@vyuhlabs/dxkit 2.10.0 → 2.11.0

Files changed (109)
  1. package/CHANGELOG.md +98 -0
  2. package/dist/allowlist/cli.d.ts +23 -23
  3. package/dist/allowlist/cli.d.ts.map +1 -1
  4. package/dist/allowlist/cli.js +72 -34
  5. package/dist/allowlist/cli.js.map +1 -1
  6. package/dist/allowlist/file.d.ts +7 -1
  7. package/dist/allowlist/file.d.ts.map +1 -1
  8. package/dist/allowlist/file.js +7 -1
  9. package/dist/allowlist/file.js.map +1 -1
  10. package/dist/analysis-result.d.ts +10 -0
  11. package/dist/analysis-result.d.ts.map +1 -1
  12. package/dist/analyzers/cache.d.ts +1 -0
  13. package/dist/analyzers/cache.d.ts.map +1 -1
  14. package/dist/analyzers/cache.js +69 -0
  15. package/dist/analyzers/cache.js.map +1 -1
  16. package/dist/analyzers/security/aggregator.d.ts +90 -90
  17. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  18. package/dist/analyzers/security/aggregator.js +140 -56
  19. package/dist/analyzers/security/aggregator.js.map +1 -1
  20. package/dist/analyzers/security/gather.d.ts +2 -0
  21. package/dist/analyzers/security/gather.d.ts.map +1 -1
  22. package/dist/analyzers/security/gather.js +30 -4
  23. package/dist/analyzers/security/gather.js.map +1 -1
  24. package/dist/analyzers/security/types.d.ts +29 -7
  25. package/dist/analyzers/security/types.d.ts.map +1 -1
  26. package/dist/analyzers/tools/fingerprint.d.ts +133 -20
  27. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  28. package/dist/analyzers/tools/fingerprint.js +194 -20
  29. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  30. package/dist/analyzers/tools/gitleaks.d.ts +2 -2
  31. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  32. package/dist/analyzers/tools/gitleaks.js +7 -1
  33. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  34. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  35. package/dist/analyzers/tools/graphify.js +28 -0
  36. package/dist/analyzers/tools/graphify.js.map +1 -1
  37. package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
  38. package/dist/analyzers/tools/grep-secrets.js +22 -12
  39. package/dist/analyzers/tools/grep-secrets.js.map +1 -1
  40. package/dist/analyzers/tools/salt.d.ts +68 -0
  41. package/dist/analyzers/tools/salt.d.ts.map +1 -0
  42. package/dist/{baseline → analyzers/tools}/salt.js +59 -18
  43. package/dist/analyzers/tools/salt.js.map +1 -0
  44. package/dist/analyzers/tools/semgrep.d.ts +7 -7
  45. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  46. package/dist/analyzers/tools/semgrep.js +14 -7
  47. package/dist/analyzers/tools/semgrep.js.map +1 -1
  48. package/dist/analyzers/tools/tool-registry.js +4 -4
  49. package/dist/baseline/baseline-file.d.ts +9 -2
  50. package/dist/baseline/baseline-file.d.ts.map +1 -1
  51. package/dist/baseline/baseline-file.js.map +1 -1
  52. package/dist/baseline/check-renderers.d.ts.map +1 -1
  53. package/dist/baseline/check-renderers.js +14 -0
  54. package/dist/baseline/check-renderers.js.map +1 -1
  55. package/dist/baseline/check.d.ts +33 -0
  56. package/dist/baseline/check.d.ts.map +1 -1
  57. package/dist/baseline/check.js +78 -2
  58. package/dist/baseline/check.js.map +1 -1
  59. package/dist/baseline/create.d.ts +1 -1
  60. package/dist/baseline/create.d.ts.map +1 -1
  61. package/dist/baseline/create.js +3 -1
  62. package/dist/baseline/create.js.map +1 -1
  63. package/dist/baseline/finding-identity.d.ts +20 -13
  64. package/dist/baseline/finding-identity.d.ts.map +1 -1
  65. package/dist/baseline/finding-identity.js +51 -20
  66. package/dist/baseline/finding-identity.js.map +1 -1
  67. package/dist/baseline/migrate.d.ts +94 -0
  68. package/dist/baseline/migrate.d.ts.map +1 -0
  69. package/dist/baseline/migrate.js +238 -0
  70. package/dist/baseline/migrate.js.map +1 -0
  71. package/dist/baseline/producers/security.d.ts +9 -9
  72. package/dist/baseline/producers/security.d.ts.map +1 -1
  73. package/dist/baseline/producers/security.js +16 -4
  74. package/dist/baseline/producers/security.js.map +1 -1
  75. package/dist/baseline/types.d.ts +145 -95
  76. package/dist/baseline/types.d.ts.map +1 -1
  77. package/dist/baseline/types.js +30 -26
  78. package/dist/baseline/types.js.map +1 -1
  79. package/dist/explore/finding-context.d.ts +17 -0
  80. package/dist/explore/finding-context.d.ts.map +1 -1
  81. package/dist/explore/finding-context.js +34 -0
  82. package/dist/explore/finding-context.js.map +1 -1
  83. package/dist/explore/queries.d.ts +32 -15
  84. package/dist/explore/queries.d.ts.map +1 -1
  85. package/dist/explore/queries.js +36 -6
  86. package/dist/explore/queries.js.map +1 -1
  87. package/dist/ingest/normalize.d.ts +1 -1
  88. package/dist/ingest/normalize.d.ts.map +1 -1
  89. package/dist/ingest/normalize.js +5 -1
  90. package/dist/ingest/normalize.js.map +1 -1
  91. package/dist/ingest/sarif.d.ts.map +1 -1
  92. package/dist/ingest/sarif.js +16 -7
  93. package/dist/ingest/sarif.js.map +1 -1
  94. package/dist/ingest/types.d.ts +23 -12
  95. package/dist/ingest/types.d.ts.map +1 -1
  96. package/dist/languages/capabilities/types.d.ts +64 -53
  97. package/dist/languages/capabilities/types.d.ts.map +1 -1
  98. package/dist/languages/capabilities/types.js +4 -4
  99. package/dist/update.d.ts.map +1 -1
  100. package/dist/update.js +49 -0
  101. package/dist/update.js.map +1 -1
  102. package/dist/upgrade.d.ts.map +1 -1
  103. package/dist/upgrade.js +2 -1
  104. package/dist/upgrade.js.map +1 -1
  105. package/package.json +6 -3
  106. package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
  107. package/dist/baseline/salt.d.ts +0 -45
  108. package/dist/baseline/salt.d.ts.map +0 -1
  109. package/dist/baseline/salt.js.map +0 -1
@@ -9,20 +9,20 @@
9
9
  * identity." Each finding has up to several fingerprint axes,
10
10
  * differentiated by what they capture:
11
11
  *
12
- * - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
13
- * for code/secret/config/hygiene findings. Locates a finding
14
- * in the source tree with ±2 line drift tolerance via bucket
15
- * windowing. Stable across small reformat / whitespace edits;
16
- * drifts on bigger shifts (closed by git-aware match).
17
- * - **Domain fingerprint** — `(package, version, advisoryId)` for
18
- * dep-vulns; `(package, version, licenseType)` for licenses;
19
- * normalized block hash for jscpd. Captures *what the finding
20
- * is about* independent of source position. Drift-immune.
21
- * - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
22
- * when a symbol is known. Survives any vertical drift within
23
- * the symbol body.
24
- * - **Content fingerprint** — Sprint 0.x. Normalized snippet
25
- * hash; fallback when git history is unreachable.
12
+ * - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
13
+ * for code/secret/config/hygiene findings. Locates a finding
14
+ * in the source tree with ±2 line drift tolerance via bucket
15
+ * windowing. Stable across small reformat / whitespace edits;
16
+ * drifts on bigger shifts (closed by git-aware match).
17
+ * - **Domain fingerprint** — `(package, version, advisoryId)` for
18
+ * dep-vulns; `(package, version, licenseType)` for licenses;
19
+ * normalized block hash for jscpd. Captures *what the finding
20
+ * is about* independent of source position. Drift-immune.
21
+ * - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
22
+ * when a symbol is known. Survives any vertical drift within
23
+ * the symbol body.
24
+ * - **Content fingerprint** — Sprint 0.x. Normalized snippet
25
+ * hash; fallback when git history is unreachable.
26
26
  *
27
27
  * The hash format is identical across axes — 16-char lowercase hex
28
28
  * (SHA-1[0:16]). Callers don't need to know which axis a hash came
@@ -34,18 +34,18 @@
34
34
  * findings. Each `IdentityInput` discriminant maps 1:1 to an existing
35
35
  * gather pipeline:
36
36
  *
37
- * - `secret` / `code` / `config` — security analyzer's
38
- * `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
39
- * private-key files, env-in-git).
40
- * - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
41
- * npm-audit, pip-audit, cargo-audit, etc.).
42
- * - `duplication` — quality analyzer's `CloneGroup` (jscpd).
43
- * - `coverage-gap` — coverage-gap report entries (file + symbol
44
- * when available, fallback to file + line range).
45
- * - `test-gap` — non-test source files flagged by the test-gaps
46
- * analyzer.
47
- * - `hygiene` — TODO / FIXME / HACK / console-log / any-type
48
- * occurrences (per-occurrence identity).
37
+ * - `secret` / `code` / `config` — security analyzer's
38
+ * `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
39
+ * private-key files, env-in-git).
40
+ * - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
41
+ * npm-audit, pip-audit, cargo-audit, etc.).
42
+ * - `duplication` — quality analyzer's `CloneGroup` (jscpd).
43
+ * - `coverage-gap` — coverage-gap report entries (file + symbol
44
+ * when available, fallback to file + line range).
45
+ * - `test-gap` — non-test source files flagged by the test-gaps
46
+ * analyzer.
47
+ * - `hygiene` — TODO / FIXME / HACK / console-log / any-type
48
+ * occurrences (per-occurrence identity).
49
49
  *
50
50
  * License attributions are NOT a baseline finding kind. They live in
51
51
  * the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
@@ -67,38 +67,76 @@
67
67
  */
68
68
  export type FindingId = string;
69
69
  /**
70
- * Identity-scheme version. Bumping this minor field will be required
71
- * if the hashing inputs change in a way that would invalidate stored
72
- * baselines. v1 is the only scheme today.
70
+ * Identity-scheme version. Bumped whenever the hashing inputs change in a
71
+ * way that would invalidate stored baselines / allowlists.
72
+ *
73
+ * - `v1` — the pre-2.11 scheme: code/secret/config hashed
74
+ * `(canonicalRule, file, lineWindow)`; dep-vuln hashed
75
+ * `(package, installedVersion, id)`.
76
+ * - `v2` (current) — content-anchored: code = `(scope, spanHash,
77
+ * ordinal)`, secret = salted HMAC, config = `(rule, file)`, all with
78
+ * a line-window fallback; dep-vuln = `(package, canonicalAdvisoryId)`.
79
+ *
80
+ * `identityFor` can compute EITHER scheme (every shipped scheme's id
81
+ * function is retained — see `computeFingerprintV1`), which is what lets
82
+ * the identity migrator build an `old → new` remap and carry allowlist
83
+ * entries across an upgrade. The version is stamped on the baseline +
84
+ * allowlist files so a later dxkit can detect the gap and migrate.
85
+ *
86
+ * Adding a future `v3`: extend this union, add its branch in
87
+ * `identityFor`, retain the prior scheme's id function, and the migrator
88
+ * + `update` handle the rest with no further wiring.
73
89
  */
74
- export type IdentitySchemeVersion = 'v1';
90
+ export type IdentitySchemeVersion = 'v1' | 'v2';
91
+ /** The scheme `identityFor` mints new identities under by default, and the
92
+ * version stamped on freshly written baseline / allowlist files. */
93
+ export declare const CURRENT_IDENTITY_SCHEME: IdentitySchemeVersion;
75
94
  /**
76
95
  * Discriminated union of every finding kind that participates in
77
96
  * identity. Producers wrap their per-tool finding shape into one of
78
97
  * these before calling `identityFor`.
79
98
  *
80
99
  * Adding a new finding kind to the dispatch is a three-line change:
81
- * 1. Add the per-kind interface below.
82
- * 2. Append the interface name to this union.
83
- * 3. Add the corresponding case branch in `identityFor`.
100
+ * 1. Add the per-kind interface below.
101
+ * 2. Append the interface name to this union.
102
+ * 3. Add the corresponding case branch in `identityFor`.
84
103
  *
85
104
  * The hash format is SHA-1[0:16] across every kind — callers store
86
105
  * identities in one flat set without tracking provenance.
87
106
  */
88
107
  export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput | StaleAllowIdentityInput;
108
+ /**
109
+ * Content anchor for the secret/code/config identity schemes.
110
+ * Derived from WHAT a finding is, not WHERE it sits, so identity
111
+ * survives the finding moving lines:
112
+ * - secret → salted HMAC of the value (`computeSecretHmac`).
113
+ * - code → `codeContentAnchor(scope, span, ordinal)` — enclosing
114
+ * symbol + normalized-span hash + in-scope ordinal.
115
+ * - config → `''` (identity is just `(canonicalRule, file)`; a config
116
+ * finding is inherently line-independent).
117
+ *
118
+ * Optional: when absent, `identityFor` falls back to the legacy
119
+ * line-window hash; when present, the dispatch prefers this anchor and
120
+ * `line` becomes display metadata only.
121
+ */
122
+ export type ContentAnchor = string;
89
123
  /** gitleaks + private-key files + similar secret detectors. */
90
124
  export interface SecretIdentityInput {
91
125
  readonly kind: 'secret';
92
126
  /** Producer tool name as reported by the analyzer (e.g. 'gitleaks'). */
93
127
  readonly tool: string;
94
128
  /** Producer-specific rule id. The canonical-rule map collapses
95
- * cross-tool overlaps where they exist. */
129
+ * cross-tool overlaps where they exist. */
96
130
  readonly rule: string;
97
131
  /** Project-relative file path. */
98
132
  readonly file: string;
99
133
  /** 1-based line number. Bucketed to absorb small drift between
100
- * tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. */
134
+ * tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. Display metadata
135
+ * once `contentAnchor` is present. */
101
136
  readonly line: number;
137
+ /** Salted HMAC of the secret value (Content anchor). Present when
138
+ * the gather could derive a salt; absent → line-based fallback. */
139
+ readonly contentAnchor?: ContentAnchor;
102
140
  }
103
141
  /** semgrep + TLS-bypass registry + per-language code-pattern providers. */
104
142
  export interface CodeIdentityInput {
@@ -107,6 +145,9 @@ export interface CodeIdentityInput {
107
145
  readonly rule: string;
108
146
  readonly file: string;
109
147
  readonly line: number;
148
+ /** `codeContentAnchor(scope, span, ordinal)`. Present when the
149
+ * aggregator could resolve a span/scope; absent → line-based fallback. */
150
+ readonly contentAnchor?: ContentAnchor;
110
151
  }
111
152
  /** Configuration-class findings (e.g. .env tracked in git). */
112
153
  export interface ConfigIdentityInput {
@@ -116,6 +157,9 @@ export interface ConfigIdentityInput {
116
157
  readonly file: string;
117
158
  /** Line 0 acceptable for whole-file findings. */
118
159
  readonly line: number;
160
+ /** `''` for config (identity is `(canonicalRule, file)`). Carried for
161
+ * uniformity with the other code-side inputs. */
162
+ readonly contentAnchor?: ContentAnchor;
119
163
  }
120
164
  /** Dependency-advisory findings (osv-scanner / npm-audit / pip-audit / ...). */
121
165
  export interface DepVulnIdentityInput {
@@ -123,28 +167,34 @@ export interface DepVulnIdentityInput {
123
167
  /** Package name as reported by the producer. */
124
168
  readonly package: string;
125
169
  /** Installed version string, when known. Absent for findings produced
126
- * without an accessible lockfile. */
170
+ * without an accessible lockfile. Display metadata only — NOT part of
171
+ * the fingerprint (it's environment-dependent; see
172
+ * `computeFingerprint`). */
127
173
  readonly installedVersion: string | undefined;
128
174
  /** Advisory id (GHSA / CVE / RUSTSEC / etc.). Producer-canonical. */
129
175
  readonly id: string;
176
+ /** Cross-namespace aliases (CVE / GHSA / OSV / SNYK …) the producer
177
+ * surfaced. Used to canonicalize identity so the same advisory found
178
+ * by different scanners shares one fingerprint. */
179
+ readonly aliases?: readonly string[];
130
180
  }
131
181
  /** jscpd-style duplicate-block findings. */
132
182
  export interface DuplicationIdentityInput {
133
183
  readonly kind: 'duplication';
134
184
  /** Files on each side of the duplicate pair. Order is normalized
135
- * inside `identityFor` so swapped sides hash identically. */
185
+ * inside `identityFor` so swapped sides hash identically. */
136
186
  readonly fileA: string;
137
187
  readonly fileB: string;
138
188
  /** Line count of the duplicated block. `lines` is preferred over
139
- * the `tokens` field jscpd also reports because jscpd's JSON
140
- * reporter does not populate `tokens` in practice — it's always
141
- * 0, which would degenerate the identity tuple and silently lose
142
- * the "block-size changes → identity changes" property. */
189
+ * the `tokens` field jscpd also reports because jscpd's JSON
190
+ * reporter does not populate `tokens` in practice — it's always
191
+ * 0, which would degenerate the identity tuple and silently lose
192
+ * the "block-size changes → identity changes" property. */
143
193
  readonly lines: number;
144
194
  /** Start line of the block on side A. Combined with `startLineB`
145
- * this distinguishes intra-file clones at different positions
146
- * (same `fileA === fileB`, different line ranges) which would
147
- * otherwise collapse to one identity. */
195
+ * this distinguishes intra-file clones at different positions
196
+ * (same `fileA === fileB`, different line ranges) which would
197
+ * otherwise collapse to one identity. */
148
198
  readonly startLineA: number;
149
199
  /** Start line of the block on side B. */
150
200
  readonly startLineB: number;
@@ -159,11 +209,11 @@ export interface CoverageGapIdentityInput {
159
209
  readonly kind: 'coverage-gap';
160
210
  readonly file: string;
161
211
  /** Function / method / class symbol. Present when the gap is
162
- * attributable to a named symbol; absent for line-range-only
163
- * attribution. */
212
+ * attributable to a named symbol; absent for line-range-only
213
+ * attribution. */
164
214
  readonly symbol?: string;
165
215
  /** Inclusive `[startLine, endLine]`. Required when `symbol` is
166
- * absent. */
216
+ * absent. */
167
217
  readonly lineRange?: readonly [number, number];
168
218
  }
169
219
  /**
@@ -233,9 +283,9 @@ export interface StaleFileIdentityInput {
233
283
  readonly kind: 'stale-file';
234
284
  readonly file: string;
235
285
  /** Lower-case suffix without the leading dot (`'swp'`, `'bak'`,
236
- * `'orig'`, `'tmp'`). The producer derives this from the file
237
- * extension; storing it in identity makes the reason for the
238
- * flag inspectable from the baseline alone. */
286
+ * `'orig'`, `'tmp'`). The producer derives this from the file
287
+ * extension; storing it in identity makes the reason for the
288
+ * flag inspectable from the baseline alone. */
239
289
  readonly suffix: string;
240
290
  }
241
291
  /**
@@ -277,8 +327,8 @@ export interface SecretHmacIdentityInput {
277
327
  /** Producer tool name (e.g. 'gitleaks'). */
278
328
  readonly tool: string;
279
329
  /** Producer-specific rule id. The canonical-rule map applies here
280
- * too: two tools detecting the same secret class collapse to one
281
- * canonical rule. */
330
+ * too: two tools detecting the same secret class collapse to one
331
+ * canonical rule. */
282
332
  readonly rule: string;
283
333
  /** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
284
334
  readonly hmac: string;
@@ -304,9 +354,9 @@ export interface StaleAllowIdentityInput {
304
354
  readonly file: string;
305
355
  readonly line: number;
306
356
  /** The category named in the orphaned annotation. Free-form
307
- * string at identity-input level (the canonical
308
- * `AllowlistCategory` union lives in `src/allowlist/categories.ts`
309
- * to avoid a cross-module import here in the baseline types). */
357
+ * string at identity-input level (the canonical
358
+ * `AllowlistCategory` union lives in `src/allowlist/categories.ts`
359
+ * to avoid a cross-module import here in the baseline types). */
310
360
  readonly category: string;
311
361
  }
312
362
  /**
@@ -324,18 +374,18 @@ export type BaselineEntry = {
324
374
  file: string;
325
375
  line: number;
326
376
  /** 16-char hex hash of normalized context around `line` at
327
- * baseline-create time. Stamped via `computeContentHashFromCommit`;
328
- * the matcher's third pass uses it as a fallback when git-aware
329
- * location matching fails (shallow clones, force-pushed base,
330
- * context survives but line shifts past the fuzz window). Absent
331
- * when the producer couldn't read the file. */
377
+ * baseline-create time. Stamped via `computeContentHashFromCommit`;
378
+ * the matcher's third pass uses it as a fallback when git-aware
379
+ * location matching fails (shallow clones, force-pushed base,
380
+ * context survives but line shifts past the fuzz window). Absent
381
+ * when the producer couldn't read the file. */
332
382
  contentHash?: string;
333
383
  /** Fingerprints of cross-tool / neighbor-bucket / CWE-bridge
334
- * findings that the aggregator collapsed into this one. Carried
335
- * so an allowlist entry keyed on a contributing fingerprint still
336
- * suppresses the merged finding — robust matching against dedup
337
- * nondeterminism between runs. Present only when such a merge
338
- * fired. */
384
+ * findings that the aggregator collapsed into this one. Carried
385
+ * so an allowlist entry keyed on a contributing fingerprint still
386
+ * suppresses the merged finding — robust matching against dedup
387
+ * nondeterminism between runs. Present only when such a merge
388
+ * fired. */
339
389
  absorbedFingerprints?: readonly string[];
340
390
  } | {
341
391
  id: FindingId;
@@ -369,8 +419,8 @@ export type BaselineEntry = {
369
419
  line: number;
370
420
  marker: HygieneMarker;
371
421
  /** Same content-hash semantics as the secret/code/config variant
372
- * — populated when the producer can read the file at the
373
- * baseline commit. */
422
+ * — populated when the producer can read the file at the
423
+ * baseline commit. */
374
424
  contentHash?: string;
375
425
  } | {
376
426
  id: FindingId;
@@ -444,17 +494,17 @@ export interface SanitizedBaselineEntry {
444
494
  * the prose and use the codes for filtering / policy decisions.
445
495
  *
446
496
  * `priorId` and `currentId` are both optional because:
447
- * - `added` → only `currentId` is present.
448
- * - `removed` → only `priorId` is present.
449
- * - `persisted` / `relocated` → both, and they may differ when a
450
- * location fingerprint shifted across the line-window boundary
451
- * (each "side" has its own hash even though they describe the
452
- * same finding).
497
+ * - `added` → only `currentId` is present.
498
+ * - `removed` → only `priorId` is present.
499
+ * - `persisted` / `relocated` → both, and they may differ when a
500
+ * location fingerprint shifted across the line-window boundary
501
+ * (each "side" has its own hash even though they describe the
502
+ * same finding).
453
503
  */
454
504
  export type MatchStatus = 'persisted' | 'relocated' | 'added' | 'removed';
455
505
  export interface MatchReason {
456
506
  /** Short code: 'exact-id', 'git-line-exact', 'git-line-fuzz',
457
- * 'git-rename', 'multiset-occurrence'. */
507
+ * 'git-rename', 'multiset-occurrence'. */
458
508
  readonly code: string;
459
509
  /** Human-readable explanation suitable for end-user rendering. */
460
510
  readonly detail: string;
@@ -464,7 +514,7 @@ export interface MatchPair {
464
514
  readonly currentId?: FindingId;
465
515
  readonly status: MatchStatus;
466
516
  /** Confidence in [0, 1]. 1.0 = exact identity; <1.0 = paired via
467
- * a fallback layer (git relocation, line-fuzz, rename). */
517
+ * a fallback layer (git relocation, line-fuzz, rename). */
468
518
  readonly confidence: number;
469
519
  readonly reasons: ReadonlyArray<MatchReason>;
470
520
  }
@@ -479,26 +529,26 @@ export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low';
479
529
  * check can emit. Wider than `MatchStatus` because policy adds context
480
530
  * the matcher doesn't have:
481
531
  *
482
- * - `persisted` / `relocated` / `added` / `removed` — direct
483
- * pass-through of the matcher's pair status.
484
- * - `fixed` — a `removed` finding that the policy treats as a
485
- * positive event (resolution rather than disappearance). Today
486
- * this is informational only; Phase 3 distinguishes the two when
487
- * `--detailed` flags it.
488
- * - `newly_detected` — current-only finding that surfaced because
489
- * the scanner / ruleset / advisory DB / policy config changed,
490
- * not because a developer introduced new code. Parent category;
491
- * `tooling_drift` and `config_drift` are the specific subtypes.
492
- * - `tooling_drift` — scanner or advisory-db version differs
493
- * between baseline and current. Reclassified `added` is suspect.
494
- * - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
495
- * differs between runs.
496
- * - `probable_existing` — current-only with weak evidence it's
497
- * truly new (a prior near-match exists but didn't pair cleanly).
498
- * Reserved for the content-hash / semantic fallback layer in
499
- * Sprint 0.x.
500
- * - `uncertain` — confidence below the per-severity threshold;
501
- * the policy can't classify with conviction.
532
+ * - `persisted` / `relocated` / `added` / `removed` — direct
533
+ * pass-through of the matcher's pair status.
534
+ * - `fixed` — a `removed` finding that the policy treats as a
535
+ * positive event (resolution rather than disappearance). Today
536
+ * this is informational only; Phase 3 distinguishes the two when
537
+ * `--detailed` flags it.
538
+ * - `newly_detected` — current-only finding that surfaced because
539
+ * the scanner / ruleset / advisory DB / policy config changed,
540
+ * not because a developer introduced new code. Parent category;
541
+ * `tooling_drift` and `config_drift` are the specific subtypes.
542
+ * - `tooling_drift` — scanner or advisory-db version differs
543
+ * between baseline and current. Reclassified `added` is suspect.
544
+ * - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
545
+ * differs between runs.
546
+ * - `probable_existing` — current-only with weak evidence it's
547
+ * truly new (a prior near-match exists but didn't pair cleanly).
548
+ * Reserved for the content-hash / semantic fallback layer in
549
+ * Sprint 0.x.
550
+ * - `uncertain` — confidence below the per-severity threshold;
551
+ * the policy can't classify with conviction.
502
552
  *
503
553
  * The enum is the contract Phase 3's guardrail CLI reads. Today's
504
554
  * classifier emits a subset — the remaining states are reserved for
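Review bot: The new `ContentAnchor` comment in the `@@ -67,38 +67,76 @@` hunk says `identityFor` falls back to the line-window hash "when absent" and prefers the anchor "when present", yet the same comment (and the one on `ConfigIdentityInput.contentAnchor`) defines the config anchor as `''`, which is falsy in JavaScript. `identityFor` is not part of this file, so this is unverified, but if the dispatch tests truthiness instead of `!== undefined`, config findings would silently take the legacy line-based path and their baseline and allowlist ids would depend on line position again. I would pin the contract in the doc by adding `Presence means !== undefined; the empty string is a valid anchor.` to the `ContentAnchor` comment and repeating it on the config field. Separately, the `DepVulnIdentityInput` hunk takes `installedVersion` out of the fingerprint and adds producer-supplied `aliases`, so one allowlist entry now follows an advisory across version changes and across scanners; a sentence stating that this widening of a suppression's reach is intended would help whoever audits the allowlist.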
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;GAIG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEzC;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;gDAC4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;6DACyD;IACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;0CACsC;IACtC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;kEAC8D;IAC9D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;;gEAI4D;IAC5D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;8CAG0C;IAC1C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;kBACc;IACd,QAAQ,CAAC,SAAS,CAAC,EAAE,S
AAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;oDAGgD;IAChD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0BAEsB;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;sEAGkE;IAClE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;oDAKgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;iBAKa;IACb,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,g
BAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;2BAEuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACpF,sBAAsB,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,IAAI,EACT,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,UAAU,GACV,aAAa,GACb,cAAc,GACd,UAAU,GACV,SAAS,GACT,uBAAuB,GACvB,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,aAAa,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAA
M,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;gEAC4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG,IAAI,CAAC;AAEhD;qEACqE;AACrE,eAAO,MAAM,uBAAuB,EAAE,qBAA4B,CAAC;AAEnE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC;AAEnC,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0CAEsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;uEACmE;IACnE,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;8EAC0E;IAC1E,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;qDACiD;IACjD,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;gCAG4B;IAC5B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB;;uDAEmD;IACnD,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;iEAC6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,C
AAC;IACvB;;;;+DAI2D;IAC3D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;6CAGyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;sBAEkB;IAClB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;iBACa;IACb,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;mDAG+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;yBAEqB;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;qEAGiE;IACjE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IA
CE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;mDAK+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;gBAKY;IACZ,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;0BAEsB;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACpF,sBAAsB,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,IAAI,EACT,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,UAAU,GACV
,aAAa,GACb,cAAc,GACd,UAAU,GACV,SAAS,GACT,uBAAuB,GACvB,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,aAAa,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;8CAC0C;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;+DAC2D;IAC3D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
@@ -10,20 +10,20 @@
10
10
  * identity." Each finding has up to several fingerprint axes,
11
11
  * differentiated by what they capture:
12
12
  *
13
- * - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
14
- * for code/secret/config/hygiene findings. Locates a finding
15
- * in the source tree with ±2 line drift tolerance via bucket
16
- * windowing. Stable across small reformat / whitespace edits;
17
- * drifts on bigger shifts (closed by git-aware match).
18
- * - **Domain fingerprint** — `(package, version, advisoryId)` for
19
- * dep-vulns; `(package, version, licenseType)` for licenses;
20
- * normalized block hash for jscpd. Captures *what the finding
21
- * is about* independent of source position. Drift-immune.
22
- * - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
23
- * when a symbol is known. Survives any vertical drift within
24
- * the symbol body.
25
- * - **Content fingerprint** — Sprint 0.x. Normalized snippet
26
- * hash; fallback when git history is unreachable.
13
+ * - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
14
+ * for code/secret/config/hygiene findings. Locates a finding
15
+ * in the source tree with ±2 line drift tolerance via bucket
16
+ * windowing. Stable across small reformat / whitespace edits;
17
+ * drifts on bigger shifts (closed by git-aware match).
18
+ * - **Domain fingerprint** — `(package, version, advisoryId)` for
19
+ * dep-vulns; `(package, version, licenseType)` for licenses;
20
+ * normalized block hash for jscpd. Captures *what the finding
21
+ * is about* independent of source position. Drift-immune.
22
+ * - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
23
+ * when a symbol is known. Survives any vertical drift within
24
+ * the symbol body.
25
+ * - **Content fingerprint** — Sprint 0.x. Normalized snippet
26
+ * hash; fallback when git history is unreachable.
27
27
  *
28
28
  * The hash format is identical across axes — 16-char lowercase hex
29
29
  * (SHA-1[0:16]). Callers don't need to know which axis a hash came
@@ -35,18 +35,18 @@
35
35
  * findings. Each `IdentityInput` discriminant maps 1:1 to an existing
36
36
  * gather pipeline:
37
37
  *
38
- * - `secret` / `code` / `config` — security analyzer's
39
- * `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
40
- * private-key files, env-in-git).
41
- * - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
42
- * npm-audit, pip-audit, cargo-audit, etc.).
43
- * - `duplication` — quality analyzer's `CloneGroup` (jscpd).
44
- * - `coverage-gap` — coverage-gap report entries (file + symbol
45
- * when available, fallback to file + line range).
46
- * - `test-gap` — non-test source files flagged by the test-gaps
47
- * analyzer.
48
- * - `hygiene` — TODO / FIXME / HACK / console-log / any-type
49
- * occurrences (per-occurrence identity).
38
+ * - `secret` / `code` / `config` — security analyzer's
39
+ * `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
40
+ * private-key files, env-in-git).
41
+ * - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
42
+ * npm-audit, pip-audit, cargo-audit, etc.).
43
+ * - `duplication` — quality analyzer's `CloneGroup` (jscpd).
44
+ * - `coverage-gap` — coverage-gap report entries (file + symbol
45
+ * when available, fallback to file + line range).
46
+ * - `test-gap` — non-test source files flagged by the test-gaps
47
+ * analyzer.
48
+ * - `hygiene` — TODO / FIXME / HACK / console-log / any-type
49
+ * occurrences (per-occurrence identity).
50
50
  *
51
51
  * License attributions are NOT a baseline finding kind. They live in
52
52
  * the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
@@ -56,4 +56,8 @@
56
56
  * lifted out.
57
57
  */
58
58
  Object.defineProperty(exports, "__esModule", { value: true });
59
+ exports.CURRENT_IDENTITY_SCHEME = void 0;
60
+ /** The scheme `identityFor` mints new identities under by default, and the
61
+ * version stamped on freshly written baseline / allowlist files. */
62
+ exports.CURRENT_IDENTITY_SCHEME = 'v2';
59
63
  //# sourceMappingURL=types.js.map
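Review bot: The doc comment on `CURRENT_IDENTITY_SCHEME` covers only newly minted identities and freshly written baseline / allowlist files; it does not say how a file stamped with an earlier scheme is read. If such a file were compared against identities minted under `'v2'`, allowlist suppressions and baseline pairings would presumably stop matching, so the contract is worth stating at the constant. I would add a line such as `Files stamped with an older scheme are compared under their own stamped version, not this constant.`, assuming that is the intended behaviour, which this hunk does not show. Since this file is compiled output, the comment belongs in `src/baseline/types.ts`.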
@@ -1 +1 @@
1
- {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG"}
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;;AAsCH;qEACqE;AACxD,QAAA,uBAAuB,GAA0B,IAAI,CAAC"}
@@ -54,6 +54,23 @@ export declare function locationKey(file: string, line?: number): string;
54
54
  * repos where graphify covers only part of the tree.
55
55
  */
56
56
  export declare function buildFindingContextMap(cwd: string, locations: ReadonlyArray<FindingLocation>, opts?: BuildFindingContextOpts): DetailedGraphContext | undefined;
57
+ /**
58
+ * Build a `locationKey → enclosing-symbol` map for the content-anchored
59
+ * code identity (the scope pre-pass). Loads the graph once (Rule 12: graph
60
+ * access stays in `src/explore/`), resolves each location's enclosing
61
+ * symbol via the canonical `enclosingSymbolFor` query, and returns only
62
+ * the locations that resolved to a symbol. The security orchestration
63
+ * applies these onto its code findings' `scope` field before
64
+ * aggregation — the aggregator itself never touches the graph.
65
+ *
66
+ * Fail-open + additive, like `buildFindingContextMap`: a missing /
67
+ * corrupt / stale graph returns `undefined`, and locations with no
68
+ * resolvable symbol are simply absent from the map (caller leaves
69
+ * `scope` unset → the identity layer falls back to file-level). Dedupes
70
+ * identical locations so a file:line surfaced by several tools resolves
71
+ * once.
72
+ */
73
+ export declare function buildEnclosingScopeMap(cwd: string, locations: ReadonlyArray<FindingLocation>): Record<string, string> | undefined;
57
74
  /**
58
75
  * Compact one-cell rendering for a markdown table: `role · N caller
59
76
  * files`. Returns `—` when there's no context for the location (file
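Review bot: The doc comment for `buildEnclosingScopeMap` does not mention that locations without a numeric `line` are left out of the map. The implementation hunk in finding-context.js skips them with `if (typeof loc.line !== 'number') continue;`, while the sibling `locationKey(file, line?)` accepts a missing line. A caller reading only this declaration cannot tell a file-level finding from one whose symbol failed to resolve. I would add `* Locations with no numeric line are skipped and never appear in the map.` to the second paragraph of the comment.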
@@ -1 +1 @@
1
- {"version":3,"file":"finding-context.d.ts","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAuB,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AAGrE,wFAAwF;AACxF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,uBAAuB;IACtC,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,gDAAgD;AAChD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,aAAa,CAAC,eAAe,CAAC,EACzC,IAAI,GAAE,uBAA4B,GACjC,oBAAoB,GAAG,SAAS,CA4BlC;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,SAAS,GAAG,MAAM,CAY9E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,EAAE,EAAE,oBAAoB,GAAG,MAAM,CAI3E"}
1
+ {"version":3,"file":"finding-context.d.ts","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAA2C,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AAGzF,wFAAwF;AACxF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,uBAAuB;IACtC,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,gDAAgD;AAChD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,aAAa,CAAC,eAAe,CAAC,EACzC,IAAI,GAAE,uBAA4B,GACjC,oBAAoB,GAAG,SAAS,CA4BlC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,aAAa,CAAC,eAAe,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAYpC;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,SAAS,GAAG,MAAM,CAY9E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,EAAE,EAAE,oBAAoB,GAAG,MAAM,CAI3E"}
@@ -20,6 +20,7 @@
20
20
  Object.defineProperty(exports, "__esModule", { value: true });
21
21
  exports.locationKey = locationKey;
22
22
  exports.buildFindingContextMap = buildFindingContextMap;
23
+ exports.buildEnclosingScopeMap = buildEnclosingScopeMap;
23
24
  exports.formatGraphContextCell = formatGraphContextCell;
24
25
  exports.graphContextProvenanceLine = graphContextProvenanceLine;
25
26
  const load_1 = require("./load");
@@ -70,6 +71,39 @@ function buildFindingContextMap(cwd, locations, opts = {}) {
70
71
  contexts,
71
72
  };
72
73
  }
74
+ /**
75
+ * Build a `locationKey → enclosing-symbol` map for the content-anchored
76
+ * code identity (the scope pre-pass). Loads the graph once (Rule 12: graph
77
+ * access stays in `src/explore/`), resolves each location's enclosing
78
+ * symbol via the canonical `enclosingSymbolFor` query, and returns only
79
+ * the locations that resolved to a symbol. The security orchestration
80
+ * applies these onto its code findings' `scope` field before
81
+ * aggregation — the aggregator itself never touches the graph.
82
+ *
83
+ * Fail-open + additive, like `buildFindingContextMap`: a missing /
84
+ * corrupt / stale graph returns `undefined`, and locations with no
85
+ * resolvable symbol are simply absent from the map (caller leaves
86
+ * `scope` unset → the identity layer falls back to file-level). Dedupes
87
+ * identical locations so a file:line surfaced by several tools resolves
88
+ * once.
89
+ */
90
+ function buildEnclosingScopeMap(cwd, locations) {
91
+ const graph = (0, load_1.tryLoadGraph)(cwd);
92
+ if (!graph)
93
+ return undefined;
94
+ const scopes = {};
95
+ for (const loc of locations) {
96
+ if (typeof loc.line !== 'number')
97
+ continue;
98
+ const key = locationKey(loc.file, loc.line);
99
+ if (key in scopes)
100
+ continue;
101
+ const symbol = (0, queries_1.enclosingSymbolFor)(graph, loc.file, loc.line);
102
+ if (symbol)
103
+ scopes[key] = symbol;
104
+ }
105
+ return scopes;
106
+ }
73
107
  /**
74
108
  * Compact one-cell rendering for a markdown table: `role · N caller
75
109
  * files`. Returns `—` when there's no context for the location (file
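Review bot: The dedupe in `buildEnclosingScopeMap` only covers locations that resolved, so the doc comment's claim that a repeated file:line "resolves once" does not hold for the rest. `key in scopes` stays false for a location whose lookup returned nothing, and every duplicate of it calls `enclosingSymbolFor` again. Tracking visited keys separately fixes that: `const seen = new Set();` before the loop, and `if (seen.has(key)) continue; seen.add(key);` in place of the `in` check. Separately, `scopes` is a plain `{}` keyed by strings built from scanned file paths, so `const scopes = Object.create(null);` would keep a later caller lookup from returning an inherited `Object.prototype` member as a scope; whether any caller can pass such a key is not visible in this hunk.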
@@ -1 +1 @@
1
- {"version":3,"file":"finding-context.js","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;AAkCH,kCAEC;AAYD,wDAgCC;AAOD,wDAYC;AAOD,gEAIC;AA5GD,iCAAsC;AACtC,uCAAqE;AACrE,4CAA+C;AA6B/C,gDAAgD;AAChD,SAAgB,WAAW,CAAC,IAAY,EAAE,IAAa;IACrD,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7D,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,sBAAsB,CACpC,GAAW,EACX,SAAyC,EACzC,OAAgC,EAAE;IAElC,MAAM,KAAK,GAAG,IAAA,mBAAY,EAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,GAAG,CAAC;IACpC,MAAM,QAAQ,GAAmC,EAAE,CAAC;IACpD,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,IAAI,QAAQ,IAAI,GAAG;YAAE,MAAM;QAC3B,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,GAAG,IAAI,QAAQ;YAAE,SAAS;QAC9B,MAAM,GAAG,GAAG,IAAA,6BAAmB,EAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;YACzD,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC,CAAC;QACH,QAAQ,EAAE,CAAC;QACX,IAAI,CAAC,GAAG,CAAC,KAAK;YAAE,SAAS;QACzB,kEAAkE;QAClE,mEAAmE;QACnE,qEAAqE;QACrE,MAAM,GAAG,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC;QAC5D,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IACtF,CAAC;IAED,OAAO;QACL,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;QACnC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS;QAC/B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,GAA+B;IACpE,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK;QAAE,OAAO,GAAG,CAAC;IACnC,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,EAAE,IAAI,IAAI,aAAa,CAAC;IAClD,gEAAgE;IAChE,kEAAkE;IAClE,kEAAkE;IAClE,8DAA8D;IAC9D,IAAI,GAAG,CAAC,oBAAoB,KAAK,YAAY,EAAE,CAAC;QAC9C,OAAO,GAAG,IAAI,kCAAkC,CAAC;IACnD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,CAAC,WAAW,CAAC;IACtC,OAAO,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,SAAgB,0BAA0B,CAAC,EAAwB;IACjE,MAAM,IAAI,GAAG,EAAE,CA
AC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,uEAAuE,IAAI,GAAG,KAAK,wNAAwN,CAAC;AACrT,CAAC"}
1
+ {"version":3,"file":"finding-context.js","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;AAkCH,kCAEC;AAYD,wDAgCC;AAkBD,wDAeC;AAOD,wDAYC;AAOD,gEAIC;AA7ID,iCAAsC;AACtC,uCAAyF;AACzF,4CAA+C;AA6B/C,gDAAgD;AAChD,SAAgB,WAAW,CAAC,IAAY,EAAE,IAAa;IACrD,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7D,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,sBAAsB,CACpC,GAAW,EACX,SAAyC,EACzC,OAAgC,EAAE;IAElC,MAAM,KAAK,GAAG,IAAA,mBAAY,EAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,GAAG,CAAC;IACpC,MAAM,QAAQ,GAAmC,EAAE,CAAC;IACpD,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,IAAI,QAAQ,IAAI,GAAG;YAAE,MAAM;QAC3B,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,GAAG,IAAI,QAAQ;YAAE,SAAS;QAC9B,MAAM,GAAG,GAAG,IAAA,6BAAmB,EAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;YACzD,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC,CAAC;QACH,QAAQ,EAAE,CAAC;QACX,IAAI,CAAC,GAAG,CAAC,KAAK;YAAE,SAAS;QACzB,kEAAkE;QAClE,mEAAmE;QACnE,qEAAqE;QACrE,MAAM,GAAG,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC;QAC5D,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IACtF,CAAC;IAED,OAAO;QACL,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;QACnC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS;QAC/B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,sBAAsB,CACpC,GAAW,EACX,SAAyC;IAEzC,MAAM,KAAK,GAAG,IAAA,mBAAY,EAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;YAAE,SAAS;QAC3C,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,GAAG,IAAI,MAAM;YAAE,SAAS;QAC5B,MAAM,MAAM,GAAG,IAAA,4BAAkB,EAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7D,IAAI,MAAM;YAAE,MAAM,CAAC,GAAG,CAAC,GAAG,M
AAM,CAAC;IACnC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,GAA+B;IACpE,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK;QAAE,OAAO,GAAG,CAAC;IACnC,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,EAAE,IAAI,IAAI,aAAa,CAAC;IAClD,gEAAgE;IAChE,kEAAkE;IAClE,kEAAkE;IAClE,8DAA8D;IAC9D,IAAI,GAAG,CAAC,oBAAoB,KAAK,YAAY,EAAE,CAAC;QAC9C,OAAO,GAAG,IAAI,kCAAkC,CAAC;IACnD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,CAAC,WAAW,CAAC;IACtC,OAAO,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,SAAgB,0BAA0B,CAAC,EAAwB;IACjE,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,uEAAuE,IAAI,GAAG,KAAK,wNAAwN,CAAC;AACrT,CAAC"}