audit-trace 0.1.0

package/dist/core/models.d.ts

@@ -0,0 +1,88 @@
+/** Unified vulnerability after normalizing npm/pnpm/yarn audit output */
+export type Severity = "info" | "low" | "moderate" | "high" | "critical";
+export interface VulnerabilityFinding {
+    id: string;
+    packageName: string;
+    /** Installed version(s) observed in audit if known */
+    versions?: string[];
+    /** Semver range affected per advisory */
+    vulnerableRange?: string;
+    /** Suggested patched range or version if known */
+    patchedRange?: string;
+    severity: Severity;
+    title?: string;
+    url?: string;
+    cveIds?: string[];
+    /** Raw paths from audit e.g. node_refs */
+    nodePaths?: string[];
+}
+export interface DependencyNode {
+    id: string;
+    /** logical path in lockfile / graph id */
+    pathKey: string;
+    name: string;
+    version: string;
+    dev: boolean;
+    optional: boolean;
+    peer: boolean;
+}
+export interface DependencyEdge {
+    from: string;
+    to: string;
+    depType: "dependencies" | "devDependencies" | "optionalDependencies" | "peerDependencies";
+}
+export interface DependencyGraphSnapshot {
+    nodes: Map<string, DependencyNode>;
+    edges: DependencyEdge[];
+    rootIds: string[];
+    lockfileKind: "npm" | "pnpm" | "yarn-classic" | "unknown";
+    /** package name -> node ids (same name may appear multiple times) */
+    byPackageName: Map<string, string[]>;
+}
+export type CiDiagnosticSeverity = "info" | "warn" | "error";
+export interface CiDiagnostic {
+    severity: CiDiagnosticSeverity;
+    /** Stable machine-readable code */
+    code: string;
+    message: string;
+    detail?: string;
+    relatedPackages?: string[];
+    remediationHint?: string;
+    policy?: Record<string, unknown>;
+}
+export interface AuditReport {
+    findings: VulnerabilityFinding[];
+    graph: DependencyGraphSnapshot | null;
+    diagnostics: CiDiagnostic[];
+    remediation: RemediationSuggestion[];
+}
+export interface RemediationSuggestion {
+    kind: "overrides" | "resolutions" | "upgrade";
+    reason: string;
+    targetPackage: string;
+    /** JSON snippet or semver constraint */
+    constraint?: string;
+    /** Example package.json patch */
+    manifestPatch?: Record<string, unknown>;
+}
+export interface WorkspaceInfo {
+    isMonorepo: boolean;
+    rootDir: string;
+    packagePaths: string[];
+    tools: {
+        nx?: boolean;
+        turbo?: boolean;
+        pnpmWorkspace?: boolean;
+        npmWorkspaces?: boolean;
+        yarnWorkspaces?: boolean;
+    };
+}
+export declare const CI_CODES: {
+    readonly FAIL_POLICY: "FAIL_POLICY";
+    readonly FAIL_HIGH_PROD: "FAIL_HIGH_PROD";
+    readonly VULN_FOUND: "VULN_FOUND";
+    readonly AUDIT_SOURCE_FALLBACK: "AUDIT_SOURCE_FALLBACK";
+    readonly NO_LOCKFILE: "NO_LOCKFILE";
+    readonly GRAPH_BUILD_WARN: "GRAPH_BUILD_WARN";
+};
+//# sourceMappingURL=models.d.ts.map

package/dist/core/models.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../src/core/models.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,CAAC;AAEzE,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,sDAAsD;IACtD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,yCAAyC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kDAAkD;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,0CAA0C;IAC1C,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,0CAA0C;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,OAAO,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,cAAc,GAAG,iBAAiB,GAAG,sBAAsB,GAAG,kBAAkB,CAAC;CAC3F;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACnC,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,YAAY,EAAE,KAAK,GAAG,MAAM,GAAG,cAAc,GAAG,SAAS,CAAC;IAC1D,qEAAqE;IACrE,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACtC;AAED,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;AAE7D,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,mCAAmC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,oBAAoB,EAAE,CAAC;IACjC,KAAK,EAAE,uBAAuB,GAAG,IAAI,CAAC;IACtC,WAAW,EAAE,YAAY,EAAE,CAAC;IAC5B,WAAW,EAAE,qBAAqB,EAAE,CAAC;CACtC;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,WAAW,GAAG,aAAa,GAAG,SAAS,CAAC;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,KAAK,EAAE;QAAE,EAAE,CAAC,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAC;QAAC,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,aAAa,CAAC,EAAE,OAAO,CAAC;QAAC,cAAc,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CACtH;AAED,eAAO,MAAM,QAAQ;;;;;;;CAOX,CAAC"}

package/dist/core/models.js

@@ -0,0 +1,9 @@
+export const CI_CODES = {
+    FAIL_POLICY: "FAIL_POLICY",
+    FAIL_HIGH_PROD: "FAIL_HIGH_PROD",
+    VULN_FOUND: "VULN_FOUND",
+    AUDIT_SOURCE_FALLBACK: "AUDIT_SOURCE_FALLBACK",
+    NO_LOCKFILE: "NO_LOCKFILE",
+    GRAPH_BUILD_WARN: "GRAPH_BUILD_WARN",
+};
+//# sourceMappingURL=models.js.map

package/dist/core/models.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.js","sourceRoot":"","sources":["../../src/core/models.ts"],"names":[],"mappings":"AAmFA,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,WAAW,EAAE,aAAa;IAC1B,cAAc,EAAE,gBAAgB;IAChC,UAAU,EAAE,YAAY;IACxB,qBAAqB,EAAE,uBAAuB;IAC9C,WAAW,EAAE,aAAa;IAC1B,gBAAgB,EAAE,kBAAkB;CAC5B,CAAC"}

package/dist/core/ownership/tracer.d.ts

@@ -0,0 +1,16 @@
+import type { DependencyGraphSnapshot, DependencyNode, VulnerabilityFinding } from "../models.js";
+export interface OwnershipPath {
+    findingId: string;
+    packageName: string;
+    severity: VulnerabilityFinding["severity"];
+    nodeId: string;
+    pathNodeIds: string[];
+    topLevelNames: string[];
+    isDevDependency: boolean;
+    isOptional: boolean;
+    isPeer: boolean;
+}
+export declare function matchNodesForFinding(graph: DependencyGraphSnapshot, finding: VulnerabilityFinding): DependencyNode[];
+export declare function traceOwnership(graph: DependencyGraphSnapshot, findings: VulnerabilityFinding[]): OwnershipPath[];
+export declare function duplicatePackageReport(graph: DependencyGraphSnapshot): Map<string, Set<string>>;
+//# sourceMappingURL=tracer.d.ts.map

package/dist/core/ownership/tracer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracer.d.ts","sourceRoot":"","sources":["../../../src/core/ownership/tracer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,uBAAuB,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAGlG,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB,UAAU,EAAE,OAAO,CAAC;IACpB,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,uBAAuB,EAC9B,OAAO,EAAE,oBAAoB,GAC5B,cAAc,EAAE,CAsBlB;AAED,wBAAgB,cAAc,CAC5B,KAAK,EAAE,uBAAuB,EAC9B,QAAQ,EAAE,oBAAoB,EAAE,GAC/B,aAAa,EAAE,CA0BjB;AAcD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,uBAAuB,4BAEpE"}

package/dist/core/ownership/tracer.js

@@ -0,0 +1,65 @@
+import semver from "semver";
+import { buildIndexes, duplicateVersions, shortestPathFromRoots } from "../graph-engine/traverse.js";
+export function matchNodesForFinding(graph, finding) {
+    const names = graph.byPackageName.get(finding.packageName) ?? [];
+    const nodes = names.map((id) => graph.nodes.get(id)).filter(Boolean);
+    const range = finding.vulnerableRange;
+    const filtered = range
+        ? nodes.filter((n) => {
+            try {
+                return semver.satisfies(n.version, range, { includePrerelease: true });
+            }
+            catch {
+                return true;
+            }
+        })
+        : nodes;
+    if (finding.nodePaths?.length) {
+        const pathMatches = nodes.filter((n) => finding.nodePaths.some((p) => n.pathKey === p || p.endsWith(n.pathKey) || n.pathKey.endsWith(p)));
+        if (pathMatches.length)
+            return pathMatches;
+    }
+    return filtered;
+}
+export function traceOwnership(graph, findings) {
+    const indexes = buildIndexes(graph);
+    const out = [];
+    for (const f of findings) {
+        const matched = matchNodesForFinding(graph, f);
+        for (const node of matched) {
+            const sp = shortestPathFromRoots(graph, indexes, node.id);
+            if (!sp || sp.length < 2)
+                continue;
+            const topNode = sp.length >= 2 ? graph.nodes.get(sp[1]) : undefined;
+            const topNames = topNode ? [topNode.name] : [];
+            out.push({
+                findingId: f.id,
+                packageName: f.packageName,
+                severity: f.severity,
+                nodeId: node.id,
+                pathNodeIds: sp,
+                topLevelNames: topNames,
+                isDevDependency: node.dev,
+                isOptional: node.optional,
+                isPeer: node.peer,
+            });
+        }
+    }
+    return dedupeOwnership(out);
+}
+function dedupeOwnership(rows) {
+    const k = new Set();
+    const out = [];
+    for (const r of rows) {
+        const key = `${r.findingId}::${r.nodeId}`;
+        if (k.has(key))
+            continue;
+        k.add(key);
+        out.push(r);
+    }
+    return out;
+}
+export function duplicatePackageReport(graph) {
+    return duplicateVersions(graph);
+}
+//# sourceMappingURL=tracer.js.map

package/dist/core/ownership/tracer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracer.js","sourceRoot":"","sources":["../../../src/core/ownership/tracer.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAcrG,MAAM,UAAU,oBAAoB,CAClC,KAA8B,EAC9B,OAA6B;IAE7B,MAAM,KAAK,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;IACjE,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACtE,MAAM,KAAK,GAAG,OAAO,CAAC,eAAe,CAAC;IACtC,MAAM,QAAQ,GAAG,KAAK;QACpB,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACjB,IAAI,CAAC;gBACH,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,CAAC,CAAC;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC,CAAC;QACJ,CAAC,CAAC,KAAK,CAAC;IAEV,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;QAC9B,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACrC,OAAO,CAAC,SAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAClG,CAAC;QACF,IAAI,WAAW,CAAC,MAAM;YAAE,OAAO,WAAW,CAAC;IAC7C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,KAA8B,EAC9B,QAAgC;IAEhC,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,GAAG,GAAoB,EAAE,CAAC;IAEhC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,oBAAoB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/C,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAS;YACnC,MAAM,OAAO,GAAG,EAAE,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACrE,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/C,GAAG,CAAC,IAAI,CAAC;gBACP,SAAS,EAAE,CAAC,CAAC,EAAE;gBACf,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,WAAW,EAAE,EAAE;gBACf,aAAa,EAAE,QAAQ;gBACvB,eAAe,EAAE,IAAI,CAAC,GAAG;gBACzB,UAAU,EAAE,IAAI,CAAC,QAAQ;gBACzB,MAAM,EAAE,IAAI,CAAC,IAAI;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,eAAe,CAAC,IAAqB;IAC5C,MAAM,CAAC,GAAG,IAAI,GAAG,EAAU,CAAC;IAC5B,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1C,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACzB,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACX,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACd,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,KAA8B;IACnE,OAAO,iBAAiB,CAAC,KAAK,CAAC,CAAC;AAClC,CAAC"}

package/dist/core/remediation-engine/engine.d.ts

@@ -0,0 +1,3 @@
+import type { RemediationSuggestion, VulnerabilityFinding } from "../models.js";
+export declare function suggestRemediation(findings: VulnerabilityFinding[]): RemediationSuggestion[];
+//# sourceMappingURL=engine.d.ts.map

package/dist/core/remediation-engine/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/core/remediation-engine/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAGhF,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,oBAAoB,EAAE,GAAG,qBAAqB,EAAE,CAqB5F"}

package/dist/core/remediation-engine/engine.js

@@ -0,0 +1,42 @@
+import semver from "semver";
+export function suggestRemediation(findings) {
+    const out = [];
+    for (const f of findings) {
+        if (f.patchedRange) {
+            const constraint = coerceConstraint(f.patchedRange);
+            out.push({
+                kind: "overrides",
+                reason: `Advisory suggests patched versions: ${f.patchedRange}`,
+                targetPackage: f.packageName,
+                constraint,
+                manifestPatch: { overrides: { [f.packageName]: constraint } },
+            });
+            continue;
+        }
+        out.push({
+            kind: "upgrade",
+            reason: "No patched range in audit data; upgrade transitive chain or add an override after verifying compatibility.",
+            targetPackage: f.packageName,
+        });
+    }
+    return dedupeRem(out);
+}
+function coerceConstraint(patched) {
+    const first = patched.split(",").map((s) => s.trim()).filter(Boolean)[0];
+    if (!first)
+        return patched;
+    if (semver.validRange(first))
+        return first;
+    const v = semver.coerce(first);
+    return v ? `>=${v.version}` : patched;
+}
+function dedupeRem(s) {
+    const m = new Map();
+    for (const x of s) {
+        const k = `${x.kind}:${x.targetPackage}`;
+        if (!m.has(k))
+            m.set(k, x);
+    }
+    return [...m.values()];
+}
+//# sourceMappingURL=engine.js.map

package/dist/core/remediation-engine/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/core/remediation-engine/engine.ts"],"names":[],"mappings":"AACA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,MAAM,UAAU,kBAAkB,CAAC,QAAgC;IACjE,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;YACnB,MAAM,UAAU,GAAG,gBAAgB,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;YACpD,GAAG,CAAC,IAAI,CAAC;gBACP,IAAI,EAAE,WAAW;gBACjB,MAAM,EAAE,uCAAuC,CAAC,CAAC,YAAY,EAAE;gBAC/D,aAAa,EAAE,CAAC,CAAC,WAAW;gBAC5B,UAAU;gBACV,aAAa,EAAE,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,UAAU,EAAE,EAAE;aAC9D,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE,SAAS;YACf,MAAM,EAAE,4GAA4G;YACpH,aAAa,EAAE,CAAC,CAAC,WAAW;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,IAAI,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC;IAC3B,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/B,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;AACxC,CAAC;AAED,SAAS,SAAS,CAAC,CAA0B;IAC3C,MAAM,CAAC,GAAG,IAAI,GAAG,EAAiC,CAAC;IACnD,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,aAAa,EAAE,CAAC;QACzC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACzB,CAAC"}

package/dist/core/risk-engine/scripts.d.ts

@@ -0,0 +1,6 @@
+/** Lightweight package.json read for risk hints (root workspace). */
+export declare function loadLocalPackageScripts(rootDir: string): Promise<{
+    installScripts: string[];
+}>;
+export declare function scriptExecutesShell(script: string): boolean;
+//# sourceMappingURL=scripts.d.ts.map

package/dist/core/risk-engine/scripts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scripts.d.ts","sourceRoot":"","sources":["../../../src/core/risk-engine/scripts.ts"],"names":[],"mappings":"AAGA,qEAAqE;AACrE,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,cAAc,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAYvC;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE3D"}

package/dist/core/risk-engine/scripts.js

@@ -0,0 +1,19 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+/** Lightweight package.json read for risk hints (root workspace). */
+export async function loadLocalPackageScripts(rootDir) {
+    try {
+        const raw = await readFile(join(rootDir, "package.json"), "utf8");
+        const pkg = JSON.parse(raw);
+        const s = pkg.scripts ?? {};
+        const keys = ["postinstall", "preinstall", "install", "prepare"].filter((k) => typeof s[k] === "string" && s[k]);
+        return { installScripts: keys };
+    }
+    catch {
+        return { installScripts: [] };
+    }
+}
+export function scriptExecutesShell(script) {
+    return /(\bsh\b|\bbash\b|curl\b|wget\b|node-gyp|prebuild)/i.test(script);
+}
+//# sourceMappingURL=scripts.js.map

package/dist/core/risk-engine/scripts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scripts.js","sourceRoot":"","sources":["../../../src/core/risk-engine/scripts.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,qEAAqE;AACrE,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAe;IAEf,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyC,CAAC;QACpE,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,CAAC,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,MAAM,CACrE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,CACxC,CAAC;QACF,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,cAAc,EAAE,EAAE,EAAE,CAAC;IAChC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,OAAO,oDAAoD,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC3E,CAAC"}

package/dist/core/risk-engine/workspace-risk.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=workspace-risk.d.ts.map

package/dist/core/risk-engine/workspace-risk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-risk.d.ts","sourceRoot":"","sources":["../../../src/core/risk-engine/workspace-risk.ts"],"names":[],"mappings":""}

package/dist/core/risk-engine/workspace-risk.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=workspace-risk.js.map

package/dist/core/risk-engine/workspace-risk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-risk.js","sourceRoot":"","sources":["../../../src/core/risk-engine/workspace-risk.ts"],"names":[],"mappings":""}

package/dist/core/workspace-engine/detect.d.ts

@@ -0,0 +1,3 @@
+import type { WorkspaceInfo } from "../models.js";
+export declare function detectWorkspaces(rootDir: string): Promise<WorkspaceInfo>;
+//# sourceMappingURL=detect.d.ts.map

package/dist/core/workspace-engine/detect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../../../src/core/workspace-engine/detect.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAElD,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAoD9E"}

package/dist/core/workspace-engine/detect.js

@@ -0,0 +1,53 @@
+import { readFile, access } from "node:fs/promises";
+import { join } from "node:path";
+export async function detectWorkspaces(rootDir) {
+    const pkgPath = join(rootDir, "package.json");
+    const tools = {};
+    let pkg = {};
+    try {
+        pkg = JSON.parse(await readFile(pkgPath, "utf8"));
+    }
+    catch {
+        return {
+            isMonorepo: false,
+            rootDir,
+            packagePaths: [pkgPath],
+            tools,
+        };
+    }
+    const workspaces = pkg.workspaces;
+    const hasNpmWs = Array.isArray(workspaces) || (typeof workspaces === "object" && workspaces !== null);
+    if (hasNpmWs)
+        tools.npmWorkspaces = true;
+    let pnpmWs = false;
+    try {
+        await access(join(rootDir, "pnpm-workspace.yaml"));
+        pnpmWs = true;
+        tools.pnpmWorkspace = true;
+    }
+    catch {
+        /* no */
+    }
+    try {
+        await access(join(rootDir, "nx.json"));
+        tools.nx = true;
+    }
+    catch {
+        /* no */
+    }
+    try {
+        await access(join(rootDir, "turbo.json"));
+        tools.turbo = true;
+    }
+    catch {
+        /* no */
+    }
+    const isMonorepo = Boolean(tools.npmWorkspaces || tools.pnpmWorkspace || tools.nx || tools.turbo);
+    return {
+        isMonorepo,
+        rootDir,
+        packagePaths: [pkgPath],
+        tools,
+    };
+}
+//# sourceMappingURL=detect.js.map

package/dist/core/workspace-engine/detect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"detect.js","sourceRoot":"","sources":["../../../src/core/workspace-engine/detect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAe;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IAC9C,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,IAAI,GAAG,GAA4B,EAAE,CAAC;IACtC,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAA4B,CAAC;IAC/E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,OAAO;YACP,YAAY,EAAE,CAAC,OAAO,CAAC;YACvB,KAAK;SACN,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC;IAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,CAAC,CAAC;IACtG,IAAI,QAAQ;QAAE,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC;IAEzC,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC,CAAC;QACnD,MAAM,GAAG,IAAI,CAAC;QACd,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ;IACV,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;QACvC,KAAK,CAAC,EAAE,GAAG,IAAI,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ;IACV,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;QAC1C,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ;IACV,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,CACxB,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,EAAE,IAAI,KAAK,CAAC,KAAK,CACtE,CAAC;IAEF,OAAO;QACL,UAAU;QACV,OAAO;QACP,YAAY,EAAE,CAAC,OAAO,CAAC;QACvB,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./core/models.js";
+export { analyze } from "./lib/analyze.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export * from "./core/models.js";
+export { analyze } from "./lib/analyze.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/ink/ReportTui.d.ts

@@ -0,0 +1,8 @@
+import React from "react";
+import type { AuditReport } from "../core/models.js";
+import type { OwnershipPath } from "../core/ownership/tracer.js";
+export declare function ReportTui(props: {
+    report: AuditReport;
+    ownership: OwnershipPath[];
+}): React.ReactElement;
+//# sourceMappingURL=ReportTui.d.ts.map

package/dist/ink/ReportTui.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReportTui.d.ts","sourceRoot":"","sources":["../../src/ink/ReportTui.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAmB,MAAM,OAAO,CAAC;AAExC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAC;AAEjE,wBAAgB,SAAS,CAAC,KAAK,EAAE;IAC/B,MAAM,EAAE,WAAW,CAAC;IACpB,SAAS,EAAE,aAAa,EAAE,CAAC;CAC5B,GAAG,KAAK,CAAC,YAAY,CAwCrB"}

package/dist/ink/ReportTui.js

@@ -0,0 +1,20 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from "react";
+import { Box, Text, useInput } from "ink";
+export function ReportTui(props) {
+    const [idx, setIdx] = useState(0);
+    useInput((input, key) => {
+        if (key.upArrow)
+            setIdx((i) => Math.max(0, i - 1));
+        if (key.downArrow)
+            setIdx((i) => Math.min(props.report.findings.length - 1, i + 1));
+        if (input === "q" || key.escape)
+            process.exit(0);
+    });
+    const f = props.report.findings[idx];
+    return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, children: "audit-trace \u2014 interactive (\u2191/\u2193 navigate, q quit)" }), _jsx(Box, { marginTop: 1, children: _jsxs(Text, { dimColor: true, children: ["Finding ", idx + 1, "/", props.report.findings.length] }) }), f ? (_jsxs(Box, { flexDirection: "column", marginTop: 1, children: [_jsxs(Text, { color: f.severity === "critical" ? "red" : "yellow", children: ["[", f.severity, "] ", f.packageName] }), _jsx(Text, { children: f.title ?? f.id }), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(Text, { bold: true, children: "Owners / paths sample" }), props.ownership
+                                .filter((o) => o.packageName === f.packageName)
+                                .slice(0, 5)
+                                .map((o, i) => (_jsxs(Text, { children: ["via ", o.topLevelNames.join(", ") || "?", " \u2014 dev:", String(o.isDevDependency)] }, i)))] })] })) : (_jsx(Text, { children: "No findings." }))] }));
+}
+//# sourceMappingURL=ReportTui.js.map

package/dist/ink/ReportTui.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReportTui.js","sourceRoot":"","sources":["../../src/ink/ReportTui.tsx"],"names":[],"mappings":";AAAA,OAAc,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACxC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAC;AAI1C,MAAM,UAAU,SAAS,CAAC,KAGzB;IACC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAClC,QAAQ,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtB,IAAI,GAAG,CAAC,OAAO;YAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACnD,IAAI,GAAG,CAAC,SAAS;YAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACpF,IAAI,KAAK,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAErC,OAAO,CACL,MAAC,GAAG,IAAC,aAAa,EAAC,QAAQ,EAAC,OAAO,EAAE,CAAC,aACpC,KAAC,IAAI,IAAC,IAAI,sFAAwD,EAClE,KAAC,GAAG,IAAC,SAAS,EAAE,CAAC,YACf,MAAC,IAAI,IAAC,QAAQ,+BACH,GAAG,GAAG,CAAC,OAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,IAC1C,GACH,EACL,CAAC,CAAC,CAAC,CAAC,CACH,MAAC,GAAG,IAAC,aAAa,EAAC,QAAQ,EAAC,SAAS,EAAE,CAAC,aACtC,MAAC,IAAI,IAAC,KAAK,EAAE,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,kBACrD,CAAC,CAAC,QAAQ,QAAI,CAAC,CAAC,WAAW,IACxB,EACP,KAAC,IAAI,cAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE,GAAQ,EAC9B,MAAC,GAAG,IAAC,SAAS,EAAE,CAAC,EAAE,aAAa,EAAC,QAAQ,aACvC,KAAC,IAAI,IAAC,IAAI,4CAA6B,EACtC,KAAK,CAAC,SAAS;iCACb,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,CAAC;iCAC9C,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;iCACX,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CACb,MAAC,IAAI,uBACE,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,kBAAS,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,KAD/D,CAAC,CAEL,CACR,CAAC,IACA,IACF,CACP,CAAC,CAAC,CAAC,CACF,KAAC,IAAI,+BAAoB,CAC1B,IACG,CACP,CAAC;AACJ,CAAC"}

package/dist/integrations/ci-mode/policy.d.ts

@@ -0,0 +1,17 @@
+import type { CiDiagnostic, VulnerabilityFinding } from "../../core/models.js";
+export interface CiPolicy {
+    failOn: "critical" | "high" | "moderate" | "low" | "info" | "none";
+    prodOnly: boolean;
+    runtimeReachableOnly: boolean;
+}
+export declare const rank: Record<string, number>;
+export declare function evaluateExit(findings: VulnerabilityFinding[], policy: CiPolicy, opts: {
+    noLockfile?: boolean;
+    auditFallback?: boolean;
+    filteredCount?: number;
+}): {
+    exitCode: number;
+    diagnostics: CiDiagnostic[];
+};
+export declare function mergeDiagnostics(a: CiDiagnostic[], b: CiDiagnostic[]): CiDiagnostic[];
+//# sourceMappingURL=policy.d.ts.map

package/dist/integrations/ci-mode/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../../src/integrations/ci-mode/policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAG/E,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;IACnE,QAAQ,EAAE,OAAO,CAAC;IAClB,oBAAoB,EAAE,OAAO,CAAC;CAC/B;AAED,eAAO,MAAM,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAMvC,CAAC;AAEF,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,oBAAoB,EAAE,EAChC,MAAM,EAAE,QAAQ,EAChB,IAAI,EAAE;IACJ,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GACA;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,YAAY,EAAE,CAAA;CAAE,CAoEnD;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,YAAY,EAAE,EAAE,CAAC,EAAE,YAAY,EAAE,GAAG,YAAY,EAAE,CAErF"}

package/dist/integrations/ci-mode/policy.js

@@ -0,0 +1,71 @@
+import { CI_CODES } from "../../core/models.js";
+export const rank = {
+    critical: 4,
+    high: 3,
+    moderate: 2,
+    low: 1,
+    info: 0,
+};
+export function evaluateExit(findings, policy, opts) {
+    const diagnostics = [];
+    if (opts.noLockfile) {
+        diagnostics.push({
+            severity: "warn",
+            code: CI_CODES.NO_LOCKFILE,
+            message: "No supported lockfile found; graph ownership is limited.",
+            remediationHint: "Commit package-lock.json, pnpm-lock.yaml, or yarn.lock at the repository root.",
+        });
+    }
+    if (opts.auditFallback) {
+        diagnostics.push({
+            severity: "info",
+            code: CI_CODES.AUDIT_SOURCE_FALLBACK,
+            message: "Audit output may be partial; verify package manager version.",
+        });
+    }
+    if (opts.filteredCount && opts.filteredCount > 0) {
+        diagnostics.push({
+            severity: "info",
+            code: "FILTER_CONTEXT",
+            message: `${opts.filteredCount} finding(s) excluded by policy filters.`,
+            policy: { prodOnly: policy.prodOnly, runtimeReachableOnly: policy.runtimeReachableOnly },
+        });
+    }
+    let relevant = findings;
+    if (policy.failOn === "none") {
+        return { exitCode: 0, diagnostics };
+    }
+    const threshold = rank[policy.failOn] ?? 0;
+    relevant = relevant.filter((f) => (rank[f.severity] ?? 0) >= threshold);
+    if (relevant.length === 0) {
+        return { exitCode: 0, diagnostics };
+    }
+    const names = [...new Set(relevant.map((r) => r.packageName))];
+    const highSeverity = relevant.filter((f) => f.severity === "high" || f.severity === "critical");
+    if (highSeverity.length && (policy.failOn === "high" || policy.failOn === "critical")) {
+        diagnostics.push({
+            severity: "error",
+            code: CI_CODES.FAIL_HIGH_PROD,
+            message: "High or critical severity vulnerabilities matched the failure threshold.",
+            relatedPackages: [...new Set(highSeverity.map((h) => h.packageName))],
+        });
+    }
+    diagnostics.push({
+        severity: "error",
+        code: CI_CODES.FAIL_POLICY,
+        message: `Dependency audit policy failed (fail-on=${policy.failOn}).`,
+        detail: names.slice(0, 20).join(", ") + (names.length > 20 ? "…" : ""),
+        relatedPackages: names,
+        remediationHint: "Apply overrides/upgrades from the report or adjust --fail-on / filters.",
+        policy: {
+            failOn: policy.failOn,
+            prodOnly: policy.prodOnly,
+            runtimeReachableOnly: policy.runtimeReachableOnly,
+        },
+    });
+    return { exitCode: 1, diagnostics };
+}
+export function mergeDiagnostics(a, b) {
+    return [...a, ...b];
+}
+//# sourceMappingURL=policy.js.map

package/dist/integrations/ci-mode/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../src/integrations/ci-mode/policy.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAQhD,MAAM,CAAC,MAAM,IAAI,GAA2B;IAC1C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;IACX,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF,MAAM,UAAU,YAAY,CAC1B,QAAgC,EAChC,MAAgB,EAChB,IAIC;IAED,MAAM,WAAW,GAAmB,EAAE,CAAC;IAEvC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,WAAW,CAAC,IAAI,CAAC;YACf,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,QAAQ,CAAC,WAAW;YAC1B,OAAO,EAAE,0DAA0D;YACnE,eAAe,EAAE,gFAAgF;SAClG,CAAC,CAAC;IACL,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,WAAW,CAAC,IAAI,CAAC;YACf,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,QAAQ,CAAC,qBAAqB;YACpC,OAAO,EAAE,8DAA8D;SACxE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;QACjD,WAAW,CAAC,IAAI,CAAC;YACf,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE,GAAG,IAAI,CAAC,aAAa,yCAAyC;YACvE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,oBAAoB,EAAE,MAAM,CAAC,oBAAoB,EAAE;SACzF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,QAAQ,GAAG,QAAQ,CAAC;IACxB,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC7B,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3C,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;IAExE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IAE/D,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IAChG,IAAI,YAAY,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,CAAC,EAAE,CAAC;QACtF,WAAW,CAAC,IAAI,CAAC;YACf,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,QAAQ,CAAC,cAAc;YAC7B,OAAO,EAAE,0EAA0E;YACnF,eAAe,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;SACtE,CAAC,CAAC;IACL,CAAC;IAED,WAAW,CAAC,IAAI,CAAC;QACf,QAAQ,EAAE,OAAO;QACjB,IAAI,EAAE,QAAQ,CAAC,WAAW;QAC1B,OAAO,EAAE,2CAA2C,MAAM,CAAC,MAAM,IAAI;QACrE,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,eAAe,EAAE,KAAK;QACtB,eAAe,EAAE,yEAAyE;QAC1F,MAAM,EAAE;YACN,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,oBAAoB,EAAE,MAAM,CAAC,oBAAoB;SAClD;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,WAAW,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAiB,EAAE,CAAiB;IACnE,OAAO,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;AACtB,CAAC"}

package/dist/integrations/lockfile-diff/compare.d.ts

@@ -0,0 +1,11 @@
+export interface LockDiffSummary {
+    addedPackages: string[];
+    removedPackages: string[];
+    versionChanges: {
+        name: string;
+        from: string;
+        to: string;
+    }[];
+}
+export declare function diffLockfiles(beforeText: string, afterText: string, kind: "npm" | "pnpm"): LockDiffSummary;
+//# sourceMappingURL=compare.d.ts.map

package/dist/integrations/lockfile-diff/compare.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compare.d.ts","sourceRoot":"","sources":["../../../src/integrations/lockfile-diff/compare.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,eAAe;IAC9B,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAC9D;AAmCD,wBAAgB,aAAa,CAC3B,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,KAAK,GAAG,MAAM,GACnB,eAAe,CAOjB"}

package/dist/integrations/lockfile-diff/compare.js

@@ -0,0 +1,44 @@
+import { parse as parseYaml } from "yaml";
+function listNpmPackages(text) {
+    const m = new Map();
+    try {
+        const j = JSON.parse(text);
+        const pk = j.packages ?? {};
+        for (const [path, ent] of Object.entries(pk)) {
+            if (path === "")
+                continue;
+            const name = ent.name ?? path.split("node_modules/").pop() ?? path;
+            const v = ent.version ?? "";
+            if (name && v)
+                m.set(`${name}@${v}`, `${name}@${v}`);
+        }
+    }
+    catch {
+        /* ignore */
+    }
+    return m;
+}
+function listPnpmPackages(text) {
+    const m = new Map();
+    try {
+        const doc = parseYaml(text);
+        const pk = doc.packages ?? {};
+        for (const k of Object.keys(pk)) {
+            if (k.startsWith("/"))
+                m.set(k, k);
+        }
+    }
+    catch {
+        /* ignore */
+    }
+    return m;
+}
+export function diffLockfiles(beforeText, afterText, kind) {
+    const a = kind === "npm" ? listNpmPackages(beforeText) : listPnpmPackages(beforeText);
+    const b = kind === "npm" ? listNpmPackages(afterText) : listPnpmPackages(afterText);
+    const addedPackages = [...b.keys()].filter((k) => !a.has(k));
+    const removedPackages = [...a.keys()].filter((k) => !b.has(k));
+    const versionChanges = [];
+    return { addedPackages, removedPackages, versionChanges };
+}
+//# sourceMappingURL=compare.js.map

package/dist/integrations/lockfile-diff/compare.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compare.js","sourceRoot":"","sources":["../../../src/integrations/lockfile-diff/compare.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAQ1C,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,CAAC,GAAG,IAAI,GAAG,EAAkB,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAExB,CAAC;QACF,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC;QAC5B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;YAC7C,IAAI,IAAI,KAAK,EAAE;gBAAE,SAAS;YAC1B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;YACnE,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;YAC5B,IAAI,IAAI,IAAI,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,EAAE,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,CAAC,GAAG,IAAI,GAAG,EAAkB,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAA2C,CAAC;QACtE,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,UAAkB,EAClB,SAAiB,EACjB,IAAoB;IAEpB,MAAM,CAAC,GAAG,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACtF,MAAM,CAAC,GAAG,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACpF,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,eAAe,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,MAAM,cAAc,GAAsC,EAAE,CAAC;IAC7D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC;AAC5D,CAAC"}

package/dist/integrations/reachability/madge-check.d.ts

@@ -0,0 +1,12 @@
+export type ReachabilityResult = {
+    status: "reachable" | "not_reachable";
+    evidence: string;
+} | {
+    status: "unknown";
+    evidence: string;
+};
+/**
+ * Best-effort: if madge dependency graph includes the package name under node_modules, treat as reachable.
+ */
+export declare function checkRuntimeReachable(entryFile: string, packageName: string, cwd: string): Promise<ReachabilityResult>;
+//# sourceMappingURL=madge-check.d.ts.map

package/dist/integrations/reachability/madge-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"madge-check.d.ts","sourceRoot":"","sources":["../../../src/integrations/reachability/madge-check.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,kBAAkB,GAC1B;IAAE,MAAM,EAAE,WAAW,GAAG,eAAe,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC3D;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC;AAE5C;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,EACnB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,kBAAkB,CAAC,CAiC7B"}