@vyuhlabs/dxkit 2.5.1 → 2.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +318 -0
- package/README.md +150 -28
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +25 -8
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +154 -13
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -10
- package/dist/constants.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +0 -15
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts +78 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +590 -101
- package/dist/doctor.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +15 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +2 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +2 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +25 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +44 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +2 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +2 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +11 -1
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +2 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +2 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +45 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +2 -0
- package/dist/languages/typescript.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -5
- package/dist/prompts.js.map +1 -1
- package/dist/setup-branch-protection.d.ts +34 -0
- package/dist/setup-branch-protection.d.ts.map +1 -0
- package/dist/setup-branch-protection.js +190 -0
- package/dist/setup-branch-protection.js.map +1 -0
- package/dist/setup-gh.d.ts +75 -0
- package/dist/setup-gh.d.ts.map +1 -0
- package/dist/setup-gh.js +213 -0
- package/dist/setup-gh.js.map +1 -0
- package/dist/setup-prebuild.d.ts +34 -0
- package/dist/setup-prebuild.d.ts.map +1 -0
- package/dist/setup-prebuild.js +181 -0
- package/dist/setup-prebuild.js.map +1 -0
- package/dist/ship-installers.d.ts.map +1 -1
- package/dist/ship-installers.js +19 -4
- package/dist/ship-installers.js.map +1 -1
- package/dist/types.d.ts +24 -6
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts +41 -0
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +154 -15
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts +88 -0
- package/dist/upgrade.d.ts.map +1 -0
- package/dist/upgrade.js +324 -0
- package/dist/upgrade.js.map +1 -0
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +111 -17
- package/templates/.claude/skills/dxkit-config/SKILL.md +7 -7
- package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +8 -8
- package/templates/.claude/skills/dxkit-init/SKILL.md +3 -3
- package/templates/.claude/skills/dxkit-learn/SKILL.md +9 -9
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +274 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +18 -18
- package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
- package/templates/.devcontainer/devcontainer.json +6 -15
- package/templates/.devcontainer/post-create.sh +19 -4
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../src/baseline/create.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAoBH,OAAO,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"create.d.ts","sourceRoot":"","sources":["../../src/baseline/create.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAoBH,OAAO,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG5C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAEvC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AACjD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AAG1E,MAAM,WAAW,qBAAqB;IACpC,kEAAkE;IAClE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB;;oDAEgD;IAChD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;;yCAGqC;IACrC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,qEAAqE;IACrE,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B;;4DAEwD;IACxD,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACrC;;oBAEgB;IAChB,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC;2DACuD;IACvD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;kCAGkC;AAClC,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC;CAC9B;AA6JD;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CAE5C;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACpD,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD;iCAC6B;IAC7B,QAAQ,CAAC,YAAY,EAAE,oBAAoB,CAAC;IAC5C;yEACqE;IACrE,QAAQ,CAAC,WAAW,EAAE,eAAe,CAAC;CACvC;AAED;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B,GAAG,OAAO,CAAC,WAAW,CAAC,CA+EvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,oBAAoB,CAAC,CAgD/B"}
|
package/dist/baseline/create.js
CHANGED
|
@@ -68,9 +68,12 @@ const gitleaks_1 = require("../analyzers/tools/gitleaks");
|
|
|
68
68
|
const tool_registry_1 = require("../analyzers/tools/tool-registry");
|
|
69
69
|
const constants_1 = require("../constants");
|
|
70
70
|
const baseline_file_1 = require("./baseline-file");
|
|
71
|
+
const modes_1 = require("./modes");
|
|
71
72
|
const policy_1 = require("./policy");
|
|
72
73
|
const producers_1 = require("./producers");
|
|
73
74
|
const salt_1 = require("./salt");
|
|
75
|
+
const sanitize_1 = require("./sanitize");
|
|
76
|
+
const gather_2 = require("../allowlist/gather");
|
|
74
77
|
/** Hash used for baseline-envelope metadata fields (policy, ignore,
|
|
75
78
|
* toolchain, config). Distinct concern from finding-identity
|
|
76
79
|
* fingerprints — these never enter the matcher's identity space. */
|
|
@@ -271,6 +274,10 @@ async function gatherCurrentScan(options) {
|
|
|
271
274
|
const hygieneMarkers = (0, gather_1.gatherHygieneMarkers)(cwd);
|
|
272
275
|
const gitleaksOutcome = (0, gitleaks_1.gatherGitleaksResult)(cwd);
|
|
273
276
|
const rawSecrets = gitleaksOutcome.kind === 'success' ? gitleaksOutcome.rawSecrets : [];
|
|
277
|
+
// Inline `dxkit-allow:` annotations gathered from source so the
|
|
278
|
+
// stale-allow producer can flag orphans whose underlying findings
|
|
279
|
+
// are no longer present.
|
|
280
|
+
const inlineAllowlistAnnotations = (0, gather_2.gatherInlineAllowlistAnnotations)(cwd);
|
|
274
281
|
const producerCtx = {
|
|
275
282
|
cwd,
|
|
276
283
|
commitSha: repoState.commitSha,
|
|
@@ -279,6 +286,7 @@ async function gatherCurrentScan(options) {
|
|
|
279
286
|
testGapsReport,
|
|
280
287
|
hygiene: hygieneMarkers,
|
|
281
288
|
rawSecrets,
|
|
289
|
+
inlineAllowlistAnnotations,
|
|
282
290
|
};
|
|
283
291
|
// Dispatch through the canonical producer registry (CLAUDE.md
|
|
284
292
|
// Rule 10). Adding a new identity kind means registering a
|
|
@@ -310,20 +318,49 @@ async function gatherCurrentScan(options) {
|
|
|
310
318
|
};
|
|
311
319
|
}
|
|
312
320
|
/**
|
|
313
|
-
* Run the baseline-create pipeline. Pure-orchestrator:
|
|
314
|
-
*
|
|
315
|
-
*
|
|
321
|
+
* Run the baseline-create pipeline. Pure-orchestrator: resolve
|
|
322
|
+
* the baseline mode, gather the current scan, then either:
|
|
323
|
+
*
|
|
324
|
+
* - `committed-full` → write rich entries to disk (today's
|
|
325
|
+
* behavior).
|
|
326
|
+
* - `committed-sanitized` → sanitize every entry, then write.
|
|
327
|
+
* The cross-run matching contract is preserved; locator
|
|
328
|
+
* fields are stripped.
|
|
329
|
+
* - `ref-based` → no file write. The guardrail check will
|
|
330
|
+
* recompute the prior side from a git ref instead.
|
|
331
|
+
*
|
|
332
|
+
* In all three cases the returned `CreateBaselineResult` carries
|
|
333
|
+
* `resolvedMode` so callers can log WHY a given mode was picked
|
|
334
|
+
* (CLI flag / policy file / visibility auto-detect).
|
|
316
335
|
*/
|
|
317
336
|
async function createBaseline(options) {
|
|
318
337
|
const cwd = path.resolve(options.cwd);
|
|
319
338
|
const name = options.name ?? baseline_file_1.DEFAULT_BASELINE_NAME;
|
|
339
|
+
const mode = options.resolvedMode ??
|
|
340
|
+
(() => {
|
|
341
|
+
const policy = (0, policy_1.loadPolicyFromCwd)(cwd);
|
|
342
|
+
return (0, modes_1.resolveBaselineMode)({
|
|
343
|
+
cwd,
|
|
344
|
+
cliMode: options.cliMode,
|
|
345
|
+
cliRef: options.cliRef,
|
|
346
|
+
policyMode: policy.baseline?.mode,
|
|
347
|
+
policyRef: policy.baseline?.ref,
|
|
348
|
+
});
|
|
349
|
+
})();
|
|
350
|
+
if (mode.mode === 'ref-based') {
|
|
351
|
+
// Ref-based mode keeps no committed baseline. We still run no
|
|
352
|
+
// gather here — the guardrail check does it on demand against
|
|
353
|
+
// the configured ref. Returning the resolved mode lets the CLI
|
|
354
|
+
// surface a clear "ref-based mode active; no file written" log.
|
|
355
|
+
return { mode };
|
|
356
|
+
}
|
|
320
357
|
const filePath = (0, baseline_file_1.pathForBaseline)(cwd, name);
|
|
321
358
|
if (!options.force && fs.existsSync(filePath)) {
|
|
322
359
|
throw new Error(`baseline already exists at ${filePath}. Pass force: true to overwrite, ` +
|
|
323
360
|
`or use a different --name to keep both.`);
|
|
324
361
|
}
|
|
325
362
|
const scan = await gatherCurrentScan({ cwd, verbose: options.verbose });
|
|
326
|
-
const
|
|
363
|
+
const richFile = {
|
|
327
364
|
schemaVersion: baseline_file_1.BASELINE_SCHEMA_VERSION,
|
|
328
365
|
name,
|
|
329
366
|
createdAt: new Date().toISOString(),
|
|
@@ -333,7 +370,8 @@ async function createBaseline(options) {
|
|
|
333
370
|
saltMode: scan.saltMode,
|
|
334
371
|
findings: scan.findings,
|
|
335
372
|
};
|
|
373
|
+
const file = mode.mode === 'committed-sanitized' ? (0, sanitize_1.sanitizeFile)(richFile) : richFile;
|
|
336
374
|
(0, baseline_file_1.writeBaselineFile)(filePath, file);
|
|
337
|
-
return { path: filePath, file };
|
|
375
|
+
return { mode, path: filePath, file };
|
|
338
376
|
}
|
|
339
377
|
//# sourceMappingURL=create.js.map
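Review bot: The rewritten doc comment states that the returned `CreateBaselineResult` carries `resolvedMode`, but both return statements in the hunk use the key `mode` (`return { mode };` and `return { mode, path: filePath, file };`), so the comment names a field callers will not find; change the line to `* \`mode\` so callers can log WHY a given mode was picked`. The new `ref-based` branch returns before the `fs.existsSync(filePath)` check, so a baseline file committed under an earlier mode stays on disk untouched; if the guardrail check reads whichever file is present (not visible here), that stale file could still be consumed, so consider at least a warning when `fs.existsSync((0, baseline_file_1.pathForBaseline)(cwd, name))` holds in that branch, and rewording the comment "We still run no gather here" to "No gather runs here". createBaseline spans the last two hunks with a few lines between them not shown, and gatherCurrentScan's body begins outside the hunks.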
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"create.js","sourceRoot":"","sources":["../../src/baseline/create.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"create.js","sourceRoot":"","sources":["../../src/baseline/create.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuOH,sDAEC;AAqCD,8CAkFC;AAkBD,wCAkDC;AAlaD,iDAA6C;AAC7C,mCAAoC;AACpC,uCAAyB;AACzB,2CAA6B;AAC7B,gDAA+D;AAC/D,8CAA+D;AAC/D,wDAAmE;AACnE,8CAAqD;AACrD,0DAAmE;AAEnE,oEAAuE;AACvE,4CAAwD;AACxD,mDAKyB;AAEzB,mCAA8C;AAE9C,qCAAwE;AACxE,2CAAsD;AAEtD,iCAAqC;AAErC,yCAA0C;AAG1C,gDAAuE;AAuCvE;;qEAEqE;AACrE,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,sEAAsE;AAC9I,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,IAAI,CAAC;QACH,OAAO,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;qCAGqC;AACrC,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,GAAG,GAAG,CAAC,GAAG,IAAc,EAAU,EAAE;QACxC,IAAI,CAAC;YACH,OAAO,IAAA,4BAAY,EAAC,KAAK,EAAE,IAAI,EAAE;gBAC/B,GAAG;gBACH,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;aAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACZ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;IACF,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC;QACnC,MAAM,EAAE,GAAG,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,qEAAqE;AACrE,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,kCAAyB,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClF,MAAM,UAAU,GAAG,WAAW,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACrF,0DAA0D;IAC1D,kEAAkE;IAClE,OAAO,EAAE,YAAY,EAAE,mBAAa,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC;AAChG,CAAC;AAED;;;;;;;;;;;;;;;;2CAgB2C;AAC3C,SAAS,aAAa,CAAC,SAAgC,EAAE,GAAW;IAClE,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,GAAG,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,C
AAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC,CAAC,qBAAqB,EAAE,cAAc,CAAC,CAAC,CAAC;AAE/F;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;AAEhD,SAAS,kBAAkB,CAAC,IAAY,EAAE,GAAW;IACnD,MAAM,QAAQ,GAAG,GAAG,IAAI,KAAK,GAAG,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IACxC,MAAM,QAAQ,GAAG,0BAA0B,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACtC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY,EAAE,GAAW;IAC3D,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,mBAAa,EAAE,CAAC;IAChE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,yBAAS,CAAC,SAAS,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,iEAAiE;QACjE,iEAAiE;QACjE,4DAA4D;QAC5D,+DAA+D;QAC/D,8DAA8D;QAC9D,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,8DAA8D;QAC9D,kDAAkD;QAClD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,OAAO;gBAAE,OAAO,MAAM,CAAC,OAAO,CAAC;QAC5C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB;IACnC,aAAa,CAAC,KAAK,EAAE,CAAC;AACxB,CAAC;AA4BD;;;;;;;;GAQG;AACI,KAAK,UAAU,iBAAiB,CAAC,OAGvC;IACC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAEtC,MAAM,cAAc,GAAG,MAAM,IAAA,iCAAyB,EAAC;QACrD,GAAG;QACH,KAAK,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAA,iCAAwB,EAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;KACxF,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,cAAc,CAAC,YAAY,CAAC,iBAAiB,CAAC;IAChE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,iEAAiE;YAC/D,yDAAyD,CAC5D,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAsB;QACnC,GAAG,aAAa,CAAC,GAAG,CAAC;QACrB,IAAI,EAAE,GAAG;KACV,CAAC;IAEF,iEAAiE;IACjE,4DAA4D;IAC5D,kEAAkE;IAClE,aAAa;IACb,MAAM,EAAE,
IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,IAAA,kBAAW,EAAC,GAAG,CAAC,CAAC;IAElD,gEAAgE;IAChE,kEAAkE;IAClE,6DAA6D;IAC7D,0DAA0D;IAC1D,2DAA2D;IAC3D,MAAM,cAAc,GAAG,MAAM,IAAA,uBAAe,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAClF,MAAM,cAAc,GAAG,IAAA,6BAAoB,EAAC,GAAG,CAAC,CAAC;IACjD,MAAM,eAAe,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAClD,MAAM,UAAU,GACd,eAAe,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,gEAAgE;IAChE,kEAAkE;IAClE,yBAAyB;IACzB,MAAM,0BAA0B,GAAG,IAAA,yCAAgC,EAAC,GAAG,CAAC,CAAC;IAEzE,MAAM,WAAW,GAAoB;QACnC,GAAG;QACH,SAAS,EAAE,SAAS,CAAC,SAAS;QAC9B,IAAI;QACJ,cAAc;QACd,cAAc;QACd,OAAO,EAAE,cAAc;QACvB,UAAU;QACV,0BAA0B;KAC3B,CAAC;IAEF,8DAA8D;IAC9D,2DAA2D;IAC3D,gEAAgE;IAChE,QAAQ;IACR,MAAM,QAAQ,GAAwB,IAAA,wBAAY,EAAC,WAAW,EAAE,qBAAS,CAAC,CAAC;IAE3E,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI;QAAE,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACxF,IAAI,SAAS,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI;QAAE,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IAClG,IAAI,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI;QAAE,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC1F,IAAI,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,GAAG;QAAE,SAAS,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC7E,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IAExD,MAAM,YAAY,GAAyB;QACzC,GAAG,iBAAiB,CAAC,GAAG,CAAC;QACzB,aAAa,EAAE,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;KAClD,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,SAAS;QACT,SAAS;QACT,QAAQ;QACR,KAAK;QACL,YAAY;QACZ,WAAW;KACZ,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACI,KAAK,UAAU,cAAc,CAClC,OAA8B;IAE9B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,qCAAqB,CAAC;IACnD,MAAM,IAAI,GACR,OAAO,CAAC,YAAY;QACpB,CAAC,GAAG,EAAE;YACJ,MAAM,MAAM,GAAG,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;YACtC,OAAO,IAAA,2BAAmB,EAAC;gBACzB,GAAG;gBACH,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,UAAU,EAAE,MAAM,CA
AC,QAAQ,EAAE,IAAI;gBACjC,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,GAAG;aAChC,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC9B,8DAA8D;QAC9D,8DAA8D;QAC9D,+DAA+D;QAC/D,gEAAgE;QAChE,OAAO,EAAE,IAAI,EAAE,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAA,+BAAe,EAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,8BAA8B,QAAQ,mCAAmC;YACvE,yCAAyC,CAC5C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAExE,MAAM,QAAQ,GAAiB;QAC7B,aAAa,EAAE,uCAAuB;QACtC,IAAI;QACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI,EAAE,IAAI,CAAC,SAAS;QACpB,QAAQ,EAAE,IAAI,CAAC,YAAY;QAC3B,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;KACxB,CAAC;IAEF,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,IAAA,uBAAY,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IACrF,IAAA,iCAAiB,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAClC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACxC,CAAC"}
|
|
@@ -16,7 +16,7 @@
|
|
|
16
16
|
* apply to hygiene markers; the marker IS the canonical name.
|
|
17
17
|
*
|
|
18
18
|
* Kinds without file/line locators (dep-vuln, duplication,
|
|
19
|
-
* coverage-gap,
|
|
19
|
+
* coverage-gap, test-gap, test-file-degradation, god-file,
|
|
20
20
|
* stale-file, large-file, secret-hmac) fall through to the matcher's
|
|
21
21
|
* multiset pass — they're paired by exact identity-hash equality,
|
|
22
22
|
* which the matcher already handles without any locator metadata.
|
|
@@ -28,6 +28,11 @@ import type { BaselineEntry } from './types';
|
|
|
28
28
|
* already-computed identity hash; locator fields are populated for
|
|
29
29
|
* the kinds the matcher's location-pair / content-hash passes can
|
|
30
30
|
* use.
|
|
31
|
+
*
|
|
32
|
+
* Sanitized entries (`sanitized: true`) carry only identity + kind;
|
|
33
|
+
* they short-circuit to identity-only locators because the
|
|
34
|
+
* location-pair pass has no fields to compare. The matcher's
|
|
35
|
+
* multiset pass still pairs them at full confidence by id.
|
|
31
36
|
*/
|
|
32
37
|
export declare function entryToLocated(entry: BaselineEntry): LocatedIdentity;
|
|
33
38
|
/** Convenience: map an array of entries through `entryToLocated`. */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"entry-to-located.d.ts","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"entry-to-located.d.ts","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,eAAe,CA2CpE;AAED,qEAAqE;AACrE,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,aAAa,CAAC,aAAa,CAAC,GACpC,aAAa,CAAC,eAAe,CAAC,CAEhC"}
|
|
@@ -17,7 +17,7 @@
|
|
|
17
17
|
* apply to hygiene markers; the marker IS the canonical name.
|
|
18
18
|
*
|
|
19
19
|
* Kinds without file/line locators (dep-vuln, duplication,
|
|
20
|
-
* coverage-gap,
|
|
20
|
+
* coverage-gap, test-gap, test-file-degradation, god-file,
|
|
21
21
|
* stale-file, large-file, secret-hmac) fall through to the matcher's
|
|
22
22
|
* multiset pass — they're paired by exact identity-hash equality,
|
|
23
23
|
* which the matcher already handles without any locator metadata.
|
|
@@ -26,13 +26,21 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
26
26
|
exports.entryToLocated = entryToLocated;
|
|
27
27
|
exports.entriesToLocated = entriesToLocated;
|
|
28
28
|
const fingerprint_1 = require("../analyzers/tools/fingerprint");
|
|
29
|
+
const sanitize_1 = require("./sanitize");
|
|
29
30
|
/**
|
|
30
31
|
* Build a `LocatedIdentity` from one stored entry. The id is the
|
|
31
32
|
* already-computed identity hash; locator fields are populated for
|
|
32
33
|
* the kinds the matcher's location-pair / content-hash passes can
|
|
33
34
|
* use.
|
|
35
|
+
*
|
|
36
|
+
* Sanitized entries (`sanitized: true`) carry only identity + kind;
|
|
37
|
+
* they short-circuit to identity-only locators because the
|
|
38
|
+
* location-pair pass has no fields to compare. The matcher's
|
|
39
|
+
* multiset pass still pairs them at full confidence by id.
|
|
34
40
|
*/
|
|
35
41
|
function entryToLocated(entry) {
|
|
42
|
+
if ((0, sanitize_1.isSanitized)(entry))
|
|
43
|
+
return { id: entry.id };
|
|
36
44
|
switch (entry.kind) {
|
|
37
45
|
case 'secret':
|
|
38
46
|
case 'code':
|
|
@@ -52,10 +60,20 @@ function entryToLocated(entry) {
|
|
|
52
60
|
rule: entry.marker,
|
|
53
61
|
...(entry.contentHash !== undefined ? { contentHash: entry.contentHash } : {}),
|
|
54
62
|
};
|
|
63
|
+
case 'stale-allow':
|
|
64
|
+
// Annotation comments don't have a tool/rule pair — the
|
|
65
|
+
// "rule" is the annotation's category. Reuse the field so
|
|
66
|
+
// the matcher's location-pair pass can treat them like other
|
|
67
|
+
// source-anchored kinds.
|
|
68
|
+
return {
|
|
69
|
+
id: entry.id,
|
|
70
|
+
file: entry.file,
|
|
71
|
+
line: entry.line,
|
|
72
|
+
rule: entry.category,
|
|
73
|
+
};
|
|
55
74
|
case 'dep-vuln':
|
|
56
75
|
case 'duplication':
|
|
57
76
|
case 'coverage-gap':
|
|
58
|
-
case 'license':
|
|
59
77
|
case 'test-gap':
|
|
60
78
|
case 'test-file-degradation':
|
|
61
79
|
case 'god-file':
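Review bot: Removing `case 'license':` leaves entries of that kind with no matching arm, and the end of the switch (and any default it may have) is outside the hunk, so a baseline file written by 2.5.x that still contains `license` entries would make `entryToLocated` return `undefined` for them and `entriesToLocated` would pass an array holding `undefined` to the matcher. Unless the schema version was bumped or such entries are filtered while loading (not visible here), add an explicit fallback, e.g. `default: return { id: entry.id };`, or reject the entry with an error naming `entry.kind` so a stale baseline fails loudly instead of at the matcher. The `stale-allow` arm reusing `rule` for `entry.category` is clearly explained by its comment; the `isSanitized` early return would benefit from a one-line note that it intentionally runs before the kind switch so sanitized entries of every kind take the identity-only path. entryToLocated's switch closes outside the hunk.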
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"entry-to-located.js","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;
|
|
1
|
+
{"version":3,"file":"entry-to-located.js","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;AAkBH,wCA2CC;AAGD,4CAIC;AAlED,gEAAkE;AAElE,yCAAyC;AAGzC;;;;;;;;;;GAUG;AACH,SAAgB,cAAc,CAAC,KAAoB;IACjD,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAChD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC;gBAC9C,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,MAAM;gBAClB,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,aAAa;YAChB,wDAAwD;YACxD,0DAA0D;YAC1D,6DAA6D;YAC7D,yBAAyB;YACzB,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,QAAQ;aACrB,CAAC;QACJ,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa,CAAC;QACnB,KAAK,cAAc,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY,CAAC;QAClB,KAAK,aAAa;YAChB,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAgB,gBAAgB,CAC9B,OAAqC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;AACrC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"finding-identity.d.ts","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACb,qBAAqB,EAGrB,WAAW,EAGZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,OAAO,GAAE,qBAA4B,GACpC,SAAS,CA4CX;
|
|
1
|
+
{"version":3,"file":"finding-identity.d.ts","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACb,qBAAqB,EAGrB,WAAW,EAGZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,OAAO,GAAE,qBAA4B,GACpC,SAAS,CA4CX;AA0KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,EAC1B,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,GAC3B,WAAW,CAyDb"}
|
|
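--- a/package/dist/baseline/finding-identity.js
+++ b/package/dist/baseline/finding-identity.js
@@ -53,8 +53,6 @@ function identityFor(input, version = 'v1') {
 return computeTestGapIdentity(input.file, input.risk);
 case 'hygiene':
 return computeHygieneIdentity(input.file, input.line, input.marker);
-case 'license':
-return computeLicenseIdentity(input.package, input.version, input.licenseType);
 case 'test-file-degradation':
 return computeTestFileDegradationIdentity(input.file, input.status);
 case 'god-file':
@@ -65,6 +63,8 @@ function identityFor(input, version = 'v1') {
 return computeLargeFileIdentity(input.file);
 case 'secret-hmac':
 return computeSecretHmacIdentity(input.tool, input.rule, input.hmac);
+case 'stale-allow':
+return computeStaleAllowIdentity(input.file, input.line, input.category);
 }
 }
 /**
@@ -138,17 +138,6 @@ function computeHygieneIdentity(file, line, marker) {
 const input = `hygiene\0v1\0${marker}\0${file}\0${(0, fingerprint_1.lineWindowFor)(line)}`;
 return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
 }
-/**
-* Identity for a package license attribution. Includes the license
-* type so a re-licensing event on the same `(package, version)` pin
-* registers as a fresh finding — compliance teams want to be
-* notified when a transitive dep switches from MIT to GPL even
-* without a version bump.
-*/
-function computeLicenseIdentity(packageName, version, licenseType) {
-const input = `license\0v1\0${packageName}\0${version}\0${licenseType}`;
-return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
-}
 /**
 * Identity for a degraded test file. Degradation status is part of
 * identity so transitions between states register as fresh findings
@@ -208,6 +197,19 @@ function computeSecretHmacIdentity(tool, rule, hmac) {
 const input = `secret-hmac\0v1\0${canonicalRule}\0${hmac}`;
 return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
 }
+/**
+* Identity for an orphaned inline allowlist annotation. Line is
+* bucketed via the canonical 3-line window so small formatter /
+* unrelated-edit drift doesn't churn identity. Category is part of
+* identity so reclassifying an annotation (test-fixture →
+* false-positive on the same source line) registers as a fresh
+* finding — the new category's appropriateness is a separate
+* judgment worth surfacing.
+*/
+function computeStaleAllowIdentity(file, line, category) {
+const input = `stale-allow\0v1\0${file}\0${(0, fingerprint_1.lineWindowFor)(line)}\0${category}`;
+return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
+}
 /**
 * Multiset-aware identity diff — the lowest layer of baseline
 * comparison. Pairs identities by occurrence count, not by presence: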
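Review bot: After `case 'license':` is dropped in the first hunk, no `default` arm is visible before the switch closes at the end of the second hunk, so an input whose `kind` is still `'license'` (for instance an entry read back from a baseline written by the previous release) would make `identityFor` return `undefined` instead of failing loudly; the switch opens above line 53, outside these hunks, so confirm there is no `default` there. An `undefined` identity is worth guarding because the multiset diff documented at the end of the last hunk pairs identities by value and would presumably treat every such entry as equal to every other. I'd add, just before the brace that closes the switch, `default: throw new Error(\`identityFor: unsupported finding kind ${String(input.kind)}\`);`. In `computeStaleAllowIdentity`, `category` is interpolated into the hashed string like its siblings but originates in an inline annotation parsed from source text, so a short comment such as `// category is expected to be pre-validated against the known category list by the caller` would make that trust boundary explicit.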
@@ -1 +1 @@
1
-
{"version":3,"file":"finding-identity.js","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsCH,kCA+CC;
1
+
{"version":3,"file":"finding-identity.js","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsCH,kCA+CC;AA6LD,0CA4DC;AA5UD,mCAAoC;AACpC,gEAKwC;AAkBxC;;;;;;;;;;;GAWG;AACH,SAAgB,WAAW,CACzB,KAAoB,EACpB,UAAiC,IAAI;IAErC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAC/D,OAAO,IAAA,oCAAsB,EAAC,aAAa,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC;QACD,KAAK,UAAU;YACb,OAAO,IAAA,gCAAkB,EAAC;gBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,EAAE,EAAE,KAAK,CAAC,EAAE;aACb,CAAC,CAAC;QACL,KAAK,aAAa;YAChB,OAAO,0BAA0B,CAC/B,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,0BAA0B,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/E,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACxD,KAAK,SAAS;YACZ,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,uBAAuB;YAC1B,OAAO,kCAAkC,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAS,0BAA0B,CACjC,KAAa,EACb,KAAa,EACb,KAAa,EACb,UAAkB,EAClB,UAAkB;IAElB,MAAM,KAAK,GAA4B;QACrC,CAAC,KAAK,EAAE,UAAU,CAAC;QACnB,CAAC,KAAK,EAAE,UAAU,CAAC;KACpB,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC,C
AAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,KAAK,GAAG,oBAAoB,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;IAC1G,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,0BAA0B,CACjC,IAAY,EACZ,MAA0B,EAC1B,SAAgD;IAEhD,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,yEAAyE,IAAI,GAAG,CACjF,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,SAAU,CAAC,CAAC,CAAC,IAAI,SAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3F,MAAM,KAAK,GAAG,qBAAqB,IAAI,KAAK,aAAa,EAAE,CAAC;IAC5D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAiB;IAC7D,MAAM,KAAK,GAAG,iBAAiB,IAAI,KAAK,IAAI,EAAE,CAAC;IAC/C,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAY,EAAE,MAAqB;IAC/E,MAAM,KAAK,GAAG,gBAAgB,MAAM,KAAK,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,EAAE,CAAC;IACxE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,kCAAkC,CACzC,IAAY,EACZ,MAAiC;IAEjC,MAAM,KAAK,GAAG,8BAA8B,IAAI,KAAK,MAAM,EAAE,CAAC;IAC9D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,iBAAiB,IAAI,EAAE,CAAC;IACtC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC
,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,wBAAwB,CAAC,IAAY,EAAE,MAAc;IAC5D,MAAM,KAAK,GAAG,mBAAmB,IAAI,KAAK,MAAM,EAAE,CAAC;IACnD,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,mBAAmB,IAAI,EAAE,CAAC;IACxC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,IAAY;IACzE,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,oBAAoB,aAAa,KAAK,IAAI,EAAE,CAAC;IAC3D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,QAAgB;IAC7E,MAAM,KAAK,GAAG,oBAAoB,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;IAC9E,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,eAAe,CAC7B,KAA0B,EAC1B,OAA4B;IAE5B,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,aAAa,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAY,CAAC,GAAG,WAAW,CAAC,IAAI,EAAE,EAAE,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAEpF,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAgB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,wDAAwD;KACjE,CAAC;IACF,MAAM,SAAS,GAAgB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,kDAAkD;KAC3D,CAAC;IACF,MAAM,UAAU,GAAgB;QAC9B,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,sDAAsD;KAC/D,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,
CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,WAAW,CAAC;aACvB,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,OAAO;gBACf,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,SAAS,CAAC;aACrB,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,SAAS;gBACjB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,UAAU,CAAC;aACtB,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,aAAa,CAAC,KAA0B;IAC/C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
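--- a/package/dist/baseline/modes.d.ts
+++ b/package/dist/baseline/modes.d.ts
@@ -0,0 +1,140 @@
+/**
+* Baseline mode resolution — single source of truth for picking
+* between `committed-full`, `committed-sanitized`, and `ref-based`.
+*
+* # The three modes
+*
+* - **`committed-full`** — Rich entries committed to git under
+* `.dxkit/baselines/<name>.json`. The default behavior dxkit
+* has had since baselines existed. Best for private repos with
+* small teams; the human-readable locator fields make `baseline
+* show` and block-time hints maximally useful.
+*
+* - **`committed-sanitized`** — The file is still committed, but
+* every entry is stripped to `{ id, kind, sanitized: true }`
+* before write (see `./sanitize.ts`). The cross-run matching
+* contract is preserved (identity fingerprints are unchanged);
+* human-readable locators are gone. Best for compliance-
+* conscious private repos where broad internal read access
+* makes location disclosures material.
+*
+* - **`ref-based`** — No baseline file is committed. The prior
+* side of the guardrail diff is computed at check time from a
+* git ref (default: `origin/<default-branch>`) via
+* `git worktree add`. Zero disclosure surface; best for public
+* repos. Cost is a longer check (gather runs twice — once
+* against the ref, once against HEAD).
+*
+* # Resolution precedence
+*
+* 1. **CLI flag** — `--mode=<X>` (and `--ref=<R>`). Highest
+* precedence. Overrides everything else.
+* 2. **Policy file** — `baseline.mode` / `baseline.ref` in
+* `.dxkit/policy.json`. Pins the choice repo-wide so every
+* developer + every CI job uses the same posture.
+* 3. **Visibility-derived default** — probes
+* `gh repo view --json visibility` (see `./visibility.ts`)
+* and picks:
+* - `'public'` → `ref-based`
+* - `'private'` / `'internal'` → `committed-full`
+* - `'unknown'` → `committed-full` (safe default + warning)
+*
+* `committed-sanitized` is never auto-picked. It's the explicit
+* opt-in for compliance-conscious private repos. The reasoning:
+*
+* - For public repos, sanitized-in-git is strictly worse than
+* ref-based — you're still committing the fingerprint set,
+* and ref-based gives the same matching contract without
+* storing anything.
+* - For typical private repos with small teams, full content
+* is more useful.
+*
+* So sanitized lives between those two extremes and customers
+* opt in via `policy.json` or `--mode=committed-sanitized`.
+*
+* # Why one resolver
+*
+* Every consumer (the `baseline create` orchestrator, the
+* `guardrail check` orchestrator, doctor checks, future modes-
+* aware tooling) calls `resolveBaselineMode` and reads the
+* returned `ResolvedMode`. Scattered `if (visibility === 'public')`
+* branches would drift independently as the rules evolve; this
+* module is the single edit point.
+*
+* Pure module — no I/O of its own. The visibility probe is
+* injectable via `probeVisibility` so tests can simulate every
+* path without going through `execSync('gh ...')`.
+*/
+import type { RepoVisibility } from './visibility';
+/** The three modes. Keep this union ordered the same way as
+* `BASELINE_MODES` (declared below) so help text + arch checks
+* match. */
+export type BaselineMode = 'committed-full' | 'committed-sanitized' | 'ref-based';
+/** Canonical enumeration of the mode strings. Consumers wanting to
+* iterate every mode (CLI flag validation, help text, doctor)
+* import this rather than re-listing the union members. */
+export declare const BASELINE_MODES: ReadonlyArray<BaselineMode>;
+/** Where the resolver picked the mode from. Surfaced to the
+* runtime log + doctor + agent skills so customers see WHY
+* `committed-full` was picked over `ref-based`. */
+export type ModeSource = 'cli' | 'policy' | 'auto-public' | 'auto-private' | 'auto-internal' | 'auto-unknown';
+/** Resolution outcome carrying the chosen mode + the audit trail
+* + the resolved ref (for ref-based). Consumers read
+* `mode` to dispatch and `explanation` to log. */
+export interface ResolvedMode {
+readonly mode: BaselineMode;
+readonly source: ModeSource;
+/** One-line human-readable explanation suitable for the runtime
+* log. Always populated. */
+readonly explanation: string;
+/** Git ref used when `mode === 'ref-based'`. Resolved from CLI,
+* policy, or the repo's default-branch upstream tracking ref.
+* Undefined when mode is not ref-based. */
+readonly ref?: string;
+}
+/** Input shape for the resolver. Every field is optional so the
+* same function handles "no flags, no policy" and "explicit
+* everything" without branching on call site. */
+export interface ResolveModeOptions {
+readonly cwd: string;
+/** Explicit CLI flag value. Highest precedence when present. */
+readonly cliMode?: BaselineMode;
+/** `baseline.mode` field from `.dxkit/policy.json`. Second
+* precedence. */
+readonly policyMode?: BaselineMode;
+/** Explicit CLI ref value (`--ref=<R>`). Only consulted when
+* the resolved mode is `ref-based`. */
+readonly cliRef?: string;
+/** `baseline.ref` field from `.dxkit/policy.json`. */
+readonly policyRef?: string;
+/** Injectable for tests; production omits and the resolver
+* calls `detectRepoVisibility` directly. */
+readonly probeVisibility?: (cwd: string) => RepoVisibility;
+/** Injectable for tests; production omits and the resolver
+* shells out to `git symbolic-ref refs/remotes/origin/HEAD`. */
+readonly probeDefaultRef?: (cwd: string) => string | undefined;
+}
+/**
+* Resolve the baseline mode for a given run. Pure over its inputs
+* apart from the optional probe functions (which default to
+* `detectRepoVisibility` + `probeOriginHeadRef` and ARE I/O-bound).
+* The returned `ResolvedMode` carries everything callers need to
+* dispatch + log.
+*/
+export declare function resolveBaselineMode(opts: ResolveModeOptions): ResolvedMode;
+/**
+* Probe `git symbolic-ref refs/remotes/origin/HEAD` to learn the
+* remote's default branch. Returns `'origin/<branch>'` on success,
+* `undefined` on any failure (no remote, no fetch ever ran, etc.).
+*
+* Public for testing — production callers go through
+* `resolveBaselineMode`'s `opts.probeDefaultRef` injection.
+*/
+export declare function probeOriginHeadRef(cwd: string): string | undefined;
+/**
+* Parse a string into a `BaselineMode`. Returns `null` for unknown
+* values so the CLI surfaces a helpful error including the full
+* accepted list. Used by `--mode=<X>` flag parsing.
+*/
+export declare function parseBaselineMode(raw: string): BaselineMode | null;
+//# sourceMappingURL=modes.d.ts.map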
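Review bot: The module header (line 64) states `Pure module — no I/O of its own`, while the `probeDefaultRef` doc (line 114) and the `resolveBaselineMode` doc (lines 119–120) say the default probes shell out to `git` and `gh`; the header sentence should match, e.g. `* Pure over its inputs once the probes are injected; the default probes do shell out.`. The `ref` field of `ResolvedMode` is documented as coming from `--ref` or `.dxkit/policy.json`, and the header says that value is later handed to `git worktree add`, so its syntax is effectively controlled by whoever edits the policy file or invokes the CLI, yet nothing in this declaration says it is validated. I'd extend the `ref` doc with `* Not validated by the resolver — consumers must check it (e.g. git check-ref-format) and pass it to git after a `--` separator.`; the implementation is not in this diff, so whether such a check already exists elsewhere is inferred, not verified.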
@@ -0,0 +1 @@
1
+
{"version":3,"file":"modes.d.ts","sourceRoot":"","sources":["../../src/baseline/modes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD;;aAEa;AACb,MAAM,MAAM,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GAAG,WAAW,CAAC;AAElF;;4DAE4D;AAC5D,eAAO,MAAM,cAAc,EAAE,aAAa,CAAC,YAAY,CAIrD,CAAC;AAEH;;oDAEoD;AACpD,MAAM,MAAM,UAAU,GAClB,KAAK,GACL,QAAQ,GACR,aAAa,GACb,cAAc,GACd,eAAe,GACf,cAAc,CAAC;AAEnB;;mDAEmD;AACnD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B;iCAC6B;IAC7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;gDAE4C;IAC5C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;kDAEkD;AAClD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,gEAAgE;IAChE,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC;IAChC;sBACkB;IAClB,QAAQ,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC;IACnC;4CACwC;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;iDAC6C;IAC7C,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,cAAc,CAAC;IAC3D;qEACiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAChE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,kBAAkB,GAAG,YAAY,CAmB1E;AAqBD;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAalE;AAmBD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAElE"}