# Phase 2 — dependency identification and externalization

## Goal

Shrink the app-authored surface by identifying vendored third-party code, recording package-match decisions, and externalizing only high-confidence matches while preserving safe fallbacks.

## Scripts

- `scripts/identify-dependencies.js`
- `scripts/externalize-dependencies.js`

## Inputs

- `--manifest /manifest.json>`
- `--segments /segments.jsonl>`
- `--bundle ` optional
- optional npm metadata, tarballs, or CDN mirrors
- optional runtime traces

## Responsibilities

1. score vendored candidates using static evidence first
2. use runtime evidence only as a tie-breaker
3. record accepted, rejected, and unresolved decisions in machine-readable manifests
4. externalize accepted dependencies only
5. preserve bundled fallback code so execution remains safe

## Release-oriented requirements

- dependency decisions should be reusable across nearby upstream snapshots when hashes and evidence remain compatible
- dependency reports should feed the compact upstream summary for published releases
- do not block later phases on perfect package-version recovery

## Verification

- verify accepted matches externalize cleanly
- verify unresolved matches stay in the bundled fallback path
- confirm dependency decisions are deterministic for the same ingest output
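
The decision order listed under Responsibilities (static evidence first, runtime traces only as a tie-breaker, three recorded outcomes, bundled fallback always kept) can be sketched as follows. This is an added example, not the code of `scripts/identify-dependencies.js`; the field names, weights, thresholds and the sample segment are assumptions.

```javascript
// Added illustration. Field names, weights and thresholds are assumptions,
// not values from scripts/identify-dependencies.js.
const ACCEPT = 0.8; // assumed high-confidence bar for externalizing
const REJECT = 0.3; // assumed floor below which a match is rejected
const TIE = 0.05;   // assumed margin inside which candidates count as tied

// Static evidence only: an exact content hash is decisive; otherwise a
// license banner and export-name overlap (0..1) add up, capped below 1.
function staticScore(ev) {
  if (ev.hashMatch) return 1;
  return Math.min(0.99, (ev.licenseBanner ? 0.4 : 0) + 0.5 * (ev.exportOverlap || 0));
}

// Code-unit comparison keeps ordering independent of the host locale.
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

function decide(segment) {
  const ranked = segment.candidates
    .map((c) => ({ ...c, score: staticScore(c.static) }))
    .sort((a, b) => b.score - a.score || cmp(a.name, b.name) || cmp(a.version, b.version));
  // Every record keeps the bundled copy as the fallback path.
  const base = { segment: segment.id, fallback: "bundled", externalize: false };
  if (!ranked.length || ranked[0].score < REJECT) return { ...base, status: "rejected" };

  let top = ranked[0];
  let usedRuntime = false;
  const tied = ranked.filter((c) => top.score - c.score <= TIE);
  if (tied.length > 1) {
    // Runtime traces are consulted only here, to separate static ties.
    const seen = tied.filter((c) => c.runtimeSeen);
    if (seen.length !== 1) return { ...base, status: "unresolved" };
    top = seen[0];
    usedRuntime = true;
  }
  const pkg = `${top.name}@${top.version}`;
  if (top.score < ACCEPT) return { ...base, status: "unresolved", package: pkg };
  return { ...base, status: "accepted", externalize: true, package: pkg, usedRuntime };
}

// Constructed sample segment: two versions tie on static evidence.
const sample = {
  id: "seg-0007",
  candidates: [
    { name: "lodash", version: "4.17.20", static: { licenseBanner: true, exportOverlap: 0.9 } },
    { name: "lodash", version: "4.17.21", static: { licenseBanner: true, exportOverlap: 0.9 }, runtimeSeen: true },
  ],
};
console.log(JSON.stringify(decide(sample)));
```

A runtime sighting never lifts a candidate over the acceptance bar on its own: a single candidate with a middling static score stays `unresolved` and keeps running from the bundled copy.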