dep-brain 1.2.0 → 1.4.0

package/dist/core/analyzer.js

@@ -9,7 +9,7 @@ import { buildDependencyGraph } from "./graph-builder.js";
 import { PluginManager } from "./plugin-manager.js";
 import { calculateHealthScore, calculateScoreDeductions } from "./scorer.js";
 import { buildAnalysisContext } from "./context.js";
-export const OUTPUT_VERSION = "1.4";
+export const OUTPUT_VERSION = "1.5";
 export async function analyzeProject(options = {}) {
     const rootDir = path.resolve(options.rootDir ?? process.cwd());
     const loadedConfig = await loadDepBrainConfig(rootDir, options.configPath);
@@ -143,7 +143,12 @@ function mergeConfig(base, overrides) {
         },
         risk: {
             transitiveBloatThreshold: overrides.risk?.transitiveBloatThreshold ?? base.risk.transitiveBloatThreshold,
-            typosquattingDistanceThreshold: overrides.risk?.typosquattingDistanceThreshold ?? base.risk.typosquattingDistanceThreshold
+            typosquattingDistanceThreshold: overrides.risk?.typosquattingDistanceThreshold ?? base.risk.typosquattingDistanceThreshold,
+            staleReleaseDays: overrides.risk?.staleReleaseDays ?? base.risk.staleReleaseDays,
+            agingReleaseDays: overrides.risk?.agingReleaseDays ?? base.risk.agingReleaseDays,
+            lowDownloadThreshold: overrides.risk?.lowDownloadThreshold ?? base.risk.lowDownloadThreshold,
+            lowTrustWeightThreshold: overrides.risk?.lowTrustWeightThreshold ?? base.risk.lowTrustWeightThreshold,
+            mediumTrustWeightThreshold: overrides.risk?.mediumTrustWeightThreshold ?? base.risk.mediumTrustWeightThreshold
         },
         dashboard: {
             outputPath: overrides.dashboard?.outputPath ?? base.dashboard.outputPath
@@ -187,7 +192,7 @@ function evaluatePolicy(summary, config) {
 }
 async function analyzeSingleProject(rootDir, config, options = {}) {
     const context = await buildAnalysisContext(rootDir, config);
-    const results = await runChecks(context, options.focus ?? "all");
+    const results = await runChecks(context, options.focus ?? "all", config);
     const issueGroups = normalizeIssues(results, config);
     const duplicates = mapDuplicateIssues(issueGroups.duplicates);
     const unused = mapUnusedIssues(issueGroups.unused);
@@ -280,7 +285,7 @@ function shouldIgnorePackage(name, bucket, config) {
         }
     });
 }
-async function runChecks(context, focus) {
+async function runChecks(context, focus, config) {
     const checks = [
         {
             name: "duplicate",
@@ -296,7 +301,7 @@ async function runChecks(context, focus) {
         },
         {
             name: "risk",
-            run: () => runRiskCheck(context.graph)
+            run: () => runRiskCheck(context.graph, { thresholds: config.risk })
         }
     ];
     const results = [];
@@ -391,6 +396,10 @@ function mapRiskIssues(issues) {
         explanation: normalizeStringArray(issue.explanation),
         trustScore: normalizeTrustScore(issue.meta?.trustScore),
         riskFactors: normalizeRiskFactors(issue.meta?.riskFactors),
+        transitiveRiskScore: typeof issue.meta?.transitiveRiskScore === "number"
+            ? issue.meta.transitiveRiskScore
+            : 0,
+        riskyTransitiveDeps: normalizeRiskTransitiveDependencies(issue.meta?.riskyTransitiveDeps),
         recommendation: buildRiskRecommendation(issue)
     }));
 }
@@ -454,13 +463,18 @@ function buildRiskRecommendation(issue) {
     const reasons = normalizeStringArray(issue.explanation);
     const confidence = normalizeConfidence(issue.confidence);
     const trustScore = normalizeTrustScore(issue.meta?.trustScore);
+    const riskyTransitiveDeps = normalizeRiskTransitiveDependencies(issue.meta?.riskyTransitiveDeps);
     return {
         action: "review",
-        priority: trustScore === "low" || confidence >= 0.79 ? "high" : "medium",
+        priority: trustScore === "low" || confidence >= 0.79 || riskyTransitiveDeps.length >= 2
+            ? "high"
+            : "medium",
         safety: "caution",
-        summary: trustScore === "low"
-            ? "Low trust package; review whether to replace, pin, or monitor it closely."
-            : "Review package trust signals and decide whether to keep, replace, or monitor it.",
+        summary: riskyTransitiveDeps.length > 0
+            ? "Review this direct dependency and its transitive chain before upgrading or keeping it."
+            : trustScore === "low"
+                ? "Low trust package; review whether to replace, pin, or monitor it closely."
+                : "Review package trust signals and decide whether to keep, replace, or monitor it.",
         reasons
     };
 }
@@ -599,7 +613,9 @@ function normalizeRiskFactors(value) {
             versionCount: null,
             recentReleaseCount: null,
             hasRepository: false,
-            dependencyType: "unknown"
+            dependencyType: "unknown",
+            transitiveDependencyCount: 0,
+            riskyTransitiveCount: 0
         };
     }
     const factors = value;
@@ -612,9 +628,38 @@ function normalizeRiskFactors(value) {
         hasRepository: factors.hasRepository === true,
         dependencyType: factors.dependencyType === "dependencies" || factors.dependencyType === "devDependencies"
             ? factors.dependencyType
-            : "unknown"
+            : "unknown",
+        transitiveDependencyCount: typeof factors.transitiveDependencyCount === "number" ? factors.transitiveDependencyCount : 0,
+        riskyTransitiveCount: typeof factors.riskyTransitiveCount === "number" ? factors.riskyTransitiveCount : 0
     };
 }
+function normalizeRiskTransitiveDependencies(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value
+        .map((entry) => {
+        if (!entry || typeof entry !== "object") {
+            return null;
+        }
+        const item = entry;
+        if (typeof item.name !== "string" ||
+            (item.trustScore !== "high" && item.trustScore !== "medium" && item.trustScore !== "low") ||
+            typeof item.confidence !== "number" ||
+            !Array.isArray(item.reasons) ||
+            !Array.isArray(item.introducedByPaths)) {
+            return null;
+        }
+        return {
+            name: item.name,
+            trustScore: item.trustScore,
+            confidence: normalizeConfidence(item.confidence),
+            reasons: item.reasons.filter((reason) => typeof reason === "string"),
+            introducedByPaths: item.introducedByPaths.filter((trace) => typeof trace === "string")
+        };
+    })
+        .filter((entry) => entry !== null);
+}
 function normalizeWorkspaceUsage(value) {
     if (!Array.isArray(value)) {
         return [];

package/dist/core/graph-builder.d.ts

@@ -11,5 +11,6 @@ export interface DependencyGraph {
     overrides: Record<string, unknown>;
     scripts: Record<string, string>;
     lockPackages: Record<string, LockPackageInstance[]>;
+    lockDependencies: Record<string, string[]>;
 }
 export declare function buildDependencyGraph(rootDir: string): Promise<DependencyGraph>;

package/dist/core/graph-builder.js

@@ -7,32 +7,29 @@ export async function buildDependencyGraph(rootDir) {
     const pnpmLockfilePath = path.join(rootDir, "pnpm-lock.yaml");
     const yarnLockfilePath = path.join(rootDir, "yarn.lock");
     const packageJson = await readJsonFile(packageJsonPath);
-    const lockPackages = new Map();
     try {
         const packageLock = await readJsonFile(lockfilePath);
-        for (const [packagePath, details] of Object.entries(packageLock.packages ?? {})) {
-            const name = extractPackageName(packagePath);
-            const version = details.version;
-            if (!name || !version) {
-                continue;
-            }
-            const instances = lockPackages.get(name) ?? new Map();
-            const normalizedPath = packagePath || "node_modules/" + name;
-            instances.set(normalizedPath, { path: normalizedPath, version });
-            lockPackages.set(name, instances);
-        }
-        for (const [name, details] of Object.entries(packageLock.dependencies ?? {})) {
-            if (!details.version) {
-                continue;
-            }
-            const instances = lockPackages.get(name) ?? new Map();
-            const normalizedPath = `node_modules/${name}`;
-            instances.set(normalizedPath, { path: normalizedPath, version: details.version });
-            lockPackages.set(name, instances);
-        }
+        const parsed = parseNpmLockfile(packageLock, {
+            ...packageJson.dependencies,
+            ...packageJson.devDependencies
+        });
+        return {
+            rootDir,
+            packageJsonPath,
+            lockfilePath,
+            dependencies: packageJson.dependencies ?? {},
+            devDependencies: packageJson.devDependencies ?? {},
+            overrides: packageJson.overrides ?? {},
+            scripts: packageJson.scripts ?? {},
+            lockPackages: parsed.lockPackages,
+            lockDependencies: parsed.lockDependencies
+        };
     }
     catch {
-        const fallbackLockfile = await readAlternativeLockfile(pnpmLockfilePath, yarnLockfilePath);
+        const fallbackLockfile = await readAlternativeLockfile(pnpmLockfilePath, yarnLockfilePath, {
+            ...packageJson.dependencies,
+            ...packageJson.devDependencies
+        });
         return {
             rootDir,
             packageJsonPath,
@@ -41,29 +38,19 @@ export async function buildDependencyGraph(rootDir) {
             devDependencies: packageJson.devDependencies ?? {},
             overrides: packageJson.overrides ?? {},
             scripts: packageJson.scripts ?? {},
-            lockPackages: fallbackLockfile.lockPackages
+            lockPackages: fallbackLockfile.lockPackages,
+            lockDependencies: fallbackLockfile.lockDependencies
         };
     }
-    return {
-        rootDir,
-        packageJsonPath,
-        lockfilePath,
-        dependencies: packageJson.dependencies ?? {},
-        devDependencies: packageJson.devDependencies ?? {},
-        overrides: packageJson.overrides ?? {},
-        scripts: packageJson.scripts ?? {},
-        lockPackages: Object.fromEntries(Array.from(lockPackages.entries()).map(([name, instances]) => [
-            name,
-            Array.from(instances.values()).sort((left, right) => left.path.localeCompare(right.path))
-        ]))
-    };
 }
-async function readAlternativeLockfile(pnpmLockfilePath, yarnLockfilePath) {
+async function readAlternativeLockfile(pnpmLockfilePath, yarnLockfilePath, rootDependencies) {
     try {
         const content = await fs.readFile(pnpmLockfilePath, "utf8");
+        const parsed = parsePnpmLockfile(content, rootDependencies);
         return {
             lockfilePath: pnpmLockfilePath,
-            lockPackages: parsePnpmLockfile(content)
+            lockPackages: parsed.lockPackages,
+            lockDependencies: parsed.lockDependencies
         };
     }
     catch {
@@ -71,58 +58,150 @@ async function readAlternativeLockfile(pnpmLockfilePath, yarnLockfilePath) {
     }
     try {
         const content = await fs.readFile(yarnLockfilePath, "utf8");
+        const parsed = parseYarnLockfile(content, rootDependencies);
         return {
             lockfilePath: yarnLockfilePath,
-            lockPackages: parseYarnLockfile(content)
+            lockPackages: parsed.lockPackages,
+            lockDependencies: parsed.lockDependencies
         };
     }
     catch {
         return {
-            lockPackages: {}
+            lockPackages: {},
+            lockDependencies: {}
         };
     }
 }
-function extractPackageName(packagePath) {
-    if (!packagePath) {
-        return null;
+function parseNpmLockfile(packageLock, rootDependencies) {
+    const lockPackages = new Map();
+    const lockDependencies = new Map();
+    for (const [packagePath, details] of Object.entries(packageLock.packages ?? {})) {
+        const name = details.name ?? extractPackageName(packagePath);
+        const version = details.version;
+        if (name && version) {
+            const instances = lockPackages.get(name) ?? new Map();
+            const normalizedPath = packagePath || "node_modules/" + name;
+            instances.set(normalizedPath, { path: normalizedPath, version });
+            lockPackages.set(name, instances);
+        }
+        if (name) {
+            addDependencyNames(lockDependencies, name, Object.keys(details.dependencies ?? {}));
+        }
     }
-    const match = packagePath.match(/(?:^|\/)node_modules\/(.+)$/);
-    if (!match) {
-        return null;
+    for (const [name, details] of Object.entries(packageLock.dependencies ?? {})) {
+        if (details.version) {
+            const instances = lockPackages.get(name) ?? new Map();
+            const normalizedPath = `node_modules/${name}`;
+            instances.set(normalizedPath, { path: normalizedPath, version: details.version });
+            lockPackages.set(name, instances);
+        }
+        addDependencyNames(lockDependencies, name, Object.keys(details.requires ?? {}));
     }
-    return match[1];
+    addDependencyNames(lockDependencies, "__root__", Object.keys(rootDependencies));
+    return {
+        lockPackages: toLockPackageRecord(lockPackages),
+        lockDependencies: toDependencyRecord(lockDependencies)
+    };
 }
-function parsePnpmLockfile(content) {
+function parsePnpmLockfile(content, rootDependencies) {
     const lockPackages = new Map();
-    for (const line of content.split(/\r?\n/)) {
-        const match = line.match(/^\s{2}(?:'|")?\/((?:@[^/]+\/)?[^/@'"]+)@([^('":]+)[^:]*:(?:'|")?\s*$/);
-        if (!match) {
+    const lockDependencies = new Map();
+    const lines = content.split(/\r?\n/);
+    let currentName = null;
+    let currentVersion = null;
+    let inDependenciesBlock = false;
+    for (const line of lines) {
+        const packageMatch = line.match(/^\s{2}(?:'|")?\/((?:@[^/]+\/)?[^/@'"]+)@([^('":]+)[^:]*:(?:'|")?\s*$/);
+        if (packageMatch) {
+            currentName = packageMatch[1];
+            currentVersion = packageMatch[2];
+            inDependenciesBlock = false;
+            addLockPackage(lockPackages, currentName, `pnpm:${currentName}@${currentVersion}`, currentVersion);
+            continue;
+        }
+        if (!currentName) {
+            continue;
+        }
+        if (/^\s{4}(?:dependencies|optionalDependencies):\s*$/.test(line)) {
+            inDependenciesBlock = true;
+            continue;
+        }
+        if (/^\s{4}\S/.test(line) && !/^\s{4}(?:dependencies|optionalDependencies):\s*$/.test(line)) {
+            inDependenciesBlock = false;
+        }
+        if (!inDependenciesBlock) {
             continue;
         }
-        addLockPackage(lockPackages, match[1], `pnpm-lock:${match[0].trim()}`, match[2]);
+        const dependencyMatch = line.match(/^\s{6}((?:@[^/]+\/)?[^:\s]+):\s*(.+)?$/);
+        if (!dependencyMatch) {
+            continue;
+        }
+        addDependencyNames(lockDependencies, currentName, [dependencyMatch[1]]);
     }
-    return toLockPackageRecord(lockPackages);
+    addDependencyNames(lockDependencies, "__root__", Object.keys(rootDependencies));
+    return {
+        lockPackages: toLockPackageRecord(lockPackages),
+        lockDependencies: toDependencyRecord(lockDependencies)
+    };
 }
-function parseYarnLockfile(content) {
+function parseYarnLockfile(content, rootDependencies) {
     const lockPackages = new Map();
+    const lockDependencies = new Map();
+    const lines = content.split(/\r?\n/);
     let currentNames = [];
-    for (const line of content.split(/\r?\n/)) {
+    let currentVersion = null;
+    let inDependenciesBlock = false;
+    for (const line of lines) {
         if (line.trim().length === 0 || line.startsWith("#")) {
             continue;
         }
         if (!line.startsWith(" ") && line.endsWith(":")) {
             currentNames = extractYarnEntryNames(line.slice(0, -1));
+            currentVersion = null;
+            inDependenciesBlock = false;
             continue;
         }
         const versionMatch = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
-        if (!versionMatch) {
+        if (versionMatch) {
+            currentVersion = versionMatch[1];
+            for (const name of currentNames) {
+                addLockPackage(lockPackages, name, `yarn:${name}@${currentVersion}`, currentVersion);
+            }
+            continue;
+        }
+        if (/^\s{2}dependencies:\s*$/.test(line)) {
+            inDependenciesBlock = true;
+            continue;
+        }
+        if (/^\s{2}\S/.test(line) && !/^\s{2}dependencies:\s*$/.test(line)) {
+            inDependenciesBlock = false;
+        }
+        if (!inDependenciesBlock) {
+            continue;
+        }
+        const dependencyMatch = line.match(/^\s{4}((?:@[^/]+\/)?[^"\s]+)\s+/);
+        if (!dependencyMatch) {
             continue;
         }
         for (const name of currentNames) {
-            addLockPackage(lockPackages, name, `yarn-lock:${name}@${versionMatch[1]}`, versionMatch[1]);
+            addDependencyNames(lockDependencies, name, [dependencyMatch[1]]);
         }
     }
-    return toLockPackageRecord(lockPackages);
+    addDependencyNames(lockDependencies, "__root__", Object.keys(rootDependencies));
+    return {
+        lockPackages: toLockPackageRecord(lockPackages),
+        lockDependencies: toDependencyRecord(lockDependencies)
+    };
+}
+function extractPackageName(packagePath) {
+    if (!packagePath) {
+        return null;
+    }
+    const match = packagePath.match(/(?:^|\/)node_modules\/(.+)$/);
+    if (!match) {
+        return null;
+    }
+    return match[1];
 }
 function extractYarnEntryNames(entry) {
     const names = new Set();
@@ -149,9 +228,25 @@ function addLockPackage(lockPackages, name, packagePath, version) {
     instances.set(packagePath, { path: packagePath, version });
     lockPackages.set(name, instances);
 }
+function addDependencyNames(lockDependencies, name, dependencies) {
+    if (dependencies.length === 0) {
+        return;
+    }
+    const entry = lockDependencies.get(name) ?? new Set();
+    for (const dependency of dependencies) {
+        entry.add(dependency);
+    }
+    lockDependencies.set(name, entry);
+}
 function toLockPackageRecord(lockPackages) {
     return Object.fromEntries(Array.from(lockPackages.entries()).map(([name, instances]) => [
         name,
         Array.from(instances.values()).sort((left, right) => left.path.localeCompare(right.path))
     ]));
 }
+function toDependencyRecord(lockDependencies) {
+    return Object.fromEntries(Array.from(lockDependencies.entries()).map(([name, dependencies]) => [
+        name,
+        Array.from(dependencies).sort((left, right) => left.localeCompare(right))
+    ]));
+}

package/dist/core/plugin-manager.d.ts

@@ -11,10 +11,19 @@ export interface DepBrainPlugin {
     reportHook?: (result: AnalysisResult) => Promise<Record<string, unknown> | void> | Record<string, unknown> | void;
     cliCommands?: (cli: unknown) => void;
 }
+export interface PluginDiagnostic {
+    spec: string;
+    code: "load_failed" | "invalid_plugin" | "hook_failed";
+    message: string;
+    plugin?: string;
+    hook?: "preScan" | "postScan" | "reportHook";
+}
 export declare class PluginManager {
     private readonly plugins;
+    private readonly diagnostics;
     private constructor();
     static load(rootDir: string, config: DepBrainConfig): Promise<PluginManager>;
     runPreScan(context: ProjectContext): Promise<void>;
     runPostScan(result: AnalysisResult): Promise<AnalysisResult>;
+    private attachDiagnostics;
 }

package/dist/core/plugin-manager.js

@@ -1,9 +1,12 @@
+import { promises as fs } from "node:fs";
 import path from "node:path";
 import { pathToFileURL } from "node:url";
 export class PluginManager {
     plugins;
-    constructor(plugins) {
+    diagnostics;
+    constructor(plugins, diagnostics) {
         this.plugins = plugins;
+        this.diagnostics = diagnostics;
     }
     static async load(rootDir, config) {
         const specs = [
@@ -11,38 +14,71 @@ export class PluginManager {
             ...config.plugins.paths
         ];
         const plugins = [];
+        const diagnostics = [];
         for (const spec of specs) {
-            const plugin = await loadPlugin(rootDir, spec);
-            if (plugin) {
-                plugins.push(plugin);
+            const result = await loadPlugin(rootDir, spec);
+            if (result.plugin) {
+                plugins.push(result.plugin);
+            }
+            if (result.diagnostic) {
+                diagnostics.push(result.diagnostic);
             }
         }
-        return new PluginManager(plugins);
+        return new PluginManager(plugins, diagnostics);
     }
     async runPreScan(context) {
         for (const plugin of this.plugins) {
-            await plugin.preScan?.(context);
+            try {
+                await plugin.preScan?.(context);
+            }
+            catch (error) {
+                this.diagnostics.push(buildHookDiagnostic(plugin.name, "preScan", error));
+            }
         }
     }
     async runPostScan(result) {
         let current = result;
         for (const plugin of this.plugins) {
-            const next = await plugin.postScan?.(current);
-            if (next) {
-                current = next;
+            try {
+                const next = await plugin.postScan?.(current);
+                if (next) {
+                    current = next;
+                }
             }
-            const reportSection = await plugin.reportHook?.(current);
-            if (reportSection) {
-                current.extensions[plugin.name] = {
-                    ...(asRecord(current.extensions[plugin.name]) ?? {}),
-                    ...reportSection
-                };
+            catch (error) {
+                this.diagnostics.push(buildHookDiagnostic(plugin.name, "postScan", error));
             }
+            try {
+                const reportSection = await plugin.reportHook?.(current);
+                if (reportSection) {
+                    current.extensions[plugin.name] = {
+                        ...(asRecord(current.extensions[plugin.name]) ?? {}),
+                        ...reportSection
+                    };
+                }
+            }
+            catch (error) {
+                this.diagnostics.push(buildHookDiagnostic(plugin.name, "reportHook", error));
+            }
+        }
+        return this.attachDiagnostics(current);
+    }
+    attachDiagnostics(result) {
+        if (this.diagnostics.length === 0) {
+            return result;
         }
-        return current;
+        result.extensions.depBrain = {
+            ...(asRecord(result.extensions.depBrain) ?? {}),
+            plugins: this.diagnostics
+        };
+        return result;
     }
 }
 async function loadPlugin(rootDir, spec) {
+    const builtIn = getBuiltInPlugin(spec);
+    if (builtIn) {
+        return { plugin: builtIn };
+    }
     try {
         const resolved = spec.startsWith(".") || path.isAbsolute(spec)
             ? path.resolve(rootDir, spec)
@@ -51,11 +87,99 @@ async function loadPlugin(rootDir, spec) {
         const mod = await import(moduleUrl);
         const exported = mod.default ?? mod.plugin ?? mod;
         const candidate = typeof exported === "function" ? new exported() : exported;
-        return isPlugin(candidate) ? candidate : null;
+        if (isPlugin(candidate)) {
+            return { plugin: candidate };
+        }
+        return {
+            plugin: null,
+            diagnostic: {
+                spec,
+                code: "invalid_plugin",
+                message: "Plugin must export an object with a string name."
+            }
+        };
     }
-    catch {
+    catch (error) {
+        return {
+            plugin: null,
+            diagnostic: {
+                spec,
+                code: "load_failed",
+                message: error instanceof Error ? error.message : String(error)
+            }
+        };
+    }
+}
+function getBuiltInPlugin(spec) {
+    if (spec !== "license" && spec !== "dep-brain-plugin-license") {
         return null;
     }
+    return {
+        name: "license",
+        reportHook: async (result) => {
+            const packages = await collectLicensePackages(result.rootDir);
+            const licenses = packages.reduce((acc, item) => {
+                acc[item.license] = (acc[item.license] ?? 0) + 1;
+                return acc;
+            }, {});
+            return {
+                summary: {
+                    total: packages.length,
+                    unknown: packages.filter((item) => item.license === "UNKNOWN").length,
+                    licenses
+                },
+                packages
+            };
+        }
+    };
+}
+async function collectLicensePackages(rootDir) {
+    const raw = await fs.readFile(path.join(rootDir, "package.json"), "utf8");
+    const pkg = JSON.parse(raw);
+    const names = Object.keys({
+        ...(pkg.dependencies ?? {}),
+        ...(pkg.devDependencies ?? {})
+    }).sort();
+    return Promise.all(names.map(async (name) => ({
+        name,
+        license: await readPackageLicense(rootDir, name)
+    })));
+}
+async function readPackageLicense(rootDir, name) {
+    try {
+        const raw = await fs.readFile(path.join(rootDir, "node_modules", name, "package.json"), "utf8");
+        const pkg = JSON.parse(raw);
+        if (typeof pkg.license === "string" && pkg.license.trim().length > 0) {
+            return pkg.license;
+        }
+        if (Array.isArray(pkg.licenses) && pkg.licenses.length > 0) {
+            const licenses = pkg.licenses
+                .map((item) => {
+                if (typeof item === "string") {
+                    return item;
+                }
+                if (item && typeof item === "object" && typeof item.type === "string") {
+                    return item.type;
+                }
+                return null;
+            })
+                .filter((item) => Boolean(item));
+            return licenses.length > 0 ? licenses.join(", ") : "UNKNOWN";
+        }
+    }
+    catch {
+        return "UNKNOWN";
+    }
+    return "UNKNOWN";
+}
+function buildHookDiagnostic(plugin, hook, error) {
+    return {
+        spec: plugin,
+        plugin,
+        hook,
+        code: "hook_failed",
+        message: error instanceof Error ? error.message : String(error)
+    };
 }
 function isPlugin(value) {
     return Boolean(value &&

package/dist/index.d.ts

@@ -1,8 +1,8 @@
 export { analyzeProject } from "./core/analyzer.js";
-export type { AnalysisOptions, AnalysisFocus, AnalysisResult, DepBrainBaseline, DuplicateDependency, OutdatedDependency, PolicyResult, PackageAnalysisResult, Recommendation, RiskFactors, ScoreBreakdown, RiskDependency, TopIssue, TrustScore, UnusedDependency, WorkspaceDependencyUsage, WorkspaceOwnershipSummary } from "./core/analyzer.js";
+export type { AnalysisOptions, AnalysisFocus, AnalysisResult, DepBrainBaseline, DuplicateDependency, OutdatedDependency, PolicyResult, PackageAnalysisResult, Recommendation, RiskFactors, RiskTransitiveDependency, ScoreBreakdown, RiskDependency, TopIssue, TrustScore, UnusedDependency, WorkspaceDependencyUsage, WorkspaceOwnershipSummary } from "./core/analyzer.js";
 export { OUTPUT_VERSION } from "./core/analyzer.js";
 export { PluginManager } from "./core/plugin-manager.js";
-export type { DepBrainPlugin, ProjectContext } from "./core/plugin-manager.js";
+export type { DepBrainPlugin, PluginDiagnostic, ProjectContext } from "./core/plugin-manager.js";
 export type { AnalysisContext, CheckResult, Issue } from "./core/types.js";
 export type { DepBrainConfig, DepBrainConfigOverrides } from "./utils/config.js";
 export type { WorkspacePackage } from "./utils/workspaces.js";