@vyuhlabs/dxkit 2.5.2 → 2.7.0
- package/CHANGELOG.md +218 -13
- package/README.md +220 -369
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +3 -3
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +168 -6
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +106 -16
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +32 -11
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +5 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +5 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +5 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +5 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +5 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +5 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +79 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +6 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
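--- a/package/dist/baseline/entry-to-located.js
+++ b/package/dist/baseline/entry-to-located.js
@@ -17,7 +17,7 @@
  * apply to hygiene markers; the marker IS the canonical name.
  *
  * Kinds without file/line locators (dep-vuln, duplication,
- * coverage-gap,
+ * coverage-gap, test-gap, test-file-degradation, god-file,
  * stale-file, large-file, secret-hmac) fall through to the matcher's
  * multiset pass — they're paired by exact identity-hash equality,
  * which the matcher already handles without any locator metadata.
@@ -26,13 +26,21 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.entryToLocated = entryToLocated;
 exports.entriesToLocated = entriesToLocated;
 const fingerprint_1 = require("../analyzers/tools/fingerprint");
+const sanitize_1 = require("./sanitize");
 /**
  * Build a `LocatedIdentity` from one stored entry. The id is the
  * already-computed identity hash; locator fields are populated for
  * the kinds the matcher's location-pair / content-hash passes can
  * use.
+ *
+ * Sanitized entries (`sanitized: true`) carry only identity + kind;
+ * they short-circuit to identity-only locators because the
+ * location-pair pass has no fields to compare. The matcher's
+ * multiset pass still pairs them at full confidence by id.
  */
 function entryToLocated(entry) {
+    if ((0, sanitize_1.isSanitized)(entry))
+        return { id: entry.id };
     switch (entry.kind) {
         case 'secret':
         case 'code':
@@ -52,10 +60,20 @@ function entryToLocated(entry) {
                 rule: entry.marker,
                 ...(entry.contentHash !== undefined ? { contentHash: entry.contentHash } : {}),
             };
+        case 'stale-allow':
+            // Annotation comments don't have a tool/rule pair — the
+            // "rule" is the annotation's category. Reuse the field so
+            // the matcher's location-pair pass can treat them like other
+            // source-anchored kinds.
+            return {
+                id: entry.id,
+                file: entry.file,
+                line: entry.line,
+                rule: entry.category,
+            };
         case 'dep-vuln':
         case 'duplication':
         case 'coverage-gap':
-        case 'license':
         case 'test-gap':
         case 'test-file-degradation':
         case 'god-file':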
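Review bot: Dropping `case 'license'` from the identity-only fallthrough (old line 58 of the third hunk) leaves `entryToLocated` with no branch for that kind, so a baseline file written by an earlier release that still holds `kind: 'license'` entries falls out of the switch and the function returns `undefined`, which `entriesToLocated` then passes on to the matcher as an undefined element. Unless the baseline loader already rejects or migrates unknown kinds (not visible in this diff), a closing arm keeps legacy files usable by pairing on hash alone: `default: return { id: entry.id };`. If the intent is instead to refuse outdated files, the default should throw with the offending kind named rather than return nothing. The TypeScript source presumably treats the union as exhaustive, but this compiled switch is what runs against on-disk data; the rest of `entryToLocated` lies outside the hunks.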
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"entry-to-located.js","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;
|
|
1
|
+
{"version":3,"file":"entry-to-located.js","sourceRoot":"","sources":["../../src/baseline/entry-to-located.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;;AAkBH,wCA2CC;AAGD,4CAIC;AAlED,gEAAkE;AAElE,yCAAyC;AAGzC;;;;;;;;;;GAUG;AACH,SAAgB,cAAc,CAAC,KAAoB;IACjD,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAChD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC;gBAC9C,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,MAAM;gBAClB,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC/E,CAAC;QACJ,KAAK,aAAa;YAChB,wDAAwD;YACxD,0DAA0D;YAC1D,6DAA6D;YAC7D,yBAAyB;YACzB,OAAO;gBACL,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,IAAI,EAAE,KAAK,CAAC,QAAQ;aACrB,CAAC;QACJ,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa,CAAC;QACnB,KAAK,cAAc,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY,CAAC;QAClB,KAAK,aAAa;YAChB,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,SAAgB,gBAAgB,CAC9B,OAAqC;IAErC,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;AACrC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"finding-identity.d.ts","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACb,qBAAqB,EAGrB,WAAW,EAGZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,OAAO,GAAE,qBAA4B,GACpC,SAAS,CA4CX;
|
|
1
|
+
{"version":3,"file":"finding-identity.d.ts","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAcH,OAAO,KAAK,EACV,SAAS,EAET,aAAa,EACb,qBAAqB,EAGrB,WAAW,EAGZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;;GAWG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,EACpB,OAAO,GAAE,qBAA4B,GACpC,SAAS,CA4CX;AA0KD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,EAC1B,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,GAC3B,WAAW,CAyDb"}
|
|
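--- a/package/dist/baseline/finding-identity.js
+++ b/package/dist/baseline/finding-identity.js
@@ -53,8 +53,6 @@ function identityFor(input, version = 'v1') {
             return computeTestGapIdentity(input.file, input.risk);
         case 'hygiene':
             return computeHygieneIdentity(input.file, input.line, input.marker);
-        case 'license':
-            return computeLicenseIdentity(input.package, input.version, input.licenseType);
         case 'test-file-degradation':
             return computeTestFileDegradationIdentity(input.file, input.status);
         case 'god-file':
@@ -65,6 +63,8 @@ function identityFor(input, version = 'v1') {
             return computeLargeFileIdentity(input.file);
         case 'secret-hmac':
             return computeSecretHmacIdentity(input.tool, input.rule, input.hmac);
+        case 'stale-allow':
+            return computeStaleAllowIdentity(input.file, input.line, input.category);
     }
 }
 /**
@@ -138,17 +138,6 @@ function computeHygieneIdentity(file, line, marker) {
     const input = `hygiene\0v1\0${marker}\0${file}\0${(0, fingerprint_1.lineWindowFor)(line)}`;
     return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
 }
-/**
- * Identity for a package license attribution. Includes the license
- * type so a re-licensing event on the same `(package, version)` pin
- * registers as a fresh finding — compliance teams want to be
- * notified when a transitive dep switches from MIT to GPL even
- * without a version bump.
- */
-function computeLicenseIdentity(packageName, version, licenseType) {
-    const input = `license\0v1\0${packageName}\0${version}\0${licenseType}`;
-    return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
-}
 /**
  * Identity for a degraded test file. Degradation status is part of
  * identity so transitions between states register as fresh findings
@@ -208,6 +197,19 @@ function computeSecretHmacIdentity(tool, rule, hmac) {
     const input = `secret-hmac\0v1\0${canonicalRule}\0${hmac}`;
     return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
 }
+/**
+ * Identity for an orphaned inline allowlist annotation. Line is
+ * bucketed via the canonical 3-line window so small formatter /
+ * unrelated-edit drift doesn't churn identity. Category is part of
+ * identity so reclassifying an annotation (test-fixture →
+ * false-positive on the same source line) registers as a fresh
+ * finding — the new category's appropriateness is a separate
+ * judgment worth surfacing.
+ */
+function computeStaleAllowIdentity(file, line, category) {
+    const input = `stale-allow\0v1\0${file}\0${(0, fingerprint_1.lineWindowFor)(line)}\0${category}`;
+    return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
+}
 /**
  * Multiset-aware identity diff — the lowest layer of baseline
  * comparison. Pairs identities by occurrence count, not by presence: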
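Review bot: With `case 'license'` gone (old lines 56–57 of the first hunk) and `case 'stale-allow'` closing the switch in the second hunk, `identityFor` still has no `default:` arm, so an input whose `kind` is not listed now yields `undefined` silently instead of a hash — and that `undefined` would be written into a baseline as an entry id and never pair with anything on later runs. A final `default: throw new Error(\`identityFor: unsupported finding kind ${input.kind}\`);` makes the gap fail loudly at create time, which matters more now that one kind was removed and one added in the same release. The body of `identityFor` begins before the first hunk, so the other arms are not visible here. The new `computeStaleAllowIdentity` follows the existing `prefix\0v1\0…` domain-separation pattern and needs no change.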
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"finding-identity.js","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsCH,kCA+CC;
|
|
1
|
+
{"version":3,"file":"finding-identity.js","sourceRoot":"","sources":["../../src/baseline/finding-identity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAsCH,kCA+CC;AA6LD,0CA4DC;AA5UD,mCAAoC;AACpC,gEAKwC;AAkBxC;;;;;;;;;;;GAWG;AACH,SAAgB,WAAW,CACzB,KAAoB,EACpB,UAAiC,IAAI;IAErC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;IACD,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAC/D,OAAO,IAAA,oCAAsB,EAAC,aAAa,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,CAAC;QACD,KAAK,UAAU;YACb,OAAO,IAAA,gCAAkB,EAAC;gBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;gBACxC,EAAE,EAAE,KAAK,CAAC,EAAE;aACb,CAAC,CAAC;QACL,KAAK,aAAa;YAChB,OAAO,0BAA0B,CAC/B,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,0BAA0B,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/E,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACxD,KAAK,SAAS;YACZ,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,uBAAuB;YAC1B,OAAO,kCAAkC,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QACtE,KAAK,UAAU;YACb,OAAO,sBAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC5D,KAAK,YAAY;YACf,OAAO,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9C,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvE,KAAK,aAAa;YAChB,OAAO,yBAAyB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAS,0BAA0B,CACjC,KAAa,EACb,KAAa,EACb,KAAa,EACb,UAAkB,EAClB,UAAkB;IAElB,MAAM,KAAK,GAA4B;QACrC,CAAC,KAAK,EAAE,UAAU,CAAC;QACnB,CAAC,KAAK,EAAE,UAAU,CAAC;KACpB,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,CAAC,C
AAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,KAAK,GAAG,oBAAoB,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;IAC1G,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,0BAA0B,CACjC,IAAY,EACZ,MAA0B,EAC1B,SAAgD;IAEhD,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,yEAAyE,IAAI,GAAG,CACjF,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS,SAAU,CAAC,CAAC,CAAC,IAAI,SAAU,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3F,MAAM,KAAK,GAAG,qBAAqB,IAAI,KAAK,aAAa,EAAE,CAAC;IAC5D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAiB;IAC7D,MAAM,KAAK,GAAG,iBAAiB,IAAI,KAAK,IAAI,EAAE,CAAC;IAC/C,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY,EAAE,IAAY,EAAE,MAAqB;IAC/E,MAAM,KAAK,GAAG,gBAAgB,MAAM,KAAK,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,EAAE,CAAC;IACxE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,kCAAkC,CACzC,IAAY,EACZ,MAAiC;IAEjC,MAAM,KAAK,GAAG,8BAA8B,IAAI,KAAK,MAAM,EAAE,CAAC;IAC9D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,KAAK,GAAG,iBAAiB,IAAI,EAAE,CAAC;IACtC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC
,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,wBAAwB,CAAC,IAAY,EAAE,MAAc;IAC5D,MAAM,KAAK,GAAG,mBAAmB,IAAI,KAAK,MAAM,EAAE,CAAC;IACnD,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,mBAAmB,IAAI,EAAE,CAAC;IACxC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,IAAY;IACzE,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,oBAAoB,aAAa,KAAK,IAAI,EAAE,CAAC;IAC3D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,yBAAyB,CAAC,IAAY,EAAE,IAAY,EAAE,QAAgB;IAC7E,MAAM,KAAK,GAAG,oBAAoB,IAAI,KAAK,IAAA,2BAAa,EAAC,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;IAC9E,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,eAAe,CAC7B,KAA0B,EAC1B,OAA4B;IAE5B,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,aAAa,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAY,CAAC,GAAG,WAAW,CAAC,IAAI,EAAE,EAAE,GAAG,aAAa,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAEpF,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAgB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAgB,EAAE,CAAC;IAChC,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,wDAAwD;KACjE,CAAC;IACF,MAAM,SAAS,GAAgB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,kDAAkD;KAC3D,CAAC;IACF,MAAM,UAAU,GAAgB;QAC9B,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,sDAAsD;KAC/D,CAAC;IAEF,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,
CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,WAAW,CAAC;aACvB,CAAC,CAAC;YACH,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,SAAS,EAAE,EAAE;gBACb,MAAM,EAAE,OAAO;gBACf,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,SAAS,CAAC;aACrB,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,SAAS;gBACjB,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,CAAC,UAAU,CAAC;aACtB,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,aAAa,CAAC,KAA0B;IAC/C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -0,0 +1,140 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Baseline mode resolution — single source of truth for picking
|
|
3
|
+
* between `committed-full`, `committed-sanitized`, and `ref-based`.
|
|
4
|
+
*
|
|
5
|
+
* # The three modes
|
|
6
|
+
*
|
|
7
|
+
* - **`committed-full`** — Rich entries committed to git under
|
|
8
|
+
* `.dxkit/baselines/<name>.json`. The default behavior dxkit
|
|
9
|
+
* has had since baselines existed. Best for private repos with
|
|
10
|
+
* small teams; the human-readable locator fields make `baseline
|
|
11
|
+
* show` and block-time hints maximally useful.
|
|
12
|
+
*
|
|
13
|
+
* - **`committed-sanitized`** — The file is still committed, but
|
|
14
|
+
* every entry is stripped to `{ id, kind, sanitized: true }`
|
|
15
|
+
* before write (see `./sanitize.ts`). The cross-run matching
|
|
16
|
+
* contract is preserved (identity fingerprints are unchanged);
|
|
17
|
+
* human-readable locators are gone. Best for compliance-
|
|
18
|
+
* conscious private repos where broad internal read access
|
|
19
|
+
* makes location disclosures material.
|
|
20
|
+
*
|
|
21
|
+
* - **`ref-based`** — No baseline file is committed. The prior
|
|
22
|
+
* side of the guardrail diff is computed at check time from a
|
|
23
|
+
* git ref (default: `origin/<default-branch>`) via
|
|
24
|
+
* `git worktree add`. Zero disclosure surface; best for public
|
|
25
|
+
* repos. Cost is a longer check (gather runs twice — once
|
|
26
|
+
* against the ref, once against HEAD).
|
|
27
|
+
*
|
|
28
|
+
* # Resolution precedence
|
|
29
|
+
*
|
|
30
|
+
* 1. **CLI flag** — `--mode=<X>` (and `--ref=<R>`). Highest
|
|
31
|
+
* precedence. Overrides everything else.
|
|
32
|
+
* 2. **Policy file** — `baseline.mode` / `baseline.ref` in
|
|
33
|
+
* `.dxkit/policy.json`. Pins the choice repo-wide so every
|
|
34
|
+
* developer + every CI job uses the same posture.
|
|
35
|
+
* 3. **Visibility-derived default** — probes
|
|
36
|
+
* `gh repo view --json visibility` (see `./visibility.ts`)
|
|
37
|
+
* and picks:
|
|
38
|
+
* - `'public'` → `ref-based`
|
|
39
|
+
* - `'private'` / `'internal'` → `committed-full`
|
|
40
|
+
* - `'unknown'` → `committed-full` (safe default + warning)
|
|
41
|
+
*
|
|
42
|
+
* `committed-sanitized` is never auto-picked. It's the explicit
|
|
43
|
+
* opt-in for compliance-conscious private repos. The reasoning:
|
|
44
|
+
*
|
|
45
|
+
* - For public repos, sanitized-in-git is strictly worse than
|
|
46
|
+
* ref-based — you're still committing the fingerprint set,
|
|
47
|
+
* and ref-based gives the same matching contract without
|
|
48
|
+
* storing anything.
|
|
49
|
+
* - For typical private repos with small teams, full content
|
|
50
|
+
* is more useful.
|
|
51
|
+
*
|
|
52
|
+
* So sanitized lives between those two extremes and customers
|
|
53
|
+
* opt in via `policy.json` or `--mode=committed-sanitized`.
|
|
54
|
+
*
|
|
55
|
+
* # Why one resolver
|
|
56
|
+
*
|
|
57
|
+
* Every consumer (the `baseline create` orchestrator, the
|
|
58
|
+
* `guardrail check` orchestrator, doctor checks, future modes-
|
|
59
|
+
* aware tooling) calls `resolveBaselineMode` and reads the
|
|
60
|
+
* returned `ResolvedMode`. Scattered `if (visibility === 'public')`
|
|
61
|
+
* branches would drift independently as the rules evolve; this
|
|
62
|
+
* module is the single edit point.
|
|
63
|
+
*
|
|
64
|
+
* Pure module — no I/O of its own. The visibility probe is
|
|
65
|
+
* injectable via `probeVisibility` so tests can simulate every
|
|
66
|
+
* path without going through `execSync('gh ...')`.
|
|
67
|
+
*/
|
|
68
|
+
import type { RepoVisibility } from './visibility';
|
|
69
|
+
/** The three modes. Keep this union ordered the same way as
|
|
70
|
+
* `BASELINE_MODES` (declared below) so help text + arch checks
|
|
71
|
+
* match. */
|
|
72
|
+
export type BaselineMode = 'committed-full' | 'committed-sanitized' | 'ref-based';
|
|
73
|
+
/** Canonical enumeration of the mode strings. Consumers wanting to
|
|
74
|
+
* iterate every mode (CLI flag validation, help text, doctor)
|
|
75
|
+
* import this rather than re-listing the union members. */
|
|
76
|
+
export declare const BASELINE_MODES: ReadonlyArray<BaselineMode>;
|
|
77
|
+
/** Where the resolver picked the mode from. Surfaced to the
|
|
78
|
+
* runtime log + doctor + agent skills so customers see WHY
|
|
79
|
+
* `committed-full` was picked over `ref-based`. */
|
|
80
|
+
export type ModeSource = 'cli' | 'policy' | 'auto-public' | 'auto-private' | 'auto-internal' | 'auto-unknown';
|
|
81
|
+
/** Resolution outcome carrying the chosen mode + the audit trail
|
|
82
|
+
* + the resolved ref (for ref-based). Consumers read
|
|
83
|
+
* `mode` to dispatch and `explanation` to log. */
|
|
84
|
+
export interface ResolvedMode {
|
|
85
|
+
readonly mode: BaselineMode;
|
|
86
|
+
readonly source: ModeSource;
|
|
87
|
+
/** One-line human-readable explanation suitable for the runtime
|
|
88
|
+
* log. Always populated. */
|
|
89
|
+
readonly explanation: string;
|
|
90
|
+
/** Git ref used when `mode === 'ref-based'`. Resolved from CLI,
|
|
91
|
+
* policy, or the repo's default-branch upstream tracking ref.
|
|
92
|
+
* Undefined when mode is not ref-based. */
|
|
93
|
+
readonly ref?: string;
|
|
94
|
+
}
|
|
95
|
+
/** Input shape for the resolver. Every field is optional so the
|
|
96
|
+
* same function handles "no flags, no policy" and "explicit
|
|
97
|
+
* everything" without branching on call site. */
|
|
98
|
+
export interface ResolveModeOptions {
|
|
99
|
+
readonly cwd: string;
|
|
100
|
+
/** Explicit CLI flag value. Highest precedence when present. */
|
|
101
|
+
readonly cliMode?: BaselineMode;
|
|
102
|
+
/** `baseline.mode` field from `.dxkit/policy.json`. Second
|
|
103
|
+
* precedence. */
|
|
104
|
+
readonly policyMode?: BaselineMode;
|
|
105
|
+
/** Explicit CLI ref value (`--ref=<R>`). Only consulted when
|
|
106
|
+
* the resolved mode is `ref-based`. */
|
|
107
|
+
readonly cliRef?: string;
|
|
108
|
+
/** `baseline.ref` field from `.dxkit/policy.json`. */
|
|
109
|
+
readonly policyRef?: string;
|
|
110
|
+
/** Injectable for tests; production omits and the resolver
|
|
111
|
+
* calls `detectRepoVisibility` directly. */
|
|
112
|
+
readonly probeVisibility?: (cwd: string) => RepoVisibility;
|
|
113
|
+
/** Injectable for tests; production omits and the resolver
|
|
114
|
+
* shells out to `git symbolic-ref refs/remotes/origin/HEAD`. */
|
|
115
|
+
readonly probeDefaultRef?: (cwd: string) => string | undefined;
|
|
116
|
+
}
|
|
117
|
+
/**
|
|
118
|
+
* Resolve the baseline mode for a given run. Pure over its inputs
|
|
119
|
+
* apart from the optional probe functions (which default to
|
|
120
|
+
* `detectRepoVisibility` + `probeOriginHeadRef` and ARE I/O-bound).
|
|
121
|
+
* The returned `ResolvedMode` carries everything callers need to
|
|
122
|
+
* dispatch + log.
|
|
123
|
+
*/
|
|
124
|
+
export declare function resolveBaselineMode(opts: ResolveModeOptions): ResolvedMode;
|
|
125
|
+
/**
|
|
126
|
+
* Probe `git symbolic-ref refs/remotes/origin/HEAD` to learn the
|
|
127
|
+
* remote's default branch. Returns `'origin/<branch>'` on success,
|
|
128
|
+
* `undefined` on any failure (no remote, no fetch ever ran, etc.).
|
|
129
|
+
*
|
|
130
|
+
* Public for testing — production callers go through
|
|
131
|
+
* `resolveBaselineMode`'s `opts.probeDefaultRef` injection.
|
|
132
|
+
*/
|
|
133
|
+
export declare function probeOriginHeadRef(cwd: string): string | undefined;
|
|
134
|
+
/**
|
|
135
|
+
* Parse a string into a `BaselineMode`. Returns `null` for unknown
|
|
136
|
+
* values so the CLI surfaces a helpful error including the full
|
|
137
|
+
* accepted list. Used by `--mode=<X>` flag parsing.
|
|
138
|
+
*/
|
|
139
|
+
export declare function parseBaselineMode(raw: string): BaselineMode | null;
|
|
140
|
+
//# sourceMappingURL=modes.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"modes.d.ts","sourceRoot":"","sources":["../../src/baseline/modes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD;;aAEa;AACb,MAAM,MAAM,YAAY,GAAG,gBAAgB,GAAG,qBAAqB,GAAG,WAAW,CAAC;AAElF;;4DAE4D;AAC5D,eAAO,MAAM,cAAc,EAAE,aAAa,CAAC,YAAY,CAIrD,CAAC;AAEH;;oDAEoD;AACpD,MAAM,MAAM,UAAU,GAClB,KAAK,GACL,QAAQ,GACR,aAAa,GACb,cAAc,GACd,eAAe,GACf,cAAc,CAAC;AAEnB;;mDAEmD;AACnD,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B;iCAC6B;IAC7B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;gDAE4C;IAC5C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;kDAEkD;AAClD,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,gEAAgE;IAChE,QAAQ,CAAC,OAAO,CAAC,EAAE,YAAY,CAAC;IAChC;sBACkB;IAClB,QAAQ,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC;IACnC;4CACwC;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;iDAC6C;IAC7C,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,cAAc,CAAC;IAC3D;qEACiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAChE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,kBAAkB,GAAG,YAAY,CAmB1E;AAqBD;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAalE;AAmBD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAElE"}
|
|
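--- a/package/dist/baseline/modes.js
+++ b/package/dist/baseline/modes.js
@@ -0,0 +1,179 @@
+"use strict";
+/**
+* Baseline mode resolution — single source of truth for picking
+* between `committed-full`, `committed-sanitized`, and `ref-based`.
+*
+* # The three modes
+*
+* - **`committed-full`** — Rich entries committed to git under
+* `.dxkit/baselines/<name>.json`. The default behavior dxkit
+* has had since baselines existed. Best for private repos with
+* small teams; the human-readable locator fields make `baseline
+* show` and block-time hints maximally useful.
+*
+* - **`committed-sanitized`** — The file is still committed, but
+* every entry is stripped to `{ id, kind, sanitized: true }`
+* before write (see `./sanitize.ts`). The cross-run matching
+* contract is preserved (identity fingerprints are unchanged);
+* human-readable locators are gone. Best for compliance-
+* conscious private repos where broad internal read access
+* makes location disclosures material.
+*
+* - **`ref-based`** — No baseline file is committed. The prior
+* side of the guardrail diff is computed at check time from a
+* git ref (default: `origin/<default-branch>`) via
+* `git worktree add`. Zero disclosure surface; best for public
+* repos. Cost is a longer check (gather runs twice — once
+* against the ref, once against HEAD).
+*
+* # Resolution precedence
+*
+* 1. **CLI flag** — `--mode=<X>` (and `--ref=<R>`). Highest
+* precedence. Overrides everything else.
+* 2. **Policy file** — `baseline.mode` / `baseline.ref` in
+* `.dxkit/policy.json`. Pins the choice repo-wide so every
+* developer + every CI job uses the same posture.
+* 3. **Visibility-derived default** — probes
+* `gh repo view --json visibility` (see `./visibility.ts`)
+* and picks:
+* - `'public'` → `ref-based`
+* - `'private'` / `'internal'` → `committed-full`
+* - `'unknown'` → `committed-full` (safe default + warning)
+*
+* `committed-sanitized` is never auto-picked. It's the explicit
+* opt-in for compliance-conscious private repos. The reasoning:
+*
+* - For public repos, sanitized-in-git is strictly worse than
+* ref-based — you're still committing the fingerprint set,
+* and ref-based gives the same matching contract without
+* storing anything.
+* - For typical private repos with small teams, full content
+* is more useful.
+*
+* So sanitized lives between those two extremes and customers
+* opt in via `policy.json` or `--mode=committed-sanitized`.
+*
+* # Why one resolver
+*
+* Every consumer (the `baseline create` orchestrator, the
+* `guardrail check` orchestrator, doctor checks, future modes-
+* aware tooling) calls `resolveBaselineMode` and reads the
+* returned `ResolvedMode`. Scattered `if (visibility === 'public')`
+* branches would drift independently as the rules evolve; this
+* module is the single edit point.
+*
+* Pure module — no I/O of its own. The visibility probe is
+* injectable via `probeVisibility` so tests can simulate every
+* path without going through `execSync('gh ...')`.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BASELINE_MODES = void 0;
+exports.resolveBaselineMode = resolveBaselineMode;
+exports.probeOriginHeadRef = probeOriginHeadRef;
+exports.parseBaselineMode = parseBaselineMode;
+const child_process_1 = require("child_process");
+const visibility_1 = require("./visibility");
+/** Canonical enumeration of the mode strings. Consumers wanting to
+* iterate every mode (CLI flag validation, help text, doctor)
+* import this rather than re-listing the union members. */
+exports.BASELINE_MODES = Object.freeze([
+'committed-full',
+'committed-sanitized',
+'ref-based',
+]);
+/**
+* Resolve the baseline mode for a given run. Pure over its inputs
+* apart from the optional probe functions (which default to
+* `detectRepoVisibility` + `probeOriginHeadRef` and ARE I/O-bound).
+* The returned `ResolvedMode` carries everything callers need to
+* dispatch + log.
+*/
+function resolveBaselineMode(opts) {
+if (opts.cliMode !== undefined) {
+return finalize(opts, opts.cliMode, 'cli');
+}
+if (opts.policyMode !== undefined) {
+return finalize(opts, opts.policyMode, 'policy');
+}
+const probe = opts.probeVisibility ?? visibility_1.detectRepoVisibility;
+const visibility = probe(opts.cwd);
+switch (visibility) {
+case 'public':
+return finalize(opts, 'ref-based', 'auto-public');
+case 'private':
+return finalize(opts, 'committed-full', 'auto-private');
+case 'internal':
+return finalize(opts, 'committed-full', 'auto-internal');
+case 'unknown':
+return finalize(opts, 'committed-full', 'auto-unknown');
+}
+}
+/**
+* Internal: stamp the explanation + resolve the ref (for ref-based)
+* onto the outcome. Centralized so every code path emits the same
+* shape.
+*/
+function finalize(opts, mode, source) {
+const explanation = explanationFor(mode, source);
+if (mode !== 'ref-based')
+return { mode, source, explanation };
+const ref = resolveRef(opts);
+return { mode, source, explanation, ref };
+}
+function resolveRef(opts) {
+if (opts.cliRef)
+return opts.cliRef;
+if (opts.policyRef)
+return opts.policyRef;
+const probe = opts.probeDefaultRef ?? probeOriginHeadRef;
+return probe(opts.cwd) ?? 'origin/main';
+}
+/**
+* Probe `git symbolic-ref refs/remotes/origin/HEAD` to learn the
+* remote's default branch. Returns `'origin/<branch>'` on success,
+* `undefined` on any failure (no remote, no fetch ever ran, etc.).
+*
+* Public for testing — production callers go through
+* `resolveBaselineMode`'s `opts.probeDefaultRef` injection.
+*/
+function probeOriginHeadRef(cwd) {
+try {
+const out = (0, child_process_1.execSync)('git symbolic-ref refs/remotes/origin/HEAD', {
+cwd,
+stdio: ['ignore', 'pipe', 'pipe'],
+encoding: 'utf-8',
+}).trim();
+// Output shape: "refs/remotes/origin/main" → strip the prefix.
+if (out.startsWith('refs/remotes/'))
+return out.slice('refs/remotes/'.length);
+return undefined;
+}
+catch {
+return undefined;
+}
+}
+function explanationFor(mode, source) {
+switch (source) {
+case 'cli':
+return `mode=${mode} (--mode flag)`;
+case 'policy':
+return `mode=${mode} (.dxkit/policy.json: baseline.mode)`;
+case 'auto-public':
+return `mode=${mode} (auto: gh detected a public repo)`;
+case 'auto-private':
+return `mode=${mode} (auto: gh detected a private repo)`;
+case 'auto-internal':
+return `mode=${mode} (auto: gh detected an internal repo)`;
+case 'auto-unknown':
+return `mode=${mode} (auto: visibility not detectable via gh; defaulting to private posture)`;
+}
+}
+/**
+* Parse a string into a `BaselineMode`. Returns `null` for unknown
+* values so the CLI surfaces a helpful error including the full
+* accepted list. Used by `--mode=<X>` flag parsing.
+*/
+function parseBaselineMode(raw) {
+return exports.BASELINE_MODES.includes(raw) ? raw : null;
+}
+//# sourceMappingURL=modes.js.map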
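Review bot: `resolveBaselineMode` (file lines 95–97) forwards `opts.policyMode` unvalidated, so a misspelled `baseline.mode` in `.dxkit/policy.json` is stamped onto the result with `source: 'policy'` and reaches every consumer as an unknown mode instead of failing at the edge, even though this module already exports the validator; adding `if (parseBaselineMode(opts.policyMode) === null) throw new Error(`invalid baseline.mode in .dxkit/policy.json: ${opts.policyMode}`);` before that `finalize` call closes the gap. `resolveRef` (lines 123–130) likewise returns `cliRef`/`policyRef` verbatim, and per the header comment the ref ends up in a `git worktree add` invocation outside this file, so a value beginning with `-` or containing whitespace or control characters should be rejected here — e.g. `execFileSync('git', ['check-ref-format', '--allow-onelevel', ref])` with the ref passed as an argument, or a conservative pattern — rather than trusted downstream, because `policy.json` is repository content and in CI may come from a branch the maintainers did not author. The `switch (visibility)` (lines 100–109) has no `default`, so any probe value outside the four known strings makes the function return `undefined` and callers fail on `.mode`; `default: return finalize(opts, 'committed-full', 'auto-unknown');` keeps the documented safe posture.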
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"modes.js","sourceRoot":"","sources":["../../src/baseline/modes.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkEG;;;AA4EH,kDAmBC;AA6BD,gDAaC;AAwBD,8CAEC;AAjKD,iDAAyC;AACzC,6CAAoD;AAQpD;;4DAE4D;AAC/C,QAAA,cAAc,GAAgC,MAAM,CAAC,MAAM,CAAC;IACvE,gBAAgB;IAChB,qBAAqB;IACrB,WAAW;CACZ,CAAC,CAAC;AAmDH;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAwB;IAC1D,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAClC,OAAO,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,IAAI,iCAAoB,CAAC;IAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;QACpD,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;QAC1D,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,eAAe,CAAC,CAAC;QAC3D,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC,IAAI,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,IAAwB,EAAE,IAAkB,EAAE,MAAkB;IAChF,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACjD,IAAI,IAAI,KAAK,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC/D,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,UAAU,CAAC,IAAwB;IAC1C,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,MAAM,CAAC;IACpC,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,IAAI,kBAAkB,CAAC;IACzD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC;AAC1C,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,wBAAQ,EAAC,2CAA2C,EAAE;YAChE,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,QAAQ,EAAE,OAAO;SAClB,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,+DAA+D;QAC/D,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAC9E
,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,IAAkB,EAAE,MAAkB;IAC5D,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,KAAK;YACR,OAAO,QAAQ,IAAI,gBAAgB,CAAC;QACtC,KAAK,QAAQ;YACX,OAAO,QAAQ,IAAI,sCAAsC,CAAC;QAC5D,KAAK,aAAa;YAChB,OAAO,QAAQ,IAAI,oCAAoC,CAAC;QAC1D,KAAK,cAAc;YACjB,OAAO,QAAQ,IAAI,qCAAqC,CAAC;QAC3D,KAAK,eAAe;YAClB,OAAO,QAAQ,IAAI,uCAAuC,CAAC;QAC7D,KAAK,cAAc;YACjB,OAAO,QAAQ,IAAI,0EAA0E,CAAC;IAClG,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,OAAQ,sBAAwC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,GAAoB,CAAC,CAAC,CAAC,IAAI,CAAC;AAChG,CAAC"}
|
|
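--- a/package/dist/baseline/policy.d.ts
+++ b/package/dist/baseline/policy.d.ts
@@ -22,7 +22,31 @@
 * Phase 3's baseline-metadata work can light them up incrementally
 * without re-shaping consumer code.
 */
+import type { BaselineMode } from './modes';
 import type { FindingSeverity, FindingStatus, MatchPair, MatchReason } from './types';
+/**
+* Optional `baseline.*` block in `.dxkit/policy.json`. Pins the
+* mode + (when ref-based) the comparison ref repo-wide so every
+* developer + every CI job uses the same posture. Both fields are
+* optional; when absent the resolver in `./modes.ts` falls back to
+* visibility-derived defaults.
+*
+* Schema example:
+*
+* {
+* "baseline": {
+* "mode": "ref-based",
+* "ref": "origin/main"
+* }
+* }
+*/
+export interface BaselineSection {
+readonly mode?: BaselineMode;
+/** Git ref to compare against in `ref-based` mode. When absent,
+* the resolver probes `origin/HEAD` and falls back to
+* `'origin/main'`. */
+readonly ref?: string;
+}
 /**
 * Per-finding-kind overrides that escalate specific guardrail rules
 * beyond the generic `block` / `warn` lists. Each rule maps to a
@@ -87,6 +111,21 @@ export interface BrownfieldPolicy {
 * diff overlap) via `.dxkit/policy.json`.
 */
 readonly addedRequiresChangedLines: ReadonlyArray<string>;
+/**
+* Baseline-mode pinning. When absent, the resolver in `./modes.ts`
+* falls back to visibility-derived defaults
+* (`'public'` → `ref-based`; `'private'` / `'internal'` /
+* `'unknown'` → `committed-full`). Customers pin this to lock the
+* posture across all developers + CI jobs:
+*
+* - `'committed-full'`: rich entries committed (default for
+* private repos with small teams).
+* - `'committed-sanitized'`: stripped entries committed
+* (compliance-conscious private repos).
+* - `'ref-based'`: no committed baseline; computed from a git
+* ref at check time (default for public repos).
+*/
+readonly baseline?: BaselineSection;
 }
 /**
 * Default brownfield policy. Captures the conservative posture from
@@ -168,4 +207,29 @@ export declare function classify(pair: MatchPair, policy?: BrownfieldPolicy, con
 * envelope to fill in the fields the classifier reads.
 */
 export declare function classifyAll(pairs: ReadonlyArray<MatchPair>, policy?: BrownfieldPolicy, contextFor?: (pair: MatchPair) => ClassifyContext): ReadonlyArray<ClassifyResult>;
+/** Conventional location for a per-repo brownfield policy. Loaded
+* automatically by `resolvePolicy` when present. */
+export declare const DEFAULT_POLICY_FILENAME: string;
+/**
+* Load a brownfield policy with the three-step resolution order
+* shared by `createBaseline` and `runGuardrailCheck`:
+*
+* 1. `policyPath` (explicit `--policy <p>` flag). Errors if the
+* path is supplied but unreadable / malformed.
+* 2. `<cwd>/.dxkit/policy.json` (conventional). Silently skipped
+* when absent so consumers without a policy get the defaults.
+* 3. `DEFAULT_BROWNFIELD_POLICY` (compiled-in fallback).
+*
+* Customer fields shallow-merge over the default. The
+* `confidence` / `blockRules` blocks deep-merge by key. Unknown
+* fields are preserved — the classifier ignores what it doesn't
+* know, so forward-compatible policy files don't break old dxkit.
+*/
+export declare function resolvePolicy(policyPath: string | undefined, cwd: string): BrownfieldPolicy;
+/**
+* Convenience wrapper for callers that don't take a `--policy`
+* override (e.g., `createBaseline`). Loads the conventional file if
+* present; returns defaults otherwise.
+*/
+export declare function loadPolicyFromCwd(cwd: string): BrownfieldPolicy;
 //# sourceMappingURL=policy.d.ts.map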
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/baseline/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC;IAC7B;;2BAEuB;IACvB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,kEAAkE;IAClE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,4DAA4D;IAC5D,QAAQ,CAAC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IACvC,iEAAiE;IACjE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,oEAAoE;IACpE,QAAQ,CAAC,kCAAkC,CAAC,EAAE,OAAO,CAAC;IACtD,mEAAmE;IACnE,QAAQ,CAAC,uCAAuC,CAAC,EAAE,OAAO,CAAC;IAC3D,qEAAqE;IACrE,QAAQ,CAAC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,mCAAmC,CAAC,EAAE,OAAO,CAAC;CACxD;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC7C,mDAAmD;IACnD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC5C;;;;;OAKG;IACH,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/D,uCAAuC;IACvC,QAAQ,CAAC,UAAU,EAAE,oBAAoB,CAAC;IAC1C;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,QAAQ,CAAC,yBAAyB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1D;;;;;;;;;;;;;OAaG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;CACrC;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,yBAAyB,EAAE,gBA0BtC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,sEAAsE;IACtE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB;;uEAEmE;IACnE,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IACzC;yEACqE;IACrE,QAAQ,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IACjC;;;yDAGqD;IACrD,QAAQ,CAAC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IACxC,iEAAiE;IACjE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,mDAAmD;AACnD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAC/B;wCACoC;IACpC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC;IACxB;kDAC8C;IAC9C,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC
;CAC9C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,QAAQ,CACtB,IAAI,EAAE,SAAS,EACf,MAAM,GAAE,gBAA4C,EACpD,OAAO,GAAE,eAAoB,GAC5B,cAAc,CAmEhB;AA0DD;;;;;;;GAOG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,EAC/B,MAAM,GAAE,gBAA4C,EACpD,UAAU,GAAE,CAAC,IAAI,EAAE,SAAS,KAAK,eAA4B,GAC5D,aAAa,CAAC,cAAc,CAAC,CAE/B;AAED;qDACqD;AACrD,eAAO,MAAM,uBAAuB,QAAqC,CAAC;AAE1E;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAkC3F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAE/D"}
|