@vyuhlabs/dxkit 2.5.2 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (264) hide show
  1. package/CHANGELOG.md +218 -13
  2. package/README.md +220 -369
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/bom/discovery.d.ts +3 -4
  32. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  33. package/dist/analyzers/bom/discovery.js +3 -4
  34. package/dist/analyzers/bom/discovery.js.map +1 -1
  35. package/dist/analyzers/bom/types.d.ts +1 -1
  36. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  37. package/dist/analyzers/dashboard/index.js +42 -5
  38. package/dist/analyzers/dashboard/index.js.map +1 -1
  39. package/dist/analyzers/quality/detailed.d.ts +8 -1
  40. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  41. package/dist/analyzers/quality/detailed.js +43 -10
  42. package/dist/analyzers/quality/detailed.js.map +1 -1
  43. package/dist/analyzers/security/detailed.d.ts +8 -1
  44. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  45. package/dist/analyzers/security/detailed.js +14 -1
  46. package/dist/analyzers/security/detailed.js.map +1 -1
  47. package/dist/analyzers/tests/detailed.d.ts +8 -1
  48. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  49. package/dist/analyzers/tests/detailed.js +26 -7
  50. package/dist/analyzers/tests/detailed.js.map +1 -1
  51. package/dist/analyzers/tools/cloc.js +3 -3
  52. package/dist/analyzers/tools/cloc.js.map +1 -1
  53. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  54. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  55. package/dist/analyzers/tools/exclusions.js +27 -13
  56. package/dist/analyzers/tools/exclusions.js.map +1 -1
  57. package/dist/analyzers/tools/graphify.d.ts +39 -5
  58. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  59. package/dist/analyzers/tools/graphify.js +609 -45
  60. package/dist/analyzers/tools/graphify.js.map +1 -1
  61. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  62. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  63. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  64. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  65. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  66. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  67. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  68. package/dist/analyzers/tools/parallel.js +7 -0
  69. package/dist/analyzers/tools/parallel.js.map +1 -1
  70. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  71. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  72. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  73. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  74. package/dist/analyzers/xlsx/licenses.js +7 -7
  75. package/dist/baseline/baseline-file.d.ts +7 -0
  76. package/dist/baseline/baseline-file.d.ts.map +1 -1
  77. package/dist/baseline/baseline-file.js +22 -1
  78. package/dist/baseline/baseline-file.js.map +1 -1
  79. package/dist/baseline/check-renderers.d.ts +13 -1
  80. package/dist/baseline/check-renderers.d.ts.map +1 -1
  81. package/dist/baseline/check-renderers.js +67 -1
  82. package/dist/baseline/check-renderers.js.map +1 -1
  83. package/dist/baseline/check.d.ts +33 -7
  84. package/dist/baseline/check.d.ts.map +1 -1
  85. package/dist/baseline/check.js +90 -64
  86. package/dist/baseline/check.js.map +1 -1
  87. package/dist/baseline/create.d.ts +35 -7
  88. package/dist/baseline/create.d.ts.map +1 -1
  89. package/dist/baseline/create.js +43 -5
  90. package/dist/baseline/create.js.map +1 -1
  91. package/dist/baseline/entry-to-located.d.ts +6 -1
  92. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  93. package/dist/baseline/entry-to-located.js +20 -2
  94. package/dist/baseline/entry-to-located.js.map +1 -1
  95. package/dist/baseline/finding-identity.d.ts.map +1 -1
  96. package/dist/baseline/finding-identity.js +15 -13
  97. package/dist/baseline/finding-identity.js.map +1 -1
  98. package/dist/baseline/modes.d.ts +140 -0
  99. package/dist/baseline/modes.d.ts.map +1 -0
  100. package/dist/baseline/modes.js +179 -0
  101. package/dist/baseline/modes.js.map +1 -0
  102. package/dist/baseline/policy.d.ts +64 -0
  103. package/dist/baseline/policy.d.ts.map +1 -1
  104. package/dist/baseline/policy.js +102 -1
  105. package/dist/baseline/policy.js.map +1 -1
  106. package/dist/baseline/producers/health.d.ts +2 -2
  107. package/dist/baseline/producers/health.d.ts.map +1 -1
  108. package/dist/baseline/producers/health.js.map +1 -1
  109. package/dist/baseline/producers/index.d.ts +11 -5
  110. package/dist/baseline/producers/index.d.ts.map +1 -1
  111. package/dist/baseline/producers/index.js +12 -9
  112. package/dist/baseline/producers/index.js.map +1 -1
  113. package/dist/baseline/producers/quality.d.ts +3 -3
  114. package/dist/baseline/producers/quality.d.ts.map +1 -1
  115. package/dist/baseline/producers/quality.js.map +1 -1
  116. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  117. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  118. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  119. package/dist/baseline/producers/security.d.ts +2 -2
  120. package/dist/baseline/producers/security.d.ts.map +1 -1
  121. package/dist/baseline/producers/security.js.map +1 -1
  122. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  123. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  124. package/dist/baseline/producers/stale-allow.js +111 -0
  125. package/dist/baseline/producers/stale-allow.js.map +1 -0
  126. package/dist/baseline/producers/tests.d.ts +2 -2
  127. package/dist/baseline/producers/tests.d.ts.map +1 -1
  128. package/dist/baseline/producers/tests.js.map +1 -1
  129. package/dist/baseline/ref-baseline.d.ts +114 -0
  130. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  131. package/dist/baseline/ref-baseline.js +260 -0
  132. package/dist/baseline/ref-baseline.js.map +1 -0
  133. package/dist/baseline/sanitize.d.ts +80 -0
  134. package/dist/baseline/sanitize.d.ts.map +1 -0
  135. package/dist/baseline/sanitize.js +91 -0
  136. package/dist/baseline/sanitize.js.map +1 -0
  137. package/dist/baseline/show.d.ts.map +1 -1
  138. package/dist/baseline/show.js +9 -3
  139. package/dist/baseline/show.js.map +1 -1
  140. package/dist/baseline/types.d.ts +73 -26
  141. package/dist/baseline/types.d.ts.map +1 -1
  142. package/dist/baseline/types.js +7 -1
  143. package/dist/baseline/types.js.map +1 -1
  144. package/dist/baseline/visibility.d.ts +61 -0
  145. package/dist/baseline/visibility.d.ts.map +1 -0
  146. package/dist/baseline/visibility.js +121 -0
  147. package/dist/baseline/visibility.js.map +1 -0
  148. package/dist/cli.d.ts.map +1 -1
  149. package/dist/cli.js +168 -6
  150. package/dist/cli.js.map +1 -1
  151. package/dist/dashboard/graph-adapter.d.ts +151 -0
  152. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  153. package/dist/dashboard/graph-adapter.js +415 -0
  154. package/dist/dashboard/graph-adapter.js.map +1 -0
  155. package/dist/dashboard/graph-tab.d.ts +109 -0
  156. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  157. package/dist/dashboard/graph-tab.js +297 -0
  158. package/dist/dashboard/graph-tab.js.map +1 -0
  159. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  160. package/dist/doctor.d.ts.map +1 -1
  161. package/dist/doctor.js +106 -16
  162. package/dist/doctor.js.map +1 -1
  163. package/dist/explore/cli/api-surface.d.ts +12 -0
  164. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  165. package/dist/explore/cli/api-surface.js +57 -0
  166. package/dist/explore/cli/api-surface.js.map +1 -0
  167. package/dist/explore/cli/communities.d.ts +10 -0
  168. package/dist/explore/cli/communities.d.ts.map +1 -0
  169. package/dist/explore/cli/communities.js +47 -0
  170. package/dist/explore/cli/communities.js.map +1 -0
  171. package/dist/explore/cli/context.d.ts +16 -0
  172. package/dist/explore/cli/context.d.ts.map +1 -0
  173. package/dist/explore/cli/context.js +118 -0
  174. package/dist/explore/cli/context.js.map +1 -0
  175. package/dist/explore/cli/entry-points.d.ts +12 -0
  176. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  177. package/dist/explore/cli/entry-points.js +85 -0
  178. package/dist/explore/cli/entry-points.js.map +1 -0
  179. package/dist/explore/cli/feature.d.ts +16 -0
  180. package/dist/explore/cli/feature.d.ts.map +1 -0
  181. package/dist/explore/cli/feature.js +89 -0
  182. package/dist/explore/cli/feature.js.map +1 -0
  183. package/dist/explore/cli/file.d.ts +12 -0
  184. package/dist/explore/cli/file.d.ts.map +1 -0
  185. package/dist/explore/cli/file.js +139 -0
  186. package/dist/explore/cli/file.js.map +1 -0
  187. package/dist/explore/cli/hot-files.d.ts +11 -0
  188. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  189. package/dist/explore/cli/hot-files.js +63 -0
  190. package/dist/explore/cli/hot-files.js.map +1 -0
  191. package/dist/explore/context-hook.d.ts +42 -0
  192. package/dist/explore/context-hook.d.ts.map +1 -0
  193. package/dist/explore/context-hook.js +131 -0
  194. package/dist/explore/context-hook.js.map +1 -0
  195. package/dist/explore/finding-context.d.ts +69 -0
  196. package/dist/explore/finding-context.d.ts.map +1 -0
  197. package/dist/explore/finding-context.js +102 -0
  198. package/dist/explore/finding-context.js.map +1 -0
  199. package/dist/explore/format.d.ts +64 -0
  200. package/dist/explore/format.d.ts.map +1 -0
  201. package/dist/explore/format.js +99 -0
  202. package/dist/explore/format.js.map +1 -0
  203. package/dist/explore/load.d.ts +50 -0
  204. package/dist/explore/load.d.ts.map +1 -0
  205. package/dist/explore/load.js +197 -0
  206. package/dist/explore/load.js.map +1 -0
  207. package/dist/explore/queries.d.ts +413 -0
  208. package/dist/explore/queries.d.ts.map +1 -0
  209. package/dist/explore/queries.js +855 -0
  210. package/dist/explore/queries.js.map +1 -0
  211. package/dist/explore/types.d.ts +130 -0
  212. package/dist/explore/types.d.ts.map +1 -0
  213. package/dist/explore/types.js +28 -0
  214. package/dist/explore/types.js.map +1 -0
  215. package/dist/explore-cli.d.ts +45 -0
  216. package/dist/explore-cli.d.ts.map +1 -0
  217. package/dist/explore-cli.js +213 -0
  218. package/dist/explore-cli.js.map +1 -0
  219. package/dist/generator.d.ts.map +1 -1
  220. package/dist/generator.js +19 -0
  221. package/dist/generator.js.map +1 -1
  222. package/dist/issue-cli.d.ts +62 -0
  223. package/dist/issue-cli.d.ts.map +1 -0
  224. package/dist/issue-cli.js +252 -0
  225. package/dist/issue-cli.js.map +1 -0
  226. package/dist/languages/csharp.d.ts.map +1 -1
  227. package/dist/languages/csharp.js +32 -11
  228. package/dist/languages/csharp.js.map +1 -1
  229. package/dist/languages/go.d.ts.map +1 -1
  230. package/dist/languages/go.js +5 -0
  231. package/dist/languages/go.js.map +1 -1
  232. package/dist/languages/index.d.ts +27 -0
  233. package/dist/languages/index.d.ts.map +1 -1
  234. package/dist/languages/index.js +35 -0
  235. package/dist/languages/index.js.map +1 -1
  236. package/dist/languages/java.d.ts.map +1 -1
  237. package/dist/languages/java.js +5 -0
  238. package/dist/languages/java.js.map +1 -1
  239. package/dist/languages/kotlin.d.ts.map +1 -1
  240. package/dist/languages/kotlin.js +5 -0
  241. package/dist/languages/kotlin.js.map +1 -1
  242. package/dist/languages/python.d.ts.map +1 -1
  243. package/dist/languages/python.js +5 -0
  244. package/dist/languages/python.js.map +1 -1
  245. package/dist/languages/ruby.d.ts.map +1 -1
  246. package/dist/languages/ruby.js +5 -0
  247. package/dist/languages/ruby.js.map +1 -1
  248. package/dist/languages/rust.d.ts.map +1 -1
  249. package/dist/languages/rust.js +5 -0
  250. package/dist/languages/rust.js.map +1 -1
  251. package/dist/languages/types.d.ts +79 -0
  252. package/dist/languages/types.d.ts.map +1 -1
  253. package/dist/languages/typescript.d.ts.map +1 -1
  254. package/dist/languages/typescript.js +6 -1
  255. package/dist/languages/typescript.js.map +1 -1
  256. package/package.json +2 -1
  257. package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
  258. package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
  259. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  260. package/templates/AGENTS.md.template +8 -1
  261. package/dist/baseline/producers/licenses.d.ts +0 -23
  262. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  263. package/dist/baseline/producers/licenses.js +0 -46
  264. package/dist/baseline/producers/licenses.js.map +0 -1
@@ -17,7 +17,7 @@
17
17
  * apply to hygiene markers; the marker IS the canonical name.
18
18
  *
19
19
  * Kinds without file/line locators (dep-vuln, duplication,
20
- * coverage-gap, license, test-gap, test-file-degradation, god-file,
20
+ * coverage-gap, test-gap, test-file-degradation, god-file,
21
21
  * stale-file, large-file, secret-hmac) fall through to the matcher's
22
22
  * multiset pass — they're paired by exact identity-hash equality,
23
23
  * which the matcher already handles without any locator metadata.
@@ -26,13 +26,21 @@ Object.defineProperty(exports, "__esModule", { value: true });
26
26
  exports.entryToLocated = entryToLocated;
27
27
  exports.entriesToLocated = entriesToLocated;
28
28
  const fingerprint_1 = require("../analyzers/tools/fingerprint");
29
+ const sanitize_1 = require("./sanitize");
29
30
  /**
30
31
  * Build a `LocatedIdentity` from one stored entry. The id is the
31
32
  * already-computed identity hash; locator fields are populated for
32
33
  * the kinds the matcher's location-pair / content-hash passes can
33
34
  * use.
35
+ *
36
+ * Sanitized entries (`sanitized: true`) carry only identity + kind;
37
+ * they short-circuit to identity-only locators because the
38
+ * location-pair pass has no fields to compare. The matcher's
39
+ * multiset pass still pairs them at full confidence by id.
34
40
  */
35
41
  function entryToLocated(entry) {
42
+ if ((0, sanitize_1.isSanitized)(entry))
43
+ return { id: entry.id };
36
44
  switch (entry.kind) {
37
45
  case 'secret':
38
46
  case 'code':
@@ -52,10 +60,20 @@ function entryToLocated(entry) {
52
60
  rule: entry.marker,
53
61
  ...(entry.contentHash !== undefined ? { contentHash: entry.contentHash } : {}),
54
62
  };
63
+ case 'stale-allow':
64
+ // Annotation comments don't have a tool/rule pair — the
65
+ // "rule" is the annotation's category. Reuse the field so
66
+ // the matcher's location-pair pass can treat them like other
67
+ // source-anchored kinds.
68
+ return {
69
+ id: entry.id,
70
+ file: entry.file,
71
+ line: entry.line,
72
+ rule: entry.category,
73
+ };
55
74
  case 'dep-vuln':
56
75
  case 'duplication':
57
76
  case 'coverage-gap':
58
- case 'license':
59
77
  case 'test-gap':
60
78
  case 'test-file-degradation':
61
79
  case 'god-file':
@@ -1 +1 @@
1
- {"version":3,"file":"entry-to-located.js","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;AAYH,wCAgCC;AAGD,4CAIC;AAjDD,gEAAkE;AAIlE;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,KAAoB;IACjD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC;gBAC9C,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,MAAM;gBAClB,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa,CAAC;QACnB,KAAK,cAAc,CAAC;QACpB,KAAK,SAAS,CAAC;QACf,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY,CAAC;QAClB,KAAK,aAAa;YAChB,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAgB,gBAAgB,CAC9B,OAAqC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;AACrC,CAAC"}
1
+ {"version":3,"file":"entry-to-located.js","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;AAkBH,wCA2CC;AAGD,4CAIC;AAlED,gEAAkE;AAElE,yCAAyC;AAGzC;;;;;;;;;;GAUG;AACH,SAAgB,cAAc,CAAC,KAAoB;IACjD,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAChD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC;gBAC9C,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,MAAM;gBAClB,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,aAAa;YAChB,wDAAwD;YACxD,0DAA0D;YAC1D,6DAA6D;YAC7D,yBAAyB;YACzB,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,QAAQ;aACrB,CAAC;QACJ,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa,CAAC;QACnB,KAAK,cAAc,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY,CAAC;QAClB,KAAK,aAAa;YAChB,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAgB,gBAAgB,CAC9B,OAAqC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;AACrC,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"finding-identity.d.ts","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACb,qBAAqB,EAGrB,WAAW,EAGZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,OAAO,GAAE,qBAA4B,GACpC,SAAS,CA4CX;AA4KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,EAC1B,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,GAC3B,WAAW,CAyDb"}
1
+ {"version":3,"file":"finding-identity.d.ts","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACb,qBAAqB,EAGrB,WAAW,EAGZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,OAAO,GAAE,qBAA4B,GACpC,SAAS,CA4CX;AA0KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,EAC1B,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,GAC3B,WAAW,CAyDb"}
@@ -53,8 +53,6 @@ function identityFor(input, version = 'v1') {
53
53
  return computeTestGapIdentity(input.file, input.risk);
54
54
  case 'hygiene':
55
55
  return computeHygieneIdentity(input.file, input.line, input.marker);
56
- case 'license':
57
- return computeLicenseIdentity(input.package, input.version, input.licenseType);
58
56
  case 'test-file-degradation':
59
57
  return computeTestFileDegradationIdentity(input.file, input.status);
60
58
  case 'god-file':
@@ -65,6 +63,8 @@ function identityFor(input, version = 'v1') {
65
63
  return computeLargeFileIdentity(input.file);
66
64
  case 'secret-hmac':
67
65
  return computeSecretHmacIdentity(input.tool, input.rule, input.hmac);
66
+ case 'stale-allow':
67
+ return computeStaleAllowIdentity(input.file, input.line, input.category);
68
68
  }
69
69
  }
70
70
  /**
@@ -138,17 +138,6 @@ function computeHygieneIdentity(file, line, marker) {
138
138
  const input = `hygiene\0v1\0${marker}\0${file}\0${(0, fingerprint_1.lineWindowFor)(line)}`;
139
139
  return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
140
140
  }
141
- /**
142
- * Identity for a package license attribution. Includes the license
143
- * type so a re-licensing event on the same `(package, version)` pin
144
- * registers as a fresh finding — compliance teams want to be
145
- * notified when a transitive dep switches from MIT to GPL even
146
- * without a version bump.
147
- */
148
- function computeLicenseIdentity(packageName, version, licenseType) {
149
- const input = `license\0v1\0${packageName}\0${version}\0${licenseType}`;
150
- return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
151
- }
152
141
  /**
153
142
  * Identity for a degraded test file. Degradation status is part of
154
143
  * identity so transitions between states register as fresh findings
@@ -208,6 +197,19 @@ function computeSecretHmacIdentity(tool, rule, hmac) {
208
197
  const input = `secret-hmac\0v1\0${canonicalRule}\0${hmac}`;
209
198
  return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
210
199
  }
200
+ /**
201
+ * Identity for an orphaned inline allowlist annotation. Line is
202
+ * bucketed via the canonical 3-line window so small formatter /
203
+ * unrelated-edit drift doesn't churn identity. Category is part of
204
+ * identity so reclassifying an annotation (test-fixture →
205
+ * false-positive on the same source line) registers as a fresh
206
+ * finding — the new category's appropriateness is a separate
207
+ * judgment worth surfacing.
208
+ */
209
+ function computeStaleAllowIdentity(file, line, category) {
210
+ const input = `stale-allow\0v1\0${file}\0${(0, fingerprint_1.lineWindowFor)(line)}\0${category}`;
211
+ return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
212
+ }
211
213
  /**
212
214
  * Multiset-aware identity diff — the lowest layer of baseline
213
215
  * comparison. Pairs identities by occurrence count, not by presence:
@@ -1 +1 @@
1
- {"version":3,"file":"finding-identity.js","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsCH,kCA+CC;AA+LD,0CA4DC;AA9UD,mCAAoC;AACpC,gEAKwC;AAkBxC;;;;;;;;;;;GAWG;AACH,SAAgB,WAAW,CACzB,KAAoB,EACpB,UAAiC,IAAI;IAErC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAC/D,OAAO,IAAA,oCAAsB,EAAC,aAAa,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC;QACD,KAAK,UAAU;YACb,OAAO,IAAA,gCAAkB,EAAC;gBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,EAAE,EAAE,KAAK,CAAC,EAAE;aACb,CAAC,CAAC;QACL,KAAK,aAAa;YAChB,OAAO,0BAA0B,CAC/B,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,0BAA0B,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/E,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACxD,KAAK,SAAS;YACZ,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,SAAS;YACZ,OAAO,sBAAsB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QACjF,KAAK,uBAAuB;YAC1B,OAAO,kCAAkC,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAS,0BAA0B,CACjC,KAAa,EACb,KAAa,EACb,KAAa,EACb,UAAkB,EAClB,UAAkB;IAElB,MAAM,KAAK,GAA4B;QACrC,CAAC,KAAK,EAAE,UAAU,CAAC;QACnB,CAAC,KAAK,EAAE,UAAU,CAAC;KACpB,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,KAAK,GAAG,oBAAoB,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;IAC1G,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,0BAA0B,CACjC,IAAY,EACZ,MAA0B,EAC1B,SAAgD;IAEhD,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,yEAAyE,IAAI,GAAG,CACjF,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,SAAU,CAAC,CAAC,CAAC,IAAI,SAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3F,MAAM,KAAK,GAAG,qBAAqB,IAAI,KAAK,aAAa,EAAE,CAAC;IAC5D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAiB;IAC7D,MAAM,KAAK,GAAG,iBAAiB,IAAI,KAAK,IAAI,EAAE,CAAC;IAC/C,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAY,EAAE,MAAqB;IAC/E,MAAM,KAAK,GAAG,gBAAgB,MAAM,KAAK,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,EAAE,CAAC;IACxE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAC7B,WAAmB,EACnB,OAAe,EACf,WAAmB;IAEnB,MAAM,KAAK,GAAG,gBAAgB,WAAW,KAAK,OAAO,KAAK,WAAW,EAAE,CAAC;IACxE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,kCAAkC,CACzC,IAAY,EACZ,MAAiC;IAEjC,MAAM,KAAK,GAAG,8BAA8B,IAAI,KAAK,MAAM,EAAE,CAAC;IAC9D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,iBAAiB,IAAI,EAAE,CAAC;IACtC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,wBAAwB,CAAC,IAAY,EAAE,MAAc;IAC5D,MAAM,KAAK,GAAG,mBAAmB,IAAI,KAAK,MAAM,EAAE,CAAC;IACnD,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,mBAAmB,IAAI,EAAE,CAAC;IACxC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,IAAY;IACzE,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,oBAAoB,aAAa,KAAK,IAAI,EAAE,CAAC;IAC3D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,eAAe,CAC7B,KAA0B,EAC1B,OAA4B;IAE5B,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,aAAa,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAY,CAAC,GAAG,WAAW,CAAC,IAAI,EAAE,EAAE,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAEpF,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAgB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,wDAAwD;KACjE,CAAC;IACF,MAAM,SAAS,GAAgB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,kDAAkD;KAC3D,CAAC;IACF,MAAM,UAAU,GAAgB;QAC9B,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,sDAAsD;KAC/D,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,WAAW,CAAC;aACvB,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,OAAO;gBACf,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,SAAS,CAAC;aACrB,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,SAAS;gBACjB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,UAAU,CAAC;aACtB,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,aAAa,CAAC,KAA0B;IAC/C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
1
+ {"version":3,"file":"finding-identity.js","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsCH,kCA+CC;AA6LD,0CA4DC;AA5UD,mCAAoC;AACpC,gEAKwC;AAkBxC;;;;;;;;;;;GAWG;AACH,SAAgB,WAAW,CACzB,KAAoB,EACpB,UAAiC,IAAI;IAErC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAC/D,OAAO,IAAA,oCAAsB,EAAC,aAAa,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC;QACD,KAAK,UAAU;YACb,OAAO,IAAA,gCAAkB,EAAC;gBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,EAAE,EAAE,KAAK,CAAC,EAAE;aACb,CAAC,CAAC;QACL,KAAK,aAAa;YAChB,OAAO,0BAA0B,CAC/B,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,0BAA0B,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/E,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACxD,KAAK,SAAS;YACZ,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,uBAAuB;YAC1B,OAAO,kCAAkC,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAS,0BAA0B,CACjC,KAAa,EACb,KAAa,EACb,KAAa,EACb,UAAkB,EAClB,UAAkB;IAElB,MAAM,KAAK,GAA4B;QACrC,CAAC,KAAK,EAAE,UAAU,CAAC;QACnB,CAAC,KAAK,EAAE,UAAU,CAAC;KACpB,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,KAAK,GAAG,oBAAoB,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;IAC1G,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,0BAA0B,CACjC,IAAY,EACZ,MAA0B,EAC1B,SAAgD;IAEhD,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,yEAAyE,IAAI,GAAG,CACjF,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,SAAU,CAAC,CAAC,CAAC,IAAI,SAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3F,MAAM,KAAK,GAAG,qBAAqB,IAAI,KAAK,aAAa,EAAE,CAAC;IAC5D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAiB;IAC7D,MAAM,KAAK,GAAG,iBAAiB,IAAI,KAAK,IAAI,EAAE,CAAC;IAC/C,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAY,EAAE,MAAqB;IAC/E,MAAM,KAAK,GAAG,gBAAgB,MAAM,KAAK,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,EAAE,CAAC;IACxE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,kCAAkC,CACzC,IAAY,EACZ,MAAiC;IAEjC,MAAM,KAAK,GAAG,8BAA8B,IAAI,KAAK,MAAM,EAAE,CAAC;IAC9D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,iBAAiB,IAAI,EAAE,CAAC;IACtC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,wBAAwB,CAAC,IAAY,EAAE,MAAc;IAC5D,MAAM,KAAK,GAAG,mBAAmB,IAAI,KAAK,MAAM,EAAE,CAAC;IACnD,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,mBAAmB,IAAI,EAAE,CAAC;IACxC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,IAAY;IACzE,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,oBAAoB,aAAa,KAAK,IAAI,EAAE,CAAC;IAC3D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,QAAgB;IAC7E,MAAM,KAAK,GAAG,oBAAoB,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;IAC9E,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,eAAe,CAC7B,KAA0B,EAC1B,OAA4B;IAE5B,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,aAAa,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAY,CAAC,GAAG,WAAW,CAAC,IAAI,EAAE,EAAE,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAEpF,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAgB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,wDAAwD;KACjE,CAAC;IACF,MAAM,SAAS,GAAgB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,kDAAkD;KAC3D,CAAC;IACF,MAAM,UAAU,GAAgB;QAC9B,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,sDAAsD;KAC/D,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,WAAW,CAAC;aACvB,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,OAAO;gBACf,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,SAAS,CAAC;aACrB,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,SAAS;gBACjB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,UAAU,CAAC;aACtB,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,aAAa,CAAC,KAA0B;IAC/C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
@@ -0,0 +1,140 @@
1
+ /**
2
+ * Baseline mode resolution — single source of truth for picking
3
+ * between `committed-full`, `committed-sanitized`, and `ref-based`.
4
+ *
5
+ * # The three modes
6
+ *
7
+ * - **`committed-full`** — Rich entries committed to git under
8
+ * `.dxkit/baselines/<name>.json`. The default behavior dxkit
9
+ * has had since baselines existed. Best for private repos with
10
+ * small teams; the human-readable locator fields make `baseline
11
+ * show` and block-time hints maximally useful.
12
+ *
13
+ * - **`committed-sanitized`** — The file is still committed, but
14
+ * every entry is stripped to `{ id, kind, sanitized: true }`
15
+ * before write (see `./sanitize.ts`). The cross-run matching
16
+ * contract is preserved (identity fingerprints are unchanged);
17
+ * human-readable locators are gone. Best for compliance-
18
+ * conscious private repos where broad internal read access
19
+ * makes location disclosures material.
20
+ *
21
+ * - **`ref-based`** — No baseline file is committed. The prior
22
+ * side of the guardrail diff is computed at check time from a
23
+ * git ref (default: `origin/<default-branch>`) via
24
+ * `git worktree add`. Zero disclosure surface; best for public
25
+ * repos. Cost is a longer check (gather runs twice — once
26
+ * against the ref, once against HEAD).
27
+ *
28
+ * # Resolution precedence
29
+ *
30
+ * 1. **CLI flag** — `--mode=<X>` (and `--ref=<R>`). Highest
31
+ * precedence. Overrides everything else.
32
+ * 2. **Policy file** — `baseline.mode` / `baseline.ref` in
33
+ * `.dxkit/policy.json`. Pins the choice repo-wide so every
34
+ * developer + every CI job uses the same posture.
35
+ * 3. **Visibility-derived default** — probes
36
+ * `gh repo view --json visibility` (see `./visibility.ts`)
37
+ * and picks:
38
+ * - `'public'` → `ref-based`
39
+ * - `'private'` / `'internal'` → `committed-full`
40
+ * - `'unknown'` → `committed-full` (safe default + warning)
41
+ *
42
+ * `committed-sanitized` is never auto-picked. It's the explicit
43
+ * opt-in for compliance-conscious private repos. The reasoning:
44
+ *
45
+ * - For public repos, sanitized-in-git is strictly worse than
46
+ * ref-based — you're still committing the fingerprint set,
47
+ * and ref-based gives the same matching contract without
48
+ * storing anything.
49
+ * - For typical private repos with small teams, full content
50
+ * is more useful.
51
+ *
52
+ * So sanitized lives between those two extremes and customers
53
+ * opt in via `policy.json` or `--mode=committed-sanitized`.
54
+ *
55
+ * # Why one resolver
56
+ *
57
+ * Every consumer (the `baseline create` orchestrator, the
58
+ * `guardrail check` orchestrator, doctor checks, future modes-
59
+ * aware tooling) calls `resolveBaselineMode` and reads the
60
+ * returned `ResolvedMode`. Scattered `if (visibility === 'public')`
61
+ * branches would drift independently as the rules evolve; this
62
+ * module is the single edit point.
63
+ *
64
+ * Pure module — no I/O of its own. The visibility probe is
65
+ * injectable via `probeVisibility` so tests can simulate every
66
+ * path without going through `execSync('gh ...')`.
67
+ */
68
+ import type { RepoVisibility } from './visibility';
69
+ /** The three modes. Keep this union ordered the same way as
70
+ * `BASELINE_MODES` (declared below) so help text + arch checks
71
+ * match. */
72
+ export type BaselineMode = 'committed-full' | 'committed-sanitized' | 'ref-based';
73
+ /** Canonical enumeration of the mode strings. Consumers wanting to
74
+ * iterate every mode (CLI flag validation, help text, doctor)
75
+ * import this rather than re-listing the union members. */
76
+ export declare const BASELINE_MODES: ReadonlyArray<BaselineMode>;
77
+ /** Where the resolver picked the mode from. Surfaced to the
78
+ * runtime log + doctor + agent skills so customers see WHY
79
+ * `committed-full` was picked over `ref-based`. */
80
+ export type ModeSource = 'cli' | 'policy' | 'auto-public' | 'auto-private' | 'auto-internal' | 'auto-unknown';
81
+ /** Resolution outcome carrying the chosen mode + the audit trail
82
+ * + the resolved ref (for ref-based). Consumers read
83
+ * `mode` to dispatch and `explanation` to log. */
84
+ export interface ResolvedMode {
85
+ readonly mode: BaselineMode;
86
+ readonly source: ModeSource;
87
+ /** One-line human-readable explanation suitable for the runtime
88
+ * log. Always populated. */
89
+ readonly explanation: string;
90
+ /** Git ref used when `mode === 'ref-based'`. Resolved from CLI,
91
+ * policy, or the repo's default-branch upstream tracking ref.
92
+ * Undefined when mode is not ref-based. */
93
+ readonly ref?: string;
94
+ }
95
+ /** Input shape for the resolver. Every field is optional so the
96
+ * same function handles "no flags, no policy" and "explicit
97
+ * everything" without branching on call site. */
98
+ export interface ResolveModeOptions {
99
+ readonly cwd: string;
100
+ /** Explicit CLI flag value. Highest precedence when present. */
101
+ readonly cliMode?: BaselineMode;
102
+ /** `baseline.mode` field from `.dxkit/policy.json`. Second
103
+ * precedence. */
104
+ readonly policyMode?: BaselineMode;
105
+ /** Explicit CLI ref value (`--ref=<R>`). Only consulted when
106
+ * the resolved mode is `ref-based`. */
107
+ readonly cliRef?: string;
108
+ /** `baseline.ref` field from `.dxkit/policy.json`. */
109
+ readonly policyRef?: string;
110
+ /** Injectable for tests; production omits and the resolver
111
+ * calls `detectRepoVisibility` directly. */
112
+ readonly probeVisibility?: (cwd: string) => RepoVisibility;
113
+ /** Injectable for tests; production omits and the resolver
114
+ * shells out to `git symbolic-ref refs/remotes/origin/HEAD`. */
115
+ readonly probeDefaultRef?: (cwd: string) => string | undefined;
116
+ }
117
+ /**
118
+ * Resolve the baseline mode for a given run. Pure over its inputs
119
+ * apart from the optional probe functions (which default to
120
+ * `detectRepoVisibility` + `probeOriginHeadRef` and ARE I/O-bound).
121
+ * The returned `ResolvedMode` carries everything callers need to
122
+ * dispatch + log.
123
+ */
124
+ export declare function resolveBaselineMode(opts: ResolveModeOptions): ResolvedMode;
125
+ /**
126
+ * Probe `git symbolic-ref refs/remotes/origin/HEAD` to learn the
127
+ * remote's default branch. Returns `'origin/<branch>'` on success,
128
+ * `undefined` on any failure (no remote, no fetch ever ran, etc.).
129
+ *
130
+ * Public for testing — production callers go through
131
+ * `resolveBaselineMode`'s `opts.probeDefaultRef` injection.
132
+ */
133
+ export declare function probeOriginHeadRef(cwd: string): string | undefined;
134
+ /**
135
+ * Parse a string into a `BaselineMode`. Returns `null` for unknown
136
+ * values so the CLI surfaces a helpful error including the full
137
+ * accepted list. Used by `--mode=<X>` flag parsing.
138
+ */
139
+ export declare function parseBaselineMode(raw: string): BaselineMode | null;
140
+ //# sourceMappingURL=modes.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"modes.d.ts","sourceRoot":"","sources":["../../src/baseline/modes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD;;aAEa;AACb,MAAM,MAAM,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GAAG,WAAW,CAAC;AAElF;;4DAE4D;AAC5D,eAAO,MAAM,cAAc,EAAE,aAAa,CAAC,YAAY,CAIrD,CAAC;AAEH;;oDAEoD;AACpD,MAAM,MAAM,UAAU,GAClB,KAAK,GACL,QAAQ,GACR,aAAa,GACb,cAAc,GACd,eAAe,GACf,cAAc,CAAC;AAEnB;;mDAEmD;AACnD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B;iCAC6B;IAC7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;gDAE4C;IAC5C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;kDAEkD;AAClD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,gEAAgE;IAChE,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC;IAChC;sBACkB;IAClB,QAAQ,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC;IACnC;4CACwC;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;iDAC6C;IAC7C,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,cAAc,CAAC;IAC3D;qEACiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAChE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,kBAAkB,GAAG,YAAY,CAmB1E;AAqBD;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAalE;AAmBD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAElE"}
@@ -0,0 +1,179 @@
1
+ "use strict";
2
+ /**
3
+ * Baseline mode resolution — single source of truth for picking
4
+ * between `committed-full`, `committed-sanitized`, and `ref-based`.
5
+ *
6
+ * # The three modes
7
+ *
8
+ * - **`committed-full`** — Rich entries committed to git under
9
+ * `.dxkit/baselines/<name>.json`. The default behavior dxkit
10
+ * has had since baselines existed. Best for private repos with
11
+ * small teams; the human-readable locator fields make `baseline
12
+ * show` and block-time hints maximally useful.
13
+ *
14
+ * - **`committed-sanitized`** — The file is still committed, but
15
+ * every entry is stripped to `{ id, kind, sanitized: true }`
16
+ * before write (see `./sanitize.ts`). The cross-run matching
17
+ * contract is preserved (identity fingerprints are unchanged);
18
+ * human-readable locators are gone. Best for compliance-
19
+ * conscious private repos where broad internal read access
20
+ * makes location disclosures material.
21
+ *
22
+ * - **`ref-based`** — No baseline file is committed. The prior
23
+ * side of the guardrail diff is computed at check time from a
24
+ * git ref (default: `origin/<default-branch>`) via
25
+ * `git worktree add`. Zero disclosure surface; best for public
26
+ * repos. Cost is a longer check (gather runs twice — once
27
+ * against the ref, once against HEAD).
28
+ *
29
+ * # Resolution precedence
30
+ *
31
+ * 1. **CLI flag** — `--mode=<X>` (and `--ref=<R>`). Highest
32
+ * precedence. Overrides everything else.
33
+ * 2. **Policy file** — `baseline.mode` / `baseline.ref` in
34
+ * `.dxkit/policy.json`. Pins the choice repo-wide so every
35
+ * developer + every CI job uses the same posture.
36
+ * 3. **Visibility-derived default** — probes
37
+ * `gh repo view --json visibility` (see `./visibility.ts`)
38
+ * and picks:
39
+ * - `'public'` → `ref-based`
40
+ * - `'private'` / `'internal'` → `committed-full`
41
+ * - `'unknown'` → `committed-full` (safe default + warning)
42
+ *
43
+ * `committed-sanitized` is never auto-picked. It's the explicit
44
+ * opt-in for compliance-conscious private repos. The reasoning:
45
+ *
46
+ * - For public repos, sanitized-in-git is strictly worse than
47
+ * ref-based — you're still committing the fingerprint set,
48
+ * and ref-based gives the same matching contract without
49
+ * storing anything.
50
+ * - For typical private repos with small teams, full content
51
+ * is more useful.
52
+ *
53
+ * So sanitized lives between those two extremes and customers
54
+ * opt in via `policy.json` or `--mode=committed-sanitized`.
55
+ *
56
+ * # Why one resolver
57
+ *
58
+ * Every consumer (the `baseline create` orchestrator, the
59
+ * `guardrail check` orchestrator, doctor checks, future modes-
60
+ * aware tooling) calls `resolveBaselineMode` and reads the
61
+ * returned `ResolvedMode`. Scattered `if (visibility === 'public')`
62
+ * branches would drift independently as the rules evolve; this
63
+ * module is the single edit point.
64
+ *
65
+ * Pure module — no I/O of its own. The visibility probe is
66
+ * injectable via `probeVisibility` so tests can simulate every
67
+ * path without going through `execSync('gh ...')`.
68
+ */
69
+ Object.defineProperty(exports, "__esModule", { value: true });
70
+ exports.BASELINE_MODES = void 0;
71
+ exports.resolveBaselineMode = resolveBaselineMode;
72
+ exports.probeOriginHeadRef = probeOriginHeadRef;
73
+ exports.parseBaselineMode = parseBaselineMode;
74
+ const child_process_1 = require("child_process");
75
+ const visibility_1 = require("./visibility");
76
+ /** Canonical enumeration of the mode strings. Consumers wanting to
77
+ * iterate every mode (CLI flag validation, help text, doctor)
78
+ * import this rather than re-listing the union members. */
79
+ exports.BASELINE_MODES = Object.freeze([
80
+ 'committed-full',
81
+ 'committed-sanitized',
82
+ 'ref-based',
83
+ ]);
84
+ /**
85
+ * Resolve the baseline mode for a given run. Pure over its inputs
86
+ * apart from the optional probe functions (which default to
87
+ * `detectRepoVisibility` + `probeOriginHeadRef` and ARE I/O-bound).
88
+ * The returned `ResolvedMode` carries everything callers need to
89
+ * dispatch + log.
90
+ */
91
+ function resolveBaselineMode(opts) {
92
+ if (opts.cliMode !== undefined) {
93
+ return finalize(opts, opts.cliMode, 'cli');
94
+ }
95
+ if (opts.policyMode !== undefined) {
96
+ return finalize(opts, opts.policyMode, 'policy');
97
+ }
98
+ const probe = opts.probeVisibility ?? visibility_1.detectRepoVisibility;
99
+ const visibility = probe(opts.cwd);
100
+ switch (visibility) {
101
+ case 'public':
102
+ return finalize(opts, 'ref-based', 'auto-public');
103
+ case 'private':
104
+ return finalize(opts, 'committed-full', 'auto-private');
105
+ case 'internal':
106
+ return finalize(opts, 'committed-full', 'auto-internal');
107
+ case 'unknown':
108
+ return finalize(opts, 'committed-full', 'auto-unknown');
109
+ }
110
+ }
111
+ /**
112
+ * Internal: stamp the explanation + resolve the ref (for ref-based)
113
+ * onto the outcome. Centralized so every code path emits the same
114
+ * shape.
115
+ */
116
+ function finalize(opts, mode, source) {
117
+ const explanation = explanationFor(mode, source);
118
+ if (mode !== 'ref-based')
119
+ return { mode, source, explanation };
120
+ const ref = resolveRef(opts);
121
+ return { mode, source, explanation, ref };
122
+ }
123
+ function resolveRef(opts) {
124
+ if (opts.cliRef)
125
+ return opts.cliRef;
126
+ if (opts.policyRef)
127
+ return opts.policyRef;
128
+ const probe = opts.probeDefaultRef ?? probeOriginHeadRef;
129
+ return probe(opts.cwd) ?? 'origin/main';
130
+ }
131
+ /**
132
+ * Probe `git symbolic-ref refs/remotes/origin/HEAD` to learn the
133
+ * remote's default branch. Returns `'origin/<branch>'` on success,
134
+ * `undefined` on any failure (no remote, no fetch ever ran, etc.).
135
+ *
136
+ * Public for testing — production callers go through
137
+ * `resolveBaselineMode`'s `opts.probeDefaultRef` injection.
138
+ */
139
+ function probeOriginHeadRef(cwd) {
140
+ try {
141
+ const out = (0, child_process_1.execSync)('git symbolic-ref refs/remotes/origin/HEAD', {
142
+ cwd,
143
+ stdio: ['ignore', 'pipe', 'pipe'],
144
+ encoding: 'utf-8',
145
+ }).trim();
146
+ // Output shape: "refs/remotes/origin/main" → strip the prefix.
147
+ if (out.startsWith('refs/remotes/'))
148
+ return out.slice('refs/remotes/'.length);
149
+ return undefined;
150
+ }
151
+ catch {
152
+ return undefined;
153
+ }
154
+ }
155
+ function explanationFor(mode, source) {
156
+ switch (source) {
157
+ case 'cli':
158
+ return `mode=${mode} (--mode flag)`;
159
+ case 'policy':
160
+ return `mode=${mode} (.dxkit/policy.json: baseline.mode)`;
161
+ case 'auto-public':
162
+ return `mode=${mode} (auto: gh detected a public repo)`;
163
+ case 'auto-private':
164
+ return `mode=${mode} (auto: gh detected a private repo)`;
165
+ case 'auto-internal':
166
+ return `mode=${mode} (auto: gh detected an internal repo)`;
167
+ case 'auto-unknown':
168
+ return `mode=${mode} (auto: visibility not detectable via gh; defaulting to private posture)`;
169
+ }
170
+ }
171
+ /**
172
+ * Parse a string into a `BaselineMode`. Returns `null` for unknown
173
+ * values so the CLI surfaces a helpful error including the full
174
+ * accepted list. Used by `--mode=<X>` flag parsing.
175
+ */
176
+ function parseBaselineMode(raw) {
177
+ return exports.BASELINE_MODES.includes(raw) ? raw : null;
178
+ }
179
+ //# sourceMappingURL=modes.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"modes.js","sourceRoot":"","sources":["../../src/baseline/modes.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;;;AA4EH,kDAmBC;AA6BD,gDAaC;AAwBD,8CAEC;AAjKD,iDAAyC;AACzC,6CAAoD;AAQpD;;4DAE4D;AAC/C,QAAA,cAAc,GAAgC,MAAM,CAAC,MAAM,CAAC;IACvE,gBAAgB;IAChB,qBAAqB;IACrB,WAAW;CACZ,CAAC,CAAC;AAmDH;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAwB;IAC1D,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,IAAI,iCAAoB,CAAC;IAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;QACpD,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;QAC1D,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,eAAe,CAAC,CAAC;QAC3D,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,IAAwB,EAAE,IAAkB,EAAE,MAAkB;IAChF,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACjD,IAAI,IAAI,KAAK,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC/D,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,UAAU,CAAC,IAAwB;IAC1C,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,MAAM,CAAC;IACpC,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,IAAI,kBAAkB,CAAC;IACzD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,2CAA2C,EAAE;YAChE,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,+DAA+D;QAC/D,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAC9E,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAkB,EAAE,MAAkB;IAC5D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,KAAK;YACR,OAAO,QAAQ,IAAI,gBAAgB,CAAC;QACtC,KAAK,QAAQ;YACX,OAAO,QAAQ,IAAI,sCAAsC,CAAC;QAC5D,KAAK,aAAa;YAChB,OAAO,QAAQ,IAAI,oCAAoC,CAAC;QAC1D,KAAK,cAAc;YACjB,OAAO,QAAQ,IAAI,qCAAqC,CAAC;QAC3D,KAAK,eAAe;YAClB,OAAO,QAAQ,IAAI,uCAAuC,CAAC;QAC7D,KAAK,cAAc;YACjB,OAAO,QAAQ,IAAI,0EAA0E,CAAC;IAClG,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,OAAQ,sBAAwC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,GAAoB,CAAC,CAAC,CAAC,IAAI,CAAC;AAChG,CAAC"}
@@ -22,7 +22,31 @@
22
22
  * Phase 3's baseline-metadata work can light them up incrementally
23
23
  * without re-shaping consumer code.
24
24
  */
25
+ import type { BaselineMode } from './modes';
25
26
  import type { FindingSeverity, FindingStatus, MatchPair, MatchReason } from './types';
27
+ /**
28
+ * Optional `baseline.*` block in `.dxkit/policy.json`. Pins the
29
+ * mode + (when ref-based) the comparison ref repo-wide so every
30
+ * developer + every CI job uses the same posture. Both fields are
31
+ * optional; when absent the resolver in `./modes.ts` falls back to
32
+ * visibility-derived defaults.
33
+ *
34
+ * Schema example:
35
+ *
36
+ * {
37
+ * "baseline": {
38
+ * "mode": "ref-based",
39
+ * "ref": "origin/main"
40
+ * }
41
+ * }
42
+ */
43
+ export interface BaselineSection {
44
+ readonly mode?: BaselineMode;
45
+ /** Git ref to compare against in `ref-based` mode. When absent,
46
+ * the resolver probes `origin/HEAD` and falls back to
47
+ * `'origin/main'`. */
48
+ readonly ref?: string;
49
+ }
26
50
  /**
27
51
  * Per-finding-kind overrides that escalate specific guardrail rules
28
52
  * beyond the generic `block` / `warn` lists. Each rule maps to a
@@ -87,6 +111,21 @@ export interface BrownfieldPolicy {
87
111
  * diff overlap) via `.dxkit/policy.json`.
88
112
  */
89
113
  readonly addedRequiresChangedLines: ReadonlyArray<string>;
114
+ /**
115
+ * Baseline-mode pinning. When absent, the resolver in `./modes.ts`
116
+ * falls back to visibility-derived defaults
117
+ * (`'public'` → `ref-based`; `'private'` / `'internal'` /
118
+ * `'unknown'` → `committed-full`). Customers pin this to lock the
119
+ * posture across all developers + CI jobs:
120
+ *
121
+ * - `'committed-full'`: rich entries committed (default for
122
+ * private repos with small teams).
123
+ * - `'committed-sanitized'`: stripped entries committed
124
+ * (compliance-conscious private repos).
125
+ * - `'ref-based'`: no committed baseline; computed from a git
126
+ * ref at check time (default for public repos).
127
+ */
128
+ readonly baseline?: BaselineSection;
90
129
  }
91
130
  /**
92
131
  * Default brownfield policy. Captures the conservative posture from
@@ -168,4 +207,29 @@ export declare function classify(pair: MatchPair, policy?: BrownfieldPolicy, con
168
207
  * envelope to fill in the fields the classifier reads.
169
208
  */
170
209
  export declare function classifyAll(pairs: ReadonlyArray<MatchPair>, policy?: BrownfieldPolicy, contextFor?: (pair: MatchPair) => ClassifyContext): ReadonlyArray<ClassifyResult>;
210
+ /** Conventional location for a per-repo brownfield policy. Loaded
211
+ * automatically by `resolvePolicy` when present. */
212
+ export declare const DEFAULT_POLICY_FILENAME: string;
213
+ /**
214
+ * Load a brownfield policy with the three-step resolution order
215
+ * shared by `createBaseline` and `runGuardrailCheck`:
216
+ *
217
+ * 1. `policyPath` (explicit `--policy <p>` flag). Errors if the
218
+ * path is supplied but unreadable / malformed.
219
+ * 2. `<cwd>/.dxkit/policy.json` (conventional). Silently skipped
220
+ * when absent so consumers without a policy get the defaults.
221
+ * 3. `DEFAULT_BROWNFIELD_POLICY` (compiled-in fallback).
222
+ *
223
+ * Customer fields shallow-merge over the default. The
224
+ * `confidence` / `blockRules` blocks deep-merge by key. Unknown
225
+ * fields are preserved — the classifier ignores what it doesn't
226
+ * know, so forward-compatible policy files don't break old dxkit.
227
+ */
228
+ export declare function resolvePolicy(policyPath: string | undefined, cwd: string): BrownfieldPolicy;
229
+ /**
230
+ * Convenience wrapper for callers that don't take a `--policy`
231
+ * override (e.g., `createBaseline`). Loads the conventional file if
232
+ * present; returns defaults otherwise.
233
+ */
234
+ export declare function loadPolicyFromCwd(cwd: string): BrownfieldPolicy;
171
235
  //# sourceMappingURL=policy.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtF;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,kEAAkE;IAClE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IACvC,iEAAiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,oEAAoE;IACpE,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,CAAC;IACtD,mEAAmE;IACnE,QAAQ,CAAC,uCAAuC,CAAC,EAAE,OAAO,CAAC;IAC3D,qEAAqE;IACrE,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,mCAAmC,CAAC,EAAE,OAAO,CAAC;CACxD;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC7C,mDAAmD;IACnD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC5C;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/D,uCAAuC;IACvC,QAAQ,CAAC,UAAU,EAAE,oBAAoB,CAAC;IAC1C;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,QAAQ,CAAC,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC3D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yBAAyB,EAAE,gBA0BtC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,sEAAsE;IACtE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;uEAEmE;IACnE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;yEACqE;IACrE,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;yDAGqD;IACrD,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,mDAAmD;AACnD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAC/B;wCACoC;IACpC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;kDAC8C;IAC9C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,QAAQ,CACtB,IAAI,EAAE,SAAS,EACf,MAAM,GAAE,gBAA4C,EACpD,OAAO,GAAE,eAAoB,GAC5B,cAAc,CAmEhB;AA0DD;;;;;;;GAOG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAC/B,MAAM,GAAE,gBAA4C,EACpD,UAAU,GAAE,CAAC,IAAI,EAAE,SAAS,KAAK,eAA4B,GAC5D,aAAa,CAAC,cAAc,CAAC,CAE/B"}
1
+ {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC;IAC7B;;2BAEuB;IACvB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,kEAAkE;IAClE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IACvC,iEAAiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,oEAAoE;IACpE,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,CAAC;IACtD,mEAAmE;IACnE,QAAQ,CAAC,uCAAuC,CAAC,EAAE,OAAO,CAAC;IAC3D,qEAAqE;IACrE,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,mCAAmC,CAAC,EAAE,OAAO,CAAC;CACxD;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC7C,mDAAmD;IACnD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC5C;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/D,uCAAuC;IACvC,QAAQ,CAAC,UAAU,EAAE,oBAAoB,CAAC;IAC1C;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,QAAQ,CAAC,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1D;;;;;;;;;;;;;OAaG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;CACrC;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yBAAyB,EAAE,gBA0BtC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,sEAAsE;IACtE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;uEAEmE;IACnE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;yEACqE;IACrE,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;yDAGqD;IACrD,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,mDAAmD;AACnD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAC/B;wCACoC;IACpC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;kDAC8C;IAC9C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,QAAQ,CACtB,IAAI,EAAE,SAAS,EACf,MAAM,GAAE,gBAA4C,EACpD,OAAO,GAAE,eAAoB,GAC5B,cAAc,CAmEhB;AA0DD;;;;;;;GAOG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAC/B,MAAM,GAAE,gBAA4C,EACpD,UAAU,GAAE,CAAC,IAAI,EAAE,SAAS,KAAK,eAA4B,GAC5D,aAAa,CAAC,cAAc,CAAC,CAE/B;AAED;qDACqD;AACrD,eAAO,MAAM,uBAAuB,QAAqC,CAAC;AAE1E;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAkC3F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAE/D"}