npm - @microsoft/sarif-multitool-darwin - Versions diffs - 4.6.4 → 5.0.0 - Mend

@microsoft/sarif-multitool-darwin 4.6.4 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/Sarif.Converters.pdb +0 -0
package/Sarif.Driver.pdb +0 -0
package/Sarif.Multitool +0 -0
package/Sarif.Multitool.Library.pdb +0 -0
package/Sarif.Multitool.Library.xml +507 -70
package/Sarif.Multitool.pdb +0 -0
package/Sarif.WorkItems.pdb +0 -0
package/Sarif.pdb +0 -0
package/Sarif.xml +604 -1
package/WorkItems.pdb +0 -0
package/package.json +1 -1

package/Sarif.Multitool.Library.xml CHANGED Viewed

@@ -4,6 +4,301 @@
         <name>Sarif.Multitool.Library</name>
     </assembly>
     <members>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddNotificationCommand">
+            <summary>
+            Implements <c>multitool add-notification</c>: appends a fully-formed SARIF notification
+            JSON to <c>&lt;output&gt;.wip.jsonl</c>.
+            </summary>
+            <remarks>
+            <para>Unlike <see cref="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddResultCommand"/>, this verb does not enforce the AI ruleId
+            convention on the notification's <c>associatedRule.id</c> — that field references a
+            descriptor in <c>tool.driver.rules</c>, which uses the base taxonomy id (e.g.,
+            <c>CWE-79</c>) per SARIF §3.49.3, not the result-side hierarchical form.</para>
+            <para>Notifications without a <c>timeUtc</c> stamp are auto-stamped at replay time
+            (<see cref="T:Microsoft.CodeAnalysis.Sarif.Emit.SarifEventReplayer"/>), so producers can omit that field without firing
+            AI2019 at validate time.</para>
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddNotificationOptions">
+            <summary>
+            Options for <c>add-notification</c>, which appends a fully-formed SARIF <c>notification</c>
+            object to a staged event log (<c>&lt;output&gt;.wip.jsonl</c>) created by
+            <c>emit-init-run</c>.
+            </summary>
+            <remarks>
+            The notification is supplied as a JSON document (file via <c>--input</c> or piped on
+            stdin). AI producers are expected to emit notifications with potentially very rich data
+            — associated rule references, full exception trees, descriptive markdown messages,
+            per-call properties — so the JSON-payload contract avoids encoding-by-flag entirely and
+            preserves whatever the producer chose to express.
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddReportingDescriptorCommand">
+            <summary>
+            Implements <c>multitool add-reporting-descriptor</c>: validates a fully-formed SARIF
+            reportingDescriptor JSON and appends an event to <c>&lt;output&gt;.wip.jsonl</c>.
+            </summary>
+            <remarks>
+            <para>Default target is <c>run.tool.driver.notifications[]</c>; pass <c>--rules</c> to
+            target <c>run.tool.driver.rules[]</c> instead.</para>
+            <para>On the <c>--rules</c> path, the descriptor id is gated against
+            <see cref="M:Microsoft.CodeAnalysis.Sarif.Emit.AIRuleIdConvention.IsNovel(System.String)"/>: only NOVEL- prefixed ids are accepted.
+            Taxonomy-mapped rule descriptors (e.g., <c>CWE-89</c>) come from the taxonomy enricher
+            at finalize time, not from this verb — this verb is the producer-side authoring path
+            for novel-finding descriptors that have no upstream taxonomy entry.</para>
+            <para>Duplicate-id submissions within the same event log are rejected on receipt — the
+            verb scans the existing event log (including any descriptors pre-populated on the
+            run-header event) and fails before appending. (A future <c>--force</c> escape hatch
+            is acknowledged; not in v1.)</para>
+            </remarks>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.AddReportingDescriptorCommand.TryFindDuplicate(System.String,System.String,System.String,System.String,System.String@)">
+            <summary>
+            Scans the staged event log for a prior descriptor with the same id targeting the
+            same array. Returns <c>true</c> with <paramref name="error"/> populated when a
+            duplicate is found; <c>false</c> otherwise.
+            </summary>
+            <remarks>
+            Two sources are checked:
+            <list type="bullet">
+            <item><description>Run-header events: <c>payload.tool.driver.&lt;targetArray&gt;[*].id</c>
+            — producers MAY pre-populate descriptors on the header.</description></item>
+            <item><description>Prior descriptor events of the same target kind:
+            <c>payload.id</c>.</description></item>
+            </list>
+            The reader silently skips unknown kinds and malformed-but-skippable rows; for the
+            scan we walk the full event sequence so the event index reported in the error
+            matches the producer's mental model of "the Nth thing I appended."
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddReportingDescriptorOptions">
+            <summary>
+            Options for <c>add-reporting-descriptor</c>, which appends a fully-formed SARIF
+            <c>reportingDescriptor</c> object to a staged event log
+            (<c>&lt;output&gt;.wip.jsonl</c>) created by <c>emit-init-run</c>.
+            </summary>
+            <remarks>
+            <para>The verb's default target is <c>run.tool.driver.notifications[]</c> — AI producers
+            routinely emit notification descriptors (progress, telemetry, config errors, handoff
+            breadcrumbs). Pass <c>--rules</c> to target <c>run.tool.driver.rules[]</c> instead;
+            this rule-descriptor path is reserved for NOVEL- novel-finding descriptors (taxonomy
+            rule descriptors such as <c>CWE-89</c> come from the taxonomy enricher, not this
+            verb).</para>
+            <para>The descriptor is supplied as a JSON document (file via <c>--input</c> or piped
+            on stdin). The full SARIF reportingDescriptor shape (id, name, shortDescription,
+            fullDescription, helpUri, messageStrings, defaultConfiguration, properties, …)
+            round-trips byte-for-byte through the staged event log.</para>
+            <para>Each descriptor <c>id</c> may appear at most once per event log. Submitting a
+            duplicate id is rejected with a clear error pointing at the prior occurrence.</para>
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddResultCommand">
+            <summary>
+            Implements <c>multitool add-result</c>: validates a fully-formed SARIF result JSON and
+            appends a <c>result</c> event to <c>&lt;output&gt;.wip.jsonl</c>.
+            </summary>
+            <remarks>
+            The result's <c>ruleId</c> is validated at receipt against the AI ruleId convention
+            (taxonomy sub-id form or NOVEL- escape hatch). On rejection the verb writes the
+            AI-consumable error envelope (error code AI-RULEID-001) to stderr and returns
+            <see cref="F:Microsoft.CodeAnalysis.Sarif.Driver.CommandBase.FAILURE"/> WITHOUT appending — an AI orchestrator can retry the
+            individual result without first having to remove garbage from the event log.
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AddResultOptions">
+             <summary>
+             Options for <c>add-result</c>, which appends a fully-formed SARIF <c>result</c> object
+             to a staged event log (<c>&lt;output&gt;.wip.jsonl</c>) created by <c>emit-init-run</c>.
+             </summary>
+             <remarks>
+             The result is supplied as a JSON document (file via <c>--input</c> or piped on stdin).
+             The SARIF <c>result</c> object can carry rich nested structures (code flows, thread flows,
+             stacks, fixes, taxa, related locations, properties bags). Modeling every field as a CLI
+             flag would explode the surface; the JSON-payload contract keeps the verb generic and lets
+             an AI producer emit arbitrarily-rich findings without losing fidelity.
+             On receipt the verb validates that <c>result.ruleId</c> conforms to the AI ruleId
+             convention (taxonomy sub-id form or NOVEL- escape hatch) so an AI orchestrator gets an
+             immediate, AI-consumable rejection envelope rather than discovering the violation later
+             at <c>emit-finalize</c> time.
+             </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext">
+            <summary>
+            Detects an Azure DevOps pipeline execution context from environment variables and stamps
+            the corresponding <c>automationDetails</c> shape onto a <see cref="T:Microsoft.CodeAnalysis.Sarif.Run"/>, matching the
+            canonical write surface used by the Azure DevOps Advanced Security SARIF upload SDK
+            (<c>AlertHttpClientExtensions.AddAutomationDetails</c>).
+            </summary>
+            <remarks>
+            <para>Detection is gated on the standard ADO sentinel <c>TF_BUILD=True</c>. When not
+            running inside an ADO pipeline, <see cref="F:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState.None"/> is returned and no
+            stamping occurs. This avoids surprising failures on non-ADO CI systems that happen to
+            populate a subset of <c>BUILD_*</c> variables.</para>
+            <para>Inside an ADO pipeline three states are possible:</para>
+            <list type="bullet">
+            <item><see cref="F:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState.Complete"/> — every required logical variable is present
+            and well-formed; <see cref="M:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.ApplyTo(Microsoft.CodeAnalysis.Sarif.Run)"/> writes <c>automationDetails.id</c> plus the
+            four <c>azuredevops/pipeline/build/*</c> property keys that ADO ingestion validates.</item>
+            <item><see cref="F:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState.None"/> — no required variables are populated; nothing is
+            stamped (e.g. a manual local invocation that happens to have <c>TF_BUILD</c> set without
+            the rest).</item>
+            <item><see cref="F:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState.Partial"/> — one or more required variables are present
+            but others are missing or malformed; a partial pipeline identity is a misconfiguration
+            signal, not a soft skip, so callers should fail loudly rather than emit half-stamped
+            SARIF that will fail GHAzDO1019/1020 downstream.</item>
+            </list>
+            </remarks>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.TryDetect(Microsoft.CodeAnalysis.Sarif.Multitool.IEnvironmentVariableGetter,Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext@,System.String@)">
+            <summary>
+            Reads ADO predefined environment variables via <paramref name="environment"/> and
+            returns one of <see cref="T:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState"/>.
+            </summary>
+            <param name="environment">Env getter (test seam).</param>
+            <param name="context">Populated context when state is <see cref="F:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState.Complete"/>; otherwise <c>null</c>.</param>
+            <param name="errorMessage">Human-readable description of present/missing/malformed variables when state is <see cref="F:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.DetectionState.Partial"/>; otherwise <c>null</c>.</param>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.AdoPipelineContext.ApplyTo(Microsoft.CodeAnalysis.Sarif.Run)">
+            <summary>
+            Stamps the detected pipeline identity onto <paramref name="run"/>.
+            Creates <see cref="P:Microsoft.CodeAnalysis.Sarif.Run.AutomationDetails"/> if absent; does not overwrite
+            <c>Guid</c> or <c>CorrelationGuid</c> fields populated from other sources.
+            </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.EmitEventLogHelpers">
+            <summary>
+            Shared plumbing for the emit verb chain (<c>emit-init-run</c>, <c>add-result</c>,
+            <c>add-notification</c>, <c>emit-finalize</c>): resolves the staged event log path,
+            reads caller-supplied JSON (file or stdin), and parses it into a
+            <see cref="T:Newtonsoft.Json.Linq.JToken"/> in a date-safe way.
+            </summary>
+            <remarks>
+            The verbs share three concerns — locating <c>&lt;output&gt;.wip.jsonl</c>, sourcing
+            the payload, and parsing it without lossy normalization — which live here so the
+            per-verb commands can stay focused on payload-specific validation and append.
+            </remarks>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitEventLogHelpers.TryValidateUri(System.String,System.String,System.String[],System.String@)">
+            <summary>
+            Validates that <paramref name="value"/> is either null/empty or a well-formed
+            absolute URI whose scheme appears in <paramref name="allowedSchemes"/>.
+            </summary>
+            <remarks>
+            Returning <c>true</c> when the value is empty preserves the "flag is optional"
+            contract — only supplied URIs are validated. We require an absolute URI (relative
+            values would never resolve meaningfully into a SARIF reader downstream) and we
+            constrain the scheme to a documented allow-list so a typo like <c>"htps://..."</c>
+            or an inappropriate scheme like <c>"file:..."</c> on a public-facing URL surfaces
+            here rather than silently shipping in the run header.
+            </remarks>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitEventLogHelpers.TryResolveWipPath(System.String,Microsoft.CodeAnalysis.Sarif.IFileSystem,System.String@)">
+            <summary>
+            Resolves the staged event-log path for an output SARIF path and verifies it exists.
+            </summary>
+            <param name="outputFilePath">The final SARIF file path (positional verb argument).</param>
+            <param name="fileSystem">The file system facade.</param>
+            <param name="wipPath">Set to the absolute event-log path on success.</param>
+            <returns><see cref="F:Microsoft.CodeAnalysis.Sarif.Driver.CommandBase.SUCCESS"/> on success, <see cref="F:Microsoft.CodeAnalysis.Sarif.Driver.CommandBase.FAILURE"/>
+            with a stderr message otherwise.</returns>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitEventLogHelpers.TryReadJsonPayload(System.String,System.String,Microsoft.CodeAnalysis.Sarif.IFileSystem,Newtonsoft.Json.Linq.JToken@)">
+            <summary>
+            Reads the caller-supplied JSON from <paramref name="inputFilePath"/> or stdin and
+            parses it. Returns <see cref="F:Microsoft.CodeAnalysis.Sarif.Driver.CommandBase.SUCCESS"/> with <paramref name="payload"/>
+            populated, or <see cref="F:Microsoft.CodeAnalysis.Sarif.Driver.CommandBase.FAILURE"/> with a stderr message describing
+            what went wrong.
+            </summary>
+            <param name="inputFilePath">File path supplied by <c>--input</c>, or null/empty to
+            read from stdin.</param>
+            <param name="payloadKind">Human-readable label used in error messages ("result",
+            "notification", ...).</param>
+            <param name="fileSystem">The file system facade.</param>
+            <param name="payload">Set to the parsed payload on success.</param>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitEventLogHelpers.ReadStandardInputAsUtf8">
+            <summary>
+            Reads redirected stdin as UTF-8, bypassing <see cref="P:System.Console.InputEncoding"/>.
+            On Windows the console's default input encoding is the active OEM codepage
+            (often cp437 or cp850), which would mangle non-ASCII content in a piped
+            SARIF payload. AI orchestrators routinely emit messages, URIs, and properties
+            containing non-ASCII characters, so we must decode the raw byte stream as UTF-8
+            regardless of the console's current code page. A BOM-stamped input is still
+            honored — <see cref="T:System.IO.StreamReader"/>'s detect-BOM flag handles that case.
+            </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.EmitFinalizeCommand">
+            <summary>
+            Implements <c>multitool emit-finalize</c>: replays <c>&lt;output&gt;.wip.jsonl</c>,
+            optionally enriches CWE-as-rule-id descriptors, and atomically writes the destination
+            SARIF file.
+            </summary>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.EmitFinalizeCommand.RunValidatorAndReport(System.String)">
+            <summary>
+            Runs the multitool validator (--rule-kind Sarif;AI) against the finalized SARIF.
+            Prints a one-line summary of Error/Warning/Note counts and (on Error) the rule IDs
+            that fired. Returns FAILURE if any Error-level finding is reported; otherwise SUCCESS.
+            </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.EmitFinalizeOptions">
+            <summary>
+            Options for <c>emit-finalize</c>, which replays the staged event log and atomically
+            writes the destination SARIF file.
+            </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.EmitInitRunCommand">
+            <summary>
+            Implements <c>multitool emit-init-run</c>: creates an append-only SARIF event log
+            (<c>&lt;output&gt;.wip.jsonl</c>) seeded with a <c>run-header</c> event built from the
+            supplied tool / repo flags.
+            </summary>
+            <remarks>
+            <para>State table:</para>
+            <list type="table">
+            <listheader>
+            <term>State</term>
+            <term>No <c>--force-overwrite</c></term>
+            <term>With <c>--force-overwrite</c></term>
+            </listheader>
+            <item>
+            <term>Neither .sarif nor .wip.jsonl exists</term>
+            <term>Create new .wip.jsonl</term>
+            <term>Create new .wip.jsonl</term>
+            </item>
+            <item>
+            <term>.sarif exists, no .wip.jsonl</term>
+            <term>Fail — would clobber a committed SARIF on finalize</term>
+            <term>Create new .wip.jsonl (existing .sarif is left until finalize replaces it)</term>
+            </item>
+            <item>
+            <term>No .sarif, .wip.jsonl exists</term>
+            <term>Fail — another authoring session is in flight (or was crashed)</term>
+            <term>Delete .wip.jsonl and recreate</term>
+            </item>
+            <item>
+            <term>Both .sarif and .wip.jsonl exist</term>
+            <term>Fail</term>
+            <term>Delete .wip.jsonl and recreate</term>
+            </item>
+            </list>
+            </remarks>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.EmitInitRunOptions">
+            <summary>
+            Options for <c>emit-init-run</c>, which opens an append-only event log
+            (<c>&lt;output&gt;.wip.jsonl</c>) seeded with a <c>run-header</c> event for the supplied
+            tool. Subsequent producers append events to the log via the SARIF emit API and finalize
+            via <c>multitool emit-finalize</c>.
+            </summary>
+            <remarks>
+            CLI flags mirror the SARIF interior paths they populate (e.g., <c>--tool-driver-name</c>
+            populates <c>run.tool.driver.name</c>; <c>--vcp-revisionid</c> populates
+            <c>run.versionControlProvenance[0].revisionId</c>). This trades verbosity for a one-to-one
+            mapping that a SARIF-literate user can read without a help page.
+            </remarks>
+        </member>
         <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.FileWorkItemsCommand">
             <summary>
             A class that drives SARIF work item filing. This class is responsible for
@@ -105,46 +400,6 @@
              and shows results.
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoReferenceFinalSchema.Id">
-            <summary>
-            ADO1011
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredSarifLogProperties.Id">
-            <summary>
-            ADO1013
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredRunProperties.Id">
-            <summary>
-            ADO1014
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredResultProperties.Id">
-            <summary>
-            ADO1015
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredLocationProperties.Id">
-            <summary>
-            ADO1016
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredPhysicalLocationProperties.Id">
-            <summary>
-            ADO1017
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredToolProperties.Id">
-            <summary>
-            ADO1018
-            </summary>
-        </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AdoProvideRequiredReportingDescriptorProperties.Id">
-            <summary>
-            ADO2012
-            </summary>
-        </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.AIProvideRequiredRegionProperties.Id">
             <summary>
             AI1003
@@ -185,11 +440,6 @@
             AI1013
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.ExecutionNotificationPlacement.Id">
-            <summary>
-            AI1014
-            </summary>
-        </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.ProvideSemanticVersion.Id">
             <summary>
             AI2003
@@ -235,7 +485,7 @@
             AI2017
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.ProvideExecutionSignalArtifact.Id">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.ProvideLearningSignalArtifact.Id">
             <summary>
             AI2018
             </summary>
@@ -255,6 +505,33 @@
              of the schema is valid.
              </summary>
         </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.EvidenceJsonReader">
+            <summary>
+            Defensive reads of <c>ai/evidence</c> entry properties. Producers in the
+            wild emit some properties (e.g. <c>backing</c>) as either a single
+            string or as an array of strings; a validator rule must accept both
+            shapes without throwing on well-formed input.
+            </summary>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.EvidenceJsonReader.ReadString(Newtonsoft.Json.Linq.JObject,System.String)">
+            <summary>
+            Reads <paramref name="propertyName"/> from <paramref name="entry"/>
+            as a string. Returns null if the property is absent or not a JSON
+            string token (i.e., array, object, number, boolean, null).
+            </summary>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.EvidenceJsonReader.ReadStrings(Newtonsoft.Json.Linq.JObject,System.String)">
+            <summary>
+            Reads <paramref name="propertyName"/> from <paramref name="entry"/>
+            as a list of strings. Accepts both shapes:
+            <list type="bullet">
+              <item>a single JSON string (yields a one-element list);</item>
+              <item>a JSON array of strings (non-string array elements are silently dropped).</item>
+            </list>
+            Returns an empty list when the property is absent, null-valued, or any
+            other JSON shape (object, number, boolean).
+            </summary>
+        </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.ProvideRequiredLocationProperties.Id">
             <summary>
             GH1001
@@ -345,6 +622,76 @@
             GH2012
             </summary>
         </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOReferenceFinalSchema.Id">
+            <summary>
+            GHAzDO1011
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredSarifLogProperties.Id">
+            <summary>
+            GHAzDO1013
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredRunProperties.Id">
+            <summary>
+            GHAzDO1014
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredResultProperties.Id">
+            <summary>
+            GHAzDO1015
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredLocationProperties.Id">
+            <summary>
+            GHAzDO1016
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredPhysicalLocationProperties.Id">
+            <summary>
+            GHAzDO1017
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredToolProperties.Id">
+            <summary>
+            GHAzDO1018
+            </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvidePipelineProperties">
+             <summary>
+             GHAzDO1019 — when run.automationDetails is present, require the four
+             `azuredevops/pipeline/build/*` properties that GHAzDO ingestion reads to
+             identify the build definition + phase. Missing or unparseable values cause
+             ingestion to drop the run with "SarifValidation_MissingAdoPipelineProperties".
+             Required keys (all under run.automationDetails.properties):
+               azuredevops/pipeline/build/buildDefinitionId    (int, != 0)
+               azuredevops/pipeline/build/buildDefinitionName  (non-empty string)
+               azuredevops/pipeline/build/phaseId              (GUID, != Guid.Empty)
+               azuredevops/pipeline/build/phaseName            (non-empty string)
+             Source of truth: AdvancedSecurity.Service ./SarifUtils/SarifExtensions.cs
+             `GetPipeline(Run)` and CodeScanningResultPluginBase.ValidateRun.
+             </summary>
+        </member>
+        <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideAutomationDetailsIdFormat">
+             <summary>
+             GHAzDO1020 — when run.automationDetails.id is present, require it to start
+             with the canonical `azuredevops/pipeline/build/` prefix. GHAzDO ingestion
+             parses the slash-delimited remainder as
+             `&lt;org&gt;/&lt;project&gt;/&lt;buildDefId&gt;/&lt;phaseId&gt;/&lt;branch&gt;/&lt;buildId&gt;`;
+             IDs that don't carry the prefix fail downstream parsing.
+             Source of truth: AdvancedSecurity.Service runAutomationDetails.Id consumers.
+             We deliberately validate only the prefix here — the slash content is derived
+             from pipeline state and not authored by hand.
+             </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.GHAzDOProvideRequiredReportingDescriptorProperties.Id">
+            <summary>
+            GHAzDO2012
+            </summary>
+        </member>
         <member name="T:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources">
             <summary>
               A strongly-typed resource class, for looking up localized strings, etc.
@@ -361,33 +708,33 @@
               resource lookups using this strongly typed resource class.
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1011_ReferenceFinalSchema_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1011_ReferenceFinalSchema_FullDescription_Text">
              <summary>
                Looks up a localized string similar to The &apos;$schema&apos; property must refer to the final version of the SARIF 2.1.0 schema. This enables IDEs to provide Intellisense for SARIF log files.
             The SARIF standard was developed over several years and many intermediate versions of the schema were produced. Now that the standard is final, only the OASIS standard version of the schema is valid..
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1013_ProvideRequiredSarifLogProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1013_ProvideRequiredSarifLogProperties_FullDescription_Text">
              <summary>
-               Looks up a localized string similar to The root element of a SARIF log file is a SarifLog object. The properties of this element provide information about the log&apos;s schema version as well as an array of analysis runs. These properties are required by the ADO Advanced Security service.
+               Looks up a localized string similar to The root element of a SARIF log file is a SarifLog object. The properties of this element provide information about the log&apos;s schema version as well as an array of analysis runs. These properties are required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service.
             Provide the &apos;$schema&apos; property, which must refer to the final version of the SARIF 2.1.0 schema. This enables IDEs to provide Intellisense for SARIF log files.
             Provide the &apos;version&apos; property, which must refer to the the final, OASIS standard version of the SA [rest of string was truncated]&quot;;.
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1014_AdoProvideRequiredRunProperties_Error_MissingAutomationDetails_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1014_GHAzDOProvideRequiredRunProperties_Error_MissingAutomationDetails_Text">
             <summary>
               Looks up a localized string similar to {0}: This &apos;run&apos; object does not provide an &apos;automationDetails&apos; property. This property is required by the {1} service..
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1014_AdoProvideRequiredRunProperties_Error_MissingAutomationDetailsId_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1014_GHAzDOProvideRequiredRunProperties_Error_MissingAutomationDetailsId_Text">
             <summary>
               Looks up a localized string similar to {0}: This &apos;run&apos; object&apos;s &apos;automationDetails&apos; object does not provide an &apos;id&apos; value. This property is required by the {1} service..
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1014_ProvideRequiredRunProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1014_ProvideRequiredRunProperties_FullDescription_Text">
              <summary>
                Looks up a localized string similar to The Run object represents a single execution of the specified analysis tool.
@@ -395,56 +742,101 @@
             Provide the &apos;results&apos; array, even if it is empty.
-            Provide the &apos;automationDetails&apos; property. The automationDetails&apos;s &apos;id&apos; property is required by the ADO Advanced Security service..
+            Provide the &apos;automationDetails&apos; property. The automationDetails&apos;s &apos;id&apos; property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service..
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1015_ProvideRequiredResultProperties_Error_MissingRuleId_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1015_ProvideRequiredResultProperties_Error_MissingRuleId_Text">
             <summary>
               Looks up a localized string similar to {0}: This &apos;result&apos; object does not provide a &apos;ruleId&apos; value. This property is required by the {1} service..
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1015_ProvideRequiredResultProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1015_ProvideRequiredResultProperties_FullDescription_Text">
              <summary>
                Looks up a localized string similar to The Result object represents an analysis finding and should provide details describing the nature of the problem along with its location in the scan target.
-            Provide the &apos;ruleId&apos; property, which is the unique identifier of the analysis rule that was violated. This property is required by the ADO Advanced Security service.
+            Provide the &apos;ruleId&apos; property, which is the unique identifier of the analysis rule that was violated. This property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service.
-            Provide the &apos;message&apos; property, which is a user-facing explanation of the result occurrence. The message&apos;s &apos;text&apos; property is required by the ADO Advanced Security service.
+            Provide the &apos;message&apos; property, which is a user-facing explanation of the result occurrence. The message&apos;s &apos;text&apos; property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service.
             Provide [rest of string was truncated]&quot;;.
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1016_ProvideRequiredLocationProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1016_ProvideRequiredLocationProperties_FullDescription_Text">
              <summary>
                Looks up a localized string similar to The Location object is important for providing consumers with the location where the result occurred.
-            Provide the &apos;physicalLocation&apos; property. This property is required by the ADO Advanced Security service..
+            Provide the &apos;physicalLocation&apos; property. This property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service..
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1017_ProvideRequiredPhysicalLocationProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1017_ProvideRequiredPhysicalLocationProperties_FullDescription_Text">
              <summary>
-               Looks up a localized string similar to Provide the &apos;region&apos; property, along with the appropriate region properties. This property is required by the ADO Advanced Security service.
+               Looks up a localized string similar to Provide the &apos;region&apos; property, along with the appropriate region properties. This property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service.
-            Provide the &apos;artifactLocation&apos; property. This property is required by the ADO Advanced Security service..
+            Provide the &apos;artifactLocation&apos; property. This property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service..
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1018_ProvideRequiredToolProperties_Error_MissingDriverFullName_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1018_ProvideRequiredToolProperties_Error_MissingDriverFullName_Text">
             <summary>
               Looks up a localized string similar to {0}: This &apos;driver&apos; object does not provide a &apos;fullName&apos; value. This property is required by the {1} service..
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO1018_ProvideRequiredToolProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1018_ProvideRequiredToolProperties_FullDescription_Text">
              <summary>
                Looks up a localized string similar to Provide information that makes it easy to identify the name and version of your tool.
-            Provide the &apos;driver&apos; property. This property is required by the ADO Advanced Security service.
+            Provide the &apos;driver&apos; property. This property is required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service.
             Provide the driver&apos;s &apos;name&apos; and &apos;fullName&apos; properties.
             Provide the driver&apos;s &apos;rules&apos; array..
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO2012_ProvideRequiredReportingDescriptorProperties_FullDescription_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_FullDescription_Text">
+            <summary>
+              Looks up a localized string similar to When &apos;run.automationDetails&apos; is present, the four &apos;azuredevops/pipeline/build/&apos; properties identify the build definition and phase that produced the run..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_Error_MissingBuildDefinitionId_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.properties&apos; bag does not provide &apos;{2}&apos;. This property is required by the {1} service to identify the build definition..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_Error_InvalidBuildDefinitionId_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.properties&apos; value for &apos;{2}&apos; is &apos;{3}&apos;, which is not a non-zero integer. The {1} service requires a non-zero integer build definition id..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_Error_MissingBuildDefinitionName_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.properties&apos; bag does not provide &apos;{2}&apos;. This property is required by the {1} service to identify the build definition by name..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_Error_MissingPhaseId_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.properties&apos; bag does not provide &apos;{2}&apos;. This property is required by the {1} service to identify the build phase..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_Error_InvalidPhaseId_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.properties&apos; value for &apos;{2}&apos; is &apos;{3}&apos;, which is not a non-empty GUID. The {1} service requires a non-empty GUID phase id..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1019_ProvidePipelineProperties_Error_MissingPhaseName_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.properties&apos; bag does not provide &apos;{2}&apos;. This property is required by the {1} service to identify the build phase by name..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1020_ProvideAutomationDetailsIdFormat_FullDescription_Text">
+            <summary>
+              Looks up a localized string similar to When &apos;run.automationDetails.id&apos; is present, it must start with the canonical &apos;azuredevops/pipeline/build/&apos; prefix..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO1020_ProvideAutomationDetailsIdFormat_Error_BadPrefix_Text">
+            <summary>
+              Looks up a localized string similar to {0}: The &apos;automationDetails.id&apos; value &apos;{3}&apos; does not start with the expected prefix &apos;{2}&apos;..
+            </summary>
+        </member>
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO2012_ProvideRequiredReportingDescriptorProperties_FullDescription_Text">
              <summary>
                Looks up a localized string similar to Rule metadata should provide information that makes it easy to understand and fix the problem.
             rule.id
@@ -454,7 +846,7 @@
             Provide the &apos;name&apos; property, which contains a &quot;friendly name&quot; that helps users see at a glance the purpose of the rule. For uniformity of experience across all tools that produce SARIF, the friendly name should be a single Pascal-case identifier, for example, &apos;ProvideRuleFriendlyName&apos;..
              </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ADO2012_ProvideRequiredResultProperties_Error_MissingName_Text">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GHAzDO2012_ProvideRequiredResultProperties_Error_MissingName_Text">
             <summary>
               Looks up a localized string similar to {0}: This &apos;reportingDescriptor&apos; object does not provide a &apos;name&apos; value. This property is required by the {1} service..
             </summary>
@@ -652,7 +1044,7 @@
         </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.GH1013_ProvideRequiredSarifLogProperties_FullDescription_Text">
              <summary>
-               Looks up a localized string similar to The root element of a SARIF log file is a SarifLog object. The properties of this element provide information about the log&apos;s schema version as well as an array of analysis runs. These properties are required by the ADO Advanced Security service.
+               Looks up a localized string similar to The root element of a SARIF log file is a SarifLog object. The properties of this element provide information about the log&apos;s schema version as well as an array of analysis runs. These properties are required by the GHAzDO (GitHub Advanced Security for Azure DevOps) service.
             Provide the &apos;$schema&apos; property, which must refer to the final version of the SARIF 2.1.0 schema. This enables IDEs to provide Intellisense for SARIF log files.
@@ -1183,9 +1575,9 @@
               Looks up a localized string similar to {0}: The &apos;startLine&apos; property is absent....
             </summary>
         </member>
-        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ServiceName_ADO">
+        <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ServiceName_GHAzDO">
             <summary>
-              Looks up a localized string similar to Azure DevOps Advanced Security.
+              Looks up a localized string similar to GHAzDO (GitHub Advanced Security for Azure DevOps).
             </summary>
         </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.RuleResources.ServiceName_GHAS">
@@ -1474,6 +1866,14 @@
              example.h. In this case, 'analysisTarget' is example.c, and the result location is in example.h.
              </summary>
         </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.OptimizeFileSize.CheckSentinelIndex(System.Int32,System.String,System.String)">
+            <summary>
+            Flag an explicit emission of the SARIF <c>-1</c> "unset index" sentinel
+            (\u00a73.4) when the JSON contains the property literally. The sentinel is
+            semantically equivalent to omitting the property; emitting it bloats the
+            log without changing meaning.
+            </summary>
+        </member>
         <member name="P:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.ProvideToolProperties.Id">
             <summary>
             SARIF2005
@@ -1690,5 +2090,42 @@
             <param name="uriKind">The type of the `Uri` in `uriString`.</param>
             <returns></returns>
         </member>
+        <member name="F:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.SarifValidationSkimmerBase.AIOriginPropertyName">
+             <summary>
+             The well-known run property whose presence (with any non-null/non-empty
+             value) declares that the containing run was produced by an AI emitter.
+             AI-emitted SARIF is stochastic by construction — message text is rendered
+             per-result rather than authored against a table of <c>messageStrings</c>
+             templates, and rule ids ride the <c>NOVEL-</c> / <c>BASE/sub-id</c>
+             convention rather than a fixed tool prefix. Style-class validation rules
+             (e.g. SARIF2002, SARIF2009, SARIF2014, SARIF2015) encode human-authoring
+             guidance whose preconditions don't hold for AI output, so they suppress
+             themselves when this marker is set.
+             Correctness-class rules (snippets, hashes, provenance, relative URIs, etc.)
+             must NOT consult this marker — those checks apply uniformly to AI content.
+             </summary>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.SarifValidationSkimmerBase.IsAIOriginRun(Microsoft.CodeAnalysis.Sarif.Run)">
+            <summary>
+            Returns true when <paramref name="run"/> declares AI provenance via the
+            <c>ai/origin</c> run property. Any non-null/non-empty value counts; the
+            vocabulary (<c>generated</c>, <c>annotated</c>, <c>synthesized</c>, …)
+            is open by design so AI tooling can self-describe at any granularity.
+            </summary>
+            <exception cref="T:System.ArgumentNullException">
+            <paramref name="run"/> is null. Callers reading AI-origin during rule
+            dispatch should already hold a non-null run; the strict contract makes
+            upstream lifecycle bugs loud rather than masking them as "not AI".
+            </exception>
+        </member>
+        <member name="M:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.SarifValidationSkimmerBase.IsAIOriginRun">
+            <summary>
+            Instance convenience: reports whether the run currently being visited
+            declares AI provenance. Returns false when there is no current run
+            scope (e.g. an <c>Analyze(SarifLog)</c> dispatch); otherwise defers to
+            <see cref="M:Microsoft.CodeAnalysis.Sarif.Multitool.Rules.SarifValidationSkimmerBase.IsAIOriginRun(Microsoft.CodeAnalysis.Sarif.Run)"/>.
+            </summary>
+        </member>
     </members>
 </doc>