@vyuhlabs/dxkit 2.4.6 → 2.4.8
- package/CHANGELOG.md +1076 -0
- package/README.md +132 -27
- package/dist/analysis-result.d.ts +112 -0
- package/dist/analysis-result.d.ts.map +1 -0
- package/dist/analysis-result.js +52 -0
- package/dist/analysis-result.js.map +1 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -1
- package/dist/analyzers/bom/detailed.js +19 -0
- package/dist/analyzers/bom/detailed.js.map +1 -1
- package/dist/analyzers/bom/gather.d.ts +27 -26
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +26 -87
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +0 -7
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +98 -48
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -13
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +95 -0
- package/dist/analyzers/cache.d.ts.map +1 -0
- package/dist/analyzers/cache.js +309 -0
- package/dist/analyzers/cache.js.map +1 -0
- package/dist/analyzers/coverage-runner.d.ts +56 -0
- package/dist/analyzers/coverage-runner.d.ts.map +1 -0
- package/dist/analyzers/coverage-runner.js +72 -0
- package/dist/analyzers/coverage-runner.js.map +1 -0
- package/dist/analyzers/dashboard/index.d.ts +24 -0
- package/dist/analyzers/dashboard/index.d.ts.map +1 -0
- package/dist/analyzers/dashboard/index.js +667 -0
- package/dist/analyzers/dashboard/index.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +205 -37
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/developer/index.d.ts +1 -1
- package/dist/analyzers/developer/index.d.ts.map +1 -1
- package/dist/analyzers/developer/index.js +21 -9
- package/dist/analyzers/developer/index.js.map +1 -1
- package/dist/analyzers/dispatcher.d.ts +52 -0
- package/dist/analyzers/dispatcher.d.ts.map +1 -1
- package/dist/analyzers/dispatcher.js +92 -9
- package/dist/analyzers/dispatcher.js.map +1 -1
- package/dist/analyzers/docs/shallow.d.ts +17 -5
- package/dist/analyzers/docs/shallow.d.ts.map +1 -1
- package/dist/analyzers/docs/shallow.js +65 -2
- package/dist/analyzers/docs/shallow.js.map +1 -1
- package/dist/analyzers/dx/shallow.d.ts +17 -5
- package/dist/analyzers/dx/shallow.d.ts.map +1 -1
- package/dist/analyzers/dx/shallow.js +66 -2
- package/dist/analyzers/dx/shallow.js.map +1 -1
- package/dist/analyzers/health/actions.d.ts +1 -1
- package/dist/analyzers/health/actions.d.ts.map +1 -1
- package/dist/analyzers/health/actions.js +27 -9
- package/dist/analyzers/health/actions.js.map +1 -1
- package/dist/analyzers/health/detailed.d.ts +2 -1
- package/dist/analyzers/health/detailed.d.ts.map +1 -1
- package/dist/analyzers/health/detailed.js +11 -7
- package/dist/analyzers/health/detailed.js.map +1 -1
- package/dist/analyzers/health.d.ts +27 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +282 -34
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/licenses/gather.d.ts +35 -8
- package/dist/analyzers/licenses/gather.d.ts.map +1 -1
- package/dist/analyzers/licenses/gather.js +86 -13
- package/dist/analyzers/licenses/gather.js.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +52 -11
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/licenses/types.d.ts +15 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.d.ts +17 -5
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.js +80 -2
- package/dist/analyzers/maintainability/shallow.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +4 -6
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.d.ts +1 -14
- package/dist/analyzers/quality/gather.d.ts.map +1 -1
- package/dist/analyzers/quality/gather.js +48 -137
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/quality/index.d.ts +9 -2
- package/dist/analyzers/quality/index.d.ts.map +1 -1
- package/dist/analyzers/quality/index.js +197 -117
- package/dist/analyzers/quality/index.js.map +1 -1
- package/dist/analyzers/quality/shallow.d.ts +50 -5
- package/dist/analyzers/quality/shallow.d.ts.map +1 -1
- package/dist/analyzers/quality/shallow.js +155 -2
- package/dist/analyzers/quality/shallow.js.map +1 -1
- package/dist/analyzers/quality/types.d.ts +14 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -1
- package/dist/analyzers/security/actions.d.ts +11 -4
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +87 -37
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +236 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -0
- package/dist/analyzers/security/aggregator.js +349 -0
- package/dist/analyzers/security/aggregator.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +2 -2
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +10 -9
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +104 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +299 -9
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts +15 -0
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +463 -50
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/shallow.d.ts +50 -6
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +154 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +51 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +2 -3
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tests/gather.d.ts +2 -1
- package/dist/analyzers/tests/gather.d.ts.map +1 -1
- package/dist/analyzers/tests/gather.js +98 -69
- package/dist/analyzers/tests/gather.js.map +1 -1
- package/dist/analyzers/tests/index.d.ts +11 -2
- package/dist/analyzers/tests/index.d.ts.map +1 -1
- package/dist/analyzers/tests/index.js +83 -18
- package/dist/analyzers/tests/index.js.map +1 -1
- package/dist/analyzers/tests/shallow.d.ts +19 -5
- package/dist/analyzers/tests/shallow.d.ts.map +1 -1
- package/dist/analyzers/tests/shallow.js +89 -2
- package/dist/analyzers/tests/shallow.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +41 -1
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tools/autogen-header.d.ts +8 -0
- package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
- package/dist/analyzers/tools/autogen-header.js +107 -0
- package/dist/analyzers/tools/autogen-header.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -1
- package/dist/analyzers/tools/cloc.js +36 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/deadline.d.ts +67 -0
- package/dist/analyzers/tools/deadline.d.ts.map +1 -0
- package/dist/analyzers/tools/deadline.js +81 -0
- package/dist/analyzers/tools/deadline.js.map +1 -0
- package/dist/analyzers/tools/debug-statements.d.ts +17 -0
- package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
- package/dist/analyzers/tools/debug-statements.js +58 -0
- package/dist/analyzers/tools/debug-statements.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
- package/dist/analyzers/tools/exclusions.d.ts +33 -6
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +95 -26
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts +17 -2
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +206 -109
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +48 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +30 -2
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +131 -15
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts +12 -2
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +129 -6
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/lint-label.d.ts +29 -0
- package/dist/analyzers/tools/lint-label.d.ts.map +1 -0
- package/dist/analyzers/tools/lint-label.js +23 -0
- package/dist/analyzers/tools/lint-label.js.map +1 -0
- package/dist/analyzers/tools/minified-detection.d.ts +9 -0
- package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
- package/dist/analyzers/tools/minified-detection.js +147 -0
- package/dist/analyzers/tools/minified-detection.js.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts +133 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.js +177 -0
- package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
- package/dist/analyzers/tools/osv.d.ts +36 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +26 -0
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +2 -2
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/report-date.d.ts +17 -0
- package/dist/analyzers/tools/report-date.d.ts.map +1 -0
- package/dist/analyzers/tools/report-date.js +26 -0
- package/dist/analyzers/tools/report-date.js.map +1 -0
- package/dist/analyzers/tools/risk-score.d.ts +7 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
- package/dist/analyzers/tools/risk-score.js +9 -2
- package/dist/analyzers/tools/risk-score.js.map +1 -1
- package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
- package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
- package/dist/analyzers/tools/run-tests-helper.js +156 -0
- package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +75 -12
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +39 -2
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +131 -9
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/timing.d.ts +17 -3
- package/dist/analyzers/tools/timing.d.ts.map +1 -1
- package/dist/analyzers/tools/timing.js +36 -14
- package/dist/analyzers/tools/timing.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +11 -1
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.js +107 -0
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
- package/dist/analyzers/tools/walk-paths.d.ts +78 -0
- package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-paths.js +150 -0
- package/dist/analyzers/tools/walk-paths.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-source-files.js +369 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -0
- package/dist/analyzers/types.d.ts +204 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +8 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +581 -189
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -7
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +103 -53
- package/dist/doctor.js.map +1 -1
- package/dist/languages/capabilities/provider.d.ts +130 -1
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +68 -7
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +15 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +624 -146
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +89 -11
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +132 -2
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +207 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +113 -26
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +132 -26
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +149 -44
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts +39 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +178 -44
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +103 -16
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +228 -5
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +201 -14
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/documentation.d.ts +53 -0
- package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
- package/dist/scoring/dimensions/documentation.js +106 -0
- package/dist/scoring/dimensions/documentation.js.map +1 -0
- package/dist/scoring/dimensions/dx.d.ts +53 -0
- package/dist/scoring/dimensions/dx.d.ts.map +1 -0
- package/dist/scoring/dimensions/dx.js +105 -0
- package/dist/scoring/dimensions/dx.js.map +1 -0
- package/dist/scoring/dimensions/maintainability.d.ts +53 -0
- package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
- package/dist/scoring/dimensions/maintainability.js +101 -0
- package/dist/scoring/dimensions/maintainability.js.map +1 -0
- package/dist/scoring/dimensions/quality.d.ts +108 -0
- package/dist/scoring/dimensions/quality.d.ts.map +1 -0
- package/dist/scoring/dimensions/quality.js +174 -0
- package/dist/scoring/dimensions/quality.js.map +1 -0
- package/dist/scoring/dimensions/security.d.ts +84 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -0
- package/dist/scoring/dimensions/security.js +135 -0
- package/dist/scoring/dimensions/security.js.map +1 -0
- package/dist/scoring/dimensions/testing.d.ts +56 -0
- package/dist/scoring/dimensions/testing.d.ts.map +1 -0
- package/dist/scoring/dimensions/testing.js +98 -0
- package/dist/scoring/dimensions/testing.js.map +1 -0
- package/dist/scoring/evaluator.d.ts +27 -0
- package/dist/scoring/evaluator.d.ts.map +1 -0
- package/dist/scoring/evaluator.js +124 -0
- package/dist/scoring/evaluator.js.map +1 -0
- package/dist/scoring/format.d.ts +34 -0
- package/dist/scoring/format.d.ts.map +1 -0
- package/dist/scoring/format.js +63 -0
- package/dist/scoring/format.js.map +1 -0
- package/dist/scoring/index.d.ts +37 -0
- package/dist/scoring/index.d.ts.map +1 -0
- package/dist/scoring/index.js +57 -0
- package/dist/scoring/index.js.map +1 -0
- package/dist/scoring/overall.d.ts +54 -0
- package/dist/scoring/overall.d.ts.map +1 -0
- package/dist/scoring/overall.js +76 -0
- package/dist/scoring/overall.js.map +1 -0
- package/dist/scoring/result.d.ts +111 -0
- package/dist/scoring/result.d.ts.map +1 -0
- package/dist/scoring/result.js +14 -0
- package/dist/scoring/result.js.map +1 -0
- package/dist/scoring/spec.d.ts +76 -0
- package/dist/scoring/spec.d.ts.map +1 -0
- package/dist/scoring/spec.js +22 -0
- package/dist/scoring/spec.js.map +1 -0
- package/dist/scoring/thresholds.d.ts +56 -0
- package/dist/scoring/thresholds.d.ts.map +1 -0
- package/dist/scoring/thresholds.js +75 -0
- package/dist/scoring/thresholds.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +21 -2
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +16 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/commands/dashboard.md +17 -9
- package/dist/analyzers/scoring.d.ts +0 -49
- package/dist/analyzers/scoring.d.ts.map +0 -1
- package/dist/analyzers/scoring.js +0 -422
- package/dist/analyzers/scoring.js.map +0 -1
- package/dist/analyzers/security/scoring.d.ts +0 -29
- package/dist/analyzers/security/scoring.d.ts.map +0 -1
- package/dist/analyzers/security/scoring.js +0 -40
- package/dist/analyzers/security/scoring.js.map +0 -1
package/README.md
|
@@ -32,11 +32,11 @@ npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks
|
|
|
32
32
|
|
|
33
33
|
The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
|
|
34
34
|
|
|
35
|
-
> **Already installed dxkit globally
|
|
35
|
+
> **Already installed dxkit globally?** Globals don't auto-update. If you previously ran `npm install -g @vyuhlabs/dxkit`, the `vyuh-dxkit` binary on your PATH stays pinned to whatever version was installed then; running `vyuh-dxkit` (without `npx`) keeps using the pinned version. To pick up the latest fixes, either upgrade the global or remove it and rely on `npx` (which fetches the requested version on demand):
|
|
36
36
|
>
|
|
37
37
|
> ```bash
|
|
38
38
|
> npm install -g @vyuhlabs/dxkit@latest
|
|
39
|
-
> # or
|
|
39
|
+
> # or:
|
|
40
40
|
> npm uninstall -g @vyuhlabs/dxkit
|
|
41
41
|
> ```
|
|
42
42
|
|
|
@@ -44,33 +44,39 @@ The two modes are complementary. The analyzers run anywhere; the scaffolder writ
|
|
|
44
44
|
|
|
45
45
|
## Analyzer CLI (`vyuh-dxkit <command>`)
|
|
46
46
|
|
|
47
|
-
Seven deterministic analyzers. Each emits a markdown report to `.dxkit/reports/` and
|
|
47
|
+
Seven deterministic analyzers + a one-shot orchestrator. Each emits a markdown report to `.dxkit/reports/` and a structured JSON file the dashboard reads.
|
|
48
48
|
|
|
49
49
|
| Command | What it does | Runtime | Output |
|
|
50
50
|
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | --------------------------------------------- |
|
|
51
51
|
| `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.dxkit/reports/health-audit-<date>.md` |
|
|
52
52
|
| `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (enriched with EPSS exploit probability, CISA KEV catalog, reachability from your source, composite riskScore; per-advisory detail in `--detailed`) | 5–30s | `.dxkit/reports/vulnerability-scan-<date>.md` |
|
|
53
|
-
| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins)
|
|
53
|
+
| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins). Headline coverage carries a `coverageFidelity` tier; banners surface heuristic-vs-line-coverage trust. | <1s | `.dxkit/reports/test-gaps-<date>.md` |
|
|
54
54
|
| `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.dxkit/reports/quality-review-<date>.md` |
|
|
55
|
-
| `dev-report` | Commits, contributors, hot files, velocity, conventional %
|
|
55
|
+
| `dev-report` | Commits, contributors, hot files (autogen-filtered), weekly velocity (with zero-rows for empty weeks), conventional % | <1s | `.dxkit/reports/developer-report-<date>.md` |
|
|
56
56
|
| `licenses` | Dependency license inventory across every active pack (TS, Python, Go, Rust, C#; Kotlin + Java omitted — no canonical CLI license tool for Maven/Gradle ecosystems) | 5–20s | `.dxkit/reports/licenses-<date>.md` |
|
|
57
57
|
| `bom` | **Bill of Materials** — joins licenses + vulns per package, groups by top-level manifest dep (Snyk-style), enriches with CISA KEV + EPSS + reachability, ranks by composite risk score with "This Week's Triage" summary, aggregates nested sub-projects, `--filter=top-level` collapses transitive rows, 15-col XLSX | 10–40s | `.dxkit/reports/bom-<date>.{md,xlsx}` |
|
|
58
|
+
| `coverage` | Side-effecting — runs each active pack's `test-with-coverage` command to materialize the artifact `test-gaps` / `health` read back. Use this once before analysis, or pass `--with-coverage` to the analyzer. | 1–10m | per-pack artifact (`coverage.json` etc.) |
|
|
59
|
+
| `dashboard` | Renders every report under `.dxkit/reports/` into a single HTML page (tiles + per-report tabs + cross-cutting "Critical Issues at a Glance"). Reads `*-detailed.json` (written unconditionally as of 2.4.7). | <1s | `.dxkit/reports/dashboard.html` |
|
|
60
|
+
| `report` | **One-shot full audit** — runs every analyzer + dashboard in dependency order. `--with-coverage` materializes coverage once upfront so both `health` and `test-gaps` benefit without re-running tests per analyzer. | 5–15m | every output above + dashboard |
|
|
58
61
|
|
|
59
62
|
Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bom` detailed JSON as the canonical 15-column XLSX.
|
|
60
63
|
|
|
61
64
|
### Flags (apply to all analyzer commands)
|
|
62
65
|
|
|
63
|
-
| Flag
|
|
64
|
-
|
|
|
65
|
-
| `--detailed`
|
|
66
|
-
| `--json`
|
|
67
|
-
| `--verbose`
|
|
68
|
-
| `--no-save`
|
|
69
|
-
| `--xlsx`
|
|
70
|
-
| `-o <file>`
|
|
71
|
-
| `--since <date>`
|
|
72
|
-
| `--filter`
|
|
73
|
-
| `--no-nested`
|
|
66
|
+
| Flag | Effect |
|
|
67
|
+
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
68
|
+
| `--detailed` | Surface the success-log line for the detailed report. (As of 2.4.7 the `-detailed.json` + `-detailed.md` files are written **unconditionally** so the dashboard always finds fresh input — this flag only controls the console-side noise.) |
|
|
69
|
+
| `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
|
|
70
|
+
| `--verbose` | Print per-tool timing to stderr |
|
|
71
|
+
| `--no-save` | Skip writing markdown; useful with `--json` |
|
|
72
|
+
| `--xlsx` | (`licenses`, `bom` only) Also write 15-col `.xlsx` — drop-in for spreadsheet workflows |
|
|
73
|
+
| `-o <file>` | (`licenses`, `bom`, `to-xlsx`) Override output path for xlsx / converted file |
|
|
74
|
+
| `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
|
|
75
|
+
| `--filter` | (`bom` only) `all` (default) or `top-level` — keep only root manifest deps; the byTopLevelDep rollup still reflects transitives |
|
|
76
|
+
| `--no-nested` | (`bom` only) Disable nested-project aggregation. Default discovers every sub-project with a language manifest under cwd and merges their BOMs |
|
|
77
|
+
| `--with-coverage` | (`health`, `test-gaps`, `report`) Materialize coverage artifacts via per-pack `runTests()` **before** analysis. Promotes the headline from filename-match heuristic to `line-coverage` truth. With `report`, runs once upfront — health + test-gaps share the artifact. |
|
|
78
|
+
| `--lang <id>` | (`coverage`, `--with-coverage`) Restrict to one pack id when the repo is polyglot |
|
|
79
|
+
| `--no-fail-fast` | (`coverage`, `--with-coverage`) Continue running coverage across remaining packs after a `failed` outcome |
|
|
74
80
|
|
|
75
81
|
### Detailed mode — evidence + ranked fixes
|
|
76
82
|
|
|
@@ -85,12 +91,24 @@ Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bo
|
|
|
85
91
|
|
|
86
92
|
Three signals, strongest wins for files it covers:
|
|
87
93
|
|
|
88
|
-
1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust), JaCoCo XML (Kotlin). If the tool measured a file, that decision is authoritative.
|
|
94
|
+
1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust), JaCoCo XML (Kotlin/Java), SimpleCov resultset (Ruby). If the tool measured a file, that decision is authoritative.
|
|
89
95
|
2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
|
|
90
96
|
3. **Filename match** — last-resort basename similarity.
|
|
91
97
|
|
|
92
98
|
A file counts as "tested" when the strongest available signal says so.
|
|
93
99
|
|
|
100
|
+
#### Coverage fidelity tier (2.4.7+)
|
|
101
|
+
|
|
102
|
+
Test-gap reports now carry a `coverageFidelity` tier so a 0% from a heuristic can't be confused with a 0% from a real coverage run:
|
|
103
|
+
|
|
104
|
+
| Tier | Source | Trust |
|
|
105
|
+
| ---------------- | -------------------------------------------------------------------------- | ------------------ |
|
|
106
|
+
| `line-coverage` | Any of the artifacts above | Line-level truth |
|
|
107
|
+
| `import-graph` | Test-file import edges (up to N hops) | Informed heuristic |
|
|
108
|
+
| `filename-match` | Source files with a name-matched test (200-line file / 5-line test passes) | Pure heuristic |
|
|
109
|
+
|
|
110
|
+
The test-gaps markdown leads with a ⚠️ / ℹ️ banner when fidelity isn't `line-coverage`, pointing at `vyuh-dxkit coverage` and `vyuh-dxkit health --with-coverage` as the install paths to ground-truth.
|
|
111
|
+
|
|
94
112
|
---
|
|
95
113
|
|
|
96
114
|
## Tool Registry
|
|
@@ -281,6 +299,32 @@ Mirrors pre-push but also runs the slop check against the PR base branch, so `--
|
|
|
281
299
|
|
|
282
300
|
---
|
|
283
301
|
|
|
302
|
+
## Scoring
|
|
303
|
+
|
|
304
|
+
dxkit produces a 0-100 score + A/B/C/D/E letter rating for six
|
|
305
|
+
dimensions of every codebase. Three properties define the scoring
|
|
306
|
+
model:
|
|
307
|
+
|
|
308
|
+
- **Deterministic** — pure-function evaluator over a declarative spec
|
|
309
|
+
per dimension. Same `git rev-parse HEAD` + same dxkit version
|
|
310
|
+
produces the identical score on every run, every machine. This is
|
|
311
|
+
the moat against LLM-driven review products, where outputs drift
|
|
312
|
+
run-to-run.
|
|
313
|
+
- **Anchored** — methodology cites underlying open international
|
|
314
|
+
standards (ISO/IEC 25010, ISO/IEC 5055, SQALE method, CVSS v4,
|
|
315
|
+
CWE, OWASP, OpenSSF Scorecard) rather than invented thresholds.
|
|
316
|
+
- **Actionable** — every score is paired with structured provenance
|
|
317
|
+
so the report says what to fix and how much the score would lift.
|
|
318
|
+
Customer-facing markdown surfaces a "Top actions" block per
|
|
319
|
+
dimension; agents consume the same structured `ScoreResult` JSON
|
|
320
|
+
directly.
|
|
321
|
+
|
|
322
|
+
The customer-facing methodology document — including the per-
|
|
323
|
+
dimension penalty/cap breakdown and citations — lives at
|
|
324
|
+
**[`docs/SCORING.md`](docs/SCORING.md)**.
|
|
325
|
+
|
|
326
|
+
---
|
|
327
|
+
|
|
284
328
|
## Quality Gates for Agent-Written Code
|
|
285
329
|
|
|
286
330
|
dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
|
|
@@ -356,24 +400,46 @@ Both loops use the session framework — checkpoints, skill evolution, progress
|
|
|
356
400
|
|
|
357
401
|
## Reports
|
|
358
402
|
|
|
359
|
-
All analyzer commands save timestamped reports to `.dxkit/reports
|
|
403
|
+
All analyzer commands save timestamped reports to `.dxkit/reports/`.
|
|
404
|
+
Every command writes a summary markdown, a detailed markdown, and a
|
|
405
|
+
canonical detailed JSON. `bom` adds an XLSX; `licenses` adds an XLSX
|
|
406
|
+
when `--xlsx` is set. `dashboard` (or `report`) writes the single-file
|
|
407
|
+
HTML view that stitches everything together.
|
|
360
408
|
|
|
361
409
|
```
|
|
362
410
|
.dxkit/reports/
|
|
363
|
-
health-audit-<date>.md
|
|
364
|
-
health-audit-<date>-detailed.md # with
|
|
365
|
-
health-audit-<date>-detailed.json # agent-consumable
|
|
411
|
+
health-audit-<date>.md # 6-dimension summary
|
|
412
|
+
health-audit-<date>-detailed.md # with per-dim plans + evidence
|
|
413
|
+
health-audit-<date>-detailed.json # agent-consumable schema
|
|
414
|
+
|
|
366
415
|
vulnerability-scan-<date>.md
|
|
416
|
+
vulnerability-scan-<date>-detailed.{md,json}
|
|
417
|
+
|
|
367
418
|
test-gaps-<date>.md
|
|
419
|
+
test-gaps-<date>-detailed.{md,json}
|
|
420
|
+
|
|
368
421
|
quality-review-<date>.md
|
|
422
|
+
quality-review-<date>-detailed.{md,json}
|
|
423
|
+
|
|
369
424
|
developer-report-<date>.md
|
|
425
|
+
developer-report-<date>-detailed.{md,json}
|
|
426
|
+
|
|
427
|
+
bom-<date>.md # Bill of Materials summary
|
|
428
|
+
bom-<date>-detailed.{md,json} # full per-package rows
|
|
429
|
+
bom-<date>.xlsx # 15-col XLSX (with --xlsx)
|
|
430
|
+
|
|
431
|
+
licenses-<date>.md # license inventory
|
|
432
|
+
licenses-<date>-detailed.{md,json}
|
|
433
|
+
licenses-<date>.xlsx # with --xlsx
|
|
434
|
+
|
|
435
|
+
dashboard.html # single-file HTML view
|
|
370
436
|
```
|
|
371
437
|
|
|
372
438
|
Export options:
|
|
373
439
|
|
|
374
|
-
- **HTML dashboard**:
|
|
375
|
-
- **PDF**: `/export-pdf all` — converts
|
|
376
|
-
- **Structured JSON**:
|
|
440
|
+
- **HTML dashboard**: `vyuh-dxkit dashboard` or the `/dashboard` slash command — dark-themed sidebar navigation, reads every `*-detailed.json` under `.dxkit/reports/`
|
|
441
|
+
- **PDF**: `/export-pdf all` — converts every report to PDF
|
|
442
|
+
- **Structured JSON**: every command writes a `-detailed.json` unconditionally as of 2.4.7, so agents and dashboards always have the structured schema available
|
|
377
443
|
|
|
378
444
|
---
|
|
379
445
|
|
|
@@ -402,15 +468,22 @@ When create-devstack writes `.project.yaml` before calling dxkit, detection and
|
|
|
402
468
|
## CLI Reference
|
|
403
469
|
|
|
404
470
|
```bash
|
|
405
|
-
# Analyzer commands — each writes to .dxkit/reports/<name>-<date>.md
|
|
406
|
-
vyuh-dxkit health [path]
|
|
471
|
+
# Analyzer commands — each writes to .dxkit/reports/<name>-<date>.md + <name>-<date>-detailed.{md,json}
|
|
472
|
+
vyuh-dxkit health [path] [--with-coverage] # 6-dimension score
|
|
407
473
|
vyuh-dxkit vulnerabilities [path] # Security scan, ranked by composite risk
|
|
408
|
-
vyuh-dxkit test-gaps [path]
|
|
474
|
+
vyuh-dxkit test-gaps [path] [--with-coverage] # Coverage + gaps + actions
|
|
409
475
|
vyuh-dxkit quality [path] # Slop + duplication + lint
|
|
410
476
|
vyuh-dxkit dev-report [path] [--since <date>] # Git activity report
|
|
411
477
|
vyuh-dxkit licenses [path] # Dependency license inventory
|
|
412
478
|
vyuh-dxkit bom [path] [--filter=top-level] # Bill of Materials + risk-ranked triage
|
|
413
479
|
|
|
480
|
+
# Coverage materialization (side-effecting — runs each pack's test runner)
|
|
481
|
+
vyuh-dxkit coverage [path] [--lang <id>] [--no-fail-fast]
|
|
482
|
+
|
|
483
|
+
# Dashboard + one-shot full audit
|
|
484
|
+
vyuh-dxkit dashboard [path] # render .dxkit/reports/ to a single HTML page
|
|
485
|
+
vyuh-dxkit report [path] [--with-coverage] # run every analyzer + dashboard end-to-end
|
|
486
|
+
|
|
414
487
|
# Data conversion
|
|
415
488
|
vyuh-dxkit to-xlsx <json-file> # render licenses/bom detailed JSON as 15-col XLSX
|
|
416
489
|
|
|
@@ -442,6 +515,38 @@ No LLM in the analysis path. Scores are reproducible: same repo state → same r
|
|
|
442
515
|
|
|
443
516
|
---
|
|
444
517
|
|
|
518
|
+
## Community + Contributing
|
|
519
|
+
|
|
520
|
+
- **[`CHANGELOG.md`](CHANGELOG.md)** — release notes by version,
|
|
521
|
+
including methodology shifts that may change scores between
|
|
522
|
+
releases (e.g. the 2.4.7 scoring foundation).
|
|
523
|
+
- **[`CONTRIBUTING.md`](CONTRIBUTING.md)** — local setup, the
|
|
524
|
+
pre-commit hook stack, test conventions, and the "Adding a new
|
|
525
|
+
language" walkthrough.
|
|
526
|
+
- **[`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md)** — a short tour
|
|
527
|
+
of the analyzer data flow, the three core patterns (language
|
|
528
|
+
packs, scoring specs, centralized exclusions + tool registry),
|
|
529
|
+
the subprocess discipline, and the `AnalysisResult` cache.
|
|
530
|
+
- **[`CLAUDE.md`](CLAUDE.md)** — the authoritative architectural
|
|
531
|
+
rule set with pre-commit + CI enforcement. Required reading
|
|
532
|
+
before opening a PR that touches scoring, packs, exclusions, or
|
|
533
|
+
tool invocation.
|
|
534
|
+
- **[`docs/SCORING.md`](docs/SCORING.md)** — full scoring
|
|
535
|
+
methodology: dimensions, weights, thresholds, caps, and the
|
|
536
|
+
Layer-1 standards each spec anchors to.
|
|
537
|
+
- **[`SECURITY.md`](SECURITY.md)** — security policy, supported
|
|
538
|
+
versions, response SLAs, and the [private vulnerability
|
|
539
|
+
reporting](https://github.com/vyuh-labs/dxkit/security/advisories/new)
|
|
540
|
+
channel.
|
|
541
|
+
- **[`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md)** — Contributor
|
|
542
|
+
Covenant 2.1.
|
|
543
|
+
|
|
544
|
+
Bug reports, feature requests, and questions: file an
|
|
545
|
+
[issue](https://github.com/vyuh-labs/dxkit/issues/new/choose) using
|
|
546
|
+
one of the templates.
|
|
547
|
+
|
|
548
|
+
---
|
|
549
|
+
|
|
445
550
|
## License
|
|
446
551
|
|
|
447
552
|
MIT
|
|
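--- a/package/dist/analysis-result.d.ts
+++ b/package/dist/analysis-result.d.ts
@@ -0,0 +1,112 @@
+/**
+* AnalysisResult — the canonical cross-process aggregate that every
+* dxkit subcommand reads from instead of independently re-running the
+* tool gather.
+*
+* Architectural posture:
+*
+* - **One gather per repo+SHA.** `vyuh-dxkit health`, `vulnerabilities`,
+* `test-gaps`, `quality`, `dev-report`, `licenses`, `bom`, `dashboard`,
+* and `coverage` all build OR read this same struct. When two
+* subcommands run minutes apart on the same commit, they see byte-
+* identical inputs — multi-consumer drift on shared metrics becomes
+* structurally impossible.
+*
+* - **Provenance is part of the type.** `commitSha` + `dxkitVersion`
+* + `schemaVersion` + `ignoreFileMtime` form the cache invalidation
+* key. Any of them changing means the cached file is stale and the
+* gather must rerun.
+*
+* - **Dirty trees never persist.** When the working tree has
+* uncommitted changes, `workingTreeDirty` is true. The cache module
+* refuses to read or write the on-disk file in that state; in-
+* process callers can still share a single rebuild via the in-
+* memory cache, but nothing reaches `.dxkit/cache/` on disk.
+*
+* - **`capabilities` + `metrics` are the canonical aggregates** —
+* identical to what the health analyzer's internal gather produces,
+* just persisted between processes. `CapabilityReport` already
+* carries the canonical security aggregate (one severity-bucket
+* source for every consumer). This envelope generalizes the same
+* "one aggregate, many consumers" template up one architectural
+* level: one `AnalysisResult` across the process boundary.
+*
+* - **`derived` is for lazily-materialized per-analyzer outputs**
+* (LicensesReport, BomReport, DevReport, …). Empty at first;
+* consumers widen the union as each analyzer migrates so a
+* subcommand can fetch its pre-rendered report by name. Keeping
+* it optional lets every consumer choose between "render from
+* `capabilities` + `metrics`" and "read the cached derived report"
+* without forcing a single answer up front.
+*/
+import type { DetectedStack } from './types';
+import type { CapabilityReport, HealthMetrics } from './analyzers/types';
+/**
+* Bump whenever the shape of `AnalysisResult` or any of its nested
+* types changes in a way that makes an older cached JSON file
+* incompatible. The cache module treats any mismatch as a hard miss
+* and rebuilds from scratch.
+*/
+export declare const ANALYSIS_RESULT_SCHEMA_VERSION: 3;
+export type AnalysisResultSchemaVersion = typeof ANALYSIS_RESULT_SCHEMA_VERSION;
+/**
+* Reserved for lazily-materialized per-analyzer outputs. Empty at
+* present; each analyzer that migrates onto the cache adds its
+* rendered report under a named key here. Keeping the type optional
+* and extensible lets analyzers migrate one at a time without forcing
+* a single decision on which ones cache their derived output (vs
+* render fresh on every call from `capabilities` + `metrics`).
+*/
+export interface AnalysisResultDerived {
+}
+/**
+* The non-provenance content of an `AnalysisResult` — what the
+* gather pipeline actually produces. `cache.ts` accepts a builder
+* function returning this shape and stamps the surrounding provenance
+* itself, so callers don't have to hand-roll SHA / mtime / version
+* detection.
+*/
+export interface AnalysisResultBody {
+stack: DetectedStack;
+capabilities: CapabilityReport;
+metrics: HealthMetrics;
+derived?: AnalysisResultDerived;
+}
+/**
+* The full cached envelope. Provenance fields up front, body fields
+* follow. Serialized to JSON when persisted; the schema-version field
+* makes future migrations explicit rather than relying on shape
+* detection.
+*/
+export interface AnalysisResult extends AnalysisResultBody {
+/** Short SHA (`git rev-parse --short HEAD`). Empty when not in a git repo. */
+commitSha: string;
+/** Current branch name. Empty when not in a git repo. */
+branch: string;
+/** Absolute repo path the gather ran against. Disambiguates two
+* worktrees of the same repo persisting independent caches. */
+cwd: string;
+/** ISO timestamp of when the result was built (NOT when it was last
+* read from cache). Useful for "report is X minutes old" surfacing
+* in the CLI and for distinguishing a fresh rebuild from a hit. */
+builtAt: string;
+/** Version of dxkit that produced the result. Different versions can
+* produce different metrics (new tools added, scoring formulas
+* changed); a version delta invalidates the cache. */
+dxkitVersion: string;
+/** Schema version of THIS envelope shape. See
+* `ANALYSIS_RESULT_SCHEMA_VERSION`. */
+schemaVersion: AnalysisResultSchemaVersion;
+/** `.dxkit-ignore` mtime in ms (from `fs.statSync(...).mtimeMs`).
+* `null` when the file doesn't exist. Differences invalidate the
+* cache — ignore-rule changes alter what gets scanned, so cached
+* metrics computed against the old ruleset are stale. */
+ignoreFileMtime: number | null;
+/** True when `git status --porcelain` reports any change. Dirty-tree
+* results NEVER persist to disk and are not read back from disk
+* (their commit SHA doesn't reflect the on-disk state). The flag
+* surfaces in JSON-mode output so consumers know they're looking at
+* an in-process-only result. */
+workingTreeDirty: boolean;
+}
+//# sourceMappingURL=analysis-result.d.ts.map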
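Review bot: The header comment names `commitSha` + `dxkitVersion` + `schemaVersion` + `ignoreFileMtime` as the whole cache invalidation key, yet the `cwd` field's own doc says it disambiguates two worktrees' caches — one of the two statements needs to change so a reader knows whether the path takes part in the hit/miss decision. Two key components are also weaker than they read: `commitSha` is documented as `git rev-parse --short HEAD`, whose abbreviation length grows with the repository, so the same commit can yield a different string later and miss spuriously (the full SHA avoids that), and `ignoreFileMtime` lets an edit to `.dxkit-ignore` that preserves the mtime reuse metrics computed under different ignore rules, where a content hash would not. If `cache.ts` accepts any on-disk JSON whose `schemaVersion` matches, it should also validate the field shapes before trusting them, since `.dxkit/cache/` lives inside the checked-out tree. This `.d.ts` is compiler output, so the change belongs in `../src/analysis-result.ts` as named by its source map; the same header is repeated verbatim in the `analysis-result.js` hunk below.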
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analysis-result.d.ts","sourceRoot":"","sources":["../src/analysis-result.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,EAAG,CAAU,CAAC;AACzD,MAAM,MAAM,2BAA2B,GAAG,OAAO,8BAA8B,CAAC;AAEhF;;;;;;;GAOG;AAWH,MAAM,WAAW,qBAAqB;CAAG;AAEzC;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,aAAa,CAAC;IACrB,YAAY,EAAE,gBAAgB,CAAC;IAC/B,OAAO,EAAE,aAAa,CAAC;IACvB,OAAO,CAAC,EAAE,qBAAqB,CAAC;CACjC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAe,SAAQ,kBAAkB;IACxD,8EAA8E;IAC9E,SAAS,EAAE,MAAM,CAAC;IAElB,yDAAyD;IACzD,MAAM,EAAE,MAAM,CAAC;IAEf;oEACgE;IAChE,GAAG,EAAE,MAAM,CAAC;IAEZ;;wEAEoE;IACpE,OAAO,EAAE,MAAM,CAAC;IAEhB;;2DAEuD;IACvD,YAAY,EAAE,MAAM,CAAC;IAErB;4CACwC;IACxC,aAAa,EAAE,2BAA2B,CAAC;IAE3C;;;8DAG0D;IAC1D,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAE/B;;;;qCAIiC;IACjC,gBAAgB,EAAE,OAAO,CAAC;CAC3B"}
|
|
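--- a/package/dist/analysis-result.js
+++ b/package/dist/analysis-result.js
@@ -0,0 +1,52 @@
+"use strict";
+/**
+* AnalysisResult — the canonical cross-process aggregate that every
+* dxkit subcommand reads from instead of independently re-running the
+* tool gather.
+*
+* Architectural posture:
+*
+* - **One gather per repo+SHA.** `vyuh-dxkit health`, `vulnerabilities`,
+* `test-gaps`, `quality`, `dev-report`, `licenses`, `bom`, `dashboard`,
+* and `coverage` all build OR read this same struct. When two
+* subcommands run minutes apart on the same commit, they see byte-
+* identical inputs — multi-consumer drift on shared metrics becomes
+* structurally impossible.
+*
+* - **Provenance is part of the type.** `commitSha` + `dxkitVersion`
+* + `schemaVersion` + `ignoreFileMtime` form the cache invalidation
+* key. Any of them changing means the cached file is stale and the
+* gather must rerun.
+*
+* - **Dirty trees never persist.** When the working tree has
+* uncommitted changes, `workingTreeDirty` is true. The cache module
+* refuses to read or write the on-disk file in that state; in-
+* process callers can still share a single rebuild via the in-
+* memory cache, but nothing reaches `.dxkit/cache/` on disk.
+*
+* - **`capabilities` + `metrics` are the canonical aggregates** —
+* identical to what the health analyzer's internal gather produces,
+* just persisted between processes. `CapabilityReport` already
+* carries the canonical security aggregate (one severity-bucket
+* source for every consumer). This envelope generalizes the same
+* "one aggregate, many consumers" template up one architectural
+* level: one `AnalysisResult` across the process boundary.
+*
+* - **`derived` is for lazily-materialized per-analyzer outputs**
+* (LicensesReport, BomReport, DevReport, …). Empty at first;
+* consumers widen the union as each analyzer migrates so a
+* subcommand can fetch its pre-rendered report by name. Keeping
+* it optional lets every consumer choose between "render from
+* `capabilities` + `metrics`" and "read the cached derived report"
+* without forcing a single answer up front.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ANALYSIS_RESULT_SCHEMA_VERSION = void 0;
+/**
+* Bump whenever the shape of `AnalysisResult` or any of its nested
+* types changes in a way that makes an older cached JSON file
+* incompatible. The cache module treats any mismatch as a hard miss
+* and rebuilds from scratch.
+*/
+exports.ANALYSIS_RESULT_SCHEMA_VERSION = 3;
+//# sourceMappingURL=analysis-result.js.map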
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analysis-result.js","sourceRoot":"","sources":["../src/analysis-result.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;;;AAKH;;;;;GAKG;AACU,QAAA,8BAA8B,GAAG,CAAU,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"detailed.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEhE,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;IAC/B,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EACP,iBAAiB,GACjB,qBAAqB,GACrB,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,WAAW,GACX,uBAAuB,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,cAAc,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CAChD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,iBAAiB,CA8HrE;AASD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,
|
|
1
|
+
{"version":3,"file":"detailed.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEhE,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;IAC/B,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EACP,iBAAiB,GACjB,qBAAqB,GACrB,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,WAAW,GACX,uBAAuB,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,cAAc,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CAChD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,iBAAiB,CA8HrE;AASD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAmI9F"}
|
|
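--- a/package/dist/analyzers/bom/detailed.js
+++ b/package/dist/analyzers/bom/detailed.js
@@ -152,6 +152,25 @@ function formatBomDetailedMarkdown(detailed, elapsed) {
 L.push(`- **Vuln-only entries (license gap):** ${s.vulnOnlyPackages}`);
 }
 L.push('');
+// D070 (2.4.7): full per-root listing lives in the detailed report
+// only — the main report collapses to a count + 5-root preview to
+// stay scannable. One root per line here so customers auditing
+// per-root attribution can grep / sort cleanly.
+if (s.projectRoots.length > 1) {
+L.push(`## Project Roots (${s.projectRoots.length})`);
+L.push('');
+L.push('Each row in the package tables unions the roots that installed the ' +
+'package; the full list is reproduced here for per-root audit. See the ' +
+'`sources` column in `bom-<date>.xlsx` (when `--xlsx` is passed) for ' +
+'machine-readable per-row attribution.');
+L.push('');
+for (const r of s.projectRoots) {
+L.push(`- \`${r}\``);
+}
+L.push('');
+L.push('---');
+L.push('');
+}
 L.push(`> Reconciles with \`vyuh-dxkit vulnerabilities\`: that command counts ` +
 `per-advisory (${s.totalAdvisories}); bom collapses per-package ` +
 `(${s.vulnerablePackages}) so each xlsx row is one upgrade decision.`);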
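Review bot: Inside the `for (const r of s.projectRoots)` loop the list line wraps each root path in a single-backtick code span without escaping, so a path that itself contains a backtick closes the span early and the remainder renders as prose; these strings come from the filesystem walk rather than a fixed vocabulary, so the writer should use a delimiter the value cannot contain (CommonMark allows a double-backtick span around text holding a single backtick). The guard `s.projectRoots.length > 1` is presumably meant to drop the section for single-root scans, but nothing at the call site says so; a one-line `// single-root scans (length 1) get no per-root section` would make that reading explicit. `formatBomDetailedMarkdown` begins outside the hunk, and because this file is compiled output the change belongs in `../../../src/analyzers/bom/detailed.ts` as named by its source map.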
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"detailed.js","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA0BH,4CA8HC;AASD,
|
|
1
|
+
{"version":3,"file":"detailed.js","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA0BH,4CA8HC;AASD,8DAmIC;AA1QD,SAAgB,gBAAgB,CAAC,MAAiB;IAChD,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,sEAAsE;IACtE,iEAAiE;IACjE,gEAAgE;IAChE,oBAAoB;IACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,CAAC,WAAW;YAAE,SAAS;QAC7B,MAAM,UAAU,GAAG,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAC3D,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,WAAW,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAC/D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACnC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,UAAU;YACpB,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,sCAAsC;YAC7C,SAAS,EACP,+DAA+D;gBAC/D,mEAAmE;gBACnE,qEAAqE;YACvE,cAAc,EACZ,gEAAgE;gBAChE,6DAA6D;YAC/D,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC7D,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,UAAU;YACpB,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,qCAAqC;YAC5C,SAAS,EACP,gEAAgE;gBAChE,+DAA+D;gBAC/D,wCAAwC;YAC1C,cAAc,EACZ,gEAAgE;gBAChE,4DAA4D;YAC9D,QAAQ,EAAE,kBAAkB;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,aAAa;YACjB,KAAK,EAAE,2CAA2C;YAClD,SAAS,EACP,gEAAgE;gBAChE,gEAAgE;YAClE,cAAc,EACZ,+DAA+D;gBAC/D,mDAAmD;YACrD,QAAQ,EAAE,SAAS;SACpB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IACrD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,0CAA0C;YACjD,SAAS,EAAE,0DAA0D;YACrE,cAAc,EAAE
,2CAA2C;YAC3D,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG;QAClB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QACpC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;KACvC,CAAC;IACF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,QAAQ;YAClB,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,iCAAiC;YACxC,SAAS,EAAE,gEAAgE;YAC3E,cAAc,EACZ,4DAA4D;gBAC5D,4DAA4D;gBAC5D,6BAA6B;YAC/B,QAAQ,EAAE,WAAW;SACtB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC1F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,KAAK;YACf,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,8BAA8B;YACrC,SAAS,EAAE,kDAAkD;YAC7D,cAAc,EAAE,8CAA8C;YAC9D,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACjE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,QAAQ;YAClB,EAAE,EAAE,uBAAuB;YAC3B,KAAK,EAAE,yCAAyC;YAChD,SAAS,EACP,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,wBAAwB;YAC1B,cAAc,EACZ,+DAA+D;gBAC/D,+DAA+D;gBAC/D,wCAAwC;YAC1C,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,GAAG,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,SAAgB,yBAAyB,CAAC,QAA2B,EAAE,OAAe;IACpF,MAAM,CAAC,GAAa,EAAE,CAAC;IACvB,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC;IAE3B,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IAC/C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,IAAI,CAAC,uBAAuB,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,
CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,eAAe,8BAA8B,CAAC,CAAC;IACnF,CAAC,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7E,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,mEAAmE;IACnE,kEAAkE;IAClE,+DAA+D;IAC/D,gDAAgD;IAChD,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,qEAAqE;YACnE,wEAAwE;YACxE,sEAAsE;YACtE,uCAAuC,CAC1C,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,CAAC,CAAC,IAAI,CACJ,wEAAwE;QACtE,iBAAiB,CAAC,CAAC,eAAe,+BAA+B;QACjE,IAAI,CAAC,CAAC,kBAAkB,6CAA6C,CACxE,CAAC;IACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,QAAQ,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,CAAC,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAChF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;YACjD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,uBAAuB,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC;YACpD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CA
AC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC/D,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC/D,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACrD,CAAC,CAAC,IAAI,CACJ,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,MAAM,IAAI,CACvF,CAAC;YACJ,CAAC;YACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,oEAAoE;IACpE,oEAAoE;IACpE,oCAAoC;IACpC,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IACpC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1F,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO;SAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;SACjC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACb,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,YAAY,EAAE,CAAC,CAAC,YAAY;QAC5B,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,OAAO,EAAE,CAAC,CAAC,OAAO;KACnB,CAAC,CAAC,CACJ;SACA,IAAI,CACH,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC5F,CAAC;IAEJ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,oBAAoB,CAAC,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAC5E,CAAC,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAC5E,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC1F,MAAM,IAAI,GAAG,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CA
AC,CAAC,CAAC,GAAG,CAAC;YACtE,CAAC,CAAC,IAAI,CACJ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,UAAU,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,YAAY,IAAI,GAAG,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,MAAM,OAAO,IAAI,CAC3I,CAAC;QACJ,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACvE,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CACJ,gGAAgG,CACjG,CAAC;IACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
|
|
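--- a/package/dist/analyzers/bom/gather.d.ts
+++ b/package/dist/analyzers/bom/gather.d.ts
@@ -4,7 +4,8 @@
 * (CLAUDE.md rule 2). The gather just calls each, then walks both
 * result sets to build a per-package join keyed by `package@version`.
 */
-import type {
+import type { DepVulnSummary } from '../security/types';
+import type { DepVulnFinding, LicensesResult } from '../../languages/capabilities/types';
 import type { BomEntry, BomTopLevelRollup } from './types';
 /**
 * Compare two version strings as semver triples. Strips a leading
@@ -58,34 +59,34 @@ export interface BomGatherResult {
 entries: BomEntry[];
 toolsUsed: string[];
 toolsUnavailable: string[];
-/** Cwd-relative project-root paths the gather walked. Length 1 for
-* single-root scans ("." ); length >1 for nested aggregation. */
-projectRoots: string[];
 }
 /**
-*
+* Both pre-gathered envelopes are optional. The override pattern lets
+* the analyzer layer hand BoM a canonical inventory + advisory set
+* built once at repo-root, so the gather pipeline never re-walks the
+* tree from a different cwd (the root cause of cross-consumer drift
+* on the same logical metric — e.g. licenses-vs-BoM package count
+* diverging on a deep C# monorepo because two walks visited two
+* different subsets of csproj files).
 *
-*
-*
-*
-*
+* `depVulnsOverride`: shared dep-vuln set across nested callers.
+* Pre-fix BoM called `gatherDepVulns(absRoot)` per sub-root, and
+* the csharp pack's gather was cwd-sensitive — at a sub-root with
+* a stale `obj/project.assets.json` it returned 0 advisories via
+* dotnet, while at repo-root with no `.csproj` it correctly fell
+* back to `osv-scanner-nuget-direct` and surfaced them. Override +
+* the pack-layer cwd-invariance work closed that gap.
 *
-*
-*
-*
-*
-*
-*
-*
-* - license metadata (licenseType, sourceUrl, etc.) prefers the
-* first root with non-UNKNOWN data, falling back to whatever
-* the first-seen entry carried
-*
-* Pure function; unit-testable without filesystem.
+* `licensesOverride`: pre-gathered canonical license inventory.
+* When set, the gather skips its own `gatherLicensesResult(cwd)`
+* call and uses the override directly. `null` (a deliberate
+* "license inventory exists but is empty / unavailable") is
+* distinguished from `undefined` ("gather it yourself") — the
+* canonical analyzer-layer caller always passes the cached
+* envelope shape verbatim.
 */
-export declare function
-
-
-}
-export declare function gatherBomEntries(cwd: string): Promise<BomGatherResult>;
+export declare function gatherBomEntries(cwd: string, options?: {
+depVulnsOverride?: DepVulnSummary;
+licensesOverride?: LicensesResult | null;
+}): Promise<BomGatherResult>;
 //# sourceMappingURL=gather.d.ts.map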
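Review bot: The new `options` parameter of `gatherBomEntries` is an inline anonymous object type, so a caller that assembles the override bundle in one place and passes it in another has nothing to annotate against; exporting it as a named interface (`export interface BomGatherOptions { depVulnsOverride?: DepVulnSummary; licensesOverride?: LicensesResult | null; }`) and moving the two per-option paragraphs from the function comment onto the fields would also surface the `null`-vs-`undefined` contract for `licensesOverride` in editor hover text, where it is most likely to be misread. Separately, this hunk drops `projectRoots` from `BomGatherResult` while the `detailed.js` hunk above still reads `s.projectRoots`; if the summary the formatter consumes is built from this gather result, confirm the list now lives on the summary type so the section is not silently skipped. These declarations are generated from `../../../src/analyzers/bom/gather.ts` (per the source map), so the edit belongs there.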
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,
|
|
1
|
+
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EACV,cAAc,EAEd,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,QAAQ,EAAe,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAIxE;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAgB1D;AAED;mDACmD;AACnD,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAGpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,cAAc,EAAE,GAAG,MAAM,CAQrE;AAYD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAkCzF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACpB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE;IACP,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC,gBAAgB,CAAC,EAAE,cAAc,GAAG,IAAI,CAAC;CACrC,GACL,OAAO,CAAC,eAAe,CAAC,CAmF1B"}
|