@vyuhlabs/dxkit 2.5.2 → 2.6.0

Files changed (146)
  1. package/CHANGELOG.md +164 -0
  2. package/README.md +102 -0
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/baseline/baseline-file.d.ts +7 -0
  32. package/dist/baseline/baseline-file.d.ts.map +1 -1
  33. package/dist/baseline/baseline-file.js +22 -1
  34. package/dist/baseline/baseline-file.js.map +1 -1
  35. package/dist/baseline/check-renderers.d.ts +13 -1
  36. package/dist/baseline/check-renderers.d.ts.map +1 -1
  37. package/dist/baseline/check-renderers.js +67 -1
  38. package/dist/baseline/check-renderers.js.map +1 -1
  39. package/dist/baseline/check.d.ts +33 -7
  40. package/dist/baseline/check.d.ts.map +1 -1
  41. package/dist/baseline/check.js +90 -64
  42. package/dist/baseline/check.js.map +1 -1
  43. package/dist/baseline/create.d.ts +35 -7
  44. package/dist/baseline/create.d.ts.map +1 -1
  45. package/dist/baseline/create.js +43 -5
  46. package/dist/baseline/create.js.map +1 -1
  47. package/dist/baseline/entry-to-located.d.ts +6 -1
  48. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  49. package/dist/baseline/entry-to-located.js +20 -2
  50. package/dist/baseline/entry-to-located.js.map +1 -1
  51. package/dist/baseline/finding-identity.d.ts.map +1 -1
  52. package/dist/baseline/finding-identity.js +15 -13
  53. package/dist/baseline/finding-identity.js.map +1 -1
  54. package/dist/baseline/modes.d.ts +140 -0
  55. package/dist/baseline/modes.d.ts.map +1 -0
  56. package/dist/baseline/modes.js +179 -0
  57. package/dist/baseline/modes.js.map +1 -0
  58. package/dist/baseline/policy.d.ts +64 -0
  59. package/dist/baseline/policy.d.ts.map +1 -1
  60. package/dist/baseline/policy.js +102 -1
  61. package/dist/baseline/policy.js.map +1 -1
  62. package/dist/baseline/producers/health.d.ts +2 -2
  63. package/dist/baseline/producers/health.d.ts.map +1 -1
  64. package/dist/baseline/producers/health.js.map +1 -1
  65. package/dist/baseline/producers/index.d.ts +11 -5
  66. package/dist/baseline/producers/index.d.ts.map +1 -1
  67. package/dist/baseline/producers/index.js +12 -9
  68. package/dist/baseline/producers/index.js.map +1 -1
  69. package/dist/baseline/producers/quality.d.ts +3 -3
  70. package/dist/baseline/producers/quality.d.ts.map +1 -1
  71. package/dist/baseline/producers/quality.js.map +1 -1
  72. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  73. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  74. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  75. package/dist/baseline/producers/security.d.ts +2 -2
  76. package/dist/baseline/producers/security.d.ts.map +1 -1
  77. package/dist/baseline/producers/security.js.map +1 -1
  78. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  79. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  80. package/dist/baseline/producers/stale-allow.js +111 -0
  81. package/dist/baseline/producers/stale-allow.js.map +1 -0
  82. package/dist/baseline/producers/tests.d.ts +2 -2
  83. package/dist/baseline/producers/tests.d.ts.map +1 -1
  84. package/dist/baseline/producers/tests.js.map +1 -1
  85. package/dist/baseline/ref-baseline.d.ts +114 -0
  86. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  87. package/dist/baseline/ref-baseline.js +260 -0
  88. package/dist/baseline/ref-baseline.js.map +1 -0
  89. package/dist/baseline/sanitize.d.ts +80 -0
  90. package/dist/baseline/sanitize.d.ts.map +1 -0
  91. package/dist/baseline/sanitize.js +91 -0
  92. package/dist/baseline/sanitize.js.map +1 -0
  93. package/dist/baseline/show.d.ts.map +1 -1
  94. package/dist/baseline/show.js +9 -3
  95. package/dist/baseline/show.js.map +1 -1
  96. package/dist/baseline/types.d.ts +73 -26
  97. package/dist/baseline/types.d.ts.map +1 -1
  98. package/dist/baseline/types.js +7 -1
  99. package/dist/baseline/types.js.map +1 -1
  100. package/dist/baseline/visibility.d.ts +61 -0
  101. package/dist/baseline/visibility.d.ts.map +1 -0
  102. package/dist/baseline/visibility.js +121 -0
  103. package/dist/baseline/visibility.js.map +1 -0
  104. package/dist/cli.d.ts.map +1 -1
  105. package/dist/cli.js +88 -3
  106. package/dist/cli.js.map +1 -1
  107. package/dist/doctor.d.ts.map +1 -1
  108. package/dist/doctor.js +106 -16
  109. package/dist/doctor.js.map +1 -1
  110. package/dist/issue-cli.d.ts +62 -0
  111. package/dist/issue-cli.d.ts.map +1 -0
  112. package/dist/issue-cli.js +252 -0
  113. package/dist/issue-cli.js.map +1 -0
  114. package/dist/languages/csharp.d.ts.map +1 -1
  115. package/dist/languages/csharp.js +1 -0
  116. package/dist/languages/csharp.js.map +1 -1
  117. package/dist/languages/go.d.ts.map +1 -1
  118. package/dist/languages/go.js +1 -0
  119. package/dist/languages/go.js.map +1 -1
  120. package/dist/languages/java.d.ts.map +1 -1
  121. package/dist/languages/java.js +1 -0
  122. package/dist/languages/java.js.map +1 -1
  123. package/dist/languages/kotlin.d.ts.map +1 -1
  124. package/dist/languages/kotlin.js +1 -0
  125. package/dist/languages/kotlin.js.map +1 -1
  126. package/dist/languages/python.d.ts.map +1 -1
  127. package/dist/languages/python.js +1 -0
  128. package/dist/languages/python.js.map +1 -1
  129. package/dist/languages/ruby.d.ts.map +1 -1
  130. package/dist/languages/ruby.js +1 -0
  131. package/dist/languages/ruby.js.map +1 -1
  132. package/dist/languages/rust.d.ts.map +1 -1
  133. package/dist/languages/rust.js +1 -0
  134. package/dist/languages/rust.js.map +1 -1
  135. package/dist/languages/types.d.ts +25 -0
  136. package/dist/languages/types.d.ts.map +1 -1
  137. package/dist/languages/typescript.d.ts.map +1 -1
  138. package/dist/languages/typescript.js +1 -0
  139. package/dist/languages/typescript.js.map +1 -1
  140. package/package.json +1 -1
  141. package/templates/.claude/skills/dxkit-action/SKILL.md +105 -11
  142. package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
  143. package/dist/baseline/producers/licenses.d.ts +0 -23
  144. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  145. package/dist/baseline/producers/licenses.js +0 -46
  146. package/dist/baseline/producers/licenses.js.map +0 -1
@@ -1 +1 @@
1
- {"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,GAAoB,EAAE,CAAC;IAEhC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,iEAAiE;QACjE,kEAAkE;QAClE,aAAa;QACb,IAAI,GAAG,CAAC,eAAe;YAAE,SAAS;QAClC,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ;YAAE,SAAS;QACrC,MAAM,KAAK,GAAqC;YAC9C,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,GAAwB,EAAE,CAAC;IAEpC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,iEAAiE;QACjE,kEAAkE;QAClE,aAAa;QACb,IAAI,GAAG,CAAC,eAAe;YAAE,SAAS;QAClC,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ;YAAE,SAAS;QACrC,MAAM,KAAK,GAAqC;YAC9C,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -0,0 +1,114 @@
1
+ /**
2
+ * Ref-based baseline gather — produces a `CurrentScan` for a git
3
+ * ref by checking it out into a temporary worktree and running the
4
+ * analyzer pipeline there.
5
+ *
6
+ * # When this runs
7
+ *
8
+ * `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
9
+ * needs a "prior side" to diff against; in committed modes the
10
+ * prior side comes from `.dxkit/baselines/<name>.json`, but in
11
+ * ref-based mode no file is committed — the prior side is
12
+ * recomputed on the fly from a git ref (default
13
+ * `origin/<default-branch>`).
14
+ *
15
+ * # Mechanics
16
+ *
17
+ * 1. Resolve `ref` to a commit SHA. Failure here surfaces a
18
+ * `RefBaselineError` with one of three actionable hints:
19
+ * - Shallow clone → `git fetch --unshallow` / CI fetch-depth
20
+ * - Ref doesn't exist → `git fetch origin` or fix policy
21
+ * - Local-only ref → push it or use a remote-tracking ref
22
+ * 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
23
+ * full checkout of the source tree at that SHA — but NOT a
24
+ * package-manager install, so dep-vuln scanners that read
25
+ * `node_modules` directly will see degraded results. The
26
+ * dxkit dep scanners use lockfiles (`package-lock.json`,
27
+ * `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
28
+ * survives the gap.
29
+ * 3. Run `gatherCurrentScan` against the worktree directory. Same
30
+ * pipeline as the live current scan — same producer registry,
31
+ * same envelope shape — so the matcher diffs apples-to-apples.
32
+ * 4. Clean up the worktree on the way out (try/finally).
33
+ *
34
+ * # Why a generic `withRefWorktree` helper
35
+ *
36
+ * The worktree setup + cleanup pattern is reusable. Future modes-
37
+ * aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
38
+ * subcommand) can compose `withRefWorktree` directly instead of
39
+ * re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
40
+ * thin specialization for the guardrail-check use case.
41
+ *
42
+ * # Failure semantics
43
+ *
44
+ * Recoverable failures (ref unreachable, worktree-add fails) throw
45
+ * `RefBaselineError` with a `hint` field the CLI renders in plain
46
+ * prose. Unrecoverable failures (the gather pipeline itself
47
+ * crashes) propagate up the original Error subclass — they're not
48
+ * specific to ref-based mode and live with the existing error
49
+ * handling in the orchestrator.
50
+ */
51
+ import type { CurrentScan } from './create';
52
+ /**
53
+ * Recoverable error from the ref-based gather path. Carries an
54
+ * actionable `hint` the CLI surfaces verbatim so customers don't
55
+ * have to interpret raw git output. Inherits from `Error` so
56
+ * existing catch-by-Error code keeps working.
57
+ */
58
+ export declare class RefBaselineError extends Error {
59
+ readonly hint: string;
60
+ constructor(message: string, hint: string);
61
+ }
62
+ export interface RefWorktreeOptions {
63
+ readonly cwd: string;
64
+ readonly ref: string;
65
+ }
66
+ /**
67
+ * Resolve a ref to a commit SHA via `git rev-parse --verify
68
+ * <ref>^{commit}`. Returns null when the ref isn't reachable (the
69
+ * caller surfaces the appropriate hint based on shallow-clone /
70
+ * remote-only state).
71
+ */
72
+ export declare function resolveRefToSha(cwd: string, ref: string): string | null;
73
+ /**
74
+ * Whether the current working tree was cloned shallowly. Drives
75
+ * the hint surfaced when a ref isn't reachable: a CI clone with
76
+ * `fetch-depth: 1` won't have the baseline ref's history, and the
77
+ * fix is `fetch-depth: 0`, not pushing the missing ref.
78
+ */
79
+ export declare function isShallowRepo(cwd: string): boolean;
80
+ /**
81
+ * Check out `ref` into a temporary worktree, run `fn` with the
82
+ * worktree path, and tear down the worktree on the way out.
83
+ *
84
+ * Always cleans up — even when `fn` throws. The cleanup tolerates
85
+ * `git worktree remove` failures (e.g., dirty worktree from a
86
+ * partial gather) by falling back to `rm -rf` on the temp dir.
87
+ */
88
+ export declare function withRefWorktree<T>(opts: RefWorktreeOptions, fn: (worktreePath: string) => Promise<T>): Promise<T>;
89
+ /**
90
+ * Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
91
+ * Public for testing — production callers reach this through
92
+ * `withRefWorktree`. The directory is created on demand; absent
93
+ * source files are silently skipped (env-var + deterministic salt
94
+ * modes both work without the file).
95
+ */
96
+ export declare function mirrorSaltFile(srcCwd: string, dstCwd: string): void;
97
+ /**
98
+ * Run `gatherCurrentScan` against a temporary worktree checked out
99
+ * to `ref`. Returns the same shape as a live gather — the matcher
100
+ * doesn't care which side was the worktree, only that both sides
101
+ * are `CurrentScan` envelopes.
102
+ *
103
+ * Per-tool degradation note: dep-vuln scanners may report less
104
+ * coverage in the worktree because `node_modules` (and analogous
105
+ * install artifacts) are typically gitignored and so don't exist
106
+ * in the worktree. The lockfile-driven scanners dxkit prefers
107
+ * survive the gap; `npm audit`-style probes do not.
108
+ */
109
+ export declare function gatherFromRef(opts: {
110
+ readonly cwd: string;
111
+ readonly ref: string;
112
+ readonly verbose?: boolean;
113
+ }): Promise<CurrentScan>;
114
+ //# sourceMappingURL=ref-baseline.d.ts.map
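Review bot: `RefWorktreeOptions.ref` and the `ref` parameter of `resolveRefToSha` are declared as a bare `string` with no stated constraint, although the doc comment shows the value is placed directly into `git rev-parse --verify <ref>^{commit}`. A value beginning with `-` would be read by git as an option rather than a revision, and ref-baseline.js in this diff passes the string through unchanged, so the contract should say who is responsible for rejecting it. Suggested doc on the field: `/** Git revision to resolve; must not begin with '-'. Validated by the caller before it reaches git. */`. Since the header says the ref can differ from the default `origin/<default-branch>`, it would also help to state whether a ref configured inside the repository being scanned is treated as trusted input.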
@@ -0,0 +1 @@
1
+ {"version":3,"file":"ref-baseline.d.ts","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAOH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5C;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAWlD;AAqBD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,IAAI,EAAE,kBAAkB,EACxB,EAAE,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GACvC,OAAO,CAAC,CAAC,CAAC,CAuDZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAMnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B,GAAG,OAAO,CAAC,WAAW,CAAC,CAIvB"}
@@ -0,0 +1,260 @@
1
+ "use strict";
2
+ /**
3
+ * Ref-based baseline gather — produces a `CurrentScan` for a git
4
+ * ref by checking it out into a temporary worktree and running the
5
+ * analyzer pipeline there.
6
+ *
7
+ * # When this runs
8
+ *
9
+ * `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
10
+ * needs a "prior side" to diff against; in committed modes the
11
+ * prior side comes from `.dxkit/baselines/<name>.json`, but in
12
+ * ref-based mode no file is committed — the prior side is
13
+ * recomputed on the fly from a git ref (default
14
+ * `origin/<default-branch>`).
15
+ *
16
+ * # Mechanics
17
+ *
18
+ * 1. Resolve `ref` to a commit SHA. Failure here surfaces a
19
+ * `RefBaselineError` with one of three actionable hints:
20
+ * - Shallow clone → `git fetch --unshallow` / CI fetch-depth
21
+ * - Ref doesn't exist → `git fetch origin` or fix policy
22
+ * - Local-only ref → push it or use a remote-tracking ref
23
+ * 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
24
+ * full checkout of the source tree at that SHA — but NOT a
25
+ * package-manager install, so dep-vuln scanners that read
26
+ * `node_modules` directly will see degraded results. The
27
+ * dxkit dep scanners use lockfiles (`package-lock.json`,
28
+ * `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
29
+ * survives the gap.
30
+ * 3. Run `gatherCurrentScan` against the worktree directory. Same
31
+ * pipeline as the live current scan — same producer registry,
32
+ * same envelope shape — so the matcher diffs apples-to-apples.
33
+ * 4. Clean up the worktree on the way out (try/finally).
34
+ *
35
+ * # Why a generic `withRefWorktree` helper
36
+ *
37
+ * The worktree setup + cleanup pattern is reusable. Future modes-
38
+ * aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
39
+ * subcommand) can compose `withRefWorktree` directly instead of
40
+ * re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
41
+ * thin specialization for the guardrail-check use case.
42
+ *
43
+ * # Failure semantics
44
+ *
45
+ * Recoverable failures (ref unreachable, worktree-add fails) throw
46
+ * `RefBaselineError` with a `hint` field the CLI renders in plain
47
+ * prose. Unrecoverable failures (the gather pipeline itself
48
+ * crashes) propagate up the original Error subclass — they're not
49
+ * specific to ref-based mode and live with the existing error
50
+ * handling in the orchestrator.
51
+ */
52
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
53
+ if (k2 === undefined) k2 = k;
54
+ var desc = Object.getOwnPropertyDescriptor(m, k);
55
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
56
+ desc = { enumerable: true, get: function() { return m[k]; } };
57
+ }
58
+ Object.defineProperty(o, k2, desc);
59
+ }) : (function(o, m, k, k2) {
60
+ if (k2 === undefined) k2 = k;
61
+ o[k2] = m[k];
62
+ }));
63
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
64
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
65
+ }) : function(o, v) {
66
+ o["default"] = v;
67
+ });
68
+ var __importStar = (this && this.__importStar) || (function () {
69
+ var ownKeys = function(o) {
70
+ ownKeys = Object.getOwnPropertyNames || function (o) {
71
+ var ar = [];
72
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
73
+ return ar;
74
+ };
75
+ return ownKeys(o);
76
+ };
77
+ return function (mod) {
78
+ if (mod && mod.__esModule) return mod;
79
+ var result = {};
80
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
81
+ __setModuleDefault(result, mod);
82
+ return result;
83
+ };
84
+ })();
85
+ Object.defineProperty(exports, "__esModule", { value: true });
86
+ exports.RefBaselineError = void 0;
87
+ exports.resolveRefToSha = resolveRefToSha;
88
+ exports.isShallowRepo = isShallowRepo;
89
+ exports.withRefWorktree = withRefWorktree;
90
+ exports.mirrorSaltFile = mirrorSaltFile;
91
+ exports.gatherFromRef = gatherFromRef;
92
+ const child_process_1 = require("child_process");
93
+ const fs_1 = require("fs");
94
+ const os_1 = require("os");
95
+ const path = __importStar(require("path"));
96
+ const create_1 = require("./create");
97
+ /**
98
+ * Recoverable error from the ref-based gather path. Carries an
99
+ * actionable `hint` the CLI surfaces verbatim so customers don't
100
+ * have to interpret raw git output. Inherits from `Error` so
101
+ * existing catch-by-Error code keeps working.
102
+ */
103
+ class RefBaselineError extends Error {
104
+ hint;
105
+ constructor(message, hint) {
106
+ super(message);
107
+ this.name = 'RefBaselineError';
108
+ this.hint = hint;
109
+ }
110
+ }
111
+ exports.RefBaselineError = RefBaselineError;
112
+ /**
113
+ * Resolve a ref to a commit SHA via `git rev-parse --verify
114
+ * <ref>^{commit}`. Returns null when the ref isn't reachable (the
115
+ * caller surfaces the appropriate hint based on shallow-clone /
116
+ * remote-only state).
117
+ */
118
+ function resolveRefToSha(cwd, ref) {
119
+ try {
120
+ const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--verify', `${ref}^{commit}`], {
121
+ cwd,
122
+ encoding: 'utf-8',
123
+ stdio: ['ignore', 'pipe', 'pipe'],
124
+ }).trim();
125
+ return out || null;
126
+ }
127
+ catch {
128
+ return null;
129
+ }
130
+ }
131
+ /**
132
+ * Whether the current working tree was cloned shallowly. Drives
133
+ * the hint surfaced when a ref isn't reachable: a CI clone with
134
+ * `fetch-depth: 1` won't have the baseline ref's history, and the
135
+ * fix is `fetch-depth: 0`, not pushing the missing ref.
136
+ */
137
+ function isShallowRepo(cwd) {
138
+ try {
139
+ const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--is-shallow-repository'], {
140
+ cwd,
141
+ encoding: 'utf-8',
142
+ stdio: ['ignore', 'pipe', 'pipe'],
143
+ }).trim();
144
+ return out === 'true';
145
+ }
146
+ catch {
147
+ return false;
148
+ }
149
+ }
150
+ /**
151
+ * Build the right `RefBaselineError` for an unreachable ref. The
152
+ * hint is the actionable next step, not a tautology — shallow
153
+ * clones get fetch-depth advice, otherwise we suggest configuring
154
+ * a different ref.
155
+ */
156
+ function unreachableRefError(cwd, ref) {
157
+ if (isShallowRepo(cwd)) {
158
+ return new RefBaselineError(`Cannot resolve baseline ref ${ref}: this is a shallow clone.`, 'Run `git fetch --unshallow` locally, or set `fetch-depth: 0` in your CI checkout step.');
159
+ }
160
+ return new RefBaselineError(`Cannot resolve baseline ref ${ref}.`, `Run \`git fetch origin\`, push the ref upstream, or set \`baseline.ref\` in .dxkit/policy.json to an existing ref.`);
161
+ }
162
+ /**
163
+ * Check out `ref` into a temporary worktree, run `fn` with the
164
+ * worktree path, and tear down the worktree on the way out.
165
+ *
166
+ * Always cleans up — even when `fn` throws. The cleanup tolerates
167
+ * `git worktree remove` failures (e.g., dirty worktree from a
168
+ * partial gather) by falling back to `rm -rf` on the temp dir.
169
+ */
170
+ async function withRefWorktree(opts, fn) {
171
+ const sha = resolveRefToSha(opts.cwd, opts.ref);
172
+ if (sha === null)
173
+ throw unreachableRefError(opts.cwd, opts.ref);
174
+ // mkdtempSync returns an empty dir; git worktree add wants the
175
+ // target path NOT to exist (or to be empty). Use a fresh subdir
176
+ // inside the temp parent so git creates it cleanly.
177
+ const tempBase = (0, fs_1.mkdtempSync)(path.join((0, os_1.tmpdir)(), 'dxkit-ref-'));
178
+ const worktreePath = path.join(tempBase, 'baseline');
179
+ let worktreeAdded = false;
180
+ try {
181
+ (0, child_process_1.execFileSync)('git', ['worktree', 'add', '--detach', worktreePath, sha], {
182
+ cwd: opts.cwd,
183
+ stdio: ['ignore', 'pipe', 'pipe'],
184
+ });
185
+ worktreeAdded = true;
186
+ // Mirror file-mode salt into the worktree so secret-HMAC entries
187
+ // pair across prior/current sides. Env-var + deterministic modes
188
+ // resolve identically across cwd + worktree (env inheritance +
189
+ // shared initial-commit SHA); file mode is the one that drifts
190
+ // because `.dxkit/salt` is gitignored and so isn't part of the
191
+ // checkout. The copy is no-op when the file doesn't exist.
192
+ mirrorSaltFile(opts.cwd, worktreePath);
193
+ return await fn(worktreePath);
194
+ }
195
+ catch (err) {
196
+ if (err instanceof RefBaselineError)
197
+ throw err;
198
+ if (!worktreeAdded) {
199
+ // The worktree-add itself failed. Surface a clean error
200
+ // instead of bubbling the raw stderr.
201
+ throw new RefBaselineError(`Failed to set up baseline worktree at ${opts.ref}.`, `Check that 'git worktree' is available and that ${tempBase} is writable.`);
202
+ }
203
+ throw err;
204
+ }
205
+ finally {
206
+ if (worktreeAdded) {
207
+ try {
208
+ (0, child_process_1.execFileSync)('git', ['worktree', 'remove', '--force', worktreePath], {
209
+ cwd: opts.cwd,
210
+ stdio: ['ignore', 'pipe', 'pipe'],
211
+ });
212
+ }
213
+ catch {
214
+ // git worktree remove can fail if the worktree dir was
215
+ // already cleaned externally. The rmSync below recovers.
216
+ }
217
+ }
218
+ try {
219
+ (0, fs_1.rmSync)(tempBase, { recursive: true, force: true });
220
+ }
221
+ catch {
222
+ // Best-effort cleanup of the temp parent. A stale temp dir
223
+ // is preferable to surfacing a misleading error if the gather
224
+ // already succeeded.
225
+ }
226
+ }
227
+ }
228
+ /**
229
+ * Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
230
+ * Public for testing — production callers reach this through
231
+ * `withRefWorktree`. The directory is created on demand; absent
232
+ * source files are silently skipped (env-var + deterministic salt
233
+ * modes both work without the file).
234
+ */
235
+ function mirrorSaltFile(srcCwd, dstCwd) {
236
+ const src = path.join(srcCwd, '.dxkit', 'salt');
237
+ if (!(0, fs_1.existsSync)(src))
238
+ return;
239
+ const dstDir = path.join(dstCwd, '.dxkit');
240
+ (0, fs_1.mkdirSync)(dstDir, { recursive: true });
241
+ (0, fs_1.copyFileSync)(src, path.join(dstDir, 'salt'));
242
+ }
243
+ /**
244
+ * Run `gatherCurrentScan` against a temporary worktree checked out
245
+ * to `ref`. Returns the same shape as a live gather — the matcher
246
+ * doesn't care which side was the worktree, only that both sides
247
+ * are `CurrentScan` envelopes.
248
+ *
249
+ * Per-tool degradation note: dep-vuln scanners may report less
250
+ * coverage in the worktree because `node_modules` (and analogous
251
+ * install artifacts) are typically gitignored and so don't exist
252
+ * in the worktree. The lockfile-driven scanners dxkit prefers
253
+ * survive the gap; `npm audit`-style probes do not.
254
+ */
255
+ async function gatherFromRef(opts) {
256
+ return withRefWorktree({ cwd: opts.cwd, ref: opts.ref }, async (worktreePath) => {
257
+ return (0, create_1.gatherCurrentScan)({ cwd: worktreePath, verbose: opts.verbose });
258
+ });
259
+ }
260
+ //# sourceMappingURL=ref-baseline.js.map
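Review bot: `mirrorSaltFile` writes the HMAC salt into the checked-out tree without checking what already exists at `.dxkit` or `.dxkit/salt` there, so the destination is determined by the content of the baseline ref rather than by dxkit. The comment in `withRefWorktree` assumes the file is gitignored, but nothing enforces that for the ref being checked out. If the tree carries a symbolic link at either path, `copyFileSync` follows it and the salt ends up outside the temp directory, where the `rmSync` teardown does not remove it. I would refuse a linked `.dxkit` and pass `fs.constants.COPYFILE_EXCL` so an existing destination fails loudly, as sketched below; note that this also turns a salt file committed on the ref into an error instead of a silent overwrite. Separately, the empty `catch` around `rmSync(tempBase, ...)` leaves the salt copy in the temp directory without any message when cleanup fails, so a warning on stderr there would make it visible.

```javascript
function mirrorSaltFile(srcCwd, dstCwd) {
    // … unchanged: src lookup, existsSync early return, dstDir, mkdirSync …
    // The baseline tree decides what exists at .dxkit; never write the salt through a link.
    if ((0, fs_1.lstatSync)(dstDir).isSymbolicLink()) {
        throw new RefBaselineError('Refusing to copy .dxkit/salt: .dxkit in the baseline worktree is a symbolic link.', 'Make .dxkit a regular directory on the baseline ref.');
    }
    // COPYFILE_EXCL fails if anything, including a link, already exists at the destination.
    (0, fs_1.copyFileSync)(src, path.join(dstDir, 'salt'), fs_1.constants.COPYFILE_EXCL);
}
```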
@@ -0,0 +1 @@
1
+ {"version":3,"file":"ref-baseline.js","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCH,0CAWC;AAQD,sCAWC;AA6BD,0CA0DC;AASD,wCAMC;AAcD,sCAQC;AA3LD,iDAA6C;AAC7C,2BAA8E;AAC9E,2BAA4B;AAC5B,2CAA6B;AAC7B,qCAA6C;AAG7C;;;;;GAKG;AACH,MAAa,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IACtB,YAAY,OAAe,EAAE,IAAY;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAPD,4CAOC;AAOD;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,GAAW,EAAE,GAAW;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,GAAG,WAAW,CAAC,EAAE;YAC5E,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,yBAAyB,CAAC,EAAE;YACxE,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,KAAK,MAAM,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,GAAW,EAAE,GAAW;IACnD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,4BAA4B,EAC9D,wFAAwF,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,GAAG,EACrC,oHAAoH,CACrH,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,IAAwB,EACxB,EAAwC;IAExC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,GAAG,KAAK,IAAI;QAAE,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAEhE,+DAA+D;IAC/D,gEAAgE;IAChE,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAA,gBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,WAAM,GAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACrD,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI
,CAAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,EAAE;YACtE,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,aAAa,GAAG,IAAI,CAAC;QACrB,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,OAAO,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,gBAAgB;YAAE,MAAM,GAAG,CAAC;QAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,wDAAwD;YACxD,sCAAsC;YACtC,MAAM,IAAI,gBAAgB,CACxB,yCAAyC,IAAI,CAAC,GAAG,GAAG,EACpD,mDAAmD,QAAQ,eAAe,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE;oBACnE,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,yDAAyD;YAC3D,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,IAAA,WAAM,EAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,8DAA8D;YAC9D,qBAAqB;QACvB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,MAAc,EAAE,MAAc;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC;QAAE,OAAO;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAA,cAAS,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,IAAA,iBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,aAAa,CAAC,IAInC;IACC,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE;QAC9E,OAAO,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACL,CAAC"}
@@ -0,0 +1,80 @@
1
+ /**
2
+ * Baseline sanitization — pure transformation that strips every
3
+ * non-identity field from a `BaselineEntry`, producing a
4
+ * `SanitizedBaselineEntry` carrying only `id`, `kind`, and the
5
+ * `sanitized: true` discriminant.
6
+ *
7
+ * # Why sanitization exists
8
+ *
9
+ * A committed-to-git baseline carries human-readable metadata that
10
+ * can leak useful intelligence to anyone with read access to the
11
+ * repo:
12
+ *
13
+ * - `secret` / `code` / `config` findings disclose the exact file
14
+ * path + line + rule that flagged them — an attacker reading the
15
+ * baseline knows where to grep history for the leaked credential
16
+ * or which insecure call site to inspect first.
17
+ * - `dep-vuln` findings disclose private package names + installed
18
+ * versions + advisory ids — discloses internal repo structure
19
+ * and which CVEs the codebase is currently vulnerable to.
20
+ * - File paths in any source-anchored kind disclose repo layout
21
+ * (module boundaries, internal naming conventions).
22
+ *
23
+ * The sanitization pass collapses every entry to identity-only.
24
+ * What's lost:
25
+ * - The matcher's location-pair pass (no `file` / `line` to
26
+ * compare across runs); the matcher falls back to identity-
27
+ * multiset matching, which still works at full confidence for
28
+ * exact-byte-equality matches.
29
+ * - The renderer's ability to surface human-readable locators.
30
+ * `baseline show` collapses to `<sanitized>` for the locator
31
+ * string.
32
+ *
33
+ * What's preserved:
34
+ * - The 16-char fingerprint `id`. Cross-run matching works.
35
+ * - The `kind` discriminant. Severity defaults + classifier
36
+ * behavior work.
37
+ * - The full envelope metadata (createdAt, commitSha, tools,
38
+ * analysis hashes) — none of those carry per-finding sensitive
39
+ * content.
40
+ *
41
+ * # Public-repo + private-repo posture
42
+ *
43
+ * The two modes that consume sanitization (selected in a later
44
+ * commit alongside the visibility-aware mode picker):
45
+ * - `committed-full` — store rich entries; default on private
46
+ * repos with small teams.
47
+ * - `committed-sanitized` — strip every entry via `sanitizeFile`;
48
+ * default on public repos and on private repos with
49
+ * compliance-conscious posture.
50
+ *
51
+ * Pure module — no I/O. The write path applies the transformation
52
+ * before serializing; the read path observes the `sanitized: true`
53
+ * field on each entry and routes consumers accordingly.
54
+ */
55
+ import type { BaselineEntry, SanitizedBaselineEntry } from './types';
56
+ import type { BaselineFile } from './baseline-file';
57
+ /**
58
+ * Type guard: distinguishes a stripped entry from a rich one.
59
+ * Consumers walking a `BaselineEntry` exhaustively call this first
60
+ * so the rest of their switch narrows to the rich union and stays
61
+ * type-safe.
62
+ */
63
+ export declare function isSanitized(entry: BaselineEntry): entry is SanitizedBaselineEntry;
64
+ /**
65
+ * Strip every non-identity field from a single entry. Already-
66
+ * sanitized entries pass through unchanged. `kind` is preserved
67
+ * verbatim; readers can still partition the baseline by kind for
68
+ * count reporting + per-kind severity defaults.
69
+ */
70
+ export declare function sanitizeEntry(entry: BaselineEntry): SanitizedBaselineEntry;
71
+ /**
72
+ * Apply `sanitizeEntry` to every finding in a baseline file. The
73
+ * envelope (repo, analysis, tools, saltMode, createdAt, etc.)
74
+ * passes through unchanged — none of those fields carry per-finding
75
+ * sensitive content. The resulting file is byte-stable across
76
+ * repeated sanitizations: a sanitized file sanitized again returns
77
+ * an identity-equal file.
78
+ */
79
+ export declare function sanitizeFile(file: BaselineFile): BaselineFile;
80
+ //# sourceMappingURL=sanitize.d.ts.map
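Review bot: The header comment's "What's preserved" list treats the retained `id` and `kind` as harmless, but never says what a reader of a sanitized baseline can still learn. Per-kind counts survive, so a public repo still shows how many `secret` or `dep-vuln` findings are outstanding. Whether a 16-char fingerprint can be confirmed by someone guessing path, line and rule depends on how it is salted, which this file does not show (the envelope only mentions `saltMode`). I would add a short "Residual disclosure" paragraph under "What's preserved" stating both points, and noting that envelope fields such as `repo` and `commitSha` are still published. The same header is repeated in sanitize.js and needs the same addition.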
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/baseline/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAC;AACrE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,aAAa,GAAG,KAAK,IAAI,sBAAsB,CAEjF;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,aAAa,GAAG,sBAAsB,CAG1E;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,GAAG,YAAY,CAE7D"}
@@ -0,0 +1,91 @@
1
+ "use strict";
2
+ /**
3
+ * Baseline sanitization — pure transformation that strips every
4
+ * non-identity field from a `BaselineEntry`, producing a
5
+ * `SanitizedBaselineEntry` carrying only `id`, `kind`, and the
6
+ * `sanitized: true` discriminant.
7
+ *
8
+ * # Why sanitization exists
9
+ *
10
+ * A committed-to-git baseline carries human-readable metadata that
11
+ * can leak useful intelligence to anyone with read access to the
12
+ * repo:
13
+ *
14
+ * - `secret` / `code` / `config` findings disclose the exact file
15
+ * path + line + rule that flagged them — an attacker reading the
16
+ * baseline knows where to grep history for the leaked credential
17
+ * or which insecure call site to inspect first.
18
+ * - `dep-vuln` findings disclose private package names + installed
19
+ * versions + advisory ids — discloses internal repo structure
20
+ * and which CVEs the codebase is currently vulnerable to.
21
+ * - File paths in any source-anchored kind disclose repo layout
22
+ * (module boundaries, internal naming conventions).
23
+ *
24
+ * The sanitization pass collapses every entry to identity-only.
25
+ * What's lost:
26
+ * - The matcher's location-pair pass (no `file` / `line` to
27
+ * compare across runs); the matcher falls back to identity-
28
+ * multiset matching, which still works at full confidence for
29
+ * exact-byte-equality matches.
30
+ * - The renderer's ability to surface human-readable locators.
31
+ * `baseline show` collapses to `<sanitized>` for the locator
32
+ * string.
33
+ *
34
+ * What's preserved:
35
+ * - The 16-char fingerprint `id`. Cross-run matching works.
36
+ * - The `kind` discriminant. Severity defaults + classifier
37
+ * behavior work.
38
+ * - The full envelope metadata (createdAt, commitSha, tools,
39
+ * analysis hashes) — none of those carry per-finding sensitive
40
+ * content.
41
+ *
42
+ * # Public-repo + private-repo posture
43
+ *
44
+ * The two modes that consume sanitization (selected in a later
45
+ * commit alongside the visibility-aware mode picker):
46
+ * - `committed-full` — store rich entries; default on private
47
+ * repos with small teams.
48
+ * - `committed-sanitized` — strip every entry via `sanitizeFile`;
49
+ * default on public repos and on private repos with
50
+ * compliance-conscious posture.
51
+ *
52
+ * Pure module — no I/O. The write path applies the transformation
53
+ * before serializing; the read path observes the `sanitized: true`
54
+ * field on each entry and routes consumers accordingly.
55
+ */
56
+ Object.defineProperty(exports, "__esModule", { value: true });
57
+ exports.isSanitized = isSanitized;
58
+ exports.sanitizeEntry = sanitizeEntry;
59
+ exports.sanitizeFile = sanitizeFile;
60
+ /**
61
+ * Type guard: distinguishes a stripped entry from a rich one.
62
+ * Consumers walking a `BaselineEntry` exhaustively call this first
63
+ * so the rest of their switch narrows to the rich union and stays
64
+ * type-safe.
65
+ */
66
+ function isSanitized(entry) {
67
+ return entry.sanitized === true;
68
+ }
69
+ /**
70
+ * Strip every non-identity field from a single entry. Already-
71
+ * sanitized entries pass through unchanged. `kind` is preserved
72
+ * verbatim; readers can still partition the baseline by kind for
73
+ * count reporting + per-kind severity defaults.
74
+ */
75
+ function sanitizeEntry(entry) {
76
+ if (isSanitized(entry))
77
+ return entry;
78
+ return { id: entry.id, kind: entry.kind, sanitized: true };
79
+ }
80
+ /**
81
+ * Apply `sanitizeEntry` to every finding in a baseline file. The
82
+ * envelope (repo, analysis, tools, saltMode, createdAt, etc.)
83
+ * passes through unchanged — none of those fields carry per-finding
84
+ * sensitive content. The resulting file is byte-stable across
85
+ * repeated sanitizations: a sanitized file sanitized again returns
86
+ * an identity-equal file.
87
+ */
88
+ function sanitizeFile(file) {
89
+ return { ...file, findings: file.findings.map(sanitizeEntry) };
90
+ }
91
+ //# sourceMappingURL=sanitize.js.map
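Review bot: `sanitizeEntry` returns the entry untouched whenever `isSanitized(entry)` is true, and `isSanitized` only checks `entry.sanitized === true`. An entry that carries that flag together with `file`, `line` or other rich fields (a hand-edited baseline, a merge result, a different writer) would therefore pass through `sanitizeFile` unstripped. Whether the reader validates entry shape before this point is not visible here. Since this step runs before a baseline is committed, it is safer to fail closed: drop `if (isSanitized(entry)) return entry;` and always `return { id: entry.id, kind: entry.kind, sanitized: true };`, which remains stable across repeated sanitization. This file is compiled output, so the change belongs in `src/baseline/sanitize.ts`, the source named in the source map.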
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/baseline/sanitize.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;;AAWH,kCAEC;AAQD,sCAGC;AAUD,oCAEC;AA/BD;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,KAAoB;IAC9C,OAAQ,KAAiC,CAAC,SAAS,KAAK,IAAI,CAAC;AAC/D,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,KAAoB;IAChD,IAAI,WAAW,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,YAAY,CAAC,IAAkB;IAC7C,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;AACjE,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"show.d.ts","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAG,wBAAiC,CAAC;AAEtE;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC,CAe5D,CAAC;AAEH;;mCAEmC;AACnC,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,IAAI,CAIzE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,YAAY,GAAG,MAAM,CA6BxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAkBlF;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,YAAY,EAClB,OAAO,GAAE;IAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAO,GACtD;IACD,QAAQ,CAAC,MAAM,EAAE,OAAO,oBAAoB,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IACjE,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;KAC3E,CAAC;CACH,CAcA"}
1
+ {"version":3,"file":"show.d.ts","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAG,wBAAiC,CAAC;AAEtE;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC,CAc5D,CAAC;AAEH;;mCAEmC;AACnC,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,IAAI,CAIzE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,YAAY,GAAG,MAAM,CA6BxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAkBlF;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,YAAY,EAClB,OAAO,GAAE;IAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAO,GACtD;IACD,QAAQ,CAAC,MAAM,EAAE,OAAO,oBAAoB,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IACjE,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;KAC3E,CAAC;CACH,CAcA"}
@@ -61,6 +61,7 @@ exports.renderSummary = renderSummary;
61
61
  exports.renderKind = renderKind;
62
62
  exports.renderJson = renderJson;
63
63
  const logger = __importStar(require("../logger"));
64
+ const sanitize_1 = require("./sanitize");
64
65
  /**
65
66
  * JSON schema banner for the `baseline show --json` envelope.
66
67
  * Distinct from the raw `schemaVersion: 'dxkit-baseline/v1'` field
@@ -82,7 +83,6 @@ exports.FILTER_KINDS = Object.freeze([
82
83
  'coverage-gap',
83
84
  'test-gap',
84
85
  'hygiene',
85
- 'license',
86
86
  'test-file-degradation',
87
87
  'god-file',
88
88
  'stale-file',
@@ -193,8 +193,14 @@ function countByKind(entries) {
193
193
  * Kind-specific fields drive the format so a reader sees the
194
194
  * meaningful axis (file:line for source-anchored kinds,
195
195
  * package@version+advisory for dep-vulns, etc.).
196
+ *
197
+ * Sanitized entries carry only identity + kind; renderer surfaces
198
+ * `<sanitized>` so the user knows location detail was stripped at
199
+ * write time. The fingerprint prefix still anchors the row.
196
200
  */
197
201
  function describeEntry(entry) {
202
+ if ((0, sanitize_1.isSanitized)(entry))
203
+ return '<sanitized>';
198
204
  switch (entry.kind) {
199
205
  case 'secret':
200
206
  case 'code':
@@ -212,8 +218,6 @@ function describeEntry(entry) {
212
218
  : `${entry.file}:${entry.lineRange?.[0] ?? '?'}-${entry.lineRange?.[1] ?? '?'}`;
213
219
  case 'test-gap':
214
220
  return `${entry.file} [risk: ${entry.risk}]`;
215
- case 'license':
216
- return `${entry.package}@${entry.version} [${entry.licenseType}]`;
217
221
  case 'test-file-degradation':
218
222
  return `${entry.file} [${entry.status}]`;
219
223
  case 'god-file':
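Review bot: With the `'license'` case removed here, and `'license'` dropped from `FILTER_KINDS` in the earlier hunk, a baseline written by 2.5.2 that still holds `kind: 'license'` entries has no matching branch. The switch has no `default` as far as these hunks show, so `describeEntry` would return `undefined` and the row would print that literally. Unless such entries are migrated or rejected on read (not visible here), I would add a fallback at the end of the switch, e.g. `default: return '<unknown kind>';`. The body of `describeEntry` starts and ends outside this hunk.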
@@ -223,6 +227,8 @@ function describeEntry(entry) {
223
227
  return `${entry.file} [.${entry.suffix}]`;
224
228
  case 'secret-hmac':
225
229
  return `[${entry.tool}/${entry.rule}] hmac:${entry.hmac.slice(0, 12)}`;
230
+ case 'stale-allow':
231
+ return `${entry.file}:${entry.line} [stale dxkit-allow:${entry.category}]`;
226
232
  }
227
233
  }
228
234
  function shortSha(sha) {
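Review bot: `'stale-allow'` gets a `describeEntry` case in this hunk, but it does not appear to be added to `FILTER_KINDS`: the only change to that array in the hunks shown is the removal of `'license'`. If `FILTER_KINDS` is what validates the kind filter for `baseline show`, stale-allow entries would be counted in the summary but could not be listed by kind. Adding `'stale-allow',` to the frozen array would keep the two in step. If the omission is deliberate, a one-line comment on the array naming the kinds that are intentionally not filterable would make that clear.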
@@ -1 +1 @@
1
- {"version":3,"file":"show.js","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCH,0CAIC;AAOD,sCA6BC;AAYD,gCAkBC;AASD,gCAyBC;AA7ID,kDAAoC;AAIpC;;;;;GAKG;AACU,QAAA,oBAAoB,GAAG,wBAAiC,CAAC;AAEtE;;;;GAIG;AACU,QAAA,YAAY,GAAyC,MAAM,CAAC,MAAM,CAAC;IAC9E,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,UAAU;IACV,aAAa;IACb,cAAc;IACd,UAAU;IACV,SAAS;IACT,SAAS;IACT,uBAAuB;IACvB,UAAU;IACV,YAAY;IACZ,YAAY;IACZ,aAAa;CACd,CAAC,CAAC;AAEH;;mCAEmC;AACnC,SAAgB,eAAe,CAAC,GAAW;IACzC,OAAQ,oBAAsC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAC1D,CAAC,CAAE,GAA6B;QAChC,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,IAAkB;IAC9C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,CAAC;IAClG,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC;IACpD,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAA2C,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,UAAU,GAAG,IAAI,CA
AC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/D,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,UAAU,CAAC,IAAkB,EAAE,IAA2B;IACxE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,0BAA0B,IAAI,IAAI,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,CAAC,IAAI,CACR,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,IAAI,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CACzF,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,UAAU,CACxB,IAAkB,EAClB,UAAqD,EAAE;IAUvD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI;QAC3B,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;IAClB,MAAM,IAAI,GAAiB,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjD,OAAO;QACL,MAAM,EAAE,4BAAoB;QAC5B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;QACpD,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE;YACP,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC;SA
C9B;KACF,CAAC;AACJ,CAAC;AAED;yDACyD;AACzD,SAAS,WAAW,CAClB,OAAqC;IAErC,MAAM,GAAG,GAAmD,EAAE,CAAC;IAC/D,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9D,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,SAAS,aAAa,CAAC,KAAoB;IACzC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC;QACtE,KAAK,SAAS;YACZ,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC;QAC1D,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,gBAAgB,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,GAAG,CAAC;QACpF,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,QAAQ,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,MAAM,KAAK,CAAC,KAAK,SAAS,CAAC;QAC7G,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC,MAAM;gBACjB,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE;gBACjC,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC;QACpF,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,GAAG,CAAC;QAChD,KAAK,SAAS;YACZ,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,MAAM,KAAK,CAAC,WAAW,GAAG,CAAC;QACrE,KAAK,uBAAuB;YAC1B,OAAO,GAAG,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC;QAC5C,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY;YACf,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,KAAK,YAAY;YACf,OAAO,GAAG,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC;QAC7C,KAAK,aAAa;YAChB,OAAO,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IAC5E,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,IAAI,CAAC,GAAG;QAAE,OAAO,aAAa,CAAC;IAC/B,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACzB,CAAC"}
1
+ {"version":3,"file":"show.js","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCH,0CAIC;AAOD,sCA6BC;AAYD,gCAkBC;AASD,gCAyBC;AA7ID,kDAAoC;AAEpC,yCAAyC;AAGzC;;;;;GAKG;AACU,QAAA,oBAAoB,GAAG,wBAAiC,CAAC;AAEtE;;;;GAIG;AACU,QAAA,YAAY,GAAyC,MAAM,CAAC,MAAM,CAAC;IAC9E,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,UAAU;IACV,aAAa;IACb,cAAc;IACd,UAAU;IACV,SAAS;IACT,uBAAuB;IACvB,UAAU;IACV,YAAY;IACZ,YAAY;IACZ,aAAa;CACd,CAAC,CAAC;AAEH;;mCAEmC;AACnC,SAAgB,eAAe,CAAC,GAAW;IACzC,OAAQ,oBAAsC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAC1D,CAAC,CAAE,GAA6B;QAChC,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,IAAkB;IAC9C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,CAAC;IAClG,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC;IACpD,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAA2C,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,UAAU,GAAG,IAAI
,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/D,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,UAAU,CAAC,IAAkB,EAAE,IAA2B;IACxE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,0BAA0B,IAAI,IAAI,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,CAAC,IAAI,CACR,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,IAAI,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CACzF,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,UAAU,CACxB,IAAkB,EAClB,UAAqD,EAAE;IAUvD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI;QAC3B,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;IAClB,MAAM,IAAI,GAAiB,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjD,OAAO;QACL,MAAM,EAAE,4BAAoB;QAC5B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;QACpD,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE;YACP,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC
;SAC9B;KACF,CAAC;AACJ,CAAC;AAED;yDACyD;AACzD,SAAS,WAAW,CAClB,OAAqC;IAErC,MAAM,GAAG,GAAmD,EAAE,CAAC;IAC/D,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9D,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,aAAa,CAAC,KAAoB;IACzC,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,aAAa,CAAC;IAC7C,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC;QACtE,KAAK,SAAS;YACZ,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC;QAC1D,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,gBAAgB,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,GAAG,CAAC;QACpF,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,QAAQ,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,MAAM,KAAK,CAAC,KAAK,SAAS,CAAC;QAC7G,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC,MAAM;gBACjB,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE;gBACjC,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC;QACpF,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,GAAG,CAAC;QAChD,KAAK,uBAAuB;YAC1B,OAAO,GAAG,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC;QAC5C,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY;YACf,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,KAAK,YAAY;YACf,OAAO,GAAG,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC;QAC7C,KAAK,aAAa;YAChB,OAAO,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC1E,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,wBAAwB,KAAK,CAAC,QAAQ,GAAG,CAAC;IAChF,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,IAAI,CAAC,GAAG;QAAE,OAAO,aAAa,CAAC;IAC/B,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACzB,CAAC"}