dw-kit 1.3.5 → 1.4.0

package/CLAUDE.md

@@ -3,7 +3,7 @@
 Workflow toolkit codebase. Rules live in `.claude/rules/` (auto-loaded).
 
 **v2.0 direction:** Context-First SDLC Governance Layer (5 pillars — see `.dw/core/PILLARS.md`)
-**Current:** v1.3.5 (released 2026-05-12) · ADR-0001 active · ADR-0005 Accepted (Supply-Chain Guard, sunset review 2026-08-12) · v1.4 cuts pending telemetry
+**Current:** v1.3.6 (released 2026-05-14) · ADR-0001 active · ADR-0005 + ADR-0006 Accepted (Supply-Chain Guard 3-pillar AI-Native; sunset review 2026-08-12 per pillar) · v1.4 cuts pending telemetry
 
 ---
 

package/README.md

@@ -2,7 +2,7 @@
 
 > An AI development workflow toolkit for teams using agentic IDEs (Claude Code, Cursor) — from idea to review-ready commits.
 
-**v1.3.5** · `npm install -g dw-kit` · [Docs](docs/README.md) · [Get started](docs/get-started.md) · [Cheatsheet](docs/cheatsheet.md) · [Migration v1.3](MIGRATION-v1.3.md) · [Changelog](CHANGELOG.md)
+**v1.3.6** · `npm install -g dw-kit` · [Docs](docs/README.md) · [Get started](docs/get-started.md) · [Cheatsheet](docs/cheatsheet.md) · [Migration v1.3](MIGRATION-v1.3.md) · [Changelog](CHANGELOG.md)
 
 ---
 
@@ -36,7 +36,9 @@ It’s designed for collaboration (Dev / Tech Lead / QA / PM) and keeps work aud
 
 ## Release notes
 
-- **v1.3.5** (2026-05-12) — AI-Native Supply-Chain Guard: `dw security-scan` CLI + OSV.dev auto-sync + Edit-lockfile hook + scoped `.gitignore` for end-user projects. See [`CHANGELOG.md#v135--2026-05-12`](CHANGELOG.md#v135--2026-05-12) and [ADR-0005](.dw/decisions/0005-supply-chain-guard.md). Public 90-day sunset review committed for 2026-08-12.
+- **v1.4 (in progress)** — Optional **Review Render Pipeline** ([ADR-0007](.dw/decisions/0007-decoupled-review-render-pipeline.md)): `/dw:review --visual` plus a separate `dw-kit-render` package turn findings into SVG + PNG cards for PR comments / Slack / stakeholders. Pure JS + WASM, universal `npm install`, no system deps. See [`docs/review-renderer.md`](docs/review-renderer.md).
+- **v1.3.6** (2026-05-14) — Supply-Chain Guard upgraded to 3-pillar architecture: OSV snapshot + curated IoC fixture (version-aware, wired into default scan) + **AI-Native NEW-package heuristic** that catches zero-day-ish risk at the AI-edit boundary. See [`CHANGELOG.md#v136--2026-05-14`](CHANGELOG.md#v136--2026-05-14) and [ADR-0006](.dw/decisions/0006-supply-chain-guard-heuristic.md).
+- v1.3.5 (2026-05-12) — AI-Native Supply-Chain Guard: `dw security-scan` CLI + OSV.dev auto-sync + Edit-lockfile hook + scoped `.gitignore` for end-user projects. See [ADR-0005](.dw/decisions/0005-supply-chain-guard.md). Public 90-day sunset review committed for 2026-08-12.
 - v1.3.4 (2026-04-21) — `/dw:plan` Quick Debate (red/blue self-critique), depth-driven activation
 - v1.3.3 (2026-04-21) — Writer skills v1/v2 compatibility fix
 - v1.3.0 (2026-04-21) — 5-pillar governance layer + telemetry foundation + ADRs + v2 task docs ([ADR-0001](.dw/decisions/0001-v2-pragmatic-lean.md))
@@ -44,6 +46,17 @@ It’s designed for collaboration (Dev / Tech Lead / QA / PM) and keeps work aud
 - Full changelog: `CHANGELOG.md`
 - Latest release notes: [GitHub Releases](https://github.com/dv-workflow/dv-workflow/releases)
 
+### What's in v1.3.6 for your team
+
+Reaction time when a supply-chain incident drops goes from 24-72 hours (wait for OSV index + npm publish cycle) to **~1 hour** (AI edits lockfile → hook fires → heuristic flags BEFORE anyone knows).
+
+- **3-pillar default scan** — `dw security-scan` now runs OSV snapshot + curated IoC fixture + AI-Native heuristic in one go. Heuristic only probes NEW/bumped packages from `git show HEAD:package-lock.json` diff — typical edit = 1-5 packages probed, not 1000+.
+- **npm registry metadata heuristic** — composite scoring on `recent_publish` (<72h), `popular_package` (≥10k weekly DL), `maintainer_change_recent`, `major_version_jump`, `typo_squat`. Per-package metadata cached 1h. Tunable threshold via `.dw/config/dw.config.yml`.
+- **Version-aware IoC fixture** — `affected_range` per entry. Concrete versions out-of-range are skipped (no false positives). Range specs (`^1.169.0`) emit ambiguity warnings with severity downgrade.
+- **Hook fires `dw security-scan --heuristic-only`** on Claude Code lockfile edit — fast diff-only check.
+- **Telemetry per pillar** — `source: 'osv' | 'fixture' | 'heuristic'` tracked separately so the 2026-08-12 sunset review attributes catches to the right pillar.
+- **`>1000 packages`** crash bug from v1.3.5 fixed (chunked OSV batches).
+
 ### What's in v1.3.5 for your team
 
 - **`dw security-scan`** — scan for known supply-chain advisories against your project's `package-lock.json` (full match) or `package.json` (pre-install approximate). Uses [OSV.dev](https://osv.dev/) as data source (multi-maintainer upstream feed; no solo-curated bundle to go stale).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dw-kit",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "description": "AI development workflow toolkit — structured, quality-assured, team-ready. From requirements to dashboard.",
   "type": "module",
   "bin": {
@@ -56,6 +56,7 @@
   },
   "scripts": {
     "test": "node src/smoke-test.mjs",
+    "test:renderer": "cd packages/dw-kit-render && npm test",
     "link": "npm link",
     "test:e2e-local": "bash scripts/e2e-local-check.sh"
   },

package/src/cli.mjs

@@ -103,11 +103,14 @@ export function run(argv) {
 
   program
     .command('security-scan')
-    .description('Scan project lockfile against advisory snapshot (OSV.dev). Supply-chain guard (ADR-0005, opt-in).')
+    .alias('scan')
+    .description('Scan project: 3-pillar supply-chain guard (OSV + fixture + AI-Native heuristic). Auto-syncs OSV snapshot if missing or stale.')
     .option('--quick', 'Offline mode — use existing snapshot only (default behavior)')
     .option('--update-db', 'Fetch fresh advisory snapshot from OSV.dev before scanning')
     .option('--pre-install', 'Scan package.json without lockfile (OSV name-only + namespace fixture)')
-    .option('--offline', 'Skip network in --pre-install mode (fixture-only)')
+    .option('--offline', 'Skip network in --pre-install mode + skip pillar 3 heuristic')
+    .option('--no-heuristic', 'Skip pillar 3 (AI-Native NEW-package heuristic). Default: enabled on lockfile diff.')
+    .option('--heuristic-only', 'Run ONLY pillar 3 (used by hook). Skips OSV + fixture pillars.')
     .option('--json', 'Output machine-readable JSON')
     .option('--install-hook', 'Wire supply-chain-scan.sh into .claude/settings.json PostToolUse (idempotent)')
     .option('--uninstall-hook', 'Remove supply-chain-scan.sh entry from .claude/settings.json')
@@ -128,6 +131,21 @@ export function run(argv) {
       await securityScanCommand(opts);
     });
 
+  const reviewCmd = program
+    .command('review')
+    .description('Review subcommands (ADR-0007)');
+
+  reviewCmd
+    .command('render <manifest>')
+    .description('Render a /dw:review --visual manifest into SVG/PNG (requires dw-kit-render) or markdown summary fallback')
+    .option('-f, --format <kind>', 'Override output formats: svg | png | both', null)
+    .option('-s, --strategy <name>', 'Override strategy: auto | plugin | markdown-only', null)
+    .option('-q, --quiet', 'Suppress info logs (still exits non-zero on hard errors)')
+    .action(async (manifest, opts) => {
+      const { reviewRenderCommand } = await import('./commands/review-render.mjs');
+      await reviewRenderCommand(manifest, opts);
+    });
+
   program
     .command('claude-vn-fix')
     .description('Patch Claude CLI to fix Vietnamese IME (local, with backup/restore)')

package/src/commands/doctor.mjs

@@ -1,12 +1,29 @@
 import { existsSync, readFileSync } from 'node:fs';
+import { createRequire } from 'node:module';
 import { join, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { header, ok, warn, err, info, log } from '../lib/ui.mjs';
-import { loadConfig, getToolkitVersions } from '../lib/config.mjs';
+import { loadConfig, getToolkitVersions, getReviewRendererConfig } from '../lib/config.mjs';
 import { detectPlatform, platformLabel } from '../lib/platform.mjs';
 import { snapshotInfo } from '../lib/sc-sync.mjs';
 
 const TOOLKIT_ROOT = resolve(fileURLToPath(import.meta.url), '..', '..', '..');
+const RENDER_PACKAGE = 'dw-kit-render';
+
+function tryResolveRenderer(projectDir) {
+  if (process.env.DW_REVIEW_NO_RENDERER === '1') return { ok: false, reason: 'disabled by DW_REVIEW_NO_RENDERER=1' };
+  const reqProject = createRequire(join(projectDir, 'package.json'));
+  for (const req of [reqProject, createRequire(import.meta.url)]) {
+    try {
+      const pkgPath = req.resolve(`${RENDER_PACKAGE}/package.json`);
+      const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+      return { ok: true, version: pkg.version };
+    } catch {
+      // try next
+    }
+  }
+  return { ok: false };
+}
 
 const CORE_FILES = [
   '.dw/core/WORKFLOW.md',
@@ -151,6 +168,29 @@ export async function doctorCommand() {
     }
   }
 
+  info('Review Render Pipeline (ADR-0007, opt-in)');
+  const rendererCfg = existsSync(configPath) ? getReviewRendererConfig(loadConfig(configPath) || {}) : getReviewRendererConfig({});
+  log(`  Strategy    : ${rendererCfg.strategy}`);
+  log(`  Formats     : ${rendererCfg.formats.join(', ')}`);
+  log(`  Theme/Font  : ${rendererCfg.theme} / ${rendererCfg.font}`);
+
+  if (rendererCfg.strategy === 'markdown-only') {
+    log('  Renderer    : skipped (strategy=markdown-only)');
+  } else {
+    const r = tryResolveRenderer(projectDir);
+    if (r.ok) {
+      ok(`Renderer    : dw-kit-render v${r.version || '?'} resolvable`);
+    } else if (rendererCfg.strategy === 'plugin') {
+      err("Renderer    : 'dw-kit-render' NOT installed but strategy='plugin'");
+      log(`  Install:  npm install -g dw-kit-render`);
+      issues++;
+    } else {
+      warn(`Renderer    : 'dw-kit-render' not installed — /dw:review --visual will fall back to markdown`);
+      log(`  Install (optional):  npm install -g dw-kit-render`);
+      warnings++;
+    }
+  }
+
   info('Supply-Chain Guard (ADR-0005, opt-in)');
   const sc = snapshotInfo(projectDir);
   if (!sc.exists) {

package/src/commands/init.mjs

@@ -193,7 +193,51 @@ async function maybeInstallSupplyChainHook(projectDir, presetKey) {
   }
   if (result.action === 'added') {
     ok('Supply-chain guard hook wired (ADR-0005 — opt-in flag enabled)');
-    log('  First scan: `dw security-scan --update-db`');
+  }
+
+  // UX: offer one-time OSV snapshot sync so end-user doesn't need to know
+  // `--update-db` exists. Lazy auto-refresh in `dw scan` covers the case
+  // when user declines, but offering during init gets snapshot ready upfront.
+  await maybeBootstrapOsvSnapshot(projectDir);
+}
+
+async function maybeBootstrapOsvSnapshot(projectDir) {
+  // Non-TTY (CI / scripted): default yes so the snapshot exists for next scan.
+  // TTY: prompt user, default yes.
+  let shouldSync = true;
+  if (process.stdin.isTTY && !process.env.DW_INIT_NO_PROMPT) {
+    try {
+      const { prompt } = await import('enquirer');
+      const answer = await prompt({
+        type: 'confirm',
+        name: 'syncNow',
+        message: 'Sync OSV advisory snapshot now? (recommended first-time; ~10-30s)',
+        initial: true,
+      });
+      shouldSync = !!answer.syncNow;
+    } catch {
+      shouldSync = true;
+    }
+  }
+  if (!shouldSync) {
+    log('  Skipped. First `dw scan` will auto-sync if needed.');
+    return;
+  }
+
+  const { findLockfile } = await import('../lib/sc-scanner.mjs');
+  if (!findLockfile(projectDir)) {
+    log('  No lockfile yet — first `dw scan` will sync after `npm install` runs.');
+    return;
+  }
+  log('  Syncing OSV snapshot...');
+  try {
+    const { syncSnapshotForProject } = await import('../lib/sc-sync.mjs');
+    const start = Date.now();
+    const res = await syncSnapshotForProject(projectDir);
+    const partialNote = res.partial ? ` (PARTIAL ${res.chunks.failed}/${res.chunks.total})` : '';
+    ok(`OSV snapshot ready — ${res.advisoryCount} advisories for ${res.packageCount} packages (${Date.now() - start}ms)${partialNote}`);
+  } catch (e) {
+    warn(`OSV sync skipped: ${e.message}. Will retry on first \`dw scan\`.`);
   }
 }
 

package/src/commands/review-render.mjs

@@ -0,0 +1,255 @@
+import { createRequire } from 'node:module';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { dirname, join, resolve, isAbsolute } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { performance } from 'node:perf_hooks';
+import chalk from 'chalk';
+import { header, ok, info, log, warn, err } from '../lib/ui.mjs';
+import { loadConfigWithLocal, getReviewRendererConfig } from '../lib/config.mjs';
+import { readManifest } from '../lib/review/manifest-validator.mjs';
+import { logEvent } from '../lib/telemetry.mjs';
+
+const RENDER_PACKAGE = 'dw-kit-render';
+const INSTALL_HINT = `  Install renderer with: ${chalk.cyan('npm install -g dw-kit-render')}\n  Or run: ${chalk.cyan('dw doctor')} for environment check.`;
+
+/**
+ * `dw review render <manifest>` — invoked by /dw:review --visual after writing manifest.
+ * See ADR-0007 for architecture.
+ *
+ * @param {string} manifestPath - path to manifest.json (relative or absolute)
+ * @param {{format?: string, strategy?: string, quiet?: boolean}} opts
+ */
+export async function reviewRenderCommand(manifestPath, opts = {}) {
+  const projectDir = process.cwd();
+  const absManifest = isAbsolute(manifestPath) ? manifestPath : resolve(projectDir, manifestPath);
+  const startedAt = performance.now();
+
+  if (!opts.quiet) header('dw review render');
+
+  // 1. Load + validate manifest.
+  const parseResult = readManifest(absManifest);
+  if (!parseResult.ok) {
+    err(`Manifest invalid: ${absManifest}`);
+    for (const e of parseResult.errors.slice(0, 10)) {
+      log(`  ${chalk.dim(e.path || '/')} — ${e.message}`);
+    }
+    logEvent({ event: 'review_render', action: 'fail', fallback_reason: 'invalid-manifest' }, projectDir);
+    process.exit(1);
+  }
+  const manifest = parseResult.manifest;
+
+  // 2. Resolve config + strategy.
+  const config = loadConfigWithLocal(join(projectDir, '.dw', 'config')) || {};
+  const rendererCfg = getReviewRendererConfig(config);
+  const strategy = opts.strategy || rendererCfg.strategy;
+  const formats = parseFormats(opts.format) || rendererCfg.formats;
+
+  // 3. Resolve output directory.
+  const outDir = resolveOutputDir(rendererCfg.output_dir, manifest, projectDir);
+  if (!existsSync(outDir)) mkdirSync(outDir, { recursive: true });
+
+  if (!opts.quiet) {
+    info('Render context');
+    log(`  Manifest    : ${absManifest}`);
+    log(`  Scope       : ${manifest.scope} (slug: ${manifest.scope_slug || '—'})`);
+    log(`  Findings    : ${manifest.findings.length}`);
+    log(`  Strategy    : ${strategy}`);
+    log(`  Formats     : ${formats.join(', ')}`);
+    log(`  Output dir  : ${outDir}`);
+  }
+
+  // 4. Resolve renderer (dw-kit-render package).
+  const rendererResolved = strategy === 'markdown-only' ? null : await tryResolveRenderer(projectDir);
+  const finalStrategy = strategy === 'markdown-only'
+    ? 'markdown-only'
+    : (rendererResolved ? 'plugin' : (strategy === 'plugin' ? 'plugin-missing' : 'fallback-markdown'));
+
+  // Plugin strategy was requested but package is missing — fail loudly.
+  if (strategy === 'plugin' && !rendererResolved) {
+    err(`Strategy 'plugin' requested but '${RENDER_PACKAGE}' is not installed.`);
+    log(INSTALL_HINT);
+    logEvent({ event: 'review_render', action: 'fail', fallback_reason: 'no-renderer', strategy, formats }, projectDir);
+    process.exit(1);
+  }
+
+  let artifacts = { svg: [], png: [] };
+  let renderErrors = [];
+
+  if (rendererResolved) {
+    try {
+      if (!opts.quiet) info('Rendering with dw-kit-render');
+      const result = await rendererResolved.render({
+        manifest,
+        outDir,
+        formats,
+        theme: rendererCfg.theme,
+        font: rendererCfg.font,
+      });
+      artifacts = {
+        svg: Array.isArray(result?.svgPaths) ? result.svgPaths : [],
+        png: Array.isArray(result?.pngPaths) ? result.pngPaths : [],
+      };
+    } catch (e) {
+      renderErrors.push(e.message || String(e));
+      warn(`Renderer error: ${e.message || e}`);
+      warn('Falling back to markdown-only summary.');
+    }
+  } else if (strategy !== 'markdown-only') {
+    if (!opts.quiet) {
+      warn(`'${RENDER_PACKAGE}' not found — emitting markdown summary only.`);
+      log(INSTALL_HINT);
+    }
+  }
+
+  // 5. Write summary.md (always — works without renderer too).
+  const summaryPath = join(outDir, 'summary.md');
+  writeFileSync(summaryPath, buildSummaryMarkdown(manifest, artifacts, { outDir, projectDir }), 'utf-8');
+
+  const durationMs = Math.round(performance.now() - startedAt);
+
+  if (!opts.quiet) {
+    console.log();
+    info('Artifacts');
+    log(`  Summary     : ${summaryPath}`);
+    if (artifacts.svg.length) log(`  SVG         : ${artifacts.svg.length} file(s)`);
+    if (artifacts.png.length) log(`  PNG         : ${artifacts.png.length} file(s)`);
+    if (!artifacts.svg.length && !artifacts.png.length) log(`  ${chalk.dim('(markdown only — install dw-kit-render for images)')}`);
+    console.log();
+    if (renderErrors.length) {
+      warn(`${renderErrors.length} render error(s) — see above`);
+    } else {
+      ok(`Done in ${durationMs}ms`);
+    }
+  }
+
+  logEvent({
+    event: 'review_render',
+    action: renderErrors.length ? 'partial' : 'success',
+    strategy: finalStrategy,
+    formats,
+    findings: manifest.findings.length,
+    duration_ms: durationMs,
+    fallback_reason: rendererResolved ? null : (strategy === 'markdown-only' ? 'config-markdown-only' : 'no-renderer'),
+  }, projectDir);
+
+  process.exit(0);
+}
+
+function parseFormats(value) {
+  if (!value) return null;
+  if (value === 'both') return ['svg', 'png'];
+  if (value === 'svg' || value === 'png') return [value];
+  return null;
+}
+
+function resolveOutputDir(configDir, manifest, projectDir) {
+  const baseDir = isAbsolute(configDir) ? configDir : join(projectDir, configDir);
+  const slug = manifest.scope_slug || manifest.scope || 'review';
+  return join(baseDir, slug);
+}
+
+async function tryResolveRenderer(projectDir) {
+  // Test-only escape hatch: tests use this to force the markdown fallback even
+  // when a local renderer is dev-linked from a sibling packages/ dir.
+  if (process.env.DW_REVIEW_NO_RENDERER === '1') return null;
+
+  // Resolution order: project node_modules → CLI's own node_modules (global -g case).
+  // We use createRequire to get a *resolution* path, then dynamic-import that URL
+  // so the renderer can be ESM-only (Phase 1 ships ESM only).
+  for (const anchor of [join(projectDir, 'package.json'), import.meta.url]) {
+    try {
+      const req = createRequire(anchor);
+      const entry = req.resolve(RENDER_PACKAGE);
+      const mod = await import(pathToFileURL(entry).href);
+      const render = mod?.render || mod?.default?.render;
+      if (typeof render !== 'function') {
+        throw new Error("dw-kit-render module did not export a 'render' function");
+      }
+      return { render };
+    } catch {
+      // try next anchor
+    }
+  }
+  return null;
+}
+
+function buildSummaryMarkdown(manifest, artifacts, { outDir, projectDir }) {
+  const lines = [];
+  const counts = countBySeverity(manifest.findings);
+  const slug = manifest.scope_slug || manifest.scope;
+
+  lines.push(`# Review summary — ${manifest.scope}`);
+  lines.push('');
+  lines.push(`- Generated: ${manifest.generated_at}`);
+  if (manifest.review_meta?.diff_base) lines.push(`- Diff base: ${manifest.review_meta.diff_base}`);
+  if (manifest.review_meta?.files_reviewed != null) lines.push(`- Files reviewed: ${manifest.review_meta.files_reviewed}`);
+  if (manifest.task_id) lines.push(`- Task: \`${manifest.task_id}\``);
+  lines.push('');
+  lines.push(`**Severity counts:** critical=${counts.critical}, warning=${counts.warning}, suggestion=${counts.suggestion}`);
+  lines.push('');
+
+  if (!manifest.findings.length) {
+    lines.push('No findings.');
+    lines.push('');
+    return lines.join('\n');
+  }
+
+  lines.push('## Findings');
+  lines.push('');
+  for (const f of manifest.findings) {
+    const loc = formatLocation(f.location);
+    lines.push(`### [${f.severity.toUpperCase()}] ${f.title}`);
+    lines.push('');
+    lines.push(`- File: \`${loc}\``);
+    if (f.rule_ref) lines.push(`- Rule: ${f.rule_ref}`);
+
+    const svg = artifacts.svg.find((p) => p.endsWith(`finding-${f.id}.svg`));
+    const png = artifacts.png.find((p) => p.endsWith(`finding-${f.id}.png`));
+    if (svg) lines.push(`- SVG: \`${relativeTo(svg, outDir)}\``);
+    if (png) lines.push(`- PNG: \`${relativeTo(png, outDir)}\``);
+    lines.push('');
+    lines.push(f.body);
+    lines.push('');
+    if (f.code_snippet) {
+      const lang = f.language || '';
+      lines.push('```' + lang);
+      lines.push(f.code_snippet);
+      lines.push('```');
+      lines.push('');
+    }
+    if (f.fix) {
+      lines.push(`**Fix:** ${f.fix}`);
+      lines.push('');
+    }
+    lines.push('---');
+    lines.push('');
+  }
+
+  lines.push(`*Manifest: \`${relativeTo(join(outDir, 'manifest.json'), projectDir)}\`*`);
+  lines.push('');
+  return lines.join('\n');
+}
+
+function countBySeverity(findings) {
+  const out = { critical: 0, warning: 0, suggestion: 0 };
+  for (const f of findings) {
+    if (out[f.severity] != null) out[f.severity]++;
+  }
+  return out;
+}
+
+function formatLocation(loc) {
+  if (!loc) return '?';
+  if (loc.line_start && loc.line_end && loc.line_start !== loc.line_end) {
+    return `${loc.file}:${loc.line_start}-${loc.line_end}`;
+  }
+  if (loc.line_start) return `${loc.file}:${loc.line_start}`;
+  return loc.file;
+}
+
+function relativeTo(target, base) {
+  const t = target.replace(/\\/g, '/');
+  const b = base.replace(/\\/g, '/').replace(/\/$/, '');
+  if (t.startsWith(b + '/')) return t.slice(b.length + 1);
+  return t;
+}