@westbayberry/dg 2.0.7 → 2.0.10

package/dist/config/settings.js

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
 import { randomUUID } from "node:crypto";
 import { dirname, join } from "node:path";
-import { resolveDgPaths } from "../state/index.js";
+import { acquireLockSyncWithRetry, resolveDgPaths } from "../state/index.js";
 export const CONFIG_KEYS = Object.freeze([
     "api.baseUrl",
     "org.id",
@@ -59,10 +59,12 @@ export function loadUserConfig(env = process.env) {
         return DEFAULT_CONFIG;
     }
     try {
-        const parsed = JSON.parse(readFileSync(path, "utf8"));
-        return normalizeConfig(parsed);
+        return normalizeConfig(JSON.parse(readFileSync(path, "utf8")));
     }
     catch (error) {
+        if (error instanceof ConfigError) {
+            throw new ConfigError(`Invalid dg config at ${path}: ${error.message}`);
+        }
         throw new ConfigError(`Malformed dg config at ${path}: ${error instanceof Error ? error.message : "unknown error"}`);
     }
 }
@@ -70,6 +72,28 @@ export function saveUserConfig(config, env = process.env) {
     const paths = resolveDgPaths(env);
     writeJsonAtomic(userConfigPath(paths), config);
 }
+export const USER_CONFIG_LOCK = "user-config";
+const USER_CONFIG_LOCK_TIMEOUT_MS = 5_000;
+const USER_CONFIG_LOCK_STALE_MS = 60_000;
+export function withUserConfigLock(env, action) {
+    const lock = acquireLockSyncWithRetry(resolveDgPaths(env), USER_CONFIG_LOCK, {
+        staleMs: USER_CONFIG_LOCK_STALE_MS,
+        timeoutMs: USER_CONFIG_LOCK_TIMEOUT_MS
+    });
+    try {
+        return action();
+    }
+    finally {
+        lock.release();
+    }
+}
+export function updateUserConfig(apply, env = process.env) {
+    return withUserConfigLock(env, () => {
+        const next = apply(loadUserConfig(env));
+        saveUserConfig(next, env);
+        return next;
+    });
+}
 export function getConfigValue(config, key) {
     if (key === "api.baseUrl") {
         return config.api.baseUrl;
@@ -166,7 +190,7 @@ export function setConfigValue(config, key, rawValue) {
         return {
             ...config,
             audit: {
-                upload: parseBoolean(rawValue)
+                upload: parseBoolean(rawValue, key)
             }
         };
     }
@@ -174,14 +198,14 @@ export function setConfigValue(config, key, rawValue) {
         return {
             ...config,
             telemetry: {
-                enabled: parseBoolean(rawValue)
+                enabled: parseBoolean(rawValue, key)
             }
         };
     }
     return {
         ...config,
         webhooks: {
-            enabled: parseBoolean(rawValue)
+            enabled: parseBoolean(rawValue, key)
         }
     };
 }
@@ -192,38 +216,93 @@ export function isConfigKey(value) {
     return CONFIG_KEYS.includes(value);
 }
 function normalizeConfig(raw) {
+    if (!isPlainObject(raw)) {
+        throw new ConfigError(`config must be a JSON object, got ${describeJsonType(raw)}`);
+    }
     if (raw.version !== undefined && raw.version !== 1) {
         throw new ConfigError("unsupported config version");
     }
+    const api = fieldObject(raw, "api");
+    const org = fieldObject(raw, "org");
+    const policy = fieldObject(raw, "policy");
+    const gitHook = fieldObject(raw, "gitHook");
+    const audit = fieldObject(raw, "audit");
+    const telemetry = fieldObject(raw, "telemetry");
+    const webhooks = fieldObject(raw, "webhooks");
     return {
         version: 1,
         api: {
-            baseUrl: parseUrl(raw.api?.baseUrl ?? DEFAULT_CONFIG.api.baseUrl)
+            baseUrl: parseUrl(fieldString(api, "api.baseUrl", "baseUrl") ?? DEFAULT_CONFIG.api.baseUrl)
         },
         org: {
-            id: raw.org?.id ?? DEFAULT_CONFIG.org.id
+            id: fieldString(org, "org.id", "id") ?? DEFAULT_CONFIG.org.id
         },
         policy: {
-            mode: parsePolicyMode(raw.policy?.mode ?? DEFAULT_CONFIG.policy.mode),
-            trustProjectAllowlists: raw.policy?.trustProjectAllowlists ?? DEFAULT_CONFIG.policy.trustProjectAllowlists,
-            allowForceOverride: raw.policy?.allowForceOverride ?? DEFAULT_CONFIG.policy.allowForceOverride,
-            scriptHardening: raw.policy?.scriptHardening ?? DEFAULT_CONFIG.policy.scriptHardening
+            mode: parsePolicyMode(fieldString(policy, "policy.mode", "mode") ?? DEFAULT_CONFIG.policy.mode),
+            trustProjectAllowlists: fieldBoolean(policy, "policy.trustProjectAllowlists", "trustProjectAllowlists") ?? DEFAULT_CONFIG.policy.trustProjectAllowlists,
+            allowForceOverride: fieldBoolean(policy, "policy.allowForceOverride", "allowForceOverride") ?? DEFAULT_CONFIG.policy.allowForceOverride,
+            scriptHardening: fieldBoolean(policy, "policy.scriptHardening", "scriptHardening") ?? DEFAULT_CONFIG.policy.scriptHardening
         },
         gitHook: {
-            onWarn: parseOnWarn(raw.gitHook?.onWarn ?? DEFAULT_CONFIG.gitHook.onWarn),
-            onIncomplete: parseOnIncomplete(raw.gitHook?.onIncomplete ?? DEFAULT_CONFIG.gitHook.onIncomplete)
+            onWarn: parseOnWarn(fieldString(gitHook, "gitHook.onWarn", "onWarn") ?? DEFAULT_CONFIG.gitHook.onWarn),
+            onIncomplete: parseOnIncomplete(fieldString(gitHook, "gitHook.onIncomplete", "onIncomplete") ?? DEFAULT_CONFIG.gitHook.onIncomplete)
         },
         audit: {
-            upload: raw.audit?.upload ?? DEFAULT_CONFIG.audit.upload
+            upload: fieldBoolean(audit, "audit.upload", "upload") ?? DEFAULT_CONFIG.audit.upload
         },
         telemetry: {
-            enabled: raw.telemetry?.enabled ?? DEFAULT_CONFIG.telemetry.enabled
+            enabled: fieldBoolean(telemetry, "telemetry.enabled", "enabled") ?? DEFAULT_CONFIG.telemetry.enabled
         },
         webhooks: {
-            enabled: raw.webhooks?.enabled ?? DEFAULT_CONFIG.webhooks.enabled
+            enabled: fieldBoolean(webhooks, "webhooks.enabled", "enabled") ?? DEFAULT_CONFIG.webhooks.enabled
         }
     };
 }
+function fieldObject(root, field) {
+    const value = root[field];
+    if (value === undefined) {
+        return {};
+    }
+    if (!isPlainObject(value)) {
+        throw new ConfigError(`${field} must be a JSON object, got ${describeJsonType(value)}`);
+    }
+    return value;
+}
+function fieldBoolean(section, field, key) {
+    const value = section[key];
+    if (value === undefined) {
+        return undefined;
+    }
+    if (typeof value === "boolean") {
+        return value;
+    }
+    throw new ConfigError(`${field} must be a JSON boolean (true or false), got ${describeJsonType(value)}`);
+}
+function fieldString(section, field, key) {
+    const value = section[key];
+    if (value === undefined) {
+        return undefined;
+    }
+    if (typeof value === "string") {
+        return value;
+    }
+    throw new ConfigError(`${field} must be a string, got ${describeJsonType(value)}`);
+}
+function isPlainObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function describeJsonType(value) {
+    if (value === null) {
+        return "null";
+    }
+    if (Array.isArray(value)) {
+        return "an array";
+    }
+    if (typeof value === "string") {
+        return `the string "${value.length > 32 ? `${value.slice(0, 32)}…` : value}"`;
+    }
+    return `a ${typeof value}`;
+}
 function withPolicyBoolean(config, key, rawValue) {
     if (key === "mode") {
         return config;
@@ -232,7 +311,7 @@ function withPolicyBoolean(config, key, rawValue) {
         ...config,
         policy: {
             ...config.policy,
-            [key]: parseBoolean(rawValue)
+            [key]: parseBoolean(rawValue, `policy.${key}`)
         }
     };
 }
@@ -254,21 +333,22 @@ function parseOnIncomplete(value) {
     }
     throw new ConfigError("gitHook.onIncomplete must be one of: allow, block");
 }
-function parseBoolean(value) {
+function parseBoolean(value, field) {
     if (value === "true") {
         return true;
     }
     if (value === "false") {
         return false;
     }
-    throw new ConfigError("boolean config values must be true or false");
+    throw new ConfigError(`${field} must be true or false`);
 }
 function parseUrl(value) {
     const trimmed = value.trim();
     try {
         const url = new URL(trimmed);
-        if (url.protocol !== "https:" && url.hostname !== "localhost" && url.hostname !== "127.0.0.1") {
-            throw new ConfigError("api.baseUrl must use https unless it targets localhost");
+        const localhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+        if (url.protocol !== "https:" && !(url.protocol === "http:" && localhost)) {
+            throw new ConfigError("api.baseUrl must use https, or http for localhost");
         }
         return url.toString().replace(/\/$/, "");
     }

package/dist/install-ui/prompt.js

@@ -6,16 +6,19 @@ export function defaultPromptIo() {
         isTTY: Boolean(process.stdin.isTTY && process.stderr.isTTY)
     };
 }
-export async function promptYesNo(question, io) {
+export async function promptYesNo(question, io, defaultYes = false) {
     if (!io.isTTY) {
         return false;
     }
     const rl = createInterface({ input: io.input, output: io.output });
     try {
         const answer = await new Promise((resolve) => {
-            rl.question(`${question} [y/N] `, resolve);
+            rl.question(`${question} ${defaultYes ? "[Y/n]" : "[y/N]"} `, resolve);
         });
         const normalized = answer.trim().toLowerCase();
+        if (normalized === "") {
+            return defaultYes;
+        }
         return normalized === "y" || normalized === "yes";
     }
     finally {

package/dist/launcher/install-preflight.js

@@ -0,0 +1,158 @@
+import { spawn } from "node:child_process";
+import { createInterface } from "node:readline";
+import { analyzePackages } from "../api/analyze.js";
+import { defaultPromptIo } from "../install-ui/prompt.js";
+import { parsePipReportInstallCount, parsePipReportInstallSet } from "./pip-report.js";
+const PROCEED = { proceed: true };
+const UNRESOLVED = { set: undefined, count: undefined };
+const approvedFlagRanks = new Map();
+const pipResolutions = new Map();
+export function resetInstallPreflightSession() {
+    approvedFlagRanks.clear();
+    pipResolutions.clear();
+}
+export function actionRank(action) {
+    return { pass: 0, analysis_incomplete: 1, warn: 2, block: 3 }[action];
+}
+export function recordPreflightApprovals(packages) {
+    for (const pkg of packages) {
+        const key = `${pkg.name}@${pkg.version}`;
+        const rank = actionRank(pkg.action);
+        if ((approvedFlagRanks.get(key) ?? -1) < rank) {
+            approvedFlagRanks.set(key, rank);
+        }
+    }
+}
+function isPreflightApproved(pkg) {
+    return (approvedFlagRanks.get(`${pkg.name}@${pkg.version}`) ?? -1) >= actionRank(pkg.action);
+}
+export function cachedPipResolution(binary, args) {
+    return pipResolutions.get(pipResolutionKey(binary, args));
+}
+function pipResolutionKey(binary, args) {
+    return JSON.stringify([binary, ...args]);
+}
+function resolvePipInstallSet(binary, args, env) {
+    if (!binary)
+        return Promise.resolve(UNRESOLVED);
+    return new Promise((resolve) => {
+        let stdout = "";
+        let settled = false;
+        let timer;
+        const finish = (value) => {
+            if (settled)
+                return;
+            settled = true;
+            if (timer)
+                clearTimeout(timer);
+            resolve(value);
+        };
+        let child;
+        try {
+            child = spawn(binary, [...args, "--dry-run", "--report", "-", "--quiet"], {
+                env,
+                stdio: ["ignore", "pipe", "ignore"]
+            });
+        }
+        catch {
+            finish(UNRESOLVED);
+            return;
+        }
+        timer = setTimeout(() => {
+            try {
+                child.kill();
+            }
+            catch { /* already exited */ }
+            finish(UNRESOLVED);
+        }, 30_000);
+        child.stdout?.on("data", (chunk) => { stdout += chunk.toString("utf8"); });
+        child.on("error", () => finish(UNRESOLVED));
+        child.on("close", (code) => finish(code === 0
+            ? { set: parsePipReportInstallSet(stdout), count: parsePipReportInstallCount(stdout) }
+            : UNRESOLVED));
+    });
+}
+function findingSummary(pkg) {
+    return pkg.reasons[0] ?? pkg.findings[0]?.title ?? pkg.findings[0]?.id ?? "flagged";
+}
+function renderPreflight(flagged, out) {
+    const blocks = flagged.filter((pkg) => pkg.action === "block").length;
+    const noun = flagged.length === 1 ? "package" : "packages";
+    const tail = blocks > 0 ? ` (${blocks} blocked)` : "";
+    out.write(`\n  DG flagged ${flagged.length} ${noun} before install${tail}:\n`);
+    for (const pkg of flagged) {
+        const tag = pkg.action === "block" ? "block" : "warn";
+        out.write(`    ${pkg.name}@${pkg.version}   ${tag}   ${findingSummary(pkg)}\n`);
+    }
+    out.write("\n");
+}
+export async function runInstallPreflight(manager, binary, childArgs, env) {
+    if (manager !== "pip" || !binary) {
+        return PROCEED;
+    }
+    const key = pipResolutionKey(binary, childArgs);
+    let resolution = pipResolutions.get(key);
+    if (!resolution) {
+        resolution = await resolvePipInstallSet(binary, childArgs, env);
+        pipResolutions.set(key, resolution);
+    }
+    const set = resolution.set;
+    if (!set || set.length === 0) {
+        return PROCEED;
+    }
+    let verdicts;
+    try {
+        verdicts = await analyzePackages(set.map((pkg) => ({ name: pkg.name, version: pkg.version })), { ecosystem: "pypi", env });
+    }
+    catch {
+        return PROCEED;
+    }
+    return decideFromVerdicts(verdicts.packages, defaultPromptIo());
+}
+export async function decideFromVerdicts(packages, io) {
+    const flagged = packages.filter((pkg) => (pkg.action === "warn" || pkg.action === "block") && !isPreflightApproved({ name: pkg.name, version: pkg.version, action: pkg.action }));
+    if (flagged.length === 0 || !io.isTTY) {
+        return PROCEED;
+    }
+    renderPreflight(flagged, io.output);
+    const hasBlock = flagged.some((pkg) => pkg.action === "block");
+    const accepted = await promptPreflightYesNo(hasBlock ? "  Override and install anyway?" : "  Proceed?", io, false);
+    if (!accepted) {
+        return { proceed: false };
+    }
+    recordPreflightApprovals(flagged.map((pkg) => ({ name: pkg.name, version: pkg.version, action: pkg.action ?? "warn" })));
+    return hasBlock ? { proceed: true, forceOverride: { force: true } } : PROCEED;
+}
+export async function promptPreflightYesNo(question, io, defaultYes) {
+    if (!io.isTTY) {
+        return false;
+    }
+    const rl = createInterface({ input: io.input, output: io.output });
+    try {
+        const answer = await new Promise((resolve) => {
+            rl.once("SIGINT", () => resolve(undefined));
+            rl.question(`${question} ${defaultYes ? "[Y/n]" : "[y/N]"} `, resolve);
+        });
+        if (answer === undefined) {
+            rl.close();
+            restoreRawInput(io.input);
+            io.output.write("\n");
+            process.exit(130);
+        }
+        const normalized = answer.trim().toLowerCase();
+        if (normalized === "") {
+            return defaultYes;
+        }
+        return normalized === "y" || normalized === "yes";
+    }
+    finally {
+        rl.close();
+        restoreRawInput(io.input);
+    }
+}
+function restoreRawInput(input) {
+    const stream = input;
+    if (stream.isTTY && typeof stream.setRawMode === "function") {
+        stream.setRawMode(false);
+    }
+}

package/dist/launcher/live-install.js

@@ -1,4 +1,5 @@
-import { createLaunchPlan, runWithProductionProxyLive } from "./run.js";
+import { createLaunchPlan, runWithProductionProxyLive, EXIT_INSTALL_BLOCKED } from "./run.js";
+import { runInstallPreflight } from "./install-preflight.js";
 import { isSupportedPackageManager } from "./classify.js";
 import { isCiEnv, resolvePresentation } from "../presentation/mode.js";
 const FALL_THROUGH = { handled: false };
@@ -16,9 +17,17 @@ export async function maybeRunLiveInstall(args, options = {}) {
     if (plan.classification.kind !== "protected" || !plan.realBinary.path) {
         return FALL_THROUGH;
     }
+    let effectiveOverride = forceOverride;
+    if (!forceOverride) {
+        const preflight = await runInstallPreflight(manager, plan.realBinary.path, childArgs, env);
+        if (!preflight.proceed) {
+            return { handled: true, result: { exitCode: EXIT_INSTALL_BLOCKED, stdout: "", stderr: "  Install cancelled.\n" } };
+        }
+        effectiveOverride = preflight.forceOverride;
+    }
     const runOptions = {
         env,
-        ...(forceOverride ? { forceOverride } : {})
+        ...(effectiveOverride ? { forceOverride: effectiveOverride } : {})
     };
     const { renderLiveInstall } = await import("../install-ui/live-install-app.js");
     try {

package/dist/launcher/output-redaction.js

@@ -1,21 +1,23 @@
 const credentialUrlPattern = /\b([a-z][a-z0-9+.-]{0,31}:\/\/)([^/\s:@]+):([^/\s@]+)@/gi;
 const authHeaderPattern = /\b(proxy-authorization|authorization):\s*[^\r\n]+/gi;
-const tokenAssignmentPattern = /\b((?:npm_|pypi_|dg_)?(?:token|authToken|password|secret))=([^\s]+)/gi;
+const tokenAssignmentPattern = /(?<![A-Za-z0-9])([A-Za-z0-9_-]*(?:secret[_-]key|access[_-]key|api[_-]key|token|password|secret))=([^\s]+)/gi;
 const npmrcAuthPattern = /(_authToken|_auth|_password)\s*=\s*("[^"]*"|[^\s;,]+)/gi;
+const jsonSecretPattern = /("[A-Za-z0-9_.$-]*(?:secret[_-]key|access[_-]key|api[_-]key|token|password|secret)"\s*:\s*)"(?:[^"\\]|\\.)*"/gi;
 const bearerPattern = /\bBearer\s+[A-Za-z0-9._~+/=-]{8,}/g;
-const knownTokenShapePattern = /\b(npm_[A-Za-z0-9]{36}|gh[pousr]_[A-Za-z0-9]{36,255}|pypi-[A-Za-z0-9_-]{20,})\b/g;
+const knownTokenShapePattern = /\b(npm_[A-Za-z0-9]{36}|gh[pousr]_[A-Za-z0-9]{36,255}|pypi-[A-Za-z0-9_-]{20,}|glpat-[A-Za-z0-9_-]{20,}|xox[bp]-[A-Za-z0-9-]{10,})\b/g;
 export function redactSecrets(text) {
     return text
         .replace(credentialUrlPattern, "$1<redacted>@")
         .replace(authHeaderPattern, (_match, header) => `${header}: <redacted>`)
         .replace(npmrcAuthPattern, "$1=<redacted>")
+        .replace(jsonSecretPattern, '$1"<redacted>"')
         .replace(tokenAssignmentPattern, "$1=<redacted>")
         .replace(bearerPattern, "Bearer <redacted>")
         .replace(knownTokenShapePattern, "<redacted>");
 }
 const STREAM_FLUSH_QUIET_MS = 80;
 const SECRET_TAIL_SCAN_CHARS = 80;
-const secretTailPattern = /(Bearer\s+[\w.~+/=-]*|npm_[A-Za-z0-9]*|gh[pousr]_[A-Za-z0-9]*|pypi-[\w-]*|(?:_authToken|_auth|_password|token|authToken|password|secret)=\S*)$/i;
+const secretTailPattern = /(Bearer\s+[\w.~+/=-]*|npm_[A-Za-z0-9]*|gh[pousr]_[A-Za-z0-9]*|pypi-[\w-]*|glpat-[\w-]*|xox[bp]-[\w-]*|[\w-]*(?:_authToken|_auth|_password|secret[_-]key|access[_-]key|api[_-]key|token|password|secret)=\S*|"[\w.$-]*(?:secret[_-]key|access[_-]key|api[_-]key|token|password|secret)"\s*:\s*"?[^"\n]*)$/i;
 export function createStreamRedactor(emit) {
     let pending = "";
     let timer;

package/dist/launcher/pip-report.js

@@ -1,4 +1,4 @@
-export function parsePipReportInstallCount(stdout) {
+function parseInstallArray(stdout) {
     const trimmed = stdout.trim();
     if (!trimmed)
         return undefined;
@@ -10,7 +10,7 @@ export function parsePipReportInstallCount(stdout) {
         try {
             const parsed = JSON.parse(candidate);
             if (Array.isArray(parsed.install)) {
-                return parsed.install.length;
+                return parsed.install;
             }
         }
         catch {
@@ -19,3 +19,19 @@ export function parsePipReportInstallCount(stdout) {
     }
     return undefined;
 }
+export function parsePipReportInstallCount(stdout) {
+    return parseInstallArray(stdout)?.length;
+}
+export function parsePipReportInstallSet(stdout) {
+    const install = parseInstallArray(stdout);
+    if (!install)
+        return undefined;
+    const set = [];
+    for (const entry of install) {
+        const metadata = entry.metadata;
+        if (metadata && typeof metadata.name === "string" && typeof metadata.version === "string") {
+            set.push({ name: metadata.name, version: metadata.version });
+        }
+    }
+    return set;
+}

package/dist/launcher/preflight-prompt.js

@@ -1,9 +1,10 @@
 import { analyzePackages } from "../api/analyze.js";
 import { isCiEnv } from "../presentation/mode.js";
 import { renderInstallDecision } from "../install-ui/block-render.js";
-import { promptYesNo, defaultPromptIo } from "../install-ui/prompt.js";
+import { defaultPromptIo } from "../install-ui/prompt.js";
 import { enforceProtectedInstall } from "../proxy/enforcement.js";
 import { classifyPackageManagerInvocation, isSupportedPackageManager } from "./classify.js";
+import { actionRank, promptPreflightYesNo, recordPreflightApprovals } from "./install-preflight.js";
 import { redactSecrets } from "./output-redaction.js";
 const ECOSYSTEM_BY_MANAGER = {
     npm: "npm",
@@ -37,25 +38,27 @@ export async function maybePreflightInstallPrompt(args, options = {}) {
     if (specs.length === 0) {
         return FALL_THROUGH;
     }
-    let worst;
+    const flagged = [];
     try {
         const response = await (options.analyze ?? analyzePackages)(specs.map((spec) => ({ name: spec.name, version: spec.version })), { ecosystem, env });
         for (const spec of specs) {
             const pkg = response.packages.find((entry) => entry.name === spec.name && entry.version === spec.version);
             const action = pkg?.action ?? "pass";
-            if (!worst || rank(action) > rank(worst.action)) {
-                worst = {
-                    action,
-                    spec,
-                    reason: pkg?.reasons[0] ?? pkg?.findings[0]?.title ?? "flagged by the scanner"
-                };
+            if (action === "pass") {
+                continue;
             }
+            flagged.push({
+                action,
+                spec,
+                reason: pkg?.reasons[0] ?? pkg?.findings[0]?.title ?? "flagged by the scanner"
+            });
         }
     }
     catch {
         return FALL_THROUGH;
     }
-    if (!worst || worst.action === "pass") {
+    const worst = flagged.reduce((top, entry) => (!top || actionRank(entry.action) > actionRank(top.action) ? entry : top), undefined);
+    if (!worst) {
         return FALL_THROUGH;
     }
     if (worst.action === "block") {
@@ -80,8 +83,20 @@ export async function maybePreflightInstallPrompt(args, options = {}) {
         return FALL_THROUGH;
     }
     const label = `${worst.spec.name}@${worst.spec.version}`;
-    const proceed = await promptYesNo(`⚠ DG flagged ${label} (warn) — ${worst.reason}. Proceed?`, io);
+    if (worst.action === "analysis_incomplete") {
+        const proceed = await promptPreflightYesNo(`? DG could not fully analyze ${label} (analysis incomplete) — ${worst.reason}. Proceed?`, io, true);
+        if (proceed) {
+            recordPreflightApprovals(flagged.map(asFlaggedPackage));
+            return FALL_THROUGH;
+        }
+        return {
+            handled: true,
+            result: { exitCode: 4, stdout: "", stderr: "Declined. Nothing was installed.\n" }
+        };
+    }
+    const proceed = await promptPreflightYesNo(`⚠ DG flagged ${label} (warn) — ${worst.reason}. Proceed?`, io, false);
     if (proceed) {
+        recordPreflightApprovals(flagged.map(asFlaggedPackage));
         return FALL_THROUGH;
     }
     return {
@@ -89,8 +104,12 @@ export async function maybePreflightInstallPrompt(args, options = {}) {
         result: { exitCode: 1, stdout: "", stderr: "Declined. Nothing was installed.\n" }
     };
 }
-function rank(action) {
-    return { pass: 0, analysis_incomplete: 1, warn: 2, block: 3 }[action];
+function asFlaggedPackage(entry) {
+    return {
+        name: entry.spec.name,
+        version: entry.spec.version,
+        action: entry.action
+    };
 }
 function stripControlArgs(args) {
     const childArgs = [];