@opensip-cli/external-tool-adapter 0.1.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -0
- package/NOTICE +8 -0
- package/README.md +33 -0
- package/dist/__tests__/acceptance-harness.test.d.ts +2 -0
- package/dist/__tests__/acceptance-harness.test.d.ts.map +1 -0
- package/dist/__tests__/acceptance-harness.test.js +106 -0
- package/dist/__tests__/acceptance-harness.test.js.map +1 -0
- package/dist/__tests__/artifact-path.test.d.ts +2 -0
- package/dist/__tests__/artifact-path.test.d.ts.map +1 -0
- package/dist/__tests__/artifact-path.test.js +19 -0
- package/dist/__tests__/artifact-path.test.js.map +1 -0
- package/dist/__tests__/binary-resolver.test.d.ts +2 -0
- package/dist/__tests__/binary-resolver.test.d.ts.map +1 -0
- package/dist/__tests__/binary-resolver.test.js +64 -0
- package/dist/__tests__/binary-resolver.test.js.map +1 -0
- package/dist/__tests__/define-external-tool-adapter.test.d.ts +2 -0
- package/dist/__tests__/define-external-tool-adapter.test.d.ts.map +1 -0
- package/dist/__tests__/define-external-tool-adapter.test.js +165 -0
- package/dist/__tests__/define-external-tool-adapter.test.js.map +1 -0
- package/dist/__tests__/doctor-command.test.d.ts +2 -0
- package/dist/__tests__/doctor-command.test.d.ts.map +1 -0
- package/dist/__tests__/doctor-command.test.js +124 -0
- package/dist/__tests__/doctor-command.test.js.map +1 -0
- package/dist/__tests__/exit-model.test.d.ts +2 -0
- package/dist/__tests__/exit-model.test.d.ts.map +1 -0
- package/dist/__tests__/exit-model.test.js +30 -0
- package/dist/__tests__/exit-model.test.js.map +1 -0
- package/dist/__tests__/fingerprint.test.d.ts +2 -0
- package/dist/__tests__/fingerprint.test.d.ts.map +1 -0
- package/dist/__tests__/fingerprint.test.js +39 -0
- package/dist/__tests__/fingerprint.test.js.map +1 -0
- package/dist/__tests__/gate-render.test.d.ts +2 -0
- package/dist/__tests__/gate-render.test.d.ts.map +1 -0
- package/dist/__tests__/gate-render.test.js +82 -0
- package/dist/__tests__/gate-render.test.js.map +1 -0
- package/dist/__tests__/ingest-json.test.d.ts +2 -0
- package/dist/__tests__/ingest-json.test.d.ts.map +1 -0
- package/dist/__tests__/ingest-json.test.js +53 -0
- package/dist/__tests__/ingest-json.test.js.map +1 -0
- package/dist/__tests__/ingest-sarif.test.d.ts +2 -0
- package/dist/__tests__/ingest-sarif.test.d.ts.map +1 -0
- package/dist/__tests__/ingest-sarif.test.js +283 -0
- package/dist/__tests__/ingest-sarif.test.js.map +1 -0
- package/dist/__tests__/manifest-commands.test.d.ts +2 -0
- package/dist/__tests__/manifest-commands.test.d.ts.map +1 -0
- package/dist/__tests__/manifest-commands.test.js +67 -0
- package/dist/__tests__/manifest-commands.test.js.map +1 -0
- package/dist/__tests__/provenance.test.d.ts +2 -0
- package/dist/__tests__/provenance.test.d.ts.map +1 -0
- package/dist/__tests__/provenance.test.js +48 -0
- package/dist/__tests__/provenance.test.js.map +1 -0
- package/dist/__tests__/redact.test.d.ts +2 -0
- package/dist/__tests__/redact.test.d.ts.map +1 -0
- package/dist/__tests__/redact.test.js +37 -0
- package/dist/__tests__/redact.test.js.map +1 -0
- package/dist/__tests__/run-loop-artifact.test.d.ts +21 -0
- package/dist/__tests__/run-loop-artifact.test.d.ts.map +1 -0
- package/dist/__tests__/run-loop-artifact.test.js +186 -0
- package/dist/__tests__/run-loop-artifact.test.js.map +1 -0
- package/dist/__tests__/run-loop-exit.test.d.ts +21 -0
- package/dist/__tests__/run-loop-exit.test.d.ts.map +1 -0
- package/dist/__tests__/run-loop-exit.test.js +123 -0
- package/dist/__tests__/run-loop-exit.test.js.map +1 -0
- package/dist/__tests__/run-loop-gate.test.d.ts +10 -0
- package/dist/__tests__/run-loop-gate.test.d.ts.map +1 -0
- package/dist/__tests__/run-loop-gate.test.js +159 -0
- package/dist/__tests__/run-loop-gate.test.js.map +1 -0
- package/dist/__tests__/session-payload.test.d.ts +12 -0
- package/dist/__tests__/session-payload.test.d.ts.map +1 -0
- package/dist/__tests__/session-payload.test.js +131 -0
- package/dist/__tests__/session-payload.test.js.map +1 -0
- package/dist/__tests__/severity-map.test.d.ts +2 -0
- package/dist/__tests__/severity-map.test.d.ts.map +1 -0
- package/dist/__tests__/severity-map.test.js +57 -0
- package/dist/__tests__/severity-map.test.js.map +1 -0
- package/dist/acceptance-harness.d.ts +48 -0
- package/dist/acceptance-harness.d.ts.map +1 -0
- package/dist/acceptance-harness.js +78 -0
- package/dist/acceptance-harness.js.map +1 -0
- package/dist/adapter-config.d.ts +58 -0
- package/dist/adapter-config.d.ts.map +1 -0
- package/dist/adapter-config.js +73 -0
- package/dist/adapter-config.js.map +1 -0
- package/dist/adapter-manifest.d.ts +57 -0
- package/dist/adapter-manifest.d.ts.map +1 -0
- package/dist/adapter-manifest.js +68 -0
- package/dist/adapter-manifest.js.map +1 -0
- package/dist/artifact-path.d.ts +26 -0
- package/dist/artifact-path.d.ts.map +1 -0
- package/dist/artifact-path.js +22 -0
- package/dist/artifact-path.js.map +1 -0
- package/dist/binary-resolver.d.ts +51 -0
- package/dist/binary-resolver.d.ts.map +1 -0
- package/dist/binary-resolver.js +66 -0
- package/dist/binary-resolver.js.map +1 -0
- package/dist/define-external-tool-adapter.d.ts +25 -0
- package/dist/define-external-tool-adapter.d.ts.map +1 -0
- package/dist/define-external-tool-adapter.js +149 -0
- package/dist/define-external-tool-adapter.js.map +1 -0
- package/dist/doctor-command.d.ts +81 -0
- package/dist/doctor-command.d.ts.map +1 -0
- package/dist/doctor-command.js +160 -0
- package/dist/doctor-command.js.map +1 -0
- package/dist/exit-model.d.ts +33 -0
- package/dist/exit-model.d.ts.map +1 -0
- package/dist/exit-model.js +35 -0
- package/dist/exit-model.js.map +1 -0
- package/dist/fingerprint.d.ts +26 -0
- package/dist/fingerprint.d.ts.map +1 -0
- package/dist/fingerprint.js +32 -0
- package/dist/fingerprint.js.map +1 -0
- package/dist/gate-render.d.ts +18 -0
- package/dist/gate-render.d.ts.map +1 -0
- package/dist/gate-render.js +25 -0
- package/dist/gate-render.js.map +1 -0
- package/dist/index.d.ts +39 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +35 -0
- package/dist/index.js.map +1 -0
- package/dist/ingest-json.d.ts +32 -0
- package/dist/ingest-json.d.ts.map +1 -0
- package/dist/ingest-json.js +66 -0
- package/dist/ingest-json.js.map +1 -0
- package/dist/ingest-sarif.d.ts +113 -0
- package/dist/ingest-sarif.d.ts.map +1 -0
- package/dist/ingest-sarif.js +158 -0
- package/dist/ingest-sarif.js.map +1 -0
- package/dist/manifest-commands.d.ts +23 -0
- package/dist/manifest-commands.d.ts.map +1 -0
- package/dist/manifest-commands.js +47 -0
- package/dist/manifest-commands.js.map +1 -0
- package/dist/process-exec.d.ts +51 -0
- package/dist/process-exec.d.ts.map +1 -0
- package/dist/process-exec.js +99 -0
- package/dist/process-exec.js.map +1 -0
- package/dist/provenance.d.ts +19 -0
- package/dist/provenance.d.ts.map +1 -0
- package/dist/provenance.js +31 -0
- package/dist/provenance.js.map +1 -0
- package/dist/redact.d.ts +24 -0
- package/dist/redact.d.ts.map +1 -0
- package/dist/redact.js +38 -0
- package/dist/redact.js.map +1 -0
- package/dist/run-context.d.ts +24 -0
- package/dist/run-context.d.ts.map +1 -0
- package/dist/run-context.js +36 -0
- package/dist/run-context.js.map +1 -0
- package/dist/run-loop.d.ts +64 -0
- package/dist/run-loop.d.ts.map +1 -0
- package/dist/run-loop.js +320 -0
- package/dist/run-loop.js.map +1 -0
- package/dist/scan-emit.d.ts +81 -0
- package/dist/scan-emit.d.ts.map +1 -0
- package/dist/scan-emit.js +125 -0
- package/dist/scan-emit.js.map +1 -0
- package/dist/session-payload.d.ts +81 -0
- package/dist/session-payload.d.ts.map +1 -0
- package/dist/session-payload.js +86 -0
- package/dist/session-payload.js.map +1 -0
- package/dist/severity-map.d.ts +43 -0
- package/dist/severity-map.d.ts.map +1 -0
- package/dist/severity-map.js +84 -0
- package/dist/severity-map.js.map +1 -0
- package/dist/types.d.ts +228 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +15 -0
- package/dist/types.js.map +1 -0
- package/dist/version-command.d.ts +36 -0
- package/dist/version-command.d.ts.map +1 -0
- package/dist/version-command.js +74 -0
- package/dist/version-command.js.map +1 -0
- package/package.json +52 -0
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Adapter-owned session payload (ADR-0090; ADR-0011 session split).
|
|
3
|
+
*
|
|
4
|
+
* The host persists each adapter run's session row with an OPAQUE, tool-owned
|
|
5
|
+
* detail blob (`session_tool_payload.payload`). The dashboard's shared
|
|
6
|
+
* session-detail renderer groups `payload.checks[]` and computes
|
|
7
|
+
* `clean = errors === 0 && warnings === 0` from `payload.summary`. An adapter
|
|
8
|
+
* session that carried only a finding COUNT (no `checks`/`summary`) therefore
|
|
9
|
+
* rendered a secret/vuln scan as "No findings — this run was clean. Every rule
|
|
10
|
+
* passed" — actively misleading. This builder gives adapters the SAME
|
|
11
|
+
* rule-grouped detail shape graph and fitness own (`buildGraphSessionPayload` /
|
|
12
|
+
* `buildFitnessSessionPayload`), derived straight from the run's already-redacted,
|
|
13
|
+
* provenance-stamped `Signal[]`.
|
|
14
|
+
*
|
|
15
|
+
* Layer-legal: pure and substrate-local (no `cli`/datastore import — the host
|
|
16
|
+
* writes the row). The shape is tool-owned and opaque to `contracts`, exactly
|
|
17
|
+
* like graph/fitness own theirs.
|
|
18
|
+
*
|
|
19
|
+
* SECRET HYGIENE: every field here is copied from a signal that was redacted at
|
|
20
|
+
* INGEST (e.g. the gitleaks parser masks `Secret` to a non-reversible preview and
|
|
21
|
+
* never reads `Match`). No raw credential reaches this payload — and `metadata`
|
|
22
|
+
* is narrowed to JSON scalars, dropping the nested provenance object entirely.
|
|
23
|
+
* Proven by the substrate unit suite and each adapter's worker E2E.
|
|
24
|
+
*/
|
|
25
|
+
import type { JsonScalar, Signal, SignalRepair } from '@opensip-cli/core';
|
|
26
|
+
/** Two-level severity the dashboard buckets on (`critical|high → error`). */
|
|
27
|
+
export type AdapterFindingSeverity = 'error' | 'warning';
|
|
28
|
+
/** A persisted finding row — the structural subset the dashboard renders. */
|
|
29
|
+
export interface AdapterSessionFinding {
|
|
30
|
+
readonly ruleId: string;
|
|
31
|
+
readonly message: string;
|
|
32
|
+
readonly severity: AdapterFindingSeverity;
|
|
33
|
+
readonly filePath: string;
|
|
34
|
+
readonly line?: number;
|
|
35
|
+
readonly column?: number;
|
|
36
|
+
readonly suggestion?: string;
|
|
37
|
+
readonly metadata?: Readonly<Record<string, JsonScalar>>;
|
|
38
|
+
/** Structured repair guidance (ADR-0086) — round-trips through replay. */
|
|
39
|
+
readonly repair?: SignalRepair;
|
|
40
|
+
}
|
|
41
|
+
/** A persisted per-rule detail row — the structural subset the dashboard renders. */
|
|
42
|
+
export interface AdapterSessionCheck {
|
|
43
|
+
readonly checkSlug: string;
|
|
44
|
+
readonly passed: boolean;
|
|
45
|
+
readonly violationCount: number;
|
|
46
|
+
readonly findings: readonly AdapterSessionFinding[];
|
|
47
|
+
readonly durationMs: number;
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Opaque-to-contracts detail blob written for every adapter session. `checks` is
|
|
51
|
+
* the scanner's findings grouped by `ruleId` (one row per rule that fired); the
|
|
52
|
+
* dashboard's shared session-detail renderer reads `summary` and `checks`
|
|
53
|
+
* structurally.
|
|
54
|
+
*/
|
|
55
|
+
export interface AdapterSessionPayload {
|
|
56
|
+
/** Inner version per the payload schema evolution convention (v1 shape). */
|
|
57
|
+
readonly __version: 1;
|
|
58
|
+
readonly summary: {
|
|
59
|
+
/** Rules that fired (one `checks[]` row each). */
|
|
60
|
+
readonly total: number;
|
|
61
|
+
/** Rules with no error-severity finding. */
|
|
62
|
+
readonly passed: number;
|
|
63
|
+
/** Rules with ≥1 error-severity finding. */
|
|
64
|
+
readonly failed: number;
|
|
65
|
+
/** Error-severity (critical|high) finding count. */
|
|
66
|
+
readonly errors: number;
|
|
67
|
+
/** Warning-severity (medium|low) finding count. */
|
|
68
|
+
readonly warnings: number;
|
|
69
|
+
};
|
|
70
|
+
readonly checks: readonly AdapterSessionCheck[];
|
|
71
|
+
}
|
|
72
|
+
/**
|
|
73
|
+
* Build the adapter session payload directly from the run's redacted `Signal[]`.
|
|
74
|
+
*
|
|
75
|
+
* Groups by `ruleId` into the dashboard's rule-grouped detail (`checks[]`),
|
|
76
|
+
* collapsing the 4-level signal severity to the dashboard's two-level
|
|
77
|
+
* `error`/`warning` bucket. Per-rule `passed` follows fit/graph semantics
|
|
78
|
+
* (warnings alone do not fail a rule).
|
|
79
|
+
*/
|
|
80
|
+
export declare function buildAdapterSessionPayload(signals: readonly Signal[]): AdapterSessionPayload;
|
|
81
|
+
//# sourceMappingURL=session-payload.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session-payload.d.ts","sourceRoot":"","sources":["../src/session-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAE1E,6EAA6E;AAC7E,MAAM,MAAM,sBAAsB,GAAG,OAAO,GAAG,SAAS,CAAC;AAEzD,6EAA6E;AAC7E,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,CAAC;IAC1C,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;IACzD,0EAA0E;IAC1E,QAAQ,CAAC,MAAM,CAAC,EAAE,YAAY,CAAC;CAChC;AAED,qFAAqF;AACrF,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,SAAS,qBAAqB,EAAE,CAAC;IACpD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,4EAA4E;IAC5E,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE;QAChB,kDAAkD;QAClD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,4CAA4C;QAC5C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,4CAA4C;QAC5C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,oDAAoD;QACpD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;QACxB,mDAAmD;QACnD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,QAAQ,CAAC,MAAM,EAAE,SAAS,mBAAmB,EAAE,CAAC;CACjD;AAsCD;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,SAAS,MAAM,EAAE,GAAG,qBAAqB,CAgB5F"}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Adapter-owned session payload (ADR-0090; ADR-0011 session split).
|
|
3
|
+
*
|
|
4
|
+
* The host persists each adapter run's session row with an OPAQUE, tool-owned
|
|
5
|
+
* detail blob (`session_tool_payload.payload`). The dashboard's shared
|
|
6
|
+
* session-detail renderer groups `payload.checks[]` and computes
|
|
7
|
+
* `clean = errors === 0 && warnings === 0` from `payload.summary`. An adapter
|
|
8
|
+
* session that carried only a finding COUNT (no `checks`/`summary`) therefore
|
|
9
|
+
* rendered a secret/vuln scan as "No findings — this run was clean. Every rule
|
|
10
|
+
* passed" — actively misleading. This builder gives adapters the SAME
|
|
11
|
+
* rule-grouped detail shape graph and fitness own (`buildGraphSessionPayload` /
|
|
12
|
+
* `buildFitnessSessionPayload`), derived straight from the run's already-redacted,
|
|
13
|
+
* provenance-stamped `Signal[]`.
|
|
14
|
+
*
|
|
15
|
+
* Layer-legal: pure and substrate-local (no `cli`/datastore import — the host
|
|
16
|
+
* writes the row). The shape is tool-owned and opaque to `contracts`, exactly
|
|
17
|
+
* like graph/fitness own theirs.
|
|
18
|
+
*
|
|
19
|
+
* SECRET HYGIENE: every field here is copied from a signal that was redacted at
|
|
20
|
+
* INGEST (e.g. the gitleaks parser masks `Secret` to a non-reversible preview and
|
|
21
|
+
* never reads `Match`). No raw credential reaches this payload — and `metadata`
|
|
22
|
+
* is narrowed to JSON scalars, dropping the nested provenance object entirely.
|
|
23
|
+
* Proven by the substrate unit suite and each adapter's worker E2E.
|
|
24
|
+
*/
|
|
25
|
+
import { isErrorSignal, projectJsonScalarMetadata } from '@opensip-cli/core';
|
|
26
|
+
/** Map one redacted signal to its persisted finding row (2-level severity bucket). */
|
|
27
|
+
function toSessionFinding(s) {
|
|
28
|
+
const metadata = projectJsonScalarMetadata(s.metadata);
|
|
29
|
+
return {
|
|
30
|
+
ruleId: s.ruleId,
|
|
31
|
+
message: s.message,
|
|
32
|
+
severity: isErrorSignal(s) ? 'error' : 'warning',
|
|
33
|
+
filePath: s.filePath,
|
|
34
|
+
...(s.line === undefined ? {} : { line: s.line }),
|
|
35
|
+
...(s.column === undefined ? {} : { column: s.column }),
|
|
36
|
+
...(s.suggestion === undefined ? {} : { suggestion: s.suggestion }),
|
|
37
|
+
...(metadata ? { metadata } : {}),
|
|
38
|
+
...(s.repair === undefined ? {} : { repair: s.repair }),
|
|
39
|
+
};
|
|
40
|
+
}
|
|
41
|
+
/** Group findings by `ruleId` into one `checks[]` row per rule (fit/graph semantics). */
|
|
42
|
+
function groupByRule(signals) {
|
|
43
|
+
const byRule = new Map();
|
|
44
|
+
for (const s of signals) {
|
|
45
|
+
const arr = byRule.get(s.ruleId);
|
|
46
|
+
if (arr)
|
|
47
|
+
arr.push(toSessionFinding(s));
|
|
48
|
+
else
|
|
49
|
+
byRule.set(s.ruleId, [toSessionFinding(s)]);
|
|
50
|
+
}
|
|
51
|
+
return [...byRule].map(([checkSlug, findings]) => ({
|
|
52
|
+
checkSlug,
|
|
53
|
+
passed: findings.every((f) => f.severity !== 'error'),
|
|
54
|
+
violationCount: findings.length,
|
|
55
|
+
findings,
|
|
56
|
+
// Per-rule `durationMs` is 0 — a scanner reports one wall-clock duration for the
|
|
57
|
+
// whole run (carried separately on the session payload), not per rule, exactly
|
|
58
|
+
// as graph does for its rule groups.
|
|
59
|
+
durationMs: 0,
|
|
60
|
+
}));
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Build the adapter session payload directly from the run's redacted `Signal[]`.
|
|
64
|
+
*
|
|
65
|
+
* Groups by `ruleId` into the dashboard's rule-grouped detail (`checks[]`),
|
|
66
|
+
* collapsing the 4-level signal severity to the dashboard's two-level
|
|
67
|
+
* `error`/`warning` bucket. Per-rule `passed` follows fit/graph semantics
|
|
68
|
+
* (warnings alone do not fail a rule).
|
|
69
|
+
*/
|
|
70
|
+
export function buildAdapterSessionPayload(signals) {
|
|
71
|
+
const checks = groupByRule(signals);
|
|
72
|
+
const errors = signals.filter(isErrorSignal).length;
|
|
73
|
+
const warnings = signals.length - errors;
|
|
74
|
+
return {
|
|
75
|
+
__version: 1,
|
|
76
|
+
summary: {
|
|
77
|
+
total: checks.length,
|
|
78
|
+
passed: checks.filter((c) => c.passed).length,
|
|
79
|
+
failed: checks.filter((c) => !c.passed).length,
|
|
80
|
+
errors,
|
|
81
|
+
warnings,
|
|
82
|
+
},
|
|
83
|
+
checks,
|
|
84
|
+
};
|
|
85
|
+
}
|
|
86
|
+
//# sourceMappingURL=session-payload.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"session-payload.js","sourceRoot":"","sources":["../src/session-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,aAAa,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAsD7E,sFAAsF;AACtF,SAAS,gBAAgB,CAAC,CAAS;IACjC,MAAM,QAAQ,GAAG,yBAAyB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACvD,OAAO;QACL,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAChD,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,GAAG,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QACvD,GAAG,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC;QACnE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjC,GAAG,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,yFAAyF;AACzF,SAAS,WAAW,CAAC,OAA0B;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC1D,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,GAAG;YAAE,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;;YAClC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;QACjD,SAAS;QACT,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC;QACrD,cAAc,EAAE,QAAQ,CAAC,MAAM;QAC/B,QAAQ;QACR,iFAAiF;QACjF,+EAA+E;QAC/E,qCAAqC;QACrC,UAAU,EAAE,CAAC;KACd,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,0BAA0B,CAAC,OAA0B;IACnE,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;IACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;IAEzC,OAAO;QACL,SAAS,EAAE,CAAC;QACZ,OAAO,EAAE;YACP,KAAK,EAAE,MAAM,CAAC,MAAM;YACpB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;YAC7C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM;YAC9C,MAAM;YACN,QAAQ;SACT;QACD,MAAM;KACP,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Severity mapping for external-scanner ingestion (ADR-0091).
|
|
3
|
+
*
|
|
4
|
+
* Pure functions only. Two jobs:
|
|
5
|
+
* 1. CVSS number → OpenSIP four-bucket severity (FIRST/NVD v3 bands).
|
|
6
|
+
* 2. SARIF `level` → severity FALLBACK (lossy — the OpenSIP SARIF writer
|
|
7
|
+
* collapses `critical` AND `high` to `error`, so a level-only inverse can
|
|
8
|
+
* never recover `critical`; `error → high`).
|
|
9
|
+
*
|
|
10
|
+
* Native severity is always preserved on `Signal.metadata` beside the mapped
|
|
11
|
+
* four-bucket `Signal.severity` (the four-bucket set is `critical|high|medium|low`
|
|
12
|
+
* — there is no info/unknown rung).
|
|
13
|
+
*/
|
|
14
|
+
import type { SignalSeverity } from '@opensip-cli/core';
|
|
15
|
+
/** SARIF v2.1.0 levels. */
|
|
16
|
+
export type SarifLevel = 'error' | 'warning' | 'note' | 'none';
|
|
17
|
+
/**
|
|
18
|
+
* Map a CVSS base score to the OpenSIP four-bucket severity using the FIRST/NVD
|
|
19
|
+
* v3 bands: `>= 9.0` critical · `7.0–8.9` high · `4.0–6.9` medium ·
|
|
20
|
+
* `0.1–3.9` low · `0`/non-finite → low.
|
|
21
|
+
*/
|
|
22
|
+
export declare function cvssToSeverity(score: number): SignalSeverity;
|
|
23
|
+
/**
|
|
24
|
+
* Parse a CVSS number out of a value that may be a number or a numeric string
|
|
25
|
+
* (e.g. SARIF `security-severity` `"9.8"`, OSV `groups[].max_severity` `"7.5"`).
|
|
26
|
+
* A CVSS *vector* string (`"CVSS:3.1/AV:N/…"`) has no leading number and returns
|
|
27
|
+
* `undefined`. Returns `undefined` for anything non-numeric.
|
|
28
|
+
*/
|
|
29
|
+
export declare function parseCvss(raw: unknown): number | undefined;
|
|
30
|
+
/**
|
|
31
|
+
* SARIF `level` → severity FALLBACK (used only when a CVSS `security-severity`
|
|
32
|
+
* is absent). `error → high` (NEVER critical), `warning → medium`,
|
|
33
|
+
* `note → low`, `none → low`. An absent/unknown level defaults to the SARIF
|
|
34
|
+
* default rung (`warning` → medium).
|
|
35
|
+
*/
|
|
36
|
+
export declare function sarifLevelToSeverity(level: string | undefined): SignalSeverity;
|
|
37
|
+
/**
|
|
38
|
+
* Merge the scanner's NATIVE severity label/number onto a metadata bag under
|
|
39
|
+
* `nativeSeverity` (preserved beside the mapped four-bucket `Signal.severity`).
|
|
40
|
+
* `null` records "the scanner emits no severity" (e.g. stock gitleaks).
|
|
41
|
+
*/
|
|
42
|
+
export declare function withNativeSeverity(metadata: Readonly<Record<string, unknown>>, nativeSeverity: unknown): Record<string, unknown>;
|
|
43
|
+
//# sourceMappingURL=severity-map.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"severity-map.d.ts","sourceRoot":"","sources":["../src/severity-map.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAExD,2BAA2B;AAC3B,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,MAAM,CAAC;AAE/D;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,cAAc,CAM5D;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAU1D;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,cAAc,CAkB9E;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EAC3C,cAAc,EAAE,OAAO,GACtB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzB"}
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Severity mapping for external-scanner ingestion (ADR-0091).
|
|
3
|
+
*
|
|
4
|
+
* Pure functions only. Two jobs:
|
|
5
|
+
* 1. CVSS number → OpenSIP four-bucket severity (FIRST/NVD v3 bands).
|
|
6
|
+
* 2. SARIF `level` → severity FALLBACK (lossy — the OpenSIP SARIF writer
|
|
7
|
+
* collapses `critical` AND `high` to `error`, so a level-only inverse can
|
|
8
|
+
* never recover `critical`; `error → high`).
|
|
9
|
+
*
|
|
10
|
+
* Native severity is always preserved on `Signal.metadata` beside the mapped
|
|
11
|
+
* four-bucket `Signal.severity` (the four-bucket set is `critical|high|medium|low`
|
|
12
|
+
* — there is no info/unknown rung).
|
|
13
|
+
*/
|
|
14
|
+
/**
|
|
15
|
+
* Map a CVSS base score to the OpenSIP four-bucket severity using the FIRST/NVD
|
|
16
|
+
* v3 bands: `>= 9.0` critical · `7.0–8.9` high · `4.0–6.9` medium ·
|
|
17
|
+
* `0.1–3.9` low · `0`/non-finite → low.
|
|
18
|
+
*/
|
|
19
|
+
export function cvssToSeverity(score) {
|
|
20
|
+
if (!Number.isFinite(score) || score <= 0)
|
|
21
|
+
return 'low';
|
|
22
|
+
if (score >= 9)
|
|
23
|
+
return 'critical';
|
|
24
|
+
if (score >= 7)
|
|
25
|
+
return 'high';
|
|
26
|
+
if (score >= 4)
|
|
27
|
+
return 'medium';
|
|
28
|
+
return 'low';
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Parse a CVSS number out of a value that may be a number or a numeric string
|
|
32
|
+
* (e.g. SARIF `security-severity` `"9.8"`, OSV `groups[].max_severity` `"7.5"`).
|
|
33
|
+
* A CVSS *vector* string (`"CVSS:3.1/AV:N/…"`) has no leading number and returns
|
|
34
|
+
* `undefined`. Returns `undefined` for anything non-numeric.
|
|
35
|
+
*/
|
|
36
|
+
export function parseCvss(raw) {
|
|
37
|
+
if (typeof raw === 'number')
|
|
38
|
+
return Number.isFinite(raw) ? raw : undefined;
|
|
39
|
+
if (typeof raw !== 'string')
|
|
40
|
+
return undefined;
|
|
41
|
+
const trimmed = raw.trim();
|
|
42
|
+
if (trimmed.length === 0)
|
|
43
|
+
return undefined;
|
|
44
|
+
// Reject CVSS vector strings (they start with "CVSS:" and carry no base score
|
|
45
|
+
// we can read without computing it).
|
|
46
|
+
if (/^cvss:/i.test(trimmed))
|
|
47
|
+
return undefined;
|
|
48
|
+
const value = Number.parseFloat(trimmed);
|
|
49
|
+
return Number.isFinite(value) ? value : undefined;
|
|
50
|
+
}
|
|
51
|
+
/**
|
|
52
|
+
* SARIF `level` → severity FALLBACK (used only when a CVSS `security-severity`
|
|
53
|
+
* is absent). `error → high` (NEVER critical), `warning → medium`,
|
|
54
|
+
* `note → low`, `none → low`. An absent/unknown level defaults to the SARIF
|
|
55
|
+
* default rung (`warning` → medium).
|
|
56
|
+
*/
|
|
57
|
+
export function sarifLevelToSeverity(level) {
|
|
58
|
+
switch (level) {
|
|
59
|
+
case 'error': {
|
|
60
|
+
return 'high';
|
|
61
|
+
}
|
|
62
|
+
case 'warning': {
|
|
63
|
+
return 'medium';
|
|
64
|
+
}
|
|
65
|
+
case 'note': {
|
|
66
|
+
return 'low';
|
|
67
|
+
}
|
|
68
|
+
case 'none': {
|
|
69
|
+
return 'low';
|
|
70
|
+
}
|
|
71
|
+
default: {
|
|
72
|
+
return 'medium';
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* Merge the scanner's NATIVE severity label/number onto a metadata bag under
|
|
78
|
+
* `nativeSeverity` (preserved beside the mapped four-bucket `Signal.severity`).
|
|
79
|
+
* `null` records "the scanner emits no severity" (e.g. stock gitleaks).
|
|
80
|
+
*/
|
|
81
|
+
export function withNativeSeverity(metadata, nativeSeverity) {
|
|
82
|
+
return { ...metadata, nativeSeverity: nativeSeverity ?? null };
|
|
83
|
+
}
|
|
84
|
+
//# sourceMappingURL=severity-map.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"severity-map.js","sourceRoot":"","sources":["../src/severity-map.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,UAAU,CAAC;IAClC,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAC9B,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IAChC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,GAAY;IACpC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC9C,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC3C,8EAA8E;IAC9E,qCAAqC;IACrC,IAAI,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACzC,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACpD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAyB;IAC5D,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,OAAO,KAAK,CAAC;QACf,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,CAAC,CAAC,CAAC;YACR,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAA2C,EAC3C,cAAuB;IAEvB,OAAO,EAAE,GAAG,QAAQ,EAAE,cAAc,EAAE,cAAc,IAAI,IAAI,EAAE,CAAC;AACjE,CAAC"}
|
package/dist/types.d.ts
ADDED
|
@@ -0,0 +1,228 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Shared contract types for the External Tool Adapter substrate
|
|
3
|
+
* (ADR-0090 / ADR-0091 / ADR-0092).
|
|
4
|
+
*
|
|
5
|
+
* An "external tool adapter" wraps a user-installed CLI scanner (gitleaks,
|
|
6
|
+
* osv-scanner, trivy, …) as an ordinary opensip-cli `Tool`. The author declares
|
|
7
|
+
* identity + a binary + per-command descriptors; the substrate owns the run
|
|
8
|
+
* loop (resolve → execFile → capture → interpret exit → ingest → normalize →
|
|
9
|
+
* persist), the standardized `doctor`/`version` commands, and provenance.
|
|
10
|
+
*
|
|
11
|
+
* These are pure data shapes — no runtime, no IO — so the file is a kernel-safe
|
|
12
|
+
* type surface the rest of the substrate imports.
|
|
13
|
+
*/
|
|
14
|
+
import type { Logger, ManifestOptionDescriptor, Signal, SignalSeverity, ToolConfigContribution, ToolIdentity } from '@opensip-cli/core';
|
|
15
|
+
/**
|
|
16
|
+
* The network posture an adapter declares (ADR-0092). The host displays it
|
|
17
|
+
* (`doctor`, `tools list`) and the manifest generator forward-maps it onto
|
|
18
|
+
* `opensipTools.requires` via {@link deriveAdapterManifestRequires}: `subprocess` +
|
|
19
|
+
* `filesystem` always; `network` when `networked`/`auth-required`. The mapping is
|
|
20
|
+
* DERIVED (not hand-authored), so flipping an adapter to a networked posture
|
|
21
|
+
* produces a `--check` drift the gate catches — the §4.8 honest-labeling guarantee.
|
|
22
|
+
* `requires` enforcement (a sandbox) is still deferred (ADR-0061); declaration +
|
|
23
|
+
* the honest label land now.
|
|
24
|
+
*/
|
|
25
|
+
export type NetworkPosture = 'local-only' | 'networked' | 'auth-required';
|
|
26
|
+
/** The native output shape a scanner command produces. */
|
|
27
|
+
export type ScannerOutputKind = 'sarif' | 'json' | 'stdout';
|
|
28
|
+
/**
|
|
29
|
+
* Per-command exit-code model (ADR-0091). Separates "scanner found problems"
|
|
30
|
+
* (a verdict) from "scanner broke" (a fault). Interpreted by {@link interpretExit}.
|
|
31
|
+
*/
|
|
32
|
+
export interface ScannerExitModel {
|
|
33
|
+
/** Clean run, no findings (e.g. `[0]`). */
|
|
34
|
+
readonly ok: readonly number[];
|
|
35
|
+
/** Ran fine, found issues (e.g. `[1]`) — NOT a fault. */
|
|
36
|
+
readonly findings: readonly number[];
|
|
37
|
+
/** `>= this` ⇒ a genuine scanner error (e.g. `2`). Any unmodeled nonzero is also a fault. */
|
|
38
|
+
readonly errorFrom?: number;
|
|
39
|
+
}
|
|
40
|
+
/**
|
|
41
|
+
* How the substrate resolves the scanner binary (ADR-0090 §4.3): a layered,
|
|
42
|
+
* deterministic order, first hit wins. `config` reads the operator pin
|
|
43
|
+
* (`binaries.<tool>.path` in the namespaced config or the `OPENSIP_<TOOL>_BIN`
|
|
44
|
+
* env var); `path` is the system `PATH` lookup. A missing binary yields a
|
|
45
|
+
* `doctor` install hint, never a fetch.
|
|
46
|
+
*/
|
|
47
|
+
export type BinaryResolutionLayer = 'config' | 'env' | 'path';
|
|
48
|
+
/** The wrapped-binary declaration. */
|
|
49
|
+
export interface BinarySpec {
|
|
50
|
+
/** PATH lookup name (e.g. `'gitleaks'`). */
|
|
51
|
+
readonly command: string;
|
|
52
|
+
/** Args that print the version (e.g. `['version']`), for `doctor` + provenance. */
|
|
53
|
+
readonly versionArgs: readonly string[];
|
|
54
|
+
/** Parse the version stdout to a semver-ish string. Defaults to `stdout.trim()`. */
|
|
55
|
+
readonly versionParse?: (stdout: string) => string;
|
|
56
|
+
/** `doctor` warns when the resolved version is below this. */
|
|
57
|
+
readonly minVersion?: string;
|
|
58
|
+
/** Resolution order (default `['config', 'path']`). */
|
|
59
|
+
readonly resolution?: readonly Exclude<BinaryResolutionLayer, 'env'>[];
|
|
60
|
+
/**
|
|
61
|
+
* Env var that pins the binary path. Defaults to `OPENSIP_<TOOL>_BIN`
|
|
62
|
+
* (uppercased identity name, `-`→`_`).
|
|
63
|
+
*/
|
|
64
|
+
readonly envVar?: string;
|
|
65
|
+
/** Platform-agnostic install hint surfaced by `doctor` when the binary is missing. */
|
|
66
|
+
readonly installHint?: string;
|
|
67
|
+
}
|
|
68
|
+
/** The parsed native scanner output handed to a command's `parse`. */
|
|
69
|
+
export interface ParsedScannerOutput {
|
|
70
|
+
readonly kind: ScannerOutputKind;
|
|
71
|
+
/** Raw bytes/text exactly as the scanner wrote them. */
|
|
72
|
+
readonly raw: string;
|
|
73
|
+
/** Parsed JSON value when `kind` is `'json'`/`'sarif'` and parsing succeeded. */
|
|
74
|
+
readonly json?: unknown;
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* The resolved, per-run context the substrate hands a command's `args(ctx)` /
|
|
78
|
+
* `parse(raw, ctx)` (ADR-0090 §4.2 / Phase-0 decision 8). Built from the
|
|
79
|
+
* `ToolCliContext` with NO `cli` import (paths via core `resolveProjectPaths`).
|
|
80
|
+
*/
|
|
81
|
+
export interface AdapterRunContext {
|
|
82
|
+
/** The adapter's identity name (`'gitleaks'`). */
|
|
83
|
+
readonly tool: string;
|
|
84
|
+
/** The adapter's npm package name, stamped into provenance. */
|
|
85
|
+
readonly adapterPackage?: string;
|
|
86
|
+
/** The resolved targeting root the scanner runs against. */
|
|
87
|
+
readonly projectRoot: string;
|
|
88
|
+
/** This invocation's run id (the artifact run-segment, ADR-0091). */
|
|
89
|
+
readonly runId: string;
|
|
90
|
+
/** The shared structured logger. */
|
|
91
|
+
readonly logger: Logger;
|
|
92
|
+
/** The adapter's resolved, namespaced config block (`scope.toolConfig?.<tool>`). */
|
|
93
|
+
readonly config: Readonly<Record<string, unknown>>;
|
|
94
|
+
/** The resolved binary (path/layer/version). */
|
|
95
|
+
readonly binary: ResolvedBinary;
|
|
96
|
+
/** The config file path (when one was read), for provenance. */
|
|
97
|
+
readonly configPath?: string;
|
|
98
|
+
/** Resolve a host-owned artifact path under `.runtime/artifacts/<tool>/<runId>/<name>`. */
|
|
99
|
+
artifactPath(name: string): string;
|
|
100
|
+
}
|
|
101
|
+
/** A successfully resolved scanner binary. */
|
|
102
|
+
export interface ResolvedBinary {
|
|
103
|
+
readonly path: string;
|
|
104
|
+
readonly layer: BinaryResolutionLayer;
|
|
105
|
+
readonly version?: string;
|
|
106
|
+
}
|
|
107
|
+
/**
|
|
108
|
+
* One scanner command descriptor. The substrate owns the run loop; the author
|
|
109
|
+
* supplies args + (for non-SARIF) a `parse`.
|
|
110
|
+
*/
|
|
111
|
+
export interface ExternalCommandSpec {
|
|
112
|
+
/** The verb (`'scan'` is the conventional primary). */
|
|
113
|
+
readonly name: string;
|
|
114
|
+
readonly description?: string;
|
|
115
|
+
/** Build the scanner argv (no shell). */
|
|
116
|
+
readonly args: (ctx: AdapterRunContext) => readonly string[];
|
|
117
|
+
/** Where the scanner writes its native output. `path` is the artifact basename for file outputs. */
|
|
118
|
+
readonly output: {
|
|
119
|
+
readonly kind: ScannerOutputKind;
|
|
120
|
+
readonly path?: string;
|
|
121
|
+
};
|
|
122
|
+
/** The exit-code model. Defaults to `{ ok: [0], findings: [1], errorFrom: 2 }`. */
|
|
123
|
+
readonly exitCodes?: ScannerExitModel;
|
|
124
|
+
/**
|
|
125
|
+
* Native output → normalized signals. A `'sarif'` command MAY omit this — the
|
|
126
|
+
* substrate's shared `ingestSarif` handles it.
|
|
127
|
+
*/
|
|
128
|
+
readonly parse?: (raw: ParsedScannerOutput, ctx: AdapterRunContext) => readonly Signal[];
|
|
129
|
+
/** Optional raw-label → severity overrides consulted by the adapter's `parse`. */
|
|
130
|
+
readonly severityMap?: Readonly<Record<string, SignalSeverity>>;
|
|
131
|
+
/**
|
|
132
|
+
* A3: declare how THIS scanner excludes a directory from its walk, so the
|
|
133
|
+
* substrate can keep it from re-scanning opensip's own persisted reports under
|
|
134
|
+
* `.runtime/` (which would mint a net-new fingerprint every run and permanently
|
|
135
|
+
* degrade `--gate-compare`). The substrate calls this with `excludePath` set to
|
|
136
|
+
* the project's `.runtime` dir and appends the returned `args` to the scanner
|
|
137
|
+
* argv — so every adapter inherits the guard WITHOUT a user-facing flag (the
|
|
138
|
+
* mounted command's options are unchanged; the manifest does not regen).
|
|
139
|
+
*
|
|
140
|
+
* Scanners spell exclusion differently: trivy `--skip-dirs <path>`; gitleaks has
|
|
141
|
+
* NO CLI path-exclude and needs a `--config` allowlist file, so this may also
|
|
142
|
+
* return a `configFile` — the substrate writes it (through the host `writeArtifact`
|
|
143
|
+
* seam, never a raw substrate fs write) into the per-run dir via `configPath(name)`
|
|
144
|
+
* and the `args` reference it. A scanner that only parses recognized lockfiles
|
|
145
|
+
* (osv-scanner) never re-detects a JSON report and may omit this entirely.
|
|
146
|
+
*
|
|
147
|
+
* VERIFY-against-installed-binary: the exact exclude-flag / config semantics per
|
|
148
|
+
* scanner version.
|
|
149
|
+
*/
|
|
150
|
+
readonly excludeScan?: (input: {
|
|
151
|
+
/** Absolute path the scanner must NOT walk (the project `.runtime` dir). */
|
|
152
|
+
readonly excludePath: string;
|
|
153
|
+
/** Compose a per-run artifact path for an ephemeral config file. */
|
|
154
|
+
readonly configPath: (name: string) => string;
|
|
155
|
+
}) => {
|
|
156
|
+
/** Extra scanner argv appended verbatim (e.g. `['--skip-dirs', excludePath]`). */
|
|
157
|
+
readonly args?: readonly string[];
|
|
158
|
+
/** An ephemeral config the substrate writes (host seam) before the scan. */
|
|
159
|
+
readonly configFile?: {
|
|
160
|
+
readonly path: string;
|
|
161
|
+
readonly contents: string;
|
|
162
|
+
};
|
|
163
|
+
};
|
|
164
|
+
}
|
|
165
|
+
/**
|
|
166
|
+
* The fingerprint strategy choice (ADR-0091 §4.5). `message-hash` is the adapter
|
|
167
|
+
* default (line-shift tolerant — scanner output is line-volatile). Stamped
|
|
168
|
+
* worker-side when the envelope is built; the host ratchet only reads
|
|
169
|
+
* `signal.fingerprint`.
|
|
170
|
+
*/
|
|
171
|
+
export type FingerprintStrategyChoice = 'message-hash' | 'rule-location';
|
|
172
|
+
/** The author surface of {@link defineExternalToolAdapter}. */
|
|
173
|
+
export interface ExternalToolAdapterSpec {
|
|
174
|
+
readonly identity: ToolIdentity;
|
|
175
|
+
readonly metadata: {
|
|
176
|
+
/** Stable UUID (ADR-0048). */
|
|
177
|
+
readonly id: string;
|
|
178
|
+
readonly description: string;
|
|
179
|
+
/** Package version stamped into the Tool metadata + provenance. Defaults to `'0.0.0'`. */
|
|
180
|
+
readonly version?: string;
|
|
181
|
+
/** npm package name for provenance (e.g. `'@opensip-cli/tool-gitleaks'`). */
|
|
182
|
+
readonly adapterPackage?: string;
|
|
183
|
+
};
|
|
184
|
+
readonly binary: BinarySpec;
|
|
185
|
+
readonly network: NetworkPosture;
|
|
186
|
+
readonly commands: readonly ExternalCommandSpec[];
|
|
187
|
+
/** Adapter default `'message-hash'` (ADR-0091 §4.5). */
|
|
188
|
+
readonly fingerprintStrategy?: FingerprintStrategyChoice;
|
|
189
|
+
/**
|
|
190
|
+
* Optional namespaced config contribution. OMIT it for the standard behaviour:
|
|
191
|
+
* the substrate DEFAULTS to a claimed namespace ({@link defaultAdapterConfigSchema}
|
|
192
|
+
* — the `binaries.<tool>.path` operator pin + the reserved verdict-policy keys),
|
|
193
|
+
* so the binary pin resolves and the gate thresholds are configurable like a
|
|
194
|
+
* bundled tool. Supply a custom contribution only to claim extra keys; doing so
|
|
195
|
+
* opts out of the auto-generated static config descriptor (its validation then
|
|
196
|
+
* defers entirely to the worker deep pass).
|
|
197
|
+
*/
|
|
198
|
+
readonly config?: Omit<ToolConfigContribution, 'namespace'>;
|
|
199
|
+
/** Optional per-tool contract version marker (ADR-0046). */
|
|
200
|
+
readonly contractVersion?: string;
|
|
201
|
+
}
|
|
202
|
+
/** Adapter provenance stamped onto every signal's `metadata.provenance` (ADR-0090 §8). */
|
|
203
|
+
export interface AdapterProvenance {
|
|
204
|
+
readonly tool: string;
|
|
205
|
+
readonly adapterPackage?: string;
|
|
206
|
+
readonly binaryPath: string;
|
|
207
|
+
readonly binaryVersion?: string;
|
|
208
|
+
readonly args: readonly string[];
|
|
209
|
+
readonly configPath?: string;
|
|
210
|
+
}
|
|
211
|
+
/**
|
|
212
|
+
* A serializable command shell — the data a generator writes into an adapter's
|
|
213
|
+
* `package.json#opensipTools.commands` so the static manifest matches the
|
|
214
|
+
* runtime `commandSpecs` (the `assertCommandNamesMatch` parity mechanism).
|
|
215
|
+
*/
|
|
216
|
+
export interface ManifestCommandShell {
|
|
217
|
+
readonly name: string;
|
|
218
|
+
readonly description: string;
|
|
219
|
+
readonly aliases: readonly string[];
|
|
220
|
+
readonly commonFlags: readonly string[];
|
|
221
|
+
/** Tool-specific options (e.g. the gate flags), MINUS the non-serializable `parse` closure. */
|
|
222
|
+
readonly options?: readonly ManifestOptionDescriptor[];
|
|
223
|
+
readonly scope: 'project' | 'none';
|
|
224
|
+
readonly output: string;
|
|
225
|
+
readonly parent?: string;
|
|
226
|
+
readonly rawStreamReason?: string;
|
|
227
|
+
}
|
|
228
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,MAAM,EACN,wBAAwB,EACxB,MAAM,EACN,cAAc,EACd,sBAAsB,EACtB,YAAY,EACb,MAAM,mBAAmB,CAAC;AAE3B;;;;;;;;;GASG;AACH,MAAM,MAAM,cAAc,GAAG,YAAY,GAAG,WAAW,GAAG,eAAe,CAAC;AAE1E,0DAA0D;AAC1D,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;AAE5D;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/B,yDAAyD;IACzD,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,6FAA6F;IAC7F,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAE9D,sCAAsC;AACtC,MAAM,WAAW,UAAU;IACzB,4CAA4C;IAC5C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mFAAmF;IACnF,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,oFAAoF;IACpF,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,CAAC;IACnD,8DAA8D;IAC9D,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,uDAAuD;IACvD,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,OAAO,CAAC,qBAAqB,EAAE,KAAK,CAAC,EAAE,CAAC;IACvE;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,sFAAsF;IACtF,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,sEAAsE;AACtE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;IACjC,wDAAwD;IACxD,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,iFAAiF;IACjF,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC,kDAAkD;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,+DAA+D;IAC/D,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,4DAA4D;IAC5D,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,qEAAqE;IACrE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,oCAAoC;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,oFAAoF;IACpF,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,gDAAgD;IAChD,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,gEAAgE;IAChE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,2FAA2F;IAC3F,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;CACpC;AAED,8CAA8C;AAC9C,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,qBAAqB,CAAC;IACtC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,yCAAyC;IACzC,QAAQ,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,SAAS,MAAM,EAAE,CAAC;IAC7D,oGAAoG;IACpG,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;QAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC9E,mFAAmF;IACnF,QAAQ,CAAC,SAAS,CAAC,EAAE,gBAAgB,CAAC;IACtC;;;OAGG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,mBAAmB,EAAE,GAAG,EAAE,iBAAiB,KAAK,SAAS,MAAM,EAAE,CAAC;IACzF,kFAAkF;IAClF,QAAQ,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAChE;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE;QAC7B,4EAA4E;QAC5E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;QAC7B,oEAAoE;QACpE,QAAQ,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;KAC/C,KAAK;QACJ,kFAAkF;QAClF,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;QAClC,4EAA4E;QAC5E,QAAQ,CAAC,UAAU,CAAC,EAAE;YAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;SAAE,CAAC;KAC5E,CAAC;CACH;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,cAAc,GAAG,eAAe,CAAC;AAEzE,+DAA+D;AAC/D,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE;QACjB,8BAA8B;QAC9B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;QAC7B,0FAA0F;QAC1F,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAC1B,6EAA6E;QAC7E,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;KAClC,CAAC;IACF,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;IACjC,QAAQ,CAAC,QAAQ,EAAE,SAAS,mBAAmB,EAAE,CAAC;IAClD,wDAAwD;IACxD,QAAQ,CAAC,mBAAmB,CAAC,EAAE,yBAAyB,CAAC;IACzD;;;;;;;;OAQG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,sBAAsB,EAAE,WAAW,CAAC,CAAC;IAC5D,4DAA4D;IAC5D,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;CACnC;AAED,0FAA0F;AAC1F,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,WAAW,EAAE,SAAS,MAAM,EAAE,CAAC;IACxC,+FAA+F;IAC/F,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,wBAAwB,EAAE,CAAC;IACvD,QAAQ,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM,CAAC;IACnC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;CACnC"}
|
package/dist/types.js
ADDED
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Shared contract types for the External Tool Adapter substrate
|
|
3
|
+
* (ADR-0090 / ADR-0091 / ADR-0092).
|
|
4
|
+
*
|
|
5
|
+
* An "external tool adapter" wraps a user-installed CLI scanner (gitleaks,
|
|
6
|
+
* osv-scanner, trivy, …) as an ordinary opensip-cli `Tool`. The author declares
|
|
7
|
+
* identity + a binary + per-command descriptors; the substrate owns the run
|
|
8
|
+
* loop (resolve → execFile → capture → interpret exit → ingest → normalize →
|
|
9
|
+
* persist), the standardized `doctor`/`version` commands, and provenance.
|
|
10
|
+
*
|
|
11
|
+
* These are pure data shapes — no runtime, no IO — so the file is a kernel-safe
|
|
12
|
+
* type surface the rest of the substrate imports.
|
|
13
|
+
*/
|
|
14
|
+
export {};
|
|
15
|
+
//# sourceMappingURL=types.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG"}
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview The standardized `version` command (ADR-0090 §4.9).
|
|
3
|
+
*
|
|
4
|
+
* Resolves + probes the wrapped binary and prints its version (and path).
|
|
5
|
+
* Output mode `raw-stream`/`'diagnostic-gate'` for the same reason as `doctor`
|
|
6
|
+
* (a structured `--json` shape AND a human line): the handler owns its output.
|
|
7
|
+
* The probe runs worker-side for an installed adapter.
|
|
8
|
+
*/
|
|
9
|
+
import type { DoctorProbeDeps } from './doctor-command.js';
|
|
10
|
+
import type { BinaryResolutionLayer, BinarySpec } from './types.js';
|
|
11
|
+
import type { ToolCliContext, ToolCommandSpecInput } from '@opensip-cli/core';
|
|
12
|
+
/** The structured payload `version --json` emits. */
|
|
13
|
+
export interface AdapterVersionReport {
|
|
14
|
+
readonly tool: string;
|
|
15
|
+
readonly found: boolean;
|
|
16
|
+
readonly command: string;
|
|
17
|
+
readonly path?: string;
|
|
18
|
+
readonly layer?: BinaryResolutionLayer;
|
|
19
|
+
readonly version?: string;
|
|
20
|
+
}
|
|
21
|
+
/** The inputs to {@link probeVersionReport}: the tool identity, binary spec, and resolved config. */
|
|
22
|
+
export interface VersionProbeInput {
|
|
23
|
+
readonly tool: string;
|
|
24
|
+
readonly binary: BinarySpec;
|
|
25
|
+
readonly config: Readonly<Record<string, unknown>>;
|
|
26
|
+
}
|
|
27
|
+
/** Resolve + probe the binary into an {@link AdapterVersionReport}. Pure given deps. */
|
|
28
|
+
export declare function probeVersionReport(input: VersionProbeInput, deps: DoctorProbeDeps): AdapterVersionReport;
|
|
29
|
+
/** The inputs to {@link buildVersionCommand}: the tool identity and binary spec. */
|
|
30
|
+
export interface VersionCommandInput {
|
|
31
|
+
readonly tool: string;
|
|
32
|
+
readonly binary: BinarySpec;
|
|
33
|
+
}
|
|
34
|
+
/** Build the nested `version` command (prints the resolved binary version). */
|
|
35
|
+
export declare function buildVersionCommand(input: VersionCommandInput, probeDeps?: DoctorProbeDeps): ToolCommandSpecInput<unknown, ToolCliContext>;
|
|
36
|
+
//# sourceMappingURL=version-command.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"version-command.d.ts","sourceRoot":"","sources":["../src/version-command.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACpE,OAAO,KAAK,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAI9E,qDAAqD;AACrD,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,CAAC,EAAE,qBAAqB,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAQD,qGAAqG;AACrG,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACpD;AAED,wFAAwF;AACxF,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,iBAAiB,EACxB,IAAI,EAAE,eAAe,GACpB,oBAAoB,CAyBtB;AAED,oFAAoF;AACpF,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;CAC7B;AAED,+EAA+E;AAC/E,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,mBAAmB,EAC1B,SAAS,CAAC,EAAE,eAAe,GAC1B,oBAAoB,CAAC,OAAO,EAAE,cAAc,CAAC,CA8B/C"}
|