dw-kit 1.3.5 → 1.4.0

package/src/lib/review/scope-slug.mjs

@@ -0,0 +1,68 @@
+/**
+ * Sanitize an arbitrary scope string (branch name, task name, free-form label)
+ * into a filesystem-safe directory slug usable on Windows + POSIX.
+ *
+ * Rules:
+ *   - Strip filesystem-illegal chars on Windows (NTFS): / \ : * ? " < > |
+ *   - Collapse whitespace + control chars to single dash
+ *   - Collapse runs of dashes/underscores/dots
+ *   - Trim leading/trailing dashes, underscores, dots
+ *   - Forbid reserved Windows device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9)
+ *     by prefixing with `_` if matched
+ *   - Cap length at maxLength (default 80)
+ *   - Lowercase optional (default keeps case; renderer config can opt-in)
+ *
+ * Examples:
+ *   "fix/sc-guard-v1.3.6"     → "fix-sc-guard-v1.3.6"
+ *   "feat: thêm tính năng"     → "feat-thêm-tính-năng" (Unicode preserved)
+ *   "  multiple   spaces  "    → "multiple-spaces"
+ *   "CON"                      → "_CON"
+ *   "../../etc/passwd"         → "etc-passwd"
+ *
+ * @param {string} scope - raw scope string
+ * @param {{maxLength?: number, lowercase?: boolean}} [opts]
+ * @returns {string} sanitized slug
+ * @throws {Error} if input is empty after sanitization
+ */
+export function scopeSlug(scope, opts = {}) {
+  const { maxLength = 80, lowercase = false } = opts;
+
+  if (typeof scope !== 'string') {
+    throw new Error('scope must be a string');
+  }
+
+  let s = scope;
+
+  // Strip Windows-illegal chars + control chars (0x00-0x1F, 0x7F).
+  s = s.replace(/[\\/:*?"<>|\x00-\x1F\x7F]+/g, '-');
+
+  // Strip path traversal segments.
+  s = s.replace(/\.\.+/g, '-');
+
+  // Collapse whitespace runs to single dash.
+  s = s.replace(/\s+/g, '-');
+
+  // Collapse runs of separators (dash/underscore/dot) — keep one.
+  s = s.replace(/[-_.]{2,}/g, (m) => m[0]);
+
+  // Trim leading/trailing separators.
+  s = s.replace(/^[-_.]+|[-_.]+$/g, '');
+
+  if (lowercase) s = s.toLowerCase();
+
+  // Reserved Windows device names (case-insensitive).
+  if (/^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i.test(s)) {
+    s = `_${s}`;
+  }
+
+  // Cap length.
+  if (s.length > maxLength) {
+    s = s.slice(0, maxLength).replace(/[-_.]+$/g, '');
+  }
+
+  if (s.length === 0) {
+    throw new Error('scope sanitization produced empty slug — provide a non-empty alphanumeric scope');
+  }
+
+  return s;
+}

package/src/lib/sc-heuristic.mjs

@@ -0,0 +1,263 @@
+import { execSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { parsePackageLockfile, findLockfile, compareVersions } from './sc-scanner.mjs';
+
+const DEFAULT_THRESHOLD = 50;
+const DEFAULT_WEEKLY_DOWNLOADS_MIN = 10000;
+const DEFAULT_RECENT_PUBLISH_HOURS = 72;
+
+// Top-500 popular npm packages (small bundled list for typo-squat detection).
+// Source: npm download counts, December 2025 snapshot. Pruned to common surface.
+// Not exhaustive — typo-squat is one signal of many.
+const POPULAR_PACKAGES = new Set([
+  'react', 'react-dom', 'vue', 'angular', 'svelte', 'next', 'nuxt',
+  'lodash', 'axios', 'express', 'fastify', 'koa', 'hapi',
+  'typescript', 'eslint', 'prettier', 'webpack', 'vite', 'rollup', 'esbuild',
+  'jest', 'mocha', 'vitest', 'playwright', 'cypress', 'puppeteer',
+  'chalk', 'commander', 'yargs', 'inquirer', 'enquirer',
+  'tailwindcss', 'postcss', 'sass', 'less',
+  'tanstack', '@tanstack/react-query', '@tanstack/react-router', '@tanstack/react-table',
+  'redux', '@reduxjs/toolkit', 'zustand', 'jotai', 'recoil',
+  'graphql', 'apollo-client', '@apollo/client', 'urql',
+  'rxjs', 'immer', 'lodash-es', 'date-fns', 'moment', 'dayjs', 'luxon',
+  'cors', 'helmet', 'jsonwebtoken', 'bcrypt', 'argon2',
+  'mongoose', 'prisma', '@prisma/client', 'sequelize', 'typeorm', 'knex',
+  'pg', 'mysql', 'mysql2', 'sqlite3', 'better-sqlite3',
+  'redis', 'ioredis',
+  'dotenv', 'uuid', 'nanoid', 'pino', 'winston', 'debug',
+  'zod', 'yup', 'joi', 'ajv',
+  'sharp', 'jimp', 'multer',
+  'socket.io', 'ws', 'engine.io',
+  'pm2', 'nodemon', 'concurrently', 'cross-env',
+  'firebase', 'firebase-admin', '@supabase/supabase-js',
+  'stripe', '@stripe/stripe-js',
+]);
+
+export function loadHeuristicConfig(rootDir = process.cwd()) {
+  // Read .dw/config/dw.config.yml security.heuristic.* if present.
+  // Cheap inline YAML probe — no js-yaml dep here. Caller may pass overrides.
+  try {
+    const cfgPath = join(rootDir, '.dw/config/dw.config.yml');
+    if (!existsSync(cfgPath)) return defaultConfig();
+    const raw = readFileSync(cfgPath, 'utf-8');
+    const threshold = matchYamlNumber(raw, 'risk_threshold');
+    const weekly = matchYamlNumber(raw, 'weekly_downloads_min');
+    const recent = matchYamlNumber(raw, 'recent_publish_hours');
+    return {
+      risk_threshold: threshold ?? DEFAULT_THRESHOLD,
+      weekly_downloads_min: weekly ?? DEFAULT_WEEKLY_DOWNLOADS_MIN,
+      recent_publish_hours: recent ?? DEFAULT_RECENT_PUBLISH_HOURS,
+    };
+  } catch {
+    return defaultConfig();
+  }
+}
+
+function defaultConfig() {
+  return {
+    risk_threshold: DEFAULT_THRESHOLD,
+    weekly_downloads_min: DEFAULT_WEEKLY_DOWNLOADS_MIN,
+    recent_publish_hours: DEFAULT_RECENT_PUBLISH_HOURS,
+  };
+}
+
+function matchYamlNumber(yamlText, key) {
+  // Scoped inside security.heuristic.*
+  // Avoid full YAML parser dep; brittle but enough for top-level integer keys.
+  const re = new RegExp(`heuristic:[\\s\\S]*?\\b${key}\\s*:\\s*(\\d+)`, 'm');
+  const m = yamlText.match(re);
+  return m ? parseInt(m[1], 10) : null;
+}
+
+/**
+ * List packages introduced or version-bumped since the last committed lockfile.
+ *
+ * Strategy:
+ *   1. If git available and HEAD has a previous lockfile → diff against HEAD
+ *   2. Otherwise → return ALL packages in current lockfile (cold-start path,
+ *      caller can cap how many to actually probe)
+ *
+ * Returns Array<{ name, version, change: 'added' | 'bumped', from?: string }>.
+ */
+export function diffLockfilePackages(rootDir = process.cwd()) {
+  const lockPath = findLockfile(rootDir);
+  if (!lockPath) return [];
+  const currentPkgs = parsePackageLockfile(lockPath);
+
+  let previousPkgs = null;
+  try {
+    // Best-effort: read previous lockfile content from git HEAD
+    const lockRelPath = lockPath.startsWith(rootDir + '\\') || lockPath.startsWith(rootDir + '/')
+      ? lockPath.slice(rootDir.length + 1).replace(/\\/g, '/')
+      : 'package-lock.json';
+    const previousContent = execSync(`git show HEAD:${lockRelPath}`, {
+      cwd: rootDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+    });
+    previousPkgs = parsePackageLockfileContent(previousContent);
+  } catch {
+    // No git, or HEAD has no lockfile → cold start
+    previousPkgs = null;
+  }
+
+  const out = [];
+  if (!previousPkgs) {
+    // Cold start: caller decides how to handle a full lockfile
+    for (const [name, version] of currentPkgs) {
+      out.push({ name, version, change: 'cold-start' });
+    }
+    return out;
+  }
+
+  for (const [name, version] of currentPkgs) {
+    if (!previousPkgs.has(name)) {
+      out.push({ name, version, change: 'added' });
+    } else {
+      const prev = previousPkgs.get(name);
+      if (prev !== version) {
+        out.push({ name, version, change: 'bumped', from: prev });
+      }
+    }
+  }
+  return out;
+}
+
+function parsePackageLockfileContent(content) {
+  const lock = JSON.parse(content);
+  const packages = new Map();
+  if (lock.packages) {
+    for (const [k, v] of Object.entries(lock.packages)) {
+      if (!k || !v?.version) continue;
+      const name = k.startsWith('node_modules/') ? k.slice('node_modules/'.length) : k.split('node_modules/').pop();
+      if (!name || name === '') continue;
+      packages.set(name, v.version);
+    }
+  } else if (lock.dependencies) {
+    function walk(deps) {
+      for (const [n, v] of Object.entries(deps)) {
+        if (v?.version) packages.set(n, v.version);
+        if (v?.dependencies) walk(v.dependencies);
+      }
+    }
+    walk(lock.dependencies);
+  }
+  return packages;
+}
+
+/**
+ * Score one package's signals into a risk number + reason breakdown.
+ *
+ * Returns { score, reasons: [{signal, weight, detail}], blocking: bool }
+ *
+ * Signals (per ADR-0006):
+ *   - very_recent_publish (<24h)        +50
+ *   - recent_publish (<72h)             +30
+ *   - popular_package (downloads≥10k)   +20
+ *   - maintainer_change_recent (<30d)   +40
+ *   - major_version_jump                +15
+ *   - typo_squat (Lev=1 of popular)     +60
+ */
+export function scoreSignals(signals, weeklyDownloads, config = defaultConfig(), context = {}) {
+  if (!signals) return { score: 0, reasons: [] };
+  const reasons = [];
+  let score = 0;
+
+  const age = signals.publish_age_hours;
+  if (age !== null && age !== undefined) {
+    if (age < 24) {
+      score += 50;
+      reasons.push({ signal: 'very_recent_publish', weight: 50, detail: `${age.toFixed(1)}h since publish` });
+    } else if (age < config.recent_publish_hours) {
+      score += 30;
+      reasons.push({ signal: 'recent_publish', weight: 30, detail: `${age.toFixed(1)}h since publish (threshold ${config.recent_publish_hours}h)` });
+    }
+  }
+
+  if (typeof weeklyDownloads === 'number' && weeklyDownloads >= config.weekly_downloads_min) {
+    score += 20;
+    reasons.push({ signal: 'popular_package', weight: 20, detail: `${weeklyDownloads.toLocaleString()} weekly downloads` });
+  }
+
+  // Maintainer-change proxy: package-level "modified" time within 30d
+  if (signals.package_modified_age_days !== null && signals.package_modified_age_days !== undefined) {
+    if (signals.package_modified_age_days < 30) {
+      score += 40;
+      reasons.push({
+        signal: 'maintainer_change_recent',
+        weight: 40,
+        detail: `package modified ${signals.package_modified_age_days.toFixed(1)}d ago — possible maintainer/token change`,
+      });
+    }
+  }
+
+  // Major-version-jump (caller passes context.from from diff)
+  if (context.change === 'bumped' && context.from && signals.version) {
+    try {
+      const fromMajor = parseInt(context.from.match(/\d+/)?.[0] || '0', 10);
+      const toMajor = parseInt(signals.version.match(/\d+/)?.[0] || '0', 10);
+      if (toMajor - fromMajor >= 1) {
+        score += 15;
+        reasons.push({
+          signal: 'major_version_jump',
+          weight: 15,
+          detail: `bumped from ${context.from} to ${signals.version}`,
+        });
+      }
+    } catch {
+      // skip
+    }
+  }
+
+  // Typo-squat detection (offline, bundled popular list)
+  const ts = detectTypoSquat(signals.package);
+  if (ts) {
+    score += 60;
+    reasons.push({ signal: 'typo_squat', weight: 60, detail: `name within Lev=1 of popular "${ts}"` });
+  }
+
+  return { score, reasons };
+}
+
+function detectTypoSquat(name) {
+  if (!name) return null;
+  if (POPULAR_PACKAGES.has(name)) return null;
+  // Strip scope for comparison; typo-squats often target unscoped popular names
+  const bare = name.includes('/') ? name.split('/').pop() : name;
+  for (const pop of POPULAR_PACKAGES) {
+    const popBare = pop.includes('/') ? pop.split('/').pop() : pop;
+    if (Math.abs(bare.length - popBare.length) > 2) continue;
+    if (levenshtein(bare, popBare) === 1) return pop;
+  }
+  return null;
+}
+
+function levenshtein(a, b) {
+  if (a === b) return 0;
+  if (!a.length) return b.length;
+  if (!b.length) return a.length;
+  const prev = new Array(b.length + 1);
+  const curr = new Array(b.length + 1);
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= b.length; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+    }
+    for (let j = 0; j <= b.length; j++) prev[j] = curr[j];
+  }
+  return prev[b.length];
+}
+
+export function formatHeuristicHit(pkg, version, change, scoring) {
+  const lines = [];
+  const tag = scoring.score >= 80 ? '[HIGH-RISK]' : scoring.score >= 50 ? '[REVIEW]' : '[INFO]';
+  const changeLabel = change === 'bumped' ? `bumped to ${version}` : change === 'added' ? `added@${version}` : `${version}`;
+  lines.push(`${tag} ${pkg} ${changeLabel} — risk_score: ${scoring.score}`);
+  for (const r of scoring.reasons) {
+    lines.push(`  · ${r.signal} (+${r.weight}): ${r.detail}`);
+  }
+  return lines.join('\n');
+}

package/src/lib/sc-scanner.mjs

@@ -247,6 +247,17 @@ export function matchPackageByName(packageName, advisories) {
   return hits;
 }
 
+function stripVersionPrefix(v) {
+  if (!v || typeof v !== 'string') return null;
+  const m = v.match(/(\d+\.\d+\.\d+[\w.\-+]*)/);
+  return m ? m[1] : null;
+}
+
+function isRangeSpec(v) {
+  if (!v || typeof v !== 'string') return false;
+  return /^[\^~]|\s|^[<>=]/.test(v.trim());
+}
+
 export function matchNamespaceFixture(packages, fixture) {
   const now = new Date();
   const hits = [];
@@ -254,18 +265,56 @@ export function matchNamespaceFixture(packages, fixture) {
     if (entry.active_until && new Date(entry.active_until) < now) continue;
     if (!entry.pattern) continue;
 
-    for (const [name] of packages) {
-      if (name.startsWith(entry.pattern) || name === entry.pattern) {
-        hits.push({
-          package: name,
-          namespace_pattern: entry.pattern,
-          reason: entry.reason,
-          advisory_url: entry.advisory,
-          active_until: entry.active_until,
-          guidance: entry.guidance,
-          severity: entry.severity || 'high',
-        });
+    for (const [name, version] of packages) {
+      const prefixMatch = name.startsWith(entry.pattern) || name === entry.pattern;
+      if (!prefixMatch) continue;
+
+      // Version-aware gate (per ADR-0006):
+      //   - Concrete version (1.2.3) → strict in-range check; skip on miss (no FP)
+      //   - Range spec (^1.2.3, ~1.2.3, >=1.2.3) → ambiguity flag with downgrade
+      //     (resolve-on-install could land in affected range; warn but don't block)
+      //   - No affected_range → prefix-only, severity downgraded one tier
+      let versionCheck = 'no-range';
+      let severity = entry.severity || 'high';
+      if (entry.affected_range && version) {
+        const concrete = stripVersionPrefix(version);
+        if (concrete && !isRangeSpec(version)) {
+          if (versionInRange(concrete, entry.affected_range)) {
+            versionCheck = 'in-range';
+          } else {
+            continue;
+          }
+        } else if (concrete && isRangeSpec(version)) {
+          // package.json range — we don't know which version will resolve.
+          // Be cautious: flag with downgrade unless the range's lower bound is
+          // already beyond the fixed version (then certainly safe).
+          const fixedEvent = (entry.affected_range.events || []).find((e) => e.fixed);
+          if (fixedEvent && compareVersions(concrete, fixedEvent.fixed) >= 0) {
+            continue;
+          }
+          versionCheck = 'range-ambiguous';
+          if (severity === 'critical') severity = 'high';
+        } else {
+          versionCheck = 'unresolvable-range';
+          if (severity === 'critical') severity = 'high';
+          else if (severity === 'high') severity = 'medium';
+        }
+      } else if (!entry.affected_range) {
+        versionCheck = 'prefix-only';
+        if (severity === 'critical') severity = 'high';
       }
+
+      hits.push({
+        package: name,
+        version: version || null,
+        namespace_pattern: entry.pattern,
+        reason: entry.reason,
+        advisory_url: entry.advisory,
+        active_until: entry.active_until,
+        guidance: entry.guidance,
+        severity,
+        version_check: versionCheck,
+      });
     }
   }
   return hits;

package/src/lib/sc-sync.mjs

@@ -10,6 +10,13 @@ const OSV_BATCH_ENDPOINT = 'https://api.osv.dev/v1/querybatch';
 const STALE_DAYS_DEFAULT = 7;
 const FETCH_TIMEOUT_MS = 15000;
 
+// OSV.dev /v1/querybatch hard cap is 1000 entries per request.
+// Concurrency=2 + jittered backoff keeps us polite to a public free-tier API.
+const OSV_BATCH_LIMIT = 1000;
+const OSV_BATCH_CONCURRENCY = 2;
+const OSV_BATCH_RETRY_MAX = 3;
+const OSV_BATCH_RETRY_BASE_MS = 500;
+
 export function snapshotPath(rootDir = process.cwd()) {
   return join(rootDir, SECURITY_DIR, SNAPSHOT_FILE);
 }
@@ -70,13 +77,49 @@ export async function fetchOsvBatch(queries, { timeoutMs = FETCH_TIMEOUT_MS } =
       body: JSON.stringify({ queries }),
       signal: controller.signal,
     });
-    if (!res.ok) throw new Error(`OSV batch HTTP ${res.status}`);
+    if (!res.ok) {
+      const err = new Error(`OSV batch HTTP ${res.status}`);
+      err.status = res.status;
+      err.retryable = res.status === 429 || res.status === 503 || res.status === 502 || res.status === 504;
+      throw err;
+    }
     return await res.json();
   } finally {
     clearTimeout(timer);
   }
 }
 
+function chunkArray(arr, size) {
+  const out = [];
+  for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
+  return out;
+}
+
+async function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function fetchOsvBatchWithRetry(queries, chunkIndex, { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
+  let lastErr;
+  for (let attempt = 0; attempt < OSV_BATCH_RETRY_MAX; attempt++) {
+    try {
+      return await fetchOsvBatch(queries, { timeoutMs });
+    } catch (e) {
+      lastErr = e;
+      if (!e.retryable || attempt === OSV_BATCH_RETRY_MAX - 1) break;
+      const jitter = Math.floor(Math.random() * 200);
+      const delay = OSV_BATCH_RETRY_BASE_MS * Math.pow(2, attempt) + jitter;
+      await sleep(delay);
+    }
+  }
+  // Wrap with chunk diagnostics for the synthesis layer
+  const wrapped = new Error(`OSV batch chunk ${chunkIndex} failed: ${lastErr.message}`);
+  wrapped.cause = lastErr;
+  wrapped.chunkIndex = chunkIndex;
+  wrapped.retryable = lastErr.retryable;
+  throw wrapped;
+}
+
 export async function fetchOsvByName(packageName, ecosystem = 'npm', { timeoutMs = FETCH_TIMEOUT_MS } = {}) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
@@ -125,19 +168,48 @@ export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosyste
   if (queries.length === 0) {
     const empty = buildEmptySnapshot(ecosystem);
     saveSnapshot(empty, rootDir);
-    return { snapshot: empty, advisoryCount: 0, packageCount: 0 };
+    return { snapshot: empty, advisoryCount: 0, packageCount: 0, partial: false, chunks: { total: 0, succeeded: 0, failed: 0 } };
+  }
+
+  const chunks = chunkArray(queries, OSV_BATCH_LIMIT);
+  const chunkOutcomes = [];
+  // Process with bounded concurrency. allSettled so a single chunk failure
+  // does not discard sibling successes — critical for fail-soft behavior.
+  for (let i = 0; i < chunks.length; i += OSV_BATCH_CONCURRENCY) {
+    const slice = chunks.slice(i, i + OSV_BATCH_CONCURRENCY);
+    const settled = await Promise.allSettled(
+      slice.map((chunk, j) => fetchOsvBatchWithRetry(chunk, i + j))
+    );
+    for (let j = 0; j < settled.length; j++) {
+      chunkOutcomes.push({ index: i + j, ...settled[j] });
+    }
   }
 
-  const batchResults = await fetchOsvBatch(queries);
   const vulnIds = new Set();
-  if (batchResults && Array.isArray(batchResults.results)) {
-    for (const r of batchResults.results) {
-      if (r && Array.isArray(r.vulns)) {
-        for (const v of r.vulns) if (v.id) vulnIds.add(v.id);
+  const failedChunks = [];
+  for (const outcome of chunkOutcomes) {
+    if (outcome.status === 'fulfilled') {
+      const batchResults = outcome.value;
+      if (batchResults && Array.isArray(batchResults.results)) {
+        for (const r of batchResults.results) {
+          if (r && Array.isArray(r.vulns)) {
+            for (const v of r.vulns) if (v.id) vulnIds.add(v.id);
+          }
+        }
       }
+    } else {
+      failedChunks.push({ index: outcome.index, message: outcome.reason?.message || String(outcome.reason) });
     }
   }
 
+  // Hard fail only when ALL chunks failed — otherwise emit partial snapshot.
+  if (failedChunks.length === chunkOutcomes.length) {
+    const err = new Error(`All ${chunkOutcomes.length} OSV batch chunk(s) failed; first: ${failedChunks[0].message}`);
+    err.code = 'SYNC_ALL_CHUNKS_FAILED';
+    err.failedChunks = failedChunks;
+    throw err;
+  }
+
   const advisories = [];
   for (const id of vulnIds) {
     try {
@@ -148,6 +220,7 @@ export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosyste
     }
   }
 
+  const partial = failedChunks.length > 0;
   const snapshot = {
     schema_version: SCHEMA_VERSION,
     fetched_at: new Date().toISOString(),
@@ -156,10 +229,23 @@ export async function syncSnapshotForProject(rootDir = process.cwd(), { ecosyste
     package_count: queryIndex.length,
     advisory_count: advisories.length,
     advisories,
+    partial,
+    chunks: {
+      total: chunkOutcomes.length,
+      succeeded: chunkOutcomes.length - failedChunks.length,
+      failed: failedChunks.length,
+      failed_indices: failedChunks.map((c) => c.index),
+    },
   };
 
   saveSnapshot(snapshot, rootDir);
-  return { snapshot, advisoryCount: advisories.length, packageCount: queryIndex.length };
+  return {
+    snapshot,
+    advisoryCount: advisories.length,
+    packageCount: queryIndex.length,
+    partial,
+    chunks: snapshot.chunks,
+  };
 }
 
 function buildEmptySnapshot(ecosystem) {
@@ -171,6 +257,8 @@ function buildEmptySnapshot(ecosystem) {
     package_count: 0,
     advisory_count: 0,
     advisories: [],
+    partial: false,
+    chunks: { total: 0, succeeded: 0, failed: 0, failed_indices: [] },
   };
 }
 
@@ -194,5 +282,7 @@ export function snapshotInfo(rootDir = process.cwd()) {
     age_days: snap ? snapshotAgeDays(snap) : Infinity,
     stale: snap ? isStale(snap) : true,
     schema_compatible: isSchemaCompatible(snap),
+    partial: snap?.partial === true,
+    chunks: snap?.chunks || null,
   };
 }

package/src/lib/telemetry.mjs

@@ -63,6 +63,11 @@ export function summarize(events) {
   const byHook = {};
   const byTask = {};
   const bySupplyChain = { scan_run: 0, block: 0, allow: 0, sync: 0 };
+  // ADR-0005 sunset review: separate OSV catches from fixture catches.
+  // A catch from a curated namespace fixture is NOT evidence the OSV-based
+  // guard worked; conflating them would compromise the 2026-08-12 retire/keep decision.
+  const supplyChainBySource = { osv: 0, fixture: 0, mixed: 0, unknown: 0 };
+  const supplyChainPartial = { partial_syncs: 0, partial_scans: 0 };
 
   for (const e of events) {
     if (e.event === 'skill') bySkill[e.name] = (bySkill[e.name] || 0) + 1;
@@ -72,6 +77,19 @@ export function summarize(events) {
       const action = e.action || e.name || 'scan_run';
       if (bySupplyChain[action] === undefined) bySupplyChain[action] = 0;
       bySupplyChain[action]++;
+
+      // Track block/allow source for sunset-review integrity.
+      // Pre-install mode reports block_source explicitly (fixture vs osv vs mixed).
+      // Scan/JSON/update-db modes report source=osv directly.
+      if (action === 'block' || action === 'allow') {
+        const src = e.block_source || e.source || 'unknown';
+        const key = src === 'pre-install-mixed' ? 'mixed' : src.startsWith('fixture+') ? 'mixed' : src;
+        if (supplyChainBySource[key] === undefined) supplyChainBySource[key] = 0;
+        supplyChainBySource[key]++;
+      }
+
+      if (action === 'sync' && e.partial === true) supplyChainPartial.partial_syncs++;
+      if (action === 'scan_run' && e.partial_snapshot === true) supplyChainPartial.partial_scans++;
     }
   }
 
@@ -81,6 +99,8 @@ export function summarize(events) {
     byHook,
     byTask,
     bySupplyChain,
+    supplyChainBySource,
+    supplyChainPartial,
     dateRange:
       events.length > 0 ? { from: events[0].ts, to: events[events.length - 1].ts } : null,
   };