@vyuhlabs/dxkit 2.5.1 → 2.6.0

Files changed (200)
  1. package/CHANGELOG.md +318 -0
  2. package/README.md +150 -28
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  32. package/dist/analyzers/tools/tool-registry.js +25 -8
  33. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  34. package/dist/baseline/baseline-file.d.ts +7 -0
  35. package/dist/baseline/baseline-file.d.ts.map +1 -1
  36. package/dist/baseline/baseline-file.js +22 -1
  37. package/dist/baseline/baseline-file.js.map +1 -1
  38. package/dist/baseline/check-renderers.d.ts +13 -1
  39. package/dist/baseline/check-renderers.d.ts.map +1 -1
  40. package/dist/baseline/check-renderers.js +67 -1
  41. package/dist/baseline/check-renderers.js.map +1 -1
  42. package/dist/baseline/check.d.ts +33 -7
  43. package/dist/baseline/check.d.ts.map +1 -1
  44. package/dist/baseline/check.js +90 -64
  45. package/dist/baseline/check.js.map +1 -1
  46. package/dist/baseline/create.d.ts +35 -7
  47. package/dist/baseline/create.d.ts.map +1 -1
  48. package/dist/baseline/create.js +43 -5
  49. package/dist/baseline/create.js.map +1 -1
  50. package/dist/baseline/entry-to-located.d.ts +6 -1
  51. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  52. package/dist/baseline/entry-to-located.js +20 -2
  53. package/dist/baseline/entry-to-located.js.map +1 -1
  54. package/dist/baseline/finding-identity.d.ts.map +1 -1
  55. package/dist/baseline/finding-identity.js +15 -13
  56. package/dist/baseline/finding-identity.js.map +1 -1
  57. package/dist/baseline/modes.d.ts +140 -0
  58. package/dist/baseline/modes.d.ts.map +1 -0
  59. package/dist/baseline/modes.js +179 -0
  60. package/dist/baseline/modes.js.map +1 -0
  61. package/dist/baseline/policy.d.ts +64 -0
  62. package/dist/baseline/policy.d.ts.map +1 -1
  63. package/dist/baseline/policy.js +102 -1
  64. package/dist/baseline/policy.js.map +1 -1
  65. package/dist/baseline/producers/health.d.ts +2 -2
  66. package/dist/baseline/producers/health.d.ts.map +1 -1
  67. package/dist/baseline/producers/health.js.map +1 -1
  68. package/dist/baseline/producers/index.d.ts +11 -5
  69. package/dist/baseline/producers/index.d.ts.map +1 -1
  70. package/dist/baseline/producers/index.js +12 -9
  71. package/dist/baseline/producers/index.js.map +1 -1
  72. package/dist/baseline/producers/quality.d.ts +3 -3
  73. package/dist/baseline/producers/quality.d.ts.map +1 -1
  74. package/dist/baseline/producers/quality.js.map +1 -1
  75. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  76. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  77. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  78. package/dist/baseline/producers/security.d.ts +2 -2
  79. package/dist/baseline/producers/security.d.ts.map +1 -1
  80. package/dist/baseline/producers/security.js.map +1 -1
  81. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  82. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  83. package/dist/baseline/producers/stale-allow.js +111 -0
  84. package/dist/baseline/producers/stale-allow.js.map +1 -0
  85. package/dist/baseline/producers/tests.d.ts +2 -2
  86. package/dist/baseline/producers/tests.d.ts.map +1 -1
  87. package/dist/baseline/producers/tests.js.map +1 -1
  88. package/dist/baseline/ref-baseline.d.ts +114 -0
  89. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  90. package/dist/baseline/ref-baseline.js +260 -0
  91. package/dist/baseline/ref-baseline.js.map +1 -0
  92. package/dist/baseline/sanitize.d.ts +80 -0
  93. package/dist/baseline/sanitize.d.ts.map +1 -0
  94. package/dist/baseline/sanitize.js +91 -0
  95. package/dist/baseline/sanitize.js.map +1 -0
  96. package/dist/baseline/show.d.ts.map +1 -1
  97. package/dist/baseline/show.js +9 -3
  98. package/dist/baseline/show.js.map +1 -1
  99. package/dist/baseline/types.d.ts +73 -26
  100. package/dist/baseline/types.d.ts.map +1 -1
  101. package/dist/baseline/types.js +7 -1
  102. package/dist/baseline/types.js.map +1 -1
  103. package/dist/baseline/visibility.d.ts +61 -0
  104. package/dist/baseline/visibility.d.ts.map +1 -0
  105. package/dist/baseline/visibility.js +121 -0
  106. package/dist/baseline/visibility.js.map +1 -0
  107. package/dist/cli.d.ts.map +1 -1
  108. package/dist/cli.js +154 -13
  109. package/dist/cli.js.map +1 -1
  110. package/dist/constants.d.ts.map +1 -1
  111. package/dist/constants.js +0 -10
  112. package/dist/constants.js.map +1 -1
  113. package/dist/detect.d.ts.map +1 -1
  114. package/dist/detect.js +0 -15
  115. package/dist/detect.js.map +1 -1
  116. package/dist/doctor.d.ts +78 -1
  117. package/dist/doctor.d.ts.map +1 -1
  118. package/dist/doctor.js +590 -101
  119. package/dist/doctor.js.map +1 -1
  120. package/dist/generator.d.ts.map +1 -1
  121. package/dist/generator.js +15 -0
  122. package/dist/generator.js.map +1 -1
  123. package/dist/issue-cli.d.ts +62 -0
  124. package/dist/issue-cli.d.ts.map +1 -0
  125. package/dist/issue-cli.js +252 -0
  126. package/dist/issue-cli.js.map +1 -0
  127. package/dist/languages/csharp.d.ts.map +1 -1
  128. package/dist/languages/csharp.js +2 -0
  129. package/dist/languages/csharp.js.map +1 -1
  130. package/dist/languages/go.d.ts.map +1 -1
  131. package/dist/languages/go.js +2 -0
  132. package/dist/languages/go.js.map +1 -1
  133. package/dist/languages/index.d.ts +25 -0
  134. package/dist/languages/index.d.ts.map +1 -1
  135. package/dist/languages/index.js +44 -0
  136. package/dist/languages/index.js.map +1 -1
  137. package/dist/languages/java.d.ts.map +1 -1
  138. package/dist/languages/java.js +2 -0
  139. package/dist/languages/java.js.map +1 -1
  140. package/dist/languages/kotlin.d.ts.map +1 -1
  141. package/dist/languages/kotlin.js +2 -0
  142. package/dist/languages/kotlin.js.map +1 -1
  143. package/dist/languages/python.d.ts.map +1 -1
  144. package/dist/languages/python.js +11 -1
  145. package/dist/languages/python.js.map +1 -1
  146. package/dist/languages/ruby.d.ts.map +1 -1
  147. package/dist/languages/ruby.js +2 -0
  148. package/dist/languages/ruby.js.map +1 -1
  149. package/dist/languages/rust.d.ts.map +1 -1
  150. package/dist/languages/rust.js +2 -0
  151. package/dist/languages/rust.js.map +1 -1
  152. package/dist/languages/types.d.ts +45 -0
  153. package/dist/languages/types.d.ts.map +1 -1
  154. package/dist/languages/typescript.d.ts.map +1 -1
  155. package/dist/languages/typescript.js +2 -0
  156. package/dist/languages/typescript.js.map +1 -1
  157. package/dist/prompts.d.ts.map +1 -1
  158. package/dist/prompts.js +0 -5
  159. package/dist/prompts.js.map +1 -1
  160. package/dist/setup-branch-protection.d.ts +34 -0
  161. package/dist/setup-branch-protection.d.ts.map +1 -0
  162. package/dist/setup-branch-protection.js +190 -0
  163. package/dist/setup-branch-protection.js.map +1 -0
  164. package/dist/setup-gh.d.ts +75 -0
  165. package/dist/setup-gh.d.ts.map +1 -0
  166. package/dist/setup-gh.js +213 -0
  167. package/dist/setup-gh.js.map +1 -0
  168. package/dist/setup-prebuild.d.ts +34 -0
  169. package/dist/setup-prebuild.d.ts.map +1 -0
  170. package/dist/setup-prebuild.js +181 -0
  171. package/dist/setup-prebuild.js.map +1 -0
  172. package/dist/ship-installers.d.ts.map +1 -1
  173. package/dist/ship-installers.js +19 -4
  174. package/dist/ship-installers.js.map +1 -1
  175. package/dist/types.d.ts +24 -6
  176. package/dist/types.d.ts.map +1 -1
  177. package/dist/update.d.ts +41 -0
  178. package/dist/update.d.ts.map +1 -1
  179. package/dist/update.js +154 -15
  180. package/dist/update.js.map +1 -1
  181. package/dist/upgrade.d.ts +88 -0
  182. package/dist/upgrade.d.ts.map +1 -0
  183. package/dist/upgrade.js +324 -0
  184. package/dist/upgrade.js.map +1 -0
  185. package/package.json +1 -1
  186. package/templates/.claude/skills/dxkit-action/SKILL.md +111 -17
  187. package/templates/.claude/skills/dxkit-config/SKILL.md +7 -7
  188. package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
  189. package/templates/.claude/skills/dxkit-hooks/SKILL.md +8 -8
  190. package/templates/.claude/skills/dxkit-init/SKILL.md +3 -3
  191. package/templates/.claude/skills/dxkit-learn/SKILL.md +9 -9
  192. package/templates/.claude/skills/dxkit-onboard/SKILL.md +274 -0
  193. package/templates/.claude/skills/dxkit-reports/SKILL.md +18 -18
  194. package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
  195. package/templates/.devcontainer/devcontainer.json +6 -15
  196. package/templates/.devcontainer/post-create.sh +19 -4
  197. package/dist/baseline/producers/licenses.d.ts +0 -23
  198. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  199. package/dist/baseline/producers/licenses.js +0 -46
  200. package/dist/baseline/producers/licenses.js.map +0 -1
@@ -1 +1 @@
1
- {"version":3,"file":"secret-hmac.js","sourceRoot":"","sources":["../../../src/baseline/producers/secret-hmac.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AA2BH,kEA6BC;AAtDD,mEAAsE;AAEtE,0DAAkD;AAalD;;;;;;;;;GASG;AACH,SAAgB,2BAA2B,CAAC,KAA8B;IACxE,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,oEAAoE;IACpE,mEAAmE;IACnE,kEAAkE;IAClE,8DAA8D;IAC9D,qDAAqD;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,SAAS;QAC1B,MAAM,IAAI,GAAG,IAAA,+BAAiB,EAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,aAAa,GAA4B;YAC7C,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI;SACL,CAAC;QACF,MAAM,EAAE,GAAG,IAAA,8BAAW,EAAC,aAAa,CAAC,CAAC;QACtC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,SAAS;QAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACb,GAAG,CAAC,IAAI,CAAC;YACP,EAAE;YACF,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"secret-hmac.js","sourceRoot":"","sources":["../../../src/baseline/producers/secret-hmac.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AA2BH,kEA6BC;AAtDD,mEAAsE;AAEtE,0DAAkD;AAalD;;;;;;;;;GASG;AACH,SAAgB,2BAA2B,CAAC,KAA8B;IACxE,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,oEAAoE;IACpE,mEAAmE;IACnE,kEAAkE;IAClE,8DAA8D;IAC9D,qDAAqD;IACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,SAAS;QAC1B,MAAM,IAAI,GAAG,IAAA,+BAAiB,EAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,aAAa,GAA4B;YAC7C,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI;SACL,CAAC;QACF,MAAM,EAAE,GAAG,IAAA,8BAAW,EAAC,aAAa,CAAC,CAAC;QACtC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,SAAS;QAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACb,GAAG,CAAC,IAAI,CAAC;YACP,EAAE;YACF,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -38,7 +38,7 @@
38
38
  * work.
39
39
  */
40
40
  import type { SecurityAggregate } from '../../analyzers/security/aggregator';
41
- import type { BaselineEntry } from '../types';
41
+ import type { RichBaselineEntry } from '../types';
42
42
  export interface SecurityProducerOptions {
43
43
  /** Repo path; used by `computeContentHashFromCommit` to invoke
44
44
  * `git show`. Omitting it disables content-hash stamping. */
@@ -55,5 +55,5 @@ export interface SecurityProducerOptions {
55
55
  * iteration order of the four categories so the produced baseline
56
56
  * stays stable across re-runs of the same scan.
57
57
  */
58
- export declare function securityAggregateToBaselineEntries(aggregate: SecurityAggregate, options?: SecurityProducerOptions): BaselineEntry[];
58
+ export declare function securityAggregateToBaselineEntries(aggregate: SecurityAggregate, options?: SecurityProducerOptions): RichBaselineEntry[];
59
59
  //# sourceMappingURL=security.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,aAAa,EAKd,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;kEAC8D;IAC9D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;eAIW;IACX,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,iBAAiB,EAC5B,OAAO,GAAE,uBAA4B,GACpC,aAAa,EAAE,CAwFjB"}
1
+ {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,iBAAiB,EAKlB,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;kEAC8D;IAC9D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;eAIW;IACX,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,iBAAiB,EAC5B,OAAO,GAAE,uBAA4B,GACpC,iBAAiB,EAAE,CAwFrB"}
@@ -1 +1 @@
1
- {"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFA2FC;AAvHD,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,CAAC,IAAY,EAAE,IAAY,EAAsB,EAAE;QAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACtE,MAAM,IAAI,GAAG,IAAA,2CAA4B,EAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtF,OAAO,IAAI,IAAI,SAAS,CAAC;IAC3B,CAAC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAsB;YAC/B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAA
C,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACxD,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;SACT,CAAC;QACF,MAAM,KAAK,GAAkB;YAC3B,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,UAAU,EAAE,CAAC,CAAC,EAAE;YAChB,GAAG,CAAC,CAAC,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFA2FC;AAvHD,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,CAAC,IAAY,EAAE,IAAY,EAAsB,EAAE;QAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACtE,MAAM,IAAI,GAAG,IAAA,2CAA4B,EAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtF,OAAO,IAAI,IAAI,SAAS,CAAC;IAC3B,CAAC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAsB;YAC/B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAA
C,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACxD,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;SACT,CAAC;QACF,MAAM,KAAK,GAAsB;YAC/B,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,UAAU,EAAE,CAAC,CAAC,EAAE;YAChB,GAAG,CAAC,CAAC,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -0,0 +1,70 @@
1
+ /**
2
+ * Stale-allow → baseline-entry producer.
3
+ *
4
+ * Detects orphaned inline allowlist annotations — `dxkit-allow:`
5
+ * comments in source files that no longer match any current
6
+ * finding. The developer added the annotation when something was
7
+ * flagged; the finding is now gone (resolved, scanner-rule changed,
8
+ * code refactored); the annotation is dead code that should be
9
+ * removed.
10
+ *
11
+ * # The matching contract
12
+ *
13
+ * An annotation at `(file, line)` is considered ACTIVE when at
14
+ * least one current finding lands at the same `(file, lineWindow)` —
15
+ * the 3-line window from `lineWindowFor` absorbs small formatter /
16
+ * line-shift drift so a still-relevant annotation doesn't get
17
+ * flagged stale by an unrelated edit.
18
+ *
19
+ * Annotations with no matching finding emit a `stale-allow`
20
+ * `BaselineEntry` whose identity is `(file, lineWindow, category)`.
21
+ * The strict-stale model (TypeScript's `@ts-expect-error` pattern)
22
+ * forces the developer to clean up — preventing the annotation
23
+ * graveyard pattern common to less strict tools.
24
+ *
25
+ * # What counts as a "covered location"
26
+ *
27
+ * Source-anchored finding kinds — `secret`, `code`, `config` —
28
+ * carry `(file, line)` and contribute to the covered set. The
29
+ * `findingsByCategory` arrays on the canonical `SecurityAggregate`
30
+ * are the only source today; the aggregator is the single canonical
31
+ * fingerprint-deduped source of these findings (CLAUDE.md G_v4_8).
32
+ *
33
+ * Kinds without `(file, line)` — `dep-vuln`, `duplication`,
34
+ * `secret-hmac`, `license`, etc. — never participate in inline-
35
+ * annotation matching by construction. Annotations targeting those
36
+ * findings always use the file-level allowlist.
37
+ *
38
+ * # Mode handling
39
+ *
40
+ * `staleHandling` lives in `.dxkit/policy.json` (out of scope for
41
+ * this producer — the orchestrator gates whether to call it). When
42
+ * called, the producer emits `stale-allow` entries unconditionally
43
+ * for every orphan; the policy-level "lenient mode" surfaces these
44
+ * as warnings in the renderer rather than as blocking entries.
45
+ */
46
+ import type { SecurityAggregate } from '../../analyzers/security/aggregator';
47
+ import type { InlineAllowlistOccurrence } from '../../allowlist/gather';
48
+ import type { RichBaselineEntry } from '../types';
49
+ export interface StaleAllowInput {
50
+ readonly annotations: ReadonlyArray<InlineAllowlistOccurrence>;
51
+ readonly aggregate: SecurityAggregate | null;
52
+ }
53
+ /**
54
+ * Build `stale-allow` entries from the annotation list + the
55
+ * canonical security aggregate. Pure function — no I/O, no side
56
+ * effects. Deterministic over equal inputs.
57
+ *
58
+ * Returns an empty array when:
59
+ * - The annotation list is empty (nothing to check).
60
+ * - The aggregate is null AND the annotation list is empty.
61
+ *
62
+ * When the aggregate is null but annotations exist, the producer
63
+ * conservatively emits NO stale entries — the caller has no way to
64
+ * know whether annotations are active or stale without the
65
+ * findings. Surfacing "everything is stale" in that scenario would
66
+ * be wrong; surfacing "everything is fine" is also wrong but less
67
+ * actively misleading.
68
+ */
69
+ export declare function staleAllowToBaselineEntries(input: StaleAllowInput): RichBaselineEntry[];
70
+ //# sourceMappingURL=stale-allow.d.ts.map
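Review bot: The doc comment on `staleAllowToBaselineEntries` lists the empty-result cases incompletely: its second bullet ("aggregate is null AND the annotation list is empty") is already covered by the first, while the case that matters, a null aggregate with annotations present, appears only in the paragraph below. That case also returns an empty array, so from the return value alone a caller cannot tell "nothing is stale" from "staleness was not checked", and orphaned suppressions pass silently whenever the aggregate is missing. I would reword the bullet to `- The aggregate is null (staleness cannot be determined; treat the result as "not checked").` and state that the orchestrator has to surface that condition itself. The same comment is repeated in the compiled stale-allow.js section.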
@@ -0,0 +1 @@
1
+ {"version":3,"file":"stale-allow.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/stale-allow.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAC7E,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,wBAAwB,CAAC;AAExE,OAAO,KAAK,EAAE,iBAAiB,EAA2B,MAAM,UAAU,CAAC;AAE3E,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,yBAAyB,CAAC,CAAC;IAC/D,QAAQ,CAAC,SAAS,EAAE,iBAAiB,GAAG,IAAI,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,eAAe,GAAG,iBAAiB,EAAE,CAwBvF"}
@@ -0,0 +1,111 @@
1
+ "use strict";
2
+ /**
3
+ * Stale-allow → baseline-entry producer.
4
+ *
5
+ * Detects orphaned inline allowlist annotations — `dxkit-allow:`
6
+ * comments in source files that no longer match any current
7
+ * finding. The developer added the annotation when something was
8
+ * flagged; the finding is now gone (resolved, scanner-rule changed,
9
+ * code refactored); the annotation is dead code that should be
10
+ * removed.
11
+ *
12
+ * # The matching contract
13
+ *
14
+ * An annotation at `(file, line)` is considered ACTIVE when at
15
+ * least one current finding lands at the same `(file, lineWindow)` —
16
+ * the 3-line window from `lineWindowFor` absorbs small formatter /
17
+ * line-shift drift so a still-relevant annotation doesn't get
18
+ * flagged stale by an unrelated edit.
19
+ *
20
+ * Annotations with no matching finding emit a `stale-allow`
21
+ * `BaselineEntry` whose identity is `(file, lineWindow, category)`.
22
+ * The strict-stale model (TypeScript's `@ts-expect-error` pattern)
23
+ * forces the developer to clean up — preventing the annotation
24
+ * graveyard pattern common to less strict tools.
25
+ *
26
+ * # What counts as a "covered location"
27
+ *
28
+ * Source-anchored finding kinds — `secret`, `code`, `config` —
29
+ * carry `(file, line)` and contribute to the covered set. The
30
+ * `findingsByCategory` arrays on the canonical `SecurityAggregate`
31
+ * are the only source today; the aggregator is the single canonical
32
+ * fingerprint-deduped source of these findings (CLAUDE.md G_v4_8).
33
+ *
34
+ * Kinds without `(file, line)` — `dep-vuln`, `duplication`,
35
+ * `secret-hmac`, `license`, etc. — never participate in inline-
36
+ * annotation matching by construction. Annotations targeting those
37
+ * findings always use the file-level allowlist.
38
+ *
39
+ * # Mode handling
40
+ *
41
+ * `staleHandling` lives in `.dxkit/policy.json` (out of scope for
42
+ * this producer — the orchestrator gates whether to call it). When
43
+ * called, the producer emits `stale-allow` entries unconditionally
44
+ * for every orphan; the policy-level "lenient mode" surfaces these
45
+ * as warnings in the renderer rather than as blocking entries.
46
+ */
47
+ Object.defineProperty(exports, "__esModule", { value: true });
48
+ exports.staleAllowToBaselineEntries = staleAllowToBaselineEntries;
49
+ const fingerprint_1 = require("../../analyzers/tools/fingerprint");
50
+ const finding_identity_1 = require("../finding-identity");
51
+ /**
52
+ * Build `stale-allow` entries from the annotation list + the
53
+ * canonical security aggregate. Pure function — no I/O, no side
54
+ * effects. Deterministic over equal inputs.
55
+ *
56
+ * Returns an empty array when:
57
+ * - The annotation list is empty (nothing to check).
58
+ * - The aggregate is null AND the annotation list is empty.
59
+ *
60
+ * When the aggregate is null but annotations exist, the producer
61
+ * conservatively emits NO stale entries — the caller has no way to
62
+ * know whether annotations are active or stale without the
63
+ * findings. Surfacing "everything is stale" in that scenario would
64
+ * be wrong; surfacing "everything is fine" is also wrong but less
65
+ * actively misleading.
66
+ */
67
+ function staleAllowToBaselineEntries(input) {
68
+ if (input.annotations.length === 0)
69
+ return [];
70
+ if (input.aggregate === null)
71
+ return [];
72
+ const covered = buildCoveredLocations(input.aggregate);
73
+ const out = [];
74
+ for (const occ of input.annotations) {
75
+ const key = locationKey(occ.file, occ.line);
76
+ if (covered.has(key))
77
+ continue; // active suppression — not stale
78
+ const identityInput = {
79
+ kind: 'stale-allow',
80
+ file: occ.file,
81
+ line: occ.line,
82
+ category: occ.category,
83
+ };
84
+ out.push({
85
+ id: (0, finding_identity_1.identityFor)(identityInput),
86
+ kind: 'stale-allow',
87
+ file: occ.file,
88
+ line: occ.line,
89
+ category: occ.category,
90
+ });
91
+ }
92
+ return out;
93
+ }
94
+ // ─── Internals ────────────────────────────────────────────────────────────
95
+ function buildCoveredLocations(aggregate) {
96
+ const out = new Set();
97
+ for (const f of aggregate.findingsByCategory.secret) {
98
+ out.add(locationKey(f.file, f.line));
99
+ }
100
+ for (const f of aggregate.findingsByCategory.code) {
101
+ out.add(locationKey(f.file, f.line));
102
+ }
103
+ for (const f of aggregate.findingsByCategory.config) {
104
+ out.add(locationKey(f.file, f.line));
105
+ }
106
+ return out;
107
+ }
108
+ function locationKey(file, line) {
109
+ return `${file}\0${(0, fingerprint_1.lineWindowFor)(line)}`;
110
+ }
111
+ //# sourceMappingURL=stale-allow.js.map
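Review bot: The staleness lookup in `staleAllowToBaselineEntries` ignores the annotation's category. `buildCoveredLocations` adds secret, code and config findings to a single set keyed by `locationKey(file, line)`, and `covered.has(key)` never consults `occ.category`. An annotation written for one category therefore stays "active" as long as any finding of any kind falls in the same line window, so a suppression whose original finding is gone can survive and later hide a new finding of its own category at that spot. If `occ.category` is comparable to the `findingsByCategory` bucket names (not visible in this section), the category should be part of the key on both sides. Otherwise the choice should be documented above `locationKey`, for example `// Match is deliberately category-blind: any finding in the window keeps the annotation active.`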
@@ -0,0 +1 @@
1
+ {"version":3,"file":"stale-allow.js","sourceRoot":"","sources":["../../../src/baseline/producers/stale-allow.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;;AA6BH,kEAwBC;AAnDD,mEAAkE;AAGlE,0DAAkD;AAQlD;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,2BAA2B,CAAC,KAAsB;IAChE,IAAI,KAAK,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC9C,IAAI,KAAK,CAAC,SAAS,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,OAAO,GAAG,qBAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACvD,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,iCAAiC;QACjE,MAAM,aAAa,GAA4B;YAC7C,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,aAAa,CAAC;YAC9B,IAAI,EAAE,aAAa;YACnB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;SACvB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,6EAA6E;AAE7E,SAAS,qBAAqB,CAAC,SAA4B;IACzD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,IAAY;IAC7C,OAAO,GAAG,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,EAAE,CAAC;AAC3C,CAAC"}
@@ -22,7 +22,7 @@
22
22
  * `AnalysisResult` cache so it doesn't re-gather what the security
23
23
  * producer already triggered).
24
24
  */
25
- import type { BaselineEntry } from '../types';
25
+ import type { RichBaselineEntry } from '../types';
26
26
  import type { TestGapsReport } from '../../analyzers/tests/types';
27
27
  /**
28
28
  * Build `test-gap` + `test-file-degradation` entries from a
@@ -32,5 +32,5 @@ import type { TestGapsReport } from '../../analyzers/tests/types';
32
32
  * report's iteration order so re-runs against the same scan are
33
33
  * byte-stable.
34
34
  */
35
- export declare function testGapsToBaselineEntries(report: TestGapsReport): BaselineEntry[];
35
+ export declare function testGapsToBaselineEntries(report: TestGapsReport): RichBaselineEntry[];
36
36
  //# sourceMappingURL=tests.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"tests.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EACV,aAAa,EAGd,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAElE;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,cAAc,GAAG,aAAa,EAAE,CAgCjF"}
1
+ {"version":3,"file":"tests.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,KAAK,EACV,iBAAiB,EAGlB,MAAM,UAAU,CAAC;AAClB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAElE;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,cAAc,GAAG,iBAAiB,EAAE,CAgCrF"}
@@ -1 +1 @@
1
- {"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,GAAoB,EAAE,CAAC;IAEhC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,iEAAiE;QACjE,kEAAkE;QAClE,aAAa;QACb,IAAI,GAAG,CAAC,eAAe;YAAE,SAAS;QAClC,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ;YAAE,SAAS;QACrC,MAAM,KAAK,GAAqC;YAC9C,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,GAAwB,EAAE,CAAC;IAEpC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,iEAAiE;QACjE,kEAAkE;QAClE,aAAa;QACb,IAAI,GAAG,CAAC,eAAe;YAAE,SAAS;QAClC,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ;YAAE,SAAS;QACrC,MAAM,KAAK,GAAqC;YAC9C,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -0,0 +1,114 @@
1
+ /**
2
+ * Ref-based baseline gather — produces a `CurrentScan` for a git
3
+ * ref by checking it out into a temporary worktree and running the
4
+ * analyzer pipeline there.
5
+ *
6
+ * # When this runs
7
+ *
8
+ * `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
9
+ * needs a "prior side" to diff against; in committed modes the
10
+ * prior side comes from `.dxkit/baselines/<name>.json`, but in
11
+ * ref-based mode no file is committed — the prior side is
12
+ * recomputed on the fly from a git ref (default
13
+ * `origin/<default-branch>`).
14
+ *
15
+ * # Mechanics
16
+ *
17
+ * 1. Resolve `ref` to a commit SHA. Failure here surfaces a
18
+ * `RefBaselineError` with one of three actionable hints:
19
+ * - Shallow clone → `git fetch --unshallow` / CI fetch-depth
20
+ * - Ref doesn't exist → `git fetch origin` or fix policy
21
+ * - Local-only ref → push it or use a remote-tracking ref
22
+ * 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
23
+ * full checkout of the source tree at that SHA — but NOT a
24
+ * package-manager install, so dep-vuln scanners that read
25
+ * `node_modules` directly will see degraded results. The
26
+ * dxkit dep scanners use lockfiles (`package-lock.json`,
27
+ * `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
28
+ * survives the gap.
29
+ * 3. Run `gatherCurrentScan` against the worktree directory. Same
30
+ * pipeline as the live current scan — same producer registry,
31
+ * same envelope shape — so the matcher diffs apples-to-apples.
32
+ * 4. Clean up the worktree on the way out (try/finally).
33
+ *
34
+ * # Why a generic `withRefWorktree` helper
35
+ *
36
+ * The worktree setup + cleanup pattern is reusable. Future modes-
37
+ * aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
38
+ * subcommand) can compose `withRefWorktree` directly instead of
39
+ * re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
40
+ * thin specialization for the guardrail-check use case.
41
+ *
42
+ * # Failure semantics
43
+ *
44
+ * Recoverable failures (ref unreachable, worktree-add fails) throw
45
+ * `RefBaselineError` with a `hint` field the CLI renders in plain
46
+ * prose. Unrecoverable failures (the gather pipeline itself
47
+ * crashes) propagate up the original Error subclass — they're not
48
+ * specific to ref-based mode and live with the existing error
49
+ * handling in the orchestrator.
50
+ */
51
+ import type { CurrentScan } from './create';
52
+ /**
53
+ * Recoverable error from the ref-based gather path. Carries an
54
+ * actionable `hint` the CLI surfaces verbatim so customers don't
55
+ * have to interpret raw git output. Inherits from `Error` so
56
+ * existing catch-by-Error code keeps working.
57
+ */
58
+ export declare class RefBaselineError extends Error {
59
+ readonly hint: string;
60
+ constructor(message: string, hint: string);
61
+ }
62
+ export interface RefWorktreeOptions {
63
+ readonly cwd: string;
64
+ readonly ref: string;
65
+ }
66
+ /**
67
+ * Resolve a ref to a commit SHA via `git rev-parse --verify
68
+ * <ref>^{commit}`. Returns null when the ref isn't reachable (the
69
+ * caller surfaces the appropriate hint based on shallow-clone /
70
+ * remote-only state).
71
+ */
72
+ export declare function resolveRefToSha(cwd: string, ref: string): string | null;
73
+ /**
74
+ * Whether the current working tree was cloned shallowly. Drives
75
+ * the hint surfaced when a ref isn't reachable: a CI clone with
76
+ * `fetch-depth: 1` won't have the baseline ref's history, and the
77
+ * fix is `fetch-depth: 0`, not pushing the missing ref.
78
+ */
79
+ export declare function isShallowRepo(cwd: string): boolean;
80
+ /**
81
+ * Check out `ref` into a temporary worktree, run `fn` with the
82
+ * worktree path, and tear down the worktree on the way out.
83
+ *
84
+ * Always cleans up — even when `fn` throws. The cleanup tolerates
85
+ * `git worktree remove` failures (e.g., dirty worktree from a
86
+ * partial gather) by falling back to `rm -rf` on the temp dir.
87
+ */
88
+ export declare function withRefWorktree<T>(opts: RefWorktreeOptions, fn: (worktreePath: string) => Promise<T>): Promise<T>;
89
+ /**
90
+ * Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
91
+ * Public for testing — production callers reach this through
92
+ * `withRefWorktree`. The directory is created on demand; absent
93
+ * source files are silently skipped (env-var + deterministic salt
94
+ * modes both work without the file).
95
+ */
96
+ export declare function mirrorSaltFile(srcCwd: string, dstCwd: string): void;
97
+ /**
98
+ * Run `gatherCurrentScan` against a temporary worktree checked out
99
+ * to `ref`. Returns the same shape as a live gather — the matcher
100
+ * doesn't care which side was the worktree, only that both sides
101
+ * are `CurrentScan` envelopes.
102
+ *
103
+ * Per-tool degradation note: dep-vuln scanners may report less
104
+ * coverage in the worktree because `node_modules` (and analogous
105
+ * install artifacts) are typically gitignored and so don't exist
106
+ * in the worktree. The lockfile-driven scanners dxkit prefers
107
+ * survive the gap; `npm audit`-style probes do not.
108
+ */
109
+ export declare function gatherFromRef(opts: {
110
+ readonly cwd: string;
111
+ readonly ref: string;
112
+ readonly verbose?: boolean;
113
+ }): Promise<CurrentScan>;
114
+ //# sourceMappingURL=ref-baseline.d.ts.map
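Review bot: `RefWorktreeOptions` documents neither field, although `ref` ends up on a git command line (the `resolveRefToSha` comment names `git rev-parse --verify <ref>^{commit}`) and the compiled implementation passes it through without checking its shape. I would add `/** Git ref or revision used as the baseline; handed to git as an argument, so values beginning with '-' should be rejected before the call. */` above `ref`, and `/** Directory inside the repository where the git commands run. */` above `cwd`. The same wording belongs on the inline option type of `gatherFromRef`, which repeats both fields.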
@@ -0,0 +1 @@
1
+ {"version":3,"file":"ref-baseline.d.ts","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAOH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5C;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAWlD;AAqBD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,IAAI,EAAE,kBAAkB,EACxB,EAAE,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GACvC,OAAO,CAAC,CAAC,CAAC,CAuDZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAMnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B,GAAG,OAAO,CAAC,WAAW,CAAC,CAIvB"}
@@ -0,0 +1,260 @@
1
+ "use strict";
2
+ /**
3
+ * Ref-based baseline gather — produces a `CurrentScan` for a git
4
+ * ref by checking it out into a temporary worktree and running the
5
+ * analyzer pipeline there.
6
+ *
7
+ * # When this runs
8
+ *
9
+ * `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
10
+ * needs a "prior side" to diff against; in committed modes the
11
+ * prior side comes from `.dxkit/baselines/<name>.json`, but in
12
+ * ref-based mode no file is committed — the prior side is
13
+ * recomputed on the fly from a git ref (default
14
+ * `origin/<default-branch>`).
15
+ *
16
+ * # Mechanics
17
+ *
18
+ * 1. Resolve `ref` to a commit SHA. Failure here surfaces a
19
+ * `RefBaselineError` with one of three actionable hints:
20
+ * - Shallow clone → `git fetch --unshallow` / CI fetch-depth
21
+ * - Ref doesn't exist → `git fetch origin` or fix policy
22
+ * - Local-only ref → push it or use a remote-tracking ref
23
+ * 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
24
+ * full checkout of the source tree at that SHA — but NOT a
25
+ * package-manager install, so dep-vuln scanners that read
26
+ * `node_modules` directly will see degraded results. The
27
+ * dxkit dep scanners use lockfiles (`package-lock.json`,
28
+ * `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
29
+ * survives the gap.
30
+ * 3. Run `gatherCurrentScan` against the worktree directory. Same
31
+ * pipeline as the live current scan — same producer registry,
32
+ * same envelope shape — so the matcher diffs apples-to-apples.
33
+ * 4. Clean up the worktree on the way out (try/finally).
34
+ *
35
+ * # Why a generic `withRefWorktree` helper
36
+ *
37
+ * The worktree setup + cleanup pattern is reusable. Future modes-
38
+ * aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
39
+ * subcommand) can compose `withRefWorktree` directly instead of
40
+ * re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
41
+ * thin specialization for the guardrail-check use case.
42
+ *
43
+ * # Failure semantics
44
+ *
45
+ * Recoverable failures (ref unreachable, worktree-add fails) throw
46
+ * `RefBaselineError` with a `hint` field the CLI renders in plain
47
+ * prose. Unrecoverable failures (the gather pipeline itself
48
+ * crashes) propagate up the original Error subclass — they're not
49
+ * specific to ref-based mode and live with the existing error
50
+ * handling in the orchestrator.
51
+ */
52
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
53
+ if (k2 === undefined) k2 = k;
54
+ var desc = Object.getOwnPropertyDescriptor(m, k);
55
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
56
+ desc = { enumerable: true, get: function() { return m[k]; } };
57
+ }
58
+ Object.defineProperty(o, k2, desc);
59
+ }) : (function(o, m, k, k2) {
60
+ if (k2 === undefined) k2 = k;
61
+ o[k2] = m[k];
62
+ }));
63
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
64
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
65
+ }) : function(o, v) {
66
+ o["default"] = v;
67
+ });
68
+ var __importStar = (this && this.__importStar) || (function () {
69
+ var ownKeys = function(o) {
70
+ ownKeys = Object.getOwnPropertyNames || function (o) {
71
+ var ar = [];
72
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
73
+ return ar;
74
+ };
75
+ return ownKeys(o);
76
+ };
77
+ return function (mod) {
78
+ if (mod && mod.__esModule) return mod;
79
+ var result = {};
80
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
81
+ __setModuleDefault(result, mod);
82
+ return result;
83
+ };
84
+ })();
85
+ Object.defineProperty(exports, "__esModule", { value: true });
86
+ exports.RefBaselineError = void 0;
87
+ exports.resolveRefToSha = resolveRefToSha;
88
+ exports.isShallowRepo = isShallowRepo;
89
+ exports.withRefWorktree = withRefWorktree;
90
+ exports.mirrorSaltFile = mirrorSaltFile;
91
+ exports.gatherFromRef = gatherFromRef;
92
+ const child_process_1 = require("child_process");
93
+ const fs_1 = require("fs");
94
+ const os_1 = require("os");
95
+ const path = __importStar(require("path"));
96
+ const create_1 = require("./create");
97
+ /**
98
+ * Recoverable error from the ref-based gather path. Carries an
99
+ * actionable `hint` the CLI surfaces verbatim so customers don't
100
+ * have to interpret raw git output. Inherits from `Error` so
101
+ * existing catch-by-Error code keeps working.
102
+ */
103
+ class RefBaselineError extends Error {
104
+ hint;
105
+ constructor(message, hint) {
106
+ super(message);
107
+ this.name = 'RefBaselineError';
108
+ this.hint = hint;
109
+ }
110
+ }
111
+ exports.RefBaselineError = RefBaselineError;
112
+ /**
113
+ * Resolve a ref to a commit SHA via `git rev-parse --verify
114
+ * <ref>^{commit}`. Returns null when the ref isn't reachable (the
115
+ * caller surfaces the appropriate hint based on shallow-clone /
116
+ * remote-only state).
117
+ */
118
+ function resolveRefToSha(cwd, ref) {
119
+ try {
120
+ const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--verify', `${ref}^{commit}`], {
121
+ cwd,
122
+ encoding: 'utf-8',
123
+ stdio: ['ignore', 'pipe', 'pipe'],
124
+ }).trim();
125
+ return out || null;
126
+ }
127
+ catch {
128
+ return null;
129
+ }
130
+ }
131
+ /**
132
+ * Whether the current working tree was cloned shallowly. Drives
133
+ * the hint surfaced when a ref isn't reachable: a CI clone with
134
+ * `fetch-depth: 1` won't have the baseline ref's history, and the
135
+ * fix is `fetch-depth: 0`, not pushing the missing ref.
136
+ */
137
+ function isShallowRepo(cwd) {
138
+ try {
139
+ const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--is-shallow-repository'], {
140
+ cwd,
141
+ encoding: 'utf-8',
142
+ stdio: ['ignore', 'pipe', 'pipe'],
143
+ }).trim();
144
+ return out === 'true';
145
+ }
146
+ catch {
147
+ return false;
148
+ }
149
+ }
150
+ /**
151
+ * Build the right `RefBaselineError` for an unreachable ref. The
152
+ * hint is the actionable next step, not a tautology — shallow
153
+ * clones get fetch-depth advice, otherwise we suggest configuring
154
+ * a different ref.
155
+ */
156
+ function unreachableRefError(cwd, ref) {
157
+ if (isShallowRepo(cwd)) {
158
+ return new RefBaselineError(`Cannot resolve baseline ref ${ref}: this is a shallow clone.`, 'Run `git fetch --unshallow` locally, or set `fetch-depth: 0` in your CI checkout step.');
159
+ }
160
+ return new RefBaselineError(`Cannot resolve baseline ref ${ref}.`, `Run \`git fetch origin\`, push the ref upstream, or set \`baseline.ref\` in .dxkit/policy.json to an existing ref.`);
161
+ }
162
+ /**
163
+ * Check out `ref` into a temporary worktree, run `fn` with the
164
+ * worktree path, and tear down the worktree on the way out.
165
+ *
166
+ * Always cleans up — even when `fn` throws. The cleanup tolerates
167
+ * `git worktree remove` failures (e.g., dirty worktree from a
168
+ * partial gather) by falling back to `rm -rf` on the temp dir.
169
+ */
170
+ async function withRefWorktree(opts, fn) {
171
+ const sha = resolveRefToSha(opts.cwd, opts.ref);
172
+ if (sha === null)
173
+ throw unreachableRefError(opts.cwd, opts.ref);
174
+ // mkdtempSync returns an empty dir; git worktree add wants the
175
+ // target path NOT to exist (or to be empty). Use a fresh subdir
176
+ // inside the temp parent so git creates it cleanly.
177
+ const tempBase = (0, fs_1.mkdtempSync)(path.join((0, os_1.tmpdir)(), 'dxkit-ref-'));
178
+ const worktreePath = path.join(tempBase, 'baseline');
179
+ let worktreeAdded = false;
180
+ try {
181
+ (0, child_process_1.execFileSync)('git', ['worktree', 'add', '--detach', worktreePath, sha], {
182
+ cwd: opts.cwd,
183
+ stdio: ['ignore', 'pipe', 'pipe'],
184
+ });
185
+ worktreeAdded = true;
186
+ // Mirror file-mode salt into the worktree so secret-HMAC entries
187
+ // pair across prior/current sides. Env-var + deterministic modes
188
+ // resolve identically across cwd + worktree (env inheritance +
189
+ // shared initial-commit SHA); file mode is the one that drifts
190
+ // because `.dxkit/salt` is gitignored and so isn't part of the
191
+ // checkout. The copy is no-op when the file doesn't exist.
192
+ mirrorSaltFile(opts.cwd, worktreePath);
193
+ return await fn(worktreePath);
194
+ }
195
+ catch (err) {
196
+ if (err instanceof RefBaselineError)
197
+ throw err;
198
+ if (!worktreeAdded) {
199
+ // The worktree-add itself failed. Surface a clean error
200
+ // instead of bubbling the raw stderr.
201
+ throw new RefBaselineError(`Failed to set up baseline worktree at ${opts.ref}.`, `Check that 'git worktree' is available and that ${tempBase} is writable.`);
202
+ }
203
+ throw err;
204
+ }
205
+ finally {
206
+ if (worktreeAdded) {
207
+ try {
208
+ (0, child_process_1.execFileSync)('git', ['worktree', 'remove', '--force', worktreePath], {
209
+ cwd: opts.cwd,
210
+ stdio: ['ignore', 'pipe', 'pipe'],
211
+ });
212
+ }
213
+ catch {
214
+ // git worktree remove can fail if the worktree dir was
215
+ // already cleaned externally. The rmSync below recovers.
216
+ }
217
+ }
218
+ try {
219
+ (0, fs_1.rmSync)(tempBase, { recursive: true, force: true });
220
+ }
221
+ catch {
222
+ // Best-effort cleanup of the temp parent. A stale temp dir
223
+ // is preferable to surfacing a misleading error if the gather
224
+ // already succeeded.
225
+ }
226
+ }
227
+ }
228
+ /**
229
+ * Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
230
+ * Public for testing — production callers reach this through
231
+ * `withRefWorktree`. The directory is created on demand; absent
232
+ * source files are silently skipped (env-var + deterministic salt
233
+ * modes both work without the file).
234
+ */
235
+ function mirrorSaltFile(srcCwd, dstCwd) {
236
+ const src = path.join(srcCwd, '.dxkit', 'salt');
237
+ if (!(0, fs_1.existsSync)(src))
238
+ return;
239
+ const dstDir = path.join(dstCwd, '.dxkit');
240
+ (0, fs_1.mkdirSync)(dstDir, { recursive: true });
241
+ (0, fs_1.copyFileSync)(src, path.join(dstDir, 'salt'));
242
+ }
243
+ /**
244
+ * Run `gatherCurrentScan` against a temporary worktree checked out
245
+ * to `ref`. Returns the same shape as a live gather — the matcher
246
+ * doesn't care which side was the worktree, only that both sides
247
+ * are `CurrentScan` envelopes.
248
+ *
249
+ * Per-tool degradation note: dep-vuln scanners may report less
250
+ * coverage in the worktree because `node_modules` (and analogous
251
+ * install artifacts) are typically gitignored and so don't exist
252
+ * in the worktree. The lockfile-driven scanners dxkit prefers
253
+ * survive the gap; `npm audit`-style probes do not.
254
+ */
255
+ async function gatherFromRef(opts) {
256
+ return withRefWorktree({ cwd: opts.cwd, ref: opts.ref }, async (worktreePath) => {
257
+ return (0, create_1.gatherCurrentScan)({ cwd: worktreePath, verbose: opts.verbose });
258
+ });
259
+ }
260
+ //# sourceMappingURL=ref-baseline.js.map
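Review bot: `mirrorSaltFile` copies the gitignored `.dxkit/salt` into a tree whose contents are decided by the baseline ref, and `mkdirSync`/`copyFileSync` resolve symlinks in the destination path, so a ref that tracks `.dxkit` or `.dxkit/salt` as a symlink would send the salt outside the temporary worktree (on platforms where git checks symlinks out as such). I would reject that before the `mkdirSync` with `if ((0, fs_1.lstatSync)(dstDir, { throwIfNoEntry: false })?.isSymbolicLink()) throw new RefBaselineError('Refusing to mirror salt: .dxkit is a symlink in the baseline tree.', 'Remove the tracked .dxkit symlink from the baseline ref.');`, and pass `fs_1.constants.COPYFILE_EXCL` as the third argument of `copyFileSync` so an existing file or link at the destination is never written through. The default ref is `origin/<default-branch>`, so this presumably matters mostly when `baseline.ref` names a less trusted ref. Separately, the `finally` in `withRefWorktree` swallows `rmSync` failures, which can now leave a copy of the salt under the OS temp directory; logging that path would make the leftover visible.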
@@ -0,0 +1 @@
1
+ {"version":3,"file":"ref-baseline.js","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCH,0CAWC;AAQD,sCAWC;AA6BD,0CA0DC;AASD,wCAMC;AAcD,sCAQC;AA3LD,iDAA6C;AAC7C,2BAA8E;AAC9E,2BAA4B;AAC5B,2CAA6B;AAC7B,qCAA6C;AAG7C;;;;;GAKG;AACH,MAAa,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IACtB,YAAY,OAAe,EAAE,IAAY;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAPD,4CAOC;AAOD;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,GAAW,EAAE,GAAW;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,GAAG,WAAW,CAAC,EAAE;YAC5E,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,yBAAyB,CAAC,EAAE;YACxE,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,KAAK,MAAM,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,GAAW,EAAE,GAAW;IACnD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,4BAA4B,EAC9D,wFAAwF,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,GAAG,EACrC,oHAAoH,CACrH,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,IAAwB,EACxB,EAAwC;IAExC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,GAAG,KAAK,IAAI;QAAE,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAEhE,+DAA+D;IAC/D,gEAAgE;IAChE,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAA,gBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,WAAM,GAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACrD,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI
,CAAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,EAAE;YACtE,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,aAAa,GAAG,IAAI,CAAC;QACrB,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,OAAO,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,gBAAgB;YAAE,MAAM,GAAG,CAAC;QAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,wDAAwD;YACxD,sCAAsC;YACtC,MAAM,IAAI,gBAAgB,CACxB,yCAAyC,IAAI,CAAC,GAAG,GAAG,EACpD,mDAAmD,QAAQ,eAAe,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE;oBACnE,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,yDAAyD;YAC3D,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,IAAA,WAAM,EAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,8DAA8D;YAC9D,qBAAqB;QACvB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,MAAc,EAAE,MAAc;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC;QAAE,OAAO;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAA,cAAS,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,IAAA,iBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,aAAa,CAAC,IAInC;IACC,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE;QAC9E,OAAO,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACL,CAAC"}