feat(enrichment): native-build / install-cost dependency analyzer #1742

Open
nickmopen wants to merge 1 commit into JSONbored:main from nickmopen:feat/enrichment-native-build

Conversation

@nickmopen

Contributor

Summary

Adds a REES analyzer (#1512) that flags the dependencies a PR adds/upgrades whose install does real work the manifest diff never shows — a hidden CI cold-start cost and a frequent cross-platform breakage source. Additive + fail-safe: fills its own nativeBuild findings key and degrades independently.

Detects (factual registry-metadata signals only)

  • npm — native addon: a version with gypfile: true, or an install/preinstall/postinstall script that runs a native toolchain (node-gyp, cmake-js, node-pre-gyp, prebuild…). When a prebuilt-binary path exists (node-pre-gyp/prebuild-install, or a binary field), the finding notes the compile is a fallback for an unmatched platform/Node ABI rather than guaranteed — so bcrypt/sqlite3-style packages aren't mischaracterized.
  • PyPI — sdist-only: a version that ships no bdist_wheel (only an sdist), so pip compiles from source on install.

These are objective properties read from the npm packument and the PyPI per-version JSON (not heuristics), so there are no fuzzy false positives. Unknown/non-ok registry responses fail safe (no finding).

Implementation (established review-enrichment/ pattern)

  1. NativeBuildFinding type + nativeBuild? key in src/types.ts
  2. src/analyzers/native-build.ts — pure helpers (npmNativeBuild, pypiSdistOnly) + scanNativeBuild(req, fetch, opts); reuses extractDependencyChanges
  3. Registered in the src/brief.ts ANALYZERS registry
  4. Public-safe block in src/render.ts (renders package@version + reason only)
  5. node:test units in a separate test/native-build.test.ts

Validation

From review-enrichment/ (Node 24):

npm test   # build + node --test: 164 pass / 0 fail (13 new native-build units)

Covers gypfile/native-tool detection, prebuilt-fallback nuance, pure-JS negatives, PyPI sdist-only vs wheel, Go/invalid-name skips, fetch 404/throw/abort fail-safe, and the rendered block.

Closes #1512
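As an added illustration (not code from this PR or the review-enrichment project), the two registry signals described above written as pure helpers over constructed input: the packument/PyPI field shapes, the finding shape, and the choice to treat `prebuild` like `prebuild-install`/`node-pre-gyp` as a prebuilt-first tool are assumptions of this example.

```typescript
// Added example: registry-metadata checks for install-time native work.
// Not the project's own code; input shapes are assumptions based on the
// npm packument "versions" entries and the PyPI per-version JSON "urls".

export interface NpmVersionMeta {
  gypfile?: boolean;                  // binding.gyp shipped -> node-gyp on install
  binary?: unknown;                   // node-pre-gyp / prebuild download config
  scripts?: Record<string, string>;   // lifecycle scripts from package.json
}

export interface PypiFile {
  packagetype: string;                // "sdist" | "bdist_wheel" | ...
  filename: string;
}

export interface NativeBuildFinding {
  reason: string;
  guaranteed: boolean;                // false = compile happens only as a fallback
}

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"] as const;
// Tools whose presence in an install hook means a native toolchain may run.
const NATIVE_TOOL_RE = /\b(node-gyp|cmake-js|node-pre-gyp|prebuild-install|prebuild)\b/;
// Tools that try a prebuilt binary first; source compile is the fallback (assumption).
const PREBUILT_TOOL_RE = /\b(node-pre-gyp|prebuild-install|prebuild)\b/;

export function npmNativeBuild(v: NpmVersionMeta): NativeBuildFinding | null {
  const hooks = INSTALL_HOOKS.map((h) => v.scripts?.[h] ?? "").filter(Boolean);
  const nativeScript = hooks.some((s) => NATIVE_TOOL_RE.test(s));
  if (!v.gypfile && !nativeScript) return null;       // pure JS: no finding
  // A binary field or a prebuilt-fetching tool means the compile is a fallback,
  // so bcrypt/sqlite3-style packages are not reported as unconditional builds.
  const prebuilt = v.binary !== undefined || hooks.some((s) => PREBUILT_TOOL_RE.test(s));
  const what = v.gypfile ? "gypfile: true" : "install script runs a native toolchain";
  return prebuilt
    ? { reason: `${what}; prebuilt binary tried first, compiles only for an unmatched platform/Node ABI`, guaranteed: false }
    : { reason: `${what}; compiles a native addon on every install`, guaranteed: true };
}

export function pypiSdistOnly(files: PypiFile[]): NativeBuildFinding | null {
  if (files.length === 0) return null;                // unknown release: fail safe
  if (files.some((f) => f.packagetype === "bdist_wheel")) return null;
  return { reason: "sdist-only release: pip builds from source on install", guaranteed: true };
}
```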

@nickmopen nickmopen requested a review from JSONbored as a code owner June 29, 2026 11:53
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Jun 29, 2026
@gittensory-orb

gittensory-orb Bot commented Jun 29, 2026


✅ Gittensory review result - approve/merge recommended

Review updated: 2026-06-29 15:17:48 UTC

5 files · 1 AI reviewer · no blockers · readiness 55/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
This adds a native-build enrichment analyzer, wires it into the analyzer registry, renders the new finding block, and covers the pure npm/PyPI helpers plus basic scan behavior. The implementation follows the existing best-effort analyzer shape and fails closed on registry errors. The main correctness gap is coverage of reachable production branches rather than the core analyzer logic itself.

Nits — 6 non-blocking
  • nit: review-enrichment/src/analyzers/native-build.ts:52 treats any script containing `prebuild` as native work, but `PREBUILT_TOOL_RE` only gives fallback nuance to `prebuild-install`, so packages using the `prebuild` CLI can be reported as guaranteed source compiles even when the install path is prebuilt-first.
  • nit: review-enrichment/test/native-build.test.ts:56 only checks the rendered package names, so it does not verify that `renderBrief` preserves the native-build reason text or sanitizes unsafe package/version content in this new block.
  • nit: review-enrichment/test/native-build.test.ts:130 covers an already-aborted signal but not an abort after one registry query, leaving the loop-break behavior in `scanNativeBuild` unexercised on the multi-change path.
  • In review-enrichment/src/analyzers/native-build.ts:52, either include `prebuild` in `PREBUILT_TOOL_RE` or split the reason logic so `prebuild` scripts are not over-described as unconditional source compiles.
  • Add a render test in review-enrichment/test/native-build.test.ts that asserts the native-build reason appears and that backticks/control characters in `package@version` are sanitized through `safeCodeSpan`.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
| Signal | Result | Evidence |
|---|---|---|
| Code review | ✅ No blockers | 1 reviewer |
| Linked issue | ✅ Linked | #1512 |
| Related work | ⚠️ 3 scoped overlaps | Top overlaps are listed below; lower-confidence bulk is hidden. |
| Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels; size label size:L. |
| Validation evidence | ❌ 5/25 | Cached preflight status is hold. |
| Open PR queue | ❌ 3/10 | 24 open PR(s), 11 likely reviewable, 13 unlinked. |
| Contributor context | ✅ Confirmed | Gittensor contributor nickmopen; Gittensor profile; 71 PR(s), 1 issue(s). |
| Gate result | ✅ Passing | No configured blocker found. |
Review context
Contributor next steps
  • Review top overlaps.
  • Add scope summary.
  • Fix blocker.
  • Expect slower review.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:feature Gittensor-scored feature linked to a feature issue - worth 1.25x multiplier. labels Jun 29, 2026
Add a REES analyzer that flags the dependencies a PR adds/upgrades whose install does real work the
manifest diff never shows — a hidden CI cold-start cost and a frequent cross-platform breakage source:

- npm: a version that compiles a native addon on install (gypfile, or an install/preinstall/postinstall
  script that runs node-gyp/cmake-js/etc). When a prebuilt-binary path exists (node-pre-gyp/prebuild or
  a `binary` field) the reason notes the compile is a fallback for an unmatched platform/ABI.
- PyPI: a version that ships no prebuilt wheel (sdist-only), so pip compiles from source on install.

Factual registry-metadata signals only (npm packument, PyPI per-version JSON) via an injected fetch;
non-ok/unknown states fail safe (no finding). Reuses extractDependencyChanges, registered in the brief
orchestrator, rendered as a public-safe block (package@version + reason). Tests in their own file.

Closes JSONbored#1512
Development

Successfully merging this pull request may close these issues.

feat(enrichment): Native-build / install-cost dependency flag