@vyuhlabs/dxkit 2.5.2 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (264) hide show
  1. package/CHANGELOG.md +218 -13
  2. package/README.md +220 -369
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/bom/discovery.d.ts +3 -4
  32. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  33. package/dist/analyzers/bom/discovery.js +3 -4
  34. package/dist/analyzers/bom/discovery.js.map +1 -1
  35. package/dist/analyzers/bom/types.d.ts +1 -1
  36. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  37. package/dist/analyzers/dashboard/index.js +42 -5
  38. package/dist/analyzers/dashboard/index.js.map +1 -1
  39. package/dist/analyzers/quality/detailed.d.ts +8 -1
  40. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  41. package/dist/analyzers/quality/detailed.js +43 -10
  42. package/dist/analyzers/quality/detailed.js.map +1 -1
  43. package/dist/analyzers/security/detailed.d.ts +8 -1
  44. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  45. package/dist/analyzers/security/detailed.js +14 -1
  46. package/dist/analyzers/security/detailed.js.map +1 -1
  47. package/dist/analyzers/tests/detailed.d.ts +8 -1
  48. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  49. package/dist/analyzers/tests/detailed.js +26 -7
  50. package/dist/analyzers/tests/detailed.js.map +1 -1
  51. package/dist/analyzers/tools/cloc.js +3 -3
  52. package/dist/analyzers/tools/cloc.js.map +1 -1
  53. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  54. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  55. package/dist/analyzers/tools/exclusions.js +27 -13
  56. package/dist/analyzers/tools/exclusions.js.map +1 -1
  57. package/dist/analyzers/tools/graphify.d.ts +39 -5
  58. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  59. package/dist/analyzers/tools/graphify.js +609 -45
  60. package/dist/analyzers/tools/graphify.js.map +1 -1
  61. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  62. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  63. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  64. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  65. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  66. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  67. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  68. package/dist/analyzers/tools/parallel.js +7 -0
  69. package/dist/analyzers/tools/parallel.js.map +1 -1
  70. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  71. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  72. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  73. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  74. package/dist/analyzers/xlsx/licenses.js +7 -7
  75. package/dist/baseline/baseline-file.d.ts +7 -0
  76. package/dist/baseline/baseline-file.d.ts.map +1 -1
  77. package/dist/baseline/baseline-file.js +22 -1
  78. package/dist/baseline/baseline-file.js.map +1 -1
  79. package/dist/baseline/check-renderers.d.ts +13 -1
  80. package/dist/baseline/check-renderers.d.ts.map +1 -1
  81. package/dist/baseline/check-renderers.js +67 -1
  82. package/dist/baseline/check-renderers.js.map +1 -1
  83. package/dist/baseline/check.d.ts +33 -7
  84. package/dist/baseline/check.d.ts.map +1 -1
  85. package/dist/baseline/check.js +90 -64
  86. package/dist/baseline/check.js.map +1 -1
  87. package/dist/baseline/create.d.ts +35 -7
  88. package/dist/baseline/create.d.ts.map +1 -1
  89. package/dist/baseline/create.js +43 -5
  90. package/dist/baseline/create.js.map +1 -1
  91. package/dist/baseline/entry-to-located.d.ts +6 -1
  92. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  93. package/dist/baseline/entry-to-located.js +20 -2
  94. package/dist/baseline/entry-to-located.js.map +1 -1
  95. package/dist/baseline/finding-identity.d.ts.map +1 -1
  96. package/dist/baseline/finding-identity.js +15 -13
  97. package/dist/baseline/finding-identity.js.map +1 -1
  98. package/dist/baseline/modes.d.ts +140 -0
  99. package/dist/baseline/modes.d.ts.map +1 -0
  100. package/dist/baseline/modes.js +179 -0
  101. package/dist/baseline/modes.js.map +1 -0
  102. package/dist/baseline/policy.d.ts +64 -0
  103. package/dist/baseline/policy.d.ts.map +1 -1
  104. package/dist/baseline/policy.js +102 -1
  105. package/dist/baseline/policy.js.map +1 -1
  106. package/dist/baseline/producers/health.d.ts +2 -2
  107. package/dist/baseline/producers/health.d.ts.map +1 -1
  108. package/dist/baseline/producers/health.js.map +1 -1
  109. package/dist/baseline/producers/index.d.ts +11 -5
  110. package/dist/baseline/producers/index.d.ts.map +1 -1
  111. package/dist/baseline/producers/index.js +12 -9
  112. package/dist/baseline/producers/index.js.map +1 -1
  113. package/dist/baseline/producers/quality.d.ts +3 -3
  114. package/dist/baseline/producers/quality.d.ts.map +1 -1
  115. package/dist/baseline/producers/quality.js.map +1 -1
  116. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  117. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  118. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  119. package/dist/baseline/producers/security.d.ts +2 -2
  120. package/dist/baseline/producers/security.d.ts.map +1 -1
  121. package/dist/baseline/producers/security.js.map +1 -1
  122. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  123. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  124. package/dist/baseline/producers/stale-allow.js +111 -0
  125. package/dist/baseline/producers/stale-allow.js.map +1 -0
  126. package/dist/baseline/producers/tests.d.ts +2 -2
  127. package/dist/baseline/producers/tests.d.ts.map +1 -1
  128. package/dist/baseline/producers/tests.js.map +1 -1
  129. package/dist/baseline/ref-baseline.d.ts +114 -0
  130. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  131. package/dist/baseline/ref-baseline.js +260 -0
  132. package/dist/baseline/ref-baseline.js.map +1 -0
  133. package/dist/baseline/sanitize.d.ts +80 -0
  134. package/dist/baseline/sanitize.d.ts.map +1 -0
  135. package/dist/baseline/sanitize.js +91 -0
  136. package/dist/baseline/sanitize.js.map +1 -0
  137. package/dist/baseline/show.d.ts.map +1 -1
  138. package/dist/baseline/show.js +9 -3
  139. package/dist/baseline/show.js.map +1 -1
  140. package/dist/baseline/types.d.ts +73 -26
  141. package/dist/baseline/types.d.ts.map +1 -1
  142. package/dist/baseline/types.js +7 -1
  143. package/dist/baseline/types.js.map +1 -1
  144. package/dist/baseline/visibility.d.ts +61 -0
  145. package/dist/baseline/visibility.d.ts.map +1 -0
  146. package/dist/baseline/visibility.js +121 -0
  147. package/dist/baseline/visibility.js.map +1 -0
  148. package/dist/cli.d.ts.map +1 -1
  149. package/dist/cli.js +168 -6
  150. package/dist/cli.js.map +1 -1
  151. package/dist/dashboard/graph-adapter.d.ts +151 -0
  152. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  153. package/dist/dashboard/graph-adapter.js +415 -0
  154. package/dist/dashboard/graph-adapter.js.map +1 -0
  155. package/dist/dashboard/graph-tab.d.ts +109 -0
  156. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  157. package/dist/dashboard/graph-tab.js +297 -0
  158. package/dist/dashboard/graph-tab.js.map +1 -0
  159. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  160. package/dist/doctor.d.ts.map +1 -1
  161. package/dist/doctor.js +106 -16
  162. package/dist/doctor.js.map +1 -1
  163. package/dist/explore/cli/api-surface.d.ts +12 -0
  164. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  165. package/dist/explore/cli/api-surface.js +57 -0
  166. package/dist/explore/cli/api-surface.js.map +1 -0
  167. package/dist/explore/cli/communities.d.ts +10 -0
  168. package/dist/explore/cli/communities.d.ts.map +1 -0
  169. package/dist/explore/cli/communities.js +47 -0
  170. package/dist/explore/cli/communities.js.map +1 -0
  171. package/dist/explore/cli/context.d.ts +16 -0
  172. package/dist/explore/cli/context.d.ts.map +1 -0
  173. package/dist/explore/cli/context.js +118 -0
  174. package/dist/explore/cli/context.js.map +1 -0
  175. package/dist/explore/cli/entry-points.d.ts +12 -0
  176. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  177. package/dist/explore/cli/entry-points.js +85 -0
  178. package/dist/explore/cli/entry-points.js.map +1 -0
  179. package/dist/explore/cli/feature.d.ts +16 -0
  180. package/dist/explore/cli/feature.d.ts.map +1 -0
  181. package/dist/explore/cli/feature.js +89 -0
  182. package/dist/explore/cli/feature.js.map +1 -0
  183. package/dist/explore/cli/file.d.ts +12 -0
  184. package/dist/explore/cli/file.d.ts.map +1 -0
  185. package/dist/explore/cli/file.js +139 -0
  186. package/dist/explore/cli/file.js.map +1 -0
  187. package/dist/explore/cli/hot-files.d.ts +11 -0
  188. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  189. package/dist/explore/cli/hot-files.js +63 -0
  190. package/dist/explore/cli/hot-files.js.map +1 -0
  191. package/dist/explore/context-hook.d.ts +42 -0
  192. package/dist/explore/context-hook.d.ts.map +1 -0
  193. package/dist/explore/context-hook.js +131 -0
  194. package/dist/explore/context-hook.js.map +1 -0
  195. package/dist/explore/finding-context.d.ts +69 -0
  196. package/dist/explore/finding-context.d.ts.map +1 -0
  197. package/dist/explore/finding-context.js +102 -0
  198. package/dist/explore/finding-context.js.map +1 -0
  199. package/dist/explore/format.d.ts +64 -0
  200. package/dist/explore/format.d.ts.map +1 -0
  201. package/dist/explore/format.js +99 -0
  202. package/dist/explore/format.js.map +1 -0
  203. package/dist/explore/load.d.ts +50 -0
  204. package/dist/explore/load.d.ts.map +1 -0
  205. package/dist/explore/load.js +197 -0
  206. package/dist/explore/load.js.map +1 -0
  207. package/dist/explore/queries.d.ts +413 -0
  208. package/dist/explore/queries.d.ts.map +1 -0
  209. package/dist/explore/queries.js +855 -0
  210. package/dist/explore/queries.js.map +1 -0
  211. package/dist/explore/types.d.ts +130 -0
  212. package/dist/explore/types.d.ts.map +1 -0
  213. package/dist/explore/types.js +28 -0
  214. package/dist/explore/types.js.map +1 -0
  215. package/dist/explore-cli.d.ts +45 -0
  216. package/dist/explore-cli.d.ts.map +1 -0
  217. package/dist/explore-cli.js +213 -0
  218. package/dist/explore-cli.js.map +1 -0
  219. package/dist/generator.d.ts.map +1 -1
  220. package/dist/generator.js +19 -0
  221. package/dist/generator.js.map +1 -1
  222. package/dist/issue-cli.d.ts +62 -0
  223. package/dist/issue-cli.d.ts.map +1 -0
  224. package/dist/issue-cli.js +252 -0
  225. package/dist/issue-cli.js.map +1 -0
  226. package/dist/languages/csharp.d.ts.map +1 -1
  227. package/dist/languages/csharp.js +32 -11
  228. package/dist/languages/csharp.js.map +1 -1
  229. package/dist/languages/go.d.ts.map +1 -1
  230. package/dist/languages/go.js +5 -0
  231. package/dist/languages/go.js.map +1 -1
  232. package/dist/languages/index.d.ts +27 -0
  233. package/dist/languages/index.d.ts.map +1 -1
  234. package/dist/languages/index.js +35 -0
  235. package/dist/languages/index.js.map +1 -1
  236. package/dist/languages/java.d.ts.map +1 -1
  237. package/dist/languages/java.js +5 -0
  238. package/dist/languages/java.js.map +1 -1
  239. package/dist/languages/kotlin.d.ts.map +1 -1
  240. package/dist/languages/kotlin.js +5 -0
  241. package/dist/languages/kotlin.js.map +1 -1
  242. package/dist/languages/python.d.ts.map +1 -1
  243. package/dist/languages/python.js +5 -0
  244. package/dist/languages/python.js.map +1 -1
  245. package/dist/languages/ruby.d.ts.map +1 -1
  246. package/dist/languages/ruby.js +5 -0
  247. package/dist/languages/ruby.js.map +1 -1
  248. package/dist/languages/rust.d.ts.map +1 -1
  249. package/dist/languages/rust.js +5 -0
  250. package/dist/languages/rust.js.map +1 -1
  251. package/dist/languages/types.d.ts +79 -0
  252. package/dist/languages/types.d.ts.map +1 -1
  253. package/dist/languages/typescript.d.ts.map +1 -1
  254. package/dist/languages/typescript.js +6 -1
  255. package/dist/languages/typescript.js.map +1 -1
  256. package/package.json +2 -1
  257. package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
  258. package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
  259. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  260. package/templates/AGENTS.md.template +8 -1
  261. package/dist/baseline/producers/licenses.d.ts +0 -23
  262. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  263. package/dist/baseline/producers/licenses.js +0 -46
  264. package/dist/baseline/producers/licenses.js.map +0 -1
@@ -0,0 +1,120 @@
1
+ /**
2
+ * Allowlist category taxonomy. Single source of truth for:
3
+ * - Which categories exist
4
+ * - Which categories require an expiry date
5
+ * - Which categories may be expressed via inline source annotation
6
+ * - Which categories apply to each `IdentityKind`
7
+ * - Which finding kinds support inline annotations at all
8
+ *
9
+ * Pure module — no I/O, no analyzer dependencies. Consumed by the
10
+ * allowlist file reader/writer, the inline-annotation parser, the
11
+ * CLI, the block-time hint formatter, and the new `allowlistHits`
12
+ * baseline producer.
13
+ *
14
+ * See tmp/2.6-allowlist-design.md for the design discussion.
15
+ */
16
+ import type { IdentityKind } from '../baseline/producers';
17
+ /**
18
+ * Single source of truth for category values. The `AllowlistCategory`
19
+ * union type is derived from this array via `(typeof ...)[number]`,
20
+ * so adding a new category means appending one string here and every
21
+ * type-level check (Record-keyed tables, switch exhaustiveness,
22
+ * function parameter types) auto-updates. No two-place drift.
23
+ */
24
+ export declare const ALL_CATEGORIES: readonly ["false-positive", "test-fixture", "mitigated-externally", "accepted-risk", "deferred"];
25
+ export type AllowlistCategory = (typeof ALL_CATEGORIES)[number];
26
+ /**
27
+ * Categories that REQUIRE a finite expiry date. The file-level
28
+ * allowlist write-path rejects entries in these categories without
29
+ * an `expiresAt`. The CLI defaults `expiresAt` to 90 days out for
30
+ * these — see `defaultExpiryDate`.
31
+ *
32
+ * Categories OUTSIDE this set represent stable assertions about the
33
+ * code that don't naturally stale (a test fixture remains a test
34
+ * fixture; a false positive remains a false positive until the
35
+ * scanner rule changes). They may carry an `expiresAt` if the
36
+ * customer chooses, but it's not enforced.
37
+ */
38
+ export declare const EXPIRING_CATEGORIES: ReadonlySet<AllowlistCategory>;
39
+ /**
40
+ * Categories that may be expressed via inline source annotation
41
+ * (`// dxkit-allow:<category> reason="..."`). The complement
42
+ * (`accepted-risk`, `deferred`) is file-only because those categories
43
+ * need fields (expiresAt, acknowledgedSeverity) that don't fit
44
+ * cleanly into a code comment.
45
+ */
46
+ export declare const INLINE_COMPATIBLE_CATEGORIES: ReadonlySet<AllowlistCategory>;
47
+ /**
48
+ * Finding kinds that have a stable single-line attachment point and
49
+ * therefore support inline annotations. Kinds outside this set are
50
+ * file-only (whole-file findings, cross-file findings, gap findings).
51
+ *
52
+ * Inline-compatible:
53
+ * - `secret` / `secret-hmac`: the source line is the credential
54
+ * - `code` / `config`: the source line is the flagged pattern
55
+ * - `dep-vuln`: annotate the import or first-use line
56
+ * - `hygiene`: the source line carries the TODO/FIXME/HACK marker
57
+ *
58
+ * File-only (no single-line site):
59
+ * - `duplication`: two locations across files
60
+ * - `coverage-gap` / `test-gap` / `test-file-degradation`: file or
61
+ * symbol-range level, not single-line
62
+ * - `god-file` / `large-file` / `stale-file`: whole-file findings
63
+ */
64
+ export declare const INLINE_COMPATIBLE_KINDS: ReadonlySet<IdentityKind>;
65
+ /**
66
+ * Categories applicable to each `IdentityKind`. Reflects what
67
+ * suppression rationales the kind can plausibly carry — a
68
+ * `coverage-gap` is rarely a "false positive" in the same way a
69
+ * scanner finding is; a `dep-vuln` is rarely a "test fixture."
70
+ *
71
+ * The CLI presents the applicable list as a multiple-choice prompt
72
+ * when the customer runs `vyuh-dxkit allowlist add` against a
73
+ * finding.
74
+ *
75
+ * The `Record<IdentityKind, ...>` ties this table to the canonical
76
+ * union: TypeScript fails the build when a new `IdentityKind`
77
+ * variant lands without a corresponding entry here.
78
+ */
79
+ export declare const CATEGORIES_BY_KIND: Readonly<Record<IdentityKind, readonly AllowlistCategory[]>>;
80
+ /**
81
+ * Whether a (kind, category) tuple may be expressed as an inline
82
+ * annotation. Both the kind AND the category must be inline-compatible.
83
+ *
84
+ * Examples:
85
+ * canUseInline('secret', 'test-fixture') // true
86
+ * canUseInline('secret', 'accepted-risk') // false (category file-only)
87
+ * canUseInline('large-file', 'false-positive') // false (kind file-only)
88
+ * canUseInline('hygiene', 'accepted-risk') // false (category file-only)
89
+ */
90
+ export declare function canUseInline(kind: IdentityKind, category: AllowlistCategory): boolean;
91
+ /**
92
+ * Whether a category requires `expiresAt` on the file-level entry.
93
+ * Source of truth for the write-path validation rule.
94
+ */
95
+ export declare function requiresExpiry(category: AllowlistCategory): boolean;
96
+ /**
97
+ * Whether a (kind, category) tuple is semantically valid. The CLI
98
+ * uses this to reject incoherent combinations like
99
+ * `coverage-gap + false-positive` with a clear error pointing at
100
+ * the applicable categories for that kind.
101
+ */
102
+ export declare function isCategoryValidForKind(kind: IdentityKind, category: AllowlistCategory): boolean;
103
+ /**
104
+ * Number of days into the future the CLI defaults `expiresAt` to
105
+ * when the customer doesn't specify one. Locked at 90 in Sprint 0
106
+ * (Snyk + Dependabot industry default). Per-category overrides will
107
+ * land in `.dxkit/policy.json` (`allowlist.defaultExpiryDays`) in a
108
+ * follow-up commit if real customer signal demands it.
109
+ */
110
+ export declare const DEFAULT_EXPIRY_DAYS = 90;
111
+ /**
112
+ * Compute the default expiry date as an ISO `YYYY-MM-DD` string,
113
+ * `DEFAULT_EXPIRY_DAYS` from `now`. UTC-anchored to keep the date
114
+ * stable across timezone-different developers on the same team.
115
+ *
116
+ * `now` is injected for deterministic testing — production callers
117
+ * pass `new Date()` (the default).
118
+ */
119
+ export declare function defaultExpiryDate(now?: Date): string;
120
+ //# sourceMappingURL=categories.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,kGAMjB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,WAAW,CAAC,iBAAiB,CAG7D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,iBAAiB,CAItE,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,YAAY,CAO5D,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,iBAAiB,EAAE,CAAC,CA6C3F,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAErF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAEnE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAE/F;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,IAAiB,GAAG,MAAM,CAIhE"}
@@ -0,0 +1,194 @@
1
+ "use strict";
2
+ /**
3
+ * Allowlist category taxonomy. Single source of truth for:
4
+ * - Which categories exist
5
+ * - Which categories require an expiry date
6
+ * - Which categories may be expressed via inline source annotation
7
+ * - Which categories apply to each `IdentityKind`
8
+ * - Which finding kinds support inline annotations at all
9
+ *
10
+ * Pure module — no I/O, no analyzer dependencies. Consumed by the
11
+ * allowlist file reader/writer, the inline-annotation parser, the
12
+ * CLI, the block-time hint formatter, and the new `allowlistHits`
13
+ * baseline producer.
14
+ *
15
+ * See tmp/2.6-allowlist-design.md for the design discussion.
16
+ */
17
+ Object.defineProperty(exports, "__esModule", { value: true });
18
+ exports.DEFAULT_EXPIRY_DAYS = exports.CATEGORIES_BY_KIND = exports.INLINE_COMPATIBLE_KINDS = exports.INLINE_COMPATIBLE_CATEGORIES = exports.EXPIRING_CATEGORIES = exports.ALL_CATEGORIES = void 0;
19
+ exports.canUseInline = canUseInline;
20
+ exports.requiresExpiry = requiresExpiry;
21
+ exports.isCategoryValidForKind = isCategoryValidForKind;
22
+ exports.defaultExpiryDate = defaultExpiryDate;
23
+ /**
24
+ * Single source of truth for category values. The `AllowlistCategory`
25
+ * union type is derived from this array via `(typeof ...)[number]`,
26
+ * so adding a new category means appending one string here and every
27
+ * type-level check (Record-keyed tables, switch exhaustiveness,
28
+ * function parameter types) auto-updates. No two-place drift.
29
+ */
30
+ exports.ALL_CATEGORIES = [
31
+ 'false-positive',
32
+ 'test-fixture',
33
+ 'mitigated-externally',
34
+ 'accepted-risk',
35
+ 'deferred',
36
+ ];
37
+ /**
38
+ * Categories that REQUIRE a finite expiry date. The file-level
39
+ * allowlist write-path rejects entries in these categories without
40
+ * an `expiresAt`. The CLI defaults `expiresAt` to 90 days out for
41
+ * these — see `defaultExpiryDate`.
42
+ *
43
+ * Categories OUTSIDE this set represent stable assertions about the
44
+ * code that don't naturally stale (a test fixture remains a test
45
+ * fixture; a false positive remains a false positive until the
46
+ * scanner rule changes). They may carry an `expiresAt` if the
47
+ * customer chooses, but it's not enforced.
48
+ */
49
+ exports.EXPIRING_CATEGORIES = new Set([
50
+ 'accepted-risk',
51
+ 'deferred',
52
+ ]);
53
+ /**
54
+ * Categories that may be expressed via inline source annotation
55
+ * (`// dxkit-allow:<category> reason="..."`). The complement
56
+ * (`accepted-risk`, `deferred`) is file-only because those categories
57
+ * need fields (expiresAt, acknowledgedSeverity) that don't fit
58
+ * cleanly into a code comment.
59
+ */
60
+ exports.INLINE_COMPATIBLE_CATEGORIES = new Set([
61
+ 'false-positive',
62
+ 'test-fixture',
63
+ 'mitigated-externally',
64
+ ]);
65
+ /**
66
+ * Finding kinds that have a stable single-line attachment point and
67
+ * therefore support inline annotations. Kinds outside this set are
68
+ * file-only (whole-file findings, cross-file findings, gap findings).
69
+ *
70
+ * Inline-compatible:
71
+ * - `secret` / `secret-hmac`: the source line is the credential
72
+ * - `code` / `config`: the source line is the flagged pattern
73
+ * - `dep-vuln`: annotate the import or first-use line
74
+ * - `hygiene`: the source line carries the TODO/FIXME/HACK marker
75
+ *
76
+ * File-only (no single-line site):
77
+ * - `duplication`: two locations across files
78
+ * - `coverage-gap` / `test-gap` / `test-file-degradation`: file or
79
+ * symbol-range level, not single-line
80
+ * - `god-file` / `large-file` / `stale-file`: whole-file findings
81
+ */
82
+ exports.INLINE_COMPATIBLE_KINDS = new Set([
83
+ 'secret',
84
+ 'secret-hmac',
85
+ 'code',
86
+ 'config',
87
+ 'dep-vuln',
88
+ 'hygiene',
89
+ ]);
90
+ /**
91
+ * Categories applicable to each `IdentityKind`. Reflects what
92
+ * suppression rationales the kind can plausibly carry — a
93
+ * `coverage-gap` is rarely a "false positive" in the same way a
94
+ * scanner finding is; a `dep-vuln` is rarely a "test fixture."
95
+ *
96
+ * The CLI presents the applicable list as a multiple-choice prompt
97
+ * when the customer runs `vyuh-dxkit allowlist add` against a
98
+ * finding.
99
+ *
100
+ * The `Record<IdentityKind, ...>` ties this table to the canonical
101
+ * union: TypeScript fails the build when a new `IdentityKind`
102
+ * variant lands without a corresponding entry here.
103
+ */
104
+ exports.CATEGORIES_BY_KIND = {
105
+ // Source-level security findings: every category applies
106
+ secret: ['false-positive', 'test-fixture', 'mitigated-externally', 'accepted-risk', 'deferred'],
107
+ 'secret-hmac': [
108
+ 'false-positive',
109
+ 'test-fixture',
110
+ 'mitigated-externally',
111
+ 'accepted-risk',
112
+ 'deferred',
113
+ ],
114
+ code: ['false-positive', 'test-fixture', 'mitigated-externally', 'accepted-risk', 'deferred'],
115
+ config: ['false-positive', 'test-fixture', 'mitigated-externally', 'accepted-risk', 'deferred'],
116
+ // Dependency vulnerabilities: rarely a test fixture (the dep is real);
117
+ // every other category applies
118
+ 'dep-vuln': ['false-positive', 'mitigated-externally', 'accepted-risk', 'deferred'],
119
+ // Duplicate blocks: occasionally a false positive (jscpd matched
120
+ // generated code); otherwise accepted-risk or deferred
121
+ duplication: ['false-positive', 'accepted-risk', 'deferred'],
122
+ // Coverage / test gaps: not "false-positive" in any practical sense;
123
+ // only accepted-risk or deferred
124
+ 'coverage-gap': ['accepted-risk', 'deferred'],
125
+ 'test-gap': ['accepted-risk', 'deferred'],
126
+ 'test-file-degradation': ['accepted-risk', 'deferred'],
127
+ // Whole-file findings: false-positive (file IS not actually large /
128
+ // stale / god when reviewed); otherwise accepted-risk or deferred
129
+ 'god-file': ['false-positive', 'accepted-risk', 'deferred'],
130
+ 'large-file': ['false-positive', 'accepted-risk', 'deferred'],
131
+ 'stale-file': ['false-positive', 'accepted-risk', 'deferred'],
132
+ // TODO / FIXME / HACK / console-log / any-type markers: only
133
+ // accepted-risk or deferred (the marker IS the hygiene issue)
134
+ hygiene: ['accepted-risk', 'deferred'],
135
+ // Stale-allow (orphaned inline allowlist annotation): never
136
+ // allowlisted. The right response is always "remove the stale
137
+ // annotation" — allowlisting the warning that an annotation is
138
+ // stale would defeat the entire strict-stale-detection model
139
+ // (TypeScript's @ts-expect-error pattern). Empty array means the
140
+ // CLI rejects with a hint pointing at the annotation's source
141
+ // location.
142
+ 'stale-allow': [],
143
+ };
144
+ /**
145
+ * Whether a (kind, category) tuple may be expressed as an inline
146
+ * annotation. Both the kind AND the category must be inline-compatible.
147
+ *
148
+ * Examples:
149
+ * canUseInline('secret', 'test-fixture') // true
150
+ * canUseInline('secret', 'accepted-risk') // false (category file-only)
151
+ * canUseInline('large-file', 'false-positive') // false (kind file-only)
152
+ * canUseInline('hygiene', 'accepted-risk') // false (category file-only)
153
+ */
154
+ function canUseInline(kind, category) {
155
+ return exports.INLINE_COMPATIBLE_KINDS.has(kind) && exports.INLINE_COMPATIBLE_CATEGORIES.has(category);
156
+ }
157
+ /**
158
+ * Whether a category requires `expiresAt` on the file-level entry.
159
+ * Source of truth for the write-path validation rule.
160
+ */
161
+ function requiresExpiry(category) {
162
+ return exports.EXPIRING_CATEGORIES.has(category);
163
+ }
164
+ /**
165
+ * Whether a (kind, category) tuple is semantically valid. The CLI
166
+ * uses this to reject incoherent combinations like
167
+ * `coverage-gap + false-positive` with a clear error pointing at
168
+ * the applicable categories for that kind.
169
+ */
170
+ function isCategoryValidForKind(kind, category) {
171
+ return exports.CATEGORIES_BY_KIND[kind].includes(category);
172
+ }
173
+ /**
174
+ * Number of days into the future the CLI defaults `expiresAt` to
175
+ * when the customer doesn't specify one. Locked at 90 in Sprint 0
176
+ * (Snyk + Dependabot industry default). Per-category overrides will
177
+ * land in `.dxkit/policy.json` (`allowlist.defaultExpiryDays`) in a
178
+ * follow-up commit if real customer signal demands it.
179
+ */
180
+ exports.DEFAULT_EXPIRY_DAYS = 90;
181
+ /**
182
+ * Compute the default expiry date as an ISO `YYYY-MM-DD` string,
183
+ * `DEFAULT_EXPIRY_DAYS` from `now`. UTC-anchored to keep the date
184
+ * stable across timezone-different developers on the same team.
185
+ *
186
+ * `now` is injected for deterministic testing — production callers
187
+ * pass `new Date()` (the default).
188
+ */
189
+ function defaultExpiryDate(now = new Date()) {
190
+ const expires = new Date(now);
191
+ expires.setUTCDate(expires.getUTCDate() + exports.DEFAULT_EXPIRY_DAYS);
192
+ return expires.toISOString().slice(0, 10);
193
+ }
194
+ //# sourceMappingURL=categories.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAoJH,oCAEC;AAMD,wCAEC;AAQD,wDAEC;AAmBD,8CAIC;AA3LD;;;;;;GAMG;AACU,QAAA,cAAc,GAAG;IAC5B,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,UAAU;CACF,CAAC;AAIX;;;;;;;;;;;GAWG;AACU,QAAA,mBAAmB,GAAmC,IAAI,GAAG,CAAC;IACzE,eAAe;IACf,UAAU;CACX,CAAC,CAAC;AAEH;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAmC,IAAI,GAAG,CAAC;IAClF,gBAAgB;IAChB,cAAc;IACd,sBAAsB;CACvB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACU,QAAA,uBAAuB,GAA8B,IAAI,GAAG,CAAe;IACtF,QAAQ;IACR,aAAa;IACb,MAAM;IACN,QAAQ;IACR,UAAU;IACV,SAAS;CACV,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACU,QAAA,kBAAkB,GAAiE;IAC9F,yDAAyD;IACzD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC/F,aAAa,EAAE;QACb,gBAAgB;QAChB,cAAc;QACd,sBAAsB;QACtB,eAAe;QACf,UAAU;KACX;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7F,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE/F,uEAAuE;IACvE,+BAA+B;IAC/B,UAAU,EAAE,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAEnF,iEAAiE;IACjE,uDAAuD;IACvD,WAAW,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE5D,qEAAqE;IACrE,iCAAiC;IACjC,cAAc,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAC7C,UAAU,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IACzC,uBAAuB,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtD,oEAAoE;IACpE,kEAAkE;IAClE,UAAU,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC3D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE7D,6DAA6D;IAC7D,8DAA8D;IAC9D,OAAO,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtC,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,6DAA6D;IAC7D,iEAAiE;IACjE,8DAA8D;IAC9D,YAAY;IACZ,aAAa,EAAE,EAAE;CAClB,CAAC;AAEF;;;;;;;;;GASG;AACH,SAAgB,YAAY,CAAC,IAAkB,EAAE,QAA2B;IAC1E,OAAO,+BAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,oCAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,QAA2B;IACxD,OAAO,2BAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAkB,EAAE,QAA2B;IACpF,OAAO,0BAAkB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACU,QAAA,mBAAmB,GAAG,EAAE,CAAC;AAEtC;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,MAAY,IAAI,IAAI,EAAE;IACtD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,2BAAmB,CAAC,CAAC;IAC/D,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5C,CAAC"}
@@ -0,0 +1,95 @@
1
+ /**
2
+ * `vyuh-dxkit allowlist <subcommand>` — orchestrates the user-facing
3
+ * write/read paths over the allowlist module.
4
+ *
5
+ * Subcommands (Sprint 1 chunk):
6
+ *
7
+ * - `add <file>:<line>` — inline annotation insertion. Kind-agnostic;
8
+ * the annotation grammar carries category + reason only. Refuses
9
+ * non-inline-compatible categories (accepted-risk / deferred).
10
+ *
11
+ * - `add --fingerprint=<id> --kind=<kind>` — file-level allowlist
12
+ * entry. Persists to `.dxkit/allowlist.json` (or its sanitized
13
+ * mode + gitignored reasons sidecar). Required for any
14
+ * accepted-risk / deferred suppression OR any kind that lacks a
15
+ * stable single-line attachment point.
16
+ *
17
+ * - `list` — print every entry across the file-level allowlist.
18
+ * Reads only; no mutation. Honors `--json` for structured output.
19
+ *
20
+ * - `show <fingerprint>` — print one entry's full detail. Falls
21
+ * back to a "no entry found" message when the fingerprint isn't
22
+ * present.
23
+ *
24
+ * Subcommands `audit` and `prune` land in a follow-up commit.
25
+ *
26
+ * # Architectural posture
27
+ *
28
+ * Every IO goes through `loadAllowlist` / `saveAllowlist` in
29
+ * `src/allowlist/file.ts` (arch-rule 1 enforces this). Inline
30
+ * annotation insertion goes through `insertAnnotation` in
31
+ * `src/allowlist/inline.ts`. Per-kind / per-category validation
32
+ * goes through `categories.ts` helpers. NO duplicated taxonomy or
33
+ * IO logic here — this file is pure orchestration.
34
+ */
35
+ import { DEFAULT_EXPIRY_DAYS } from './categories';
36
+ import { ALLOWLIST_FILENAME, type AllowlistMode } from './file';
37
+ /** Subcommands recognized under `vyuh-dxkit allowlist`. */
38
+ export declare const ALLOWLIST_SUBCOMMANDS: readonly ["add", "list", "show", "audit", "prune"];
39
+ export type AllowlistSubcommand = (typeof ALLOWLIST_SUBCOMMANDS)[number];
40
+ export interface AllowlistAddOpts {
41
+ /** Positional target. `<file>:<line>` for inline form; absent or a
42
+ * bare file path for file-level form (requires `--fingerprint`
43
+ * + `--kind`). */
44
+ readonly target?: string;
45
+ readonly category?: string;
46
+ readonly reason?: string;
47
+ readonly kind?: string;
48
+ readonly fingerprint?: string;
49
+ readonly expires?: string;
50
+ readonly acknowledgedSeverity?: string;
51
+ readonly addedBy?: string;
52
+ /** Override the configured mode for this write only. Default
53
+ * reads from `.dxkit/policy.json` (out of scope here; this
54
+ * module accepts a flag to choose). */
55
+ readonly mode?: AllowlistMode;
56
+ }
57
+ export interface AllowlistShowOpts {
58
+ readonly fingerprint?: string;
59
+ readonly json?: boolean;
60
+ }
61
+ export interface AllowlistListOpts {
62
+ readonly json?: boolean;
63
+ }
64
+ export interface AllowlistAuditOpts {
65
+ readonly json?: boolean;
66
+ /** Soon-to-expire horizon in days (default 14). */
67
+ readonly soonToExpireDays?: number;
68
+ }
69
+ export interface AllowlistPruneOpts {
70
+ readonly json?: boolean;
71
+ /** Don't write; just print what would be removed. */
72
+ readonly dryRun?: boolean;
73
+ /** Skip confirmation prompt + write directly. Default behavior
74
+ * in Sprint 1 (no interactive prompts in dxkit yet) — the flag
75
+ * is accepted for future-proofing. */
76
+ readonly yes?: boolean;
77
+ }
78
+ /**
79
+ * Dispatch entry point called from `src/cli.ts`. Validates the
80
+ * subcommand name + routes to the per-subcommand handler. Unknown
81
+ * subcommands exit with a clear error and the list of recognized
82
+ * names.
83
+ */
84
+ export declare function runAllowlist(cwd: string, subcommand: string | undefined, args: {
85
+ positionalAfter?: string;
86
+ values: Record<string, unknown>;
87
+ }): Promise<void>;
88
+ export declare function runAllowlistAdd(cwd: string, opts: AllowlistAddOpts): Promise<void>;
89
+ export declare function runAllowlistList(cwd: string, opts: AllowlistListOpts): Promise<void>;
90
+ export declare function runAllowlistShow(cwd: string, opts: AllowlistShowOpts): Promise<void>;
91
+ export declare function runAllowlistAudit(cwd: string, opts: AllowlistAuditOpts): Promise<void>;
92
+ export declare function runAllowlistPrune(cwd: string, opts: AllowlistPruneOpts): Promise<void>;
93
+ export { DEFAULT_EXPIRY_DAYS };
94
+ export { ALLOWLIST_FILENAME };
95
+ //# sourceMappingURL=cli.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/allowlist/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AASH,OAAO,EAEL,mBAAmB,EAMpB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAalB,KAAK,aAAa,EAEnB,MAAM,QAAQ,CAAC;AAGhB,2DAA2D;AAC3D,eAAO,MAAM,qBAAqB,oDAAqD,CAAC;AACxF,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,gBAAgB;IAC/B;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;4CAEwC;IACxC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,mDAAmD;IACnD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACpC;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;2CAEuC;IACvC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,IAAI,EAAE;IACJ,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,IAAI,CAAC,CA4Cf;AAID,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBxF;AAyHD,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB1F;AAID,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B1F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsE5F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmC5F;AAuGD,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,CAAC"}