@vyuhlabs/dxkit 2.5.1 → 2.6.0
- package/CHANGELOG.md +318 -0
- package/README.md +150 -28
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +25 -8
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +154 -13
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -10
- package/dist/constants.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +0 -15
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts +78 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +590 -101
- package/dist/doctor.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +15 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +2 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +2 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +25 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +44 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +2 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +2 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +11 -1
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +2 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +2 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +45 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +2 -0
- package/dist/languages/typescript.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -5
- package/dist/prompts.js.map +1 -1
- package/dist/setup-branch-protection.d.ts +34 -0
- package/dist/setup-branch-protection.d.ts.map +1 -0
- package/dist/setup-branch-protection.js +190 -0
- package/dist/setup-branch-protection.js.map +1 -0
- package/dist/setup-gh.d.ts +75 -0
- package/dist/setup-gh.d.ts.map +1 -0
- package/dist/setup-gh.js +213 -0
- package/dist/setup-gh.js.map +1 -0
- package/dist/setup-prebuild.d.ts +34 -0
- package/dist/setup-prebuild.d.ts.map +1 -0
- package/dist/setup-prebuild.js +181 -0
- package/dist/setup-prebuild.js.map +1 -0
- package/dist/ship-installers.d.ts.map +1 -1
- package/dist/ship-installers.js +19 -4
- package/dist/ship-installers.js.map +1 -1
- package/dist/types.d.ts +24 -6
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts +41 -0
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +154 -15
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts +88 -0
- package/dist/upgrade.d.ts.map +1 -0
- package/dist/upgrade.js +324 -0
- package/dist/upgrade.js.map +1 -0
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +111 -17
- package/templates/.claude/skills/dxkit-config/SKILL.md +7 -7
- package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +8 -8
- package/templates/.claude/skills/dxkit-init/SKILL.md +3 -3
- package/templates/.claude/skills/dxkit-learn/SKILL.md +9 -9
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +274 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +18 -18
- package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
- package/templates/.devcontainer/devcontainer.json +6 -15
- package/templates/.devcontainer/post-create.sh +19 -4
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
|
@@ -0,0 +1,179 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Baseline mode resolution — single source of truth for picking
|
|
4
|
+
* between `committed-full`, `committed-sanitized`, and `ref-based`.
|
|
5
|
+
*
|
|
6
|
+
* # The three modes
|
|
7
|
+
*
|
|
8
|
+
* - **`committed-full`** — Rich entries committed to git under
|
|
9
|
+
* `.dxkit/baselines/<name>.json`. The default behavior dxkit
|
|
10
|
+
* has had since baselines existed. Best for private repos with
|
|
11
|
+
* small teams; the human-readable locator fields make `baseline
|
|
12
|
+
* show` and block-time hints maximally useful.
|
|
13
|
+
*
|
|
14
|
+
* - **`committed-sanitized`** — The file is still committed, but
|
|
15
|
+
* every entry is stripped to `{ id, kind, sanitized: true }`
|
|
16
|
+
* before write (see `./sanitize.ts`). The cross-run matching
|
|
17
|
+
* contract is preserved (identity fingerprints are unchanged);
|
|
18
|
+
* human-readable locators are gone. Best for compliance-
|
|
19
|
+
* conscious private repos where broad internal read access
|
|
20
|
+
* makes location disclosures material.
|
|
21
|
+
*
|
|
22
|
+
* - **`ref-based`** — No baseline file is committed. The prior
|
|
23
|
+
* side of the guardrail diff is computed at check time from a
|
|
24
|
+
* git ref (default: `origin/<default-branch>`) via
|
|
25
|
+
* `git worktree add`. Zero disclosure surface; best for public
|
|
26
|
+
* repos. Cost is a longer check (gather runs twice — once
|
|
27
|
+
* against the ref, once against HEAD).
|
|
28
|
+
*
|
|
29
|
+
* # Resolution precedence
|
|
30
|
+
*
|
|
31
|
+
* 1. **CLI flag** — `--mode=<X>` (and `--ref=<R>`). Highest
|
|
32
|
+
* precedence. Overrides everything else.
|
|
33
|
+
* 2. **Policy file** — `baseline.mode` / `baseline.ref` in
|
|
34
|
+
* `.dxkit/policy.json`. Pins the choice repo-wide so every
|
|
35
|
+
* developer + every CI job uses the same posture.
|
|
36
|
+
* 3. **Visibility-derived default** — probes
|
|
37
|
+
* `gh repo view --json visibility` (see `./visibility.ts`)
|
|
38
|
+
* and picks:
|
|
39
|
+
* - `'public'` → `ref-based`
|
|
40
|
+
* - `'private'` / `'internal'` → `committed-full`
|
|
41
|
+
* - `'unknown'` → `committed-full` (safe default + warning)
|
|
42
|
+
*
|
|
43
|
+
* `committed-sanitized` is never auto-picked. It's the explicit
|
|
44
|
+
* opt-in for compliance-conscious private repos. The reasoning:
|
|
45
|
+
*
|
|
46
|
+
* - For public repos, sanitized-in-git is strictly worse than
|
|
47
|
+
* ref-based — you're still committing the fingerprint set,
|
|
48
|
+
* and ref-based gives the same matching contract without
|
|
49
|
+
* storing anything.
|
|
50
|
+
* - For typical private repos with small teams, full content
|
|
51
|
+
* is more useful.
|
|
52
|
+
*
|
|
53
|
+
* So sanitized lives between those two extremes and customers
|
|
54
|
+
* opt in via `policy.json` or `--mode=committed-sanitized`.
|
|
55
|
+
*
|
|
56
|
+
* # Why one resolver
|
|
57
|
+
*
|
|
58
|
+
* Every consumer (the `baseline create` orchestrator, the
|
|
59
|
+
* `guardrail check` orchestrator, doctor checks, future modes-
|
|
60
|
+
* aware tooling) calls `resolveBaselineMode` and reads the
|
|
61
|
+
* returned `ResolvedMode`. Scattered `if (visibility === 'public')`
|
|
62
|
+
* branches would drift independently as the rules evolve; this
|
|
63
|
+
* module is the single edit point.
|
|
64
|
+
*
|
|
65
|
+
* Pure module — no I/O of its own. The visibility probe is
|
|
66
|
+
* injectable via `probeVisibility` so tests can simulate every
|
|
67
|
+
* path without going through `execSync('gh ...')`.
|
|
68
|
+
*/
|
|
69
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
70
|
+
exports.BASELINE_MODES = void 0;
|
|
71
|
+
exports.resolveBaselineMode = resolveBaselineMode;
|
|
72
|
+
exports.probeOriginHeadRef = probeOriginHeadRef;
|
|
73
|
+
exports.parseBaselineMode = parseBaselineMode;
|
|
74
|
+
const child_process_1 = require("child_process");
|
|
75
|
+
const visibility_1 = require("./visibility");
|
|
76
|
+
/** Canonical enumeration of the mode strings. Consumers wanting to
|
|
77
|
+
* iterate every mode (CLI flag validation, help text, doctor)
|
|
78
|
+
* import this rather than re-listing the union members. */
|
|
79
|
+
exports.BASELINE_MODES = Object.freeze([
|
|
80
|
+
'committed-full',
|
|
81
|
+
'committed-sanitized',
|
|
82
|
+
'ref-based',
|
|
83
|
+
]);
|
|
84
|
+
/**
|
|
85
|
+
* Resolve the baseline mode for a given run. Pure over its inputs
|
|
86
|
+
* apart from the optional probe functions (which default to
|
|
87
|
+
* `detectRepoVisibility` + `probeOriginHeadRef` and ARE I/O-bound).
|
|
88
|
+
* The returned `ResolvedMode` carries everything callers need to
|
|
89
|
+
* dispatch + log.
|
|
90
|
+
*/
|
|
91
|
+
function resolveBaselineMode(opts) {
|
|
92
|
+
if (opts.cliMode !== undefined) {
|
|
93
|
+
return finalize(opts, opts.cliMode, 'cli');
|
|
94
|
+
}
|
|
95
|
+
if (opts.policyMode !== undefined) {
|
|
96
|
+
return finalize(opts, opts.policyMode, 'policy');
|
|
97
|
+
}
|
|
98
|
+
const probe = opts.probeVisibility ?? visibility_1.detectRepoVisibility;
|
|
99
|
+
const visibility = probe(opts.cwd);
|
|
100
|
+
switch (visibility) {
|
|
101
|
+
case 'public':
|
|
102
|
+
return finalize(opts, 'ref-based', 'auto-public');
|
|
103
|
+
case 'private':
|
|
104
|
+
return finalize(opts, 'committed-full', 'auto-private');
|
|
105
|
+
case 'internal':
|
|
106
|
+
return finalize(opts, 'committed-full', 'auto-internal');
|
|
107
|
+
case 'unknown':
|
|
108
|
+
return finalize(opts, 'committed-full', 'auto-unknown');
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
/**
|
|
112
|
+
* Internal: stamp the explanation + resolve the ref (for ref-based)
|
|
113
|
+
* onto the outcome. Centralized so every code path emits the same
|
|
114
|
+
* shape.
|
|
115
|
+
*/
|
|
116
|
+
function finalize(opts, mode, source) {
|
|
117
|
+
const explanation = explanationFor(mode, source);
|
|
118
|
+
if (mode !== 'ref-based')
|
|
119
|
+
return { mode, source, explanation };
|
|
120
|
+
const ref = resolveRef(opts);
|
|
121
|
+
return { mode, source, explanation, ref };
|
|
122
|
+
}
|
|
123
|
+
function resolveRef(opts) {
|
|
124
|
+
if (opts.cliRef)
|
|
125
|
+
return opts.cliRef;
|
|
126
|
+
if (opts.policyRef)
|
|
127
|
+
return opts.policyRef;
|
|
128
|
+
const probe = opts.probeDefaultRef ?? probeOriginHeadRef;
|
|
129
|
+
return probe(opts.cwd) ?? 'origin/main';
|
|
130
|
+
}
|
|
131
|
+
/**
|
|
132
|
+
* Probe `git symbolic-ref refs/remotes/origin/HEAD` to learn the
|
|
133
|
+
* remote's default branch. Returns `'origin/<branch>'` on success,
|
|
134
|
+
* `undefined` on any failure (no remote, no fetch ever ran, etc.).
|
|
135
|
+
*
|
|
136
|
+
* Public for testing — production callers go through
|
|
137
|
+
* `resolveBaselineMode`'s `opts.probeDefaultRef` injection.
|
|
138
|
+
*/
|
|
139
|
+
function probeOriginHeadRef(cwd) {
|
|
140
|
+
try {
|
|
141
|
+
const out = (0, child_process_1.execSync)('git symbolic-ref refs/remotes/origin/HEAD', {
|
|
142
|
+
cwd,
|
|
143
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
144
|
+
encoding: 'utf-8',
|
|
145
|
+
}).trim();
|
|
146
|
+
// Output shape: "refs/remotes/origin/main" → strip the prefix.
|
|
147
|
+
if (out.startsWith('refs/remotes/'))
|
|
148
|
+
return out.slice('refs/remotes/'.length);
|
|
149
|
+
return undefined;
|
|
150
|
+
}
|
|
151
|
+
catch {
|
|
152
|
+
return undefined;
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
function explanationFor(mode, source) {
|
|
156
|
+
switch (source) {
|
|
157
|
+
case 'cli':
|
|
158
|
+
return `mode=${mode} (--mode flag)`;
|
|
159
|
+
case 'policy':
|
|
160
|
+
return `mode=${mode} (.dxkit/policy.json: baseline.mode)`;
|
|
161
|
+
case 'auto-public':
|
|
162
|
+
return `mode=${mode} (auto: gh detected a public repo)`;
|
|
163
|
+
case 'auto-private':
|
|
164
|
+
return `mode=${mode} (auto: gh detected a private repo)`;
|
|
165
|
+
case 'auto-internal':
|
|
166
|
+
return `mode=${mode} (auto: gh detected an internal repo)`;
|
|
167
|
+
case 'auto-unknown':
|
|
168
|
+
return `mode=${mode} (auto: visibility not detectable via gh; defaulting to private posture)`;
|
|
169
|
+
}
|
|
170
|
+
}
|
|
171
|
+
/**
|
|
172
|
+
* Parse a string into a `BaselineMode`. Returns `null` for unknown
|
|
173
|
+
* values so the CLI surfaces a helpful error including the full
|
|
174
|
+
* accepted list. Used by `--mode=<X>` flag parsing.
|
|
175
|
+
*/
|
|
176
|
+
function parseBaselineMode(raw) {
|
|
177
|
+
return exports.BASELINE_MODES.includes(raw) ? raw : null;
|
|
178
|
+
}
|
|
179
|
+
//# sourceMappingURL=modes.js.map
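Review bot: The `case 'unknown':` arm of `resolveBaselineMode` falls back to `committed-full`, the most disclosing of the three modes, whenever the visibility probe cannot give an answer. The header comment recommends `ref-based` for public repos because it has zero disclosure surface, so a public repo checked on a machine or CI job where the `gh` probe fails would get rich locator entries written for commit. I would fail toward the least-disclosing mode, `return finalize(opts, 'ref-based', 'auto-unknown');`, or require an explicit `--mode` / `baseline.mode` in that case, and update the `auto-unknown` string in `explanationFor`, which currently reads "defaulting to private posture". Separately, `resolveRef` returns `opts.cliRef` and `opts.policyRef` unchecked; if the consumer hands the value to `git worktree add` as the header describes, a ref beginning with `-` should be rejected before it reaches git.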
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"modes.js","sourceRoot":"","sources":["../../src/baseline/modes.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;;;AA4EH,kDAmBC;AA6BD,gDAaC;AAwBD,8CAEC;AAjKD,iDAAyC;AACzC,6CAAoD;AAQpD;;4DAE4D;AAC/C,QAAA,cAAc,GAAgC,MAAM,CAAC,MAAM,CAAC;IACvE,gBAAgB;IAChB,qBAAqB;IACrB,WAAW;CACZ,CAAC,CAAC;AAmDH;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAwB;IAC1D,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,IAAI,iCAAoB,CAAC;IAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;QACpD,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;QAC1D,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,eAAe,CAAC,CAAC;QAC3D,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,IAAwB,EAAE,IAAkB,EAAE,MAAkB;IAChF,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACjD,IAAI,IAAI,KAAK,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC/D,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,UAAU,CAAC,IAAwB;IAC1C,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,MAAM,CAAC;IACpC,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,IAAI,kBAAkB,CAAC;IACzD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,2CAA2C,EAAE;YAChE,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,+DAA+D;QAC/D,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAC9E
,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAkB,EAAE,MAAkB;IAC5D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,KAAK;YACR,OAAO,QAAQ,IAAI,gBAAgB,CAAC;QACtC,KAAK,QAAQ;YACX,OAAO,QAAQ,IAAI,sCAAsC,CAAC;QAC5D,KAAK,aAAa;YAChB,OAAO,QAAQ,IAAI,oCAAoC,CAAC;QAC1D,KAAK,cAAc;YACjB,OAAO,QAAQ,IAAI,qCAAqC,CAAC;QAC3D,KAAK,eAAe;YAClB,OAAO,QAAQ,IAAI,uCAAuC,CAAC;QAC7D,KAAK,cAAc;YACjB,OAAO,QAAQ,IAAI,0EAA0E,CAAC;IAClG,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,OAAQ,sBAAwC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,GAAoB,CAAC,CAAC,CAAC,IAAI,CAAC;AAChG,CAAC"}
|
|
@@ -22,7 +22,31 @@
|
|
|
22
22
|
* Phase 3's baseline-metadata work can light them up incrementally
|
|
23
23
|
* without re-shaping consumer code.
|
|
24
24
|
*/
|
|
25
|
+
import type { BaselineMode } from './modes';
|
|
25
26
|
import type { FindingSeverity, FindingStatus, MatchPair, MatchReason } from './types';
|
|
27
|
+
/**
|
|
28
|
+
* Optional `baseline.*` block in `.dxkit/policy.json`. Pins the
|
|
29
|
+
* mode + (when ref-based) the comparison ref repo-wide so every
|
|
30
|
+
* developer + every CI job uses the same posture. Both fields are
|
|
31
|
+
* optional; when absent the resolver in `./modes.ts` falls back to
|
|
32
|
+
* visibility-derived defaults.
|
|
33
|
+
*
|
|
34
|
+
* Schema example:
|
|
35
|
+
*
|
|
36
|
+
* {
|
|
37
|
+
* "baseline": {
|
|
38
|
+
* "mode": "ref-based",
|
|
39
|
+
* "ref": "origin/main"
|
|
40
|
+
* }
|
|
41
|
+
* }
|
|
42
|
+
*/
|
|
43
|
+
export interface BaselineSection {
|
|
44
|
+
readonly mode?: BaselineMode;
|
|
45
|
+
/** Git ref to compare against in `ref-based` mode. When absent,
|
|
46
|
+
* the resolver probes `origin/HEAD` and falls back to
|
|
47
|
+
* `'origin/main'`. */
|
|
48
|
+
readonly ref?: string;
|
|
49
|
+
}
|
|
26
50
|
/**
|
|
27
51
|
* Per-finding-kind overrides that escalate specific guardrail rules
|
|
28
52
|
* beyond the generic `block` / `warn` lists. Each rule maps to a
|
|
@@ -87,6 +111,21 @@ export interface BrownfieldPolicy {
|
|
|
87
111
|
* diff overlap) via `.dxkit/policy.json`.
|
|
88
112
|
*/
|
|
89
113
|
readonly addedRequiresChangedLines: ReadonlyArray<string>;
|
|
114
|
+
/**
|
|
115
|
+
* Baseline-mode pinning. When absent, the resolver in `./modes.ts`
|
|
116
|
+
* falls back to visibility-derived defaults
|
|
117
|
+
* (`'public'` → `ref-based`; `'private'` / `'internal'` /
|
|
118
|
+
* `'unknown'` → `committed-full`). Customers pin this to lock the
|
|
119
|
+
* posture across all developers + CI jobs:
|
|
120
|
+
*
|
|
121
|
+
* - `'committed-full'`: rich entries committed (default for
|
|
122
|
+
* private repos with small teams).
|
|
123
|
+
* - `'committed-sanitized'`: stripped entries committed
|
|
124
|
+
* (compliance-conscious private repos).
|
|
125
|
+
* - `'ref-based'`: no committed baseline; computed from a git
|
|
126
|
+
* ref at check time (default for public repos).
|
|
127
|
+
*/
|
|
128
|
+
readonly baseline?: BaselineSection;
|
|
90
129
|
}
|
|
91
130
|
/**
|
|
92
131
|
* Default brownfield policy. Captures the conservative posture from
|
|
@@ -168,4 +207,29 @@ export declare function classify(pair: MatchPair, policy?: BrownfieldPolicy, con
|
|
|
168
207
|
* envelope to fill in the fields the classifier reads.
|
|
169
208
|
*/
|
|
170
209
|
export declare function classifyAll(pairs: ReadonlyArray<MatchPair>, policy?: BrownfieldPolicy, contextFor?: (pair: MatchPair) => ClassifyContext): ReadonlyArray<ClassifyResult>;
|
|
210
|
+
/** Conventional location for a per-repo brownfield policy. Loaded
|
|
211
|
+
* automatically by `resolvePolicy` when present. */
|
|
212
|
+
export declare const DEFAULT_POLICY_FILENAME: string;
|
|
213
|
+
/**
|
|
214
|
+
* Load a brownfield policy with the three-step resolution order
|
|
215
|
+
* shared by `createBaseline` and `runGuardrailCheck`:
|
|
216
|
+
*
|
|
217
|
+
* 1. `policyPath` (explicit `--policy <p>` flag). Errors if the
|
|
218
|
+
* path is supplied but unreadable / malformed.
|
|
219
|
+
* 2. `<cwd>/.dxkit/policy.json` (conventional). Silently skipped
|
|
220
|
+
* when absent so consumers without a policy get the defaults.
|
|
221
|
+
* 3. `DEFAULT_BROWNFIELD_POLICY` (compiled-in fallback).
|
|
222
|
+
*
|
|
223
|
+
* Customer fields shallow-merge over the default. The
|
|
224
|
+
* `confidence` / `blockRules` blocks deep-merge by key. Unknown
|
|
225
|
+
* fields are preserved — the classifier ignores what it doesn't
|
|
226
|
+
* know, so forward-compatible policy files don't break old dxkit.
|
|
227
|
+
*/
|
|
228
|
+
export declare function resolvePolicy(policyPath: string | undefined, cwd: string): BrownfieldPolicy;
|
|
229
|
+
/**
|
|
230
|
+
* Convenience wrapper for callers that don't take a `--policy`
|
|
231
|
+
* override (e.g., `createBaseline`). Loads the conventional file if
|
|
232
|
+
* present; returns defaults otherwise.
|
|
233
|
+
*/
|
|
234
|
+
export declare function loadPolicyFromCwd(cwd: string): BrownfieldPolicy;
|
|
171
235
|
//# sourceMappingURL=policy.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC;IAC7B;;2BAEuB;IACvB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,kEAAkE;IAClE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IACvC,iEAAiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,oEAAoE;IACpE,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,CAAC;IACtD,mEAAmE;IACnE,QAAQ,CAAC,uCAAuC,CAAC,EAAE,OAAO,CAAC;IAC3D,qEAAqE;IACrE,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,mCAAmC,CAAC,EAAE,OAAO,CAAC;CACxD;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC7C,mDAAmD;IACnD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC5C;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/D,uCAAuC;IACvC,QAAQ,CAAC,UAAU,EAAE,oBAAoB,CAAC;IAC1C;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,QAAQ,CAAC,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1D;;;;;;;;;;;;;OAaG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;CACrC;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yBAAyB,EAAE,gBA0BtC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,sEAAsE;IACtE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;uEAEmE;IACnE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;yEACqE;IACrE,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;yDAGqD;IACrD,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,mDAAmD;AACnD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAC/B;wCACoC;IACpC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;kDAC8C;IAC9C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC
;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,QAAQ,CACtB,IAAI,EAAE,SAAS,EACf,MAAM,GAAE,gBAA4C,EACpD,OAAO,GAAE,eAAoB,GAC5B,cAAc,CAmEhB;AA0DD;;;;;;;GAOG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAC/B,MAAM,GAAE,gBAA4C,EACpD,UAAU,GAAE,CAAC,IAAI,EAAE,SAAS,KAAK,eAA4B,GAC5D,aAAa,CAAC,cAAc,CAAC,CAE/B;AAED;qDACqD;AACrD,eAAO,MAAM,uBAAuB,QAAqC,CAAC;AAE1E;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAkC3F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAE/D"}
|
package/dist/baseline/policy.js
CHANGED
|
@@ -23,10 +23,47 @@
|
|
|
23
23
|
* Phase 3's baseline-metadata work can light them up incrementally
|
|
24
24
|
* without re-shaping consumer code.
|
|
25
25
|
*/
|
|
26
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
27
|
+
if (k2 === undefined) k2 = k;
|
|
28
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
29
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
30
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
31
|
+
}
|
|
32
|
+
Object.defineProperty(o, k2, desc);
|
|
33
|
+
}) : (function(o, m, k, k2) {
|
|
34
|
+
if (k2 === undefined) k2 = k;
|
|
35
|
+
o[k2] = m[k];
|
|
36
|
+
}));
|
|
37
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
38
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
39
|
+
}) : function(o, v) {
|
|
40
|
+
o["default"] = v;
|
|
41
|
+
});
|
|
42
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
43
|
+
var ownKeys = function(o) {
|
|
44
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
45
|
+
var ar = [];
|
|
46
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
47
|
+
return ar;
|
|
48
|
+
};
|
|
49
|
+
return ownKeys(o);
|
|
50
|
+
};
|
|
51
|
+
return function (mod) {
|
|
52
|
+
if (mod && mod.__esModule) return mod;
|
|
53
|
+
var result = {};
|
|
54
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
55
|
+
__setModuleDefault(result, mod);
|
|
56
|
+
return result;
|
|
57
|
+
};
|
|
58
|
+
})();
|
|
26
59
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
27
|
-
exports.DEFAULT_BROWNFIELD_POLICY = void 0;
|
|
60
|
+
exports.DEFAULT_POLICY_FILENAME = exports.DEFAULT_BROWNFIELD_POLICY = void 0;
|
|
28
61
|
exports.classify = classify;
|
|
29
62
|
exports.classifyAll = classifyAll;
|
|
63
|
+
exports.resolvePolicy = resolvePolicy;
|
|
64
|
+
exports.loadPolicyFromCwd = loadPolicyFromCwd;
|
|
65
|
+
const fs = __importStar(require("fs"));
|
|
66
|
+
const path = __importStar(require("path"));
|
|
30
67
|
/**
|
|
31
68
|
* Default brownfield policy. Captures the conservative posture from
|
|
32
69
|
* the agentic-brownfield strategy: block only on high-confidence new
|
|
@@ -203,4 +240,68 @@ function evaluateBlockRules(status, rules, context) {
|
|
|
203
240
|
function classifyAll(pairs, policy = exports.DEFAULT_BROWNFIELD_POLICY, contextFor = () => ({})) {
|
|
204
241
|
return pairs.map((pair) => classify(pair, policy, contextFor(pair)));
|
|
205
242
|
}
|
|
243
|
+
/** Conventional location for a per-repo brownfield policy. Loaded
|
|
244
|
+
* automatically by `resolvePolicy` when present. */
|
|
245
|
+
exports.DEFAULT_POLICY_FILENAME = path.join('.dxkit', 'policy.json');
|
|
246
|
+
/**
|
|
247
|
+
* Load a brownfield policy with the three-step resolution order
|
|
248
|
+
* shared by `createBaseline` and `runGuardrailCheck`:
|
|
249
|
+
*
|
|
250
|
+
* 1. `policyPath` (explicit `--policy <p>` flag). Errors if the
|
|
251
|
+
* path is supplied but unreadable / malformed.
|
|
252
|
+
* 2. `<cwd>/.dxkit/policy.json` (conventional). Silently skipped
|
|
253
|
+
* when absent so consumers without a policy get the defaults.
|
|
254
|
+
* 3. `DEFAULT_BROWNFIELD_POLICY` (compiled-in fallback).
|
|
255
|
+
*
|
|
256
|
+
* Customer fields shallow-merge over the default. The
|
|
257
|
+
* `confidence` / `blockRules` blocks deep-merge by key. Unknown
|
|
258
|
+
* fields are preserved — the classifier ignores what it doesn't
|
|
259
|
+
* know, so forward-compatible policy files don't break old dxkit.
|
|
260
|
+
*/
|
|
261
|
+
function resolvePolicy(policyPath, cwd) {
|
|
262
|
+
let resolvedPath = policyPath;
|
|
263
|
+
if (!resolvedPath) {
|
|
264
|
+
const conventional = path.join(cwd, exports.DEFAULT_POLICY_FILENAME);
|
|
265
|
+
if (fs.existsSync(conventional))
|
|
266
|
+
resolvedPath = conventional;
|
|
267
|
+
}
|
|
268
|
+
if (!resolvedPath)
|
|
269
|
+
return exports.DEFAULT_BROWNFIELD_POLICY;
|
|
270
|
+
let raw;
|
|
271
|
+
try {
|
|
272
|
+
raw = fs.readFileSync(resolvedPath, 'utf8');
|
|
273
|
+
}
|
|
274
|
+
catch (err) {
|
|
275
|
+
throw new Error(`policy file not readable: ${resolvedPath} (${err.message})`);
|
|
276
|
+
}
|
|
277
|
+
let parsed;
|
|
278
|
+
try {
|
|
279
|
+
parsed = JSON.parse(raw);
|
|
280
|
+
}
|
|
281
|
+
catch (err) {
|
|
282
|
+
throw new Error(`policy file is not valid JSON: ${resolvedPath} (${err.message})`);
|
|
283
|
+
}
|
|
284
|
+
if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
|
|
285
|
+
throw new Error(`policy file root is not an object: ${resolvedPath}`);
|
|
286
|
+
}
|
|
287
|
+
const obj = parsed;
|
|
288
|
+
return {
|
|
289
|
+
...exports.DEFAULT_BROWNFIELD_POLICY,
|
|
290
|
+
...obj,
|
|
291
|
+
confidence: { ...exports.DEFAULT_BROWNFIELD_POLICY.confidence, ...(obj.confidence ?? {}) },
|
|
292
|
+
blockRules: { ...exports.DEFAULT_BROWNFIELD_POLICY.blockRules, ...(obj.blockRules ?? {}) },
|
|
293
|
+
block: obj.block ?? exports.DEFAULT_BROWNFIELD_POLICY.block,
|
|
294
|
+
warn: obj.warn ?? exports.DEFAULT_BROWNFIELD_POLICY.warn,
|
|
295
|
+
addedRequiresChangedLines: obj.addedRequiresChangedLines ?? exports.DEFAULT_BROWNFIELD_POLICY.addedRequiresChangedLines,
|
|
296
|
+
mode: 'brownfield',
|
|
297
|
+
};
|
|
298
|
+
}
|
|
299
|
+
/**
|
|
300
|
+
* Convenience wrapper for callers that don't take a `--policy`
|
|
301
|
+
* override (e.g., `createBaseline`). Loads the conventional file if
|
|
302
|
+
* present; returns defaults otherwise.
|
|
303
|
+
*/
|
|
304
|
+
function loadPolicyFromCwd(cwd) {
|
|
305
|
+
return resolvePolicy(undefined, cwd);
|
|
306
|
+
}
|
|
206
307
|
//# sourceMappingURL=policy.js.map
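Review bot: `resolvePolicy` checks only that the JSON root is an object, so `block`, `warn`, `addedRequiresChangedLines`, `confidence` and `blockRules` reach the merged policy with whatever type the file gives them. Step 2 reads `.dxkit/policy.json` from the working tree being checked and falls back silently when it is absent, so a malformed or loosened policy changes what blocks without any signal. Checking each of those fields against the type of its compiled-in default before the merge, and logging which path was loaded, would make that visible. The whole function is inside this hunk.

```javascript
    const obj = parsed;
    // Reject a field whose JSON type differs from the compiled-in default's.
    for (const key of ['confidence', 'blockRules', 'block', 'warn', 'addedRequiresChangedLines']) {
        const given = obj[key];
        if (given === undefined || given === null)
            continue;
        const expected = exports.DEFAULT_BROWNFIELD_POLICY[key];
        if (typeof given !== typeof expected || Array.isArray(given) !== Array.isArray(expected)) {
            throw new Error(`policy file field "${key}" has the wrong type: ${resolvedPath}`);
        }
    }
    // … unchanged: merge over DEFAULT_BROWNFIELD_POLICY and return …
```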
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAoNH,4BAuEC;AAkED,kCAMC;AAqBD,sCAkCC;AAOD,8CAEC;AAjaD,uCAAyB;AACzB,2CAA6B;AA8G7B;;;;;;;;;;;GAWG;AACU,QAAA,yBAAyB,GAAqB,MAAM,CAAC,MAAM,CAAC;IACvE,IAAI,EAAE,YAAY;IAClB,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAiC,CAAC;IAC/D,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;QAClB,mBAAmB;QACnB,gBAAgB;QAChB,eAAe;QACf,cAAc;QACd,WAAW;KACoB,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC;QACxB,QAAQ,EAAE,IAAI;QACd,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,IAAI;QACZ,GAAG,EAAE,GAAG;KACT,CAAC;IACF,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC;QACxB,SAAS,EAAE,IAAI;QACf,mBAAmB,EAAE,IAAI;QACzB,eAAe,EAAE,IAAI;QACrB,kCAAkC,EAAE,IAAI;QACxC,uCAAuC,EAAE,IAAI;QAC7C,wBAAwB,EAAE,IAAI;QAC9B,mCAAmC,EAAE,IAAI;KAC1C,CAAC;IACF,yBAAyB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;CAC9D,CAAC,CAAC;AA0CH;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,QAAQ,CACtB,IAAe,EACf,SAA2B,iCAAyB,EACpD,UAA2B,EAAE;IAE7B,IAAI,MAAM,GAAkB,IAAI,CAAC,MAAM,CAAC;IACxC,MAAM,OAAO,GAAkB,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;IAEjD,gDAAgD;IAChD,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,IAAI,OAAO,CAAC,qBAAqB,EAAE,CAAC;YAClC,MAAM,GAAG,eAAe,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,eAAe;gBACrB,MAAM,EAAE,qDAAqD;aAC9D,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YACjC,MAAM,GAAG,cAAc,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,cAAc;gBACpB,MAAM,EAAE,mDAAmD;aAC5D,CAAC,CAAC;QACL,CAAC;aAAM,IACL,OAAO,CAAC,IAAI;YACZ,MAAM,CAAC,yBAAyB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC;YACvD,OAAO,CAAC,oBAAoB,KAAK,KAAK,EACtC,CAAC;YACD,2DAA2D;YAC3D,yDAAyD;YACzD,yDAAyD;YACzD,6DAA6D;YAC7D,4DAA4D;YAC5D,yBAAyB;YACzB,MAAM,GAAG,WAAW,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,iBAAiB;gBACvB,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,8HAA8H;aACtJ,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,IAAI,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;QACrD,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ;YAChC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC;YACrC,C
AAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;QAClD,IAAI,IAAI,CAAC,UAAU,GAAG,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,gBAAgB;gBACtB,MAAM,EACJ,oBAAoB,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,oBAAoB,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE;oBACxF,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,iBAAiB,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChE,CAAC,CAAC;YACH,MAAM,GAAG,WAAW,CAAC;QACvB,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,MAAM,YAAY,GAAG,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC5E,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,4BAA4B,YAAY,EAAE;SACnD,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,MAAM,GAAG,YAAY,KAAK,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtE,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAE3C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,kBAAkB,CACzB,MAAqB,EACrB,KAA2B,EAC3B,OAAwB;IAExB,IAAI,MAAM,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,KAAK,CAAC,SAAS,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,WAAW,CAAC;IACrE,IAAI,KAAK,CAAC,mBAAmB,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QAC5F,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IACD,IAAI,KAAK,CAAC,eAAe,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACpF,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IACD,IACE,KAAK,CAAC,kCAAkC;QACxC,OAAO,CAAC,IAAI,KAAK,UAAU;QAC3B,OAAO,CAAC,QAAQ,KAAK,UAAU,EAC/B,CAAC;QACD,OAAO,oCAAoC,CAAC;IAC9C,CAAC;IACD,IACE,KAAK,CAAC,uCAAuC;QAC7C,OAAO,CAAC,IAAI,KAAK,UAAU;QAC3B,OAAO,CAAC,QAAQ,KAAK,MAAM;QAC3B,OAAO,CAAC,SAAS,KAAK,IAAI,EAC1B,CAAC;QACD,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,IACE,KAAK,CAAC,wBAAwB;QAC9B,OAAO,CAAC,IAAI,KAAK,UAAU;QAC3B,OAAO,CAAC,oBAAoB,KAAK,IAAI,EACrC,CAAC;QACD,OAAO,0BAA0B,CAAC;IACpC,CAAC;IACD,IACE,KAAK,CAAC,mCAAmC;QACzC,CAAC,OAAO,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC;QACvD,CAAC,OAAO,CAAC,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC;QAChE,OAAO,CAAC,oBAAoB,KAAK,IAAI,EACrC,CAAC;QAC
D,OAAO,qCAAqC,CAAC;IAC/C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,WAAW,CACzB,KAA+B,EAC/B,SAA2B,iCAAyB,EACpD,aAAmD,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;IAE7D,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACvE,CAAC;AAED;qDACqD;AACxC,QAAA,uBAAuB,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;AAE1E;;;;;;;;;;;;;;GAcG;AACH,SAAgB,aAAa,CAAC,UAA8B,EAAE,GAAW;IACvE,IAAI,YAAY,GAAuB,UAAU,CAAC;IAClD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,+BAAuB,CAAC,CAAC;QAC7D,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,YAAY,GAAG,YAAY,CAAC;IAC/D,CAAC;IACD,IAAI,CAAC,YAAY;QAAE,OAAO,iCAAyB,CAAC;IACpD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,6BAA6B,YAAY,KAAM,GAAa,CAAC,OAAO,GAAG,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,kCAAkC,YAAY,KAAM,GAAa,CAAC,OAAO,GAAG,CAAC,CAAC;IAChG,CAAC;IACD,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,sCAAsC,YAAY,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,GAAG,GAAG,MAAmC,CAAC;IAChD,OAAO;QACL,GAAG,iCAAyB;QAC5B,GAAG,GAAG;QACN,UAAU,EAAE,EAAE,GAAG,iCAAyB,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE;QAClF,UAAU,EAAE,EAAE,GAAG,iCAAyB,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,EAAE;QAClF,KAAK,EAAE,GAAG,CAAC,KAAK,IAAI,iCAAyB,CAAC,KAAK;QACnD,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,iCAAyB,CAAC,IAAI;QAChD,yBAAyB,EACvB,GAAG,CAAC,yBAAyB,IAAI,iCAAyB,CAAC,yBAAyB;QACtF,IAAI,EAAE,YAAY;KACnB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,OAAO,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACvC,CAAC"}
|
|
@@ -14,7 +14,7 @@
|
|
|
14
14
|
* two in sync ensures the per-file identity set sums to the
|
|
15
15
|
* aggregate count.
|
|
16
16
|
*/
|
|
17
|
-
import type {
|
|
17
|
+
import type { RichBaselineEntry } from '../types';
|
|
18
18
|
import type { HealthMetrics } from '../../analyzers/types';
|
|
19
19
|
/** Canonical large-file threshold — file is "too large" at strictly
|
|
20
20
|
* more than this many lines. Mirror of the constant the generic-
|
|
@@ -26,5 +26,5 @@ export declare const LARGE_FILE_THRESHOLD_LINES = 500;
|
|
|
26
26
|
* Files with `lines <= threshold` are skipped so the identity set
|
|
27
27
|
* matches the user-facing aggregate count.
|
|
28
28
|
*/
|
|
29
|
-
export declare function largeFilesToBaselineEntries(metrics: HealthMetrics):
|
|
29
|
+
export declare function largeFilesToBaselineEntries(metrics: HealthMetrics): RichBaselineEntry[];
|
|
30
30
|
//# sourceMappingURL=health.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/health.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,
|
|
1
|
+
{"version":3,"file":"health.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/health.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAA0B,MAAM,UAAU,CAAC;AAC1E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAE3D;;;uDAGuD;AACvD,eAAO,MAAM,0BAA0B,MAAM,CAAC;AAE9C;;;;GAIG;AACH,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,aAAa,GAAG,iBAAiB,EAAE,CAQvF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"health.js","sourceRoot":"","sources":["../../../src/baseline/producers/health.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAiBH,kEAQC;AAvBD,0DAAkD;AAIlD;;;uDAGuD;AAC1C,QAAA,0BAA0B,GAAG,GAAG,CAAC;AAE9C;;;;GAIG;AACH,SAAgB,2BAA2B,CAAC,OAAsB;IAChE,MAAM,GAAG,
|
|
1
|
+
{"version":3,"file":"health.js","sourceRoot":"","sources":["../../../src/baseline/producers/health.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAiBH,kEAQC;AAvBD,0DAAkD;AAIlD;;;uDAGuD;AAC1C,QAAA,0BAA0B,GAAG,GAAG,CAAC;AAE9C;;;;GAIG;AACH,SAAgB,2BAA2B,CAAC,OAAsB;IAChE,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACrC,IAAI,CAAC,CAAC,KAAK,IAAI,kCAA0B;YAAE,SAAS;QACpD,MAAM,KAAK,GAA2B,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3E,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -52,7 +52,8 @@
|
|
|
52
52
|
import type { GitleaksRawSecret } from '../../analyzers/tools/gitleaks';
|
|
53
53
|
import type { AnalysisResult } from '../../analysis-result';
|
|
54
54
|
import type { TestGapsReport } from '../../analyzers/tests/types';
|
|
55
|
-
import type {
|
|
55
|
+
import type { InlineAllowlistOccurrence } from '../../allowlist/gather';
|
|
56
|
+
import type { BaselineEntry, RichBaselineEntry } from '../types';
|
|
56
57
|
/** Every discriminant value the `BaselineEntry` union takes. Mirror
|
|
57
58
|
* of `IdentityInput['kind']` — kept as a separate alias because the
|
|
58
59
|
* registry contract speaks in terms of stored entries, not the
|
|
@@ -101,6 +102,10 @@ export interface ProducerContext {
|
|
|
101
102
|
/** Raw secrets gitleaks captured (process-only; never written to
|
|
102
103
|
* disk; consumed by the secret-HMAC producer). */
|
|
103
104
|
readonly rawSecrets: ReadonlyArray<GitleaksRawSecret>;
|
|
105
|
+
/** Inline `dxkit-allow:` annotations gathered from source files.
|
|
106
|
+
* Consumed by the stale-allow producer to detect orphaned
|
|
107
|
+
* annotations whose underlying finding is gone. */
|
|
108
|
+
readonly inlineAllowlistAnnotations: ReadonlyArray<InlineAllowlistOccurrence>;
|
|
104
109
|
}
|
|
105
110
|
/**
|
|
106
111
|
* The registry entry shape. A producer self-describes the kinds it
|
|
@@ -114,11 +119,12 @@ export interface BaselineProducer {
|
|
|
114
119
|
* the union across every producer and asserts it covers every
|
|
115
120
|
* `IdentityKind` value not in `DEFERRED_KINDS`. */
|
|
116
121
|
readonly contributes: ReadonlyArray<IdentityKind>;
|
|
117
|
-
/** Build `
|
|
122
|
+
/** Build `RichBaselineEntry`s from the shared context. Producers
|
|
118
123
|
* emit ZERO entries when their upstream data is missing
|
|
119
124
|
* (analyzer didn't run, envelope absent, etc.) — never throw
|
|
120
|
-
* for missing inputs.
|
|
121
|
-
|
|
125
|
+
* for missing inputs. Producers always emit the rich shape;
|
|
126
|
+
* sanitization is applied at the write boundary, not here. */
|
|
127
|
+
readonly produce: (ctx: ProducerContext) => RichBaselineEntry[];
|
|
122
128
|
}
|
|
123
129
|
/**
|
|
124
130
|
* Identity kinds declared in `IdentityInput` but not yet wired by
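Review bot: The new `produce` contract returns `RichBaselineEntry[]` and defers sanitization to "the write boundary", but nothing in this declaration stops a caller from serialising the result of `produce` or `runProducers` directly. Whether the rich shape carries fields that must stay off disk is not visible here, though `rawSecrets` on `ProducerContext` is documented as process-only. The comment should therefore name the sanitizing step, for example `Callers must pass entries through <sanitizer> before writing; a RichBaselineEntry is never serialised as-is.` with the real function name in place of the placeholder. The `BaselineProducer` interface starts above this hunk.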
|
|
@@ -154,7 +160,7 @@ export declare const PRODUCERS: ReadonlyArray<BaselineProducer>;
|
|
|
154
160
|
* for production use; the playbook test calls it with an extended
|
|
155
161
|
* list to verify synthetic producers flow through.
|
|
156
162
|
*/
|
|
157
|
-
export declare function runProducers(ctx: ProducerContext, producers?: ReadonlyArray<BaselineProducer>):
|
|
163
|
+
export declare function runProducers(ctx: ProducerContext, producers?: ReadonlyArray<BaselineProducer>): RichBaselineEntry[];
|
|
158
164
|
/**
|
|
159
165
|
* Every kind currently contributed by some producer in `producers`.
|
|
160
166
|
* Convenience used by the contract test + by the orchestrator for
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACxE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AACxE,OAAO,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAQjE;;;8BAG8B;AAC9B,MAAM,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;AAEjD;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC3C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;CAClC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,eAAe;IAC9B,0BAA0B;IAC1B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB;;yCAEqC;IACrC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;wCACoC;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;kDAC8C;IAC9C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC;;qBAEiB;IACjB,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,oEAAoE;IACpE,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC;uDACmD;IACnD,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACtD;;wDAEoD;IACpD,QAAQ,CAAC,0BAA0B,EAAE,aAAa,CAAC,yBAAyB,CAAC,CAAC;CAC/E;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B;4DACwD;IACxD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;wDAEoD;IACpD,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IAClD;;;;mEAI+D;IAC/D,QAAQ,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,eAAe,KAAK,iBAAiB,EAAE,CAAC;CACjE;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc,EAAE,QAAQ,CACnC,MAAM,CAAC,MAAM,EAAE;IAAE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAAC,CA2B1E,CAAC;AAoEH;;;;;;;;GAQG;AACH,eAAO,MAAM,SAAS,EAAE,aAAa,CAAC,gBAAgB,CAOpD,CAAC;AAEH;;;;;GAKG;AACH,wBAAgB,YAAY,CAC1B,GAAG,EAAE,eAAe,EACpB,SAAS,GAAE,aAAa,CAAC,gBAAgB,CAAa,GACrD,iBAAiB,EAAE,CAMrB;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CACxB,SAAS,GAAE,aAAa,CAAC,gBAAgB,CAAa,GACrD,WAAW,CAAC,YAAY,CAAC,CAI3B"}
|
|
@@ -55,10 +55,10 @@ exports.PRODUCERS = exports.DEFERRED_KINDS = void 0;
|
|
|
55
55
|
exports.runProducers = runProducers;
|
|
56
56
|
exports.wiredKinds = wiredKinds;
|
|
57
57
|
const health_1 = require("./health");
|
|
58
|
-
const licenses_1 = require("./licenses");
|
|
59
58
|
const quality_1 = require("./quality");
|
|
60
59
|
const secret_hmac_1 = require("./secret-hmac");
|
|
61
60
|
const security_1 = require("./security");
|
|
61
|
+
const stale_allow_1 = require("./stale-allow");
|
|
62
62
|
const tests_1 = require("./tests");
|
|
63
63
|
/**
|
|
64
64
|
* Identity kinds declared in `IdentityInput` but not yet wired by
|
|
@@ -141,13 +141,6 @@ const HEALTH_PRODUCER = {
|
|
|
141
141
|
return (0, health_1.largeFilesToBaselineEntries)(ctx.analysisResult.metrics);
|
|
142
142
|
},
|
|
143
143
|
};
|
|
144
|
-
const LICENSES_PRODUCER = {
|
|
145
|
-
name: 'licenses',
|
|
146
|
-
contributes: ['license'],
|
|
147
|
-
produce(ctx) {
|
|
148
|
-
return (0, licenses_1.licensesToBaselineEntries)(ctx.analysisResult.capabilities.licenses);
|
|
149
|
-
},
|
|
150
|
-
};
|
|
151
144
|
const TESTS_PRODUCER = {
|
|
152
145
|
name: 'tests',
|
|
153
146
|
contributes: ['test-gap', 'test-file-degradation'],
|
|
@@ -155,6 +148,16 @@ const TESTS_PRODUCER = {
|
|
|
155
148
|
return (0, tests_1.testGapsToBaselineEntries)(ctx.testGapsReport);
|
|
156
149
|
},
|
|
157
150
|
};
|
|
151
|
+
const STALE_ALLOW_PRODUCER = {
|
|
152
|
+
name: 'stale-allow',
|
|
153
|
+
contributes: ['stale-allow'],
|
|
154
|
+
produce(ctx) {
|
|
155
|
+
return (0, stale_allow_1.staleAllowToBaselineEntries)({
|
|
156
|
+
annotations: ctx.inlineAllowlistAnnotations,
|
|
157
|
+
aggregate: ctx.analysisResult.capabilities.securityAggregate ?? null,
|
|
158
|
+
});
|
|
159
|
+
},
|
|
160
|
+
};
|
|
158
161
|
/**
|
|
159
162
|
* The canonical producer list. Order is preserved in baseline-file
|
|
160
163
|
* output for deterministic diffs; adding a new producer appends
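Review bot: `STALE_ALLOW_PRODUCER.produce` passes `aggregate: … ?? null` when `securityAggregate` is missing, so what happens when the security analyzer did not run is decided inside `staleAllowToBaselineEntries`, which this hunk does not show. If that helper reads a null aggregate as "no findings", every inline `dxkit-allow:` annotation would be reported as stale after a skipped scan. A guard at the top of `produce`, `if (!ctx.analysisResult.capabilities.securityAggregate) return [];`, would keep the "emit zero entries when upstream data is missing" contract local to the producer. If the helper already handles null that way, a one-line comment saying so is enough.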
|
|
@@ -169,8 +172,8 @@ exports.PRODUCERS = Object.freeze([
|
|
|
169
172
|
SECRET_HMAC_PRODUCER,
|
|
170
173
|
QUALITY_PRODUCER,
|
|
171
174
|
HEALTH_PRODUCER,
|
|
172
|
-
LICENSES_PRODUCER,
|
|
173
175
|
TESTS_PRODUCER,
|
|
176
|
+
STALE_ALLOW_PRODUCER,
|
|
174
177
|
]);
|
|
175
178
|
/**
|
|
176
179
|
* Run every producer in `producers` against the shared context and
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/baseline/producers/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;;;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/baseline/producers/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;;;AAgOH,oCASC;AAOD,gCAMC;AA/OD,qCAAuD;AACvD,uCAAsF;AACtF,+CAA4D;AAC5D,yCAAgE;AAChE,+CAA4D;AAC5D,mCAAoD;AA8EpD;;;;;;;;;;;;;GAaG;AACU,QAAA,cAAc,GAEvB,MAAM,CAAC,MAAM,CAAC;IAChB,UAAU,EAAE;QACV,MAAM,EACJ,6EAA6E;YAC7E,kEAAkE;YAClE,gFAAgF;QAClF,YAAY,EAAE,gDAAgD;KAC/D;IACD,OAAO,EAAE;QACP,MAAM,EACJ,6EAA6E;YAC7E,+EAA+E;YAC/E,iEAAiE;YACjE,+EAA+E;QACjF,YAAY,EAAE,6BAA6B;KAC5C;IACD,cAAc,EAAE;QACd,MAAM,EACJ,yEAAyE;YACzE,uEAAuE;YACvE,yEAAyE;YACzE,6CAA6C;YAC7C,2EAA2E;YAC3E,uEAAuE;QACzE,YAAY,EAAE,uCAAuC;KACtD;CACF,CAAC,CAAC;AAEH,6EAA6E;AAC7E,mEAAmE;AACnE,qEAAqE;AACrE,mEAAmE;AACnE,iEAAiE;AACjE,aAAa;AAEb,MAAM,iBAAiB,GAAqB;IAC1C,IAAI,EAAE,UAAU;IAChB,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC;IACrD,OAAO,CAAC,GAAG;QACT,MAAM,SAAS,GAAG,GAAG,CAAC,cAAc,CAAC,YAAY,CAAC,iBAAiB,CAAC;QACpE,IAAI,CAAC,SAAS;YAAE,OAAO,EAAE,CAAC;QAC1B,OAAO,IAAA,6CAAkC,EAAC,SAAS,EAAE;YACnD,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;SACtC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,MAAM,oBAAoB,GAAqB;IAC7C,IAAI,EAAE,aAAa;IACnB,WAAW,EAAE,CAAC,aAAa,CAAC;IAC5B,OAAO,CAAC,GAAG;QACT,OAAO,IAAA,yCAA2B,EAAC,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACrF,CAAC;CACF,CAAC;AAEF,MAAM,gBAAgB,GAAqB;IACzC,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,CAAC,aAAa,EAAE,YAAY,CAAC;IAC1C,OAAO,CAAC,GAAG;QACT,OAAO;YACL,GAAG,IAAA,sCAA4B,EAAC,GAAG,CAAC,cAAc,CAAC,YAAY,CAAC,WAAW,CAAC;YAC5E,GAAG,IAAA,qCAA2B,EAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC;SACvD,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,MAAM,eAAe,GAAqB;IACxC,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,CAAC,YAAY,CAAC;IAC3B,OAAO,CAAC,GAAG;QACT,OAAO,IAAA,oCAA2B,EAAC,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACjE,CAAC;CACF,CAAC;AAEF,MAAM,cAAc,GAAqB;IACvC,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,CAAC,UAAU,EAAE,uBAAuB,CAAC;IAClD,OAAO,CAAC,GAAG;QACT,OAAO,IAAA,iCAAyB,EAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACvD,CAAC;CACF,CAAC;AAEF,MAAM
,oBAAoB,GAAqB;IAC7C,IAAI,EAAE,aAAa;IACnB,WAAW,EAAE,CAAC,aAAa,CAAC;IAC5B,OAAO,CAAC,GAAG;QACT,OAAO,IAAA,yCAA2B,EAAC;YACjC,WAAW,EAAE,GAAG,CAAC,0BAA0B;YAC3C,SAAS,EAAE,GAAG,CAAC,cAAc,CAAC,YAAY,CAAC,iBAAiB,IAAI,IAAI;SACrE,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;;;;GAQG;AACU,QAAA,SAAS,GAAoC,MAAM,CAAC,MAAM,CAAC;IACtE,iBAAiB;IACjB,oBAAoB;IACpB,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,oBAAoB;CACrB,CAAC,CAAC;AAEH;;;;;GAKG;AACH,SAAgB,YAAY,CAC1B,GAAoB,EACpB,YAA6C,iBAAS;IAEtD,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,GAAG,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAgB,UAAU,CACxB,YAA6C,iBAAS;IAEtD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAgB,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,SAAS;QAAE,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW;YAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACrE,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -26,14 +26,14 @@
|
|
|
26
26
|
* kind) require extending `gatherHygieneMarkers` to emit
|
|
27
27
|
* positions, not just counts. Pending in a follow-up commit.
|
|
28
28
|
*/
|
|
29
|
-
import type {
|
|
29
|
+
import type { RichBaselineEntry } from '../types';
|
|
30
30
|
import type { DuplicationResult } from '../../languages/capabilities/types';
|
|
31
31
|
/** Build `duplication` entries from a jscpd-style envelope. */
|
|
32
|
-
export declare function duplicationToBaselineEntries(duplication: DuplicationResult | undefined):
|
|
32
|
+
export declare function duplicationToBaselineEntries(duplication: DuplicationResult | undefined): RichBaselineEntry[];
|
|
33
33
|
/**
|
|
34
34
|
* Build `stale-file` entries from a list of repo-relative paths.
|
|
35
35
|
* Files with a suffix outside the canonical stale set are skipped
|
|
36
36
|
* (defensive — the caller's gather should already have filtered).
|
|
37
37
|
*/
|
|
38
|
-
export declare function staleFilesToBaselineEntries(staleFiles: ReadonlyArray<string>):
|
|
38
|
+
export declare function staleFilesToBaselineEntries(staleFiles: ReadonlyArray<string>): RichBaselineEntry[];
|
|
39
39
|
//# sourceMappingURL=quality.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"quality.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/quality.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,OAAO,KAAK,EAAE,
|
|
1
|
+
{"version":3,"file":"quality.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/quality.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAoD,MAAM,UAAU,CAAC;AACpG,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAQ5E,+DAA+D;AAC/D,wBAAgB,4BAA4B,CAC1C,WAAW,EAAE,iBAAiB,GAAG,SAAS,GACzC,iBAAiB,EAAE,CAuBrB;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CACzC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,GAChC,iBAAiB,EAAE,CAWrB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"quality.js","sourceRoot":"","sources":["../../../src/baseline/producers/quality.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;AAaH,oEAyBC;AAOD,
|
|
1
|
+
{"version":3,"file":"quality.js","sourceRoot":"","sources":["../../../src/baseline/producers/quality.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;AAaH,oEAyBC;AAOD,kEAaC;AAxDD,0DAAkD;AAIlD;;;gBAGgB;AAChB,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AAEnF,+DAA+D;AAC/D,SAAgB,4BAA4B,CAC1C,WAA0C;IAE1C,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,KAAK,GAA6B;YACtC,IAAI,EAAE,aAAa;YACnB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI;YACnB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI;YACnB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS;YAC7B,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS;SAC9B,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,aAAa;YACnB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI;YACnB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI;YACnB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS;YAC7B,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,SAAS;SAC9B,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAgB,2BAA2B,CACzC,UAAiC;IAEjC,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,GAAG,GAAG,CAAC;YAAE,SAAS;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACjD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QAC1C,MAAM,KAAK,GAA2B,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC3E,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
* value, so the HMAC machinery stays out of the public envelope.
|
|
22
22
|
*/
|
|
23
23
|
import type { GitleaksRawSecret } from '../../analyzers/tools/gitleaks';
|
|
24
|
-
import type {
|
|
24
|
+
import type { RichBaselineEntry } from '../types';
|
|
25
25
|
export interface SecretHmacProducerInput {
|
|
26
26
|
/** Raw secrets from `gatherGitleaksResult(cwd).rawSecrets`. */
|
|
27
27
|
readonly rawSecrets: ReadonlyArray<GitleaksRawSecret>;
|
|
@@ -41,5 +41,5 @@ export interface SecretHmacProducerInput {
|
|
|
41
41
|
* etc.) would add their own producer; the canonical-rule mapping
|
|
42
42
|
* collapses cross-tool overlaps inside `identityFor`.
|
|
43
43
|
*/
|
|
44
|
-
export declare function rawSecretsToBaselineEntries(input: SecretHmacProducerInput):
|
|
44
|
+
export declare function rawSecretsToBaselineEntries(input: SecretHmacProducerInput): RichBaselineEntry[];
|
|
45
45
|
//# sourceMappingURL=secret-hmac.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secret-hmac.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/secret-hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAExE,OAAO,KAAK,EAAE,
|
|
1
|
+
{"version":3,"file":"secret-hmac.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/secret-hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AAExE,OAAO,KAAK,EAAE,iBAAiB,EAA2B,MAAM,UAAU,CAAC;AAE3E,MAAM,WAAW,uBAAuB;IACtC,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACtD;;;iDAG6C;IAC7C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,uBAAuB,GAAG,iBAAiB,EAAE,CA6B/F"}
|