projscan 4.4.0 → 4.6.0

package/dist/core/reviewState.js

@@ -0,0 +1,96 @@
+import { buildNoChangeReviewReport } from './reviewNoChanges.js';
+import { isGitRepository, isWorktreeClean, pickDefaultBase, resolveSha } from './reviewRefs.js';
+export async function resolveReviewState(rootPath, options = {}) {
+    const unavailable = await repositoryUnavailableState(rootPath, options);
+    if (unavailable)
+        return unavailable;
+    const refs = await resolveReviewRefs(rootPath, options);
+    const ready = requireResolvedRefs(refs, options);
+    if (ready.kind !== 'ready')
+        return ready;
+    const noChange = await noChangeReviewState(rootPath, ready);
+    if (noChange)
+        return noChange;
+    return ready;
+}
+async function repositoryUnavailableState(rootPath, options) {
+    if (await isGitRepository(rootPath))
+        return undefined;
+    return {
+        kind: 'unavailable',
+        report: unavailableReviewReport('Not a git repository - PR review requires git history.', options),
+    };
+}
+async function resolveReviewRefs(rootPath, options) {
+    const headRef = options.head ?? 'HEAD';
+    const baseRef = options.base ?? (await pickDefaultBase(rootPath));
+    return {
+        headRef,
+        baseRef,
+        headSha: await resolveSha(rootPath, headRef),
+        baseSha: await resolveSha(rootPath, baseRef),
+    };
+}
+function requireResolvedRefs(refs, options) {
+    if (!refs.baseSha) {
+        return {
+            kind: 'unavailable',
+            report: unavailableReviewReport(`Could not resolve base ref "${refs.baseRef}".`, options, refs.baseRef, refs.headRef, refs.headSha),
+        };
+    }
+    if (!refs.headSha) {
+        return {
+            kind: 'unavailable',
+            report: unavailableReviewReport(`Could not resolve head ref "${refs.headRef}".`, options, refs.baseRef, refs.headRef, null, refs.baseSha),
+        };
+    }
+    return {
+        kind: 'ready',
+        baseRef: refs.baseRef,
+        baseSha: refs.baseSha,
+        headRef: refs.headRef,
+        headSha: refs.headSha,
+    };
+}
+async function noChangeReviewState(rootPath, refs) {
+    if (refs.headSha !== refs.baseSha)
+        return undefined;
+    if (!(await isWorktreeClean(rootPath)))
+        return undefined;
+    return {
+        kind: 'no-change',
+        report: buildNoChangeReviewReport({
+            baseRef: refs.baseRef,
+            baseSha: refs.baseSha,
+            headRef: refs.headRef,
+            headSha: refs.headSha,
+        }),
+    };
+}
+export function unavailableReviewReport(reason, options, baseRef = options.base ?? '', headRef = options.head ?? 'HEAD', headSha = null, baseSha = null) {
+    return {
+        available: false,
+        reason,
+        base: { ref: baseRef, resolvedSha: baseSha },
+        head: { ref: headRef, resolvedSha: headSha },
+        prDiff: {
+            available: false,
+            reason,
+            base: { ref: baseRef, resolvedSha: baseSha },
+            head: { ref: headRef, resolvedSha: headSha },
+            filesAdded: [],
+            filesRemoved: [],
+            filesModified: [],
+            totalFilesChanged: 0,
+        },
+        changedFiles: [],
+        newCycles: [],
+        riskyFunctions: [],
+        dependencyChanges: [],
+        newTaintFlows: [],
+        newDataflowRisks: [],
+        verdict: 'ok',
+        summary: [reason],
+    };
+}
+//# sourceMappingURL=reviewState.js.map

package/dist/core/reviewState.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewState.js","sourceRoot":"","sources":["../../src/core/reviewState.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AA0BhG,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,QAAgB,EAChB,UAA8B,EAAE;IAEhC,MAAM,WAAW,GAAG,MAAM,0BAA0B,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACxE,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IAEpC,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAEzC,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC5D,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,QAAgB,EAChB,OAA2B;IAE3B,IAAI,MAAM,eAAe,CAAC,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC;IACtD,OAAO;QACL,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,uBAAuB,CAAC,wDAAwD,EAAE,OAAO,CAAC;KACnG,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,QAAgB,EAChB,OAA2B;IAE3B,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,IAAI,CAAC,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClE,OAAO;QACL,OAAO;QACP,OAAO;QACP,OAAO,EAAE,MAAM,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC;QAC5C,OAAO,EAAE,MAAM,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAAgB,EAChB,OAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,uBAAuB,CAC7B,+BAA+B,IAAI,CAAC,OAAO,IAAI,EAC/C,OAAO,EACP,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,CACb;SACF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,uBAAuB,CAC7B,+BAA+B,IAAI,CAAC,OAAO,IAAI,EAC/C,OAAO,EACP,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,OAAO,EACZ,IAAI,EACJ,IAAI,CAAC,OAAO,CACb;SACF,CAAC;IACJ,CAAC;IACD,OAAO;QACL,IAAI,EAAE,OAAO;QACb,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAgB,EAChB,IAA6C;IAE7C,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IACpD,IAAI,CAAC,CAAC,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzD,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,yBAAyB,CAAC;YAChC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,MAAc,EACd,OAA2B,EAC3B,OAAO,GAAG,OAAO,CAAC,IAAI,IAAI,EAAE,EAC5B,OAAO,GAAG,OAAO,CAAC,IAAI,IAAI,MAAM,EAChC,UAAyB,IAAI,EAC7B,UAAyB,IAAI;IAE7B,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,MAAM;QACN,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE;QAC5C,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE;QAC5C,MAAM,EAAE;YACN,SAAS,EAAE,KAAK;YAChB,MAAM;YACN,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE;YAC5C,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE;YAC5C,UAAU,EAAE,EAAE;YACd,YAAY,EAAE,EAAE;YAChB,aAAa,EAAE,EAAE;YACjB,iBAAiB,EAAE,CAAC;SACrB;QACD,YAAY,EAAE,EAAE;QAChB,SAAS,EAAE,EAAE;QACb,cAAc,EAAE,EAAE;QAClB,iBAAiB,EAAE,EAAE;QACrB,aAAa,EAAE,EAAE;QACjB,gBAAgB,EAAE,EAAE;QACpB,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC,MAAM,CAAC;KAClB,CAAC;AACJ,CAAC"}

package/dist/core/reviewTier.d.ts

@@ -0,0 +1,18 @@
+import type { ReviewReport, ReviewTier } from '../types/review.js';
+/**
+ * 1.5+ - pick a review tier based on the caller's token budget.
+ *
+ *   <3000  -> 'verdict-only'  (verdict + summary + totals)
+ *   <7000  -> 'summary'       (verdict + summary + top files / top cycles / etc.)
+ *   else   -> 'full'          (everything)
+ *
+ * `0`, `undefined`, and any non-positive value all mean "no budget given"
+ * - the caller wants the full report. The tier names are stable.
+ */
+export declare function selectReviewTier(maxCostTokens: number | undefined): ReviewTier;
+/**
+ * Reshape a full ReviewReport for the chosen tier. The caller passes a
+ * fully populated report from `computeReview`; this returns a plain object
+ * sized for the tier.
+ */
+export declare function shapeReviewForTier(report: ReviewReport, tier: ReviewTier): Record<string, unknown>;

package/dist/core/reviewTier.js

@@ -0,0 +1,99 @@
+/**
+ * 1.5+ - pick a review tier based on the caller's token budget.
+ *
+ *   <3000  -> 'verdict-only'  (verdict + summary + totals)
+ *   <7000  -> 'summary'       (verdict + summary + top files / top cycles / etc.)
+ *   else   -> 'full'          (everything)
+ *
+ * `0`, `undefined`, and any non-positive value all mean "no budget given"
+ * - the caller wants the full report. The tier names are stable.
+ */
+export function selectReviewTier(maxCostTokens) {
+    if (maxCostTokens === undefined)
+        return 'full';
+    if (hasInvalidReviewBudget(maxCostTokens))
+        return 'full';
+    if (maxCostTokens < 3000)
+        return 'verdict-only';
+    if (maxCostTokens < 7000)
+        return 'summary';
+    return 'full';
+}
+function hasInvalidReviewBudget(maxCostTokens) {
+    return !Number.isFinite(maxCostTokens) || maxCostTokens <= 0;
+}
+/**
+ * Reshape a full ReviewReport for the chosen tier. The caller passes a
+ * fully populated report from `computeReview`; this returns a plain object
+ * sized for the tier.
+ */
+export function shapeReviewForTier(report, tier) {
+    if (!report.available || tier === 'full') {
+        return { ...report, tier };
+    }
+    const totals = reviewTierTotals(report);
+    if (tier === 'verdict-only') {
+        return verdictOnlyReview(report, totals, tier);
+    }
+    return summaryReview(report, totals, tier);
+}
+function reviewTierTotals(report) {
+    return {
+        filesChanged: report.changedFiles.length,
+        cyclesAdded: report.newCycles.length,
+        riskyFunctionsAdded: report.riskyFunctions.length,
+        depsChanged: report.dependencyChanges.length,
+        taintFlowsAdded: report.newTaintFlows?.length ?? 0,
+        dataflowRisksAdded: report.newDataflowRisks?.length ?? 0,
+        contractChanges: report.contractChanges?.length ?? 0,
+    };
+}
+function verdictOnlyReview(report, totals, tier) {
+    return {
+        available: report.available,
+        base: report.base,
+        head: report.head,
+        verdict: report.verdict,
+        summary: report.summary,
+        totals,
+        graphEvidence: report.graphEvidence,
+        tier,
+    };
+}
+function summaryReview(report, totals, tier) {
+    const top = 5;
+    return {
+        available: report.available,
+        base: report.base,
+        head: report.head,
+        prDiff: trimmedPrDiff(report, top),
+        changedFiles: report.changedFiles.slice(0, top),
+        newCycles: report.newCycles.slice(0, 3),
+        riskyFunctions: report.riskyFunctions.slice(0, 3),
+        dependencyChanges: report.dependencyChanges.slice(0, 3),
+        contractChanges: report.contractChanges?.slice(0, top) ?? [],
+        newTaintFlows: report.newTaintFlows?.slice(0, 5) ?? [],
+        newDataflowRisks: report.newDataflowRisks?.slice(0, 5) ?? [],
+        graphEvidence: report.graphEvidence,
+        verdict: report.verdict,
+        summary: report.summary,
+        totals,
+        tier,
+    };
+}
+function trimmedPrDiff(report, top) {
+    return {
+        available: report.prDiff.available,
+        base: report.prDiff.base,
+        head: report.prDiff.head,
+        totalFilesChanged: report.prDiff.totalFilesChanged,
+        filesAdded: report.prDiff.filesAdded.slice(0, top),
+        filesRemoved: report.prDiff.filesRemoved.slice(0, top),
+        filesModified: report.prDiff.filesModified.slice(0, top).map((file) => ({
+            relativePath: file.relativePath,
+            cyclomaticDelta: file.cyclomaticDelta,
+            fanInDelta: file.fanInDelta,
+        })),
+    };
+}
+//# sourceMappingURL=reviewTier.js.map

package/dist/core/reviewTier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewTier.js","sourceRoot":"","sources":["../../src/core/reviewTier.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,aAAiC;IAChE,IAAI,aAAa,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IAC/C,IAAI,sBAAsB,CAAC,aAAa,CAAC;QAAE,OAAO,MAAM,CAAC;IACzD,IAAI,aAAa,GAAG,IAAI;QAAE,OAAO,cAAc,CAAC;IAChD,IAAI,aAAa,GAAG,IAAI;QAAE,OAAO,SAAS,CAAC;IAC3C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,sBAAsB,CAAC,aAAqB;IACnD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,aAAa,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAoB,EACpB,IAAgB;IAEhB,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACzC,OAAO,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,IAAI,KAAK,cAAc,EAAE,CAAC;QAC5B,OAAO,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAoB;IAC5C,OAAO;QACL,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,MAAM;QACxC,WAAW,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM;QACpC,mBAAmB,EAAE,MAAM,CAAC,cAAc,CAAC,MAAM;QACjD,WAAW,EAAE,MAAM,CAAC,iBAAiB,CAAC,MAAM;QAC5C,eAAe,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC;QAClD,kBAAkB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,IAAI,CAAC;QACxD,eAAe,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,IAAI,CAAC;KACrD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAoB,EACpB,MAA8B,EAC9B,IAAgB;IAEhB,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM;QACN,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,IAAI;KACL,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CACpB,MAAoB,EACpB,MAA8B,EAC9B,IAAgB;IAEhB,MAAM,GAAG,GAAG,CAAC,CAAC;IACd,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,MAAM,EAAE,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC;QAClC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QAC/C,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACvC,cAAc,EAAE,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACjD,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACvD,eAAe,EAAE,MAAM,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE;QAC5D,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE;QACtD,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE;QAC5D,aAAa,EAAE,MAAM,CAAC,aAAa;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM;QACN,IAAI;KACL,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,MAAoB,EAAE,GAAW;IACtD,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS;QAClC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QACxB,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QACxB,iBAAiB,EAAE,MAAM,CAAC,MAAM,CAAC,iBAAiB;QAClD,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QAClD,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QACtD,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACtE,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC,CAAC;KACJ,CAAC;AACJ,CAAC"}

package/dist/core/reviewVerdict.d.ts

@@ -0,0 +1,9 @@
+import type { ReviewContractChange } from '../types/reviewContract.js';
+import type { ReviewCycle, ReviewDataflowRisk, ReviewDependencyChange, ReviewFile, ReviewFunction, ReviewReport, ReviewTaintFlow } from '../types/review.js';
+type ReviewVerdict = ReviewReport['verdict'];
+interface VerdictDecision {
+    verdict: ReviewVerdict;
+    summary: string[];
+}
+export declare function decideVerdict(changedFiles: ReviewFile[], newCycles: ReviewCycle[], riskyFunctions: ReviewFunction[], depChanges: ReviewDependencyChange[], contractChanges: ReviewContractChange[], newTaintFlows: ReviewTaintFlow[], newDataflowRisks: ReviewDataflowRisk[]): VerdictDecision;
+export {};

package/dist/core/reviewVerdict.js

@@ -0,0 +1,121 @@
+const RISK_VERDICT_BLOCK_SCORE = 80;
+const RISK_VERDICT_REVIEW_SCORE = 40;
+export function decideVerdict(changedFiles, newCycles, riskyFunctions, depChanges, contractChanges, newTaintFlows, newDataflowRisks) {
+    const decision = { verdict: 'ok', summary: [] };
+    const maxRisk = maxChangedFileRisk(changedFiles);
+    applyRiskScoreSignal(decision, maxRisk);
+    applyCycleSignal(decision, newCycles);
+    applyRiskyFunctionSignal(decision, riskyFunctions);
+    applyTaintFlowSignal(decision, newTaintFlows);
+    applyDataflowRiskSignal(decision, newDataflowRisks);
+    appendDependencySummary(decision.summary, depChanges);
+    appendManualReleaseSignOff(decision, {
+        maxRisk,
+        newCycles,
+        riskyFunctions,
+        contractChanges,
+        newTaintFlows,
+        newDataflowRisks,
+    });
+    appendFallbackSummary(decision, changedFiles.length);
+    return decision;
+}
+function maxChangedFileRisk(changedFiles) {
+    return Math.max(0, ...changedFiles.map((file) => file.riskScore ?? 0));
+}
+function applyRiskScoreSignal(decision, maxRisk) {
+    if (maxRisk >= RISK_VERDICT_BLOCK_SCORE) {
+        decision.verdict = 'block';
+        decision.summary.push(`Maximum changed-file risk score is ${maxRisk.toFixed(1)} (>= ${RISK_VERDICT_BLOCK_SCORE}).`);
+        return;
+    }
+    if (maxRisk >= RISK_VERDICT_REVIEW_SCORE) {
+        decision.verdict = bumpTo(decision.verdict, 'review');
+        decision.summary.push(`Maximum changed-file risk score is ${maxRisk.toFixed(1)} (>= ${RISK_VERDICT_REVIEW_SCORE}).`);
+    }
+}
+function applyCycleSignal(decision, newCycles) {
+    if (newCycles.length === 0)
+        return;
+    const newOnly = newCycles.filter((cycle) => cycle.classification === 'new');
+    if (newOnly.length > 0) {
+        decision.verdict = 'block';
+        decision.summary.push(`${newOnly.length} new import cycle(s) introduced.`);
+        return;
+    }
+    decision.verdict = bumpTo(decision.verdict, 'review');
+    decision.summary.push(`${newCycles.length} cycle(s) expanded.`);
+}
+function applyRiskyFunctionSignal(decision, riskyFunctions) {
+    if (riskyFunctions.length === 0)
+        return;
+    decision.verdict = bumpTo(decision.verdict, 'review');
+    decision.summary.push(`${riskyFunctions.length} function(s) flagged: high CC added or jumped.`);
+}
+function applyTaintFlowSignal(decision, newTaintFlows) {
+    if (newTaintFlows.length === 0)
+        return;
+    decision.verdict = 'block';
+    const sample = newTaintFlows
+        .slice(0, 3)
+        .map((flow) => `${flow.source}→${flow.sink} (${flow.sourceFn}${flow.pathLength > 1 ? '…' : ''})`)
+        .join(', ');
+    decision.summary.push(`${newTaintFlows.length} new taint flow(s) detected: ${sample}${newTaintFlows.length > 3 ? ', …' : ''}.`);
+}
+function applyDataflowRiskSignal(decision, newDataflowRisks) {
+    if (newDataflowRisks.length === 0)
+        return;
+    decision.verdict = 'block';
+    const sample = newDataflowRisks
+        .slice(0, 3)
+        .map((risk) => `${risk.source}→${risk.sink} (${risk.bridgeFn ?? risk.sourceFn})`)
+        .join(', ');
+    decision.summary.push(`${newDataflowRisks.length} new dataflow risk(s) detected: ${sample}${newDataflowRisks.length > 3 ? ', …' : ''}.`);
+}
+function appendDependencySummary(summary, depChanges) {
+    if (depChanges.length === 0)
+        return;
+    const totals = dependencyTotals(depChanges);
+    if (totals.added + totals.removed + totals.bumped === 0)
+        return;
+    summary.push(`Dependency changes: +${totals.added} -${totals.removed} ~${totals.bumped}.`);
+}
+function dependencyTotals(depChanges) {
+    return depChanges.reduce((acc, change) => {
+        acc.added += change.added.length;
+        acc.removed += change.removed.length;
+        acc.bumped += change.bumped.length;
+        return acc;
+    }, { added: 0, removed: 0, bumped: 0 });
+}
+function appendManualReleaseSignOff(decision, signals) {
+    if (!isManualReleaseSignOffBlock(decision.verdict, signals))
+        return;
+    decision.summary.push('Manual release sign-off required: review blocks on release-scale risk signals, not concrete cycle, risky-function, contract, taint, or dataflow defects.');
+}
+function isManualReleaseSignOffBlock(verdict, signals) {
+    const concreteSignals = [
+        signals.newCycles,
+        signals.riskyFunctions,
+        signals.contractChanges,
+        signals.newTaintFlows,
+        signals.newDataflowRisks,
+    ];
+    return (verdict === 'block' &&
+        signals.maxRisk >= RISK_VERDICT_BLOCK_SCORE &&
+        concreteSignals.every((entries) => entries.length === 0));
+}
+function appendFallbackSummary(decision, changedFileCount) {
+    if (changedFileCount === 0 && decision.summary.length === 0) {
+        decision.summary.push('No structural changes detected between base and head.');
+        return;
+    }
+    if (decision.verdict === 'ok' && decision.summary.length === 0) {
+        decision.summary.push(`${changedFileCount} file(s) changed; no risk signals.`);
+    }
+}
+function bumpTo(current, target) {
+    const order = { ok: 0, review: 1, block: 2 };
+    return order[target] > order[current] ? target : current;
+}
+//# sourceMappingURL=reviewVerdict.js.map

package/dist/core/reviewVerdict.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewVerdict.js","sourceRoot":"","sources":["../../src/core/reviewVerdict.ts"],"names":[],"mappings":"AAWA,MAAM,wBAAwB,GAAG,EAAE,CAAC;AACpC,MAAM,yBAAyB,GAAG,EAAE,CAAC;AASrC,MAAM,UAAU,aAAa,CAC3B,YAA0B,EAC1B,SAAwB,EACxB,cAAgC,EAChC,UAAoC,EACpC,eAAuC,EACvC,aAAgC,EAChC,gBAAsC;IAEtC,MAAM,QAAQ,GAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACjE,MAAM,OAAO,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACjD,oBAAoB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACxC,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IACtC,wBAAwB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACnD,oBAAoB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAC9C,uBAAuB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IACpD,uBAAuB,CAAC,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACtD,0BAA0B,CAAC,QAAQ,EAAE;QACnC,OAAO;QACP,SAAS;QACT,cAAc;QACd,eAAe;QACf,aAAa;QACb,gBAAgB;KACjB,CAAC,CAAC;IACH,qBAAqB,CAAC,QAAQ,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;IACrD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CAAC,YAA0B;IACpD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAyB,EAAE,OAAe;IACtE,IAAI,OAAO,IAAI,wBAAwB,EAAE,CAAC;QACxC,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;QAC3B,QAAQ,CAAC,OAAO,CAAC,IAAI,CACnB,sCAAsC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,wBAAwB,IAAI,CAC7F,CAAC;QACF,OAAO;IACT,CAAC;IACD,IAAI,OAAO,IAAI,yBAAyB,EAAE,CAAC;QACzC,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtD,QAAQ,CAAC,OAAO,CAAC,IAAI,CACnB,sCAAsC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,yBAAyB,IAAI,CAC9F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAyB,EAAE,SAAwB;IAC3E,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACnC,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,cAAc,KAAK,KAAK,CAAC,CAAC;IAC5E,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;QAC3B,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,kCAAkC,CAAC,CAAC;QAC3E,OAAO;IACT,CAAC;IACD,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,qBAAqB,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAyB,EACzB,cAAgC;IAEhC,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACxC,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACtD,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,MAAM,gDAAgD,CAAC,CAAC;AAClG,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAyB,EAAE,aAAgC;IACvF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACvC,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;IAC3B,MAAM,MAAM,GAAG,aAAa;SACzB,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;SAChG,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,QAAQ,CAAC,OAAO,CAAC,IAAI,CACnB,GAAG,aAAa,CAAC,MAAM,gCAAgC,MAAM,GAAG,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CACzG,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,QAAyB,EACzB,gBAAsC;IAEtC,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAC1C,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;IAC3B,MAAM,MAAM,GAAG,gBAAgB;SAC5B,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,GAAG,CAAC;SAChF,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,QAAQ,CAAC,OAAO,CAAC,IAAI,CACnB,GAAG,gBAAgB,CAAC,MAAM,mCAAmC,MAAM,GAAG,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,CAClH,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,OAAiB,EACjB,UAAoC;IAEpC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IACpC,MAAM,MAAM,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAChE,OAAO,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAoC;IAK5D,OAAO,UAAU,CAAC,MAAM,CACtB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;QACd,GAAG,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;QACjC,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;QACrC,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;QACnC,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CACpC,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CACjC,QAAyB,EACzB,OAOC;IAED,IAAI,CAAC,2BAA2B,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;QAAE,OAAO;IACpE,QAAQ,CAAC,OAAO,CAAC,IAAI,CACnB,0JAA0J,CAC3J,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAClC,OAAsB,EACtB,OAOC;IAED,MAAM,eAAe,GAAG;QACtB,OAAO,CAAC,SAAS;QACjB,OAAO,CAAC,cAAc;QACtB,OAAO,CAAC,eAAe;QACvB,OAAO,CAAC,aAAa;QACrB,OAAO,CAAC,gBAAgB;KACzB,CAAC;IACF,OAAO,CACL,OAAO,KAAK,OAAO;QACnB,OAAO,CAAC,OAAO,IAAI,wBAAwB;QAC3C,eAAe,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAyB,EAAE,gBAAwB;IAChF,IAAI,gBAAgB,KAAK,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5D,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAC/E,OAAO;IACT,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/D,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,gBAAgB,oCAAoC,CAAC,CAAC;IACjF,CAAC;AACH,CAAC;AAED,SAAS,MAAM,CAAC,OAAsB,EAAE,MAAqB;IAC3D,MAAM,KAAK,GAAkC,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC5E,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;AAC3D,CAAC"}

package/dist/core/roadmapCatalog.d.ts

@@ -1,6 +1,7 @@
 import type { ReleaseTrainTask, ReleaseTrainTrack } from '../types.js';
 export declare const ROADMAP_3_2_LINES: readonly ["3.2.x", "3.3.x", "3.4.x", "3.5.x", "3.6.x", "3.7.x", "3.8.x", "3.9.x"];
 export declare const ROADMAP_3_4_LINES: readonly ["3.4.x"];
+export declare const ROADMAP_POST_4_4_LINES: readonly ["4.5.x", "4.6.x", "4.7.x", "4.8.x", "4.9.x"];
 export declare function defaultRoadmapLinesForVersion(version: string | null): string[] | undefined;
 export declare function roadmapTrackForLine(line: string): ReleaseTrainTrack | undefined;
 export declare function roadmapTasksForLine(line: string): ReleaseTrainTask[];

package/dist/core/roadmapCatalog.js

@@ -9,6 +9,18 @@ export const ROADMAP_3_2_LINES = [
     '3.9.x',
 ];
 export const ROADMAP_3_4_LINES = ['3.4.x'];
+export const ROADMAP_POST_4_4_LINES = [
+    '4.5.x',
+    '4.6.x',
+    '4.7.x',
+    '4.8.x',
+    '4.9.x',
+];
+const DEFAULT_ROADMAP_LINE_RULES = [
+    { minimumMajor: 4, minimumMinor: 4, lines: ROADMAP_POST_4_4_LINES },
+    { minimumMajor: 3, minimumMinor: 4, lines: ROADMAP_3_4_LINES },
+    { minimumMajor: 3, minimumMinor: 1, lines: ROADMAP_3_2_LINES },
+];
 const ROADMAP_3_2_CATALOG = {
     '3.2.x': {
         line: '3.2.x',
@@ -288,18 +300,226 @@ const ROADMAP_3_2_CATALOG = {
             },
         ],
     },
+    '4.5.x': {
+        line: '4.5.x',
+        track: {
+            theme: 'Roadmap And Release-Train Reliability',
+            outcome: 'Planning surfaces describe the current post-4.4 product direction instead of stale shipped 3.x/4.0 work.',
+            includedInPlan: true,
+            scope: [
+                'post-4.4 roadmap refresh',
+                'release-train default-line refresh',
+                'product-planning route verification',
+            ],
+            successCriteria: [
+                'release-train defaults to post-4.4 lines on 4.4.x and newer',
+                'docs/ROADMAP.md names already-shipped 4.0 through 4.4 work as completed',
+                'planning output remains read-only and does not bump versions',
+            ],
+        },
+        tasks: [
+            {
+                id: 'rt-4-5-roadmap-release-train-refresh',
+                priority: 'p0',
+                title: 'Refresh roadmap and release-train surfaces',
+                why: 'Maintainers and agents should see the real next product bets after 4.4.0 instead of a completed 3.4/3.6/4.0 plan.',
+                track: '4.5.x',
+                files: [
+                    'src/core/roadmapCatalog.ts',
+                    'src/core/releaseTrain.ts',
+                    'docs/ROADMAP.md',
+                    'docs/GUIDE.md',
+                ],
+                verification: {
+                    commands: [
+                        'projscan release-train --format json',
+                        'projscan start --intent "what should we build next?" --format json',
+                    ],
+                    expected: 'Planning output names post-4.4 workstreams and stays read-only without package version changes.',
+                },
+            },
+        ],
+    },
+    '4.6.x': {
+        line: '4.6.x',
+        track: {
+            theme: 'Swarm Coordination Evidence',
+            outcome: 'Teams can validate which coordination commands agents actually use before investing in deeper swarm automation.',
+            includedInPlan: true,
+            scope: [
+                'coordination workflow examples',
+                'claims and collision evidence recipes',
+                'coordinate-watch adoption proof',
+            ],
+            successCriteria: [
+                'docs show a real local workflow for collisions, claims, merge-risk, coordinate, and coordinate --watch',
+                'agent-brief and preflight coordination evidence stay separated from remembered session context',
+                'validation examples stay local-first and require no daemon or cloud service',
+            ],
+        },
+        tasks: [
+            {
+                id: 'rt-4-6-swarm-coordination-validation',
+                priority: 'p0',
+                title: 'Validate swarm coordination in real agent workflows',
+                why: 'The coordination surface is only valuable if teams can see where it prevents collisions and which command answered the coordination question.',
+                track: '4.6.x',
+                files: [
+                    'docs/GUIDE.md',
+                    'README.md',
+                    'docs/examples/swarm-coordination.md',
+                    'src/core/agentBrief.ts',
+                    'src/core/preflight.ts',
+                ],
+                verification: {
+                    commands: [
+                        'projscan collisions --format json',
+                        'projscan coordinate --format json',
+                        'projscan agent-brief --format json',
+                    ],
+                    expected: 'Coordination evidence names the active command path, current worktree state, and local-only validation workflow.',
+                },
+            },
+        ],
+    },
+    '4.7.x': {
+        line: '4.7.x',
+        track: {
+            theme: 'Framework Dataflow Precision',
+            outcome: 'Framework-specific request sources continue to expand through narrow, tested source patterns instead of broad name matching.',
+            includedInPlan: true,
+            scope: [
+                'Fastify and Koa request source coverage',
+                'receiver-sensitive database sink checks',
+                'regression fixtures for false-positive suppression',
+            ],
+            successCriteria: [
+                'dataflow detects tested framework request sources into database sinks',
+                'ordinary helper functions with similar names stay quiet',
+                'custom source and sink configuration still overrides defaults',
+            ],
+        },
+        tasks: [
+            {
+                id: 'rt-4-7-framework-dataflow-precision',
+                priority: 'p1',
+                title: 'Broaden framework dataflow precision',
+                why: 'Deeper framework precision is the right static-analysis moat when it is added as small tested patterns.',
+                track: '4.7.x',
+                files: ['src/core/frameworkSources.ts', 'src/core/dataflow.ts', 'tests/core/dataflow.test.ts'],
+                verification: {
+                    commands: ['npm run test -- tests/core/dataflow.test.ts', 'projscan dataflow --format json'],
+                    expected: 'New framework request-source fixtures report real source-to-sink paths and suppress lookalike helpers.',
+                },
+            },
+        ],
+    },
+    '4.8.x': {
+        line: '4.8.x',
+        track: {
+            theme: 'Scoped Evidence Exports',
+            outcome: 'Teams can share report artifacts with scoped or redacted paths without exposing broader repository structure.',
+            includedInPlan: true,
+            scope: [
+                'path-scope filtering',
+                'stable path redaction labels',
+                'SARIF and JSON evidence shaping',
+            ],
+            successCriteria: [
+                'issue reports can be filtered to a requested path scope',
+                'redacted reports replace file paths with stable labels',
+                'redaction never reads .env values or adds network calls',
+            ],
+        },
+        tasks: [
+            {
+                id: 'rt-4-8-scoped-redacted-evidence',
+                priority: 'p1',
+                title: 'Add scoped and redacted report export controls',
+                why: 'Security reviewers need useful artifacts they can share without leaking paths outside the reviewed area.',
+                track: '4.8.x',
+                files: [
+                    'src/core/reportScope.ts',
+                    'src/cli/commands/analyze.ts',
+                    'src/cli/commands/doctor.ts',
+                    'src/cli/commands/ci.ts',
+                    'src/reporters/sarifReporter.ts',
+                ],
+                verification: {
+                    commands: [
+                        'projscan doctor --report-scope src --redact-paths --format json',
+                        'projscan analyze --report-scope src --redact-paths --format sarif',
+                    ],
+                    expected: 'Reports include only scoped issue evidence and expose redacted path labels instead of raw file paths.',
+                },
+            },
+        ],
+    },
+    '4.9.x': {
+        line: '4.9.x',
+        track: {
+            theme: 'Python Upgrade Intelligence And Hotspot Maintainability',
+            outcome: 'Python dependency upgrade previews become useful offline, while the highest-churn projscan surfaces keep shrinking through focused tests and extraction.',
+            includedInPlan: true,
+            scope: [
+                'requirements.txt and Poetry dependency lookup',
+                'Python importers for upgrade preview',
+                'start/types/test hotspot coverage and extraction',
+                'real adoption examples for orchestration, ownership, and plugins',
+            ],
+            successCriteria: [
+                'projscan_upgrade can preview Python dependencies from local manifests',
+                'README and guide no longer describe Python upgrade support as only planned',
+                'hotspot work adds focused coverage or extraction without unrelated refactors',
+                'docs include concrete adoption examples for agent orchestration, package ownership, and policy plugins',
+            ],
+        },
+        tasks: [
+            {
+                id: 'rt-4-9-python-upgrade-and-hotspot-maintainability',
+                priority: 'p1',
+                title: 'Ship Python upgrade intelligence and keep reducing hotspots',
+                why: 'Python repos should get the same offline upgrade impact preview as Node repos, and the repo should keep paying down known high-churn surfaces.',
+                track: '4.9.x',
+                files: [
+                    'src/core/upgradePreview.ts',
+                    'src/core/languages/pythonManifests.ts',
+                    'src/types/dependencyHealth.ts',
+                    'tests/core/upgradePreview.test.ts',
+                    'src/core/start.ts',
+                    'src/types.ts',
+                    'tests/core/start.test.ts',
+                ],
+                verification: {
+                    commands: [
+                        'npm run test -- tests/core/upgradePreview.test.ts tests/mcp/pythonUpgradeFallback.test.ts',
+                        'npm run typecheck:public-types',
+                        'projscan hotspots --format json',
+                    ],
+                    expected: 'Python upgrade previews return declared versions and importers, public types compile, and hotspot risk is covered or explicitly deferred.',
+                },
+            },
+        ],
+    },
 };
 export function defaultRoadmapLinesForVersion(version) {
     if (!version)
         return undefined;
-    const [major = 0, minor = 0] = version.split('.').map((part) => Number.parseInt(part, 10));
-    if (!Number.isFinite(major) || !Number.isFinite(minor))
+    const roadmapVersion = roadmapVersionParts(version);
+    if (!roadmapVersion)
         return undefined;
-    if (major > 3 || (major === 3 && minor >= 4))
-        return [...ROADMAP_3_4_LINES];
-    if (major === 3 && minor >= 1)
-        return [...ROADMAP_3_2_LINES];
-    return undefined;
+    const rule = DEFAULT_ROADMAP_LINE_RULES.find((candidate) => isAtLeastRoadmapVersion(roadmapVersion, candidate));
+    return rule ? [...rule.lines] : undefined;
+}
+function roadmapVersionParts(version) {
+    const [majorPart, minorPart = '0'] = version.split('.');
+    const major = Number.parseInt(majorPart ?? '', 10);
+    const minor = Number.parseInt(minorPart, 10);
+    return Number.isFinite(major) && Number.isFinite(minor) ? { major, minor } : null;
+}
+function isAtLeastRoadmapVersion(version, rule) {
+    return (version.major > rule.minimumMajor ||
+        (version.major === rule.minimumMajor && version.minor >= rule.minimumMinor));
 }
 export function roadmapTrackForLine(line) {
     const entry = ROADMAP_3_2_CATALOG[line];