@vyuhlabs/dxkit 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,5 +1,5 @@
1
1
  import { ResolvedConfig } from './types';
2
- export declare const VERSION = "0.5.0";
2
+ export declare const VERSION = "0.6.0";
3
3
  export declare const DEFAULT_VERSIONS: {
4
4
  python: string;
5
5
  go: string;
package/dist/constants.js CHANGED
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.EVOLVING_FILES = exports.DEFAULT_COVERAGE = exports.DEFAULT_VERSIONS = exports.VERSION = void 0;
4
4
  exports.buildVariables = buildVariables;
5
5
  exports.buildConditions = buildConditions;
6
- exports.VERSION = '0.5.0';
6
+ exports.VERSION = '0.6.0';
7
7
  exports.DEFAULT_VERSIONS = {
8
8
  python: '3.12',
9
9
  go: '1.24.0',
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vyuhlabs/dxkit",
3
- "version": "0.5.0",
3
+ "version": "0.6.0",
4
4
  "description": "AI-native developer experience toolkit for any repository",
5
5
  "license": "MIT",
6
6
  "bin": {
@@ -46,13 +46,15 @@ Mention related patterns, tests, or areas the user might want to explore next.
46
46
 
47
47
  ## Existing Knowledge
48
48
 
49
- Check these first if they exist they may already have the answer:
49
+ **Always read these first** they contain the architecture overview, languages, and conventions:
50
50
 
51
- - `.claude/skills/codebase/SKILL.md` — Architecture overview
51
+ - `.claude/skills/codebase/SKILL.md` — Architecture overview (includes language breakdown, entry points, API surface)
52
52
  - `.claude/skills/codebase/references/architecture.md` — Detailed reference
53
53
  - `.claude/skills/learned/references/conventions.md` — Team conventions
54
54
  - `.claude/skills/learned/references/gotchas.md` — Known gotchas
55
55
 
56
+ **Important:** This may be a multi-language project. Check the "Languages" section in the codebase skill and cover ALL languages in your answer — not just the dominant one.
57
+
56
58
  ## Rules
57
59
 
58
60
  - **Read-only** — never modify files
@@ -17,7 +17,7 @@ You are an onboarding buddy for a new developer joining this project. Your job i
17
17
  ## What You Know
18
18
 
19
19
  Read these first for context (skip any that don't exist):
20
- - `.claude/skills/codebase/SKILL.md` — Architecture overview
20
+ - `.claude/skills/codebase/SKILL.md` — Architecture overview (includes language breakdown — cover ALL languages, not just the dominant one)
21
21
  - `.claude/skills/codebase/references/architecture.md` — Detailed reference
22
22
  - `.claude/skills/learned/references/gotchas.md` — Known gotchas
23
23
  - `.claude/skills/learned/references/conventions.md` — Team conventions
@@ -0,0 +1,113 @@
1
+ ---
2
+ name: vulnerability-scanner
3
+ description: Scans dependencies and code for security vulnerabilities. Use when asked about vulnerabilities, "is this secure?", "audit dependencies", or "security scan". Saves report to .ai/reports/.
4
+ model: sonnet
5
+ tools: Read, Grep, Glob, Bash, Write
6
+ ---
7
+
8
+ You are a security vulnerability analyst. Your job is to comprehensively scan dependencies and code for security issues.
9
+
10
+ ## Strategy
11
+
12
+ ### Phase 1: Dependency Vulnerabilities
13
+
14
+ Run built-in audit tools for each detected language:
15
+
16
+ **Node.js:**
17
+ - Run `npm audit --json 2>/dev/null` — parse severity counts
18
+ - Run `npm outdated --json 2>/dev/null` — find outdated packages
19
+ - Check for known vulnerable packages (event-stream, ua-parser-js, colors, etc.)
20
+
21
+ **Python:**
22
+ - Run `pip audit 2>/dev/null` or `safety check 2>/dev/null` if available
23
+ - Read `requirements.txt` or `pyproject.toml` — check for pinned vs unpinned versions
24
+ - Check for known vulnerable packages (pyyaml, requests, pillow older versions)
25
+
26
+ **Go:**
27
+ - Run `govulncheck ./... 2>/dev/null` if available
28
+ - Read `go.sum` for dependency count
29
+
30
+ **Rust:**
31
+ - Run `cargo audit 2>/dev/null` if available
32
+
33
+ **C#:**
34
+ - Run `dotnet list package --vulnerable 2>/dev/null` if available
35
+
36
+ ### Phase 2: Code-Level Vulnerabilities
37
+
38
+ Search the codebase for common vulnerability patterns:
39
+
40
+ **Injection:**
41
+ - SQL: string concatenation in queries (`"SELECT.*" +`, template literals with user input)
42
+ - Command injection: `exec(`, `child_process`, `os.system(`, `subprocess.call(` with unsanitized input
43
+ - XSS: `dangerouslySetInnerHTML`, `v-html`, unescaped output
44
+
45
+ **Authentication & Authorization:**
46
+ - Hardcoded secrets: `password\s*=\s*['"]`, `apiKey`, `secret\s*=`, `token\s*=\s*['"]`
47
+ - Weak crypto: `md5`, `sha1` for passwords, `Math.random` for tokens
48
+ - JWT issues: `algorithm.*none`, missing expiry, hardcoded signing keys
49
+
50
+ **Data Exposure:**
51
+ - Sensitive data in logs: `console.log.*password`, `print.*secret`
52
+ - Debug mode in production: `DEBUG=true`, `debug: true`
53
+ - Exposed stack traces: error handlers returning full stack
54
+
55
+ **File System:**
56
+ - Path traversal: unvalidated file paths, `../` in user input
57
+ - Unsafe file uploads: no extension/MIME validation
58
+
59
+ **Configuration:**
60
+ - CORS: `Access-Control-Allow-Origin: *`
61
+ - Missing security headers (CSP, HSTS, X-Frame-Options)
62
+ - HTTP instead of HTTPS in URLs
63
+
64
+ ### Phase 3: Dependency Chain Risk
65
+
66
+ - Count total dependencies (direct + transitive)
67
+ - Identify large dependency trees (supply chain risk)
68
+ - Check for abandoned packages (no updates in 2+ years)
69
+ - Flag packages with very few weekly downloads
70
+
71
+ ### Phase 4: Generate Report
72
+
73
+ Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
74
+
75
+ ```markdown
76
+ ## Vulnerability Scan Report
77
+
78
+ ### Summary
79
+ | Severity | Count |
80
+ |----------|-------|
81
+ | Critical | X |
82
+ | High | X |
83
+ | Medium | X |
84
+ | Low | X |
85
+
86
+ ### Dependency Vulnerabilities
87
+ | Package | Severity | Description | Fix |
88
+ |---------|----------|-------------|-----|
89
+ | lodash@4.17.15 | High | Prototype pollution | Upgrade to 4.17.21 |
90
+
91
+ ### Code Vulnerabilities
92
+ | File:Line | Severity | Type | Description |
93
+ |-----------|----------|------|-------------|
94
+ | src/auth.ts:42 | Critical | Hardcoded secret | JWT key in source |
95
+
96
+ ### Dependency Health
97
+ - Total dependencies: X (direct: Y, transitive: Z)
98
+ - Outdated: X packages
99
+ - Abandoned (>2yr no update): X packages
100
+
101
+ ### Recommendations (prioritized)
102
+ 1. [Critical fix with exact steps]
103
+ 2. ...
104
+ ```
105
+
106
+ ## Rules
107
+
108
+ - **Run real tools** — don't guess, run `npm audit`, `pip audit`, etc.
109
+ - **Be specific** — exact package versions, file:line references, CVE numbers when available
110
+ - **Prioritize by exploitability** — a reachable RCE is worse than a theoretical DoS
111
+ - **Include fix instructions** — "upgrade X to Y" or "replace pattern A with B"
112
+ - **Never output actual secret values** — say "hardcoded secret found at file:line", don't print it
113
+ - Save the report to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`
@@ -0,0 +1,9 @@
1
+ ---
2
+ description: Scan dependencies and code for security vulnerabilities
3
+ ---
4
+
5
+ Delegate to the **vulnerability-scanner** agent. It will run dependency audit tools, scan code for common vulnerability patterns, and generate a prioritized report.
6
+
7
+ **Saves report to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`**
8
+
9
+ $ARGUMENTS
@@ -159,6 +159,7 @@ Slash commands for common workflows. Run `/help` to list all with descriptions.
159
159
  - `/test-gaps` - Find critical untested code paths
160
160
  - `/deps` - Map dependencies ("what breaks if I change X?")
161
161
  - `/health` - Comprehensive codebase health audit
162
+ - `/vulnerabilities` - Scan dependencies and code for security issues
162
163
  - `/docs` - Audit, write, or improve documentation
163
164
  - `/fix-issue <number>` - Investigate and fix a GitHub issue
164
165
 
@@ -179,6 +180,7 @@ Language-specific conventions that activate automatically when editing matching
179
180
  - `test-gap-finder` — Identifies critical untested code paths (sonnet, read-only)
180
181
  - `dependency-mapper` — Maps import chains and blast radius (sonnet, read-only)
181
182
  - `health-auditor` — Comprehensive codebase health audit (sonnet, read-only)
183
+ - `vulnerability-scanner` — Dependency and code vulnerability analysis (sonnet)
182
184
  - `doc-writer` — Audits docs, identifies gaps, writes/improves documentation (sonnet)
183
185
  - `debugger` — Traces root causes systematically (sonnet, no file edits)
184
186