TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/irchaosclub/FANGS/llms.txt
Use this file to discover all available pages before exploring further.
fangs baseline command is your interface to the fingerprint memory FANGS builds for every watched package. A baseline is the set of (category, value) pairs — network destinations, file paths, SNI hostnames — that have been confirmed as legitimate behavior. When a new run produces deviations, baseline promote lets you accept those findings as known-good after human review, teaching FANGS what the package is now allowed to do.
Subcommands
| Subcommand | Purpose |
|---|---|
baseline list | Display the current baseline fingerprints for a package |
baseline promote <run_id> | Accept a run’s behavior into the baseline and clear its deviations |
fangs baseline list
Reads thebaseline_fingerprints table and renders one row per (category, value) pair observed across all promoted runs for the requested package.
Flags
The npm package name to inspect. Must match the name as recorded during the watched-package run (e.g.
lodash, @scope/pkg).Output columns
| Column | Description |
|---|---|
CATEGORY | Fingerprint category: net_new_destination, fs_new_path_write, net_new_https_host, etc. |
VALUE | The observed value — an IP address, file path, or SNI hostname |
COUNT | occurrence_count — how many times this (category, value) pair has been seen across all promoted runs |
FIRST_SEEN | Short prefix of the run_id where this fingerprint first appeared |
LAST_SEEN | Short prefix of the run_id where this fingerprint was most recently observed |
Examples
Long values in the
VALUE column are truncated to 60 characters in table output. Use -json to retrieve the full untruncated value.fangs baseline promote
Loads a run’s raw events, applies the current allowlist filter (identical to the filter the Differ uses during automated analysis), extracts fingerprints, and merges them into thebaseline_fingerprints table. The run is then marked is_baseline = true and all of its deviation rows are deleted, removing it from the pending queue.
run_id argument accepts either a full 32-character hex ID or any unique short prefix (git-style). FANGS resolves the prefix against the runs table; if multiple runs share the prefix, the command errors and asks for a longer prefix.
What promote does
Resolve the run
Looks up the run by full ID or unique hex prefix via
ResolveRunPrefix. Fails with an error if the package name on the run is empty.Apply allowlist filter
Builds a
differ.Filter using the current global and package-scoped allowlist entries. This guarantees that suppressed values (CIDRs, paths, SNI names) are not accidentally baked into the baseline.Extract fingerprints
Calls
differ.ExtractFingerprintsWith to derive (category, value, count) tuples from the filtered events.Merge into baseline
Upserts the fingerprint rows via
MergeBaseline. Existing (package, category, value) rows have their last_seen_run_id updated and occurrence_count incremented; new rows are inserted.JSON output
When-json is passed, baseline promote emits a single object:
Examples
When to promote
Legitimate behavior change
The package added a new CDN endpoint or updated a dependency that hits a new host. Review confirms no malicious intent — promote to teach FANGS the new pattern.
New install-time path
A major version now writes to a different directory. After confirming the path is expected, promote so future runs don’t re-flag the same location.
Do NOT promote
If any deviation looks genuinely suspicious — unexpected outbound connection, novel write to a sensitive path — investigate fully before promoting. Promotion is permanent within the run.
After allowlisting
If you added an allowlist entry to suppress a known-safe value, re-analyze or re-run the package first, then promote the clean run. Promoting before allowlisting bakes the suppressed value into the baseline.