specfact-cli 0.46.2__tar.gz → 0.46.9__tar.gz

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: specfact-cli
-Version: 0.46.2
+Version: 0.46.9
 Summary: The swiss knife CLI for agile DevOps teams. Keep backlog, specs, tests, and code in sync with validation and contract enforcement for new projects and long-lived codebases.
 Project-URL: Homepage, https://github.com/nold-ai/specfact-cli
 Project-URL: Repository, https://github.com/nold-ai/specfact-cli.git
@@ -224,12 +224,12 @@ Classifier: Topic :: Software Development :: Testing
 Requires-Python: >=3.11
 Requires-Dist: azure-identity>=1.17.1
 Requires-Dist: beartype>=0.22.4
+Requires-Dist: commentjson>=0.9.0
 Requires-Dist: cryptography>=43.0.0
 Requires-Dist: gitpython>=3.1.45
 Requires-Dist: graphviz>=0.20.1
 Requires-Dist: icontract>=2.7.1
 Requires-Dist: jinja2>=3.1.6
-Requires-Dist: json5>=0.9.28
 Requires-Dist: jsonschema>=4.23.0
 Requires-Dist: networkx>=3.4.2
 Requires-Dist: opentelemetry-exporter-otlp-proto-http>=1.27.0
@@ -248,16 +248,18 @@ Provides-Extra: contracts
 Requires-Dist: crosshair-tool>=0.0.97; extra == 'contracts'
 Requires-Dist: hypothesis>=6.142.4; extra == 'contracts'
 Provides-Extra: dev
+Requires-Dist: bandit>=1.7.0; extra == 'dev'
 Requires-Dist: basedpyright>=1.32.1; extra == 'dev'
-Requires-Dist: bearer>=3.1.0; extra == 'dev'
 Requires-Dist: beartype>=0.22.4; extra == 'dev'
 Requires-Dist: crosshair-tool>=0.0.97; extra == 'dev'
 Requires-Dist: graphviz>=0.20.1; extra == 'dev'
 Requires-Dist: hypothesis>=6.142.4; extra == 'dev'
 Requires-Dist: icontract>=2.7.1; extra == 'dev'
 Requires-Dist: isort>=7.0.0; extra == 'dev'
+Requires-Dist: pip-audit>=2.0.0; extra == 'dev'
+Requires-Dist: pip-licenses>=4.0.0; extra == 'dev'
 Requires-Dist: pip-tools>=7.5.1; extra == 'dev'
-Requires-Dist: pyan3>=1.2.0; extra == 'dev'
+Requires-Dist: pycg==0.0.7; extra == 'dev'
 Requires-Dist: pylint>=4.0.2; extra == 'dev'
 Requires-Dist: pytest-asyncio>=1.2.0; extra == 'dev'
 Requires-Dist: pytest-cov>=7.0.0; extra == 'dev'
@@ -271,10 +273,8 @@ Requires-Dist: setuptools<82,>=69.0.0; extra == 'dev'
 Requires-Dist: tomlkit>=0.13.3; extra == 'dev'
 Requires-Dist: types-pyyaml>=6.0.12.20250516; extra == 'dev'
 Provides-Extra: enhanced-analysis
-Requires-Dist: bearer>=3.1.0; extra == 'enhanced-analysis'
 Requires-Dist: graphviz>=0.20.1; extra == 'enhanced-analysis'
-Requires-Dist: pyan3>=1.2.0; extra == 'enhanced-analysis'
-Requires-Dist: syft>=0.9.5; extra == 'enhanced-analysis'
+Requires-Dist: pycg==0.0.7; extra == 'enhanced-analysis'
 Provides-Extra: scanning
 Requires-Dist: semgrep>=1.144.0; extra == 'scanning'
 Description-Content-Type: text/markdown
@@ -308,7 +308,7 @@ uvx specfact-cli code review run --path . --scope full
 **Sample output:**
 
 ```text
-SpecFact CLI - v0.46.1
+SpecFact CLI - v0.46.4
 
 Running Ruff checks...
 Running Radon complexity checks...
@@ -367,14 +367,15 @@ This repository uses a **modular** local hook layout (parity with `specfact-cli-
 separate verify / format / YAML / Markdown / workflow / lint / Block 2 hooks). If you copy
 [`.pre-commit-config.yaml`](.pre-commit-config.yaml) into another repo, you must also vendor the
 referenced `scripts/*.sh` entrypoints (at minimum `scripts/pre-commit-quality-checks.sh`,
-`scripts/pre-commit-verify-modules.sh`, and `scripts/git-branch-module-signature-flag.sh`) so hook
+`scripts/pre-commit-verify-modules.sh`, `scripts/module-verify-policy.sh`, and
+`scripts/git-branch-module-signature-flag.sh`) so hook
 `entry:` paths resolve. Alternatively, skip vendoring the modular file and use the remote hook below.
 
 For a **single-hook** setup in downstream repos, keep using the stable id and script shim:
 
 ```yaml
 - repo: https://github.com/nold-ai/specfact-cli
-  rev: v0.46.1
+  rev: v0.46.4
   hooks:
     - id: specfact-smart-checks
 ```

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/README.md

@@ -27,7 +27,7 @@ uvx specfact-cli code review run --path . --scope full
 **Sample output:**
 
 ```text
-SpecFact CLI - v0.46.1
+SpecFact CLI - v0.46.4
 
 Running Ruff checks...
 Running Radon complexity checks...
@@ -86,14 +86,15 @@ This repository uses a **modular** local hook layout (parity with `specfact-cli-
 separate verify / format / YAML / Markdown / workflow / lint / Block 2 hooks). If you copy
 [`.pre-commit-config.yaml`](.pre-commit-config.yaml) into another repo, you must also vendor the
 referenced `scripts/*.sh` entrypoints (at minimum `scripts/pre-commit-quality-checks.sh`,
-`scripts/pre-commit-verify-modules.sh`, and `scripts/git-branch-module-signature-flag.sh`) so hook
+`scripts/pre-commit-verify-modules.sh`, `scripts/module-verify-policy.sh`, and
+`scripts/git-branch-module-signature-flag.sh`) so hook
 `entry:` paths resolve. Alternatively, skip vendoring the modular file and use the remote hook below.
 
 For a **single-hook** setup in downstream repos, keep using the stable id and script shim:
 
 ```yaml
 - repo: https://github.com/nold-ai/specfact-cli
-  rev: v0.46.1
+  rev: v0.46.4
   hooks:
     - id: specfact-smart-checks
 ```

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "specfact-cli"
-version = "0.46.2"
+version = "0.46.9"
 description = "The swiss knife CLI for agile DevOps teams. Keep backlog, specs, tests, and code in sync with validation and contract enforcement for new projects and long-lived codebases."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -77,6 +77,7 @@ dependencies = [
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
     
     # Git operations
+    # gitpython: CVE history (CVE-2022-24439, CVE-2023-41040, CVE-2023-40590). Phase 2: replace with dulwich.
     "gitpython>=3.1.45",
     
     # YAML utilities
@@ -84,8 +85,8 @@ dependencies = [
     
     # Schema validation
     "jsonschema>=4.23.0",
-    # VS Code settings.json is often JSON with comments (JSONC); parse/emit via JSON5 subset
-    "json5>=0.9.28",
+    # VS Code settings.json is JSONC (comments + trailing commas); commentjson (MIT) strips them, delegates to stdlib json
+    "commentjson>=0.9.0",
     
     # Contract-First (runtime decorators; exploration tools are optional extra `contracts`)
     "icontract>=2.7.1",  # Design-by-contract decorators
@@ -114,13 +115,13 @@ dev = [
     "pytest-xdist>=3.8.0",
     "basedpyright>=1.32.1",
     "isort>=7.0.0",
-    "pylint>=4.0.2",
+    "pylint>=4.0.2",  # GPL-2.0-or-later — dev-only exception (not in module manifests). Phase 2: replace with ruff --select ALL.
     "ruff>=0.14.2",
     "radon>=6.0.1",
     "tomlkit>=0.13.3",  # Style-preserving TOML library (recommended successor to pytoml)
     "types-PyYAML>=6.0.12.20250516",
     "pip-tools>=7.5.1",
-    "semgrep>=1.144.0",  # Latest version compatible with rich~=13.5.2
+    "semgrep>=1.144.0",  # LGPL-2.1 — required for code analysis; invoked as subprocess (accepted exception)
 
     # Same contract exploration stack as [contracts] (extras cannot self-reference)
     "crosshair-tool>=0.0.97",
@@ -131,11 +132,14 @@ dev = [
     "beartype>=0.22.4",
     
     # Enhanced Analysis Tools (for local development)
-    # Note: syft excluded from dev/test due to rich version conflict with semgrep
-    # Install separately: pip install specfact-cli[enhanced-analysis] if needed
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from dev: pyan3 (GPL-2.0) and bearer (wrong PyPI package; SaaS auth, not scanner)
+    # syft removed — wrong PyPI package (OpenMined ML framework, not Anchore SBOM)
+    "bandit>=1.7.0",  # SAST scanner (MIT)
+    "pip-licenses>=4.0.0",  # License enumeration for compliance gate (MIT)
+    "pip-audit>=2.0.0",  # CVE audit via OSV database (Apache-2.0)
+    # pylint: GPL-2.0-or-later — dev-only exception (not in module manifests). Phase 2: replace with ruff --select ALL.
 ]
 
 scanning = [
@@ -144,9 +148,8 @@ scanning = [
 
 enhanced-analysis = [
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "syft>=0.9.5",  # Software Bill of Materials (SBOM) generation
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from enhanced-analysis: pyan3 (GPL-2.0), bearer, and syft (wrong PyPI packages)
 ]
 
 # Note: Specmatic integration (specfact spec commands) requires the Specmatic CLI tool
@@ -188,29 +191,37 @@ dependencies = [
     "pylint>=4.0.2",
     "ruff>=0.14.2",
     "radon>=6.0.1",
-    "yamllint>=1.37.1",
-    "semgrep>=1.144.0",  # Latest version compatible with rich~=13.5.2
+    "yamllint>=1.37.1",  # GPL-3.0-or-later — dev/test-only exception. Phase 2: replace with non-GPL YAML lint path.
+    "semgrep>=1.144.0",  # LGPL-2.1 — required for code analysis; invoked as subprocess (accepted exception)
     # Contract-First Development Dependencies
     "icontract>=2.7.1",
-    "beartype>=0.22.4", 
+    "beartype>=0.22.4",
     "crosshair-tool>=0.0.97",
     "hypothesis>=6.142.4",
     # Enhanced Analysis Tools (for local development)
-    # Note: syft excluded from dev/test due to rich version conflict with semgrep
-    # Install separately: pip install specfact-cli[enhanced-analysis] if needed
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from Hatch default: pyan3 (GPL-2.0), bearer, and syft (wrong PyPI packages)
+    "bandit>=1.7.0",  # SAST scanner (MIT)
+    "pip-licenses>=4.0.0",  # License enumeration for compliance gate (MIT)
+    "pip-audit>=2.0.0",  # CVE audit via OSV database (Apache-2.0)
+    # pylint: GPL-2.0-or-later — dev-only exception (not in module manifests). Phase 2: replace with ruff --select ALL.
 ]
 
 [tool.hatch.envs.default.scripts]
 validate-prompts = "python tools/validate_prompts.py"
+# Security and license compliance gates
+bandit-scan = "bandit -r src/ -ll"
+license-check = "python scripts/check_license_compliance.py"
+# Wrap pip-audit so JSON parsing and CVSS threshold checks fail closed.
+security-audit = "python scripts/security_audit_gate.py"
 # Development scripts
 test = "pytest {args}"
 test-cov = "pytest --cov=src --cov-report=term-missing {args}"
 type-check = "basedpyright --pythonpath $(python -c 'import sys; print(sys.executable)') {args}"
 # basedpyright --level error: suppress warning noise in pre-commit (Block 1 runs `hatch run lint`).
 lint = "ruff format . --check && basedpyright --level error --pythonpath $(python -c 'import sys; print(sys.executable)') && ruff check . && pylint src tests tools && python scripts/verify_safe_project_writes.py"
+lint-changed = "python scripts/run_changed_lint.py {args}"
 governance = "pylint src tests tools --reports=y --output-format=parseable"
 format = "ruff check . --fix && ruff format ."
 
@@ -261,10 +272,15 @@ smart-test-e2e = "python tools/smart_test_coverage.py run --level e2e {args}"
 smart-test-full = "python tools/smart_test_coverage.py run --level full {args}"
 smart-test-auto = "python tools/smart_test_coverage.py run --level auto {args}"
 
+# Bundled module verify (flags from scripts/module-verify-policy.sh via run_verify_modules_policy.sh)
+verify-modules-signature = "bash scripts/run_verify_modules_policy.sh strict {args}"
+verify-modules-signature-pr = "bash scripts/run_verify_modules_policy.sh pr {args}"
+verify-modules-signature-push = "bash scripts/run_verify_modules_policy.sh push-orchestrator {args}"
+
 # Module migration pre-deletion gate
 verify-removal-gate = [
     "python scripts/verify-bundle-published.py --modules project,plan,import_cmd,sync,migrate,backlog,policy_engine,analyze,drift,validate,repro,contract,spec,sdd,generate,enforce,patch_mode",
-    "python scripts/verify-modules-signature.py --require-signature",
+    "hatch run verify-modules-signature",
 ]
 export-change-github = "python scripts/export-change-to-github.py {args}"
 
@@ -314,13 +330,12 @@ dependencies = [
     "beartype>=0.22.4", 
     "crosshair-tool>=0.0.97",
     "hypothesis>=6.142.4",
-    "yamllint>=1.37.1",
+    "yamllint>=1.37.1",  # GPL-3.0-or-later — dev/test-only exception. Phase 2: replace with non-GPL YAML lint path.
     # Enhanced Analysis Tools (for testing)
-    # Note: syft excluded from test due to rich version conflict with semgrep
-    # Install separately: pip install specfact-cli[enhanced-analysis] if needed
     "graphviz>=0.20.1",  # Graph visualization (requires system Graphviz: apt-get install graphviz)
-    "pyan3>=1.2.0",  # Python call graph analysis
-    "bearer>=3.1.0",  # Data flow analysis for security
+    "pycg==0.0.7",  # Python call graph analysis (Apache-2.0; replaces removed GPL-2.0 pyan3; pin avoids 0.0.8)
+    # Removed from Hatch test: pyan3 (GPL-2.0), bearer, and syft (wrong PyPI packages)
+    "commentjson>=0.9.0",  # JSONC parser (MIT; replaces json5 for VS Code settings JSONC support)
 ]
 dev-mode = true
 parallel = true

specfact_cli-0.46.9/resources/bundled-module-registry/index.json

@@ -0,0 +1,20 @@
+{
+  "modules": [
+    {
+      "id": "init",
+      "latest_version": "0.1.30"
+    },
+    {
+      "id": "upgrade",
+      "latest_version": "0.1.4"
+    },
+    {
+      "id": "module-registry",
+      "latest_version": "0.1.19"
+    },
+    {
+      "id": "bundle-mapper",
+      "latest_version": "0.1.9"
+    }
+  ]
+}

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/src/__init__.py

@@ -3,4 +3,4 @@ SpecFact CLI - Spec→Contract→Sentinel tool for contract-driven development.
 """
 
 # Package version: keep in sync with pyproject.toml, setup.py, src/specfact_cli/__init__.py
-__version__ = "0.46.2"
+__version__ = "0.46.9"

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/src/specfact_cli/__init__.py

@@ -45,6 +45,6 @@ def _bootstrap_bundle_paths() -> None:
 
 _bootstrap_bundle_paths()
 
-__version__ = "0.46.2"
+__version__ = "0.46.9"
 
 __all__ = ["__version__"]

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/src/specfact_cli/analyzers/code_analyzer.py

@@ -32,6 +32,24 @@ from specfact_cli.utils.feature_keys import to_classname_key, to_sequential_key
 console = Console()
 
 
+def _ensure_semgrep_runtime_dir(repo_path: Path, relative: str) -> str:
+    """Create and return a stable repo-local runtime directory for Semgrep."""
+    path = (repo_path / relative).resolve()
+    path.mkdir(parents=True, exist_ok=True)
+    return str(path)
+
+
+def _build_semgrep_env(repo_path: Path) -> dict[str, str]:
+    """Build a repo-local Semgrep runtime env so CLI startup stays deterministic."""
+    env = dict(os.environ)
+    env["XDG_CONFIG_HOME"] = _ensure_semgrep_runtime_dir(repo_path, ".specfact/config")
+    env["XDG_CACHE_HOME"] = _ensure_semgrep_runtime_dir(repo_path, ".specfact/cache")
+    env["SEMGREP_VERSION_CACHE_PATH"] = _ensure_semgrep_runtime_dir(repo_path, ".specfact/cache/semgrep")
+    semgrep_log_dir = _ensure_semgrep_runtime_dir(repo_path, ".specfact/logs")
+    env["SEMGREP_LOG_FILE"] = str((Path(semgrep_log_dir) / "semgrep.log").resolve())
+    return env
+
+
 @dataclass
 class _SemgrepFeatureBuckets:
     api_endpoints: list[str] = field(default_factory=list)
@@ -457,6 +475,7 @@ class CodeAnalyzer:
                 capture_output=True,
                 text=True,
                 timeout=5,  # Increased timeout to 5s (Semgrep may need time to initialize)
+                env=_build_semgrep_env(self.repo_path),
             )
             return result.returncode == 0
         except (FileNotFoundError, subprocess.TimeoutExpired, OSError):
@@ -507,16 +526,16 @@ class CodeAnalyzer:
             }
         )
 
-        # Dependency Graph Analysis (requires pyan3 and networkx)
-        pyan3_available, _ = check_cli_tool_available("pyan3")
+        # Dependency Graph Analysis (requires pycg and networkx)
+        pycg_available, _ = check_cli_tool_available("pycg")
         networkx_available = check_python_package_available("networkx")
-        graph_enabled = pyan3_available and networkx_available
+        graph_enabled = pycg_available and networkx_available
         graph_used = graph_enabled  # Used if both dependencies are available
 
-        if not pyan3_available and not networkx_available:
-            reason = "pyan3 and networkx not installed (install: pip install pyan3 networkx)"
-        elif not pyan3_available:
-            reason = "pyan3 not installed (install: pip install pyan3)"
+        if not pycg_available and not networkx_available:
+            reason = "pycg and networkx not installed (install: pip install pycg networkx)"
+        elif not pycg_available:
+            reason = "pycg not installed (install: pip install pycg)"
         elif not networkx_available:
             reason = "networkx not installed (install: pip install networkx)"
         else:
@@ -566,6 +585,7 @@ class CodeAnalyzer:
                 capture_output=True,
                 text=True,
                 timeout=timeout,
+                env=_build_semgrep_env(self.repo_path),
             )
 
             # Semgrep may return non-zero for valid findings

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/src/specfact_cli/analyzers/graph_analyzer.py

@@ -3,6 +3,8 @@ Graph-based dependency and call graph analysis.
 
 Enhances AST and Semgrep analysis with graph-based dependency tracking,
 call graph extraction, and architecture visualization.
+
+Call graph extraction uses pycg (MIT) via subprocess. pyan3 (GPL-2.0) removed.
 """
 
 from __future__ import annotations
@@ -28,7 +30,7 @@ class GraphAnalyzer:
     """
     Graph-based dependency and call graph analysis.
 
-    Uses pyan for call graphs, NetworkX for dependency graphs,
+    Uses pycg for call graphs, NetworkX for dependency graphs,
     and provides graph-based insights to complement AST and Semgrep.
     """
 
@@ -55,7 +57,7 @@ class GraphAnalyzer:
     @ensure(lambda result: isinstance(result, dict), "Must return dict")
     def extract_call_graph(self, file_path: Path) -> dict[str, list[str]]:
         """
-        Extract call graph using pyan.
+        Extract call graph using pycg (MIT).
 
         Args:
             file_path: Path to Python file
@@ -63,75 +65,67 @@ class GraphAnalyzer:
         Returns:
             Dictionary mapping function names to list of called functions
         """
-        # Check if pyan3 is available using utility function
         from specfact_cli.utils.optional_deps import check_cli_tool_available
 
-        is_available, _ = check_cli_tool_available("pyan3")
+        is_available, _ = check_cli_tool_available("pycg")
         if not is_available:
-            # pyan3 not available, return empty
+            # pycg not available — return empty (graceful degradation)
             return {}
 
-        # Run pyan to generate DOT file
-        with tempfile.NamedTemporaryFile(mode="w", suffix=".dot", delete=False) as dot_file:
-            dot_path = Path(dot_file.name)
+        # Run pycg to generate JSON call graph
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as json_file:
+            json_path = Path(json_file.name)
             try:
                 result = subprocess.run(
-                    ["pyan3", str(file_path), "--dot", "--no-defines", "--uses", "--defines"],
-                    stdout=dot_file,
+                    ["pycg", "--package", str(self.repo_path), str(file_path), "--output", str(json_path)],
                     stderr=subprocess.PIPE,
                     text=True,
-                    timeout=15,  # Reduced from 30 to 15 seconds for faster processing
+                    timeout=15,
                 )
 
                 if result.returncode == 0:
-                    # Parse DOT file to extract call relationships
-                    call_graph = self._parse_dot_file(dot_path)
+                    call_graph = self._parse_pycg_json(json_path)
                     file_key = str(file_path.relative_to(self.repo_path))
                     self.call_graphs[file_key] = call_graph
                     return call_graph
             finally:
-                # Clean up temp file
-                if dot_path.exists():
-                    dot_path.unlink()
+                if json_path.exists():
+                    json_path.unlink()
 
         return {}
 
     @beartype
-    @require(lambda dot_path: isinstance(dot_path, Path), "DOT path must be Path")
+    @require(lambda json_path: isinstance(json_path, Path), "JSON path must be Path")
     @ensure(lambda result: isinstance(result, dict), "Must return dict")
-    def _parse_dot_file(self, dot_path: Path) -> dict[str, list[str]]:
+    def _parse_pycg_json(self, json_path: Path) -> dict[str, list[str]]:
         """
-        Parse DOT file to extract call graph.
+        Parse pycg JSON output into caller → [callees] format.
+
+        PyCG's simple JSON format is an adjacency list: edge ``(src, dst)`` is
+        ``dst`` in the list for key ``src`` (caller → callees). See PyCG README
+        "Simple JSON format".
 
         Args:
-            dot_path: Path to DOT file
+            json_path: Path to pycg JSON output file
 
         Returns:
             Dictionary mapping function names to list of called functions
         """
-        call_graph: dict[str, list[str]] = defaultdict(list)
+        import json
 
-        if not dot_path.exists():
+        if not json_path.exists():
             return {}
 
         try:
-            content = dot_path.read_text(encoding="utf-8")
-            # Parse DOT format: "function_a" -> "function_b"
-            import re
-
-            # Pattern: "function_a" -> "function_b"
-            edge_pattern = r'"([^"]+)"\s*->\s*"([^"]+)"'
-            matches = re.finditer(edge_pattern, content)
-
-            for match in matches:
-                caller = match.group(1)
-                callee = match.group(2)
-                # Filter out internal Python functions (start with __)
+            raw: dict[str, list[str]] = json.loads(json_path.read_text(encoding="utf-8"))
+        except (json.JSONDecodeError, UnicodeDecodeError, OSError):
+            return {}
+
+        call_graph: dict[str, list[str]] = defaultdict(list)
+        for caller, callees in raw.items():
+            for callee in callees:
                 if not caller.startswith("__") and not callee.startswith("__"):
                     call_graph[caller].append(callee)
-        except (UnicodeDecodeError, Exception):
-            # Skip if parsing fails
-            pass
 
         return dict(call_graph)
 
@@ -209,7 +203,7 @@ class GraphAnalyzer:
         wait_on_shutdown: bool,
         progress_callback: Any | None,
     ) -> None:
-        """Populate graph with edges derived from pyan call graphs (parallel phase 2)."""
+        """Populate graph with edges derived from pycg call graphs (parallel phase 2)."""
         from concurrent.futures import ThreadPoolExecutor, as_completed
 
         loaded_contents = self._load_python_file_contents_index(python_files)
@@ -238,7 +232,7 @@ class GraphAnalyzer:
         """
         Build comprehensive dependency graph using NetworkX.
 
-        Combines AST-based imports with pyan call graphs for complete
+        Combines AST-based imports with pycg call graphs for complete
         dependency tracking.
 
         Args:

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/src/specfact_cli/cli.py

@@ -66,6 +66,7 @@ from specfact_cli.registry import CommandRegistry
 from specfact_cli.registry.alias_manager import resolve_command
 from specfact_cli.registry.bootstrap import register_builtin_commands
 from specfact_cli.registry.metadata import CommandMetadata
+from specfact_cli.registry.module_availability import ModuleAvailabilityStatus, classify_module_availability
 from specfact_cli.runtime import get_configured_console, init_debug_log_file, set_debug_mode
 from specfact_cli.utils.progressive_disclosure import ProgressiveDisclosureGroup
 from specfact_cli.utils.structured_io import StructuredFormat
@@ -124,6 +125,28 @@ def _print_missing_bundle_command_help(invoked: str) -> None:
     module_id = _INVOKED_TO_MARKETPLACE_MODULE.get(invoked)
     console = get_configured_console()
     if module_id is not None:
+        availability = classify_module_availability(module_id=module_id, command_name=invoked)
+        if availability.status is ModuleAvailabilityStatus.DISABLED:
+            console.print(
+                f"[bold red]Module '{availability.module_id or module_id}' is installed but disabled.[/bold red]\n"
+                f"The [bold]{invoked}[/bold] command group is provided by that module. "
+                f"Enable with [bold]{availability.recovery_command}[/bold]."
+            )
+            return
+        if availability.status is ModuleAvailabilityStatus.SKIPPED:
+            console.print(
+                f"[bold red]Module '{availability.module_id or module_id}' is installed but skipped.[/bold red]\n"
+                f"Reason: {availability.reason}. "
+                "Inspect with [bold]specfact module list --show-origin[/bold]."
+            )
+            return
+        if availability.status is ModuleAvailabilityStatus.SHADOWED:
+            console.print(
+                f"[bold red]Module '{availability.module_id or module_id}' is shadowed in this workspace.[/bold red]\n"
+                f"Shadowed by: {availability.shadowed_by}. "
+                "Inspect with [bold]specfact module list --show-origin[/bold]."
+            )
+            return
         console.print(
             f"[bold red]Module '{module_id}' is not installed.[/bold red]\n"
             f"The [bold]{invoked}[/bold] command group is provided by that module. "

{specfact_cli-0.46.2 → specfact_cli-0.46.9}/src/specfact_cli/modules/init/module-package.yaml

@@ -1,5 +1,5 @@
 name: init
-version: 0.1.30
+version: 0.1.31
 commands:
   - init
 category: core
@@ -17,5 +17,5 @@ publisher:
 description: Initialize SpecFact workspace and bootstrap local configuration.
 license: Apache-2.0
 integrity:
-  checksum: sha256:9e03421972d3254082307834b474e7673957de8c11ffacc563f2da3f35e7cf05
-  signature: ikUYhUJ8AFU9RkB+ZBnp0lKrDLT7ZIqkauRYUMRY/swrIjRCTRzHIpNcvCmujK6h1w6EtT/+wGG1v5bZtZB8CQ==
+  checksum: sha256:0f7bc54a823bea14033fcb143ecb6c83d2bca2b5da661f03a0b545100acebe5b
+  signature: dTatkqgBUtti4tL/pmcFBZY9bsJ61gY/V0lP9gZU8Y5W3YWK+wpgRx1oewlAmfKzkxca2NhalKcjLACQjTNvAA==