
`crimes@0.6.0` — Detector and scoring completion

Draft release notes for the GitHub Release tagged v0.6.0. The body below is what should go in the Releases page when you cut the tag — that triggers .github/workflows/release.yml and publishes to npm via Trusted Publishing.

crimes@0.6.0 is the detector-and-scoring completion release. Three product-surface releases in a row (0.3.0, 0.4.0, 0.5.0) left two PRD-named milestones outstanding: M2 (the risk model — real per-finding churn / test_gap / blast_radius) and the long tail of named detectors in PRD.md §8. 0.6.0 closes both and adds the full /docs/ Starlight site under crimes.sh/docs/.

Highlights:

  • 18 new detector types, grouped into four categories:
    • Architecture / dependency graph (4): layer_violation, circular_dependency, deep_import, high_fan_in_fan_out.
    • IA completion (5): orphaned_destination, parallel_destination, permission_ia_drift, action_label_drift, command_drift_docs_code_drift.
    • Frontend / UI agent-risk (6): design_token_escape, accessible_interaction_risk, duplicate_component_shape, responsive_fragility, copy_ia_drift, visual_regression_review_hint (removed in 0.7.5 — its churn-based trigger was a poor proxy for “needs visual review”).
    • Duplication (3): exact_duplicate_block, near_duplicate_block, duplicated_role_status_plan_check.
  • Per-finding scores — every Finding.scores now carries real blast_radius, churn, and test_gap values backed by the import graph, git history, and the test-file index. The agent_risk score rolls them into a single ordinal ranking. See docs/scoring.md.
  • Shape-aware large_function for CLI registrars — the cli_command_registrar shape recognises Commander-style register*Command(program) wrappers and their .action(...) callbacks. Threshold raised from the domain default (60) to 200, severity capped at low / medium. Fixes the dominant false-positive cluster from the crimes@0.5.0 self-scan.
  • Shape-aware large_file for test suites — the new test_file shape matches **/*.{test,spec}.[jt]sx? and __tests__/**, applies a 1500-line threshold (vs. 300 for domain code), and caps severity at low / medium. Tunable via thresholds.largeFile.<shape>. Addresses the dogfood pattern of legitimately-large test files (e.g. reporter.test.ts at 910 lines) tripping the God File charge.
  • todo_density self-reference exemption — files whose source contains the literal TODO|FIXME|XXX|HACK token sequence (the detector source itself, or fixtures/tests of it) are now skipped. Stops the detector from flagging its own implementation. Prose that mentions one marker name in passing is unaffected.
  • crimes hotspots <subdir> enclosing-repo lookup — running crimes hotspots packages from a monorepo root no longer reports “not a git repo” and falls back to severity-only ranking. The command walks upward to find the enclosing repo, runs git log there with a pathspec scoped to the passed directory, and re-roots paths to the scan root.
  • detectors.disable breadcrumb — crimes scan / context / diff now emit a one-line stderr notice when crimes.config.json has wholesale-disabled ≥ 3 detectors, steering teams toward per-finding crimes ignore for narrow exceptions. Suppressed when stdout is piped or --no-color is set.
  • Full /docs site at crimes.sh/docs/ — every existing markdown page in docs/ is now routed under crimes.sh/docs/ via Astro + Starlight. The landing page at crimes.sh/ is unchanged — Astro’s base: '/docs' keeps the two surfaces disjoint.
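Two of the signals named in the list above (the import graph behind per-finding blast_radius, and the circular_dependency detector whose ≥ 3-file cycles are the only findings this release rates high) can be shown on a small constructed graph. This is an added illustration, not crimes' code: the file names are made up, blast_radius is taken here to mean "number of distinct transitive importers", and the cycle finder is Tarjan's SCC algorithm; the real detectors may weight or phrase things differently.

```typescript
// Added example: an import graph with two of the signals the release notes
// describe. Graph contents, the blast_radius definition and the severity
// mapping are constructed assumptions, not crimes' own implementation.

type ImportGraph = Map<string, string[]>; // file -> files it imports

// Constructed sample graph: a logger imported by most of the app, a
// three-file cycle (users -> auth -> session -> users), and a CLI entry point.
export const sampleGraph: ImportGraph = new Map([
  ["src/util/log.ts", []],
  ["src/db/client.ts", ["src/util/log.ts"]],
  ["src/api/users.ts", ["src/db/client.ts", "src/util/log.ts", "src/api/auth.ts"]],
  ["src/api/auth.ts", ["src/api/session.ts"]],
  ["src/api/session.ts", ["src/api/users.ts"]],
  ["src/cli/main.ts", ["src/api/users.ts"]],
]);

// blast_radius here = number of distinct files that transitively import
// `file` (reverse reachability). A change to a high-blast-radius file can
// break many callers, which is why it feeds the agent_risk ranking.
export function blastRadius(graph: ImportGraph, file: string): number {
  const reverse = new Map<string, string[]>();
  for (const [from, deps] of graph) {
    for (const to of deps) {
      if (!reverse.has(to)) reverse.set(to, []);
      reverse.get(to)!.push(from);
    }
  }
  const seen = new Set<string>();
  const stack = [file];
  while (stack.length) {
    const cur = stack.pop()!;
    for (const importer of reverse.get(cur) ?? []) {
      if (!seen.has(importer)) {
        seen.add(importer);
        stack.push(importer);
      }
    }
  }
  seen.delete(file); // inside a cycle a file reaches itself; it is not its own dependent
  return seen.size;
}

export interface CycleFinding {
  files: string[];
  severity: "medium" | "high";
}

// Tarjan's strongly connected components: every SCC with more than one file
// is a circular dependency. Per the release notes, high is reserved for
// cycles spanning >= 3 files; smaller cycles stay at medium (assumed).
export function circularDependencies(graph: ImportGraph): CycleFinding[] {
  let index = 0;
  const idx = new Map<string, number>();
  const low = new Map<string, number>();
  const onStack = new Set<string>();
  const stack: string[] = [];
  const findings: CycleFinding[] = [];

  const visit = (v: string): void => {
    idx.set(v, index);
    low.set(v, index);
    index++;
    stack.push(v);
    onStack.add(v);
    for (const w of graph.get(v) ?? []) {
      if (!idx.has(w)) {
        visit(w);
        low.set(v, Math.min(low.get(v)!, low.get(w)!));
      } else if (onStack.has(w)) {
        low.set(v, Math.min(low.get(v)!, idx.get(w)!));
      }
    }
    if (low.get(v) === idx.get(v)) {
      const component: string[] = [];
      let w = "";
      do {
        w = stack.pop()!;
        onStack.delete(w);
        component.push(w);
      } while (w !== v);
      if (component.length > 1) {
        component.sort();
        findings.push({ files: component, severity: component.length >= 3 ? "high" : "medium" });
      }
    }
  };

  for (const v of graph.keys()) if (!idx.has(v)) visit(v);
  return findings;
}
```

Running `blastRadius(sampleGraph, "src/util/log.ts")` gives 5 (everything but the logger itself), while the CLI entry point scores 0; `circularDependencies(sampleGraph)` reports the single three-file cycle at high.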
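The todo_density self-reference exemption above has a subtle edge: the file is skipped only when it spells out the detector's whole marker alternation, so a comment or README sentence that mentions one marker still counts as a marker and is still measured. The following is an added illustration with constructed inputs, not the detector's own source; the line-based density and the "skip whole file" rule are how this example interprets the note.

```typescript
// Added example: a todo_density-style counter with the self-reference
// exemption. Marker names come from the release notes; the density unit
// (markers per 100 lines) is a constructed assumption.

const MARKERS = ["TODO", "FIXME", "XXX", "HACK"];
// The literal alternation a detector (or its tests/fixtures) would contain.
// Built from the array so this module's own text does not trip the check.
const SELF_REFERENCE = MARKERS.join("|");
const MARKER_RE = new RegExp(`\\b(${SELF_REFERENCE})\\b`, "g");

export interface TodoDensity {
  markers: number;
  lines: number;
  perHundredLines: number;
  skipped: boolean; // true when the self-reference exemption applied
}

export function todoDensity(source: string): TodoDensity {
  const lines = source.split(/\r?\n/);
  if (source.includes(SELF_REFERENCE)) {
    // Detector source or a fixture of it: do not flag the implementation.
    return { markers: 0, lines: lines.length, perHundredLines: 0, skipped: true };
  }
  let markers = 0;
  for (const line of lines) {
    markers += (line.match(MARKER_RE) ?? []).length;
  }
  const perHundredLines = lines.length === 0 ? 0 : Math.round((markers / lines.length) * 1000) / 10;
  return { markers, lines: lines.length, perHundredLines, skipped: false };
}

// Constructed sample inputs.
export const samples = {
  // Stand-in for the detector module itself. Note that because this string
  // spells the alternation out, a real crimes scan would skip this file too.
  detectorSource: [
    "// constructed stand-in for the detector module",
    "const MARKER_PATTERN = /TODO|FIXME|XXX|HACK/;",
    "export const count = (s: string) => s.match(MARKER_PATTERN);",
  ].join("\n"),
  // Ten lines of application code carrying three markers.
  appFile: [
    "export function save(input: string) {",
    "  // TODO: validate input",
    "  // FIXME: handle timeout",
    "  return input.length > 0;",
    "}",
    "// HACK: remove before release",
    "export const VERSION = '0.6.0';",
    "",
    "export function noop() {}",
    "",
  ].join("\n"),
  // Prose mentioning a single marker in passing: measured, not exempted.
  prose: "The todo_density detector counts TODO markers; this sentence mentions one marker name in passing.",
};
```

`todoDensity(samples.detectorSource)` comes back with `skipped: true`, the ten-line app file measures 3 markers (30 per 100 lines), and the prose line is not exempted: it measures 1 marker and is left to the normal threshold logic.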
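The crimes hotspots <subdir> fix above is three steps: walk upward to the enclosing repository, run git log there with a pathspec limited to the scanned directory, and translate the repo-relative paths git prints back onto the scan root. The example below is an added sketch of those steps, not the project's code; the directory probe is injected and the git output is a constructed line list so it runs offline, and the argument list handed to git is only built, never executed.

```typescript
import * as path from "node:path";

// Added example: enclosing-repo lookup, scoped git log arguments, and path
// re-rooting for a subdirectory scan. Paths are POSIX for determinism.
const P = path.posix;

// Walk from `start` toward the filesystem root until a `.git` directory is
// found. `isDir` is injected so the lookup can be exercised without a real repo.
export function findEnclosingRepo(start: string, isDir: (p: string) => boolean): string | null {
  let cur = P.resolve(start);
  for (;;) {
    if (isDir(P.join(cur, ".git"))) return cur;
    const parent = P.dirname(cur);
    if (parent === cur) return null; // reached "/" without finding a repo
    cur = parent;
  }
}

// git runs in the repo root, but the pathspec restricts history to the
// scanned directory so unrelated packages do not inflate churn.
export function gitLogArgs(repoRoot: string, scanRoot: string): string[] {
  const spec = P.relative(repoRoot, scanRoot) || ".";
  return ["-C", repoRoot, "log", "--name-only", "--pretty=format:", "--", spec];
}

// git prints paths relative to the repo root. Re-root them onto the scan root
// and drop anything outside it (defensive even though the pathspec should
// already exclude it).
export function rerootPaths(repoRelative: string[], repoRoot: string, scanRoot: string): string[] {
  const prefix = P.relative(repoRoot, scanRoot);
  const out: string[] = [];
  for (const p of repoRelative) {
    if (!p) continue; // --pretty=format: leaves blank separator lines
    const rel = prefix ? P.relative(prefix, p) : p;
    if (rel.startsWith("..") || P.isAbsolute(rel)) continue;
    out.push(rel);
  }
  return out;
}

// Churn per file = number of commits that touched it in the scoped log.
export function churnByFile(scanRelative: string[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const f of scanRelative) counts.set(f, (counts.get(f) ?? 0) + 1);
  return counts;
}

// Constructed fixture: a monorepo at /repo with the scan run from /repo/packages.
export const fixture = {
  dirs: new Set(["/repo/.git", "/repo/packages", "/repo/packages/api", "/repo/packages/cli"]),
  // What `git log --name-only --pretty=format: -- packages` might print.
  gitOutput: [
    "packages/api/src/users.ts",
    "",
    "packages/api/src/users.ts",
    "packages/cli/main.ts",
    "",
    "docs/intro.md", // outside the scan root; should never survive re-rooting
  ],
};

export function runFixture() {
  const isDir = (p: string) => fixture.dirs.has(p);
  const repoRoot = findEnclosingRepo("/repo/packages", isDir);
  if (repoRoot === null) throw new Error("constructed fixture should resolve a repo");
  const args = gitLogArgs(repoRoot, "/repo/packages");
  const paths = rerootPaths(fixture.gitOutput, repoRoot, "/repo/packages");
  return { repoRoot, args, churn: churnByFile(paths) };
}
```

For the fixture, the repo resolves to /repo, the pathspec becomes `packages`, and churn comes out as 2 for api/src/users.ts and 1 for cli/main.ts, with docs/intro.md discarded. Starting the walk from a directory with no enclosing repo returns null, which is the point at which the command would fall back to severity-only ranking.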

All additions are additive and backwards-compatible. No schema_version bump, no required field changes, no new CLI commands — every new capability surfaces through the existing command set.

This release ships ~16 new detectors in one batch. The 0.4.0 lesson was that noise erodes trust faster than missing detectors do, so each new detector defaults to conservative confidence and low / medium severity at threshold. Where a heuristic can be wrong, the finding text uses hedged phrasing (“appears to”, “may”) rather than asserting semantic truth.

If you upgrade and see findings you disagree with:

  1. Run crimes explain <id> to read the per-detector rationale.
  2. If the finding is a known-exception, file an issue at github.com/ortomate/crimes/issues with the JSON output — 0.7.0 is the structured-testing milestone that re-tunes thresholds based on real-repo evidence.
  3. Or suppress with crimes ignore, which carries a reason field and shows up in audit-suppressions.

If you run crimes baseline check --fail-on medium in CI, the new detectors will surface findings that weren’t in your baseline (by definition — they’re new). Two paths:

```bash
# Path A: re-snapshot the baseline so the new findings are accepted.
crimes baseline save
git add .crimes/baseline.json && git commit -m "Re-pin baseline after crimes 0.6.0 upgrade"

# Path B: temporarily raise the gate so only `high` findings break CI
# while you audit the new ones.
crimes baseline check --fail-on high
```

High-severity findings are reserved for circular_dependency at ≥ 3 files; every other new detector defaults to medium or lower.
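To make the two paths above concrete, here is an added model of a baseline gate: findings not present in the pinned baseline are "new", and the gate fails only when a new finding meets the --fail-on severity. The finding shape, the fingerprint (type plus file, no line number) and the exit code are constructed assumptions for this illustration; they are not the format of .crimes/baseline.json or crimes' own check logic.

```typescript
// Added example: a baseline gate in the spirit of
// `crimes baseline check --fail-on <severity>`. Finding shape, fingerprinting
// and exit codes are constructed assumptions, not crimes' baseline format.

export type Severity = "low" | "medium" | "high";
const RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2 };

export interface Finding {
  type: string;
  file: string;
  severity: Severity;
}

// Fingerprint without line numbers so a pinned finding survives unrelated
// edits above it. Severity is deliberately excluded: an escalated finding is
// still the same finding, not a new one.
export function fingerprint(f: Finding): string {
  return `${f.type}@${f.file}`;
}

export interface GateResult {
  newFindings: Finding[]; // not in the baseline at all
  blocking: Finding[]; // new AND at or above the --fail-on severity
  exitCode: number; // 1 when anything blocks, else 0
}

export function baselineCheck(baseline: Finding[], current: Finding[], failOn: Severity): GateResult {
  const known = new Set(baseline.map(fingerprint));
  const newFindings = current.filter((f) => !known.has(fingerprint(f)));
  const blocking = newFindings.filter((f) => RANK[f.severity] >= RANK[failOn]);
  return { newFindings, blocking, exitCode: blocking.length > 0 ? 1 : 0 };
}

// Path A: accept the current state as the new baseline.
export function baselineSave(current: Finding[]): Finding[] {
  return current.map((f) => ({ ...f }));
}

// Constructed fixture: a baseline pinned under 0.5.0 and a 0.6.0 scan that
// adds three findings from new detector types.
export const pinned: Finding[] = [
  { type: "large_function", file: "src/cli/register.ts", severity: "medium" },
  { type: "todo_density", file: "src/x.ts", severity: "low" },
];

export const afterUpgrade: Finding[] = [
  ...pinned,
  { type: "circular_dependency", file: "src/api/users.ts", severity: "high" },
  { type: "deep_import", file: "src/cli/main.ts", severity: "medium" },
  { type: "near_duplicate_block", file: "src/api/session.ts", severity: "low" },
];
```

With the original pin and `--fail-on medium`, three findings are new and two block (the cycle and the deep import). Raising the gate to high (Path B) still fails, because the ≥ 3-file cycle is exactly the case this release rates high; only re-pinning (Path A) or a reasoned crimes ignore clears it.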

  • No new CLI commands. 0.5.0 was the product-surface release; every new 0.6.0 capability surfaces through scan, context, hotspots, diff, explain, baseline, and init.
  • No structured testing baseline. That’s 0.7.0. The 0.5.0 dogfood appendix in .planning/archive/0.6.0-detector-scoring-completion.md §20 is the starting point; the 0.7.0 milestone runs the same self-scan after 0.6.0 lands and feeds threshold tuning into 0.8.0+.
  • No fixture extension for every new detector. The bundled fixture at examples/messy-ts-app continues to exercise the pre-0.6.0 detector set; full coverage of all 18 new types is pulled into the 0.7.0 evidence-loop work.

0.7.0 is the structured Claude + Codex testing + evidence-hook milestone. The 0.5.0 dogfood appendix becomes a regression test: re-run the self-scan after 0.6.0 lands, compare per-detector signal-vs-noise, and feed the comparison into severity / confidence / threshold tuning for 0.8.0+. No new product surface; the work is empirical.