@vyuhlabs/dxkit 2.4.8 → 2.5.0

Files changed (243) hide show
  1. package/CHANGELOG.md +235 -0
  2. package/README.md +360 -439
  3. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  4. package/dist/analyzers/security/aggregator.js +4 -46
  5. package/dist/analyzers/security/aggregator.js.map +1 -1
  6. package/dist/analyzers/tools/fingerprint.d.ts +91 -26
  7. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  8. package/dist/analyzers/tools/fingerprint.js +111 -22
  9. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  10. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  11. package/dist/analyzers/tools/generic.js +6 -1
  12. package/dist/analyzers/tools/generic.js.map +1 -1
  13. package/dist/analyzers/tools/gitleaks.d.ts +24 -1
  14. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  15. package/dist/analyzers/tools/gitleaks.js +20 -11
  16. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  17. package/dist/analyzers/types.d.ts +6 -4
  18. package/dist/analyzers/types.d.ts.map +1 -1
  19. package/dist/baseline/baseline-file.d.ts +104 -0
  20. package/dist/baseline/baseline-file.d.ts.map +1 -0
  21. package/dist/baseline/baseline-file.js +110 -0
  22. package/dist/baseline/baseline-file.js.map +1 -0
  23. package/dist/baseline/check-renderers.d.ts +108 -0
  24. package/dist/baseline/check-renderers.d.ts.map +1 -0
  25. package/dist/baseline/check-renderers.js +379 -0
  26. package/dist/baseline/check-renderers.js.map +1 -0
  27. package/dist/baseline/check.d.ts +127 -0
  28. package/dist/baseline/check.d.ts.map +1 -0
  29. package/dist/baseline/check.js +462 -0
  30. package/dist/baseline/check.js.map +1 -0
  31. package/dist/baseline/content-hash.d.ts +83 -0
  32. package/dist/baseline/content-hash.d.ts.map +1 -0
  33. package/dist/baseline/content-hash.js +131 -0
  34. package/dist/baseline/content-hash.js.map +1 -0
  35. package/dist/baseline/create.d.ts +96 -0
  36. package/dist/baseline/create.d.ts.map +1 -0
  37. package/dist/baseline/create.js +339 -0
  38. package/dist/baseline/create.js.map +1 -0
  39. package/dist/baseline/entry-to-located.d.ts +35 -0
  40. package/dist/baseline/entry-to-located.d.ts.map +1 -0
  41. package/dist/baseline/entry-to-located.js +72 -0
  42. package/dist/baseline/entry-to-located.js.map +1 -0
  43. package/dist/baseline/finding-identity.d.ts +47 -0
  44. package/dist/baseline/finding-identity.d.ts.map +1 -0
  45. package/dist/baseline/finding-identity.js +292 -0
  46. package/dist/baseline/finding-identity.js.map +1 -0
  47. package/dist/baseline/git-aware-match.d.ts +146 -0
  48. package/dist/baseline/git-aware-match.d.ts.map +1 -0
  49. package/dist/baseline/git-aware-match.js +439 -0
  50. package/dist/baseline/git-aware-match.js.map +1 -0
  51. package/dist/baseline/policy.d.ts +171 -0
  52. package/dist/baseline/policy.d.ts.map +1 -0
  53. package/dist/baseline/policy.js +206 -0
  54. package/dist/baseline/policy.js.map +1 -0
  55. package/dist/baseline/producers/health.d.ts +30 -0
  56. package/dist/baseline/producers/health.d.ts.map +1 -0
  57. package/dist/baseline/producers/health.js +42 -0
  58. package/dist/baseline/producers/health.js.map +1 -0
  59. package/dist/baseline/producers/index.d.ts +164 -0
  60. package/dist/baseline/producers/index.d.ts.map +1 -0
  61. package/dist/baseline/producers/index.js +200 -0
  62. package/dist/baseline/producers/index.js.map +1 -0
  63. package/dist/baseline/producers/licenses.d.ts +23 -0
  64. package/dist/baseline/producers/licenses.d.ts.map +1 -0
  65. package/dist/baseline/producers/licenses.js +46 -0
  66. package/dist/baseline/producers/licenses.js.map +1 -0
  67. package/dist/baseline/producers/quality.d.ts +39 -0
  68. package/dist/baseline/producers/quality.d.ts.map +1 -0
  69. package/dist/baseline/producers/quality.js +84 -0
  70. package/dist/baseline/producers/quality.js.map +1 -0
  71. package/dist/baseline/producers/secret-hmac.d.ts +45 -0
  72. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
  73. package/dist/baseline/producers/secret-hmac.js +70 -0
  74. package/dist/baseline/producers/secret-hmac.js.map +1 -0
  75. package/dist/baseline/producers/security.d.ts +59 -0
  76. package/dist/baseline/producers/security.d.ts.map +1 -0
  77. package/dist/baseline/producers/security.js +135 -0
  78. package/dist/baseline/producers/security.js.map +1 -0
  79. package/dist/baseline/producers/tests.d.ts +36 -0
  80. package/dist/baseline/producers/tests.d.ts.map +1 -0
  81. package/dist/baseline/producers/tests.js +69 -0
  82. package/dist/baseline/producers/tests.js.map +1 -0
  83. package/dist/baseline/salt.d.ts +45 -0
  84. package/dist/baseline/salt.d.ts.map +1 -0
  85. package/dist/baseline/salt.js +113 -0
  86. package/dist/baseline/salt.js.map +1 -0
  87. package/dist/baseline/show.d.ts +79 -0
  88. package/dist/baseline/show.d.ts.map +1 -0
  89. package/dist/baseline/show.js +233 -0
  90. package/dist/baseline/show.js.map +1 -0
  91. package/dist/baseline/types.d.ts +482 -0
  92. package/dist/baseline/types.d.ts.map +1 -0
  93. package/dist/baseline/types.js +53 -0
  94. package/dist/baseline/types.js.map +1 -0
  95. package/dist/cli.d.ts.map +1 -1
  96. package/dist/cli.js +360 -81
  97. package/dist/cli.js.map +1 -1
  98. package/dist/codebase-scanner.d.ts.map +1 -1
  99. package/dist/codebase-scanner.js +0 -1
  100. package/dist/codebase-scanner.js.map +1 -1
  101. package/dist/constants.d.ts.map +1 -1
  102. package/dist/constants.js +0 -4
  103. package/dist/constants.js.map +1 -1
  104. package/dist/doctor.d.ts.map +1 -1
  105. package/dist/doctor.js +22 -25
  106. package/dist/doctor.js.map +1 -1
  107. package/dist/fail-on.d.ts +84 -0
  108. package/dist/fail-on.d.ts.map +1 -0
  109. package/dist/fail-on.js +128 -0
  110. package/dist/fail-on.js.map +1 -0
  111. package/dist/generator.d.ts.map +1 -1
  112. package/dist/generator.js +2 -141
  113. package/dist/generator.js.map +1 -1
  114. package/dist/languages/csharp.d.ts.map +1 -1
  115. package/dist/languages/csharp.js +0 -9
  116. package/dist/languages/csharp.js.map +1 -1
  117. package/dist/languages/go.d.ts.map +1 -1
  118. package/dist/languages/go.js +0 -15
  119. package/dist/languages/go.js.map +1 -1
  120. package/dist/languages/index.d.ts +1 -1
  121. package/dist/languages/index.d.ts.map +1 -1
  122. package/dist/languages/index.js.map +1 -1
  123. package/dist/languages/java.d.ts.map +1 -1
  124. package/dist/languages/java.js +0 -6
  125. package/dist/languages/java.js.map +1 -1
  126. package/dist/languages/kotlin.d.ts.map +1 -1
  127. package/dist/languages/kotlin.js +0 -11
  128. package/dist/languages/kotlin.js.map +1 -1
  129. package/dist/languages/python.d.ts.map +1 -1
  130. package/dist/languages/python.js +0 -15
  131. package/dist/languages/python.js.map +1 -1
  132. package/dist/languages/ruby.d.ts.map +1 -1
  133. package/dist/languages/ruby.js +0 -6
  134. package/dist/languages/ruby.js.map +1 -1
  135. package/dist/languages/rust.d.ts.map +1 -1
  136. package/dist/languages/rust.js +0 -4
  137. package/dist/languages/rust.js.map +1 -1
  138. package/dist/languages/types.d.ts +2 -28
  139. package/dist/languages/types.d.ts.map +1 -1
  140. package/dist/languages/typescript.d.ts.map +1 -1
  141. package/dist/languages/typescript.js +26 -4
  142. package/dist/languages/typescript.js.map +1 -1
  143. package/dist/lib.d.ts +2 -3
  144. package/dist/lib.d.ts.map +1 -1
  145. package/dist/lib.js +3 -6
  146. package/dist/lib.js.map +1 -1
  147. package/dist/prompts.d.ts.map +1 -1
  148. package/dist/prompts.js +0 -10
  149. package/dist/prompts.js.map +1 -1
  150. package/dist/report-schema.d.ts +42 -0
  151. package/dist/report-schema.d.ts.map +1 -0
  152. package/dist/report-schema.js +54 -0
  153. package/dist/report-schema.js.map +1 -0
  154. package/dist/ship-installers.d.ts +106 -0
  155. package/dist/ship-installers.d.ts.map +1 -0
  156. package/dist/ship-installers.js +415 -0
  157. package/dist/ship-installers.js.map +1 -0
  158. package/dist/types.d.ts +0 -4
  159. package/dist/types.d.ts.map +1 -1
  160. package/dist/update.d.ts.map +1 -1
  161. package/dist/update.js +0 -4
  162. package/dist/update.js.map +1 -1
  163. package/package.json +17 -11
  164. package/templates/.claude/agents/onboarding.md +5 -4
  165. package/templates/.claude/agents-available/codebase-explorer.md +1 -1
  166. package/templates/.claude/agents-available/debugger.md +2 -2
  167. package/templates/.claude/agents-available/health-auditor.md +2 -2
  168. package/templates/.claude/commands/doctor.md +20 -12
  169. package/templates/.claude/skills/build/SKILL.md.template +22 -30
  170. package/templates/.claude/skills/deploy/SKILL.md.template +5 -25
  171. package/templates/.claude/skills/doctor/SKILL.md +24 -47
  172. package/templates/.claude/skills/gcloud/SKILL.md +5 -5
  173. package/templates/.claude/skills/learned/SKILL.md +1 -1
  174. package/templates/.claude/skills/pulumi/SKILL.md +2 -2
  175. package/templates/.claude/skills/quality/SKILL.md.template +4 -23
  176. package/templates/.claude/skills/review/SKILL.md.template +4 -3
  177. package/templates/.claude/skills/scaffold/SKILL.md.template +5 -15
  178. package/templates/.claude/skills/secrets/SKILL.md +20 -21
  179. package/templates/.claude/skills/session/SKILL.md +20 -31
  180. package/templates/.claude/skills/test/SKILL.md.template +1 -7
  181. package/templates/.devcontainer/devcontainer.json +81 -0
  182. package/templates/.devcontainer/install-agent-clis.sh +42 -0
  183. package/templates/.devcontainer/post-create.sh +67 -0
  184. package/templates/.githooks/pre-commit +55 -0
  185. package/templates/.githooks/pre-push +63 -0
  186. package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
  187. package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
  188. package/templates/CLAUDE.md.template +62 -196
  189. package/dist/project-yaml.d.ts +0 -13
  190. package/dist/project-yaml.d.ts.map +0 -1
  191. package/dist/project-yaml.js +0 -188
  192. package/dist/project-yaml.js.map +0 -1
  193. package/templates/.ai/README.md +0 -117
  194. package/templates/.ai/prompts/execution-prompt.md +0 -9
  195. package/templates/.ai/prompts/planning-prompt.md +0 -18
  196. package/templates/.ai/prompts/session-end-template.md +0 -182
  197. package/templates/.ai/prompts/session-end.md +0 -132
  198. package/templates/.ai/prompts/session-start.md +0 -109
  199. package/templates/.ai/prompts/step-by-step.md +0 -113
  200. package/templates/.ai/sessions/.gitkeep +0 -0
  201. package/templates/.claude/commands/setup-pr-review.md +0 -72
  202. package/templates/.devcontainer/Dockerfile.dev.template +0 -89
  203. package/templates/.devcontainer/devcontainer.json.template +0 -184
  204. package/templates/.devcontainer/docker-compose.yml.template +0 -105
  205. package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
  206. package/templates/.devcontainer/post-create.sh.template +0 -298
  207. package/templates/.github/workflows/ci.yml.template +0 -399
  208. package/templates/.github/workflows/quality.yml.template +0 -376
  209. package/templates/.pre-commit-config.yaml.template +0 -106
  210. package/templates/.project/config/edit_config.py +0 -275
  211. package/templates/.project/config/project_config.py +0 -894
  212. package/templates/.project/scripts/codegen/generate-all.sh +0 -20
  213. package/templates/.project/scripts/codegen/validate-all.sh +0 -17
  214. package/templates/.project/scripts/docs/generate-all.sh +0 -30
  215. package/templates/.project/scripts/docs/serve.sh +0 -20
  216. package/templates/.project/scripts/quality/fix-all.sh +0 -138
  217. package/templates/.project/scripts/quality/lint-go.sh +0 -34
  218. package/templates/.project/scripts/quality/lint-python.sh +0 -54
  219. package/templates/.project/scripts/quality/run-all.sh +0 -497
  220. package/templates/.project/scripts/session/commit.sh +0 -70
  221. package/templates/.project/scripts/session/create-pr.sh +0 -165
  222. package/templates/.project/scripts/session/end.sh +0 -207
  223. package/templates/.project/scripts/session/start.sh +0 -233
  224. package/templates/.project/scripts/setup/doctor.sh +0 -404
  225. package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
  226. package/templates/.project/scripts/sync/sync-template.sh +0 -328
  227. package/templates/.project/scripts/test/run-all.sh +0 -179
  228. package/templates/.project/scripts/test/run-quick.sh +0 -25
  229. package/templates/Makefile +0 -514
  230. package/templates/config/versions.yaml +0 -57
  231. package/templates/configs/go/.golangci.yml.template +0 -172
  232. package/templates/configs/go/go.mod.template +0 -15
  233. package/templates/configs/java/README.md +0 -6
  234. package/templates/configs/kotlin/README.md +0 -6
  235. package/templates/configs/node/package.json.template +0 -67
  236. package/templates/configs/node/tsconfig.json.template +0 -53
  237. package/templates/configs/python/pyproject.toml.template +0 -92
  238. package/templates/configs/python/pytest.ini.template +0 -64
  239. package/templates/configs/python/ruff.toml.template +0 -79
  240. package/templates/configs/ruby/README.md +0 -6
  241. package/templates/configs/rust/Cargo.toml.template +0 -51
  242. package/templates/configs/shared/.editorconfig +0 -67
  243. package/templates/scripts/validate-templates.sh +0 -449
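--- a/package/dist/baseline/types.d.ts
+++ b/package/dist/baseline/types.d.ts
@@ -0,0 +1,482 @@
+/**
+* Baseline types — per-finding fingerprints carried in
+* `.dxkit-baseline.json` so the guardrail check can compare today's
+* scan against the recorded baseline.
+*
+* # Identity model
+*
+* dxkit does not treat a single hash as "the finding's stable
+* identity." Each finding has up to several fingerprint axes,
+* differentiated by what they capture:
+*
+* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
+* for code/secret/config/hygiene findings. Locates a finding
+* in the source tree with ±2 line drift tolerance via bucket
+* windowing. Stable across small reformat / whitespace edits;
+* drifts on bigger shifts (closed by git-aware match).
+* - **Domain fingerprint** — `(package, version, advisoryId)` for
+* dep-vulns; `(package, version, licenseType)` for licenses;
+* normalized block hash for jscpd. Captures *what the finding
+* is about* independent of source position. Drift-immune.
+* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
+* when a symbol is known. Survives any vertical drift within
+* the symbol body.
+* - **Content fingerprint** — Sprint 0.x. Normalized snippet
+* hash; fallback when git history is unreachable.
+*
+* The hash format is identical across axes — 16-char lowercase hex
+* (SHA-1[0:16]). Callers don't need to know which axis a hash came
+* from to use it for set-diff, but the matcher uses the axis
+* structure to layer different match strategies (domain first,
+* then git-aware location, then content fallback, then exact).
+*
+* The identity space mirrors the analyzer shapes that produce
+* findings. Each `IdentityInput` discriminant maps 1:1 to an existing
+* gather pipeline:
+*
+* - `secret` / `code` / `config` — security analyzer's
+* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
+* private-key files, env-in-git).
+* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
+* npm-audit, pip-audit, cargo-audit, etc.).
+* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
+* - `coverage-gap` — coverage-gap report entries (file + symbol
+* when available, fallback to file + line range).
+* - `test-gap` — non-test source files flagged by the test-gaps
+* analyzer.
+* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
+* occurrences (per-occurrence identity).
+* - `license` — package license attributions.
+*/
+/**
+* 16-char lowercase hex fingerprint. Same byte format as the
+* `fingerprint` field stamped on `DepVulnFinding` and `CodeFinding`,
+* so a baseline fingerprint compares directly to a fresh finding's
+* stamped value without re-hashing.
+*
+* Whether this represents a location, domain, semantic, or content
+* fingerprint depends on the finding kind — see the file header for
+* the axis model. For line-anchored kinds this is the location
+* fingerprint; for content-based kinds it IS the domain fingerprint.
+*/
+export type FindingId = string;
+/**
+* Identity-scheme version. Bumping this minor field will be required
+* if the hashing inputs change in a way that would invalidate stored
+* baselines. v1 is the only scheme today.
+*/
+export type IdentitySchemeVersion = 'v1';
+/**
+* Discriminated union of every finding kind that participates in
+* identity. Producers wrap their per-tool finding shape into one of
+* these before calling `identityFor`.
+*
+* Adding a new finding kind to the dispatch is a three-line change:
+* 1. Add the per-kind interface below.
+* 2. Append the interface name to this union.
+* 3. Add the corresponding case branch in `identityFor`.
+*
+* The hash format is SHA-1[0:16] across every kind — callers store
+* identities in one flat set without tracking provenance.
+*/
+export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | LicenseIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput;
+/** gitleaks + private-key files + similar secret detectors. */
+export interface SecretIdentityInput {
+readonly kind: 'secret';
+/** Producer tool name as reported by the analyzer (e.g. 'gitleaks'). */
+readonly tool: string;
+/** Producer-specific rule id. The canonical-rule map collapses
+* cross-tool overlaps where they exist. */
+readonly rule: string;
+/** Project-relative file path. */
+readonly file: string;
+/** 1-based line number. Bucketed to absorb small drift between
+* tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. */
+readonly line: number;
+}
+/** semgrep + TLS-bypass registry + per-language code-pattern providers. */
+export interface CodeIdentityInput {
+readonly kind: 'code';
+readonly tool: string;
+readonly rule: string;
+readonly file: string;
+readonly line: number;
+}
+/** Configuration-class findings (e.g. .env tracked in git). */
+export interface ConfigIdentityInput {
+readonly kind: 'config';
+readonly tool: string;
+readonly rule: string;
+readonly file: string;
+/** Line 0 acceptable for whole-file findings. */
+readonly line: number;
+}
+/** Dependency-advisory findings (osv-scanner / npm-audit / pip-audit / ...). */
+export interface DepVulnIdentityInput {
+readonly kind: 'dep-vuln';
+/** Package name as reported by the producer. */
+readonly package: string;
+/** Installed version string, when known. Absent for findings produced
+* without an accessible lockfile. */
+readonly installedVersion: string | undefined;
+/** Advisory id (GHSA / CVE / RUSTSEC / etc.). Producer-canonical. */
+readonly id: string;
+}
+/** jscpd-style duplicate-block findings. */
+export interface DuplicationIdentityInput {
+readonly kind: 'duplication';
+/** Files on each side of the duplicate pair. Order is normalized
+* inside `identityFor` so swapped sides hash identically. */
+readonly fileA: string;
+readonly fileB: string;
+/** Line count of the duplicated block. `lines` is preferred over
+* the `tokens` field jscpd also reports because jscpd's JSON
+* reporter does not populate `tokens` in practice — it's always
+* 0, which would degenerate the identity tuple and silently lose
+* the "block-size changes → identity changes" property. */
+readonly lines: number;
+/** Start line of the block on side A. Combined with `startLineB`
+* this distinguishes intra-file clones at different positions
+* (same `fileA === fileB`, different line ranges) which would
+* otherwise collapse to one identity. */
+readonly startLineA: number;
+/** Start line of the block on side B. */
+readonly startLineB: number;
+}
+/**
+* Coverage-gap findings — uncovered code surfaces. Identity prefers
+* `(file, symbol)` when the gap-detection pipeline has a symbol name
+* available (graphify-symbols), falling back to `(file, lineRange)`
+* otherwise.
+*/
+export interface CoverageGapIdentityInput {
+readonly kind: 'coverage-gap';
+readonly file: string;
+/** Function / method / class symbol. Present when the gap is
+* attributable to a named symbol; absent for line-range-only
+* attribution. */
+readonly symbol?: string;
+/** Inclusive `[startLine, endLine]`. Required when `symbol` is
+* absent. */
+readonly lineRange?: readonly [number, number];
+}
+/**
+* Test-gap source file — a non-test file flagged by the test-gaps
+* analyzer as lacking a matching test. Identity carries the risk
+* tier: a file moving from MEDIUM gap to CRITICAL gap deserves to
+* register as a fresh added finding (the previous lower-tier
+* identity disappears, a new higher-tier identity arrives), which is
+* the right guardrail signal for "this file's testing situation
+* regressed."
+*/
+export type TestGapRisk = 'critical' | 'high' | 'medium' | 'low';
+export interface TestGapIdentityInput {
+readonly kind: 'test-gap';
+readonly file: string;
+readonly risk: TestGapRisk;
+}
+/**
+* Hygiene marker — one TODO / FIXME / HACK / console-log / any-type
+* occurrence. Identity is per-occurrence so guardrails can fire on
+* "a new TODO was added" rather than just "the TODO count went up."
+* Line numbers are bucketed via the same line-window mechanism used
+* by code-finding fingerprints, so small drift from formatter runs
+* or unrelated edits doesn't churn identity.
+*/
+export type HygieneMarker = 'todo' | 'fixme' | 'hack' | 'console-log' | 'any-type';
+export interface HygieneOffenderIdentityInput {
+readonly kind: 'hygiene';
+readonly file: string;
+readonly line: number;
+readonly marker: HygieneMarker;
+}
+/**
+* Package license attribution. Identity includes the license type so
+* a license change on the same `(package, version)` pin registers
+* as a fresh finding — compliance teams want to know if a dependency
+* re-licenses under a different (perhaps more restrictive) license
+* even when no version bump happened.
+*/
+export interface LicenseIdentityInput {
+readonly kind: 'license';
+readonly package: string;
+readonly version: string;
+/** Canonical SPDX identifier (`'MIT'`, `'Apache-2.0'`, `'GPL-3.0'`,
+* `'UNKNOWN'`). Producer is the existing license-aggregation
+* pipeline; identity is byte-stable as long as the producer
+* reports the SPDX id consistently. */
+readonly licenseType: string;
+}
+/**
+* A test file flagged by the test-gaps analyzer as degraded — present
+* but not actively exercising the system under test. Identity carries
+* the degradation status because a file moving between states (an
+* empty stub becoming a schema-only test, or a commented-out test
+* being uncommented into an empty body) is a real change worth a
+* fresh guardrail signal.
+*/
+export type TestFileDegradationStatus = 'commented-out' | 'empty' | 'schema-only';
+export interface TestFileDegradationIdentityInput {
+readonly kind: 'test-file-degradation';
+readonly file: string;
+readonly status: TestFileDegradationStatus;
+}
+/**
+* A source file flagged by the quality analyzer's complexity signals
+* as a "god file" — a top offender for function count, function
+* length, or graphify-derived complexity. Identity is per-file: the
+* fact that this file IS a top offender is the durable signal. When
+* a different file becomes the top offender, identity changes
+* appropriately.
+*/
+export interface GodFileIdentityInput {
+readonly kind: 'god-file';
+readonly file: string;
+}
+/**
+* A stale on-disk artifact tracked in git — `.swp`, `.bak`, `.orig`,
+* `.tmp`, and similar editor / merge / backup leftovers. Identity
+* pairs the path with the offending suffix so a file moved between
+* directories registers as a fresh finding (the move ought to be
+* noticed) but a single file's identity stays stable across runs.
+*/
+export interface StaleFileIdentityInput {
+readonly kind: 'stale-file';
+readonly file: string;
+/** Lower-case suffix without the leading dot (`'swp'`, `'bak'`,
+* `'orig'`, `'tmp'`). The producer derives this from the file
+* extension; storing it in identity makes the reason for the
+* flag inspectable from the baseline alone. */
+readonly suffix: string;
+}
+/**
+* A source file flagged by the health analyzer as over the
+* largest-file threshold (today: 500 lines). Identity is per-file —
+* the fact that this specific file crossed the threshold is the
+* durable signal. Crossing back under the threshold removes the
+* identity; crossing back over re-adds it.
+*
+* Note: aggregate "the largest file grew by N lines" reporting is a
+* separate concern handled by `--fail-on-largest-file-size`; this
+* identity tracks the discrete "X is now too large" finding.
+*/
+export interface LargeFileIdentityInput {
+readonly kind: 'large-file';
+readonly file: string;
+}
+/**
+* Content-based identity for a detected secret. Companion to the
+* location-based `SecretIdentityInput` — both can describe the same
+* underlying finding, with the location identity locating WHERE the
+* secret lives and the HMAC identity locating WHAT secret it is.
+*
+* The producer (gitleaks provider in Phase 3) computes the HMAC via
+* `computeSecretHmac(secretValue, repoSalt)`. The salt lives in
+* `.dxkit/salt` per repo, generated once and gitignored — see the
+* baseline-create command for the salt-management contract.
+*
+* Identity-relocation use case: when a leaked token is copied from
+* `.env` to `src/config.ts`, the location identities differ but the
+* HMAC identities match. The matcher recognizes the move via HMAC
+* and reports the pair as relocated rather than added+removed.
+*
+* Producer never stores the raw secret. Only the HMAC enters the
+* baseline file, so a baseline leak doesn't leak secrets.
+*/
+export interface SecretHmacIdentityInput {
+readonly kind: 'secret-hmac';
+/** Producer tool name (e.g. 'gitleaks'). */
+readonly tool: string;
+/** Producer-specific rule id. The canonical-rule map applies here
+* too: two tools detecting the same secret class collapse to one
+* canonical rule. */
+readonly rule: string;
+/** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
+readonly hmac: string;
+}
+/**
+* Per-finding entry stored in a baseline. Carries identity plus the
+* minimum metadata needed for cross-run drift-tolerant matching —
+* never raw payloads (no titles, no secret content, no source
+* excerpts). Sufficient for set-diff and for future drift heuristics
+* (e.g. matching `(rule, file)` pairs across line shifts).
+*/
+export type BaselineEntry = {
+id: FindingId;
+kind: 'secret' | 'code' | 'config';
+tool: string;
+rule: string;
+file: string;
+line: number;
+/** 16-char hex hash of normalized context around `line` at
+* baseline-create time. Stamped via `computeContentHashFromCommit`;
+* the matcher's third pass uses it as a fallback when git-aware
+* location matching fails (shallow clones, force-pushed base,
+* context survives but line shifts past the fuzz window). Absent
+* when the producer couldn't read the file. */
+contentHash?: string;
+} | {
+id: FindingId;
+kind: 'dep-vuln';
+package: string;
+installedVersion?: string;
+advisoryId: string;
+} | {
+id: FindingId;
+kind: 'duplication';
+fileA: string;
+fileB: string;
+lines: number;
+startLineA: number;
+startLineB: number;
+} | {
+id: FindingId;
+kind: 'coverage-gap';
+file: string;
+symbol?: string;
+lineRange?: readonly [number, number];
+} | {
+id: FindingId;
+kind: 'test-gap';
+file: string;
+risk: TestGapRisk;
+} | {
+id: FindingId;
+kind: 'hygiene';
+file: string;
+line: number;
+marker: HygieneMarker;
+/** Same content-hash semantics as the secret/code/config variant
+* — populated when the producer can read the file at the
+* baseline commit. */
+contentHash?: string;
+} | {
+id: FindingId;
+kind: 'license';
+package: string;
+version: string;
+licenseType: string;
+} | {
+id: FindingId;
+kind: 'test-file-degradation';
+file: string;
+status: TestFileDegradationStatus;
+} | {
+id: FindingId;
+kind: 'god-file';
+file: string;
+} | {
+id: FindingId;
+kind: 'stale-file';
+file: string;
+suffix: string;
+} | {
+id: FindingId;
+kind: 'large-file';
+file: string;
+} | {
+id: FindingId;
+kind: 'secret-hmac';
+tool: string;
+rule: string;
+hmac: string;
+};
+/**
+* One pairing decision from the matcher. Carries enough context for
+* the guardrail to render a clear explanation ("this finding was
+* relocated from line 42 to line 57 via git diff, 0.95 confidence,
+* status: relocated") rather than a bare added/removed/persisted
+* label. Reasons are short codes plus human prose; consumers display
+* the prose and use the codes for filtering / policy decisions.
+*
+* `priorId` and `currentId` are both optional because:
+* - `added` → only `currentId` is present.
+* - `removed` → only `priorId` is present.
+* - `persisted` / `relocated` → both, and they may differ when a
+* location fingerprint shifted across the line-window boundary
+* (each "side" has its own hash even though they describe the
+* same finding).
+*/
+export type MatchStatus = 'persisted' | 'relocated' | 'added' | 'removed';
+export interface MatchReason {
+/** Short code: 'exact-id', 'git-line-exact', 'git-line-fuzz',
+* 'git-rename', 'multiset-occurrence'. */
+readonly code: string;
+/** Human-readable explanation suitable for end-user rendering. */
+readonly detail: string;
+}
+export interface MatchPair {
+readonly priorId?: FindingId;
+readonly currentId?: FindingId;
+readonly status: MatchStatus;
+/** Confidence in [0, 1]. 1.0 = exact identity; <1.0 = paired via
+* a fallback layer (git relocation, line-fuzz, rename). */
+readonly confidence: number;
+readonly reasons: ReadonlyArray<MatchReason>;
+}
+/**
+* Severity tier carried alongside each match pair for policy
+* classification. Mirrors the global severity vocabulary used by the
+* security analyzer and dimension scoring.
+*/
+export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low';
+/**
+* Full taxonomy of post-classification status values a guardrail
+* check can emit. Wider than `MatchStatus` because policy adds context
+* the matcher doesn't have:
+*
+* - `persisted` / `relocated` / `added` / `removed` — direct
+* pass-through of the matcher's pair status.
+* - `fixed` — a `removed` finding that the policy treats as a
+* positive event (resolution rather than disappearance). Today
+* this is informational only; Phase 3 distinguishes the two when
+* `--detailed` flags it.
+* - `newly_detected` — current-only finding that surfaced because
+* the scanner / ruleset / advisory DB / policy config changed,
+* not because a developer introduced new code. Parent category;
+* `tooling_drift` and `config_drift` are the specific subtypes.
+* - `tooling_drift` — scanner or advisory-db version differs
+* between baseline and current. Reclassified `added` is suspect.
+* - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
+* differs between runs.
+* - `probable_existing` — current-only with weak evidence it's
+* truly new (a prior near-match exists but didn't pair cleanly).
+* Reserved for the content-hash / semantic fallback layer in
+* Sprint 0.x.
+* - `uncertain` — confidence below the per-severity threshold;
+* the policy can't classify with conviction.
+*
+* The enum is the contract Phase 3's guardrail CLI reads. Today's
+* classifier emits a subset — the remaining states are reserved for
+* the Phase 3 baseline-metadata work that will provide the
+* contextual signals (scanner versions, config hashes, etc.).
+*/
+export type FindingStatus = 'persisted' | 'relocated' | 'added' | 'removed' | 'fixed' | 'newly_detected' | 'tooling_drift' | 'config_drift' | 'probable_existing' | 'uncertain';
+/**
+* Composite result of comparing two runs.
+*
+* The structured `pairs` field carries one entry per matched +
+* unmatched finding occurrence (multiset-aware: an identity that
+* occurs twice in prior and once in current produces three pairs —
+* one persisted, one removed).
+*
+* `persisted` / `added` / `removed` are flat-array views over the
+* pair set, retained for callers that want simple set-diff output
+* without the reason metadata. Identity values appear once per
+* occurrence (multiset, not set) — duplicate identities are NOT
+* collapsed.
+*
+* `gitAware` reports whether the git-aware location pass actually
+* ran. `degradedReason` carries a human-readable note when the
+* pass was skipped (no git, base SHA unreachable, etc.) so the
+* guardrail CLI can tell the user what mode it ran in.
+*/
+export interface MatchResult {
+readonly pairs: ReadonlyArray<MatchPair>;
+readonly persisted: ReadonlyArray<FindingId>;
+readonly added: ReadonlyArray<FindingId>;
+readonly removed: ReadonlyArray<FindingId>;
+readonly gitAware: boolean;
+readonly degradedReason?: string;
+}
+//# sourceMappingURL=types.d.ts.map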
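Review bot: The header comment on `SecretHmacIdentityInput` closes with `so a baseline leak doesn't leak secrets`, which overstates the protection: the 16-char HMAC stored in `.dxkit-baseline.json` is keyed with the `.dxkit/salt` the same comment describes, so anyone holding both files can confirm a guessed low-entropy secret against it, and a leaked baseline should still be treated as a trigger to rotate the secrets it fingerprints. I would replace that last sentence with `Only the HMAC enters the baseline file; it shields the secret only while .dxkit/salt stays private and is not a substitute for rotating a secret whose baseline has leaked.` Because this is compiled output, the edit belongs in the source the next hunk's map names (src/baseline/types.ts). Separately, `readonly code: string;` in `MatchReason` could be narrowed to the literals its own comment enumerates, `readonly code: 'exact-id' | 'git-line-exact' | 'git-line-fuzz' | 'git-rename' | 'multiset-occurrence';`, since the `MatchPair` header says consumers filter and make policy decisions on it. Finally, the `MatchResult` comment's example "occurs twice in prior and once in current produces three pairs — one persisted, one removed" enumerates only two pairs, so either the count or the list needs correcting.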
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;GAIG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEzC;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,oBAAoB,GACpB,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,CAAC;AAE5B,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;gDAC4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;6DACyD;IACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;0CACsC;IACtC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;kEAC8D;IAC9D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;;gEAI4D;IAC5D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;8CAG0C;IAC1C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;kBACc;IACd,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CA
AC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;4CAGwC;IACxC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;oDAGgD;IAChD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0BAEsB;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;oDAKgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,
EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;2BAEuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACzF;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC;AAErF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;gEAC4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd
,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
@@ -0,0 +1,53 @@
1
+ "use strict";
2
+ /**
3
+ * Baseline types — per-finding fingerprints carried in
4
+ * `.dxkit-baseline.json` so the guardrail check can compare today's
5
+ * scan against the recorded baseline.
6
+ *
7
+ * # Identity model
8
+ *
9
+ * dxkit does not treat a single hash as "the finding's stable
10
+ * identity." Each finding has up to several fingerprint axes,
11
+ * differentiated by what they capture:
12
+ *
13
+ * - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
14
+ * for code/secret/config/hygiene findings. Locates a finding
15
+ * in the source tree with ±2 line drift tolerance via bucket
16
+ * windowing. Stable across small reformat / whitespace edits;
17
+ * drifts on bigger shifts (closed by git-aware match).
18
+ * - **Domain fingerprint** — `(package, version, advisoryId)` for
19
+ * dep-vulns; `(package, version, licenseType)` for licenses;
20
+ * normalized block hash for jscpd. Captures *what the finding
21
+ * is about* independent of source position. Drift-immune.
22
+ * - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
23
+ * when a symbol is known. Survives any vertical drift within
24
+ * the symbol body.
25
+ * - **Content fingerprint** — Sprint 0.x. Normalized snippet
26
+ * hash; fallback when git history is unreachable.
27
+ *
28
+ * The hash format is identical across axes — 16-char lowercase hex
29
+ * (SHA-1[0:16]). Callers don't need to know which axis a hash came
30
+ * from to use it for set-diff, but the matcher uses the axis
31
+ * structure to layer different match strategies (domain first,
32
+ * then git-aware location, then content fallback, then exact).
33
+ *
34
+ * The identity space mirrors the analyzer shapes that produce
35
+ * findings. Each `IdentityInput` discriminant maps 1:1 to an existing
36
+ * gather pipeline:
37
+ *
38
+ * - `secret` / `code` / `config` — security analyzer's
39
+ * `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
40
+ * private-key files, env-in-git).
41
+ * - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
42
+ * npm-audit, pip-audit, cargo-audit, etc.).
43
+ * - `duplication` — quality analyzer's `CloneGroup` (jscpd).
44
+ * - `coverage-gap` — coverage-gap report entries (file + symbol
45
+ * when available, fallback to file + line range).
46
+ * - `test-gap` — non-test source files flagged by the test-gaps
47
+ * analyzer.
48
+ * - `hygiene` — TODO / FIXME / HACK / console-log / any-type
49
+ * occurrences (per-occurrence identity).
50
+ * - `license` — package license attributions.
51
+ */
52
+ Object.defineProperty(exports, "__esModule", { value: true });
53
+ //# sourceMappingURL=types.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG"}
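--- a/package/dist/cli.d.ts.map
+++ b/package/dist/cli.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAsFA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA6qCvD"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAkLA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAi6CvD"}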