Documentation ¶
Overview ¶
Package types defines data structures for git-vendor configuration and state management.
Package types defines compliance-related data structures for internal vendor tracking (Spec 070).
Index ¶
- Constants
- Variables
- type AuditResult
- type AuditSummary
- type BranchSpec
- type CloneOptions
- type CommitInfo
- type CommitOptions
- type ComplianceDriftDirection
- type ComplianceEntry
- type ComplianceResult
- type ComplianceSummary
- type DependencyScan
- type DriftDependency
- type DriftDetail
- type DriftFile
- type DriftResult
- type DriftStats
- type DriftSummary
- type FileChecksum
- type FileStatus
- type HookConfig
- type HookContext
- type IncrementalSyncCache
- type LicensePolicy
- type LicensePolicyRules
- type LicenseReportResult
- type LicenseReportSummary
- type LockConflict
- type LockDetails
- type LockMergeConflict
- type LockMergeResult
- type OutdatedResult
- type ParallelOptions
- type PathConflict
- type PathMapping
- type PolicyViolation
- type PositionDetail
- type PositionLock
- type PositionSpec
- type ProgressTracker
- type ScanResult
- type ScanSummary
- type StatusResult
- type StatusSummary
- type SyncStatus
- type Trailer
- type UpdateCheckResult
- type VendorConfig
- type VendorDiff
- type VendorLicenseStatus
- type VendorLock
- type VendorPolicy
- type VendorSpec
- type VendorStatus
- type VendorStatusDetail
- type VerifyResult
- type VerifySummary
- type VulnCounts
- type Vulnerability
Constants ¶
const (
AuditResultPass = "PASS"
AuditResultFail = "FAIL"
AuditResultWarn = "WARN"
)
Audit result constants for AuditSummary.Result.
const (
DriftStatusUnchanged = "unchanged"
DriftStatusModified = "modified"
DriftStatusDeleted = "deleted"
DriftStatusAdded = "added"
)
Drift status constants for DriftFile.LocalStatus and DriftFile.UpstreamStatus.
const (
DriftResultClean = "CLEAN"
DriftResultDrifted = "DRIFTED"
DriftResultConflict = "CONFLICT"
)
Drift result constants for DriftSummary.Result.
const (
PolicyAllow = "allow"
PolicyDeny = "deny"
PolicyWarn = "warn"
)
PolicyDecision represents the outcome of evaluating a license against a LicensePolicy.
const (
SeverityCritical = "CRITICAL"
SeverityHigh = "HIGH"
SeverityMedium = "MEDIUM"
SeverityLow = "LOW"
SeverityUnknown = "UNKNOWN"
)
SeverityLevel constants for vulnerability severity
const (
ScanStatusScanned = "scanned"
ScanStatusNotScanned = "not_scanned"
ScanStatusError = "error"
)
ScanStatus constants for dependency scan status
const (
ScanResultPass = "PASS"
ScanResultFail = "FAIL"
ScanResultWarn = "WARN"
)
ScanResultCode constants for overall scan result
Variables ¶
var SeverityThreshold = map[string]int{
SeverityCritical: 4,
SeverityHigh: 3,
SeverityMedium: 2,
SeverityLow: 1,
SeverityUnknown: 0,
}
SeverityThreshold maps severity names to numeric levels for comparison. Higher numbers indicate more severe vulnerabilities.
var ValidSeverityThresholds = map[string]bool{
"critical": true,
"high": true,
"medium": true,
"low": true,
}
ValidSeverityThresholds defines valid values for the --fail-on flag. Used for validation in both CLI and Scan() method.
Functions ¶
This section is empty.
Types ¶
type AuditResult ¶ added in v1.1.0
type AuditResult struct {
SchemaVersion string `json:"schema_version"`
Timestamp string `json:"timestamp"`
Verify *VerifyResult `json:"verify,omitempty"`
Scan *ScanResult `json:"scan,omitempty"`
License *LicenseReportResult `json:"license,omitempty"`
Drift *DriftResult `json:"drift,omitempty"`
Summary AuditSummary `json:"summary"`
}
AuditResult is the top-level result for the unified audit command. AuditResult aggregates results from verify, scan, license, and drift sub-checks and produces a combined pass/fail summary.
type AuditSummary ¶ added in v1.1.0
type AuditSummary struct {
Result string `json:"result"` // "PASS", "FAIL", "WARN"
Checks int `json:"checks_run"` // Number of sub-checks executed
Passed int `json:"checks_passed"` // Sub-checks that passed
Failed int `json:"checks_failed"` // Sub-checks that failed
Warnings int `json:"checks_warned"` // Sub-checks that warned
Errors []string `json:"errors,omitempty"` // Non-fatal errors (e.g., network failures)
}
AuditSummary contains aggregate pass/fail/warn counts across all audit sub-checks.
type BranchSpec ¶
type BranchSpec struct {
Ref string `yaml:"ref"`
DefaultTarget string `yaml:"default_target,omitempty"`
Mapping []PathMapping `yaml:"mapping"`
}
BranchSpec defines mappings for a specific Git ref (branch, tag, or commit).
type CloneOptions ¶
CloneOptions holds options for git clone operations
type CommitInfo ¶
CommitInfo represents a single git commit
type CommitOptions ¶ added in v1.1.0
CommitOptions holds options for creating a git commit with structured trailers. CommitOptions is used by CommitVendorChanges to pass message and trailer data to the GitClient.Commit adapter. Trailers are ordered and support duplicate keys.
type ComplianceDriftDirection ¶ added in v1.1.0
type ComplianceDriftDirection string
ComplianceDriftDirection represents the drift state between source and destination.
const (
DriftSynced ComplianceDriftDirection = "synced"
DriftSourceDrift ComplianceDriftDirection = "source_drifted"
DriftDestDrift ComplianceDriftDirection = "dest_drifted"
DriftBothDrift ComplianceDriftDirection = "both_drifted"
)
ComplianceDriftDirection values for internal vendor compliance.
type ComplianceEntry ¶ added in v1.1.0
type ComplianceEntry struct {
VendorName string `json:"vendor_name"`
FromPath string `json:"from_path"`
ToPath string `json:"to_path"`
Direction ComplianceDriftDirection `json:"direction"`
Compliance string `json:"compliance"` // "source-canonical" or "bidirectional"
SourceHashLocked string `json:"source_hash_locked"`
SourceHashCurrent string `json:"source_hash_current"`
DestHashLocked string `json:"dest_hash_locked"`
DestHashCurrent string `json:"dest_hash_current"`
Action string `json:"action"` // suggested action
}
ComplianceEntry represents the compliance state of a single source-to-destination mapping.
type ComplianceResult ¶ added in v1.1.0
type ComplianceResult struct {
SchemaVersion string `json:"schema_version"`
Timestamp string `json:"timestamp"`
Entries []ComplianceEntry `json:"entries"`
Summary ComplianceSummary `json:"summary"`
}
ComplianceResult holds the full compliance check output for internal vendors.
type ComplianceSummary ¶ added in v1.1.0
type ComplianceSummary struct {
Total int `json:"total"`
Synced int `json:"synced"`
SourceDrift int `json:"source_drift"`
DestDrift int `json:"dest_drift"`
BothDrift int `json:"both_drift"`
Result string `json:"result"` // "SYNCED" | "DRIFTED" | "CONFLICT"
}
ComplianceSummary aggregates compliance statistics.
type DependencyScan ¶ added in v1.1.0
type DependencyScan struct {
Name string `json:"name"`
Version *string `json:"version"`
Commit string `json:"commit"`
URL string `json:"url,omitempty"`
ScanStatus string `json:"scan_status"` // scanned, not_scanned, error
ScanReason string `json:"scan_reason,omitempty"`
Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}
DependencyScan represents scan results for a single vendored dependency. Each dependency in the lockfile gets a corresponding DependencyScan entry.
type DriftDependency ¶ added in v1.1.0
type DriftDependency struct {
Name string `json:"name"`
URL string `json:"url"`
Ref string `json:"ref"`
LockedCommit string `json:"locked_commit"`
LatestCommit string `json:"latest_commit,omitempty"` // Empty in offline mode
DriftScore float64 `json:"drift_score"` // 0-100
Files []DriftFile `json:"files"`
LocalDrift DriftStats `json:"local_drift"`
UpstreamDrift DriftStats `json:"upstream_drift,omitempty"`
HasConflictRisk bool `json:"has_conflict_risk"`
}
DriftDependency represents drift analysis results for a single vendor.
type DriftDetail ¶ added in v1.1.0
type DriftDetail struct {
Path string `json:"path"`
LockHash string `json:"lock_hash"`
DiskHash string `json:"disk_hash"`
Accepted bool `json:"accepted"`
}
DriftDetail provides per-file hash comparison for drift detection (GRD-001). DriftDetail is included in VendorStatusDetail JSON output so pre-commit hooks can display lock vs disk hash mismatches without re-computing hashes.
type DriftFile ¶ added in v1.1.0
type DriftFile struct {
Path string `json:"path"`
LocalStatus string `json:"local_status"` // unchanged, modified, deleted, added
UpstreamStatus string `json:"upstream_status,omitempty"` // unchanged, modified, deleted, added
LocalLinesAdded int `json:"local_lines_added,omitempty"`
LocalLinesRemoved int `json:"local_lines_removed,omitempty"`
LocalDriftPct float64 `json:"local_drift_pct"`
UpstreamLinesAdded int `json:"upstream_lines_added,omitempty"`
UpstreamLinesRemoved int `json:"upstream_lines_removed,omitempty"`
UpstreamDriftPct float64 `json:"upstream_drift_pct,omitempty"`
HasConflictRisk bool `json:"has_conflict_risk,omitempty"`
DiffOutput string `json:"diff_output,omitempty"` // Populated only with --detail flag
}
DriftFile represents drift analysis for a single vendored file.
type DriftResult ¶ added in v1.1.0
type DriftResult struct {
SchemaVersion string `json:"schema_version"`
Timestamp string `json:"timestamp"`
Summary DriftSummary `json:"summary"`
Dependencies []DriftDependency `json:"dependencies"`
}
DriftResult is the top-level result for the drift detection command. DriftResult supports both JSON and table output formats and captures local drift, upstream drift, and conflict risk for all vendored dependencies.
type DriftStats ¶ added in v1.1.0
type DriftStats struct {
FilesChanged int `json:"files_changed"`
FilesUnchanged int `json:"files_unchanged"`
TotalLinesAdded int `json:"total_lines_added"`
TotalLinesRemoved int `json:"total_lines_removed"`
DriftPercentage float64 `json:"drift_percentage"` // 0-100
}
DriftStats aggregates line-level drift statistics for a category (local or upstream).
type DriftSummary ¶ added in v1.1.0
type DriftSummary struct {
TotalDependencies int `json:"total_dependencies"`
DriftedLocal int `json:"drifted_local"` // Dependencies with local modifications
DriftedUpstream int `json:"drifted_upstream"` // Dependencies with upstream changes
ConflictRisk int `json:"conflict_risk"` // Dependencies with both local + upstream changes
Clean int `json:"clean"` // Dependencies with zero drift
OverallDriftScore float64 `json:"overall_drift_score"` // Average drift score (0-100)
Result string `json:"result"` // CLEAN, DRIFTED, CONFLICT
}
DriftSummary contains aggregate drift statistics across all dependencies.
type FileChecksum ¶
type FileChecksum struct {
Path string `json:"path"`
Hash string `json:"hash"` // SHA-256 of file content
}
FileChecksum represents a cached checksum for incremental sync
type FileStatus ¶ added in v1.1.0
type FileStatus struct {
Path string `json:"path"`
Vendor *string `json:"vendor"`
Status string `json:"status"` // verified, modified, added, deleted, accepted, stale, orphaned
Type string `json:"type"` // "file", "position", or "coherence"
ExpectedHash *string `json:"expected_hash,omitempty"`
ActualHash *string `json:"actual_hash,omitempty"`
Position *PositionDetail `json:"position,omitempty"` // Present only for type="position"
}
FileStatus represents the verification status of a single file
type HookConfig ¶
type HookConfig struct {
PreSync string `yaml:"pre_sync,omitempty"` // Shell command to run before sync
PostSync string `yaml:"post_sync,omitempty"` // Shell command to run after sync
}
HookConfig defines pre/post sync shell commands for automation
type HookContext ¶
type HookContext struct {
VendorName string // Name of the vendor being synced
VendorURL string // URL of the vendor repository
Ref string // Git ref being synced
CommitHash string // Resolved commit hash
RootDir string // Project root directory
FilesCopied int // Number of files copied
DirsCreated int // Number of directories created
Environment map[string]string // Additional environment variables
}
HookContext provides environment context for hook execution
type IncrementalSyncCache ¶
type IncrementalSyncCache struct {
VendorName string `json:"vendor_name"`
Ref string `json:"ref"`
CommitHash string `json:"commit_hash"`
Files []FileChecksum `json:"files"`
CachedAt string `json:"cached_at"` // RFC3339 timestamp
}
IncrementalSyncCache tracks file states for skip optimization
type LicensePolicy ¶ added in v1.1.0
type LicensePolicy struct {
LicensePolicy LicensePolicyRules `yaml:"license_policy"`
}
LicensePolicy defines configurable allow/deny/warn lists for license compliance enforcement. LicensePolicy is loaded from .git-vendor-policy.yml and evaluated by LicensePolicyService.
type LicensePolicyRules ¶ added in v1.1.0
type LicensePolicyRules struct {
Allow []string `yaml:"allow"` // Licenses explicitly permitted (SPDX identifiers)
Deny []string `yaml:"deny"` // Licenses explicitly blocked (SPDX identifiers)
Warn []string `yaml:"warn"` // Licenses that emit warnings but do not block (SPDX identifiers)
Unknown string `yaml:"unknown"` // How to handle undetected licenses: "allow", "warn", or "deny"
}
LicensePolicyRules contains the allow/deny/warn lists and the unknown license handling strategy.
type LicenseReportResult ¶ added in v1.1.0
type LicenseReportResult struct {
SchemaVersion string `json:"schema_version"`
Timestamp string `json:"timestamp"`
PolicyFile string `json:"policy_file"` // Path to policy file used, or "default" if none
Summary LicenseReportSummary `json:"summary"`
Vendors []VendorLicenseStatus `json:"vendors"`
}
LicenseReportResult represents the complete license policy report output. LicenseReportResult is the top-level structure returned by the license command and used for both JSON and table output formats.
type LicenseReportSummary ¶ added in v1.1.0
type LicenseReportSummary struct {
TotalVendors int `json:"total_vendors"`
Allowed int `json:"allowed"`
Denied int `json:"denied"`
Warned int `json:"warned"`
Unknown int `json:"unknown"`
Result string `json:"result"` // PASS, FAIL, WARN
}
LicenseReportSummary contains aggregate statistics for the license report.
type LockConflict ¶ added in v1.1.0
type LockConflict struct {
LineNumber int // Line where the conflict marker starts
OursRaw string // Content from the "ours" side (between <<<<<<< and =======)
TheirsRaw string // Content from the "theirs" side (between ======= and >>>>>>>)
}
LockConflict represents a merge conflict detected in a vendor.lock file. LockConflict is returned when git merge markers are found, providing structured context for error reporting instead of a cryptic YAML parse failure.
type LockDetails ¶
type LockDetails struct {
Name string `yaml:"name"`
Ref string `yaml:"ref"`
CommitHash string `yaml:"commit_hash"`
LicensePath string `yaml:"license_path"` // Automatically managed
Updated string `yaml:"updated"`
FileHashes map[string]string `yaml:"file_hashes,omitempty"` // path -> SHA-256 hash
// Metadata fields (schema v1.1)
LicenseSPDX string `yaml:"license_spdx,omitempty"` // SPDX license identifier
SourceVersionTag string `yaml:"source_version_tag,omitempty"` // Git tag matching commit (if any)
VendoredAt string `yaml:"vendored_at,omitempty"` // ISO 8601 timestamp of initial vendoring
VendoredBy string `yaml:"vendored_by,omitempty"` // Git user identity who performed the vendoring
LastSyncedAt string `yaml:"last_synced_at,omitempty"` // ISO 8601 timestamp of most recent sync
// Position extraction metadata (spec 071)
Positions []PositionLock `yaml:"positions,omitempty"` // Position-extracted mappings with source hashes
// Multi-remote provenance (schema v1.3)
SourceURL string `yaml:"source_url,omitempty"` // Which URL actually served the content (empty = primary URL)
// Accepted drift metadata (CLI-003)
AcceptedDrift map[string]string `yaml:"accepted_drift,omitempty"` // path -> SHA-256 of accepted local content
// Internal vendor metadata (spec 070)
Source string `yaml:"source,omitempty"` // "internal" for internal vendors
SourceFileHashes map[string]string `yaml:"source_file_hashes,omitempty"` // source path -> SHA-256
}
LockDetails contains the locked state for a specific vendor and ref.
type LockMergeConflict ¶ added in v1.1.0
type LockMergeConflict struct {
VendorName string // Vendor name in conflict
Ref string // Ref in conflict
Ours LockDetails // Lock entry from "ours" side
Theirs LockDetails // Lock entry from "theirs" side
}
LockMergeConflict represents a vendor entry that could not be auto-merged because both sides modified the same vendor with no clear resolution strategy.
type LockMergeResult ¶ added in v1.1.0
type LockMergeResult struct {
Merged VendorLock // Successfully merged lock
Conflicts []LockMergeConflict // Entries requiring manual resolution
}
LockMergeResult holds the outcome of merging two VendorLock structs.
type OutdatedResult ¶ added in v1.1.0
type OutdatedResult struct {
Dependencies []UpdateCheckResult `json:"dependencies"`
TotalChecked int `json:"total_checked"`
Outdated int `json:"outdated"`
UpToDate int `json:"up_to_date"`
Skipped int `json:"skipped"`
}
OutdatedResult aggregates the results of checking all vendors for staleness. OutdatedResult is returned by OutdatedService.Outdated and consumed by the "outdated" CLI command for both human-readable and JSON output.
type ParallelOptions ¶
type ParallelOptions struct {
Enabled bool // Whether parallel processing is enabled
MaxWorkers int // Maximum concurrent workers (0 = use NumCPU)
}
ParallelOptions configures parallel processing behavior
type PathConflict ¶
type PathConflict struct {
Path string
Vendor1 string
Vendor2 string
Mapping1 PathMapping
Mapping2 PathMapping
}
PathConflict represents a conflict between two vendors mapping to overlapping paths
type PathMapping ¶
type PathMapping struct {
From string `yaml:"from"`
To string `yaml:"to"`
Exclude []string `yaml:"exclude,omitempty"`
}
PathMapping defines a source-to-destination path mapping for vendoring. When From is a directory, Exclude patterns (gitignore-style globs) skip matching files during sync. Exclude has no effect on file-level mappings.
type PolicyViolation ¶ added in v1.1.0
type PolicyViolation struct {
VendorName string `json:"vendor_name"`
Type string `json:"type"` // "drift" or "stale"
Message string `json:"message"`
Severity string `json:"severity"` // "error" (blocks commit) or "warning" (report only)
}
PolicyViolation represents a single policy rule that a vendor has violated. PolicyViolation is produced by policy evaluation and surfaced in StatusResult and commit guard output.
type PositionDetail ¶ added in v1.1.0
type PositionDetail struct {
From string `json:"from"` // Source path with position (e.g., "api/constants.go:L4-L6")
To string `json:"to"` // Destination path with optional position
SourceHash string `json:"source_hash"` // SHA-256 of extracted content at sync time
}
PositionDetail provides position-level metadata for FileStatus entries that originate from position-extracted mappings.
type PositionLock ¶ added in v1.1.0
type PositionLock struct {
From string `yaml:"from"` // Source path with position (e.g., "api/constants.go:L4-L6")
To string `yaml:"to"` // Destination path with optional position
SourceHash string `yaml:"source_hash"` // SHA-256 of extracted content
}
PositionLock records a position-extracted mapping in the lockfile for auditing and verification.
type PositionSpec ¶ added in v1.1.0
type PositionSpec struct {
StartLine int // 1-indexed
EndLine int // 1-indexed, 0 means same as StartLine (single line)
StartCol int // 1-indexed byte offset, 0 means no column specified
EndCol int // 1-indexed inclusive byte offset, 0 means no column specified
ToEOF bool
}
PositionSpec represents a line/column range extracted from a path specifier. Supports: L5, L5-L20, L5:L20, L5-EOF, L5C10:L10C30
Column semantics (byte-offset based): Columns use Go string byte indexing, NOT Unicode rune offsets. For ASCII content the two are identical. For multi-byte characters (emoji, CJK, accented characters), users MUST count bytes, not visible characters. Example: in "café", é occupies bytes 4-5, so L1C4:L1C5 extracts "é". Extracting a partial multi-byte character (e.g., L1C4:L1C4 on "café") produces invalid UTF-8. Byte-offset semantics are a deliberate design choice — consistent with Go string indexing and avoiding hidden rune-counting costs.
Line ending normalization: CRLF (\r\n) is normalized to LF (\n) before extraction and placement. Extracted content always uses LF regardless of the source file's original line endings. CRLF normalization ensures deterministic hashing across platforms. Standalone \r (classic Mac line endings) is NOT normalized.
Trailing newline behavior: A file ending with \n is treated as having an additional empty line after the final newline. For a 5-line file ending with \n, the internal line count is 6 (5 content lines + 1 empty). L5-EOF on such a file extracts "line5\n" (including the trailing newline). On a file without a trailing newline, L5-EOF extracts just "line5".
Empty file behavior: A 0-byte file is treated as having exactly 1 empty line. L1 extracts "". L2+ errors with "line does not exist".
L1-EOF hash equivalence: L1-EOF on any file produces content identical to the raw file bytes (after CRLF normalization), so the extracted hash matches sha256(normalized_file).
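The extraction rules above, worked through as an added example (not git-vendor's own code). The `span` type, `extract`, `sourceHash` and `validUTF8` are hypothetical names, the inputs are constructed, and every error string other than "line does not exist" is an assumption.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// span is a local stand-in with the same fields as the documented PositionSpec.
type span struct {
	StartLine, EndLine int // 1-indexed; EndLine 0 means same as StartLine
	StartCol, EndCol   int // 1-indexed byte offsets; 0 means no column
	ToEOF              bool
}

// extract follows the documented semantics: CRLF becomes LF before anything
// else, a trailing "\n" yields one extra empty line, columns index bytes.
func extract(raw []byte, s span) (string, error) {
	text := strings.ReplaceAll(string(raw), "\r\n", "\n") // a lone "\r" is kept
	lines := strings.Split(text, "\n")                      // 0-byte file -> one empty line
	end := s.EndLine
	if s.ToEOF {
		end = len(lines)
	} else if end == 0 {
		end = s.StartLine
	}
	if s.StartLine < 1 || s.StartLine > len(lines) || end > len(lines) {
		return "", errors.New("line does not exist")
	}
	if end < s.StartLine {
		return "", errors.New("end line precedes start line") // assumed wording
	}
	sel := append([]string(nil), lines[s.StartLine-1:end]...)
	last := len(sel) - 1
	if s.EndCol > 0 { // EndCol is inclusive and applies to the last line
		if s.EndCol > len(sel[last]) {
			return "", errors.New("column does not exist") // assumed wording
		}
		sel[last] = sel[last][:s.EndCol]
	}
	if s.StartCol > 0 { // StartCol applies to the first line
		if s.StartCol-1 > len(sel[0]) {
			return "", errors.New("column does not exist") // assumed wording
		}
		sel[0] = sel[0][s.StartCol-1:]
	}
	return strings.Join(sel, "\n"), nil
}

// sourceHash is the SHA-256 of the extracted content, hex encoded.
func sourceHash(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// validUTF8 is false when a column range cut a multi-byte character in half.
func validUTF8(s string) bool { return utf8.ValidString(s) }

func main() {
	// Constructed inputs: the same two lines with LF and with CRLF endings.
	lf, _ := extract([]byte("line1\nline2\n"), span{StartLine: 1, ToEOF: true})
	crlf, _ := extract([]byte("line1\r\nline2\r\n"), span{StartLine: 1, ToEOF: true})
	fmt.Println("hash stable across line endings:", sourceHash(lf) == sourceHash(crlf))

	// "caf\u00e9" is c, a, f, then a two-byte e-acute (bytes 4-5).
	whole, _ := extract([]byte("caf\u00e9"), span{StartLine: 1, StartCol: 4, EndCol: 5})
	half, _ := extract([]byte("caf\u00e9"), span{StartLine: 1, StartCol: 4, EndCol: 4})
	fmt.Printf("C4:C5 valid=%v, C4:C4 valid=%v\n", validUTF8(whole), validUTF8(half))

	_, err := extract(nil, span{StartLine: 2})
	fmt.Println("L2 on an empty file:", err)
}
```

A reviewer checking a position mapping can run the same validity test on extracted content before trusting a recorded source hash, since a range that splits a character still hashes deterministically but no longer decodes as text.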
func ParsePathPosition ¶ added in v1.1.0
func ParsePathPosition(path string) (string, *PositionSpec, error)
ParsePathPosition splits a path string into the file path and an optional PositionSpec. Returns (filePath, position, error). position is nil if no position specifier is found.
Examples:
"src/file.go" -> ("src/file.go", nil, nil)
"src/file.go:L5" -> ("src/file.go", &PositionSpec{StartLine:5}, nil)
"src/file.go:L5-L20" -> ("src/file.go", &PositionSpec{StartLine:5, EndLine:20}, nil)
"src/file.go:L10-EOF" -> ("src/file.go", &PositionSpec{StartLine:10, ToEOF:true}, nil)
"src/file.go:L5C10:L5C30" -> ("src/file.go", &PositionSpec{...columns...}, nil)
func (*PositionSpec) HasColumns ¶ added in v1.1.0
func (p *PositionSpec) HasColumns() bool
HasColumns returns true if column-level precision is specified.
func (*PositionSpec) IsSingleLine ¶ added in v1.1.0
func (p *PositionSpec) IsSingleLine() bool
IsSingleLine returns true if the position targets a single line (no range).
type ProgressTracker ¶
type ProgressTracker interface {
// Increment advances progress by one unit with an optional status message
Increment(message string)
// SetTotal updates the total expected units (for dynamic totals)
SetTotal(total int)
// Complete marks the operation as successfully finished
Complete()
// Fail marks the operation as failed with an error
Fail(err error)
}
ProgressTracker represents a progress indicator for long-running operations
type ScanResult ¶ added in v1.1.0
type ScanResult struct {
SchemaVersion string `json:"schema_version"`
Timestamp string `json:"timestamp"`
Summary ScanSummary `json:"summary"`
Dependencies []DependencyScan `json:"dependencies"`
}
ScanResult represents the complete vulnerability scan output. ScanResult is the top-level structure returned by the scan command and used for both JSON and table output formats.
type ScanSummary ¶ added in v1.1.0
type ScanSummary struct {
TotalDependencies int `json:"total_dependencies"`
Scanned int `json:"scanned"`
NotScanned int `json:"not_scanned"`
Vulnerabilities VulnCounts `json:"vulnerabilities"`
Result string `json:"result"` // PASS, FAIL, WARN
FailOnThreshold string `json:"fail_on_threshold,omitempty"`
ThresholdExceeded bool `json:"threshold_exceeded,omitempty"`
}
ScanSummary contains aggregate statistics for the scan. ScanSummary provides a quick overview of the scan results including counts by severity level and the overall result determination.
type StatusResult ¶ added in v1.1.0
type StatusResult struct {
Vendors []VendorStatusDetail `json:"vendors"`
Summary StatusSummary `json:"summary"`
PolicyViolations []PolicyViolation `json:"policy_violations,omitempty"` // All violations across vendors (GRD-002)
}
StatusResult holds the combined output of the status command (verify + outdated). StatusResult is the top-level return type for Manager.Status / VendorSyncer.Status.
type StatusSummary ¶ added in v1.1.0
type StatusSummary struct {
TotalVendors int `json:"total_vendors"`
TotalFiles int `json:"total_files"`
Verified int `json:"verified"`
Modified int `json:"modified"`
Added int `json:"added"`
Deleted int `json:"deleted"`
Accepted int `json:"accepted"` // Files with accepted drift (CLI-003)
Stale int `json:"stale"` // Vendors behind upstream
UpstreamErrors int `json:"upstream_errors"` // Vendors where ls-remote failed
StaleConfigs int `json:"stale_configs"` // Config mapping dests with no lock FileHashes entry (VFY-001)
OrphanedLock int `json:"orphaned_lock"` // Lock FileHashes entries with no config mapping dest (VFY-001)
Result string `json:"result"` // PASS, FAIL, WARN
}
StatusSummary contains aggregate statistics across all vendors for the status command.
type SyncStatus ¶
type SyncStatus struct {
AllSynced bool
VendorStatuses []VendorStatus
}
SyncStatus represents the overall sync status
type Trailer ¶ added in v1.1.0
Trailer represents a single key-value git trailer. Multiple Trailers with the same Key are valid for multi-valued trailers (e.g., multiple Vendor-Name entries in a multi-vendor commit).
type UpdateCheckResult ¶
type UpdateCheckResult struct {
VendorName string `json:"vendor_name"`
Ref string `json:"ref"`
CurrentHash string `json:"current_hash"`
LatestHash string `json:"latest_hash"`
LastUpdated string `json:"last_updated"`
UpToDate bool `json:"up_to_date"`
}
UpdateCheckResult represents an available update for a vendor
type VendorConfig ¶
type VendorConfig struct {
Policy *VendorPolicy `yaml:"policy,omitempty" json:"policy,omitempty"` // Global policy defaults
Vendors []VendorSpec `yaml:"vendors"`
}
VendorConfig represents the root configuration file (vendor.yml) structure.
type VendorDiff ¶
type VendorDiff struct {
VendorName string
Ref string
OldHash string
NewHash string
OldDate string
NewDate string
Commits []CommitInfo
CommitCount int
}
VendorDiff represents the commit history between two refs
type VendorLicenseStatus ¶ added in v1.1.0
type VendorLicenseStatus struct {
Name string `json:"name"`
URL string `json:"url"`
License string `json:"license"` // Detected SPDX license identifier
Decision string `json:"decision"` // "allow", "deny", or "warn"
Reason string `json:"reason"` // Human-readable reason for the decision
}
VendorLicenseStatus represents the license compliance status for a single vendor.
type VendorLock ¶
type VendorLock struct {
SchemaVersion string `yaml:"schema_version,omitempty"`
Vendors []LockDetails `yaml:"vendors"`
}
VendorLock represents the lock file (vendor.lock) storing resolved commit hashes.
Schema version uses major.minor format:
- Minor bump: new optional fields added (backward compatible)
- Major bump: breaking changes requiring CLI upgrade
Version compatibility:
- Missing schema_version is treated as "1.0"
- Unknown minor versions: warning, operation proceeds, unknown fields preserved
- Unknown major versions: error, operation aborts to prevent data corruption
Current version: 1.1 (adds LicenseSPDX, SourceVersionTag, VendoredAt, VendoredBy, LastSyncedAt). Migrate via "git-vendor migrate".
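The compatibility rules above written as a gate a lockfile reader could apply before touching vendor.lock. This is an added example, not git-vendor's own code: `checkSchema`, the `verdict` type and the supported version passed in are hypothetical, and treating a lower major or a malformed string as an abort is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type verdict int

const (
	proceed            verdict = iota // version fully understood
	proceedWithWarning                // newer minor: keep unknown fields intact
	abort                             // unknown major or unparsable: leave the lock alone
)

// checkSchema classifies a lockfile's schema_version against the
// major.minor version the running tool understands.
func checkSchema(found string, supMajor, supMinor uint64) (verdict, error) {
	if strings.TrimSpace(found) == "" {
		found = "1.0" // documented: missing schema_version is treated as "1.0"
	}
	majS, minS, ok := strings.Cut(found, ".")
	if !ok {
		return abort, fmt.Errorf("schema_version %q is not major.minor", found)
	}
	// ParseUint rejects signs, spaces and extra dots such as "1.1.0".
	major, errMaj := strconv.ParseUint(majS, 10, 16)
	minor, errMin := strconv.ParseUint(minS, 10, 16)
	if errMaj != nil || errMin != nil {
		return abort, fmt.Errorf("schema_version %q is not major.minor", found)
	}
	if major != supMajor {
		// Fail closed: hashes and provenance fields may have changed meaning.
		return abort, fmt.Errorf("schema major %d not supported (tool understands %d.x)", major, supMajor)
	}
	if minor > supMinor {
		return proceedWithWarning, nil
	}
	return proceed, nil
}

func main() {
	// Constructed sample values, checked against a tool that understands 1.1.
	for _, v := range []string{"", "1.0", "1.1", "1.3", "2.0", "1.1.0"} {
		got, err := checkSchema(v, 1, 1)
		fmt.Printf("%-7q verdict=%d err=%v\n", v, got, err)
	}
}
```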
type VendorPolicy ¶ added in v1.1.0
type VendorPolicy struct {
BlockOnDrift *bool `yaml:"block_on_drift,omitempty" json:"block_on_drift,omitempty"`
BlockOnStale *bool `yaml:"block_on_stale,omitempty" json:"block_on_stale,omitempty"`
MaxStalenessDays *int `yaml:"max_staleness_days,omitempty" json:"max_staleness_days,omitempty"`
}
VendorPolicy defines commit guard and status policy for vendor drift and staleness. Pointer types distinguish "not set" (nil) from "explicitly false/0" so that per-vendor overrides only replace fields they explicitly declare.
Defaults (when nil): BlockOnDrift=true, BlockOnStale=false, MaxStalenessDays=0 (no limit).
func ResolvedPolicy ¶ added in v1.1.0
func ResolvedPolicy(global, perVendor *VendorPolicy) VendorPolicy
ResolvedPolicy merges a per-vendor VendorPolicy into a global VendorPolicy, with per-vendor fields winning when non-nil. Returns a fully-populated VendorPolicy with no nil pointers.
Defaults: BlockOnDrift=true, BlockOnStale=false, MaxStalenessDays=0.
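The nil-versus-explicit merge described above, as an added example rather than the package's ResolvedPolicy implementation. The local `policy` type, `resolve`, `driftGuardOff` and the sample vendors are hypothetical; the defaults are the ones documented here.

```go
package main

import "fmt"

// policy is a local stand-in with the same three pointer fields as VendorPolicy.
type policy struct {
	BlockOnDrift     *bool
	BlockOnStale     *bool
	MaxStalenessDays *int
}

func boolPtr(b bool) *bool { return &b }
func intPtr(i int) *int    { return &i }

// resolve layers the documented defaults, then the global policy, then the
// per-vendor policy. A nil field means "not set" and leaves the lower layer's
// value in place; an explicit false or 0 replaces it.
func resolve(global, perVendor *policy) policy {
	out := policy{
		BlockOnDrift:     boolPtr(true),
		BlockOnStale:     boolPtr(false),
		MaxStalenessDays: intPtr(0),
	}
	for _, layer := range []*policy{global, perVendor} {
		if layer == nil {
			continue
		}
		if layer.BlockOnDrift != nil {
			out.BlockOnDrift = boolPtr(*layer.BlockOnDrift)
		}
		if layer.BlockOnStale != nil {
			out.BlockOnStale = boolPtr(*layer.BlockOnStale)
		}
		if layer.MaxStalenessDays != nil {
			out.MaxStalenessDays = intPtr(*layer.MaxStalenessDays)
		}
	}
	return out
}

// driftGuardOff reports whether the effective policy lets locally modified
// vendored files through the commit guard, which is worth flagging in review.
func driftGuardOff(global, perVendor *policy) bool {
	return !*resolve(global, perVendor).BlockOnDrift
}

func main() {
	// Constructed configuration: a global policy and three vendor overrides.
	global := &policy{BlockOnStale: boolPtr(true), MaxStalenessDays: intPtr(30)}
	vendors := []struct {
		name     string
		override *policy
	}{
		{"no-override", nil},
		{"explicit-off", &policy{BlockOnDrift: boolPtr(false)}},
		{"stale-only", &policy{BlockOnStale: boolPtr(false)}},
	}
	for _, v := range vendors {
		r := resolve(global, v.override)
		fmt.Printf("%-12s drift=%v stale=%v days=%d guardOff=%v\n", v.name,
			*r.BlockOnDrift, *r.BlockOnStale, *r.MaxStalenessDays,
			driftGuardOff(global, v.override))
	}
}
```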
type VendorSpec ¶
type VendorSpec struct {
Name string `yaml:"name"`
URL string `yaml:"url"`
Mirrors []string `yaml:"mirrors,omitempty"` // Fallback URLs, tried in declaration order after URL
License string `yaml:"license"`
Groups []string `yaml:"groups,omitempty"` // Optional groups for batch operations
Hooks *HookConfig `yaml:"hooks,omitempty"` // Optional pre/post sync hooks
Policy *VendorPolicy `yaml:"policy,omitempty"` // Per-vendor policy overrides
Source string `yaml:"source,omitempty"` // "" (external, default) or "internal"
Compliance string `yaml:"compliance,omitempty"` // "" (source-canonical) or "bidirectional"
Specs []BranchSpec `yaml:"specs"`
}
VendorSpec defines a single vendored dependency with source repository URL and path mappings.
type VendorStatus ¶
type VendorStatus struct {
Name string
Ref string
IsSynced bool
MissingPaths []string // Paths that should exist but don't
FileCount int // Number of file-level mappings
PositionCount int // Number of position-level mappings from lockfile
}
VendorStatus represents the sync status of a vendor
type VendorStatusDetail ¶ added in v1.1.0
type VendorStatusDetail struct {
Name string `json:"name"`
Ref string `json:"ref"`
CommitHash string `json:"commit_hash"`
// Offline (verify) results
FilesVerified int `json:"files_verified"`
FilesModified int `json:"files_modified"`
FilesAdded int `json:"files_added"`
FilesDeleted int `json:"files_deleted"`
FilesAccepted int `json:"files_accepted"` // Files with accepted drift (CLI-003)
ModifiedPaths []string `json:"modified_paths,omitempty"`
AddedPaths []string `json:"added_paths,omitempty"`
DeletedPaths []string `json:"deleted_paths,omitempty"`
AcceptedPaths []string `json:"accepted_paths,omitempty"`
// Per-file drift details with hash comparison (GRD-001).
// Populated for modified and accepted files when offline checks run.
DriftDetails []DriftDetail `json:"drift_details,omitempty"`
// Lock age metadata for staleness policy evaluation (GRD-003).
// LastUpdated is the RFC3339 timestamp from LockDetails.Updated, recording when
// the lock entry was last written. Used by PolicyService to compare against
// MaxStalenessDays when the vendor is behind upstream.
LastUpdated string `json:"last_updated,omitempty"`
// Remote (outdated) results — nil when --offline
UpstreamHash string `json:"upstream_hash,omitempty"`
UpstreamStale *bool `json:"upstream_stale,omitempty"` // nil = not checked
UpstreamSkipped bool `json:"upstream_skipped,omitempty"` // true = ls-remote failed
// Policy violations for this vendor (GRD-002).
// Populated when policy section is present in vendor.yml.
PolicyViolations []PolicyViolation `json:"policy_violations,omitempty"`
}
VendorStatusDetail holds combined verify + outdated information for a single vendor/ref pair. VendorStatusDetail is produced by the status command to merge offline (disk) and remote checks.
type VerifyResult ¶ added in v1.1.0
type VerifyResult struct {
SchemaVersion string `json:"schema_version"`
Timestamp string `json:"timestamp"`
Summary VerifySummary `json:"summary"`
Files []FileStatus `json:"files"`
InternalStatus []ComplianceEntry `json:"internal_status,omitempty"` // Spec 070: internal vendor drift
}
VerifyResult represents the outcome of verification
type VerifySummary ¶ added in v1.1.0
type VerifySummary struct {
TotalFiles int `json:"total_files"`
Verified int `json:"verified"`
Modified int `json:"modified"`
Added int `json:"added"`
Deleted int `json:"deleted"`
Accepted int `json:"accepted"` // Files with accepted drift (CLI-003)
Stale int `json:"stale"` // Config mappings not present in lock FileHashes
Orphaned int `json:"orphaned"` // Lock FileHashes entries not present in config mappings
Result string `json:"result"` // PASS, FAIL, WARN
}
VerifySummary contains aggregate statistics for verification. Stale and Orphaned track config/lock coherence issues (VFY-001):
- Stale: config mapping destinations with no corresponding lock FileHashes entry
- Orphaned: lock FileHashes entries with no corresponding config mapping destination
type VulnCounts ¶ added in v1.1.0
type VulnCounts struct {
Critical int `json:"critical"`
High int `json:"high"`
Medium int `json:"medium"`
Low int `json:"low"`
Unknown int `json:"unknown"`
Total int `json:"total"`
}
VulnCounts holds vulnerability counts by severity level. Used in ScanSummary for aggregate reporting.
type Vulnerability ¶ added in v1.1.0
type Vulnerability struct {
ID string `json:"id"`
Aliases []string `json:"aliases"`
Severity string `json:"severity"`
CVSSScore float64 `json:"cvss_score,omitempty"`
Summary string `json:"summary"`
Details string `json:"details,omitempty"` // Extended description from OSV.dev
FixedVersion string `json:"fixed_version,omitempty"`
References []string `json:"references"`
}
Vulnerability represents a single CVE/vulnerability finding. Vulnerability captures essential vulnerability information from the OSV.dev API response in a normalized format.