feat(enrichment): detect heavy deps used trivially

[tmimmanuel]

Summary

• Add a REES analyzer that flags newly added/upgraded npm dependencies when the PR only imports/requires them one or two times but the package is materially heavy.
• Fetch Bundlephobia size metadata and render install, bundle, gzip, dependency-count, and file:line usage evidence in the external review brief.
• Wire the analyzer into buildBrief and add regression coverage for usage counting, size lookup degradation, rendering, and analyzer integration.
• Repair pre-existing malformed REES test harness fragments so the standalone enrichment suite runs.

Fixes #1505

Scope

• The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
• This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
• This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
• I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

• git diff --check
• npm run actionlint
• npm run typecheck
• npm run test:coverage locally; codecov/patch requires ≥97% coverage of the lines AND branches you changed (aim for 98%+ on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
• npm run test:workers
• npm run build:mcp
• npm run test:mcp-pack
• npm run ui:openapi:check
• npm run ui:lint
• npm run ui:typecheck
• npm run ui:build
• npm audit --audit-level=moderate
• New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

• None skipped locally. Also ran cd review-enrichment && npm test for the standalone REES package (build + 107 node:test cases passing).

Safety

• No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
• Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
• Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
• API/OpenAPI/MCP behavior is updated and tested where needed.
• UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
• Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
• Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

Required for visible UI, frontend, docs, or extension changes. Attach GitHub-hosted JPG/JPEG or PNG screenshots here; SVG screenshots are not accepted as review evidence. Use a compact table/grid of clickable thumbnails with a short state/title such as "Loaded state", "Empty state", "Error state", "Mobile layout", or "PR sidebar". Prefer annotated screenshots with a colored box, outline, arrow, or highlighter showing what changed. Recordings can be supplemental, but screenshots are still expected for visual review. Do not commit review-only screenshots, recordings, or docs/review-evidence/** files.

State / title	JPG/PNG evidence
Not applicable	No visible UI, frontend, docs, or extension changes.

Notes

• The analyzer is fail-safe: package size lookup failures return no finding instead of blocking enrichment.
• Direct usage is counted only from added patch lines and reports bounded file:line evidence in the review brief.
• npm run test:coverage passed with 4,987 tests passing and 4 skipped; global coverage was 96.1% statements / 95.14% branches.

[gittensory-orb]

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

_{Review updated: 2026-06-29 12:39:29 UTC}

5 files · 1 AI reviewer · no blockers · readiness 55/100 · CI green · clean

✅ Suggested Action - Approve/Merge

• safe to merge

Review summary
This adds a new REES analyzer for newly added/upgraded npm dependencies that are heavy but only used directly a small number of times, then renders the size and usage evidence into the external brief. The orchestration and rendering are wired cleanly, and the tests cover the happy path, degradation, and integration path. The main weakness is that the analyzer currently only accepts exact semver versions, which leaves a common package.json path under-covered unless dependency scanning normalizes ranges before this point.

Nits — 6 non-blocking

• nit: review-enrichment/src/analyzers/heavy-dependency.ts:35 should either normalize common npm ranges like ^1.2.3/~1.2.3 before Bundlephobia lookup or add a test proving extractDependencyChanges already returns an exact resolved version, because most package.json dependency additions are not bare semver strings.
• nit: review-enrichment/src/analyzers/heavy-dependency.ts:64 only detects double/single-quoted import and require forms, so `import type ... from`, `export ... from`, or template-literal dynamic imports are intentionally missed; document that limitation or add cases for the static forms you want counted.
• nit: review-enrichment/src/render.ts:42 introduces decimal MB/KB formatting while this file already has binary `formatBytes`; consider sharing one formatter or naming this one to make the Bundlephobia decimal-units choice explicit.
• nit: review-enrichment/test/enrichment.test.ts:548 should include a package.json dependency with a caret or tilde range if that is expected to work on the real path.
• review-enrichment/src/analyzers/heavy-dependency.ts:35: add a small `normalizeNpmVersionForLookup` helper for safe range prefixes, or explicitly keep rejecting ranges and cover that behavior in tests.
• Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.

Signal	Result	Evidence
Code review	✅ No blockers	1 reviewer
Linked issue	✅ Linked	#1505
Related work	⚠️ 3 scoped overlaps	Top overlaps are listed below; lower-confidence bulk is hidden.
Review load	❌ 8/20	Readiness component derived from cached public PR metadata and labels; size label size:L.
Validation evidence	❌ 5/25	Cached preflight status is hold.
Open PR queue	❌ 3/10	21 open PR(s), 9 likely reviewable, 12 unlinked.
Contributor context	✅ Confirmed Gittensor contributor	tmimmanuel; Gittensor profile; 36 PR(s), 34 issue(s).
Gate result	✅ Passing	No configured blocker found.

Review context

• Author: tmimmanuel
• Role context: outside_contributor
• Public audience mode: oss maintainer
• Lane context: Repository registration is not available in the local Gittensory cache.
• Public profile languages: Python, TypeScript, Java, JavaScript, Rust, C++, Astro, Kotlin
• Official Gittensor activity: 36 PR(s), 34 issue(s).
• Related work: Items reference the same linked issue feat(enrichment): Heavy-dependency-for-trivial-use detector #1505. (issue #1505)
• Related work: Open PR work references issue feat(enrichment): Heavy-dependency-for-trivial-use detector #1505. (issue #1505)
• Related work: Items reference the same linked issue feat(enrichment): Native-build / install-cost dependency flag #1512. (issue #1512, PR #1742)
• Additional title-only matches omitted; title-only overlap does not block.

Contributor next steps

• Review top overlaps.
• Add scope summary.
• Fix blocker.
• Expect slower review.
• Refresh registry data or choose a registered active repo.
• Check active issues and PRs before submitting.

Signal definitions

• Related work = same linked issue, overlapping active PRs, or title/path similarity.
• Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
• Open PR queue = repo-wide review pressure; it is not a PR quality failure.
• Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

_{🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed}

---

💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

• Re-run Gittensory review