@vyuhlabs/dxkit 2.13.3 → 2.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +66 -0
- package/README.md +85 -58
- package/dist/analyzers/cache.d.ts +9 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +27 -15
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/health.d.ts +19 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +72 -26
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +9 -0
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tests/types.js +34 -0
- package/dist/analyzers/tests/types.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +2 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +38 -24
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +15 -1
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +49 -3
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/baseline/changed-files.d.ts +12 -0
- package/dist/baseline/changed-files.d.ts.map +1 -0
- package/dist/baseline/changed-files.js +100 -0
- package/dist/baseline/changed-files.js.map +1 -0
- package/dist/baseline/check.d.ts +30 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +71 -4
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +10 -0
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +19 -15
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/gather-scope.d.ts +116 -0
- package/dist/baseline/gather-scope.d.ts.map +1 -0
- package/dist/baseline/gather-scope.js +105 -0
- package/dist/baseline/gather-scope.js.map +1 -0
- package/dist/baseline/ref-baseline.d.ts +17 -2
- package/dist/baseline/ref-baseline.d.ts.map +1 -1
- package/dist/baseline/ref-baseline.js +27 -4
- package/dist/baseline/ref-baseline.js.map +1 -1
- package/dist/baseline/scoped-inputs.d.ts +21 -0
- package/dist/baseline/scoped-inputs.d.ts.map +1 -0
- package/dist/baseline/scoped-inputs.js +53 -0
- package/dist/baseline/scoped-inputs.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +7 -2
- package/dist/cli.js.map +1 -1
- package/dist/loop/stop-gate.d.ts.map +1 -1
- package/dist/loop/stop-gate.js +12 -1
- package/dist/loop/stop-gate.js.map +1 -1
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,72 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.15.0] - 2026-06-22
|
|
11
|
+
|
|
12
|
+
### Fixed — ref-based guardrail no longer false-blocks on `secret-hmac`
|
|
13
|
+
|
|
14
|
+
In ref-based mode (the default for public repos), dxkit mints a locator-less
|
|
15
|
+
`secret-hmac` companion alongside each located `secret` for cross-file
|
|
16
|
+
relocation matching. On a fresh or shallow checkout the two sides of the diff
|
|
17
|
+
can derive different salts, so the companions never match and read as net-new —
|
|
18
|
+
a **false block**, even though the located `secret` twins match correctly.
|
|
19
|
+
`secret-hmac` now joins `duplication` and `test-gap` in the set of kinds
|
|
20
|
+
excluded from the ref-based diff (they can't be gathered comparably across a
|
|
21
|
+
detached worktree). The located `secret` kind still gates net-new credentials;
|
|
22
|
+
only the redundant companion is dropped. **Committed modes are unaffected.**
|
|
23
|
+
|
|
24
|
+
### Added — opt-in `--incremental` for `guardrail check`
|
|
25
|
+
|
|
26
|
+
`vyuh-dxkit guardrail check --incremental` scopes the gather to the analyzers
|
|
27
|
+
the active policy can actually block on (reusing the loop Stop-gate's
|
|
28
|
+
`scopeForPolicy`) and, in ref-based mode, scopes semgrep to the changed files
|
|
29
|
+
on both sides. Same verdict, far less work — the check scales with PR size
|
|
30
|
+
rather than repo size. **Opt-in and verdict-preserving:** without the flag,
|
|
31
|
+
behavior is byte-identical to 2.14; it falls back to a full scan whenever the
|
|
32
|
+
changed set can't be computed completely. The CLI flag exposes what the loop
|
|
33
|
+
Stop-gate already did internally, so a ref-based CI guardrail (or a hosted
|
|
34
|
+
PR-gate) can run the fast path too.
|
|
35
|
+
|
|
36
|
+
### Changed — positioning: two pillars (context + gate)
|
|
37
|
+
|
|
38
|
+
- README hero, package description, and `--help` tagline now lead with both
|
|
39
|
+
pillars: **"a deterministic stop condition and code-graph context layer for
|
|
40
|
+
AI coding agents."** The README opening + "What dxkit does" foreground the
|
|
41
|
+
code graph (callers, callees, blast radius) the agent uses *while making a
|
|
42
|
+
change*, then the deterministic stop-gate that blocks net-new regressions
|
|
43
|
+
*before it exits* — so the graph is no longer undersold as a footnote.
|
|
44
|
+
|
|
45
|
+
## [2.14.0] - 2026-06-22
|
|
46
|
+
|
|
47
|
+
### Changed — the loop Stop-gate gathers far less work per stop
|
|
48
|
+
|
|
49
|
+
After 2.13.3 made the gate cache-aware, two further optimizations cut what an
|
|
50
|
+
unattended loop's `security-only` Stop-gate actually scans on every stop.
|
|
51
|
+
Both are **opt-in** (only the loop Stop-gate enables them) and **verdict-
|
|
52
|
+
preserving** — CI `baseline check`, `createBaseline`, and the `health` report
|
|
53
|
+
are byte-identical and still render every warning. End-to-end on a 3,748-file
|
|
54
|
+
repo with a realistic 2-file loop diff (separate processes), the security-only
|
|
55
|
+
gather dropped from **42.8s → 11.3s (74%)** while still blocking the same
|
|
56
|
+
net-new finding with identical blocking pairs.
|
|
57
|
+
|
|
58
|
+
- **Preset-scoped gather.** A guardrail can only block on the finding kinds its
|
|
59
|
+
policy escalates, so a `security-only` posture no longer runs the analyzers
|
|
60
|
+
that feed only non-blockable kinds (jscpd, lint, coverage, cloc, test-gaps,
|
|
61
|
+
graphify, licenses). The scope is derived declaratively from the policy
|
|
62
|
+
(`scopeForPolicy`): a `full-debt` posture, CI, and `health` all resolve to
|
|
63
|
+
the full scan. A scoped result is partial by construction and never enters
|
|
64
|
+
the shared `AnalysisResult` cache. (~42.8s → 24.0s.)
|
|
65
|
+
- **Incremental file-scoped scanning.** The current side's semgrep now scans
|
|
66
|
+
only the files that changed vs the baseline commit. Sound because semgrep is
|
|
67
|
+
intraprocedural — a net-new code finding can only appear in a file the diff
|
|
68
|
+
touched. The changed-file set is computed completely or falls back to a full
|
|
69
|
+
scan on any uncertainty (base unreachable, not a git repo), so a scan can
|
|
70
|
+
only ever over-cover, never under-cover. The ref/baseline side stays full.
|
|
71
|
+
(~24.0s → 11.3s.)
|
|
72
|
+
|
|
73
|
+
Both behaviors are confined to the loop Stop-gate; nothing about the CI
|
|
74
|
+
guardrail or the standalone reports changes.
|
|
75
|
+
|
|
10
76
|
## [2.13.3] - 2026-06-22
|
|
11
77
|
|
|
12
78
|
### Fixed — the loop Stop-gate no longer pays a full re-scan on every stop
|
package/README.md
CHANGED
|
@@ -1,11 +1,16 @@
|
|
|
1
1
|
# dxkit
|
|
2
2
|
|
|
3
|
-
**A deterministic
|
|
3
|
+
**A deterministic stop condition and code-graph context layer for AI coding agents.**
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
5
|
+
Autonomous coding loops face two control problems: orienting in the code while
|
|
6
|
+
they make a change, and deciding whether that change made the repository worse
|
|
7
|
+
before they stop.
|
|
8
|
+
|
|
9
|
+
dxkit addresses both. While the agent works, it provides a code graph of
|
|
10
|
+
callers, callees, blast radius, and the files a change touches. Then, when the
|
|
11
|
+
agent tries to stop, dxkit baselines existing findings, reruns trusted checks,
|
|
12
|
+
and blocks only net-new detector-backed regressions with a concrete repair
|
|
13
|
+
reason.
|
|
9
14
|
|
|
10
15
|
In our loop benchmark, vanilla Claude Code-style loops stopped with net-new
|
|
11
16
|
debt in **11 of 16 runs**. A prompt that told the agent to self-check still
|
|
@@ -20,9 +25,10 @@ finding, and the agent repaired before stopping clean.
|
|
|
20
25
|
|
|
21
26
|
dxkit does not reinvent detection. It runs trusted open source scanners
|
|
22
27
|
(gitleaks, Semgrep, OSV, npm audit, and more), and it can ingest results from
|
|
23
|
-
Snyk and CodeQL. What
|
|
24
|
-
|
|
25
|
-
finding
|
|
28
|
+
Snyk and CodeQL. What dxkit adds is the agent-loop layer around those tools: a
|
|
29
|
+
per-stop, baseline-relative verdict of whether this change introduced a new
|
|
30
|
+
finding, returned to the agent with the exact repair reason while the loop is
|
|
31
|
+
still warm.
|
|
26
32
|
|
|
27
33
|
```bash
|
|
28
34
|
npm init @vyuhlabs/dxkit -- --claude-loop --yes # install dxkit + register the Claude Code Stop hook
|
|
@@ -30,12 +36,12 @@ npx vyuh-dxkit baseline create # grandfather today's findings
|
|
|
30
36
|
npx vyuh-dxkit loop doctor # verify the gate is wired
|
|
31
37
|
```
|
|
32
38
|
|
|
33
|
-
The
|
|
39
|
+
The stop verdict has no model in the path: same input, same verdict.
|
|
34
40
|
Existing debt stays grandfathered; only net-new regressions block. Want to
|
|
35
41
|
watch the flow first, on a sandbox dxkit creates? See the
|
|
36
|
-
[
|
|
42
|
+
[fixture gate](#run-a-local-fixture-gate).
|
|
37
43
|
|
|
38
|
-
[Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo)
|
|
44
|
+
[Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo) · [Run the fixture gate](#run-a-local-fixture-gate)
|
|
39
45
|
|
|
40
46
|
<p>
|
|
41
47
|
<a href="https://www.npmjs.com/package/@vyuhlabs/dxkit"><img alt="npm" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit"></a>
|
|
@@ -48,23 +54,27 @@ watch the flow first, on a sandbox dxkit creates? See the
|
|
|
48
54
|
|
|
49
55
|
## The problem: loops do not know when they made things worse
|
|
50
56
|
|
|
51
|
-
An autonomous loop runs until the agent decides it is done. The
|
|
52
|
-
that loop
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
57
|
+
An autonomous loop runs until the agent decides it is done. The common checks in
|
|
58
|
+
that loop (tests, linters, scanners, CI-style commands) usually answer whether
|
|
59
|
+
something is broken or flagged. They do not, by themselves, maintain a
|
|
60
|
+
brownfield baseline and answer the loop-level question: did this change
|
|
61
|
+
introduce something net-new? So an agent can add a feature, leave a new untested
|
|
62
|
+
path or a hardcoded credential behind, run the tests, see green, and declare
|
|
63
|
+
success.
|
|
56
64
|
|
|
57
65
|
In our benchmark this happened in most vanilla runs, and telling the agent to
|
|
58
66
|
check its own work only helped a little.
|
|
59
67
|
|
|
60
68
|
## What dxkit does
|
|
61
69
|
|
|
62
|
-
1. **
|
|
63
|
-
|
|
64
|
-
2. **
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
70
|
+
1. **Build a structural code graph.** dxkit gives the agent callers, callees,
|
|
71
|
+
blast radius, and relevant files so it can orient before editing.
|
|
72
|
+
2. **Baseline today's debt.** `baseline create` records current findings, so
|
|
73
|
+
pre-existing issues are grandfathered and never block.
|
|
74
|
+
3. **Run a deterministic Stop-gate on every stop.** A Claude Code Stop hook
|
|
75
|
+
reruns the guardrail against that baseline. Same input gives the same
|
|
76
|
+
verdict; no model decides whether the gate passes.
|
|
77
|
+
4. **Feed net-new findings back to the agent.** If the change introduced a
|
|
68
78
|
finding, the gate blocks the stop and hands the agent the exact finding to
|
|
69
79
|
fix: do not refresh the baseline, do not touch unrelated debt, fix what this
|
|
70
80
|
branch introduced. The loop stops only when clean.
|
|
@@ -78,11 +88,27 @@ Use dxkit if you let coding agents:
|
|
|
78
88
|
- touch brownfield repos that already carry debt,
|
|
79
89
|
- or work where "new debt" matters more than "all debt."
|
|
80
90
|
|
|
91
|
+
## What dxkit is, and is not
|
|
92
|
+
|
|
93
|
+
**It is a deterministic verification layer.** It baselines today's findings,
|
|
94
|
+
fingerprints them across churn, and blocks only net-new regressions.
|
|
95
|
+
|
|
96
|
+
**It is not a scanner replacement.** It runs and ingests scanners (gitleaks,
|
|
97
|
+
Semgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not
|
|
98
|
+
claim to find more bugs than they do.
|
|
99
|
+
|
|
100
|
+
**It is not an LLM judge.** No model decides whether the gate passes. The model
|
|
101
|
+
can repair findings. The gate itself is deterministic, and the prompt does not
|
|
102
|
+
grow as the baseline grows.
|
|
103
|
+
|
|
104
|
+
**It is not a guarantee of safe code.** It blocks detector-backed net-new
|
|
105
|
+
findings it can observe. You still need tests, review, scanners, and judgment.
|
|
106
|
+
|
|
81
107
|
## Built on tools you already trust
|
|
82
108
|
|
|
83
109
|
dxkit is an orchestration and enforcement layer, not another scanner. It runs
|
|
84
110
|
established open source tools and treats their output as one stream. Which tools
|
|
85
|
-
run depends on the languages in your repo
|
|
111
|
+
run depends on the languages in your repo. dxkit covers **8 ecosystems**
|
|
86
112
|
(TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby).
|
|
87
113
|
|
|
88
114
|
Universal, on every repo:
|
|
@@ -92,8 +118,8 @@ Universal, on every repo:
|
|
|
92
118
|
- dependency advisories: OSV.dev
|
|
93
119
|
- size, duplication, and the code graph: cloc, jscpd, graphify
|
|
94
120
|
|
|
95
|
-
Per language, dxkit adds that ecosystem's own linter and audit tool
|
|
96
|
-
example npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
|
|
121
|
+
Per language, dxkit adds that ecosystem's own linter and audit tool. For
|
|
122
|
+
example, npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
|
|
97
123
|
golangci-lint (Go), cargo-audit + clippy (Rust), `dotnet list --vulnerable`
|
|
98
124
|
(C#), osv-scanner + PMD (Java), osv-scanner + detekt (Kotlin), and
|
|
99
125
|
bundler-audit + RuboCop (Ruby). The full per-language matrix is in **Per-pack
|
|
@@ -114,7 +140,7 @@ and inside the agent loop.
|
|
|
114
140
|
## Try it on your repo
|
|
115
141
|
|
|
116
142
|
The Stop hook runs dxkit on every stop, so install dxkit into the repo. This
|
|
117
|
-
one command adds it as a devDependency and registers the hook additively
|
|
143
|
+
one command adds it as a devDependency and registers the hook additively, so your
|
|
118
144
|
existing `.claude` settings are preserved:
|
|
119
145
|
|
|
120
146
|
```bash
|
|
@@ -128,9 +154,9 @@ npx vyuh-dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired
|
|
|
128
154
|
When the agent tries to stop, dxkit runs the net-new gate against the baseline.
|
|
129
155
|
Existing findings are grandfathered; only findings this change introduced block.
|
|
130
156
|
|
|
131
|
-
##
|
|
157
|
+
## Run a local fixture gate
|
|
132
158
|
|
|
133
|
-
Want
|
|
159
|
+
Want to see the Stop-gate before installing dxkit into your repo?
|
|
134
160
|
|
|
135
161
|
```bash
|
|
136
162
|
npx -y @vyuhlabs/dxkit@latest demo loop-guardrail
|
|
@@ -141,7 +167,7 @@ net-new secret → BLOCK → repair → CLEAN, then it tears the fixture down. N
|
|
|
141
167
|
key and no Claude Code, and your own repo is never touched. It needs gitleaks
|
|
142
168
|
installed and takes about 20 seconds; without gitleaks it shows a clearly
|
|
143
169
|
labelled illustration instead. (It does a one-time `npx` download, so it is not
|
|
144
|
-
fully offline
|
|
170
|
+
fully offline, though the gate itself is.)
|
|
145
171
|
|
|
146
172
|
### Presets: what blocks the loop
|
|
147
173
|
|
|
@@ -192,11 +218,26 @@ ships, the graph bounds how the loop works.
|
|
|
192
218
|
Three independent benchmark results, one theme: dxkit makes agent work more
|
|
193
219
|
predictable.
|
|
194
220
|
|
|
195
|
-
| Layer | What it bounds | Observed result
|
|
196
|
-
| -------------------------- | ------------------------------------ |
|
|
197
|
-
| **Stop-gate** |
|
|
198
|
-
| **Deterministic identity** | false "net-new" findings under churn | **
|
|
199
|
-
| **Graph context** | large-repo exploration tails | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved
|
|
221
|
+
| Layer | What it bounds | Observed result |
|
|
222
|
+
| -------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
|
|
223
|
+
| **Stop-gate** | net-new detector-backed debt | vanilla loops escaped **11/16** times, prompt-only checklist escaped **9/16**, dxkit escaped **0/16** |
|
|
224
|
+
| **Deterministic identity** | false "net-new" findings under churn | caught **all 3** seeded regressions with **0/2** false blocks on clean edits; **0 false net-new** on tested line shifts and renames |
|
|
225
|
+
| **Graph context** | large-repo exploration tails | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved |
|
|
226
|
+
|
|
227
|
+
**Deferral has a re-orientation cost.** A fourth arm of the
|
|
228
|
+
loop-safety study measured the "detect on CI, fix later" model: on the test-gap
|
|
229
|
+
task, deferring a net-new finding to a cold session cost **~49% more in
|
|
230
|
+
equivalent cost** and **~51% more turns** than repairing it inside the warm loop,
|
|
231
|
+
because the cold fixer has to re-orient in a context it no longer holds. (The
|
|
232
|
+
secret-task premium pointed the same way but was weak (mean +19%, median
|
|
233
|
+
slightly negative), so we lean on the robust test-gap result.) So the gate is not
|
|
234
|
+
just safer than deferring, it is plausibly cheaper too.
|
|
235
|
+
|
|
236
|
+
**And the gate is fast enough to run on every stop.** dxkit 2.14.0 scopes the
|
|
237
|
+
Stop-gate scan to the active preset's blockable finding kinds and re-scans only
|
|
238
|
+
the changed files, reusing cached results for everything unchanged. The verdict
|
|
239
|
+
is identical to a full scan; the cost is seconds per stop, not minutes, even on
|
|
240
|
+
large repositories.
|
|
200
241
|
|
|
201
242
|
> **Benchmark caveats:** the loop-safety study uses controlled synthetic tasks
|
|
202
243
|
> plus real-repo validation, detector-backed findings, and Sonnet runs. It is
|
|
@@ -207,22 +248,6 @@ predictable.
|
|
|
207
248
|
Full methodology, reproducibility notes, artifact status, and caveats are in
|
|
208
249
|
**[docs/benchmarks.md](docs/benchmarks.md)**.
|
|
209
250
|
|
|
210
|
-
## What dxkit is, and is not
|
|
211
|
-
|
|
212
|
-
**It is a deterministic verification layer.** It baselines today's findings,
|
|
213
|
-
fingerprints them across churn, and blocks only net-new regressions.
|
|
214
|
-
|
|
215
|
-
**It is not a scanner replacement.** It runs and ingests scanners (gitleaks,
|
|
216
|
-
Semgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not
|
|
217
|
-
claim to find more bugs than they do.
|
|
218
|
-
|
|
219
|
-
**It is not an LLM judge.** No model decides whether the gate passes. The model
|
|
220
|
-
can repair findings. The gate itself is deterministic, and the prompt does not
|
|
221
|
-
grow as the baseline grows.
|
|
222
|
-
|
|
223
|
-
**It is not a guarantee of safe code.** It blocks detector-backed net-new
|
|
224
|
-
findings it can observe. You still need tests, review, scanners, and judgment.
|
|
225
|
-
|
|
226
251
|
## Why not just Snyk, SonarQube, or CodeQL?
|
|
227
252
|
|
|
228
253
|
Use them. dxkit can ingest their findings. The difference is tempo and control,
|
|
@@ -233,7 +258,7 @@ every time the agent tries to declare done.
|
|
|
233
258
|
| Loop Stop-gate need | dxkit | Cloud or CI scanners |
|
|
234
259
|
| ----------------------------------------------------------- | ----- | -------------------------------------- |
|
|
235
260
|
| Runs locally on every stop, in seconds | yes | usually CI or cloud cadence |
|
|
236
|
-
|
|
|
261
|
+
| Deterministic verdict, no model in the gate | yes | varies (some add an LLM judge) |
|
|
237
262
|
| Grandfathers existing debt | yes | tool-dependent |
|
|
238
263
|
| Feeds the exact block reason back to the warm agent session | yes | usually a human-facing dashboard or PR |
|
|
239
264
|
|
|
@@ -266,7 +291,7 @@ cloc, jscpd, graphify).
|
|
|
266
291
|
| Ruby | `Gemfile`, `*.rb` | RuboCop, bundler-audit |
|
|
267
292
|
|
|
268
293
|
<details>
|
|
269
|
-
<summary><strong>Per-pack capabilities</strong
|
|
294
|
+
<summary><strong>Per-pack capabilities</strong>: coverage import, import-graph, severity tiers (click to expand)</summary>
|
|
270
295
|
|
|
271
296
|
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
272
297
|
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
@@ -293,10 +318,9 @@ so it does not inflate the Code Quality score.
|
|
|
293
318
|
|
|
294
319
|
## Reproduce the deterministic tier
|
|
295
320
|
|
|
296
|
-
The deterministic results
|
|
297
|
-
matcher
|
|
298
|
-
|
|
299
|
-
The harnesses live in `benchmarks/`:
|
|
321
|
+
The deterministic results (the net-new gate decision and the finding-identity
|
|
322
|
+
matcher) reproduce offline with no API key, so you do not have to trust our
|
|
323
|
+
numbers. These harnesses live in `benchmarks/`:
|
|
300
324
|
|
|
301
325
|
```bash
|
|
302
326
|
node benchmarks/bench-guardrail.mjs config.json # block/allow on seeded findings
|
|
@@ -304,8 +328,11 @@ node benchmarks/bench-netnew-isolation.mjs config.json # net-new isolation under
|
|
|
304
328
|
node benchmarks/bench-matcher.mjs config.json # false net-new on line shifts + renames
|
|
305
329
|
```
|
|
306
330
|
|
|
307
|
-
See `benchmarks/README.md` to point them at a repo
|
|
308
|
-
|
|
331
|
+
See `benchmarks/README.md` to point them at a repo. The agent-driven harnesses
|
|
332
|
+
(loop safety, cost of deferral, gate-vs-LLM, and the graph-context sessions) need
|
|
333
|
+
a model subscription or API key and are published under `benchmarks/agentic/`.
|
|
334
|
+
Full methodology, the per-study reports, caveats, and repro steps:
|
|
335
|
+
**[docs/benchmarks.md](docs/benchmarks.md)**.
|
|
309
336
|
|
|
310
337
|
## Credits
|
|
311
338
|
|
|
@@ -73,6 +73,15 @@ export interface ReadOrBuildOptions {
|
|
|
73
73
|
/** Override the wall-clock used for `builtAt`. Tests use this to
|
|
74
74
|
* produce deterministic timestamps. Defaults to `new Date()`. */
|
|
75
75
|
now?: () => Date;
|
|
76
|
+
/**
|
|
77
|
+
* This build is a SCOPED/partial gather (some analyzers skipped — see
|
|
78
|
+
* `GatherScope`). Its `AnalysisResult` is incomplete, so it must never
|
|
79
|
+
* enter the shared cache where a later FULL consumer (`health`) could
|
|
80
|
+
* read it as if complete. Set by the loop guardrail path; skips both the
|
|
81
|
+
* in-memory and on-disk cache for read AND write. The build still runs;
|
|
82
|
+
* only persistence is bypassed.
|
|
83
|
+
*/
|
|
84
|
+
partial?: boolean;
|
|
76
85
|
}
|
|
77
86
|
/**
|
|
78
87
|
* Resolve provenance fields needed to compute the cache key. Reads
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../../src/analyzers/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAMH,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACxB,MAAM,oBAAoB,CAAC;AAqB5B;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAEjF,MAAM,WAAW,kBAAkB;IACjC,0EAA0E;IAC1E,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;uCAEmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;kBAEc;IACd,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,kBAAkB,CAAC;IAExD;sEACkE;IAClE,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../../src/analyzers/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAMH,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACxB,MAAM,oBAAoB,CAAC;AAqB5B;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAEjF,MAAM,WAAW,kBAAkB;IACjC,0EAA0E;IAC1E,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;uCAEmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;kBAEc;IACd,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,kBAAkB,CAAC;IAExD;sEACkE;IAClE,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IAEjB;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAOD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,kBAAkB,CAUjE;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAAC,IAAI,EAAE;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,qBAAqB,CAAC;IAC7B,IAAI,CAAC,EAAE,kBAAkB,CAAC;CAC3B,GAAG,OAAO,CAAC,cAAc,CAAC,CAyC1B;AA2BD,iEAAiE;AACjE,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC"}
|
package/dist/analyzers/cache.js
CHANGED
|
@@ -129,6 +129,13 @@ async function readOrBuildAnalysisResult(args) {
|
|
|
129
129
|
const provenance = (opts.resolveProvenance ?? resolveProvenance)(cwd);
|
|
130
130
|
const cacheDir = opts.cacheDir ?? path.join(provenance.cwd, CACHE_SUBDIR);
|
|
131
131
|
const cacheKey = buildCacheKey(provenance);
|
|
132
|
+
// A scoped/partial gather must bypass the shared cache entirely — neither
|
|
133
|
+
// read (a full entry would mask the requested scope, but more importantly
|
|
134
|
+
// the inverse is the hazard) nor write (a partial result must never be
|
|
135
|
+
// served to a later full consumer). Build straight through.
|
|
136
|
+
if (opts.partial) {
|
|
137
|
+
return buildResult(cwd, build, provenance, opts.now);
|
|
138
|
+
}
|
|
132
139
|
// In-memory short-circuit. Same provenance, same process: one rebuild.
|
|
133
140
|
if (!opts.rescan) {
|
|
134
141
|
const cached = inMemoryCache.get(cacheKey);
|
|
@@ -144,21 +151,7 @@ async function readOrBuildAnalysisResult(args) {
|
|
|
144
151
|
if (fromDisk)
|
|
145
152
|
return fromDisk;
|
|
146
153
|
}
|
|
147
|
-
|
|
148
|
-
const body = await build(cwd);
|
|
149
|
-
const now = (opts.now ?? (() => new Date()))();
|
|
150
|
-
const result = {
|
|
151
|
-
...body,
|
|
152
|
-
commitSha: provenance.commitSha,
|
|
153
|
-
branch: provenance.branch,
|
|
154
|
-
cwd: provenance.cwd,
|
|
155
|
-
builtAt: now.toISOString(),
|
|
156
|
-
dxkitVersion: provenance.dxkitVersion,
|
|
157
|
-
schemaVersion: analysis_result_1.ANALYSIS_RESULT_SCHEMA_VERSION,
|
|
158
|
-
ignoreFileMtime: provenance.ignoreFileMtime,
|
|
159
|
-
inputsDigest: provenance.inputsDigest,
|
|
160
|
-
workingTreeDirty: provenance.workingTreeDirty,
|
|
161
|
-
};
|
|
154
|
+
const result = await buildResult(cwd, build, provenance, opts.now);
|
|
162
155
|
if (!provenance.workingTreeDirty) {
|
|
163
156
|
writeDiskCache(cacheDir, result);
|
|
164
157
|
}
|
|
@@ -170,6 +163,25 @@ async function readOrBuildAnalysisResult(args) {
|
|
|
170
163
|
promise.catch(() => inMemoryCache.delete(cacheKey));
|
|
171
164
|
return promise;
|
|
172
165
|
}
|
|
166
|
+
/** Build + stamp provenance into a complete `AnalysisResult`. No caching —
|
|
167
|
+
* callers decide whether to persist. Shared by the cached and partial
|
|
168
|
+
* (scope-bypass) paths so they produce byte-identical result envelopes. */
|
|
169
|
+
async function buildResult(cwd, build, provenance, now) {
|
|
170
|
+
const body = await build(cwd);
|
|
171
|
+
const stamp = (now ?? (() => new Date()))();
|
|
172
|
+
return {
|
|
173
|
+
...body,
|
|
174
|
+
commitSha: provenance.commitSha,
|
|
175
|
+
branch: provenance.branch,
|
|
176
|
+
cwd: provenance.cwd,
|
|
177
|
+
builtAt: stamp.toISOString(),
|
|
178
|
+
dxkitVersion: provenance.dxkitVersion,
|
|
179
|
+
schemaVersion: analysis_result_1.ANALYSIS_RESULT_SCHEMA_VERSION,
|
|
180
|
+
ignoreFileMtime: provenance.ignoreFileMtime,
|
|
181
|
+
inputsDigest: provenance.inputsDigest,
|
|
182
|
+
workingTreeDirty: provenance.workingTreeDirty,
|
|
183
|
+
};
|
|
184
|
+
}
|
|
173
185
|
/** Test seam — drop in-memory dedup state between test cases. */
|
|
174
186
|
function clearInMemoryCache() {
|
|
175
187
|
inMemoryCache.clear();
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../src/analyzers/cache.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"cache.js","sourceRoot":"","sources":["../../src/analyzers/cache.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8FH,8CAUC;AAOD,8DA6CC;AA4BD,gDAEC;AAxLD,uCAAyB;AACzB,2CAA6B;AAC7B,mCAAoC;AACpC,iDAAyC;AACzC,wDAI4B;AAC5B,4CAAwD;AAExD,MAAM,WAAW,GAAG,eAAe,CAAC;AACpC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AAElD,uEAAuE;AACvE,sEAAsE;AACtE,uEAAuE;AACvE,uEAAuE;AACvE,wEAAwE;AACxE,yEAAyE;AACzE,0EAA0E;AAC1E,mEAAmE;AACnE,2EAA2E;AAC3E,yEAAyE;AACzE,4EAA4E;AAC5E,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC,kBAAkB;AAChF,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;AACvD,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,qBAAqB;AAsD9E,qEAAqE;AACrE,mEAAmE;AACnE,2DAA2D;AAC3D,MAAM,aAAa,GAAG,IAAI,GAAG,EAAmC,CAAC;AAEjE;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,OAAO;QACL,SAAS,EAAE,WAAW,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC;QAC9C,MAAM,EAAE,WAAW,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,CAAC;QAChD,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;QACtB,YAAY,EAAE,mBAAa;QAC3B,eAAe,EAAE,mBAAmB,CAAC,GAAG,CAAC;QACzC,YAAY,EAAE,mBAAmB,CAAC,GAAG,CAAC;QACtC,gBAAgB,EAAE,kBAAkB,CAAC,GAAG,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,yBAAyB,CAAC,IAI/C;IACC,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC;IACtE,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC1E,MAAM,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IAE3C,0EAA0E;IAC1E,0EAA0E;IAC1E,uEAAuE;IACvE,4DAA4D;IAC5D,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,OAAO,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IACvD,CAAC;IAED,uEAAuE;IACvE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;IAC5B,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE;QAC1B,oEAAoE;QACpE,kEAAkE;QAClE,wBAAwB;QACxB,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YACjD,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YACrD,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC;QAChC,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QACnE,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,CAAC;YACjC,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC,EAAE,CAAC;IAEL,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACrC,sEAAsE;IACtE,iEAAiE;IACjE,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;4EAE4E;AAC5E,KAAK,UAAU,WAAW,CACxB,GAAW,EACX,KAA4B,EAC5B,UAA8B,EAC9B,GAAgB;IAEhB,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,KAAK,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;IAC5C,OAAO;QACL,GAAG,IAAI;QACP,SAAS,EAAE,UAAU,CAAC,SAAS;QAC/B,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,GAAG,EAAE,UAAU,CAAC,GAAG;QACnB,OAAO,EAAE,KAAK,CAAC,WAAW,EAAE;QAC5B,YAAY,EAAE,UAAU,CAAC,YAAY;QACrC,aAAa,EAAE,gDAA8B;QAC7C,eAAe,EAAE,UAAU,CAAC,eAAe;QAC3C,YAAY,EAAE,UAAU,CAAC,YAAY;QACrC,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;KAC9C,CAAC;AACJ,CAAC;AAED,iEAAiE;AACjE,SAAgB,kBAAkB;IAChC,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC;AAED,6EAA6E;AAE7E,SAAS,aAAa,CAAC,CAAqB;IAC1C,qEAAqE;IACrE,mEAAmE;IACnE,qEAAqE;IACrE,2CAA2C;IAC3C,OAAO;QACL,CAAC,CAAC,GAAG;QACL,CAAC,CAAC,SAAS,IAAI,QAAQ;QACvB,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO;QACtC,CAAC,CAAC,YAAY;QACd,MAAM,CAAC,gDAA8B,CAAC;QACtC,CAAC,CAAC,eAAe,IAAI,WAAW;QAChC,CAAC,CAAC,YAAY,IAAI,WAAW;KAC9B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,SAAiB;IACxD,MAAM,GAAG,GAAG,SAAS,IAAI,QAAQ,CAAC;IAClC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,mBAAmB,GAAG,OAAO,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,QAA4B;IACnE,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;IACzD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,MAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAmB,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;QAC/D,iEAAiE;QACjE,yBAAyB;QACzB,UAAU,CAAC,IAAI,CAAC,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;QACzC,UAAU,CAAC,IAAI,CAAC,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAsB,EAAE,QAA4B;IAC7E,IAAI,MAAM,CAAC,aAAa,KAAK,gDAA8B;QAAE,OAAO,KAAK,CAAC;IAC1E,IAAI,MAAM,CAAC,YAAY,KAAK,QAAQ,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAChE,IAAI,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,MAAM,CAAC,eAAe,KAAK,QAAQ,CAAC,eAAe;QAAE,OAAO,KAAK,CAAC;IACtE,8DAA8D;IAC9D,qEAAqE;IACrE,oEAAoE;IACpE,sEAAsE;IACtE,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,KAAK,QAAQ,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAC1E,kEAAkE;IAClE,kEAAkE;IAClE,IAAI,MAAM,CAAC,gBAAgB;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB,EAAE,MAAsB;IAC9D,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QACvD,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;QAC9D,0DAA0D;QAC1D,8DAA8D;QAC9D,kCAAkC;IACpC,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,8BAA8B;IAChC,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,GAAG,IAAc;IACjD,IAAI,CAAC;QACH,OAAO,IAAA,wBAAQ,EAAC,iBAAiB,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE;YACjD,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,IAAI;SACd,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,kEAAkE;QAClE,iEAAiE;QACjE,4DAA4D;QAC5D,gEAAgE;QAChE,8DAA8D;QAC9D,yBAAyB;QACzB,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,8CAA8C,EAAE;YACnE,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,IAAI;SACd,CAAC,CAAC;QACH,4DAA4D;QAC5D,6DAA6D;QAC7D,iEAAiE;QACjE,4DAA4D;QAC5D,kEAAkE;QAClE,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,6DAA6D;QAC7D,EAAE;QACF,8DAA8D;QAC9D,0DAA0D;QAC1D,2DAA2D;QAC3D,gEAAgE;QAChE,gEAAgE;QAChE,yCAAyC;QACzC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YAC5C,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;gBAAE,OAAO,KAAK,CAAC;YAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACpB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACrD,6DAA6D;YAC7D,6DAA6D;YAC7D,kEAAkE;YAClE,iEAAiE;YACjE,2DAA2D;YAC3D,8DAA8D;YAC9D,4DAA4D;YAC5D,0DAA0D;YAC1D,MAAM,kBAAkB,GAAG,QAAQ,CAAC,IAAI,CACtC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,QAAQ,IAAI,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAC/D,CAAC;YACF,IAAI,kBAAkB;gBAAE,OAAO,IAAI,CAAC;YACpC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,eAAe,CAAC,CAAC;QAC9E,CAAC,CAAC,CAAC;QACH,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,kEAAkE;QAClE,mEAAmE;QACnE,kDAAkD;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,mBAAmB,CAAC,GAAW;IACtC,wEAAwE;IACxE,kEAAkE;IAClE,MAAM,CAAC,GAAG,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,CAAC,wBAAwB;IACtD,IAAI,GAAG,GAAG,KAAK,CAAC;IAChB,MAAM,IAAI,GAAG,CAAC,GAAW,EAAQ,EAAE;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;YACjD,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACf,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACf,GAAG,GAAG,IAAI,CAAC;QACb,CAAC;QAAC,MAAM,CAAC;YACP,+CAA+C;QACjD,CAAC;IACH,CAAC,CAAC;IACF,IAAI,CAAC,cAAc,CAAC,CAAC;IACrB,IAAI,CAAC,WAAW,CAAC,CAAC;IAClB,sEAAsE;IACtE,iBAAiB;IACjB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACrE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qBAAqB;IACvB,CAAC;IACD,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC"}
|
|
@@ -1,11 +1,30 @@
|
|
|
1
1
|
import { HealthMetrics, HealthReport } from './types';
|
|
2
2
|
import type { AnalysisResult, AnalysisResultBody } from '../analysis-result';
|
|
3
|
+
import { type GatherScope } from '../baseline/gather-scope';
|
|
3
4
|
/** Default values for all HealthMetrics fields. */
|
|
4
5
|
export declare function defaultMetrics(): HealthMetrics;
|
|
5
6
|
/** Options for analyzeHealth. */
|
|
6
7
|
export interface AnalyzeHealthOptions {
|
|
7
8
|
/** Print per-tool timing to stderr. */
|
|
8
9
|
verbose?: boolean;
|
|
10
|
+
/**
|
|
11
|
+
* Restrict the gather to the analyzers a scope needs. Defaults to
|
|
12
|
+
* `FULL_SCOPE` (every analyzer), so the `health` report and CI guardrail
|
|
13
|
+
* are unaffected. The loop Stop-gate passes a policy-derived scope so a
|
|
14
|
+
* `security-only` posture skips the analyzers it can never block on (see
|
|
15
|
+
* `src/baseline/gather-scope.ts`). A scoped result is partial by
|
|
16
|
+
* construction and is never written to the shared `AnalysisResult` cache.
|
|
17
|
+
*/
|
|
18
|
+
scope?: GatherScope;
|
|
19
|
+
/**
|
|
20
|
+
* Incremental scanning (opt 3): when set, semgrep scans ONLY these
|
|
21
|
+
* project-relative changed files instead of the whole tree. Sound for a
|
|
22
|
+
* net-new gate because semgrep is intraprocedural — a net-new code
|
|
23
|
+
* finding can only appear in a changed file. Like `scope`, this makes the
|
|
24
|
+
* result partial (it never enters the shared cache). Only the loop
|
|
25
|
+
* Stop-gate sets it; CI / `health` leave it undefined (full scan).
|
|
26
|
+
*/
|
|
27
|
+
incrementalFiles?: ReadonlyArray<string>;
|
|
9
28
|
}
|
|
10
29
|
/**
|
|
11
30
|
* Run a full health analysis on a repository, returning both the summary
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../src/analyzers/health.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAoB,aAAa,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAgC7E,mDAAmD;AACnD,wBAAgB,cAAc,IAAI,aAAa,CAiD9C;AAED,iCAAiC;AACjC,MAAM,WAAW,oBAAoB;IACnC,uCAAuC;IACvC,OAAO,CAAC,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../src/analyzers/health.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAoB,aAAa,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAgC7E,OAAO,EAAE,KAAK,WAAW,EAAc,MAAM,0BAA0B,CAAC;AAExE,mDAAmD;AACnD,wBAAgB,cAAc,IAAI,aAAa,CAiD9C;AAED,iCAAiC;AACjC,MAAM,WAAW,oBAAoB;IACnC,uCAAuC;IACvC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;;;;;OAOG;IACH,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,OAAO,EAAE,aAAa,CAAA;CAAE,CAAC,CAE3D;AAED,kDAAkD;AAClD,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,YAAY,CAAC,CAEvB;AAcD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,wBAAwB,CAC5C,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,kBAAkB,CAAC,CAiH7B;AAsBD;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc,GAAG,YAAY,CA0BzE"}
|