@vyuhlabs/dxkit 2.4.6 → 2.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (357) hide show
  1. package/CHANGELOG.md +1076 -0
  2. package/README.md +132 -27
  3. package/dist/analysis-result.d.ts +112 -0
  4. package/dist/analysis-result.d.ts.map +1 -0
  5. package/dist/analysis-result.js +52 -0
  6. package/dist/analysis-result.js.map +1 -0
  7. package/dist/analyzers/bom/detailed.d.ts.map +1 -1
  8. package/dist/analyzers/bom/detailed.js +19 -0
  9. package/dist/analyzers/bom/detailed.js.map +1 -1
  10. package/dist/analyzers/bom/gather.d.ts +27 -26
  11. package/dist/analyzers/bom/gather.d.ts.map +1 -1
  12. package/dist/analyzers/bom/gather.js +26 -87
  13. package/dist/analyzers/bom/gather.js.map +1 -1
  14. package/dist/analyzers/bom/index.d.ts +0 -7
  15. package/dist/analyzers/bom/index.d.ts.map +1 -1
  16. package/dist/analyzers/bom/index.js +98 -48
  17. package/dist/analyzers/bom/index.js.map +1 -1
  18. package/dist/analyzers/bom/types.d.ts +11 -13
  19. package/dist/analyzers/bom/types.d.ts.map +1 -1
  20. package/dist/analyzers/cache.d.ts +95 -0
  21. package/dist/analyzers/cache.d.ts.map +1 -0
  22. package/dist/analyzers/cache.js +309 -0
  23. package/dist/analyzers/cache.js.map +1 -0
  24. package/dist/analyzers/coverage-runner.d.ts +56 -0
  25. package/dist/analyzers/coverage-runner.d.ts.map +1 -0
  26. package/dist/analyzers/coverage-runner.js +72 -0
  27. package/dist/analyzers/coverage-runner.js.map +1 -0
  28. package/dist/analyzers/dashboard/index.d.ts +24 -0
  29. package/dist/analyzers/dashboard/index.d.ts.map +1 -0
  30. package/dist/analyzers/dashboard/index.js +667 -0
  31. package/dist/analyzers/dashboard/index.js.map +1 -0
  32. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  33. package/dist/analyzers/developer/gather.js +205 -37
  34. package/dist/analyzers/developer/gather.js.map +1 -1
  35. package/dist/analyzers/developer/index.d.ts +1 -1
  36. package/dist/analyzers/developer/index.d.ts.map +1 -1
  37. package/dist/analyzers/developer/index.js +21 -9
  38. package/dist/analyzers/developer/index.js.map +1 -1
  39. package/dist/analyzers/dispatcher.d.ts +52 -0
  40. package/dist/analyzers/dispatcher.d.ts.map +1 -1
  41. package/dist/analyzers/dispatcher.js +92 -9
  42. package/dist/analyzers/dispatcher.js.map +1 -1
  43. package/dist/analyzers/docs/shallow.d.ts +17 -5
  44. package/dist/analyzers/docs/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/docs/shallow.js +65 -2
  46. package/dist/analyzers/docs/shallow.js.map +1 -1
  47. package/dist/analyzers/dx/shallow.d.ts +17 -5
  48. package/dist/analyzers/dx/shallow.d.ts.map +1 -1
  49. package/dist/analyzers/dx/shallow.js +66 -2
  50. package/dist/analyzers/dx/shallow.js.map +1 -1
  51. package/dist/analyzers/health/actions.d.ts +1 -1
  52. package/dist/analyzers/health/actions.d.ts.map +1 -1
  53. package/dist/analyzers/health/actions.js +27 -9
  54. package/dist/analyzers/health/actions.js.map +1 -1
  55. package/dist/analyzers/health/detailed.d.ts +2 -1
  56. package/dist/analyzers/health/detailed.d.ts.map +1 -1
  57. package/dist/analyzers/health/detailed.js +11 -7
  58. package/dist/analyzers/health/detailed.js.map +1 -1
  59. package/dist/analyzers/health.d.ts +27 -0
  60. package/dist/analyzers/health.d.ts.map +1 -1
  61. package/dist/analyzers/health.js +282 -34
  62. package/dist/analyzers/health.js.map +1 -1
  63. package/dist/analyzers/licenses/gather.d.ts +35 -8
  64. package/dist/analyzers/licenses/gather.d.ts.map +1 -1
  65. package/dist/analyzers/licenses/gather.js +86 -13
  66. package/dist/analyzers/licenses/gather.js.map +1 -1
  67. package/dist/analyzers/licenses/index.d.ts +1 -1
  68. package/dist/analyzers/licenses/index.d.ts.map +1 -1
  69. package/dist/analyzers/licenses/index.js +52 -11
  70. package/dist/analyzers/licenses/index.js.map +1 -1
  71. package/dist/analyzers/licenses/types.d.ts +15 -0
  72. package/dist/analyzers/licenses/types.d.ts.map +1 -1
  73. package/dist/analyzers/maintainability/shallow.d.ts +17 -5
  74. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
  75. package/dist/analyzers/maintainability/shallow.js +80 -2
  76. package/dist/analyzers/maintainability/shallow.js.map +1 -1
  77. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  78. package/dist/analyzers/quality/detailed.js +4 -6
  79. package/dist/analyzers/quality/detailed.js.map +1 -1
  80. package/dist/analyzers/quality/gather.d.ts +1 -14
  81. package/dist/analyzers/quality/gather.d.ts.map +1 -1
  82. package/dist/analyzers/quality/gather.js +48 -137
  83. package/dist/analyzers/quality/gather.js.map +1 -1
  84. package/dist/analyzers/quality/index.d.ts +9 -2
  85. package/dist/analyzers/quality/index.d.ts.map +1 -1
  86. package/dist/analyzers/quality/index.js +197 -117
  87. package/dist/analyzers/quality/index.js.map +1 -1
  88. package/dist/analyzers/quality/shallow.d.ts +50 -5
  89. package/dist/analyzers/quality/shallow.d.ts.map +1 -1
  90. package/dist/analyzers/quality/shallow.js +155 -2
  91. package/dist/analyzers/quality/shallow.js.map +1 -1
  92. package/dist/analyzers/quality/types.d.ts +14 -0
  93. package/dist/analyzers/quality/types.d.ts.map +1 -1
  94. package/dist/analyzers/security/actions.d.ts +11 -4
  95. package/dist/analyzers/security/actions.d.ts.map +1 -1
  96. package/dist/analyzers/security/actions.js +87 -37
  97. package/dist/analyzers/security/actions.js.map +1 -1
  98. package/dist/analyzers/security/aggregator.d.ts +236 -0
  99. package/dist/analyzers/security/aggregator.d.ts.map +1 -0
  100. package/dist/analyzers/security/aggregator.js +349 -0
  101. package/dist/analyzers/security/aggregator.js.map +1 -0
  102. package/dist/analyzers/security/detailed.d.ts +2 -2
  103. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  104. package/dist/analyzers/security/detailed.js +10 -9
  105. package/dist/analyzers/security/detailed.js.map +1 -1
  106. package/dist/analyzers/security/gather.d.ts +104 -1
  107. package/dist/analyzers/security/gather.d.ts.map +1 -1
  108. package/dist/analyzers/security/gather.js +299 -9
  109. package/dist/analyzers/security/gather.js.map +1 -1
  110. package/dist/analyzers/security/index.d.ts +15 -0
  111. package/dist/analyzers/security/index.d.ts.map +1 -1
  112. package/dist/analyzers/security/index.js +463 -50
  113. package/dist/analyzers/security/index.js.map +1 -1
  114. package/dist/analyzers/security/shallow.d.ts +50 -6
  115. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  116. package/dist/analyzers/security/shallow.js +154 -2
  117. package/dist/analyzers/security/shallow.js.map +1 -1
  118. package/dist/analyzers/security/types.d.ts +51 -0
  119. package/dist/analyzers/security/types.d.ts.map +1 -1
  120. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  121. package/dist/analyzers/tests/detailed.js +2 -3
  122. package/dist/analyzers/tests/detailed.js.map +1 -1
  123. package/dist/analyzers/tests/gather.d.ts +2 -1
  124. package/dist/analyzers/tests/gather.d.ts.map +1 -1
  125. package/dist/analyzers/tests/gather.js +98 -69
  126. package/dist/analyzers/tests/gather.js.map +1 -1
  127. package/dist/analyzers/tests/index.d.ts +11 -2
  128. package/dist/analyzers/tests/index.d.ts.map +1 -1
  129. package/dist/analyzers/tests/index.js +83 -18
  130. package/dist/analyzers/tests/index.js.map +1 -1
  131. package/dist/analyzers/tests/shallow.d.ts +19 -5
  132. package/dist/analyzers/tests/shallow.d.ts.map +1 -1
  133. package/dist/analyzers/tests/shallow.js +89 -2
  134. package/dist/analyzers/tests/shallow.js.map +1 -1
  135. package/dist/analyzers/tests/types.d.ts +41 -1
  136. package/dist/analyzers/tests/types.d.ts.map +1 -1
  137. package/dist/analyzers/tools/autogen-header.d.ts +8 -0
  138. package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
  139. package/dist/analyzers/tools/autogen-header.js +107 -0
  140. package/dist/analyzers/tools/autogen-header.js.map +1 -0
  141. package/dist/analyzers/tools/cloc.d.ts.map +1 -1
  142. package/dist/analyzers/tools/cloc.js +36 -5
  143. package/dist/analyzers/tools/cloc.js.map +1 -1
  144. package/dist/analyzers/tools/deadline.d.ts +67 -0
  145. package/dist/analyzers/tools/deadline.d.ts.map +1 -0
  146. package/dist/analyzers/tools/deadline.js +81 -0
  147. package/dist/analyzers/tools/deadline.js.map +1 -0
  148. package/dist/analyzers/tools/debug-statements.d.ts +17 -0
  149. package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
  150. package/dist/analyzers/tools/debug-statements.js +58 -0
  151. package/dist/analyzers/tools/debug-statements.js.map +1 -0
  152. package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
  153. package/dist/analyzers/tools/exclusions.d.ts +33 -6
  154. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  155. package/dist/analyzers/tools/exclusions.js +95 -26
  156. package/dist/analyzers/tools/exclusions.js.map +1 -1
  157. package/dist/analyzers/tools/generic.d.ts +17 -2
  158. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  159. package/dist/analyzers/tools/generic.js +206 -109
  160. package/dist/analyzers/tools/generic.js.map +1 -1
  161. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  162. package/dist/analyzers/tools/gitleaks.js +48 -1
  163. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  164. package/dist/analyzers/tools/graphify.d.ts +30 -2
  165. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  166. package/dist/analyzers/tools/graphify.js +131 -15
  167. package/dist/analyzers/tools/graphify.js.map +1 -1
  168. package/dist/analyzers/tools/jscpd.d.ts +12 -2
  169. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  170. package/dist/analyzers/tools/jscpd.js +129 -6
  171. package/dist/analyzers/tools/jscpd.js.map +1 -1
  172. package/dist/analyzers/tools/lint-label.d.ts +29 -0
  173. package/dist/analyzers/tools/lint-label.d.ts.map +1 -0
  174. package/dist/analyzers/tools/lint-label.js +23 -0
  175. package/dist/analyzers/tools/lint-label.js.map +1 -0
  176. package/dist/analyzers/tools/minified-detection.d.ts +9 -0
  177. package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
  178. package/dist/analyzers/tools/minified-detection.js +147 -0
  179. package/dist/analyzers/tools/minified-detection.js.map +1 -0
  180. package/dist/analyzers/tools/nuget-package-reference.d.ts +133 -0
  181. package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
  182. package/dist/analyzers/tools/nuget-package-reference.js +177 -0
  183. package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
  184. package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
  185. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
  186. package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
  187. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
  188. package/dist/analyzers/tools/osv.d.ts +36 -0
  189. package/dist/analyzers/tools/osv.d.ts.map +1 -1
  190. package/dist/analyzers/tools/osv.js +26 -0
  191. package/dist/analyzers/tools/osv.js.map +1 -1
  192. package/dist/analyzers/tools/parallel.d.ts +1 -1
  193. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  194. package/dist/analyzers/tools/parallel.js +2 -2
  195. package/dist/analyzers/tools/parallel.js.map +1 -1
  196. package/dist/analyzers/tools/report-date.d.ts +17 -0
  197. package/dist/analyzers/tools/report-date.d.ts.map +1 -0
  198. package/dist/analyzers/tools/report-date.js +26 -0
  199. package/dist/analyzers/tools/report-date.js.map +1 -0
  200. package/dist/analyzers/tools/risk-score.d.ts +7 -0
  201. package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
  202. package/dist/analyzers/tools/risk-score.js +9 -2
  203. package/dist/analyzers/tools/risk-score.js.map +1 -1
  204. package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
  205. package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
  206. package/dist/analyzers/tools/run-tests-helper.js +156 -0
  207. package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
  208. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  209. package/dist/analyzers/tools/runner.js +75 -12
  210. package/dist/analyzers/tools/runner.js.map +1 -1
  211. package/dist/analyzers/tools/semgrep.d.ts +39 -2
  212. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  213. package/dist/analyzers/tools/semgrep.js +131 -9
  214. package/dist/analyzers/tools/semgrep.js.map +1 -1
  215. package/dist/analyzers/tools/timing.d.ts +17 -3
  216. package/dist/analyzers/tools/timing.d.ts.map +1 -1
  217. package/dist/analyzers/tools/timing.js +36 -14
  218. package/dist/analyzers/tools/timing.js.map +1 -1
  219. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  220. package/dist/analyzers/tools/tool-registry.js +11 -1
  221. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  222. package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
  223. package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
  224. package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
  225. package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
  226. package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
  227. package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
  228. package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
  229. package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
  230. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
  231. package/dist/analyzers/tools/vendored-advisor.js +107 -0
  232. package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
  233. package/dist/analyzers/tools/walk-paths.d.ts +78 -0
  234. package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
  235. package/dist/analyzers/tools/walk-paths.js +150 -0
  236. package/dist/analyzers/tools/walk-paths.js.map +1 -0
  237. package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
  238. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
  239. package/dist/analyzers/tools/walk-source-files.js +369 -0
  240. package/dist/analyzers/tools/walk-source-files.js.map +1 -0
  241. package/dist/analyzers/types.d.ts +204 -4
  242. package/dist/analyzers/types.d.ts.map +1 -1
  243. package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
  244. package/dist/analyzers/xlsx/bom.js +8 -1
  245. package/dist/analyzers/xlsx/bom.js.map +1 -1
  246. package/dist/cli.d.ts.map +1 -1
  247. package/dist/cli.js +581 -189
  248. package/dist/cli.js.map +1 -1
  249. package/dist/detect.d.ts.map +1 -1
  250. package/dist/detect.js +24 -7
  251. package/dist/detect.js.map +1 -1
  252. package/dist/doctor.d.ts.map +1 -1
  253. package/dist/doctor.js +103 -53
  254. package/dist/doctor.js.map +1 -1
  255. package/dist/languages/capabilities/provider.d.ts +130 -1
  256. package/dist/languages/capabilities/provider.d.ts.map +1 -1
  257. package/dist/languages/capabilities/types.d.ts +68 -7
  258. package/dist/languages/capabilities/types.d.ts.map +1 -1
  259. package/dist/languages/csharp.d.ts +15 -1
  260. package/dist/languages/csharp.d.ts.map +1 -1
  261. package/dist/languages/csharp.js +624 -146
  262. package/dist/languages/csharp.js.map +1 -1
  263. package/dist/languages/go.d.ts.map +1 -1
  264. package/dist/languages/go.js +89 -11
  265. package/dist/languages/go.js.map +1 -1
  266. package/dist/languages/index.d.ts +132 -2
  267. package/dist/languages/index.d.ts.map +1 -1
  268. package/dist/languages/index.js +207 -0
  269. package/dist/languages/index.js.map +1 -1
  270. package/dist/languages/java.d.ts.map +1 -1
  271. package/dist/languages/java.js +113 -26
  272. package/dist/languages/java.js.map +1 -1
  273. package/dist/languages/kotlin.d.ts.map +1 -1
  274. package/dist/languages/kotlin.js +132 -26
  275. package/dist/languages/kotlin.js.map +1 -1
  276. package/dist/languages/python.d.ts.map +1 -1
  277. package/dist/languages/python.js +149 -44
  278. package/dist/languages/python.js.map +1 -1
  279. package/dist/languages/ruby.d.ts +39 -1
  280. package/dist/languages/ruby.d.ts.map +1 -1
  281. package/dist/languages/ruby.js +178 -44
  282. package/dist/languages/ruby.js.map +1 -1
  283. package/dist/languages/rust.d.ts.map +1 -1
  284. package/dist/languages/rust.js +103 -16
  285. package/dist/languages/rust.js.map +1 -1
  286. package/dist/languages/types.d.ts +228 -5
  287. package/dist/languages/types.d.ts.map +1 -1
  288. package/dist/languages/typescript.d.ts.map +1 -1
  289. package/dist/languages/typescript.js +201 -14
  290. package/dist/languages/typescript.js.map +1 -1
  291. package/dist/scoring/dimensions/documentation.d.ts +53 -0
  292. package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
  293. package/dist/scoring/dimensions/documentation.js +106 -0
  294. package/dist/scoring/dimensions/documentation.js.map +1 -0
  295. package/dist/scoring/dimensions/dx.d.ts +53 -0
  296. package/dist/scoring/dimensions/dx.d.ts.map +1 -0
  297. package/dist/scoring/dimensions/dx.js +105 -0
  298. package/dist/scoring/dimensions/dx.js.map +1 -0
  299. package/dist/scoring/dimensions/maintainability.d.ts +53 -0
  300. package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
  301. package/dist/scoring/dimensions/maintainability.js +101 -0
  302. package/dist/scoring/dimensions/maintainability.js.map +1 -0
  303. package/dist/scoring/dimensions/quality.d.ts +108 -0
  304. package/dist/scoring/dimensions/quality.d.ts.map +1 -0
  305. package/dist/scoring/dimensions/quality.js +174 -0
  306. package/dist/scoring/dimensions/quality.js.map +1 -0
  307. package/dist/scoring/dimensions/security.d.ts +84 -0
  308. package/dist/scoring/dimensions/security.d.ts.map +1 -0
  309. package/dist/scoring/dimensions/security.js +135 -0
  310. package/dist/scoring/dimensions/security.js.map +1 -0
  311. package/dist/scoring/dimensions/testing.d.ts +56 -0
  312. package/dist/scoring/dimensions/testing.d.ts.map +1 -0
  313. package/dist/scoring/dimensions/testing.js +98 -0
  314. package/dist/scoring/dimensions/testing.js.map +1 -0
  315. package/dist/scoring/evaluator.d.ts +27 -0
  316. package/dist/scoring/evaluator.d.ts.map +1 -0
  317. package/dist/scoring/evaluator.js +124 -0
  318. package/dist/scoring/evaluator.js.map +1 -0
  319. package/dist/scoring/format.d.ts +34 -0
  320. package/dist/scoring/format.d.ts.map +1 -0
  321. package/dist/scoring/format.js +63 -0
  322. package/dist/scoring/format.js.map +1 -0
  323. package/dist/scoring/index.d.ts +37 -0
  324. package/dist/scoring/index.d.ts.map +1 -0
  325. package/dist/scoring/index.js +57 -0
  326. package/dist/scoring/index.js.map +1 -0
  327. package/dist/scoring/overall.d.ts +54 -0
  328. package/dist/scoring/overall.d.ts.map +1 -0
  329. package/dist/scoring/overall.js +76 -0
  330. package/dist/scoring/overall.js.map +1 -0
  331. package/dist/scoring/result.d.ts +111 -0
  332. package/dist/scoring/result.d.ts.map +1 -0
  333. package/dist/scoring/result.js +14 -0
  334. package/dist/scoring/result.js.map +1 -0
  335. package/dist/scoring/spec.d.ts +76 -0
  336. package/dist/scoring/spec.d.ts.map +1 -0
  337. package/dist/scoring/spec.js +22 -0
  338. package/dist/scoring/spec.js.map +1 -0
  339. package/dist/scoring/thresholds.d.ts +56 -0
  340. package/dist/scoring/thresholds.d.ts.map +1 -0
  341. package/dist/scoring/thresholds.js +75 -0
  342. package/dist/scoring/thresholds.js.map +1 -0
  343. package/dist/tools-cli.d.ts.map +1 -1
  344. package/dist/tools-cli.js +21 -2
  345. package/dist/tools-cli.js.map +1 -1
  346. package/dist/types.d.ts +16 -0
  347. package/dist/types.d.ts.map +1 -1
  348. package/package.json +1 -1
  349. package/templates/.claude/commands/dashboard.md +17 -9
  350. package/dist/analyzers/scoring.d.ts +0 -49
  351. package/dist/analyzers/scoring.d.ts.map +0 -1
  352. package/dist/analyzers/scoring.js +0 -422
  353. package/dist/analyzers/scoring.js.map +0 -1
  354. package/dist/analyzers/security/scoring.d.ts +0 -29
  355. package/dist/analyzers/security/scoring.d.ts.map +0 -1
  356. package/dist/analyzers/security/scoring.js +0 -40
  357. package/dist/analyzers/security/scoring.js.map +0 -1
package/README.md CHANGED
@@ -32,11 +32,11 @@ npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks
32
32
 
33
33
  The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
34
34
 
35
- > **Already installed dxkit globally? Upgrade explicitly.** `npx @vyuhlabs/dxkit@<version>` resolves the `vyuh-dxkit` binary off PATH first — if you previously ran `npm install -g @vyuhlabs/dxkit`, npx silently uses that older global binary regardless of the `@<version>` you specified. This is npx behavior, not a dxkit bug. To pick up the latest fixes (e.g. the 2.4.5 osv-scanner-fix data-mutation fix), run:
35
+ > **Already installed dxkit globally?** Globals don't auto-update. If you previously ran `npm install -g @vyuhlabs/dxkit`, the `vyuh-dxkit` binary on your PATH stays pinned to whatever version was installed then; running `vyuh-dxkit` (without `npx`) keeps using the pinned version. To pick up the latest fixes, either upgrade the global or remove it and rely on `npx` (which fetches the requested version on demand):
36
36
  >
37
37
  > ```bash
38
38
  > npm install -g @vyuhlabs/dxkit@latest
39
- > # or, if you don't need a global install, remove the old one and rely on npx:
39
+ > # or:
40
40
  > npm uninstall -g @vyuhlabs/dxkit
41
41
  > ```
42
42
 
@@ -44,33 +44,39 @@ The two modes are complementary. The analyzers run anywhere; the scaffolder writ
44
44
 
45
45
  ## Analyzer CLI (`vyuh-dxkit <command>`)
46
46
 
47
- Seven deterministic analyzers. Each emits a markdown report to `.dxkit/reports/` and optional structured JSON.
47
+ Seven deterministic analyzers + a one-shot orchestrator. Each emits a markdown report to `.dxkit/reports/` and a structured JSON file the dashboard reads.
48
48
 
49
49
  | Command | What it does | Runtime | Output |
50
50
  | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | --------------------------------------------- |
51
51
  | `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.dxkit/reports/health-audit-<date>.md` |
52
52
  | `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (enriched with EPSS exploit probability, CISA KEV catalog, reachability from your source, composite riskScore; per-advisory detail in `--detailed`) | 5–30s | `.dxkit/reports/vulnerability-scan-<date>.md` |
53
- | `test-gaps` | Coverage artifact → import-graph → filename (strongest wins) | <1s | `.dxkit/reports/test-gaps-<date>.md` |
53
+ | `test-gaps` | Coverage artifact → import-graph → filename (strongest wins). Headline coverage carries a `coverageFidelity` tier; banners surface heuristic-vs-line-coverage trust. | <1s | `.dxkit/reports/test-gaps-<date>.md` |
54
54
  | `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.dxkit/reports/quality-review-<date>.md` |
55
- | `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.dxkit/reports/developer-report-<date>.md` |
55
+ | `dev-report` | Commits, contributors, hot files (autogen-filtered), weekly velocity (with zero-rows for empty weeks), conventional % | <1s | `.dxkit/reports/developer-report-<date>.md` |
56
56
  | `licenses` | Dependency license inventory across every active pack (TS, Python, Go, Rust, C#; Kotlin + Java omitted — no canonical CLI license tool for Maven/Gradle ecosystems) | 5–20s | `.dxkit/reports/licenses-<date>.md` |
57
57
  | `bom` | **Bill of Materials** — joins licenses + vulns per package, groups by top-level manifest dep (Snyk-style), enriches with CISA KEV + EPSS + reachability, ranks by composite risk score with "This Week's Triage" summary, aggregates nested sub-projects, `--filter=top-level` collapses transitive rows, 15-col XLSX | 10–40s | `.dxkit/reports/bom-<date>.{md,xlsx}` |
58
+ | `coverage` | Side-effecting — runs each active pack's `test-with-coverage` command to materialize the artifact `test-gaps` / `health` read back. Use this once before analysis, or pass `--with-coverage` to the analyzer. | 1–10m | per-pack artifact (`coverage.json` etc.) |
59
+ | `dashboard` | Renders every report under `.dxkit/reports/` into a single HTML page (tiles + per-report tabs + cross-cutting "Critical Issues at a Glance"). Reads `*-detailed.json` (written unconditionally as of 2.4.7). | <1s | `.dxkit/reports/dashboard.html` |
60
+ | `report` | **One-shot full audit** — runs every analyzer + dashboard in dependency order. `--with-coverage` materializes coverage once upfront so both `health` and `test-gaps` benefit without re-running tests per analyzer. | 5–15m | every output above + dashboard |
58
61
 
59
62
  Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bom` detailed JSON as the canonical 15-column XLSX.
60
63
 
61
64
  ### Flags (apply to all analyzer commands)
62
65
 
63
- | Flag | Effect |
64
- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
65
- | `--detailed` | Also writes `<name>-detailed.md` + `.json` with evidence + ranked remediation actions |
66
- | `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
67
- | `--verbose` | Print per-tool timing to stderr |
68
- | `--no-save` | Skip writing markdown; useful with `--json` |
69
- | `--xlsx` | (`licenses`, `bom` only) Also write 15-col `.xlsx` — drop-in for spreadsheet workflows |
70
- | `-o <file>` | (`licenses`, `bom`, `to-xlsx`) Override output path for xlsx / converted file |
71
- | `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
72
- | `--filter` | (`bom` only) `all` (default) or `top-level` — keep only root manifest deps; the byTopLevelDep rollup still reflects transitives |
73
- | `--no-nested` | (`bom` only) Disable nested-project aggregation. Default discovers every sub-project with a language manifest under cwd and merges their BOMs |
66
+ | Flag | Effect |
67
+ | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
68
+ | `--detailed` | Surface the success-log line for the detailed report. (As of 2.4.7 the `-detailed.json` + `-detailed.md` files are written **unconditionally** so the dashboard always finds fresh input — this flag only controls the console-side noise.) |
69
+ | `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
70
+ | `--verbose` | Print per-tool timing to stderr |
71
+ | `--no-save` | Skip writing markdown; useful with `--json` |
72
+ | `--xlsx` | (`licenses`, `bom` only) Also write 15-col `.xlsx` — drop-in for spreadsheet workflows |
73
+ | `-o <file>` | (`licenses`, `bom`, `to-xlsx`) Override output path for xlsx / converted file |
74
+ | `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
75
+ | `--filter` | (`bom` only) `all` (default) or `top-level` — keep only root manifest deps; the byTopLevelDep rollup still reflects transitives |
76
+ | `--no-nested` | (`bom` only) Disable nested-project aggregation. Default discovers every sub-project with a language manifest under cwd and merges their BOMs |
77
+ | `--with-coverage` | (`health`, `test-gaps`, `report`) Materialize coverage artifacts via per-pack `runTests()` **before** analysis. Promotes the headline from filename-match heuristic to `line-coverage` truth. With `report`, runs once upfront — health + test-gaps share the artifact. |
78
+ | `--lang <id>` | (`coverage`, `--with-coverage`) Restrict to one pack id when the repo is polyglot |
79
+ | `--no-fail-fast` | (`coverage`, `--with-coverage`) Continue running coverage across remaining packs after a `failed` outcome |
74
80
 
75
81
  ### Detailed mode — evidence + ranked fixes
76
82
 
@@ -85,12 +91,24 @@ Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bo
85
91
 
86
92
  Three signals, strongest wins for files it covers:
87
93
 
88
- 1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust), JaCoCo XML (Kotlin). If the tool measured a file, that decision is authoritative.
94
+ 1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust), JaCoCo XML (Kotlin/Java), SimpleCov resultset (Ruby). If the tool measured a file, that decision is authoritative.
89
95
  2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
90
96
  3. **Filename match** — last-resort basename similarity.
91
97
 
92
98
  A file counts as "tested" when the strongest available signal says so.
93
99
 
100
+ #### Coverage fidelity tier (2.4.7+)
101
+
102
+ Test-gap reports now carry a `coverageFidelity` tier so a 0% from a heuristic can't be confused with a 0% from a real coverage run:
103
+
104
+ | Tier | Source | Trust |
105
+ | ---------------- | -------------------------------------------------------------------------- | ------------------ |
106
+ | `line-coverage` | Any of the artifacts above | Line-level truth |
107
+ | `import-graph` | Test-file import edges (up to N hops) | Informed heuristic |
108
+ | `filename-match` | Source files with a name-matched test (200-line file / 5-line test passes) | Pure heuristic |
109
+
110
+ The test-gaps markdown leads with a ⚠️ / ℹ️ banner when fidelity isn't `line-coverage`, pointing at `vyuh-dxkit coverage` and `vyuh-dxkit health --with-coverage` as the install paths to ground-truth.
111
+
94
112
  ---
95
113
 
96
114
  ## Tool Registry
@@ -281,6 +299,32 @@ Mirrors pre-push but also runs the slop check against the PR base branch, so `--
281
299
 
282
300
  ---
283
301
 
302
+ ## Scoring
303
+
304
+ dxkit produces a 0-100 score + A/B/C/D/E letter rating for six
305
+ dimensions of every codebase. Three properties define the scoring
306
+ model:
307
+
308
+ - **Deterministic** — pure-function evaluator over a declarative spec
309
+ per dimension. Same `git rev-parse HEAD` + same dxkit version
310
+ produces the identical score on every run, every machine. This is
311
+ the moat against LLM-driven review products, where outputs drift
312
+ run-to-run.
313
+ - **Anchored** — methodology cites underlying open international
314
+ standards (ISO/IEC 25010, ISO/IEC 5055, SQALE method, CVSS v4,
315
+ CWE, OWASP, OpenSSF Scorecard) rather than invented thresholds.
316
+ - **Actionable** — every score is paired with structured provenance
317
+ so the report says what to fix and how much the score would lift.
318
+ Customer-facing markdown surfaces a "Top actions" block per
319
+ dimension; agents consume the same structured `ScoreResult` JSON
320
+ directly.
321
+
322
+ The customer-facing methodology document — including the per-
323
+ dimension penalty/cap breakdown and citations — lives at
324
+ **[`docs/SCORING.md`](docs/SCORING.md)**.
325
+
326
+ ---
327
+
284
328
  ## Quality Gates for Agent-Written Code
285
329
 
286
330
  dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
@@ -356,24 +400,46 @@ Both loops use the session framework — checkpoints, skill evolution, progress
356
400
 
357
401
  ## Reports
358
402
 
359
- All analyzer commands save timestamped reports to `.dxkit/reports/`:
403
+ All analyzer commands save timestamped reports to `.dxkit/reports/`.
404
+ Every command writes a summary markdown, a detailed markdown, and a
405
+ canonical detailed JSON. `bom` adds an XLSX; `licenses` adds an XLSX
406
+ when `--xlsx` is set. `dashboard` (or `report`) writes the single-file
407
+ HTML view that stitches everything together.
360
408
 
361
409
  ```
362
410
  .dxkit/reports/
363
- health-audit-<date>.md
364
- health-audit-<date>-detailed.md # with --detailed
365
- health-audit-<date>-detailed.json # agent-consumable
411
+ health-audit-<date>.md # 6-dimension summary
412
+ health-audit-<date>-detailed.md # with per-dim plans + evidence
413
+ health-audit-<date>-detailed.json # agent-consumable schema
414
+
366
415
  vulnerability-scan-<date>.md
416
+ vulnerability-scan-<date>-detailed.{md,json}
417
+
367
418
  test-gaps-<date>.md
419
+ test-gaps-<date>-detailed.{md,json}
420
+
368
421
  quality-review-<date>.md
422
+ quality-review-<date>-detailed.{md,json}
423
+
369
424
  developer-report-<date>.md
425
+ developer-report-<date>-detailed.{md,json}
426
+
427
+ bom-<date>.md # Bill of Materials summary
428
+ bom-<date>-detailed.{md,json} # full per-package rows
429
+ bom-<date>.xlsx # 15-col XLSX (with --xlsx)
430
+
431
+ licenses-<date>.md # license inventory
432
+ licenses-<date>-detailed.{md,json}
433
+ licenses-<date>.xlsx # with --xlsx
434
+
435
+ dashboard.html # single-file HTML view
370
436
  ```
371
437
 
372
438
  Export options:
373
439
 
374
- - **HTML dashboard**: `/dashboard` (Claude Code slash command) — dark-themed sidebar navigation
375
- - **PDF**: `/export-pdf all` — converts all reports to PDF
376
- - **Structured JSON**: `--detailed` on any command emits a canonical JSON schema
440
+ - **HTML dashboard**: `vyuh-dxkit dashboard` or the `/dashboard` slash command — dark-themed sidebar navigation, reads every `*-detailed.json` under `.dxkit/reports/`
441
+ - **PDF**: `/export-pdf all` — converts every report to PDF
442
+ - **Structured JSON**: every command writes a `-detailed.json` unconditionally as of 2.4.7, so agents and dashboards always have the structured schema available
377
443
 
378
444
  ---
379
445
 
@@ -402,15 +468,22 @@ When create-devstack writes `.project.yaml` before calling dxkit, detection and
402
468
  ## CLI Reference
403
469
 
404
470
  ```bash
405
- # Analyzer commands — each writes to .dxkit/reports/<name>-<date>.md
406
- vyuh-dxkit health [path] # 6-dimension score
471
+ # Analyzer commands — each writes to .dxkit/reports/<name>-<date>.md + <name>-<date>-detailed.{md,json}
472
+ vyuh-dxkit health [path] [--with-coverage] # 6-dimension score
407
473
  vyuh-dxkit vulnerabilities [path] # Security scan, ranked by composite risk
408
- vyuh-dxkit test-gaps [path] # Coverage + gaps + actions
474
+ vyuh-dxkit test-gaps [path] [--with-coverage] # Coverage + gaps + actions
409
475
  vyuh-dxkit quality [path] # Slop + duplication + lint
410
476
  vyuh-dxkit dev-report [path] [--since <date>] # Git activity report
411
477
  vyuh-dxkit licenses [path] # Dependency license inventory
412
478
  vyuh-dxkit bom [path] [--filter=top-level] # Bill of Materials + risk-ranked triage
413
479
 
480
+ # Coverage materialization (side-effecting — runs each pack's test runner)
481
+ vyuh-dxkit coverage [path] [--lang <id>] [--no-fail-fast]
482
+
483
+ # Dashboard + one-shot full audit
484
+ vyuh-dxkit dashboard [path] # render .dxkit/reports/ to a single HTML page
485
+ vyuh-dxkit report [path] [--with-coverage] # run every analyzer + dashboard end-to-end
486
+
414
487
  # Data conversion
415
488
  vyuh-dxkit to-xlsx <json-file> # render licenses/bom detailed JSON as 15-col XLSX
416
489
 
@@ -442,6 +515,38 @@ No LLM in the analysis path. Scores are reproducible: same repo state → same r
442
515
 
443
516
  ---
444
517
 
518
+ ## Community + Contributing
519
+
520
+ - **[`CHANGELOG.md`](CHANGELOG.md)** — release notes by version,
521
+ including methodology shifts that may change scores between
522
+ releases (e.g. the 2.4.7 scoring foundation).
523
+ - **[`CONTRIBUTING.md`](CONTRIBUTING.md)** — local setup, the
524
+ pre-commit hook stack, test conventions, and the "Adding a new
525
+ language" walkthrough.
526
+ - **[`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md)** — a short tour
527
+ of the analyzer data flow, the three core patterns (language
528
+ packs, scoring specs, centralized exclusions + tool registry),
529
+ the subprocess discipline, and the `AnalysisResult` cache.
530
+ - **[`CLAUDE.md`](CLAUDE.md)** — the authoritative architectural
531
+ rule set with pre-commit + CI enforcement. Required reading
532
+ before opening a PR that touches scoring, packs, exclusions, or
533
+ tool invocation.
534
+ - **[`docs/SCORING.md`](docs/SCORING.md)** — full scoring
535
+ methodology: dimensions, weights, thresholds, caps, and the
536
+ Layer-1 standards each spec anchors to.
537
+ - **[`SECURITY.md`](SECURITY.md)** — security policy, supported
538
+ versions, response SLAs, and the [private vulnerability
539
+ reporting](https://github.com/vyuh-labs/dxkit/security/advisories/new)
540
+ channel.
541
+ - **[`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md)** — Contributor
542
+ Covenant 2.1.
543
+
544
+ Bug reports, feature requests, and questions: file an
545
+ [issue](https://github.com/vyuh-labs/dxkit/issues/new/choose) using
546
+ one of the templates.
547
+
548
+ ---
549
+
445
550
  ## License
446
551
 
447
552
  MIT
@@ -0,0 +1,112 @@
1
+ /**
2
+ * AnalysisResult — the canonical cross-process aggregate that every
3
+ * dxkit subcommand reads from instead of independently re-running the
4
+ * tool gather.
5
+ *
6
+ * Architectural posture:
7
+ *
8
+ * - **One gather per repo+SHA.** `vyuh-dxkit health`, `vulnerabilities`,
9
+ * `test-gaps`, `quality`, `dev-report`, `licenses`, `bom`, `dashboard`,
10
+ * and `coverage` all build OR read this same struct. When two
11
+ * subcommands run minutes apart on the same commit, they see byte-
12
+ * identical inputs — multi-consumer drift on shared metrics becomes
13
+ * structurally impossible.
14
+ *
15
+ * - **Provenance is part of the type.** `commitSha` + `dxkitVersion`
16
+ * + `schemaVersion` + `ignoreFileMtime` form the cache invalidation
17
+ * key. Any of them changing means the cached file is stale and the
18
+ * gather must rerun.
19
+ *
20
+ * - **Dirty trees never persist.** When the working tree has
21
+ * uncommitted changes, `workingTreeDirty` is true. The cache module
22
+ * refuses to read or write the on-disk file in that state; in-
23
+ * process callers can still share a single rebuild via the in-
24
+ * memory cache, but nothing reaches `.dxkit/cache/` on disk.
25
+ *
26
+ * - **`capabilities` + `metrics` are the canonical aggregates** —
27
+ * identical to what the health analyzer's internal gather produces,
28
+ * just persisted between processes. `CapabilityReport` already
29
+ * carries the canonical security aggregate (one severity-bucket
30
+ * source for every consumer). This envelope generalizes the same
31
+ * "one aggregate, many consumers" template up one architectural
32
+ * level: one `AnalysisResult` across the process boundary.
33
+ *
34
+ * - **`derived` is for lazily-materialized per-analyzer outputs**
35
+ * (LicensesReport, BomReport, DevReport, …). Empty at first;
36
+ * consumers widen the union as each analyzer migrates so a
37
+ * subcommand can fetch its pre-rendered report by name. Keeping
38
+ * it optional lets every consumer choose between "render from
39
+ * `capabilities` + `metrics`" and "read the cached derived report"
40
+ * without forcing a single answer up front.
41
+ */
42
+ import type { DetectedStack } from './types';
43
+ import type { CapabilityReport, HealthMetrics } from './analyzers/types';
44
+ /**
45
+ * Bump whenever the shape of `AnalysisResult` or any of its nested
46
+ * types changes in a way that makes an older cached JSON file
47
+ * incompatible. The cache module treats any mismatch as a hard miss
48
+ * and rebuilds from scratch.
49
+ */
50
+ export declare const ANALYSIS_RESULT_SCHEMA_VERSION: 3;
51
+ export type AnalysisResultSchemaVersion = typeof ANALYSIS_RESULT_SCHEMA_VERSION;
52
+ /**
53
+ * Reserved for lazily-materialized per-analyzer outputs. Empty at
54
+ * present; each analyzer that migrates onto the cache adds its
55
+ * rendered report under a named key here. Keeping the type optional
56
+ * and extensible lets analyzers migrate one at a time without forcing
57
+ * a single decision on which ones cache their derived output (vs
58
+ * render fresh on every call from `capabilities` + `metrics`).
59
+ */
60
+ export interface AnalysisResultDerived {
61
+ }
62
+ /**
63
+ * The non-provenance content of an `AnalysisResult` — what the
64
+ * gather pipeline actually produces. `cache.ts` accepts a builder
65
+ * function returning this shape and stamps the surrounding provenance
66
+ * itself, so callers don't have to hand-roll SHA / mtime / version
67
+ * detection.
68
+ */
69
+ export interface AnalysisResultBody {
70
+ stack: DetectedStack;
71
+ capabilities: CapabilityReport;
72
+ metrics: HealthMetrics;
73
+ derived?: AnalysisResultDerived;
74
+ }
75
+ /**
76
+ * The full cached envelope. Provenance fields up front, body fields
77
+ * follow. Serialized to JSON when persisted; the schema-version field
78
+ * makes future migrations explicit rather than relying on shape
79
+ * detection.
80
+ */
81
+ export interface AnalysisResult extends AnalysisResultBody {
82
+ /** Short SHA (`git rev-parse --short HEAD`). Empty when not in a git repo. */
83
+ commitSha: string;
84
+ /** Current branch name. Empty when not in a git repo. */
85
+ branch: string;
86
+ /** Absolute repo path the gather ran against. Disambiguates two
87
+ * worktrees of the same repo persisting independent caches. */
88
+ cwd: string;
89
+ /** ISO timestamp of when the result was built (NOT when it was last
90
+ * read from cache). Useful for "report is X minutes old" surfacing
91
+ * in the CLI and for distinguishing a fresh rebuild from a hit. */
92
+ builtAt: string;
93
+ /** Version of dxkit that produced the result. Different versions can
94
+ * produce different metrics (new tools added, scoring formulas
95
+ * changed); a version delta invalidates the cache. */
96
+ dxkitVersion: string;
97
+ /** Schema version of THIS envelope shape. See
98
+ * `ANALYSIS_RESULT_SCHEMA_VERSION`. */
99
+ schemaVersion: AnalysisResultSchemaVersion;
100
+ /** `.dxkit-ignore` mtime in ms (from `fs.statSync(...).mtimeMs`).
101
+ * `null` when the file doesn't exist. Differences invalidate the
102
+ * cache — ignore-rule changes alter what gets scanned, so cached
103
+ * metrics computed against the old ruleset are stale. */
104
+ ignoreFileMtime: number | null;
105
+ /** True when `git status --porcelain` reports any change. Dirty-tree
106
+ * results NEVER persist to disk and are not read back from disk
107
+ * (their commit SHA doesn't reflect the on-disk state). The flag
108
+ * surfaces in JSON-mode output so consumers know they're looking at
109
+ * an in-process-only result. */
110
+ workingTreeDirty: boolean;
111
+ }
112
+ //# sourceMappingURL=analysis-result.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"analysis-result.d.ts","sourceRoot":"","sources":["../src/analysis-result.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,EAAG,CAAU,CAAC;AACzD,MAAM,MAAM,2BAA2B,GAAG,OAAO,8BAA8B,CAAC;AAEhF;;;;;;;GAOG;AAWH,MAAM,WAAW,qBAAqB;CAAG;AAEzC;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,aAAa,CAAC;IACrB,YAAY,EAAE,gBAAgB,CAAC;IAC/B,OAAO,EAAE,aAAa,CAAC;IACvB,OAAO,CAAC,EAAE,qBAAqB,CAAC;CACjC;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAe,SAAQ,kBAAkB;IACxD,8EAA8E;IAC9E,SAAS,EAAE,MAAM,CAAC;IAElB,yDAAyD;IACzD,MAAM,EAAE,MAAM,CAAC;IAEf;oEACgE;IAChE,GAAG,EAAE,MAAM,CAAC;IAEZ;;wEAEoE;IACpE,OAAO,EAAE,MAAM,CAAC;IAEhB;;2DAEuD;IACvD,YAAY,EAAE,MAAM,CAAC;IAErB;4CACwC;IACxC,aAAa,EAAE,2BAA2B,CAAC;IAE3C;;;8DAG0D;IAC1D,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAE/B;;;;qCAIiC;IACjC,gBAAgB,EAAE,OAAO,CAAC;CAC3B"}
@@ -0,0 +1,52 @@
1
+ "use strict";
2
+ /**
3
+ * AnalysisResult — the canonical cross-process aggregate that every
4
+ * dxkit subcommand reads from instead of independently re-running the
5
+ * tool gather.
6
+ *
7
+ * Architectural posture:
8
+ *
9
+ * - **One gather per repo+SHA.** `vyuh-dxkit health`, `vulnerabilities`,
10
+ * `test-gaps`, `quality`, `dev-report`, `licenses`, `bom`, `dashboard`,
11
+ * and `coverage` all build OR read this same struct. When two
12
+ * subcommands run minutes apart on the same commit, they see byte-
13
+ * identical inputs — multi-consumer drift on shared metrics becomes
14
+ * structurally impossible.
15
+ *
16
+ * - **Provenance is part of the type.** `commitSha` + `dxkitVersion`
17
+ * + `schemaVersion` + `ignoreFileMtime` form the cache invalidation
18
+ * key. Any of them changing means the cached file is stale and the
19
+ * gather must rerun.
20
+ *
21
+ * - **Dirty trees never persist.** When the working tree has
22
+ * uncommitted changes, `workingTreeDirty` is true. The cache module
23
+ * refuses to read or write the on-disk file in that state; in-
24
+ * process callers can still share a single rebuild via the in-
25
+ * memory cache, but nothing reaches `.dxkit/cache/` on disk.
26
+ *
27
+ * - **`capabilities` + `metrics` are the canonical aggregates** —
28
+ * identical to what the health analyzer's internal gather produces,
29
+ * just persisted between processes. `CapabilityReport` already
30
+ * carries the canonical security aggregate (one severity-bucket
31
+ * source for every consumer). This envelope generalizes the same
32
+ * "one aggregate, many consumers" template up one architectural
33
+ * level: one `AnalysisResult` across the process boundary.
34
+ *
35
+ * - **`derived` is for lazily-materialized per-analyzer outputs**
36
+ * (LicensesReport, BomReport, DevReport, …). Empty at first;
37
+ * consumers widen the union as each analyzer migrates so a
38
+ * subcommand can fetch its pre-rendered report by name. Keeping
39
+ * it optional lets every consumer choose between "render from
40
+ * `capabilities` + `metrics`" and "read the cached derived report"
41
+ * without forcing a single answer up front.
42
+ */
43
+ Object.defineProperty(exports, "__esModule", { value: true });
44
+ exports.ANALYSIS_RESULT_SCHEMA_VERSION = void 0;
45
+ /**
46
+ * Bump whenever the shape of `AnalysisResult` or any of its nested
47
+ * types changes in a way that makes an older cached JSON file
48
+ * incompatible. The cache module treats any mismatch as a hard miss
49
+ * and rebuilds from scratch.
50
+ */
51
+ exports.ANALYSIS_RESULT_SCHEMA_VERSION = 3;
52
+ //# sourceMappingURL=analysis-result.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"analysis-result.js","sourceRoot":"","sources":["../src/analysis-result.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;;;AAKH;;;;;GAKG;AACU,QAAA,8BAA8B,GAAG,CAAU,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"detailed.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEhE,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;IAC/B,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EACP,iBAAiB,GACjB,qBAAqB,GACrB,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,WAAW,GACX,uBAAuB,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,cAAc,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CAChD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,iBAAiB,CA8HrE;AASD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CA6G9F"}
1
+ {"version":3,"file":"detailed.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEhE,MAAM,WAAW,eAAe;IAC9B,kCAAkC;IAClC,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;IAC/B,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EACP,iBAAiB,GACjB,qBAAqB,GACrB,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,WAAW,GACX,uBAAuB,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;CAC5C;AAED,MAAM,WAAW,iBAAkB,SAAQ,SAAS;IAClD,cAAc,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CAChD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,iBAAiB,CA8HrE;AASD,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAmI9F"}
@@ -152,6 +152,25 @@ function formatBomDetailedMarkdown(detailed, elapsed) {
152
152
  L.push(`- **Vuln-only entries (license gap):** ${s.vulnOnlyPackages}`);
153
153
  }
154
154
  L.push('');
155
+ // D070 (2.4.7): full per-root listing lives in the detailed report
156
+ // only — the main report collapses to a count + 5-root preview to
157
+ // stay scannable. One root per line here so customers auditing
158
+ // per-root attribution can grep / sort cleanly.
159
+ if (s.projectRoots.length > 1) {
160
+ L.push(`## Project Roots (${s.projectRoots.length})`);
161
+ L.push('');
162
+ L.push('Each row in the package tables unions the roots that installed the ' +
163
+ 'package; the full list is reproduced here for per-root audit. See the ' +
164
+ '`sources` column in `bom-<date>.xlsx` (when `--xlsx` is passed) for ' +
165
+ 'machine-readable per-row attribution.');
166
+ L.push('');
167
+ for (const r of s.projectRoots) {
168
+ L.push(`- \`${r}\``);
169
+ }
170
+ L.push('');
171
+ L.push('---');
172
+ L.push('');
173
+ }
155
174
  L.push(`> Reconciles with \`vyuh-dxkit vulnerabilities\`: that command counts ` +
156
175
  `per-advisory (${s.totalAdvisories}); bom collapses per-package ` +
157
176
  `(${s.vulnerablePackages}) so each xlsx row is one upgrade decision.`);
@@ -1 +1 @@
1
- {"version":3,"file":"detailed.js","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA0BH,4CA8HC;AASD,8DA6GC;AApPD,SAAgB,gBAAgB,CAAC,MAAiB;IAChD,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,sEAAsE;IACtE,iEAAiE;IACjE,gEAAgE;IAChE,oBAAoB;IACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,CAAC,WAAW;YAAE,SAAS;QAC7B,MAAM,UAAU,GAAG,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAC3D,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,WAAW,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAC/D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACnC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,UAAU;YACpB,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,sCAAsC;YAC7C,SAAS,EACP,+DAA+D;gBAC/D,mEAAmE;gBACnE,qEAAqE;YACvE,cAAc,EACZ,gEAAgE;gBAChE,6DAA6D;YAC/D,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC7D,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,UAAU;YACpB,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,qCAAqC;YAC5C,SAAS,EACP,gEAAgE;gBAChE,+DAA+D;gBAC/D,wCAAwC;YAC1C,cAAc,EACZ,gEAAgE;gBAChE,4DAA4D;YAC9D,QAAQ,EAAE,kBAAkB;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,aAAa;YACjB,KAAK,EAAE,2CAA2C;YAClD,SAAS,EACP,gEAAgE;gBAChE,gEAAgE;YAClE,cAAc,EACZ,+DAA+D;gBAC/D,mDAAmD;YACrD,QAAQ,EAAE,SAAS;SACpB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IACrD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,0CAA0C;YACjD,SAAS,EAAE,0DAA0D;YACrE,cAAc,EAAE,2CAA2C;YAC3D,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG;QAClB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QACpC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;KACvC,CAAC;IACF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,QAAQ;YAClB,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,iCAAiC;YACxC,SAAS,EAAE,gEAAgE;YAC3E,cAAc,EACZ,4DAA4D;gBAC5D,4DAA4D;gBAC5D,6BAA6B;YAC/B,QAAQ,EAAE,WAAW;SACtB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC1F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,KAAK;YACf,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,8BAA8B;YACrC,SAAS,EAAE,kDAAkD;YAC7D,cAAc,EAAE,8CAA8C;YAC9D,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACjE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,QAAQ;YAClB,EAAE,EAAE,uBAAuB;YAC3B,KAAK,EAAE,yCAAyC;YAChD,SAAS,EACP,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,wBAAwB;YAC1B,cAAc,EACZ,+DAA+D;gBAC/D,+DAA+D;gBAC/D,wCAAwC;YAC1C,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,GAAG,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,SAAgB,yBAAyB,CAAC,QAA2B,EAAE,OAAe;IACpF,MAAM,CAAC,GAAa,EAAE,CAAC;IACvB,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC;IAE3B,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IAC/C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,IAAI,CAAC,uBAAuB,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,eAAe,8BAA8B,CAAC,CAAC;IACnF,CAAC,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7E,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CACJ,wEAAwE;QACtE,iBAAiB,CAAC,CAAC,eAAe,+BAA+B;QACjE,IAAI,CAAC,CAAC,kBAAkB,6CAA6C,CACxE,CAAC;IACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,QAAQ,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,CAAC,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAChF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;YACjD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,uBAAuB,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC;YACpD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC/D,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC/D,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACrD,CAAC,CAAC,IAAI,CACJ,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,MAAM,IAAI,CACvF,CAAC;YACJ,CAAC;YACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,oEAAoE;IACpE,oEAAoE;IACpE,oCAAoC;IACpC,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IACpC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1F,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO;SAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;SACjC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACb,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,YAAY,EAAE,CAAC,CAAC,YAAY;QAC5B,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,OAAO,EAAE,CAAC,CAAC,OAAO;KACnB,CAAC,CAAC,CACJ;SACA,IAAI,CACH,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC5F,CAAC;IAEJ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,oBAAoB,CAAC,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAC5E,CAAC,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAC5E,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC1F,MAAM,IAAI,GAAG,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACtE,CAAC,CAAC,IAAI,CACJ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,UAAU,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,YAAY,IAAI,GAAG,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,MAAM,OAAO,IAAI,CAC3I,CAAC;QACJ,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACvE,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CACJ,gGAAgG,CACjG,CAAC;IACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
1
+ {"version":3,"file":"detailed.js","sourceRoot":"","sources":["../../../src/analyzers/bom/detailed.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AA0BH,4CA8HC;AASD,8DAmIC;AA1QD,SAAgB,gBAAgB,CAAC,MAAiB;IAChD,MAAM,UAAU,GAAsB,EAAE,CAAC;IAEzC,sEAAsE;IACtE,iEAAiE;IACjE,gEAAgE;IAChE,oBAAoB;IACpB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,CAAC,CAAC,WAAW;YAAE,SAAS;QAC7B,MAAM,UAAU,GAAG,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAC3D,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,WAAW,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAC/D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACnC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC1D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,UAAU;YACpB,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,sCAAsC;YAC7C,SAAS,EACP,+DAA+D;gBAC/D,mEAAmE;gBACnE,qEAAqE;YACvE,cAAc,EACZ,gEAAgE;gBAChE,6DAA6D;YAC/D,QAAQ,EAAE,aAAa;SACxB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC7D,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,UAAU;YACpB,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,qCAAqC;YAC5C,SAAS,EACP,gEAAgE;gBAChE,+DAA+D;gBAC/D,wCAAwC;YAC1C,cAAc,EACZ,gEAAgE;gBAChE,4DAA4D;YAC9D,QAAQ,EAAE,kBAAkB;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,aAAa;YACjB,KAAK,EAAE,2CAA2C;YAClD,SAAS,EACP,gEAAgE;gBAChE,gEAAgE;YAClE,cAAc,EACZ,+DAA+D;gBAC/D,mDAAmD;YACrD,QAAQ,EAAE,SAAS;SACpB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IACrD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,MAAM;YAChB,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,0CAA0C;YACjD,SAAS,EAAE,0DAA0D;YACrE,cAAc,EAAE,2CAA2C;YAC3D,QAAQ,EAAE,cAAc;SACzB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG;QAClB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;QACpC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;KACvC,CAAC;IACF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,QAAQ;YAClB,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,iCAAiC;YACxC,SAAS,EAAE,gEAAgE;YAC3E,cAAc,EACZ,4DAA4D;gBAC5D,4DAA4D;gBAC5D,6BAA6B;YAC/B,QAAQ,EAAE,WAAW;SACtB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC1F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,KAAK;YACf,EAAE,EAAE,WAAW;YACf,KAAK,EAAE,8BAA8B;YACrC,SAAS,EAAE,kDAAkD;YAC7D,cAAc,EAAE,8CAA8C;YAC9D,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACjE,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC;YACd,QAAQ,EAAE,QAAQ;YAClB,EAAE,EAAE,uBAAuB;YAC3B,KAAK,EAAE,yCAAyC;YAChD,SAAS,EACP,8DAA8D;gBAC9D,+DAA+D;gBAC/D,iEAAiE;gBACjE,wBAAwB;YAC1B,cAAc,EACZ,+DAA+D;gBAC/D,+DAA+D;gBAC/D,wCAAwC;YAC1C,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,GAAG,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC;AACnD,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,SAAgB,yBAAyB,CAAC,QAA2B,EAAE,OAAe;IACpF,MAAM,CAAC,GAAa,EAAE,CAAC;IACvB,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC;IAE3B,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IAC/C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,IAAI,CAAC,uBAAuB,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,eAAe,8BAA8B,CAAC,CAAC;IACnF,CAAC,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7E,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,mEAAmE;IACnE,kEAAkE;IAClE,+DAA+D;IAC/D,gDAAgD;IAChD,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,qEAAqE;YACnE,wEAAwE;YACxE,sEAAsE;YACtE,uCAAuC,CAC1C,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;YAC/B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,CAAC,CAAC,IAAI,CACJ,wEAAwE;QACtE,iBAAiB,CAAC,CAAC,eAAe,+BAA+B;QACjE,IAAI,CAAC,CAAC,kBAAkB,6CAA6C,CACxE,CAAC;IACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,QAAQ,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,CAAC,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACxD,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YAChF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;YACjD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,uBAAuB,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC;YACpD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC/D,CAAC,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YAC/D,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBACrD,CAAC,CAAC,IAAI,CACJ,OAAO,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,MAAM,IAAI,CACvF,CAAC;YACJ,CAAC;YACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,oEAAoE;IACpE,oEAAoE;IACpE,oCAAoC;IACpC,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IACpC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC1F,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO;SAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;SACjC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACb,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClB,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,YAAY,EAAE,CAAC,CAAC,YAAY;QAC5B,SAAS,EAAE,CAAC,CAAC,SAAS;QACtB,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,OAAO,EAAE,CAAC,CAAC,OAAO;KACnB,CAAC,CAAC,CACJ;SACA,IAAI,CACH,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC5F,CAAC;IAEJ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,oBAAoB,CAAC,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAC5E,CAAC,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAC5E,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC1F,MAAM,IAAI,GAAG,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YACtE,CAAC,CAAC,IAAI,CACJ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,UAAU,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,YAAY,IAAI,GAAG,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,MAAM,OAAO,IAAI,CAC3I,CAAC;QACJ,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACvE,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CACJ,gGAAgG,CACjG,CAAC;IACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
@@ -4,7 +4,8 @@
4
4
  * (CLAUDE.md rule 2). The gather just calls each, then walks both
5
5
  * result sets to build a per-package join keyed by `package@version`.
6
6
  */
7
- import type { DepVulnFinding } from '../../languages/capabilities/types';
7
+ import type { DepVulnSummary } from '../security/types';
8
+ import type { DepVulnFinding, LicensesResult } from '../../languages/capabilities/types';
8
9
  import type { BomEntry, BomTopLevelRollup } from './types';
9
10
  /**
10
11
  * Compare two version strings as semver triples. Strips a leading
@@ -58,34 +59,34 @@ export interface BomGatherResult {
58
59
  entries: BomEntry[];
59
60
  toolsUsed: string[];
60
61
  toolsUnavailable: string[];
61
- /** Cwd-relative project-root paths the gather walked. Length 1 for
62
- * single-root scans ("." ); length >1 for nested aggregation. */
63
- projectRoots: string[];
64
62
  }
65
63
  /**
66
- * Merge per-root gather results into one deduplicated set.
64
+ * Both pre-gathered envelopes are optional. The override pattern lets
65
+ * the analyzer layer hand BoM a canonical inventory + advisory set
66
+ * built once at repo-root, so the gather pipeline never re-walks the
67
+ * tree from a different cwd (the root cause of cross-consumer drift
68
+ * on the same logical metric — e.g. licenses-vs-BoM package count
69
+ * diverging on a deep C# monorepo because two walks visited two
70
+ * different subsets of csproj files).
67
71
  *
68
- * Dedupe key is `(package, version)` the same logical package at
69
- * the same version installed under two roots is the same artifact,
70
- * so reporting two rows would be noise. When the same key appears
71
- * under multiple roots:
72
+ * `depVulnsOverride`: shared dep-vuln set across nested callers.
73
+ * Pre-fix BoM called `gatherDepVulns(absRoot)` per sub-root, and
74
+ * the csharp pack's gather was cwd-sensitive at a sub-root with
75
+ * a stale `obj/project.assets.json` it returned 0 advisories via
76
+ * dotnet, while at repo-root with no `.csproj` it correctly fell
77
+ * back to `osv-scanner-nuget-direct` and surfaced them. Override +
78
+ * the pack-layer cwd-invariance work closed that gap.
72
79
  *
73
- * - `sources` unions the sub-paths
74
- * - `isTopLevel` OR-merges if any root treats the package as
75
- * top-level, the merged entry is top-level (upgrade decisions
76
- * surface under Top-Level Dep Groups)
77
- * - `vulns` unions with dedup on `(id, package, installedVersion)`
78
- * the same advisory reported from two roots collapses into
79
- * one finding but its `topLevelDep` list unions
80
- * - license metadata (licenseType, sourceUrl, etc.) prefers the
81
- * first root with non-UNKNOWN data, falling back to whatever
82
- * the first-seen entry carried
83
- *
84
- * Pure function; unit-testable without filesystem.
80
+ * `licensesOverride`: pre-gathered canonical license inventory.
81
+ * When set, the gather skips its own `gatherLicensesResult(cwd)`
82
+ * call and uses the override directly. `null` (a deliberate
83
+ * "license inventory exists but is empty / unavailable") is
84
+ * distinguished from `undefined` ("gather it yourself") the
85
+ * canonical analyzer-layer caller always passes the cached
86
+ * envelope shape verbatim.
85
87
  */
86
- export declare function mergeNestedBomEntries(perRoot: ReadonlyArray<{
87
- relPath: string;
88
- result: BomGatherResult;
89
- }>): BomGatherResult;
90
- export declare function gatherBomEntries(cwd: string): Promise<BomGatherResult>;
88
+ export declare function gatherBomEntries(cwd: string, options?: {
89
+ depVulnsOverride?: DepVulnSummary;
90
+ licensesOverride?: LicensesResult | null;
91
+ }): Promise<BomGatherResult>;
91
92
  //# sourceMappingURL=gather.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAkB,MAAM,oCAAoC,CAAC;AACzF,OAAO,KAAK,EAAE,QAAQ,EAAe,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAIxE;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAgB1D;AAED;mDACmD;AACnD,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAGpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,cAAc,EAAE,GAAG,MAAM,CAQrE;AAYD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAkCzF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACpB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B;sEACkE;IAClE,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,aAAa,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,eAAe,CAAA;CAAE,CAAC,GACnE,eAAe,CAkEjB;AAED,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAkF5E"}
1
+ {"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EACV,cAAc,EAEd,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,QAAQ,EAAe,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAIxE;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAgB1D;AAED;mDACmD;AACnD,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAGpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,cAAc,EAAE,GAAG,MAAM,CAQrE;AAYD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAkCzF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACpB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,MAAM,EACX,OAAO,GAAE;IACP,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC,gBAAgB,CAAC,EAAE,cAAc,GAAG,IAAI,CAAC;CACrC,GACL,OAAO,CAAC,eAAe,CAAC,CAmF1B"}