@vyuhlabs/dxkit 2.5.2 → 2.6.0
- package/CHANGELOG.md +164 -0
- package/README.md +102 -0
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +88 -3
- package/dist/cli.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +106 -16
- package/dist/doctor.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +1 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +1 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +1 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +1 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +1 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +1 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +1 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +25 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +1 -0
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +105 -11
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
package/dist/baseline/types.d.ts
CHANGED
|
@@ -46,7 +46,13 @@
|
|
|
46
46
|
* analyzer.
|
|
47
47
|
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
48
48
|
* occurrences (per-occurrence identity).
|
|
49
|
-
*
|
|
49
|
+
*
|
|
50
|
+
* License attributions are NOT a baseline finding kind. They live in
|
|
51
|
+
* the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
|
|
52
|
+
* license inventory carried by `vyuh-dxkit bom`. License findings
|
|
53
|
+
* are informational, not regression material, and dominated the
|
|
54
|
+
* baseline (~73% of entries on real customer repos) before being
|
|
55
|
+
* lifted out.
|
|
50
56
|
*/
|
|
51
57
|
/**
|
|
52
58
|
* 16-char lowercase hex fingerprint. Same byte format as the
|
|
@@ -79,7 +85,7 @@ export type IdentitySchemeVersion = 'v1';
|
|
|
79
85
|
* The hash format is SHA-1[0:16] across every kind — callers store
|
|
80
86
|
* identities in one flat set without tracking provenance.
|
|
81
87
|
*/
|
|
82
|
-
export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput |
|
|
88
|
+
export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput | StaleAllowIdentityInput;
|
|
83
89
|
/** gitleaks + private-key files + similar secret detectors. */
|
|
84
90
|
export interface SecretIdentityInput {
|
|
85
91
|
readonly kind: 'secret';
|
|
@@ -190,23 +196,6 @@ export interface HygieneOffenderIdentityInput {
|
|
|
190
196
|
readonly line: number;
|
|
191
197
|
readonly marker: HygieneMarker;
|
|
192
198
|
}
|
|
193
|
-
/**
|
|
194
|
-
* Package license attribution. Identity includes the license type so
|
|
195
|
-
* a license change on the same `(package, version)` pin registers
|
|
196
|
-
* as a fresh finding — compliance teams want to know if a dependency
|
|
197
|
-
* re-licenses under a different (perhaps more restrictive) license
|
|
198
|
-
* even when no version bump happened.
|
|
199
|
-
*/
|
|
200
|
-
export interface LicenseIdentityInput {
|
|
201
|
-
readonly kind: 'license';
|
|
202
|
-
readonly package: string;
|
|
203
|
-
readonly version: string;
|
|
204
|
-
/** Canonical SPDX identifier (`'MIT'`, `'Apache-2.0'`, `'GPL-3.0'`,
|
|
205
|
-
* `'UNKNOWN'`). Producer is the existing license-aggregation
|
|
206
|
-
* pipeline; identity is byte-stable as long as the producer
|
|
207
|
-
* reports the SPDX id consistently. */
|
|
208
|
-
readonly licenseType: string;
|
|
209
|
-
}
|
|
210
199
|
/**
|
|
211
200
|
* A test file flagged by the test-gaps analyzer as degraded — present
|
|
212
201
|
* but not actively exercising the system under test. Identity carries
|
|
@@ -294,6 +283,32 @@ export interface SecretHmacIdentityInput {
|
|
|
294
283
|
/** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
|
|
295
284
|
readonly hmac: string;
|
|
296
285
|
}
|
|
286
|
+
/**
|
|
287
|
+
* Orphaned inline allowlist annotation — a `dxkit-allow:<category>`
|
|
288
|
+
* comment in a source file that matches no current finding. The
|
|
289
|
+
* developer suppressed something that's since been fixed (or the
|
|
290
|
+
* scanner stopped flagging), and the annotation should be removed.
|
|
291
|
+
* TypeScript's `@ts-expect-error` proved this pattern: tools that
|
|
292
|
+
* surface their own stale suppressions as findings force the dev
|
|
293
|
+
* to clean up, preventing the annotation graveyard.
|
|
294
|
+
*
|
|
295
|
+
* Identity is `(file, lineWindow, category)` — same 3-line window
|
|
296
|
+
* the code-finding fingerprint uses, so formatter / unrelated-edit
|
|
297
|
+
* line drift doesn't churn identity. Category is part of identity
|
|
298
|
+
* because a `# dxkit-allow:test-fixture` becoming
|
|
299
|
+
* `# dxkit-allow:false-positive` (developer reclassified mid-review)
|
|
300
|
+
* is a semantically different stale-allow.
|
|
301
|
+
*/
|
|
302
|
+
export interface StaleAllowIdentityInput {
|
|
303
|
+
readonly kind: 'stale-allow';
|
|
304
|
+
readonly file: string;
|
|
305
|
+
readonly line: number;
|
|
306
|
+
/** The category named in the orphaned annotation. Free-form
|
|
307
|
+
* string at identity-input level (the canonical
|
|
308
|
+
* `AllowlistCategory` union lives in `src/allowlist/categories.ts`
|
|
309
|
+
* to avoid a cross-module import here in the baseline types). */
|
|
310
|
+
readonly category: string;
|
|
311
|
+
}
|
|
297
312
|
/**
|
|
298
313
|
* Per-finding entry stored in a baseline. Carries identity plus the
|
|
299
314
|
* minimum metadata needed for cross-run drift-tolerant matching —
|
|
@@ -350,12 +365,6 @@ export type BaselineEntry = {
|
|
|
350
365
|
* — populated when the producer can read the file at the
|
|
351
366
|
* baseline commit. */
|
|
352
367
|
contentHash?: string;
|
|
353
|
-
} | {
|
|
354
|
-
id: FindingId;
|
|
355
|
-
kind: 'license';
|
|
356
|
-
package: string;
|
|
357
|
-
version: string;
|
|
358
|
-
licenseType: string;
|
|
359
368
|
} | {
|
|
360
369
|
id: FindingId;
|
|
361
370
|
kind: 'test-file-degradation';
|
|
@@ -380,7 +389,45 @@ export type BaselineEntry = {
|
|
|
380
389
|
tool: string;
|
|
381
390
|
rule: string;
|
|
382
391
|
hmac: string;
|
|
383
|
-
}
|
|
392
|
+
} | {
|
|
393
|
+
id: FindingId;
|
|
394
|
+
kind: 'stale-allow';
|
|
395
|
+
file: string;
|
|
396
|
+
line: number;
|
|
397
|
+
category: string;
|
|
398
|
+
} | SanitizedBaselineEntry;
|
|
399
|
+
/**
|
|
400
|
+
* The full-payload subset of `BaselineEntry` — every variant except
|
|
401
|
+
* the stripped sanitized shape. Producers emit this shape directly;
|
|
402
|
+
* sanitization is a write-time transformation, never a producer
|
|
403
|
+
* concern. Consumers narrowing on `entry.kind` from a `BaselineEntry`
|
|
404
|
+
* must call `isSanitized` first to reach this shape (or accept the
|
|
405
|
+
* sanitized variant in the union).
|
|
406
|
+
*/
|
|
407
|
+
export type RichBaselineEntry = Exclude<BaselineEntry, SanitizedBaselineEntry>;
|
|
408
|
+
/**
|
|
409
|
+
* Stripped per-finding entry — identity + kind only, every other
|
|
410
|
+
* field dropped. Produced by `sanitizeEntry` for baselines written in
|
|
411
|
+
* sanitized mode (the public-repo / compliance-conscious posture).
|
|
412
|
+
*
|
|
413
|
+
* Sanitization preserves the cross-run matching contract: the
|
|
414
|
+
* fingerprint `id` is unchanged, the matcher's identity-multiset
|
|
415
|
+
* pass still works at full confidence. What's lost is the location-
|
|
416
|
+
* pair pass (no `file` / `line` to compare) and the renderer's
|
|
417
|
+
* ability to surface human-readable locators (`src/auth/oauth.ts:42`)
|
|
418
|
+
* — they collapse to `<sanitized>` in `baseline show` output.
|
|
419
|
+
*
|
|
420
|
+
* The `sanitized: true` discriminant lets exhaustive switches narrow
|
|
421
|
+
* to either the rich shape or the stripped shape via the
|
|
422
|
+
* `isSanitized` guard in `./sanitize.ts`. Adding a new finding kind
|
|
423
|
+
* doesn't require touching this variant — `kind` is the union of all
|
|
424
|
+
* non-sanitized kinds, propagated automatically.
|
|
425
|
+
*/
|
|
426
|
+
export interface SanitizedBaselineEntry {
|
|
427
|
+
readonly id: FindingId;
|
|
428
|
+
readonly kind: 'secret' | 'code' | 'config' | 'dep-vuln' | 'duplication' | 'coverage-gap' | 'test-gap' | 'hygiene' | 'test-file-degradation' | 'god-file' | 'stale-file' | 'large-file' | 'secret-hmac' | 'stale-allow';
|
|
429
|
+
readonly sanitized: true;
|
|
430
|
+
}
|
|
384
431
|
/**
|
|
385
432
|
* One pairing decision from the matcher. Carries enough context for
|
|
386
433
|
* the guardrail to render a clear explanation ("this finding was
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;GAIG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,CAAC;AAEzC;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;gDAC4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;6DACyD;IACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;0CACsC;IACtC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;kEAC8D;IAC9D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;;gEAI4D;IAC5D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;8CAG0C;IAC1C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;kBACc;IACd,QAAQ,CAAC,SAAS,CAAC,EAAE,SAA
S,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;oDAGgD;IAChD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0BAEsB;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;sEAGkE;IAClE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;oDAKgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GA
CD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;2BAEuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACpF,sBAAsB,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,IAAI,EACT,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,UAAU,GACV,aAAa,GACb,cAAc,GACd,UAAU,GACV,SAAS,GACT,uBAAuB,GACvB,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,aAAa,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,Q
AAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;gEAC4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
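Review bot: The doc comment on `SanitizedBaselineEntry` in the `@@ -380,7 +389,45 @@` hunk says `kind` is "the union of all non-sanitized kinds, propagated automatically", but the emitted declaration spells it out as a literal list of fourteen string literals, so a finding kind added to `IdentityInput` and `BaselineEntry` will not reach `SanitizedBaselineEntry.kind` without a manual edit — the exact maintenance step the comment promises is unnecessary. Since `IdentityInput` (same file, `@@ -79,7 +85,7 @@` hunk) appears to enumerate the same fourteen kinds, deriving the field as `readonly kind: IdentityInput['kind'];` in `src/baseline/types.ts` would make the comment true and the `.d.ts` would then emit that expression instead of a list; otherwise reword the comment to say the list must be kept in step with `IdentityInput`. This file is compiler output, so the fix belongs in the source `.ts`.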
|
package/dist/baseline/types.js
CHANGED
|
@@ -47,7 +47,13 @@
|
|
|
47
47
|
* analyzer.
|
|
48
48
|
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
49
49
|
* occurrences (per-occurrence identity).
|
|
50
|
-
*
|
|
50
|
+
*
|
|
51
|
+
* License attributions are NOT a baseline finding kind. They live in
|
|
52
|
+
* the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
|
|
53
|
+
* license inventory carried by `vyuh-dxkit bom`. License findings
|
|
54
|
+
* are informational, not regression material, and dominated the
|
|
55
|
+
* baseline (~73% of entries on real customer repos) before being
|
|
56
|
+
* lifted out.
|
|
51
57
|
*/
|
|
52
58
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
53
59
|
//# sourceMappingURL=types.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG"}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Repo visibility detection — probes `gh repo view --json visibility`
|
|
3
|
+
* to learn whether the current repo is public, private, or internal
|
|
4
|
+
* (GitHub Enterprise's middle tier).
|
|
5
|
+
*
|
|
6
|
+
* # Why this module exists
|
|
7
|
+
*
|
|
8
|
+
* Baseline mode resolution (see `./modes.ts`) needs the answer to
|
|
9
|
+
* "is this a public repo?" to pick the right default posture.
|
|
10
|
+
* Public repos default to `ref-based` (no committed baseline,
|
|
11
|
+
* zero disclosure); private repos default to `committed-full`.
|
|
12
|
+
* Without a reliable visibility probe the picker can't be safe-
|
|
13
|
+
* by-default.
|
|
14
|
+
*
|
|
15
|
+
* # Failure semantics
|
|
16
|
+
*
|
|
17
|
+
* Every failure path returns `'unknown'` rather than throwing.
|
|
18
|
+
* Callers treat unknown the same way they treat private — the
|
|
19
|
+
* safe default. Concrete failure modes:
|
|
20
|
+
*
|
|
21
|
+
* - `gh` binary missing
|
|
22
|
+
* - `gh auth` not configured
|
|
23
|
+
* - Repo has no GitHub remote
|
|
24
|
+
* - Repo is on a non-GitHub host (GitLab, self-hosted)
|
|
25
|
+
* - Network failure / API throttling
|
|
26
|
+
* - Repo deleted or made inaccessible to the calling user
|
|
27
|
+
*
|
|
28
|
+
* None of these warrant a surprise switch to sanitized mode — a
|
|
29
|
+
* customer's private repo shouldn't suddenly start writing
|
|
30
|
+
* stripped baselines because `gh auth` lapsed.
|
|
31
|
+
*
|
|
32
|
+
* # Caching
|
|
33
|
+
*
|
|
34
|
+
* The probe is slow (~500ms cold). Results are cached per-process
|
|
35
|
+
* by absolute cwd. Tests clear the cache via `clearVisibilityCache`.
|
|
36
|
+
*/
|
|
37
|
+
/**
|
|
38
|
+
* The visibility states the picker reads. `'internal'` is GitHub
|
|
39
|
+
* Enterprise's middle tier (visible to org members; not the public).
|
|
40
|
+
* The mode picker treats internal the same as private — internal
|
|
41
|
+
* repos are not safe to expose location data on, but they're not
|
|
42
|
+
* literally public either.
|
|
43
|
+
*/
|
|
44
|
+
export type RepoVisibility = 'public' | 'private' | 'internal' | 'unknown';
|
|
45
|
+
/**
|
|
46
|
+
* Detect the visibility of the repo rooted at `cwd`. Returns
|
|
47
|
+
* `'unknown'` on every failure path — never throws. Cached per
|
|
48
|
+
* absolute cwd for the lifetime of the process.
|
|
49
|
+
*
|
|
50
|
+
* Production callers always use this through `resolveBaselineMode`;
|
|
51
|
+
* direct invocations should be rare. The single-entry contract keeps
|
|
52
|
+
* the `gh` probe count predictable + makes mocking trivial in tests.
|
|
53
|
+
*/
|
|
54
|
+
export declare function detectRepoVisibility(cwd: string): RepoVisibility;
|
|
55
|
+
/**
|
|
56
|
+
* Test seam: clear the per-process visibility cache. Production
|
|
57
|
+
* callers never use this — the cache lives for the entire CLI
|
|
58
|
+
* invocation and dies with the process.
|
|
59
|
+
*/
|
|
60
|
+
export declare function clearVisibilityCache(): void;
|
|
61
|
+
//# sourceMappingURL=visibility.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"visibility.d.ts","sourceRoot":"","sources":["../../src/baseline/visibility.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAKH;;;;;;GAMG;AACH,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;AAI3E;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAOhE;AAmBD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}
|
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Repo visibility detection — probes `gh repo view --json visibility`
|
|
4
|
+
* to learn whether the current repo is public, private, or internal
|
|
5
|
+
* (GitHub Enterprise's middle tier).
|
|
6
|
+
*
|
|
7
|
+
* # Why this module exists
|
|
8
|
+
*
|
|
9
|
+
* Baseline mode resolution (see `./modes.ts`) needs the answer to
|
|
10
|
+
* "is this a public repo?" to pick the right default posture.
|
|
11
|
+
* Public repos default to `ref-based` (no committed baseline,
|
|
12
|
+
* zero disclosure); private repos default to `committed-full`.
|
|
13
|
+
* Without a reliable visibility probe the picker can't be safe-
|
|
14
|
+
* by-default.
|
|
15
|
+
*
|
|
16
|
+
* # Failure semantics
|
|
17
|
+
*
|
|
18
|
+
* Every failure path returns `'unknown'` rather than throwing.
|
|
19
|
+
* Callers treat unknown the same way they treat private — the
|
|
20
|
+
* safe default. Concrete failure modes:
|
|
21
|
+
*
|
|
22
|
+
* - `gh` binary missing
|
|
23
|
+
* - `gh auth` not configured
|
|
24
|
+
* - Repo has no GitHub remote
|
|
25
|
+
* - Repo is on a non-GitHub host (GitLab, self-hosted)
|
|
26
|
+
* - Network failure / API throttling
|
|
27
|
+
* - Repo deleted or made inaccessible to the calling user
|
|
28
|
+
*
|
|
29
|
+
* None of these warrant a surprise switch to sanitized mode — a
|
|
30
|
+
* customer's private repo shouldn't suddenly start writing
|
|
31
|
+
* stripped baselines because `gh auth` lapsed.
|
|
32
|
+
*
|
|
33
|
+
* # Caching
|
|
34
|
+
*
|
|
35
|
+
* The probe is slow (~500ms cold). Results are cached per-process
|
|
36
|
+
* by absolute cwd. Tests clear the cache via `clearVisibilityCache`.
|
|
37
|
+
*/
|
|
38
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
39
|
+
if (k2 === undefined) k2 = k;
|
|
40
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
41
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
42
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
43
|
+
}
|
|
44
|
+
Object.defineProperty(o, k2, desc);
|
|
45
|
+
}) : (function(o, m, k, k2) {
|
|
46
|
+
if (k2 === undefined) k2 = k;
|
|
47
|
+
o[k2] = m[k];
|
|
48
|
+
}));
|
|
49
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
50
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
51
|
+
}) : function(o, v) {
|
|
52
|
+
o["default"] = v;
|
|
53
|
+
});
|
|
54
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
55
|
+
var ownKeys = function(o) {
|
|
56
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
57
|
+
var ar = [];
|
|
58
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
59
|
+
return ar;
|
|
60
|
+
};
|
|
61
|
+
return ownKeys(o);
|
|
62
|
+
};
|
|
63
|
+
return function (mod) {
|
|
64
|
+
if (mod && mod.__esModule) return mod;
|
|
65
|
+
var result = {};
|
|
66
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
67
|
+
__setModuleDefault(result, mod);
|
|
68
|
+
return result;
|
|
69
|
+
};
|
|
70
|
+
})();
|
|
71
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
72
|
+
exports.detectRepoVisibility = detectRepoVisibility;
|
|
73
|
+
exports.clearVisibilityCache = clearVisibilityCache;
|
|
74
|
+
const child_process_1 = require("child_process");
|
|
75
|
+
const path = __importStar(require("path"));
|
|
76
|
+
const VISIBILITY_CACHE = new Map();
|
|
77
|
+
/**
|
|
78
|
+
* Detect the visibility of the repo rooted at `cwd`. Returns
|
|
79
|
+
* `'unknown'` on every failure path — never throws. Cached per
|
|
80
|
+
* absolute cwd for the lifetime of the process.
|
|
81
|
+
*
|
|
82
|
+
* Production callers always use this through `resolveBaselineMode`;
|
|
83
|
+
* direct invocations should be rare. The single-entry contract keeps
|
|
84
|
+
* the `gh` probe count predictable + makes mocking trivial in tests.
|
|
85
|
+
*/
|
|
86
|
+
function detectRepoVisibility(cwd) {
|
|
87
|
+
const cacheKey = path.resolve(cwd);
|
|
88
|
+
const cached = VISIBILITY_CACHE.get(cacheKey);
|
|
89
|
+
if (cached !== undefined)
|
|
90
|
+
return cached;
|
|
91
|
+
const resolved = detectRepoVisibilityUncached(cwd);
|
|
92
|
+
VISIBILITY_CACHE.set(cacheKey, resolved);
|
|
93
|
+
return resolved;
|
|
94
|
+
}
|
|
95
|
+
function detectRepoVisibilityUncached(cwd) {
|
|
96
|
+
try {
|
|
97
|
+
const out = (0, child_process_1.execSync)('gh repo view --json visibility', {
|
|
98
|
+
cwd,
|
|
99
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
100
|
+
encoding: 'utf-8',
|
|
101
|
+
timeout: 5000,
|
|
102
|
+
});
|
|
103
|
+
const parsed = JSON.parse(out);
|
|
104
|
+
const raw = typeof parsed.visibility === 'string' ? parsed.visibility.toLowerCase() : '';
|
|
105
|
+
if (raw === 'public' || raw === 'private' || raw === 'internal')
|
|
106
|
+
return raw;
|
|
107
|
+
return 'unknown';
|
|
108
|
+
}
|
|
109
|
+
catch {
|
|
110
|
+
return 'unknown';
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* Test seam: clear the per-process visibility cache. Production
|
|
115
|
+
* callers never use this — the cache lives for the entire CLI
|
|
116
|
+
* invocation and dies with the process.
|
|
117
|
+
*/
|
|
118
|
+
function clearVisibilityCache() {
119
+
VISIBILITY_CACHE.clear();
120
+
}
121
+
//# sourceMappingURL=visibility.js.map
@@ -0,0 +1 @@
1
+
{"version":3,"file":"visibility.js","sourceRoot":"","sources":["../../src/baseline/visibility.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBH,oDAOC;AAwBD,oDAEC;AAxDD,iDAAyC;AACzC,2CAA6B;AAW7B,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA0B,CAAC;AAE3D;;;;;;;;GAQG;AACH,SAAgB,oBAAoB,CAAC,GAAW;IAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IACxC,MAAM,QAAQ,GAAG,4BAA4B,CAAC,GAAG,CAAC,CAAC;IACnD,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACzC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,4BAA4B,CAAC,GAAW;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,gCAAgC,EAAE;YACrD,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,IAAI;SACd,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3D,MAAM,GAAG,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzF,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,UAAU;YAAE,OAAO,GAAG,CAAC;QAC5E,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB;IAClC,gBAAgB,CAAC,KAAK,EAAE,CAAC;AAC3B,CAAC"}
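--- a/package/dist/cli.d.ts.map
+++ b/package/dist/cli.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAiNA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA4kDvD"}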
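--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -123,8 +123,11 @@ function printUsage() {
 vyuh-dxkit tools [path] Show required analysis tools status
 vyuh-dxkit tools install Interactively install missing tools
 vyuh-dxkit baseline create [path] [--name <name>] [--force]
+[--mode=<mode>] [--ref=<ref>]
 Capture per-finding identities to .dxkit/baselines/<name>.json
-(read later by guardrail check to gate new regressions)
+(read later by guardrail check to gate new regressions).
+--mode=committed-full|committed-sanitized|ref-based picks
+the on-disk posture; default auto-selects from repo visibility.
 vyuh-dxkit baseline show [path] [--name <n>] [--baseline <path>]
 [--kind <kind>] [--json]
 Pretty-print the on-disk baseline. Default: summary +
@@ -132,14 +135,33 @@ function printUsage() {
 emits a schema-banner-wrapped payload.
 vyuh-dxkit guardrail check [path] [--name <n>] [--baseline <path>]
 [--changed-only] [--policy <path>]
+[--mode=<mode>] [--ref=<ref>]
 [--json | --markdown]
 Diff current scan against the named baseline; block on net-new
 regressions per brownfield policy. Exit code 1 when blocked.
+--mode/--ref mirror baseline create (override policy.json).
 vyuh-dxkit hooks activate [path]
 Idempotently set core.hooksPath = .githooks. Wired into
 package.json postinstall by 'init --with-hooks' so every
 clone + 'npm install' activates the dxkit hooks
 automatically. Safe to run by hand; always exits 0.
+vyuh-dxkit allowlist add <file:line> --category=<cat> --reason=<text>
+vyuh-dxkit allowlist add --fingerprint=<id> --kind=<kind> --category=<cat>
+--reason=<text> [--expires=<YYYY-MM-DD>]
+Suppress an individual finding with a typed category
+(false-positive / test-fixture / mitigated-externally /
+accepted-risk / deferred) and required reason. Inline
+form inserts a dxkit-allow: annotation; file-level
+form writes to .dxkit/allowlist.json.
+vyuh-dxkit allowlist list | show <fingerprint> | audit | prune [--dry-run] [--json]
+Review / audit / clean the allowlist. audit surfaces
+expired + soon-to-expire (within 14 days) + missing-
+rationale entries. prune removes expired entries.
+vyuh-dxkit issue --type=<type> [--about=<text>] [--fingerprint=<id>] [--no-browser]
+Open a pre-filled GitHub Issue against vyuh-labs/dxkit.
+Types: false-positive, missing-finding, bug,
+feature-request, docs. Nothing is submitted until
+you click "Submit" in your browser.
 
 ${logger.bold('Init options:')}
 --dx-only Just .claude/ + CLAUDE.md (default)
@@ -251,6 +273,20 @@ async function run(argv) {
 target: { type: 'string' },
 'dry-run': { type: 'boolean', default: false },
 plan: { type: 'boolean', default: false },
+// allowlist flags (allowlist add | list | show | audit | prune)
+category: { type: 'string' },
+reason: { type: 'string' },
+fingerprint: { type: 'string' },
+expires: { type: 'string' },
+'acknowledged-severity': { type: 'string' },
+'added-by': { type: 'string' },
+mode: { type: 'string' },
+ref: { type: 'string' },
+'soon-days': { type: 'string' },
+// issue flags
+type: { type: 'string' },
+about: { type: 'string' },
+'no-browser': { type: 'boolean', default: false },
 },
 allowPositionals: true,
 strict: false,
@@ -1350,19 +1386,36 @@ async function run(argv) {
 if (subCommand === 'create') {
 const targetPath = resolveRepoPath(positionals[2]);
 const { createBaseline } = await Promise.resolve().then(() => __importStar(require('./baseline/create')));
+const { parseBaselineMode } = await Promise.resolve().then(() => __importStar(require('./baseline/modes')));
 logger.header('vyuh-dxkit baseline create');
 logger.info(`Capturing baseline for ${targetPath}...`);
 const startTime = Date.now();
+const cliModeRaw = values.mode;
+const cliMode = cliModeRaw !== undefined ? parseBaselineMode(cliModeRaw) : undefined;
+if (cliModeRaw !== undefined && cliMode === null) {
+logger.fail(`Unknown --mode value: ${cliModeRaw}. ` +
+`Expected one of: committed-full, committed-sanitized, ref-based.`);
+process.exit(1);
+}
 try {
 const result = await createBaseline({
 cwd: targetPath,
 name: values.name,
 force: !!values.force,
 verbose: !!values.verbose,
+cliMode: cliMode ?? undefined,
+cliRef: values.ref,
 });
 const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
-
-
+logger.info(`Baseline ${result.mode.explanation}`);
+if (result.mode.mode === 'ref-based') {
+logger.success(`Ref-based mode: no file written. Guardrail check will compare against ${result.mode.ref} on demand (${elapsed}s)`);
+}
+else if (result.path && result.file) {
+const rel = path.relative(targetPath, result.path);
+const tag = result.mode.mode === 'committed-sanitized' ? ' (sanitized)' : '';
+logger.success(`Wrote ${rel}${tag} — ${result.file.findings.length} findings, salt: ${result.file.saltMode} (${elapsed}s)`);
+}
 }
 catch (err) {
 logger.fail(err.message);
@@ -1423,6 +1476,14 @@ async function run(argv) {
 const targetPath = resolveRepoPath(positionals[2]);
 const { runGuardrailCheck } = await Promise.resolve().then(() => __importStar(require('./baseline/check')));
 const { renderConsole, renderJson, renderMarkdown } = await Promise.resolve().then(() => __importStar(require('./baseline/check-renderers')));
+const { parseBaselineMode } = await Promise.resolve().then(() => __importStar(require('./baseline/modes')));
+const cliModeRaw = values.mode;
+const cliMode = cliModeRaw !== undefined ? parseBaselineMode(cliModeRaw) : undefined;
+if (cliModeRaw !== undefined && cliMode === null) {
+logger.fail(`Unknown --mode value: ${cliModeRaw}. ` +
+`Expected one of: committed-full, committed-sanitized, ref-based.`);
+process.exit(1);
+}
 if (!values.json)
 logger.header('vyuh-dxkit guardrail check');
 if (!values.json)
@@ -1436,7 +1497,11 @@ async function run(argv) {
 changedOnly: !!values['changed-only'],
 policyPath: values.policy,
 verbose: !!values.verbose,
+cliMode: cliMode ?? undefined,
+cliRef: values.ref,
 });
+if (!values.json)
+logger.info(`Baseline ${result.mode.explanation}`);
 const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
 if (values.json) {
 await emitJson(renderJson(result));
@@ -1486,6 +1551,26 @@ async function run(argv) {
 });
 break;
 }
+case 'allowlist': {
+const { runAllowlist } = await Promise.resolve().then(() => __importStar(require('./allowlist/cli')));
+// positionals[1] = subcommand (add | list | show)
+// positionals[2] = optional target (file:line for add, fingerprint for show)
+await runAllowlist(cwd, positionals[1], {
+positionalAfter: positionals[2],
+values: values,
+});
+break;
+}
+case 'issue': {
+const { runIssueSubmit } = await Promise.resolve().then(() => __importStar(require('./issue-cli')));
+await runIssueSubmit(cwd, {
+type: values.type,
+fingerprint: values.fingerprint,
+about: values.about,
+noBrowser: !!values['no-browser'],
+});
+break;
+}
 default:
 console.error(`Unknown command: ${command}`);
 printUsage();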
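Review bot: The `--mode` validation block is pasted verbatim twice inside `run` — once in `baseline create` (new lines 1393–1399) and again in `guardrail check` (new lines 1480–1486) — so the accepted-values list in the error message lives in two places and the two commands can drift apart the next time a mode is added. A small helper that resolves and validates the flag once, sketched below, lets both call sites collapse to `const cliMode = await resolveCliMode(values.mode);` and leaves `cliMode: cliMode ?? undefined,` untouched. In the `allowlist` case the comment `// positionals[1] = subcommand (add | list | show)` already disagrees with the flag comment at new line 276 and with the usage text, both of which also list `audit` and `prune`; `// positionals[1] = subcommand (add | list | show | audit | prune)` keeps them aligned. `values.ref` is forwarded to `createBaseline` and `runGuardrailCheck` with no shape check at all; if either consumer ends up passing it to `git` (not visible in this diff), a `git check-ref-format`-style validation at this single boundary would be cheaper than repeating it in each consumer. `run` starts and ends outside these hunks.
```javascript
// Resolve an optional --mode flag once for both `baseline create` and
// `guardrail check`; an unknown value fails with one shared message.
async function resolveCliMode(modeRaw) {
  if (modeRaw === undefined) return undefined;
  const { parseBaselineMode } = await Promise.resolve().then(() => __importStar(require('./baseline/modes')));
  const mode = parseBaselineMode(modeRaw);
  if (mode === null) {
    logger.fail(`Unknown --mode value: ${modeRaw}. ` +
      `Expected one of: committed-full, committed-sanitized, ref-based.`);
    process.exit(1);
  }
  return mode;
}
// … unchanged: run() up to the `baseline create` branch …
const cliMode = await resolveCliMode(values.mode);
// … unchanged: createBaseline / runGuardrailCheck calls …
```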