@vyuhlabs/dxkit 1.5.0 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +272 -0
- package/README.md +272 -358
- package/THIRD_PARTY_NOTICES.md +40 -0
- package/dist/analyzers/developer/detailed.d.ts +26 -0
- package/dist/analyzers/developer/detailed.d.ts.map +1 -0
- package/dist/analyzers/developer/detailed.js +193 -0
- package/dist/analyzers/developer/detailed.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts +11 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -0
- package/dist/analyzers/developer/gather.js +167 -0
- package/dist/analyzers/developer/gather.js.map +1 -0
- package/dist/analyzers/developer/index.d.ts +8 -0
- package/dist/analyzers/developer/index.d.ts.map +1 -0
- package/dist/analyzers/developer/index.js +168 -0
- package/dist/analyzers/developer/index.js.map +1 -0
- package/dist/analyzers/developer/types.d.ts +49 -0
- package/dist/analyzers/developer/types.d.ts.map +1 -0
- package/dist/analyzers/developer/types.js +6 -0
- package/dist/analyzers/developer/types.js.map +1 -0
- package/dist/analyzers/docs/shallow.d.ts +9 -0
- package/dist/analyzers/docs/shallow.d.ts.map +1 -0
- package/dist/analyzers/docs/shallow.js +8 -0
- package/dist/analyzers/docs/shallow.js.map +1 -0
- package/dist/analyzers/dx/shallow.d.ts +9 -0
- package/dist/analyzers/dx/shallow.d.ts.map +1 -0
- package/dist/analyzers/dx/shallow.js +8 -0
- package/dist/analyzers/dx/shallow.js.map +1 -0
- package/dist/analyzers/evidence.d.ts +36 -0
- package/dist/analyzers/evidence.d.ts.map +1 -0
- package/dist/analyzers/evidence.js +3 -0
- package/dist/analyzers/evidence.js.map +1 -0
- package/dist/analyzers/health/actions.d.ts +10 -0
- package/dist/analyzers/health/actions.d.ts.map +1 -0
- package/dist/analyzers/health/actions.js +284 -0
- package/dist/analyzers/health/actions.js.map +1 -0
- package/dist/analyzers/health/detailed.d.ts +26 -0
- package/dist/analyzers/health/detailed.d.ts.map +1 -0
- package/dist/analyzers/health/detailed.js +147 -0
- package/dist/analyzers/health/detailed.js.map +1 -0
- package/dist/analyzers/health.d.ts +22 -0
- package/dist/analyzers/health.d.ts.map +1 -0
- package/dist/analyzers/health.js +270 -0
- package/dist/analyzers/health.js.map +1 -0
- package/dist/analyzers/index.d.ts +3 -0
- package/dist/analyzers/index.d.ts.map +1 -0
- package/dist/analyzers/index.js +6 -0
- package/dist/analyzers/index.js.map +1 -0
- package/dist/analyzers/maintainability/shallow.d.ts +9 -0
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -0
- package/dist/analyzers/maintainability/shallow.js +8 -0
- package/dist/analyzers/maintainability/shallow.js.map +1 -0
- package/dist/analyzers/quality/actions.d.ts +5 -0
- package/dist/analyzers/quality/actions.d.ts.map +1 -0
- package/dist/analyzers/quality/actions.js +158 -0
- package/dist/analyzers/quality/actions.js.map +1 -0
- package/dist/analyzers/quality/detailed.d.ts +17 -0
- package/dist/analyzers/quality/detailed.d.ts.map +1 -0
- package/dist/analyzers/quality/detailed.js +122 -0
- package/dist/analyzers/quality/detailed.js.map +1 -0
- package/dist/analyzers/quality/gather.d.ts +38 -0
- package/dist/analyzers/quality/gather.d.ts.map +1 -0
- package/dist/analyzers/quality/gather.js +279 -0
- package/dist/analyzers/quality/gather.js.map +1 -0
- package/dist/analyzers/quality/index.d.ts +12 -0
- package/dist/analyzers/quality/index.d.ts.map +1 -0
- package/dist/analyzers/quality/index.js +281 -0
- package/dist/analyzers/quality/index.js.map +1 -0
- package/dist/analyzers/quality/shallow.d.ts +9 -0
- package/dist/analyzers/quality/shallow.d.ts.map +1 -0
- package/dist/analyzers/quality/shallow.js +8 -0
- package/dist/analyzers/quality/shallow.js.map +1 -0
- package/dist/analyzers/quality/types.d.ts +66 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -0
- package/dist/analyzers/quality/types.js +3 -0
- package/dist/analyzers/quality/types.js.map +1 -0
- package/dist/analyzers/remediation.d.ts +42 -0
- package/dist/analyzers/remediation.d.ts.map +1 -0
- package/dist/analyzers/remediation.js +28 -0
- package/dist/analyzers/remediation.js.map +1 -0
- package/dist/analyzers/scoring.d.ts +32 -0
- package/dist/analyzers/scoring.d.ts.map +1 -0
- package/dist/analyzers/scoring.js +410 -0
- package/dist/analyzers/scoring.js.map +1 -0
- package/dist/analyzers/security/actions.d.ts +7 -0
- package/dist/analyzers/security/actions.d.ts.map +1 -0
- package/dist/analyzers/security/actions.js +104 -0
- package/dist/analyzers/security/actions.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +14 -0
- package/dist/analyzers/security/detailed.d.ts.map +1 -0
- package/dist/analyzers/security/detailed.js +124 -0
- package/dist/analyzers/security/detailed.js.map +1 -0
- package/dist/analyzers/security/gather.d.ts +12 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -0
- package/dist/analyzers/security/gather.js +195 -0
- package/dist/analyzers/security/gather.js.map +1 -0
- package/dist/analyzers/security/index.d.ts +8 -0
- package/dist/analyzers/security/index.d.ts.map +1 -0
- package/dist/analyzers/security/index.js +173 -0
- package/dist/analyzers/security/index.js.map +1 -0
- package/dist/analyzers/security/scoring.d.ts +29 -0
- package/dist/analyzers/security/scoring.d.ts.map +1 -0
- package/dist/analyzers/security/scoring.js +40 -0
- package/dist/analyzers/security/scoring.js.map +1 -0
- package/dist/analyzers/security/shallow.d.ts +10 -0
- package/dist/analyzers/security/shallow.d.ts.map +1 -0
- package/dist/analyzers/security/shallow.js +8 -0
- package/dist/analyzers/security/shallow.js.map +1 -0
- package/dist/analyzers/security/types.d.ts +43 -0
- package/dist/analyzers/security/types.d.ts.map +1 -0
- package/dist/analyzers/security/types.js +6 -0
- package/dist/analyzers/security/types.js.map +1 -0
- package/dist/analyzers/tests/actions.d.ts +6 -0
- package/dist/analyzers/tests/actions.d.ts.map +1 -0
- package/dist/analyzers/tests/actions.js +80 -0
- package/dist/analyzers/tests/actions.js.map +1 -0
- package/dist/analyzers/tests/detailed.d.ts +14 -0
- package/dist/analyzers/tests/detailed.d.ts.map +1 -0
- package/dist/analyzers/tests/detailed.js +121 -0
- package/dist/analyzers/tests/detailed.js.map +1 -0
- package/dist/analyzers/tests/gather.d.ts +5 -0
- package/dist/analyzers/tests/gather.d.ts.map +1 -0
- package/dist/analyzers/tests/gather.js +270 -0
- package/dist/analyzers/tests/gather.js.map +1 -0
- package/dist/analyzers/tests/import-graph.d.ts +48 -0
- package/dist/analyzers/tests/import-graph.d.ts.map +1 -0
- package/dist/analyzers/tests/import-graph.js +231 -0
- package/dist/analyzers/tests/import-graph.js.map +1 -0
- package/dist/analyzers/tests/index.d.ts +8 -0
- package/dist/analyzers/tests/index.d.ts.map +1 -0
- package/dist/analyzers/tests/index.js +247 -0
- package/dist/analyzers/tests/index.js.map +1 -0
- package/dist/analyzers/tests/scoring.d.ts +27 -0
- package/dist/analyzers/tests/scoring.d.ts.map +1 -0
- package/dist/analyzers/tests/scoring.js +38 -0
- package/dist/analyzers/tests/scoring.js.map +1 -0
- package/dist/analyzers/tests/shallow.d.ts +9 -0
- package/dist/analyzers/tests/shallow.d.ts.map +1 -0
- package/dist/analyzers/tests/shallow.js +8 -0
- package/dist/analyzers/tests/shallow.js.map +1 -0
- package/dist/analyzers/tests/types.d.ts +49 -0
- package/dist/analyzers/tests/types.d.ts.map +1 -0
- package/dist/analyzers/tests/types.js +6 -0
- package/dist/analyzers/tests/types.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts +8 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -0
- package/dist/analyzers/tools/cloc.js +49 -0
- package/dist/analyzers/tools/cloc.js.map +1 -0
- package/dist/analyzers/tools/coverage.d.ts +59 -0
- package/dist/analyzers/tools/coverage.d.ts.map +1 -0
- package/dist/analyzers/tools/coverage.js +280 -0
- package/dist/analyzers/tools/coverage.js.map +1 -0
- package/dist/analyzers/tools/cvss-v4-lookup.d.ts +10 -0
- package/dist/analyzers/tools/cvss-v4-lookup.d.ts.map +1 -0
- package/dist/analyzers/tools/cvss-v4-lookup.js +284 -0
- package/dist/analyzers/tools/cvss-v4-lookup.js.map +1 -0
- package/dist/analyzers/tools/cvss-v4.d.ts +24 -0
- package/dist/analyzers/tools/cvss-v4.d.ts.map +1 -0
- package/dist/analyzers/tools/cvss-v4.js +362 -0
- package/dist/analyzers/tools/cvss-v4.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +56 -0
- package/dist/analyzers/tools/exclusions.d.ts +70 -0
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -0
- package/dist/analyzers/tools/exclusions.js +250 -0
- package/dist/analyzers/tools/exclusions.js.map +1 -0
- package/dist/analyzers/tools/generic.d.ts +4 -0
- package/dist/analyzers/tools/generic.d.ts.map +1 -0
- package/dist/analyzers/tools/generic.js +198 -0
- package/dist/analyzers/tools/generic.js.map +1 -0
- package/dist/analyzers/tools/gitleaks.d.ts +8 -0
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -0
- package/dist/analyzers/tools/gitleaks.js +58 -0
- package/dist/analyzers/tools/gitleaks.js.map +1 -0
- package/dist/analyzers/tools/graphify.d.ts +4 -0
- package/dist/analyzers/tools/graphify.d.ts.map +1 -0
- package/dist/analyzers/tools/graphify.js +222 -0
- package/dist/analyzers/tools/graphify.js.map +1 -0
- package/dist/analyzers/tools/osv.d.ts +51 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -0
- package/dist/analyzers/tools/osv.js +188 -0
- package/dist/analyzers/tools/osv.js.map +1 -0
- package/dist/analyzers/tools/parallel.d.ts +8 -0
- package/dist/analyzers/tools/parallel.d.ts.map +1 -0
- package/dist/analyzers/tools/parallel.js +195 -0
- package/dist/analyzers/tools/parallel.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts +13 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -0
- package/dist/analyzers/tools/runner.js +109 -0
- package/dist/analyzers/tools/runner.js.map +1 -0
- package/dist/analyzers/tools/suppressions.d.ts +55 -0
- package/dist/analyzers/tools/suppressions.d.ts.map +1 -0
- package/dist/analyzers/tools/suppressions.js +203 -0
- package/dist/analyzers/tools/suppressions.js.map +1 -0
- package/dist/analyzers/tools/timing.d.ts +9 -0
- package/dist/analyzers/tools/timing.d.ts.map +1 -0
- package/dist/analyzers/tools/timing.js +29 -0
- package/dist/analyzers/tools/timing.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts +86 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -0
- package/dist/analyzers/tools/tool-registry.js +705 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -0
- package/dist/analyzers/types.d.ts +125 -0
- package/dist/analyzers/types.d.ts.map +1 -0
- package/dist/analyzers/types.js +11 -0
- package/dist/analyzers/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +462 -0
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -15
- package/dist/detect.js.map +1 -1
- package/dist/languages/csharp.d.ts +5 -0
- package/dist/languages/csharp.d.ts.map +1 -0
- package/dist/languages/csharp.js +265 -0
- package/dist/languages/csharp.js.map +1 -0
- package/dist/languages/go.d.ts +11 -0
- package/dist/languages/go.d.ts.map +1 -0
- package/dist/languages/go.js +321 -0
- package/dist/languages/go.js.map +1 -0
- package/dist/languages/index.d.ts +6 -0
- package/dist/languages/index.d.ts.map +1 -0
- package/dist/languages/index.js +18 -0
- package/dist/languages/index.js.map +1 -0
- package/dist/languages/python.d.ts +3 -0
- package/dist/languages/python.d.ts.map +1 -0
- package/dist/languages/python.js +284 -0
- package/dist/languages/python.js.map +1 -0
- package/dist/languages/rust.d.ts +17 -0
- package/dist/languages/rust.d.ts.map +1 -0
- package/dist/languages/rust.js +333 -0
- package/dist/languages/rust.js.map +1 -0
- package/dist/languages/types.d.ts +38 -0
- package/dist/languages/types.d.ts.map +1 -0
- package/dist/languages/types.js +3 -0
- package/dist/languages/types.js.map +1 -0
- package/dist/languages/typescript.d.ts +15 -0
- package/dist/languages/typescript.d.ts.map +1 -0
- package/dist/languages/typescript.js +353 -0
- package/dist/languages/typescript.js.map +1 -0
- package/dist/logger.d.ts +1 -0
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +25 -12
- package/dist/logger.js.map +1 -1
- package/dist/project-yaml.d.ts.map +1 -1
- package/dist/project-yaml.js +1 -0
- package/dist/project-yaml.js.map +1 -1
- package/dist/tools-cli.d.ts +2 -0
- package/dist/tools-cli.d.ts.map +1 -0
- package/dist/tools-cli.js +231 -0
- package/dist/tools-cli.js.map +1 -0
- package/dist/types.d.ts +10 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +6 -2
- package/templates/.claude/commands/dev-report.md +34 -4
- package/templates/.claude/commands/health.md +45 -2
- package/templates/.claude/commands/quality.md.template +38 -15
- package/templates/.claude/commands/test-gaps.md +36 -2
- package/templates/.claude/commands/vulnerabilities.md +36 -2
- package/templates/.project/scripts/setup/interactive-setup.sh +6 -2
package/README.md
CHANGED
|
@@ -1,426 +1,286 @@
|
|
|
1
1
|
# @vyuhlabs/dxkit
|
|
2
2
|
|
|
3
|
-
AI-native
|
|
3
|
+
AI-native analyzer and scaffolder for any repository. Two modes in one CLI:
|
|
4
|
+
|
|
5
|
+
1. **Analyze** any repo deterministically — health, security, test gaps, code quality, developer activity — in seconds, no LLM required.
|
|
6
|
+
2. **Scaffold** `.claude/` agents, skills, commands, and hooks tuned to your stack.
|
|
7
|
+
|
|
8
|
+
Built so agent-written code has deterministic guardrails before it ships. Scores don't move just because an LLM had a different mood today.
|
|
4
9
|
|
|
5
10
|
## Quick Start
|
|
6
11
|
|
|
12
|
+
**Analyze an existing repo:**
|
|
13
|
+
|
|
7
14
|
```bash
|
|
8
|
-
|
|
9
|
-
npx @vyuhlabs/dxkit
|
|
15
|
+
cd your-repo
|
|
16
|
+
npx @vyuhlabs/dxkit tools install --yes # one-time: install cloc, gitleaks, etc.
|
|
17
|
+
npx @vyuhlabs/dxkit health --detailed # 5-dimension score + remediation plan
|
|
18
|
+
npx @vyuhlabs/dxkit vulnerabilities # secret + SAST + dep-audit scan
|
|
19
|
+
npx @vyuhlabs/dxkit test-gaps # import-graph + coverage-aware
|
|
20
|
+
```
|
|
10
21
|
|
|
11
|
-
|
|
12
|
-
npx @vyuhlabs/dxkit init
|
|
22
|
+
**Scaffold AI tooling into a repo:**
|
|
13
23
|
|
|
14
|
-
|
|
15
|
-
npx @vyuhlabs/dxkit init --
|
|
24
|
+
```bash
|
|
25
|
+
npx @vyuhlabs/dxkit init --detect # auto-detect stack, minimal prompts
|
|
26
|
+
npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks + CI
|
|
16
27
|
```
|
|
17
28
|
|
|
18
|
-
|
|
29
|
+
The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
|
|
19
30
|
|
|
20
|
-
|
|
31
|
+
---
|
|
21
32
|
|
|
22
|
-
|
|
23
|
-
.claude/
|
|
24
|
-
settings.json # Permissions, deny list, learning hooks
|
|
25
|
-
agents/ # Active agents (auto-trigger on matching questions)
|
|
26
|
-
knowledge-bot.md # Answers codebase questions
|
|
27
|
-
onboarding.md # Interactive onboarding buddy
|
|
28
|
-
quality-reviewer.md # Reviews code before committing
|
|
29
|
-
doc-writer.md # Audits and writes documentation
|
|
30
|
-
agents-available/ # Dormant agents (activate with /enable-agent)
|
|
31
|
-
codebase-explorer.md # Deep architecture analysis
|
|
32
|
-
code-reviewer.md # PR review and security audit
|
|
33
|
-
test-writer.md # Writes tests for existing code
|
|
34
|
-
test-gap-finder.md # Identifies untested critical code
|
|
35
|
-
dependency-mapper.md # Maps import chains and blast radius
|
|
36
|
-
health-auditor.md # 6-dimension codebase health audit
|
|
37
|
-
vulnerability-scanner.md # CWE-classified security scan (Snyk-comparable)
|
|
38
|
-
dev-report.md # Developer activity + quality attribution
|
|
39
|
-
dashboard-builder.md # HTML dashboard from all reports
|
|
40
|
-
hooks-configurator.md # Git hooks from DXKit commands
|
|
41
|
-
debugger.md # Root cause analysis
|
|
42
|
-
commands/ # 26 slash commands (see below)
|
|
43
|
-
skills/ # Domain knowledge
|
|
44
|
-
codebase/ # Auto-generated architecture overview
|
|
45
|
-
learned/ # Evolving gotchas, conventions, deny list
|
|
46
|
-
rules/ # Path-scoped rules (per language + framework)
|
|
47
|
-
CLAUDE.md # Main context file for Claude Code
|
|
48
|
-
.ai/
|
|
49
|
-
sessions/ # Session checkpoints
|
|
50
|
-
reports/ # Generated reports (health, vulnerabilities, etc.)
|
|
51
|
-
.github/
|
|
52
|
-
workflows/
|
|
53
|
-
pr-review.yml # Automated PR review (opt-in)
|
|
54
|
-
```
|
|
33
|
+
## Analyzer CLI (`vyuh-dxkit <command>`)
|
|
55
34
|
|
|
56
|
-
|
|
35
|
+
Five deterministic analyzers. Each emits a markdown report to `.ai/reports/` and optional structured JSON.
|
|
57
36
|
|
|
58
|
-
|
|
|
59
|
-
|
|
|
60
|
-
|
|
|
61
|
-
|
|
|
62
|
-
|
|
|
63
|
-
|
|
|
64
|
-
|
|
|
37
|
+
| Command | What it does | Runtime | Output |
|
|
38
|
+
| ----------------- | --------------------------------------------------------------- | ------- | ------------------------------------------ |
|
|
39
|
+
| `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.ai/reports/health-audit-<date>.md` |
|
|
40
|
+
| `vulnerabilities` | gitleaks + semgrep + `npm audit` / `pip-audit` | 5–30s | `.ai/reports/vulnerability-scan-<date>.md` |
|
|
41
|
+
| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins) | <1s | `.ai/reports/test-gaps-<date>.md` |
|
|
42
|
+
| `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.ai/reports/quality-review-<date>.md` |
|
|
43
|
+
| `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.ai/reports/developer-report-<date>.md` |
|
|
65
44
|
|
|
66
|
-
|
|
45
|
+
### Flags (apply to all analyzer commands)
|
|
67
46
|
|
|
68
|
-
|
|
47
|
+
| Flag | Effect |
|
|
48
|
+
| ---------------- | ------------------------------------------------------------------------------------- |
|
|
49
|
+
| `--detailed` | Also writes `<name>-detailed.md` + `.json` with evidence + ranked remediation actions |
|
|
50
|
+
| `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
|
|
51
|
+
| `--verbose` | Print per-tool timing to stderr |
|
|
52
|
+
| `--no-save` | Skip writing markdown; useful with `--json` |
|
|
53
|
+
| `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
|
|
69
54
|
|
|
70
|
-
|
|
55
|
+
### Detailed mode — evidence + ranked fixes
|
|
71
56
|
|
|
72
|
-
|
|
73
|
-
- **Express** — Middleware/routing conventions, error handling patterns
|
|
74
|
-
- **NestJS**, **Fastify**, **Koa**, **Hapi** — Detected (rules coming soon)
|
|
75
|
-
- **FastAPI**, **Django**, **Flask** — Detected (rules coming soon)
|
|
76
|
-
- **Gin**, **Echo**, **Fiber** — Detected (rules coming soon)
|
|
57
|
+
`--detailed` writes a second pair of files with:
|
|
77
58
|
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
- **Google Cloud** (gcloud) — SDK commands, security rules
|
|
83
|
-
- **Infisical** — Secrets management, never-leak rules
|
|
84
|
-
- **Pulumi** — IaC with preview-before-apply safety
|
|
85
|
-
- **Docker** — Container commands
|
|
86
|
-
|
|
87
|
-
## Commands (30)
|
|
88
|
-
|
|
89
|
-
### Development Workflow
|
|
90
|
-
|
|
91
|
-
| Command | Description |
|
|
92
|
-
| ----------------- | --------------------------------------------------- |
|
|
93
|
-
| `/session-start` | Start an AI-assisted dev session |
|
|
94
|
-
| `/session-end` | End session, create checkpoint, evolve skills |
|
|
95
|
-
| `/ask <question>` | Ask about the codebase (delegates to knowledge-bot) |
|
|
96
|
-
| `/learn` | Capture a gotcha, convention, or thing to avoid |
|
|
97
|
-
|
|
98
|
-
### Quality & Testing
|
|
99
|
-
|
|
100
|
-
| Command | Description |
|
|
101
|
-
| ------------ | -------------------------------------------------------- |
|
|
102
|
-
| `/quality` | Run language-specific linters + AI review |
|
|
103
|
-
| `/test` | Run tests (auto-detected runner) |
|
|
104
|
-
| `/check` | Full pre-commit validation (quality + tests + AI review) |
|
|
105
|
-
| `/fix` | Auto-fix formatting and lint issues |
|
|
106
|
-
| `/build` | Build the project |
|
|
107
|
-
| `/test-gaps` | Find critical untested code paths |
|
|
108
|
-
|
|
109
|
-
### Analysis & Reports
|
|
110
|
-
|
|
111
|
-
| Command | Description | Output |
|
|
112
|
-
| ------------------ | ---------------------------------------------- | ------------------------------------- |
|
|
113
|
-
| `/health` | 6-dimension codebase health audit | `.ai/reports/health-audit-*.md` |
|
|
114
|
-
| `/vulnerabilities` | CWE-classified security scan (Snyk-comparable) | `.ai/reports/vulnerability-scan-*.md` |
|
|
115
|
-
| `/dev-report` | Developer activity + security attribution | `.ai/reports/developer-report-*.md` |
|
|
116
|
-
| `/docs audit` | Documentation gap analysis | `.ai/reports/docs-audit-*.md` |
|
|
117
|
-
| `/deps` | Dependency map + blast radius | `.ai/reports/dependency-map-*.md` |
|
|
118
|
-
| `/dashboard` | Generate HTML dashboard from all reports | `.ai/reports/dashboard.html` |
|
|
119
|
-
| `/export-pdf` | Convert markdown reports to PDF | `.ai/reports/*.pdf` |
|
|
120
|
-
|
|
121
|
-
### Planning & Execution — Fix Loop
|
|
122
|
-
|
|
123
|
-
| Command | Description | Output |
|
|
124
|
-
| ---------------------- | ----------------------------------------------------------- | -------------------------------------- |
|
|
125
|
-
| `/plan` | Analyze reports → propose KPIs → generate improvement plans | `.ai/plans/` |
|
|
126
|
-
| `/execute-plan <name>` | Execute a fix plan task by task with session checkpoints | `.ai/plans/progress/`, `.ai/sessions/` |
|
|
127
|
-
|
|
128
|
-
### Feature Development Loop
|
|
129
|
-
|
|
130
|
-
| Command | Description | Output |
|
|
131
|
-
| ------------------------ | -------------------------------------------------- | ----------------------------------------- |
|
|
132
|
-
| `/feature <description>` | Design new feature → implementation plan | `.ai/features/` |
|
|
133
|
-
| `/build-feature <slug>` | Build feature from plan with tests and conventions | `.ai/features/progress/`, `.ai/sessions/` |
|
|
134
|
-
|
|
135
|
-
### Exploration & Onboarding
|
|
136
|
-
|
|
137
|
-
| Command | Description |
|
|
138
|
-
| ------------------- | ----------------------------------------------- |
|
|
139
|
-
| `/onboarding` | Interactive onboarding buddy for new developers |
|
|
140
|
-
| `/explore-codebase` | Deep architecture exploration |
|
|
141
|
-
| `/help` | List all commands and agents |
|
|
142
|
-
|
|
143
|
-
### Setup & Hooks
|
|
144
|
-
|
|
145
|
-
| Command | Description |
|
|
146
|
-
| ---------------------- | ---------------------------------------------------------------------------------- |
|
|
147
|
-
| `/setup-hooks` | Configure git hooks (quality, test, vulnerability) — consistent with DXKit reports |
|
|
148
|
-
| `/stealth-mode` | Gitignore DXKit files + install hooks (DXKit local-only, hooks for all devs) |
|
|
149
|
-
| `/setup-pr-review` | Set up automated PR review GitHub Action |
|
|
150
|
-
| `/fix-issue <number>` | Investigate and fix a GitHub issue |
|
|
151
|
-
| `/doctor` | Diagnose environment issues |
|
|
152
|
-
| `/enable-agent <name>` | Activate a dormant agent |
|
|
153
|
-
|
|
154
|
-
## Agents
|
|
155
|
-
|
|
156
|
-
### Active by Default (4)
|
|
157
|
-
|
|
158
|
-
These agents auto-trigger when Claude detects a matching question:
|
|
159
|
-
|
|
160
|
-
- **knowledge-bot** — "How does auth work?" "Where are payments handled?"
|
|
161
|
-
- **onboarding** — "I'm new, help me get started" "What does this project do?"
|
|
162
|
-
- **quality-reviewer** — "Review my changes" "Check quality before I commit"
|
|
163
|
-
- **doc-writer** — "What needs documentation?" "Help me write docs"
|
|
59
|
+
- **Per-dimension plans** with a prioritized fix list
|
|
60
|
+
- **Evidence** for every finding (file, line, rule ID, tool, snippet)
|
|
61
|
+
- **Projected score delta** for each remediation action — so you know which fix moves the needle most
|
|
62
|
+
- **Canonical JSON** (`schemaVersion`) that agents or dashboards can consume
|
|
164
63
|
|
|
165
|
-
###
|
|
166
|
-
|
|
167
|
-
- **codebase-explorer** — Deep architecture analysis, generates documentation
|
|
168
|
-
- **code-reviewer** — PR review and security audit (read-only)
|
|
169
|
-
- **test-writer** — Writes tests for existing code
|
|
170
|
-
- **test-gap-finder** — Identifies critical untested code paths, prioritized by risk
|
|
171
|
-
- **dependency-mapper** — Maps import chains and blast radius of changes
|
|
172
|
-
- **health-auditor** — Comprehensive codebase health audit (scores 6 dimensions)
|
|
173
|
-
- **vulnerability-scanner** — CWE-classified security scan with Snyk-comparable depth
|
|
174
|
-
- **dev-report** — Developer activity, quality patterns, security attribution
|
|
175
|
-
- **dashboard-builder** — Generates HTML dashboard from all reports
|
|
176
|
-
- **strategic-planner** — Analyzes reports, proposes KPIs, generates improvement plans
|
|
177
|
-
- **plan-executor** — Executes fix plans task by task with session checkpoints
|
|
178
|
-
- **feature-planner** — Designs new features, generates implementation plans
|
|
179
|
-
- **feature-builder** — Implements features from plans with tests and conventions
|
|
180
|
-
- **hooks-configurator** — Configures scoped git hooks from DXKit commands
|
|
181
|
-
- **debugger** — Systematic root cause analysis
|
|
64
|
+
### Signal precedence (for `test-gaps` and the Testing dimension in `health`)
|
|
182
65
|
|
|
183
|
-
|
|
66
|
+
Three signals, strongest wins for files it covers:
|
|
184
67
|
|
|
185
|
-
|
|
68
|
+
1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust). If the tool measured a file, that decision is authoritative.
|
|
69
|
+
2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
|
|
70
|
+
3. **Filename match** — last-resort basename similarity.
|
|
186
71
|
|
|
187
|
-
|
|
188
|
-
.ai/reports/
|
|
189
|
-
health-audit-2026-03-30.md # Scores: tests, quality, docs, security, DX
|
|
190
|
-
vulnerability-scan-2026-03-30.md # CVEs, hardcoded secrets, dependency risks
|
|
191
|
-
developer-report-2026-03-30.md # Team activity, ownership, security attribution
|
|
192
|
-
test-gaps-2026-03-30.md # Critical untested code, prioritized by risk
|
|
193
|
-
docs-audit-2026-03-30.md # Documentation gaps and recommendations
|
|
194
|
-
dependency-map-2026-03-30.md # Import chains, most-depended-on files
|
|
195
|
-
```
|
|
72
|
+
A file counts as "tested" when the strongest available signal says so.
|
|
196
73
|
|
|
197
|
-
|
|
74
|
+
---
|
|
198
75
|
|
|
199
|
-
|
|
200
|
-
- **PDF**: `/export-pdf all` — converts all reports to PDF
|
|
76
|
+
## Tool Registry
|
|
201
77
|
|
|
202
|
-
|
|
78
|
+
Analyzers delegate to established tools instead of reinventing them. `vyuh-dxkit tools` manages detection and installation across multiple methods (PATH, brew, npm-g, pipx, cargo, go, project `node_modules`, system probes).
|
|
203
79
|
|
|
204
|
-
|
|
80
|
+
```bash
|
|
81
|
+
vyuh-dxkit tools # list tool status for the detected stack
|
|
82
|
+
vyuh-dxkit tools install --yes # install all missing tools
|
|
83
|
+
vyuh-dxkit tools install # interactive: prompts per tool
|
|
84
|
+
```
|
|
205
85
|
|
|
206
|
-
|
|
207
|
-
2. **`/learn` command** — Explicitly save gotchas, conventions, or things to avoid
|
|
208
|
-
3. **`/session-end`** — Creates checkpoint and evolves skill files
|
|
209
|
-
4. **Evolving files** — Append-only, never overwritten even with `--force`:
|
|
210
|
-
- `.claude/skills/learned/references/gotchas.md`
|
|
211
|
-
- `.claude/skills/learned/references/conventions.md`
|
|
212
|
-
- `.claude/skills/learned/references/deny-recommendations.md`
|
|
86
|
+
### Tools integrated
|
|
213
87
|
|
|
214
|
-
|
|
88
|
+
| Layer | Tools |
|
|
89
|
+
| --------- | -------------------------------------------------------- |
|
|
90
|
+
| Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
|
|
91
|
+
| Node / TS | `eslint`, `npm audit`, `@vitest/coverage-v8` |
|
|
92
|
+
| Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
|
|
93
|
+
| Go | `golangci-lint`, `govulncheck` |
|
|
94
|
+
| Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
|
|
95
|
+
| C# | `dotnet-format` (via SDK) |
|
|
215
96
|
|
|
216
|
-
|
|
97
|
+
Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
|
|
217
98
|
|
|
218
|
-
|
|
219
|
-
2. Add `ANTHROPIC_API_KEY` to repo secrets
|
|
99
|
+
---
|
|
220
100
|
|
|
221
|
-
|
|
101
|
+
## Config Files
|
|
222
102
|
|
|
223
|
-
|
|
103
|
+
### `.dxkit-ignore`
|
|
224
104
|
|
|
225
|
-
|
|
105
|
+
Plain-text `.gitignore`-style file. Lines here are added to the analyzer's exclusion set on top of the bundled defaults and project `.gitignore`.
|
|
226
106
|
|
|
227
107
|
```
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
108
|
+
# .dxkit-ignore — override project exclusions for dxkit analyzers
|
|
109
|
+
vendor-bundle/
|
|
110
|
+
*.gen.ts
|
|
231
111
|
```
|
|
232
112
|
|
|
233
|
-
|
|
234
|
-
- Hooks read from your `/quality`, `/test`, `/vulnerabilities` commands — no hardcoded tools
|
|
235
|
-
- Supports scoped testing: Jest `--changedSince`, Vitest `--changed`, pytest `--testmon`
|
|
236
|
-
- Works for all devs (plain bash, no Claude Code needed at runtime)
|
|
113
|
+
Three layers merge: bundled defaults → repo `.gitignore` → repo `.dxkit-ignore`.
|
|
237
114
|
|
|
238
|
-
###
|
|
115
|
+
### `.dxkit-suppressions.json`
|
|
239
116
|
|
|
240
|
-
|
|
117
|
+
Silence known-false positives without touching code. Currently wired to `gitleaks` (semgrep + slop-hook wiring in progress).
|
|
241
118
|
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
119
|
+
```json
|
|
120
|
+
{
|
|
121
|
+
"gitleaks": [
|
|
122
|
+
{
|
|
123
|
+
"rule": "generic-api-key",
|
|
124
|
+
"paths": ["test/fixtures/**", "**/*.test.ts"],
|
|
125
|
+
"reason": "Fake keys in test fixtures"
|
|
126
|
+
}
|
|
127
|
+
]
|
|
128
|
+
}
|
|
129
|
+
```
|
|
245
130
|
|
|
246
|
-
|
|
131
|
+
A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`.
|
|
247
132
|
|
|
248
|
-
|
|
133
|
+
### `.project.yaml` (optional, for scaffolding)
|
|
249
134
|
|
|
250
|
-
|
|
251
|
-
| ------------------------ | -------- | -------------------------------------------------------- |
|
|
252
|
-
| Command Injection | CWE-78 | `exec()`, `child_process`, unsanitized input |
|
|
253
|
-
| Decompression Bomb | CWE-409 | zlib/tar/decompress without size limits |
|
|
254
|
-
| Uncontrolled Recursion | CWE-674 | JSON/XML/YAML parsers without depth limits |
|
|
255
|
-
| Arbitrary File Upload | CWE-434 | multer/formidable/busboy without validation |
|
|
256
|
-
| Buffer Overflow | CWE-120 | Native modules (binding.gyp, .node files) |
|
|
257
|
-
| Resource Exhaustion | CWE-770 | Missing rate limits, body size limits, WebSocket payload |
|
|
258
|
-
| Hardcoded Secrets | CWE-798 | Passwords, API keys, tokens in source |
|
|
259
|
-
| Prototype Pollution | CWE-1321 | Via dependency audit CWE extraction |
|
|
260
|
-
| + 15 more CWE categories | | Parsed from `npm audit --json` CWE fields |
|
|
135
|
+
When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` reads it as the config source — skipping detection and prompts. See [Scaffolding mode](#scaffolding-mode) below.
|
|
261
136
|
|
|
262
|
-
|
|
137
|
+
---
|
|
263
138
|
|
|
264
|
-
##
|
|
139
|
+
## Language Support
|
|
265
140
|
|
|
266
|
-
|
|
267
|
-
- **Framework** — Detects LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
|
|
268
|
-
- **Test presence** — Counts test files vs source files, warns about minimal coverage
|
|
269
|
-
- **Multi-language** — Detects all languages including Python from `.py` files (no config file required)
|
|
270
|
-
- **Language breakdown** — Shows file count per language in codebase skill for accurate analysis
|
|
141
|
+
Each language is a single `LanguageSupport` implementation in `src/languages/`. Adding a new language is one file — detection, tools, coverage parsing, import extraction, and lint severity mapping in one place.
|
|
271
142
|
|
|
272
|
-
|
|
143
|
+
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
144
|
+
| -------- | ------------------------------------ | ------------------- | --------------------------- | ----------------------------------- | ---------------------- | ----------------------------------- |
|
|
145
|
+
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
146
|
+
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
147
|
+
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
148
|
+
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ✅ use statements | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
149
|
+
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ✅ using declarations | dotnet-format | — (formatter) | ✅ dotnet list --vulnerable |
|
|
273
150
|
|
|
274
|
-
|
|
151
|
+
✅ full support. Multi-language repos fully supported — every detected language's tools run, and `depVuln*` counts aggregate across all language packs (pip-audit findings don't silently replace npm-audit ones).
|
|
275
152
|
|
|
276
|
-
|
|
153
|
+
**Severity enrichment.** Scanners that don't publish per-finding severity (pip-audit, govulncheck) are enriched via the OSV.dev API. DXKit ships a complete CVSS v4.0 base-score calculator (macrovector lookup + severity-distance refinement, ported from [FIRST's reference implementation](https://github.com/FIRSTdotorg/cvss-v4-calculator)) since modern CVEs (2025+) increasingly publish v4 vectors exclusively. Unreachable IDs keep the scanner's legacy default bucket — the analyzer never fails because OSV was slow.
|
|
277
154
|
|
|
278
|
-
|
|
279
|
-
# create-devstack writes .project.yaml + .devcontainer/, then calls dxkit
|
|
280
|
-
npm create @vyuhlabs/devstack my-project
|
|
155
|
+
**Lint severity tiering.** Every lint finding is categorized into critical/high/medium/low by rule ID, linter name, or lint group. For backward compatibility, `gatherMetrics` collapses tiers to the existing `lintErrors` (critical + high) / `lintWarnings` (medium + low) fields, so scoring behavior is preserved. The tiered data is available for future analyzers that want finer granularity.
|
|
281
156
|
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
157
|
+
---
|
|
158
|
+
|
|
159
|
+
## Scaffolding Mode
|
|
160
|
+
|
|
161
|
+
Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with 4 active + 17 opt-in agents, 30 slash commands, skills, path-scoped rules, and hooks.
|
|
286
162
|
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
infrastructure:
|
|
304
|
-
postgres:
|
|
305
|
-
enabled: true
|
|
306
|
-
version: '16'
|
|
307
|
-
tools:
|
|
308
|
-
claude_code: true
|
|
309
|
-
precommit: true
|
|
310
|
-
docker: true
|
|
311
|
-
gcloud: false
|
|
163
|
+
```
|
|
164
|
+
.claude/
|
|
165
|
+
settings.json # Permissions, deny list, learning hooks
|
|
166
|
+
agents/ # Active agents (auto-trigger on matching questions)
|
|
167
|
+
knowledge-bot.md # Answers codebase questions
|
|
168
|
+
onboarding.md # Interactive onboarding buddy
|
|
169
|
+
quality-reviewer.md # Reviews code before committing
|
|
170
|
+
doc-writer.md # Audits and writes documentation
|
|
171
|
+
agents-available/ # 17 dormant agents (activate with /enable-agent)
|
|
172
|
+
commands/ # 30 slash commands
|
|
173
|
+
skills/ # Domain knowledge
|
|
174
|
+
rules/ # Path-scoped rules (per language + framework)
|
|
175
|
+
CLAUDE.md # Main context file for Claude Code
|
|
176
|
+
.ai/
|
|
177
|
+
sessions/ # Session checkpoints
|
|
178
|
+
reports/ # Generated reports (health, vulnerabilities, etc.)
|
|
312
179
|
```
|
|
313
180
|
|
|
314
|
-
|
|
181
|
+
### Slash commands → native CLI delegation
|
|
315
182
|
|
|
316
|
-
|
|
183
|
+
The scaffolded slash commands (`/health`, `/vulnerabilities`, `/test-gaps`, `/quality`, `/dev-report`) use a three-tier fallback:
|
|
317
184
|
|
|
318
|
-
|
|
185
|
+
1. **Check for an existing report** in `.ai/reports/` from today
|
|
186
|
+
2. **Run `vyuh-dxkit <command>`** — deterministic, fast, same output
|
|
187
|
+
3. **Fall back to LLM analysis** only if the CLI isn't available
|
|
319
188
|
|
|
320
|
-
|
|
321
|
-
import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
|
|
322
|
-
import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
|
|
189
|
+
This means slash commands return the same report whether invoked by a human or an agent — and the analysis is reproducible across runs.
|
|
323
190
|
|
|
324
|
-
|
|
325
|
-
const stack = detect('/path/to/project');
|
|
191
|
+
### Init flags
|
|
326
192
|
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
193
|
+
| Flag | Description |
|
|
194
|
+
| ------------ | ----------------------------------------------------- |
|
|
195
|
+
| `--detect` | Auto-detect stack, minimal prompts |
|
|
196
|
+
| `--yes` | Accept all defaults |
|
|
197
|
+
| `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
|
|
198
|
+
| `--full` | Everything: DX + quality + hooks + CI |
|
|
199
|
+
| `--force` | Overwrite existing files (except evolving ones) |
|
|
200
|
+
| `--stealth` | Gitignore generated files (local-only, not committed) |
|
|
201
|
+
| `--name <n>` | Override project name |
|
|
202
|
+
| `--no-scan` | Skip codebase analysis |
|
|
331
203
|
|
|
332
|
-
|
|
333
|
-
|
|
204
|
+
### Stealth mode
|
|
205
|
+
|
|
206
|
+
`--stealth` keeps DXKit local: `.claude/`, `.ai/`, `CLAUDE.md` added to `.gitignore`, only `.githooks/` committed so all devs get the hooks without committing the scaffold.
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## CI + Hooks
|
|
211
|
+
|
|
212
|
+
### Pre-commit (set up automatically by `init --full` or husky)
|
|
213
|
+
|
|
214
|
+
```
|
|
215
|
+
architecture check → validates imports + tool-registry + exclusions rules
|
|
216
|
+
slop check → blocks new console.log, `: any`, debugger, committed temp files
|
|
217
|
+
lint-staged → eslint --fix + prettier --write on changed files
|
|
218
|
+
typecheck → tsc --noEmit
|
|
334
219
|
```
|
|
335
220
|
|
|
336
|
-
|
|
221
|
+
### Pre-push
|
|
337
222
|
|
|
338
|
-
```
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
npx @vyuhlabs/dxkit update # Re-generate (preserves evolved files)
|
|
343
|
-
npx @vyuhlabs/dxkit update --rescan # Re-run codebase analysis
|
|
344
|
-
npx @vyuhlabs/dxkit doctor # Verify setup
|
|
223
|
+
```
|
|
224
|
+
build → ensure dist/ is current
|
|
225
|
+
tests with coverage → vitest run --coverage (or equivalent per language)
|
|
226
|
+
coverage threshold → scripts/check-coverage.sh; fails below configurable threshold
|
|
345
227
|
```
|
|
346
228
|
|
|
347
|
-
###
|
|
229
|
+
### PR CI (`.github/workflows/ci.yml`)
|
|
348
230
|
|
|
349
|
-
|
|
350
|
-
| ------------ | ----------------------------------------- |
|
|
351
|
-
| `--detect` | Auto-detect stack, minimal prompts |
|
|
352
|
-
| `--yes` | Accept all defaults |
|
|
353
|
-
| `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
|
|
354
|
-
| `--full` | Everything: DX + quality + hooks + CI |
|
|
355
|
-
| `--force` | Overwrite existing files (except evolved) |
|
|
356
|
-
| `--name <n>` | Override project name |
|
|
357
|
-
| `--no-scan` | Skip codebase analysis |
|
|
231
|
+
Mirrors pre-push but also runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop. `DXKIT_SLOP_BASE=origin/<base_ref>` flips `check-slop.sh` into diff-vs-base mode.
|
|
358
232
|
|
|
359
|
-
|
|
233
|
+
---
|
|
360
234
|
|
|
361
|
-
|
|
362
|
-
2. `--detect` — auto-detect from filesystem, minimal prompts
|
|
363
|
-
3. Interactive — prompt for all settings
|
|
235
|
+
## Quality Gates for Agent-Written Code
|
|
364
236
|
|
|
365
|
-
|
|
237
|
+
dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
|
|
366
238
|
|
|
367
|
-
|
|
368
|
-
|
|
369
|
-
|
|
370
|
-
|
|
239
|
+
1. **Pre-commit** — fast local checks (architecture, slop, lint, typecheck)
|
|
240
|
+
2. **Pre-push** — thorough local checks (full suite + coverage threshold)
|
|
241
|
+
3. **PR CI** — unbypassable server-side checks (everything above + slop-vs-base + pack-dry)
|
|
242
|
+
4. **Coverage threshold** — enforced at both local and CI tiers; agents can't silently lower it
|
|
371
243
|
|
|
372
|
-
|
|
244
|
+
The same pattern is what dxkit itself uses. See `scripts/check-coverage.sh` + `scripts/check-slop.sh`.
|
|
373
245
|
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
|
|
377
|
-
✓ Tests: mocha (npm test)
|
|
378
|
-
✓ Created: 61 files
|
|
379
|
-
```
|
|
246
|
+
---
|
|
247
|
+
|
|
248
|
+
## Library API
|
|
380
249
|
|
|
381
|
-
|
|
250
|
+
dxkit exports functions for programmatic use by downstream packages (e.g. `@vyuhlabs/create-devstack`):
|
|
382
251
|
|
|
383
|
-
```
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
/dev-report # Team activity report
|
|
389
|
-
/quality # ESLint + AI review
|
|
390
|
-
/onboarding # New developer guide
|
|
391
|
-
```
|
|
252
|
+
```typescript
|
|
253
|
+
import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
|
|
254
|
+
import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
|
|
255
|
+
|
|
256
|
+
const stack = detect('/path/to/project');
|
|
392
257
|
|
|
393
|
-
|
|
258
|
+
if (hasProjectYaml('/path/to/project')) {
|
|
259
|
+
const config = readProjectYaml('/path/to/project');
|
|
260
|
+
}
|
|
394
261
|
|
|
395
|
-
|
|
396
|
-
cd my-monorepo
|
|
397
|
-
npx @vyuhlabs/dxkit init --detect --yes
|
|
262
|
+
const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
|
|
398
263
|
```
|
|
399
264
|
|
|
400
|
-
|
|
265
|
+
The CLI binary (`vyuh-dxkit`) is separate; the library import is for build-time and programmatic consumers.
|
|
401
266
|
|
|
402
|
-
|
|
403
|
-
- Test commands with `npm test` + `pytest` + `go test`
|
|
404
|
-
- Path-scoped rules for `.ts`, `.py`, and `.go` files
|
|
405
|
-
- Language breakdown in codebase skill: "TypeScript: 200, Python: 50, Go: 30"
|
|
267
|
+
---
|
|
406
268
|
|
|
407
|
-
## Two Workflows
|
|
269
|
+
## Two Workflows
|
|
408
270
|
|
|
409
271
|
### Fix Loop: Reports → KPIs → Plans → Execution
|
|
410
272
|
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
```
|
|
414
|
-
# 1. Init DXKit
|
|
273
|
+
```bash
|
|
274
|
+
# 1. Scaffold into an existing repo
|
|
415
275
|
npx @vyuhlabs/dxkit init --detect --yes
|
|
416
276
|
|
|
417
|
-
# 2.
|
|
277
|
+
# 2. Run analyzers (any of these work standalone too)
|
|
418
278
|
/health # Codebase health (6 dimensions)
|
|
419
|
-
/vulnerabilities # Security scan
|
|
279
|
+
/vulnerabilities # Security scan
|
|
420
280
|
/test-gaps # Untested critical code
|
|
421
281
|
|
|
422
282
|
# 3. Generate improvement plans
|
|
423
|
-
/plan #
|
|
283
|
+
/plan # Proposes KPIs + actionable plans
|
|
424
284
|
|
|
425
285
|
# 4. Execute plans with session management
|
|
426
286
|
/execute-plan security # Work through security fixes
|
|
@@ -431,48 +291,102 @@ npx @vyuhlabs/dxkit init --detect --yes
|
|
|
431
291
|
|
|
432
292
|
### Feature Loop: Description → Design → Plan → Build
|
|
433
293
|
|
|
434
|
-
|
|
435
|
-
|
|
436
|
-
```
|
|
437
|
-
# 1. Design a new feature
|
|
294
|
+
```bash
|
|
438
295
|
/feature add user roles with admin, editor, viewer tiers
|
|
439
|
-
|
|
440
296
|
# Agent reads codebase, finds similar patterns, generates:
|
|
441
297
|
# .ai/features/user-roles.md with full implementation plan
|
|
442
298
|
|
|
443
|
-
# 2. Review and adjust the plan (edit the md file if needed)
|
|
444
|
-
|
|
445
|
-
# 3. Build the feature
|
|
446
299
|
/build-feature user-roles
|
|
447
|
-
|
|
448
300
|
# Agent executes tasks: model → migration → repository → service → tests → controller
|
|
449
301
|
# Session checkpoints after each task
|
|
450
|
-
# Progress tracked in .ai/features/progress/user-roles.md
|
|
451
302
|
```
|
|
452
303
|
|
|
453
304
|
Both loops use the session framework — checkpoints, skill evolution, progress tracking.
|
|
454
305
|
|
|
455
|
-
|
|
306
|
+
---
|
|
307
|
+
|
|
308
|
+
## Reports
|
|
309
|
+
|
|
310
|
+
All analyzer commands save timestamped reports to `.ai/reports/`:
|
|
456
311
|
|
|
457
312
|
```
|
|
458
|
-
/
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
#
|
|
462
|
-
|
|
463
|
-
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
/session-end # Checkpoint + evolve skills
|
|
313
|
+
.ai/reports/
|
|
314
|
+
health-audit-<date>.md
|
|
315
|
+
health-audit-<date>-detailed.md # with --detailed
|
|
316
|
+
health-audit-<date>-detailed.json # agent-consumable
|
|
317
|
+
vulnerability-scan-<date>.md
|
|
318
|
+
test-gaps-<date>.md
|
|
319
|
+
quality-review-<date>.md
|
|
320
|
+
developer-report-<date>.md
|
|
467
321
|
```
|
|
468
322
|
|
|
323
|
+
Export options:
|
|
324
|
+
|
|
325
|
+
- **HTML dashboard**: `/dashboard` (Claude Code slash command) — dark-themed sidebar navigation
|
|
326
|
+
- **PDF**: `/export-pdf all` — converts all reports to PDF
|
|
327
|
+
- **Structured JSON**: `--detailed` on any command emits a canonical JSON schema
|
|
328
|
+
|
|
329
|
+
---
|
|
330
|
+
|
|
331
|
+
## Using with create-devstack
|
|
332
|
+
|
|
333
|
+
[`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
|
|
334
|
+
|
|
335
|
+
```bash
|
|
336
|
+
npm create @vyuhlabs/devstack my-project # devcontainer + .project.yaml + dxkit init
|
|
337
|
+
```
|
|
338
|
+
|
|
339
|
+
When create-devstack writes `.project.yaml` before calling dxkit, detection and prompts are skipped.
|
|
340
|
+
|
|
341
|
+
---
|
|
342
|
+
|
|
343
|
+
## Smart Detection
|
|
344
|
+
|
|
345
|
+
- **Test runner** — Jest, Mocha, Vitest, Ava, Tap, pytest, go test
|
|
346
|
+
- **Framework** — LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
|
|
347
|
+
- **Test presence** — counts + classifies (active, commented-out, empty, schema-only)
|
|
348
|
+
- **Multi-language** — detects all languages including Python from `.py` files (no config required)
|
|
349
|
+
- **Language breakdown** — file count per language via `cloc`
|
|
350
|
+
|
|
351
|
+
---
|
|
352
|
+
|
|
353
|
+
## CLI Reference
|
|
354
|
+
|
|
355
|
+
```bash
|
|
356
|
+
# Analyzer commands
|
|
357
|
+
vyuh-dxkit health [path] # 6-dimension score
|
|
358
|
+
vyuh-dxkit vulnerabilities [path] # Security scan
|
|
359
|
+
vyuh-dxkit test-gaps [path] # Coverage + gaps + actions
|
|
360
|
+
vyuh-dxkit quality [path] # Slop + duplication + lint
|
|
361
|
+
vyuh-dxkit dev-report [path] # Git activity report
|
|
362
|
+
|
|
363
|
+
# Tool management
|
|
364
|
+
vyuh-dxkit tools # status
|
|
365
|
+
vyuh-dxkit tools install [--yes] # install missing
|
|
366
|
+
|
|
367
|
+
# Scaffolding
|
|
368
|
+
vyuh-dxkit init [--detect|--yes|--full|--stealth|--force|--name <n>]
|
|
369
|
+
vyuh-dxkit update [--force|--rescan] # re-generate (preserves evolving files)
|
|
370
|
+
vyuh-dxkit doctor # diagnose environment
|
|
371
|
+
|
|
372
|
+
# Meta
|
|
373
|
+
vyuh-dxkit --help
|
|
374
|
+
vyuh-dxkit --version
|
|
375
|
+
```
|
|
376
|
+
|
|
377
|
+
---
|
|
378
|
+
|
|
469
379
|
## How It Works
|
|
470
380
|
|
|
471
|
-
1. **Detection** —
|
|
472
|
-
2. **
|
|
473
|
-
3. **
|
|
474
|
-
4. **
|
|
475
|
-
5. **
|
|
381
|
+
1. **Detection** — scans for config files, source files, and tools to determine languages, frameworks, and test runners
|
|
382
|
+
2. **Tool resolution** — `findTool()` checks PATH → brew → npm-g → pipx → cargo → go → project `node_modules` → system probes (first match wins)
|
|
383
|
+
3. **Gather metrics** — each analyzer calls its registered tools and parses structured output (JSON wherever possible)
|
|
384
|
+
4. **Score** — deterministic formulas map metrics to 0–100 per dimension
|
|
385
|
+
5. **Report** — markdown for humans, JSON for agents
|
|
386
|
+
|
|
387
|
+
No LLM in the analysis path. Scores are reproducible: same repo state → same report.
|
|
388
|
+
|
|
389
|
+
---
|
|
476
390
|
|
|
477
391
|
## License
|
|
478
392
|
|