@westbayberry/dg 2.0.11 → 2.1.0

package/dist/scan/render.js

@@ -21,17 +21,23 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
     const cleanProjects = report.projects.filter((project) => project.findings.length === 0);
     const findingProjects = report.projects.filter((project) => project.findings.length > 0);
     const shouldCollapseProjects = report.projects.length > DETAIL_PROJECT_LIMIT;
+    const acknowledgedCount = report.decisions?.acknowledgedCount ?? 0;
+    const activeFindings = report.findings.filter((finding) => !finding.acknowledged);
     const lines = [
         "Dependency Guardian scan",
         `Target: ${report.target}`,
         `Scanning: checked ${report.summary.projectCount} project manifest${report.summary.projectCount === 1 ? "" : "s"}.`,
-        `Status: ${theme.paint(SCAN_STATUS_ROLE[report.status], displayScanStatus(report))}`,
+        `Status: ${paintEffectiveStatus(report, theme)}`,
         `Projects: ${report.summary.projectCount}`,
         `Dependencies: ${report.summary.dependencyCount}`,
-        `Findings: ${report.summary.findingCount} (${report.summary.warnCount} warn, ${report.summary.blockCount} block)`,
+        `Findings: ${report.summary.findingCount} (${report.summary.warnCount} warn, ${report.summary.blockCount} block)${acknowledgedCount > 0 ? ` · ${acknowledgedCount} acknowledged` : ""}`,
+        ...(acknowledgedCount > 0
+            ? [`Acknowledged: ${acknowledgedCount} warn verdict${acknowledgedCount === 1 ? "" : "s"} accepted in dg.json — run 'dg decisions' to review`]
+            : []),
         ...(report.scanner
             ? [`Scanner: score ${report.scanner.score}, ${report.scanner.packages.length} packages verified`]
             : []),
+        ...(report.scanner ? provenanceDowngradeLines(report.scanner.packages, theme) : []),
         ""
     ];
     if (report.scannerError) {
@@ -52,7 +58,7 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
     }
     if (findingProjects.length > 0) {
         lines.push("Finding groups:");
-        for (const group of groupFindings(report.findings)) {
+        for (const group of groupFindings(activeFindings)) {
             const severityLabel = theme.paint(group.severity === "block" ? "block" : "warn", group.severity.toUpperCase());
             lines.push(`  ${severityLabel} ${group.id}: ${group.count} finding${group.count === 1 ? "" : "s"} across ${group.projectCount} project${group.projectCount === 1 ? "" : "s"}`);
             for (const finding of group.examples) {
@@ -94,6 +100,21 @@ export function renderTextReport(report, terminalWidth = terminalWidthFromEnv(),
     }
     return `${lines.join("\n").replace(/\n{3,}/g, "\n\n").trimEnd()}\n`;
 }
+function provenanceDowngradeLines(packages, theme) {
+    return packages
+        .filter((pkg) => pkg.provenance?.downgrade)
+        .map((pkg) => theme.paint("warn", `Provenance downgrades: ${pkg.name}@${pkg.version} (was attested at ${pkg.provenance.downgrade.fromVersion})`));
+}
+function paintEffectiveStatus(report, theme) {
+    if (report.scanner && report.decisions && !report.scannerError) {
+        const action = report.decisions.effectiveAction;
+        if (action === "analysis_incomplete") {
+            return theme.paint("unknown", "analysis_incomplete");
+        }
+        return theme.paint(SCAN_STATUS_ROLE[action], action);
+    }
+    return theme.paint(SCAN_STATUS_ROLE[report.status], displayScanStatus(report));
+}
 function formatProject(project, width) {
     const lines = [];
     const version = project.version ? `@${project.version}` : "";
@@ -154,7 +175,17 @@ export function renderSarifReport(report) {
                                 }
                             }
                         }
-                    ]
+                    ],
+                    ...(finding.acknowledged
+                        ? {
+                            suppressions: [
+                                {
+                                    kind: "external",
+                                    justification: finding.acknowledged.reason || `accepted by ${finding.acknowledged.by}`
+                                }
+                            ]
+                        }
+                        : {})
                 }))
             }
         ]

package/dist/scan/scanner-report.js

@@ -3,6 +3,7 @@ import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import { resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { applyDecisions, packageKey } from "../decisions/apply.js";
 import { sanitize } from "../security/sanitize.js";
 import { collectScanPackages, discoverScanProjects } from "./collect.js";
 const WORKER_TIMEOUT_BASE_MS = 180_000;
@@ -12,7 +13,7 @@ const WORKER_MAX_BUFFER = 64 * 1024 * 1024;
 export function scanWorkerTimeoutMs(packageCount) {
     return WORKER_TIMEOUT_BASE_MS + packageCount * Math.ceil(SERVER_PER_PACKAGE_WORST_CASE_MS / SERVER_SCAN_CONCURRENCY);
 }
-export function runScannerScan(targetPath, localReport, env = process.env) {
+export function runScannerScan(targetPath, localReport, env = process.env, decisionsFile = null) {
     const projects = discoverScanProjects(resolve(targetPath));
     if (projects.length === 0) {
         return { kind: "skipped", reason: "no_lockfiles" };
@@ -58,12 +59,38 @@ export function runScannerScan(targetPath, localReport, env = process.env) {
             error: { kind: "invalid_response", message: "scanner worker returned unreadable output" }
         };
     }
-    return { kind: "report", report: buildScannerReport(localReport, response, total) };
+    const report = buildScannerReport(localReport, response, total);
+    if (!decisionsFile?.readable) {
+        return { kind: "report", report };
+    }
+    const ecosystems = new Map();
+    for (const group of groups) {
+        for (const pkg of group.packages) {
+            ecosystems.set(packageKey(pkg.name, pkg.version), group.ecosystem);
+        }
+    }
+    return { kind: "report", report: annotateReportWithDecisions(report, decisionsFile, ecosystems) };
 }
-export function tryScannerScan(targetPath, localReport, env = process.env) {
-    const outcome = runScannerScan(targetPath, localReport, env);
+export function tryScannerScan(targetPath, localReport, env = process.env, decisionsFile = null) {
+    const outcome = runScannerScan(targetPath, localReport, env, decisionsFile);
     return outcome.kind === "report" ? outcome.report : null;
 }
+export function annotateReportWithDecisions(report, decisionsFile, ecosystems) {
+    if (!report.scanner || !decisionsFile.readable) {
+        return report;
+    }
+    const applied = applyDecisions(report.scanner.packages, (pkg) => ecosystems.get(packageKey(pkg.name, pkg.version)), decisionsFile, report.scanner.action);
+    const findings = report.findings.map((finding) => {
+        const acknowledged = applied.packages[finding.location]?.acknowledged;
+        return acknowledged && finding.severity === "warn" ? { ...finding, acknowledged } : finding;
+    });
+    return {
+        ...report,
+        findings,
+        summary: { ...report.summary, acknowledgedCount: applied.acknowledgedCount },
+        decisions: applied
+    };
+}
 export function workerFailure(worker, timeoutMs, packageCount) {
     if (worker.error?.code === "ETIMEDOUT") {
         return {

package/dist/scan/staged.js

@@ -4,6 +4,9 @@ import { basename, dirname, isAbsolute, join, relative, resolve, sep } from "nod
 import { createTheme } from "../presentation/theme.js";
 import { resolvePresentation } from "../presentation/mode.js";
 import { loadUserConfig } from "../config/settings.js";
+import { offerRememberSync } from "../decisions/remember-prompt.js";
+import { packageKey } from "../decisions/apply.js";
+import { loadDgFile, resolveAcceptedBy, warnUnreadableDgFile } from "../project/dgfile.js";
 import { gitSync, gitTrimmed } from "../util/git.js";
 import { promptYesNo } from "../util/tty-prompt.js";
 import { GUARD_SELFTEST_ENV } from "../setup/git-hook.js";
@@ -85,16 +88,21 @@ export function runStagedScan(options) {
     if (scoped.length === 0) {
         return { exitCode: 0, stdout: "", stderr: "" };
     }
+    const dgFile = options.useDecisions === false ? null : loadDgFile(root);
+    if (dgFile) {
+        warnUnreadableDgFile(dgFile);
+    }
+    const usableDgFile = dgFile?.readable ? dgFile : null;
     const { dir, count } = materializeStaged(scoped, cwd, env);
     try {
         if (count === 0) {
             return failOpen(theme, "could not read the staged lockfile contents");
         }
-        const report = tryScannerScan(dir, emptyLocalReport(dir), env);
+        const report = tryScannerScan(dir, emptyLocalReport(dir), env, usableDgFile);
         if (!report || !report.scanner) {
             return failOpen(theme, "could not reach the scanner");
         }
-        return decideStagedVerdict(report, env, options.hook);
+        return decideStagedVerdict(report, env, options.hook, usableDgFile ? { root, file: usableDgFile } : undefined);
     }
     finally {
         rmSync(dir, { recursive: true, force: true });
@@ -119,12 +127,16 @@ export function stagedScanReport(options) {
     if (scoped.length === 0) {
         return { report: base, outcome: { kind: "skipped", reason: "no_lockfiles" } };
     }
+    const dgFile = options.useDecisions === false ? null : loadDgFile(root);
+    if (dgFile) {
+        warnUnreadableDgFile(dgFile);
+    }
     const { dir, count } = materializeStaged(scoped, cwd, env);
     try {
         if (count === 0) {
             return { report: base, outcome: { kind: "failed", error: { kind: "worker", message: "could not read the staged lockfile contents" } } };
         }
-        return { report: base, outcome: runScannerScan(dir, base, env) };
+        return { report: base, outcome: runScannerScan(dir, base, env, dgFile?.readable ? dgFile : null) };
     }
     finally {
         rmSync(dir, { recursive: true, force: true });
@@ -144,11 +156,13 @@ function notARepoResult() {
 function outsideRepoResult(targetPath) {
     return { exitCode: EXIT_USAGE_VERDICT, stdout: "", stderr: `dg scan --staged: ${targetPath} is outside this repository.\n` };
 }
-export function decideStagedVerdict(report, env = process.env, hook = false) {
+export function decideStagedVerdict(report, env = process.env, hook = false, decisionContext) {
     const theme = createTheme(resolvePresentation().color);
     const action = report.scanner?.action ?? report.status;
     const config = loadUserConfig(env);
     const count = report.summary.dependencyCount;
+    const effective = config.policy.mode === "strict" ? action : report.decisions?.effectiveAction ?? action;
+    const acknowledgedCount = report.decisions?.acknowledgedCount ?? 0;
     if (action === "block") {
         return { exitCode: 2, stdout: "", stderr: renderBlock(report.findings, theme) };
     }
@@ -156,17 +170,61 @@ export function decideStagedVerdict(report, env = process.env, hook = false) {
         return scannerUnavailable(theme);
     }
     if (action === "warn") {
-        return decideWarn(report.findings, theme, config.gitHook.onWarn, config.policy.mode, hook);
+        if (acknowledgedCount > 0 && effective === "pass") {
+            return {
+                exitCode: 0,
+                stdout: "",
+                stderr: `  ${theme.paint("pass", "✓")} ${theme.paint("muted", `DG verified ${count} staged package${count === 1 ? "" : "s"} — ${acknowledgedCount} warning${acknowledgedCount === 1 ? "" : "s"} previously accepted (dg.json)`)}\n`
+            };
+        }
+        if (acknowledgedCount > 0 && effective === "analysis_incomplete") {
+            return decideIncomplete(config.gitHook.onIncomplete, theme);
+        }
+        const activeFindings = report.findings.filter((finding) => !finding.acknowledged);
+        return decideWarn(activeFindings, theme, config.gitHook.onWarn, config.policy.mode, hook, stagedRememberOffer(report, decisionContext, env));
     }
     if (action === "analysis_incomplete") {
-        if (config.gitHook.onIncomplete === "block") {
-            return { exitCode: 1, stdout: "", stderr: incompleteNotice(theme, true) };
-        }
-        return { exitCode: 0, stdout: "", stderr: incompleteNotice(theme, false) };
+        return decideIncomplete(config.gitHook.onIncomplete, theme);
     }
     return { exitCode: 0, stdout: "", stderr: `  ${theme.paint("pass", "✓")} ${theme.paint("muted", `DG verified ${count} staged package${count === 1 ? "" : "s"} — clean`)}\n` };
 }
-function decideWarn(findings, theme, onWarn, policyMode, hook) {
+function decideIncomplete(onIncomplete, theme) {
+    if (onIncomplete === "block") {
+        return { exitCode: 1, stdout: "", stderr: incompleteNotice(theme, true) };
+    }
+    return { exitCode: 0, stdout: "", stderr: incompleteNotice(theme, false) };
+}
+export function stagedRememberOffer(report, decisionContext, env) {
+    if (!decisionContext || !report.scanner || !report.decisions) {
+        return undefined;
+    }
+    const annotations = report.decisions.packages;
+    const packages = [];
+    for (const pkg of report.scanner.packages) {
+        if ((pkg.action ?? "pass") !== "warn") {
+            continue;
+        }
+        const annotation = annotations[packageKey(pkg.name, pkg.version)];
+        if (!annotation || annotation.acknowledged) {
+            continue;
+        }
+        packages.push({ ecosystem: annotation.ecosystem, name: pkg.name, version: pkg.version, findings: pkg.findings });
+    }
+    if (packages.length === 0) {
+        return undefined;
+    }
+    return () => {
+        offerRememberSync({
+            file: decisionContext.file,
+            packages,
+            acceptedBy: resolveAcceptedBy(decisionContext.root, env),
+            surface: "guard-commit",
+            env,
+            ...(decisionContext.prompts ? { prompts: decisionContext.prompts } : {})
+        });
+    };
+}
+function decideWarn(findings, theme, onWarn, policyMode, hook, onAccepted) {
     const summary = warnSummary(findings, theme);
     if (onWarn === "allow") {
         return { exitCode: 0, stdout: "", stderr: `${summary}  ${theme.paint("muted", "proceeding (gitHook.onWarn=allow)")}\n` };
@@ -183,6 +241,7 @@ function decideWarn(findings, theme, onWarn, policyMode, hook) {
         return { exitCode: 1, stdout: "", stderr: `${summary}  ${theme.paint("muted", `commit blocked (no terminal; policy ${policyMode}). Use`)} ${theme.paint("accent", "git commit --no-verify")} ${theme.paint("muted", "to override.")}\n` };
     }
     if (answer) {
+        onAccepted?.();
         return { exitCode: 0, stdout: "", stderr: "" };
     }
     return { exitCode: 1, stdout: "", stderr: `  ${theme.paint("muted", "Nothing was committed.")}\n` };

package/dist/scan-ui/LegacyApp.js

@@ -9,7 +9,7 @@ import { ErrorView } from "./components/ErrorView.js";
 import { ProjectSelector } from "./components/ProjectSelector.js";
 import { SetupBanner } from "./components/SetupBanner.js";
 import { useTerminalSize } from "./hooks/useTerminalSize.js";
-import { scanExitCode } from "./shims.js";
+import { effectiveScanAction, scanExitCode } from "./shims.js";
 import { leaveTui, showCursor, tuiIsActive } from "./alt-screen.js";
 import { formatResetDate } from "../install-ui/block-render.js";
 export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialView, updateAvailable }) => {
@@ -27,7 +27,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
     useEffect(() => () => leaveAltScreen(), [leaveAltScreen]);
     const handleResultsExit = useCallback(() => {
         if (state.phase === "results") {
-            process.exitCode = scanExitCode(state.result.action, config.mode);
+            process.exitCode = scanExitCode(effectiveScanAction(state.result.action, state.decisions?.effectiveAction, config.mode), config.mode);
         }
         leaveAltScreen();
         exit();
@@ -62,7 +62,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
         // not only when the user dismisses the view — a piped/killed/non-TTY exit
         // must still carry the right code (an unverified scan is never a silent 0).
         if (state.phase === "results") {
-            process.exitCode = scanExitCode(state.result.action, config.mode);
+            process.exitCode = scanExitCode(effectiveScanAction(state.result.action, state.decisions?.effectiveAction, config.mode), config.mode);
         }
     }, [state, config, exitWithMessage]);
     useInput((input, key) => {
@@ -97,7 +97,7 @@ export const App = ({ config, userStatus, scanUsage, setupIssues = [], initialVi
                         ? `batch ${state.batchIndex}/${state.batchCount}`
                         : undefined }));
             case "results":
-                return (_jsx(InteractiveResultsView, { result: state.result, config: config, durationMs: state.durationMs, onExit: handleResultsExit, onBack: restartSelection ?? undefined, discoveredTotal: state.discoveredTotal, userStatus: userStatus, scanUsage: scanUsage, initialView: initialView }));
+                return (_jsx(InteractiveResultsView, { result: state.result, config: config, durationMs: state.durationMs, onExit: handleResultsExit, onBack: restartSelection ?? undefined, discoveredTotal: state.discoveredTotal, userStatus: userStatus, scanUsage: scanUsage, initialView: initialView, decisions: state.decisions }));
             case "empty":
                 return _jsx(Text, { dimColor: true, children: state.message });
             case "error":

package/dist/scan-ui/components/InteractiveResultsView.js

@@ -5,11 +5,14 @@ import chalk from "chalk";
 import { writeFileSync } from "node:fs";
 import { resolve as resolvePath } from "node:path";
 import { isLoggedIn } from "../shims.js";
+import { packageKey } from "../../decisions/apply.js";
 import { ScoreHeader, COMPACT_ROWS } from "./ScoreHeader.js";
 import { useExpandAnimation } from "../hooks/useExpandAnimation.js";
 import { useTerminalSize } from "../hooks/useTerminalSize.js";
 import { clearScreen } from "../alt-screen.js";
 import { pad, truncate, groupPackages as sharedGroupPackages, formatUsage } from "../format-helpers.js";
+import { provenanceLabel, provenanceDowngradeLine } from "../../presentation/provenance.js";
+const ACK_PREVIEW_LIMIT = 3;
 function groupPackages(packages) {
     return sharedGroupPackages(packages, "fingerprint");
 }
@@ -50,6 +53,19 @@ export function packageBadge(pkg) {
         return { label: "Unverified", color: chalk.yellow };
     return actionBadge(pkg.action);
 }
+export function provenanceMarker(pkg) {
+    const prov = pkg.provenance;
+    if (!prov)
+        return "  ";
+    if (prov.downgrade)
+        return chalk.yellow("◇ ");
+    if (prov.status === "attested")
+        return chalk.dim("◆ ");
+    return "  ";
+}
+function packageDowngradeLine(pkg) {
+    return pkg.provenance ? provenanceDowngradeLine(pkg.version, pkg.provenance) : null;
+}
 const EVIDENCE_LIMIT = 2;
 const BADGE_COL = "Unverified".length + 1;
 // Fixed lines outside the scrollable group area:
@@ -80,6 +96,8 @@ function findingsSummaryHeight(group) {
     let h = 0;
     if (rep.license)
         h += 1;
+    if (packageDowngradeLine(rep))
+        h += 1;
     if (isFree) {
         h += 1;
     }
@@ -140,6 +158,14 @@ function buildDetailLines(group, safeVersion, maxWidth) {
         lines.push(_jsxs(Text, { dimColor: true, children: ["Score: ", rep.score, "/100"] }, "score-info"));
         lines.push(_jsx(Text, { children: "" }, "score-gap"));
     }
+    if (rep.provenance) {
+        lines.push(_jsxs(Text, { dimColor: true, children: ["Provenance: ", provenanceLabel(rep.provenance)] }, "provenance"));
+        const downgrade = packageDowngradeLine(rep);
+        if (downgrade) {
+            lines.push(_jsx(Text, { wrap: "truncate-end", children: chalk.yellow(downgrade) }, "provenance-downgrade"));
+        }
+        lines.push(_jsx(Text, { children: "" }, "provenance-gap"));
+    }
     if (visibleFindings.length > 0) {
         for (let i = 0; i < visibleFindings.length; i++) {
             const f = visibleFindings[i];
@@ -194,7 +220,7 @@ function viewReducer(_state, action) {
             return { ..._state, expandedKey: action.expandedKey, expandLevel: action.expandLevel, viewport: action.viewport };
     }
 }
-export const InteractiveResultsView = ({ result, config: _config, durationMs, onExit, onBack, discoveredTotal, userStatus, scanUsage: scanUsageProp, initialView, }) => {
+export const InteractiveResultsView = ({ result, config: _config, durationMs, onExit, onBack, discoveredTotal, userStatus, scanUsage: scanUsageProp, initialView, decisions, }) => {
     // Prefer the server's uniform usage block ("used / limit packages this
     // month"); fall back to the legacy freeScansRemaining field, then to the
     // generic placeholder from bin.ts. usageNearLimit drives the yellow + nudge.
@@ -212,7 +238,20 @@ export const InteractiveResultsView = ({ result, config: _config, durationMs, on
     const clean = useMemo(() => result.packages.filter((p) => (p.action ?? "pass") === "pass"), [result.packages]);
     const total = result.packages.length;
     const [searchQuery, setSearchQuery] = useState("");
-    const allGroups = useMemo(() => groupPackages(flagged), [flagged]);
+    const ackByKey = useMemo(() => {
+        const map = new Map();
+        if (decisions) {
+            for (const [key, annotation] of Object.entries(decisions.packages)) {
+                if (annotation.acknowledged)
+                    map.set(key, annotation.acknowledged);
+            }
+        }
+        return map;
+    }, [decisions]);
+    const activeFlagged = useMemo(() => flagged.filter((p) => !ackByKey.has(packageKey(p.name, p.version))), [flagged, ackByKey]);
+    const acked = useMemo(() => flagged.filter((p) => ackByKey.has(packageKey(p.name, p.version))), [flagged, ackByKey]);
+    const ackGroups = useMemo(() => groupPackages(acked), [acked]);
+    const allGroups = useMemo(() => groupPackages(activeFlagged), [activeFlagged]);
     const groups = useMemo(() => {
         if (!searchQuery)
             return allGroups;
@@ -223,13 +262,18 @@ export const InteractiveResultsView = ({ result, config: _config, durationMs, on
             if (members.length > 0)
                 matched.push({ packages: members, key: g.key });
         }
+        for (const p of acked) {
+            if (p.name.toLowerCase().includes(q)) {
+                matched.push({ packages: [p], key: `ack|${p.name}@${p.version ?? ""}` });
+            }
+        }
         for (const p of clean) {
             if (p.name.toLowerCase().includes(q)) {
                 matched.push({ packages: [p], key: `pass|${p.name}@${p.version ?? ""}` });
             }
         }
         return matched;
-    }, [allGroups, clean, searchQuery]);
+    }, [allGroups, acked, clean, searchQuery]);
     const matchCount = useMemo(() => groups.reduce((n, g) => n + g.packages.length, 0), [groups]);
     const [view, dispatchView] = useReducer(viewReducer, {
         cursor: 0,
@@ -619,7 +663,10 @@ export const InteractiveResultsView = ({ result, config: _config, durationMs, on
     searchModeRef.current = searchMode;
     const { rows: termRows, cols: termCols } = useTerminalSize();
     const compact = termRows < COMPACT_ROWS;
-    const availableRows = Math.max(5, termRows - (compact ? FIXED_CHROME_COMPACT : FIXED_CHROME));
+    const ackSectionLines = acked.length > 0
+        ? 2 + Math.min(ackGroups.length, ACK_PREVIEW_LIMIT) + (ackGroups.length > ACK_PREVIEW_LIMIT ? 1 : 0)
+        : 0;
+    const availableRows = Math.max(5, termRows - (compact ? FIXED_CHROME_COMPACT : FIXED_CHROME) - ackSectionLines);
     const innerWidth = Math.max(40, termCols - 6);
     const detailGroup = useMemo(() => {
         if (!detailPane)
@@ -1014,7 +1061,7 @@ export const InteractiveResultsView = ({ result, config: _config, durationMs, on
     const aboveCount = view.viewport;
     const belowCount = groups.length - visibleEnd;
     const lcCol = 16; // fixed width for license column
-    const nameCol = Math.max(20, innerWidth - BADGE_COL - 14 - lcCol);
+    const nameCol = Math.max(20, innerWidth - BADGE_COL - 16 - lcCol);
     // Clamp cursor to valid range (groups may shrink via search filter)
     const clampedCursor = groups.length > 0 ? Math.min(view.cursor, groups.length - 1) : 0;
     // ── Export menu overlay ──
@@ -1156,8 +1203,14 @@ export const InteractiveResultsView = ({ result, config: _config, durationMs, on
                                         : (lcInfo.riskCategory === "no-license" || lcInfo.riskCategory === "unlicensed" || lcInfo.riskCategory === "network-copyleft") ? chalk.red
                                             : chalk.yellow;
                                 const arrow = level === "summary" ? "\u25BE" : "\u25B8"; // ▾ expanded, ▸ collapsed
-                                return (_jsxs(Box, { flexDirection: "column", children: [isCursor ? (_jsxs(Text, { backgroundColor: "#1a1a2e", wrap: "truncate-end", children: [chalk.cyan("\u258C"), " ", chalk.cyan(arrow), " ", ` `, color(pad(label, BADGE_COL)), chalk.bold(pad(truncate(names, nameCol - 2), nameCol)), lcColor(pad(lcStr, lcCol)), color(scoreStr.padStart(3)), "  "] })) : (_jsxs(Text, { wrap: "truncate-end", children: [`  ${chalk.dim(arrow)}  `, color(pad(label, BADGE_COL)), pad(truncate(names, nameCol - 2), nameCol), lcColor(pad(lcStr, lcCol)), color(scoreStr.padStart(3))] })), level === "summary" && (_jsx(FindingsSummary, { group: group, maxWidth: innerWidth - 8, maxLines: group.key === view.expandedKey ? animVisibleLines : undefined }))] }, group.key));
-                            }), belowCount > 0 && (_jsxs(Text, { dimColor: true, children: [chalk.cyan(" \u2193"), " ", belowCount, " more below"] }))] })] })), searchQuery && groups.length === 0 && (_jsx(Text, { dimColor: true, children: `  No packages match "${searchQuery}"` })), !compact && _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), _jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: [discoveredTotal !== undefined && discoveredTotal > total && (_jsxs(Text, { dimColor: true, children: ["Scanned ", total, " of ", discoveredTotal, " packages"] })), _jsxs(Box, { justifyContent: "space-between", children: [clean.length > 0 ? (_jsxs(Text, { wrap: "truncate-end", children: [chalk.green("\u2713"), " ", chalk.green.bold(String(clean.length)), " ", chalk.dim(`package${clean.length !== 1 ? "s" : ""} passed`), " ", chalk.dim(`\u00b7 ${(durationMs / 1000).toFixed(1)}s`)] })) : (_jsxs(Text, { dimColor: true, children: [(durationMs / 1000).toFixed(1), "s"] })), result.freeScansRemaining !== undefined && (_jsx(Text, { dimColor: true, children: "Free tier \u00B7 dg login for higher scan limits" }))] })] }), !compact && _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), searchMode ? (_jsxs(Text, { wrap: "truncate-end", children: [" ", chalk.bold.cyan("/"), " ", searchQuery, chalk.cyan("\u2588"), "   ", chalk.dim("Esc clear")] })) : exportMsg ? (_jsxs(Text, { wrap: "truncate-end", children: [" ", chalk.green(exportMsg)] })) : searchQuery ? (_jsxs(Text, { wrap: "truncate-end", children: [" ", chalk.bold.cyan("/"), " ", searchQuery, "   ", chalk.dim(`${matchCount} of ${total} packages`), "   ", chalk.bold.cyan("Esc"), " ", chalk.dim("clear"), "   ", chalk.bold.cyan("q"), " ", chalk.dim("quit")] })) : (_jsxs(Text, { wrap: "truncate-end", children: [" ", groups.length > 0 && (_jsxs(_Fragment, { children: [chalk.bold.cyan("\u2191\u2193"), " ", chalk.dim("navigate"), "   ", chalk.bold.cyan("\u23CE"), " ", chalk.dim("expand"), "   "] })), total > 0 && (_jsxs(_Fragment, { children: [chalk.bold.cyan("/"), " ", chalk.dim("search"), "   "] })), chalk.bold.cyan("l"), " ", chalk.dim("licenses"), "   ", chalk.bold.cyan("e"), " ", chalk.dim("export"), "   ", onBack && _jsxs(_Fragment, { children: [chalk.bold.cyan("Esc"), " ", chalk.dim("back"), "   "] }), chalk.bold.cyan("q"), " ", chalk.dim("quit")] }))] }));
+                                return (_jsxs(Box, { flexDirection: "column", children: [isCursor ? (_jsxs(Text, { backgroundColor: "#1a1a2e", wrap: "truncate-end", children: [chalk.cyan("\u258C"), " ", chalk.cyan(arrow), " ", ` `, color(pad(label, BADGE_COL)), chalk.bold(pad(truncate(names, nameCol - 2), nameCol)), provenanceMarker(rep), lcColor(pad(lcStr, lcCol)), color(scoreStr.padStart(3)), "  "] })) : (_jsxs(Text, { wrap: "truncate-end", children: [`  ${chalk.dim(arrow)}  `, color(pad(label, BADGE_COL)), pad(truncate(names, nameCol - 2), nameCol), provenanceMarker(rep), lcColor(pad(lcStr, lcCol)), color(scoreStr.padStart(3))] })), level === "summary" && (_jsx(FindingsSummary, { group: group, maxWidth: innerWidth - 8, maxLines: group.key === view.expandedKey ? animVisibleLines : undefined }))] }, group.key));
+                            }), belowCount > 0 && (_jsxs(Text, { dimColor: true, children: [chalk.cyan(" \u2193"), " ", belowCount, " more below"] }))] })] })), searchQuery && groups.length === 0 && (_jsx(Text, { dimColor: true, children: `  No packages match "${searchQuery}"` })), acked.length > 0 && !searchQuery && (_jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: [_jsxs(Text, { bold: true, dimColor: true, children: ["Acknowledged (", acked.length, ") \\u00b7 dg.json"] }), ackGroups.slice(0, ACK_PREVIEW_LIMIT).map((group) => {
+                        const rep = firstPackage(group);
+                        const ack = ackByKey.get(packageKey(rep.name, rep.version));
+                        const who = ack?.by ?? "unknown";
+                        const when = ack?.at ? ` on ${ack.at.slice(0, 10)}` : "";
+                        return (_jsxs(Text, { dimColor: true, wrap: "truncate-end", children: ["  ", chalk.yellow("\u25b8"), " ", groupNames(group), "  ", chalk.dim(`accepted by ${who}${when}`)] }, `ack-${group.key}`));
+                    }), ackGroups.length > ACK_PREVIEW_LIMIT && (_jsx(Text, { dimColor: true, children: `  +${ackGroups.length - ACK_PREVIEW_LIMIT} more \u2014 dg decisions` }))] })), !compact && _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), _jsxs(Box, { flexDirection: "column", paddingLeft: 1, paddingRight: 1, width: "100%", children: [discoveredTotal !== undefined && discoveredTotal > total && (_jsxs(Text, { dimColor: true, children: ["Scanned ", total, " of ", discoveredTotal, " packages"] })), acked.length > 0 && (_jsxs(Text, { wrap: "truncate-end", children: [chalk.yellow("\u26a0"), " ", chalk.yellow(String(acked.length)), " ", chalk.dim(`acknowledged warn${acked.length !== 1 ? "s" : ""} \u00b7 dg.json \u00b7 review with 'dg decisions'`)] })), _jsxs(Box, { justifyContent: "space-between", children: [clean.length > 0 ? (_jsxs(Text, { wrap: "truncate-end", children: [chalk.green("\u2713"), " ", chalk.green.bold(String(clean.length)), " ", chalk.dim(`package${clean.length !== 1 ? "s" : ""} passed`), " ", chalk.dim(`\u00b7 ${(durationMs / 1000).toFixed(1)}s`)] })) : (_jsxs(Text, { dimColor: true, children: [(durationMs / 1000).toFixed(1), "s"] })), result.freeScansRemaining !== undefined && (_jsx(Text, { dimColor: true, children: "Free tier \u00B7 dg login for higher scan limits" }))] })] }), !compact && _jsx(Text, { dimColor: true, children: chalk.dim("\u2500".repeat(Math.max(20, termCols - 4))) }), searchMode ? (_jsxs(Text, { wrap: "truncate-end", children: [" ", chalk.bold.cyan("/"), " ", searchQuery, chalk.cyan("\u2588"), "   ", chalk.dim("Esc clear")] })) : exportMsg ? (_jsxs(Text, { wrap: "truncate-end", children: [" ", chalk.green(exportMsg)] })) : searchQuery ? (_jsxs(Text, { wrap: "truncate-end", children: [" ", chalk.bold.cyan("/"), " ", searchQuery, "   ", chalk.dim(`${matchCount} of ${total} packages`), "   ", chalk.bold.cyan("Esc"), " ", chalk.dim("clear"), "   ", chalk.bold.cyan("q"), " ", chalk.dim("quit")] })) : (_jsxs(Text, { wrap: "truncate-end", children: [" ", groups.length > 0 && (_jsxs(_Fragment, { children: [chalk.bold.cyan("\u2191\u2193"), " ", chalk.dim("navigate"), "   ", chalk.bold.cyan("\u23CE"), " ", chalk.dim("expand"), "   "] })), total > 0 && (_jsxs(_Fragment, { children: [chalk.bold.cyan("/"), " ", chalk.dim("search"), "   "] })), chalk.bold.cyan("l"), " ", chalk.dim("licenses"), "   ", chalk.bold.cyan("e"), " ", chalk.dim("export"), "   ", onBack && _jsxs(_Fragment, { children: [chalk.bold.cyan("Esc"), " ", chalk.dim("back"), "   "] }), chalk.bold.cyan("q"), " ", chalk.dim("quit")] }))] }));
 };
 const T = {
     branch: chalk.dim("\u251C\u2500\u2500"),
@@ -1197,6 +1250,10 @@ const FindingsSummary = ({ group, maxWidth, maxLines }) => {
     const lcLine = licenseLine(rep);
     if (lcLine)
         allLines.push(lcLine);
+    const downgrade = packageDowngradeLine(rep);
+    if (downgrade) {
+        allLines.push(_jsxs(Text, { wrap: "truncate-end", children: [T.branch, " ", chalk.yellow(downgrade)] }, "provenance-downgrade"));
+    }
     // Render findings — API returns tier-gated data:
     //   Free: { category, severity } — don't show raw IDs, just upgrade prompt
     //   Pro:  { category, severity, title } — show category + title

package/dist/scan-ui/hooks/useScan.js

@@ -1,6 +1,8 @@
 import { randomUUID } from "node:crypto";
 import { useReducer, useEffect, useRef, useCallback, useState } from "react";
 import { analyzePackages, AnalyzeError, mergeAnalyzeResponses } from "../../api/analyze.js";
+import { applyDecisions, packageKey } from "../../decisions/apply.js";
+import { findProjectRoot, loadDgFile } from "../../project/dgfile.js";
 import { collectScanPackages, discoverScanProjectsAsync } from "../../scan/collect.js";
 function reducer(_state, action) {
     switch (action.type) {
@@ -21,7 +23,8 @@ function reducer(_state, action) {
                 result: action.result,
                 durationMs: action.durationMs,
                 skippedCount: action.skippedCount,
-                ...(action.discoveredTotal !== undefined ? { discoveredTotal: action.discoveredTotal } : {})
+                ...(action.discoveredTotal !== undefined ? { discoveredTotal: action.discoveredTotal } : {}),
+                ...(action.decisions !== undefined ? { decisions: action.decisions } : {})
             };
         case "ERROR":
             return { phase: "error", error: action.error };
@@ -79,6 +82,28 @@ export function useScan(config) {
         restartSelection: multiProjects ? restartSelection : null
     };
 }
+function computeProjectDecisions(result, entries) {
+    try {
+        const root = findProjectRoot(process.cwd());
+        if (!root) {
+            return undefined;
+        }
+        const file = loadDgFile(root);
+        if (!file.readable) {
+            return undefined;
+        }
+        const ecosystems = new Map();
+        for (const [ecosystem, packages] of entries) {
+            for (const pkg of packages) {
+                ecosystems.set(packageKey(pkg.name, pkg.version), ecosystem);
+            }
+        }
+        return applyDecisions(result.packages, (pkg) => ecosystems.get(packageKey(pkg.name, pkg.version)), file, result.action);
+    }
+    catch {
+        return undefined;
+    }
+}
 async function scanProjects(projects, dispatch, signal) {
     const startMs = Date.now();
     let skipped = 0;
@@ -134,12 +159,15 @@ async function scanProjects(projects, dispatch, signal) {
         const firstFailure = outcomes.find((outcome) => "error" in outcome);
         if (responses.length > 0) {
             const merged = mergeAnalyzeResponses(responses);
+            const result = firstFailure && merged.action === "pass" ? { ...merged, action: "analysis_incomplete" } : merged;
+            const decisions = computeProjectDecisions(result, entries);
             dispatch({
                 type: "SCAN_COMPLETE",
-                result: firstFailure && merged.action === "pass" ? { ...merged, action: "analysis_incomplete" } : merged,
+                result,
                 durationMs: Date.now() - startMs,
                 skippedCount: skipped,
-                discoveredTotal: total
+                discoveredTotal: total,
+                ...(decisions ? { decisions } : {})
             });
             return;
         }

package/dist/scan-ui/shims.js

@@ -16,6 +16,9 @@ export function getStoredApiKey() {
         return null;
     }
 }
+export function effectiveScanAction(raw, effective, mode) {
+    return mode === "strict" || effective === undefined ? raw : effective;
+}
 export function scanExitCode(action, mode) {
     if (action === "block") {
         return 2;