@vyuhlabs/dxkit 2.9.4 → 2.11.0

Files changed (177) hide show
  1. package/CHANGELOG.md +236 -0
  2. package/dist/allowlist/annotate.d.ts +71 -0
  3. package/dist/allowlist/annotate.d.ts.map +1 -0
  4. package/dist/allowlist/annotate.js +105 -0
  5. package/dist/allowlist/annotate.js.map +1 -0
  6. package/dist/allowlist/cli.d.ts +29 -23
  7. package/dist/allowlist/cli.d.ts.map +1 -1
  8. package/dist/allowlist/cli.js +141 -70
  9. package/dist/allowlist/cli.js.map +1 -1
  10. package/dist/allowlist/file.d.ts +7 -1
  11. package/dist/allowlist/file.d.ts.map +1 -1
  12. package/dist/allowlist/file.js +7 -1
  13. package/dist/allowlist/file.js.map +1 -1
  14. package/dist/analysis-result.d.ts +10 -0
  15. package/dist/analysis-result.d.ts.map +1 -1
  16. package/dist/analyzers/cache.d.ts +1 -0
  17. package/dist/analyzers/cache.d.ts.map +1 -1
  18. package/dist/analyzers/cache.js +69 -0
  19. package/dist/analyzers/cache.js.map +1 -1
  20. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  21. package/dist/analyzers/dashboard/index.js +6 -1
  22. package/dist/analyzers/dashboard/index.js.map +1 -1
  23. package/dist/analyzers/health.d.ts.map +1 -1
  24. package/dist/analyzers/health.js +17 -2
  25. package/dist/analyzers/health.js.map +1 -1
  26. package/dist/analyzers/security/actions.d.ts.map +1 -1
  27. package/dist/analyzers/security/actions.js +13 -0
  28. package/dist/analyzers/security/actions.js.map +1 -1
  29. package/dist/analyzers/security/aggregator.d.ts +97 -79
  30. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  31. package/dist/analyzers/security/aggregator.js +168 -56
  32. package/dist/analyzers/security/aggregator.js.map +1 -1
  33. package/dist/analyzers/security/gather.d.ts +2 -0
  34. package/dist/analyzers/security/gather.d.ts.map +1 -1
  35. package/dist/analyzers/security/gather.js +36 -4
  36. package/dist/analyzers/security/gather.js.map +1 -1
  37. package/dist/analyzers/security/index.d.ts.map +1 -1
  38. package/dist/analyzers/security/index.js +81 -2
  39. package/dist/analyzers/security/index.js.map +1 -1
  40. package/dist/analyzers/security/scanner-drift.d.ts +21 -0
  41. package/dist/analyzers/security/scanner-drift.d.ts.map +1 -0
  42. package/dist/analyzers/security/scanner-drift.js +113 -0
  43. package/dist/analyzers/security/scanner-drift.js.map +1 -0
  44. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/security/shallow.js +24 -2
  46. package/dist/analyzers/security/shallow.js.map +1 -1
  47. package/dist/analyzers/security/types.d.ts +64 -4
  48. package/dist/analyzers/security/types.d.ts.map +1 -1
  49. package/dist/analyzers/tools/fingerprint.d.ts +133 -20
  50. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  51. package/dist/analyzers/tools/fingerprint.js +194 -20
  52. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  53. package/dist/analyzers/tools/gitleaks.d.ts +2 -2
  54. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  55. package/dist/analyzers/tools/gitleaks.js +7 -1
  56. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  57. package/dist/analyzers/tools/graphify.d.ts +11 -0
  58. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  59. package/dist/analyzers/tools/graphify.js +457 -413
  60. package/dist/analyzers/tools/graphify.js.map +1 -1
  61. package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
  62. package/dist/analyzers/tools/grep-secrets.js +31 -12
  63. package/dist/analyzers/tools/grep-secrets.js.map +1 -1
  64. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  65. package/dist/analyzers/tools/osv-scanner-fix.js +12 -1
  66. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  67. package/dist/analyzers/tools/salt.d.ts +68 -0
  68. package/dist/analyzers/tools/salt.d.ts.map +1 -0
  69. package/dist/{baseline → analyzers/tools}/salt.js +59 -18
  70. package/dist/analyzers/tools/salt.js.map +1 -0
  71. package/dist/analyzers/tools/semgrep.d.ts +7 -7
  72. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  73. package/dist/analyzers/tools/semgrep.js +14 -7
  74. package/dist/analyzers/tools/semgrep.js.map +1 -1
  75. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  76. package/dist/analyzers/tools/tool-registry.js +78 -43
  77. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  78. package/dist/analyzers/tools/walk-source-files.d.ts +10 -0
  79. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
  80. package/dist/analyzers/tools/walk-source-files.js +14 -0
  81. package/dist/analyzers/tools/walk-source-files.js.map +1 -1
  82. package/dist/analyzers/types.d.ts +9 -0
  83. package/dist/analyzers/types.d.ts.map +1 -1
  84. package/dist/baseline/baseline-file.d.ts +9 -2
  85. package/dist/baseline/baseline-file.d.ts.map +1 -1
  86. package/dist/baseline/baseline-file.js.map +1 -1
  87. package/dist/baseline/check-renderers.d.ts.map +1 -1
  88. package/dist/baseline/check-renderers.js +14 -0
  89. package/dist/baseline/check-renderers.js.map +1 -1
  90. package/dist/baseline/check.d.ts +33 -0
  91. package/dist/baseline/check.d.ts.map +1 -1
  92. package/dist/baseline/check.js +78 -2
  93. package/dist/baseline/check.js.map +1 -1
  94. package/dist/baseline/create.d.ts +1 -1
  95. package/dist/baseline/create.d.ts.map +1 -1
  96. package/dist/baseline/create.js +3 -1
  97. package/dist/baseline/create.js.map +1 -1
  98. package/dist/baseline/entry-to-located.d.ts +12 -5
  99. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  100. package/dist/baseline/entry-to-located.js +21 -7
  101. package/dist/baseline/entry-to-located.js.map +1 -1
  102. package/dist/baseline/finding-identity.d.ts +20 -13
  103. package/dist/baseline/finding-identity.d.ts.map +1 -1
  104. package/dist/baseline/finding-identity.js +51 -20
  105. package/dist/baseline/finding-identity.js.map +1 -1
  106. package/dist/baseline/git-aware-match.d.ts +7 -5
  107. package/dist/baseline/git-aware-match.d.ts.map +1 -1
  108. package/dist/baseline/git-aware-match.js +78 -5
  109. package/dist/baseline/git-aware-match.js.map +1 -1
  110. package/dist/baseline/migrate.d.ts +94 -0
  111. package/dist/baseline/migrate.d.ts.map +1 -0
  112. package/dist/baseline/migrate.js +238 -0
  113. package/dist/baseline/migrate.js.map +1 -0
  114. package/dist/baseline/producers/security.d.ts +9 -9
  115. package/dist/baseline/producers/security.d.ts.map +1 -1
  116. package/dist/baseline/producers/security.js +16 -4
  117. package/dist/baseline/producers/security.js.map +1 -1
  118. package/dist/baseline/types.d.ts +145 -95
  119. package/dist/baseline/types.d.ts.map +1 -1
  120. package/dist/baseline/types.js +30 -26
  121. package/dist/baseline/types.js.map +1 -1
  122. package/dist/explore/context-hook.d.ts +49 -29
  123. package/dist/explore/context-hook.d.ts.map +1 -1
  124. package/dist/explore/context-hook.js +304 -29
  125. package/dist/explore/context-hook.js.map +1 -1
  126. package/dist/explore/finding-context.d.ts +17 -0
  127. package/dist/explore/finding-context.d.ts.map +1 -1
  128. package/dist/explore/finding-context.js +34 -0
  129. package/dist/explore/finding-context.js.map +1 -1
  130. package/dist/explore/queries.d.ts +32 -15
  131. package/dist/explore/queries.d.ts.map +1 -1
  132. package/dist/explore/queries.js +36 -6
  133. package/dist/explore/queries.js.map +1 -1
  134. package/dist/generator.d.ts.map +1 -1
  135. package/dist/generator.js +13 -7
  136. package/dist/generator.js.map +1 -1
  137. package/dist/ingest/normalize.d.ts +1 -1
  138. package/dist/ingest/normalize.d.ts.map +1 -1
  139. package/dist/ingest/normalize.js +5 -1
  140. package/dist/ingest/normalize.js.map +1 -1
  141. package/dist/ingest/sarif.d.ts.map +1 -1
  142. package/dist/ingest/sarif.js +16 -7
  143. package/dist/ingest/sarif.js.map +1 -1
  144. package/dist/ingest/snyk-policy.d.ts +22 -1
  145. package/dist/ingest/snyk-policy.d.ts.map +1 -1
  146. package/dist/ingest/snyk-policy.js +75 -18
  147. package/dist/ingest/snyk-policy.js.map +1 -1
  148. package/dist/ingest/types.d.ts +23 -12
  149. package/dist/ingest/types.d.ts.map +1 -1
  150. package/dist/languages/capabilities/types.d.ts +64 -53
  151. package/dist/languages/capabilities/types.d.ts.map +1 -1
  152. package/dist/languages/capabilities/types.js +4 -4
  153. package/dist/languages/index.d.ts +28 -5
  154. package/dist/languages/index.d.ts.map +1 -1
  155. package/dist/languages/index.js +38 -7
  156. package/dist/languages/index.js.map +1 -1
  157. package/dist/languages/typescript.d.ts.map +1 -1
  158. package/dist/languages/typescript.js +19 -0
  159. package/dist/languages/typescript.js.map +1 -1
  160. package/dist/scoring/dimensions/security.d.ts +17 -0
  161. package/dist/scoring/dimensions/security.d.ts.map +1 -1
  162. package/dist/scoring/dimensions/security.js +12 -0
  163. package/dist/scoring/dimensions/security.js.map +1 -1
  164. package/dist/update.d.ts.map +1 -1
  165. package/dist/update.js +49 -0
  166. package/dist/update.js.map +1 -1
  167. package/dist/upgrade.d.ts.map +1 -1
  168. package/dist/upgrade.js +2 -1
  169. package/dist/upgrade.js.map +1 -1
  170. package/package.json +6 -3
  171. package/templates/.claude/skills/dxkit-action/SKILL.md +11 -2
  172. package/templates/.claude/skills/dxkit-allowlist/SKILL.md +9 -0
  173. package/templates/.claude/skills/dxkit-onboard/SKILL.md +2 -2
  174. package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
  175. package/dist/baseline/salt.d.ts +0 -45
  176. package/dist/baseline/salt.d.ts.map +0 -1
  177. package/dist/baseline/salt.js.map +0 -1
package/CHANGELOG.md CHANGED
@@ -7,6 +7,242 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.11.0] - 2026-06-16
11
+
12
+ ### Code-graph quality, guardrail reliability on JS/TS, and a dogfooding pass
13
+
14
+ dxkit was run on its own repo and on real public targets, the way a user would.
15
+ That surfaced a cluster of graph-quality and guardrail-identity defects — several
16
+ HIGH — that the unit suite couldn't catch because they only appear on the default
17
+ configuration, end-to-end. This release closes them.
18
+
19
+ #### Code graph
20
+
21
+ - **JS/TS method extraction (via `graphifyy` 0.8.40).** Function symbols defined as
22
+ `this.x = () => {}` (constructor-assigned methods), `exports.x` / `module.exports.x`,
23
+ prototype methods, class arrow fields, and function expressions are now captured.
24
+ Previously only top-level declarations, `const` arrows, and class-method shorthand
25
+ were, so on expression-style JS and CommonJS the bulk of callable symbols — and any
26
+ call edges to them — were invisible. On a constructor-style DAO, a file goes from 1
27
+ captured symbol to all of its methods. (Fixed upstream in
28
+ [safishamsi/graphify#1323](https://github.com/safishamsi/graphify/pull/1323).)
29
+ - **The code graph is restricted to source files.** graphify also parses `.md`
30
+ (headings → nodes) and `.json` (config + lockfile keys → nodes); on a JS repo that
31
+ made the graph ~92% non-code (a `package-lock.json` alone outweighed all application
32
+ code). A source-extension allowlist, sourced from the language registry, keeps the
33
+ graph to actual code — node counts, communities, hot-files, api-surface, and the
34
+ context-hook's file summaries all stop being diluted by docs/config.
35
+
36
+ #### Guardrail + finding identity
37
+
38
+ - **Dependency-vulnerability identity is now environment-independent.** The
39
+ fingerprint hashed `(package, installedVersion, id)`; the installed version is only
40
+ resolvable when the dependency tree is installed (`npm-audit` reads `node_modules`),
41
+ so a lockfile-only scanner — or any scan in an environment without `node_modules` —
42
+ omitted it, and the **same advisory forked into two identities by scan environment.**
43
+ Identity is now `(package, canonicalAdvisoryId)`: the version is display metadata, not
44
+ identity, and the advisory id is canonicalized across namespaces (GHSA → CVE → raw) so
45
+ different scanners agree on the same vulnerability.
46
+ **Migration:** dep-vuln fingerprints change. `ref-based` baselines: nothing to do.
47
+ `committed-full` baselines: run `vyuh-dxkit baseline create --force` once; the
48
+ transition run shows dep-vulns as resolved+added (non-blocking) until re-baselined.
49
+ Fingerprint-allowlisted dep-vulns (rare) need re-adding.
50
+ - **Secret + code-pattern finding identity is anchored to content, not line position.**
51
+ A finding's durable fingerprint hashed its file plus a 3-line window, so any edit that
52
+ shifted a finding more than three lines re-minted its identity — which silently
53
+ stranded the allowlist entry pinned to it (the suppression stopped matching) and
54
+ churned the baseline on edits that never touched the finding. Identity now derives from
55
+ *what the finding is*, computed only from inputs dxkit derives itself — never a scanner's
56
+ captured text or an environment-derived salt: a secret from a tool-independent constant
57
+ plus its file plus an in-file ordinal (no captured value, no salt — so the same leak gets
58
+ one identity whether gitleaks or the grep fallback found it, and identically across a
59
+ developer's machine and CI); a code-pattern finding from its enclosing symbol (resolved
60
+ from the code graph, or the file when no symbol resolves) plus a hash of the matched span
61
+ plus an in-symbol ordinal; a config finding (`.env`-in-git) from `(rule, file)`. The line
62
+ number becomes display metadata. A finding keeps its identity when it moves and re-mints
63
+ only when the matched construct — or its enclosing function — actually changes, so
64
+ allowlist entries and baselines survive refactors and unrelated edits. Ingested SARIF
65
+ findings (Snyk Code / CodeQL) earn the same code anchor from the engine's reported
66
+ snippet. When no anchor is resolvable (e.g. a scanner that surfaces no matched snippet)
67
+ identity falls back to the previous line-window hash, so every finding still has a stable
68
+ id.
69
+ **Migration — one command:** secret/code/config and dep-vuln fingerprints change once.
70
+ Every artifact now records the identity scheme it was written under, and the upgrade is
71
+ automatic:
72
+
73
+ ```
74
+ npm i -D @vyuhlabs/dxkit@latest
75
+ vyuh-dxkit update # detects the scheme change → migrates baseline + allowlist
76
+ git add .dxkit && git commit -m "chore(dxkit): adopt this release"
77
+ ```
78
+
79
+ `update` rewrites the allowlist's fingerprints onto the new scheme (preserving every
80
+ reviewed suppression — no re-reviewing, no copying fingerprints from reports) and
81
+ regenerates the baseline, reporting what it re-anchored and flagging any entry whose
82
+ finding is gone. Inline `dxkit-allow:` source annotations need nothing (they match by
83
+ location). If you skip `update` and run the guardrail directly, it stops with an
84
+ explicit "run `vyuh-dxkit update`" message instead of reporting every pre-existing
85
+ finding as net-new. `ref-based` repos (no committed baseline) need nothing. Manual
86
+ fallback if you'd rather not use `update`: `vyuh-dxkit baseline create --force` plus
87
+ re-adding fingerprint-based allowlist entries by hand. Refresh committed SARIF
88
+ snapshots (`vyuh-dxkit ingest …`) so ingested findings pick up content anchors; until
89
+ refreshed they ride the line-window fallback.
90
+ - **`ref-based` guardrail is reliable on JS/TS repos.** ref-based gathers the prior side
91
+ from a detached `git worktree` that has no `node_modules` or coverage report, so the
92
+ build-artifact-dependent kinds (`duplication` via jscpd, `test-gap` via coverage)
93
+ under-produced on the prior side and the current side's full set read as net-new. They
94
+ are now excluded from both sides of a ref-based diff (symmetric), with a disclosure in
95
+ the console + PR-comment output; `committed-full` remains the mode that gates them.
96
+ - **The analysis cache invalidates on `.dxkit/` input changes.** Editing
97
+ `.dxkit/allowlist.json` had no effect until the commit changed, because the cache
98
+ key tracked `.dxkit-ignore` but not the allowlist / policy / ingested-snapshot inputs
99
+ that live under the same `.dxkit/` prefix the dirty-check excludes. The cache key now
100
+ folds in a content digest of those inputs, so an allowlist edit re-scores immediately.
101
+
102
+ #### Toolchain
103
+
104
+ - **vitest 4.** Bumps vitest + `@vitest/coverage-v8` to v4 and clears the critical +
105
+ high dev-tooling advisories in the vitest → vite → esbuild chain (plus `tmp`). All
106
+ dev-only — none ship in `dist/`. No published-`engines` change.
107
+
108
+ ## [2.10.0] - 2026-06-13
109
+
110
+ ### Honest scoring under changing scanners, passive graph delivery, tool-robustness
111
+
112
+ Closes a set of brownfield-install and guardrail-matcher defects (the original
113
+ 2.9.5 hardening), a class of scoring-honesty bugs (a Security score that could get
114
+ worse on an unchanged commit, with nothing explaining why), a defensive
115
+ tool-version-pin sweep, and the agentic-delivery redesign that finally routes the
116
+ code graph to the agent in a real fix workflow.
117
+
118
+ #### Scoring honesty
119
+
120
+ A Security score could drop on an **unchanged commit** — e.g. after an upgrade
121
+ enabled more scanners, or because a repo's own reviewed-and-accepted findings kept
122
+ holding it at a cap. The measurement was getting more honest, but the output
123
+ didn't explain it, and a properly-triaged repo couldn't recover its score. These
124
+ close that gap.
125
+
126
+ - **Symmetric unavailable-scanner caps.** A missing dependency-audit
127
+ already capped the Security score at the uncertainty tier, but missing
128
+ secret/code-pattern scanners silently scored as "0 findings" — so enabling
129
+ those scanners later read as a phantom regression. The secret and code-pattern
130
+ axes now get the same uncertainty cap when their scan didn't run, surfaced in
131
+ `metrics.toolsUnavailable` and the standalone vuln-scan report.
132
+ - **The score respects the allowlist.** Findings reviewed-and-accepted as
133
+ `false-positive` / `test-fixture` are now lifted from the Security penalties and
134
+ caps (not just the guardrail), so a triaged repo scores honestly instead of
135
+ staying capped on noise it has already accepted. `accepted-risk` / `deferred` /
136
+ `mitigated-externally` still count — accepting a real risk can't earn an A. The
137
+ vulnerability report and dashboard also annotate allowlisted findings and render
138
+ `Subtotal N (M allowlisted)` so the raw counts are explained, not alarming.
139
+ - **Scanner-coverage drift is disclosed.** When the active scanner set grew
140
+ since the last run, the vuln-scan report leads with a note: findings the new
141
+ scanners surface are newly **visible**, not newly **introduced**. This is the
142
+ root-cause explanation for a score that moved on unchanged code.
143
+ - **Secret severity is never lowered by file path.** A hardcoded credential keeps
144
+ its natural severity whether it sits in production code or a test — the generic
145
+ matcher can't tell a throwaway fixture from a real secret leaked into a test, so
146
+ lowering severity by path would silently hide genuine leaks. Test-file noise is
147
+ managed by the allowlist score-lift above (review fixtures once with
148
+ `--category test-fixture`), not by hiding. The vulnerability report now flags how
149
+ many secret findings sit in test files and points fixtures at the allowlist; the
150
+ `dxkit-action` and `dxkit-allowlist` skills gain an explicit triage step
151
+ (confirm fixture vs. real, allowlist fakes, rotate reals) so an agent handles
152
+ this judgment per finding rather than blanket-ignoring the test directory.
153
+ - **Systematic test-file detection.** Tests organized under Jest's `__tests__/`
154
+ directory — or named with the widespread `.unit.` / `.e2e.` / `.cy.` suffixes —
155
+ were classified as source, corrupting the test ratio, coverage, and test-gap
156
+ analysis. The cross-ecosystem test directories (`__tests__/`, `test/`, `tests/`,
157
+ `spec/`, `e2e/`) are now recognized in any language; the TS pack gains the
158
+ co-located suffix conventions.
159
+ - **Dependency-audit cleanup on Windows (EPERM).** The osv-scanner-fix temp-dir
160
+ cleanup now retries with backoff and never throws out of its `finally`, so a
161
+ Windows handle race (npm-install grandchildren / antivirus) can no longer
162
+ discard the already-parsed fix plans — which had let dependency vulnerabilities
163
+ go silently unreported.
164
+
165
+ #### Passive graph delivery (agentic value)
166
+
167
+ - **Context-hook fires on the tools agents actually use.** Pre-2.10 the graph
168
+ context-hook fired only on the native `Grep`/`Glob` tools and only when the
169
+ search pattern substring-matched a symbol name — so in a real fix workflow
170
+ (agents search via `Bash grep` for a symptom, and read files directly) it
171
+ almost never engaged. It now fires on **Read/Edit** (keyed on the file touched
172
+ → that file's structural summary: symbols, callers, callees, module group),
173
+ **Bash** (parses grep/rg commands; a named source file delivers its summary,
174
+ else a symbol match on the pattern), and the original **Grep/Glob** path.
175
+ Per-session, per-file dedup keeps it cheap; the FAIL-OPEN + ADDITIVE contract is
176
+ preserved (any problem is a silent no-op). **Existing repos must re-run
177
+ `vyuh-dxkit init`** (or update `.claude/settings.json`) to pick up the broadened
178
+ `Read|Edit|Bash|Grep|Glob` matcher.
179
+
180
+ #### Snyk sync
181
+
182
+ - **`.dxkit-ignore` → `.snyk` exclude sync.** `allowlist export --snyk` now also
183
+ emits the paths dxkit's analyzers skip (`.dxkit-ignore`) into the `.snyk`
184
+ `exclude.global` block, so Snyk and dxkit agree on what's out of scope —
185
+ mirroring the existing allowlist → `.snyk` ignore sync. An export carrying only
186
+ exclusions still writes.
187
+
188
+ #### Tool-robustness + matcher rename fixes
189
+
190
+ Hardening pass closing a set of brownfield-install and guardrail-matcher
191
+ defects surfaced while benchmarking on Python 3.14 and large real-world repos.
192
+
193
+ #### Fixed
194
+
195
+ - **graphify on Python 3.14.** Python 3.14 made `forkserver` the default
196
+ multiprocessing start method on Linux. graphify parallelises extraction with a
197
+ `ProcessPoolExecutor`, and under spawn/forkserver each worker re-imports the
198
+ generated script — re-running top-level extraction and crashing the run (no
199
+ `.dxkit/reports/graph.json` written; every graph-dependent feature silently
200
+ degraded). The generated script now wraps its execution body in
201
+ `if __name__ == '__main__'` — graphify's own documented requirement for
202
+ parallel extraction — so it is correct on every platform and start method
203
+ (Linux fork/forkserver, macOS/Windows spawn) while keeping multi-core
204
+ extraction. The previous forced `set_start_method('fork')` workaround is
205
+ removed.
206
+ - **graphify cache redirect.** The on-disk cache is now redirected via
207
+ graphify's public `extract(cache_root=...)` parameter instead of
208
+ monkeypatching the internal `graphify.cache.cache_dir`, whose signature
209
+ changed in graphifyy 0.8 (`cache_dir(root)` → `cache_dir(root, kind)`) and
210
+ crashed the run. This also stops graphify's `atexit` stat-index flush from
211
+ writing a stray `graphify-out/` into the scanned repo. The temp cache lives
212
+ under the caller-owned script dir and is reclaimed after the process (and its
213
+ atexit handlers) exit. `graphifyy` is pinned to `0.8.36`.
214
+ - **jscpd version pin.** jscpd is pinned to `4.2.5`. jscpd 5.x is a Rust
215
+ rewrite that dropped the `--gitignore` flag (dxkit passed it → exit 2) and
216
+ changed the report JSON schema dxkit parses.
217
+ - **Guardrail matcher — whole-file rename relocation.** Renaming a source
218
+ file no longer reports its whole-file findings (test-gap, coverage-gap,
219
+ test-file-degradation, god-file, stale-file, large-file) as removed + added,
220
+ which falsely blocked the guardrail on a pure rename. The git-aware matcher
221
+ now relocates these line-less, file-anchored findings through git's rename
222
+ detection, keyed on `(renamed-path, kind)` so two different whole-file kinds
223
+ on the same renamed file never cross-pair.
224
+
225
+ #### Tool-version pins
226
+
227
+ - **Defensive pin sweep.** Nine more dxkit-owned, deterministic-output scanners
228
+ are pinned to their current releases (semgrep `1.165.0`, ruff `0.15.17`,
229
+ pip-audit `2.10.1`, pip-licenses `5.5.5`, coverage `7.14.1`,
230
+ license-checker-rseidelsohn `5.0.1`, golangci-lint `v1.64.8` — the v1 line,
231
+ since v2 is a breaking rewrite on a separate module path — govulncheck `v1.3.0`,
232
+ go-licenses `v1.6.0`), so a future breaking major can't silently change parsed
233
+ output or exit codes the way jscpd 5.x and graphifyy 0.8 did. Five tools stay
234
+ unpinned by design and are now documented as such: `eslint` + `vitest-coverage`
235
+ (project-local — the consumer owns the version), `snyk` (a SaaS client that
236
+ self-manages backend compatibility), `codeql` (a GitHub-managed bundle paired
237
+ with query packs), and `cloc` (non-semver npm tag, lowest-risk schema). Proper
238
+ schema-adaptive multi-version handling is planned for a later release.
239
+
240
+ #### Internal
241
+
242
+ - The version-pin guard test partitions every registry tool into pinned /
243
+ unpinned-by-design / package-manager-tracked, so a tool can't be added or
244
+ un-pinned without a deliberate decision.
245
+
10
246
  ## [2.9.4] - 2026-06-09
11
247
 
12
248
  ### Connecting findings + PRs to the people who know the code
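--- /dev/null
+++ b/package/dist/allowlist/annotate.d.ts
@@ -0,0 +1,71 @@
+/**
+ * Annotate security findings with their active-allowlist status
+ * for REPORTING (not gating).
+ *
+ * The guardrail already consults the allowlist to decide whether a
+ * net-new finding blocks a push (`src/baseline/check.ts`). But the
+ * vulnerability-scan report and dashboard rendered raw counts with no
+ * indication that some findings are reviewed-and-accepted — a repo that
+ * has correctly allowlisted, say, its unit-test fixtures still showed
+ * them as headline criticals with no visual distinction, which reads as
+ * "the score is lying."
+ *
+ * This module marks each finding whose fingerprint matches an ACTIVE
+ * (unexpired) allowlist entry so renderers can show "(N allowlisted)"
+ * beside the subtotal. It does NOT change raw counts and does NOT change
+ * the score — dxkit's raw-truth model is preserved; only the
+ * presentation gains an honesty annotation.
+ *
+ * Identity contract (CLAUDE.md Rule 9): this module never computes a
+ * fingerprint. It matches against the fingerprint the aggregator
+ * already stamped on each code/secret/config finding (plus the
+ * `absorbedFingerprints` recorded when cross-tool dedup collapsed
+ * contributors — same robust-match set the guardrail uses). Dependency
+ * findings are keyed by `(package, version, id)` through a producer and
+ * carry no inline fingerprint, so they are out of scope here.
+ */
+import { type AllowlistFile } from './file';
+import type { AllowlistCategory } from './categories';
+import type { FindingCategory } from '../analyzers/security/types';
+/**
+ * The minimal finding shape this module reads + writes. The runtime
+ * objects are richer (`CodeFinding` carries `fingerprint` +
+ * `absorbedFingerprints`); we accept the structural subset so callers
+ * pass their findings directly without a cast.
+ */
+export interface AnnotatableFinding {
+    readonly category: FindingCategory;
+    readonly fingerprint?: string;
+    readonly absorbedFingerprints?: readonly string[];
+    allowlisted?: boolean;
+    allowlistCategory?: AllowlistCategory;
+}
+/**
+ * Whether an active allowlist entry of this category should LIFT the
+ * finding from the dimension score (penalties + caps), not just from
+ * the guardrail.
+ *
+ * `false-positive` and `test-fixture` declare the finding is "not a real
+ * finding" — a misfire or throwaway test data — so a properly-triaged
+ * repo shouldn't carry a score penalty for it (the failure mode where a
+ * repo stays capped at the trust-broken tier despite having reviewed and
+ * accepted every flagged secret). `accepted-risk` and `deferred`, by
+ * contrast, accept a REAL risk: the guardrail stops blocking on them,
+ * but the score must still reflect the residual exposure — you can't
+ * `accepted-risk` your way to an A. `mitigated-externally` counts too:
+ * the risk is real, just handled outside dxkit.
+ */
+export declare function allowlistLiftsScore(category: AllowlistCategory | undefined): boolean;
+/**
+ * Mutate `findings` in place, setting `allowlisted` + `allowlistCategory`
+ * on each finding matched by an active allowlist entry. Returns the count
+ * of findings annotated, so callers can short-circuit rendering when zero.
+ *
+ * A finding matches when ANY of its candidate fingerprints (its own
+ * `fingerprint`, then any `absorbedFingerprints`) resolves to an
+ * allowlist entry whose `kind` equals the finding's kind and which is
+ * active at `now`. The kind guard rules out a cross-kind hash collision
+ * waiving the wrong finding — mirrors `allowlistSuppressionFor`.
+ */
+export declare function annotateFindingsWithAllowlist(findings: AnnotatableFinding[], allowlist: AllowlistFile | null, now?: Date): number;
+//# sourceMappingURL=annotate.d.ts.map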
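Review bot: The module header's claim that dependency findings are keyed by `(package, version, id)` (the paragraph ending `carry no inline fingerprint, so they are out of scope here.`) is contradicted by this same release's CHANGELOG, which states dep-vuln identity is now `(package, canonicalAdvisoryId)` with the installed version demoted to display metadata. A maintainer reading this header could assume the version still participates in identity and mis-key a fingerprint-based suppression; suggest `Dependency findings are keyed by (package, canonicalAdvisoryId) through a producer — the version is display metadata — and carry no inline fingerprint, so they are out of scope here.` This `.d.ts` is emitted from `src/allowlist/annotate.ts` (per the source map), so the wording belongs in the source, not the dist copy. The `now?: Date` parameter's default is undocumented here; since entries stop being annotated once they expire at `now`, the doc on `annotateFindingsWithAllowlist` should state what `now` defaults to (presumably the wall clock — confirm against the implementation) so report consumers know the annotation is time-dependent and reproducible only when `now` is pinned.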
@@ -0,0 +1 @@
1
+ {"version":3,"file":"annotate.d.ts","sourceRoot":"","sources":["../../src/allowlist/annotate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,OAAO,EAAE,KAAK,aAAa,EAA4B,MAAM,QAAQ,CAAC;AACtE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAGnE;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACvC;AAoBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,SAAS,GAAG,OAAO,CAEpF;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,kBAAkB,EAAE,EAC9B,SAAS,EAAE,aAAa,GAAG,IAAI,EAC/B,GAAG,GAAE,IAAiB,GACrB,MAAM,CAuBR"}
@@ -0,0 +1,105 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.allowlistLiftsScore = allowlistLiftsScore;
4
+ exports.annotateFindingsWithAllowlist = annotateFindingsWithAllowlist;
5
+ /**
6
+ * Annotate security findings with their active-allowlist status
7
+ * for REPORTING (not gating).
8
+ *
9
+ * The guardrail already consults the allowlist to decide whether a
10
+ * net-new finding blocks a push (`src/baseline/check.ts`). But the
11
+ * vulnerability-scan report and dashboard rendered raw counts with no
12
+ * indication that some findings are reviewed-and-accepted — a repo that
13
+ * has correctly allowlisted, say, its unit-test fixtures still showed
14
+ * them as headline criticals with no visual distinction, which reads as
15
+ * "the score is lying."
16
+ *
17
+ * This module marks each finding whose fingerprint matches an ACTIVE
18
+ * (unexpired) allowlist entry so renderers can show "(N allowlisted)"
19
+ * beside the subtotal. It does NOT change raw counts and does NOT change
20
+ * the score — dxkit's raw-truth model is preserved; only the
21
+ * presentation gains an honesty annotation.
22
+ *
23
+ * Identity contract (CLAUDE.md Rule 9): this module never computes a
24
+ * fingerprint. It matches against the fingerprint the aggregator
25
+ * already stamped on each code/secret/config finding (plus the
26
+ * `absorbedFingerprints` recorded when cross-tool dedup collapsed
27
+ * contributors — same robust-match set the guardrail uses). Dependency
28
+ * findings are keyed by `(package, version, id)` through a producer and
29
+ * carry no inline fingerprint, so they are out of scope here.
30
+ */
31
+ const file_1 = require("./file");
32
+ /**
33
+ * Map a report `FindingCategory` to the canonical `IdentityKind` used
34
+ * by allowlist entries. Only the three fingerprint-bearing categories
35
+ * resolve; `dependency` returns null (out of scope — see module doc).
36
+ */
37
+ function kindForCategory(category) {
38
+ switch (category) {
39
+ case 'secret':
40
+ return 'secret';
41
+ case 'code':
42
+ return 'code';
43
+ case 'config':
44
+ return 'config';
45
+ case 'dependency':
46
+ return null;
47
+ }
48
+ }
49
+ /**
50
+ * Whether an active allowlist entry of this category should LIFT the
51
+ * finding from the dimension score (penalties + caps), not just from
52
+ * the guardrail.
53
+ *
54
+ * `false-positive` and `test-fixture` declare the finding is "not a real
55
+ * finding" — a misfire or throwaway test data — so a properly-triaged
56
+ * repo shouldn't carry a score penalty for it (the failure mode where a
57
+ * repo stays capped at the trust-broken tier despite having reviewed and
58
+ * accepted every flagged secret). `accepted-risk` and `deferred`, by
59
+ * contrast, accept a REAL risk: the guardrail stops blocking on them,
60
+ * but the score must still reflect the residual exposure — you can't
61
+ * `accepted-risk` your way to an A. `mitigated-externally` counts too:
62
+ * the risk is real, just handled outside dxkit.
63
+ */
64
+ function allowlistLiftsScore(category) {
65
+ return category === 'false-positive' || category === 'test-fixture';
66
+ }
67
+ /**
68
+ * Mutate `findings` in place, setting `allowlisted` + `allowlistCategory`
69
+ * on each finding matched by an active allowlist entry. Returns the count
70
+ * of findings annotated, so callers can short-circuit rendering when zero.
71
+ *
72
+ * A finding matches when ANY of its candidate fingerprints (its own
73
+ * `fingerprint`, then any `absorbedFingerprints`) resolves to an
74
+ * allowlist entry whose `kind` equals the finding's kind and which is
75
+ * active at `now`. The kind guard rules out a cross-kind hash collision
76
+ * waiving the wrong finding — mirrors `allowlistSuppressionFor`.
77
+ */
78
+ function annotateFindingsWithAllowlist(findings, allowlist, now = new Date()) {
79
+ if (!allowlist || allowlist.entries.length === 0)
80
+ return 0;
81
+ let annotated = 0;
82
+ for (const f of findings) {
83
+ const kind = kindForCategory(f.category);
84
+ if (!kind)
85
+ continue;
86
+ const candidates = [];
87
+ if (f.fingerprint)
88
+ candidates.push(f.fingerprint);
89
+ if (f.absorbedFingerprints)
90
+ candidates.push(...f.absorbedFingerprints);
91
+ for (const fp of candidates) {
92
+ const entry = (0, file_1.findEntry)(allowlist, fp);
93
+ if (!entry || entry.kind !== kind)
94
+ continue;
95
+ if (!(0, file_1.isEntryActive)(entry, now))
96
+ continue;
97
+ f.allowlisted = true;
98
+ f.allowlistCategory = entry.category;
99
+ annotated++;
100
+ break;
101
+ }
102
+ }
103
+ return annotated;
104
+ }
105
+ //# sourceMappingURL=annotate.js.map
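Review bot: annotateFindingsWithAllowlist only ever sets `allowlisted`/`allowlistCategory` and never clears them, so a finding object that already carries those fields from an earlier pass (a reused or cached finding set, which the `analyzers/cache.js` change elsewhere in this release suggests exists — please confirm) keeps reading as allowlisted after the entry has expired or been pruned, and the early `return 0` on an empty allowlist leaves that stale state untouched as well. That is the opposite of the "honesty annotation" the module doc promises, and the returned count would disagree with what the renderer shows, breaking the documented "short-circuit rendering when zero" contract. Resetting both fields at the top of the per-finding loop, and moving the empty-allowlist guard into that loop, makes the pass idempotent; if the TS source's optional types reject an explicit `undefined`, `delete` the field instead. The rest of the matching loop is unchanged.
```javascript
function annotateFindingsWithAllowlist(findings, allowlist, now = new Date()) {
    let annotated = 0;
    for (const f of findings) {
        // Clear state left by a previous pass so an expired or pruned
        // entry cannot keep a finding marked as allowlisted.
        f.allowlisted = false;
        f.allowlistCategory = undefined;
        const kind = kindForCategory(f.category);
        if (!kind || !allowlist || allowlist.entries.length === 0)
            continue;
        // … unchanged: candidate fingerprints and findEntry/isEntryActive matching …
    }
    return annotated;
}
```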
@@ -0,0 +1 @@
1
+ {"version":3,"file":"annotate.js","sourceRoot":"","sources":["../../src/allowlist/annotate.ts"],"names":[],"mappings":";;AA8EA,kDAEC;AAaD,sEA2BC;AAxHD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,iCAAsE;AAmBtE;;;;GAIG;AACH,SAAS,eAAe,CAAC,QAAyB;IAChD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,mBAAmB,CAAC,QAAuC;IACzE,OAAO,QAAQ,KAAK,gBAAgB,IAAI,QAAQ,KAAK,cAAc,CAAC;AACtE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,6BAA6B,CAC3C,QAA8B,EAC9B,SAA+B,EAC/B,MAAY,IAAI,IAAI,EAAE;IAEtB,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE3D,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,CAAC,CAAC,WAAW;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QAClD,IAAI,CAAC,CAAC,oBAAoB;YAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,CAAC;QAEvE,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACvC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC5C,IAAI,CAAC,IAAA,oBAAa,EAAC,KAAK,EAAE,GAAG,CAAC;gBAAE,SAAS;YACzC,CAAC,CAAC,WAAW,GAAG,IAAI,CAAC;YACrB,CAAC,CAAC,iBAAiB,GAAG,KAAK,CAAC,QAAQ,CAAC;YACrC,SAAS,EAAE,CAAC;YACZ,MAAM;QACR,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
@@ -4,22 +4,22 @@
4
4
  *
5
5
  * Subcommands (Sprint 1 chunk):
6
6
  *
7
- * - `add <file>:<line>` — inline annotation insertion. Kind-agnostic;
8
- * the annotation grammar carries category + reason only. Refuses
9
- * non-inline-compatible categories (accepted-risk / deferred).
7
+ * - `add <file>:<line>` — inline annotation insertion. Kind-agnostic;
8
+ * the annotation grammar carries category + reason only. Refuses
9
+ * non-inline-compatible categories (accepted-risk / deferred).
10
10
  *
11
- * - `add --fingerprint=<id> --kind=<kind>` — file-level allowlist
12
- * entry. Persists to `.dxkit/allowlist.json` (or its sanitized
13
- * mode + gitignored reasons sidecar). Required for any
14
- * accepted-risk / deferred suppression OR any kind that lacks a
15
- * stable single-line attachment point.
11
+ * - `add --fingerprint=<id> --kind=<kind>` — file-level allowlist
12
+ * entry. Persists to `.dxkit/allowlist.json` (or its sanitized
13
+ * mode + gitignored reasons sidecar). Required for any
14
+ * accepted-risk / deferred suppression OR any kind that lacks a
15
+ * stable single-line attachment point.
16
16
  *
17
- * - `list` — print every entry across the file-level allowlist.
18
- * Reads only; no mutation. Honors `--json` for structured output.
17
+ * - `list` — print every entry across the file-level allowlist.
18
+ * Reads only; no mutation. Honors `--json` for structured output.
19
19
  *
20
- * - `show <fingerprint>` — print one entry's full detail. Falls
21
- * back to a "no entry found" message when the fingerprint isn't
22
- * present.
20
+ * - `show <fingerprint>` — print one entry's full detail. Falls
21
+ * back to a "no entry found" message when the fingerprint isn't
22
+ * present.
23
23
  *
24
24
  * Subcommands `audit` and `prune` land in a follow-up commit.
25
25
  *
@@ -39,8 +39,8 @@ export declare const ALLOWLIST_SUBCOMMANDS: readonly ["add", "list", "show", "au
39
39
  export type AllowlistSubcommand = (typeof ALLOWLIST_SUBCOMMANDS)[number];
40
40
  export interface AllowlistAddOpts {
41
41
  /** Positional target. `<file>:<line>` for inline form; absent or a
42
- * bare file path for file-level form (requires `--fingerprint`
43
- * + `--kind`). */
42
+ * bare file path for file-level form (requires `--fingerprint`
43
+ * + `--kind`). */
44
44
  readonly target?: string;
45
45
  readonly category?: string;
46
46
  readonly reason?: string;
@@ -50,8 +50,8 @@ export interface AllowlistAddOpts {
50
50
  readonly acknowledgedSeverity?: string;
51
51
  readonly addedBy?: string;
52
52
  /** Override the configured mode for this write only. Default
53
- * reads from `.dxkit/policy.json` (out of scope here; this
54
- * module accepts a flag to choose). */
53
+ * reads from `.dxkit/policy.json` (out of scope here; this
54
+ * module accepts a flag to choose). */
55
55
  readonly mode?: AllowlistMode;
56
56
  }
57
57
  export interface AllowlistShowOpts {
@@ -66,9 +66,9 @@ export interface AllowlistAuditOpts {
66
66
  /** Soon-to-expire horizon in days (default 14). */
67
67
  readonly soonToExpireDays?: number;
68
68
  /** Cross-check fingerprints against the committed baseline so the
69
- * audit can flag orphaned entries (suppress nothing in the current
70
- * finding set). Off by default — keeps `audit` a pure read of the
71
- * allowlist file unless the user opts in. */
69
+ * audit can flag orphaned entries (suppress nothing in the current
70
+ * finding set). Off by default — keeps `audit` a pure read of the
71
+ * allowlist file unless the user opts in. */
72
72
  readonly againstBaseline?: boolean;
73
73
  /** Named baseline to diff against (default `main`). */
74
74
  readonly baselineName?: string;
@@ -84,7 +84,7 @@ export interface AllowlistExportOpts {
84
84
  readonly out?: string;
85
85
  readonly json?: boolean;
86
86
  /** ISO datetime stamped as each ignore's `created`. Defaults to now;
87
- * injectable for deterministic tests. */
87
+ * injectable for deterministic tests. */
88
88
  readonly now?: string;
89
89
  }
90
90
  export interface AllowlistPruneOpts {
@@ -92,8 +92,8 @@ export interface AllowlistPruneOpts {
92
92
  /** Don't write; just print what would be removed. */
93
93
  readonly dryRun?: boolean;
94
94
  /** Skip confirmation prompt + write directly. Default behavior
95
- * in Sprint 1 (no interactive prompts in dxkit yet) — the flag
96
- * is accepted for future-proofing. */
95
+ * in Sprint 1 (no interactive prompts in dxkit yet) — the flag
96
+ * is accepted for future-proofing. */
97
97
  readonly yes?: boolean;
98
98
  }
99
99
  /**
@@ -125,6 +125,12 @@ export declare function runAllowlistRemove(cwd: string, opts: AllowlistRemoveOpt
125
125
  * reason + expiry. Expired entries are skipped (they no longer
126
126
  * suppress). Only `snyk-code` findings export — native semgrep /
127
127
  * gitleaks findings have no Snyk equivalent.
128
+ *
129
+ * 2.10 also syncs the PATH-EXCLUSION half: `.dxkit-ignore` patterns
130
+ * (the paths dxkit's own analyzers skip) are emitted into the `.snyk`
131
+ * `exclude.global` block, so Snyk and dxkit agree on what's out of
132
+ * scope. The two halves compose into one `.snyk`; an export carrying
133
+ * only exclusions (no allowlisted Snyk findings yet) still writes.
128
134
  */
129
135
  export declare function runAllowlistExport(cwd: string, opts: AllowlistExportOpts): Promise<void>;
130
136
  export { DEFAULT_EXPIRY_DAYS };
@@ -1 +1 @@
1
- {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/allowlist/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAkBH,OAAO,EAEL,mBAAmB,EAMpB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAelB,KAAK,aAAa,EAEnB,MAAM,QAAQ,CAAC;AAGhB,2DAA2D;AAC3D,eAAO,MAAM,qBAAqB,wEAQxB,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,gBAAgB;IAC/B;;uBAEmB;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;4CAEwC;IACxC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,mDAAmD;IACnD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;kDAG8C;IAC9C,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,4CAA4C;IAC5C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB;8CAC0C;IAC1C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;2CAEuC;IACvC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,IAAI,EAAE;IACJ,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,IAAI,CAAC,CAyDf;AAID,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI
,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBxF;AAyHD,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB1F;AAID,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B1F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuG5F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmC5F;AAID,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CA4B9F;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CA6E9F;AAoID,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,CAAC"}
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/allowlist/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AA6BH,OAAO,EAEL,mBAAmB,EAMpB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAelB,KAAK,aAAa,EAEnB,MAAM,QAAQ,CAAC;AAGhB,2DAA2D;AAC3D,eAAO,MAAM,qBAAqB,wEAQxB,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,gBAAgB;IAC/B;;sBAEkB;IAClB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;2CAEuC;IACvC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,mDAAmD;IACnD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;iDAG6C;IAC7C,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,4CAA4C;IAC5C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB;6CACyC;IACzC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;0CAEsC;IACtC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,IAAI,EAAE;IACJ,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,IAAI,CAAC,CAyDf;AAID,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI
,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBxF;AAyHD,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB1F;AAID,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B1F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuG5F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmC5F;AAID,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CA4B9F;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmI9F;AAmJD,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,CAAC"}