@vyuhlabs/dxkit 2.10.0 → 2.11.1
- package/CHANGELOG.md +122 -0
- package/dist/allowlist/cli.d.ts +23 -23
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +72 -34
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +7 -1
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +7 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analysis-result.d.ts +10 -0
- package/dist/analysis-result.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +1 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +69 -0
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +90 -90
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +140 -56
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +2 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +30 -4
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +29 -7
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +133 -20
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +194 -20
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +2 -2
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +7 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +28 -0
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +22 -12
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/salt.d.ts +68 -0
- package/dist/analyzers/tools/salt.d.ts.map +1 -0
- package/dist/{baseline → analyzers/tools}/salt.js +59 -18
- package/dist/analyzers/tools/salt.js.map +1 -0
- package/dist/analyzers/tools/semgrep.d.ts +7 -7
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +14 -7
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +4 -4
- package/dist/baseline/baseline-file.d.ts +9 -2
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +14 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +78 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +1 -1
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +3 -1
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts +20 -13
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +51 -20
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/migrate.d.ts +94 -0
- package/dist/baseline/migrate.d.ts.map +1 -0
- package/dist/baseline/migrate.js +238 -0
- package/dist/baseline/migrate.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +9 -9
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +16 -4
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +145 -95
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +30 -26
- package/dist/baseline/types.js.map +1 -1
- package/dist/explore/context-hook-format.d.ts +55 -0
- package/dist/explore/context-hook-format.d.ts.map +1 -0
- package/dist/explore/context-hook-format.js +153 -0
- package/dist/explore/context-hook-format.js.map +1 -0
- package/dist/explore/context-hook.d.ts +8 -18
- package/dist/explore/context-hook.d.ts.map +1 -1
- package/dist/explore/context-hook.js +24 -87
- package/dist/explore/context-hook.js.map +1 -1
- package/dist/explore/finding-context.d.ts +17 -0
- package/dist/explore/finding-context.d.ts.map +1 -1
- package/dist/explore/finding-context.js +34 -0
- package/dist/explore/finding-context.js.map +1 -1
- package/dist/explore/queries.d.ts +32 -15
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +36 -6
- package/dist/explore/queries.js.map +1 -1
- package/dist/ingest/normalize.d.ts +1 -1
- package/dist/ingest/normalize.d.ts.map +1 -1
- package/dist/ingest/normalize.js +5 -1
- package/dist/ingest/normalize.js.map +1 -1
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +16 -7
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/types.d.ts +23 -12
- package/dist/ingest/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +64 -53
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.js +4 -4
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +49 -0
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +2 -1
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -3
- package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
- package/dist/baseline/salt.d.ts +0 -45
- package/dist/baseline/salt.d.ts.map +0 -1
- package/dist/baseline/salt.js.map +0 -1
package/dist/baseline/types.d.ts
CHANGED
|
@@ -9,20 +9,20 @@
|
|
|
9
9
|
* identity." Each finding has up to several fingerprint axes,
|
|
10
10
|
* differentiated by what they capture:
|
|
11
11
|
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
*
|
|
24
|
-
*
|
|
25
|
-
*
|
|
12
|
+
* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
|
|
13
|
+
* for code/secret/config/hygiene findings. Locates a finding
|
|
14
|
+
* in the source tree with ±2 line drift tolerance via bucket
|
|
15
|
+
* windowing. Stable across small reformat / whitespace edits;
|
|
16
|
+
* drifts on bigger shifts (closed by git-aware match).
|
|
17
|
+
* - **Domain fingerprint** — `(package, version, advisoryId)` for
|
|
18
|
+
* dep-vulns; `(package, version, licenseType)` for licenses;
|
|
19
|
+
* normalized block hash for jscpd. Captures *what the finding
|
|
20
|
+
* is about* independent of source position. Drift-immune.
|
|
21
|
+
* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
|
|
22
|
+
* when a symbol is known. Survives any vertical drift within
|
|
23
|
+
* the symbol body.
|
|
24
|
+
* - **Content fingerprint** — Sprint 0.x. Normalized snippet
|
|
25
|
+
* hash; fallback when git history is unreachable.
|
|
26
26
|
*
|
|
27
27
|
* The hash format is identical across axes — 16-char lowercase hex
|
|
28
28
|
* (SHA-1[0:16]). Callers don't need to know which axis a hash came
|
|
@@ -34,18 +34,18 @@
|
|
|
34
34
|
* findings. Each `IdentityInput` discriminant maps 1:1 to an existing
|
|
35
35
|
* gather pipeline:
|
|
36
36
|
*
|
|
37
|
-
*
|
|
38
|
-
*
|
|
39
|
-
*
|
|
40
|
-
*
|
|
41
|
-
*
|
|
42
|
-
*
|
|
43
|
-
*
|
|
44
|
-
*
|
|
45
|
-
*
|
|
46
|
-
*
|
|
47
|
-
*
|
|
48
|
-
*
|
|
37
|
+
* - `secret` / `code` / `config` — security analyzer's
|
|
38
|
+
* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
|
|
39
|
+
* private-key files, env-in-git).
|
|
40
|
+
* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
|
|
41
|
+
* npm-audit, pip-audit, cargo-audit, etc.).
|
|
42
|
+
* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
|
|
43
|
+
* - `coverage-gap` — coverage-gap report entries (file + symbol
|
|
44
|
+
* when available, fallback to file + line range).
|
|
45
|
+
* - `test-gap` — non-test source files flagged by the test-gaps
|
|
46
|
+
* analyzer.
|
|
47
|
+
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
48
|
+
* occurrences (per-occurrence identity).
|
|
49
49
|
*
|
|
50
50
|
* License attributions are NOT a baseline finding kind. They live in
|
|
51
51
|
* the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
|
|
@@ -67,38 +67,76 @@
|
|
|
67
67
|
*/
|
|
68
68
|
export type FindingId = string;
|
|
69
69
|
/**
|
|
70
|
-
* Identity-scheme version.
|
|
71
|
-
*
|
|
72
|
-
*
|
|
70
|
+
* Identity-scheme version. Bumped whenever the hashing inputs change in a
|
|
71
|
+
* way that would invalidate stored baselines / allowlists.
|
|
72
|
+
*
|
|
73
|
+
* - `v1` — the pre-2.11 scheme: code/secret/config hashed
|
|
74
|
+
* `(canonicalRule, file, lineWindow)`; dep-vuln hashed
|
|
75
|
+
* `(package, installedVersion, id)`.
|
|
76
|
+
* - `v2` (current) — content-anchored: code = `(scope, spanHash,
|
|
77
|
+
* ordinal)`, secret = salted HMAC, config = `(rule, file)`, all with
|
|
78
|
+
* a line-window fallback; dep-vuln = `(package, canonicalAdvisoryId)`.
|
|
79
|
+
*
|
|
80
|
+
* `identityFor` can compute EITHER scheme (every shipped scheme's id
|
|
81
|
+
* function is retained — see `computeFingerprintV1`), which is what lets
|
|
82
|
+
* the identity migrator build an `old → new` remap and carry allowlist
|
|
83
|
+
* entries across an upgrade. The version is stamped on the baseline +
|
|
84
|
+
* allowlist files so a later dxkit can detect the gap and migrate.
|
|
85
|
+
*
|
|
86
|
+
* Adding a future `v3`: extend this union, add its branch in
|
|
87
|
+
* `identityFor`, retain the prior scheme's id function, and the migrator
|
|
88
|
+
* + `update` handle the rest with no further wiring.
|
|
73
89
|
*/
|
|
74
|
-
export type IdentitySchemeVersion = 'v1';
|
|
90
|
+
export type IdentitySchemeVersion = 'v1' | 'v2';
|
|
91
|
+
/** The scheme `identityFor` mints new identities under by default, and the
|
|
92
|
+
* version stamped on freshly written baseline / allowlist files. */
|
|
93
|
+
export declare const CURRENT_IDENTITY_SCHEME: IdentitySchemeVersion;
|
|
75
94
|
/**
|
|
76
95
|
* Discriminated union of every finding kind that participates in
|
|
77
96
|
* identity. Producers wrap their per-tool finding shape into one of
|
|
78
97
|
* these before calling `identityFor`.
|
|
79
98
|
*
|
|
80
99
|
* Adding a new finding kind to the dispatch is a three-line change:
|
|
81
|
-
*
|
|
82
|
-
*
|
|
83
|
-
*
|
|
100
|
+
* 1. Add the per-kind interface below.
|
|
101
|
+
* 2. Append the interface name to this union.
|
|
102
|
+
* 3. Add the corresponding case branch in `identityFor`.
|
|
84
103
|
*
|
|
85
104
|
* The hash format is SHA-1[0:16] across every kind — callers store
|
|
86
105
|
* identities in one flat set without tracking provenance.
|
|
87
106
|
*/
|
|
88
107
|
export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput | StaleAllowIdentityInput;
|
|
108
|
+
/**
|
|
109
|
+
* Content anchor for the secret/code/config identity schemes.
|
|
110
|
+
* Derived from WHAT a finding is, not WHERE it sits, so identity
|
|
111
|
+
* survives the finding moving lines:
|
|
112
|
+
* - secret → salted HMAC of the value (`computeSecretHmac`).
|
|
113
|
+
* - code → `codeContentAnchor(scope, span, ordinal)` — enclosing
|
|
114
|
+
* symbol + normalized-span hash + in-scope ordinal.
|
|
115
|
+
* - config → `''` (identity is just `(canonicalRule, file)`; a config
|
|
116
|
+
* finding is inherently line-independent).
|
|
117
|
+
*
|
|
118
|
+
* Optional: when absent, `identityFor` falls back to the legacy
|
|
119
|
+
* line-window hash; when present, the dispatch prefers this anchor and
|
|
120
|
+
* `line` becomes display metadata only.
|
|
121
|
+
*/
|
|
122
|
+
export type ContentAnchor = string;
|
|
89
123
|
/** gitleaks + private-key files + similar secret detectors. */
|
|
90
124
|
export interface SecretIdentityInput {
|
|
91
125
|
readonly kind: 'secret';
|
|
92
126
|
/** Producer tool name as reported by the analyzer (e.g. 'gitleaks'). */
|
|
93
127
|
readonly tool: string;
|
|
94
128
|
/** Producer-specific rule id. The canonical-rule map collapses
|
|
95
|
-
*
|
|
129
|
+
* cross-tool overlaps where they exist. */
|
|
96
130
|
readonly rule: string;
|
|
97
131
|
/** Project-relative file path. */
|
|
98
132
|
readonly file: string;
|
|
99
133
|
/** 1-based line number. Bucketed to absorb small drift between
|
|
100
|
-
*
|
|
134
|
+
* tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. Display metadata
|
|
135
|
+
* once `contentAnchor` is present. */
|
|
101
136
|
readonly line: number;
|
|
137
|
+
/** Salted HMAC of the secret value (Content anchor). Present when
|
|
138
|
+
* the gather could derive a salt; absent → line-based fallback. */
|
|
139
|
+
readonly contentAnchor?: ContentAnchor;
|
|
102
140
|
}
|
|
103
141
|
/** semgrep + TLS-bypass registry + per-language code-pattern providers. */
|
|
104
142
|
export interface CodeIdentityInput {
|
|
@@ -107,6 +145,9 @@ export interface CodeIdentityInput {
|
|
|
107
145
|
readonly rule: string;
|
|
108
146
|
readonly file: string;
|
|
109
147
|
readonly line: number;
|
|
148
|
+
/** `codeContentAnchor(scope, span, ordinal)`. Present when the
|
|
149
|
+
* aggregator could resolve a span/scope; absent → line-based fallback. */
|
|
150
|
+
readonly contentAnchor?: ContentAnchor;
|
|
110
151
|
}
|
|
111
152
|
/** Configuration-class findings (e.g. .env tracked in git). */
|
|
112
153
|
export interface ConfigIdentityInput {
|
|
@@ -116,6 +157,9 @@ export interface ConfigIdentityInput {
|
|
|
116
157
|
readonly file: string;
|
|
117
158
|
/** Line 0 acceptable for whole-file findings. */
|
|
118
159
|
readonly line: number;
|
|
160
|
+
/** `''` for config (identity is `(canonicalRule, file)`). Carried for
|
|
161
|
+
* uniformity with the other code-side inputs. */
|
|
162
|
+
readonly contentAnchor?: ContentAnchor;
|
|
119
163
|
}
|
|
120
164
|
/** Dependency-advisory findings (osv-scanner / npm-audit / pip-audit / ...). */
|
|
121
165
|
export interface DepVulnIdentityInput {
|
|
@@ -123,28 +167,34 @@ export interface DepVulnIdentityInput {
|
|
|
123
167
|
/** Package name as reported by the producer. */
|
|
124
168
|
readonly package: string;
|
|
125
169
|
/** Installed version string, when known. Absent for findings produced
|
|
126
|
-
*
|
|
170
|
+
* without an accessible lockfile. Display metadata only — NOT part of
|
|
171
|
+
* the fingerprint (it's environment-dependent; see
|
|
172
|
+
* `computeFingerprint`). */
|
|
127
173
|
readonly installedVersion: string | undefined;
|
|
128
174
|
/** Advisory id (GHSA / CVE / RUSTSEC / etc.). Producer-canonical. */
|
|
129
175
|
readonly id: string;
|
|
176
|
+
/** Cross-namespace aliases (CVE / GHSA / OSV / SNYK …) the producer
|
|
177
|
+
* surfaced. Used to canonicalize identity so the same advisory found
|
|
178
|
+
* by different scanners shares one fingerprint. */
|
|
179
|
+
readonly aliases?: readonly string[];
|
|
130
180
|
}
|
|
131
181
|
/** jscpd-style duplicate-block findings. */
|
|
132
182
|
export interface DuplicationIdentityInput {
|
|
133
183
|
readonly kind: 'duplication';
|
|
134
184
|
/** Files on each side of the duplicate pair. Order is normalized
|
|
135
|
-
*
|
|
185
|
+
* inside `identityFor` so swapped sides hash identically. */
|
|
136
186
|
readonly fileA: string;
|
|
137
187
|
readonly fileB: string;
|
|
138
188
|
/** Line count of the duplicated block. `lines` is preferred over
|
|
139
|
-
*
|
|
140
|
-
*
|
|
141
|
-
*
|
|
142
|
-
*
|
|
189
|
+
* the `tokens` field jscpd also reports because jscpd's JSON
|
|
190
|
+
* reporter does not populate `tokens` in practice — it's always
|
|
191
|
+
* 0, which would degenerate the identity tuple and silently lose
|
|
192
|
+
* the "block-size changes → identity changes" property. */
|
|
143
193
|
readonly lines: number;
|
|
144
194
|
/** Start line of the block on side A. Combined with `startLineB`
|
|
145
|
-
*
|
|
146
|
-
*
|
|
147
|
-
*
|
|
195
|
+
* this distinguishes intra-file clones at different positions
|
|
196
|
+
* (same `fileA === fileB`, different line ranges) which would
|
|
197
|
+
* otherwise collapse to one identity. */
|
|
148
198
|
readonly startLineA: number;
|
|
149
199
|
/** Start line of the block on side B. */
|
|
150
200
|
readonly startLineB: number;
|
|
@@ -159,11 +209,11 @@ export interface CoverageGapIdentityInput {
|
|
|
159
209
|
readonly kind: 'coverage-gap';
|
|
160
210
|
readonly file: string;
|
|
161
211
|
/** Function / method / class symbol. Present when the gap is
|
|
162
|
-
*
|
|
163
|
-
*
|
|
212
|
+
* attributable to a named symbol; absent for line-range-only
|
|
213
|
+
* attribution. */
|
|
164
214
|
readonly symbol?: string;
|
|
165
215
|
/** Inclusive `[startLine, endLine]`. Required when `symbol` is
|
|
166
|
-
*
|
|
216
|
+
* absent. */
|
|
167
217
|
readonly lineRange?: readonly [number, number];
|
|
168
218
|
}
|
|
169
219
|
/**
|
|
@@ -233,9 +283,9 @@ export interface StaleFileIdentityInput {
|
|
|
233
283
|
readonly kind: 'stale-file';
|
|
234
284
|
readonly file: string;
|
|
235
285
|
/** Lower-case suffix without the leading dot (`'swp'`, `'bak'`,
|
|
236
|
-
*
|
|
237
|
-
*
|
|
238
|
-
*
|
|
286
|
+
* `'orig'`, `'tmp'`). The producer derives this from the file
|
|
287
|
+
* extension; storing it in identity makes the reason for the
|
|
288
|
+
* flag inspectable from the baseline alone. */
|
|
239
289
|
readonly suffix: string;
|
|
240
290
|
}
|
|
241
291
|
/**
|
|
@@ -277,8 +327,8 @@ export interface SecretHmacIdentityInput {
|
|
|
277
327
|
/** Producer tool name (e.g. 'gitleaks'). */
|
|
278
328
|
readonly tool: string;
|
|
279
329
|
/** Producer-specific rule id. The canonical-rule map applies here
|
|
280
|
-
*
|
|
281
|
-
*
|
|
330
|
+
* too: two tools detecting the same secret class collapse to one
|
|
331
|
+
* canonical rule. */
|
|
282
332
|
readonly rule: string;
|
|
283
333
|
/** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
|
|
284
334
|
readonly hmac: string;
|
|
@@ -304,9 +354,9 @@ export interface StaleAllowIdentityInput {
|
|
|
304
354
|
readonly file: string;
|
|
305
355
|
readonly line: number;
|
|
306
356
|
/** The category named in the orphaned annotation. Free-form
|
|
307
|
-
*
|
|
308
|
-
*
|
|
309
|
-
*
|
|
357
|
+
* string at identity-input level (the canonical
|
|
358
|
+
* `AllowlistCategory` union lives in `src/allowlist/categories.ts`
|
|
359
|
+
* to avoid a cross-module import here in the baseline types). */
|
|
310
360
|
readonly category: string;
|
|
311
361
|
}
|
|
312
362
|
/**
|
|
@@ -324,18 +374,18 @@ export type BaselineEntry = {
|
|
|
324
374
|
file: string;
|
|
325
375
|
line: number;
|
|
326
376
|
/** 16-char hex hash of normalized context around `line` at
|
|
327
|
-
*
|
|
328
|
-
*
|
|
329
|
-
*
|
|
330
|
-
*
|
|
331
|
-
*
|
|
377
|
+
* baseline-create time. Stamped via `computeContentHashFromCommit`;
|
|
378
|
+
* the matcher's third pass uses it as a fallback when git-aware
|
|
379
|
+
* location matching fails (shallow clones, force-pushed base,
|
|
380
|
+
* context survives but line shifts past the fuzz window). Absent
|
|
381
|
+
* when the producer couldn't read the file. */
|
|
332
382
|
contentHash?: string;
|
|
333
383
|
/** Fingerprints of cross-tool / neighbor-bucket / CWE-bridge
|
|
334
|
-
*
|
|
335
|
-
*
|
|
336
|
-
*
|
|
337
|
-
*
|
|
338
|
-
*
|
|
384
|
+
* findings that the aggregator collapsed into this one. Carried
|
|
385
|
+
* so an allowlist entry keyed on a contributing fingerprint still
|
|
386
|
+
* suppresses the merged finding — robust matching against dedup
|
|
387
|
+
* nondeterminism between runs. Present only when such a merge
|
|
388
|
+
* fired. */
|
|
339
389
|
absorbedFingerprints?: readonly string[];
|
|
340
390
|
} | {
|
|
341
391
|
id: FindingId;
|
|
@@ -369,8 +419,8 @@ export type BaselineEntry = {
|
|
|
369
419
|
line: number;
|
|
370
420
|
marker: HygieneMarker;
|
|
371
421
|
/** Same content-hash semantics as the secret/code/config variant
|
|
372
|
-
*
|
|
373
|
-
*
|
|
422
|
+
* — populated when the producer can read the file at the
|
|
423
|
+
* baseline commit. */
|
|
374
424
|
contentHash?: string;
|
|
375
425
|
} | {
|
|
376
426
|
id: FindingId;
|
|
@@ -444,17 +494,17 @@ export interface SanitizedBaselineEntry {
|
|
|
444
494
|
* the prose and use the codes for filtering / policy decisions.
|
|
445
495
|
*
|
|
446
496
|
* `priorId` and `currentId` are both optional because:
|
|
447
|
-
*
|
|
448
|
-
*
|
|
449
|
-
*
|
|
450
|
-
*
|
|
451
|
-
*
|
|
452
|
-
*
|
|
497
|
+
* - `added` → only `currentId` is present.
|
|
498
|
+
* - `removed` → only `priorId` is present.
|
|
499
|
+
* - `persisted` / `relocated` → both, and they may differ when a
|
|
500
|
+
* location fingerprint shifted across the line-window boundary
|
|
501
|
+
* (each "side" has its own hash even though they describe the
|
|
502
|
+
* same finding).
|
|
453
503
|
*/
|
|
454
504
|
export type MatchStatus = 'persisted' | 'relocated' | 'added' | 'removed';
|
|
455
505
|
export interface MatchReason {
|
|
456
506
|
/** Short code: 'exact-id', 'git-line-exact', 'git-line-fuzz',
|
|
457
|
-
*
|
|
507
|
+
* 'git-rename', 'multiset-occurrence'. */
|
|
458
508
|
readonly code: string;
|
|
459
509
|
/** Human-readable explanation suitable for end-user rendering. */
|
|
460
510
|
readonly detail: string;
|
|
@@ -464,7 +514,7 @@ export interface MatchPair {
|
|
|
464
514
|
readonly currentId?: FindingId;
|
|
465
515
|
readonly status: MatchStatus;
|
|
466
516
|
/** Confidence in [0, 1]. 1.0 = exact identity; <1.0 = paired via
|
|
467
|
-
*
|
|
517
|
+
* a fallback layer (git relocation, line-fuzz, rename). */
|
|
468
518
|
readonly confidence: number;
|
|
469
519
|
readonly reasons: ReadonlyArray<MatchReason>;
|
|
470
520
|
}
|
|
@@ -479,26 +529,26 @@ export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low';
|
|
|
479
529
|
* check can emit. Wider than `MatchStatus` because policy adds context
|
|
480
530
|
* the matcher doesn't have:
|
|
481
531
|
*
|
|
482
|
-
*
|
|
483
|
-
*
|
|
484
|
-
*
|
|
485
|
-
*
|
|
486
|
-
*
|
|
487
|
-
*
|
|
488
|
-
*
|
|
489
|
-
*
|
|
490
|
-
*
|
|
491
|
-
*
|
|
492
|
-
*
|
|
493
|
-
*
|
|
494
|
-
*
|
|
495
|
-
*
|
|
496
|
-
*
|
|
497
|
-
*
|
|
498
|
-
*
|
|
499
|
-
*
|
|
500
|
-
*
|
|
501
|
-
*
|
|
532
|
+
* - `persisted` / `relocated` / `added` / `removed` — direct
|
|
533
|
+
* pass-through of the matcher's pair status.
|
|
534
|
+
* - `fixed` — a `removed` finding that the policy treats as a
|
|
535
|
+
* positive event (resolution rather than disappearance). Today
|
|
536
|
+
* this is informational only; Phase 3 distinguishes the two when
|
|
537
|
+
* `--detailed` flags it.
|
|
538
|
+
* - `newly_detected` — current-only finding that surfaced because
|
|
539
|
+
* the scanner / ruleset / advisory DB / policy config changed,
|
|
540
|
+
* not because a developer introduced new code. Parent category;
|
|
541
|
+
* `tooling_drift` and `config_drift` are the specific subtypes.
|
|
542
|
+
* - `tooling_drift` — scanner or advisory-db version differs
|
|
543
|
+
* between baseline and current. Reclassified `added` is suspect.
|
|
544
|
+
* - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
|
|
545
|
+
* differs between runs.
|
|
546
|
+
* - `probable_existing` — current-only with weak evidence it's
|
|
547
|
+
* truly new (a prior near-match exists but didn't pair cleanly).
|
|
548
|
+
* Reserved for the content-hash / semantic fallback layer in
|
|
549
|
+
* Sprint 0.x.
|
|
550
|
+
* - `uncertain` — confidence below the per-severity threshold;
|
|
551
|
+
* the policy can't classify with conviction.
|
|
502
552
|
*
|
|
503
553
|
* The enum is the contract Phase 3's guardrail CLI reads. Today's
|
|
504
554
|
* classifier emits a subset — the remaining states are reserved for
|
|
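Review bot: The `ContentAnchor` contract leaves the config case ambiguous: the alias doc says config findings carry `''` as their anchor, while the same comment says `identityFor` falls back to the line-window hash "when absent" and prefers the anchor "when present", so whether an empty string counts as present is never stated (a truthiness check would silently route config findings back to the line-based scheme, contradicting "inherently line-independent"); I'd add `* Presence is tested with a strict undefined check; the empty string is a valid anchor.` to the `ContentAnchor` doc, or the opposite if that is what `identityFor` implements, since the implementation is not visible here. For `SecretIdentityInput.contentAnchor`, the comment should also state where the salt passed to `computeSecretHmac` is stored and who can read it, because a baseline or allowlist then carries a 16-hex-char keyed digest of each secret value, and if the salt is readable by anyone who can read those files the digest protects the value no better than a plain truncated hash. A minor style point: `CURRENT_IDENTITY_SCHEME` is declared as the whole `IdentitySchemeVersion` union, so `typeof CURRENT_IDENTITY_SCHEME` cannot narrow; assuming the source initialises it to the `'v2'` literal, `export declare const CURRENT_IDENTITY_SCHEME: 'v2';` keeps the union for stored stamps while letting callers pin the current scheme statically.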
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG,IAAI,CAAC;AAEhD;qEACqE;AACrE,eAAO,MAAM,uBAAuB,EAAE,qBAA4B,CAAC;AAEnE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC;AAEnC,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0CAEsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;uEACmE;IACnE,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;8EAC0E;IAC1E,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;qDACiD;IACjD,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;gCAG4B;IAC5B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB;;uDAEmD;IACnD,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;iEAC6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAA
C;IACvB;;;;+DAI2D;IAC3D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;6CAGyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;sBAEkB;IAClB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;iBACa;IACb,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;mDAG+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;yBAEqB;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;qEAGiE;IACjE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE
,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;mDAK+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;gBAKY;IACZ,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;0BAEsB;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACpF,sBAAsB,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,IAAI,EACT,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,UAAU,GACV,a
AAa,GACb,cAAc,GACd,UAAU,GACV,SAAS,GACT,uBAAuB,GACvB,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,aAAa,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;8CAC0C;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;+DAC2D;IAC3D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
|
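--- a/package/dist/baseline/types.js
+++ b/package/dist/baseline/types.js
@@ -10,20 +10,20 @@
 * identity." Each finding has up to several fingerprint axes,
 * differentiated by what they capture:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
+* for code/secret/config/hygiene findings. Locates a finding
+* in the source tree with ±2 line drift tolerance via bucket
+* windowing. Stable across small reformat / whitespace edits;
+* drifts on bigger shifts (closed by git-aware match).
+* - **Domain fingerprint** — `(package, version, advisoryId)` for
+* dep-vulns; `(package, version, licenseType)` for licenses;
+* normalized block hash for jscpd. Captures *what the finding
+* is about* independent of source position. Drift-immune.
+* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
+* when a symbol is known. Survives any vertical drift within
+* the symbol body.
+* - **Content fingerprint** — Sprint 0.x. Normalized snippet
+* hash; fallback when git history is unreachable.
 *
 * The hash format is identical across axes — 16-char lowercase hex
 * (SHA-1[0:16]). Callers don't need to know which axis a hash came
@@ -35,18 +35,18 @@
 * findings. Each `IdentityInput` discriminant maps 1:1 to an existing
 * gather pipeline:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - `secret` / `code` / `config` — security analyzer's
+* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
+* private-key files, env-in-git).
+* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
+* npm-audit, pip-audit, cargo-audit, etc.).
+* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
+* - `coverage-gap` — coverage-gap report entries (file + symbol
+* when available, fallback to file + line range).
+* - `test-gap` — non-test source files flagged by the test-gaps
+* analyzer.
+* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
+* occurrences (per-occurrence identity).
 *
 * License attributions are NOT a baseline finding kind. They live in
 * the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
@@ -56,4 +56,8 @@
 * lifted out.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.CURRENT_IDENTITY_SCHEME = void 0;
+/** The scheme `identityFor` mints new identities under by default, and the
+* version stamped on freshly written baseline / allowlist files. */
+exports.CURRENT_IDENTITY_SCHEME = 'v2';
 //# sourceMappingURL=types.js.map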
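Review bot: The new doc-comment on `CURRENT_IDENTITY_SCHEME` says which scheme freshly written baseline/allowlist files are stamped with, but not what a reader does with a file stamped with an older scheme or carrying no scheme at all — and because allowlist entries suppress security findings, a silent mismatch would either resurface every finding as new or, worse, keep stale suppressions matching. I would state the contract on the constant, e.g. `* Files stamped with an older scheme are not re-keyed here; readers must treat their fingerprints as foreign (re-baseline or migrate) rather than compare them against v2 identities.` — adjusted to whatever the loader actually does, which is outside this hunk. The header comment above also states identities are `SHA-1[0:16]`, a 64-bit truncation; a one-line note that two distinct findings colliding on that prefix share a single suppression entry would make clear it is an identity key, not a tamper-evident digest.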
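--- a/package/dist/baseline/types.js.map
+++ b/package/dist/baseline/types.js.map
@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;;AAsCH;qEACqE;AACxD,QAAA,uBAAuB,GAA0B,IAAI,CAAC"}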
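--- /dev/null
+++ b/package/dist/explore/context-hook-format.d.ts
@@ -0,0 +1,55 @@
+/**
+* Presentation layer for `vyuh-dxkit context-hook` — the compact
+* `additionalContext` bodies the hook injects. Split out of
+* `context-hook.ts` (which owns the stdin/route/dedup orchestration) so
+* each file stays a cohesive unit under the large-file bar: this module is
+* pure string-building over already-queried graph data, trivially unit-
+* testable without touching stdin or the filesystem.
+*
+* Three shapes, one per hook target:
+* - `formatFileContext` — a FILE the agent opened (whole-file read): its
+* symbols + who depends on it + what it calls into.
+* - `formatFileLineContext` — a FILE at a LINE (Read's `offset`): the
+* location's enclosing symbol + its direct callers/callees, plus the
+* file's cross-file role. Useful even for symbol-less regions.
+* - `formatHookContext` — a search PATTERN (Bash/Grep/Glob): the anchor
+* symbol, blast radius, and the top neighborhood symbols.
+*
+* Each returns '' when there's nothing worth the token cost, which the
+* hook treats as "don't fire" (the additive/fail-open contract).
+*/
+import type { ContextResult, FileLineContext, FileSummary } from './queries';
+import type { Graph } from './types';
+/**
+* Compact `additionalContext` body for a FILE target: the file's
+* symbols, who depends on it (caller files), and what it reaches into
+* (callee files). Terser than the CLI's markdown — the hook pays this on
+* every read. Leads with provenance + a best-effort caveat so the agent
+* calibrates trust.
+*/
+export declare function formatFileContext(summary: FileSummary, graph: Graph): string;
+/**
+* Compact `additionalContext` for a FILE target with a LINE (Read's
+* `offset`). Frames the location's structural neighborhood: the enclosing
+* symbol + its direct callers/callees, plus the file's cross-file role
+* (who imports it, what it reaches into) and module group.
+*
+* It deliberately injects NO source text — the Read the agent just issued
+* already returns the lines; the hook's value is the structure the Read
+* does NOT show (who reaches this symbol, blast radius, what it calls).
+* That's also why this works for symbol-less regions (top-level config,
+* an entrypoint's middleware block): even with no enclosing symbol, the
+* file's role orients the agent — exactly the case a file-level symbol map
+* left empty. Returns '' (→ silent no-op) when there's no enclosing symbol
+* AND no cross-file edges to report.
+*/
+export declare function formatFileLineContext(ctx: FileLineContext, summary: FileSummary, graph: Graph, file: string, line: number): string;
+/**
+* Compact `additionalContext` body for a PATTERN target. Terser than the
+* CLI's markdown (the hook pays this cost on every grep): an anchor line,
+* blast radius, and the top symbols grouped by their leading community.
+* Leads with a one-line provenance + best-effort caveat so the agent
+* calibrates trust.
+*/
+export declare function formatHookContext(result: ContextResult, graph: Graph): string;
+//# sourceMappingURL=context-hook-format.d.ts.map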
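Review bot: The doc-comments promise a "provenance + best-effort caveat" but say nothing about the rest of the returned string — file paths, symbol names, community labels — all of which come from the analysed repository, which the agent may be running against an untrusted checkout; an identifier or path crafted to read like an instruction lands verbatim in `additionalContext`. Since this `.d.ts` is emitted from the source docs, I would add to the module header something like `* Bodies are assembled from repository-derived names; they are data the hook relays, not instructions — expect adversarial identifiers in untrusted checkouts.` and state the size bound (if any) each formatter applies, since the comments note the cost is paid "on every read" but not how large a body can grow. The implementations live in `context-hook-format.js`, not in this hunk, so whether any escaping or truncation already happens there cannot be confirmed from here.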
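--- /dev/null
+++ b/package/dist/explore/context-hook-format.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"context-hook-format.d.ts","sourceRoot":"","sources":["../../src/explore/context-hook-format.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAC7E,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,GAAG,MAAM,CAuD5E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,eAAe,EACpB,OAAO,EAAE,WAAW,EACpB,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,MAAM,CA8CR;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,GAAG,MAAM,CAiC7E"}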