@vyuhlabs/dxkit 2.5.2 → 2.7.0
- package/CHANGELOG.md +218 -13
- package/README.md +220 -369
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +3 -3
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +168 -6
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +106 -16
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +32 -11
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +5 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +5 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +5 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +5 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +5 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +5 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +79 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +6 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,
|
|
1
|
+
{"version":3,"file":"tests.js","sourceRoot":"","sources":["../../../src/baseline/producers/tests.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;AAkBH,8DAgCC;AAhDD,0DAAkD;AAQlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CAAC,MAAsB;IAC9D,MAAM,GAAG,GAAwB,EAAE,CAAC;IAEpC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,iEAAiE;QACjE,kEAAkE;QAClE,aAAa;QACb,IAAI,GAAG,CAAC,eAAe;YAAE,SAAS;QAClC,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ;YAAE,SAAS;QACrC,MAAM,KAAK,GAAqC;YAC9C,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,uBAAuB;YAC7B,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;SAClB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
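--- a/package/dist/baseline/ref-baseline.d.ts
+++ b/package/dist/baseline/ref-baseline.d.ts
@@ -0,0 +1,114 @@
+/**
+* Ref-based baseline gather — produces a `CurrentScan` for a git
+* ref by checking it out into a temporary worktree and running the
+* analyzer pipeline there.
+*
+* # When this runs
+*
+* `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
+* needs a "prior side" to diff against; in committed modes the
+* prior side comes from `.dxkit/baselines/<name>.json`, but in
+* ref-based mode no file is committed — the prior side is
+* recomputed on the fly from a git ref (default
+* `origin/<default-branch>`).
+*
+* # Mechanics
+*
+* 1. Resolve `ref` to a commit SHA. Failure here surfaces a
+* `RefBaselineError` with one of three actionable hints:
+* - Shallow clone → `git fetch --unshallow` / CI fetch-depth
+* - Ref doesn't exist → `git fetch origin` or fix policy
+* - Local-only ref → push it or use a remote-tracking ref
+* 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
+* full checkout of the source tree at that SHA — but NOT a
+* package-manager install, so dep-vuln scanners that read
+* `node_modules` directly will see degraded results. The
+* dxkit dep scanners use lockfiles (`package-lock.json`,
+* `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
+* survives the gap.
+* 3. Run `gatherCurrentScan` against the worktree directory. Same
+* pipeline as the live current scan — same producer registry,
+* same envelope shape — so the matcher diffs apples-to-apples.
+* 4. Clean up the worktree on the way out (try/finally).
+*
+* # Why a generic `withRefWorktree` helper
+*
+* The worktree setup + cleanup pattern is reusable. Future modes-
+* aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
+* subcommand) can compose `withRefWorktree` directly instead of
+* re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
+* thin specialization for the guardrail-check use case.
+*
+* # Failure semantics
+*
+* Recoverable failures (ref unreachable, worktree-add fails) throw
+* `RefBaselineError` with a `hint` field the CLI renders in plain
+* prose. Unrecoverable failures (the gather pipeline itself
+* crashes) propagate up the original Error subclass — they're not
+* specific to ref-based mode and live with the existing error
+* handling in the orchestrator.
+*/
+import type { CurrentScan } from './create';
+/**
+* Recoverable error from the ref-based gather path. Carries an
+* actionable `hint` the CLI surfaces verbatim so customers don't
+* have to interpret raw git output. Inherits from `Error` so
+* existing catch-by-Error code keeps working.
+*/
+export declare class RefBaselineError extends Error {
+readonly hint: string;
+constructor(message: string, hint: string);
+}
+export interface RefWorktreeOptions {
+readonly cwd: string;
+readonly ref: string;
+}
+/**
+* Resolve a ref to a commit SHA via `git rev-parse --verify
+* <ref>^{commit}`. Returns null when the ref isn't reachable (the
+* caller surfaces the appropriate hint based on shallow-clone /
+* remote-only state).
+*/
+export declare function resolveRefToSha(cwd: string, ref: string): string | null;
+/**
+* Whether the current working tree was cloned shallowly. Drives
+* the hint surfaced when a ref isn't reachable: a CI clone with
+* `fetch-depth: 1` won't have the baseline ref's history, and the
+* fix is `fetch-depth: 0`, not pushing the missing ref.
+*/
+export declare function isShallowRepo(cwd: string): boolean;
+/**
+* Check out `ref` into a temporary worktree, run `fn` with the
+* worktree path, and tear down the worktree on the way out.
+*
+* Always cleans up — even when `fn` throws. The cleanup tolerates
+* `git worktree remove` failures (e.g., dirty worktree from a
+* partial gather) by falling back to `rm -rf` on the temp dir.
+*/
+export declare function withRefWorktree<T>(opts: RefWorktreeOptions, fn: (worktreePath: string) => Promise<T>): Promise<T>;
+/**
+* Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
+* Public for testing — production callers reach this through
+* `withRefWorktree`. The directory is created on demand; absent
+* source files are silently skipped (env-var + deterministic salt
+* modes both work without the file).
+*/
+export declare function mirrorSaltFile(srcCwd: string, dstCwd: string): void;
+/**
+* Run `gatherCurrentScan` against a temporary worktree checked out
+* to `ref`. Returns the same shape as a live gather — the matcher
+* doesn't care which side was the worktree, only that both sides
+* are `CurrentScan` envelopes.
+*
+* Per-tool degradation note: dep-vuln scanners may report less
+* coverage in the worktree because `node_modules` (and analogous
+* install artifacts) are typically gitignored and so don't exist
+* in the worktree. The lockfile-driven scanners dxkit prefers
+* survive the gap; `npm audit`-style probes do not.
+*/
+export declare function gatherFromRef(opts: {
+readonly cwd: string;
+readonly ref: string;
+readonly verbose?: boolean;
+}): Promise<CurrentScan>;
+//# sourceMappingURL=ref-baseline.d.ts.map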
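Review bot: The doc comment on `mirrorSaltFile` (declaration lines 89–96) does not say that the file it copies is key material, even though the function is exported and accepts any `dstCwd`. The implementation comment in ref-baseline.js says the salt is mirrored so that secret-HMAC entries pair across the prior and current sides, so a copy left in a shared or long-lived directory would presumably weaken those HMACs. I would add a sentence such as `Treat the copy as a secret: dstCwd must be a private directory owned by the caller and removed after use.` It may also be worth documenting whether an existing `.dxkit` entry in the checked-out tree (for example a symlink) is followed when the directory is "created on demand", since the declaration gives no hint either way.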
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ref-baseline.d.ts","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAOH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE5C;;;;;GAKG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAK1C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAWlD;AAqBD;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,CAAC,EACrC,IAAI,EAAE,kBAAkB,EACxB,EAAE,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GACvC,OAAO,CAAC,CAAC,CAAC,CAuDZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAMnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;CAC5B,GAAG,OAAO,CAAC,WAAW,CAAC,CAIvB"}
|
|
@@ -0,0 +1,260 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Ref-based baseline gather — produces a `CurrentScan` for a git
|
|
4
|
+
* ref by checking it out into a temporary worktree and running the
|
|
5
|
+
* analyzer pipeline there.
|
|
6
|
+
*
|
|
7
|
+
* # When this runs
|
|
8
|
+
*
|
|
9
|
+
* `mode === 'ref-based'` (see `./modes.ts`). The guardrail check
|
|
10
|
+
* needs a "prior side" to diff against; in committed modes the
|
|
11
|
+
* prior side comes from `.dxkit/baselines/<name>.json`, but in
|
|
12
|
+
* ref-based mode no file is committed — the prior side is
|
|
13
|
+
* recomputed on the fly from a git ref (default
|
|
14
|
+
* `origin/<default-branch>`).
|
|
15
|
+
*
|
|
16
|
+
* # Mechanics
|
|
17
|
+
*
|
|
18
|
+
* 1. Resolve `ref` to a commit SHA. Failure here surfaces a
|
|
19
|
+
* `RefBaselineError` with one of three actionable hints:
|
|
20
|
+
* - Shallow clone → `git fetch --unshallow` / CI fetch-depth
|
|
21
|
+
* - Ref doesn't exist → `git fetch origin` or fix policy
|
|
22
|
+
* - Local-only ref → push it or use a remote-tracking ref
|
|
23
|
+
* 2. `git worktree add --detach <tempDir> <sha>`. The worktree is a
|
|
24
|
+
* full checkout of the source tree at that SHA — but NOT a
|
|
25
|
+
* package-manager install, so dep-vuln scanners that read
|
|
26
|
+
* `node_modules` directly will see degraded results. The
|
|
27
|
+
* dxkit dep scanners use lockfiles (`package-lock.json`,
|
|
28
|
+
* `Pipfile.lock`, etc.) which ARE in the worktree, so coverage
|
|
29
|
+
* survives the gap.
|
|
30
|
+
* 3. Run `gatherCurrentScan` against the worktree directory. Same
|
|
31
|
+
* pipeline as the live current scan — same producer registry,
|
|
32
|
+
* same envelope shape — so the matcher diffs apples-to-apples.
|
|
33
|
+
* 4. Clean up the worktree on the way out (try/finally).
|
|
34
|
+
*
|
|
35
|
+
* # Why a generic `withRefWorktree` helper
|
|
36
|
+
*
|
|
37
|
+
* The worktree setup + cleanup pattern is reusable. Future modes-
|
|
38
|
+
* aware tooling (e.g., a `vyuh-dxkit baseline diff <refA> <refB>`
|
|
39
|
+
* subcommand) can compose `withRefWorktree` directly instead of
|
|
40
|
+
* re-deriving the temp-dir + cleanup dance. `gatherFromRef` is a
|
|
41
|
+
* thin specialization for the guardrail-check use case.
|
|
42
|
+
*
|
|
43
|
+
* # Failure semantics
|
|
44
|
+
*
|
|
45
|
+
* Recoverable failures (ref unreachable, worktree-add fails) throw
|
|
46
|
+
* `RefBaselineError` with a `hint` field the CLI renders in plain
|
|
47
|
+
* prose. Unrecoverable failures (the gather pipeline itself
|
|
48
|
+
* crashes) propagate up the original Error subclass — they're not
|
|
49
|
+
* specific to ref-based mode and live with the existing error
|
|
50
|
+
* handling in the orchestrator.
|
|
51
|
+
*/
|
|
52
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
53
|
+
if (k2 === undefined) k2 = k;
|
|
54
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
55
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
56
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
57
|
+
}
|
|
58
|
+
Object.defineProperty(o, k2, desc);
|
|
59
|
+
}) : (function(o, m, k, k2) {
|
|
60
|
+
if (k2 === undefined) k2 = k;
|
|
61
|
+
o[k2] = m[k];
|
|
62
|
+
}));
|
|
63
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
64
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
65
|
+
}) : function(o, v) {
|
|
66
|
+
o["default"] = v;
|
|
67
|
+
});
|
|
68
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
69
|
+
var ownKeys = function(o) {
|
|
70
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
71
|
+
var ar = [];
|
|
72
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
73
|
+
return ar;
|
|
74
|
+
};
|
|
75
|
+
return ownKeys(o);
|
|
76
|
+
};
|
|
77
|
+
return function (mod) {
|
|
78
|
+
if (mod && mod.__esModule) return mod;
|
|
79
|
+
var result = {};
|
|
80
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
81
|
+
__setModuleDefault(result, mod);
|
|
82
|
+
return result;
|
|
83
|
+
};
|
|
84
|
+
})();
|
|
85
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
86
|
+
exports.RefBaselineError = void 0;
|
|
87
|
+
exports.resolveRefToSha = resolveRefToSha;
|
|
88
|
+
exports.isShallowRepo = isShallowRepo;
|
|
89
|
+
exports.withRefWorktree = withRefWorktree;
|
|
90
|
+
exports.mirrorSaltFile = mirrorSaltFile;
|
|
91
|
+
exports.gatherFromRef = gatherFromRef;
|
|
92
|
+
const child_process_1 = require("child_process");
|
|
93
|
+
const fs_1 = require("fs");
|
|
94
|
+
const os_1 = require("os");
|
|
95
|
+
const path = __importStar(require("path"));
|
|
96
|
+
const create_1 = require("./create");
|
|
97
|
+
/**
|
|
98
|
+
* Recoverable error from the ref-based gather path. Carries an
|
|
99
|
+
* actionable `hint` the CLI surfaces verbatim so customers don't
|
|
100
|
+
* have to interpret raw git output. Inherits from `Error` so
|
|
101
|
+
* existing catch-by-Error code keeps working.
|
|
102
|
+
*/
|
|
103
|
+
class RefBaselineError extends Error {
|
|
104
|
+
hint;
|
|
105
|
+
constructor(message, hint) {
|
|
106
|
+
super(message);
|
|
107
|
+
this.name = 'RefBaselineError';
|
|
108
|
+
this.hint = hint;
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
exports.RefBaselineError = RefBaselineError;
|
|
112
|
+
/**
|
|
113
|
+
* Resolve a ref to a commit SHA via `git rev-parse --verify
|
|
114
|
+
* <ref>^{commit}`. Returns null when the ref isn't reachable (the
|
|
115
|
+
* caller surfaces the appropriate hint based on shallow-clone /
|
|
116
|
+
* remote-only state).
|
|
117
|
+
*/
|
|
118
|
+
function resolveRefToSha(cwd, ref) {
|
|
119
|
+
try {
|
|
120
|
+
const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--verify', `${ref}^{commit}`], {
|
|
121
|
+
cwd,
|
|
122
|
+
encoding: 'utf-8',
|
|
123
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
124
|
+
}).trim();
|
|
125
|
+
return out || null;
|
|
126
|
+
}
|
|
127
|
+
catch {
|
|
128
|
+
return null;
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
/**
|
|
132
|
+
* Whether the current working tree was cloned shallowly. Drives
|
|
133
|
+
* the hint surfaced when a ref isn't reachable: a CI clone with
|
|
134
|
+
* `fetch-depth: 1` won't have the baseline ref's history, and the
|
|
135
|
+
* fix is `fetch-depth: 0`, not pushing the missing ref.
|
|
136
|
+
*/
|
|
137
|
+
function isShallowRepo(cwd) {
|
|
138
|
+
try {
|
|
139
|
+
const out = (0, child_process_1.execFileSync)('git', ['rev-parse', '--is-shallow-repository'], {
|
|
140
|
+
cwd,
|
|
141
|
+
encoding: 'utf-8',
|
|
142
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
143
|
+
}).trim();
|
|
144
|
+
return out === 'true';
|
|
145
|
+
}
|
|
146
|
+
catch {
|
|
147
|
+
return false;
|
|
148
|
+
}
|
|
149
|
+
}
|
|
150
|
+
/**
|
|
151
|
+
* Build the right `RefBaselineError` for an unreachable ref. The
|
|
152
|
+
* hint is the actionable next step, not a tautology — shallow
|
|
153
|
+
* clones get fetch-depth advice, otherwise we suggest configuring
|
|
154
|
+
* a different ref.
|
|
155
|
+
*/
|
|
156
|
+
function unreachableRefError(cwd, ref) {
|
|
157
|
+
if (isShallowRepo(cwd)) {
|
|
158
|
+
return new RefBaselineError(`Cannot resolve baseline ref ${ref}: this is a shallow clone.`, 'Run `git fetch --unshallow` locally, or set `fetch-depth: 0` in your CI checkout step.');
|
|
159
|
+
}
|
|
160
|
+
return new RefBaselineError(`Cannot resolve baseline ref ${ref}.`, `Run \`git fetch origin\`, push the ref upstream, or set \`baseline.ref\` in .dxkit/policy.json to an existing ref.`);
|
|
161
|
+
}
|
|
162
|
+
/**
|
|
163
|
+
* Check out `ref` into a temporary worktree, run `fn` with the
|
|
164
|
+
* worktree path, and tear down the worktree on the way out.
|
|
165
|
+
*
|
|
166
|
+
* Always cleans up — even when `fn` throws. The cleanup tolerates
|
|
167
|
+
* `git worktree remove` failures (e.g., dirty worktree from a
|
|
168
|
+
* partial gather) by falling back to `rm -rf` on the temp dir.
|
|
169
|
+
*/
|
|
170
|
+
async function withRefWorktree(opts, fn) {
|
|
171
|
+
const sha = resolveRefToSha(opts.cwd, opts.ref);
|
|
172
|
+
if (sha === null)
|
|
173
|
+
throw unreachableRefError(opts.cwd, opts.ref);
|
|
174
|
+
// mkdtempSync returns an empty dir; git worktree add wants the
|
|
175
|
+
// target path NOT to exist (or to be empty). Use a fresh subdir
|
|
176
|
+
// inside the temp parent so git creates it cleanly.
|
|
177
|
+
const tempBase = (0, fs_1.mkdtempSync)(path.join((0, os_1.tmpdir)(), 'dxkit-ref-'));
|
|
178
|
+
const worktreePath = path.join(tempBase, 'baseline');
|
|
179
|
+
let worktreeAdded = false;
|
|
180
|
+
try {
|
|
181
|
+
(0, child_process_1.execFileSync)('git', ['worktree', 'add', '--detach', worktreePath, sha], {
|
|
182
|
+
cwd: opts.cwd,
|
|
183
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
184
|
+
});
|
|
185
|
+
worktreeAdded = true;
|
|
186
|
+
// Mirror file-mode salt into the worktree so secret-HMAC entries
|
|
187
|
+
// pair across prior/current sides. Env-var + deterministic modes
|
|
188
|
+
// resolve identically across cwd + worktree (env inheritance +
|
|
189
|
+
// shared initial-commit SHA); file mode is the one that drifts
|
|
190
|
+
// because `.dxkit/salt` is gitignored and so isn't part of the
|
|
191
|
+
// checkout. The copy is no-op when the file doesn't exist.
|
|
192
|
+
mirrorSaltFile(opts.cwd, worktreePath);
|
|
193
|
+
return await fn(worktreePath);
|
|
194
|
+
}
|
|
195
|
+
catch (err) {
|
|
196
|
+
if (err instanceof RefBaselineError)
|
|
197
|
+
throw err;
|
|
198
|
+
if (!worktreeAdded) {
|
|
199
|
+
// The worktree-add itself failed. Surface a clean error
|
|
200
|
+
// instead of bubbling the raw stderr.
|
|
201
|
+
throw new RefBaselineError(`Failed to set up baseline worktree at ${opts.ref}.`, `Check that 'git worktree' is available and that ${tempBase} is writable.`);
|
|
202
|
+
}
|
|
203
|
+
throw err;
|
|
204
|
+
}
|
|
205
|
+
finally {
|
|
206
|
+
if (worktreeAdded) {
|
|
207
|
+
try {
|
|
208
|
+
(0, child_process_1.execFileSync)('git', ['worktree', 'remove', '--force', worktreePath], {
|
|
209
|
+
cwd: opts.cwd,
|
|
210
|
+
stdio: ['ignore', 'pipe', 'pipe'],
|
|
211
|
+
});
|
|
212
|
+
}
|
|
213
|
+
catch {
|
|
214
|
+
// git worktree remove can fail if the worktree dir was
|
|
215
|
+
// already cleaned externally. The rmSync below recovers.
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
try {
|
|
219
|
+
(0, fs_1.rmSync)(tempBase, { recursive: true, force: true });
|
|
220
|
+
}
|
|
221
|
+
catch {
|
|
222
|
+
// Best-effort cleanup of the temp parent. A stale temp dir
|
|
223
|
+
// is preferable to surfacing a misleading error if the gather
|
|
224
|
+
// already succeeded.
|
|
225
|
+
}
|
|
226
|
+
}
|
|
227
|
+
}
|
|
228
|
+
/**
|
|
229
|
+
* Copy `.dxkit/salt` from `srcCwd` into `dstCwd` when present.
|
|
230
|
+
* Public for testing — production callers reach this through
|
|
231
|
+
* `withRefWorktree`. The directory is created on demand; absent
|
|
232
|
+
* source files are silently skipped (env-var + deterministic salt
|
|
233
|
+
* modes both work without the file).
|
|
234
|
+
*/
|
|
235
|
+
function mirrorSaltFile(srcCwd, dstCwd) {
|
|
236
|
+
const src = path.join(srcCwd, '.dxkit', 'salt');
|
|
237
|
+
if (!(0, fs_1.existsSync)(src))
|
|
238
|
+
return;
|
|
239
|
+
const dstDir = path.join(dstCwd, '.dxkit');
|
|
240
|
+
(0, fs_1.mkdirSync)(dstDir, { recursive: true });
|
|
241
|
+
(0, fs_1.copyFileSync)(src, path.join(dstDir, 'salt'));
|
|
242
|
+
}
|
|
243
|
+
/**
|
|
244
|
+
* Run `gatherCurrentScan` against a temporary worktree checked out
|
|
245
|
+
* to `ref`. Returns the same shape as a live gather — the matcher
|
|
246
|
+
* doesn't care which side was the worktree, only that both sides
|
|
247
|
+
* are `CurrentScan` envelopes.
|
|
248
|
+
*
|
|
249
|
+
* Per-tool degradation note: dep-vuln scanners may report less
|
|
250
|
+
* coverage in the worktree because `node_modules` (and analogous
|
|
251
|
+
* install artifacts) are typically gitignored and so don't exist
|
|
252
|
+
* in the worktree. The lockfile-driven scanners dxkit prefers
|
|
253
|
+
* survive the gap; `npm audit`-style probes do not.
|
|
254
|
+
*/
|
|
255
|
+
async function gatherFromRef(opts) {
|
|
256
|
+
return withRefWorktree({ cwd: opts.cwd, ref: opts.ref }, async (worktreePath) => {
|
|
257
|
+
return (0, create_1.gatherCurrentScan)({ cwd: worktreePath, verbose: opts.verbose });
|
|
258
|
+
});
|
|
259
|
+
}
|
|
260
|
+
//# sourceMappingURL=ref-baseline.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ref-baseline.js","sourceRoot":"","sources":["../../src/baseline/ref-baseline.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCH,0CAWC;AAQD,sCAWC;AA6BD,0CA0DC;AASD,wCAMC;AAcD,sCAQC;AA3LD,iDAA6C;AAC7C,2BAA8E;AAC9E,2BAA4B;AAC5B,2CAA6B;AAC7B,qCAA6C;AAG7C;;;;;GAKG;AACH,MAAa,gBAAiB,SAAQ,KAAK;IAChC,IAAI,CAAS;IACtB,YAAY,OAAe,EAAE,IAAY;QACvC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAPD,4CAOC;AAOD;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,GAAW,EAAE,GAAW;IACtD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,GAAG,WAAW,CAAC,EAAE;YAC5E,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,WAAW,EAAE,yBAAyB,CAAC,EAAE;YACxE,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,GAAG,KAAK,MAAM,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,GAAW,EAAE,GAAW;IACnD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,4BAA4B,EAC9D,wFAAwF,CACzF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,gBAAgB,CACzB,+BAA+B,GAAG,GAAG,EACrC,oHAAoH,CACrH,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,IAAwB,EACxB,EAAwC;IAExC,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,IAAI,GAAG,KAAK,IAAI;QAAE,MAAM,mBAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAEhE,+DAA+D;IAC/D,gEAAgE;IAChE,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAA,gBAAW,EAAC,IAAI,CAAC,IAAI,CAAC,IAAA,WAAM,GAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IACrD,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,C
AAC;QACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,EAAE;YACtE,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QACH,aAAa,GAAG,IAAI,CAAC;QACrB,iEAAiE;QACjE,iEAAiE;QACjE,+DAA+D;QAC/D,+DAA+D;QAC/D,+DAA+D;QAC/D,2DAA2D;QAC3D,cAAc,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;QACvC,OAAO,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,gBAAgB;YAAE,MAAM,GAAG,CAAC;QAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,wDAAwD;YACxD,sCAAsC;YACtC,MAAM,IAAI,gBAAgB,CACxB,yCAAyC,IAAI,CAAC,GAAG,GAAG,EACpD,mDAAmD,QAAQ,eAAe,CAC3E,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,IAAA,4BAAY,EAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,EAAE;oBACnE,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;iBAClC,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,yDAAyD;YAC3D,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,IAAA,WAAM,EAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,8DAA8D;YAC9D,qBAAqB;QACvB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAAC,MAAc,EAAE,MAAc;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC;QAAE,OAAO;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3C,IAAA,cAAS,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,IAAA,iBAAY,EAAC,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,aAAa,CAAC,IAInC;IACC,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE;QAC9E,OAAO,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Baseline sanitization — pure transformation that strips every
|
|
3
|
+
* non-identity field from a `BaselineEntry`, producing a
|
|
4
|
+
* `SanitizedBaselineEntry` carrying only `id`, `kind`, and the
|
|
5
|
+
* `sanitized: true` discriminant.
|
|
6
|
+
*
|
|
7
|
+
* # Why sanitization exists
|
|
8
|
+
*
|
|
9
|
+
* A committed-to-git baseline carries human-readable metadata that
|
|
10
|
+
* can leak useful intelligence to anyone with read access to the
|
|
11
|
+
* repo:
|
|
12
|
+
*
|
|
13
|
+
* - `secret` / `code` / `config` findings disclose the exact file
|
|
14
|
+
* path + line + rule that flagged them — an attacker reading the
|
|
15
|
+
* baseline knows where to grep history for the leaked credential
|
|
16
|
+
* or which insecure call site to inspect first.
|
|
17
|
+
* - `dep-vuln` findings disclose private package names + installed
|
|
18
|
+
* versions + advisory ids — discloses internal repo structure
|
|
19
|
+
* and which CVEs the codebase is currently vulnerable to.
|
|
20
|
+
* - File paths in any source-anchored kind disclose repo layout
|
|
21
|
+
* (module boundaries, internal naming conventions).
|
|
22
|
+
*
|
|
23
|
+
* The sanitization pass collapses every entry to identity-only.
|
|
24
|
+
* What's lost:
|
|
25
|
+
* - The matcher's location-pair pass (no `file` / `line` to
|
|
26
|
+
* compare across runs); the matcher falls back to identity-
|
|
27
|
+
* multiset matching, which still works at full confidence for
|
|
28
|
+
* exact-byte-equality matches.
|
|
29
|
+
* - The renderer's ability to surface human-readable locators.
|
|
30
|
+
* `baseline show` collapses to `<sanitized>` for the locator
|
|
31
|
+
* string.
|
|
32
|
+
*
|
|
33
|
+
* What's preserved:
|
|
34
|
+
* - The 16-char fingerprint `id`. Cross-run matching works.
|
|
35
|
+
* - The `kind` discriminant. Severity defaults + classifier
|
|
36
|
+
* behavior work.
|
|
37
|
+
* - The full envelope metadata (createdAt, commitSha, tools,
|
|
38
|
+
* analysis hashes) — none of those carry per-finding sensitive
|
|
39
|
+
* content.
|
|
40
|
+
*
|
|
41
|
+
* # Public-repo + private-repo posture
|
|
42
|
+
*
|
|
43
|
+
* The two modes that consume sanitization (selected in a later
|
|
44
|
+
* commit alongside the visibility-aware mode picker):
|
|
45
|
+
* - `committed-full` — store rich entries; default on private
|
|
46
|
+
* repos with small teams.
|
|
47
|
+
* - `committed-sanitized` — strip every entry via `sanitizeFile`;
|
|
48
|
+
* default on public repos and on private repos with
|
|
49
|
+
* compliance-conscious posture.
|
|
50
|
+
*
|
|
51
|
+
* Pure module — no I/O. The write path applies the transformation
|
|
52
|
+
* before serializing; the read path observes the `sanitized: true`
|
|
53
|
+
* field on each entry and routes consumers accordingly.
|
|
54
|
+
*/
|
|
55
|
+
import type { BaselineEntry, SanitizedBaselineEntry } from './types';
|
|
56
|
+
import type { BaselineFile } from './baseline-file';
|
|
57
|
+
/**
|
|
58
|
+
* Type guard: distinguishes a stripped entry from a rich one.
|
|
59
|
+
* Consumers walking a `BaselineEntry` exhaustively call this first
|
|
60
|
+
* so the rest of their switch narrows to the rich union and stays
|
|
61
|
+
* type-safe.
|
|
62
|
+
*/
|
|
63
|
+
export declare function isSanitized(entry: BaselineEntry): entry is SanitizedBaselineEntry;
|
|
64
|
+
/**
|
|
65
|
+
* Strip every non-identity field from a single entry. Already-
|
|
66
|
+
* sanitized entries pass through unchanged. `kind` is preserved
|
|
67
|
+
* verbatim; readers can still partition the baseline by kind for
|
|
68
|
+
* count reporting + per-kind severity defaults.
|
|
69
|
+
*/
|
|
70
|
+
export declare function sanitizeEntry(entry: BaselineEntry): SanitizedBaselineEntry;
|
|
71
|
+
/**
|
|
72
|
+
* Apply `sanitizeEntry` to every finding in a baseline file. The
|
|
73
|
+
* envelope (repo, analysis, tools, saltMode, createdAt, etc.)
|
|
74
|
+
* passes through unchanged — none of those fields carry per-finding
|
|
75
|
+
* sensitive content. The resulting file is byte-stable across
|
|
76
|
+
* repeated sanitizations: a sanitized file sanitized again returns
|
|
77
|
+
* an identity-equal file.
|
|
78
|
+
*/
|
|
79
|
+
export declare function sanitizeFile(file: BaselineFile): BaselineFile;
|
|
80
|
+
//# sourceMappingURL=sanitize.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/baseline/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAC;AACrE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,aAAa,GAAG,KAAK,IAAI,sBAAsB,CAEjF;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,aAAa,GAAG,sBAAsB,CAG1E;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,GAAG,YAAY,CAE7D"}
|
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Baseline sanitization — pure transformation that strips every
|
|
4
|
+
* non-identity field from a `BaselineEntry`, producing a
|
|
5
|
+
* `SanitizedBaselineEntry` carrying only `id`, `kind`, and the
|
|
6
|
+
* `sanitized: true` discriminant.
|
|
7
|
+
*
|
|
8
|
+
* # Why sanitization exists
|
|
9
|
+
*
|
|
10
|
+
* A committed-to-git baseline carries human-readable metadata that
|
|
11
|
+
* can leak useful intelligence to anyone with read access to the
|
|
12
|
+
* repo:
|
|
13
|
+
*
|
|
14
|
+
* - `secret` / `code` / `config` findings disclose the exact file
|
|
15
|
+
* path + line + rule that flagged them — an attacker reading the
|
|
16
|
+
* baseline knows where to grep history for the leaked credential
|
|
17
|
+
* or which insecure call site to inspect first.
|
|
18
|
+
* - `dep-vuln` findings disclose private package names + installed
|
|
19
|
+
* versions + advisory ids — discloses internal repo structure
|
|
20
|
+
* and which CVEs the codebase is currently vulnerable to.
|
|
21
|
+
* - File paths in any source-anchored kind disclose repo layout
|
|
22
|
+
* (module boundaries, internal naming conventions).
|
|
23
|
+
*
|
|
24
|
+
* The sanitization pass collapses every entry to identity-only.
|
|
25
|
+
* What's lost:
|
|
26
|
+
* - The matcher's location-pair pass (no `file` / `line` to
|
|
27
|
+
* compare across runs); the matcher falls back to identity-
|
|
28
|
+
* multiset matching, which still works at full confidence for
|
|
29
|
+
* exact-byte-equality matches.
|
|
30
|
+
* - The renderer's ability to surface human-readable locators.
|
|
31
|
+
* `baseline show` collapses to `<sanitized>` for the locator
|
|
32
|
+
* string.
|
|
33
|
+
*
|
|
34
|
+
* What's preserved:
|
|
35
|
+
* - The 16-char fingerprint `id`. Cross-run matching works.
|
|
36
|
+
* - The `kind` discriminant. Severity defaults + classifier
|
|
37
|
+
* behavior work.
|
|
38
|
+
* - The full envelope metadata (createdAt, commitSha, tools,
|
|
39
|
+
* analysis hashes) — none of those carry per-finding sensitive
|
|
40
|
+
* content.
|
|
41
|
+
*
|
|
42
|
+
* # Public-repo + private-repo posture
|
|
43
|
+
*
|
|
44
|
+
* The two modes that consume sanitization (selected in a later
|
|
45
|
+
* commit alongside the visibility-aware mode picker):
|
|
46
|
+
* - `committed-full` — store rich entries; default on private
|
|
47
|
+
* repos with small teams.
|
|
48
|
+
* - `committed-sanitized` — strip every entry via `sanitizeFile`;
|
|
49
|
+
* default on public repos and on private repos with
|
|
50
|
+
* compliance-conscious posture.
|
|
51
|
+
*
|
|
52
|
+
* Pure module — no I/O. The write path applies the transformation
|
|
53
|
+
* before serializing; the read path observes the `sanitized: true`
|
|
54
|
+
* field on each entry and routes consumers accordingly.
|
|
55
|
+
*/
|
|
56
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
57
|
+
exports.isSanitized = isSanitized;
|
|
58
|
+
exports.sanitizeEntry = sanitizeEntry;
|
|
59
|
+
exports.sanitizeFile = sanitizeFile;
|
|
60
|
+
/**
|
|
61
|
+
* Type guard: distinguishes a stripped entry from a rich one.
|
|
62
|
+
* Consumers walking a `BaselineEntry` exhaustively call this first
|
|
63
|
+
* so the rest of their switch narrows to the rich union and stays
|
|
64
|
+
* type-safe.
|
|
65
|
+
*/
|
|
66
|
+
function isSanitized(entry) {
|
|
67
|
+
return entry.sanitized === true;
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* Strip every non-identity field from a single entry. Already-
|
|
71
|
+
* sanitized entries pass through unchanged. `kind` is preserved
|
|
72
|
+
* verbatim; readers can still partition the baseline by kind for
|
|
73
|
+
* count reporting + per-kind severity defaults.
|
|
74
|
+
*/
|
|
75
|
+
function sanitizeEntry(entry) {
|
|
76
|
+
if (isSanitized(entry))
|
|
77
|
+
return entry;
|
|
78
|
+
return { id: entry.id, kind: entry.kind, sanitized: true };
|
|
79
|
+
}
|
|
80
|
+
/**
|
|
81
|
+
* Apply `sanitizeEntry` to every finding in a baseline file. The
|
|
82
|
+
* envelope (repo, analysis, tools, saltMode, createdAt, etc.)
|
|
83
|
+
* passes through unchanged — none of those fields carry per-finding
|
|
84
|
+
* sensitive content. The resulting file is byte-stable across
|
|
85
|
+
* repeated sanitizations: a sanitized file sanitized again returns
|
|
86
|
+
* an identity-equal file.
|
|
87
|
+
*/
|
|
88
|
+
function sanitizeFile(file) {
|
|
89
|
+
return { ...file, findings: file.findings.map(sanitizeEntry) };
|
|
90
|
+
}
|
|
91
|
+
//# sourceMappingURL=sanitize.js.map
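Review bot: `sanitizeEntry` returns any entry whose `sanitized` flag is already `true` without re-projecting it, so an entry that carries the flag but still has `file`, `line` or other rich fields (a hand-edited baseline, a merge of rich and sanitized files, or a writer bug) passes through `sanitizeFile` with those fields intact. The header comment says a committed baseline should disclose only `id` and `kind`, so I would drop the early return and always build the projection: `return { id: entry.id, kind: entry.kind, sanitized: true };`. Repeated sanitization stays value-stable, which is what the `sanitizeFile` doc comment promises. Separately, the header comment could state what the retained 16-char `id` is derived from; if it is an unsalted hash of path and rule it would remain guessable for a known repo layout, but that derivation is not visible in this file.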
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/baseline/sanitize.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;;AAWH,kCAEC;AAQD,sCAGC;AAUD,oCAEC;AA/BD;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,KAAoB;IAC9C,OAAQ,KAAiC,CAAC,SAAS,KAAK,IAAI,CAAC;AAC/D,CAAC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAAC,KAAoB;IAChD,IAAI,WAAW,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,YAAY,CAAC,IAAkB;IAC7C,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;AACjE,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"show.d.ts","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"show.d.ts","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAG,wBAAiC,CAAC;AAEtE;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,aAAa,CAAC,aAAa,CAAC,MAAM,CAAC,CAc5D,CAAC;AAEH;;mCAEmC;AACnC,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,GAAG,IAAI,CAIzE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,YAAY,GAAG,MAAM,CA6BxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAkBlF;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,YAAY,EAClB,OAAO,GAAE;IAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CAAO,GACtD;IACD,QAAQ,CAAC,MAAM,EAAE,OAAO,oBAAoB,CAAC;IAC7C,QAAQ,CAAC,MAAM,EAAE;QAAE,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;IACjE,QAAQ,CAAC,QAAQ,EAAE,YAAY,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;KAC3E,CAAC;CACH,CAcA"}
|
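--- a/package/dist/baseline/show.js
+++ b/package/dist/baseline/show.js
@@ -61,6 +61,7 @@ exports.renderSummary = renderSummary;
 exports.renderKind = renderKind;
 exports.renderJson = renderJson;
 const logger = __importStar(require("../logger"));
+const sanitize_1 = require("./sanitize");
 /**
 * JSON schema banner for the `baseline show --json` envelope.
 * Distinct from the raw `schemaVersion: 'dxkit-baseline/v1'` field
@@ -82,7 +83,6 @@ exports.FILTER_KINDS = Object.freeze([
 'coverage-gap',
 'test-gap',
 'hygiene',
-'license',
 'test-file-degradation',
 'god-file',
 'stale-file',
@@ -193,8 +193,14 @@ function countByKind(entries) {
 * Kind-specific fields drive the format so a reader sees the
 * meaningful axis (file:line for source-anchored kinds,
 * package@version+advisory for dep-vulns, etc.).
+*
+* Sanitized entries carry only identity + kind; renderer surfaces
+* `<sanitized>` so the user knows location detail was stripped at
+* write time. The fingerprint prefix still anchors the row.
 */
 function describeEntry(entry) {
+if ((0, sanitize_1.isSanitized)(entry))
+return '<sanitized>';
 switch (entry.kind) {
 case 'secret':
 case 'code':
@@ -212,8 +218,6 @@ function describeEntry(entry) {
 : `${entry.file}:${entry.lineRange?.[0] ?? '?'}-${entry.lineRange?.[1] ?? '?'}`;
 case 'test-gap':
 return `${entry.file} [risk: ${entry.risk}]`;
-case 'license':
-return `${entry.package}@${entry.version} [${entry.licenseType}]`;
 case 'test-file-degradation':
 return `${entry.file} [${entry.status}]`;
 case 'god-file':
@@ -223,6 +227,8 @@ function describeEntry(entry) {
 return `${entry.file} [.${entry.suffix}]`;
 case 'secret-hmac':
 return `[${entry.tool}/${entry.rule}] hmac:${entry.hmac.slice(0, 12)}`;
+case 'stale-allow':
+return `${entry.file}:${entry.line} [stale dxkit-allow:${entry.category}]`;
 }
 }
 function shortSha(sha) {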
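Review bot: With the `'license'` arm removed from `describeEntry` and no `default` arm visible where the switch closes after `'stale-allow'`, a baseline file written by an earlier release that still holds `license` entries would make the function return `undefined`. Whether the read path rejects or migrates such entries is not visible in these hunks, so I would make the renderer total by adding `default: return '<unknown kind>';` before the closing brace. That way a stale or hand-edited entry shows up as an explicit marker instead of a blank or `undefined` locator in a security report. The body of `describeEntry` spans several hunks and parts of it lie outside them.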
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"show.js","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCH,0CAIC;AAOD,sCA6BC;AAYD,gCAkBC;AASD,gCAyBC;AA7ID,kDAAoC;
|
|
1
|
+
{"version":3,"file":"show.js","sourceRoot":"","sources":["../../src/baseline/show.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCH,0CAIC;AAOD,sCA6BC;AAYD,gCAkBC;AASD,gCAyBC;AA7ID,kDAAoC;AAEpC,yCAAyC;AAGzC;;;;;GAKG;AACU,QAAA,oBAAoB,GAAG,wBAAiC,CAAC;AAEtE;;;;GAIG;AACU,QAAA,YAAY,GAAyC,MAAM,CAAC,MAAM,CAAC;IAC9E,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,UAAU;IACV,aAAa;IACb,cAAc;IACd,UAAU;IACV,SAAS;IACT,uBAAuB;IACvB,UAAU;IACV,YAAY;IACZ,YAAY;IACZ,aAAa;CACd,CAAC,CAAC;AAEH;;mCAEmC;AACnC,SAAgB,eAAe,CAAC,GAAW;IACzC,OAAQ,oBAAsC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAC1D,CAAC,CAAE,GAA6B;QAChC,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,IAAkB;IAC9C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,UAAU,GAAG,CAAC,CAAC;IAClG,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;IACnD,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,kBAAkB,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;IACnC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC;IACpD,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAA2C,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,UAAU,GAAG,IAAI,C
AAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/D,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,UAAU,CAAC,IAAkB,EAAE,IAA2B;IACxE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,IAAI,aAAa,IAAI,EAAE,CAAC,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,kBAAkB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,0BAA0B,IAAI,IAAI,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,CAAC,IAAI,CACR,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,IAAI,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CACzF,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,UAAU,CACxB,IAAkB,EAClB,UAAqD,EAAE;IAUvD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI;QAC3B,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC;QACtD,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;IAClB,MAAM,IAAI,GAAiB,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjD,OAAO;QACL,MAAM,EAAE,4BAAoB;QAC5B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI;QACpD,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE;YACP,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC;S
AC9B;KACF,CAAC;AACJ,CAAC;AAED;yDACyD;AACzD,SAAS,WAAW,CAClB,OAAqC;IAErC,MAAM,GAAG,GAAmD,EAAE,CAAC;IAC/D,KAAK,MAAM,CAAC,IAAI,OAAO;QAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC9D,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,aAAa,CAAC,KAAoB;IACzC,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,aAAa,CAAC;IAC7C,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC;QACtE,KAAK,SAAS;YACZ,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC;QAC1D,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,gBAAgB,IAAI,GAAG,MAAM,KAAK,CAAC,UAAU,GAAG,CAAC;QACpF,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,QAAQ,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,UAAU,MAAM,KAAK,CAAC,KAAK,SAAS,CAAC;QAC7G,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC,MAAM;gBACjB,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE;gBACjC,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC;QACpF,KAAK,UAAU;YACb,OAAO,GAAG,KAAK,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,GAAG,CAAC;QAChD,KAAK,uBAAuB;YAC1B,OAAO,GAAG,KAAK,CAAC,IAAI,MAAM,KAAK,CAAC,MAAM,GAAG,CAAC;QAC5C,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY;YACf,OAAO,KAAK,CAAC,IAAI,CAAC;QACpB,KAAK,YAAY;YACf,OAAO,GAAG,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC;QAC7C,KAAK,aAAa;YAChB,OAAO,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,WAAW,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC1E,KAAK,aAAa;YAChB,OAAO,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,wBAAwB,KAAK,CAAC,QAAQ,GAAG,CAAC;IAChF,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,IAAI,CAAC,GAAG;QAAE,OAAO,aAAa,CAAC;IAC/B,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACzB,CAAC"}
|