dw-kit 1.3.5 → 1.3.6

package/src/lib/npm-registry.mjs

@@ -0,0 +1,159 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, appendFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+
+const REGISTRY_BASE = 'https://registry.npmjs.org';
+const FETCH_TIMEOUT_MS = 5000;
+const CACHE_REL = '.dw/security/npm-registry-cache.jsonl';
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour per ADR-0006
+
+export function cachePath(rootDir = process.cwd()) {
+  return join(rootDir, CACHE_REL);
+}
+
+function ensureCacheDir(rootDir) {
+  const dir = dirname(cachePath(rootDir));
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+}
+
+export function loadCache(rootDir = process.cwd()) {
+  const p = cachePath(rootDir);
+  if (!existsSync(p)) return new Map();
+  const map = new Map();
+  try {
+    const lines = readFileSync(p, 'utf-8').split('\n').filter(Boolean);
+    for (const line of lines) {
+      try {
+        const e = JSON.parse(line);
+        if (e && e.key) map.set(e.key, e);
+      } catch {
+        // skip malformed line
+      }
+    }
+  } catch {
+    // unreadable cache → ignore
+  }
+  return map;
+}
+
+export function cacheGet(rootDir, key, ttlMs = CACHE_TTL_MS) {
+  const map = loadCache(rootDir);
+  const entry = map.get(key);
+  if (!entry) return null;
+  if (ttlMs <= 0) return null;
+  if (Date.now() - entry.cached_at > ttlMs) return null;
+  return entry.value;
+}
+
+export function cachePut(rootDir, key, value) {
+  ensureCacheDir(rootDir);
+  const line = JSON.stringify({ key, cached_at: Date.now(), value }) + '\n';
+  appendFileSync(cachePath(rootDir), line, 'utf-8');
+}
+
+export function pruneCache(rootDir, ttlMs = CACHE_TTL_MS) {
+  const p = cachePath(rootDir);
+  if (!existsSync(p)) return;
+  const map = loadCache(rootDir);
+  const now = Date.now();
+  const fresh = [];
+  for (const e of map.values()) {
+    if (now - e.cached_at <= ttlMs) fresh.push(e);
+  }
+  ensureCacheDir(rootDir);
+  writeFileSync(p, fresh.map((e) => JSON.stringify(e)).join('\n') + (fresh.length ? '\n' : ''), 'utf-8');
+}
+
+async function fetchJson(url, { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetch(url, {
+      headers: { accept: 'application/json' },
+      signal: controller.signal,
+    });
+    if (!res.ok) {
+      const err = new Error(`npm registry HTTP ${res.status}`);
+      err.status = res.status;
+      throw err;
+    }
+    return await res.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+/**
+ * Fetch the full registry document for a package. Cached.
+ * Returns the raw npm registry response or null on hard failure.
+ */
+export async function fetchPackageMetadata(packageName, rootDir = process.cwd(), { useCache = true } = {}) {
+  const key = `pkg:${packageName}`;
+  if (useCache) {
+    const cached = cacheGet(rootDir, key);
+    if (cached) return cached;
+  }
+  try {
+    const data = await fetchJson(`${REGISTRY_BASE}/${encodeURIComponent(packageName).replace('%40', '@')}`);
+    cachePut(rootDir, key, data);
+    return data;
+  } catch (e) {
+    if (e.status === 404) return null;
+    throw e;
+  }
+}
+
+/**
+ * Extract the signals needed by the heuristic scorer (ADR-0006 pillar 3).
+ * Pure function — call after fetchPackageMetadata returned a document.
+ */
+export function extractSignals(metadata, version) {
+  if (!metadata) return null;
+  const timeMap = metadata.time || {};
+  const publishIso = timeMap[version] || null;
+  const publishedAt = publishIso ? new Date(publishIso).getTime() : null;
+  const ageHours = publishedAt ? (Date.now() - publishedAt) / (1000 * 60 * 60) : null;
+
+  // Last modified time on the package as a whole — proxy for maintainer activity
+  const modifiedIso = timeMap.modified || null;
+  const modifiedAt = modifiedIso ? new Date(modifiedIso).getTime() : null;
+
+  // Maintainer set
+  const maintainers = Array.isArray(metadata.maintainers)
+    ? metadata.maintainers.map((m) => (typeof m === 'string' ? m : m.name)).filter(Boolean)
+    : [];
+
+  // Latest version on dist-tags
+  const latestVersion = metadata['dist-tags']?.latest || null;
+
+  return {
+    package: metadata.name,
+    version,
+    publish_iso: publishIso,
+    publish_age_hours: ageHours,
+    latest_version: latestVersion,
+    modified_iso: modifiedIso,
+    package_modified_age_days: modifiedAt ? (Date.now() - modifiedAt) / (1000 * 60 * 60 * 24) : null,
+    maintainer_count: maintainers.length,
+    maintainers,
+  };
+}
+
+/**
+ * Lightweight popularity probe via downloads API. Cached separately.
+ * Returns weekly downloads count or null on failure.
+ */
+export async function fetchWeeklyDownloads(packageName, rootDir = process.cwd(), { useCache = true } = {}) {
+  const key = `dl:${packageName}`;
+  if (useCache) {
+    const cached = cacheGet(rootDir, key);
+    if (cached) return cached;
+  }
+  try {
+    const data = await fetchJson(`https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName).replace('%40', '@')}`);
+    const count = typeof data?.downloads === 'number' ? data.downloads : null;
+    cachePut(rootDir, key, count);
+    return count;
+  } catch {
+    return null;
+  }
+}

package/src/lib/sc-heuristic.mjs

@@ -0,0 +1,263 @@
+import { execSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { parsePackageLockfile, findLockfile, compareVersions } from './sc-scanner.mjs';
+
+const DEFAULT_THRESHOLD = 50;
+const DEFAULT_WEEKLY_DOWNLOADS_MIN = 10000;
+const DEFAULT_RECENT_PUBLISH_HOURS = 72;
+
+// Top-500 popular npm packages (small bundled list for typo-squat detection).
+// Source: npm download counts, December 2025 snapshot. Pruned to common surface.
+// Not exhaustive — typo-squat is one signal of many.
+const POPULAR_PACKAGES = new Set([
+  'react', 'react-dom', 'vue', 'angular', 'svelte', 'next', 'nuxt',
+  'lodash', 'axios', 'express', 'fastify', 'koa', 'hapi',
+  'typescript', 'eslint', 'prettier', 'webpack', 'vite', 'rollup', 'esbuild',
+  'jest', 'mocha', 'vitest', 'playwright', 'cypress', 'puppeteer',
+  'chalk', 'commander', 'yargs', 'inquirer', 'enquirer',
+  'tailwindcss', 'postcss', 'sass', 'less',
+  'tanstack', '@tanstack/react-query', '@tanstack/react-router', '@tanstack/react-table',
+  'redux', '@reduxjs/toolkit', 'zustand', 'jotai', 'recoil',
+  'graphql', 'apollo-client', '@apollo/client', 'urql',
+  'rxjs', 'immer', 'lodash-es', 'date-fns', 'moment', 'dayjs', 'luxon',
+  'cors', 'helmet', 'jsonwebtoken', 'bcrypt', 'argon2',
+  'mongoose', 'prisma', '@prisma/client', 'sequelize', 'typeorm', 'knex',
+  'pg', 'mysql', 'mysql2', 'sqlite3', 'better-sqlite3',
+  'redis', 'ioredis',
+  'dotenv', 'uuid', 'nanoid', 'pino', 'winston', 'debug',
+  'zod', 'yup', 'joi', 'ajv',
+  'sharp', 'jimp', 'multer',
+  'socket.io', 'ws', 'engine.io',
+  'pm2', 'nodemon', 'concurrently', 'cross-env',
+  'firebase', 'firebase-admin', '@supabase/supabase-js',
+  'stripe', '@stripe/stripe-js',
+]);
+
+export function loadHeuristicConfig(rootDir = process.cwd()) {
+  // Read .dw/config/dw.config.yml security.heuristic.* if present.
+  // Cheap inline YAML probe — no js-yaml dep here. Caller may pass overrides.
+  try {
+    const cfgPath = join(rootDir, '.dw/config/dw.config.yml');
+    if (!existsSync(cfgPath)) return defaultConfig();
+    const raw = readFileSync(cfgPath, 'utf-8');
+    const threshold = matchYamlNumber(raw, 'risk_threshold');
+    const weekly = matchYamlNumber(raw, 'weekly_downloads_min');
+    const recent = matchYamlNumber(raw, 'recent_publish_hours');
+    return {
+      risk_threshold: threshold ?? DEFAULT_THRESHOLD,
+      weekly_downloads_min: weekly ?? DEFAULT_WEEKLY_DOWNLOADS_MIN,
+      recent_publish_hours: recent ?? DEFAULT_RECENT_PUBLISH_HOURS,
+    };
+  } catch {
+    return defaultConfig();
+  }
+}
+
+function defaultConfig() {
+  return {
+    risk_threshold: DEFAULT_THRESHOLD,
+    weekly_downloads_min: DEFAULT_WEEKLY_DOWNLOADS_MIN,
+    recent_publish_hours: DEFAULT_RECENT_PUBLISH_HOURS,
+  };
+}
+
+function matchYamlNumber(yamlText, key) {
+  // Scoped inside security.heuristic.*
+  // Avoid full YAML parser dep; brittle but enough for top-level integer keys.
+  const re = new RegExp(`heuristic:[\\s\\S]*?\\b${key}\\s*:\\s*(\\d+)`, 'm');
+  const m = yamlText.match(re);
+  return m ? parseInt(m[1], 10) : null;
+}
+
+/**
+ * List packages introduced or version-bumped since the last committed lockfile.
+ *
+ * Strategy:
+ *   1. If git available and HEAD has a previous lockfile → diff against HEAD
+ *   2. Otherwise → return ALL packages in current lockfile (cold-start path,
+ *      caller can cap how many to actually probe)
+ *
+ * Returns Array<{ name, version, change: 'added' | 'bumped', from?: string }>.
+ */
+export function diffLockfilePackages(rootDir = process.cwd()) {
+  const lockPath = findLockfile(rootDir);
+  if (!lockPath) return [];
+  const currentPkgs = parsePackageLockfile(lockPath);
+
+  let previousPkgs = null;
+  try {
+    // Best-effort: read previous lockfile content from git HEAD
+    const lockRelPath = lockPath.startsWith(rootDir + '\\') || lockPath.startsWith(rootDir + '/')
+      ? lockPath.slice(rootDir.length + 1).replace(/\\/g, '/')
+      : 'package-lock.json';
+    const previousContent = execSync(`git show HEAD:${lockRelPath}`, {
+      cwd: rootDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+    });
+    previousPkgs = parsePackageLockfileContent(previousContent);
+  } catch {
+    // No git, or HEAD has no lockfile → cold start
+    previousPkgs = null;
+  }
+
+  const out = [];
+  if (!previousPkgs) {
+    // Cold start: caller decides how to handle a full lockfile
+    for (const [name, version] of currentPkgs) {
+      out.push({ name, version, change: 'cold-start' });
+    }
+    return out;
+  }
+
+  for (const [name, version] of currentPkgs) {
+    if (!previousPkgs.has(name)) {
+      out.push({ name, version, change: 'added' });
+    } else {
+      const prev = previousPkgs.get(name);
+      if (prev !== version) {
+        out.push({ name, version, change: 'bumped', from: prev });
+      }
+    }
+  }
+  return out;
+}
+
+function parsePackageLockfileContent(content) {
+  const lock = JSON.parse(content);
+  const packages = new Map();
+  if (lock.packages) {
+    for (const [k, v] of Object.entries(lock.packages)) {
+      if (!k || !v?.version) continue;
+      const name = k.startsWith('node_modules/') ? k.slice('node_modules/'.length) : k.split('node_modules/').pop();
+      if (!name || name === '') continue;
+      packages.set(name, v.version);
+    }
+  } else if (lock.dependencies) {
+    function walk(deps) {
+      for (const [n, v] of Object.entries(deps)) {
+        if (v?.version) packages.set(n, v.version);
+        if (v?.dependencies) walk(v.dependencies);
+      }
+    }
+    walk(lock.dependencies);
+  }
+  return packages;
+}
+
+/**
+ * Score one package's signals into a risk number + reason breakdown.
+ *
+ * Returns { score, reasons: [{signal, weight, detail}], blocking: bool }
+ *
+ * Signals (per ADR-0006):
+ *   - very_recent_publish (<24h)        +50
+ *   - recent_publish (<72h)             +30
+ *   - popular_package (downloads≥10k)   +20
+ *   - maintainer_change_recent (<30d)   +40
+ *   - major_version_jump                +15
+ *   - typo_squat (Lev=1 of popular)     +60
+ */
+export function scoreSignals(signals, weeklyDownloads, config = defaultConfig(), context = {}) {
+  if (!signals) return { score: 0, reasons: [] };
+  const reasons = [];
+  let score = 0;
+
+  const age = signals.publish_age_hours;
+  if (age !== null && age !== undefined) {
+    if (age < 24) {
+      score += 50;
+      reasons.push({ signal: 'very_recent_publish', weight: 50, detail: `${age.toFixed(1)}h since publish` });
+    } else if (age < config.recent_publish_hours) {
+      score += 30;
+      reasons.push({ signal: 'recent_publish', weight: 30, detail: `${age.toFixed(1)}h since publish (threshold ${config.recent_publish_hours}h)` });
+    }
+  }
+
+  if (typeof weeklyDownloads === 'number' && weeklyDownloads >= config.weekly_downloads_min) {
+    score += 20;
+    reasons.push({ signal: 'popular_package', weight: 20, detail: `${weeklyDownloads.toLocaleString()} weekly downloads` });
+  }
+
+  // Maintainer-change proxy: package-level "modified" time within 30d
+  if (signals.package_modified_age_days !== null && signals.package_modified_age_days !== undefined) {
+    if (signals.package_modified_age_days < 30) {
+      score += 40;
+      reasons.push({
+        signal: 'maintainer_change_recent',
+        weight: 40,
+        detail: `package modified ${signals.package_modified_age_days.toFixed(1)}d ago — possible maintainer/token change`,
+      });
+    }
+  }
+
+  // Major-version-jump (caller passes context.from from diff)
+  if (context.change === 'bumped' && context.from && signals.version) {
+    try {
+      const fromMajor = parseInt(context.from.match(/\d+/)?.[0] || '0', 10);
+      const toMajor = parseInt(signals.version.match(/\d+/)?.[0] || '0', 10);
+      if (toMajor - fromMajor >= 1) {
+        score += 15;
+        reasons.push({
+          signal: 'major_version_jump',
+          weight: 15,
+          detail: `bumped from ${context.from} to ${signals.version}`,
+        });
+      }
+    } catch {
+      // skip
+    }
+  }
+
+  // Typo-squat detection (offline, bundled popular list)
+  const ts = detectTypoSquat(signals.package);
+  if (ts) {
+    score += 60;
+    reasons.push({ signal: 'typo_squat', weight: 60, detail: `name within Lev=1 of popular "${ts}"` });
+  }
+
+  return { score, reasons };
+}
+
+function detectTypoSquat(name) {
+  if (!name) return null;
+  if (POPULAR_PACKAGES.has(name)) return null;
+  // Strip scope for comparison; typo-squats often target unscoped popular names
+  const bare = name.includes('/') ? name.split('/').pop() : name;
+  for (const pop of POPULAR_PACKAGES) {
+    const popBare = pop.includes('/') ? pop.split('/').pop() : pop;
+    if (Math.abs(bare.length - popBare.length) > 2) continue;
+    if (levenshtein(bare, popBare) === 1) return pop;
+  }
+  return null;
+}
+
+function levenshtein(a, b) {
+  if (a === b) return 0;
+  if (!a.length) return b.length;
+  if (!b.length) return a.length;
+  const prev = new Array(b.length + 1);
+  const curr = new Array(b.length + 1);
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= b.length; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+    }
+    for (let j = 0; j <= b.length; j++) prev[j] = curr[j];
+  }
+  return prev[b.length];
+}
+
+export function formatHeuristicHit(pkg, version, change, scoring) {
+  const lines = [];
+  const tag = scoring.score >= 80 ? '[HIGH-RISK]' : scoring.score >= 50 ? '[REVIEW]' : '[INFO]';
+  const changeLabel = change === 'bumped' ? `bumped to ${version}` : change === 'added' ? `added@${version}` : `${version}`;
+  lines.push(`${tag} ${pkg} ${changeLabel} — risk_score: ${scoring.score}`);
+  for (const r of scoring.reasons) {
+    lines.push(`  · ${r.signal} (+${r.weight}): ${r.detail}`);
+  }
+  return lines.join('\n');
+}

package/src/lib/sc-scanner.mjs

@@ -247,6 +247,17 @@ export function matchPackageByName(packageName, advisories) {
   return hits;
 }
 
+function stripVersionPrefix(v) {
+  if (!v || typeof v !== 'string') return null;
+  const m = v.match(/(\d+\.\d+\.\d+[\w.\-+]*)/);
+  return m ? m[1] : null;
+}
+
+function isRangeSpec(v) {
+  if (!v || typeof v !== 'string') return false;
+  return /^[\^~]|\s|^[<>=]/.test(v.trim());
+}
+
 export function matchNamespaceFixture(packages, fixture) {
   const now = new Date();
   const hits = [];
@@ -254,18 +265,56 @@ export function matchNamespaceFixture(packages, fixture) {
     if (entry.active_until && new Date(entry.active_until) < now) continue;
     if (!entry.pattern) continue;
 
-    for (const [name] of packages) {
-      if (name.startsWith(entry.pattern) || name === entry.pattern) {
-        hits.push({
-          package: name,
-          namespace_pattern: entry.pattern,
-          reason: entry.reason,
-          advisory_url: entry.advisory,
-          active_until: entry.active_until,
-          guidance: entry.guidance,
-          severity: entry.severity || 'high',
-        });
+    for (const [name, version] of packages) {
+      const prefixMatch = name.startsWith(entry.pattern) || name === entry.pattern;
+      if (!prefixMatch) continue;
+
+      // Version-aware gate (per ADR-0006):
+      //   - Concrete version (1.2.3) → strict in-range check; skip on miss (no FP)
+      //   - Range spec (^1.2.3, ~1.2.3, >=1.2.3) → ambiguity flag with downgrade
+      //     (resolve-on-install could land in affected range; warn but don't block)
+      //   - No affected_range → prefix-only, severity downgraded one tier
+      let versionCheck = 'no-range';
+      let severity = entry.severity || 'high';
+      if (entry.affected_range && version) {
+        const concrete = stripVersionPrefix(version);
+        if (concrete && !isRangeSpec(version)) {
+          if (versionInRange(concrete, entry.affected_range)) {
+            versionCheck = 'in-range';
+          } else {
+            continue;
+          }
+        } else if (concrete && isRangeSpec(version)) {
+          // package.json range — we don't know which version will resolve.
+          // Be cautious: flag with downgrade unless the range's lower bound is
+          // already beyond the fixed version (then certainly safe).
+          const fixedEvent = (entry.affected_range.events || []).find((e) => e.fixed);
+          if (fixedEvent && compareVersions(concrete, fixedEvent.fixed) >= 0) {
+            continue;
+          }
+          versionCheck = 'range-ambiguous';
+          if (severity === 'critical') severity = 'high';
+        } else {
+          versionCheck = 'unresolvable-range';
+          if (severity === 'critical') severity = 'high';
+          else if (severity === 'high') severity = 'medium';
+        }
+      } else if (!entry.affected_range) {
+        versionCheck = 'prefix-only';
+        if (severity === 'critical') severity = 'high';
       }
+
+      hits.push({
+        package: name,
+        version: version || null,
+        namespace_pattern: entry.pattern,
+        reason: entry.reason,
+        advisory_url: entry.advisory,
+        active_until: entry.active_until,
+        guidance: entry.guidance,
+        severity,
+        version_check: versionCheck,
+      });
     }
   }
   return hits;

package/src/lib/sc-sync.mjs

@@ -10,6 +10,13 @@ const OSV_BATCH_ENDPOINT = 'https://api.osv.dev/v1/querybatch';
 const STALE_DAYS_DEFAULT = 7;
 const FETCH_TIMEOUT_MS = 15000;
 
+// OSV.dev /v1/querybatch hard cap is 1000 entries per request.
+// Concurrency=2 + jittered backoff keeps us polite to a public free-tier API.
+const OSV_BATCH_LIMIT = 1000;
+const OSV_BATCH_CONCURRENCY = 2;
+const OSV_BATCH_RETRY_MAX = 3;
+const OSV_BATCH_RETRY_BASE_MS = 500;
+
 export function snapshotPath(rootDir = process.cwd()) {
   return join(rootDir, SECURITY_DIR, SNAPSHOT_FILE);
 }
@@ -70,13 +77,49 @@ export async function fetchOsvBatch(queries, { timeoutMs = FETCH_TIMEOUT_MS } =
       body: JSON.stringify({ queries }),
       signal: controller.signal,
     });
-    if (!res.ok) throw new Error(`OSV batch HTTP ${res.status}`);
+    if (!res.ok) {
+      const err = new Error(`OSV batch HTTP ${res.status}`);
+      err.status = res.status;
+      err.retryable = res.status === 429 || res.status === 503 || res.status === 502 || res.status === 504;
+      throw err;
+    }
     return await res.json();
   } finally {
     clearTimeout(timer);
   }
 }
 
+function chunkArray(arr, size) {
+  const out = [];
+  for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
+  return out;
+}
+
+async function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function fetchOsvBatchWithRetry(queries, chunkIndex, { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  let lastErr;
+  for (let attempt = 0; attempt < OSV_BATCH_RETRY_MAX; attempt++) {
+    try {
+      return await fetchOsvBatch(queries, { timeoutMs });
+    } catch (e) {
+      lastErr = e;
+      if (!e.retryable || attempt === OSV_BATCH_RETRY_MAX - 1) break;
+      const jitter = Math.floor(Math.random() * 200);
+      const delay = OSV_BATCH_RETRY_BASE_MS * Math.pow(2, attempt) + jitter;
+      await sleep(delay);
+    }
+  }
+  // Wrap with chunk diagnostics for the synthesis layer
+  const wrapped = new Error(`OSV batch chunk ${chunkIndex} failed: ${lastErr.message}`);
+  wrapped.cause = lastErr;
+  wrapped.chunkIndex = chunkIndex;
+  wrapped.retryable = lastErr.retryable;
+  throw wrapped;
+}
+
 export async function fetchOsvByName(packageName, ecosystem = 'npm', { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -125,19 +168,48 @@ export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosyste
   if (queries.length === 0) {
     const empty = buildEmptySnapshot(ecosystem);
     saveSnapshot(empty, rootDir);
-    return { snapshot: empty, advisoryCount: 0, packageCount: 0 };
+    return { snapshot: empty, advisoryCount: 0, packageCount: 0, partial: false, chunks: { total: 0, succeeded: 0, failed: 0 } };
+  }
+
+  const chunks = chunkArray(queries, OSV_BATCH_LIMIT);
+  const chunkOutcomes = [];
+  // Process with bounded concurrency. allSettled so a single chunk failure
+  // does not discard sibling successes — critical for fail-soft behavior.
+  for (let i = 0; i < chunks.length; i += OSV_BATCH_CONCURRENCY) {
+    const slice = chunks.slice(i, i + OSV_BATCH_CONCURRENCY);
+    const settled = await Promise.allSettled(
+      slice.map((chunk, j) => fetchOsvBatchWithRetry(chunk, i + j))
+    );
+    for (let j = 0; j < settled.length; j++) {
+      chunkOutcomes.push({ index: i + j, ...settled[j] });
+    }
   }
 
-  const batchResults = await fetchOsvBatch(queries);
   const vulnIds = new Set();
-  if (batchResults && Array.isArray(batchResults.results)) {
-    for (const r of batchResults.results) {
-      if (r && Array.isArray(r.vulns)) {
-        for (const v of r.vulns) if (v.id) vulnIds.add(v.id);
+  const failedChunks = [];
+  for (const outcome of chunkOutcomes) {
+    if (outcome.status === 'fulfilled') {
+      const batchResults = outcome.value;
+      if (batchResults && Array.isArray(batchResults.results)) {
+        for (const r of batchResults.results) {
+          if (r && Array.isArray(r.vulns)) {
+            for (const v of r.vulns) if (v.id) vulnIds.add(v.id);
+          }
+        }
       }
+    } else {
+      failedChunks.push({ index: outcome.index, message: outcome.reason?.message || String(outcome.reason) });
     }
   }
 
+  // Hard fail only when ALL chunks failed — otherwise emit partial snapshot.
+  if (failedChunks.length === chunkOutcomes.length) {
+    const err = new Error(`All ${chunkOutcomes.length} OSV batch chunk(s) failed; first: ${failedChunks[0].message}`);
+    err.code = 'SYNC_ALL_CHUNKS_FAILED';
+    err.failedChunks = failedChunks;
+    throw err;
+  }
+
   const advisories = [];
   for (const id of vulnIds) {
     try {
@@ -148,6 +220,7 @@ export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosyste
     }
   }
 
+  const partial = failedChunks.length > 0;
   const snapshot = {
     schema_version: SCHEMA_VERSION,
     fetched_at: new Date().toISOString(),
@@ -156,10 +229,23 @@ export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosyste
     package_count: queryIndex.length,
     advisory_count: advisories.length,
     advisories,
+    partial,
+    chunks: {
+      total: chunkOutcomes.length,
+      succeeded: chunkOutcomes.length - failedChunks.length,
+      failed: failedChunks.length,
+      failed_indices: failedChunks.map((c) => c.index),
+    },
   };
 
   saveSnapshot(snapshot, rootDir);
-  return { snapshot, advisoryCount: advisories.length, packageCount: queryIndex.length };
+  return {
+    snapshot,
+    advisoryCount: advisories.length,
+    packageCount: queryIndex.length,
+    partial,
+    chunks: snapshot.chunks,
+  };
 }
 
 function buildEmptySnapshot(ecosystem) {
@@ -171,6 +257,8 @@ function buildEmptySnapshot(ecosystem) {
     package_count: 0,
     advisory_count: 0,
     advisories: [],
+    partial: false,
+    chunks: { total: 0, succeeded: 0, failed: 0, failed_indices: [] },
   };
 }
 
@@ -194,5 +282,7 @@ export function snapshotInfo(rootDir = process.cwd()) {
     age_days: snap ? snapshotAgeDays(snap) : Infinity,
     stale: snap ? isStale(snap) : true,
     schema_compatible: isSchemaCompatible(snap),
+    partial: snap?.partial === true,
+    chunks: snap?.chunks || null,
   };
 }