@vyuhlabs/dxkit 2.14.0 → 2.16.0

Files changed (59)
  1. package/CHANGELOG.md +81 -16
  2. package/README.md +79 -61
  3. package/dist/allowlist/categories.d.ts +0 -2
  4. package/dist/allowlist/categories.d.ts.map +1 -1
  5. package/dist/allowlist/categories.js +0 -2
  6. package/dist/allowlist/categories.js.map +1 -1
  7. package/dist/analyzers/tools/graphify.js +1 -1
  8. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  9. package/dist/analyzers/tools/vendored-advisor.js +1 -3
  10. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  11. package/dist/baseline/check.d.ts +15 -8
  12. package/dist/baseline/check.d.ts.map +1 -1
  13. package/dist/baseline/check.js +80 -13
  14. package/dist/baseline/check.js.map +1 -1
  15. package/dist/baseline/ref-baseline.d.ts +12 -2
  16. package/dist/baseline/ref-baseline.d.ts.map +1 -1
  17. package/dist/baseline/ref-baseline.js +23 -4
  18. package/dist/baseline/ref-baseline.js.map +1 -1
  19. package/dist/cli.d.ts.map +1 -1
  20. package/dist/cli.js +10 -2
  21. package/dist/cli.js.map +1 -1
  22. package/dist/explore/format.d.ts +1 -1
  23. package/dist/explore/format.js +1 -1
  24. package/dist/explore/types.d.ts +2 -3
  25. package/dist/explore/types.d.ts.map +1 -1
  26. package/dist/explore/types.js +1 -1
  27. package/dist/explore-cli.d.ts +1 -1
  28. package/dist/explore-cli.js +1 -1
  29. package/dist/languages/capabilities/provider.d.ts +17 -0
  30. package/dist/languages/capabilities/provider.d.ts.map +1 -1
  31. package/dist/languages/csharp.d.ts.map +1 -1
  32. package/dist/languages/csharp.js +7 -0
  33. package/dist/languages/csharp.js.map +1 -1
  34. package/dist/languages/go.d.ts.map +1 -1
  35. package/dist/languages/go.js +1 -0
  36. package/dist/languages/go.js.map +1 -1
  37. package/dist/languages/index.d.ts +24 -0
  38. package/dist/languages/index.d.ts.map +1 -1
  39. package/dist/languages/index.js +45 -0
  40. package/dist/languages/index.js.map +1 -1
  41. package/dist/languages/java.d.ts.map +1 -1
  42. package/dist/languages/java.js +9 -0
  43. package/dist/languages/java.js.map +1 -1
  44. package/dist/languages/kotlin.d.ts.map +1 -1
  45. package/dist/languages/kotlin.js +10 -0
  46. package/dist/languages/kotlin.js.map +1 -1
  47. package/dist/languages/python.d.ts.map +1 -1
  48. package/dist/languages/python.js +9 -0
  49. package/dist/languages/python.js.map +1 -1
  50. package/dist/languages/ruby.d.ts.map +1 -1
  51. package/dist/languages/ruby.js +3 -0
  52. package/dist/languages/ruby.js.map +1 -1
  53. package/dist/languages/rust.d.ts.map +1 -1
  54. package/dist/languages/rust.js +1 -0
  55. package/dist/languages/rust.js.map +1 -1
  56. package/dist/languages/typescript.d.ts.map +1 -1
  57. package/dist/languages/typescript.js +7 -0
  58. package/dist/languages/typescript.js.map +1 -1
  59. package/package.json +2 -2
package/CHANGELOG.md CHANGED
@@ -7,6 +7,77 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.16.0] - 2026-06-23
11
+
12
+ ### Changed — `--incremental` skips the dependency audit when no manifest changed
13
+
14
+ `vyuh-dxkit guardrail check --incremental` now, in ref-based mode, **skips the
15
+ OSV dependency-vulnerability audit entirely when the change touched no
16
+ dependency manifest or lockfile.** This is the dominant latency win for the
17
+ incremental path: profiling a 4-file documentation PR on this repo showed the
18
+ dep audit accounting for ~100s of a ~119s scan (gitleaks was 0.4s; the rest of
19
+ a secrets+deps scoped gather was sub-second) — and that audit ran twice (base
20
+ and head) over an unchanged dependency set, so it could not surface anything
21
+ net-new. The same end-to-end check now completes in **~7s**.
22
+
23
+ The skip is **sound and verdict-preserving in ref-based mode only**: a net-new
24
+ dependency vulnerability requires a manifest/lockfile change, and ref-based
25
+ audits both sides against the *same* advisory snapshot, so an unchanged
26
+ dependency is identical on both sides and never net-new. It deliberately does
27
+ **not** apply to committed modes, where the baseline is an older snapshot and a
28
+ newly-disclosed CVE on an unchanged dependency genuinely *is* net-new and must
29
+ still surface. When the change *does* touch a manifest, the audit runs as before
30
+ and net-new critical/high dependency vulnerabilities block normally.
31
+
32
+ - **Manifest patterns are now a pack-declared fact** (CLAUDE.md Rule 6): each
33
+ language pack's `depVulns` capability declares a **required**
34
+ `manifestPatterns` field (its manifests + lockfiles). The skip consults the
35
+ active packs' union via `allDependencyManifestPatterns` /
36
+ `changedFilesTouchDependencyManifest`, so adding a language auto-extends the
37
+ skip's awareness. A pack that adds dependency auditing but omits the patterns
38
+ fails to compile **and** fails `test/languages-contract.test.ts`;
39
+ `test/recipe-playbook.test.ts` proves the union stays pack-driven via a
40
+ synthetic pack.
41
+
42
+ Without `--incremental`, behavior is byte-identical to 2.15. `health`,
43
+ `vulnerabilities`, and `committed-full`/`committed-sanitized` guardrail checks
44
+ are unaffected.
45
+
46
+ ## [2.15.0] - 2026-06-22
47
+
48
+ ### Fixed — ref-based guardrail no longer false-blocks on `secret-hmac`
49
+
50
+ In ref-based mode (the default for public repos), dxkit mints a locator-less
51
+ `secret-hmac` companion alongside each located `secret` for cross-file
52
+ relocation matching. On a fresh or shallow checkout the two sides of the diff
53
+ can derive different salts, so the companions never match and read as net-new —
54
+ a **false block**, even though the located `secret` twins match correctly.
55
+ `secret-hmac` now joins `duplication` and `test-gap` in the set of kinds
56
+ excluded from the ref-based diff (they can't be gathered comparably across a
57
+ detached worktree). The located `secret` kind still gates net-new credentials;
58
+ only the redundant companion is dropped. **Committed modes are unaffected.**
59
+
60
+ ### Added — opt-in `--incremental` for `guardrail check`
61
+
62
+ `vyuh-dxkit guardrail check --incremental` scopes the gather to the analyzers
63
+ the active policy can actually block on (reusing the loop Stop-gate's
64
+ `scopeForPolicy`) and, in ref-based mode, scopes semgrep to the changed files
65
+ on both sides. Same verdict, far less work — the check scales with PR size
66
+ rather than repo size. **Opt-in and verdict-preserving:** without the flag,
67
+ behavior is byte-identical to 2.14; it falls back to a full scan whenever the
68
+ changed set can't be computed completely. The CLI flag exposes what the loop
69
+ Stop-gate already did internally, so a ref-based CI guardrail (or a hosted
70
+ PR-gate) can run the fast path too.
71
+
72
+ ### Changed — positioning: two pillars (context + gate)
73
+
74
+ - README hero, package description, and `--help` tagline now lead with both
75
+ pillars: **"a deterministic stop condition and code-graph context layer for
76
+ AI coding agents."** The README opening + "What dxkit does" foreground the
77
+ code graph (callers, callees, blast radius) the agent uses *while making a
78
+ change*, then the deterministic stop-gate that blocks net-new regressions
79
+ *before it exits* — so the graph is no longer undersold as a footnote.
80
+
10
81
  ## [2.14.0] - 2026-06-22
11
82
 
12
83
  ### Changed — the loop Stop-gate gathers far less work per stop
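Review bot: The soundness argument for the dependency-audit skip in the 2.16.0 "Changed" entry rests on `manifestPatterns` being exhaustive, and the entry should say what happens when it is not: a dependency change that arrives through a file no active pack lists (a vendored directory, a pack-less ecosystem, a lockfile under a non-standard name) silently skips the OSV audit, and the 2.15.0 fallback rule ("falls back to a full scan whenever the changed set can't be computed completely") is not stated to cover a renamed or deleted manifest. One sentence along the lines of "a manifest rename or deletion counts as touching a manifest; if the changed set cannot be computed, the audit runs" would close that gap. The 2.15.0 "Fixed" entry should likewise state what happens to a credential moved between files in ref-based mode now that the `secret-hmac` companion, whose stated purpose is cross-file relocation matching, is excluded from the diff; "only the redundant companion is dropped" does not say whether such a move now reads as a net-new `secret`.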
@@ -2189,8 +2260,8 @@ the .NET WinForms benchmark, the JS-heavy customer frontend). All vuln-scan + he
2189
2260
 
2190
2261
  C2.5 also surfaced a candidate drift: platform vuln-scan code-only
2191
2262
  `10H 7M` vs health `10H 10M`. HIGH agreed; MEDIUM differed by 3.
2192
- Investigation via an in-process probe (`tmp/d109-probe.js` runs
2193
- both analyzers sequentially in ONE node process, sharing the
2263
+ Investigation via an in-process probe (running both analyzers
2264
+ sequentially in ONE node process, sharing the
2194
2265
  dispatcher cache) showed identical aggregates: `{ high: 10,
2195
2266
  medium: 20 }` on both sides. **D109 is NOT a real defect** — the
2196
2267
  architecture is sound. The observed drift across separate
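Review bot: With `tmp/d109-probe.js` removed from the text, the D109 verdict ("NOT a real defect") rests on an experiment the reader can no longer find. Either name the two analyzers the probe ran and the repo it ran against, or keep a checked-in reproduction (for example beside the other assertions in `test/`), so the "architecture is sound" conclusion stays verifiable rather than asserted.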
@@ -2288,8 +2359,7 @@ pre-release audit and fixed before ship.
2288
2359
  pattern (different attribute name) so BoM's legitimate per-package
2289
2360
  aggregation is unaffected.
2290
2361
 
2291
- - **Recipe codification (G_v4_8 + G_v4_9 in
2292
- `tmp/recipe-v4-working-doc.md`)**. Two recipe-playbook
2362
+ - **Recipe codification (G_v4_8 + G_v4_9)**. Two recipe-playbook
2293
2363
  synthetic-pack assertions in `test/recipe-playbook.test.ts`
2294
2364
  (synthetic depVuln finding flows into `depBySeverity` +
2295
2365
  `dependencyAdvisoryUniqueCount`; cross-tool TLS-bypass collapses
@@ -2676,10 +2746,9 @@ conditions: G2-Opt2 typed-null capability (Swift consumer), G3
2676
2746
  BENCHMARK_LANGUAGES auto-edit (matrix > 8 packs), G7 pre-commit hook
2677
2747
  polish (multi-gate diagnosis cost).
2678
2748
 
2679
- ### Recipe v4 (working doc opened)
2749
+ ### Recipe v4
2680
2750
 
2681
- `tmp/recipe-v4-working-doc.md` (gitignored, ephemeral). Surfaced
2682
- during 10k.2:
2751
+ Surfaced during 10k.2:
2683
2752
 
2684
2753
  - **G_v4_1** — scaffolder TEST_TEMPLATE conflates source-text vs
2685
2754
  tool-output parsers. Future contributors must re-derive the
@@ -2792,10 +2861,8 @@ at every commit in the 10-commit branch.
2792
2861
  validated end-to-end — the same scan that found bug #1 also
2793
2862
  surfaced #2 and #3 once we knew where to look.
2794
2863
 
2795
- **Forensic evidence preserved** at
2796
- `tmp/regression/2.4.4/dxkit/bom.json` (gitignored — 2.4.4 baseline
2797
- with under-reported BoM) vs `tmp/regression/2.4.5-fixed/dxkit/bom.json`
2798
- (full enumeration after the fix).
2864
+ **Forensic evidence preserved** comparing the 2.4.4 baseline
2865
+ (under-reported BoM) against the 2.4.5 fix (full enumeration).
2799
2866
 
2800
2867
 
2801
2868
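Review bot: After this edit the "Forensic evidence preserved" sentence names no location, so it asserts preservation of artifacts the reader cannot reach; the removed paths were gitignored `tmp/` files, which is presumably why they were dropped. Either replace "preserved" with a description of the comparison as performed (2.4.4 baseline with under-reported BoM versus 2.4.5 full enumeration), or point to where the two `bom.json` outputs actually live now.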
 
@@ -2924,8 +2991,7 @@ recipe stress test #2 — fully dynamic language outside the JVM family.
2924
2991
  Then **2.5.0 (Phase 10i — fingerprints + exec summary across 8-language
2925
2992
  matrix)**. Phase 10j.2 (Swift/iOS) is **deferred to post-10rr / pre-3.0.0
2926
2993
  opportunistic slot** because Linux/WSL2 development can't validate the
2927
- xcodeproj-shape majority without macOS access. See
2928
- `tmp/phase-10k-backend-langs-roadmap.md` for the full phase plan.
2994
+ xcodeproj-shape majority without macOS access.
2929
2995
 
2930
2996
  ## [2.4.4] - 2026-04-27
2931
2997
 
@@ -3012,7 +3078,7 @@ output for non-Kotlin projects.
3012
3078
  Triage" risk scoring — caught during the regression-check pass
3013
3079
  on dxkit's own BoM diff. Cross-ecosystem.test.ts: 444s peak →
3014
3080
  174s wall-clock after Recipe v2 (-228s, 51% reduction). Closes
3015
- D010 (`tmp/known-defects.md`). (`src/languages/capabilities/index.ts`,
3081
+ D010. (`src/languages/capabilities/index.ts`,
3016
3082
  `src/analyzers/{health,licenses,quality,security,tests}/...`)
3017
3083
 
3018
3084
  - **`JSCPD_PATTERN` was hardcoded** with `'ts,tsx,js,jsx,py,go,rs,cs'`
@@ -3211,8 +3277,7 @@ identical output before and after.
3211
3277
  `generic.ts`, `grep-secrets.ts`, `project-yaml.ts`, `constants.ts`,
3212
3278
  `tool-registry.ts`** — all per-language if-chains replaced with
3213
3279
  iteration over the `LANGUAGES` registry. 12 of the 14 LP-audit
3214
- items closed across these files (the audit doc lives in `tmp/` if
3215
- curious).
3280
+ items closed across these files.
3216
3281
 
3217
3282
  ### Internal
3218
3283
 
package/README.md CHANGED
@@ -1,11 +1,16 @@
1
1
  # dxkit
2
2
 
3
- **A deterministic Stop-gate for autonomous coding loops.**
3
+ **A deterministic stop condition and code-graph context layer for AI coding agents.**
4
4
 
5
- Coding agents keep editing until they decide to stop. Tests and linters catch
6
- broken code, but they do not know whether the agent made the repo worse than
7
- the baseline. So loops can quietly ship new secrets, untested paths, and other
8
- detector-backed regressions, then report success.
5
+ Autonomous coding loops face two control problems: orienting in the code while
6
+ they make a change, and deciding whether that change made the repository worse
7
+ before they stop.
8
+
9
+ dxkit addresses both. While the agent works, it provides a code graph of
10
+ callers, callees, blast radius, and the files a change touches. Then, when the
11
+ agent tries to stop, dxkit baselines existing findings, reruns trusted checks,
12
+ and blocks only net-new detector-backed regressions with a concrete repair
13
+ reason.
9
14
 
10
15
  In our loop benchmark, vanilla Claude Code-style loops stopped with net-new
11
16
  debt in **11 of 16 runs**. A prompt that told the agent to self-check still
@@ -20,9 +25,10 @@ finding, and the agent repaired before stopping clean.
20
25
 
21
26
  dxkit does not reinvent detection. It runs trusted open source scanners
22
27
  (gitleaks, Semgrep, OSV, npm audit, and more), and it can ingest results from
23
- Snyk and CodeQL. What it adds is the piece those tools were not built for: a
24
- deterministic check, on every stop, of whether this change introduced a new
25
- finding compared with a baseline.
28
+ Snyk and CodeQL. What dxkit adds is the agent-loop layer around those tools: a
29
+ per-stop, baseline-relative verdict of whether this change introduced a new
30
+ finding, returned to the agent with the exact repair reason while the loop is
31
+ still warm.
26
32
 
27
33
  ```bash
28
34
  npm init @vyuhlabs/dxkit -- --claude-loop --yes # install dxkit + register the Claude Code Stop hook
@@ -30,12 +36,12 @@ npx vyuh-dxkit baseline create # grandfather today's findings
30
36
  npx vyuh-dxkit loop doctor # verify the gate is wired
31
37
  ```
32
38
 
33
- The gate runs locally with no model: same input, same verdict, in seconds.
39
+ The stop verdict has no model in the path: same input, same verdict.
34
40
  Existing debt stays grandfathered; only net-new regressions block. Want to
35
41
  watch the flow first, on a sandbox dxkit creates? See the
36
- [walkthrough](#see-it-without-touching-your-repo).
42
+ [fixture gate](#run-a-local-fixture-gate).
37
43
 
38
- [Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo)
44
+ [Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo) · [Run the fixture gate](#run-a-local-fixture-gate)
39
45
 
40
46
  <p>
41
47
  <a href="https://www.npmjs.com/package/@vyuhlabs/dxkit"><img alt="npm" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit"></a>
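Review bot: The rewritten verdict sentence drops "runs locally" and "in seconds", and this same diff replaces the comparison-table row "Can run without network or auth" with a determinism row, yet the README still states in the fixture-gate paragraph that the gate itself is fully offline while the "Universal, on every repo" list includes dependency advisories from OSV.dev. Reconcile these: say which checks need network access (OSV.dev, the per-ecosystem audit tools) and which parts of the verdict are offline, so "same input, same verdict" is not read as "offline".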
@@ -48,23 +54,27 @@ watch the flow first, on a sandbox dxkit creates? See the
48
54
 
49
55
  ## The problem: loops do not know when they made things worse
50
56
 
51
- An autonomous loop runs until the agent decides it is done. The only checks in
52
- that loop today are tests and linters, and those catch broken code, not
53
- regressed code. There is no notion of "worse than the baseline." So an agent
54
- can add a feature, leave a new untested path or a hardcoded credential behind,
55
- run the tests, see green, and declare success.
57
+ An autonomous loop runs until the agent decides it is done. The common checks in
58
+ that loop (tests, linters, scanners, CI-style commands) usually answer whether
59
+ something is broken or flagged. They do not, by themselves, maintain a
60
+ brownfield baseline and answer the loop-level question: did this change
61
+ introduce something net-new? So an agent can add a feature, leave a new untested
62
+ path or a hardcoded credential behind, run the tests, see green, and declare
63
+ success.
56
64
 
57
65
  In our benchmark this happened in most vanilla runs, and telling the agent to
58
66
  check its own work only helped a little.
59
67
 
60
68
  ## What dxkit does
61
69
 
62
- 1. **Baseline today's debt.** `baseline create` records every current finding,
63
- so pre-existing issues are grandfathered and never block.
64
- 2. **Run a deterministic Stop-gate on every stop.** A Claude Code Stop hook
65
- re-runs the guardrail against that baseline. Same input gives the same
66
- verdict, in seconds, offline, with no model in the loop.
67
- 3. **Feed net-new findings back to the agent.** If the change introduced a
70
+ 1. **Build a structural code graph.** dxkit gives the agent callers, callees,
71
+ blast radius, and relevant files so it can orient before editing.
72
+ 2. **Baseline today's debt.** `baseline create` records current findings, so
73
+ pre-existing issues are grandfathered and never block.
74
+ 3. **Run a deterministic Stop-gate on every stop.** A Claude Code Stop hook
75
+ reruns the guardrail against that baseline. Same input gives the same
76
+ verdict; no model decides whether the gate passes.
77
+ 4. **Feed net-new findings back to the agent.** If the change introduced a
68
78
  finding, the gate blocks the stop and hands the agent the exact finding to
69
79
  fix: do not refresh the baseline, do not touch unrelated debt, fix what this
70
80
  branch introduced. The loop stops only when clean.
@@ -78,11 +88,27 @@ Use dxkit if you let coding agents:
78
88
  - touch brownfield repos that already carry debt,
79
89
  - or work where "new debt" matters more than "all debt."
80
90
 
91
+ ## What dxkit is, and is not
92
+
93
+ **It is a deterministic verification layer.** It baselines today's findings,
94
+ fingerprints them across churn, and blocks only net-new regressions.
95
+
96
+ **It is not a scanner replacement.** It runs and ingests scanners (gitleaks,
97
+ Semgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not
98
+ claim to find more bugs than they do.
99
+
100
+ **It is not an LLM judge.** No model decides whether the gate passes. The model
101
+ can repair findings. The gate itself is deterministic, and the prompt does not
102
+ grow as the baseline grows.
103
+
104
+ **It is not a guarantee of safe code.** It blocks detector-backed net-new
105
+ findings it can observe. You still need tests, review, scanners, and judgment.
106
+
81
107
  ## Built on tools you already trust
82
108
 
83
109
  dxkit is an orchestration and enforcement layer, not another scanner. It runs
84
110
  established open source tools and treats their output as one stream. Which tools
85
- run depends on the languages in your repo dxkit covers **8 ecosystems**
111
+ run depends on the languages in your repo. dxkit covers **8 ecosystems**
86
112
  (TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby).
87
113
 
88
114
  Universal, on every repo:
@@ -92,8 +118,8 @@ Universal, on every repo:
92
118
  - dependency advisories: OSV.dev
93
119
  - size, duplication, and the code graph: cloc, jscpd, graphify
94
120
 
95
- Per language, dxkit adds that ecosystem's own linter and audit tool — for
96
- example npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
121
+ Per language, dxkit adds that ecosystem's own linter and audit tool. For
122
+ example, npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
97
123
  golangci-lint (Go), cargo-audit + clippy (Rust), `dotnet list --vulnerable`
98
124
  (C#), osv-scanner + PMD (Java), osv-scanner + detekt (Kotlin), and
99
125
  bundler-audit + RuboCop (Ruby). The full per-language matrix is in **Per-pack
@@ -114,7 +140,7 @@ and inside the agent loop.
114
140
  ## Try it on your repo
115
141
 
116
142
  The Stop hook runs dxkit on every stop, so install dxkit into the repo. This
117
- one command adds it as a devDependency and registers the hook additively your
143
+ one command adds it as a devDependency and registers the hook additively, so your
118
144
  existing `.claude` settings are preserved:
119
145
 
120
146
  ```bash
@@ -128,9 +154,9 @@ npx vyuh-dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired
128
154
  When the agent tries to stop, dxkit runs the net-new gate against the baseline.
129
155
  Existing findings are grandfathered; only findings this change introduced block.
130
156
 
131
- ## See it without touching your repo
157
+ ## Run a local fixture gate
132
158
 
133
- Want the flow first, on a sandbox dxkit creates?
159
+ Want to see the Stop-gate before installing dxkit into your repo?
134
160
 
135
161
  ```bash
136
162
  npx -y @vyuhlabs/dxkit@latest demo loop-guardrail
@@ -141,7 +167,7 @@ net-new secret → BLOCK → repair → CLEAN, then it tears the fixture down. N
141
167
  key and no Claude Code, and your own repo is never touched. It needs gitleaks
142
168
  installed and takes about 20 seconds; without gitleaks it shows a clearly
143
169
  labelled illustration instead. (It does a one-time `npx` download, so it is not
144
- fully offline the gate itself is.)
170
+ fully offline, though the gate itself is.)
145
171
 
146
172
  ### Presets: what blocks the loop
147
173
 
@@ -192,18 +218,26 @@ ships, the graph bounds how the loop works.
192
218
  Three independent benchmark results, one theme: dxkit makes agent work more
193
219
  predictable.
194
220
 
195
- | Layer | What it bounds | Observed result |
196
- | -------------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------- |
197
- | **Stop-gate** | unsafe final state | vanilla loops escaped **11/16** times, prompt-only checklist escaped **9/16**, dxkit escaped **0/16** |
198
- | **Deterministic identity** | false "net-new" findings under churn | **100% catch / 0% false-block** on seeded gate tests; **0 false net-new** on tested line shifts and renames |
199
- | **Graph context** | large-repo exploration tails | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved |
200
-
201
- **Fixing in the loop is cheaper than fixing later.** A fourth arm of the
202
- loop-safety study measured the "detect on CI, fix later" model: deferring a
203
- net-new finding to a cold session cost **19–49% more tokens** (and up to 51% more
204
- turns) than repairing it inside the warm loop, because the cold fixer has to
205
- re-orient in a context it no longer holds. So the gate is not just safer than
206
- deferring, it is cheaper.
221
+ | Layer | What it bounds | Observed result |
222
+ | -------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
223
+ | **Stop-gate** | net-new detector-backed debt | vanilla loops escaped **11/16** times, prompt-only checklist escaped **9/16**, dxkit escaped **0/16** |
224
+ | **Deterministic identity** | false "net-new" findings under churn | caught **all 3** seeded regressions with **0/2** false blocks on clean edits; **0 false net-new** on tested line shifts and renames |
225
+ | **Graph context** | large-repo exploration tails | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved |
226
+
227
+ **Deferral has a re-orientation cost.** A fourth arm of the
228
+ loop-safety study measured the "detect on CI, fix later" model: on the test-gap
229
+ task, deferring a net-new finding to a cold session cost **~49% more in
230
+ equivalent cost** and **~51% more turns** than repairing it inside the warm loop,
231
+ because the cold fixer has to re-orient in a context it no longer holds. (The
232
+ secret-task premium pointed the same way but was weak (mean +19%, median
233
+ slightly negative), so we lean on the robust test-gap result.) So the gate is not
234
+ just safer than deferring, it is plausibly cheaper too.
235
+
236
+ **And the gate is fast enough to run on every stop.** dxkit 2.14.0 scopes the
237
+ Stop-gate scan to the active preset's blockable finding kinds and re-scans only
238
+ the changed files, reusing cached results for everything unchanged. The verdict
239
+ is identical to a full scan; the cost is seconds per stop, not minutes, even on
240
+ large repositories.
207
241
 
208
242
  > **Benchmark caveats:** the loop-safety study uses controlled synthetic tasks
209
243
  > plus real-repo validation, detector-backed findings, and Sonnet runs. It is
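Review bot: The rewritten "Deterministic identity" row now reports its sample sizes ("caught all 3 seeded regressions", "0/2 false blocks"), which is more honest than "100% catch / 0% false-block", but the row should say what the two clean edits were, since the line-shift and rename cases are listed separately in the same cell. The new "fast enough to run on every stop" paragraph gives no number for "seconds per stop, not minutes"; the CHANGELOG entry in this same diff has measurements (about 119s before the dependency-audit skip, about 7s after, on a 4-file PR in ref-based `--incremental` mode) that would make the claim concrete if cited together with the mode they apply to, and the "verdict is identical to a full scan" sentence should carry the CHANGELOG's own qualification that the audit skip is verdict-preserving in ref-based mode only.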
@@ -214,22 +248,6 @@ deferring, it is cheaper.
214
248
  Full methodology, reproducibility notes, artifact status, and caveats are in
215
249
  **[docs/benchmarks.md](docs/benchmarks.md)**.
216
250
 
217
- ## What dxkit is, and is not
218
-
219
- **It is a deterministic verification layer.** It baselines today's findings,
220
- fingerprints them across churn, and blocks only net-new regressions.
221
-
222
- **It is not a scanner replacement.** It runs and ingests scanners (gitleaks,
223
- Semgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not
224
- claim to find more bugs than they do.
225
-
226
- **It is not an LLM judge.** No model decides whether the gate passes. The model
227
- can repair findings. The gate itself is deterministic, and the prompt does not
228
- grow as the baseline grows.
229
-
230
- **It is not a guarantee of safe code.** It blocks detector-backed net-new
231
- findings it can observe. You still need tests, review, scanners, and judgment.
232
-
233
251
  ## Why not just Snyk, SonarQube, or CodeQL?
234
252
 
235
253
  Use them. dxkit can ingest their findings. The difference is tempo and control,
@@ -240,7 +258,7 @@ every time the agent tries to declare done.
240
258
  | Loop Stop-gate need | dxkit | Cloud or CI scanners |
241
259
  | ----------------------------------------------------------- | ----- | -------------------------------------- |
242
260
  | Runs locally on every stop, in seconds | yes | usually CI or cloud cadence |
243
- | Can run without network or auth | yes | usually requires network or auth |
261
+ | Deterministic verdict, no model in the gate | yes | varies (some add an LLM judge) |
244
262
  | Grandfathers existing debt | yes | tool-dependent |
245
263
  | Feeds the exact block reason back to the warm agent session | yes | usually a human-facing dashboard or PR |
246
264
 
@@ -273,7 +291,7 @@ cloc, jscpd, graphify).
273
291
  | Ruby | `Gemfile`, `*.rb` | RuboCop, bundler-audit |
274
292
 
275
293
  <details>
276
- <summary><strong>Per-pack capabilities</strong> coverage import, import-graph, severity tiers (click to expand)</summary>
294
+ <summary><strong>Per-pack capabilities</strong>: coverage import, import-graph, severity tiers (click to expand)</summary>
277
295
 
278
296
  | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
279
297
  | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
@@ -300,8 +318,8 @@ so it does not inflate the Code Quality score.
300
318
 
301
319
  ## Reproduce the deterministic tier
302
320
 
303
- The deterministic results the net-new gate decision and the finding-identity
304
- matcher reproduce offline with no API key, so you do not have to trust our
321
+ The deterministic results (the net-new gate decision and the finding-identity
322
+ matcher) reproduce offline with no API key, so you do not have to trust our
305
323
  numbers. These harnesses live in `benchmarks/`:
306
324
 
307
325
  ```bash
@@ -10,8 +10,6 @@
10
10
  * allowlist file reader/writer, the inline-annotation parser, the
11
11
  * CLI, the block-time hint formatter, and the new `allowlistHits`
12
12
  * baseline producer.
13
- *
14
- * See tmp/2.6-allowlist-design.md for the design discussion.
15
13
  */
16
14
  import type { IdentityKind } from '../baseline/producers';
17
15
  /**
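Review bot: Removing the `tmp/2.6-allowlist-design.md` pointer from the module doc comment leaves the allowlist design rationale with no reference at all in the published types. The comment still enumerates what the design covers (the file reader/writer, the inline-annotation parser, the CLI, the block-time hint formatter, the `allowlistHits` baseline producer), so either inline a short rationale here or point to a checked-in document under `docs/` rather than deleting the reference outright.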
@@ -1 +1 @@
1
- {"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,kGAMjB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,WAAW,CAAC,iBAAiB,CAG7D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,iBAAiB,CAItE,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,YAAY,CAO5D,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,iBAAiB,EAAE,CAAC,CA6C3F,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAErF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAEnE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAE/F;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,IAAiB,GAAG,MAAM,CAIhE"}
1
+ {"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,kGAMjB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,WAAW,CAAC,iBAAiB,CAG7D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,iBAAiB,CAItE,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,YAAY,CAO5D,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,iBAAiB,EAAE,CAAC,CA6C3F,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAErF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAEnE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAE/F;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,IAAiB,GAAG,MAAM,CAIhE"}
@@ -11,8 +11,6 @@
11
11
  * allowlist file reader/writer, the inline-annotation parser, the
12
12
  * CLI, the block-time hint formatter, and the new `allowlistHits`
13
13
  * baseline producer.
14
- *
15
- * See tmp/2.6-allowlist-design.md for the design discussion.
16
14
  */
17
15
  Object.defineProperty(exports, "__esModule", { value: true });
18
16
  exports.DEFAULT_EXPIRY_DAYS = exports.CATEGORIES_BY_KIND = exports.INLINE_COMPATIBLE_KINDS = exports.INLINE_COMPATIBLE_CATEGORIES = exports.EXPIRING_CATEGORIES = exports.ALL_CATEGORIES = void 0;
@@ -1 +1 @@
1
- {"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAoJH,oCAEC;AAMD,wCAEC;AAQD,wDAEC;AAmBD,8CAIC;AA3LD;;;;;;GAMG;AACU,QAAA,cAAc,GAAG;IAC5B,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,UAAU;CACF,CAAC;AAIX;;;;;;;;;;;GAWG;AACU,QAAA,mBAAmB,GAAmC,IAAI,GAAG,CAAC;IACzE,eAAe;IACf,UAAU;CACX,CAAC,CAAC;AAEH;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAmC,IAAI,GAAG,CAAC;IAClF,gBAAgB;IAChB,cAAc;IACd,sBAAsB;CACvB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACU,QAAA,uBAAuB,GAA8B,IAAI,GAAG,CAAe;IACtF,QAAQ;IACR,aAAa;IACb,MAAM;IACN,QAAQ;IACR,UAAU;IACV,SAAS;CACV,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACU,QAAA,kBAAkB,GAAiE;IAC9F,yDAAyD;IACzD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC/F,aAAa,EAAE;QACb,gBAAgB;QAChB,cAAc;QACd,sBAAsB;QACtB,eAAe;QACf,UAAU;KACX;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7F,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE/F,uEAAuE;IACvE,+BAA+B;IAC/B,UAAU,EAAE,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAEnF,iEAAiE;IACjE,uDAAuD;IACvD,WAAW,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE5D,qEAAqE;IACrE,iCAAiC;IACjC,cAAc,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAC7C,UAAU,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IACzC,uBAAuB,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtD,oEAAoE;IACpE,kEAAkE;IAClE,UAAU,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC3D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE7D,6DAA6D;IAC7D,8DAA8D;IAC9D,OAAO,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtC,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,6DAA6D;IAC7D,iEAAiE;IACjE,8DAA8D;IAC9D,YAAY;IACZ,aAAa,EAAE,EAAE;CAClB,CAAC;AAEF;;;;;;;;;GASG;AACH,SAAgB,YAAY,CAAC,IAAkB,EAAE,QAA2B;IAC1E,OAAO,+BAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,oCAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,QAA2B;IACxD,OAAO,2BAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAkB,EAAE,QAA2B;IACpF
,OAAO,0BAAkB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACU,QAAA,mBAAmB,GAAG,EAAE,CAAC;AAEtC;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,MAAY,IAAI,IAAI,EAAE;IACtD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,2BAAmB,CAAC,CAAC;IAC/D,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5C,CAAC"}
+ {"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAoJH,oCAEC;AAMD,wCAEC;AAQD,wDAEC;AAmBD,8CAIC;AA3LD;;;;;;GAMG;AACU,QAAA,cAAc,GAAG;IAC5B,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,UAAU;CACF,CAAC;AAIX;;;;;;;;;;;GAWG;AACU,QAAA,mBAAmB,GAAmC,IAAI,GAAG,CAAC;IACzE,eAAe;IACf,UAAU;CACX,CAAC,CAAC;AAEH;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAmC,IAAI,GAAG,CAAC;IAClF,gBAAgB;IAChB,cAAc;IACd,sBAAsB;CACvB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACU,QAAA,uBAAuB,GAA8B,IAAI,GAAG,CAAe;IACtF,QAAQ;IACR,aAAa;IACb,MAAM;IACN,QAAQ;IACR,UAAU;IACV,SAAS;CACV,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACU,QAAA,kBAAkB,GAAiE;IAC9F,yDAAyD;IACzD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC/F,aAAa,EAAE;QACb,gBAAgB;QAChB,cAAc;QACd,sBAAsB;QACtB,eAAe;QACf,UAAU;KACX;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7F,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE/F,uEAAuE;IACvE,+BAA+B;IAC/B,UAAU,EAAE,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAEnF,iEAAiE;IACjE,uDAAuD;IACvD,WAAW,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE5D,qEAAqE;IACrE,iCAAiC;IACjC,cAAc,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAC7C,UAAU,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IACzC,uBAAuB,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtD,oEAAoE;IACpE,kEAAkE;IAClE,UAAU,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC3D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE7D,6DAA6D;IAC7D,8DAA8D;IAC9D,OAAO,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtC,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,6DAA6D;IAC7D,iEAAiE;IACjE,8DAA8D;IAC9D,YAAY;IACZ,aAAa,EAAE,EAAE;CAClB,CAAC;AAEF;;;;;;;;;GASG;AACH,SAAgB,YAAY,CAAC,IAAkB,EAAE,QAA2B;IAC1E,OAAO,+BAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,oCAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,QAA2B;IACxD,OAAO,2BAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAkB,EAAE,QAA2B;IACpF,O
AAO,0BAAkB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACU,QAAA,mBAAmB,GAAG,EAAE,CAAC;AAEtC;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,MAAY,IAAI,IAAI,EAAE;IACtD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,2BAAmB,CAAC,CAAC;IAC/D,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5C,CAAC"}
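Review bot: nothing to act on in the regenerated map itself; the only delta is the leading doc-comment span (`;;;;;;;;;;;;;;GAcG` to `;;;;;;;;;;;;GAYG`, two generated lines and two original lines fewer), which is consistent with a two-line removal from the file header comment rather than any change to the emitted code, so the map and `categories.js` were rebuilt together. One thing worth checking for a published package: `sources` still points at `../../src/allowlist/categories.ts` with an empty `sourceRoot` and no `sourcesContent`, so a consumer stepping through `dist/` in a debugger gets the mapping but not the source unless `src/` ships alongside it; inlining `sourcesContent` (or dropping the maps from the tarball) avoids a dangling reference.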
@@ -386,7 +386,7 @@ if __name__ == '__main__':
  # 2.7 Sprint 1: emit nodes / edges / communities / symbolIndex alongside
  # the aggregate metrics. Consumers (explore CLI, dashboard viz, future
  # 2.8 context CLI + reachability) read this via src/explore/load.ts.
- # Schema contract documented in tmp/2.7-graph-json-schema.md.
+ # Schema contract: the GraphJson interface in src/explore/types.ts.
 
  # Determine class membership: a module-shaped node is a CLASS if it has
  # outbound 'method' edges to other nodes (it's the owner). A function-
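Review bot: the new pointer is an improvement over a `tmp/` file that never shipped, but it still names a repo-relative `src/` path that a reader of the published `dist/` build cannot open, and the unchanged context line above has the same problem with `src/explore/load.ts`. Because this comment sits inside the Python text that graphify.js emits, it lands in the shipped artifact; naming the exported type alone ("the `GraphJson` interface exported by the explore module") survives packaging, whereas the path does not. Comment-only change, no behaviour to review.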
@@ -1 +1 @@
- {"version":3,"file":"vendored-advisor.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AA4DH;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAGtD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAE/F"}
+ {"version":3,"file":"vendored-advisor.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AA0DH;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAGtD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAE/F"}
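Review bot: the only delta is the offset of the first declaration after the header comment (`AA4DH` to `AA0DH`, which decodes to a shift of two original lines), matching a comment hunk that removes three lines and adds one; no declared signature moved otherwise, so this is a consistently regenerated artifact and needs no further review.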
@@ -82,9 +82,7 @@ const SUSPECT_VENDORED_TOKENS = [
  // analyzes the customer's repo via graphify (looking for files with
  // proxy-shape signatures — high class:method ratio, no autogen
  // header, anomalous file size), and proposes `.dxkit-ignore`
- // entries. Scoped in the next graphify session per user direction
- // 2026-05-17 — see `tmp/next-session-graphify-deep-dive.md` and
- // `tmp/graphify-capabilities-expansion.md`.
+ // entries.
  /**
  * Check if a relative POSIX path contains a suspect-vendored token.
  * Anchors the check with leading slash so `/libs/` matches a directory
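Review bot: removing the stale `tmp/` pointers and the dated scheduling note is right for shipped code, but the surviving sentence still promises an analyzer that "proposes `.dxkit-ignore` entries" with no remaining reference to where that work is tracked; either point at a tracked issue or trim the paragraph so the comment describes only what exists today. Separately, since this heuristic keys purely on path tokens (the `SUSPECT_VENDORED_TOKENS` list, anchored with a leading slash so `/libs/` matches a directory), any auto-proposed `.dxkit-ignore` entry is an exclusion from scanning that a contributor can trigger just by placing code under a matching directory name; when that feature lands, proposals should stay advisory and require human review before anything is written to the ignore file.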
@@ -1 +1 @@
- {"version":3,"file":"vendored-advisor.js","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;AAiEH,sCAGC;AAQD,wDAEC;AA5ED;;;;;;;;;;;GAWG;AACH,MAAM,uBAAuB,GAAG;IAC9B,QAAQ;IACR,eAAe;IACf,cAAc;IACd,sBAAsB;IACtB,WAAW;IACX,YAAY;IACZ,WAAW;IACX,eAAe;IACf,eAAe;IACf,YAAY;IACZ,gEAAgE;IAChE,kEAAkE;IAClE,gEAAgE;IAChE,aAAa;IACb,WAAW;IACX,UAAU;IACV,UAAU;IACV,WAAW;IACX,qEAAqE;IACrE,qEAAqE;IACrE,+DAA+D;IAC/D,SAAS;IACT,UAAU;IACV,SAAS;IACT,mEAAmE;IACnE,kEAAkE;IAClE,0CAA0C;IAC1C,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;CACnB,CAAC;AAEF,+DAA+D;AAC/D,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAC9D,gEAAgE;AAChE,oEAAoE;AACpE,+DAA+D;AAC/D,6DAA6D;AAC7D,kEAAkE;AAClE,gEAAgE;AAChE,4CAA4C;AAE5C;;;;GAIG;AACH,SAAgB,aAAa,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAA6B,KAAuB;IACxF,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC"}
+ {"version":3,"file":"vendored-advisor.js","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;AA+DH,sCAGC;AAQD,wDAEC;AA1ED;;;;;;;;;;;GAWG;AACH,MAAM,uBAAuB,GAAG;IAC9B,QAAQ;IACR,eAAe;IACf,cAAc;IACd,sBAAsB;IACtB,WAAW;IACX,YAAY;IACZ,WAAW;IACX,eAAe;IACf,eAAe;IACf,YAAY;IACZ,gEAAgE;IAChE,kEAAkE;IAClE,gEAAgE;IAChE,aAAa;IACb,WAAW;IACX,UAAU;IACV,UAAU;IACV,WAAW;IACX,qEAAqE;IACrE,qEAAqE;IACrE,+DAA+D;IAC/D,SAAS;IACT,UAAU;IACV,SAAS;IACT,mEAAmE;IACnE,kEAAkE;IAClE,0CAA0C;IAC1C,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;CACnB,CAAC;AAEF,+DAA+D;AAC/D,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAC9D,gEAAgE;AAChE,oEAAoE;AACpE,+DAA+D;AAC/D,6DAA6D;AAC7D,WAAW;AAEX;;;;GAIG;AACH,SAAgB,aAAa,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAA6B,KAAuB;IACxF,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC"}
@@ -98,14 +98,21 @@ export interface RunGuardrailCheckOptions {
  */
  readonly scope?: GatherScope;
  /**
- * Incremental scanning (opt 3): when true, the CURRENT side's semgrep
- * scans only files that changed vs the baseline's commit, instead of the
- * whole tree. Sound for a net-new gate (semgrep is intraprocedural — a
- * net-new code finding only appears in a changed file). The ref/baseline
- * side stays full so it covers every file. Falls back to a full scan when
- * the changed set can't be computed completely. Opt-in: only the loop
- * Stop-gate sets it; CI / `baseline check` leave it false so their full
- * report is unaffected.
+ * Incremental scanning (opt 3): when true, semgrep scans only files that
+ * changed vs the comparison base, instead of the whole tree. Sound for a
+ * net-new gate (semgrep is intraprocedural — a net-new code finding only
+ * appears in a changed file). Scope by mode:
+ * - committed: only the CURRENT side is scoped (the prior side is the
+ * on-disk, already-full baseline), against the baseline's commit.
+ * - ref-based: the changed set is fully computable (`diff(ref, HEAD)`),
+ * so BOTH the ref side and the current side are scoped to the SAME
+ * set, keeping the cross-run diff symmetric. This makes a ref-based
+ * guardrail (CI, pre-push, the hosted PR gate) scale with PR size
+ * rather than repo size.
+ * Falls back to a full scan when the changed set can't be computed
+ * completely. Opt-in: the loop Stop-gate sets it, and `guardrail check
+ * --incremental` exposes it on the CLI; otherwise it stays false so the
+ * full report is unaffected.
  */
  readonly incremental?: boolean;
  }
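Review bot: the soundness argument in this doc comment ("a net-new code finding only appears in a changed file") holds only when everything other than the scanned files is identical on both sides. If the semgrep rule set or its config, or the ignore file that shapes the scan, differs between the ref and HEAD (a PR that adds or tightens a rule, or edits the ignore list), then net-new findings in unchanged files are exactly what the gate exists to catch, and the scoped scan will not see them; in the ref-based mode, where both sides are restricted to the same changed set, such a run comes back clean by construction. Suggest widening the fallback clause so a changed rule, config or ignore file forces a full scan on both sides, and saying so here. Two smaller wording gaps: state whether `diff(ref, HEAD)` includes renames and deletions (a renamed file must be scanned under its new path on the current side and under its old path on the ref side to keep the diff symmetric), and whether the loop Stop-gate diffs the working tree rather than HEAD, since uncommitted edits fall outside `diff(ref, HEAD)`. As this is the emitted `.d.ts`, the fix belongs in the source comment in `src/baseline/check.ts`.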
@@ -1 +1 @@
- {"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/baseline/check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAO5C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAAE,gBAAgB,EAAmB,cAAc,EAAE,MAAM,UAAU,CAAC;AAElF,OAAO,EAAE,KAAK,WAAW,EAAc,MAAM,gBAAgB,CAAC;AAG9D,OAAO,KAAK,EAAE,aAAa,EAAa,eAAe,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGjG,OAAO,EAAyB,KAAK,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE/E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,MAAM,WAAW,wBAAwB;IACvC,oEAAoE;IACpE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB;gCAC4B;IAC5B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;2DAEuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;gBAEY;IACZ,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B;;;;;0CAKsC;IACtC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;;uEAKmE;IACnE,QAAQ,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC;IACnC,sEAAsE;IACtE,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B;;8CAE0C;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACrC;;oBAEgB;IAChB,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC;2DACuD;IACvD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;;OASG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC;IAC7B;;;;;;;;;OASG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;mEAC+D;IAC/D,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC;gCAC4B;IAC5B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC;mCAC+B;IAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;uBAKmB;IACnB,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC;;;;;yEAKqE;IACrE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,oBAAoB,CAAC;CACvD;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC;IACrC;mCAC+B;IAC/B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC
7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,6DAA6D;IAC7D,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;QAC7C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;KAC7C,CAAC,CAAC;IACH;;;;kDAI8C;IAC9C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;CACtD;AAED,MAAM,WAAW,oBAAoB;IACnC;;uDAEmD;IACnD,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B;;uCAEmC;IACnC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC9C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC;+BAC2B;IAC3B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB;sCACkC;IAClC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;;;;yDAIqD;IACrD,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;;;;;;;;mEAQ+D;IAC/D,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;QACrC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;KAC/B,CAAC,CAAC;CACJ;AAoBD;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,CAAC,SAAS;IAAE,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAE,EACzF,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,EAC/B,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC,EACjC,UAAU,EAAE,OAAO,GAClB;IACD,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAChC,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAClC,gBAAgB,EAAE,oBAAoB,CAAC,kBAAkB,CAAC,CAAC;CAC5D,CAoBA;AAwBD;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,wBAAwB,GAChC,OAAO,CAAC,oBAAoB,CAAC,CAsN/B;AA8KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,aAAa,EACxB,WAAW,EAAE,aAAa,EAC1B,GAAG,EAAE,IAAI,GACR,oBAAoB,GAAG,SAAS,CAYlC"}
+ {"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/baseline/check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAO5C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAAE,gBAAgB,EAAmB,cAAc,EAAE,MAAM,UAAU,CAAC;AAElF,OAAO,EAAE,KAAK,WAAW,EAA8B,MAAM,gBAAgB,CAAC;AAI9E,OAAO,KAAK,EAAE,aAAa,EAAa,eAAe,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGjG,OAAO,EAAyB,KAAK,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE/E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,MAAM,WAAW,wBAAwB;IACvC,oEAAoE;IACpE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB;gCAC4B;IAC5B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;2DAEuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;gBAEY;IACZ,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B;;;;;0CAKsC;IACtC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;;uEAKmE;IACnE,QAAQ,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC;IACnC,sEAAsE;IACtE,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B;;8CAE0C;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACrC;;oBAEgB;IAChB,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC;2DACuD;IACvD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;;OASG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC;IAC7B;;;;;;;;;;;;;;;;OAgBG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;mEAC+D;IAC/D,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC;gCAC4B;IAC5B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC;mCAC+B;IAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;uBAKmB;IACnB,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC;;;;;yEAKqE;IACrE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,oBAAoB,CAAC;CACvD;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC;IACrC;mCAC+B;IAC/B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM
,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,6DAA6D;IAC7D,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;QAC7C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;KAC7C,CAAC,CAAC;IACH;;;;kDAI8C;IAC9C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;CACtD;AAED,MAAM,WAAW,oBAAoB;IACnC;;uDAEmD;IACnD,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B;;uCAEmC;IACnC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC9C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC;+BAC2B;IAC3B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB;sCACkC;IAClC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;;;;yDAIqD;IACrD,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;;;;;;;;mEAQ+D;IAC/D,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;QACrC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;KAC/B,CAAC,CAAC;CACJ;AAkCD;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,CAAC,SAAS;IAAE,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAE,EACzF,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,EAC/B,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC,EACjC,UAAU,EAAE,OAAO,GAClB;IACD,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAChC,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAClC,gBAAgB,EAAE,oBAAoB,CAAC,kBAAkB,CAAC,CAAC;CAC5D,CAoBA;AAwBD;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,wBAAwB,GAChC,OAAO,CAAC,oBAAoB,CAAC,CAiR/B;AA8KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,aAAa,EACxB,WAAW,EAAE,aAAa,EAC1B,GAAG,EAAE,IAAI,GACR,oBAAoB,GAAG,SAAS,CAYlC"}