiet) return;
+          const topLevel = resolved.map((p) => `${p.name} ${p.version}`);
+          const passLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel[0]} is safe` : `  ${import_chalk19.default.green("\u2713")} ${import_chalk19.default.bold("DG verified:")} ${topLevel.length} packages safe`;
+          const installLine = topLevel.length === 1 ? `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel[0]}` : `  ${import_chalk19.default.green("\u2713")} Installing ${topLevel.join(", ")}`;
+          process.stderr.write(`${passLine}
 ${installLine}
 `);
-      if (suppressedCount > 0) {
-        process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
+          if (suppressedCount > 0) {
+            process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
 `));
-      }
-      process.stderr.write("\n");
-    }
-    const code2 = await spawnRealBinary(adapter7, installArgs);
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "pass",
-      installRan: true,
-      installExitCode: code2,
-      suppressedByAllowlist: suppressedCount > 0 ? suppressedCount : void 0
-    });
-    return code2;
-  }
-  if (result.action === "warn") {
-    if (!config.json && !config.quiet) {
-      const topLevelList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-      process.stderr.write(`  ${import_chalk19.default.yellow("\u26A0")} ${import_chalk19.default.bold("DG flagged")} ${topLevelList}.
+          }
+          process.stderr.write("\n");
+          return;
+        }
+        case "warn": {
+          if (config.json || config.quiet) return;
+          const topLevelList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+          process.stderr.write(`  ${import_chalk19.default.yellow("\u26A0")} ${import_chalk19.default.bold("DG flagged")} ${topLevelList}.
 `);
-      const blockedPkgs = result.packages.filter((p) => derivePackageActionPublic(p) === "warn");
-      for (const p of blockedPkgs.slice(0, 5)) {
-        if (p.findings && p.findings.length > 0) {
-          for (const f of p.findings.slice(0, 3)) {
-            process.stderr.write(import_chalk19.default.dim(`    \u2022 ${f.title ?? "finding"}
+          const flaggedPkgs = result.packages.filter((p) => derivePackageActionPublic(p) === "warn");
+          for (const p of flaggedPkgs.slice(0, 5)) {
+            if (p.findings && p.findings.length > 0) {
+              for (const f of p.findings.slice(0, 3)) {
+                process.stderr.write(import_chalk19.default.dim(`    \u2022 ${f.title ?? "finding"}
+`));
+              }
+            }
+          }
+          if (suppressedCount > 0) {
+            process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} additional finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
 `));
           }
+          return;
         }
-      }
-      if (suppressedCount > 0) {
-        process.stderr.write(import_chalk19.default.dim(`  (${suppressedCount} additional finding${suppressedCount === 1 ? "" : "s"} suppressed by .dg-allowlist.json)
+        case "block": {
+          if (d.outcome === "install") {
+            if (!config.json && !config.quiet) {
+              process.stderr.write(import_chalk19.default.yellow.bold(`  --dg-force: bypassing block. Install at your own risk.
+
 `));
+            }
+          } else if (!config.json) {
+            const blockedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+            process.stderr.write(
+              `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG blocked")} ${blockedList}.
+  Real install was NOT run. To override:
+` + import_chalk19.default.dim(`    ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force --dg-force-reason="<reason>"
+
+`)
+            );
+          }
+          return;
+        }
+        case "analysis_incomplete": {
+          const list = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
+          if (d.outcome === "refuse") {
+            if (!config.json) {
+              process.stderr.write(
+                `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG could not verify")} ${list} \u2014 analysis incomplete.
+` + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing install (unverified is not safe). Use --mode warn or --dg-force to bypass.
+
+`)
+              );
+            }
+          } else if (!config.json && !config.quiet) {
+            process.stderr.write(
+              import_chalk19.default.yellow(`  \u26A0 DG could not fully verify ${list} (analysis incomplete). Proceeding with install (mode=${config.mode}).
+`)
+            );
+          }
+          return;
+        }
+        default:
+          return;
+      }
+    },
+    async confirmProceed() {
+      if (!(process.stderr.isTTY && !process.env.CI && !config.json)) {
+        if (!config.json && !config.quiet) process.stderr.write(import_chalk19.default.dim("  Proceeding (non-interactive).\n"));
+        return true;
       }
-    }
-    if (process.stderr.isTTY && !process.env.CI && !config.json) {
       const { promptYesNo: promptYesNo2 } = await Promise.resolve().then(() => (init_prompt(), prompt_exports));
       const proceed = await promptYesNo2({ defaultAnswer: "y", message: "  Proceed?" });
-      if (!proceed) {
-        process.stderr.write(import_chalk19.default.dim("  Install cancelled by user.\n\n"));
-        emitJson(config, {
-          ecosystem: adapter7.ecosystem,
-          packages: packagesFromResult(result, topLevelNames),
-          scanVerdict: "warn",
-          installRan: false,
-          installExitCode: null
-        });
-        return 1;
-      }
-    } else if (!config.json && !config.quiet) {
-      process.stderr.write(import_chalk19.default.dim("  Proceeding (non-interactive).\n"));
-    }
-    const code2 = await spawnRealBinary(adapter7, installArgs);
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "warn",
-      installRan: true,
-      installExitCode: code2,
-      suppressedByAllowlist: suppressedCount > 0 ? suppressedCount : void 0
-    });
-    return code2;
-  }
-  if (result.action === "block") {
-    if (parsed.dgForce) {
+      if (!proceed) process.stderr.write(import_chalk19.default.dim("  Install cancelled by user.\n\n"));
+      return proceed;
+    },
+    runInstall: (args2) => spawnRealBinary(adapter7, args2),
+    async audit(kind) {
       try {
         await dispatchInstallAudit({
           ecosystem: adapter7.apiKind,
           packages: result.packages,
-          decisionAction: "override",
-          bypassed: true,
-          bypassReason: parsed.dgForceReason
+          decisionAction: kind,
+          bypassed: kind === "override",
+          bypassReason: kind === "override" ? parsed.dgForceReason : void 0
         });
       } catch {
       }
-      if (!config.json && !config.quiet) {
-        process.stderr.write(import_chalk19.default.yellow.bold(`  --dg-force: bypassing block. Install at your own risk.
-
-`));
-      }
-      const code2 = await spawnRealBinary(adapter7, installArgs);
-      emitJson(config, {
+    },
+    emit(record) {
+      emitWrapperJson(config, {
         ecosystem: adapter7.ecosystem,
         packages: packagesFromResult(result, topLevelNames),
-        scanVerdict: "override",
-        installRan: true,
-        installExitCode: code2
-      });
-      return code2;
-    }
-    try {
-      await dispatchInstallAudit({
-        ecosystem: adapter7.apiKind,
-        packages: result.packages,
-        decisionAction: "block",
-        bypassed: false
+        scanVerdict: record.scanVerdict,
+        installRan: record.installRan,
+        installExitCode: record.installExitCode,
+        error: record.error,
+        suppressedByAllowlist: record.suppressedByAllowlist
       });
-    } catch {
     }
-    const blockedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-    if (!config.json) {
-      process.stderr.write(
-        `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG blocked")} ${blockedList}.
-  Real install was NOT run. To override:
-` + import_chalk19.default.dim(`    ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force --dg-force-reason="<reason>"
-
-`)
-      );
-    }
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "block",
-      installRan: false,
-      installExitCode: null
-    });
-    return 2;
-  }
-  const refuseHard = config.mode === "block" || config.strict;
-  const unverifiedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-  if (refuseHard && !parsed.dgForce) {
-    if (!config.json) {
-      process.stderr.write(
-        `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG could not verify")} ${unverifiedList} \u2014 analysis incomplete.
-` + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing install (unverified is not safe). Use --mode warn or --dg-force to bypass.
-
-`)
-      );
-    }
-    emitJson(config, {
-      ecosystem: adapter7.ecosystem,
-      packages: packagesFromResult(result, topLevelNames),
-      scanVerdict: "analysis_incomplete",
-      installRan: false,
-      installExitCode: null,
-      error: { code: "analysis_incomplete", message: "scanner could not fully analyze the install set" }
-    });
-    return 4;
-  }
-  if (!config.json && !config.quiet) {
-    process.stderr.write(
-      import_chalk19.default.yellow(`  \u26A0 DG could not fully verify ${unverifiedList} (analysis incomplete). Proceeding with install (mode=${config.mode}).
-`)
-    );
-  }
-  const code = await spawnRealBinary(adapter7, installArgs);
-  emitJson(config, {
-    ecosystem: adapter7.ecosystem,
-    packages: packagesFromResult(result, topLevelNames),
-    scanVerdict: "analysis_incomplete",
-    installRan: true,
-    installExitCode: code
-  });
-  return code;
+  };
+  return await executeDecision(decision, ctx, presenter);
 }
 var import_chalk19;
 var init_wrapper_factory = __esm({
@@ -53423,6 +53458,9 @@ var init_wrapper_factory = __esm({
     init_wrapper_shared();
     init_npm_wrapper();
     init_pip_wrapper();
+    init_route();
+    init_run();
+    init_json();
   }
 });