@vyuhlabs/dxkit 2.4.8 → 2.5.0
- package/CHANGELOG.md +235 -0
- package/README.md +360 -439
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +4 -46
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +91 -26
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +111 -22
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +6 -1
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +24 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +20 -11
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/types.d.ts +6 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/baseline/baseline-file.d.ts +104 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -0
- package/dist/baseline/baseline-file.js +110 -0
- package/dist/baseline/baseline-file.js.map +1 -0
- package/dist/baseline/check-renderers.d.ts +108 -0
- package/dist/baseline/check-renderers.d.ts.map +1 -0
- package/dist/baseline/check-renderers.js +379 -0
- package/dist/baseline/check-renderers.js.map +1 -0
- package/dist/baseline/check.d.ts +127 -0
- package/dist/baseline/check.d.ts.map +1 -0
- package/dist/baseline/check.js +462 -0
- package/dist/baseline/check.js.map +1 -0
- package/dist/baseline/content-hash.d.ts +83 -0
- package/dist/baseline/content-hash.d.ts.map +1 -0
- package/dist/baseline/content-hash.js +131 -0
- package/dist/baseline/content-hash.js.map +1 -0
- package/dist/baseline/create.d.ts +96 -0
- package/dist/baseline/create.d.ts.map +1 -0
- package/dist/baseline/create.js +339 -0
- package/dist/baseline/create.js.map +1 -0
- package/dist/baseline/entry-to-located.d.ts +35 -0
- package/dist/baseline/entry-to-located.d.ts.map +1 -0
- package/dist/baseline/entry-to-located.js +72 -0
- package/dist/baseline/entry-to-located.js.map +1 -0
- package/dist/baseline/finding-identity.d.ts +47 -0
- package/dist/baseline/finding-identity.d.ts.map +1 -0
- package/dist/baseline/finding-identity.js +292 -0
- package/dist/baseline/finding-identity.js.map +1 -0
- package/dist/baseline/git-aware-match.d.ts +146 -0
- package/dist/baseline/git-aware-match.d.ts.map +1 -0
- package/dist/baseline/git-aware-match.js +439 -0
- package/dist/baseline/git-aware-match.js.map +1 -0
- package/dist/baseline/policy.d.ts +171 -0
- package/dist/baseline/policy.d.ts.map +1 -0
- package/dist/baseline/policy.js +206 -0
- package/dist/baseline/policy.js.map +1 -0
- package/dist/baseline/producers/health.d.ts +30 -0
- package/dist/baseline/producers/health.d.ts.map +1 -0
- package/dist/baseline/producers/health.js +42 -0
- package/dist/baseline/producers/health.js.map +1 -0
- package/dist/baseline/producers/index.d.ts +164 -0
- package/dist/baseline/producers/index.d.ts.map +1 -0
- package/dist/baseline/producers/index.js +200 -0
- package/dist/baseline/producers/index.js.map +1 -0
- package/dist/baseline/producers/licenses.d.ts +23 -0
- package/dist/baseline/producers/licenses.d.ts.map +1 -0
- package/dist/baseline/producers/licenses.js +46 -0
- package/dist/baseline/producers/licenses.js.map +1 -0
- package/dist/baseline/producers/quality.d.ts +39 -0
- package/dist/baseline/producers/quality.d.ts.map +1 -0
- package/dist/baseline/producers/quality.js +84 -0
- package/dist/baseline/producers/quality.js.map +1 -0
- package/dist/baseline/producers/secret-hmac.d.ts +45 -0
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
- package/dist/baseline/producers/secret-hmac.js +70 -0
- package/dist/baseline/producers/secret-hmac.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +59 -0
- package/dist/baseline/producers/security.d.ts.map +1 -0
- package/dist/baseline/producers/security.js +135 -0
- package/dist/baseline/producers/security.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +36 -0
- package/dist/baseline/producers/tests.d.ts.map +1 -0
- package/dist/baseline/producers/tests.js +69 -0
- package/dist/baseline/producers/tests.js.map +1 -0
- package/dist/baseline/salt.d.ts +45 -0
- package/dist/baseline/salt.d.ts.map +1 -0
- package/dist/baseline/salt.js +113 -0
- package/dist/baseline/salt.js.map +1 -0
- package/dist/baseline/show.d.ts +79 -0
- package/dist/baseline/show.d.ts.map +1 -0
- package/dist/baseline/show.js +233 -0
- package/dist/baseline/show.js.map +1 -0
- package/dist/baseline/types.d.ts +482 -0
- package/dist/baseline/types.d.ts.map +1 -0
- package/dist/baseline/types.js +53 -0
- package/dist/baseline/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +360 -81
- package/dist/cli.js.map +1 -1
- package/dist/codebase-scanner.d.ts.map +1 -1
- package/dist/codebase-scanner.js +0 -1
- package/dist/codebase-scanner.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -4
- package/dist/constants.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +22 -25
- package/dist/doctor.js.map +1 -1
- package/dist/fail-on.d.ts +84 -0
- package/dist/fail-on.d.ts.map +1 -0
- package/dist/fail-on.js +128 -0
- package/dist/fail-on.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +2 -141
- package/dist/generator.js.map +1 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +0 -9
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +0 -15
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +1 -1
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +0 -6
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +0 -11
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +0 -15
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +0 -6
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +0 -4
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +2 -28
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +26 -4
- package/dist/languages/typescript.js.map +1 -1
- package/dist/lib.d.ts +2 -3
- package/dist/lib.d.ts.map +1 -1
- package/dist/lib.js +3 -6
- package/dist/lib.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -10
- package/dist/prompts.js.map +1 -1
- package/dist/report-schema.d.ts +42 -0
- package/dist/report-schema.d.ts.map +1 -0
- package/dist/report-schema.js +54 -0
- package/dist/report-schema.js.map +1 -0
- package/dist/ship-installers.d.ts +106 -0
- package/dist/ship-installers.d.ts.map +1 -0
- package/dist/ship-installers.js +415 -0
- package/dist/ship-installers.js.map +1 -0
- package/dist/types.d.ts +0 -4
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +0 -4
- package/dist/update.js.map +1 -1
- package/package.json +17 -11
- package/templates/.claude/agents/onboarding.md +5 -4
- package/templates/.claude/agents-available/codebase-explorer.md +1 -1
- package/templates/.claude/agents-available/debugger.md +2 -2
- package/templates/.claude/agents-available/health-auditor.md +2 -2
- package/templates/.claude/commands/doctor.md +20 -12
- package/templates/.claude/skills/build/SKILL.md.template +22 -30
- package/templates/.claude/skills/deploy/SKILL.md.template +5 -25
- package/templates/.claude/skills/doctor/SKILL.md +24 -47
- package/templates/.claude/skills/gcloud/SKILL.md +5 -5
- package/templates/.claude/skills/learned/SKILL.md +1 -1
- package/templates/.claude/skills/pulumi/SKILL.md +2 -2
- package/templates/.claude/skills/quality/SKILL.md.template +4 -23
- package/templates/.claude/skills/review/SKILL.md.template +4 -3
- package/templates/.claude/skills/scaffold/SKILL.md.template +5 -15
- package/templates/.claude/skills/secrets/SKILL.md +20 -21
- package/templates/.claude/skills/session/SKILL.md +20 -31
- package/templates/.claude/skills/test/SKILL.md.template +1 -7
- package/templates/.devcontainer/devcontainer.json +81 -0
- package/templates/.devcontainer/install-agent-clis.sh +42 -0
- package/templates/.devcontainer/post-create.sh +67 -0
- package/templates/.githooks/pre-commit +55 -0
- package/templates/.githooks/pre-push +63 -0
- package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
- package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
- package/templates/CLAUDE.md.template +62 -196
- package/dist/project-yaml.d.ts +0 -13
- package/dist/project-yaml.d.ts.map +0 -1
- package/dist/project-yaml.js +0 -188
- package/dist/project-yaml.js.map +0 -1
- package/templates/.ai/README.md +0 -117
- package/templates/.ai/prompts/execution-prompt.md +0 -9
- package/templates/.ai/prompts/planning-prompt.md +0 -18
- package/templates/.ai/prompts/session-end-template.md +0 -182
- package/templates/.ai/prompts/session-end.md +0 -132
- package/templates/.ai/prompts/session-start.md +0 -109
- package/templates/.ai/prompts/step-by-step.md +0 -113
- package/templates/.ai/sessions/.gitkeep +0 -0
- package/templates/.claude/commands/setup-pr-review.md +0 -72
- package/templates/.devcontainer/Dockerfile.dev.template +0 -89
- package/templates/.devcontainer/devcontainer.json.template +0 -184
- package/templates/.devcontainer/docker-compose.yml.template +0 -105
- package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
- package/templates/.devcontainer/post-create.sh.template +0 -298
- package/templates/.github/workflows/ci.yml.template +0 -399
- package/templates/.github/workflows/quality.yml.template +0 -376
- package/templates/.pre-commit-config.yaml.template +0 -106
- package/templates/.project/config/edit_config.py +0 -275
- package/templates/.project/config/project_config.py +0 -894
- package/templates/.project/scripts/codegen/generate-all.sh +0 -20
- package/templates/.project/scripts/codegen/validate-all.sh +0 -17
- package/templates/.project/scripts/docs/generate-all.sh +0 -30
- package/templates/.project/scripts/docs/serve.sh +0 -20
- package/templates/.project/scripts/quality/fix-all.sh +0 -138
- package/templates/.project/scripts/quality/lint-go.sh +0 -34
- package/templates/.project/scripts/quality/lint-python.sh +0 -54
- package/templates/.project/scripts/quality/run-all.sh +0 -497
- package/templates/.project/scripts/session/commit.sh +0 -70
- package/templates/.project/scripts/session/create-pr.sh +0 -165
- package/templates/.project/scripts/session/end.sh +0 -207
- package/templates/.project/scripts/session/start.sh +0 -233
- package/templates/.project/scripts/setup/doctor.sh +0 -404
- package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
- package/templates/.project/scripts/sync/sync-template.sh +0 -328
- package/templates/.project/scripts/test/run-all.sh +0 -179
- package/templates/.project/scripts/test/run-quick.sh +0 -25
- package/templates/Makefile +0 -514
- package/templates/config/versions.yaml +0 -57
- package/templates/configs/go/.golangci.yml.template +0 -172
- package/templates/configs/go/go.mod.template +0 -15
- package/templates/configs/java/README.md +0 -6
- package/templates/configs/kotlin/README.md +0 -6
- package/templates/configs/node/package.json.template +0 -67
- package/templates/configs/node/tsconfig.json.template +0 -53
- package/templates/configs/python/pyproject.toml.template +0 -92
- package/templates/configs/python/pytest.ini.template +0 -64
- package/templates/configs/python/ruff.toml.template +0 -79
- package/templates/configs/ruby/README.md +0 -6
- package/templates/configs/rust/Cargo.toml.template +0 -51
- package/templates/configs/shared/.editorconfig +0 -67
- package/templates/scripts/validate-templates.sh +0 -449
|
@@ -0,0 +1,482 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Baseline types — per-finding fingerprints carried in
|
|
3
|
+
* `.dxkit-baseline.json` so the guardrail check can compare today's
|
|
4
|
+
* scan against the recorded baseline.
|
|
5
|
+
*
|
|
6
|
+
* # Identity model
|
|
7
|
+
*
|
|
8
|
+
* dxkit does not treat a single hash as "the finding's stable
|
|
9
|
+
* identity." Each finding has up to several fingerprint axes,
|
|
10
|
+
* differentiated by what they capture:
|
|
11
|
+
*
|
|
12
|
+
* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
|
|
13
|
+
* for code/secret/config/hygiene findings. Locates a finding
|
|
14
|
+
* in the source tree with ±2 line drift tolerance via bucket
|
|
15
|
+
* windowing. Stable across small reformat / whitespace edits;
|
|
16
|
+
* drifts on bigger shifts (closed by git-aware match).
|
|
17
|
+
* - **Domain fingerprint** — `(package, version, advisoryId)` for
|
|
18
|
+
* dep-vulns; `(package, version, licenseType)` for licenses;
|
|
19
|
+
* normalized block hash for jscpd. Captures *what the finding
|
|
20
|
+
* is about* independent of source position. Drift-immune.
|
|
21
|
+
* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
|
|
22
|
+
* when a symbol is known. Survives any vertical drift within
|
|
23
|
+
* the symbol body.
|
|
24
|
+
* - **Content fingerprint** — Sprint 0.x. Normalized snippet
|
|
25
|
+
* hash; fallback when git history is unreachable.
|
|
26
|
+
*
|
|
27
|
+
* The hash format is identical across axes — 16-char lowercase hex
|
|
28
|
+
* (SHA-1[0:16]). Callers don't need to know which axis a hash came
|
|
29
|
+
* from to use it for set-diff, but the matcher uses the axis
|
|
30
|
+
* structure to layer different match strategies (domain first,
|
|
31
|
+
* then git-aware location, then content fallback, then exact).
|
|
32
|
+
*
|
|
33
|
+
* The identity space mirrors the analyzer shapes that produce
|
|
34
|
+
* findings. Each `IdentityInput` discriminant maps 1:1 to an existing
|
|
35
|
+
* gather pipeline:
|
|
36
|
+
*
|
|
37
|
+
* - `secret` / `code` / `config` — security analyzer's
|
|
38
|
+
* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
|
|
39
|
+
* private-key files, env-in-git).
|
|
40
|
+
* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
|
|
41
|
+
* npm-audit, pip-audit, cargo-audit, etc.).
|
|
42
|
+
* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
|
|
43
|
+
* - `coverage-gap` — coverage-gap report entries (file + symbol
|
|
44
|
+
* when available, fallback to file + line range).
|
|
45
|
+
* - `test-gap` — non-test source files flagged by the test-gaps
|
|
46
|
+
* analyzer.
|
|
47
|
+
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
48
|
+
* occurrences (per-occurrence identity).
|
|
49
|
+
* - `license` — package license attributions.
|
|
50
|
+
*/
|
|
51
|
+
/**
|
|
52
|
+
* 16-char lowercase hex fingerprint. Same byte format as the
|
|
53
|
+
* `fingerprint` field stamped on `DepVulnFinding` and `CodeFinding`,
|
|
54
|
+
* so a baseline fingerprint compares directly to a fresh finding's
|
|
55
|
+
* stamped value without re-hashing.
|
|
56
|
+
*
|
|
57
|
+
* Whether this represents a location, domain, semantic, or content
|
|
58
|
+
* fingerprint depends on the finding kind — see the file header for
|
|
59
|
+
* the axis model. For line-anchored kinds this is the location
|
|
60
|
+
* fingerprint; for content-based kinds it IS the domain fingerprint.
|
|
61
|
+
*/
|
|
62
|
+
export type FindingId = string;
|
|
63
|
+
/**
|
|
64
|
+
* Identity-scheme version. Bumping this minor field will be required
|
|
65
|
+
* if the hashing inputs change in a way that would invalidate stored
|
|
66
|
+
* baselines. v1 is the only scheme today.
|
|
67
|
+
*/
|
|
68
|
+
export type IdentitySchemeVersion = 'v1';
|
|
69
|
+
/**
|
|
70
|
+
* Discriminated union of every finding kind that participates in
|
|
71
|
+
* identity. Producers wrap their per-tool finding shape into one of
|
|
72
|
+
* these before calling `identityFor`.
|
|
73
|
+
*
|
|
74
|
+
* Adding a new finding kind to the dispatch is a three-line change:
|
|
75
|
+
* 1. Add the per-kind interface below.
|
|
76
|
+
* 2. Append the interface name to this union.
|
|
77
|
+
* 3. Add the corresponding case branch in `identityFor`.
|
|
78
|
+
*
|
|
79
|
+
* The hash format is SHA-1[0:16] across every kind — callers store
|
|
80
|
+
* identities in one flat set without tracking provenance.
|
|
81
|
+
*/
|
|
82
|
+
export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | LicenseIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput;
|
|
83
|
+
/** gitleaks + private-key files + similar secret detectors. */
|
|
84
|
+
export interface SecretIdentityInput {
|
|
85
|
+
readonly kind: 'secret';
|
|
86
|
+
/** Producer tool name as reported by the analyzer (e.g. 'gitleaks'). */
|
|
87
|
+
readonly tool: string;
|
|
88
|
+
/** Producer-specific rule id. The canonical-rule map collapses
|
|
89
|
+
* cross-tool overlaps where they exist. */
|
|
90
|
+
readonly rule: string;
|
|
91
|
+
/** Project-relative file path. */
|
|
92
|
+
readonly file: string;
|
|
93
|
+
/** 1-based line number. Bucketed to absorb small drift between
|
|
94
|
+
* tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. */
|
|
95
|
+
readonly line: number;
|
|
96
|
+
}
|
|
97
|
+
/** semgrep + TLS-bypass registry + per-language code-pattern providers. */
|
|
98
|
+
export interface CodeIdentityInput {
|
|
99
|
+
readonly kind: 'code';
|
|
100
|
+
readonly tool: string;
|
|
101
|
+
readonly rule: string;
|
|
102
|
+
readonly file: string;
|
|
103
|
+
readonly line: number;
|
|
104
|
+
}
|
|
105
|
+
/** Configuration-class findings (e.g. .env tracked in git). */
|
|
106
|
+
export interface ConfigIdentityInput {
|
|
107
|
+
readonly kind: 'config';
|
|
108
|
+
readonly tool: string;
|
|
109
|
+
readonly rule: string;
|
|
110
|
+
readonly file: string;
|
|
111
|
+
/** Line 0 acceptable for whole-file findings. */
|
|
112
|
+
readonly line: number;
|
|
113
|
+
}
|
|
114
|
+
/** Dependency-advisory findings (osv-scanner / npm-audit / pip-audit / ...). */
|
|
115
|
+
export interface DepVulnIdentityInput {
|
|
116
|
+
readonly kind: 'dep-vuln';
|
|
117
|
+
/** Package name as reported by the producer. */
|
|
118
|
+
readonly package: string;
|
|
119
|
+
/** Installed version string, when known. Absent for findings produced
|
|
120
|
+
* without an accessible lockfile. */
|
|
121
|
+
readonly installedVersion: string | undefined;
|
|
122
|
+
/** Advisory id (GHSA / CVE / RUSTSEC / etc.). Producer-canonical. */
|
|
123
|
+
readonly id: string;
|
|
124
|
+
}
|
|
125
|
+
/** jscpd-style duplicate-block findings. */
|
|
126
|
+
export interface DuplicationIdentityInput {
|
|
127
|
+
readonly kind: 'duplication';
|
|
128
|
+
/** Files on each side of the duplicate pair. Order is normalized
|
|
129
|
+
* inside `identityFor` so swapped sides hash identically. */
|
|
130
|
+
readonly fileA: string;
|
|
131
|
+
readonly fileB: string;
|
|
132
|
+
/** Line count of the duplicated block. `lines` is preferred over
|
|
133
|
+
* the `tokens` field jscpd also reports because jscpd's JSON
|
|
134
|
+
* reporter does not populate `tokens` in practice — it's always
|
|
135
|
+
* 0, which would degenerate the identity tuple and silently lose
|
|
136
|
+
* the "block-size changes → identity changes" property. */
|
|
137
|
+
readonly lines: number;
|
|
138
|
+
/** Start line of the block on side A. Combined with `startLineB`
|
|
139
|
+
* this distinguishes intra-file clones at different positions
|
|
140
|
+
* (same `fileA === fileB`, different line ranges) which would
|
|
141
|
+
* otherwise collapse to one identity. */
|
|
142
|
+
readonly startLineA: number;
|
|
143
|
+
/** Start line of the block on side B. */
|
|
144
|
+
readonly startLineB: number;
|
|
145
|
+
}
|
|
146
|
+
/**
|
|
147
|
+
* Coverage-gap findings — uncovered code surfaces. Identity prefers
|
|
148
|
+
* `(file, symbol)` when the gap-detection pipeline has a symbol name
|
|
149
|
+
* available (graphify-symbols), falling back to `(file, lineRange)`
|
|
150
|
+
* otherwise.
|
|
151
|
+
*/
|
|
152
|
+
export interface CoverageGapIdentityInput {
|
|
153
|
+
readonly kind: 'coverage-gap';
|
|
154
|
+
readonly file: string;
|
|
155
|
+
/** Function / method / class symbol. Present when the gap is
|
|
156
|
+
* attributable to a named symbol; absent for line-range-only
|
|
157
|
+
* attribution. */
|
|
158
|
+
readonly symbol?: string;
|
|
159
|
+
/** Inclusive `[startLine, endLine]`. Required when `symbol` is
|
|
160
|
+
* absent. */
|
|
161
|
+
readonly lineRange?: readonly [number, number];
|
|
162
|
+
}
|
|
163
|
+
/**
|
|
164
|
+
* Test-gap source file — a non-test file flagged by the test-gaps
|
|
165
|
+
* analyzer as lacking a matching test. Identity carries the risk
|
|
166
|
+
* tier: a file moving from MEDIUM gap to CRITICAL gap deserves to
|
|
167
|
+
* register as a fresh added finding (the previous lower-tier
|
|
168
|
+
* identity disappears, a new higher-tier identity arrives), which is
|
|
169
|
+
* the right guardrail signal for "this file's testing situation
|
|
170
|
+
* regressed."
|
|
171
|
+
*/
|
|
172
|
+
export type TestGapRisk = 'critical' | 'high' | 'medium' | 'low';
|
|
173
|
+
export interface TestGapIdentityInput {
|
|
174
|
+
readonly kind: 'test-gap';
|
|
175
|
+
readonly file: string;
|
|
176
|
+
readonly risk: TestGapRisk;
|
|
177
|
+
}
|
|
178
|
+
/**
|
|
179
|
+
* Hygiene marker — one TODO / FIXME / HACK / console-log / any-type
|
|
180
|
+
* occurrence. Identity is per-occurrence so guardrails can fire on
|
|
181
|
+
* "a new TODO was added" rather than just "the TODO count went up."
|
|
182
|
+
* Line numbers are bucketed via the same line-window mechanism used
|
|
183
|
+
* by code-finding fingerprints, so small drift from formatter runs
|
|
184
|
+
* or unrelated edits doesn't churn identity.
|
|
185
|
+
*/
|
|
186
|
+
export type HygieneMarker = 'todo' | 'fixme' | 'hack' | 'console-log' | 'any-type';
|
|
187
|
+
export interface HygieneOffenderIdentityInput {
|
|
188
|
+
readonly kind: 'hygiene';
|
|
189
|
+
readonly file: string;
|
|
190
|
+
readonly line: number;
|
|
191
|
+
readonly marker: HygieneMarker;
|
|
192
|
+
}
|
|
193
|
+
/**
|
|
194
|
+
* Package license attribution. Identity includes the license type so
|
|
195
|
+
* a license change on the same `(package, version)` pin registers
|
|
196
|
+
* as a fresh finding — compliance teams want to know if a dependency
|
|
197
|
+
* re-licenses under a different (perhaps more restrictive) license
|
|
198
|
+
* even when no version bump happened.
|
|
199
|
+
*/
|
|
200
|
+
export interface LicenseIdentityInput {
|
|
201
|
+
readonly kind: 'license';
|
|
202
|
+
readonly package: string;
|
|
203
|
+
readonly version: string;
|
|
204
|
+
/** Canonical SPDX identifier (`'MIT'`, `'Apache-2.0'`, `'GPL-3.0'`,
|
|
205
|
+
* `'UNKNOWN'`). Producer is the existing license-aggregation
|
|
206
|
+
* pipeline; identity is byte-stable as long as the producer
|
|
207
|
+
* reports the SPDX id consistently. */
|
|
208
|
+
readonly licenseType: string;
|
|
209
|
+
}
|
|
210
|
+
/**
|
|
211
|
+
* A test file flagged by the test-gaps analyzer as degraded — present
|
|
212
|
+
* but not actively exercising the system under test. Identity carries
|
|
213
|
+
* the degradation status because a file moving between states (an
|
|
214
|
+
* empty stub becoming a schema-only test, or a commented-out test
|
|
215
|
+
* being uncommented into an empty body) is a real change worth a
|
|
216
|
+
* fresh guardrail signal.
|
|
217
|
+
*/
|
|
218
|
+
export type TestFileDegradationStatus = 'commented-out' | 'empty' | 'schema-only';
|
|
219
|
+
export interface TestFileDegradationIdentityInput {
|
|
220
|
+
readonly kind: 'test-file-degradation';
|
|
221
|
+
readonly file: string;
|
|
222
|
+
readonly status: TestFileDegradationStatus;
|
|
223
|
+
}
|
|
224
|
+
/**
|
|
225
|
+
* A source file flagged by the quality analyzer's complexity signals
|
|
226
|
+
* as a "god file" — a top offender for function count, function
|
|
227
|
+
* length, or graphify-derived complexity. Identity is per-file: the
|
|
228
|
+
* fact that this file IS a top offender is the durable signal. When
|
|
229
|
+
* a different file becomes the top offender, identity changes
|
|
230
|
+
* appropriately.
|
|
231
|
+
*/
|
|
232
|
+
export interface GodFileIdentityInput {
|
|
233
|
+
readonly kind: 'god-file';
|
|
234
|
+
readonly file: string;
|
|
235
|
+
}
|
|
236
|
+
/**
|
|
237
|
+
* A stale on-disk artifact tracked in git — `.swp`, `.bak`, `.orig`,
|
|
238
|
+
* `.tmp`, and similar editor / merge / backup leftovers. Identity
|
|
239
|
+
* pairs the path with the offending suffix so a file moved between
|
|
240
|
+
* directories registers as a fresh finding (the move ought to be
|
|
241
|
+
* noticed) but a single file's identity stays stable across runs.
|
|
242
|
+
*/
|
|
243
|
+
export interface StaleFileIdentityInput {
|
|
244
|
+
readonly kind: 'stale-file';
|
|
245
|
+
readonly file: string;
|
|
246
|
+
/** Lower-case suffix without the leading dot (`'swp'`, `'bak'`,
|
|
247
|
+
* `'orig'`, `'tmp'`). The producer derives this from the file
|
|
248
|
+
* extension; storing it in identity makes the reason for the
|
|
249
|
+
* flag inspectable from the baseline alone. */
|
|
250
|
+
readonly suffix: string;
|
|
251
|
+
}
|
|
252
|
+
/**
|
|
253
|
+
* A source file flagged by the health analyzer as over the
|
|
254
|
+
* largest-file threshold (today: 500 lines). Identity is per-file —
|
|
255
|
+
* the fact that this specific file crossed the threshold is the
|
|
256
|
+
* durable signal. Crossing back under the threshold removes the
|
|
257
|
+
* identity; crossing back over re-adds it.
|
|
258
|
+
*
|
|
259
|
+
* Note: aggregate "the largest file grew by N lines" reporting is a
|
|
260
|
+
* separate concern handled by `--fail-on-largest-file-size`; this
|
|
261
|
+
* identity tracks the discrete "X is now too large" finding.
|
|
262
|
+
*/
|
|
263
|
+
export interface LargeFileIdentityInput {
|
|
264
|
+
readonly kind: 'large-file';
|
|
265
|
+
readonly file: string;
|
|
266
|
+
}
|
|
267
|
+
/**
|
|
268
|
+
* Content-based identity for a detected secret. Companion to the
|
|
269
|
+
* location-based `SecretIdentityInput` — both can describe the same
|
|
270
|
+
* underlying finding, with the location identity locating WHERE the
|
|
271
|
+
* secret lives and the HMAC identity locating WHAT secret it is.
|
|
272
|
+
*
|
|
273
|
+
* The producer (gitleaks provider in Phase 3) computes the HMAC via
|
|
274
|
+
* `computeSecretHmac(secretValue, repoSalt)`. The salt lives in
|
|
275
|
+
* `.dxkit/salt` per repo, generated once and gitignored — see the
|
|
276
|
+
* baseline-create command for the salt-management contract.
|
|
277
|
+
*
|
|
278
|
+
* Identity-relocation use case: when a leaked token is copied from
|
|
279
|
+
* `.env` to `src/config.ts`, the location identities differ but the
|
|
280
|
+
* HMAC identities match. The matcher recognizes the move via HMAC
|
|
281
|
+
* and reports the pair as relocated rather than added+removed.
|
|
282
|
+
*
|
|
283
|
+
* Producer never stores the raw secret. Only the HMAC enters the
|
|
284
|
+
* baseline file, so a baseline leak doesn't leak secrets.
|
|
285
|
+
*/
|
|
286
|
+
export interface SecretHmacIdentityInput {
|
|
287
|
+
readonly kind: 'secret-hmac';
|
|
288
|
+
/** Producer tool name (e.g. 'gitleaks'). */
|
|
289
|
+
readonly tool: string;
|
|
290
|
+
/** Producer-specific rule id. The canonical-rule map applies here
|
|
291
|
+
* too: two tools detecting the same secret class collapse to one
|
|
292
|
+
* canonical rule. */
|
|
293
|
+
readonly rule: string;
|
|
294
|
+
/** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
|
|
295
|
+
readonly hmac: string;
|
|
296
|
+
}
|
|
297
|
+
/**
|
|
298
|
+
* Per-finding entry stored in a baseline. Carries identity plus the
|
|
299
|
+
* minimum metadata needed for cross-run drift-tolerant matching —
|
|
300
|
+
* never raw payloads (no titles, no secret content, no source
|
|
301
|
+
* excerpts). Sufficient for set-diff and for future drift heuristics
|
|
302
|
+
* (e.g. matching `(rule, file)` pairs across line shifts).
|
|
303
|
+
*/
|
|
304
|
+
export type BaselineEntry = {
|
|
305
|
+
id: FindingId;
|
|
306
|
+
kind: 'secret' | 'code' | 'config';
|
|
307
|
+
tool: string;
|
|
308
|
+
rule: string;
|
|
309
|
+
file: string;
|
|
310
|
+
line: number;
|
|
311
|
+
/** 16-char hex hash of normalized context around `line` at
|
|
312
|
+
* baseline-create time. Stamped via `computeContentHashFromCommit`;
|
|
313
|
+
* the matcher's third pass uses it as a fallback when git-aware
|
|
314
|
+
* location matching fails (shallow clones, force-pushed base,
|
|
315
|
+
* context survives but line shifts past the fuzz window). Absent
|
|
316
|
+
* when the producer couldn't read the file. */
|
|
317
|
+
contentHash?: string;
|
|
318
|
+
} | {
|
|
319
|
+
id: FindingId;
|
|
320
|
+
kind: 'dep-vuln';
|
|
321
|
+
package: string;
|
|
322
|
+
installedVersion?: string;
|
|
323
|
+
advisoryId: string;
|
|
324
|
+
} | {
|
|
325
|
+
id: FindingId;
|
|
326
|
+
kind: 'duplication';
|
|
327
|
+
fileA: string;
|
|
328
|
+
fileB: string;
|
|
329
|
+
lines: number;
|
|
330
|
+
startLineA: number;
|
|
331
|
+
startLineB: number;
|
|
332
|
+
} | {
|
|
333
|
+
id: FindingId;
|
|
334
|
+
kind: 'coverage-gap';
|
|
335
|
+
file: string;
|
|
336
|
+
symbol?: string;
|
|
337
|
+
lineRange?: readonly [number, number];
|
|
338
|
+
} | {
|
|
339
|
+
id: FindingId;
|
|
340
|
+
kind: 'test-gap';
|
|
341
|
+
file: string;
|
|
342
|
+
risk: TestGapRisk;
|
|
343
|
+
} | {
|
|
344
|
+
id: FindingId;
|
|
345
|
+
kind: 'hygiene';
|
|
346
|
+
file: string;
|
|
347
|
+
line: number;
|
|
348
|
+
marker: HygieneMarker;
|
|
349
|
+
/** Same content-hash semantics as the secret/code/config variant
|
|
350
|
+
* — populated when the producer can read the file at the
|
|
351
|
+
* baseline commit. */
|
|
352
|
+
contentHash?: string;
|
|
353
|
+
} | {
|
|
354
|
+
id: FindingId;
|
|
355
|
+
kind: 'license';
|
|
356
|
+
package: string;
|
|
357
|
+
version: string;
|
|
358
|
+
licenseType: string;
|
|
359
|
+
} | {
|
|
360
|
+
id: FindingId;
|
|
361
|
+
kind: 'test-file-degradation';
|
|
362
|
+
file: string;
|
|
363
|
+
status: TestFileDegradationStatus;
|
|
364
|
+
} | {
|
|
365
|
+
id: FindingId;
|
|
366
|
+
kind: 'god-file';
|
|
367
|
+
file: string;
|
|
368
|
+
} | {
|
|
369
|
+
id: FindingId;
|
|
370
|
+
kind: 'stale-file';
|
|
371
|
+
file: string;
|
|
372
|
+
suffix: string;
|
|
373
|
+
} | {
|
|
374
|
+
id: FindingId;
|
|
375
|
+
kind: 'large-file';
|
|
376
|
+
file: string;
|
|
377
|
+
} | {
|
|
378
|
+
id: FindingId;
|
|
379
|
+
kind: 'secret-hmac';
|
|
380
|
+
tool: string;
|
|
381
|
+
rule: string;
|
|
382
|
+
hmac: string;
|
|
383
|
+
};
|
|
384
|
+
/**
|
|
385
|
+
* One pairing decision from the matcher. Carries enough context for
|
|
386
|
+
* the guardrail to render a clear explanation ("this finding was
|
|
387
|
+
* relocated from line 42 to line 57 via git diff, 0.95 confidence,
|
|
388
|
+
* status: relocated") rather than a bare added/removed/persisted
|
|
389
|
+
* label. Reasons are short codes plus human prose; consumers display
|
|
390
|
+
* the prose and use the codes for filtering / policy decisions.
|
|
391
|
+
*
|
|
392
|
+
* `priorId` and `currentId` are both optional because:
|
|
393
|
+
* - `added` → only `currentId` is present.
|
|
394
|
+
* - `removed` → only `priorId` is present.
|
|
395
|
+
* - `persisted` / `relocated` → both, and they may differ when a
|
|
396
|
+
* location fingerprint shifted across the line-window boundary
|
|
397
|
+
* (each "side" has its own hash even though they describe the
|
|
398
|
+
* same finding).
|
|
399
|
+
*/
|
|
400
|
+
export type MatchStatus = 'persisted' | 'relocated' | 'added' | 'removed';
|
|
401
|
+
export interface MatchReason {
|
|
402
|
+
/** Short code: 'exact-id', 'git-line-exact', 'git-line-fuzz',
|
|
403
|
+
* 'git-rename', 'multiset-occurrence'. */
|
|
404
|
+
readonly code: string;
|
|
405
|
+
/** Human-readable explanation suitable for end-user rendering. */
|
|
406
|
+
readonly detail: string;
|
|
407
|
+
}
|
|
408
|
+
export interface MatchPair {
|
|
409
|
+
readonly priorId?: FindingId;
|
|
410
|
+
readonly currentId?: FindingId;
|
|
411
|
+
readonly status: MatchStatus;
|
|
412
|
+
/** Confidence in [0, 1]. 1.0 = exact identity; <1.0 = paired via
|
|
413
|
+
* a fallback layer (git relocation, line-fuzz, rename). */
|
|
414
|
+
readonly confidence: number;
|
|
415
|
+
readonly reasons: ReadonlyArray<MatchReason>;
|
|
416
|
+
}
|
|
417
|
+
/**
|
|
418
|
+
* Severity tier carried alongside each match pair for policy
|
|
419
|
+
* classification. Mirrors the global severity vocabulary used by the
|
|
420
|
+
* security analyzer and dimension scoring.
|
|
421
|
+
*/
|
|
422
|
+
export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low';
|
|
423
|
+
/**
|
|
424
|
+
* Full taxonomy of post-classification status values a guardrail
|
|
425
|
+
* check can emit. Wider than `MatchStatus` because policy adds context
|
|
426
|
+
* the matcher doesn't have:
|
|
427
|
+
*
|
|
428
|
+
* - `persisted` / `relocated` / `added` / `removed` — direct
|
|
429
|
+
* pass-through of the matcher's pair status.
|
|
430
|
+
* - `fixed` — a `removed` finding that the policy treats as a
|
|
431
|
+
* positive event (resolution rather than disappearance). Today
|
|
432
|
+
* this is informational only; Phase 3 distinguishes the two when
|
|
433
|
+
* `--detailed` flags it.
|
|
434
|
+
* - `newly_detected` — current-only finding that surfaced because
|
|
435
|
+
* the scanner / ruleset / advisory DB / policy config changed,
|
|
436
|
+
* not because a developer introduced new code. Parent category;
|
|
437
|
+
* `tooling_drift` and `config_drift` are the specific subtypes.
|
|
438
|
+
* - `tooling_drift` — scanner or advisory-db version differs
|
|
439
|
+
* between baseline and current. Reclassified `added` is suspect.
|
|
440
|
+
* - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
|
|
441
|
+
* differs between runs.
|
|
442
|
+
* - `probable_existing` — current-only with weak evidence it's
|
|
443
|
+
* truly new (a prior near-match exists but didn't pair cleanly).
|
|
444
|
+
* Reserved for the content-hash / semantic fallback layer in
|
|
445
|
+
* Sprint 0.x.
|
|
446
|
+
* - `uncertain` — confidence below the per-severity threshold;
|
|
447
|
+
* the policy can't classify with conviction.
|
|
448
|
+
*
|
|
449
|
+
* The enum is the contract Phase 3's guardrail CLI reads. Today's
|
|
450
|
+
* classifier emits a subset — the remaining states are reserved for
|
|
451
|
+
* the Phase 3 baseline-metadata work that will provide the
|
|
452
|
+
* contextual signals (scanner versions, config hashes, etc.).
|
|
453
|
+
*/
|
|
454
|
+
export type FindingStatus = 'persisted' | 'relocated' | 'added' | 'removed' | 'fixed' | 'newly_detected' | 'tooling_drift' | 'config_drift' | 'probable_existing' | 'uncertain';
|
|
455
|
+
/**
|
|
456
|
+
* Composite result of comparing two runs.
|
|
457
|
+
*
|
|
458
|
+
* The structured `pairs` field carries one entry per matched +
|
|
459
|
+
* unmatched finding occurrence (multiset-aware: an identity that
|
|
460
|
+
* occurs twice in prior and once in current produces three pairs —
|
|
461
|
+
* one persisted, one removed).
|
|
462
|
+
*
|
|
463
|
+
* `persisted` / `added` / `removed` are flat-array views over the
|
|
464
|
+
* pair set, retained for callers that want simple set-diff output
|
|
465
|
+
* without the reason metadata. Identity values appear once per
|
|
466
|
+
* occurrence (multiset, not set) — duplicate identities are NOT
|
|
467
|
+
* collapsed.
|
|
468
|
+
*
|
|
469
|
+
* `gitAware` reports whether the git-aware location pass actually
|
|
470
|
+
* ran. `degradedReason` carries a human-readable note when the
|
|
471
|
+
* pass was skipped (no git, base SHA unreachable, etc.) so the
|
|
472
|
+
* guardrail CLI can tell the user what mode it ran in.
|
|
473
|
+
*/
|
|
474
|
+
export interface MatchResult {
|
|
475
|
+
readonly pairs: ReadonlyArray<MatchPair>;
|
|
476
|
+
readonly persisted: ReadonlyArray<FindingId>;
|
|
477
|
+
readonly added: ReadonlyArray<FindingId>;
|
|
478
|
+
readonly removed: ReadonlyArray<FindingId>;
|
|
479
|
+
readonly gitAware: boolean;
|
|
480
|
+
readonly degradedReason?: string;
|
|
481
|
+
}
|
|
482
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;GAIG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEzC;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,oBAAoB,GACpB,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,CAAC;AAE5B,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;gDAC4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;6DACyD;IACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;0CACsC;IACtC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;kEAC8D;IAC9D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;;gEAI4D;IAC5D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;8CAG0C;IAC1C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;kBACc;IACd,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC
,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;4CAGwC;IACxC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;oDAGgD;IAChD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0BAEsB;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;oDAKgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EA
AE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;2BAEuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACzF;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC;AAErF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;gEAC4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,m
BAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Baseline types — per-finding fingerprints carried in
|
|
4
|
+
* `.dxkit-baseline.json` so the guardrail check can compare today's
|
|
5
|
+
* scan against the recorded baseline.
|
|
6
|
+
*
|
|
7
|
+
* # Identity model
|
|
8
|
+
*
|
|
9
|
+
* dxkit does not treat a single hash as "the finding's stable
|
|
10
|
+
* identity." Each finding has up to several fingerprint axes,
|
|
11
|
+
* differentiated by what they capture:
|
|
12
|
+
*
|
|
13
|
+
* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
|
|
14
|
+
* for code/secret/config/hygiene findings. Locates a finding
|
|
15
|
+
* in the source tree with ±2 line drift tolerance via bucket
|
|
16
|
+
* windowing. Stable across small reformat / whitespace edits;
|
|
17
|
+
* drifts on bigger shifts (closed by git-aware match).
|
|
18
|
+
* - **Domain fingerprint** — `(package, version, advisoryId)` for
|
|
19
|
+
* dep-vulns; `(package, version, licenseType)` for licenses;
|
|
20
|
+
* normalized block hash for jscpd. Captures *what the finding
|
|
21
|
+
* is about* independent of source position. Drift-immune.
|
|
22
|
+
* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
|
|
23
|
+
* when a symbol is known. Survives any vertical drift within
|
|
24
|
+
* the symbol body.
|
|
25
|
+
* - **Content fingerprint** — Sprint 0.x. Normalized snippet
|
|
26
|
+
* hash; fallback when git history is unreachable.
|
|
27
|
+
*
|
|
28
|
+
* The hash format is identical across axes — 16-char lowercase hex
|
|
29
|
+
* (SHA-1[0:16]). Callers don't need to know which axis a hash came
|
|
30
|
+
* from to use it for set-diff, but the matcher uses the axis
|
|
31
|
+
* structure to layer different match strategies (domain first,
|
|
32
|
+
* then git-aware location, then content fallback, then exact).
|
|
33
|
+
*
|
|
34
|
+
* The identity space mirrors the analyzer shapes that produce
|
|
35
|
+
* findings. Each `IdentityInput` discriminant maps 1:1 to an existing
|
|
36
|
+
* gather pipeline:
|
|
37
|
+
*
|
|
38
|
+
* - `secret` / `code` / `config` — security analyzer's
|
|
39
|
+
* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
|
|
40
|
+
* private-key files, env-in-git).
|
|
41
|
+
* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
|
|
42
|
+
* npm-audit, pip-audit, cargo-audit, etc.).
|
|
43
|
+
* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
|
|
44
|
+
* - `coverage-gap` — coverage-gap report entries (file + symbol
|
|
45
|
+
* when available, fallback to file + line range).
|
|
46
|
+
* - `test-gap` — non-test source files flagged by the test-gaps
|
|
47
|
+
* analyzer.
|
|
48
|
+
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
49
|
+
* occurrences (per-occurrence identity).
|
|
50
|
+
* - `license` — package license attributions.
|
|
51
|
+
*/
|
|
52
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
53
|
+
//# sourceMappingURL=types.js.map
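Review bot: The match-strategy ordering in the identity-model header (`domain first, then git-aware location, then content fallback, then exact`) contradicts the `MatchPair.confidence` contract in the accompanying `types.d.ts`, where `1.0 = exact identity` and git relocation / line-fuzz / rename are the `<1.0` fallback layers, so one of the two descriptions is wrong and the header is probably the one to fix. The header should also say what the content fingerprint for `secret` findings is hashed over: `.dxkit-baseline.json` is a committed artifact, and a truncated-SHA-1 hash of a raw secret value inside it would be an offline verification oracle for that secret; the `secret-hmac` identity kind suggests a keyed hash exists for this, but the header does not state whether the content axis uses it. Suggested addition after the "hash format" paragraph: ` * Hashes are truncated SHA-1 and serve only as non-cryptographic identity for set-diff — not an integrity or collision-resistance guarantee. Content fingerprints for secret findings must never be derived from the raw matched value; use the keyed secret-hmac identity instead.` The module is complete within this hunk.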
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG"}
|
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAkLA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAi6CvD"}
|