@vyuhlabs/dxkit 2.14.0 → 2.16.0
- package/CHANGELOG.md +81 -16
- package/README.md +79 -61
- package/dist/allowlist/categories.d.ts +0 -2
- package/dist/allowlist/categories.d.ts.map +1 -1
- package/dist/allowlist/categories.js +0 -2
- package/dist/allowlist/categories.js.map +1 -1
- package/dist/analyzers/tools/graphify.js +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +1 -3
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/baseline/check.d.ts +15 -8
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +80 -13
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +12 -2
- package/dist/baseline/ref-baseline.d.ts.map +1 -1
- package/dist/baseline/ref-baseline.js +23 -4
- package/dist/baseline/ref-baseline.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +10 -2
- package/dist/cli.js.map +1 -1
- package/dist/explore/format.d.ts +1 -1
- package/dist/explore/format.js +1 -1
- package/dist/explore/types.d.ts +2 -3
- package/dist/explore/types.d.ts.map +1 -1
- package/dist/explore/types.js +1 -1
- package/dist/explore-cli.d.ts +1 -1
- package/dist/explore-cli.js +1 -1
- package/dist/languages/capabilities/provider.d.ts +17 -0
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +7 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +1 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +24 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +45 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +9 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +10 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +9 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +3 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +1 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +7 -0
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,77 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.16.0] - 2026-06-23
|
|
11
|
+
|
|
12
|
+
### Changed — `--incremental` skips the dependency audit when no manifest changed
|
|
13
|
+
|
|
14
|
+
`vyuh-dxkit guardrail check --incremental` now, in ref-based mode, **skips the
|
|
15
|
+
OSV dependency-vulnerability audit entirely when the change touched no
|
|
16
|
+
dependency manifest or lockfile.** This is the dominant latency win for the
|
|
17
|
+
incremental path: profiling a 4-file documentation PR on this repo showed the
|
|
18
|
+
dep audit accounting for ~100s of a ~119s scan (gitleaks was 0.4s; the rest of
|
|
19
|
+
a secrets+deps scoped gather was sub-second) — and that audit ran twice (base
|
|
20
|
+
and head) over an unchanged dependency set, so it could not surface anything
|
|
21
|
+
net-new. The same end-to-end check now completes in **~7s**.
|
|
22
|
+
|
|
23
|
+
The skip is **sound and verdict-preserving in ref-based mode only**: a net-new
|
|
24
|
+
dependency vulnerability requires a manifest/lockfile change, and ref-based
|
|
25
|
+
audits both sides against the *same* advisory snapshot, so an unchanged
|
|
26
|
+
dependency is identical on both sides and never net-new. It deliberately does
|
|
27
|
+
**not** apply to committed modes, where the baseline is an older snapshot and a
|
|
28
|
+
newly-disclosed CVE on an unchanged dependency genuinely *is* net-new and must
|
|
29
|
+
still surface. When the change *does* touch a manifest, the audit runs as before
|
|
30
|
+
and net-new critical/high dependency vulnerabilities block normally.
|
|
31
|
+
|
|
32
|
+
- **Manifest patterns are now a pack-declared fact** (CLAUDE.md Rule 6): each
|
|
33
|
+
language pack's `depVulns` capability declares a **required**
|
|
34
|
+
`manifestPatterns` field (its manifests + lockfiles). The skip consults the
|
|
35
|
+
active packs' union via `allDependencyManifestPatterns` /
|
|
36
|
+
`changedFilesTouchDependencyManifest`, so adding a language auto-extends the
|
|
37
|
+
skip's awareness. A pack that adds dependency auditing but omits the patterns
|
|
38
|
+
fails to compile **and** fails `test/languages-contract.test.ts`;
|
|
39
|
+
`test/recipe-playbook.test.ts` proves the union stays pack-driven via a
|
|
40
|
+
synthetic pack.
|
|
41
|
+
|
|
42
|
+
Without `--incremental`, behavior is byte-identical to 2.15. `health`,
|
|
43
|
+
`vulnerabilities`, and `committed-full`/`committed-sanitized` guardrail checks
|
|
44
|
+
are unaffected.
|
|
45
|
+
|
|
46
|
+
## [2.15.0] - 2026-06-22
|
|
47
|
+
|
|
48
|
+
### Fixed — ref-based guardrail no longer false-blocks on `secret-hmac`
|
|
49
|
+
|
|
50
|
+
In ref-based mode (the default for public repos), dxkit mints a locator-less
|
|
51
|
+
`secret-hmac` companion alongside each located `secret` for cross-file
|
|
52
|
+
relocation matching. On a fresh or shallow checkout the two sides of the diff
|
|
53
|
+
can derive different salts, so the companions never match and read as net-new —
|
|
54
|
+
a **false block**, even though the located `secret` twins match correctly.
|
|
55
|
+
`secret-hmac` now joins `duplication` and `test-gap` in the set of kinds
|
|
56
|
+
excluded from the ref-based diff (they can't be gathered comparably across a
|
|
57
|
+
detached worktree). The located `secret` kind still gates net-new credentials;
|
|
58
|
+
only the redundant companion is dropped. **Committed modes are unaffected.**
|
|
59
|
+
|
|
60
|
+
### Added — opt-in `--incremental` for `guardrail check`
|
|
61
|
+
|
|
62
|
+
`vyuh-dxkit guardrail check --incremental` scopes the gather to the analyzers
|
|
63
|
+
the active policy can actually block on (reusing the loop Stop-gate's
|
|
64
|
+
`scopeForPolicy`) and, in ref-based mode, scopes semgrep to the changed files
|
|
65
|
+
on both sides. Same verdict, far less work — the check scales with PR size
|
|
66
|
+
rather than repo size. **Opt-in and verdict-preserving:** without the flag,
|
|
67
|
+
behavior is byte-identical to 2.14; it falls back to a full scan whenever the
|
|
68
|
+
changed set can't be computed completely. The CLI flag exposes what the loop
|
|
69
|
+
Stop-gate already did internally, so a ref-based CI guardrail (or a hosted
|
|
70
|
+
PR-gate) can run the fast path too.
|
|
71
|
+
|
|
72
|
+
### Changed — positioning: two pillars (context + gate)
|
|
73
|
+
|
|
74
|
+
- README hero, package description, and `--help` tagline now lead with both
|
|
75
|
+
pillars: **"a deterministic stop condition and code-graph context layer for
|
|
76
|
+
AI coding agents."** The README opening + "What dxkit does" foreground the
|
|
77
|
+
code graph (callers, callees, blast radius) the agent uses *while making a
|
|
78
|
+
change*, then the deterministic stop-gate that blocks net-new regressions
|
|
79
|
+
*before it exits* — so the graph is no longer undersold as a footnote.
|
|
80
|
+
|
|
10
81
|
## [2.14.0] - 2026-06-22
|
|
11
82
|
|
|
12
83
|
### Changed — the loop Stop-gate gathers far less work per stop
|
|
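Review bot: The 2.16.0 entry's soundness argument for skipping the OSV audit rests on each pack's `manifestPatterns` being complete, but the enforcement it describes (a compile failure plus `test/languages-contract.test.ts`) only catches a pack that omits the field, not one whose patterns miss a file that changes dependency resolution. Suggest saying so in the entry, and stating whether the skip inherits the 2.15.0 rule of falling back to a full scan when the changed set can't be computed completely, since failing open there would hide a manifest change. In the 2.15.0 entry, excluding `secret-hmac` from the ref-based diff also removes the cross-file relocation matching the companion was minted for; one sentence on how a secret moved between files is now classified in ref-based mode would help, along with a note that the divergent salt derivation on fresh or shallow checkouts is worked around here rather than fixed.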
@@ -2189,8 +2260,8 @@ the .NET WinForms benchmark, the JS-heavy customer frontend). All vuln-scan + he
|
|
|
2189
2260
|
|
|
2190
2261
|
C2.5 also surfaced a candidate drift: platform vuln-scan code-only
|
|
2191
2262
|
`10H 7M` vs health `10H 10M`. HIGH agreed; MEDIUM differed by 3.
|
|
2192
|
-
Investigation via an in-process probe (
|
|
2193
|
-
|
|
2263
|
+
Investigation via an in-process probe (running both analyzers
|
|
2264
|
+
sequentially in ONE node process, sharing the
|
|
2194
2265
|
dispatcher cache) showed identical aggregates: `{ high: 10,
|
|
2195
2266
|
medium: 20 }` on both sides. **D109 is NOT a real defect** — the
|
|
2196
2267
|
architecture is sound. The observed drift across separate
|
|
@@ -2288,8 +2359,7 @@ pre-release audit and fixed before ship.
|
|
|
2288
2359
|
pattern (different attribute name) so BoM's legitimate per-package
|
|
2289
2360
|
aggregation is unaffected.
|
|
2290
2361
|
|
|
2291
|
-
- **Recipe codification (G_v4_8 + G_v4_9
|
|
2292
|
-
`tmp/recipe-v4-working-doc.md`)**. Two recipe-playbook
|
|
2362
|
+
- **Recipe codification (G_v4_8 + G_v4_9)**. Two recipe-playbook
|
|
2293
2363
|
synthetic-pack assertions in `test/recipe-playbook.test.ts`
|
|
2294
2364
|
(synthetic depVuln finding flows into `depBySeverity` +
|
|
2295
2365
|
`dependencyAdvisoryUniqueCount`; cross-tool TLS-bypass collapses
|
|
@@ -2676,10 +2746,9 @@ conditions: G2-Opt2 typed-null capability (Swift consumer), G3
|
|
|
2676
2746
|
BENCHMARK_LANGUAGES auto-edit (matrix > 8 packs), G7 pre-commit hook
|
|
2677
2747
|
polish (multi-gate diagnosis cost).
|
|
2678
2748
|
|
|
2679
|
-
### Recipe v4
|
|
2749
|
+
### Recipe v4
|
|
2680
2750
|
|
|
2681
|
-
|
|
2682
|
-
during 10k.2:
|
|
2751
|
+
Surfaced during 10k.2:
|
|
2683
2752
|
|
|
2684
2753
|
- **G_v4_1** — scaffolder TEST_TEMPLATE conflates source-text vs
|
|
2685
2754
|
tool-output parsers. Future contributors must re-derive the
|
|
@@ -2792,10 +2861,8 @@ at every commit in the 10-commit branch.
|
|
|
2792
2861
|
validated end-to-end — the same scan that found bug #1 also
|
|
2793
2862
|
surfaced #2 and #3 once we knew where to look.
|
|
2794
2863
|
|
|
2795
|
-
**Forensic evidence preserved**
|
|
2796
|
-
|
|
2797
|
-
with under-reported BoM) vs `tmp/regression/2.4.5-fixed/dxkit/bom.json`
|
|
2798
|
-
(full enumeration after the fix).
|
|
2864
|
+
**Forensic evidence preserved** comparing the 2.4.4 baseline
|
|
2865
|
+
(under-reported BoM) against the 2.4.5 fix (full enumeration).
|
|
2799
2866
|
|
|
2800
2867
|
|
|
2801
2868
|
|
|
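Review bot: The rewritten "Forensic evidence preserved" sentence still asserts that evidence was kept but no longer says where; the removed lines carried the only location (`tmp/regression/2.4.5-fixed/dxkit/bom.json`). If the `tmp/` artifacts are not shipped, either point to a location readers can reach or reword to say the 2.4.4 and 2.4.5 BoMs were compared, without claiming preservation.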
@@ -2924,8 +2991,7 @@ recipe stress test #2 — fully dynamic language outside the JVM family.
|
|
|
2924
2991
|
Then **2.5.0 (Phase 10i — fingerprints + exec summary across 8-language
|
|
2925
2992
|
matrix)**. Phase 10j.2 (Swift/iOS) is **deferred to post-10rr / pre-3.0.0
|
|
2926
2993
|
opportunistic slot** because Linux/WSL2 development can't validate the
|
|
2927
|
-
xcodeproj-shape majority without macOS access.
|
|
2928
|
-
`tmp/phase-10k-backend-langs-roadmap.md` for the full phase plan.
|
|
2994
|
+
xcodeproj-shape majority without macOS access.
|
|
2929
2995
|
|
|
2930
2996
|
## [2.4.4] - 2026-04-27
|
|
2931
2997
|
|
|
@@ -3012,7 +3078,7 @@ output for non-Kotlin projects.
|
|
|
3012
3078
|
Triage" risk scoring — caught during the regression-check pass
|
|
3013
3079
|
on dxkit's own BoM diff. Cross-ecosystem.test.ts: 444s peak →
|
|
3014
3080
|
174s wall-clock after Recipe v2 (-228s, 51% reduction). Closes
|
|
3015
|
-
D010
|
|
3081
|
+
D010. (`src/languages/capabilities/index.ts`,
|
|
3016
3082
|
`src/analyzers/{health,licenses,quality,security,tests}/...`)
|
|
3017
3083
|
|
|
3018
3084
|
- **`JSCPD_PATTERN` was hardcoded** with `'ts,tsx,js,jsx,py,go,rs,cs'`
|
|
@@ -3211,8 +3277,7 @@ identical output before and after.
|
|
|
3211
3277
|
`generic.ts`, `grep-secrets.ts`, `project-yaml.ts`, `constants.ts`,
|
|
3212
3278
|
`tool-registry.ts`** — all per-language if-chains replaced with
|
|
3213
3279
|
iteration over the `LANGUAGES` registry. 12 of the 14 LP-audit
|
|
3214
|
-
items closed across these files
|
|
3215
|
-
curious).
|
|
3280
|
+
items closed across these files.
|
|
3216
3281
|
|
|
3217
3282
|
### Internal
|
|
3218
3283
|
|
package/README.md
CHANGED
|
@@ -1,11 +1,16 @@
|
|
|
1
1
|
# dxkit
|
|
2
2
|
|
|
3
|
-
**A deterministic
|
|
3
|
+
**A deterministic stop condition and code-graph context layer for AI coding agents.**
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
5
|
+
Autonomous coding loops face two control problems: orienting in the code while
|
|
6
|
+
they make a change, and deciding whether that change made the repository worse
|
|
7
|
+
before they stop.
|
|
8
|
+
|
|
9
|
+
dxkit addresses both. While the agent works, it provides a code graph of
|
|
10
|
+
callers, callees, blast radius, and the files a change touches. Then, when the
|
|
11
|
+
agent tries to stop, dxkit baselines existing findings, reruns trusted checks,
|
|
12
|
+
and blocks only net-new detector-backed regressions with a concrete repair
|
|
13
|
+
reason.
|
|
9
14
|
|
|
10
15
|
In our loop benchmark, vanilla Claude Code-style loops stopped with net-new
|
|
11
16
|
debt in **11 of 16 runs**. A prompt that told the agent to self-check still
|
|
@@ -20,9 +25,10 @@ finding, and the agent repaired before stopping clean.
|
|
|
20
25
|
|
|
21
26
|
dxkit does not reinvent detection. It runs trusted open source scanners
|
|
22
27
|
(gitleaks, Semgrep, OSV, npm audit, and more), and it can ingest results from
|
|
23
|
-
Snyk and CodeQL. What
|
|
24
|
-
|
|
25
|
-
finding
|
|
28
|
+
Snyk and CodeQL. What dxkit adds is the agent-loop layer around those tools: a
|
|
29
|
+
per-stop, baseline-relative verdict of whether this change introduced a new
|
|
30
|
+
finding, returned to the agent with the exact repair reason while the loop is
|
|
31
|
+
still warm.
|
|
26
32
|
|
|
27
33
|
```bash
|
|
28
34
|
npm init @vyuhlabs/dxkit -- --claude-loop --yes # install dxkit + register the Claude Code Stop hook
|
|
@@ -30,12 +36,12 @@ npx vyuh-dxkit baseline create # grandfather today's findings
|
|
|
30
36
|
npx vyuh-dxkit loop doctor # verify the gate is wired
|
|
31
37
|
```
|
|
32
38
|
|
|
33
|
-
The
|
|
39
|
+
The stop verdict has no model in the path: same input, same verdict.
|
|
34
40
|
Existing debt stays grandfathered; only net-new regressions block. Want to
|
|
35
41
|
watch the flow first, on a sandbox dxkit creates? See the
|
|
36
|
-
[
|
|
42
|
+
[fixture gate](#run-a-local-fixture-gate).
|
|
37
43
|
|
|
38
|
-
[Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo)
|
|
44
|
+
[Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo) · [Run the fixture gate](#run-a-local-fixture-gate)
|
|
39
45
|
|
|
40
46
|
<p>
|
|
41
47
|
<a href="https://www.npmjs.com/package/@vyuhlabs/dxkit"><img alt="npm" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit"></a>
|
|
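Review bot: "same input, same verdict" in the added line only holds if the advisory data counts as input. The 2.16.0 changelog entry in this same release notes that in committed modes a newly-disclosed CVE on an unchanged dependency is net-new and must surface, so the same commit can receive a different verdict on a later day. Suggest wording such as "same code, same baseline, same advisory snapshot: same verdict".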
@@ -48,23 +54,27 @@ watch the flow first, on a sandbox dxkit creates? See the
|
|
|
48
54
|
|
|
49
55
|
## The problem: loops do not know when they made things worse
|
|
50
56
|
|
|
51
|
-
An autonomous loop runs until the agent decides it is done. The
|
|
52
|
-
that loop
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
57
|
+
An autonomous loop runs until the agent decides it is done. The common checks in
|
|
58
|
+
that loop (tests, linters, scanners, CI-style commands) usually answer whether
|
|
59
|
+
something is broken or flagged. They do not, by themselves, maintain a
|
|
60
|
+
brownfield baseline and answer the loop-level question: did this change
|
|
61
|
+
introduce something net-new? So an agent can add a feature, leave a new untested
|
|
62
|
+
path or a hardcoded credential behind, run the tests, see green, and declare
|
|
63
|
+
success.
|
|
56
64
|
|
|
57
65
|
In our benchmark this happened in most vanilla runs, and telling the agent to
|
|
58
66
|
check its own work only helped a little.
|
|
59
67
|
|
|
60
68
|
## What dxkit does
|
|
61
69
|
|
|
62
|
-
1. **
|
|
63
|
-
|
|
64
|
-
2. **
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
70
|
+
1. **Build a structural code graph.** dxkit gives the agent callers, callees,
|
|
71
|
+
blast radius, and relevant files so it can orient before editing.
|
|
72
|
+
2. **Baseline today's debt.** `baseline create` records current findings, so
|
|
73
|
+
pre-existing issues are grandfathered and never block.
|
|
74
|
+
3. **Run a deterministic Stop-gate on every stop.** A Claude Code Stop hook
|
|
75
|
+
reruns the guardrail against that baseline. Same input gives the same
|
|
76
|
+
verdict; no model decides whether the gate passes.
|
|
77
|
+
4. **Feed net-new findings back to the agent.** If the change introduced a
|
|
68
78
|
finding, the gate blocks the stop and hands the agent the exact finding to
|
|
69
79
|
fix: do not refresh the baseline, do not touch unrelated debt, fix what this
|
|
70
80
|
branch introduced. The loop stops only when clean.
|
|
@@ -78,11 +88,27 @@ Use dxkit if you let coding agents:
|
|
|
78
88
|
- touch brownfield repos that already carry debt,
|
|
79
89
|
- or work where "new debt" matters more than "all debt."
|
|
80
90
|
|
|
91
|
+
## What dxkit is, and is not
|
|
92
|
+
|
|
93
|
+
**It is a deterministic verification layer.** It baselines today's findings,
|
|
94
|
+
fingerprints them across churn, and blocks only net-new regressions.
|
|
95
|
+
|
|
96
|
+
**It is not a scanner replacement.** It runs and ingests scanners (gitleaks,
|
|
97
|
+
Semgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not
|
|
98
|
+
claim to find more bugs than they do.
|
|
99
|
+
|
|
100
|
+
**It is not an LLM judge.** No model decides whether the gate passes. The model
|
|
101
|
+
can repair findings. The gate itself is deterministic, and the prompt does not
|
|
102
|
+
grow as the baseline grows.
|
|
103
|
+
|
|
104
|
+
**It is not a guarantee of safe code.** It blocks detector-backed net-new
|
|
105
|
+
findings it can observe. You still need tests, review, scanners, and judgment.
|
|
106
|
+
|
|
81
107
|
## Built on tools you already trust
|
|
82
108
|
|
|
83
109
|
dxkit is an orchestration and enforcement layer, not another scanner. It runs
|
|
84
110
|
established open source tools and treats their output as one stream. Which tools
|
|
85
|
-
run depends on the languages in your repo
|
|
111
|
+
run depends on the languages in your repo. dxkit covers **8 ecosystems**
|
|
86
112
|
(TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby).
|
|
87
113
|
|
|
88
114
|
Universal, on every repo:
|
|
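Review bot: In the relocated "It is not a scanner replacement" paragraph, the parenthetical lists SARIF alongside gitleaks, Semgrep, CodeQL and Snyk as a scanner, but SARIF is an interchange format. Suggest "scanners (gitleaks, Semgrep, CodeQL, Snyk) and SARIF output". The last paragraph of the section says the gate blocks only "detector-backed net-new findings it can observe"; naming the kinds the changelog lists as excluded from the ref-based diff (`duplication`, `test-gap`, and now `secret-hmac`) would make that limit concrete.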
@@ -92,8 +118,8 @@ Universal, on every repo:
|
|
|
92
118
|
- dependency advisories: OSV.dev
|
|
93
119
|
- size, duplication, and the code graph: cloc, jscpd, graphify
|
|
94
120
|
|
|
95
|
-
Per language, dxkit adds that ecosystem's own linter and audit tool
|
|
96
|
-
example npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
|
|
121
|
+
Per language, dxkit adds that ecosystem's own linter and audit tool. For
|
|
122
|
+
example, npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
|
|
97
123
|
golangci-lint (Go), cargo-audit + clippy (Rust), `dotnet list --vulnerable`
|
|
98
124
|
(C#), osv-scanner + PMD (Java), osv-scanner + detekt (Kotlin), and
|
|
99
125
|
bundler-audit + RuboCop (Ruby). The full per-language matrix is in **Per-pack
|
|
@@ -114,7 +140,7 @@ and inside the agent loop.
|
|
|
114
140
|
## Try it on your repo
|
|
115
141
|
|
|
116
142
|
The Stop hook runs dxkit on every stop, so install dxkit into the repo. This
|
|
117
|
-
one command adds it as a devDependency and registers the hook additively
|
|
143
|
+
one command adds it as a devDependency and registers the hook additively, so your
|
|
118
144
|
existing `.claude` settings are preserved:
|
|
119
145
|
|
|
120
146
|
```bash
|
|
@@ -128,9 +154,9 @@ npx vyuh-dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired
|
|
|
128
154
|
When the agent tries to stop, dxkit runs the net-new gate against the baseline.
|
|
129
155
|
Existing findings are grandfathered; only findings this change introduced block.
|
|
130
156
|
|
|
131
|
-
##
|
|
157
|
+
## Run a local fixture gate
|
|
132
158
|
|
|
133
|
-
Want
|
|
159
|
+
Want to see the Stop-gate before installing dxkit into your repo?
|
|
134
160
|
|
|
135
161
|
```bash
|
|
136
162
|
npx -y @vyuhlabs/dxkit@latest demo loop-guardrail
|
|
@@ -141,7 +167,7 @@ net-new secret → BLOCK → repair → CLEAN, then it tears the fixture down. N
|
|
|
141
167
|
key and no Claude Code, and your own repo is never touched. It needs gitleaks
|
|
142
168
|
installed and takes about 20 seconds; without gitleaks it shows a clearly
|
|
143
169
|
labelled illustration instead. (It does a one-time `npx` download, so it is not
|
|
144
|
-
fully offline
|
|
170
|
+
fully offline, though the gate itself is.)
|
|
145
171
|
|
|
146
172
|
### Presets: what blocks the loop
|
|
147
173
|
|
|
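Review bot: The completed parenthetical says the demo "is not fully offline, though the gate itself is", yet the command it describes is `npx -y @vyuhlabs/dxkit@latest demo loop-guardrail`, which fetches and runs whatever version is current without a prompt. For a tool that gates on supply-chain findings, suggest showing a pinned version in the fixture command (placeholder `@<version>`) and, if it holds, stating that the package download is the only network access the demo makes.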
@@ -192,18 +218,26 @@ ships, the graph bounds how the loop works.
|
|
|
192
218
|
Three independent benchmark results, one theme: dxkit makes agent work more
|
|
193
219
|
predictable.
|
|
194
220
|
|
|
195
|
-
| Layer | What it bounds | Observed result
|
|
196
|
-
| -------------------------- | ------------------------------------ |
|
|
197
|
-
| **Stop-gate** |
|
|
198
|
-
| **Deterministic identity** | false "net-new" findings under churn | **
|
|
199
|
-
| **Graph context** | large-repo exploration tails | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved
|
|
200
|
-
|
|
201
|
-
**
|
|
202
|
-
loop-safety study measured the "detect on CI, fix later" model:
|
|
203
|
-
net-new finding to a cold session cost
|
|
204
|
-
turns
|
|
205
|
-
re-orient in a context it no longer holds.
|
|
206
|
-
|
|
221
|
+
| Layer | What it bounds | Observed result |
|
|
222
|
+
| -------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
|
|
223
|
+
| **Stop-gate** | net-new detector-backed debt | vanilla loops escaped **11/16** times, prompt-only checklist escaped **9/16**, dxkit escaped **0/16** |
|
|
224
|
+
| **Deterministic identity** | false "net-new" findings under churn | caught **all 3** seeded regressions with **0/2** false blocks on clean edits; **0 false net-new** on tested line shifts and renames |
|
|
225
|
+
| **Graph context** | large-repo exploration tails | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved |
|
|
226
|
+
|
|
227
|
+
**Deferral has a re-orientation cost.** A fourth arm of the
|
|
228
|
+
loop-safety study measured the "detect on CI, fix later" model: on the test-gap
|
|
229
|
+
task, deferring a net-new finding to a cold session cost **~49% more in
|
|
230
|
+
equivalent cost** and **~51% more turns** than repairing it inside the warm loop,
|
|
231
|
+
because the cold fixer has to re-orient in a context it no longer holds. (The
|
|
232
|
+
secret-task premium pointed the same way but was weak (mean +19%, median
|
|
233
|
+
slightly negative), so we lean on the robust test-gap result.) So the gate is not
|
|
234
|
+
just safer than deferring, it is plausibly cheaper too.
|
|
235
|
+
|
|
236
|
+
**And the gate is fast enough to run on every stop.** dxkit 2.14.0 scopes the
|
|
237
|
+
Stop-gate scan to the active preset's blockable finding kinds and re-scans only
|
|
238
|
+
the changed files, reusing cached results for everything unchanged. The verdict
|
|
239
|
+
is identical to a full scan; the cost is seconds per stop, not minutes, even on
|
|
240
|
+
large repositories.
|
|
207
241
|
|
|
208
242
|
> **Benchmark caveats:** the loop-safety study uses controlled synthetic tasks
|
|
209
243
|
> plus real-repo validation, detector-backed findings, and Sonnet runs. It is
|
|
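Review bot: The new "fast enough to run on every stop" paragraph states that the scoped scan's verdict "is identical to a full scan" without the condition the changelog attaches to the CLI equivalent: the incremental path falls back to a full scan whenever the changed set can't be computed completely. Suggest adding that fallback here, since the identical-verdict claim depends on it. In the table, "0/2 false blocks" and "all 3 seeded regressions" are small samples; keep the counts, but link the row to the benchmark caveats block so the sample size is read in context.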
@@ -214,22 +248,6 @@ deferring, it is cheaper.
|
|
|
214
248
|
Full methodology, reproducibility notes, artifact status, and caveats are in
|
|
215
249
|
**[docs/benchmarks.md](docs/benchmarks.md)**.
|
|
216
250
|
|
|
217
|
-
## What dxkit is, and is not
|
|
218
|
-
|
|
219
|
-
**It is a deterministic verification layer.** It baselines today's findings,
|
|
220
|
-
fingerprints them across churn, and blocks only net-new regressions.
|
|
221
|
-
|
|
222
|
-
**It is not a scanner replacement.** It runs and ingests scanners (gitleaks,
|
|
223
|
-
Semgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not
|
|
224
|
-
claim to find more bugs than they do.
|
|
225
|
-
|
|
226
|
-
**It is not an LLM judge.** No model decides whether the gate passes. The model
|
|
227
|
-
can repair findings. The gate itself is deterministic, and the prompt does not
|
|
228
|
-
grow as the baseline grows.
|
|
229
|
-
|
|
230
|
-
**It is not a guarantee of safe code.** It blocks detector-backed net-new
|
|
231
|
-
findings it can observe. You still need tests, review, scanners, and judgment.
|
|
232
|
-
|
|
233
251
|
## Why not just Snyk, SonarQube, or CodeQL?
|
|
234
252
|
|
|
235
253
|
Use them. dxkit can ingest their findings. The difference is tempo and control,
|
|
@@ -240,7 +258,7 @@ every time the agent tries to declare done.
|
|
|
240
258
|
| Loop Stop-gate need | dxkit | Cloud or CI scanners |
|
|
241
259
|
| ----------------------------------------------------------- | ----- | -------------------------------------- |
|
|
242
260
|
| Runs locally on every stop, in seconds | yes | usually CI or cloud cadence |
|
|
243
|
-
|
|
|
261
|
+
| Deterministic verdict, no model in the gate | yes | varies (some add an LLM judge) |
|
|
244
262
|
| Grandfathers existing debt | yes | tool-dependent |
|
|
245
263
|
| Feeds the exact block reason back to the warm agent session | yes | usually a human-facing dashboard or PR |
|
|
246
264
|
|
|
@@ -273,7 +291,7 @@ cloc, jscpd, graphify).
|
|
|
273
291
|
| Ruby | `Gemfile`, `*.rb` | RuboCop, bundler-audit |
|
|
274
292
|
|
|
275
293
|
<details>
|
|
276
|
-
<summary><strong>Per-pack capabilities</strong
|
|
294
|
+
<summary><strong>Per-pack capabilities</strong>: coverage import, import-graph, severity tiers (click to expand)</summary>
|
|
277
295
|
|
|
278
296
|
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
279
297
|
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
@@ -300,8 +318,8 @@ so it does not inflate the Code Quality score.
|
|
|
300
318
|
|
|
301
319
|
## Reproduce the deterministic tier
|
|
302
320
|
|
|
303
|
-
The deterministic results
|
|
304
|
-
matcher
|
|
321
|
+
The deterministic results (the net-new gate decision and the finding-identity
|
|
322
|
+
matcher) reproduce offline with no API key, so you do not have to trust our
|
|
305
323
|
numbers. These harnesses live in `benchmarks/`:
|
|
306
324
|
|
|
307
325
|
```bash
|
|
@@ -10,8 +10,6 @@
|
|
|
10
10
|
* allowlist file reader/writer, the inline-annotation parser, the
|
|
11
11
|
* CLI, the block-time hint formatter, and the new `allowlistHits`
|
|
12
12
|
* baseline producer.
|
|
13
|
-
*
|
|
14
|
-
* See tmp/2.6-allowlist-design.md for the design discussion.
|
|
15
13
|
*/
|
|
16
14
|
import type { IdentityKind } from '../baseline/producers';
|
|
17
15
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,kGAMjB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,WAAW,CAAC,iBAAiB,CAG7D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,iBAAiB,CAItE,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,YAAY,CAO5D,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,iBAAiB,EAAE,CAAC,CA6C3F,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAErF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAEnE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAE/F;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,IAAiB,GAAG,MAAM,CAIhE"}
|
|
@@ -11,8 +11,6 @@
|
|
|
11
11
|
* allowlist file reader/writer, the inline-annotation parser, the
|
|
12
12
|
* CLI, the block-time hint formatter, and the new `allowlistHits`
|
|
13
13
|
* baseline producer.
|
|
14
|
-
*
|
|
15
|
-
* See tmp/2.6-allowlist-design.md for the design discussion.
|
|
16
14
|
*/
|
|
17
15
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
18
16
|
exports.DEFAULT_EXPIRY_DAYS = exports.CATEGORIES_BY_KIND = exports.INLINE_COMPATIBLE_KINDS = exports.INLINE_COMPATIBLE_CATEGORIES = exports.EXPIRING_CATEGORIES = exports.ALL_CATEGORIES = void 0;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAoJH,oCAEC;AAMD,wCAEC;AAQD,wDAEC;AAmBD,8CAIC;AA3LD;;;;;;GAMG;AACU,QAAA,cAAc,GAAG;IAC5B,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,UAAU;CACF,CAAC;AAIX;;;;;;;;;;;GAWG;AACU,QAAA,mBAAmB,GAAmC,IAAI,GAAG,CAAC;IACzE,eAAe;IACf,UAAU;CACX,CAAC,CAAC;AAEH;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAmC,IAAI,GAAG,CAAC;IAClF,gBAAgB;IAChB,cAAc;IACd,sBAAsB;CACvB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACU,QAAA,uBAAuB,GAA8B,IAAI,GAAG,CAAe;IACtF,QAAQ;IACR,aAAa;IACb,MAAM;IACN,QAAQ;IACR,UAAU;IACV,SAAS;CACV,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACU,QAAA,kBAAkB,GAAiE;IAC9F,yDAAyD;IACzD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC/F,aAAa,EAAE;QACb,gBAAgB;QAChB,cAAc;QACd,sBAAsB;QACtB,eAAe;QACf,UAAU;KACX;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7F,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE/F,uEAAuE;IACvE,+BAA+B;IAC/B,UAAU,EAAE,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAEnF,iEAAiE;IACjE,uDAAuD;IACvD,WAAW,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE5D,qEAAqE;IACrE,iCAAiC;IACjC,cAAc,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAC7C,UAAU,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IACzC,uBAAuB,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtD,oEAAoE;IACpE,kEAAkE;IAClE,UAAU,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC3D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE7D,6DAA6D;IAC7D,8DAA8D;IAC9D,OAAO,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtC,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,6DAA6D;IAC7D,iEAAiE;IACjE,8DAA8D;IAC9D,YAAY;IACZ,aAAa,EAAE,EAAE;CAClB,CAAC;AAEF;;;;;;;;;GASG;AACH,SAAgB,YAAY,CAAC,IAAkB,EAAE,QAA2B;IAC1E,OAAO,+BAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,oCAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,QAA2B;IACxD,OAAO,2BAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAkB,EAAE,QAA2B;IACpF,OAA
O,0BAAkB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACU,QAAA,mBAAmB,GAAG,EAAE,CAAC;AAEtC;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,MAAY,IAAI,IAAI,EAAE;IACtD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,2BAAmB,CAAC,CAAC;IAC/D,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5C,CAAC"}
|
|
@@ -386,7 +386,7 @@ if __name__ == '__main__':
|
|
|
386
386
|
# 2.7 Sprint 1: emit nodes / edges / communities / symbolIndex alongside
|
|
387
387
|
# the aggregate metrics. Consumers (explore CLI, dashboard viz, future
|
|
388
388
|
# 2.8 context CLI + reachability) read this via src/explore/load.ts.
|
|
389
|
-
# Schema contract
|
|
389
|
+
# Schema contract: the GraphJson interface in src/explore/types.ts.
|
|
390
390
|
|
|
391
391
|
# Determine class membership: a module-shaped node is a CLASS if it has
|
|
392
392
|
# outbound 'method' edges to other nodes (it's the owner). A function-
|
|
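Review bot: the reworded comment at line 389 is the only thing visible here that ties this emitter's output (nodes, edges, communities, symbolIndex) to the GraphJson interface in src/explore/types.ts, so the two can drift apart without anything failing. Consider emitting a schema version field that the loader in src/explore/load.ts checks, or a test that validates the emitted JSON against GraphJson, and name in the comment whichever one enforces the contract.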
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vendored-advisor.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;
|
|
1
|
+
{"version":3,"file":"vendored-advisor.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AA0DH;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAGtD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAE/F"}
|
|
@@ -82,9 +82,7 @@ const SUSPECT_VENDORED_TOKENS = [
|
|
|
82
82
|
// analyzes the customer's repo via graphify (looking for files with
|
|
83
83
|
// proxy-shape signatures — high class:method ratio, no autogen
|
|
84
84
|
// header, anomalous file size), and proposes `.dxkit-ignore`
|
|
85
|
-
// entries.
|
|
86
|
-
// 2026-05-17 — see `tmp/next-session-graphify-deep-dive.md` and
|
|
87
|
-
// `tmp/graphify-capabilities-expansion.md`.
|
|
85
|
+
// entries.
|
|
88
86
|
/**
|
|
89
87
|
* Check if a relative POSIX path contains a suspect-vendored token.
|
|
90
88
|
* Anchors the check with leading slash so `/libs/` matches a directory
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vendored-advisor.js","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;
|
|
1
|
+
{"version":3,"file":"vendored-advisor.js","sourceRoot":"","sources":["../../../src/analyzers/tools/vendored-advisor.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;AA+DH,sCAGC;AAQD,wDAEC;AA1ED;;;;;;;;;;;GAWG;AACH,MAAM,uBAAuB,GAAG;IAC9B,QAAQ;IACR,eAAe;IACf,cAAc;IACd,sBAAsB;IACtB,WAAW;IACX,YAAY;IACZ,WAAW;IACX,eAAe;IACf,eAAe;IACf,YAAY;IACZ,gEAAgE;IAChE,kEAAkE;IAClE,gEAAgE;IAChE,aAAa;IACb,WAAW;IACX,UAAU;IACV,UAAU;IACV,WAAW;IACX,qEAAqE;IACrE,qEAAqE;IACrE,+DAA+D;IAC/D,SAAS;IACT,UAAU;IACV,SAAS;IACT,mEAAmE;IACnE,kEAAkE;IAClE,0CAA0C;IAC1C,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;CACnB,CAAC;AAEF,+DAA+D;AAC/D,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAC9D,gEAAgE;AAChE,oEAAoE;AACpE,+DAA+D;AAC/D,6DAA6D;AAC7D,WAAW;AAEX;;;;GAIG;AACH,SAAgB,aAAa,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAA6B,KAAuB;IACxF,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC"}
|
package/dist/baseline/check.d.ts
CHANGED
|
@@ -98,14 +98,21 @@ export interface RunGuardrailCheckOptions {
|
|
|
98
98
|
*/
|
|
99
99
|
readonly scope?: GatherScope;
|
|
100
100
|
/**
|
|
101
|
-
* Incremental scanning (opt 3): when true,
|
|
102
|
-
*
|
|
103
|
-
*
|
|
104
|
-
*
|
|
105
|
-
*
|
|
106
|
-
*
|
|
107
|
-
*
|
|
108
|
-
*
|
|
101
|
+
* Incremental scanning (opt 3): when true, semgrep scans only files that
|
|
102
|
+
* changed vs the comparison base, instead of the whole tree. Sound for a
|
|
103
|
+
* net-new gate (semgrep is intraprocedural — a net-new code finding only
|
|
104
|
+
* appears in a changed file). Scope by mode:
|
|
105
|
+
* - committed: only the CURRENT side is scoped (the prior side is the
|
|
106
|
+
* on-disk, already-full baseline), against the baseline's commit.
|
|
107
|
+
* - ref-based: the changed set is fully computable (`diff(ref, HEAD)`),
|
|
108
|
+
* so BOTH the ref side and the current side are scoped to the SAME
|
|
109
|
+
* set, keeping the cross-run diff symmetric. This makes a ref-based
|
|
110
|
+
* guardrail (CI, pre-push, the hosted PR gate) scale with PR size
|
|
111
|
+
* rather than repo size.
|
|
112
|
+
* Falls back to a full scan when the changed set can't be computed
|
|
113
|
+
* completely. Opt-in: the loop Stop-gate sets it, and `guardrail check
|
|
114
|
+
* --incremental` exposes it on the CLI; otherwise it stays false so the
|
|
115
|
+
* full report is unaffected.
|
|
109
116
|
*/
|
|
110
117
|
readonly incremental?: boolean;
|
|
111
118
|
}
|
|
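Review bot: the soundness argument at new lines 102-104 ("semgrep is intraprocedural") holds only while every rule is evaluated one file at a time and the same rule set runs on both sides, and the comment should state both assumptions. A change to the rules or ignore configuration between the comparison base and the current side can alter findings in files that the changed set never lists. New lines 112-113 also say the check falls back to a full scan when the changed set can't be computed completely, but not which conditions trigger the fallback or whether the result reports that it happened. Documenting both would let a CI or pre-push caller tell a scoped run from a full one.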
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/baseline/check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAO5C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAAE,gBAAgB,EAAmB,cAAc,EAAE,MAAM,UAAU,CAAC;AAElF,OAAO,EAAE,KAAK,WAAW,
|
|
1
|
+
{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/baseline/check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAMH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAO5C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAKhD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,OAAO,KAAK,EAAE,gBAAgB,EAAmB,cAAc,EAAE,MAAM,UAAU,CAAC;AAElF,OAAO,EAAE,KAAK,WAAW,EAA8B,MAAM,gBAAgB,CAAC;AAI9E,OAAO,KAAK,EAAE,aAAa,EAAa,eAAe,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAGjG,OAAO,EAAyB,KAAK,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAE/E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAEjE,MAAM,WAAW,wBAAwB;IACvC,oEAAoE;IACpE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB;gCAC4B;IAC5B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;2DAEuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;gBAEY;IACZ,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAC/B;;;;;0CAKsC;IACtC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;;uEAKmE;IACnE,QAAQ,CAAC,MAAM,CAAC,EAAE,gBAAgB,CAAC;IACnC,sEAAsE;IACtE,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B;;8CAE0C;IAC1C,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACrC;;oBAEgB;IAChB,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC;2DACuD;IACvD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;;;OASG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC;IAC7B;;;;;;;;;;;;;;;;OAgBG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;CAChC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;mEAC+D;IAC/D,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC;gCAC4B;IAC5B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC;mCAC+B;IAC/B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;;;uBAKmB;IACnB,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC;;;;;yEAKqE;IACrE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,oBAAoB,CAAC;CACvD;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,EAAE,iBAAiB,CAAC;IACrC;mCAC+B;IAC/B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,C
AAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,oBAAoB,EAAE,OAAO,CAAC;IACvC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,6DAA6D;IAC7D,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,eAAe,EAAE,MAAM,GAAG,SAAS,CAAC;QAC7C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,SAAS,CAAC;KAC7C,CAAC,CAAC;IACH;;;;kDAI8C;IAC9C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;CACtD;AAED,MAAM,WAAW,oBAAoB;IACnC;;uDAEmD;IACnD,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B;;uCAEmC;IACnC,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC;IAC9B,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAC9C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC;+BAC2B;IAC3B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB;sCACkC;IAClC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;;;;yDAIqD;IACrD,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;;;;;;;;mEAQ+D;IAC/D,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC;QACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;QACrC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;KAC/B,CAAC,CAAC;CACJ;AAkCD;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CAAC,CAAC,SAAS;IAAE,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAE,EACzF,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,EAC/B,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC,EACjC,UAAU,EAAE,OAAO,GAClB;IACD,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAChC,eAAe,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAClC,gBAAgB,EAAE,oBAAoB,CAAC,kBAAkB,CAAC,CAAC;CAC5D,CAoBA;AAwBD;;;;GAIG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,wBAAwB,GAChC,OAAO,CAAC,oBAAoB,CAAC,CAiR/B;AA8KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CACrC,SAAS,EAAE,aAAa,EACxB,WAAW,EAAE,aAAa,EAC1B,GAAG,EAAE,IAAI,GACR,oBAAoB,GAAG,SAAS,CAYlC"}
|