@vyuhlabs/dxkit 2.9.4 → 2.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +236 -0
- package/dist/allowlist/annotate.d.ts +71 -0
- package/dist/allowlist/annotate.d.ts.map +1 -0
- package/dist/allowlist/annotate.js +105 -0
- package/dist/allowlist/annotate.js.map +1 -0
- package/dist/allowlist/cli.d.ts +29 -23
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +141 -70
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +7 -1
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +7 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analysis-result.d.ts +10 -0
- package/dist/analysis-result.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +1 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +69 -0
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +6 -1
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +17 -2
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +13 -0
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +97 -79
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +168 -56
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +2 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +36 -4
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +81 -2
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/scanner-drift.d.ts +21 -0
- package/dist/analyzers/security/scanner-drift.d.ts.map +1 -0
- package/dist/analyzers/security/scanner-drift.js +113 -0
- package/dist/analyzers/security/scanner-drift.js.map +1 -0
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +24 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +64 -4
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +133 -20
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +194 -20
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +2 -2
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +7 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +11 -0
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +457 -413
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +31 -12
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +12 -1
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/salt.d.ts +68 -0
- package/dist/analyzers/tools/salt.d.ts.map +1 -0
- package/dist/{baseline → analyzers/tools}/salt.js +59 -18
- package/dist/analyzers/tools/salt.js.map +1 -0
- package/dist/analyzers/tools/semgrep.d.ts +7 -7
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +14 -7
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +78 -43
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/walk-source-files.d.ts +10 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
- package/dist/analyzers/tools/walk-source-files.js +14 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -1
- package/dist/analyzers/types.d.ts +9 -0
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/baseline/baseline-file.d.ts +9 -2
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +14 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +78 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +1 -1
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +3 -1
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +12 -5
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +21 -7
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts +20 -13
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +51 -20
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/git-aware-match.d.ts +7 -5
- package/dist/baseline/git-aware-match.d.ts.map +1 -1
- package/dist/baseline/git-aware-match.js +78 -5
- package/dist/baseline/git-aware-match.js.map +1 -1
- package/dist/baseline/migrate.d.ts +94 -0
- package/dist/baseline/migrate.d.ts.map +1 -0
- package/dist/baseline/migrate.js +238 -0
- package/dist/baseline/migrate.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +9 -9
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +16 -4
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +145 -95
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +30 -26
- package/dist/baseline/types.js.map +1 -1
- package/dist/explore/context-hook.d.ts +49 -29
- package/dist/explore/context-hook.d.ts.map +1 -1
- package/dist/explore/context-hook.js +304 -29
- package/dist/explore/context-hook.js.map +1 -1
- package/dist/explore/finding-context.d.ts +17 -0
- package/dist/explore/finding-context.d.ts.map +1 -1
- package/dist/explore/finding-context.js +34 -0
- package/dist/explore/finding-context.js.map +1 -1
- package/dist/explore/queries.d.ts +32 -15
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +36 -6
- package/dist/explore/queries.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +13 -7
- package/dist/generator.js.map +1 -1
- package/dist/ingest/normalize.d.ts +1 -1
- package/dist/ingest/normalize.d.ts.map +1 -1
- package/dist/ingest/normalize.js +5 -1
- package/dist/ingest/normalize.js.map +1 -1
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +16 -7
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/snyk-policy.d.ts +22 -1
- package/dist/ingest/snyk-policy.d.ts.map +1 -1
- package/dist/ingest/snyk-policy.js +75 -18
- package/dist/ingest/snyk-policy.js.map +1 -1
- package/dist/ingest/types.d.ts +23 -12
- package/dist/ingest/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +64 -53
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.js +4 -4
- package/dist/languages/index.d.ts +28 -5
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +38 -7
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +19 -0
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/security.d.ts +17 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -1
- package/dist/scoring/dimensions/security.js +12 -0
- package/dist/scoring/dimensions/security.js.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +49 -0
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +2 -1
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -3
- package/templates/.claude/skills/dxkit-action/SKILL.md +11 -2
- package/templates/.claude/skills/dxkit-allowlist/SKILL.md +9 -0
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +2 -2
- package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
- package/dist/baseline/salt.d.ts +0 -45
- package/dist/baseline/salt.d.ts.map +0 -1
- package/dist/baseline/salt.js.map +0 -1
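--- a/package/dist/baseline/types.d.ts
+++ b/package/dist/baseline/types.d.ts
@@ -9,20 +9,20 @@
 * identity." Each finding has up to several fingerprint axes,
 * differentiated by what they capture:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
+* for code/secret/config/hygiene findings. Locates a finding
+* in the source tree with ±2 line drift tolerance via bucket
+* windowing. Stable across small reformat / whitespace edits;
+* drifts on bigger shifts (closed by git-aware match).
+* - **Domain fingerprint** — `(package, version, advisoryId)` for
+* dep-vulns; `(package, version, licenseType)` for licenses;
+* normalized block hash for jscpd. Captures *what the finding
+* is about* independent of source position. Drift-immune.
+* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
+* when a symbol is known. Survives any vertical drift within
+* the symbol body.
+* - **Content fingerprint** — Sprint 0.x. Normalized snippet
+* hash; fallback when git history is unreachable.
 *
 * The hash format is identical across axes — 16-char lowercase hex
 * (SHA-1[0:16]). Callers don't need to know which axis a hash came
@@ -34,18 +34,18 @@
 * findings. Each `IdentityInput` discriminant maps 1:1 to an existing
 * gather pipeline:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - `secret` / `code` / `config` — security analyzer's
+* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
+* private-key files, env-in-git).
+* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
+* npm-audit, pip-audit, cargo-audit, etc.).
+* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
+* - `coverage-gap` — coverage-gap report entries (file + symbol
+* when available, fallback to file + line range).
+* - `test-gap` — non-test source files flagged by the test-gaps
+* analyzer.
+* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
+* occurrences (per-occurrence identity).
 *
 * License attributions are NOT a baseline finding kind. They live in
 * the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
@@ -67,38 +67,76 @@
 */
 export type FindingId = string;
 /**
-* Identity-scheme version.
-*
-*
+* Identity-scheme version. Bumped whenever the hashing inputs change in a
+* way that would invalidate stored baselines / allowlists.
+*
+* - `v1` — the pre-2.11 scheme: code/secret/config hashed
+* `(canonicalRule, file, lineWindow)`; dep-vuln hashed
+* `(package, installedVersion, id)`.
+* - `v2` (current) — content-anchored: code = `(scope, spanHash,
+* ordinal)`, secret = salted HMAC, config = `(rule, file)`, all with
+* a line-window fallback; dep-vuln = `(package, canonicalAdvisoryId)`.
+*
+* `identityFor` can compute EITHER scheme (every shipped scheme's id
+* function is retained — see `computeFingerprintV1`), which is what lets
+* the identity migrator build an `old → new` remap and carry allowlist
+* entries across an upgrade. The version is stamped on the baseline +
+* allowlist files so a later dxkit can detect the gap and migrate.
+*
+* Adding a future `v3`: extend this union, add its branch in
+* `identityFor`, retain the prior scheme's id function, and the migrator
+* + `update` handle the rest with no further wiring.
 */
-export type IdentitySchemeVersion = 'v1';
+export type IdentitySchemeVersion = 'v1' | 'v2';
+/** The scheme `identityFor` mints new identities under by default, and the
+* version stamped on freshly written baseline / allowlist files. */
+export declare const CURRENT_IDENTITY_SCHEME: IdentitySchemeVersion;
 /**
 * Discriminated union of every finding kind that participates in
 * identity. Producers wrap their per-tool finding shape into one of
 * these before calling `identityFor`.
 *
 * Adding a new finding kind to the dispatch is a three-line change:
-*
-*
-*
+* 1. Add the per-kind interface below.
+* 2. Append the interface name to this union.
+* 3. Add the corresponding case branch in `identityFor`.
 *
 * The hash format is SHA-1[0:16] across every kind — callers store
 * identities in one flat set without tracking provenance.
 */
 export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput | StaleAllowIdentityInput;
+/**
+* Content anchor for the secret/code/config identity schemes.
+* Derived from WHAT a finding is, not WHERE it sits, so identity
+* survives the finding moving lines:
+* - secret → salted HMAC of the value (`computeSecretHmac`).
+* - code → `codeContentAnchor(scope, span, ordinal)` — enclosing
+* symbol + normalized-span hash + in-scope ordinal.
+* - config → `''` (identity is just `(canonicalRule, file)`; a config
+* finding is inherently line-independent).
+*
+* Optional: when absent, `identityFor` falls back to the legacy
+* line-window hash; when present, the dispatch prefers this anchor and
+* `line` becomes display metadata only.
+*/
+export type ContentAnchor = string;
 /** gitleaks + private-key files + similar secret detectors. */
 export interface SecretIdentityInput {
 readonly kind: 'secret';
 /** Producer tool name as reported by the analyzer (e.g. 'gitleaks'). */
 readonly tool: string;
 /** Producer-specific rule id. The canonical-rule map collapses
-*
+* cross-tool overlaps where they exist. */
 readonly rule: string;
 /** Project-relative file path. */
 readonly file: string;
 /** 1-based line number. Bucketed to absorb small drift between
-*
+* tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. Display metadata
+* once `contentAnchor` is present. */
 readonly line: number;
+/** Salted HMAC of the secret value (Content anchor). Present when
+* the gather could derive a salt; absent → line-based fallback. */
+readonly contentAnchor?: ContentAnchor;
 }
 /** semgrep + TLS-bypass registry + per-language code-pattern providers. */
 export interface CodeIdentityInput {
@@ -107,6 +145,9 @@ export interface CodeIdentityInput {
 readonly rule: string;
 readonly file: string;
 readonly line: number;
+/** `codeContentAnchor(scope, span, ordinal)`. Present when the
+* aggregator could resolve a span/scope; absent → line-based fallback. */
+readonly contentAnchor?: ContentAnchor;
 }
 /** Configuration-class findings (e.g. .env tracked in git). */
 export interface ConfigIdentityInput {
@@ -116,6 +157,9 @@ export interface ConfigIdentityInput {
 readonly file: string;
 /** Line 0 acceptable for whole-file findings. */
 readonly line: number;
+/** `''` for config (identity is `(canonicalRule, file)`). Carried for
+* uniformity with the other code-side inputs. */
+readonly contentAnchor?: ContentAnchor;
 }
 /** Dependency-advisory findings (osv-scanner / npm-audit / pip-audit / ...). */
 export interface DepVulnIdentityInput {
@@ -123,28 +167,34 @@ export interface DepVulnIdentityInput {
 /** Package name as reported by the producer. */
 readonly package: string;
 /** Installed version string, when known. Absent for findings produced
-*
+* without an accessible lockfile. Display metadata only — NOT part of
+* the fingerprint (it's environment-dependent; see
+* `computeFingerprint`). */
 readonly installedVersion: string | undefined;
 /** Advisory id (GHSA / CVE / RUSTSEC / etc.). Producer-canonical. */
 readonly id: string;
+/** Cross-namespace aliases (CVE / GHSA / OSV / SNYK …) the producer
+* surfaced. Used to canonicalize identity so the same advisory found
+* by different scanners shares one fingerprint. */
+readonly aliases?: readonly string[];
 }
 /** jscpd-style duplicate-block findings. */
 export interface DuplicationIdentityInput {
 readonly kind: 'duplication';
 /** Files on each side of the duplicate pair. Order is normalized
-*
+* inside `identityFor` so swapped sides hash identically. */
 readonly fileA: string;
 readonly fileB: string;
 /** Line count of the duplicated block. `lines` is preferred over
-*
-*
-*
-*
+* the `tokens` field jscpd also reports because jscpd's JSON
+* reporter does not populate `tokens` in practice — it's always
+* 0, which would degenerate the identity tuple and silently lose
+* the "block-size changes → identity changes" property. */
 readonly lines: number;
 /** Start line of the block on side A. Combined with `startLineB`
-*
-*
-*
+* this distinguishes intra-file clones at different positions
+* (same `fileA === fileB`, different line ranges) which would
+* otherwise collapse to one identity. */
 readonly startLineA: number;
 /** Start line of the block on side B. */
 readonly startLineB: number;
@@ -159,11 +209,11 @@ export interface CoverageGapIdentityInput {
 readonly kind: 'coverage-gap';
 readonly file: string;
 /** Function / method / class symbol. Present when the gap is
-*
-*
+* attributable to a named symbol; absent for line-range-only
+* attribution. */
 readonly symbol?: string;
 /** Inclusive `[startLine, endLine]`. Required when `symbol` is
-*
+* absent. */
 readonly lineRange?: readonly [number, number];
 }
 /**
@@ -233,9 +283,9 @@ export interface StaleFileIdentityInput {
 readonly kind: 'stale-file';
 readonly file: string;
 /** Lower-case suffix without the leading dot (`'swp'`, `'bak'`,
-*
-*
-*
+* `'orig'`, `'tmp'`). The producer derives this from the file
+* extension; storing it in identity makes the reason for the
+* flag inspectable from the baseline alone. */
 readonly suffix: string;
 }
 /**
@@ -277,8 +327,8 @@ export interface SecretHmacIdentityInput {
 /** Producer tool name (e.g. 'gitleaks'). */
 readonly tool: string;
 /** Producer-specific rule id. The canonical-rule map applies here
-*
-*
+* too: two tools detecting the same secret class collapse to one
+* canonical rule. */
 readonly rule: string;
 /** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
 readonly hmac: string;
@@ -304,9 +354,9 @@ export interface StaleAllowIdentityInput {
 readonly file: string;
 readonly line: number;
 /** The category named in the orphaned annotation. Free-form
-*
-*
-*
+* string at identity-input level (the canonical
+* `AllowlistCategory` union lives in `src/allowlist/categories.ts`
+* to avoid a cross-module import here in the baseline types). */
 readonly category: string;
 }
 /**
@@ -324,18 +374,18 @@ export type BaselineEntry = {
 file: string;
 line: number;
 /** 16-char hex hash of normalized context around `line` at
-*
-*
-*
-*
-*
+* baseline-create time. Stamped via `computeContentHashFromCommit`;
+* the matcher's third pass uses it as a fallback when git-aware
+* location matching fails (shallow clones, force-pushed base,
+* context survives but line shifts past the fuzz window). Absent
+* when the producer couldn't read the file. */
 contentHash?: string;
 /** Fingerprints of cross-tool / neighbor-bucket / CWE-bridge
-*
-*
-*
-*
-*
+* findings that the aggregator collapsed into this one. Carried
+* so an allowlist entry keyed on a contributing fingerprint still
+* suppresses the merged finding — robust matching against dedup
+* nondeterminism between runs. Present only when such a merge
+* fired. */
 absorbedFingerprints?: readonly string[];
 } | {
 id: FindingId;
@@ -369,8 +419,8 @@ export type BaselineEntry = {
 line: number;
 marker: HygieneMarker;
 /** Same content-hash semantics as the secret/code/config variant
-*
-*
+* — populated when the producer can read the file at the
+* baseline commit. */
 contentHash?: string;
 } | {
 id: FindingId;
@@ -444,17 +494,17 @@ export interface SanitizedBaselineEntry {
 * the prose and use the codes for filtering / policy decisions.
 *
 * `priorId` and `currentId` are both optional because:
-*
-*
-*
-*
-*
-*
+* - `added` → only `currentId` is present.
+* - `removed` → only `priorId` is present.
+* - `persisted` / `relocated` → both, and they may differ when a
+* location fingerprint shifted across the line-window boundary
+* (each "side" has its own hash even though they describe the
+* same finding).
 */
 export type MatchStatus = 'persisted' | 'relocated' | 'added' | 'removed';
 export interface MatchReason {
 /** Short code: 'exact-id', 'git-line-exact', 'git-line-fuzz',
-*
+* 'git-rename', 'multiset-occurrence'. */
 readonly code: string;
 /** Human-readable explanation suitable for end-user rendering. */
 readonly detail: string;
@@ -464,7 +514,7 @@ export interface MatchPair {
 readonly currentId?: FindingId;
 readonly status: MatchStatus;
 /** Confidence in [0, 1]. 1.0 = exact identity; <1.0 = paired via
-*
+* a fallback layer (git relocation, line-fuzz, rename). */
 readonly confidence: number;
 readonly reasons: ReadonlyArray<MatchReason>;
 }
@@ -479,26 +529,26 @@ export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low';
 * check can emit. Wider than `MatchStatus` because policy adds context
 * the matcher doesn't have:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - `persisted` / `relocated` / `added` / `removed` — direct
+* pass-through of the matcher's pair status.
+* - `fixed` — a `removed` finding that the policy treats as a
+* positive event (resolution rather than disappearance). Today
+* this is informational only; Phase 3 distinguishes the two when
+* `--detailed` flags it.
+* - `newly_detected` — current-only finding that surfaced because
+* the scanner / ruleset / advisory DB / policy config changed,
+* not because a developer introduced new code. Parent category;
+* `tooling_drift` and `config_drift` are the specific subtypes.
+* - `tooling_drift` — scanner or advisory-db version differs
+* between baseline and current. Reclassified `added` is suspect.
+* - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
+* differs between runs.
+* - `probable_existing` — current-only with weak evidence it's
+* truly new (a prior near-match exists but didn't pair cleanly).
+* Reserved for the content-hash / semantic fallback layer in
+* Sprint 0.x.
+* - `uncertain` — confidence below the per-severity threshold;
+* the policy can't classify with conviction.
 *
 * The enum is the contract Phase 3's guardrail CLI reads. Today's
 * classifier emits a subset — the remaining states are reserved for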
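Review bot: The rewritten file-header comment in the first hunk still describes the dep-vuln domain fingerprint as `(package, version, advisoryId)`, while the `IdentitySchemeVersion` doc added in the third hunk states that the current `v2` scheme hashes `(package, canonicalAdvisoryId)` and the `installedVersion` comment in the `DepVulnIdentityInput` hunk says the version is "NOT part of the fingerprint"; unless the header is deliberately describing `v1`, a reader will conclude that upgrading a dependency changes the finding's identity, which is the opposite of what the scheme doc promises. Suggest changing the header bullet to `* - **Domain fingerprint** — (package, canonicalAdvisoryId) for` and mentioning the version-bearing tuple only as the `v1` form. Separately, `export type ContentAnchor = string;` gives no compile-time separation between the salted HMAC that gets persisted into baseline/allowlist files and the raw secret value it is derived from; a branded alias such as `type ContentAnchor = string & { readonly __brand: 'ContentAnchor' };` in `src/baseline/types.ts` (this `.d.ts` is emitted from it, per the sourcemap) would make a producer that assigns the matched value instead of the `computeSecretHmac(...)` result fail to type-check. The header comment block begins before the first hunk.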
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG,IAAI,CAAC;AAEhD;qEACqE;AACrE,eAAO,MAAM,uBAAuB,EAAE,qBAA4B,CAAC;AAEnE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC;AAEnC,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0CAEsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;uEACmE;IACnE,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;8EAC0E;IAC1E,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;qDACiD;IACjD,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;gCAG4B;IAC5B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB;;uDAEmD;IACnD,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;iEAC6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAA
C;IACvB;;;;+DAI2D;IAC3D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;6CAGyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;sBAEkB;IAClB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;iBACa;IACb,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;mDAG+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;yBAEqB;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;qEAGiE;IACjE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE
,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;mDAK+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;gBAKY;IACZ,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;0BAEsB;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACpF,sBAAsB,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,IAAI,EACT,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,UAAU,GACV,a
AAa,GACb,cAAc,GACd,UAAU,GACV,SAAS,GACT,uBAAuB,GACvB,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,aAAa,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;8CAC0C;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;+DAC2D;IAC3D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
|
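--- a/package/dist/baseline/types.js
+++ b/package/dist/baseline/types.js
@@ -10,20 +10,20 @@
 * identity." Each finding has up to several fingerprint axes,
 * differentiated by what they capture:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
+* for code/secret/config/hygiene findings. Locates a finding
+* in the source tree with ±2 line drift tolerance via bucket
+* windowing. Stable across small reformat / whitespace edits;
+* drifts on bigger shifts (closed by git-aware match).
+* - **Domain fingerprint** — `(package, version, advisoryId)` for
+* dep-vulns; `(package, version, licenseType)` for licenses;
+* normalized block hash for jscpd. Captures *what the finding
+* is about* independent of source position. Drift-immune.
+* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
+* when a symbol is known. Survives any vertical drift within
+* the symbol body.
+* - **Content fingerprint** — Sprint 0.x. Normalized snippet
+* hash; fallback when git history is unreachable.
 *
 * The hash format is identical across axes — 16-char lowercase hex
 * (SHA-1[0:16]). Callers don't need to know which axis a hash came
@@ -35,18 +35,18 @@
 * findings. Each `IdentityInput` discriminant maps 1:1 to an existing
 * gather pipeline:
 *
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
-*
+* - `secret` / `code` / `config` — security analyzer's
+* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
+* private-key files, env-in-git).
+* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
+* npm-audit, pip-audit, cargo-audit, etc.).
+* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
+* - `coverage-gap` — coverage-gap report entries (file + symbol
+* when available, fallback to file + line range).
+* - `test-gap` — non-test source files flagged by the test-gaps
+* analyzer.
+* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
+* occurrences (per-occurrence identity).
 *
 * License attributions are NOT a baseline finding kind. They live in
 * the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
@@ -56,4 +56,8 @@
 * lifted out.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.CURRENT_IDENTITY_SCHEME = void 0;
+/** The scheme `identityFor` mints new identities under by default, and the
+* version stamped on freshly written baseline / allowlist files. */
+exports.CURRENT_IDENTITY_SCHEME = 'v2';
 //# sourceMappingURL=types.js.map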
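Review bot: The Location fingerprint bullet added in the first hunk (new lines 13–17) should spell out the suppression consequence of bucket windowing: the identity is `(canonicalRule, file, lineWindow)` with no content component, so as far as the hash definition shows, a baseline or allowlist entry keyed on it also matches a different same-rule finding that lands in the same ±2-line window (a replacement secret on the next line, say), and a reviewed suppression would carry over to an unreviewed finding. I would add after the "drifts on bigger shifts" line `*   NOTE: no content component — an allowlisted location identity also covers any later same-rule finding in that window; only the content fingerprint (normalized snippet hash) pins the snippet itself.` The `CURRENT_IDENTITY_SCHEME` TSDoc in the third hunk covers the write side only; one sentence on what readers do with a file stamped with another scheme (re-key, ignore, or reject — whichever `identityFor`'s callers actually do, which is not visible here) would keep v1-stamped files from being silently mis-matched against v2 identities.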
@@ -1 +1 @@
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG"}
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;;AAsCH;qEACqE;AACxD,QAAA,uBAAuB,GAA0B,IAAI,CAAC"}
@@ -1,42 +1,62 @@
1
|
-
|
|
2
|
-
* `vyuh-dxkit context-hook` — the Claude Code PreToolUse hook that
|
|
3
|
-
* delivers the token-reduction win passively. Wired into a scaffolded
|
|
4
|
-
* repo's `.claude/settings.json` with a `Grep|Glob` matcher: when an
|
|
5
|
-
* agent is about to search the codebase, this hook injects a slim
|
|
6
|
-
* structural map as `additionalContext` so the agent needs fewer
|
|
7
|
-
* follow-up whole-file reads.
|
|
8
|
-
*
|
|
9
|
-
* THE CONTRACT IS FAIL-OPEN + ADDITIVE. This hook can only ever ADD
|
|
10
|
-
* context; it never blocks the tool, never replaces grep output, and
|
|
11
|
-
* stays a silent no-op (exit 0, no stdout) on ANY problem — missing
|
|
12
|
-
* graph.json, parse error, no keyword match, unreadable stdin. So
|
|
13
|
-
* Claude Code behaves exactly as it does today whenever the graph is
|
|
14
|
-
* absent or unhelpful; the hook is pure upside.
|
|
15
|
-
*
|
|
16
|
-
* Claude Code passes the tool call as JSON on stdin
|
|
17
|
-
* (`{ tool_name, tool_input: { pattern, ... }, ... }`) and reads a
|
|
18
|
-
* JSON object on stdout with `hookSpecificOutput.additionalContext`.
|
|
19
|
-
*/
|
|
20
|
-
import { type ContextResult } from './queries';
|
|
1
|
+
import { type ContextResult, type FileSummary } from './queries';
|
|
21
2
|
import type { Graph } from './types';
|
|
3
|
+
/** What the agent's tool call resolved to: a specific file, or a search term. */
|
|
4
|
+
type HookTarget = {
|
|
5
|
+
kind: 'file';
|
|
6
|
+
file: string;
|
|
7
|
+
} | {
|
|
8
|
+
kind: 'pattern';
|
|
9
|
+
pattern: string;
|
|
10
|
+
};
|
|
22
11
|
/**
|
|
23
|
-
* Entry point for `case 'context-hook'`. Reads stdin,
|
|
24
|
-
* writes the hook output. Wrapped so nothing it
|
|
25
|
-
* tool call: every failure path resolves to a silent
|
|
12
|
+
* Entry point for `case 'context-hook'`. Reads stdin, resolves the
|
|
13
|
+
* target, runs the query, writes the hook output. Wrapped so nothing it
|
|
14
|
+
* does can fail the tool call: every failure path resolves to a silent
|
|
15
|
+
* no-op.
|
|
26
16
|
*/
|
|
27
17
|
export declare function runContextHook(cwd: string): Promise<void>;
|
|
18
|
+
/** The fields of the PreToolUse payload the hook consumes. */
|
|
19
|
+
interface HookPayload {
|
|
20
|
+
toolName?: string;
|
|
21
|
+
toolInput: Record<string, unknown>;
|
|
22
|
+
sessionId?: string;
|
|
23
|
+
}
|
|
24
|
+
/** Parse the raw stdin JSON into the subset of fields the hook needs. */
|
|
25
|
+
export declare function parsePayload(rawStdin: string): HookPayload | undefined;
|
|
26
|
+
/**
|
|
27
|
+
* Decide what to inject context about, given the tool the agent invoked.
|
|
28
|
+
* Returns undefined (→ no-op) for tools/inputs we can't confidently map.
|
|
29
|
+
*/
|
|
30
|
+
export declare function resolveHookTarget(payload: HookPayload, graph: Graph, cwd: string): HookTarget | undefined;
|
|
31
|
+
/**
|
|
32
|
+
* Extract a grep/rg target from a Bash command. Prefers a concrete
|
|
33
|
+
* source file named in the command (→ that file's structural summary);
|
|
34
|
+
* otherwise falls back to the search pattern (→ symbol-name match). Only
|
|
35
|
+
* fires for recognised search tools so an arbitrary Bash command is a
|
|
36
|
+
* clean no-op.
|
|
37
|
+
*/
|
|
38
|
+
export declare function parseBashForTarget(command: string, graph: Graph, cwd: string): HookTarget | undefined;
|
|
39
|
+
/**
|
|
40
|
+
* Compact `additionalContext` body for a FILE target: the file's
|
|
41
|
+
* symbols, who depends on it (caller files), and what it reaches into
|
|
42
|
+
* (callee files). Terser than the CLI's markdown — the hook pays this on
|
|
43
|
+
* every read. Leads with provenance + a best-effort caveat so the agent
|
|
44
|
+
* calibrates trust.
|
|
45
|
+
*/
|
|
46
|
+
export declare function formatFileContext(summary: FileSummary, graph: Graph): string;
|
|
28
47
|
/**
|
|
29
|
-
* Extract the search keyword from
|
|
30
|
-
*
|
|
31
|
-
*
|
|
48
|
+
* Extract the search keyword from a Grep/Glob-style payload. Both carry
|
|
49
|
+
* it on `tool_input.pattern`. Returns undefined for anything we can't
|
|
50
|
+
* confidently read (→ no-op upstream).
|
|
32
51
|
*/
|
|
33
52
|
export declare function extractPattern(rawStdin: string): string | undefined;
|
|
34
53
|
/**
|
|
35
|
-
* Compact `additionalContext` body. Terser than the
|
|
36
|
-
* (the hook pays this cost on every grep): an anchor line,
|
|
37
|
-
* radius, and the top symbols grouped by their leading community.
|
|
54
|
+
* Compact `additionalContext` body for a PATTERN target. Terser than the
|
|
55
|
+
* CLI's markdown (the hook pays this cost on every grep): an anchor line,
|
|
56
|
+
* blast radius, and the top symbols grouped by their leading community.
|
|
38
57
|
* Leads with a one-line provenance + best-effort caveat so the agent
|
|
39
58
|
* calibrates trust.
|
|
40
59
|
*/
|
|
41
60
|
export declare function formatHookContext(result: ContextResult, graph: Graph): string;
|
|
61
|
+
export {};
|
|
42
62
|
//# sourceMappingURL=context-hook.d.ts.map
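Review bot: `parseBashForTarget` (new lines 32–38) is documented as preferring "a concrete source file named in the command" and takes `cwd`, but nothing states how that path is resolved or confined — a Bash command naming an absolute path or a `../` path outside the repo should map to undefined, not to a summary, and the doc should say whether resolution is a pure graph-key lookup or touches the filesystem. I would add to that TSDoc `* File references are matched by graph key relative to cwd only; absolute paths and paths escaping cwd resolve to undefined.` — or the wording that matches what the implementation actually does, which a .d.ts does not show. The removed file header carried the only description of the wire format (`{ tool_name, tool_input: { pattern, … } }` in, `hookSpecificOutput.additionalContext` out) and of the fail-open contract; `parsePayload`'s one-liner should at least state that it presumably maps snake_case `tool_name`/`tool_input` onto `HookPayload`'s camelCase fields and returns undefined (→ no-op) on unparsable or non-object stdin. Separately, `HookPayload` and `HookTarget` appear in exported signatures but are not exported (the trailing `export {}` confirms nothing else is), so consumers and tests cannot name them; `export type` on both in the source would fix that.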
@@ -1 +1 @@
1
|
-
{"version":3,"file":"context-hook.d.ts","sourceRoot":"","sources":["../../src/explore/context-hook.ts"],"names":[],"mappings":"
1
|
+
{"version":3,"file":"context-hook.d.ts","sourceRoot":"","sources":["../../src/explore/context-hook.ts"],"names":[],"mappings":"AA2CA,OAAO,EAAkC,KAAK,aAAa,EAAE,KAAK,WAAW,EAAE,MAAM,WAAW,CAAC;AAEjG,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAKrC,iFAAiF;AACjF,KAAK,UAAU,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAExF;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAmD/D;AAED,8DAA8D;AAC9D,UAAU,WAAW;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,yEAAyE;AACzE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAkBtE;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,WAAW,EACpB,KAAK,EAAE,KAAK,EACZ,GAAG,EAAE,MAAM,GACV,UAAU,GAAG,SAAS,CAqBxB;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,KAAK,EACZ,GAAG,EAAE,MAAM,GACV,UAAU,GAAG,SAAS,CA2BxB;AAiBD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,KAAK,GAAG,MAAM,CA4C5E;AA8CD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAcnE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,GAAG,MAAM,CAiC7E"}