@vyuhlabs/dxkit 2.5.2 → 2.7.0
- package/CHANGELOG.md +218 -13
- package/README.md +220 -369
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +3 -3
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +168 -6
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +106 -16
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +32 -11
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +5 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +5 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +5 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +5 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +5 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +5 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +79 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +6 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
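--- a/package/dist/allowlist/categories.d.ts
+++ b/package/dist/allowlist/categories.d.ts
@@ -0,0 +1,120 @@
+/**
+* Allowlist category taxonomy. Single source of truth for:
+* - Which categories exist
+* - Which categories require an expiry date
+* - Which categories may be expressed via inline source annotation
+* - Which categories apply to each `IdentityKind`
+* - Which finding kinds support inline annotations at all
+*
+* Pure module — no I/O, no analyzer dependencies. Consumed by the
+* allowlist file reader/writer, the inline-annotation parser, the
+* CLI, the block-time hint formatter, and the new `allowlistHits`
+* baseline producer.
+*
+* See tmp/2.6-allowlist-design.md for the design discussion.
+*/
+import type { IdentityKind } from '../baseline/producers';
+/**
+* Single source of truth for category values. The `AllowlistCategory`
+* union type is derived from this array via `(typeof ...)[number]`,
+* so adding a new category means appending one string here and every
+* type-level check (Record-keyed tables, switch exhaustiveness,
+* function parameter types) auto-updates. No two-place drift.
+*/
+export declare const ALL_CATEGORIES: readonly ["false-positive", "test-fixture", "mitigated-externally", "accepted-risk", "deferred"];
+export type AllowlistCategory = (typeof ALL_CATEGORIES)[number];
+/**
+* Categories that REQUIRE a finite expiry date. The file-level
+* allowlist write-path rejects entries in these categories without
+* an `expiresAt`. The CLI defaults `expiresAt` to 90 days out for
+* these — see `defaultExpiryDate`.
+*
+* Categories OUTSIDE this set represent stable assertions about the
+* code that don't naturally stale (a test fixture remains a test
+* fixture; a false positive remains a false positive until the
+* scanner rule changes). They may carry an `expiresAt` if the
+* customer chooses, but it's not enforced.
+*/
+export declare const EXPIRING_CATEGORIES: ReadonlySet<AllowlistCategory>;
+/**
+* Categories that may be expressed via inline source annotation
+* (`// dxkit-allow:<category> reason="..."`). The complement
+* (`accepted-risk`, `deferred`) is file-only because those categories
+* need fields (expiresAt, acknowledgedSeverity) that don't fit
+* cleanly into a code comment.
+*/
+export declare const INLINE_COMPATIBLE_CATEGORIES: ReadonlySet<AllowlistCategory>;
+/**
+* Finding kinds that have a stable single-line attachment point and
+* therefore support inline annotations. Kinds outside this set are
+* file-only (whole-file findings, cross-file findings, gap findings).
+*
+* Inline-compatible:
+* - `secret` / `secret-hmac`: the source line is the credential
+* - `code` / `config`: the source line is the flagged pattern
+* - `dep-vuln`: annotate the import or first-use line
+* - `hygiene`: the source line carries the TODO/FIXME/HACK marker
+*
+* File-only (no single-line site):
+* - `duplication`: two locations across files
+* - `coverage-gap` / `test-gap` / `test-file-degradation`: file or
+* symbol-range level, not single-line
+* - `god-file` / `large-file` / `stale-file`: whole-file findings
+*/
+export declare const INLINE_COMPATIBLE_KINDS: ReadonlySet<IdentityKind>;
+/**
+* Categories applicable to each `IdentityKind`. Reflects what
+* suppression rationales the kind can plausibly carry — a
+* `coverage-gap` is rarely a "false positive" in the same way a
+* scanner finding is; a `dep-vuln` is rarely a "test fixture."
+*
+* The CLI presents the applicable list as a multiple-choice prompt
+* when the customer runs `vyuh-dxkit allowlist add` against a
+* finding.
+*
+* The `Record<IdentityKind, ...>` ties this table to the canonical
+* union: TypeScript fails the build when a new `IdentityKind`
+* variant lands without a corresponding entry here.
+*/
+export declare const CATEGORIES_BY_KIND: Readonly<Record<IdentityKind, readonly AllowlistCategory[]>>;
+/**
+* Whether a (kind, category) tuple may be expressed as an inline
+* annotation. Both the kind AND the category must be inline-compatible.
+*
+* Examples:
+* canUseInline('secret', 'test-fixture') // true
+* canUseInline('secret', 'accepted-risk') // false (category file-only)
+* canUseInline('large-file', 'false-positive') // false (kind file-only)
+* canUseInline('hygiene', 'accepted-risk') // false (category file-only)
+*/
+export declare function canUseInline(kind: IdentityKind, category: AllowlistCategory): boolean;
+/**
+* Whether a category requires `expiresAt` on the file-level entry.
+* Source of truth for the write-path validation rule.
+*/
+export declare function requiresExpiry(category: AllowlistCategory): boolean;
+/**
+* Whether a (kind, category) tuple is semantically valid. The CLI
+* uses this to reject incoherent combinations like
+* `coverage-gap + false-positive` with a clear error pointing at
+* the applicable categories for that kind.
+*/
+export declare function isCategoryValidForKind(kind: IdentityKind, category: AllowlistCategory): boolean;
+/**
+* Number of days into the future the CLI defaults `expiresAt` to
+* when the customer doesn't specify one. Locked at 90 in Sprint 0
+* (Snyk + Dependabot industry default). Per-category overrides will
+* land in `.dxkit/policy.json` (`allowlist.defaultExpiryDays`) in a
+* follow-up commit if real customer signal demands it.
+*/
+export declare const DEFAULT_EXPIRY_DAYS = 90;
+/**
+* Compute the default expiry date as an ISO `YYYY-MM-DD` string,
+* `DEFAULT_EXPIRY_DAYS` from `now`. UTC-anchored to keep the date
+* stable across timezone-different developers on the same team.
+*
+* `now` is injected for deterministic testing — production callers
+* pass `new Date()` (the default).
+*/
+export declare function defaultExpiryDate(now?: Date): string;
+//# sourceMappingURL=categories.d.ts.map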
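Review bot: The doc comment on `EXPIRING_CATEGORIES` describes every category outside the set as a stable assertion that does not go stale, but `mitigated-externally` is also outside it (categories.js in this diff puts only `accepted-risk` and `deferred` in the set), and an external control can be removed or reconfigured while the suppression stays in place. Because that category is also inline-compatible, a `// dxkit-allow:mitigated-externally reason="..."` comment on a secret, code, config or dep-vuln line carries no enforced review date. If the inline grammar cannot take an expiry, the comment should at least say so, for example by adding `* mitigated-externally has no enforced expiry; the external control must be re-verified out of band.` after the test-fixture / false-positive sentence.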
@@ -0,0 +1 @@
1
+
{"version":3,"file":"categories.d.ts","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,kGAMjB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,WAAW,CAAC,iBAAiB,CAG7D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,EAAE,WAAW,CAAC,iBAAiB,CAItE,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,EAAE,WAAW,CAAC,YAAY,CAO5D,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,kBAAkB,EAAE,QAAQ,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,iBAAiB,EAAE,CAAC,CA6C3F,CAAC;AAEF;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAErF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAEnE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,iBAAiB,GAAG,OAAO,CAE/F;AAED;;;;;;GAMG;AACH,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,GAAE,IAAiB,GAAG,MAAM,CAIhE"}
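--- a/package/dist/allowlist/categories.js
+++ b/package/dist/allowlist/categories.js
@@ -0,0 +1,194 @@
+"use strict";
+/**
+* Allowlist category taxonomy. Single source of truth for:
+* - Which categories exist
+* - Which categories require an expiry date
+* - Which categories may be expressed via inline source annotation
+* - Which categories apply to each `IdentityKind`
+* - Which finding kinds support inline annotations at all
+*
+* Pure module — no I/O, no analyzer dependencies. Consumed by the
+* allowlist file reader/writer, the inline-annotation parser, the
+* CLI, the block-time hint formatter, and the new `allowlistHits`
+* baseline producer.
+*
+* See tmp/2.6-allowlist-design.md for the design discussion.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_EXPIRY_DAYS = exports.CATEGORIES_BY_KIND = exports.INLINE_COMPATIBLE_KINDS = exports.INLINE_COMPATIBLE_CATEGORIES = exports.EXPIRING_CATEGORIES = exports.ALL_CATEGORIES = void 0;
+exports.canUseInline = canUseInline;
+exports.requiresExpiry = requiresExpiry;
+exports.isCategoryValidForKind = isCategoryValidForKind;
+exports.defaultExpiryDate = defaultExpiryDate;
+/**
+* Single source of truth for category values. The `AllowlistCategory`
+* union type is derived from this array via `(typeof ...)[number]`,
+* so adding a new category means appending one string here and every
+* type-level check (Record-keyed tables, switch exhaustiveness,
+* function parameter types) auto-updates. No two-place drift.
+*/
+exports.ALL_CATEGORIES = [
+'false-positive',
+'test-fixture',
+'mitigated-externally',
+'accepted-risk',
+'deferred',
+];
+/**
+* Categories that REQUIRE a finite expiry date. The file-level
+* allowlist write-path rejects entries in these categories without
+* an `expiresAt`. The CLI defaults `expiresAt` to 90 days out for
+* these — see `defaultExpiryDate`.
+*
+* Categories OUTSIDE this set represent stable assertions about the
+* code that don't naturally stale (a test fixture remains a test
+* fixture; a false positive remains a false positive until the
+* scanner rule changes). They may carry an `expiresAt` if the
+* customer chooses, but it's not enforced.
+*/
+exports.EXPIRING_CATEGORIES = new Set([
+'accepted-risk',
+'deferred',
+]);
+/**
+* Categories that may be expressed via inline source annotation
+* (`// dxkit-allow:<category> reason="..."`). The complement
+* (`accepted-risk`, `deferred`) is file-only because those categories
+* need fields (expiresAt, acknowledgedSeverity) that don't fit
+* cleanly into a code comment.
+*/
+exports.INLINE_COMPATIBLE_CATEGORIES = new Set([
+'false-positive',
+'test-fixture',
+'mitigated-externally',
+]);
+/**
+* Finding kinds that have a stable single-line attachment point and
+* therefore support inline annotations. Kinds outside this set are
+* file-only (whole-file findings, cross-file findings, gap findings).
+*
+* Inline-compatible:
+* - `secret` / `secret-hmac`: the source line is the credential
+* - `code` / `config`: the source line is the flagged pattern
+* - `dep-vuln`: annotate the import or first-use line
+* - `hygiene`: the source line carries the TODO/FIXME/HACK marker
+*
+* File-only (no single-line site):
+* - `duplication`: two locations across files
+* - `coverage-gap` / `test-gap` / `test-file-degradation`: file or
+* symbol-range level, not single-line
+* - `god-file` / `large-file` / `stale-file`: whole-file findings
+*/
+exports.INLINE_COMPATIBLE_KINDS = new Set([
+'secret',
+'secret-hmac',
+'code',
+'config',
+'dep-vuln',
+'hygiene',
+]);
+/**
+* Categories applicable to each `IdentityKind`. Reflects what
+* suppression rationales the kind can plausibly carry — a
+* `coverage-gap` is rarely a "false positive" in the same way a
+* scanner finding is; a `dep-vuln` is rarely a "test fixture."
+*
+* The CLI presents the applicable list as a multiple-choice prompt
+* when the customer runs `vyuh-dxkit allowlist add` against a
+* finding.
+*
+* The `Record<IdentityKind, ...>` ties this table to the canonical
+* union: TypeScript fails the build when a new `IdentityKind`
+* variant lands without a corresponding entry here.
+*/
+exports.CATEGORIES_BY_KIND = {
+// Source-level security findings: every category applies
+secret: ['false-positive', 'test-fixture', 'mitigated-externally', 'accepted-risk', 'deferred'],
+'secret-hmac': [
+'false-positive',
+'test-fixture',
+'mitigated-externally',
+'accepted-risk',
+'deferred',
+],
+code: ['false-positive', 'test-fixture', 'mitigated-externally', 'accepted-risk', 'deferred'],
+config: ['false-positive', 'test-fixture', 'mitigated-externally', 'accepted-risk', 'deferred'],
+// Dependency vulnerabilities: rarely a test fixture (the dep is real);
+// every other category applies
+'dep-vuln': ['false-positive', 'mitigated-externally', 'accepted-risk', 'deferred'],
+// Duplicate blocks: occasionally a false positive (jscpd matched
+// generated code); otherwise accepted-risk or deferred
+duplication: ['false-positive', 'accepted-risk', 'deferred'],
+// Coverage / test gaps: not "false-positive" in any practical sense;
+// only accepted-risk or deferred
+'coverage-gap': ['accepted-risk', 'deferred'],
+'test-gap': ['accepted-risk', 'deferred'],
+'test-file-degradation': ['accepted-risk', 'deferred'],
+// Whole-file findings: false-positive (file IS not actually large /
+// stale / god when reviewed); otherwise accepted-risk or deferred
+'god-file': ['false-positive', 'accepted-risk', 'deferred'],
+'large-file': ['false-positive', 'accepted-risk', 'deferred'],
+'stale-file': ['false-positive', 'accepted-risk', 'deferred'],
+// TODO / FIXME / HACK / console-log / any-type markers: only
+// accepted-risk or deferred (the marker IS the hygiene issue)
+hygiene: ['accepted-risk', 'deferred'],
+// Stale-allow (orphaned inline allowlist annotation): never
+// allowlisted. The right response is always "remove the stale
+// annotation" — allowlisting the warning that an annotation is
+// stale would defeat the entire strict-stale-detection model
+// (TypeScript's @ts-expect-error pattern). Empty array means the
+// CLI rejects with a hint pointing at the annotation's source
+// location.
+'stale-allow': [],
+};
+/**
+* Whether a (kind, category) tuple may be expressed as an inline
+* annotation. Both the kind AND the category must be inline-compatible.
+*
+* Examples:
+* canUseInline('secret', 'test-fixture') // true
+* canUseInline('secret', 'accepted-risk') // false (category file-only)
+* canUseInline('large-file', 'false-positive') // false (kind file-only)
+* canUseInline('hygiene', 'accepted-risk') // false (category file-only)
+*/
+function canUseInline(kind, category) {
+return exports.INLINE_COMPATIBLE_KINDS.has(kind) && exports.INLINE_COMPATIBLE_CATEGORIES.has(category);
+}
+/**
+* Whether a category requires `expiresAt` on the file-level entry.
+* Source of truth for the write-path validation rule.
+*/
+function requiresExpiry(category) {
+return exports.EXPIRING_CATEGORIES.has(category);
+}
+/**
+* Whether a (kind, category) tuple is semantically valid. The CLI
+* uses this to reject incoherent combinations like
+* `coverage-gap + false-positive` with a clear error pointing at
+* the applicable categories for that kind.
+*/
+function isCategoryValidForKind(kind, category) {
+return exports.CATEGORIES_BY_KIND[kind].includes(category);
+}
+/**
+* Number of days into the future the CLI defaults `expiresAt` to
+* when the customer doesn't specify one. Locked at 90 in Sprint 0
+* (Snyk + Dependabot industry default). Per-category overrides will
+* land in `.dxkit/policy.json` (`allowlist.defaultExpiryDays`) in a
+* follow-up commit if real customer signal demands it.
+*/
+exports.DEFAULT_EXPIRY_DAYS = 90;
+/**
+* Compute the default expiry date as an ISO `YYYY-MM-DD` string,
+* `DEFAULT_EXPIRY_DAYS` from `now`. UTC-anchored to keep the date
+* stable across timezone-different developers on the same team.
+*
+* `now` is injected for deterministic testing — production callers
+* pass `new Date()` (the default).
+*/
+function defaultExpiryDate(now = new Date()) {
+const expires = new Date(now);
+expires.setUTCDate(expires.getUTCDate() + exports.DEFAULT_EXPIRY_DAYS);
+return expires.toISOString().slice(0, 10);
+}
+//# sourceMappingURL=categories.js.map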
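Review bot: `isCategoryValidForKind` indexes `exports.CATEGORIES_BY_KIND[kind]` without checking that `kind` is an own key of the table, so an unknown kind yields `undefined` and `.includes` throws a TypeError instead of returning `false`; a name inherited from `Object.prototype`, such as `constructor`, resolves to a non-array value and fails the same way. The `IdentityKind` parameter type does not exist at runtime, and the cli.d.ts header in this diff describes `add --fingerprint=<id> --kind=<kind>`, so the value presumably originates from user input; whether the caller validates it first is not visible here. Guarding the lookup keeps the check fail-closed and lets the CLI print its intended error: `const allowed = Object.prototype.hasOwnProperty.call(exports.CATEGORIES_BY_KIND, kind) ? exports.CATEGORIES_BY_KIND[kind] : [];` followed by `return allowed.includes(category);`. Separately, the exported array, sets and table are only read-only at the type level; freezing the array and the table with `Object.freeze` would stop another module in the same process from widening the policy.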
@@ -0,0 +1 @@
1
+
{"version":3,"file":"categories.js","sourceRoot":"","sources":["../../src/allowlist/categories.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAoJH,oCAEC;AAMD,wCAEC;AAQD,wDAEC;AAmBD,8CAIC;AA3LD;;;;;;GAMG;AACU,QAAA,cAAc,GAAG;IAC5B,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,eAAe;IACf,UAAU;CACF,CAAC;AAIX;;;;;;;;;;;GAWG;AACU,QAAA,mBAAmB,GAAmC,IAAI,GAAG,CAAC;IACzE,eAAe;IACf,UAAU;CACX,CAAC,CAAC;AAEH;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAmC,IAAI,GAAG,CAAC;IAClF,gBAAgB;IAChB,cAAc;IACd,sBAAsB;CACvB,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;GAgBG;AACU,QAAA,uBAAuB,GAA8B,IAAI,GAAG,CAAe;IACtF,QAAQ;IACR,aAAa;IACb,MAAM;IACN,QAAQ;IACR,UAAU;IACV,SAAS;CACV,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACU,QAAA,kBAAkB,GAAiE;IAC9F,yDAAyD;IACzD,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC/F,aAAa,EAAE;QACb,gBAAgB;QAChB,cAAc;QACd,sBAAsB;QACtB,eAAe;QACf,UAAU;KACX;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7F,MAAM,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE/F,uEAAuE;IACvE,+BAA+B;IAC/B,UAAU,EAAE,CAAC,gBAAgB,EAAE,sBAAsB,EAAE,eAAe,EAAE,UAAU,CAAC;IAEnF,iEAAiE;IACjE,uDAAuD;IACvD,WAAW,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE5D,qEAAqE;IACrE,iCAAiC;IACjC,cAAc,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAC7C,UAAU,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IACzC,uBAAuB,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtD,oEAAoE;IACpE,kEAAkE;IAClE,UAAU,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC3D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAC7D,YAAY,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;IAE7D,6DAA6D;IAC7D,8DAA8D;IAC9D,OAAO,EAAE,CAAC,eAAe,EAAE,UAAU,CAAC;IAEtC,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,6DAA6D;IAC7D,iEAAiE;IACjE,8DAA8D;IAC9D,YAAY;IACZ,aAAa,EAAE,EAAE;CAClB,CAAC;AAEF;;;;;;;;;GASG;AACH,SAAgB,YAAY,CAAC,IAAkB,EAAE,QAA2B;IAC1E,OAAO,+BAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,oCAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,QAA2B;IACxD,OAAO,2BAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAkB,EAAE,QAA2B;IACpF,O
AAO,0BAAkB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACU,QAAA,mBAAmB,GAAG,EAAE,CAAC;AAEtC;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,MAAY,IAAI,IAAI,EAAE;IACtD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,2BAAmB,CAAC,CAAC;IAC/D,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5C,CAAC"}
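--- a/package/dist/allowlist/cli.d.ts
+++ b/package/dist/allowlist/cli.d.ts
@@ -0,0 +1,95 @@
+/**
+* `vyuh-dxkit allowlist <subcommand>` — orchestrates the user-facing
+* write/read paths over the allowlist module.
+*
+* Subcommands (Sprint 1 chunk):
+*
+* - `add <file>:<line>` — inline annotation insertion. Kind-agnostic;
+* the annotation grammar carries category + reason only. Refuses
+* non-inline-compatible categories (accepted-risk / deferred).
+*
+* - `add --fingerprint=<id> --kind=<kind>` — file-level allowlist
+* entry. Persists to `.dxkit/allowlist.json` (or its sanitized
+* mode + gitignored reasons sidecar). Required for any
+* accepted-risk / deferred suppression OR any kind that lacks a
+* stable single-line attachment point.
+*
+* - `list` — print every entry across the file-level allowlist.
+* Reads only; no mutation. Honors `--json` for structured output.
+*
+* - `show <fingerprint>` — print one entry's full detail. Falls
+* back to a "no entry found" message when the fingerprint isn't
+* present.
+*
+* Subcommands `audit` and `prune` land in a follow-up commit.
+*
+* # Architectural posture
+*
+* Every IO goes through `loadAllowlist` / `saveAllowlist` in
+* `src/allowlist/file.ts` (arch-rule 1 enforces this). Inline
+* annotation insertion goes through `insertAnnotation` in
+* `src/allowlist/inline.ts`. Per-kind / per-category validation
+* goes through `categories.ts` helpers. NO duplicated taxonomy or
+* IO logic here — this file is pure orchestration.
+*/
+import { DEFAULT_EXPIRY_DAYS } from './categories';
+import { ALLOWLIST_FILENAME, type AllowlistMode } from './file';
+/** Subcommands recognized under `vyuh-dxkit allowlist`. */
+export declare const ALLOWLIST_SUBCOMMANDS: readonly ["add", "list", "show", "audit", "prune"];
+export type AllowlistSubcommand = (typeof ALLOWLIST_SUBCOMMANDS)[number];
+export interface AllowlistAddOpts {
+/** Positional target. `<file>:<line>` for inline form; absent or a
+* bare file path for file-level form (requires `--fingerprint`
+* + `--kind`). */
+readonly target?: string;
+readonly category?: string;
+readonly reason?: string;
+readonly kind?: string;
+readonly fingerprint?: string;
+readonly expires?: string;
+readonly acknowledgedSeverity?: string;
+readonly addedBy?: string;
+/** Override the configured mode for this write only. Default
+* reads from `.dxkit/policy.json` (out of scope here; this
+* module accepts a flag to choose). */
+readonly mode?: AllowlistMode;
+}
+export interface AllowlistShowOpts {
+readonly fingerprint?: string;
+readonly json?: boolean;
+}
+export interface AllowlistListOpts {
+readonly json?: boolean;
+}
+export interface AllowlistAuditOpts {
+readonly json?: boolean;
+/** Soon-to-expire horizon in days (default 14). */
+readonly soonToExpireDays?: number;
+}
+export interface AllowlistPruneOpts {
+readonly json?: boolean;
+/** Don't write; just print what would be removed. */
+readonly dryRun?: boolean;
+/** Skip confirmation prompt + write directly. Default behavior
+* in Sprint 1 (no interactive prompts in dxkit yet) — the flag
+* is accepted for future-proofing. */
+readonly yes?: boolean;
+}
+/**
+* Dispatch entry point called from `src/cli.ts`. Validates the
+* subcommand name + routes to the per-subcommand handler. Unknown
+* subcommands exit with a clear error and the list of recognized
+* names.
+*/
+export declare function runAllowlist(cwd: string, subcommand: string | undefined, args: {
+positionalAfter?: string;
+values: Record<string, unknown>;
+}): Promise<void>;
+export declare function runAllowlistAdd(cwd: string, opts: AllowlistAddOpts): Promise<void>;
+export declare function runAllowlistList(cwd: string, opts: AllowlistListOpts): Promise<void>;
+export declare function runAllowlistShow(cwd: string, opts: AllowlistShowOpts): Promise<void>;
+export declare function runAllowlistAudit(cwd: string, opts: AllowlistAuditOpts): Promise<void>;
+export declare function runAllowlistPrune(cwd: string, opts: AllowlistPruneOpts): Promise<void>;
+export { DEFAULT_EXPIRY_DAYS };
+export { ALLOWLIST_FILENAME };
+//# sourceMappingURL=cli.d.ts.map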
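Review bot: `AllowlistAddOpts` declares `category`, `kind`, `expires` and `acknowledgedSeverity` as plain `string`, and `runAllowlist` takes `values: Record<string, unknown>`, so the declared API does not constrain what reaches the allowlist writer; the validation the header attributes to the `categories.ts` helpers lives in the implementation, which is not part of this section. Because each entry suppresses a finding, I would document the accepted values on the fields, for example `/** Allowlist category; the inline form refuses accepted-risk / deferred. */` above `readonly category?: string;`. The header comment also still says `audit` and `prune` land in a follow-up commit although `runAllowlistAudit` and `runAllowlistPrune` are declared here and both names are in `ALLOWLIST_SUBCOMMANDS`; that line should read `* The audit and prune subcommands are declared below.` This file is compiler output, so both changes belong in `src/allowlist/cli.ts`.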
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/allowlist/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AASH,OAAO,EAEL,mBAAmB,EAMpB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAalB,KAAK,aAAa,EAEnB,MAAM,QAAQ,CAAC;AAGhB,2DAA2D;AAC3D,eAAO,MAAM,qBAAqB,oDAAqD,CAAC;AACxF,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,gBAAgB;IAC/B;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;4CAEwC;IACxC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,mDAAmD;IACnD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CACpC;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;2CAEuC;IACvC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,IAAI,EAAE;IACJ,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,IAAI,CAAC,CA4Cf;AAID,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBxF;AAyHD,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB1F;AAID,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B1F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsE5F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmC5F;AAuGD,OAAO,EAAE,mBAAmB,EAAE,CAAC;AA
G/B,OAAO,EAAE,kBAAkB,EAAE,CAAC"}
|