@vyuhlabs/dxkit 2.13.2 → 2.14.0
- package/CHANGELOG.md +90 -0
- package/README.md +14 -5
- package/dist/analyzers/cache.d.ts +9 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +27 -15
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/health.d.ts +19 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +72 -26
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +9 -0
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tests/types.js +34 -0
- package/dist/analyzers/tests/types.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +2 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +38 -24
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +15 -1
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +49 -3
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/baseline/changed-files.d.ts +12 -0
- package/dist/baseline/changed-files.d.ts.map +1 -0
- package/dist/baseline/changed-files.js +100 -0
- package/dist/baseline/changed-files.js.map +1 -0
- package/dist/baseline/check.d.ts +23 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +24 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +10 -0
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +19 -15
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/gather-scope.d.ts +116 -0
- package/dist/baseline/gather-scope.d.ts.map +1 -0
- package/dist/baseline/gather-scope.js +105 -0
- package/dist/baseline/gather-scope.js.map +1 -0
- package/dist/baseline/ref-baseline.d.ts +14 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -1
- package/dist/baseline/ref-baseline.js +97 -2
- package/dist/baseline/ref-baseline.js.map +1 -1
- package/dist/baseline/scoped-inputs.d.ts +21 -0
- package/dist/baseline/scoped-inputs.d.ts.map +1 -0
- package/dist/baseline/scoped-inputs.js +53 -0
- package/dist/baseline/scoped-inputs.js.map +1 -0
- package/dist/loop/doctor.d.ts.map +1 -1
- package/dist/loop/doctor.js +16 -0
- package/dist/loop/doctor.js.map +1 -1
- package/dist/loop/gate-cache.d.ts +42 -0
- package/dist/loop/gate-cache.d.ts.map +1 -0
- package/dist/loop/gate-cache.js +167 -0
- package/dist/loop/gate-cache.js.map +1 -0
- package/dist/loop/ledger.d.ts +7 -0
- package/dist/loop/ledger.d.ts.map +1 -1
- package/dist/loop/ledger.js.map +1 -1
- package/dist/loop/scaffold.d.ts +9 -0
- package/dist/loop/scaffold.d.ts.map +1 -1
- package/dist/loop/scaffold.js +23 -6
- package/dist/loop/scaffold.js.map +1 -1
- package/dist/loop/stop-gate.d.ts +10 -0
- package/dist/loop/stop-gate.d.ts.map +1 -1
- package/dist/loop/stop-gate.js +74 -1
- package/dist/loop/stop-gate.js.map +1 -1
- package/package.json +1 -1
- package/templates/.github/workflows/dxkit-guardrails.yml +12 -1
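--- a/package/dist/baseline/create.js
+++ b/package/dist/baseline/create.js
@@ -63,9 +63,8 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const health_1 = require("../analyzers/health");
 const cache_1 = require("../analyzers/cache");
-const
-const
-const gitleaks_1 = require("../analyzers/tools/gitleaks");
+const gather_scope_1 = require("./gather-scope");
+const scoped_inputs_1 = require("./scoped-inputs");
 const tool_registry_1 = require("../analyzers/tools/tool-registry");
 const detect_1 = require("../detect");
 const coverage_1 = require("./coverage");
@@ -77,7 +76,6 @@ const producers_1 = require("./producers");
 const salt_1 = require("../analyzers/tools/salt");
 const sanitize_1 = require("./sanitize");
 const types_1 = require("./types");
-const gather_2 = require("../allowlist/gather");
 /** Hash used for baseline-envelope metadata fields (policy, ignore,
 * toolchain, config). Distinct concern from finding-identity
 * fingerprints — these never enter the matcher's identity space. */
@@ -251,9 +249,19 @@ function clearToolVersionCache() {
 */
 async function gatherCurrentScan(options) {
 const cwd = path.resolve(options.cwd);
+const scope = options.scope ?? gather_scope_1.FULL_SCOPE;
+// A scoped OR incrementally-scanned result is partial — it must never
+// enter the shared cache where a later full `health` read would consume
+// an incomplete codePatterns set.
+const partial = !(0, gather_scope_1.isFullScope)(scope) || options.incrementalFiles !== undefined;
 const analysisResult = await (0, cache_1.readOrBuildAnalysisResult)({
 cwd,
-build: (innerCwd) => (0, health_1.gatherAnalysisResultBody)(innerCwd, {
+build: (innerCwd) => (0, health_1.gatherAnalysisResultBody)(innerCwd, {
+verbose: !!options.verbose,
+scope,
+incrementalFiles: options.incrementalFiles,
+}),
+opts: { partial },
 });
 const aggregate = analysisResult.capabilities.securityAggregate;
 if (!aggregate) {
@@ -273,22 +281,18 @@ async function gatherCurrentScan(options) {
 // here (or earlier inside readOrBuildAnalysisResult) so producers
 // can be pure or near-pure consumers — adding a new producer
 // means extending this context with one more input, never
-// adding another producer-specific block in this function.
-
-
-
-const rawSecrets
-// Inline `dxkit-allow:` annotations gathered from source so the
-// stale-allow producer can flag orphans whose underlying findings
-// are no longer present.
-const inlineAllowlistAnnotations = (0, gather_2.gatherInlineAllowlistAnnotations)(cwd);
+// adding another producer-specific block in this function. The
+// scope-aware analyzer inputs (test-gaps, hygiene, raw secrets,
+// inline annotations) come from one helper that skips the gathers a
+// scope can't block on (see scoped-inputs.ts).
+const { testGapsReport, hygiene, rawSecrets, inlineAllowlistAnnotations } = await (0, scoped_inputs_1.gatherScopedProducerInputs)(cwd, scope, !!options.verbose);
 const producerCtx = {
 cwd,
 commitSha: repoState.commitSha,
 salt,
 analysisResult,
 testGapsReport,
-hygiene
+hygiene,
 rawSecrets,
 inlineAllowlistAnnotations,
 };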
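Review bot: Keeping a partial result out of the shared cache rests on this one caller computing `partial` and passing `opts: { partial }` in gatherCurrentScan; any other caller that hands a `scope` or `incrementalFiles` to its `build` closure has to remember the same flag. cache.js is not part of this section, so whether the cache layer can recognise a scoped body on its own is not visible here; if it cannot, a scoped result stored as complete would let a later full `health` read miss findings. Consider having the built result carry its scope signature so the cache refuses to store anything that is not `'full'`. The new comment also names only `codePatterns`, although a scoped gather can omit secrets and dep-vuln results as well; suggest `// a result missing whole analyzers (secrets, codePatterns, depVulns, …).` The body of gatherCurrentScan continues outside these hunks.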
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"create.js","sourceRoot":"","sources":["../../src/baseline/create.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"create.js","sourceRoot":"","sources":["../../src/baseline/create.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwOH,sDAEC;AAwCD,8CAsHC;AAUD,gDAGC;AAkBD,wCAoDC;AAzdD,iDAA6C;AAC7C,mCAAoC;AACpC,uCAAyB;AACzB,2CAA6B;AAC7B,gDAA+D;AAC/D,8CAA+D;AAC/D,iDAA2E;AAC3E,mDAA6D;AAC7D,oEAAsF;AACtF,sCAAmC;AACnC,yCAAsD;AAEtD,4CAAwD;AACxD,mDAKyB;AAEzB,mCAA8C;AAE9C,qCAAwE;AACxE,2CAAsD;AAEtD,kDAAsD;AAEtD,yCAA0C;AAE1C,mCAAkD;AAwClD;;qEAEqE;AACrE,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,sEAAsE;AAC9I,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;qCAGqC;AACrC,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,GAAG,GAAG,CAAC,GAAG,IAAc,EAAU,EAAE;QACxC,IAAI,CAAC;YACH,OAAO,IAAA,4BAAY,EAAC,KAAK,EAAE,IAAI,EAAE;gBAC/B,GAAG;gBACH,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;aAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACZ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;IACF,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC;QACnC,MAAM,EAAE,GAAG,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,qEAAqE;AACrE,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,kCAAyB,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClF,MAAM,UAAU,GAAG,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACrF,0DAA0D;IAC1D,kEAAkE;IAClE,OAAO,EAAE,YAAY,EAAE,mBAAa,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;AAChG,CAAC;AAED;;;;;;;;;;;;;;;;2CAgB2C;AAC3C,SAAS,aAAa,CAAC,SAAgC,EAAE,GAAW;IAClE,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,GAAG,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IA
CD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC,CAAC,qBAAqB,EAAE,cAAc,CAAC,CAAC,CAAC;AAE/F;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;AAEhD,SAAS,kBAAkB,CAAC,IAAY,EAAE,GAAW;IACnD,MAAM,QAAQ,GAAG,GAAG,IAAI,KAAK,GAAG,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IACxC,MAAM,QAAQ,GAAG,0BAA0B,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACtC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY,EAAE,GAAW;IAC3D,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,mBAAa,EAAE,CAAC;IAChE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,yBAAS,CAAC,SAAS,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,iEAAiE;QACjE,iEAAiE;QACjE,4DAA4D;QAC5D,+DAA+D;QAC/D,8DAA8D;QAC9D,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,8DAA8D;QAC9D,kDAAkD;QAClD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,OAAO;gBAAE,OAAO,MAAM,CAAC,OAAO,CAAC;QAC5C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB;IACnC,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC;AA+BD;;;;;;;;GAQG;AACI,KAAK,UAAU,iBAAiB,CAAC,OAYvC;IACC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,yBAAU,CAAC;IAC1C,sEAAsE;IACtE,wEAAwE;IACxE,kCAAkC;IAClC,MAAM,OAAO,GAAG,CAAC,IAAA,0BAAW,EAAC,KAAK,CAAC,IAAI,OAAO,CAAC,gBAAgB,KAAK,SAAS,CAAC;IAE9E,MAAM,cAAc,GAAG,MAAM,IAAA,iCAAyB,EAAC;QACrD,GAAG;QACH,KAAK,EAAE,CAAC,QAAQ,EAAE,EAAE,CAClB,IAAA,iCAAwB,EAAC,QAAQ,EAAE;YACjC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO;YAC1B,KAAK;YACL,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;SAC3C,CAAC;QACJ,IAAI,EAAE,EAAE,OAAO,EAAE;KAClB,CAAC,CAAC;IACH,MAAM,SAAS
,GAAG,cAAc,CAAC,YAAY,CAAC,iBAAiB,CAAC;IAChE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,iEAAiE;YAC/D,yDAAyD,CAC5D,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAsB;QACnC,GAAG,aAAa,CAAC,GAAG,CAAC;QACrB,IAAI,EAAE,GAAG;KACV,CAAC;IAEF,iEAAiE;IACjE,4DAA4D;IAC5D,kEAAkE;IAClE,aAAa;IACb,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,IAAA,kBAAW,EAAC,GAAG,CAAC,CAAC;IAElD,gEAAgE;IAChE,kEAAkE;IAClE,6DAA6D;IAC7D,0DAA0D;IAC1D,+DAA+D;IAC/D,gEAAgE;IAChE,oEAAoE;IACpE,+CAA+C;IAC/C,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,0BAA0B,EAAE,GACvE,MAAM,IAAA,0CAA0B,EAAC,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAElE,MAAM,WAAW,GAAoB;QACnC,GAAG;QACH,SAAS,EAAE,SAAS,CAAC,SAAS;QAC9B,IAAI;QACJ,cAAc;QACd,cAAc;QACd,OAAO;QACP,UAAU;QACV,0BAA0B;KAC3B,CAAC;IAEF,8DAA8D;IAC9D,2DAA2D;IAC3D,gEAAgE;IAChE,QAAQ;IACR,MAAM,QAAQ,GAAwB,IAAA,wBAAY,EAAC,WAAW,EAAE,qBAAS,CAAC,CAAC;IAE3E,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,MAAM,QAAQ,GAAG,CAAC,MAAiC,EAAE,EAAE;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,KAAK,MAAM,IAAI,IAAI,MAAM;aACtB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YACnB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC,CAAC;IACF,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACjD,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG;QAAE,SAAS,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC7E,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IAExD,MAAM,YAAY,GAAyB;QACzC,GAAG,iBAAiB,CAAC,GAAG,CAAC;QACzB,aAAa,EAAE,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;KAClD,CAAC;IAEF,sEAAsE;IACtE,kEAAkE;IAClE,wDAAwD;IACxD,MAAM,QAAQ,GAAG,IAAA,mCAAwB,EAAC,IAAA,6BAAa,EAAC,cAAc,CAAC,KAAK,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;IAE9F,OAAO;QACL,QAAQ;QACR,SAAS;QACT,SAAS;QACT,QAAQ;QACR,KAAK;QACL,QAAQ;QACR,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AA
CH,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,OAAO,IAAA,mCAAwB,EAAC,IAAA,6BAAa,EAAC,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvF,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACI,KAAK,UAAU,cAAc,CAClC,OAA8B;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,qCAAqB,CAAC;IACnD,MAAM,IAAI,GACR,OAAO,CAAC,YAAY;QACpB,CAAC,GAAG,EAAE;YACJ,MAAM,MAAM,GAAG,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;YACtC,OAAO,IAAA,2BAAmB,EAAC;gBACzB,GAAG;gBACH,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI;gBACjC,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG;aAChC,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC9B,8DAA8D;QAC9D,8DAA8D;QAC9D,+DAA+D;QAC/D,gEAAgE;QAChE,OAAO,EAAE,IAAI,EAAE,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAA,+BAAe,EAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,8BAA8B,QAAQ,mCAAmC;YACvE,yCAAyC,CAC5C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAExE,MAAM,QAAQ,GAAiB;QAC7B,aAAa,EAAE,uCAAuB;QACtC,IAAI;QACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI,EAAE,IAAI,CAAC,SAAS;QACpB,QAAQ,EAAE,IAAI,CAAC,YAAY;QAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,cAAc,EAAE,+BAAuB;QACvC,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;KACxB,CAAC;IAEF,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAA,uBAAY,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IACrF,IAAA,iCAAiB,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAClC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC"}
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Gather scope — which analyzers a guardrail gather actually needs to run.
|
|
3
|
+
*
|
|
4
|
+
* # Why this exists (2.14.0 opt 1)
|
|
5
|
+
*
|
|
6
|
+
* The full current-side gather runs every analyzer (semgrep, gitleaks,
|
|
7
|
+
* graphify AST, jscpd, OSV, lint, coverage, cloc, test-gaps, licenses, …).
|
|
8
|
+
* On a large repo that is ~60s. But a guardrail check can only ever BLOCK
|
|
9
|
+
* on the finding kinds its policy escalates — see `evaluateBlockRules` in
|
|
10
|
+
* `./policy.ts`. A `security-only` loop posture blocks on secrets + crit/
|
|
11
|
+
* high SAST + critical dep-vulns and NOTHING else, so gathering jscpd /
|
|
12
|
+
* lint / coverage / cloc / test-gaps / graphify for it is pure waste: those
|
|
13
|
+
* analyzers feed only kinds the policy can't act on.
|
|
14
|
+
*
|
|
15
|
+
* This module derives, from a `BrownfieldPolicy`, the minimal set of
|
|
16
|
+
* analyzers whose output can change the verdict, so the gather can skip the
|
|
17
|
+
* rest. It is the single source of truth for that mapping.
|
|
18
|
+
*
|
|
19
|
+
* # Safety contract (load-bearing)
|
|
20
|
+
*
|
|
21
|
+
* Scoping is correct ONLY because the verdict depends solely on BLOCKING
|
|
22
|
+
* pairs, and a kind the policy cannot block can never produce one. The map
|
|
23
|
+
* below therefore tracks `evaluateBlockRules` exactly:
|
|
24
|
+
*
|
|
25
|
+
* - `policy.block` non-empty (e.g. `['added']`, the `full-debt` posture)
|
|
26
|
+
* means ANY kind blocks by status alone → FULL_SCOPE, gather everything.
|
|
27
|
+
* - otherwise each enabled `blockRule` pulls in exactly the analyzer(s)
|
|
28
|
+
* that feed its kind.
|
|
29
|
+
*
|
|
30
|
+
* Two structural guarantees keep this honest:
|
|
31
|
+
* 1. Scoping is OPT-IN. Every existing caller (CI guardrail, `createBaseline`,
|
|
32
|
+
* the `health` report) gets `FULL_SCOPE` and is byte-identical. Only the
|
|
33
|
+
* loop Stop-gate passes a derived scope.
|
|
34
|
+
* 2. The security aggregate's cheap intrinsic scans (tls-bypass + file
|
|
35
|
+
* findings, ~0.5s) always run inside `buildSecurityAggregateForHealth`,
|
|
36
|
+
* so a `code`/`config` security finding can never be skipped by scoping.
|
|
37
|
+
*
|
|
38
|
+
* If a new block rule lands in `evaluateBlockRules`, `scopeForPolicy` MUST
|
|
39
|
+
* gain the matching analyzer here or a real finding could be skipped — the
|
|
40
|
+
* scope contract test pins this.
|
|
41
|
+
*/
|
|
42
|
+
import type { BrownfieldPolicy } from './policy';
|
|
43
|
+
/**
|
|
44
|
+
* One boolean per skippable analyzer. `true` = run it. The names mirror the
|
|
45
|
+
* gather steps in `health.ts` / `create.ts` so threading is mechanical.
|
|
46
|
+
*
|
|
47
|
+
* Not represented (always run, never scoped away):
|
|
48
|
+
* - the cheap tls-bypass + file-finding scans intrinsic to the security
|
|
49
|
+
* aggregate (they contribute blockable `code`/`config` findings);
|
|
50
|
+
* - generic Layer-0 metrics + package.json (microseconds).
|
|
51
|
+
*/
|
|
52
|
+
export interface GatherScope {
|
|
53
|
+
/** gitleaks + grep-secrets → `secret` (+ raw secrets → `secret-hmac`). */
|
|
54
|
+
readonly secrets: boolean;
|
|
55
|
+
/** semgrep → `code` SAST findings. */
|
|
56
|
+
readonly codePatterns: boolean;
|
|
57
|
+
/** OSV / per-pack dep audit → `dep-vuln`. */
|
|
58
|
+
readonly depVulns: boolean;
|
|
59
|
+
/** graphify AST → structural metrics + import reachability. */
|
|
60
|
+
readonly structural: boolean;
|
|
61
|
+
/** jscpd → `duplication`. */
|
|
62
|
+
readonly duplication: boolean;
|
|
63
|
+
/** per-pack linters → Quality dimension + `code`-adjacent hygiene. */
|
|
64
|
+
readonly lint: boolean;
|
|
65
|
+
/** coverage providers → Tests dimension. */
|
|
66
|
+
readonly coverage: boolean;
|
|
67
|
+
/** license scan → attribution (never a blockable kind). */
|
|
68
|
+
readonly licenses: boolean;
|
|
69
|
+
/** import graph → dep-vuln reachability + DX metrics. */
|
|
70
|
+
readonly imports: boolean;
|
|
71
|
+
/** test-framework detection → DX metrics. */
|
|
72
|
+
readonly testFramework: boolean;
|
|
73
|
+
/** cloc line counts → `large-file`, comment ratio, language breakdown. */
|
|
74
|
+
readonly cloc: boolean;
|
|
75
|
+
/** test-gap analyzer → `test-gap` / `test-file-degradation`. */
|
|
76
|
+
readonly testGaps: boolean;
|
|
77
|
+
/** hygiene markers (TODO/FIXME/stale) → `stale-file` + Quality counts. */
|
|
78
|
+
readonly hygiene: boolean;
|
|
79
|
+
}
|
|
80
|
+
/** Everything on — the default every non-loop caller gets. */
|
|
81
|
+
export declare const FULL_SCOPE: GatherScope;
|
|
82
|
+
/** True when no analyzer at all is required — caller can short-circuit. */
|
|
83
|
+
export declare function isEmptyScope(s: GatherScope): boolean;
|
|
84
|
+
/** True when this is the full gather (no analyzer skipped). */
|
|
85
|
+
export declare function isFullScope(s: GatherScope): boolean;
|
|
86
|
+
/**
|
|
87
|
+
* A compact, deterministic signature of which analyzers a scope runs.
|
|
88
|
+
* Used to namespace the ref-scan cache so a scoped ref gather is never
|
|
89
|
+
* served as if it were a full one (and vice versa). Order is fixed by the
|
|
90
|
+
* sorted key list, so the signature is stable across calls.
|
|
91
|
+
*/
|
|
92
|
+
export declare function scopeSignature(s: GatherScope): string;
|
|
93
|
+
/**
|
|
94
|
+
* Derive the minimal gather scope a policy needs.
|
|
95
|
+
*
|
|
96
|
+
* The verdict can only be changed by a kind the policy BLOCKS, so the scope
|
|
97
|
+
* tracks `evaluateBlockRules` (in `./policy.ts`) one-to-one:
|
|
98
|
+
*
|
|
99
|
+
* newSecret → secrets
|
|
100
|
+
* newCriticalSecurity / newHighSecurity → codePatterns
|
|
101
|
+
* newCritical/HighReachableDependency… → depVulns
|
|
102
|
+
* newUntestedChangedSource → testGaps
|
|
103
|
+
* newSevereQualityIssueInChangedFiles → codePatterns + hygiene
|
|
104
|
+
*
|
|
105
|
+
* A non-empty `policy.block` list (statuses that block regardless of kind,
|
|
106
|
+
* e.g. `full-debt`'s `['added']`) means any kind can block, so we cannot
|
|
107
|
+
* skip anything → `FULL_SCOPE`.
|
|
108
|
+
*
|
|
109
|
+
* NB: `newHighReachableDependencyVulnerability` needs reachability, which the
|
|
110
|
+
* guardrail's classifier never populates today (`context.reachable` is unset
|
|
111
|
+
* on the check path), so it cannot actually fire — but we still scope in
|
|
112
|
+
* `depVulns` for it so the mapping stays a faithful, future-proof mirror of
|
|
113
|
+
* the rule table rather than relying on that downstream gap.
|
|
114
|
+
*/
|
|
115
|
+
export declare function scopeForPolicy(policy: BrownfieldPolicy): GatherScope;
|
|
116
|
+
//# sourceMappingURL=gather-scope.d.ts.map
|
|
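Review bot: The `GatherScope.imports` doc says the import graph feeds dep-vuln reachability, but the `scopeForPolicy` mapping table scopes `newHighReachableDependencyVulnerability` to `depVulns` only. The NB explains that the rule cannot fire today because `context.reachable` is unset, yet it also calls the mapping a future-proof mirror; once reachability is populated, a scoped gather that leaves `imports` off would presumably still keep the rule inert. Suggest extending the NB with a sentence such as "When reachability is wired up, this rule must also scope in imports." It would also help to say in the same comment that a policy enabling this rule is currently not enforced, so the gap is not discoverable only from a declaration file.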
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gather-scope.d.ts","sourceRoot":"","sources":["../../src/baseline/gather-scope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAEjD;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,0EAA0E;IAC1E,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,sCAAsC;IACtC,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC;IAC/B,6CAA6C;IAC7C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,6BAA6B;IAC7B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,sEAAsE;IACtE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,2DAA2D;IAC3D,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,yDAAyD;IACzD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,6CAA6C;IAC7C,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC,0EAA0E;IAC1E,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,gEAAgE;IAChE,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,0EAA0E;IAC1E,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED,8DAA8D;AAC9D,eAAO,MAAM,UAAU,EAAE,WAcvB,CAAC;AAmBH,2EAA2E;AAC3E,wBAAgB,YAAY,CAAC,CAAC,EAAE,WAAW,GAAG,OAAO,CAEpD;AAED,+DAA+D;AAC/D,wBAAgB,WAAW,CAAC,CAAC,EAAE,WAAW,GAAG,OAAO,CAEnD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,WAAW,GAAG,MAAM,CAMrD;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,gBAAgB,GAAG,WAAW,CAiBpE"}
|
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.FULL_SCOPE = void 0;
|
|
4
|
+
exports.isEmptyScope = isEmptyScope;
|
|
5
|
+
exports.isFullScope = isFullScope;
|
|
6
|
+
exports.scopeSignature = scopeSignature;
|
|
7
|
+
exports.scopeForPolicy = scopeForPolicy;
|
|
8
|
+
/** Everything on — the default every non-loop caller gets. */
|
|
9
|
+
exports.FULL_SCOPE = Object.freeze({
|
|
10
|
+
secrets: true,
|
|
11
|
+
codePatterns: true,
|
|
12
|
+
depVulns: true,
|
|
13
|
+
structural: true,
|
|
14
|
+
duplication: true,
|
|
15
|
+
lint: true,
|
|
16
|
+
coverage: true,
|
|
17
|
+
licenses: true,
|
|
18
|
+
imports: true,
|
|
19
|
+
testFramework: true,
|
|
20
|
+
cloc: true,
|
|
21
|
+
testGaps: true,
|
|
22
|
+
hygiene: true,
|
|
23
|
+
});
|
|
24
|
+
/** All-off starting point for the additive derivation below. */
|
|
25
|
+
const EMPTY_SCOPE = Object.freeze({
|
|
26
|
+
secrets: false,
|
|
27
|
+
codePatterns: false,
|
|
28
|
+
depVulns: false,
|
|
29
|
+
structural: false,
|
|
30
|
+
duplication: false,
|
|
31
|
+
lint: false,
|
|
32
|
+
coverage: false,
|
|
33
|
+
licenses: false,
|
|
34
|
+
imports: false,
|
|
35
|
+
testFramework: false,
|
|
36
|
+
cloc: false,
|
|
37
|
+
testGaps: false,
|
|
38
|
+
hygiene: false,
|
|
39
|
+
});
|
|
40
|
+
/** True when no analyzer at all is required — caller can short-circuit. */
|
|
41
|
+
function isEmptyScope(s) {
|
|
42
|
+
return !Object.values(s).some(Boolean);
|
|
43
|
+
}
|
|
44
|
+
/** True when this is the full gather (no analyzer skipped). */
|
|
45
|
+
function isFullScope(s) {
|
|
46
|
+
return Object.values(s).every(Boolean);
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* A compact, deterministic signature of which analyzers a scope runs.
|
|
50
|
+
* Used to namespace the ref-scan cache so a scoped ref gather is never
|
|
51
|
+
* served as if it were a full one (and vice versa). Order is fixed by the
|
|
52
|
+
* sorted key list, so the signature is stable across calls.
|
|
53
|
+
*/
|
|
54
|
+
function scopeSignature(s) {
|
|
55
|
+
if (isFullScope(s))
|
|
56
|
+
return 'full';
|
|
57
|
+
return Object.keys(s)
|
|
58
|
+
.sort()
|
|
59
|
+
.filter((k) => s[k])
|
|
60
|
+
.join('+');
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Derive the minimal gather scope a policy needs.
|
|
64
|
+
*
|
|
65
|
+
* The verdict can only be changed by a kind the policy BLOCKS, so the scope
|
|
66
|
+
* tracks `evaluateBlockRules` (in `./policy.ts`) one-to-one:
|
|
67
|
+
*
|
|
68
|
+
* newSecret → secrets
|
|
69
|
+
* newCriticalSecurity / newHighSecurity → codePatterns
|
|
70
|
+
* newCritical/HighReachableDependency… → depVulns
|
|
71
|
+
* newUntestedChangedSource → testGaps
|
|
72
|
+
* newSevereQualityIssueInChangedFiles → codePatterns + hygiene
|
|
73
|
+
*
|
|
74
|
+
* A non-empty `policy.block` list (statuses that block regardless of kind,
|
|
75
|
+
* e.g. `full-debt`'s `['added']`) means any kind can block, so we cannot
|
|
76
|
+
* skip anything → `FULL_SCOPE`.
|
|
77
|
+
*
|
|
78
|
+
* NB: `newHighReachableDependencyVulnerability` needs reachability, which the
|
|
79
|
+
* guardrail's classifier never populates today (`context.reachable` is unset
|
|
80
|
+
* on the check path), so it cannot actually fire — but we still scope in
|
|
81
|
+
* `depVulns` for it so the mapping stays a faithful, future-proof mirror of
|
|
82
|
+
* the rule table rather than relying on that downstream gap.
|
|
83
|
+
*/
|
|
84
|
+
function scopeForPolicy(policy) {
|
|
85
|
+
// Any status-based block applies across all kinds — nothing is safe to skip.
|
|
86
|
+
if (policy.block.length > 0)
|
|
87
|
+
return exports.FULL_SCOPE;
|
|
88
|
+
const r = policy.blockRules;
|
|
89
|
+
const scope = { ...EMPTY_SCOPE };
|
|
90
|
+
if (r.newSecret)
|
|
91
|
+
scope.secrets = true;
|
|
92
|
+
if (r.newCriticalSecurity || r.newHighSecurity)
|
|
93
|
+
scope.codePatterns = true;
|
|
94
|
+
if (r.newCriticalDependencyVulnerability || r.newHighReachableDependencyVulnerability) {
|
|
95
|
+
scope.depVulns = true;
|
|
96
|
+
}
|
|
97
|
+
if (r.newUntestedChangedSource)
|
|
98
|
+
scope.testGaps = true;
|
|
99
|
+
if (r.newSevereQualityIssueInChangedFiles) {
|
|
100
|
+
scope.codePatterns = true;
|
|
101
|
+
scope.hygiene = true;
|
|
102
|
+
}
|
|
103
|
+
return Object.freeze(scope);
|
|
104
|
+
}
|
|
105
|
+
//# sourceMappingURL=gather-scope.js.map
|
|
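Review bot: `isFullScope` (new lines 45-47) accepts any object whose present values are truthy, so `{}` or `{ secrets: true }` counts as a full scope, and `scopeSignature` then returns `'full'` for it. In `gatherCurrentScan` that makes `partial` false, so a gather run with analyzers missing from the scope object could be cached and later served as a complete result; whether a missing key actually skips an analyzer depends on health.js, which is not shown here. The TypeScript interface requires every key, but untyped callers and a scope rebuilt from JSON are not covered by it. Checking against the canonical key list closes the gap: `return Object.keys(exports.FULL_SCOPE).every((k) => s[k] === true);`. `isEmptyScope` has the mirror-image behaviour for `{}` and should be checked against the same key list.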
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gather-scope.js","sourceRoot":"","sources":["../../src/baseline/gather-scope.ts"],"names":[],"mappings":";;;AAoHA,oCAEC;AAGD,kCAEC;AAQD,wCAMC;AAwBD,wCAiBC;AAjGD,8DAA8D;AACjD,QAAA,UAAU,GAAgB,MAAM,CAAC,MAAM,CAAC;IACnD,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,IAAI;IAClB,QAAQ,EAAE,IAAI;IACd,UAAU,EAAE,IAAI;IAChB,WAAW,EAAE,IAAI;IACjB,IAAI,EAAE,IAAI;IACV,QAAQ,EAAE,IAAI;IACd,QAAQ,EAAE,IAAI;IACd,OAAO,EAAE,IAAI;IACb,aAAa,EAAE,IAAI;IACnB,IAAI,EAAE,IAAI;IACV,QAAQ,EAAE,IAAI;IACd,OAAO,EAAE,IAAI;CACd,CAAC,CAAC;AAEH,gEAAgE;AAChE,MAAM,WAAW,GAAgB,MAAM,CAAC,MAAM,CAAC;IAC7C,OAAO,EAAE,KAAK;IACd,YAAY,EAAE,KAAK;IACnB,QAAQ,EAAE,KAAK;IACf,UAAU,EAAE,KAAK;IACjB,WAAW,EAAE,KAAK;IAClB,IAAI,EAAE,KAAK;IACX,QAAQ,EAAE,KAAK;IACf,QAAQ,EAAE,KAAK;IACf,OAAO,EAAE,KAAK;IACd,aAAa,EAAE,KAAK;IACpB,IAAI,EAAE,KAAK;IACX,QAAQ,EAAE,KAAK;IACf,OAAO,EAAE,KAAK;CACf,CAAC,CAAC;AAEH,2EAA2E;AAC3E,SAAgB,YAAY,CAAC,CAAc;IACzC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC;AAED,+DAA+D;AAC/D,SAAgB,WAAW,CAAC,CAAc;IACxC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,CAAc;IAC3C,IAAI,WAAW,CAAC,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAClC,OAAQ,MAAM,CAAC,IAAI,CAAC,CAAC,CAA8B;SAChD,IAAI,EAAE;SACN,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SACnB,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,cAAc,CAAC,MAAwB;IACrD,6EAA6E;IAC7E,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,kBAAU,CAAC;IAE/C,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC;IAC5B,MAAM,KAAK,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,CAAC,SAAS;QAAE,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;IACtC,IAAI,CAAC,CAAC,mBAAmB,IAAI,CAAC,CAAC,eAAe;QAAE,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC;IAC1E,IAAI,CAAC,CAAC,kCAAkC,IAAI,CAAC,CAAC,uCAAuC,EAAE,CAAC;QACtF,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxB,CAAC;IACD,IAAI,CAAC,CAAC,wBAAwB;QAAE,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC;IACtD,IAAI,CAAC,CAAC,mCAAmC,EAAE,CAAC;QAC1C,KAAK,CAAC,YAAY,GAAG,IAAI,CAAC;QAC1B,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;IACvB
,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC"}
|
|
@@ -49,6 +49,7 @@
|
|
|
49
49
|
* handling in the orchestrator.
|
|
50
50
|
*/
|
|
51
51
|
import type { CurrentScan } from './create';
|
|
52
|
+
import { type GatherScope } from './gather-scope';
|
|
52
53
|
/**
|
|
53
54
|
* Recoverable error from the ref-based gather path. Carries an
|
|
54
55
|
* actionable `hint` the CLI surfaces verbatim so customers don't
|
|
@@ -110,5 +111,18 @@ export declare function gatherFromRef(opts: {
|
|
|
110
111
|
readonly cwd: string;
|
|
111
112
|
readonly ref: string;
|
|
112
113
|
readonly verbose?: boolean;
|
|
114
|
+
/** Scope the ref-side gather identically to the current side so the
|
|
115
|
+
* cross-run diff stays balanced. Defaults to `FULL_SCOPE`. */
|
|
116
|
+
readonly scope?: GatherScope;
|
|
113
117
|
}): Promise<CurrentScan>;
|
|
118
|
+
/** Deterministic cache key over every input that can change a ref scan.
|
|
119
|
+
* Includes the gather scope so a scoped ref scan is never reused for a
|
|
120
|
+
* full request (or vice versa). Exported for testing. */
|
|
121
|
+
export declare function refScanCacheKey(cwd: string, sha: string, scope?: GatherScope): string;
|
|
122
|
+
/** Read a cached ref scan; null on miss, bypass, or any shape mismatch.
|
|
123
|
+
* Exported for testing. */
|
|
124
|
+
export declare function readRefScanCache(cwd: string, key: string): CurrentScan | null;
|
|
125
|
+
/** Persist a ref scan keyed by its content address. Best-effort.
|
|
126
|
+
* Exported for testing. */
|
|
127
|
+
export declare function writeRefScanCache(cwd: string, key: string, scan: CurrentScan): void;
|
|
114
128
|
//# sourceMappingURL=ref-baseline.d.ts.map
|
|
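Review bot: The doc comment on `refScanCacheKey` promises a key over every input that can change a ref scan, but the signature exposes only `cwd`, `sha` and `scope`; analyzer and ruleset versions or the dxkit version also change scan output, and whether the implementation folds them in is not visible from these declarations. Please list the key's inputs in the comment so a stale entry after a tool upgrade can be ruled out by reading it. `readRefScanCache` documents only a shape check, and the returned scan is then used as the ref-side baseline, so a cache entry that lists extra findings would make new findings look pre-existing. The comment should state where the cache is stored and the trust assumption, for example `Entries are trusted as written; the cache directory must not be writable by the change under review.`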
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ref-baseline.d.ts","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;
|
|
1
|
+
{"version":3,"file":"ref-baseline.d.ts","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAkBH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,KAAK,WAAW,EAA8B,MAAM,gBAAgB,CAAC;AAE9E;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAWlD;AAqBD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,IAAI,EAAE,kBAAkB,EACxB,EAAE,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GACvC,OAAO,CAAC,CAAC,CAAC,CAuDZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAMnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B;mEAC+D;IAC/D,QAAQ,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC;CAC9B,GAAG,OAAO,CAAC,WAAW,CAAC,CAcvB;AAkCD;;0DAE0D;AAC1D,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,GAAE,WAAwB,GAAG,MAAM,CAUjG;AAED;4BAC4B;AAC5B,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,WAAW,GAAG,IAAI,CAgB7E;AAED;4BAC4B;AAC5B,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,GAAG,IAAI,CAanF"}
|
|
@@ -89,11 +89,18 @@ exports.isShallowRepo = isShallowRepo;
|
|
|
89
89
|
exports.withRefWorktree = withRefWorktree;
|
|
90
90
|
exports.mirrorSaltFile = mirrorSaltFile;
|
|
91
91
|
exports.gatherFromRef = gatherFromRef;
|
|
92
|
+
exports.refScanCacheKey = refScanCacheKey;
|
|
93
|
+
exports.readRefScanCache = readRefScanCache;
|
|
94
|
+
exports.writeRefScanCache = writeRefScanCache;
|
|
92
95
|
const child_process_1 = require("child_process");
|
|
96
|
+
const crypto_1 = require("crypto");
|
|
93
97
|
const fs_1 = require("fs");
|
|
94
98
|
const os_1 = require("os");
|
|
95
99
|
const path = __importStar(require("path"));
|
|
100
|
+
const constants_1 = require("../constants");
|
|
101
|
+
const types_1 = require("./types");
|
|
96
102
|
const create_1 = require("./create");
|
|
103
|
+
const gather_scope_1 = require("./gather-scope");
|
|
97
104
|
/**
|
|
98
105
|
* Recoverable error from the ref-based gather path. Carries an
|
|
99
106
|
* actionable `hint` the CLI surfaces verbatim so customers don't
|
|
@@ -253,8 +260,96 @@ function mirrorSaltFile(srcCwd, dstCwd) {
|
|
|
253
260
|
* survive the gap; `npm audit`-style probes do not.
|
|
254
261
|
*/
|
|
255
262
|
async function gatherFromRef(opts) {
|
|
256
|
-
|
|
257
|
-
|
|
263
|
+
const sha = resolveRefToSha(opts.cwd, opts.ref);
|
|
264
|
+
if (sha === null)
|
|
265
|
+
throw unreachableRefError(opts.cwd, opts.ref);
|
|
266
|
+
const scope = opts.scope ?? gather_scope_1.FULL_SCOPE;
|
|
267
|
+
const key = refScanCacheKey(opts.cwd, sha, scope);
|
|
268
|
+
const cached = readRefScanCache(opts.cwd, key);
|
|
269
|
+
if (cached)
|
|
270
|
+
return cached;
|
|
271
|
+
const scan = await withRefWorktree({ cwd: opts.cwd, ref: opts.ref }, async (worktreePath) => {
|
|
272
|
+
return (0, create_1.gatherCurrentScan)({ cwd: worktreePath, verbose: opts.verbose, scope });
|
|
258
273
|
});
|
|
274
|
+
writeRefScanCache(opts.cwd, key, scan);
|
|
275
|
+
return scan;
|
|
276
|
+
}
|
|
277
|
+
/**
|
|
278
|
+
* Content-addressed cache for ref-side gathers.
|
|
279
|
+
*
|
|
280
|
+
* A ref scan is a pure function of its inputs: the ref commit, the dxkit
|
|
281
|
+
* version, the identity scheme, and the salt. The loop Stop-gate fires the
|
|
282
|
+
* ref gather on every stop against an `origin/main` that rarely moves, so
|
|
283
|
+
* without this cache it re-scans an unchanged ref each time — the dominant
|
|
284
|
+
* cost of a ref-based gate. A cache hit is only ever a genuinely identical
|
|
285
|
+
* scan (the key captures every input that can change the findings), so the
|
|
286
|
+
* cache can never alter a guardrail verdict.
|
|
287
|
+
*
|
|
288
|
+
* Safety note: `gatherFromRef` returns a full `CurrentScan`, but the sole
|
|
289
|
+
* consumer (the ref-based branch of `runGuardrailCheck`) reads only the
|
|
290
|
+
* plain `findings`/`repoState`/`analysisMeta`/`tools`/`saltMode` fields,
|
|
291
|
+
* all of which JSON round-trip exactly. The cache file is JSON, lives under
|
|
292
|
+
* the already-gitignored `.dxkit/cache/`, and is bypassed entirely with
|
|
293
|
+
* `DXKIT_NO_REF_CACHE=1`. Bump `REF_SCAN_CACHE_FORMAT` if `CurrentScan`'s
|
|
294
|
+
* serialized shape changes.
|
|
295
|
+
*/
|
|
296
|
+
const REF_SCAN_CACHE_FORMAT = 1;
|
|
297
|
+
const REF_SCAN_CACHE_DIR = path.join('.dxkit', 'cache', 'ref-scan');
|
|
298
|
+
/** Hash of the file-mode salt, or a sentinel when absent. */
|
|
299
|
+
function saltSignature(cwd) {
|
|
300
|
+
try {
|
|
301
|
+
const buf = (0, fs_1.readFileSync)(path.join(cwd, '.dxkit', 'salt'));
|
|
302
|
+
return (0, crypto_1.createHash)('sha256').update(buf).digest('hex').slice(0, 16); // fingerprint-helper-ok
|
|
303
|
+
}
|
|
304
|
+
catch {
|
|
305
|
+
return 'no-salt';
|
|
306
|
+
}
|
|
307
|
+
}
|
|
308
|
+
/** Deterministic cache key over every input that can change a ref scan.
|
|
309
|
+
* Includes the gather scope so a scoped ref scan is never reused for a
|
|
310
|
+
* full request (or vice versa). Exported for testing. */
|
|
311
|
+
function refScanCacheKey(cwd, sha, scope = gather_scope_1.FULL_SCOPE) {
|
|
312
|
+
const material = [
|
|
313
|
+
`fmt:${REF_SCAN_CACHE_FORMAT}`,
|
|
314
|
+
`sha:${sha}`,
|
|
315
|
+
`ver:${constants_1.VERSION}`,
|
|
316
|
+
`scheme:${types_1.CURRENT_IDENTITY_SCHEME}`,
|
|
317
|
+
`salt:${saltSignature(cwd)}`,
|
|
318
|
+
`scope:${(0, gather_scope_1.scopeSignature)(scope)}`,
|
|
319
|
+
].join('\0');
|
|
320
|
+
return (0, crypto_1.createHash)('sha256').update(material).digest('hex').slice(0, 32); // fingerprint-helper-ok
|
|
321
|
+
}
|
|
322
|
+
/** Read a cached ref scan; null on miss, bypass, or any shape mismatch.
|
|
323
|
+
* Exported for testing. */
|
|
324
|
+
function readRefScanCache(cwd, key) {
|
|
325
|
+
if (process.env.DXKIT_NO_REF_CACHE === '1')
|
|
326
|
+
return null;
|
|
327
|
+
try {
|
|
328
|
+
const raw = (0, fs_1.readFileSync)(path.join(cwd, REF_SCAN_CACHE_DIR, `${key}.json`), 'utf8');
|
|
329
|
+
const parsed = JSON.parse(raw);
|
|
330
|
+
if (parsed.format !== REF_SCAN_CACHE_FORMAT ||
|
|
331
|
+
!parsed.scan ||
|
|
332
|
+
!Array.isArray(parsed.scan.findings)) {
|
|
333
|
+
return null; // unexpected shape → gather fresh (safe default)
|
|
334
|
+
}
|
|
335
|
+
return parsed.scan;
|
|
336
|
+
}
|
|
337
|
+
catch {
|
|
338
|
+
return null; // miss / unreadable / parse error → gather fresh (safe default)
|
|
339
|
+
}
|
|
340
|
+
}
|
|
341
|
+
/** Persist a ref scan keyed by its content address. Best-effort.
|
|
342
|
+
* Exported for testing. */
|
|
343
|
+
function writeRefScanCache(cwd, key, scan) {
|
|
344
|
+
if (process.env.DXKIT_NO_REF_CACHE === '1')
|
|
345
|
+
return;
|
|
346
|
+
try {
|
|
347
|
+
const dir = path.join(cwd, REF_SCAN_CACHE_DIR);
|
|
348
|
+
(0, fs_1.mkdirSync)(dir, { recursive: true });
|
|
349
|
+
(0, fs_1.writeFileSync)(path.join(dir, `${key}.json`), JSON.stringify({ format: REF_SCAN_CACHE_FORMAT, scan }) + '\n', 'utf8');
|
|
350
|
+
}
|
|
351
|
+
catch {
|
|
352
|
+
/* A cache write must never break the gather. */
|
|
353
|
+
}
|
|
259
354
|
}
|
|
260
355
|
//# sourceMappingURL=ref-baseline.js.map
|
|
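Review bot: `readRefScanCache` returns whatever JSON sits at `.dxkit/cache/ref-scan/<key>.json` as the ref-side scan after checking only `format`, `scan` and `Array.isArray(parsed.scan.findings)`, so the doc comment's claim that the cache "can never alter a guardrail verdict" holds only while nothing else can write that directory. The directory is inside the working tree, which the process being gated can presumably write to, and the payload does not record which key or commit it belongs to. I would write the key into the payload and reject a mismatch on read (`if (parsed.key !== key) return null;`), and say in the comment that the cache is trusted workspace state, with `DXKIT_NO_REF_CACHE=1` recommended where the gate must not rely on files in the checkout. Separately, `gatherFromRef` keys the cache on the resolved `sha` but still passes `opts.ref` to `withRefWorktree`; if that helper resolves the ref again (its body is outside these hunks), a ref that moves in between is scanned and stored under the old key, so passing `ref: sha` would pin both steps to one commit.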
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ref-baseline.js","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"ref-baseline.js","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CH,0CAWC;AAQD,sCAWC;AA6BD,0CA0DC;AASD,wCAMC;AAcD,sCAqBC;AAqCD,0CAUC;AAID,4CAgBC;AAID,8CAaC;AAxSD,iDAA6C;AAC7C,mCAAoC;AACpC,2BAQY;AACZ,2BAA4B;AAC5B,2CAA6B;AAC7B,4CAAuC;AACvC,mCAAkD;AAClD,qCAA6C;AAE7C,iDAA8E;AAE9E;;;;;GAKG;AACH,MAAa,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IACtB,YAAY,OAAe,EAAE,IAAY;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAPD,4CAOC;AAOD;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,GAAW,EAAE,GAAW;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,GAAG,WAAW,CAAC,EAAE;YAC5E,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,yBAAyB,CAAC,EAAE;YACxE,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,KAAK,MAAM,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,GAAW,EAAE,GAAW;IACnD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,4BAA4B,EAC9D,wFAAwF,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,GAAG,EACrC,oHAAoH,CACrH,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,IAAwB,EACxB,EAAwC;IAExC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,GAAG,KAAK,IAAI;QAAE,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAEhE,+DAA+D;IAC/D,gEAAgE;IAChE,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAA,gBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,WAAM,GAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IA
AI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACrD,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,EAAE;YACtE,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,aAAa,GAAG,IAAI,CAAC;QACrB,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,OAAO,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,gBAAgB;YAAE,MAAM,GAAG,CAAC;QAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,wDAAwD;YACxD,sCAAsC;YACtC,MAAM,IAAI,gBAAgB,CACxB,yCAAyC,IAAI,CAAC,GAAG,GAAG,EACpD,mDAAmD,QAAQ,eAAe,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE;oBACnE,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,yDAAyD;YAC3D,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,IAAA,WAAM,EAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,8DAA8D;YAC9D,qBAAqB;QACvB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,MAAc,EAAE,MAAc;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC;QAAE,OAAO;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAA,cAAS,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,IAAA,iBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,aAAa,CAAC,IAOnC;IACC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,GAAG,KAAK,IAAI;QAAE,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAEhE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,yBAAU,CAAC;IACvC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAClD,
MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE;QAC1F,OAAO,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IACH,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,qBAAqB,GAAG,CAAC,CAAC;AAChC,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;AAEpE,6DAA6D;AAC7D,SAAS,aAAa,CAAC,GAAW;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iBAAY,EAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAC3D,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;IAC9F,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;0DAE0D;AAC1D,SAAgB,eAAe,CAAC,GAAW,EAAE,GAAW,EAAE,QAAqB,yBAAU;IACvF,MAAM,QAAQ,GAAG;QACf,OAAO,qBAAqB,EAAE;QAC9B,OAAO,GAAG,EAAE;QACZ,OAAO,mBAAO,EAAE;QAChB,UAAU,+BAAuB,EAAE;QACnC,QAAQ,aAAa,CAAC,GAAG,CAAC,EAAE;QAC5B,SAAS,IAAA,6BAAc,EAAC,KAAK,CAAC,EAAE;KACjC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACb,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;AACnG,CAAC;AAED;4BAC4B;AAC5B,SAAgB,gBAAgB,CAAC,GAAW,EAAE,GAAW;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iBAAY,EAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,EAAE,GAAG,GAAG,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC;QACpF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4C,CAAC;QAC1E,IACE,MAAM,CAAC,MAAM,KAAK,qBAAqB;YACvC,CAAC,MAAM,CAAC,IAAI;YACZ,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EACpC,CAAC;YACD,OAAO,IAAI,CAAC,CAAC,iDAAiD;QAChE,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,gEAAgE;IAC/E,CAAC;AACH,CAAC;AAED;4BAC4B;AAC5B,SAAgB,
iBAAiB,CAAC,GAAW,EAAE,GAAW,EAAE,IAAiB;IAC3E,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,GAAG;QAAE,OAAO;IACnD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;QAC/C,IAAA,cAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,IAAA,kBAAa,EACX,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,EAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,EAC9D,MAAM,CACP,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,gDAAgD;IAClD,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { type TestGapsReport } from '../analyzers/tests/types';
|
|
2
|
+
import type { GitleaksRawSecret } from '../analyzers/tools/gitleaks';
|
|
3
|
+
import type { InlineAllowlistOccurrence } from '../allowlist/gather';
|
|
4
|
+
import type { GatherScope } from './gather-scope';
|
|
5
|
+
import type { HygieneSnapshot } from './producers';
|
|
6
|
+
/** The non-cached analyzer outputs the producer registry consumes. */
|
|
7
|
+
export interface ScopedProducerInputs {
|
|
8
|
+
readonly testGapsReport: TestGapsReport;
|
|
9
|
+
readonly hygiene: HygieneSnapshot;
|
|
10
|
+
readonly rawSecrets: ReadonlyArray<GitleaksRawSecret>;
|
|
11
|
+
readonly inlineAllowlistAnnotations: ReadonlyArray<InlineAllowlistOccurrence>;
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Gather the producer-context inputs a scope needs. Each gather is skipped
|
|
15
|
+
* when its scope flag is off, substituting an empty value so the
|
|
16
|
+
* corresponding producer emits zero entries. `inlineAllowlistAnnotations` is
|
|
17
|
+
* always gathered (a cheap source scan that feeds the stale-allow producer,
|
|
18
|
+
* which has no scope flag).
|
|
19
|
+
*/
|
|
20
|
+
export declare function gatherScopedProducerInputs(cwd: string, scope: GatherScope, verbose: boolean): Promise<ScopedProducerInputs>;
|
|
21
|
+
//# sourceMappingURL=scoped-inputs.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scoped-inputs.d.ts","sourceRoot":"","sources":["../../src/baseline/scoped-inputs.ts"],"names":[],"mappings":"AAcA,OAAO,EAAuB,KAAK,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAGpF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AACrE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAenD,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACtD,QAAQ,CAAC,0BAA0B,EAAE,aAAa,CAAC,yBAAyB,CAAC,CAAC;CAC/E;AAED;;;;;;GAMG;AACH,wBAAsB,0BAA0B,CAC9C,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,oBAAoB,CAAC,CAY/B"}
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.gatherScopedProducerInputs = gatherScopedProducerInputs;
|
|
4
|
+
/**
|
|
5
|
+
* Scope-aware producer-context inputs.
|
|
6
|
+
*
|
|
7
|
+
* Extracted from `create.ts` so `gatherCurrentScan` stays focused on
|
|
8
|
+
* orchestration. The producer registry (CLAUDE.md Rule 10) reads a handful
|
|
9
|
+
* of analyzer outputs from `ProducerContext` beyond the cached
|
|
10
|
+
* `AnalysisResult`: the test-gaps report, hygiene markers, raw secrets, and
|
|
11
|
+
* inline allowlist annotations. Each feeds exactly one producer family, so a
|
|
12
|
+
* gather scope that can't block on that family skips the (sometimes
|
|
13
|
+
* expensive) gather and substitutes an empty input — the producer then
|
|
14
|
+
* emits zero entries. The ref side is scoped identically, so the cross-run
|
|
15
|
+
* diff stays balanced (see `gather-scope.ts`).
|
|
16
|
+
*/
|
|
17
|
+
const tests_1 = require("../analyzers/tests");
|
|
18
|
+
const types_1 = require("../analyzers/tests/types");
|
|
19
|
+
const gather_1 = require("../analyzers/quality/gather");
|
|
20
|
+
const gitleaks_1 = require("../analyzers/tools/gitleaks");
|
|
21
|
+
const gather_2 = require("../allowlist/gather");
|
|
22
|
+
/** Vacuous hygiene snapshot for the scope-aware gather when a posture
|
|
23
|
+
* cannot block on `stale-file` / hygiene counts (`scope.hygiene === false`),
|
|
24
|
+
* so the hygiene grep is skipped. The `quality` producer reads
|
|
25
|
+
* `hygiene.staleFiles` and emits zero entries from the empty list. */
|
|
26
|
+
const EMPTY_HYGIENE_SNAPSHOT = {
|
|
27
|
+
staleFiles: [],
|
|
28
|
+
todoCount: 0,
|
|
29
|
+
fixmeCount: 0,
|
|
30
|
+
hackCount: 0,
|
|
31
|
+
consoleLogCount: 0,
|
|
32
|
+
mixedLanguages: false,
|
|
33
|
+
};
|
|
34
|
+
/**
|
|
35
|
+
* Gather the producer-context inputs a scope needs. Each gather is skipped
|
|
36
|
+
* when its scope flag is off, substituting an empty value so the
|
|
37
|
+
* corresponding producer emits zero entries. `inlineAllowlistAnnotations` is
|
|
38
|
+
* always gathered (a cheap source scan that feeds the stale-allow producer,
|
|
39
|
+
* which has no scope flag).
|
|
40
|
+
*/
|
|
41
|
+
async function gatherScopedProducerInputs(cwd, scope, verbose) {
|
|
42
|
+
const testGapsReport = scope.testGaps
|
|
43
|
+
? await (0, tests_1.analyzeTestGaps)(cwd, { verbose })
|
|
44
|
+
: (0, types_1.emptyTestGapsReport)();
|
|
45
|
+
const hygiene = scope.hygiene ? (0, gather_1.gatherHygieneMarkers)(cwd) : EMPTY_HYGIENE_SNAPSHOT;
|
|
46
|
+
const gitleaksOutcome = scope.secrets
|
|
47
|
+
? (0, gitleaks_1.gatherGitleaksResult)(cwd)
|
|
48
|
+
: { kind: 'unavailable', reason: 'scoped out' };
|
|
49
|
+
const rawSecrets = gitleaksOutcome.kind === 'success' ? gitleaksOutcome.rawSecrets : [];
|
|
50
|
+
const inlineAllowlistAnnotations = (0, gather_2.gatherInlineAllowlistAnnotations)(cwd);
|
|
51
|
+
return { testGapsReport, hygiene, rawSecrets, inlineAllowlistAnnotations };
|
|
52
|
+
}
|
|
53
|
+
//# sourceMappingURL=scoped-inputs.js.map
|
|
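Review bot: In `gatherScopedProducerInputs`, a gitleaks run that was requested (`scope.secrets` true) but did not come back with `kind === 'success'` collapses to `rawSecrets = []`, the same value used for "scoped out" and for a clean scan, so a missing or failing scanner reads as "no secrets" to the producer. For a guardrail input that is a fail-open default, and the `verbose` argument is not used to report it. Unless the outcome is recorded elsewhere (for example in the scan's `tools` field, which this file does not show), I would surface it, e.g. `if (scope.secrets && gitleaksOutcome.kind !== 'success') console.error('secret scan did not run: ' + gitleaksOutcome.reason);`, assuming the non-success variants carry `reason` as the synthetic one here does. A one-line comment above `rawSecrets` stating that an empty list does not imply the scan ran would also help the next reader.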
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scoped-inputs.js","sourceRoot":"","sources":["../../src/baseline/scoped-inputs.ts"],"names":[],"mappings":";;AAmDA,gEAgBC;AAnED;;;;;;;;;;;;GAYG;AACH,8CAAqD;AACrD,oDAAoF;AACpF,wDAAmE;AACnE,0DAAmE;AAEnE,gDAAuE;AAKvE;;;uEAGuE;AACvE,MAAM,sBAAsB,GAAoB;IAC9C,UAAU,EAAE,EAAE;IACd,SAAS,EAAE,CAAC;IACZ,UAAU,EAAE,CAAC;IACb,SAAS,EAAE,CAAC;IACZ,eAAe,EAAE,CAAC;IAClB,cAAc,EAAE,KAAK;CACtB,CAAC;AAUF;;;;;;GAMG;AACI,KAAK,UAAU,0BAA0B,CAC9C,GAAW,EACX,KAAkB,EAClB,OAAgB;IAEhB,MAAM,cAAc,GAAG,KAAK,CAAC,QAAQ;QACnC,CAAC,CAAC,MAAM,IAAA,uBAAe,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC;QACzC,CAAC,CAAC,IAAA,2BAAmB,GAAE,CAAC;IAC1B,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAA,6BAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,sBAAsB,CAAC;IACnF,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO;QACnC,CAAC,CAAC,IAAA,+BAAoB,EAAC,GAAG,CAAC;QAC3B,CAAC,CAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,EAAY,CAAC;IAC7D,MAAM,UAAU,GACd,eAAe,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,0BAA0B,GAAG,IAAA,yCAAgC,EAAC,GAAG,CAAC,CAAC;IACzE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,0BAA0B,EAAE,CAAC;AAC7E,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/loop/doctor.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/loop/doctor.ts"],"names":[],"mappings":"AAyBA;2EAC2E;AAC3E,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAEvD,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,6CAA6C;IAC7C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,2EAA2E;IAC3E,QAAQ,CAAC,GAAG,CAAC,EAAE;QACb,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;CACH;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,2DAA2D;IAC3D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC1C;iDAC6C;IAC7C,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;CACtB;AA6ED,mEAAmE;AACnE,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAgMnE;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,GAAE;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CA0B7F"}
|