@westbayberry/dg 2.0.11 → 2.1.0

package/dist/api/analyze.js

@@ -103,7 +103,8 @@ export async function analyzePackages(packages, options) {
         scanId: options.scanId ?? randomUUID(),
         fetchImpl: options.fetchImpl ?? fetch,
         timeoutMs: options.timeoutMs ?? DEFAULT_TIMEOUT_MS,
-        ...(options.signal ? { signal: options.signal } : {})
+        ...(options.signal ? { signal: options.signal } : {}),
+        ...(options.cooldown ? { cooldown: options.cooldown } : {})
     };
     const total = packages.length;
     const batches = [];
@@ -178,7 +179,7 @@ function delay(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
 async function analyzeBatch(context, batch, onBatchProgress) {
-    const { url, token, deviceId, scanId, fetchImpl, timeoutMs, signal } = context;
+    const { url, token, deviceId, scanId, fetchImpl, timeoutMs, signal, cooldown } = context;
     const controller = new AbortController();
     let timedOut = false;
     let silenceTimer;
@@ -207,7 +208,8 @@ async function analyzeBatch(context, batch, onBatchProgress) {
                 ...(token ? { Authorization: `Bearer ${token}` } : {})
             },
             body: JSON.stringify({
-                packages: batch.map((entry) => ({ name: entry.name, version: entry.version }))
+                packages: batch.map((entry) => ({ name: entry.name, version: entry.version })),
+                ...(cooldown ? { cooldown } : {})
             }),
             signal: controller.signal
         });

package/dist/bin/dg.js

@@ -53,7 +53,7 @@ else if (audit.handled) {
     writeCliResult(audit.result);
 }
 else {
-    const preflight = await maybePreflightInstallPrompt(args);
+    const preflight = await maybePreflightInstallPrompt(args, { decisionsCwd: process.cwd() });
     if (preflight.handled) {
         writeCliResult(preflight.result);
     }

package/dist/commands/completion.js

@@ -2,7 +2,7 @@ import { commandCatalog } from "./router.js";
 import { packageManagerCommandNames } from "./wrap.js";
 import { EXIT_USAGE } from "./types.js";
 const SHELLS = ["bash", "zsh", "fish"];
-const COMMON_FLAGS = ["--help", "--version", "--json", "--sarif", "--output", "--yes", "--check", "--staged", "--dg-force-install"];
+const COMMON_FLAGS = ["--help", "--version", "--json", "--sarif", "--output", "--yes", "--check", "--staged", "--no-decisions", "--dg-force-install"];
 const FISH_FLAG_DESCRIPTIONS = {
     "--help": "Show help",
     "--version": "Show version",
@@ -12,6 +12,7 @@ const FISH_FLAG_DESCRIPTIONS = {
     "--yes": "Apply a confirmed mutation",
     "--check": "Report without mutating",
     "--staged": "Limit to staged files",
+    "--no-decisions": "Ignore dg.json decision memory",
     "--dg-force-install": "Install despite a block, where policy allows"
 };
 function completionCommands() {

package/dist/commands/config.js

@@ -6,13 +6,21 @@ export const configCommand = {
     usage: "dg config <get|set|unset|list> [key] [value] [--json]",
     args: [
         { name: "<action>", summary: "list | get <key> | set <key> <value> | unset <key>." },
-        { name: "[key]", summary: "e.g. policy.mode, gitHook.onWarn, gitHook.onIncomplete, api.baseUrl." }
+        { name: "[key]", summary: "e.g. policy.mode, gitHook.onWarn, cooldown.age, cooldown.exempt, api.baseUrl." }
     ],
     flags: [{ flag: "--json", summary: "Machine-readable output for list/get." }],
-    examples: ["dg config list", "dg config get policy.mode", "dg config set gitHook.onWarn allow", "dg config unset api.baseUrl"],
+    examples: [
+        "dg config list",
+        "dg config get policy.mode",
+        "dg config set gitHook.onWarn allow",
+        "dg config set cooldown.age 7d",
+        "dg config set cooldown.exempt '@myorg/*,typescript'",
+        "dg config unset api.baseUrl"
+    ],
     details: [
         "Reads and writes user-global dg configuration only.",
-        "Project-local config and allowlists remain untrusted for install-time firewall enforcement by default."
+        "Project-local config and allowlists remain untrusted for install-time firewall enforcement by default.",
+        "cooldown.age quarantines registry releases younger than the window on new installs (default 24h; 0 disables; per-ecosystem overrides via cooldown.npm.age / cooldown.pypi.age / cooldown.cargo.age; DG_COOLDOWN_AGE overrides for CI)."
     ],
     handler: (context) => configHandler(context.args)
 };

package/dist/commands/decisions.js

@@ -0,0 +1,155 @@
+import { recordDecisionEvents } from "../decisions/remember-prompt.js";
+import { packageKey } from "../decisions/apply.js";
+import { findProjectRoot, loadDgFile, removeDecisions, saveDgFile } from "../project/dgfile.js";
+import { EXIT_USAGE } from "./types.js";
+export const decisionsCommand = {
+    name: "decisions",
+    summary: "List or revoke remembered warn acceptances stored in dg.json.",
+    usage: "dg decisions [list] [--json] | dg decisions revoke <id|name[@version]>",
+    subcommands: [
+        { name: "list", summary: "Show every remembered acceptance (default).", usage: "dg decisions list [--json]", details: [], handler: () => unreachable() },
+        { name: "revoke", summary: "Remove an acceptance by id prefix, name, or name@version.", usage: "dg decisions revoke <id|name[@version]>", details: [], handler: () => unreachable() }
+    ],
+    flags: [{ flag: "--json", summary: "Machine-readable listing." }],
+    examples: ["dg decisions", "dg decisions list --json", "dg decisions revoke left-pad@1.3.0"],
+    details: [
+        "Acceptances live in dg.json at the git root and only ever soften how an acknowledged warn is presented — a block verdict is never suppressible. Revoking makes the warn surface again on the next scan."
+    ],
+    handler: (context) => runDecisionsCommand(context)
+};
+function unreachable() {
+    throw new Error("subcommand handled by the decisions router");
+}
+export function runDecisionsCommand(context, cwd = process.cwd(), env = process.env) {
+    const [first, ...rest] = context.args;
+    if (first === undefined || first === "list" || first === "--json") {
+        const json = first === "--json" || rest.includes("--json");
+        const extras = (first === undefined || first === "--json" ? [] : rest).filter((arg) => arg !== "--json");
+        if (extras.length > 0) {
+            return usage(`unexpected argument '${extras[0]}'`);
+        }
+        return listDecisions(cwd, env, json);
+    }
+    if (first === "revoke") {
+        const [selector, ...extra] = rest;
+        if (!selector || extra.length > 0) {
+            return usage("revoke takes exactly one <id|name[@version]>");
+        }
+        return revokeDecisions(selector, cwd, env);
+    }
+    return usage(`unknown subcommand '${first}'`);
+}
+function listDecisions(cwd, env, json) {
+    const located = locateDgFile(cwd, env);
+    if ("error" in located) {
+        return located.error;
+    }
+    const file = located.file;
+    if (json) {
+        return {
+            exitCode: 0,
+            stdout: `${JSON.stringify({ path: file.path, decisions: file.decisions.map((entry) => entryJson(entry)) }, null, 2)}\n`,
+            stderr: ""
+        };
+    }
+    if (file.decisions.length === 0) {
+        return { exitCode: 0, stdout: `No remembered acceptances in ${file.path}.\n`, stderr: "" };
+    }
+    const rows = file.decisions.map((entry) => [
+        entry.id.slice(0, 8),
+        `${entry.ecosystem}:${entry.name}@${scopeLabel(entry)}`,
+        findingsLabel(entry),
+        entry.acceptedBy,
+        entry.acceptedAt.slice(0, 10) || "-",
+        entry.expiresAt ? entry.expiresAt.slice(0, 10) : "-",
+        isExpired(entry) ? "expired" : "active"
+    ]);
+    const header = ["ID", "PACKAGE", "ACCEPTED FINDINGS", "BY", "WHEN", "EXPIRES", "STATUS"];
+    const widths = header.map((label, column) => Math.max(label.length, ...rows.map((row) => row[column]?.length ?? 0)));
+    const renderRow = (row) => row.map((cell, column) => cell.padEnd(widths[column] ?? 0)).join("  ").trimEnd();
+    const lines = [
+        `Remembered acceptances in ${file.path} (warns only — blocks are never suppressible):`,
+        "",
+        renderRow(header),
+        ...rows.map(renderRow),
+        "",
+        `Revoke with: dg decisions revoke <id|name[@version]>`
+    ];
+    return { exitCode: 0, stdout: `${lines.join("\n")}\n`, stderr: "" };
+}
+function revokeDecisions(selector, cwd, env) {
+    const located = locateDgFile(cwd, env);
+    if ("error" in located) {
+        return located.error;
+    }
+    const file = located.file;
+    const matched = file.decisions.filter((entry) => matchesSelector(entry, selector));
+    if (matched.length === 0) {
+        return { exitCode: 1, stdout: "", stderr: `dg decisions: nothing matches '${selector}' in ${file.path}.\n` };
+    }
+    saveDgFile(removeDecisions(file, new Set(matched.map((entry) => entry.id))));
+    recordDecisionEvents("decision.revoked", matched.map((entry) => `${entry.ecosystem}:${packageKey(entry.name, scopeLabel(entry))}`), `revoked via dg decisions (${selector})`, env);
+    const lines = matched.map((entry) => `Revoked ${entry.ecosystem}:${entry.name}@${scopeLabel(entry)} (${entry.id.slice(0, 8)}) — the warn will surface again.`);
+    return { exitCode: 0, stdout: `${lines.join("\n")}\n`, stderr: "" };
+}
+function locateDgFile(cwd, env) {
+    const root = findProjectRoot(cwd, env);
+    if (!root) {
+        return { error: { exitCode: EXIT_USAGE, stdout: "", stderr: "dg decisions: not inside a git repository.\n" } };
+    }
+    const file = loadDgFile(root);
+    if (!file.exists) {
+        return { error: { exitCode: 0, stdout: `No dg.json at ${root} — nothing remembered yet.\n`, stderr: "" } };
+    }
+    if (!file.readable) {
+        return { error: { exitCode: 1, stdout: "", stderr: `dg decisions: cannot use ${file.path} — ${file.failure ?? "unreadable"}.\n` } };
+    }
+    return { file };
+}
+function matchesSelector(entry, selector) {
+    if (selector.length >= 4 && entry.id.startsWith(selector)) {
+        return true;
+    }
+    const at = selector.lastIndexOf("@");
+    if (at > 0) {
+        const name = selector.slice(0, at);
+        const version = selector.slice(at + 1);
+        return entry.name === name && entry.scope.kind === "exact" && entry.scope.version === version;
+    }
+    return entry.name === selector;
+}
+function scopeLabel(entry) {
+    return entry.scope.kind === "exact" ? entry.scope.version : "*";
+}
+function findingsLabel(entry) {
+    const pairs = Object.entries(entry.findings).map(([category, severity]) => `${category}:${severity}`);
+    return pairs.length > 0 ? pairs.sort().join(",") : "(action-only warn)";
+}
+function isExpired(entry) {
+    if (!entry.expiresAt) {
+        return false;
+    }
+    const expiry = Date.parse(entry.expiresAt);
+    return !Number.isFinite(expiry) || expiry <= Date.now();
+}
+function entryJson(entry) {
+    return {
+        id: entry.id,
+        ecosystem: entry.ecosystem,
+        name: entry.name,
+        scope: entry.scope,
+        findings: entry.findings,
+        reason: entry.reason,
+        acceptedBy: entry.acceptedBy,
+        acceptedAt: entry.acceptedAt,
+        ...(entry.expiresAt ? { expiresAt: entry.expiresAt } : {}),
+        status: isExpired(entry) ? "expired" : "active"
+    };
+}
+function usage(message) {
+    return {
+        exitCode: EXIT_USAGE,
+        stdout: "",
+        stderr: `dg decisions: ${message}. Usage: ${decisionsCommand.usage}\n`
+    };
+}

package/dist/commands/explain.js

@@ -3,7 +3,11 @@ import { closestCommand } from "./suggest.js";
 export const EXPLANATIONS = {
     "npm-lifecycle-script": {
         what: "The package declares an install lifecycle script (preinstall/install/postinstall/prepare) that runs arbitrary code on your machine during 'npm install'.",
-        next: "Review the script in the package source. Prefer a version without install scripts, or install with --ignore-scripts."
+        next: "Review the script in the package source and prefer a version without install scripts. Raw --ignore-scripts also skips your own project's lifecycle and leaves native modules unbuilt (recover with 'npm rebuild <pkg>'); see 'dg explain script-gate' for how dg tracks this layer."
+    },
+    "script-gate": {
+        what: "dg watches protected npm and yarn-classic installs and reports which installed packages ran install lifecycle scripts (preinstall/install/postinstall or an implicit node-gyp build) — the layer most npm supply-chain attacks execute through. Observe mode reports without blocking; when a dg.json exists at the project root the observations are recorded under scriptApprovals.observed. pnpm already blocks dependency build scripts natively ('pnpm approve-builds'); pip has no install-script analog, so there is nothing to gate there.",
+        next: "Review the reported packages. Per-package script approvals with dg.json persistence and 'npm rebuild' recovery ship in an upcoming release; 'dg config set scriptGate.mode off' silences the report."
     },
     "unverified-network-dependency": {
         what: "A dependency is fetched from a raw URL (http/git) instead of the registry, so it has no registry identity or integrity to verify.",
@@ -67,7 +71,7 @@ export const EXPLANATIONS = {
     },
     lifecycle: {
         what: "The scanner flagged an install lifecycle script (preinstall/install/postinstall) that runs arbitrary code during install.",
-        next: "Review the script in the package source, or install with --ignore-scripts."
+        next: "Review the script in the package source before installing; see 'dg explain script-gate' for how dg tracks install scripts and why raw --ignore-scripts has no recovery story."
     },
     "install-script": {
         what: "The scanner found an install-time script in this package that executes code on your machine during install.",

package/dist/commands/router.js

@@ -1,6 +1,7 @@
 import { configCommand } from "./config.js";
 import { completionCommand } from "./completion.js";
 import { auditCommand } from "./audit.js";
+import { decisionsCommand } from "./decisions.js";
 import { doctorCommand } from "./doctor.js";
 import { explainCommand } from "./explain.js";
 import { guardCommitCommand } from "./guard-commit.js";
@@ -24,6 +25,7 @@ export const commandCatalog = [
     verifyCommand,
     setupCommand,
     guardCommitCommand,
+    decisionsCommand,
     uninstallCommand,
     doctorCommand,
     statusCommand,

package/dist/commands/scan.js

@@ -8,7 +8,8 @@ export const scanCommand = {
         { flag: "--json", summary: "Machine-readable JSON report." },
         { flag: "--sarif", summary: "SARIF report for code-scanning tools." },
         { flag: "--output", value: "<path>", summary: "Write the report to a file instead of stdout (alias -o)." },
-        { flag: "--staged", summary: "Scan only the git-staged lockfile changes (what dg guard-commit runs)." }
+        { flag: "--staged", summary: "Scan only the git-staged lockfile changes (what dg guard-commit runs)." },
+        { flag: "--no-decisions", summary: "Ignore acceptances remembered in dg.json (see dg decisions)." }
     ],
     examples: ["dg scan", "dg scan ./packages/api", "dg scan --json -o scan.json", "dg scan --staged"],
     details: [

package/dist/commands/status.js

@@ -3,6 +3,7 @@ import { envAuthToken } from "../auth/env-token.js";
 import { fetchAccountStatus } from "../auth/device-login.js";
 import { formatUsage } from "../scan-ui/format-helpers.js";
 import { loadUserConfig } from "../config/settings.js";
+import { describeCooldownSettings } from "../policy/cooldown.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { createTheme } from "../presentation/theme.js";
 import { currentShellActivation, doctorReport } from "../setup/plan.js";
@@ -49,14 +50,15 @@ async function buildStatusReport(io) {
     const checks = doctorReport().checks;
     const checkPassed = (name) => checks.find((check) => check.name === name)?.status === "pass";
     const auth = safeAuthStatus();
-    const policy = loadUserConfig().policy;
+    const config = loadUserConfig();
     return {
         account: auth,
         usage: await fetchStatusUsage(auth.connected, io),
         protection: { shims: checkPassed("shims"), path: checkPassed("path"), configured: checkPassed("shell-rc") },
         reloadHint: currentShellActivation(),
         commitGuard: safeCommitGuard(),
-        policy: { mode: policy.mode, trustProjectAllowlists: policy.trustProjectAllowlists }
+        policy: { mode: config.policy.mode, trustProjectAllowlists: config.policy.trustProjectAllowlists },
+        cooldown: describeCooldownSettings(config, process.env)
     };
 }
 async function fetchStatusUsage(connected, io) {
@@ -123,6 +125,7 @@ function renderStatus(report, theme) {
         lines.push(`  Commit guard ${guard}`);
     }
     lines.push(`  Policy       ${report.policy.mode} mode; project allowlists ${report.policy.trustProjectAllowlists ? "trusted" : "untrusted"}`);
+    lines.push(`  Cooldown     ${report.cooldown === "off" ? "off — new releases install immediately" : `${report.cooldown} release-age gate on new installs`}`);
     lines.push("");
     lines.push(`Full diagnostics: ${theme.paint("accent", "dg doctor")}`);
     return `${lines.join("\n")}\n`;

package/dist/config/settings.js

@@ -1,6 +1,6 @@
-import { existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
-import { randomUUID } from "node:crypto";
-import { dirname, join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { writeJsonAtomic } from "../util/json-file.js";
 import { acquireLockSyncWithRetry, resolveDgPaths } from "../state/index.js";
 export const CONFIG_KEYS = Object.freeze([
     "api.baseUrl",
@@ -9,8 +9,16 @@ export const CONFIG_KEYS = Object.freeze([
     "policy.trustProjectAllowlists",
     "policy.allowForceOverride",
     "policy.scriptHardening",
+    "scriptGate.mode",
+    "scriptGate.observe",
     "gitHook.onWarn",
     "gitHook.onIncomplete",
+    "cooldown.age",
+    "cooldown.npm.age",
+    "cooldown.pypi.age",
+    "cooldown.cargo.age",
+    "cooldown.onUnknown",
+    "cooldown.exempt",
     "audit.upload",
     "telemetry.enabled",
     "webhooks.enabled"
@@ -29,10 +37,22 @@ export const DEFAULT_CONFIG = Object.freeze({
         allowForceOverride: true,
         scriptHardening: false
     },
+    scriptGate: {
+        mode: "observe",
+        observe: false
+    },
     gitHook: {
         onWarn: "prompt",
         onIncomplete: "allow"
     },
+    cooldown: {
+        age: "24h",
+        npmAge: "",
+        pypiAge: "",
+        cargoAge: "",
+        onUnknown: "allow",
+        exempt: ""
+    },
     audit: {
         upload: false
     },
@@ -113,12 +133,36 @@ export function getConfigValue(config, key) {
     if (key === "policy.scriptHardening") {
         return String(config.policy.scriptHardening);
     }
+    if (key === "scriptGate.mode") {
+        return config.scriptGate.mode;
+    }
+    if (key === "scriptGate.observe") {
+        return String(config.scriptGate.observe);
+    }
     if (key === "gitHook.onWarn") {
         return config.gitHook.onWarn;
     }
     if (key === "gitHook.onIncomplete") {
         return config.gitHook.onIncomplete;
     }
+    if (key === "cooldown.age") {
+        return config.cooldown.age;
+    }
+    if (key === "cooldown.npm.age") {
+        return config.cooldown.npmAge;
+    }
+    if (key === "cooldown.pypi.age") {
+        return config.cooldown.pypiAge;
+    }
+    if (key === "cooldown.cargo.age") {
+        return config.cooldown.cargoAge;
+    }
+    if (key === "cooldown.onUnknown") {
+        return config.cooldown.onUnknown;
+    }
+    if (key === "cooldown.exempt") {
+        return config.cooldown.exempt;
+    }
     if (key === "audit.upload") {
         return String(config.audit.upload);
     }
@@ -168,6 +212,24 @@ export function setConfigValue(config, key, rawValue) {
     if (key === "policy.scriptHardening") {
         return withPolicyBoolean(config, "scriptHardening", rawValue);
     }
+    if (key === "scriptGate.mode") {
+        return {
+            ...config,
+            scriptGate: {
+                ...config.scriptGate,
+                mode: parseScriptGateMode(rawValue)
+            }
+        };
+    }
+    if (key === "scriptGate.observe") {
+        return {
+            ...config,
+            scriptGate: {
+                ...config.scriptGate,
+                observe: parseBoolean(rawValue, key)
+            }
+        };
+    }
     if (key === "gitHook.onWarn") {
         return {
             ...config,
@@ -186,6 +248,24 @@ export function setConfigValue(config, key, rawValue) {
             }
         };
     }
+    if (key === "cooldown.age") {
+        return withCooldown(config, { age: parseCooldownAge(rawValue, key, false) });
+    }
+    if (key === "cooldown.npm.age") {
+        return withCooldown(config, { npmAge: parseCooldownAge(rawValue, key, true) });
+    }
+    if (key === "cooldown.pypi.age") {
+        return withCooldown(config, { pypiAge: parseCooldownAge(rawValue, key, true) });
+    }
+    if (key === "cooldown.cargo.age") {
+        return withCooldown(config, { cargoAge: parseCooldownAge(rawValue, key, true) });
+    }
+    if (key === "cooldown.onUnknown") {
+        return withCooldown(config, { onUnknown: parseCooldownOnUnknown(rawValue) });
+    }
+    if (key === "cooldown.exempt") {
+        return withCooldown(config, { exempt: parseCooldownExempt(rawValue) });
+    }
     if (key === "audit.upload") {
         return {
             ...config,
@@ -225,10 +305,13 @@ function normalizeConfig(raw) {
     const api = fieldObject(raw, "api");
     const org = fieldObject(raw, "org");
     const policy = fieldObject(raw, "policy");
+    const scriptGate = fieldObject(raw, "scriptGate");
     const gitHook = fieldObject(raw, "gitHook");
+    const cooldown = fieldObject(raw, "cooldown");
     const audit = fieldObject(raw, "audit");
     const telemetry = fieldObject(raw, "telemetry");
     const webhooks = fieldObject(raw, "webhooks");
+    const scriptHardening = fieldBoolean(policy, "policy.scriptHardening", "scriptHardening") ?? DEFAULT_CONFIG.policy.scriptHardening;
     return {
         version: 1,
         api: {
@@ -241,12 +324,24 @@ function normalizeConfig(raw) {
             mode: parsePolicyMode(fieldString(policy, "policy.mode", "mode") ?? DEFAULT_CONFIG.policy.mode),
             trustProjectAllowlists: fieldBoolean(policy, "policy.trustProjectAllowlists", "trustProjectAllowlists") ?? DEFAULT_CONFIG.policy.trustProjectAllowlists,
             allowForceOverride: fieldBoolean(policy, "policy.allowForceOverride", "allowForceOverride") ?? DEFAULT_CONFIG.policy.allowForceOverride,
-            scriptHardening: fieldBoolean(policy, "policy.scriptHardening", "scriptHardening") ?? DEFAULT_CONFIG.policy.scriptHardening
+            scriptHardening
+        },
+        scriptGate: {
+            mode: parseScriptGateMode(fieldString(scriptGate, "scriptGate.mode", "mode") ?? (scriptHardening ? "enforce" : DEFAULT_CONFIG.scriptGate.mode)),
+            observe: fieldBoolean(scriptGate, "scriptGate.observe", "observe") ?? DEFAULT_CONFIG.scriptGate.observe
         },
         gitHook: {
             onWarn: parseOnWarn(fieldString(gitHook, "gitHook.onWarn", "onWarn") ?? DEFAULT_CONFIG.gitHook.onWarn),
             onIncomplete: parseOnIncomplete(fieldString(gitHook, "gitHook.onIncomplete", "onIncomplete") ?? DEFAULT_CONFIG.gitHook.onIncomplete)
         },
+        cooldown: {
+            age: parseCooldownAge(fieldString(cooldown, "cooldown.age", "age") ?? DEFAULT_CONFIG.cooldown.age, "cooldown.age", false),
+            npmAge: parseCooldownAge(fieldString(cooldown, "cooldown.npm.age", "npmAge") ?? DEFAULT_CONFIG.cooldown.npmAge, "cooldown.npm.age", true),
+            pypiAge: parseCooldownAge(fieldString(cooldown, "cooldown.pypi.age", "pypiAge") ?? DEFAULT_CONFIG.cooldown.pypiAge, "cooldown.pypi.age", true),
+            cargoAge: parseCooldownAge(fieldString(cooldown, "cooldown.cargo.age", "cargoAge") ?? DEFAULT_CONFIG.cooldown.cargoAge, "cooldown.cargo.age", true),
+            onUnknown: parseCooldownOnUnknown(fieldString(cooldown, "cooldown.onUnknown", "onUnknown") ?? DEFAULT_CONFIG.cooldown.onUnknown),
+            exempt: parseCooldownExempt(fieldString(cooldown, "cooldown.exempt", "exempt") ?? DEFAULT_CONFIG.cooldown.exempt)
+        },
         audit: {
             upload: fieldBoolean(audit, "audit.upload", "upload") ?? DEFAULT_CONFIG.audit.upload
         },
@@ -321,6 +416,12 @@ function parsePolicyMode(value) {
     }
     throw new ConfigError("policy.mode must be one of: off, warn, block, strict");
 }
+function parseScriptGateMode(value) {
+    if (value === "observe" || value === "enforce" || value === "off") {
+        return value;
+    }
+    throw new ConfigError("scriptGate.mode must be one of: observe, enforce, off");
+}
 function parseOnWarn(value) {
     if (value === "prompt" || value === "allow" || value === "block") {
         return value;
@@ -333,6 +434,45 @@ function parseOnIncomplete(value) {
     }
     throw new ConfigError("gitHook.onIncomplete must be one of: allow, block");
 }
+const COOLDOWN_AGE_RE = /^([1-9]\d{0,3})(h|d)$/;
+const COOLDOWN_EXEMPT_ENTRY_RE = /^[@A-Za-z0-9][@A-Za-z0-9._/-]*\*?$/;
+export function parseCooldownAge(value, field, allowEmpty) {
+    const trimmed = value.trim();
+    if (trimmed === "" && allowEmpty) {
+        return "";
+    }
+    if (trimmed === "0" || trimmed === "off") {
+        return "0";
+    }
+    if (COOLDOWN_AGE_RE.test(trimmed)) {
+        return trimmed;
+    }
+    throw new ConfigError(`${field} must be a duration like 24h or 7d, or 0 to disable${allowEmpty ? ", or empty to inherit cooldown.age" : ""}`);
+}
+function parseCooldownOnUnknown(value) {
+    if (value === "allow" || value === "block") {
+        return value;
+    }
+    throw new ConfigError("cooldown.onUnknown must be one of: allow, block");
+}
+function parseCooldownExempt(value) {
+    const entries = value.split(",").map((entry) => entry.trim()).filter(Boolean);
+    for (const entry of entries) {
+        if (!COOLDOWN_EXEMPT_ENTRY_RE.test(entry)) {
+            throw new ConfigError(`cooldown.exempt entry '${entry}' is not a valid package name or pattern (use names or globs like @org/*)`);
+        }
+    }
+    return entries.join(",");
+}
+function withCooldown(config, patch) {
+    return {
+        ...config,
+        cooldown: {
+            ...config.cooldown,
+            ...patch
+        }
+    };
+}
 function parseBoolean(value, field) {
     if (value === "true") {
         return true;
@@ -359,24 +499,3 @@ function parseUrl(value) {
         throw new ConfigError("api.baseUrl must be an absolute URL");
     }
 }
-function writeJsonAtomic(path, value) {
-    mkdirSync(dirname(path), {
-        recursive: true,
-        mode: 0o700
-    });
-    const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
-    try {
-        writeFileSync(tempPath, `${JSON.stringify(value, null, 2)}\n`, {
-            encoding: "utf8",
-            flag: "wx",
-            mode: 0o600
-        });
-        renameSync(tempPath, path);
-    }
-    catch (error) {
-        rmSync(tempPath, {
-            force: true
-        });
-        throw error;
-    }
-}