@vyuhlabs/dxkit 2.9.0 → 2.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (63) hide show
  1. package/CHANGELOG.md +91 -0
  2. package/README.md +3 -2
  3. package/dist/allowlist/cli.d.ts +38 -1
  4. package/dist/allowlist/cli.d.ts.map +1 -1
  5. package/dist/allowlist/cli.js +190 -3
  6. package/dist/allowlist/cli.js.map +1 -1
  7. package/dist/allowlist/file.d.ts +18 -0
  8. package/dist/allowlist/file.d.ts.map +1 -1
  9. package/dist/allowlist/file.js +10 -1
  10. package/dist/allowlist/file.js.map +1 -1
  11. package/dist/analyzers/security/aggregator.d.ts +6 -0
  12. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  13. package/dist/analyzers/security/aggregator.js +41 -0
  14. package/dist/analyzers/security/aggregator.js.map +1 -1
  15. package/dist/analyzers/security/gather.d.ts.map +1 -1
  16. package/dist/analyzers/security/gather.js +8 -1
  17. package/dist/analyzers/security/gather.js.map +1 -1
  18. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  19. package/dist/analyzers/tools/fingerprint.js +10 -1
  20. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  21. package/dist/baseline/check-renderers.d.ts +12 -0
  22. package/dist/baseline/check-renderers.d.ts.map +1 -1
  23. package/dist/baseline/check-renderers.js +60 -4
  24. package/dist/baseline/check-renderers.js.map +1 -1
  25. package/dist/baseline/check.d.ts +42 -0
  26. package/dist/baseline/check.d.ts.map +1 -1
  27. package/dist/baseline/check.js +83 -2
  28. package/dist/baseline/check.js.map +1 -1
  29. package/dist/baseline/producers/security.d.ts.map +1 -1
  30. package/dist/baseline/producers/security.js +9 -0
  31. package/dist/baseline/producers/security.js.map +1 -1
  32. package/dist/baseline/types.d.ts +7 -0
  33. package/dist/baseline/types.d.ts.map +1 -1
  34. package/dist/cli.d.ts.map +1 -1
  35. package/dist/cli.js +23 -4
  36. package/dist/cli.js.map +1 -1
  37. package/dist/doctor.d.ts.map +1 -1
  38. package/dist/doctor.js +55 -0
  39. package/dist/doctor.js.map +1 -1
  40. package/dist/generator.d.ts.map +1 -1
  41. package/dist/generator.js +7 -1
  42. package/dist/generator.js.map +1 -1
  43. package/dist/ingest/env-file.d.ts +40 -0
  44. package/dist/ingest/env-file.d.ts.map +1 -0
  45. package/dist/ingest/env-file.js +163 -0
  46. package/dist/ingest/env-file.js.map +1 -0
  47. package/dist/ingest/sarif.d.ts.map +1 -1
  48. package/dist/ingest/sarif.js +22 -0
  49. package/dist/ingest/sarif.js.map +1 -1
  50. package/dist/ingest/snyk-policy.d.ts +60 -0
  51. package/dist/ingest/snyk-policy.d.ts.map +1 -0
  52. package/dist/ingest/snyk-policy.js +104 -0
  53. package/dist/ingest/snyk-policy.js.map +1 -0
  54. package/dist/ingest-cli.d.ts +4 -0
  55. package/dist/ingest-cli.d.ts.map +1 -1
  56. package/dist/ingest-cli.js +23 -4
  57. package/dist/ingest-cli.js.map +1 -1
  58. package/package.json +1 -1
  59. package/templates/.claude/skills/dxkit-action/SKILL.md +5 -3
  60. package/templates/.claude/skills/dxkit-allowlist/SKILL.md +107 -0
  61. package/templates/.claude/skills/dxkit-config/SKILL.md +4 -4
  62. package/templates/.claude/skills/dxkit-fix/SKILL.md +1 -1
  63. package/templates/.claude/skills/dxkit-ingest/SKILL.md +2 -0
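--- a/package/dist/ingest/env-file.d.ts
+++ b/package/dist/ingest/env-file.d.ts
@@ -0,0 +1,40 @@
+ /** Prefix that gates which keys may be lifted from the file. Nothing
+ * outside this prefix is ever read into the environment. */
+ export declare const SNYK_ENV_PREFIX = "SNYK_";
+ export interface SnykEnvLoadOptions {
+ /** Skip `.env` loading entirely (`--no-env-file`). */
+ readonly noEnvFile?: boolean;
+ /** Explicit path override (`--env-file <path>`). Relative paths
+ * resolve against `cwd`. When set and the file is missing, that's
+ * a surfaced warning (the user asked for a specific file). */
+ readonly envFile?: string;
+ }
+ export interface SnykEnvLoadResult {
+ /** Absolute path of the file that was read. */
+ readonly path: string;
+ /** `SNYK_*` keys lifted into `process.env` (only those that weren't
+ * already set). Empty when the file had none or they were all
+ * already present in the environment. */
+ readonly loadedKeys: ReadonlyArray<string>;
+ /** Advisory messages for the caller to surface (e.g. the file looks
+ * committed to git). Never fatal. */
+ readonly warnings: ReadonlyArray<string>;
+ }
+ /**
+ * Parse a `.env`-style file body into key/value pairs, keeping ONLY
+ * keys that start with `SNYK_`. Tolerant of the common shapes:
+ * blank lines, `#` comments, an optional `export ` prefix, and
+ * single/double-quoted values. No variable interpolation — values are
+ * taken literally (after unquoting), which is correct for opaque
+ * tokens and ids.
+ */
+ export declare function parseSnykEnv(body: string): Record<string, string>;
+ /**
+ * Lift `SNYK_*` keys from the cwd's `.env` (or `--env-file`) into
+ * `process.env`, unless `--no-env-file` is set or no file exists.
+ * Real environment values are never overwritten. Returns `null` when
+ * nothing was attempted (disabled, or no file present and none
+ * explicitly requested); otherwise a result describing what happened.
+ */
+ export declare function loadSnykEnv(cwd: string, opts?: SnykEnvLoadOptions): SnykEnvLoadResult | null;
+ //# sourceMappingURL=env-file.d.ts.map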
@@ -0,0 +1 @@
1
+ {"version":3,"file":"env-file.d.ts","sourceRoot":"","sources":["../../src/ingest/env-file.ts"],"names":[],"mappings":"AAyBA;6DAC6D;AAC7D,eAAO,MAAM,eAAe,UAAU,CAAC;AAEvC,MAAM,WAAW,kBAAkB;IACjC,sDAAsD;IACtD,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B;;mEAE+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,+CAA+C;IAC/C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;8CAE0C;IAC1C,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC3C;0CACsC;IACtC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAYjE;AAcD;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,GAAE,kBAAuB,GAAG,iBAAiB,GAAG,IAAI,CA6ChG"}
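--- a/package/dist/ingest/env-file.js
+++ b/package/dist/ingest/env-file.js
@@ -0,0 +1,163 @@
+ "use strict";
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+ }) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+ }));
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+ }) : function(o, v) {
+ o["default"] = v;
+ });
+ var __importStar = (this && this.__importStar) || (function () {
+ var ownKeys = function(o) {
+ ownKeys = Object.getOwnPropertyNames || function (o) {
+ var ar = [];
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+ return ar;
+ };
+ return ownKeys(o);
+ };
+ return function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+ __setModuleDefault(result, mod);
+ return result;
+ };
+ })();
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.SNYK_ENV_PREFIX = void 0;
+ exports.parseSnykEnv = parseSnykEnv;
+ exports.loadSnykEnv = loadSnykEnv;
+ /**
+ * Opt-in `.env` loading for Snyk credentials — scoped strictly to the
+ * `SNYK_*` prefix.
+ *
+ * dxkit deliberately does NOT auto-load a whole `.env` into
+ * `process.env` (pulling a developer's entire secrets file — GitHub
+ * tokens, database URLs, unrelated API keys — into the process is a
+ * footgun). But a local developer who keeps their Snyk token in `.env`
+ * shouldn't have to re-`export` it before every `ingest --from-snyk`.
+ *
+ * The compromise: read the cwd's `.env` (or an explicit `--env-file`
+ * path), parse it, and lift ONLY keys beginning with `SNYK_` into the
+ * environment — and only when they aren't already set, so a real
+ * exported env / CI Actions secret always wins. CI, which sets the
+ * token via the environment and has no `.env`, is a no-op.
+ *
+ * This module is pure data-in/data-out: it mutates `process.env` for
+ * the lifted keys and returns a structured result (the keys it set +
+ * any advisory warnings). The CLI renders the one-line notice + the
+ * warnings; the module logs nothing itself, which keeps it testable.
+ */
+ const fs = __importStar(require("fs"));
+ const path = __importStar(require("path"));
+ const child_process_1 = require("child_process");
+ /** Prefix that gates which keys may be lifted from the file. Nothing
+ * outside this prefix is ever read into the environment. */
+ exports.SNYK_ENV_PREFIX = 'SNYK_';
+ /**
+ * Parse a `.env`-style file body into key/value pairs, keeping ONLY
+ * keys that start with `SNYK_`. Tolerant of the common shapes:
+ * blank lines, `#` comments, an optional `export ` prefix, and
+ * single/double-quoted values. No variable interpolation — values are
+ * taken literally (after unquoting), which is correct for opaque
+ * tokens and ids.
+ */
+ function parseSnykEnv(body) {
+ const out = {};
+ for (const rawLine of body.split(/\r?\n/)) {
+ const line = rawLine.trim();
+ if (!line || line.startsWith('#'))
+ continue;
+ const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
+ if (!m)
+ continue;
+ const key = m[1];
+ if (!key.startsWith(exports.SNYK_ENV_PREFIX))
+ continue;
+ out[key] = unquote(m[2]);
+ }
+ return out;
+ }
+ function unquote(value) {
+ const v = value.trim();
+ if (v.length >= 2) {
+ const first = v[0];
+ const last = v[v.length - 1];
+ if ((first === '"' && last === '"') || (first === "'" && last === "'")) {
+ return v.slice(1, -1);
+ }
+ }
+ return v;
+ }
+ /**
+ * Lift `SNYK_*` keys from the cwd's `.env` (or `--env-file`) into
+ * `process.env`, unless `--no-env-file` is set or no file exists.
+ * Real environment values are never overwritten. Returns `null` when
+ * nothing was attempted (disabled, or no file present and none
+ * explicitly requested); otherwise a result describing what happened.
+ */
+ function loadSnykEnv(cwd, opts = {}) {
+ if (opts.noEnvFile)
+ return null;
+ const explicit = opts.envFile !== undefined;
+ const filePath = explicit ? path.resolve(cwd, opts.envFile) : path.join(cwd, '.env');
+ if (!fs.existsSync(filePath)) {
+ if (explicit) {
+ return { path: filePath, loadedKeys: [], warnings: [`env-file not found: ${filePath}`] };
+ }
+ return null;
+ }
+ let body;
+ try {
+ body = fs.readFileSync(filePath, 'utf8');
+ }
+ catch (err) {
+ return {
+ path: filePath,
+ loadedKeys: [],
+ warnings: [`could not read env-file ${filePath}: ${err.message}`],
+ };
+ }
+ const parsed = parseSnykEnv(body);
+ const loadedKeys = [];
+ for (const [key, value] of Object.entries(parsed)) {
+ // Real exported env / CI secret always wins. Treat an empty string
+ // as "unset" so a blank export doesn't shadow a populated .env.
+ const current = process.env[key];
+ if (current === undefined || current === '') {
+ process.env[key] = value;
+ loadedKeys.push(key);
+ }
+ }
+ const warnings = [];
+ if (isTrackedByGit(cwd, filePath)) {
+ warnings.push(`${path.basename(filePath)} appears to be committed to git — a secrets file ` +
+ `should be gitignored. Move SNYK_TOKEN out of version control.`);
+ }
+ return { path: filePath, loadedKeys, warnings };
+ }
+ /** Whether `filePath` is tracked in the git index at `cwd`. Best-effort
+ * — any failure (not a repo, git missing) is treated as "not tracked"
+ * so the advisory simply doesn't fire. */
+ function isTrackedByGit(cwd, filePath) {
+ try {
+ (0, child_process_1.execSync)(`git ls-files --error-unmatch ${JSON.stringify(filePath)}`, {
+ cwd,
+ stdio: ['ignore', 'ignore', 'ignore'],
+ });
+ return true;
+ }
+ catch {
+ return false;
+ }
+ }
+ //# sourceMappingURL=env-file.js.map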
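Review bot: `isTrackedByGit` builds a shell command string and quotes the path with `JSON.stringify`, but JSON quoting is not shell quoting — inside double quotes `sh` still interprets `$`, backticks and backslash sequences, so a `.env` path containing those characters is mis-quoted and the git check silently reports "not tracked" via the catch. The path only comes from the caller's cwd or `--env-file`, so the exposure is the user's own input, but the argv form avoids the shell entirely and needs no quoting: `(0, child_process_1.execFileSync)('git', ['ls-files', '--error-unmatch', filePath], { cwd, stdio: 'ignore' });`. This file is a compiled artifact; the change belongs in `src/ingest/env-file.ts`, which the source map names as its origin.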
@@ -0,0 +1 @@
1
+ {"version":3,"file":"env-file.js","sourceRoot":"","sources":["../../src/ingest/env-file.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DA,oCAYC;AAqBD,kCA6CC;AAxID;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,uCAAyB;AACzB,2CAA6B;AAC7B,iDAAyC;AAEzC;6DAC6D;AAChD,QAAA,eAAe,GAAG,OAAO,CAAC;AAuBvC;;;;;;;GAOG;AACH,SAAgB,YAAY,CAAC,IAAY;IACvC,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;QAC5E,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACjB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,uBAAe,CAAC;YAAE,SAAS;QAC/C,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,KAAa;IAC5B,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACvB,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACnB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,WAAW,CAAC,GAAW,EAAE,OAA2B,EAAE;IACpE,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC;IAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,OAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAE/F,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,uBAAuB,QAAQ,EAAE,CAAC,EAAE,CAAC;QAC3F,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,QAAQ;
YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,CAAC,2BAA2B,QAAQ,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC;SAC7E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,mEAAmE;QACnE,gEAAgE;QAChE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CACX,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,mDAAmD;YAC3E,+DAA+D,CAClE,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAClD,CAAC;AAED;;2CAE2C;AAC3C,SAAS,cAAc,CAAC,GAAW,EAAE,QAAgB;IACnD,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,gCAAgC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE;YACnE,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;SACtC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAuG7D;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,eAAe,EAAE,CAqDhF"}
1
+ {"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AA+H7D;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,eAAe,EAAE,CAyDhF"}
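--- a/package/dist/ingest/sarif.js
+++ b/package/dist/ingest/sarif.js
@@ -41,6 +41,24 @@ function cweFromRule(rule) {
  }
  return '';
  }
+ /**
+ * Whether a SARIF result has been dismissed upstream. True when it
+ * carries at least one suppression whose status is `accepted` — SARIF
+ * treats an absent `status` as `accepted`, while `underReview` and
+ * `rejected` mean the suppression is NOT yet (or no longer) in effect.
+ *
+ * Honoring this keeps dxkit's ingest in sync with the engine's own
+ * ignore state: a finding a developer dismissed in Snyk / CodeQL does
+ * not re-surface here as a fresh active finding. The decision was
+ * already reviewed in the engine that owns it, so dxkit drops it rather
+ * than re-litigating it.
+ */
+ function isResultSuppressed(res) {
+ const s = res.suppressions;
+ if (!Array.isArray(s) || s.length === 0)
+ return false;
+ return s.some((entry) => entry.status === undefined || entry.status === 'accepted');
+ }
  /** Resolve four-tier severity. Prefer numeric `security-severity`
  * (CVSS-like 0–10); else the rule's `problem.severity`; else the
  * result `level`. */
@@ -107,6 +125,10 @@ function parseSarif(raw, engine) {
  }
  }
  for (const res of run.results || []) {
+ // Honor the engine's own dismissal — a finding suppressed in Snyk
+ // / CodeQL / Semgrep Pro must not re-surface in dxkit.
+ if (isResultSuppressed(res))
+ continue;
  const ruleId = res.ruleId || res.rule?.id;
  // Rule can be referenced by id or by index into the (flattened) list.
  let rule = ruleId ? rulesById.get(ruleId) : undefined;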
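Review bot: `isResultSuppressed` dereferences every element of `res.suppressions` without checking that it is an object, so a SARIF file whose `suppressions` array contains `null` throws a TypeError from `entry.status` and aborts `parseSarif` for the whole run, out of step with the tolerant `run.results || []` and `res.rule?.id` handling around it. A guard in the predicate keeps malformed input from becoming a crash: `return s.some((entry) => entry != null && typeof entry === 'object' && (entry.status === undefined || entry.status === 'accepted'));`. Because the predicate drops findings on the strength of a field the ingested file itself supplies, the dismissal is only as trustworthy as whoever produced the SARIF, which is worth one line in the doc comment, e.g. `Suppressions are taken at face value from the ingested file; dxkit does not verify who recorded them.` The second hunk sits inside `parseSarif`, whose body starts and ends outside the hunk, and needs no further change once the predicate is hardened.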
@@ -1 +1 @@
1
- {"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":";;AAiIA,gCAqDC;AAvHD;;qDAEqD;AACrD,SAAS,gBAAgB,CAAC,IAAwB;IAChD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC1C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,WAAW,CAAC;IAC3C,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC;IAChD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;0CAC0C;AAC1C,SAAS,YAAY,CAAC,CAAqB;IACzC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAClB,MAAM,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED;;gEAEgE;AAChE,SAAS,WAAW,CAAC,IAA2B;IAC9C,MAAM,MAAM,GAAG,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,CAAC;gBAAE,OAAO,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;sBAEsB;AACtB,SAAS,eAAe,CAAC,IAA2B,EAAE,KAAyB;IAC7E,MAAM,GAAG,GAAG,IAAI,EAAE,UAAU,EAAE,CAAC,mBAAmB,CAAC,CAAC;IACpD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,UAAU,CAAC;YACpC,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC;YAChC,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,QAAQ,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,EAAE,UAAU,EAAE,CAAC,kBAAkB,CAAC,CAAC;IAClD,IAAI,EAAE,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,EAAE,KAAK,SAAS,IAAI,EAAE,KAAK,gBAAgB;QAAE,OAAO,QAAQ,CAAC;IACjE,yCAAyC;IACzC,IAAI,KAAK,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IACrC,IAAI,KAAK,KAAK,MAAM;QAAE
,OAAO,KAAK,CAAC;IACnC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IACzC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,UAAU,CAAC,GAAW,EAAE,MAAqB;IAC3D,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC;QAC1C,MAAM,cAAc,GAAG,MAAM,IAAI,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAE9D,mDAAmD;QACnD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAqB,CAAC;QAC/C,MAAM,SAAS,GAAkB,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK;YAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,CAAC;YAC7C,IAAI,GAAG,CAAC,KAAK;gBAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,SAAS,GAAgB,EAAE,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,IAAI,CAAC,CAAC,EAAE;oBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;YAC1C,sEAAsE;YACtE,IAAI,IAAI,GAA0B,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC7E,IAAI,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,EAAE,KAAK,KAAK,QAAQ;gBAAE,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEnF,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,gBAAgB,CAAC;YACjD,MAAM,IAAI,GAAG,GAAG,EAAE,gBAAgB,EAAE,GAAG,CAAC;YACxC,MAAM,IAAI,GAAG,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,8DAA8D;YAC9D,qDAAqD;YACrD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;gBAAE,SAAS;YAE7B,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC;gBAC1C,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC;gBACtB,IAAI,EAAE,MAAM,IAAI,IAAI,EAAE,IAAI,IAAI,SAAS;gBACvC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,I
AAI,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,MAAM,IAAI,cAAc;gBACpF,IAAI;gBACJ,IAAI;aACL,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":";;AAyJA,gCAyDC;AA7ID;;qDAEqD;AACrD,SAAS,gBAAgB,CAAC,IAAwB;IAChD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC1C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,WAAW,CAAC;IAC3C,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC;IAChD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;0CAC0C;AAC1C,SAAS,YAAY,CAAC,CAAqB;IACzC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAClB,MAAM,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED;;gEAEgE;AAChE,SAAS,WAAW,CAAC,IAA2B;IAC9C,MAAM,MAAM,GAAG,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,CAAC;gBAAE,OAAO,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CAAC,GAAgB;IAC1C,MAAM,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;AACtF,CAAC;AAED;;sBAEsB;AACtB,SAAS,eAAe,CAAC,IAA2B,EAAE,KAAyB;IAC7E,MAAM,GAAG,GAAG,IAAI,EAAE,UAAU,EAAE,CAAC,mBAAmB,CAAC,CAAC;IACpD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,UAAU,CAAC;YACpC,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC;YAChC,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO
,QAAQ,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,EAAE,UAAU,EAAE,CAAC,kBAAkB,CAAC,CAAC;IAClD,IAAI,EAAE,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,EAAE,KAAK,SAAS,IAAI,EAAE,KAAK,gBAAgB;QAAE,OAAO,QAAQ,CAAC;IACjE,yCAAyC;IACzC,IAAI,KAAK,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IACrC,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IACzC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,UAAU,CAAC,GAAW,EAAE,MAAqB;IAC3D,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC;QAC1C,MAAM,cAAc,GAAG,MAAM,IAAI,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAE9D,mDAAmD;QACnD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAqB,CAAC;QAC/C,MAAM,SAAS,GAAkB,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK;YAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,CAAC;YAC7C,IAAI,GAAG,CAAC,KAAK;gBAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,SAAS,GAAgB,EAAE,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,IAAI,CAAC,CAAC,EAAE;oBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACpC,kEAAkE;YAClE,uDAAuD;YACvD,IAAI,kBAAkB,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEtC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;YAC1C,sEAAsE;YACtE,IAAI,IAAI,GAA0B,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC7E,IAAI,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,EAAE,KAAK,KAAK,QAAQ;gBAAE,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEnF,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,gBAAgB,CAAC;YACjD,MAAM,IAAI,GAAG,GAAG,EAAE,gBAAgB,EAAE,GAAG,
CAAC;YACxC,MAAM,IAAI,GAAG,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,8DAA8D;YAC9D,qDAAqD;YACrD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;gBAAE,SAAS;YAE7B,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC;gBAC1C,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC;gBACtB,IAAI,EAAE,MAAM,IAAI,IAAI,EAAE,IAAI,IAAI,SAAS;gBACvC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,MAAM,IAAI,cAAc;gBACpF,IAAI;gBACJ,IAAI;aACL,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
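--- a/package/dist/ingest/snyk-policy.d.ts
+++ b/package/dist/ingest/snyk-policy.d.ts
@@ -0,0 +1,60 @@
+ /**
+ * Writer for Snyk's `.snyk` policy file — the OUTBOUND half of the
+ * Snyk ↔ dxkit suppression sync.
+ *
+ * 2.9.1 wired the INBOUND direction: dxkit honors SARIF
+ * `result.suppressions` so a finding the team dismissed in Snyk is
+ * dropped at ingest time (`src/ingest/sarif.ts`). This module is the
+ * mirror: when the team allowlists a Snyk-originated finding in dxkit,
+ * `allowlist export --snyk` writes a `.snyk` ignore so the decision
+ * propagates back to Snyk's own gate (`snyk code test`, the Snyk UI).
+ *
+ * The `.snyk` file is YAML. dxkit carries no YAML dependency, so this
+ * is a small CONTROLLED serializer for exactly the policy shape Snyk's
+ * tooling reads — not a general YAML emitter. The structure is fixed:
+ *
+ * version: v1.25.0
+ * ignore:
+ * '<rule-id>':
+ * - '<path>':
+ * reason: "<reason>"
+ * expires: <ISO datetime> # omitted for a permanent ignore
+ * created: <ISO datetime>
+ * patch: {}
+ *
+ * Caveat surfaced to the user by the CLI: Snyk Code (SAST) honors
+ * `.snyk` ignores only when the org has Snyk's "consistent ignores"
+ * feature enabled; SCA/dependency ignores are standard. dxkit writes
+ * the file either way — the caller documents the prerequisite.
+ */
+ /** One ignore directive — a single (rule, path) pair plus metadata. */
+ export interface SnykIgnore {
+ /** Snyk-native rule / issue id (e.g. `javascript/InsecureTLSConfig`). */
+ readonly ruleId: string;
+ /** Repo-relative path the ignore applies to. */
+ readonly path: string;
+ /** Human rationale carried over from the allowlist entry. */
+ readonly reason?: string;
+ /** ISO 8601 datetime after which the ignore lapses. Omitted →
+ * permanent ignore (Snyk treats a missing `expires` as no expiry). */
+ readonly expires?: string;
+ /** ISO 8601 datetime the ignore was written. */
+ readonly created: string;
+ }
+ /** Snyk policy schema version dxkit emits. Matches the version Snyk's
+ * own `snyk ignore` writes for the ignore/patch shape used here. */
+ export declare const SNYK_POLICY_VERSION: "v1.25.0";
+ /**
+ * Convert an allowlist entry's `expiresAt` (`YYYY-MM-DD`) into the ISO
+ * datetime Snyk's policy file expects. Returns `undefined` for a
+ * missing date so the caller emits a permanent ignore.
+ */
+ export declare function expiryToSnykDatetime(expiresAt: string | undefined): string | undefined;
+ /**
+ * Serialize ignores into `.snyk` policy YAML. Groups by rule id (the
+ * file's top-level ignore key), each carrying a list of per-path
+ * directives. Deterministic ordering (rules + paths sorted) so the
+ * committed file has stable diffs across runs.
+ */
+ export declare function buildSnykPolicy(ignores: ReadonlyArray<SnykIgnore>): string;
+ //# sourceMappingURL=snyk-policy.d.ts.map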
@@ -0,0 +1 @@
1
+ {"version":3,"file":"snyk-policy.d.ts","sourceRoot":"","sources":["../../src/ingest/snyk-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,uEAAuE;AACvE,MAAM,WAAW,UAAU;IACzB,yEAAyE;IACzE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;2EACuE;IACvE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED;qEACqE;AACrE,eAAO,MAAM,mBAAmB,EAAG,SAAkB,CAAC;AAEtD;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAGtF;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,MAAM,CAoC1E"}
@@ -0,0 +1,104 @@
1
+ "use strict";
2
+ /**
3
+ * Writer for Snyk's `.snyk` policy file — the OUTBOUND half of the
4
+ * Snyk ↔ dxkit suppression sync.
5
+ *
6
+ * 2.9.1 wired the INBOUND direction: dxkit honors SARIF
7
+ * `result.suppressions` so a finding the team dismissed in Snyk is
8
+ * dropped at ingest time (`src/ingest/sarif.ts`). This module is the
9
+ * mirror: when the team allowlists a Snyk-originated finding in dxkit,
10
+ * `allowlist export --snyk` writes a `.snyk` ignore so the decision
11
+ * propagates back to Snyk's own gate (`snyk code test`, the Snyk UI).
12
+ *
13
+ * The `.snyk` file is YAML. dxkit carries no YAML dependency, so this
14
+ * is a small CONTROLLED serializer for exactly the policy shape Snyk's
15
+ * tooling reads — not a general YAML emitter. The structure is fixed:
16
+ *
17
+ * version: v1.25.0
18
+ * ignore:
19
+ * '<rule-id>':
20
+ * - '<path>':
21
+ * reason: "<reason>"
22
+ * expires: <ISO datetime> # omitted for a permanent ignore
23
+ * created: <ISO datetime>
24
+ * patch: {}
25
+ *
26
+ * Caveat surfaced to the user by the CLI: Snyk Code (SAST) honors
27
+ * `.snyk` ignores only when the org has Snyk's "consistent ignores"
28
+ * feature enabled; SCA/dependency ignores are standard. dxkit writes
29
+ * the file either way — the caller documents the prerequisite.
30
+ */
31
+ Object.defineProperty(exports, "__esModule", { value: true });
32
+ exports.SNYK_POLICY_VERSION = void 0;
33
+ exports.expiryToSnykDatetime = expiryToSnykDatetime;
34
+ exports.buildSnykPolicy = buildSnykPolicy;
35
+ /** Snyk policy schema version dxkit emits. Matches the version Snyk's
36
+ * own `snyk ignore` writes for the ignore/patch shape used here. */
37
+ exports.SNYK_POLICY_VERSION = 'v1.25.0';
38
+ /**
39
+ * Convert an allowlist entry's `expiresAt` (`YYYY-MM-DD`) into the ISO
40
+ * datetime Snyk's policy file expects. Returns `undefined` for a
41
+ * missing date so the caller emits a permanent ignore.
42
+ */
43
+ function expiryToSnykDatetime(expiresAt) {
44
+ if (!expiresAt)
45
+ return undefined;
46
+ return `${expiresAt}T00:00:00.000Z`;
47
+ }
48
+ /**
49
+ * Serialize ignores into `.snyk` policy YAML. Groups by rule id (the
50
+ * file's top-level ignore key), each carrying a list of per-path
51
+ * directives. Deterministic ordering (rules + paths sorted) so the
52
+ * committed file has stable diffs across runs.
53
+ */
54
+ function buildSnykPolicy(ignores) {
55
+ const byRule = new Map();
56
+ for (const ig of ignores) {
57
+ const list = byRule.get(ig.ruleId) ?? [];
58
+ list.push(ig);
59
+ byRule.set(ig.ruleId, list);
60
+ }
61
+ const lines = [
62
+ '# Snyk (https://snyk.io) policy file, written by dxkit allowlist export.',
63
+ `version: ${exports.SNYK_POLICY_VERSION}`,
64
+ ];
65
+ if (byRule.size === 0) {
66
+ lines.push('ignore: {}');
67
+ lines.push('patch: {}');
68
+ return lines.join('\n') + '\n';
69
+ }
70
+ lines.push('ignore:');
71
+ for (const ruleId of [...byRule.keys()].sort()) {
72
+ lines.push(` ${quoteKey(ruleId)}:`);
73
+ const perPath = byRule.get(ruleId);
74
+ // Stable order + one directive per unique path.
75
+ const seen = new Set();
76
+ for (const ig of perPath.slice().sort((a, b) => a.path.localeCompare(b.path))) {
77
+ if (seen.has(ig.path))
78
+ continue;
79
+ seen.add(ig.path);
80
+ lines.push(` - ${quoteKey(ig.path)}:`);
81
+ lines.push(` reason: ${doubleQuote(ig.reason ?? '')}`);
82
+ if (ig.expires)
83
+ lines.push(` expires: ${ig.expires}`);
84
+ lines.push(` created: ${ig.created}`);
85
+ }
86
+ }
87
+ lines.push('patch: {}');
88
+ return lines.join('\n') + '\n';
89
+ }
90
+ // ─── Minimal scalar quoting ───────────────────────────────────────────────
91
+ /** Single-quote a YAML key/scalar, escaping embedded single quotes by
92
+ * doubling (the YAML single-quote rule). Used for rule ids + paths,
93
+ * which never contain newlines. */
94
+ function quoteKey(value) {
95
+ return `'${value.replace(/'/g, "''")}'`;
96
+ }
97
+ /** Double-quote a YAML scalar. JSON's string encoding is a valid YAML
98
+ * double-quoted flow scalar (YAML is a JSON superset), so JSON.stringify
99
+ * gives correct escaping for reasons that may carry quotes, colons, or
100
+ * other special characters. */
101
+ function doubleQuote(value) {
102
+ return JSON.stringify(value);
103
+ }
104
+ //# sourceMappingURL=snyk-policy.js.map
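Review bot: `expires` and `created` are written as unquoted plain scalars (`expires: ${ig.expires}`, `created: ${ig.created}`) while `expiryToSnykDatetime` never checks that `expiresAt` is actually `YYYY-MM-DD`, so a malformed allowlist value (a space, `#` or `:` in it) produces a `.snyk` that fails to parse or silently changes structure instead of an error at export time. A one-line guard closes that: `if (!/^\d{4}-\d{2}-\d{2}$/.test(expiresAt)) throw new Error(\`expiresAt must be YYYY-MM-DD: ${expiresAt}\`);` — leaving the scalars bare is then fine, since that is the shape the module header itself shows. Separately, the per-path dedupe keeps the first entry in sorted order and drops any later one that carries a different `reason` or `expires` without a warning; that deserves a comment such as `// First entry per path wins; a duplicate with a different reason/expires is dropped silently.`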
@@ -0,0 +1 @@
1
+ {"version":3,"file":"snyk-policy.js","sourceRoot":"","sources":["../../src/ingest/snyk-policy.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;;;AA0BH,oDAGC;AAQD,0CAoCC;AAxDD;qEACqE;AACxD,QAAA,mBAAmB,GAAG,SAAkB,CAAC;AAEtD;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,SAA6B;IAChE,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,OAAO,GAAG,SAAS,gBAAgB,CAAC;AACtC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,OAAkC;IAChE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC/C,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACd,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,KAAK,GAAa;QACtB,0EAA0E;QAC1E,YAAY,2BAAmB,EAAE;KAClC,CAAC;IAEF,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,MAAM,MAAM,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAC/C,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;QACpC,gDAAgD;QAChD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,EAAE,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC9E,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC;gBAAE,SAAS;YAChC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAClB,KAAK,CAAC,IAAI,CAAC,SAAS,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,mBAAmB,WAAW,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9D,IAAI,EAAE,CAAC,OAAO;gBAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7D,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,6EAA6E;AAE7E;;oCAEoC;AACpC,SAAS,QAAQ,C
AAC,KAAa;IAC7B,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;AAC1C,CAAC;AAED;;;gCAGgC;AAChC,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC"}
@@ -13,6 +13,10 @@ export interface IngestOptions {
13
13
  project?: string;
14
14
  generatedAt: string;
15
15
  commitSha?: string;
16
+ /** Skip opt-in `.env` loading of `SNYK_*` credentials (`--no-env-file`). */
17
+ noEnvFile?: boolean;
18
+ /** Explicit `.env` path for `SNYK_*` credentials (`--env-file <path>`). */
19
+ envFile?: string;
16
20
  }
17
21
  export declare function runIngest(cwd: string, opts: IngestOptions): Promise<void>;
18
22
  /** A REST failure that means "this plan can't read the API" — Enterprise-
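Review bot: The two new `IngestOptions` fields can both be present on one invocation and their doc comments do not say which wins, so a reader of the type cannot tell whether `--no-env-file --env-file x` skips loading or loads `x`. Extend the `noEnvFile` comment, e.g. `/** Skip opt-in `.env` loading of `SNYK_*` credentials (`--no-env-file`). Takes precedence over `envFile` when both are set. */`, or state the reverse if that is what the loader implements. The enclosing interface starts before the hunk.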
@@ -1 +1 @@
1
- {"version":3,"file":"ingest-cli.d.ts","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":"AA6BA,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;mEAE+D;IAC/D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,yEAAyE;IACzE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAoB/E;AAmDD;0EAC0E;AAC1E,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEtD"}
1
+ {"version":3,"file":"ingest-cli.d.ts","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":"AAiCA,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;mEAE+D;IAC/D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,yEAAyE;IACzE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAqB/E;AAmDD;0EAC0E;AAC1E,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEtD"}
@@ -47,6 +47,9 @@ exports.isNotEntitled = isNotEntitled;
47
47
  * On plans without REST API access (Enterprise-only)
48
48
  * this auto-falls-back to `snyk code test`; pass
49
49
  * --snyk-cli to force that path and skip the REST try.
50
+ * SNYK_* credentials are read from the environment and,
51
+ * as a fallback, from a local `.env` (only SNYK_* keys;
52
+ * --no-env-file opts out, --env-file <path> overrides).
50
53
  *
51
54
  * Either way the result is written to `.dxkit/external/<engine>.json`,
52
55
  * a committed snapshot every later scan reads — so the token is needed
@@ -60,6 +63,7 @@ const snyk_api_1 = require("./ingest/snyk-api");
60
63
  const snyk_cli_1 = require("./ingest/snyk-cli");
61
64
  const codeql_1 = require("./ingest/codeql");
62
65
  const config_1 = require("./ingest/config");
66
+ const env_file_1 = require("./ingest/env-file");
63
67
  const snapshot_1 = require("./ingest/snapshot");
64
68
  const index_1 = require("./languages/index");
65
69
  function isSourceEngine(s) {
@@ -83,6 +87,7 @@ async function runIngest(cwd, opts) {
83
87
  logger.dim(' vyuh-dxkit ingest --sarif results.sarif');
84
88
  logger.dim(' SNYK_TOKEN=… vyuh-dxkit ingest --from-snyk --org <id> --project <id>');
85
89
  logger.dim(' SNYK_TOKEN=… vyuh-dxkit ingest --from-snyk --snyk-cli # free/team plans');
90
+ logger.dim(' vyuh-dxkit ingest --from-snyk # SNYK_* read from .env when present');
86
91
  logger.dim(' vyuh-dxkit ingest --codeql # OSS / GitHub Advanced Security only');
87
92
  process.exitCode = 1;
88
93
  }
@@ -139,18 +144,32 @@ function isNotEntitled(message) {
139
144
  return /\b403\b/.test(message) || /not entitled/i.test(message) || /api access/i.test(message);
140
145
  }
141
146
  async function ingestFromSnyk(cwd, opts) {
147
+ // Opt-in: lift ONLY SNYK_* keys from a local `.env` into the
148
+ // environment (real exported env / CI secret always wins). Disabled
149
+ // by --no-env-file; path overridable by --env-file. CI has no .env →
150
+ // no-op, so behavior there is unchanged.
151
+ const envLoad = (0, env_file_1.loadSnykEnv)(cwd, { noEnvFile: opts.noEnvFile, envFile: opts.envFile });
152
+ if (envLoad) {
153
+ for (const w of envLoad.warnings)
154
+ logger.warn(w);
155
+ if (envLoad.loadedKeys.length > 0) {
156
+ logger.dim(` Loaded ${envLoad.loadedKeys.join(', ')} from ${envLoad.path}`);
157
+ }
158
+ }
142
159
  const token = process.env.SNYK_TOKEN;
143
160
  if (!token) {
144
161
  logger.warn('SNYK_TOKEN is not set.');
145
- logger.dim(' dxkit reads SNYK_TOKEN from the environment it does NOT auto-load a .env file.');
146
- logger.dim(' Export it (`export SNYK_TOKEN=…`) or add it as a CI secret, then retry.');
162
+ logger.dim(' dxkit reads SNYK_TOKEN from the environment. It also auto-loads SNYK_* keys ' +
163
+ 'from a local .env (only those keys, never the rest of the file).');
164
+ logger.dim(' Export it (`export SNYK_TOKEN=…`), put it in .env, or add it as a CI secret, then retry. ' +
165
+ 'Use --no-env-file to skip .env, or --env-file <path> to point elsewhere.');
147
166
  process.exitCode = 1;
148
167
  return;
149
168
  }
150
169
  // Org/project resolve flag → persisted config (`.vyuh-dxkit.json:
151
170
  // deepSast.snyk`) → environment, so a sourced shell or configured repo
152
- // can run `ingest --from-snyk` with no flags. (dxkit does not read .env;
153
- // export the vars or set CI secrets.)
171
+ // can run `ingest --from-snyk` with no flags. SNYK_ORG_ID / SNYK_PROJECT_ID
172
+ // also come from a local .env via loadSnykEnv above (SNYK_* keys only).
154
173
  const cfg = (0, config_1.readDeepSastConfig)(cwd);
155
174
  const orgId = opts.org ?? cfg.snyk?.orgId ?? process.env.SNYK_ORG_ID;
156
175
  const projectId = opts.project ?? cfg.snyk?.projectId ?? process.env.SNYK_PROJECT_ID;
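Review bot: The comment heading the hunk documents precedence (exported env beats `.env`) but not where the default `.env` is resolved from (`cwd` only, or parent directories) nor what `--env-file` is relative to; that rule lives in `loadSnykEnv` outside this file, yet the keys it lifts stay in `process.env` for the rest of the run and are presumably inherited by the `snyk code test` child process the fallback path spawns, so the call site should state it. Suggest extending the comment with the lookup rule, e.g. `// Default file is <cwd>/.env; --env-file is resolved against cwd (see ingest/env-file).`, adjusted to whatever the loader actually does. The `Loaded … from …` line logs key names and the path only, never values — worth a short comment so a later edit does not add them. `ingestFromSnyk` continues past the end of the hunk.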
@@ -1 +1 @@
1
- {"version":3,"file":"ingest-cli.js","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDA,8BAoBC;AAqDD,sCAEC;AA7HD;;;;;;;;;;;;;;;;;GAiBG;AACH,uCAAyB;AACzB,iDAAmC;AACnC,0CAA4C;AAC5C,gDAA0D;AAC1D,gDAAoD;AACpD,4CAA+D;AAC/D,4CAAqD;AACrD,gDAAkD;AAClD,6CAA0D;AAoB1D,SAAS,cAAc,CAAC,CAAqB;IAC3C,OAAO,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,OAAO,CAAC;AACrF,CAAC;AAEM,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,IAAmB;IAC9D,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAChC,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IACjF,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC1B,MAAM,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;IAC1D,MAAM,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACvF,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;IAC1F,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,GAAW,EAAE,IAAmB;IAC9D,qEAAqE;IACrE,iEAAiE;IACjE,mBAAmB;IACnB,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,IAAA,6BAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC;QAC3C,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;QAC7E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CACT,uBAAuB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,CACjG,CAAC;IACF,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,kBAAS,EAAC,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,E
AAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,sBAAuB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,IAAmB;IACvD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAe,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,KAAK,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,MAAM,QAAQ,GAAG,IAAA,kBAAU,EAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IACjD,qEAAqE;IACrE,8DAA8D;IAC9D,MAAM,MAAM,GAAiB,cAAc,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,IAAI,OAAO,CAAC;IAC9E,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;0EAC0E;AAC1E,SAAgB,aAAa,CAAC,OAAe;IAC3C,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACjG,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAW,EAAE,IAAmB;IAC5D,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,CACR,oFAAoF,CACrF,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,2EAA2E,CAAC,CAAC;QACxF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,kEAAkE;IAClE,uEAAuE;IACvE,yEAAyE;IACzE,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAA,2BAAkB,EAAC,GAAG,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,EAAE,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAErF,yEAAyE;IACzE,uEAAuE;IACvE,kCAAkC;IAClC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QACzC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QAClF,MAAM,CAAC,GAAG,CAAC,sE
AAsE,CAAC,CAAC;QACnF,MAAM,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QACjF,MAAM,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAC7E,MAAM,CAAC,GAAG,CACR,oFAAoF,CACrF,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;QAChG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACrF,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,gCAAqB,EAAC;YACrC,KAAK;YACL,KAAK;YACL,SAAS;YACT,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ;SAC9B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAI,GAAa,CAAC,OAAO,CAAC;QACvC,oEAAoE;QACpE,sEAAsE;QACtE,2DAA2D;QAC3D,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,6EAA6E,CAAC,CAAC;YAC3F,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;YAC3F,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED;4EAC4E;AAC5E,KAAK,UAAU,gBAAgB,CAC7B,GAAW,EACX,IAAmB,EACnB,KAAyB;IAEzB,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,0BAAe,EAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,0BAA2B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,cAAc,CACrB,GAAW,EACX,MAAoB,EACpB,QAA2B,EAC3B,IAAmB;IAEnB,MAAM,IAAI,GAAG,IAAA,wBAAa,EAAC,GAAG,EAAE;QAC9B,aAAa,EAAE,CAAC;QAChB,MAAM;QACN,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAyB,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAC/D,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC7C,OAAO,GAAG,CAAC;IACb,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,MAAM,CAAC,OAAO,CAAC,YAA
Y,QAAQ,CAAC,MAAM,IAAI,MAAM,iBAAiB,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,CACR,cAAc,KAAK,CAAC,QAAQ,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,IAAI,CAAC,WAAW,KAAK,CAAC,MAAM,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,IAAI,CAAC,EAAE,CAC9G,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC;AAC/F,CAAC"}
1
+ {"version":3,"file":"ingest-cli.js","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DA,8BAqBC;AAqDD,sCAEC;AAtID;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,uCAAyB;AACzB,iDAAmC;AACnC,0CAA4C;AAC5C,gDAA0D;AAC1D,gDAAoD;AACpD,4CAA+D;AAC/D,4CAAqD;AACrD,gDAAgD;AAChD,gDAAkD;AAClD,6CAA0D;AAwB1D,SAAS,cAAc,CAAC,CAAqB;IAC3C,OAAO,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,OAAO,CAAC;AACrF,CAAC;AAEM,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,IAAmB;IAC9D,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAChC,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IACjF,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC1B,MAAM,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;IAC1D,MAAM,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACvF,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACvF,MAAM,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;IAC1F,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,GAAW,EAAE,IAAmB;IAC9D,qEAAqE;IACrE,iEAAiE;IACjE,mBAAmB;IACnB,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,IAAA,6BAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC;QAC3C,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;QAC7E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CACT,uBAAuB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,CACjG,CAAC;IACF,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,kBA
AS,EAAC,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,sBAAuB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,IAAmB;IACvD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAe,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,KAAK,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,MAAM,QAAQ,GAAG,IAAA,kBAAU,EAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IACjD,qEAAqE;IACrE,8DAA8D;IAC9D,MAAM,MAAM,GAAiB,cAAc,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,IAAI,OAAO,CAAC;IAC9E,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;0EAC0E;AAC1E,SAAgB,aAAa,CAAC,OAAe;IAC3C,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACjG,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAW,EAAE,IAAmB;IAC5D,6DAA6D;IAC7D,oEAAoE;IACpE,qEAAqE;IACrE,yCAAyC;IACzC,MAAM,OAAO,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACvF,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjD,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,CACR,gFAAgF;YAC9E,kEAAkE,CACrE,CAAC;QACF,MAAM,CAAC,GAAG,CACR,6FAA6F;YAC3F,0EAA0E,CAC7E,CAAC;QACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,kEAAkE;IAClE,uEAAuE;IACv
E,4EAA4E;IAC5E,wEAAwE;IACxE,MAAM,GAAG,GAAG,IAAA,2BAAkB,EAAC,GAAG,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,EAAE,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAErF,yEAAyE;IACzE,uEAAuE;IACvE,kCAAkC;IAClC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QACzC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QAClF,MAAM,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACnF,MAAM,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QACjF,MAAM,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAC7E,MAAM,CAAC,GAAG,CACR,oFAAoF,CACrF,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;QAChG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACrF,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,gCAAqB,EAAC;YACrC,KAAK;YACL,KAAK;YACL,SAAS;YACT,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ;SAC9B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAI,GAAa,CAAC,OAAO,CAAC;QACvC,oEAAoE;QACpE,sEAAsE;QACtE,2DAA2D;QAC3D,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,6EAA6E,CAAC,CAAC;YAC3F,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;YAC3F,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED;4EAC4E;AAC5E,KAAK,UAAU,gBAAgB,CAC7B,GAAW,EACX,IAAmB,EACnB,KAAyB;IAEzB,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,0BAAe,EAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,0BAA2B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,c
AAc,CACrB,GAAW,EACX,MAAoB,EACpB,QAA2B,EAC3B,IAAmB;IAEnB,MAAM,IAAI,GAAG,IAAA,wBAAa,EAAC,GAAG,EAAE;QAC9B,aAAa,EAAE,CAAC;QAChB,MAAM;QACN,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAyB,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAC/D,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC7C,OAAO,GAAG,CAAC;IACb,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,MAAM,CAAC,OAAO,CAAC,YAAY,QAAQ,CAAC,MAAM,IAAI,MAAM,iBAAiB,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,CACR,cAAc,KAAK,CAAC,QAAQ,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,IAAI,CAAC,WAAW,KAAK,CAAC,MAAM,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,IAAI,CAAC,EAAE,CAC9G,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC;AAC/F,CAAC"}
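--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@vyuhlabs/dxkit",
-  "version": "2.9.0",
+  "version": "2.9.2",
   "description": "AI-native developer experience toolkit for any codebase",
   "license": "MIT",
   "author": "Vyuh Labs",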
@@ -202,7 +202,7 @@ npx vyuh-dxkit allowlist audit # expired / soon-to-expire / missing-r
202
202
  npx vyuh-dxkit allowlist prune # remove expired entries
203
203
  ```
204
204
 
205
- Run `audit` periodically — `accepted-risk` and `deferred` entries that pass their expiry should either be re-justified (renew expiry) or pruned (remove the entry; the underlying finding will re-flag on the next scan).
205
+ Run `audit` periodically — `accepted-risk` and `deferred` entries that pass their expiry should either be re-justified (renew expiry) or pruned (remove the entry; the underlying finding will re-flag on the next scan). For the full lifecycle — auditing orphaned entries after a re-baseline (`audit --against-baseline`), removing a single stale fingerprint (`allowlist remove`), and exporting Snyk-originated suppressions back to a `.snyk` (`allowlist export --snyk`) — hand off to the **dxkit-allowlist** skill.
206
206
 
207
207
  ### Stale annotations
208
208
 
@@ -235,13 +235,15 @@ Once a finding is processed (fixed, allowlisted, or accepted), the workflow depe
235
235
  | Real risk neutralized externally (WAF, runtime guard) | `vyuh-dxkit allowlist add` with `category=mitigated-externally` + a reason describing the mitigation. Baseline unchanged. |
236
236
  | Real risk, accepted by team, won't fix | `vyuh-dxkit allowlist add` with `category=accepted-risk` + `--expires=YYYY-MM-DD` (defaults 90 days). Acknowledged-severity required for high/critical. |
237
237
  | Real risk, will fix later (tracked work) | `vyuh-dxkit allowlist add` with `category=deferred` + `--expires=YYYY-MM-DD`. The expiry forces re-review when the deadline passes. |
238
- | Fix landed via a config change (e.g., new entry in `.dxkit-ignore`) | Re-baseline: `npx vyuh-dxkit baseline create --force`. Commit both `.dxkit-ignore` and the new baseline. |
238
+ | Fix landed via a config change (e.g., new entry in `.dxkit-ignore`) | Re-baseline through the `dxkit-baseline-refresh` CI workflow (NOT a local `baseline create --force` — see the note below). Commit the `.dxkit-ignore` change; let CI refresh + commit the baseline. |
239
239
  | Brownfield acceptance (the whole CURRENT state is known mess; future regressions must be net-new) | Re-baseline with an explicit reason in the commit message. Reserve this for the deliberate "draw a line here" moment, not per-finding suppression. |
240
240
 
241
241
  **Prefer the allowlist over re-baselining for per-finding decisions.** The allowlist carries a typed category + reason + (when relevant) expiry; the baseline carries only "this finding was here." Future maintainers reading `vyuh-dxkit allowlist show <fingerprint>` see WHY the suppression is in place; reading the baseline file shows only that the finding existed at capture time. Per-finding decisions belong in the allowlist; codebase-wide brownfield acceptance belongs in the baseline.
242
242
 
243
243
  **Never** re-baseline a finding silently — the commit message should explain why the regression is accepted. Future maintainers reading `git log .dxkit/baselines/` should see the rationale.
244
244
 
245
+ **Refresh the baseline in CI, not locally.** When a re-baseline is the right call, run it through the bundled `dxkit-baseline-refresh` workflow (or a runner pinned to CI's scanner versions) — not a local `npx vyuh-dxkit baseline create --force`. A local refresh records your machine's semgrep / npm-audit / jscpd versions in the committed baseline; when they differ from CI's, the next PR's guardrail surfaces spurious `TOOLING-DRIFT` warnings and phantom "resolved" findings. A local `--force` is fine only for the very first capture or a throwaway experiment.
246
+
245
247
  ## Workflow guardrail
246
248
 
247
249
  After fixing N findings, run the guardrail check before pushing:
@@ -270,4 +272,4 @@ In those cases: `vyuh-dxkit allowlist add` is the right tool for per-finding dec
270
272
  - For hook-related issues during a fix push → `dxkit-hooks` skill
271
273
  - For re-running reports between fixes → `dxkit-reports` skill
272
274
  - For broken dxkit install (hooks not firing, vyuh-dxkit not on PATH) → `dxkit-fix` skill
273
- - For allowlist management beyond the per-finding `add` path (auditing existing entries, pruning expired ones, reviewing the team's overall suppression posture)run `npx vyuh-dxkit allowlist audit` / `list` / `prune` directly; no separate skill yet
275
+ - For allowlist management beyond the per-finding `add` path auditing existing entries (including orphans after a re-baseline), removing stale fingerprints, pruning expired ones, exporting to a `.snyk`, or reviewing the team's overall suppression posture → **dxkit-allowlist** skill