@vyuhlabs/dxkit 2.5.1 → 2.6.0
- package/CHANGELOG.md +318 -0
- package/README.md +150 -28
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +25 -8
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +154 -13
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -10
- package/dist/constants.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +0 -15
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts +78 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +590 -101
- package/dist/doctor.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +15 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +2 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +2 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +25 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +44 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +2 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +2 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +11 -1
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +2 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +2 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +45 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +2 -0
- package/dist/languages/typescript.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -5
- package/dist/prompts.js.map +1 -1
- package/dist/setup-branch-protection.d.ts +34 -0
- package/dist/setup-branch-protection.d.ts.map +1 -0
- package/dist/setup-branch-protection.js +190 -0
- package/dist/setup-branch-protection.js.map +1 -0
- package/dist/setup-gh.d.ts +75 -0
- package/dist/setup-gh.d.ts.map +1 -0
- package/dist/setup-gh.js +213 -0
- package/dist/setup-gh.js.map +1 -0
- package/dist/setup-prebuild.d.ts +34 -0
- package/dist/setup-prebuild.d.ts.map +1 -0
- package/dist/setup-prebuild.js +181 -0
- package/dist/setup-prebuild.js.map +1 -0
- package/dist/ship-installers.d.ts.map +1 -1
- package/dist/ship-installers.js +19 -4
- package/dist/ship-installers.js.map +1 -1
- package/dist/types.d.ts +24 -6
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts +41 -0
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +154 -15
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts +88 -0
- package/dist/upgrade.d.ts.map +1 -0
- package/dist/upgrade.js +324 -0
- package/dist/upgrade.js.map +1 -0
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +111 -17
- package/templates/.claude/skills/dxkit-config/SKILL.md +7 -7
- package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +8 -8
- package/templates/.claude/skills/dxkit-init/SKILL.md +3 -3
- package/templates/.claude/skills/dxkit-learn/SKILL.md +9 -9
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +274 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +18 -18
- package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
- package/templates/.devcontainer/devcontainer.json +6 -15
- package/templates/.devcontainer/post-create.sh +19 -4
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secret-hmac.js","sourceRoot":"","sources":["../../../src/baseline/producers/secret-hmac.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AA2BH,kEA6BC;AAtDD,mEAAsE;AAEtE,0DAAkD;AAalD;;;;;;;;;GASG;AACH,SAAgB,2BAA2B,CAAC,KAA8B;IACxE,MAAM,GAAG,
|
|
1
|
+
{"version":3,"file":"secret-hmac.js","sourceRoot":"","sources":["../../../src/baseline/producers/secret-hmac.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AA2BH,kEA6BC;AAtDD,mEAAsE;AAEtE,0DAAkD;AAalD;;;;;;;;;GASG;AACH,SAAgB,2BAA2B,CAAC,KAA8B;IACxE,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,oEAAoE;IACpE,mEAAmE;IACnE,kEAAkE;IAClE,8DAA8D;IAC9D,qDAAqD;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,SAAS;QAC1B,MAAM,IAAI,GAAG,IAAA,+BAAiB,EAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,aAAa,GAA4B;YAC7C,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI;SACL,CAAC;QACF,MAAM,EAAE,GAAG,IAAA,8BAAW,EAAC,aAAa,CAAC,CAAC;QACtC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,SAAS;QAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACb,GAAG,CAAC,IAAI,CAAC;YACP,EAAE;YACF,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -38,7 +38,7 @@
|
|
|
38
38
|
* work.
|
|
39
39
|
*/
|
|
40
40
|
import type { SecurityAggregate } from '../../analyzers/security/aggregator';
|
|
41
|
-
import type {
|
|
41
|
+
import type { RichBaselineEntry } from '../types';
|
|
42
42
|
export interface SecurityProducerOptions {
|
|
43
43
|
/** Repo path; used by `computeContentHashFromCommit` to invoke
|
|
44
44
|
* `git show`. Omitting it disables content-hash stamping. */
|
|
@@ -55,5 +55,5 @@ export interface SecurityProducerOptions {
|
|
|
55
55
|
* iteration order of the four categories so the produced baseline
|
|
56
56
|
* stays stable across re-runs of the same scan.
|
|
57
57
|
*/
|
|
58
|
-
export declare function securityAggregateToBaselineEntries(aggregate: SecurityAggregate, options?: SecurityProducerOptions):
|
|
58
|
+
export declare function securityAggregateToBaselineEntries(aggregate: SecurityAggregate, options?: SecurityProducerOptions): RichBaselineEntry[];
|
|
59
59
|
//# sourceMappingURL=security.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,
|
|
1
|
+
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,iBAAiB,EAKlB,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;kEAC8D;IAC9D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;eAIW;IACX,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,iBAAiB,EAC5B,OAAO,GAAE,uBAA4B,GACpC,iBAAiB,EAAE,CAwFrB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFA2FC;AAvHD,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,
|
|
1
|
+
{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFA2FC;AAvHD,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,CAAC,IAAY,EAAE,IAAY,EAAsB,EAAE;QAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACtE,MAAM,IAAI,GAAG,IAAA,2CAA4B,EAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtF,OAAO,IAAI,IAAI,SAAS,CAAC;IAC3B,CAAC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAsB;YAC/B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,
IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACxD,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;SACT,CAAC;QACF,MAAM,KAAK,GAAsB;YAC/B,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,UAAU,EAAE,CAAC,CAAC,EAAE;YAChB,GAAG,CAAC,CAAC,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Stale-allow → baseline-entry producer.
|
|
3
|
+
*
|
|
4
|
+
* Detects orphaned inline allowlist annotations — `dxkit-allow:`
|
|
5
|
+
* comments in source files that no longer match any current
|
|
6
|
+
* finding. The developer added the annotation when something was
|
|
7
|
+
* flagged; the finding is now gone (resolved, scanner-rule changed,
|
|
8
|
+
* code refactored); the annotation is dead code that should be
|
|
9
|
+
* removed.
|
|
10
|
+
*
|
|
11
|
+
* # The matching contract
|
|
12
|
+
*
|
|
13
|
+
* An annotation at `(file, line)` is considered ACTIVE when at
|
|
14
|
+
* least one current finding lands at the same `(file, lineWindow)` —
|
|
15
|
+
* the 3-line window from `lineWindowFor` absorbs small formatter /
|
|
16
|
+
* line-shift drift so a still-relevant annotation doesn't get
|
|
17
|
+
* flagged stale by an unrelated edit.
|
|
18
|
+
*
|
|
19
|
+
* Annotations with no matching finding emit a `stale-allow`
|
|
20
|
+
* `BaselineEntry` whose identity is `(file, lineWindow, category)`.
|
|
21
|
+
* The strict-stale model (TypeScript's `@ts-expect-error` pattern)
|
|
22
|
+
* forces the developer to clean up — preventing the annotation
|
|
23
|
+
* graveyard pattern common to less strict tools.
|
|
24
|
+
*
|
|
25
|
+
* # What counts as a "covered location"
|
|
26
|
+
*
|
|
27
|
+
* Source-anchored finding kinds — `secret`, `code`, `config` —
|
|
28
|
+
* carry `(file, line)` and contribute to the covered set. The
|
|
29
|
+
* `findingsByCategory` arrays on the canonical `SecurityAggregate`
|
|
30
|
+
* are the only source today; the aggregator is the single canonical
|
|
31
|
+
* fingerprint-deduped source of these findings (CLAUDE.md G_v4_8).
|
|
32
|
+
*
|
|
33
|
+
* Kinds without `(file, line)` — `dep-vuln`, `duplication`,
|
|
34
|
+
* `secret-hmac`, `license`, etc. — never participate in inline-
|
|
35
|
+
* annotation matching by construction. Annotations targeting those
|
|
36
|
+
* findings always use the file-level allowlist.
|
|
37
|
+
*
|
|
38
|
+
* # Mode handling
|
|
39
|
+
*
|
|
40
|
+
* `staleHandling` lives in `.dxkit/policy.json` (out of scope for
|
|
41
|
+
* this producer — the orchestrator gates whether to call it). When
|
|
42
|
+
* called, the producer emits `stale-allow` entries unconditionally
|
|
43
|
+
* for every orphan; the policy-level "lenient mode" surfaces these
|
|
44
|
+
* as warnings in the renderer rather than as blocking entries.
|
|
45
|
+
*/
|
|
46
|
+
import type { SecurityAggregate } from '../../analyzers/security/aggregator';
|
|
47
|
+
import type { InlineAllowlistOccurrence } from '../../allowlist/gather';
|
|
48
|
+
import type { RichBaselineEntry } from '../types';
|
|
49
|
+
export interface StaleAllowInput {
|
|
50
|
+
readonly annotations: ReadonlyArray<InlineAllowlistOccurrence>;
|
|
51
|
+
readonly aggregate: SecurityAggregate | null;
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Build `stale-allow` entries from the annotation list + the
|
|
55
|
+
* canonical security aggregate. Pure function — no I/O, no side
|
|
56
|
+
* effects. Deterministic over equal inputs.
|
|
57
|
+
*
|
|
58
|
+
* Returns an empty array when:
|
|
59
|
+
* - The annotation list is empty (nothing to check).
|
|
60
|
+
* - The aggregate is null AND the annotation list is empty.
|
|
61
|
+
*
|
|
62
|
+
* When the aggregate is null but annotations exist, the producer
|
|
63
|
+
* conservatively emits NO stale entries — the caller has no way to
|
|
64
|
+
* know whether annotations are active or stale without the
|
|
65
|
+
* findings. Surfacing "everything is stale" in that scenario would
|
|
66
|
+
* be wrong; surfacing "everything is fine" is also wrong but less
|
|
67
|
+
* actively misleading.
|
|
68
|
+
*/
|
|
69
|
+
export declare function staleAllowToBaselineEntries(input: StaleAllowInput): RichBaselineEntry[];
|
|
70
|
+
//# sourceMappingURL=stale-allow.d.ts.map
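Review bot: The `Returns an empty array when:` list in the doc comment on `staleAllowToBaselineEntries` (declaration lines 58–60) is misleading. Its second bullet, `The aggregate is null AND the annotation list is empty`, is already covered by the first, while the case that matters, a null aggregate with annotations present, is only described in the paragraph below. I would replace the second bullet with `- The aggregate is null (staleness was NOT evaluated; an empty result does not mean the annotations are live).` Because the `RichBaselineEntry[]` return type cannot distinguish "skipped" from "clean", the comment should also say that the caller has to check `aggregate` itself before treating an empty result as a pass. The same comment text is repeated in the compiled stale-allow.js section further down.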
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"stale-allow.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/stale-allow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAC7E,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAExE,OAAO,KAAK,EAAE,iBAAiB,EAA2B,MAAM,UAAU,CAAC;AAE3E,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,yBAAyB,CAAC,CAAC;IAC/D,QAAQ,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,EAAE,CAwBvF"}
|
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Stale-allow → baseline-entry producer.
|
|
4
|
+
*
|
|
5
|
+
* Detects orphaned inline allowlist annotations — `dxkit-allow:`
|
|
6
|
+
* comments in source files that no longer match any current
|
|
7
|
+
* finding. The developer added the annotation when something was
|
|
8
|
+
* flagged; the finding is now gone (resolved, scanner-rule changed,
|
|
9
|
+
* code refactored); the annotation is dead code that should be
|
|
10
|
+
* removed.
|
|
11
|
+
*
|
|
12
|
+
* # The matching contract
|
|
13
|
+
*
|
|
14
|
+
* An annotation at `(file, line)` is considered ACTIVE when at
|
|
15
|
+
* least one current finding lands at the same `(file, lineWindow)` —
|
|
16
|
+
* the 3-line window from `lineWindowFor` absorbs small formatter /
|
|
17
|
+
* line-shift drift so a still-relevant annotation doesn't get
|
|
18
|
+
* flagged stale by an unrelated edit.
|
|
19
|
+
*
|
|
20
|
+
* Annotations with no matching finding emit a `stale-allow`
|
|
21
|
+
* `BaselineEntry` whose identity is `(file, lineWindow, category)`.
|
|
22
|
+
* The strict-stale model (TypeScript's `@ts-expect-error` pattern)
|
|
23
|
+
* forces the developer to clean up — preventing the annotation
|
|
24
|
+
* graveyard pattern common to less strict tools.
|
|
25
|
+
*
|
|
26
|
+
* # What counts as a "covered location"
|
|
27
|
+
*
|
|
28
|
+
* Source-anchored finding kinds — `secret`, `code`, `config` —
|
|
29
|
+
* carry `(file, line)` and contribute to the covered set. The
|
|
30
|
+
* `findingsByCategory` arrays on the canonical `SecurityAggregate`
|
|
31
|
+
* are the only source today; the aggregator is the single canonical
|
|
32
|
+
* fingerprint-deduped source of these findings (CLAUDE.md G_v4_8).
|
|
33
|
+
*
|
|
34
|
+
* Kinds without `(file, line)` — `dep-vuln`, `duplication`,
|
|
35
|
+
* `secret-hmac`, `license`, etc. — never participate in inline-
|
|
36
|
+
* annotation matching by construction. Annotations targeting those
|
|
37
|
+
* findings always use the file-level allowlist.
|
|
38
|
+
*
|
|
39
|
+
* # Mode handling
|
|
40
|
+
*
|
|
41
|
+
* `staleHandling` lives in `.dxkit/policy.json` (out of scope for
|
|
42
|
+
* this producer — the orchestrator gates whether to call it). When
|
|
43
|
+
* called, the producer emits `stale-allow` entries unconditionally
|
|
44
|
+
* for every orphan; the policy-level "lenient mode" surfaces these
|
|
45
|
+
* as warnings in the renderer rather than as blocking entries.
|
|
46
|
+
*/
|
|
47
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
48
|
+
exports.staleAllowToBaselineEntries = staleAllowToBaselineEntries;
|
|
49
|
+
const fingerprint_1 = require("../../analyzers/tools/fingerprint");
|
|
50
|
+
const finding_identity_1 = require("../finding-identity");
|
|
51
|
+
/**
|
|
52
|
+
* Build `stale-allow` entries from the annotation list + the
|
|
53
|
+
* canonical security aggregate. Pure function — no I/O, no side
|
|
54
|
+
* effects. Deterministic over equal inputs.
|
|
55
|
+
*
|
|
56
|
+
* Returns an empty array when:
|
|
57
|
+
* - The annotation list is empty (nothing to check).
|
|
58
|
+
* - The aggregate is null AND the annotation list is empty.
|
|
59
|
+
*
|
|
60
|
+
* When the aggregate is null but annotations exist, the producer
|
|
61
|
+
* conservatively emits NO stale entries — the caller has no way to
|
|
62
|
+
* know whether annotations are active or stale without the
|
|
63
|
+
* findings. Surfacing "everything is stale" in that scenario would
|
|
64
|
+
* be wrong; surfacing "everything is fine" is also wrong but less
|
|
65
|
+
* actively misleading.
|
|
66
|
+
*/
|
|
67
|
+
function staleAllowToBaselineEntries(input) {
|
|
68
|
+
if (input.annotations.length === 0)
|
|
69
|
+
return [];
|
|
70
|
+
if (input.aggregate === null)
|
|
71
|
+
return [];
|
|
72
|
+
const covered = buildCoveredLocations(input.aggregate);
|
|
73
|
+
const out = [];
|
|
74
|
+
for (const occ of input.annotations) {
|
|
75
|
+
const key = locationKey(occ.file, occ.line);
|
|
76
|
+
if (covered.has(key))
|
|
77
|
+
continue; // active suppression — not stale
|
|
78
|
+
const identityInput = {
|
|
79
|
+
kind: 'stale-allow',
|
|
80
|
+
file: occ.file,
|
|
81
|
+
line: occ.line,
|
|
82
|
+
category: occ.category,
|
|
83
|
+
};
|
|
84
|
+
out.push({
|
|
85
|
+
id: (0, finding_identity_1.identityFor)(identityInput),
|
|
86
|
+
kind: 'stale-allow',
|
|
87
|
+
file: occ.file,
|
|
88
|
+
line: occ.line,
|
|
89
|
+
category: occ.category,
|
|
90
|
+
});
|
|
91
|
+
}
|
|
92
|
+
return out;
|
|
93
|
+
}
|
|
94
|
+
// ─── Internals ────────────────────────────────────────────────────────────
|
|
95
|
+
function buildCoveredLocations(aggregate) {
|
|
96
|
+
const out = new Set();
|
|
97
|
+
for (const f of aggregate.findingsByCategory.secret) {
|
|
98
|
+
out.add(locationKey(f.file, f.line));
|
|
99
|
+
}
|
|
100
|
+
for (const f of aggregate.findingsByCategory.code) {
|
|
101
|
+
out.add(locationKey(f.file, f.line));
|
|
102
|
+
}
|
|
103
|
+
for (const f of aggregate.findingsByCategory.config) {
|
|
104
|
+
out.add(locationKey(f.file, f.line));
|
|
105
|
+
}
|
|
106
|
+
return out;
|
|
107
|
+
}
|
|
108
|
+
function locationKey(file, line) {
|
|
109
|
+
return `${file}\0${(0, fingerprint_1.lineWindowFor)(line)}`;
|
|
110
|
+
}
|
|
111
|
+
//# sourceMappingURL=stale-allow.js.map
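Review bot: `covered` is keyed on `(file, lineWindow)` alone, so in `staleAllowToBaselineEntries` an annotation counts as active whenever any `secret`, `code` or `config` finding lands in its window, including one it was never written for. A suppression whose original finding is gone therefore stays unflagged as long as some unrelated finding sits nearby, which is the annotation graveyard the header comment says this producer prevents. If `InlineAllowlistOccurrence` records the rule or finding kind the annotation targets (not visible in this section), include it in the key built by `locationKey`; if it does not, state the limitation next to `if (covered.has(key))`, for example `// location-only match: any finding in the window keeps this annotation active`. The match also depends on `occ.file` and `f.file` using the same path form, which this section does not show being normalised.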
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"stale-allow.js","sourceRoot":"","sources":["../../../src/baseline/producers/stale-allow.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;;AA6BH,kEAwBC;AAnDD,mEAAkE;AAGlE,0DAAkD;AAQlD;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,2BAA2B,CAAC,KAAsB;IAChE,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,IAAI,KAAK,CAAC,SAAS,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,OAAO,GAAG,qBAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACvD,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,iCAAiC;QACjE,MAAM,aAAa,GAA4B;YAC7C,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,aAAa,CAAC;YAC9B,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,6EAA6E;AAE7E,SAAS,qBAAqB,CAAC,SAA4B;IACzD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,IAAY;IAC7C,OAAO,GAAG,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,EAAE,CAAC;AAC3C,CAAC"}
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
* `AnalysisResult` cache so it doesn't re-gather what the security
|
|
23
23
|
* producer already triggered).
|
|
24
24
|
*/
|
|
25
|
-
import type {
|
|
25
|
+
import type { RichBaselineEntry } from '../types';
|
|
26
26
|
import type { TestGapsReport } from '../../analyzers/tests/types';
|
|
27
27
|
/**
|
|
28
28
|
* Build `test-gap` + `test-file-degradation` entries from a
|
|
@@ -32,5 +32,5 @@ import type { TestGapsReport } from '../../analyzers/tests/types';
|
|
|
32
32
|
* report's iteration order so re-runs against the same scan are
|
|
33
33
|
* byte-stable.
|
|
34
34
|
*/
|
|
35
|
-
export declare function testGapsToBaselineEntries(report: TestGapsReport):
|
|
35
|
+
export declare function testGapsToBaselineEntries(report: TestGapsReport): RichBaselineEntry[];
|
|
36
36
|
//# sourceMappingURL=tests.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tests.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EACV,
|
|
1
|
+
{"version":3,"file":"tests.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EACV,iBAAiB,EAGlB,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAElE;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,cAAc,GAAG,iBAAiB,EAAE,CAgCrF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,
|
|
1
|
+
{"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,GAAwB,EAAE,CAAC;IAEpC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,iEAAiE;QACjE,kEAAkE;QAClE,aAAa;QACb,IAAI,GAAG,CAAC,eAAe;YAAE,SAAS;QAClC,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ;YAAE,SAAS;QACrC,MAAM,KAAK,GAAqC;YAC9C,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1,114 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Ref-based baseline gather — produces a `CurrentScan` for a git
|
|
3
|
+
* ref by checking it out into a temporary worktree and running the
|
|
4
|
+
* analyzer pipeline there.
|
|
5
|
+
*
|
|
6
|
+
* # When this runs
|
|
7
|
+
*
|
|
8
|
+
* `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
|
|
9
|
+
* needs a "prior side" to diff against; in committed modes the
|
|
10
|
+
* prior side comes from `.dxkit/baselines/<name>.json`, but in
|
|
11
|
+
* ref-based mode no file is committed — the prior side is
|
|
12
|
+
* recomputed on the fly from a git ref (default
|
|
13
|
+
* `origin/<default-branch>`).
|
|
14
|
+
*
|
|
15
|
+
* # Mechanics
|
|
16
|
+
*
|
|
17
|
+
* 1. Resolve `ref` to a commit SHA. Failure here surfaces a
|
|
18
|
+
* `RefBaselineError` with one of three actionable hints:
|
|
19
|
+
* - Shallow clone → `git fetch --unshallow` / CI fetch-depth
|
|
20
|
+
* - Ref doesn't exist → `git fetch origin` or fix policy
|
|
21
|
+
* - Local-only ref → push it or use a remote-tracking ref
|
|
22
|
+
* 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
|
|
23
|
+
* full checkout of the source tree at that SHA — but NOT a
|
|
24
|
+
* package-manager install, so dep-vuln scanners that read
|
|
25
|
+
* `node_modules` directly will see degraded results. The
|
|
26
|
+
* dxkit dep scanners use lockfiles (`package-lock.json`,
|
|
27
|
+
* `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
|
|
28
|
+
* survives the gap.
|
|
29
|
+
* 3. Run `gatherCurrentScan` against the worktree directory. Same
|
|
30
|
+
* pipeline as the live current scan — same producer registry,
|
|
31
|
+
* same envelope shape — so the matcher diffs apples-to-apples.
|
|
32
|
+
* 4. Clean up the worktree on the way out (try/finally).
|
|
33
|
+
*
|
|
34
|
+
* # Why a generic `withRefWorktree` helper
|
|
35
|
+
*
|
|
36
|
+
* The worktree setup + cleanup pattern is reusable. Future modes-
|
|
37
|
+
* aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
|
|
38
|
+
* subcommand) can compose `withRefWorktree` directly instead of
|
|
39
|
+
* re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
|
|
40
|
+
* thin specialization for the guardrail-check use case.
|
|
41
|
+
*
|
|
42
|
+
* # Failure semantics
|
|
43
|
+
*
|
|
44
|
+
* Recoverable failures (ref unreachable, worktree-add fails) throw
|
|
45
|
+
* `RefBaselineError` with a `hint` field the CLI renders in plain
|
|
46
|
+
* prose. Unrecoverable failures (the gather pipeline itself
|
|
47
|
+
* crashes) propagate up the original Error subclass — they're not
|
|
48
|
+
* specific to ref-based mode and live with the existing error
|
|
49
|
+
* handling in the orchestrator.
|
|
50
|
+
*/
|
|
51
|
+
import type { CurrentScan } from './create';
|
|
52
|
+
/**
|
|
53
|
+
* Recoverable error from the ref-based gather path. Carries an
|
|
54
|
+
* actionable `hint` the CLI surfaces verbatim so customers don't
|
|
55
|
+
* have to interpret raw git output. Inherits from `Error` so
|
|
56
|
+
* existing catch-by-Error code keeps working.
|
|
57
|
+
*/
|
|
58
|
+
export declare class RefBaselineError extends Error {
|
|
59
|
+
readonly hint: string;
|
|
60
|
+
constructor(message: string, hint: string);
|
|
61
|
+
}
|
|
62
|
+
export interface RefWorktreeOptions {
|
|
63
|
+
readonly cwd: string;
|
|
64
|
+
readonly ref: string;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Resolve a ref to a commit SHA via `git rev-parse --verify
|
|
68
|
+
* <ref>^{commit}`. Returns null when the ref isn't reachable (the
|
|
69
|
+
* caller surfaces the appropriate hint based on shallow-clone /
|
|
70
|
+
* remote-only state).
|
|
71
|
+
*/
|
|
72
|
+
export declare function resolveRefToSha(cwd: string, ref: string): string | null;
|
|
73
|
+
/**
|
|
74
|
+
* Whether the current working tree was cloned shallowly. Drives
|
|
75
|
+
* the hint surfaced when a ref isn't reachable: a CI clone with
|
|
76
|
+
* `fetch-depth: 1` won't have the baseline ref's history, and the
|
|
77
|
+
* fix is `fetch-depth: 0`, not pushing the missing ref.
|
|
78
|
+
*/
|
|
79
|
+
export declare function isShallowRepo(cwd: string): boolean;
|
|
80
|
+
/**
|
|
81
|
+
* Check out `ref` into a temporary worktree, run `fn` with the
|
|
82
|
+
* worktree path, and tear down the worktree on the way out.
|
|
83
|
+
*
|
|
84
|
+
* Always cleans up — even when `fn` throws. The cleanup tolerates
|
|
85
|
+
* `git worktree remove` failures (e.g., dirty worktree from a
|
|
86
|
+
* partial gather) by falling back to `rm -rf` on the temp dir.
|
|
87
|
+
*/
|
|
88
|
+
export declare function withRefWorktree<T>(opts: RefWorktreeOptions, fn: (worktreePath: string) => Promise<T>): Promise<T>;
|
|
89
|
+
/**
|
|
90
|
+
* Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
|
|
91
|
+
* Public for testing — production callers reach this through
|
|
92
|
+
* `withRefWorktree`. The directory is created on demand; absent
|
|
93
|
+
* source files are silently skipped (env-var + deterministic salt
|
|
94
|
+
* modes both work without the file).
|
|
95
|
+
*/
|
|
96
|
+
export declare function mirrorSaltFile(srcCwd: string, dstCwd: string): void;
|
|
97
|
+
/**
|
|
98
|
+
* Run `gatherCurrentScan` against a temporary worktree checked out
|
|
99
|
+
* to `ref`. Returns the same shape as a live gather — the matcher
|
|
100
|
+
* doesn't care which side was the worktree, only that both sides
|
|
101
|
+
* are `CurrentScan` envelopes.
|
|
102
|
+
*
|
|
103
|
+
* Per-tool degradation note: dep-vuln scanners may report less
|
|
104
|
+
* coverage in the worktree because `node_modules` (and analogous
|
|
105
|
+
* install artifacts) are typically gitignored and so don't exist
|
|
106
|
+
* in the worktree. The lockfile-driven scanners dxkit prefers
|
|
107
|
+
* survive the gap; `npm audit`-style probes do not.
|
|
108
|
+
*/
|
|
109
|
+
export declare function gatherFromRef(opts: {
|
|
110
|
+
readonly cwd: string;
|
|
111
|
+
readonly ref: string;
|
|
112
|
+
readonly verbose?: boolean;
|
|
113
|
+
}): Promise<CurrentScan>;
|
|
114
|
+
//# sourceMappingURL=ref-baseline.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ref-baseline.d.ts","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAOH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5C;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAWlD;AAqBD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,IAAI,EAAE,kBAAkB,EACxB,EAAE,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GACvC,OAAO,CAAC,CAAC,CAAC,CAuDZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAMnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B,GAAG,OAAO,CAAC,WAAW,CAAC,CAIvB"}
|
|
@@ -0,0 +1,260 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Ref-based baseline gather — produces a `CurrentScan` for a git
|
|
4
|
+
* ref by checking it out into a temporary worktree and running the
|
|
5
|
+
* analyzer pipeline there.
|
|
6
|
+
*
|
|
7
|
+
* # When this runs
|
|
8
|
+
*
|
|
9
|
+
* `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
|
|
10
|
+
* needs a "prior side" to diff against; in committed modes the
|
|
11
|
+
* prior side comes from `.dxkit/baselines/<name>.json`, but in
|
|
12
|
+
* ref-based mode no file is committed — the prior side is
|
|
13
|
+
* recomputed on the fly from a git ref (default
|
|
14
|
+
* `origin/<default-branch>`).
|
|
15
|
+
*
|
|
16
|
+
* # Mechanics
|
|
17
|
+
*
|
|
18
|
+
* 1. Resolve `ref` to a commit SHA. Failure here surfaces a
|
|
19
|
+
* `RefBaselineError` with one of three actionable hints:
|
|
20
|
+
* - Shallow clone → `git fetch --unshallow` / CI fetch-depth
|
|
21
|
+
* - Ref doesn't exist → `git fetch origin` or fix policy
|
|
22
|
+
* - Local-only ref → push it or use a remote-tracking ref
|
|
23
|
+
* 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
|
|
24
|
+
* full checkout of the source tree at that SHA — but NOT a
|
|
25
|
+
* package-manager install, so dep-vuln scanners that read
|
|
26
|
+
* `node_modules` directly will see degraded results. The
|
|
27
|
+
* dxkit dep scanners use lockfiles (`package-lock.json`,
|
|
28
|
+
* `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
|
|
29
|
+
* survives the gap.
|
|
30
|
+
* 3. Run `gatherCurrentScan` against the worktree directory. Same
|
|
31
|
+
* pipeline as the live current scan — same producer registry,
|
|
32
|
+
* same envelope shape — so the matcher diffs apples-to-apples.
|
|
33
|
+
* 4. Clean up the worktree on the way out (try/finally).
|
|
34
|
+
*
|
|
35
|
+
* # Why a generic `withRefWorktree` helper
|
|
36
|
+
*
|
|
37
|
+
* The worktree setup + cleanup pattern is reusable. Future modes-
|
|
38
|
+
* aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
|
|
39
|
+
* subcommand) can compose `withRefWorktree` directly instead of
|
|
40
|
+
* re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
|
|
41
|
+
* thin specialization for the guardrail-check use case.
|
|
42
|
+
*
|
|
43
|
+
* # Failure semantics
|
|
44
|
+
*
|
|
45
|
+
* Recoverable failures (ref unreachable, worktree-add fails) throw
|
|
46
|
+
* `RefBaselineError` with a `hint` field the CLI renders in plain
|
|
47
|
+
* prose. Unrecoverable failures (the gather pipeline itself
|
|
48
|
+
* crashes) propagate up the original Error subclass — they're not
|
|
49
|
+
* specific to ref-based mode and live with the existing error
|
|
50
|
+
* handling in the orchestrator.
|
|
51
|
+
*/
|
|
52
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
53
|
+
if (k2 === undefined) k2 = k;
|
|
54
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
55
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
56
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
57
|
+
}
|
|
58
|
+
Object.defineProperty(o, k2, desc);
|
|
59
|
+
}) : (function(o, m, k, k2) {
|
|
60
|
+
if (k2 === undefined) k2 = k;
|
|
61
|
+
o[k2] = m[k];
|
|
62
|
+
}));
|
|
63
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
64
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
65
|
+
}) : function(o, v) {
|
|
66
|
+
o["default"] = v;
|
|
67
|
+
});
|
|
68
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
69
|
+
var ownKeys = function(o) {
|
|
70
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
71
|
+
var ar = [];
|
|
72
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
73
|
+
return ar;
|
|
74
|
+
};
|
|
75
|
+
return ownKeys(o);
|
|
76
|
+
};
|
|
77
|
+
return function (mod) {
|
|
78
|
+
if (mod && mod.__esModule) return mod;
|
|
79
|
+
var result = {};
|
|
80
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
81
|
+
__setModuleDefault(result, mod);
|
|
82
|
+
return result;
|
|
83
|
+
};
|
|
84
|
+
})();
|
|
85
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
86
|
+
exports.RefBaselineError = void 0;
|
|
87
|
+
exports.resolveRefToSha = resolveRefToSha;
|
|
88
|
+
exports.isShallowRepo = isShallowRepo;
|
|
89
|
+
exports.withRefWorktree = withRefWorktree;
|
|
90
|
+
exports.mirrorSaltFile = mirrorSaltFile;
|
|
91
|
+
exports.gatherFromRef = gatherFromRef;
|
|
92
|
+
const child_process_1 = require("child_process");
|
|
93
|
+
const fs_1 = require("fs");
|
|
94
|
+
const os_1 = require("os");
|
|
95
|
+
const path = __importStar(require("path"));
|
|
96
|
+
const create_1 = require("./create");
|
|
97
|
+
/**
|
|
98
|
+
* Recoverable error from the ref-based gather path. Carries an
|
|
99
|
+
* actionable `hint` the CLI surfaces verbatim so customers don't
|
|
100
|
+
* have to interpret raw git output. Inherits from `Error` so
|
|
101
|
+
* existing catch-by-Error code keeps working.
|
|
102
|
+
*/
|
|
103
|
+
class RefBaselineError extends Error {
|
|
104
|
+
hint;
|
|
105
|
+
constructor(message, hint) {
|
|
106
|
+
super(message);
|
|
107
|
+
this.name = 'RefBaselineError';
|
|
108
|
+
this.hint = hint;
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
exports.RefBaselineError = RefBaselineError;
|
|
112
|
+
/**
|
|
113
|
+
* Resolve a ref to a commit SHA via `git rev-parse --verify
|
|
114
|
+
* <ref>^{commit}`. Returns null when the ref isn't reachable (the
|
|
115
|
+
* caller surfaces the appropriate hint based on shallow-clone /
|
|
116
|
+
* remote-only state).
|
|
117
|
+
*/
|
|
118
|
+
function resolveRefToSha(cwd, ref) {
|
|
119
|
+
try {
|
|
120
|
+
const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--verify', `${ref}^{commit}`], {
|
|
121
|
+
cwd,
|
|
122
|
+
encoding: 'utf-8',
|
|
123
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
124
|
+
}).trim();
|
|
125
|
+
return out || null;
|
|
126
|
+
}
|
|
127
|
+
catch {
|
|
128
|
+
return null;
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
/**
|
|
132
|
+
* Whether the current working tree was cloned shallowly. Drives
|
|
133
|
+
* the hint surfaced when a ref isn't reachable: a CI clone with
|
|
134
|
+
* `fetch-depth: 1` won't have the baseline ref's history, and the
|
|
135
|
+
* fix is `fetch-depth: 0`, not pushing the missing ref.
|
|
136
|
+
*/
|
|
137
|
+
function isShallowRepo(cwd) {
|
|
138
|
+
try {
|
|
139
|
+
const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--is-shallow-repository'], {
|
|
140
|
+
cwd,
|
|
141
|
+
encoding: 'utf-8',
|
|
142
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
143
|
+
}).trim();
|
|
144
|
+
return out === 'true';
|
|
145
|
+
}
|
|
146
|
+
catch {
|
|
147
|
+
return false;
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
/**
|
|
151
|
+
* Build the right `RefBaselineError` for an unreachable ref. The
|
|
152
|
+
* hint is the actionable next step, not a tautology — shallow
|
|
153
|
+
* clones get fetch-depth advice, otherwise we suggest configuring
|
|
154
|
+
* a different ref.
|
|
155
|
+
*/
|
|
156
|
+
function unreachableRefError(cwd, ref) {
|
|
157
|
+
if (isShallowRepo(cwd)) {
|
|
158
|
+
return new RefBaselineError(`Cannot resolve baseline ref ${ref}: this is a shallow clone.`, 'Run `git fetch --unshallow` locally, or set `fetch-depth: 0` in your CI checkout step.');
|
|
159
|
+
}
|
|
160
|
+
return new RefBaselineError(`Cannot resolve baseline ref ${ref}.`, `Run \`git fetch origin\`, push the ref upstream, or set \`baseline.ref\` in .dxkit/policy.json to an existing ref.`);
|
|
161
|
+
}
|
|
162
|
+
/**
|
|
163
|
+
* Check out `ref` into a temporary worktree, run `fn` with the
|
|
164
|
+
* worktree path, and tear down the worktree on the way out.
|
|
165
|
+
*
|
|
166
|
+
* Always cleans up — even when `fn` throws. The cleanup tolerates
|
|
167
|
+
* `git worktree remove` failures (e.g., dirty worktree from a
|
|
168
|
+
* partial gather) by falling back to `rm -rf` on the temp dir.
|
|
169
|
+
*/
|
|
170
|
+
async function withRefWorktree(opts, fn) {
|
|
171
|
+
const sha = resolveRefToSha(opts.cwd, opts.ref);
|
|
172
|
+
if (sha === null)
|
|
173
|
+
throw unreachableRefError(opts.cwd, opts.ref);
|
|
174
|
+
// mkdtempSync returns an empty dir; git worktree add wants the
|
|
175
|
+
// target path NOT to exist (or to be empty). Use a fresh subdir
|
|
176
|
+
// inside the temp parent so git creates it cleanly.
|
|
177
|
+
const tempBase = (0, fs_1.mkdtempSync)(path.join((0, os_1.tmpdir)(), 'dxkit-ref-'));
|
|
178
|
+
const worktreePath = path.join(tempBase, 'baseline');
|
|
179
|
+
let worktreeAdded = false;
|
|
180
|
+
try {
|
|
181
|
+
(0, child_process_1.execFileSync)('git', ['worktree', 'add', '--detach', worktreePath, sha], {
|
|
182
|
+
cwd: opts.cwd,
|
|
183
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
184
|
+
});
|
|
185
|
+
worktreeAdded = true;
|
|
186
|
+
// Mirror file-mode salt into the worktree so secret-HMAC entries
|
|
187
|
+
// pair across prior/current sides. Env-var + deterministic modes
|
|
188
|
+
// resolve identically across cwd + worktree (env inheritance +
|
|
189
|
+
// shared initial-commit SHA); file mode is the one that drifts
|
|
190
|
+
// because `.dxkit/salt` is gitignored and so isn't part of the
|
|
191
|
+
// checkout. The copy is no-op when the file doesn't exist.
|
|
192
|
+
mirrorSaltFile(opts.cwd, worktreePath);
|
|
193
|
+
return await fn(worktreePath);
|
|
194
|
+
}
|
|
195
|
+
catch (err) {
|
|
196
|
+
if (err instanceof RefBaselineError)
|
|
197
|
+
throw err;
|
|
198
|
+
if (!worktreeAdded) {
|
|
199
|
+
// The worktree-add itself failed. Surface a clean error
|
|
200
|
+
// instead of bubbling the raw stderr.
|
|
201
|
+
throw new RefBaselineError(`Failed to set up baseline worktree at ${opts.ref}.`, `Check that 'git worktree' is available and that ${tempBase} is writable.`);
|
|
202
|
+
}
|
|
203
|
+
throw err;
|
|
204
|
+
}
|
|
205
|
+
finally {
|
|
206
|
+
if (worktreeAdded) {
|
|
207
|
+
try {
|
|
208
|
+
(0, child_process_1.execFileSync)('git', ['worktree', 'remove', '--force', worktreePath], {
|
|
209
|
+
cwd: opts.cwd,
|
|
210
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
211
|
+
});
|
|
212
|
+
}
|
|
213
|
+
catch {
|
|
214
|
+
// git worktree remove can fail if the worktree dir was
|
|
215
|
+
// already cleaned externally. The rmSync below recovers.
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
try {
|
|
219
|
+
(0, fs_1.rmSync)(tempBase, { recursive: true, force: true });
|
|
220
|
+
}
|
|
221
|
+
catch {
|
|
222
|
+
// Best-effort cleanup of the temp parent. A stale temp dir
|
|
223
|
+
// is preferable to surfacing a misleading error if the gather
|
|
224
|
+
// already succeeded.
|
|
225
|
+
}
|
|
226
|
+
}
|
|
227
|
+
}
|
|
228
|
+
/**
|
|
229
|
+
* Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
|
|
230
|
+
* Public for testing — production callers reach this through
|
|
231
|
+
* `withRefWorktree`. The directory is created on demand; absent
|
|
232
|
+
* source files are silently skipped (env-var + deterministic salt
|
|
233
|
+
* modes both work without the file).
|
|
234
|
+
*/
|
|
235
|
+
function mirrorSaltFile(srcCwd, dstCwd) {
|
|
236
|
+
const src = path.join(srcCwd, '.dxkit', 'salt');
|
|
237
|
+
if (!(0, fs_1.existsSync)(src))
|
|
238
|
+
return;
|
|
239
|
+
const dstDir = path.join(dstCwd, '.dxkit');
|
|
240
|
+
(0, fs_1.mkdirSync)(dstDir, { recursive: true });
|
|
241
|
+
(0, fs_1.copyFileSync)(src, path.join(dstDir, 'salt'));
|
|
242
|
+
}
|
|
243
|
+
/**
|
|
244
|
+
* Run `gatherCurrentScan` against a temporary worktree checked out
|
|
245
|
+
* to `ref`. Returns the same shape as a live gather — the matcher
|
|
246
|
+
* doesn't care which side was the worktree, only that both sides
|
|
247
|
+
* are `CurrentScan` envelopes.
|
|
248
|
+
*
|
|
249
|
+
* Per-tool degradation note: dep-vuln scanners may report less
|
|
250
|
+
* coverage in the worktree because `node_modules` (and analogous
|
|
251
|
+
* install artifacts) are typically gitignored and so don't exist
|
|
252
|
+
* in the worktree. The lockfile-driven scanners dxkit prefers
|
|
253
|
+
* survive the gap; `npm audit`-style probes do not.
|
|
254
|
+
*/
|
|
255
|
+
async function gatherFromRef(opts) {
|
|
256
|
+
return withRefWorktree({ cwd: opts.cwd, ref: opts.ref }, async (worktreePath) => {
|
|
257
|
+
return (0, create_1.gatherCurrentScan)({ cwd: worktreePath, verbose: opts.verbose });
|
|
258
|
+
});
|
|
259
|
+
}
|
|
260
|
+
//# sourceMappingURL=ref-baseline.js.map
|
|
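Review bot: `mirrorSaltFile` copies `.dxkit/salt` into a directory whose contents are decided by the commit at `ref`, and nothing checks what is already at `<worktree>/.dxkit` before `mkdirSync` and `copyFileSync` run. Being gitignored does not stop a commit from tracking `.dxkit` or `.dxkit/salt` as a symlink, and in that case the copy follows the link and the salt ends up outside the `dxkit-ref-` temp dir. I would accept only a missing or real directory there and copy with `COPYFILE_EXCL`, as sketched below (the change belongs in `src/baseline/ref-baseline.ts`, which this file is compiled from; a baseline that tracks a regular `.dxkit/salt` would then fail loudly, which needs a decision). Separately, `resolveRefToSha` hands `${ref}^{commit}` to `git rev-parse` with no guard against a leading `-`, and the error hint shows `ref` can come from `baseline.ref` in `.dxkit/policy.json`; `if (ref.startsWith('-')) return null;` at the top of the function would keep such a value from being read as an option.

```javascript
function mirrorSaltFile(srcCwd, dstCwd) {
    // … unchanged: src path and existsSync early return …
    const dstDir = path.join(dstCwd, '.dxkit');
    // The destination tree comes from the checked-out commit: accept only a
    // real directory (or nothing) at .dxkit, never a tracked symlink or file.
    const existing = (0, fs_1.lstatSync)(dstDir, { throwIfNoEntry: false });
    if (existing !== undefined && !existing.isDirectory()) {
        throw new RefBaselineError(`Refusing to mirror salt: ${dstDir} is not a directory.`, 'Remove the tracked `.dxkit` entry from the baseline ref.');
    }
    (0, fs_1.mkdirSync)(dstDir, { recursive: true });
    // COPYFILE_EXCL fails when the destination already exists (a symlink
    // included), so the salt is only written to a file created here.
    (0, fs_1.copyFileSync)(src, path.join(dstDir, 'salt'), fs_1.constants.COPYFILE_EXCL);
}
```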
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ref-baseline.js","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCH,0CAWC;AAQD,sCAWC;AA6BD,0CA0DC;AASD,wCAMC;AAcD,sCAQC;AA3LD,iDAA6C;AAC7C,2BAA8E;AAC9E,2BAA4B;AAC5B,2CAA6B;AAC7B,qCAA6C;AAG7C;;;;;GAKG;AACH,MAAa,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IACtB,YAAY,OAAe,EAAE,IAAY;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAPD,4CAOC;AAOD;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,GAAW,EAAE,GAAW;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,GAAG,WAAW,CAAC,EAAE;YAC5E,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,yBAAyB,CAAC,EAAE;YACxE,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,KAAK,MAAM,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,GAAW,EAAE,GAAW;IACnD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,4BAA4B,EAC9D,wFAAwF,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,GAAG,EACrC,oHAAoH,CACrH,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,IAAwB,EACxB,EAAwC;IAExC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,GAAG,KAAK,IAAI;QAAE,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAEhE,+DAA+D;IAC/D,gEAAgE;IAChE,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAA,gBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,WAAM,GAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACrD,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,C
AAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,EAAE;YACtE,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,aAAa,GAAG,IAAI,CAAC;QACrB,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,OAAO,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,gBAAgB;YAAE,MAAM,GAAG,CAAC;QAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,wDAAwD;YACxD,sCAAsC;YACtC,MAAM,IAAI,gBAAgB,CACxB,yCAAyC,IAAI,CAAC,GAAG,GAAG,EACpD,mDAAmD,QAAQ,eAAe,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE;oBACnE,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,yDAAyD;YAC3D,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,IAAA,WAAM,EAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,8DAA8D;YAC9D,qBAAqB;QACvB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,MAAc,EAAE,MAAc;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC;QAAE,OAAO;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAA,cAAS,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,IAAA,iBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,aAAa,CAAC,IAInC;IACC,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE;QAC9E,OAAO,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACL,CAAC"}
|