@westbayberry/dg 1.2.1 → 1.3.1

package/dist/index.mjs

@@ -2568,9 +2568,9 @@ function loadDgrc() {
 `);
     }
   }
-  if (cwdPath !== homePath && existsSync2(cwdPath) && process.env.DG_QUIET !== "1") {
+  if (cwdPath !== homePath && existsSync2(cwdPath)) {
     process.stderr.write(
-      `dg: note: ./.dgrc.json is ignored (repo-controlled config is no longer honored). Use ~/.dg/.dgrc.json, env vars (DG_MODE, DG_API_URL), or CLI flags.
+      `dg: note: ./.dgrc.json is ignored (repo-controlled config is no longer honored). Use ~/.dg/.dgrc.json or CLI flags.
 `
     );
   }
@@ -2668,7 +2668,7 @@ function parseConfig(argv, strictFlags = true) {
   const apiKey = dgrc.apiKey && typeof dgrc.apiKey === "string" && (dgrc.apiKey.startsWith("dg_live_") || dgrc.apiKey.startsWith("dg_test_")) ? dgrc.apiKey : null;
   const isProtectiveWrapper = command === "npm" || command === "pip";
   const defaultMode = isProtectiveWrapper ? "block" : "warn";
-  const modeRaw = values.mode ?? process.env.DG_MODE ?? dgrc.mode ?? defaultMode;
+  const modeRaw = values.mode ?? dgrc.mode ?? defaultMode;
   if (!["block", "warn", "off"].includes(modeRaw)) {
     process.stderr.write(
       `Error: Invalid mode "${modeRaw}". Must be block, warn, or off.
@@ -2696,7 +2696,7 @@ function parseConfig(argv, strictFlags = true) {
     sarif: values.sarif || false,
     scanAll: !values["changed-only"],
     baseLockfile: values["base-lockfile"] ?? null,
-    workspace: values.workspace ?? process.env.DG_WORKSPACE ?? null,
+    workspace: values.workspace ?? null,
     outputFile: values.output ?? null,
     command,
     debug,
@@ -2705,7 +2705,6 @@ function parseConfig(argv, strictFlags = true) {
     quiet: (() => {
       if (values["no-quiet"]) return false;
       if (values.quiet) return true;
-      if (process.env.DG_QUIET === "1") return true;
       if (process.env.CI === "1" || process.env.CI === "true") return true;
       return false;
     })(),
@@ -2814,8 +2813,7 @@ var init_config = __esm({
     --api-url <url>          API base URL (default: https://api.westbayberry.com)
 
   Install-wrapper flags (work on \`npm install\`, \`pip install\`, etc.):
-    --dg-force               Bypass a block (audit-visible \u2014 record it)
-    --dg-force-reason "..."  Reason recorded with the override
+    --dg-force               Bypass a block (audit-visible)
     --dg-no-scripts          Add \`--ignore-scripts\` to the real install
     --strict                 Strongest protection: implies --dg-no-scripts and
                              refuses any partial-coverage scan
@@ -2824,16 +2822,11 @@ var init_config = __esm({
     DG_API_KEY               CI auth token (dg_live_* or dg_test_*).
                              Used when ~/.dg/config.json is absent.
                              File beats env if both are present.
-    DG_API_URL               API base URL
-    DG_MODE                  Mode (block | warn | off)
-    DG_DEBUG=1               Enable debug output
-    DG_QUIET=1               Same as passing --quiet
-    DG_WORKSPACE             Workspace subdirectory to scan
-    DG_TELEMETRY=0           Opt out of anonymous crash reports (on by default; DO_NOT_TRACK=1 also opts out)
-    DG_FORCE_POSTINSTALL=1   Force postinstall to run even outside a TTY
-                             (useful for re-running setup manually)
+    DG_TELEMETRY=0           Opt out of anonymous crash reports (on by default;
+                             DO_NOT_TRACK=1 also opts out)
     DG_NO_RC_EDIT=1          Postinstall installs shims but does not edit
                              shell rc files; you set PATH yourself
+    NO_COLOR=1               Disable colored output
     CI=1                     Auto-enables --ci output mode + --quiet
 
   Exit Codes:
@@ -2850,8 +2843,8 @@ var init_config = __esm({
       if the verdict permits. Top-level versions are pinned to the
       exact version we scanned (TOCTOU defense).
     - Warn verdict in a TTY: shows findings and prompts \`Proceed? (Y/n)\`.
-    - Block verdict: refuses install, prints the override command.
-      Override always requires \`--dg-force-reason\`.
+    - Block verdict: refuses install, prints the override command
+      (re-run with \`--dg-force\` to install anyway).
     - Read-only subcommands (npm view, pip show, pnpm list, etc.) skip
       the wrapper entirely \u2014 fast pass-through to the real binary.
     - \`dg scan\` is read-only and never blocks. It does not consume
@@ -2864,7 +2857,7 @@ var init_config = __esm({
     bun add some-pkg
     uv pip install numpy
     pipx install black
-    npm install risky-pkg --dg-force --dg-force-reason="emergency hotfix"
+    npm install risky-pkg --dg-force
     dg scan --json | jq                     # CI-friendly
     dg status                               # see what's protected
 `.trimStart();
@@ -4006,7 +3999,6 @@ dg publish-check \u2014 scan a package about to be published
 
 Usage:
   dg publish-check [--ecosystem npm|pypi] [--json] [--dg-force]
-                   [--dg-force-reason <text>]
 
 What it does:
   Scans the package artifact you're about to publish for bundled secrets,
@@ -4018,7 +4010,6 @@ Flags:
   --ecosystem <npm|pypi>    Force ecosystem detection
   --json                    JSON output to stdout
   --dg-force                Bypass block verdict (audited)
-  --dg-force-reason <text>  Reason string stored with override
 
 Exit codes:
   0  pass    No risks detected
@@ -14039,7 +14030,7 @@ var require_react_reconciler_development = __commonJS({
         var HostPortal = 4;
         var HostComponent = 5;
         var HostText = 6;
-        var Fragment6 = 7;
+        var Fragment7 = 7;
         var Mode = 8;
         var ContextConsumer = 9;
         var ContextProvider = 10;
@@ -14179,7 +14170,7 @@ var require_react_reconciler_development = __commonJS({
               return "DehydratedFragment";
             case ForwardRef:
               return getWrappedName$1(type, type.render, "ForwardRef");
-            case Fragment6:
+            case Fragment7:
               return "Fragment";
             case HostComponent:
               return type;
@@ -17313,7 +17304,7 @@ var require_react_reconciler_development = __commonJS({
             }
           }
           function updateFragment2(returnFiber, current2, fragment, lanes, key) {
-            if (current2 === null || current2.tag !== Fragment6) {
+            if (current2 === null || current2.tag !== Fragment7) {
               var created = createFiberFromFragment(fragment, returnFiber.mode, lanes, key);
               created.return = returnFiber;
               return created;
@@ -17716,7 +17707,7 @@ var require_react_reconciler_development = __commonJS({
               if (child.key === key) {
                 var elementType = element.type;
                 if (elementType === REACT_FRAGMENT_TYPE) {
-                  if (child.tag === Fragment6) {
+                  if (child.tag === Fragment7) {
                     deleteRemainingChildren(returnFiber, child.sibling);
                     var existing = useFiber(child, element.props.children);
                     existing.return = returnFiber;
@@ -23207,7 +23198,7 @@ var require_react_reconciler_development = __commonJS({
               var _resolvedProps2 = workInProgress2.elementType === type ? _unresolvedProps2 : resolveDefaultProps(type, _unresolvedProps2);
               return updateForwardRef(current2, workInProgress2, type, _resolvedProps2, renderLanes2);
             }
-            case Fragment6:
+            case Fragment7:
               return updateFragment(current2, workInProgress2, renderLanes2);
             case Mode:
               return updateMode(current2, workInProgress2, renderLanes2);
@@ -23644,7 +23635,7 @@ var require_react_reconciler_development = __commonJS({
             case SimpleMemoComponent:
             case FunctionComponent:
             case ForwardRef:
-            case Fragment6:
+            case Fragment7:
             case Mode:
             case Profiler:
             case ContextConsumer:
@@ -28412,7 +28403,7 @@ var require_react_reconciler_development = __commonJS({
           return fiber;
         }
         function createFiberFromFragment(elements, mode, lanes, key) {
-          var fiber = createFiber(Fragment6, elements, key, mode);
+          var fiber = createFiber(Fragment7, elements, key, mode);
           fiber.lanes = lanes;
           return fiber;
         }
@@ -42587,6 +42578,24 @@ var init_lockfile = __esm({
 });
 
 // src/commands/wrapper-shared.ts
+import { spawn as spawn2 } from "node:child_process";
+function spawnTrimmed(bin, args, env3) {
+  return new Promise((resolve3) => {
+    const child = spawn2(bin, args, { stdio: ["inherit", "pipe", "pipe"], shell: false, env: { ...env3, FORCE_COLOR: "1" } });
+    let buf = "";
+    const onData = (c) => {
+      buf += c.toString();
+    };
+    child.stdout?.on("data", onData);
+    child.stderr?.on("data", onData);
+    child.on("error", () => resolve3(1));
+    child.on("close", (code) => {
+      const lines = buf.split("\n").filter((l) => l.replace(ANSI_RE, "").trim() !== "");
+      if (lines.length) process.stdout.write(lines.join("\n") + "\n");
+      resolve3(code ?? 1);
+    });
+  });
+}
 function injectIgnoreScripts(args, opts) {
   if (!opts.isNpmFamily) return args;
   if (!(opts.strict || opts.dgNoScripts)) return args;
@@ -42595,7 +42604,6 @@ function injectIgnoreScripts(args, opts) {
 }
 function stripDgFlags(args) {
   let dgForce = false;
-  let dgForceReason;
   let dgNoScripts = false;
   const filtered = [];
   for (let i = 0; i < args.length; i++) {
@@ -42604,15 +42612,6 @@ function stripDgFlags(args) {
       dgForce = true;
       continue;
     }
-    if (arg === "--dg-force-reason") {
-      dgForceReason = (args[i + 1] ?? "").slice(0, 500);
-      i++;
-      continue;
-    }
-    if (arg.startsWith("--dg-force-reason=")) {
-      dgForceReason = arg.slice("--dg-force-reason=".length).slice(0, 500);
-      continue;
-    }
     if (arg === "--dg-no-scripts") {
       dgNoScripts = true;
       continue;
@@ -42632,12 +42631,13 @@ function stripDgFlags(args) {
     if (consumed) continue;
     filtered.push(arg);
   }
-  return { filtered, dgForce, dgForceReason, dgNoScripts };
+  return { filtered, dgForce, dgNoScripts };
 }
-var DG_VALUE_FLAGS, DG_BOOLEAN_FLAGS;
+var ANSI_RE, DG_VALUE_FLAGS, DG_BOOLEAN_FLAGS;
 var init_wrapper_shared = __esm({
   "src/commands/wrapper-shared.ts"() {
     "use strict";
+    ANSI_RE = /\x1b\[[0-9;]*m/g;
     DG_VALUE_FLAGS = /* @__PURE__ */ new Set([
       "--mode",
       "--api-url",
@@ -42646,6 +42646,8 @@ var init_wrapper_shared = __esm({
       "--workspace",
       "--output",
       "-o",
+      // Removed flag: still consumed (with its value) so a legacy invocation is
+      // silently stripped rather than leaking to the real installer as a package.
       "--dg-force-reason"
     ]);
     DG_BOOLEAN_FLAGS = /* @__PURE__ */ new Set([
@@ -42663,7 +42665,7 @@ var init_wrapper_shared = __esm({
 });
 
 // src/commands/npm-wrapper.ts
-import { spawn as spawn2 } from "node:child_process";
+import { spawn as spawn3 } from "node:child_process";
 import { readFileSync as readFileSync9, existsSync as existsSync12, mkdtempSync, writeFileSync as writeFileSync8, rmSync } from "node:fs";
 import { join as join7 } from "node:path";
 import { tmpdir } from "node:os";
@@ -42678,7 +42680,7 @@ function shimSentinelEnv() {
   return childInstallEnv();
 }
 function parseNpmArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS.has(command);
   const packages = [];
@@ -42699,7 +42701,6 @@ function parseNpmArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -42755,7 +42756,7 @@ async function resolveVersion(spec) {
     return null;
   }
   return new Promise((resolve3) => {
-    const child = spawn2(realNpmBinary(), ["view", spec, "version", "--json"], {
+    const child = spawn3(realNpmBinary(), ["view", spec, "version", "--json"], {
       stdio: ["pipe", "pipe", "pipe"],
       env: shimSentinelEnv()
     });
@@ -42831,9 +42832,12 @@ async function resolvePackages(specs) {
   return { resolved, failed };
 }
 function runNpm(args, opts) {
+  if (opts?.trim) {
+    return spawnTrimmed(realNpmBinary(), args, shimSentinelEnv());
+  }
   return new Promise((resolve3) => {
     const stdio = opts?.stdoutToStderr ? ["inherit", "pipe", "inherit"] : ["inherit", "inherit", "inherit"];
-    const child = spawn2(realNpmBinary(), args, { stdio, shell: false, env: shimSentinelEnv() });
+    const child = spawn3(realNpmBinary(), args, { stdio, shell: false, env: shimSentinelEnv() });
     if (opts?.stdoutToStderr && child.stdout) {
       child.stdout.on("data", (chunk) => {
         process.stderr.write(chunk);
@@ -42853,7 +42857,7 @@ async function resolveTreeNpm(specs) {
   try {
     writeFileSync8(join7(dir, "package.json"), '{"name":"_dg_resolve","version":"1.0.0","private":true}');
     const stdout = await new Promise((resolve3) => {
-      const child = spawn2(
+      const child = spawn3(
         realNpmBinary(),
         [
           "install",
@@ -43013,10 +43017,10 @@ var init_npm_wrapper = __esm({
 });
 
 // src/commands/pip-wrapper.ts
-import { spawn as spawn3 } from "node:child_process";
+import { spawn as spawn4 } from "node:child_process";
 import { existsSync as existsSync13 } from "node:fs";
 function parsePipArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS2.has(command);
   const packages = [];
@@ -43043,7 +43047,6 @@ function parsePipArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan,
     requirementsFile
@@ -43215,7 +43218,7 @@ async function detectPipBinary() {
     try {
       const parts = cmd.split(" ");
       const code = await new Promise((resolve3) => {
-        const child = spawn3(parts[0], [...parts.slice(1), "--version"], {
+        const child = spawn4(parts[0], [...parts.slice(1), "--version"], {
           stdio: ["pipe", "pipe", "pipe"],
           timeout: 5e3,
           env: shimSentinelEnv2()
@@ -43234,9 +43237,12 @@ async function detectPipBinary() {
 async function runPip(args, opts) {
   const pipCmd = await detectPipBinary();
   const parts = pipCmd.split(" ");
+  if (opts?.trim) {
+    return spawnTrimmed(parts[0], [...parts.slice(1), ...args], shimSentinelEnv2());
+  }
   return new Promise((resolve3) => {
     const stdio = opts?.stdoutToStderr ? ["inherit", "pipe", "inherit"] : ["inherit", "inherit", "inherit"];
-    const child = spawn3(parts[0], [...parts.slice(1), ...args], { stdio, shell: false, env: shimSentinelEnv2() });
+    const child = spawn4(parts[0], [...parts.slice(1), ...args], { stdio, shell: false, env: shimSentinelEnv2() });
     if (opts?.stdoutToStderr && child.stdout) {
       child.stdout.on("data", (chunk) => {
         process.stderr.write(chunk);
@@ -43251,7 +43257,7 @@ async function pipVersion() {
     const pipCmd = await detectPipBinary();
     const parts = pipCmd.split(" ");
     return await new Promise((resolve3) => {
-      const child = spawn3(parts[0], [...parts.slice(1), "--version"], {
+      const child = spawn4(parts[0], [...parts.slice(1), "--version"], {
         stdio: ["pipe", "pipe", "pipe"],
         timeout: 5e3,
         env: shimSentinelEnv2()
@@ -43309,7 +43315,7 @@ async function resolveTreePip(specs) {
   const pipCmd = await detectPipBinary();
   const parts = pipCmd.split(" ");
   const runDryRun = (extraFlags) => new Promise((resolve3) => {
-    const child = spawn3(
+    const child = spawn4(
       parts[0],
       [
         ...parts.slice(1),
@@ -44955,7 +44961,6 @@ async function dispatchPublishCheckAudit(opts) {
         score: opts.score,
         action: opts.decisionAction,
         bypassed: opts.bypassed,
-        bypass_reason: opts.bypassReason,
         event_kind: "publish_check"
       },
       { apiUrl: opts.apiUrl }
@@ -44977,7 +44982,6 @@ function recordBypassLocally(record) {
       ecosystem: record.ecosystem,
       verdict: record.verdict,
       trigger: record.trigger,
-      reason: record.reason,
       packages: record.packages
     };
     appendFileSync3(path, JSON.stringify(full) + "\n", { mode: 384 });
@@ -45000,7 +45004,6 @@ async function dispatchInstallAudit(opts) {
             score: p.score,
             action: opts.decisionAction,
             bypassed: opts.bypassed,
-            bypass_reason: opts.bypassReason,
             project_hash: opts.projectHash
           },
           { apiUrl: opts.apiUrl }
@@ -45815,21 +45818,19 @@ ${installLine}
           const blockedSpecArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : topLevel.split(", ").map((s) => s.replace(/ /g, "@")).join(" ");
           process.stderr.write(
             `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevel}.
-  Real install was NOT run. To override:
-` + import_chalk5.default.dim(`    npm install ${blockedSpecArg} --dg-force --dg-force-reason="<reason>"
+  ${import_chalk5.default.dim(`install anyway: npm install ${blockedSpecArg} --dg-force`)}
 
-`)
+`
           );
         }
       } else if (d.verdict === "analysis_incomplete") {
         if (d.outcome === "refuse") {
           const specArg = topLevelSpecs.length > 0 ? topLevelSpecs.join(" ") : resolved.map((p) => `${p.name}@${p.version}`).join(" ");
           process.stderr.write(
-            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
-  Real install was NOT run (--mode block). To override:
-` + import_chalk5.default.dim(`    npm install ${specArg} --dg-force --dg-force-reason="<reason>"
+            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG couldn't verify")} ${topLevel} \u2014 unverified, not safe.
+  ${import_chalk5.default.dim(`install anyway: npm install ${specArg} --dg-force`)}
 
-`)
+`
           );
         } else {
           process.stderr.write(import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
@@ -45851,8 +45852,7 @@ ${installLine}
         ecosystem: "npm",
         packages: result.packages,
         decisionAction: kind,
-        bypassed: kind === "override",
-        bypassReason: kind === "override" ? parsed.dgForceReason : void 0
+        bypassed: kind === "override"
       });
     },
     emit(record) {
@@ -45873,8 +45873,7 @@ ${installLine}
     passthroughArgs: parsed.rawArgs,
     result,
     resolved,
-    suppressedCount: 0,
-    dgForceReason: parsed.dgForceReason
+    suppressedCount: 0
   };
   process.exit(await executeDecision(npmDecision, npmCtx, npmPresenter));
 }
@@ -46072,21 +46071,19 @@ ${installLine}
           const pipBlockedSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
           process.stderr.write(
             `  ${import_chalk5.default.red("\u2717")} ${import_chalk5.default.bold("DG blocked")} ${topLevel}.
-  Real install was NOT run. To override:
-` + import_chalk5.default.dim(`    pip install ${pipBlockedSpecArg} --dg-force --dg-force-reason="<reason>"
+  ${import_chalk5.default.dim(`install anyway: pip install ${pipBlockedSpecArg} --dg-force`)}
 
-`)
+`
           );
         }
       } else if (d.verdict === "analysis_incomplete") {
         if (d.outcome === "refuse") {
           const pipSpecArg = resolved.map((p) => `${p.name}==${p.version}`).join(" ");
           process.stderr.write(
-            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG could not verify")} ${topLevel} \u2014 treating as unverified, not safe.
-  Real install was NOT run (--mode block). To override:
-` + import_chalk5.default.dim(`    pip install ${pipSpecArg} --dg-force --dg-force-reason="<reason>"
+            `  ${import_chalk5.default.cyan("?")} ${import_chalk5.default.bold("DG couldn't verify")} ${topLevel} \u2014 unverified, not safe.
+  ${import_chalk5.default.dim(`install anyway: pip install ${pipSpecArg} --dg-force`)}
 
-`)
+`
           );
         } else {
           process.stderr.write(import_chalk5.default.dim(`  DG could not fully verify ${topLevel}; proceeding (mode is not block).
@@ -46108,8 +46105,7 @@ ${installLine}
         ecosystem: "pypi",
         packages: result.packages,
         decisionAction: kind,
-        bypassed: kind === "override",
-        bypassReason: kind === "override" ? parsed.dgForceReason : void 0
+        bypassed: kind === "override"
       });
     },
     emit(record) {
@@ -46130,8 +46126,7 @@ ${installLine}
     passthroughArgs: parsed.rawArgs,
     result,
     resolved,
-    suppressedCount: 0,
-    dgForceReason: parsed.dgForceReason
+    suppressedCount: 0
   };
   process.exit(await executeDecision(pipDecision, pipCtx, pipPresenter));
 }
@@ -46262,7 +46257,8 @@ var init_static_output = __esm({
 var status_exports = {};
 __export(status_exports, {
   collectStatusSnapshot: () => collectStatusSnapshot,
-  handleStatusCommand: () => handleStatusCommand
+  handleStatusCommand: () => handleStatusCommand,
+  renderStatusHuman: () => renderStatusHuman
 });
 import { existsSync as existsSync18, readFileSync as readFileSync12 } from "node:fs";
 import { join as join11 } from "node:path";
@@ -46322,6 +46318,7 @@ async function collectStatusSnapshot(cliVersion2) {
     };
   });
   const engineResolvable = isEngineResolvable();
+  const dirOnPath = (process.env.PATH ?? "").split(":").includes(shimDir2);
   const pythonHooks = readPythonReceipt();
   const cwd2 = process.cwd();
   const hookPart = { installed: false };
@@ -46353,7 +46350,7 @@ async function collectStatusSnapshot(cliVersion2) {
   }
   return {
     auth: authPart,
-    shims: { rows: shimRows, engineResolvable },
+    shims: { rows: shimRows, engineResolvable, dirOnPath },
     pythonHooks,
     hook: hookPart,
     update: updatePart
@@ -46403,6 +46400,11 @@ async function renderStatusHuman(s) {
   if (protectedRows.length > 0 && !s.shims.engineResolvable) {
     protectedGlyph = chalk18.yellow("!");
     protectedLine = `${protectedRows.join(", ")} \u2014 engine unresolved, installs pass through unscanned (run \`dg status\` to repair)`;
+  } else if (protectedRows.length > 0 && !s.shims.dirOnPath) {
+    const shell = process.env.SHELL ?? "";
+    const rcHint = shell.includes("zsh") ? "~/.zshrc" : shell.includes("bash") ? "~/.bashrc" : "your shell rc";
+    protectedGlyph = chalk18.yellow("!");
+    protectedLine = `wired but not active in this shell \u2014 run \`source ${rcHint}\` or open a new terminal (installs here run unscanned until you do)`;
   } else if (missingRows.length === 0) {
     protectedGlyph = chalk18.green("\u2713");
     protectedLine = protectedRows.join(", ");
@@ -48749,7 +48751,7 @@ __export(publish_check_exports, {
   scanPayload: () => scanPayload,
   summarize: () => summarize
 });
-import { spawn as spawn4 } from "node:child_process";
+import { spawn as spawn5 } from "node:child_process";
 import { readFileSync as readFileSync13, existsSync as existsSync19, readdirSync as readdirSync3 } from "node:fs";
 import { join as join12, basename as basename2 } from "node:path";
 import { createGunzip } from "node:zlib";
@@ -48761,7 +48763,7 @@ function sanitizeSnippet(s, max = 40) {
 }
 async function npmPackDryRun(cwd2 = process.cwd()) {
   return new Promise((resolve3) => {
-    const child = spawn4("npm", ["pack", "--dry-run", "--json"], {
+    const child = spawn5("npm", ["pack", "--dry-run", "--json"], {
       cwd: cwd2,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -51805,24 +51807,18 @@ var init_readonly = __esm({
 // src/ui/hooks/useWrapperBase.ts
 function reducer4(_state, action) {
   switch (action.type) {
-    case "PASSTHROUGH":
-      return { phase: "passthrough" };
     case "RESOLVING":
       return { phase: "resolving", count: action.count };
     case "SCANNING":
       return { phase: "scanning", count: action.count };
-    case "PASS":
-      return { phase: "pass", count: action.count, result: action.result };
     case "WARN":
-      return { phase: "warn", result: action.result, dgForce: action.dgForce };
-    case "BLOCKED":
-      return { phase: "blocked", result: action.result, dgForce: action.dgForce };
-    case "INCOMPLETE":
-      return { phase: "incomplete", result: action.result, message: action.message, proceed: action.proceed };
+      return { phase: "warn", result: action.result };
     case "REFUSED":
-      return { phase: "refused", result: action.result, message: action.message };
+      return { phase: "refused", result: action.result, verdict: action.verdict, cmd: action.cmd, exitCode: action.exitCode };
+    case "DECLINED":
+      return { phase: "declined", line: action.line, exitCode: action.exitCode };
     case "INSTALLING":
-      return { phase: "installing" };
+      return { phase: "installing", line: action.line };
     case "DONE":
       return { phase: "done", exitCode: action.exitCode };
     case "ERROR":
@@ -51831,12 +51827,17 @@ function reducer4(_state, action) {
       return { phase: "free_cap_reached" };
   }
 }
-function useInstallWrapper(rawArgs, config, opts, exit) {
+function useInstallWrapper(rawArgs, config, opts, handoff) {
   const [state, dispatch] = (0, import_react37.useReducer)(reducer4, { phase: "resolving", count: 0 });
   const started = (0, import_react37.useRef)(false);
   const parsedRef = (0, import_react37.useRef)(opts.parseArgs(rawArgs));
   const pendingInstall = (0, import_react37.useRef)(null);
   const rejectRef = (0, import_react37.useRef)(null);
+  const ho = handoff ?? { install: null };
+  const requestInstall = (args, line) => {
+    ho.install = { run: opts.runInstall, args };
+    dispatch({ type: "INSTALLING", line });
+  };
   const confirmInstall = () => {
     if (pendingInstall.current) {
       pendingInstall.current();
@@ -51859,18 +51860,14 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
     (async () => {
       try {
         if (!parsed.shouldScan) {
-          dispatch({ type: "PASSTHROUGH" });
-          const code2 = await opts.runInstall(parsed.rawArgs);
-          dispatch({ type: "DONE", exitCode: code2 });
+          requestInstall(parsed.rawArgs, null);
           return;
         }
         let specs;
         if (parsed.packages.length === 0) {
           specs = opts.inferSpecsFromContext(parsed);
           if (specs.length === 0) {
-            dispatch({ type: "PASSTHROUGH" });
-            const code2 = await opts.runInstall(parsed.rawArgs);
-            dispatch({ type: "DONE", exitCode: code2 });
+            requestInstall(parsed.rawArgs, null);
             return;
           }
         } else {
@@ -51879,9 +51876,7 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
         dispatch({ type: "RESOLVING", count: specs.length });
         const { resolved } = await opts.resolvePackages(specs);
         if (resolved.length === 0) {
-          dispatch({ type: "PASSTHROUGH" });
-          const code2 = await opts.runInstall(parsed.rawArgs);
-          dispatch({ type: "DONE", exitCode: code2 });
+          requestInstall(parsed.rawArgs, null);
           return;
         }
         const isRequirementsInstall = opts.ecosystem === "pypi" && (parsed.rawArgs.includes("-r") || parsed.rawArgs.includes("--requirement"));
@@ -51891,7 +51886,6 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
             message: `A -r requirements install cannot be pinned to the exact scanned versions; refusing in ${config.strict ? "--strict" : "--mode block"} (resolve\u2192install mismatch risk). Use --mode warn or --dg-force to bypass.`,
             proceed: false
           });
-          dispatch({ type: "DONE", exitCode: 2 });
           return;
         }
         const pinnedArgs = isRequirementsInstall ? parsed.rawArgs : opts.ecosystem === "npm" ? pinTopLevelArgs(parsed.rawArgs, parsed.packages, resolved) : pinPipArgs(parsed.rawArgs, parsed.packages, resolved);
@@ -51911,98 +51905,60 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
               message: `Could not enumerate the dependency tree (${tree.errorMessage ?? "dry-run produced no tree"}); transitive deps would install unscanned. Install aborted in ${config.strict ? "--strict" : "--mode block"}. Use --dg-force to bypass.`,
               proceed: false
             });
-            dispatch({ type: "DONE", exitCode: 2 });
             return;
           }
         }
         dispatch({ type: "SCANNING", count: scanSet.length });
         const result = await opts.callAnalyze(scanSet, config);
-        if (result.action === "pass") {
-          if (exit) exit();
-          const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
-          const line = formatPassLine(result, chalk18);
-          process.stderr.write("  " + line + "\n\n");
-          const code2 = await opts.runInstall(installArgs);
-          process.exit(code2);
-          return;
-        }
-        const verdict = verdictFromResult(result);
         const decision = routeVerdict({
-          verdict,
+          verdict: verdictFromResult(result),
           mode: config.mode,
           strict: config.strict,
           dgForce: parsed.dgForce
         });
-        const bypassVerdict = decision.verdict === "block" ? "block" : "warn";
+        if (decision.outcome === "refuse") {
+          const cmd = `${opts.ecosystem === "npm" ? "npm" : "pip"} ${parsed.rawArgs.join(" ")} --dg-force`;
+          const v = decision.verdict === "analysis_incomplete" ? "incomplete" : decision.verdict === "block" ? "block" : "warn";
+          dispatch({ type: "REFUSED", result, verdict: v, cmd, exitCode: decision.refuseExitCode });
+          return;
+        }
         const recordBypass = async (trigger) => {
           const { recordBypassLocally: recordBypassLocally2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
           recordBypassLocally2({
             ecosystem: opts.ecosystem,
-            verdict: bypassVerdict,
+            verdict: decision.verdict === "block" ? "block" : "warn",
             trigger,
-            reason: trigger === "dg-force" ? parsed.dgForceReason : void 0,
             packages: result.packages.map((p) => ({ name: p.name, version: p.version, score: p.score }))
           });
         };
-        const refusedMessage = () => {
-          const list = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
-          if (decision.verdict === "block") {
-            return `DG blocked ${list}. Real install was NOT run. Re-run with --dg-force --dg-force-reason="<reason>" to override.`;
-          }
-          if (decision.verdict === "analysis_incomplete") {
-            return `DG could not fully analyze ${list} (analysis incomplete). Refusing in ${config.strict ? "--strict" : "--mode block"} \u2014 unverified is not safe. Use --mode warn or --dg-force to bypass.`;
-          }
-          return `DG flagged ${list}. Refusing in --strict. Use --mode warn or --dg-force to proceed.`;
-        };
-        const presenter = {
-          announce(d) {
-            if (d.outcome === "refuse") {
-              dispatch({ type: "REFUSED", result, message: refusedMessage() });
-              return;
-            }
-            switch (d.verdict) {
-              case "warn":
-                dispatch({ type: "WARN", result, dgForce: d.bypassed });
-                return;
-              case "block":
-                dispatch({ type: "BLOCKED", result, dgForce: d.bypassed });
-                return;
-              case "analysis_incomplete":
-                dispatch({ type: "INCOMPLETE", result, proceed: true, message: "DG could not fully analyze the install set (analysis incomplete)." });
-                return;
-              default:
-                return;
-            }
-          },
-          confirmProceed() {
-            return new Promise((resolve3) => {
-              pendingInstall.current = () => resolve3(true);
-              rejectRef.current = () => resolve3(false);
-            });
-          },
-          async runInstall(args) {
-            dispatch({ type: "INSTALLING" });
-            return opts.runInstall(args);
-          },
-          async audit(kind) {
-            if (kind === "override") await recordBypass("dg-force");
-          },
-          onPromptAccepted: () => recordBypass("interactive-confirm"),
-          emit() {
+        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
+        const top = result.packages.length === 1 ? result.packages[0] : null;
+        const name = top ? `${top.name}@${top.version}` : `${result.packages.length} packages`;
+        const pinnedLine = (() => {
+          if (decision.bypassed) {
+            const sig = decision.verdict === "block" ? chalk18.red("\u2718") : chalk18.yellow("\u26A0");
+            return `  ${sig} ${name} ${chalk18.dim(`(${decision.verdict}) \u2014 --dg-force override, installing`)}`;
+          }
+          if (decision.verdict === "analysis_incomplete") return `  ${chalk18.cyan("?")} ${name} ${chalk18.dim("\u2014 could not verify; proceeding")}`;
+          if (decision.verdict === "pass") return `  ${chalk18.green("\u2713")} ${name} ${chalk18.dim("\u2014 clean")}`;
+          return null;
+        })();
+        if (decision.outcome === "prompt") {
+          dispatch({ type: "WARN", result });
+          const accepted = await new Promise((resolve3) => {
+            pendingInstall.current = () => resolve3(true);
+            rejectRef.current = () => resolve3(false);
+          });
+          if (!accepted) {
+            dispatch({ type: "DECLINED", line: `  ${chalk18.yellow("\u2717")} ${name} ${chalk18.dim("\u2014 not installed")}`, exitCode: decision.refuseExitCode });
+            return;
           }
-        };
-        const ctx = {
-          ecosystem: opts.ecosystem,
-          apiKind: opts.ecosystem,
-          installArgs,
-          passthroughArgs: parsed.rawArgs,
-          result,
-          resolved,
-          suppressedCount: 0,
-          dgForceReason: parsed.dgForceReason
-        };
-        const code = await executeDecision(decision, ctx, presenter);
-        dispatch({ type: "DONE", exitCode: code });
+          await recordBypass("interactive-confirm");
+          requestInstall(installArgs, null);
+          return;
+        }
+        if (decision.bypassed) await recordBypass("dg-force");
+        requestInstall(decision.outcome === "passthrough" ? parsed.rawArgs : installArgs, pinnedLine);
         return;
       } catch (error) {
         if (error instanceof FreeCapReachedError) {
@@ -52016,27 +51972,17 @@ function useInstallWrapper(rawArgs, config, opts, exit) {
             message: `Scan failed (${message}) and --mode is block. Install aborted. Use --dg-force to bypass.`,
             proceed: false
           });
-          dispatch({ type: "DONE", exitCode: 2 });
           return;
         }
-        dispatch({ type: "ERROR", message, proceed: true });
-        dispatch({ type: "INSTALLING" });
-        const code = await opts.runInstall(installArgs);
-        dispatch({ type: "DONE", exitCode: code });
+        const chalk18 = (await Promise.resolve().then(() => __toESM(require_source(), 1))).default;
+        requestInstall(installArgs, `  ${chalk18.yellow("\u26A0")} ${chalk18.dim(`scan failed (${message}); proceeding`)}`);
       }
     })();
   }, [rawArgs, config]);
   return { state, confirmInstall, rejectInstall };
 }
-function formatPassLine(result, chalk18) {
-  if (result.packages.length === 1) {
-    const p = result.packages[0];
-    return chalk18.green("\u2713 ") + `${p.name}@${p.version}` + chalk18.dim(" \u2014 clean. Installing.");
-  }
-  return chalk18.green("\u2713 ") + `${result.packages.length} packages` + chalk18.dim(" \u2014 all clean. Installing.");
-}
-function useWrapper(args, config, ecosystem, exit) {
-  return useInstallWrapper(args, config, ecosystem === "npm" ? NPM_OPTIONS : PIP_OPTIONS, exit);
+function useWrapper(args, config, ecosystem, handoff) {
+  return useInstallWrapper(args, config, ecosystem === "npm" ? NPM_OPTIONS : PIP_OPTIONS, handoff);
 }
 var import_react37, NPM_OPTIONS, PIP_OPTIONS;
 var init_useWrapperBase = __esm({
@@ -52054,7 +52000,7 @@ var init_useWrapperBase = __esm({
       resolvePackages,
       resolveTree: resolveTreeNpm,
       callAnalyze: callAnalyzeAPI,
-      runInstall: runNpm,
+      runInstall: (args) => runNpm(args, { trim: true }),
       inferSpecsFromContext: () => readBareInstallPackages(process.cwd()),
       ecosystem: "npm"
     };
@@ -52063,7 +52009,7 @@ var init_useWrapperBase = __esm({
       resolvePackages: resolvePackages2,
       resolveTree: resolveTreePip,
       callAnalyze: callPyPIAnalyzeAPI,
-      runInstall: runPip,
+      runInstall: (args) => runPip(args, { trim: true }),
       inferSpecsFromContext: (parsed) => {
         const file = parsed.requirementsFile;
         return file ? parseRequirementsFile(file) : [];
@@ -52245,6 +52191,7 @@ var init_ConfirmPrompt = __esm({
           onReject();
         }
       });
+      if (!message) return null;
       return /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(Box_default, { flexDirection: "column", children: [
         /* @__PURE__ */ (0, import_jsx_runtime16.jsxs)(Text, { children: [
           import_chalk17.default.red.bold("\u26A0"),
@@ -52300,7 +52247,8 @@ var init_WrapperVerdictLine = __esm({
     WrapperVerdictLine = ({
       result,
       verdict,
-      dgForce
+      dgForce,
+      refusal
     }) => {
       const total = result.packages.length;
       const counts = countSummary(result);
@@ -52326,12 +52274,13 @@ var init_WrapperVerdictLine = __esm({
           /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { dimColor: true, children: " \u2014 all clean. Installing." })
         ] });
       }
-      const sigil = verdict === "block" ? "\u2718" : "\u26A0";
-      const color = verdict === "block" ? "red" : "yellow";
+      const sigil = verdict === "block" ? "\u2718" : verdict === "incomplete" ? "?" : "\u26A0";
+      const color = verdict === "block" ? "red" : verdict === "incomplete" ? "cyan" : "yellow";
       const prompt = verdict === "block" ? "install anyway?" : "install?";
       if (total === 1) {
         const p = topPackage(result);
         const score = p ? p.score : result.score;
+        const meta = verdict === "incomplete" ? `(could not verify)${reasonTag(p)}` : `(${verdict}, score ${score})${reasonTag(p)}`;
         return /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Box_default, { flexDirection: "row", children: [
           /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { color, children: [
             sigil,
@@ -52342,18 +52291,23 @@ var init_WrapperVerdictLine = __esm({
             "@",
             p?.version
           ] }),
-          /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
-            " (",
-            verdict,
-            ", score ",
-            score,
-            ")",
-            reasonTag(p),
-            " \u2014 "
-          ] }),
-          dgForce ? /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color, bold: true, children: "--dg-force: bypassing. Installing." }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { bold: true, children: [
-            prompt,
-            " [y/N]"
+          refusal ? /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
+            " ",
+            meta
+          ] }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(import_jsx_runtime17.Fragment, { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
+              " ",
+              meta,
+              " \u2014 "
+            ] }),
+            dgForce ? /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color, bold: true, children: "--dg-force: bypassing. Installing." }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { bold: true, children: [
+              prompt,
+              " [",
+              /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color: "green", children: "y" }),
+              "/",
+              /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color: "red", children: "N" }),
+              "]"
+            ] })
           ] })
         ] });
       }
@@ -52371,14 +52325,23 @@ var init_WrapperVerdictLine = __esm({
           total,
           " packages"
         ] }),
-        /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
+        refusal ? /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
           ": ",
-          parts.join(", "),
-          " \u2014 "
-        ] }),
-        dgForce ? /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color, bold: true, children: "--dg-force: bypassing. Installing." }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { bold: true, children: [
-          prompt,
-          " [y/N]  [d] details"
+          parts.join(", ")
+        ] }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(import_jsx_runtime17.Fragment, { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { dimColor: true, children: [
+            ": ",
+            parts.join(", "),
+            " \u2014 "
+          ] }),
+          dgForce ? /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color, bold: true, children: "--dg-force: bypassing. Installing." }) : /* @__PURE__ */ (0, import_jsx_runtime17.jsxs)(Text, { bold: true, children: [
+            prompt,
+            " [",
+            /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color: "green", children: "y" }),
+            "/",
+            /* @__PURE__ */ (0, import_jsx_runtime17.jsx)(Text, { color: "red", children: "N" }),
+            "]  [d] details"
+          ] })
         ] })
       ] });
     };
@@ -52416,21 +52379,30 @@ var init_WrapperApp = __esm({
         installing: "Installing with pip..."
       }
     };
-    WrapperApp = ({ args, config, ecosystem }) => {
+    WrapperApp = ({ args, config, ecosystem, handoff }) => {
       const { exit } = use_app_default();
-      const { state, confirmInstall, rejectInstall } = useWrapper(args, config, ecosystem, exit);
+      const { state, confirmInstall, rejectInstall } = useWrapper(args, config, ecosystem, handoff);
       const [showDetails, setShowDetails] = (0, import_react38.useState)(false);
       use_input_default((input) => {
-        if (input === "d" && (state.phase === "warn" || state.phase === "blocked")) {
+        if (input === "d" && state.phase === "warn") {
           setShowDetails((v) => !v);
         }
       });
       (0, import_react38.useEffect)(() => {
-        if (state.phase === "done") {
+        if (state.phase === "done" || state.phase === "refused" || state.phase === "declined") {
           process.exitCode = state.exitCode;
           const timer = setTimeout(() => exit(), 0);
           return () => clearTimeout(timer);
         }
+        if (state.phase === "installing") {
+          const timer = setTimeout(() => exit(), 0);
+          return () => clearTimeout(timer);
+        }
+        if (state.phase === "error") {
+          process.exitCode = 2;
+          const timer = setTimeout(() => exit(), 0);
+          return () => clearTimeout(timer);
+        }
         if (state.phase === "free_cap_reached") {
           process.exitCode = 1;
           const timer = setTimeout(() => exit(), 0);
@@ -52445,44 +52417,30 @@ var init_WrapperApp = __esm({
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Spinner2, { label: labels.resolving(state.count, state.count !== 1 ? "s" : "") });
         case "scanning":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Spinner2, { label: labels.scanning(state.count, state.count !== 1 ? "s" : "") });
-        case "pass":
-          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: "pass" });
         case "warn":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Box_default, { flexDirection: "column", children: [
-            /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: "warn", dgForce: state.dgForce }),
+            /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: "warn" }),
             showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) }),
-            !state.dgForce && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ConfirmPrompt, { message: "", onConfirm: handleConfirm, onReject: handleReject })
+            /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ConfirmPrompt, { message: "", onConfirm: handleConfirm, onReject: handleReject })
           ] });
-        case "blocked":
+        case "refused":
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Box_default, { flexDirection: "column", children: [
-            /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: "block", dgForce: state.dgForce }),
-            showDetails && /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Box_default, { marginTop: 1, children: /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ResultsView, { result: state.result, config, durationMs: state.result.durationMs }) })
+            /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(WrapperVerdictLine, { result: state.result, verdict: state.verdict, refusal: true }),
+            /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { dimColor: true, children: [
+              "  install anyway: ",
+              state.cmd
+            ] })
           ] });
-        case "refused":
-          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
-        case "incomplete":
-          if (state.proceed) {
-            return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { color: "yellow", children: [
-              state.message,
-              " Proceeding with install."
-            ] });
-          }
-          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
+        case "declined":
+          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Text, { children: state.line });
+        // The verdict line is Ink's final frame; it stays on screen after unmount and
+        // the installer's (trimmed) output is printed under it by bin.ts.
         case "installing":
-          return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Spinner2, { label: labels.installing });
+          return state.line ? /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(Text, { children: state.line }) : null;
         case "done":
           return null;
         case "error":
-          if (state.proceed) {
-            return /* @__PURE__ */ (0, import_jsx_runtime18.jsxs)(Text, { color: "yellow", children: [
-              "Warning: Scan failed (",
-              state.message,
-              "). Proceeding with install."
-            ] });
-          }
           return /* @__PURE__ */ (0, import_jsx_runtime18.jsx)(ErrorView, { error: new Error(state.message) });
-        case "passthrough":
-          return null;
         case "free_cap_reached": {
           let hasKey = false;
           try {
@@ -52518,9 +52476,9 @@ __export(conda_wrapper_exports, {
   adapter: () => adapter,
   runStaticConda: () => runStaticConda
 });
-import { spawn as spawn5 } from "node:child_process";
+import { spawn as spawn6 } from "node:child_process";
 function parseCondaArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS3.has(command);
   const packages = [];
@@ -52539,7 +52497,6 @@ function parseCondaArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -52573,7 +52530,7 @@ async function runStaticConda(args, ecosystem, config) {
     return 127;
   }
   return await new Promise((resolve3) => {
-    const child = spawn5(real, parsed.rawArgs, { stdio: "inherit", env: childInstallEnv() });
+    const child = spawn6(real, parsed.rawArgs, { stdio: "inherit", env: childInstallEnv() });
     child.on("close", (code) => resolve3(code ?? 1));
     child.on("error", () => resolve3(1));
   });
@@ -52620,7 +52577,7 @@ function pnpmFlagTakesValue(flag) {
   return valueFlagPrefixes.includes(flag);
 }
 function parsePnpmArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS4.has(command);
   const packages = [];
@@ -52639,7 +52596,6 @@ function parsePnpmArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -52718,7 +52674,7 @@ function yarnFlagTakesValue(flag) {
   return valueFlagPrefixes.includes(flag);
 }
 function parseYarnArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS5.has(command);
   const packages = [];
@@ -52737,7 +52693,6 @@ function parseYarnArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -52817,7 +52772,7 @@ function bunFlagTakesValue(flag) {
   return valueFlagPrefixes.includes(flag);
 }
 function parseBunArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS6.has(command);
   const packages = [];
@@ -52836,7 +52791,6 @@ function parseBunArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -52923,7 +52877,7 @@ function uvFlagTakesValue(flag) {
   return valueFlagPrefixes.includes(flag);
 }
 function parseUvArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const first = filtered[0] ?? "";
   let command = "";
   let argStart = 1;
@@ -52972,7 +52926,6 @@ function parseUvArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -53034,7 +52987,7 @@ function pipxFlagTakesValue(flag) {
   return valueFlagPrefixes.includes(flag);
 }
 function parsePipxArgs(args) {
-  const { filtered, dgForce, dgForceReason, dgNoScripts } = stripDgFlags(args);
+  const { filtered, dgForce, dgNoScripts } = stripDgFlags(args);
   const command = filtered[0] ?? "";
   const shouldScan = INSTALL_COMMANDS7.has(command) && command !== "upgrade-all";
   const packages = [];
@@ -53057,7 +53010,6 @@ function parsePipxArgs(args) {
     packages,
     rawArgs: filtered,
     dgForce,
-    dgForceReason,
     dgNoScripts,
     shouldScan
   };
@@ -53111,7 +53063,7 @@ var wrapper_factory_exports = {};
 __export(wrapper_factory_exports, {
   runEcosystemWrapper: () => runEcosystemWrapper
 });
-import { spawn as spawn6 } from "node:child_process";
+import { spawn as spawn7 } from "node:child_process";
 function shimSentinelEnv3() {
   return childInstallEnv();
 }
@@ -53123,7 +53075,7 @@ async function spawnRealBinary(adapter7, args) {
     return 127;
   }
   return await new Promise((resolve3) => {
-    const child = spawn6(real, args, { stdio: "inherit", env: shimSentinelEnv3() });
+    const child = spawn7(real, args, { stdio: "inherit", env: shimSentinelEnv3() });
     child.on("close", (code) => resolve3(code ?? 1));
     child.on("error", () => resolve3(1));
   });
@@ -53325,7 +53277,6 @@ async function runEcosystemWrapper(adapter7, args, config) {
     result,
     resolved,
     suppressedCount,
-    dgForceReason: parsed.dgForceReason,
     error: verdict === "analysis_incomplete" && decision.outcome === "refuse" ? { code: "analysis_incomplete", message: "scanner could not fully analyze the install set" } : void 0
   };
   const presenter = {
@@ -53377,10 +53328,9 @@ ${installLine}
             const blockedList = resolved.map((p) => `${p.name} ${p.version}`).join(", ");
             process.stderr.write(
               `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG blocked")} ${blockedList}.
-  Real install was NOT run. To override:
-` + import_chalk19.default.dim(`    ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force --dg-force-reason="<reason>"
+  ${import_chalk19.default.dim(`install anyway: ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force`)}
 
-`)
+`
             );
           }
           return;
@@ -53390,10 +53340,10 @@ ${installLine}
           if (d.outcome === "refuse") {
             if (!config.json) {
               process.stderr.write(
-                `  ${import_chalk19.default.red("\u2717")} ${import_chalk19.default.bold("DG could not verify")} ${list} \u2014 analysis incomplete.
-` + import_chalk19.default.dim(`  --mode ${config.strict ? "strict" : "block"} \u21D2 refusing install (unverified is not safe). Use --mode warn or --dg-force to bypass.
+                `  ${import_chalk19.default.cyan("?")} ${import_chalk19.default.bold("DG couldn't verify")} ${list} \u2014 unverified, not safe.
+  ${import_chalk19.default.dim(`install anyway: ${adapter7.realBinaryName} ${parsed.rawArgs.join(" ")} --dg-force`)}
 
-`)
+`
               );
             }
           } else if (!config.json && !config.quiet) {
@@ -53425,8 +53375,7 @@ ${installLine}
           ecosystem: adapter7.apiKind,
           packages: result.packages,
           decisionAction: kind,
-          bypassed: kind === "override",
-          bypassReason: kind === "override" ? parsed.dgForceReason : void 0
+          bypassed: kind === "override"
         });
       } catch {
       }
@@ -53713,8 +53662,6 @@ async function main() {
     }
     if (result.action === "block") {
       try {
-        const reasonIdx = args.indexOf("--dg-force-reason");
-        const bypassReason = reasonIdx >= 0 ? args[reasonIdx + 1] : void 0;
         const { dispatchPublishCheckAudit: dispatchPublishCheckAudit2 } = await Promise.resolve().then(() => (init_audit_dispatcher(), audit_dispatcher_exports));
         const at = result.artifact.lastIndexOf("@");
         const pkgName = at > 0 ? result.artifact.slice(0, at) : result.artifact;
@@ -53725,8 +53672,7 @@ async function main() {
           packageVersion: pkgVersion,
           score: result.score,
           decisionAction: force ? "override" : "block",
-          bypassed: !!force,
-          bypassReason
+          bypassed: !!force
         });
       } catch {
       }
@@ -53898,6 +53844,12 @@ async function main() {
     return;
   }
 }
+async function runHandoff(handoff) {
+  if (!handoff.install) {
+    return typeof process.exitCode === "number" ? process.exitCode : 0;
+  }
+  return handoff.install.run(handoff.install.args);
+}
 async function handleWrapInternal(argv) {
   let ecosystem = argv[0];
   if (!ecosystem) {
@@ -53934,9 +53886,9 @@ async function handleWrapInternal(argv) {
   const { isReadonlySubcommand: isReadonlySubcommand2 } = await Promise.resolve().then(() => (init_readonly(), readonly_exports));
   const ecoTyped = ecosystem;
   const spawnReal = async (real, args) => {
-    const { spawn: spawn7 } = await import("node:child_process");
+    const { spawn: spawn8 } = await import("node:child_process");
     const { childInstallEnv: childInstallEnv2 } = await Promise.resolve().then(() => (init_install(), install_exports));
-    const child = spawn7(real, args, { stdio: "inherit", env: childInstallEnv2() });
+    const child = spawn8(real, args, { stdio: "inherit", env: childInstallEnv2() });
     return await new Promise((resolve3) => {
       child.on("close", (code) => resolve3(code ?? 1));
       child.on("error", () => resolve3(1));
@@ -53963,11 +53915,12 @@ async function handleWrapInternal(argv) {
     const { render: render2 } = await init_build2().then(() => build_exports);
     const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
     const { WrapperApp: WrapperApp2 } = await init_WrapperApp().then(() => WrapperApp_exports);
+    const handoff = { install: null };
     const { waitUntilExit } = render2(
-      React22.createElement(WrapperApp2, { config, args: wrapperArgs, ecosystem: "npm" })
+      React22.createElement(WrapperApp2, { config, args: wrapperArgs, ecosystem: "npm", handoff })
     );
     await waitUntilExit();
-    return 0;
+    return runHandoff(handoff);
   }
   if (ecosystem === "pip" || ecosystem === "pip3") {
     if (config.json || !process.stdout.isTTY) {
@@ -53978,11 +53931,12 @@ async function handleWrapInternal(argv) {
     const { render: render2 } = await init_build2().then(() => build_exports);
     const React22 = await Promise.resolve().then(() => __toESM(require_react(), 1));
     const { WrapperApp: WrapperApp2 } = await init_WrapperApp().then(() => WrapperApp_exports);
+    const handoff = { install: null };
     const { waitUntilExit } = render2(
-      React22.createElement(WrapperApp2, { config, args: wrapperArgs, ecosystem: "pypi" })
+      React22.createElement(WrapperApp2, { config, args: wrapperArgs, ecosystem: "pypi", handoff })
     );
     await waitUntilExit();
-    return 0;
+    return runHandoff(handoff);
   }
   if (ecosystem === "conda" || ecosystem === "mamba") {
     const { runStaticConda: runStaticConda2 } = await Promise.resolve().then(() => (init_conda_wrapper(), conda_wrapper_exports));

package/dist/postinstall.mjs

@@ -703,22 +703,26 @@ async function main() {
     } catch {
     }
     void ecosystemsWired;
+    const rcPath = rcAppended[0] ?? result.rcOutcomes.find((o) => o.status === "already-present")?.path ?? null;
+    const shimDir2 = `${targetHome}/.dg/shims`;
+    const activeNow = (process.env.PATH ?? "").split(":").includes(shimDir2);
     emit("\u2713 Dependency Guardian installed.");
-    emit("\u2713 Protected: npm, pnpm, yarn, bun, pip, pip3, uv, pipx, conda, mamba.");
+    emit("\u2713 Wired: npm, pnpm, yarn, bun, pip, pip3, uv, pipx, conda, mamba.");
     if (pythonVersions.length > 0) {
-      emit(`\u2713 python -m pip \u2014 protected on ${pythonVersions.join(", ")}.`);
-    }
-    if (rcAppended.length > 0) {
-      for (const p of rcAppended) emit(`\u2713 Updated: ${p}`);
-    } else {
-      emit("\u2139\uFE0F  Shell rc not modified (already wired or not detected).");
+      emit(`\u2713 python -m pip \u2014 wired on ${pythonVersions.join(", ")}.`);
     }
+    if (rcPath) emit(`\u2713 Added ${shimDir2} to PATH in ${rcPath}.`);
     emit("");
-    emit("\u2728 Dependency Guardian is active. Happy scanning.");
-    emit("");
-    emit("  Run `dg login` to authenticate your account.");
-    emit("  Run `dg status` to see what's protected.");
-    emit("  Run `dg uninstall` to remove everything.");
+    if (!activeNow) {
+      emit("  \u26A0 One more step \u2014 activate it in your shell:");
+      emit(rcPath ? `      source ${rcPath}      (or just open a new terminal)` : "      open a new terminal");
+      emit("    Until you do, installs in THIS shell still run unscanned.");
+      emit("");
+    }
+    emit("  Then:");
+    emit("    dg login      authenticate your account");
+    emit("    dg status     see what's protected (and if this shell is active)");
+    emit("    dg uninstall  remove everything");
   } catch (err) {
     emit("\u2139\uFE0F  Dependency Guardian installed.");
     emit(`   Setup did not complete: ${err.message}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.2.1",
+  "version": "1.3.1",
   "type": "module",
   "description": "Supply chain security scanner for npm and Python dependencies",
   "bin": {