@westbayberry/dg 2.0.10 → 2.1.0

package/dist/decisions/apply.js

@@ -0,0 +1,128 @@
+export function packageKey(name, version) {
+    return `${name}@${version}`;
+}
+export function findingCategory(finding) {
+    return finding.category ?? finding.id ?? "unknown";
+}
+export function findingFingerprint(findings) {
+    const fingerprint = {};
+    for (const finding of findings) {
+        const category = findingCategory(finding);
+        fingerprint[category] = Math.max(fingerprint[category] ?? 0, finding.severity);
+    }
+    return fingerprint;
+}
+export function matchDecision(pkg, ecosystem, entries, now = new Date()) {
+    if ((pkg.action ?? "pass") !== "warn") {
+        return { acknowledged: false };
+    }
+    const fingerprint = findingFingerprint(pkg.findings);
+    let nearestUncovered;
+    for (const entry of entries) {
+        if (entry.ecosystem !== ecosystem || entry.name !== pkg.name) {
+            continue;
+        }
+        if (!scopeMatches(entry, pkg.version)) {
+            continue;
+        }
+        if (isExpired(entry, now)) {
+            continue;
+        }
+        const uncovered = uncoveredFindings(fingerprint, entry.findings);
+        if (uncovered.length === 0) {
+            return { acknowledged: true, entry };
+        }
+        if (!nearestUncovered || uncovered.length < nearestUncovered.length) {
+            nearestUncovered = uncovered;
+        }
+    }
+    return nearestUncovered ? { acknowledged: false, newFindings: nearestUncovered } : { acknowledged: false };
+}
+export function applyDecisions(packages, ecosystemOf, file, rawAction, now = new Date()) {
+    const annotations = {};
+    let acknowledgedCount = 0;
+    let worst = 0;
+    for (const pkg of packages) {
+        const action = pkg.action ?? "pass";
+        if (action === "pass") {
+            continue;
+        }
+        const ecosystem = ecosystemOf(pkg);
+        if (!ecosystem) {
+            worst = Math.max(worst, actionSeverity(action));
+            continue;
+        }
+        const match = file.readable ? matchDecision(pkg, ecosystem, file.decisions, now) : { acknowledged: false };
+        const key = packageKey(pkg.name, pkg.version);
+        if (match.acknowledged) {
+            acknowledgedCount += 1;
+            annotations[key] = {
+                ecosystem,
+                acknowledged: {
+                    decisionId: match.entry.id,
+                    by: match.entry.acceptedBy,
+                    at: match.entry.acceptedAt,
+                    reason: match.entry.reason
+                }
+            };
+        }
+        else {
+            annotations[key] = {
+                ecosystem,
+                ...(match.newFindings ? { newFindings: match.newFindings } : {})
+            };
+            worst = Math.max(worst, actionSeverity(action));
+        }
+    }
+    const effectiveAction = acknowledgedCount === 0 || worst >= actionSeverity(rawAction) ? rawAction : actionFromSeverity(worst);
+    return {
+        file: file.path,
+        acknowledgedCount,
+        effectiveAction,
+        packages: annotations
+    };
+}
+const ACTION_SEVERITY = {
+    pass: 0,
+    analysis_incomplete: 1,
+    warn: 2,
+    block: 3
+};
+function actionSeverity(action) {
+    return ACTION_SEVERITY[action] ?? 0;
+}
+function actionFromSeverity(severity) {
+    if (severity >= 3) {
+        return "block";
+    }
+    if (severity === 2) {
+        return "warn";
+    }
+    if (severity === 1) {
+        return "analysis_incomplete";
+    }
+    return "pass";
+}
+function scopeMatches(entry, version) {
+    if (entry.scope.kind === "any") {
+        return true;
+    }
+    return entry.scope.version === version;
+}
+function isExpired(entry, now) {
+    if (!entry.expiresAt) {
+        return false;
+    }
+    const expiry = Date.parse(entry.expiresAt);
+    return !Number.isFinite(expiry) || expiry <= now.getTime();
+}
+function uncoveredFindings(fingerprint, accepted) {
+    const uncovered = [];
+    for (const [category, severity] of Object.entries(fingerprint)) {
+        const acceptedSeverity = accepted[category];
+        if (acceptedSeverity === undefined || severity > acceptedSeverity) {
+            uncovered.push(`${category}:${severity}`);
+        }
+    }
+    return uncovered.sort();
+}

package/dist/decisions/remember-prompt.js

@@ -0,0 +1,97 @@
+import { emitWebhookEvent, recordAuditEvent } from "../audit/events.js";
+import { loadUserConfig } from "../config/settings.js";
+import { promptText, promptYesNo } from "../install-ui/prompt.js";
+import { appendDecisions, saveDgFile } from "../project/dgfile.js";
+import { promptLine as ttyPromptLine, promptYesNo as ttyPromptYesNo } from "../util/tty-prompt.js";
+import { findingFingerprint, packageKey } from "./apply.js";
+const defaultSyncPrompts = {
+    yesNo: (question, defaultYes) => ttyPromptYesNo(question, defaultYes),
+    line: (question) => ttyPromptLine(question),
+    write: (text) => process.stderr.write(text)
+};
+export async function offerRememberOnIo(options) {
+    const { io, file, packages } = options;
+    if (!io.isTTY || !file.readable || packages.length === 0) {
+        return false;
+    }
+    const choice = (await promptText("  Remember this acceptance? [v] this version / [o] just once: ", io)).trim().toLowerCase();
+    if (choice !== "v" && choice !== "version") {
+        return false;
+    }
+    if (!file.exists) {
+        const create = await promptYesNo(`  Create ${file.path}?`, io, false);
+        if (!create) {
+            return false;
+        }
+    }
+    const reason = (await promptText("  Reason (Enter to skip): ", io)).trim();
+    persistRemembered(file, packages, {
+        reason: reason || `accepted at ${options.surface}`,
+        acceptedBy: options.acceptedBy,
+        env: options.env ?? process.env
+    });
+    io.output.write(`  ✓ remembered in ${file.path} — review with 'dg decisions'\n`);
+    return true;
+}
+export function offerRememberSync(options) {
+    const { file, packages } = options;
+    const prompts = options.prompts ?? defaultSyncPrompts;
+    if (!file.readable || packages.length === 0) {
+        return false;
+    }
+    const remember = prompts.yesNo("  Remember this acceptance in dg.json for future commits?", false);
+    if (remember !== true) {
+        return false;
+    }
+    if (!file.exists) {
+        const create = prompts.yesNo(`  Create ${file.path}?`, false);
+        if (create !== true) {
+            return false;
+        }
+    }
+    const reason = (prompts.line("  Reason (Enter to skip): ") ?? "").trim();
+    persistRemembered(file, packages, {
+        reason: reason || `accepted at ${options.surface}`,
+        acceptedBy: options.acceptedBy,
+        env: options.env ?? process.env
+    });
+    prompts.write(`  ✓ remembered in ${file.path} — review with 'dg decisions'\n`);
+    return true;
+}
+export function persistRemembered(file, packages, options) {
+    const additions = packages.map((pkg) => ({
+        ecosystem: pkg.ecosystem,
+        name: pkg.name,
+        scope: { kind: "exact", version: pkg.version },
+        findings: findingFingerprint(pkg.findings),
+        reason: options.reason,
+        acceptedBy: options.acceptedBy
+    }));
+    saveDgFile(appendDecisions(file, additions));
+    recordDecisionEvents("decision.accepted", packages.map((pkg) => `${pkg.ecosystem}:${packageKey(pkg.name, pkg.version)}`), options.reason, options.env);
+}
+export function recordDecisionEvents(type, packageNames, reason, env) {
+    let policyMode = "unknown";
+    try {
+        policyMode = loadUserConfig(env).policy.mode;
+    }
+    catch {
+        // a corrupt user config must not block recording the decision trail
+    }
+    for (const packageName of packageNames) {
+        const event = {
+            type,
+            packageName,
+            reason,
+            policyMode,
+            createdAt: new Date().toISOString()
+        };
+        try {
+            recordAuditEvent(event, env);
+            emitWebhookEvent(event, env);
+        }
+        catch {
+            // audit trail is best-effort; the decision write already succeeded
+        }
+    }
+}

package/dist/install-ui/block-render.js

@@ -1,3 +1,4 @@
+import { formatCooldownDuration, formatPackageAge } from "../policy/cooldown.js";
 const VERIFIED_BAD = new Set([
     "malware",
     "policy",
@@ -19,6 +20,7 @@ const HEADLINES = {
     "api-timeout": "scanner timed out",
     "registry-timeout": "registry timed out",
     "analysis-incomplete": "analysis incomplete",
+    cooldown: "release too new (cooldown)",
     "unsupported-manager": "unsupported package manager",
     "proxy-setup-failure": "protection unavailable"
 };
@@ -29,14 +31,24 @@ const NEXT_STEP = {
     "hash-mismatch": "Clear your package cache and retry. If it persists, do not install.",
     "private-upload-disabled": "Enable private artifact scanning to verify this package.",
     "needs-login": "Run 'dg login' (free) to check packages from the registry before they install.",
-    "quota-exceeded": "Upgrade your plan or wait for your monthly limit to reset. See westbayberry.com/pricing."
+    "quota-exceeded": "Upgrade your plan or wait for your monthly limit to reset. See westbayberry.com/pricing.",
+    cooldown: "Wait for the cooldown, pin an older version, or exempt it: dg config set cooldown.exempt <name>"
 };
+function cooldownDetailLine(cooldown) {
+    const window = formatCooldownDuration(cooldown.requiredDays);
+    const eligible = formatResetDate(cooldown.eligibleAt);
+    const suffix = eligible ? ` (eligible ${eligible})` : "";
+    if (cooldown.ageDays === undefined) {
+        return `publish time unknown; your cooldown is ${window}${suffix}`;
+    }
+    return `published ${formatPackageAge(cooldown.ageDays)}; your cooldown is ${window}${suffix}`;
+}
 export function describeBlockedInstall(decision) {
     const verifiedBad = VERIFIED_BAD.has(decision.cause);
     const override = decision.forceOverride && !decision.forceOverride.allowed
         ? "not allowed by your policy"
         : "re-run with --dg-force-install";
-    const nextStep = verifiedBad || decision.cause === "needs-login"
+    const nextStep = verifiedBad || decision.cause === "needs-login" || decision.cause === "cooldown"
         ? NEXT_STEP[decision.cause]
         : "Re-check later with 'dg verify', or override if you accept the risk.";
     return {
@@ -85,9 +97,14 @@ export function renderInstallDecision(decision) {
     const lines = [
         verifiedBad
             ? `✘ DG blocked install — ${headline}`
-            : `? DG could not verify ${decision.packageName} — ${headline}`,
+            : decision.cause === "cooldown"
+                ? `? DG quarantined ${decision.packageName} — ${headline}`
+                : `? DG could not verify ${decision.packageName} — ${headline}`,
         `  ${decision.packageName}   ${decision.reason}`
     ];
+    if (decision.cause === "cooldown" && decision.cooldown) {
+        lines.push(`  ${cooldownDetailLine(decision.cooldown)}`);
+    }
     if (decision.dashboardUrl) {
         lines.push(`  Evidence: ${decision.dashboardUrl}`);
     }
@@ -97,7 +114,7 @@ export function renderInstallDecision(decision) {
     lines.push(decision.forceOverride && !decision.forceOverride.allowed
         ? "  Override: not allowed by your policy"
         : "  Override: re-run with --dg-force-install");
-    const next = verifiedBad || decision.cause === "needs-login"
+    const next = verifiedBad || decision.cause === "needs-login" || decision.cause === "cooldown"
         ? NEXT_STEP[decision.cause]
         : "Re-check later with 'dg verify', or override if you accept the risk.";
     if (next) {

package/dist/install-ui/prompt.js

@@ -6,6 +6,20 @@ export function defaultPromptIo() {
         isTTY: Boolean(process.stdin.isTTY && process.stderr.isTTY)
     };
 }
+export async function promptText(question, io) {
+    if (!io.isTTY) {
+        return "";
+    }
+    const rl = createInterface({ input: io.input, output: io.output });
+    try {
+        return await new Promise((resolve) => {
+            rl.question(question, resolve);
+        });
+    }
+    finally {
+        rl.close();
+    }
+}
 export async function promptYesNo(question, io, defaultYes = false) {
     if (!io.isTTY) {
         return false;

package/dist/launcher/install-preflight.js

@@ -1,8 +1,46 @@
 import { spawn } from "node:child_process";
 import { createInterface } from "node:readline";
 import { analyzePackages } from "../api/analyze.js";
+import { loadUserConfig } from "../config/settings.js";
+import { matchDecision, packageKey } from "../decisions/apply.js";
+import { offerRememberOnIo } from "../decisions/remember-prompt.js";
+import { provenanceDowngradeLine } from "../presentation/provenance.js";
 import { defaultPromptIo } from "../install-ui/prompt.js";
+import { cooldownRequestParam, formatCooldownDuration, formatPackageAge, isCooldownExempt } from "../policy/cooldown.js";
+import { findProjectRoot, loadDgFile, resolveAcceptedBy, warnUnreadableDgFile } from "../project/dgfile.js";
 import { parsePipReportInstallCount, parsePipReportInstallSet } from "./pip-report.js";
+export function resolvePreflightCooldown(env) {
+    try {
+        const config = loadUserConfig(env);
+        const param = cooldownRequestParam(config, env, "pypi", "");
+        return param ? { param, exempt: config.cooldown.exempt } : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function isQuarantined(pkg, context) {
+    if (!context || !pkg.cooldown) {
+        return false;
+    }
+    if (isCooldownExempt(pkg.name, context.exempt, "pypi")) {
+        return false;
+    }
+    return pkg.cooldown.status === "quarantine"
+        || (pkg.cooldown.status === "unknown" && context.param.onUnknown === "block");
+}
+export function resolvePreflightDecisions(ecosystem, cwd, env = process.env) {
+    const root = findProjectRoot(cwd, env);
+    if (!root) {
+        return null;
+    }
+    const file = loadDgFile(root);
+    warnUnreadableDgFile(file);
+    if (!file.readable) {
+        return null;
+    }
+    return { root, file, ecosystem, env };
+}
 const PROCEED = { proceed: true };
 const UNRESOLVED = { set: undefined, count: undefined };
 const approvedFlagRanks = new Map();
@@ -75,18 +113,48 @@ function resolvePipInstallSet(binary, args, env) {
 function findingSummary(pkg) {
     return pkg.reasons[0] ?? pkg.findings[0]?.title ?? pkg.findings[0]?.id ?? "flagged";
 }
+function cooldownSummary(pkg) {
+    const cooldown = pkg.cooldown;
+    if (!cooldown) {
+        return "release too new";
+    }
+    const window = cooldown.requiredDays !== undefined ? formatCooldownDuration(cooldown.requiredDays) : "your cooldown";
+    if (cooldown.ageDays === undefined) {
+        return `publish time unknown; cooldown ${window}`;
+    }
+    return `published ${formatPackageAge(cooldown.ageDays)}; cooldown ${window}`;
+}
 function renderPreflight(flagged, out) {
-    const blocks = flagged.filter((pkg) => pkg.action === "block").length;
+    const blocks = flagged.filter((entry) => entry.action === "block").length;
     const noun = flagged.length === 1 ? "package" : "packages";
     const tail = blocks > 0 ? ` (${blocks} blocked)` : "";
     out.write(`\n  DG flagged ${flagged.length} ${noun} before install${tail}:\n`);
-    for (const pkg of flagged) {
-        const tag = pkg.action === "block" ? "block" : "warn";
-        out.write(`    ${pkg.name}@${pkg.version}   ${tag}   ${findingSummary(pkg)}\n`);
+    for (const entry of flagged) {
+        const tag = entry.viaCooldown ? "cooldown" : entry.action === "block" ? "block" : "warn";
+        const summary = entry.viaCooldown ? cooldownSummary(entry.pkg) : findingSummary(entry.pkg);
+        out.write(`    ${entry.pkg.name}@${entry.pkg.version}   ${tag}   ${summary}${provenanceSuffix(entry.pkg)}\n`);
     }
     out.write("\n");
 }
-export async function runInstallPreflight(manager, binary, childArgs, env) {
+function provenanceSuffix(pkg) {
+    const prov = pkg.provenance;
+    if (!prov || prov.status === "unknown") {
+        return "";
+    }
+    return `   provenance: ${prov.status}`;
+}
+export function renderProvenanceDowngrades(packages, out) {
+    const downgraded = packages.filter((pkg) => pkg.provenance?.downgrade);
+    if (downgraded.length === 0) {
+        return;
+    }
+    out.write("\n");
+    for (const pkg of downgraded) {
+        const line = provenanceDowngradeLine(pkg.version, pkg.provenance);
+        out.write(`  ⚠ ${pkg.name}@${pkg.version}: ${line} (display only, verdict unchanged)\n`);
+    }
+}
+export async function runInstallPreflight(manager, binary, childArgs, env, cwd = process.cwd()) {
     if (manager !== "pip" || !binary) {
         return PROCEED;
     }
@@ -100,29 +168,74 @@ export async function runInstallPreflight(manager, binary, childArgs, env) {
     if (!set || set.length === 0) {
         return PROCEED;
     }
+    const cooldownContext = resolvePreflightCooldown(env);
     let verdicts;
     try {
-        verdicts = await analyzePackages(set.map((pkg) => ({ name: pkg.name, version: pkg.version })), { ecosystem: "pypi", env });
+        verdicts = await analyzePackages(set.map((pkg) => ({ name: pkg.name, version: pkg.version })), { ecosystem: "pypi", env, ...(cooldownContext ? { cooldown: cooldownContext.param } : {}) });
     }
     catch {
         return PROCEED;
     }
-    return decideFromVerdicts(verdicts.packages, defaultPromptIo());
+    return decideFromVerdicts(verdicts.packages, defaultPromptIo(), cooldownContext, resolvePreflightDecisions("pypi", cwd, env));
 }
-export async function decideFromVerdicts(packages, io) {
-    const flagged = packages.filter((pkg) => (pkg.action === "warn" || pkg.action === "block") && !isPreflightApproved({ name: pkg.name, version: pkg.version, action: pkg.action }));
-    if (flagged.length === 0 || !io.isTTY) {
+export async function decideFromVerdicts(packages, io, cooldownContext, decisions = null) {
+    if (io.isTTY) {
+        renderProvenanceDowngrades(packages, io.output);
+    }
+    const covered = [];
+    const entries = packages
+        .map((pkg) => {
+        const viaCooldown = isQuarantined(pkg, cooldownContext) && pkg.action !== "block";
+        const action = viaCooldown ? "block" : pkg.action ?? "pass";
+        return { pkg, action, viaCooldown };
+    })
+        .filter((entry) => {
+        if ((entry.action !== "warn" && entry.action !== "block")
+            || isPreflightApproved({ name: entry.pkg.name, version: entry.pkg.version, action: entry.action })) {
+            return false;
+        }
+        if (decisions && entry.action === "warn" && matchDecision(entry.pkg, decisions.ecosystem, decisions.file.decisions).acknowledged) {
+            covered.push(entry.pkg);
+            return false;
+        }
+        return true;
+    });
+    if (covered.length > 0 && io.isTTY) {
+        renderCoveredWarns(covered, decisions, io.output);
+        recordPreflightApprovals(covered.map((pkg) => ({ name: pkg.name, version: pkg.version, action: "warn" })));
+    }
+    if (entries.length === 0 || !io.isTTY) {
         return PROCEED;
     }
-    renderPreflight(flagged, io.output);
-    const hasBlock = flagged.some((pkg) => pkg.action === "block");
+    renderPreflight(entries, io.output);
+    const hasBlock = entries.some((entry) => entry.action === "block");
     const accepted = await promptPreflightYesNo(hasBlock ? "  Override and install anyway?" : "  Proceed?", io, false);
     if (!accepted) {
         return { proceed: false };
     }
-    recordPreflightApprovals(flagged.map((pkg) => ({ name: pkg.name, version: pkg.version, action: pkg.action ?? "warn" })));
+    recordPreflightApprovals(entries.map((entry) => ({ name: entry.pkg.name, version: entry.pkg.version, action: entry.action })));
+    if (!hasBlock && decisions) {
+        await offerRememberOnIo({
+            io,
+            file: decisions.file,
+            packages: entries
+                .filter((entry) => entry.action === "warn")
+                .map((entry) => ({ ecosystem: decisions.ecosystem, name: entry.pkg.name, version: entry.pkg.version, findings: entry.pkg.findings })),
+            acceptedBy: resolveAcceptedBy(decisions.root, decisions.env ?? process.env),
+            surface: "install preflight",
+            env: decisions.env ?? process.env
+        });
+    }
     return hasBlock ? { proceed: true, forceOverride: { force: true } } : PROCEED;
 }
+export function renderCoveredWarns(covered, decisions, out) {
+    for (const pkg of covered) {
+        const match = decisions ? matchDecision(pkg, decisions.ecosystem, decisions.file.decisions) : { acknowledged: false };
+        const who = match.acknowledged ? match.entry.acceptedBy : "dg.json";
+        const when = match.acknowledged && match.entry.acceptedAt ? ` on ${match.entry.acceptedAt.slice(0, 10)}` : "";
+        out.write(`  ⚠ ${packageKey(pkg.name, pkg.version)} warn previously accepted by ${who}${when} — see 'dg decisions'\n`);
+    }
+}
 export async function promptPreflightYesNo(question, io, defaultYes) {
     if (!io.isTTY) {
         return false;

package/dist/launcher/preflight-prompt.js

@@ -1,10 +1,13 @@
 import { analyzePackages } from "../api/analyze.js";
 import { isCiEnv } from "../presentation/mode.js";
+import { matchDecision } from "../decisions/apply.js";
+import { offerRememberOnIo } from "../decisions/remember-prompt.js";
 import { renderInstallDecision } from "../install-ui/block-render.js";
 import { defaultPromptIo } from "../install-ui/prompt.js";
+import { resolveAcceptedBy } from "../project/dgfile.js";
 import { enforceProtectedInstall } from "../proxy/enforcement.js";
 import { classifyPackageManagerInvocation, isSupportedPackageManager } from "./classify.js";
-import { actionRank, promptPreflightYesNo, recordPreflightApprovals } from "./install-preflight.js";
+import { actionRank, promptPreflightYesNo, recordPreflightApprovals, renderCoveredWarns, renderProvenanceDowngrades, resolvePreflightDecisions } from "./install-preflight.js";
 import { redactSecrets } from "./output-redaction.js";
 const ECOSYSTEM_BY_MANAGER = {
     npm: "npm",
@@ -38,25 +41,37 @@ export async function maybePreflightInstallPrompt(args, options = {}) {
     if (specs.length === 0) {
         return FALL_THROUGH;
     }
+    const decisions = options.decisionsCwd ? resolvePreflightDecisions(ecosystem, options.decisionsCwd, env) : null;
     const flagged = [];
+    const covered = [];
     try {
         const response = await (options.analyze ?? analyzePackages)(specs.map((spec) => ({ name: spec.name, version: spec.version })), { ecosystem, env });
+        renderProvenanceDowngrades(response.packages, io.output);
         for (const spec of specs) {
             const pkg = response.packages.find((entry) => entry.name === spec.name && entry.version === spec.version);
             const action = pkg?.action ?? "pass";
             if (action === "pass") {
                 continue;
             }
+            if (decisions && pkg && action === "warn" && matchDecision(pkg, decisions.ecosystem, decisions.file.decisions).acknowledged) {
+                covered.push(pkg);
+                continue;
+            }
             flagged.push({
                 action,
                 spec,
-                reason: pkg?.reasons[0] ?? pkg?.findings[0]?.title ?? "flagged by the scanner"
+                reason: pkg?.reasons[0] ?? pkg?.findings[0]?.title ?? "flagged by the scanner",
+                findings: pkg?.findings ?? []
             });
         }
     }
     catch {
         return FALL_THROUGH;
     }
+    if (covered.length > 0) {
+        renderCoveredWarns(covered, decisions, io.output);
+        recordPreflightApprovals(covered.map((pkg) => ({ name: pkg.name, version: pkg.version, action: "warn" })));
+    }
     const worst = flagged.reduce((top, entry) => (!top || actionRank(entry.action) > actionRank(top.action) ? entry : top), undefined);
     if (!worst) {
         return FALL_THROUGH;
@@ -97,6 +112,18 @@ export async function maybePreflightInstallPrompt(args, options = {}) {
     const proceed = await promptPreflightYesNo(`⚠ DG flagged ${label} (warn) — ${worst.reason}. Proceed?`, io, false);
     if (proceed) {
         recordPreflightApprovals(flagged.map(asFlaggedPackage));
+        if (decisions) {
+            await offerRememberOnIo({
+                io,
+                file: decisions.file,
+                packages: flagged
+                    .filter((entry) => entry.action === "warn")
+                    .map((entry) => ({ ecosystem, name: entry.spec.name, version: entry.spec.version, findings: entry.findings })),
+                acceptedBy: resolveAcceptedBy(decisions.root, env),
+                surface: "install preflight",
+                env
+            });
+        }
         return FALL_THROUGH;
     }
     return {

package/dist/launcher/run.js

@@ -16,6 +16,7 @@ import { cachedPipResolution } from "./install-preflight.js";
 import { parsePipReportInstallCount } from "./pip-report.js";
 import { createStreamRedactor, redactSecrets } from "./output-redaction.js";
 import { resolveRealBinary } from "./resolve-real-binary.js";
+import { runScriptGateAfterInstall } from "../scripts/gate.js";
 export const EXIT_INSTALL_BLOCKED = 2;
 const CMD_SCRIPT_PATTERN = /\.(cmd|bat)$/i;
 const CMD_META_CHARS = /([()\][%!^"`<>&|;, *?])/g;
@@ -129,7 +130,7 @@ export async function runPackageManager(manager, args, options = {}) {
         return {
             exitCode: child.exitCode,
             stdout: streamedOut(child.stdout, options),
-            stderr: `${rendered}${streamedErr(child.stderr, options)}`
+            stderr: `${rendered}${streamedErr(child.stderr, options)}${scriptGateLine(plan, child.exitCode, options)}`
         };
     }
     const child = await spawnPackageManager(plan, args, options);
@@ -195,7 +196,7 @@ async function runWithProductionProxy(plan, args, options) {
         return {
             exitCode: child.exitCode,
             stdout: streamedOut(child.stdout, options),
-            stderr: `${rendered}${streamedErr(child.stderr, options)}`
+            stderr: `${rendered}${streamedErr(child.stderr, options)}${scriptGateLine(plan, child.exitCode, options)}`
         };
     }
     finally {
@@ -203,6 +204,16 @@ async function runWithProductionProxy(plan, args, options) {
         stopProxyWorker(proxy);
     }
 }
+function scriptGateLine(plan, exitCode, options) {
+    if (exitCode !== 0) {
+        return "";
+    }
+    return runScriptGateAfterInstall({
+        classification: plan.classification,
+        env: options.env ?? process.env,
+        ...(options.projectDir ? { projectDir: options.projectDir } : {})
+    });
+}
 export function deriveLiveView(state, phase, resolvedTotal) {
     const verified = state.decisions.filter((decision) => decision.action === "pass").length;
     const warnDecisions = state.decisions.filter((decision) => decision.action === "warn");
@@ -331,7 +342,7 @@ export async function runWithProductionProxyLive(plan, args, options, onView) {
             const outcome = installOutcome(finished.stdout);
             return { exitCode: EXIT_INSTALL_BLOCKED, stdout: outcome, stderr: cacheOnlyNotice(outcome.length > 0) };
         }
-        return { exitCode: finished.exitCode, stdout: installOutcome(finished.stdout), stderr: "" };
+        return { exitCode: finished.exitCode, stdout: installOutcome(finished.stdout), stderr: scriptGateLine(plan, finished.exitCode, options) };
     }
     finally {
         restoreSignalHandlers();