@vyuhlabs/dxkit 1.5.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (258) hide show
  1. package/CHANGELOG.md +272 -0
  2. package/README.md +272 -358
  3. package/THIRD_PARTY_NOTICES.md +40 -0
  4. package/dist/analyzers/developer/detailed.d.ts +26 -0
  5. package/dist/analyzers/developer/detailed.d.ts.map +1 -0
  6. package/dist/analyzers/developer/detailed.js +193 -0
  7. package/dist/analyzers/developer/detailed.js.map +1 -0
  8. package/dist/analyzers/developer/gather.d.ts +11 -0
  9. package/dist/analyzers/developer/gather.d.ts.map +1 -0
  10. package/dist/analyzers/developer/gather.js +167 -0
  11. package/dist/analyzers/developer/gather.js.map +1 -0
  12. package/dist/analyzers/developer/index.d.ts +8 -0
  13. package/dist/analyzers/developer/index.d.ts.map +1 -0
  14. package/dist/analyzers/developer/index.js +168 -0
  15. package/dist/analyzers/developer/index.js.map +1 -0
  16. package/dist/analyzers/developer/types.d.ts +49 -0
  17. package/dist/analyzers/developer/types.d.ts.map +1 -0
  18. package/dist/analyzers/developer/types.js +6 -0
  19. package/dist/analyzers/developer/types.js.map +1 -0
  20. package/dist/analyzers/docs/shallow.d.ts +9 -0
  21. package/dist/analyzers/docs/shallow.d.ts.map +1 -0
  22. package/dist/analyzers/docs/shallow.js +8 -0
  23. package/dist/analyzers/docs/shallow.js.map +1 -0
  24. package/dist/analyzers/dx/shallow.d.ts +9 -0
  25. package/dist/analyzers/dx/shallow.d.ts.map +1 -0
  26. package/dist/analyzers/dx/shallow.js +8 -0
  27. package/dist/analyzers/dx/shallow.js.map +1 -0
  28. package/dist/analyzers/evidence.d.ts +36 -0
  29. package/dist/analyzers/evidence.d.ts.map +1 -0
  30. package/dist/analyzers/evidence.js +3 -0
  31. package/dist/analyzers/evidence.js.map +1 -0
  32. package/dist/analyzers/health/actions.d.ts +10 -0
  33. package/dist/analyzers/health/actions.d.ts.map +1 -0
  34. package/dist/analyzers/health/actions.js +284 -0
  35. package/dist/analyzers/health/actions.js.map +1 -0
  36. package/dist/analyzers/health/detailed.d.ts +26 -0
  37. package/dist/analyzers/health/detailed.d.ts.map +1 -0
  38. package/dist/analyzers/health/detailed.js +147 -0
  39. package/dist/analyzers/health/detailed.js.map +1 -0
  40. package/dist/analyzers/health.d.ts +22 -0
  41. package/dist/analyzers/health.d.ts.map +1 -0
  42. package/dist/analyzers/health.js +270 -0
  43. package/dist/analyzers/health.js.map +1 -0
  44. package/dist/analyzers/index.d.ts +3 -0
  45. package/dist/analyzers/index.d.ts.map +1 -0
  46. package/dist/analyzers/index.js +6 -0
  47. package/dist/analyzers/index.js.map +1 -0
  48. package/dist/analyzers/maintainability/shallow.d.ts +9 -0
  49. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -0
  50. package/dist/analyzers/maintainability/shallow.js +8 -0
  51. package/dist/analyzers/maintainability/shallow.js.map +1 -0
  52. package/dist/analyzers/quality/actions.d.ts +5 -0
  53. package/dist/analyzers/quality/actions.d.ts.map +1 -0
  54. package/dist/analyzers/quality/actions.js +158 -0
  55. package/dist/analyzers/quality/actions.js.map +1 -0
  56. package/dist/analyzers/quality/detailed.d.ts +17 -0
  57. package/dist/analyzers/quality/detailed.d.ts.map +1 -0
  58. package/dist/analyzers/quality/detailed.js +122 -0
  59. package/dist/analyzers/quality/detailed.js.map +1 -0
  60. package/dist/analyzers/quality/gather.d.ts +38 -0
  61. package/dist/analyzers/quality/gather.d.ts.map +1 -0
  62. package/dist/analyzers/quality/gather.js +279 -0
  63. package/dist/analyzers/quality/gather.js.map +1 -0
  64. package/dist/analyzers/quality/index.d.ts +12 -0
  65. package/dist/analyzers/quality/index.d.ts.map +1 -0
  66. package/dist/analyzers/quality/index.js +281 -0
  67. package/dist/analyzers/quality/index.js.map +1 -0
  68. package/dist/analyzers/quality/shallow.d.ts +9 -0
  69. package/dist/analyzers/quality/shallow.d.ts.map +1 -0
  70. package/dist/analyzers/quality/shallow.js +8 -0
  71. package/dist/analyzers/quality/shallow.js.map +1 -0
  72. package/dist/analyzers/quality/types.d.ts +66 -0
  73. package/dist/analyzers/quality/types.d.ts.map +1 -0
  74. package/dist/analyzers/quality/types.js +3 -0
  75. package/dist/analyzers/quality/types.js.map +1 -0
  76. package/dist/analyzers/remediation.d.ts +42 -0
  77. package/dist/analyzers/remediation.d.ts.map +1 -0
  78. package/dist/analyzers/remediation.js +28 -0
  79. package/dist/analyzers/remediation.js.map +1 -0
  80. package/dist/analyzers/scoring.d.ts +32 -0
  81. package/dist/analyzers/scoring.d.ts.map +1 -0
  82. package/dist/analyzers/scoring.js +410 -0
  83. package/dist/analyzers/scoring.js.map +1 -0
  84. package/dist/analyzers/security/actions.d.ts +7 -0
  85. package/dist/analyzers/security/actions.d.ts.map +1 -0
  86. package/dist/analyzers/security/actions.js +104 -0
  87. package/dist/analyzers/security/actions.js.map +1 -0
  88. package/dist/analyzers/security/detailed.d.ts +14 -0
  89. package/dist/analyzers/security/detailed.d.ts.map +1 -0
  90. package/dist/analyzers/security/detailed.js +124 -0
  91. package/dist/analyzers/security/detailed.js.map +1 -0
  92. package/dist/analyzers/security/gather.d.ts +12 -0
  93. package/dist/analyzers/security/gather.d.ts.map +1 -0
  94. package/dist/analyzers/security/gather.js +195 -0
  95. package/dist/analyzers/security/gather.js.map +1 -0
  96. package/dist/analyzers/security/index.d.ts +8 -0
  97. package/dist/analyzers/security/index.d.ts.map +1 -0
  98. package/dist/analyzers/security/index.js +173 -0
  99. package/dist/analyzers/security/index.js.map +1 -0
  100. package/dist/analyzers/security/scoring.d.ts +29 -0
  101. package/dist/analyzers/security/scoring.d.ts.map +1 -0
  102. package/dist/analyzers/security/scoring.js +40 -0
  103. package/dist/analyzers/security/scoring.js.map +1 -0
  104. package/dist/analyzers/security/shallow.d.ts +10 -0
  105. package/dist/analyzers/security/shallow.d.ts.map +1 -0
  106. package/dist/analyzers/security/shallow.js +8 -0
  107. package/dist/analyzers/security/shallow.js.map +1 -0
  108. package/dist/analyzers/security/types.d.ts +43 -0
  109. package/dist/analyzers/security/types.d.ts.map +1 -0
  110. package/dist/analyzers/security/types.js +6 -0
  111. package/dist/analyzers/security/types.js.map +1 -0
  112. package/dist/analyzers/tests/actions.d.ts +6 -0
  113. package/dist/analyzers/tests/actions.d.ts.map +1 -0
  114. package/dist/analyzers/tests/actions.js +80 -0
  115. package/dist/analyzers/tests/actions.js.map +1 -0
  116. package/dist/analyzers/tests/detailed.d.ts +14 -0
  117. package/dist/analyzers/tests/detailed.d.ts.map +1 -0
  118. package/dist/analyzers/tests/detailed.js +121 -0
  119. package/dist/analyzers/tests/detailed.js.map +1 -0
  120. package/dist/analyzers/tests/gather.d.ts +5 -0
  121. package/dist/analyzers/tests/gather.d.ts.map +1 -0
  122. package/dist/analyzers/tests/gather.js +270 -0
  123. package/dist/analyzers/tests/gather.js.map +1 -0
  124. package/dist/analyzers/tests/import-graph.d.ts +48 -0
  125. package/dist/analyzers/tests/import-graph.d.ts.map +1 -0
  126. package/dist/analyzers/tests/import-graph.js +231 -0
  127. package/dist/analyzers/tests/import-graph.js.map +1 -0
  128. package/dist/analyzers/tests/index.d.ts +8 -0
  129. package/dist/analyzers/tests/index.d.ts.map +1 -0
  130. package/dist/analyzers/tests/index.js +247 -0
  131. package/dist/analyzers/tests/index.js.map +1 -0
  132. package/dist/analyzers/tests/scoring.d.ts +27 -0
  133. package/dist/analyzers/tests/scoring.d.ts.map +1 -0
  134. package/dist/analyzers/tests/scoring.js +38 -0
  135. package/dist/analyzers/tests/scoring.js.map +1 -0
  136. package/dist/analyzers/tests/shallow.d.ts +9 -0
  137. package/dist/analyzers/tests/shallow.d.ts.map +1 -0
  138. package/dist/analyzers/tests/shallow.js +8 -0
  139. package/dist/analyzers/tests/shallow.js.map +1 -0
  140. package/dist/analyzers/tests/types.d.ts +49 -0
  141. package/dist/analyzers/tests/types.d.ts.map +1 -0
  142. package/dist/analyzers/tests/types.js +6 -0
  143. package/dist/analyzers/tests/types.js.map +1 -0
  144. package/dist/analyzers/tools/cloc.d.ts +8 -0
  145. package/dist/analyzers/tools/cloc.d.ts.map +1 -0
  146. package/dist/analyzers/tools/cloc.js +49 -0
  147. package/dist/analyzers/tools/cloc.js.map +1 -0
  148. package/dist/analyzers/tools/coverage.d.ts +59 -0
  149. package/dist/analyzers/tools/coverage.d.ts.map +1 -0
  150. package/dist/analyzers/tools/coverage.js +280 -0
  151. package/dist/analyzers/tools/coverage.js.map +1 -0
  152. package/dist/analyzers/tools/cvss-v4-lookup.d.ts +10 -0
  153. package/dist/analyzers/tools/cvss-v4-lookup.d.ts.map +1 -0
  154. package/dist/analyzers/tools/cvss-v4-lookup.js +284 -0
  155. package/dist/analyzers/tools/cvss-v4-lookup.js.map +1 -0
  156. package/dist/analyzers/tools/cvss-v4.d.ts +24 -0
  157. package/dist/analyzers/tools/cvss-v4.d.ts.map +1 -0
  158. package/dist/analyzers/tools/cvss-v4.js +362 -0
  159. package/dist/analyzers/tools/cvss-v4.js.map +1 -0
  160. package/dist/analyzers/tools/default-exclusions.gitignore +56 -0
  161. package/dist/analyzers/tools/exclusions.d.ts +70 -0
  162. package/dist/analyzers/tools/exclusions.d.ts.map +1 -0
  163. package/dist/analyzers/tools/exclusions.js +250 -0
  164. package/dist/analyzers/tools/exclusions.js.map +1 -0
  165. package/dist/analyzers/tools/generic.d.ts +4 -0
  166. package/dist/analyzers/tools/generic.d.ts.map +1 -0
  167. package/dist/analyzers/tools/generic.js +198 -0
  168. package/dist/analyzers/tools/generic.js.map +1 -0
  169. package/dist/analyzers/tools/gitleaks.d.ts +8 -0
  170. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -0
  171. package/dist/analyzers/tools/gitleaks.js +58 -0
  172. package/dist/analyzers/tools/gitleaks.js.map +1 -0
  173. package/dist/analyzers/tools/graphify.d.ts +4 -0
  174. package/dist/analyzers/tools/graphify.d.ts.map +1 -0
  175. package/dist/analyzers/tools/graphify.js +222 -0
  176. package/dist/analyzers/tools/graphify.js.map +1 -0
  177. package/dist/analyzers/tools/osv.d.ts +51 -0
  178. package/dist/analyzers/tools/osv.d.ts.map +1 -0
  179. package/dist/analyzers/tools/osv.js +188 -0
  180. package/dist/analyzers/tools/osv.js.map +1 -0
  181. package/dist/analyzers/tools/parallel.d.ts +8 -0
  182. package/dist/analyzers/tools/parallel.d.ts.map +1 -0
  183. package/dist/analyzers/tools/parallel.js +195 -0
  184. package/dist/analyzers/tools/parallel.js.map +1 -0
  185. package/dist/analyzers/tools/runner.d.ts +13 -0
  186. package/dist/analyzers/tools/runner.d.ts.map +1 -0
  187. package/dist/analyzers/tools/runner.js +109 -0
  188. package/dist/analyzers/tools/runner.js.map +1 -0
  189. package/dist/analyzers/tools/suppressions.d.ts +55 -0
  190. package/dist/analyzers/tools/suppressions.d.ts.map +1 -0
  191. package/dist/analyzers/tools/suppressions.js +203 -0
  192. package/dist/analyzers/tools/suppressions.js.map +1 -0
  193. package/dist/analyzers/tools/timing.d.ts +9 -0
  194. package/dist/analyzers/tools/timing.d.ts.map +1 -0
  195. package/dist/analyzers/tools/timing.js +29 -0
  196. package/dist/analyzers/tools/timing.js.map +1 -0
  197. package/dist/analyzers/tools/tool-registry.d.ts +86 -0
  198. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -0
  199. package/dist/analyzers/tools/tool-registry.js +705 -0
  200. package/dist/analyzers/tools/tool-registry.js.map +1 -0
  201. package/dist/analyzers/types.d.ts +125 -0
  202. package/dist/analyzers/types.d.ts.map +1 -0
  203. package/dist/analyzers/types.js +11 -0
  204. package/dist/analyzers/types.js.map +1 -0
  205. package/dist/cli.d.ts.map +1 -1
  206. package/dist/cli.js +462 -0
  207. package/dist/cli.js.map +1 -1
  208. package/dist/detect.d.ts.map +1 -1
  209. package/dist/detect.js +24 -15
  210. package/dist/detect.js.map +1 -1
  211. package/dist/languages/csharp.d.ts +5 -0
  212. package/dist/languages/csharp.d.ts.map +1 -0
  213. package/dist/languages/csharp.js +265 -0
  214. package/dist/languages/csharp.js.map +1 -0
  215. package/dist/languages/go.d.ts +11 -0
  216. package/dist/languages/go.d.ts.map +1 -0
  217. package/dist/languages/go.js +321 -0
  218. package/dist/languages/go.js.map +1 -0
  219. package/dist/languages/index.d.ts +6 -0
  220. package/dist/languages/index.d.ts.map +1 -0
  221. package/dist/languages/index.js +18 -0
  222. package/dist/languages/index.js.map +1 -0
  223. package/dist/languages/python.d.ts +3 -0
  224. package/dist/languages/python.d.ts.map +1 -0
  225. package/dist/languages/python.js +284 -0
  226. package/dist/languages/python.js.map +1 -0
  227. package/dist/languages/rust.d.ts +17 -0
  228. package/dist/languages/rust.d.ts.map +1 -0
  229. package/dist/languages/rust.js +333 -0
  230. package/dist/languages/rust.js.map +1 -0
  231. package/dist/languages/types.d.ts +38 -0
  232. package/dist/languages/types.d.ts.map +1 -0
  233. package/dist/languages/types.js +3 -0
  234. package/dist/languages/types.js.map +1 -0
  235. package/dist/languages/typescript.d.ts +15 -0
  236. package/dist/languages/typescript.d.ts.map +1 -0
  237. package/dist/languages/typescript.js +353 -0
  238. package/dist/languages/typescript.js.map +1 -0
  239. package/dist/logger.d.ts +1 -0
  240. package/dist/logger.d.ts.map +1 -1
  241. package/dist/logger.js +25 -12
  242. package/dist/logger.js.map +1 -1
  243. package/dist/project-yaml.d.ts.map +1 -1
  244. package/dist/project-yaml.js +1 -0
  245. package/dist/project-yaml.js.map +1 -1
  246. package/dist/tools-cli.d.ts +2 -0
  247. package/dist/tools-cli.d.ts.map +1 -0
  248. package/dist/tools-cli.js +231 -0
  249. package/dist/tools-cli.js.map +1 -0
  250. package/dist/types.d.ts +10 -0
  251. package/dist/types.d.ts.map +1 -1
  252. package/package.json +6 -2
  253. package/templates/.claude/commands/dev-report.md +34 -4
  254. package/templates/.claude/commands/health.md +45 -2
  255. package/templates/.claude/commands/quality.md.template +38 -15
  256. package/templates/.claude/commands/test-gaps.md +36 -2
  257. package/templates/.claude/commands/vulnerabilities.md +36 -2
  258. package/templates/.project/scripts/setup/interactive-setup.sh +6 -2
package/README.md CHANGED
@@ -1,426 +1,286 @@
1
1
  # @vyuhlabs/dxkit
2
2
 
3
- AI-native developer experience toolkit for any repository. Adds Claude Code agents, skills, commands, and quality hooks to existing projects in seconds.
3
+ AI-native analyzer and scaffolder for any repository. Two modes in one CLI:
4
+
5
+ 1. **Analyze** any repo deterministically — health, security, test gaps, code quality, developer activity — in seconds, no LLM required.
6
+ 2. **Scaffold** `.claude/` agents, skills, commands, and hooks tuned to your stack.
7
+
8
+ Built so agent-written code has deterministic guardrails before it ships. Scores don't move just because an LLM had a different mood today.
4
9
 
5
10
  ## Quick Start
6
11
 
12
+ **Analyze an existing repo:**
13
+
7
14
  ```bash
8
- # Auto-detect your stack and set up everything
9
- npx @vyuhlabs/dxkit init --detect
15
+ cd your-repo
16
+ npx @vyuhlabs/dxkit tools install --yes # one-time: install cloc, gitleaks, etc.
17
+ npx @vyuhlabs/dxkit health --detailed # 5-dimension score + remediation plan
18
+ npx @vyuhlabs/dxkit vulnerabilities # secret + SAST + dep-audit scan
19
+ npx @vyuhlabs/dxkit test-gaps # import-graph + coverage-aware
20
+ ```
10
21
 
11
- # Interactive mode (prompts for config)
12
- npx @vyuhlabs/dxkit init
22
+ **Scaffold AI tooling into a repo:**
13
23
 
14
- # Full mode (DX + quality + hooks + CI)
15
- npx @vyuhlabs/dxkit init --full --yes
24
+ ```bash
25
+ npx @vyuhlabs/dxkit init --detect # auto-detect stack, minimal prompts
26
+ npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks + CI
16
27
  ```
17
28
 
18
- ## What It Does
29
+ The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
19
30
 
20
- Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with:
31
+ ---
21
32
 
22
- ```
23
- .claude/
24
- settings.json # Permissions, deny list, learning hooks
25
- agents/ # Active agents (auto-trigger on matching questions)
26
- knowledge-bot.md # Answers codebase questions
27
- onboarding.md # Interactive onboarding buddy
28
- quality-reviewer.md # Reviews code before committing
29
- doc-writer.md # Audits and writes documentation
30
- agents-available/ # Dormant agents (activate with /enable-agent)
31
- codebase-explorer.md # Deep architecture analysis
32
- code-reviewer.md # PR review and security audit
33
- test-writer.md # Writes tests for existing code
34
- test-gap-finder.md # Identifies untested critical code
35
- dependency-mapper.md # Maps import chains and blast radius
36
- health-auditor.md # 6-dimension codebase health audit
37
- vulnerability-scanner.md # CWE-classified security scan (Snyk-comparable)
38
- dev-report.md # Developer activity + quality attribution
39
- dashboard-builder.md # HTML dashboard from all reports
40
- hooks-configurator.md # Git hooks from DXKit commands
41
- debugger.md # Root cause analysis
42
- commands/ # 26 slash commands (see below)
43
- skills/ # Domain knowledge
44
- codebase/ # Auto-generated architecture overview
45
- learned/ # Evolving gotchas, conventions, deny list
46
- rules/ # Path-scoped rules (per language + framework)
47
- CLAUDE.md # Main context file for Claude Code
48
- .ai/
49
- sessions/ # Session checkpoints
50
- reports/ # Generated reports (health, vulnerabilities, etc.)
51
- .github/
52
- workflows/
53
- pr-review.yml # Automated PR review (opt-in)
54
- ```
33
+ ## Analyzer CLI (`vyuh-dxkit <command>`)
55
34
 
56
- ## Supported Languages
35
+ Five deterministic analyzers. Each emits a markdown report to `.ai/reports/` and optional structured JSON.
57
36
 
58
- | Language | Detection | Linters | Test Runner |
59
- | -------------------- | ------------------------------------ | --------------------- | --------------------------------------------- |
60
- | Node.js / TypeScript | `package.json` | ESLint, Prettier, tsc | Auto-detected (Jest, Mocha, Vitest, Ava, Tap) |
61
- | Python | `pyproject.toml`, `setup.py`, `*.py` | ruff, mypy | pytest |
62
- | Go | `go.mod` | golangci-lint, go vet | go test |
63
- | C# | `*.csproj`, `*.sln` | dotnet format, Roslyn | dotnet test |
64
- | Rust | `Cargo.toml` | clippy, rustfmt | cargo test |
37
+ | Command | What it does | Runtime | Output |
38
+ | ----------------- | --------------------------------------------------------------- | ------- | ------------------------------------------ |
39
+ | `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.ai/reports/health-audit-<date>.md` |
40
+ | `vulnerabilities` | gitleaks + semgrep + `npm audit` / `pip-audit` | 5–30s | `.ai/reports/vulnerability-scan-<date>.md` |
41
+ | `test-gaps` | Coverage artifact → import-graph filename (strongest wins) | <1s | `.ai/reports/test-gaps-<date>.md` |
42
+ | `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.ai/reports/quality-review-<date>.md` |
43
+ | `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.ai/reports/developer-report-<date>.md` |
65
44
 
66
- Multi-language repos fully supported detects and generates rules/commands for all languages present.
45
+ ### Flags (apply to all analyzer commands)
67
46
 
68
- ## Supported Frameworks
47
+ | Flag | Effect |
48
+ | ---------------- | ------------------------------------------------------------------------------------- |
49
+ | `--detailed` | Also writes `<name>-detailed.md` + `.json` with evidence + ranked remediation actions |
50
+ | `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
51
+ | `--verbose` | Print per-tool timing to stderr |
52
+ | `--no-save` | Skip writing markdown; useful with `--json` |
53
+ | `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
69
54
 
70
- Auto-detected with framework-specific path-scoped rules:
55
+ ### Detailed mode evidence + ranked fixes
71
56
 
72
- - **LoopBack** Controller/model/repository patterns, decorator conventions
73
- - **Express** — Middleware/routing conventions, error handling patterns
74
- - **NestJS**, **Fastify**, **Koa**, **Hapi** — Detected (rules coming soon)
75
- - **FastAPI**, **Django**, **Flask** — Detected (rules coming soon)
76
- - **Gin**, **Echo**, **Fiber** — Detected (rules coming soon)
57
+ `--detailed` writes a second pair of files with:
77
58
 
78
- ## Supported Tools
79
-
80
- Auto-detected and integrated when present:
81
-
82
- - **Google Cloud** (gcloud) — SDK commands, security rules
83
- - **Infisical** — Secrets management, never-leak rules
84
- - **Pulumi** — IaC with preview-before-apply safety
85
- - **Docker** — Container commands
86
-
87
- ## Commands (30)
88
-
89
- ### Development Workflow
90
-
91
- | Command | Description |
92
- | ----------------- | --------------------------------------------------- |
93
- | `/session-start` | Start an AI-assisted dev session |
94
- | `/session-end` | End session, create checkpoint, evolve skills |
95
- | `/ask <question>` | Ask about the codebase (delegates to knowledge-bot) |
96
- | `/learn` | Capture a gotcha, convention, or thing to avoid |
97
-
98
- ### Quality & Testing
99
-
100
- | Command | Description |
101
- | ------------ | -------------------------------------------------------- |
102
- | `/quality` | Run language-specific linters + AI review |
103
- | `/test` | Run tests (auto-detected runner) |
104
- | `/check` | Full pre-commit validation (quality + tests + AI review) |
105
- | `/fix` | Auto-fix formatting and lint issues |
106
- | `/build` | Build the project |
107
- | `/test-gaps` | Find critical untested code paths |
108
-
109
- ### Analysis & Reports
110
-
111
- | Command | Description | Output |
112
- | ------------------ | ---------------------------------------------- | ------------------------------------- |
113
- | `/health` | 6-dimension codebase health audit | `.ai/reports/health-audit-*.md` |
114
- | `/vulnerabilities` | CWE-classified security scan (Snyk-comparable) | `.ai/reports/vulnerability-scan-*.md` |
115
- | `/dev-report` | Developer activity + security attribution | `.ai/reports/developer-report-*.md` |
116
- | `/docs audit` | Documentation gap analysis | `.ai/reports/docs-audit-*.md` |
117
- | `/deps` | Dependency map + blast radius | `.ai/reports/dependency-map-*.md` |
118
- | `/dashboard` | Generate HTML dashboard from all reports | `.ai/reports/dashboard.html` |
119
- | `/export-pdf` | Convert markdown reports to PDF | `.ai/reports/*.pdf` |
120
-
121
- ### Planning & Execution — Fix Loop
122
-
123
- | Command | Description | Output |
124
- | ---------------------- | ----------------------------------------------------------- | -------------------------------------- |
125
- | `/plan` | Analyze reports → propose KPIs → generate improvement plans | `.ai/plans/` |
126
- | `/execute-plan <name>` | Execute a fix plan task by task with session checkpoints | `.ai/plans/progress/`, `.ai/sessions/` |
127
-
128
- ### Feature Development Loop
129
-
130
- | Command | Description | Output |
131
- | ------------------------ | -------------------------------------------------- | ----------------------------------------- |
132
- | `/feature <description>` | Design new feature → implementation plan | `.ai/features/` |
133
- | `/build-feature <slug>` | Build feature from plan with tests and conventions | `.ai/features/progress/`, `.ai/sessions/` |
134
-
135
- ### Exploration & Onboarding
136
-
137
- | Command | Description |
138
- | ------------------- | ----------------------------------------------- |
139
- | `/onboarding` | Interactive onboarding buddy for new developers |
140
- | `/explore-codebase` | Deep architecture exploration |
141
- | `/help` | List all commands and agents |
142
-
143
- ### Setup & Hooks
144
-
145
- | Command | Description |
146
- | ---------------------- | ---------------------------------------------------------------------------------- |
147
- | `/setup-hooks` | Configure git hooks (quality, test, vulnerability) — consistent with DXKit reports |
148
- | `/stealth-mode` | Gitignore DXKit files + install hooks (DXKit local-only, hooks for all devs) |
149
- | `/setup-pr-review` | Set up automated PR review GitHub Action |
150
- | `/fix-issue <number>` | Investigate and fix a GitHub issue |
151
- | `/doctor` | Diagnose environment issues |
152
- | `/enable-agent <name>` | Activate a dormant agent |
153
-
154
- ## Agents
155
-
156
- ### Active by Default (4)
157
-
158
- These agents auto-trigger when Claude detects a matching question:
159
-
160
- - **knowledge-bot** — "How does auth work?" "Where are payments handled?"
161
- - **onboarding** — "I'm new, help me get started" "What does this project do?"
162
- - **quality-reviewer** — "Review my changes" "Check quality before I commit"
163
- - **doc-writer** — "What needs documentation?" "Help me write docs"
59
+ - **Per-dimension plans** with a prioritized fix list
60
+ - **Evidence** for every finding (file, line, rule ID, tool, snippet)
61
+ - **Projected score delta** for each remediation action — so you know which fix moves the needle most
62
+ - **Canonical JSON** (`schemaVersion`) that agents or dashboards can consume
164
63
 
165
- ### Dormant (16) activate with `/enable-agent`
166
-
167
- - **codebase-explorer** — Deep architecture analysis, generates documentation
168
- - **code-reviewer** — PR review and security audit (read-only)
169
- - **test-writer** — Writes tests for existing code
170
- - **test-gap-finder** — Identifies critical untested code paths, prioritized by risk
171
- - **dependency-mapper** — Maps import chains and blast radius of changes
172
- - **health-auditor** — Comprehensive codebase health audit (scores 6 dimensions)
173
- - **vulnerability-scanner** — CWE-classified security scan with Snyk-comparable depth
174
- - **dev-report** — Developer activity, quality patterns, security attribution
175
- - **dashboard-builder** — Generates HTML dashboard from all reports
176
- - **strategic-planner** — Analyzes reports, proposes KPIs, generates improvement plans
177
- - **plan-executor** — Executes fix plans task by task with session checkpoints
178
- - **feature-planner** — Designs new features, generates implementation plans
179
- - **feature-builder** — Implements features from plans with tests and conventions
180
- - **hooks-configurator** — Configures scoped git hooks from DXKit commands
181
- - **debugger** — Systematic root cause analysis
64
+ ### Signal precedence (for `test-gaps` and the Testing dimension in `health`)
182
65
 
183
- ## Reports
66
+ Three signals, strongest wins for files it covers:
184
67
 
185
- All analysis commands save timestamped reports to `.ai/reports/`:
68
+ 1. **Coverage artifact** Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust). If the tool measured a file, that decision is authoritative.
69
+ 2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
70
+ 3. **Filename match** — last-resort basename similarity.
186
71
 
187
- ```bash
188
- .ai/reports/
189
- health-audit-2026-03-30.md # Scores: tests, quality, docs, security, DX
190
- vulnerability-scan-2026-03-30.md # CVEs, hardcoded secrets, dependency risks
191
- developer-report-2026-03-30.md # Team activity, ownership, security attribution
192
- test-gaps-2026-03-30.md # Critical untested code, prioritized by risk
193
- docs-audit-2026-03-30.md # Documentation gaps and recommendations
194
- dependency-map-2026-03-30.md # Import chains, most-depended-on files
195
- ```
72
+ A file counts as "tested" when the strongest available signal says so.
196
73
 
197
- Export options:
74
+ ---
198
75
 
199
- - **HTML dashboard**: `/dashboard` — beautiful dark-themed dashboard with sidebar navigation
200
- - **PDF**: `/export-pdf all` — converts all reports to PDF
76
+ ## Tool Registry
201
77
 
202
- ## Learning System
78
+ Analyzers delegate to established tools instead of reinventing them. `vyuh-dxkit tools` manages detection and installation across multiple methods (PATH, brew, npm-g, pipx, cargo, go, project `node_modules`, system probes).
203
79
 
204
- DXKit includes a continuous learning system that improves over time:
80
+ ```bash
81
+ vyuh-dxkit tools # list tool status for the detected stack
82
+ vyuh-dxkit tools install --yes # install all missing tools
83
+ vyuh-dxkit tools install # interactive: prompts per tool
84
+ ```
205
85
 
206
- 1. **Stop Hook** — After each conversation, Claude is reminded to capture learnings
207
- 2. **`/learn` command** — Explicitly save gotchas, conventions, or things to avoid
208
- 3. **`/session-end`** — Creates checkpoint and evolves skill files
209
- 4. **Evolving files** — Append-only, never overwritten even with `--force`:
210
- - `.claude/skills/learned/references/gotchas.md`
211
- - `.claude/skills/learned/references/conventions.md`
212
- - `.claude/skills/learned/references/deny-recommendations.md`
86
+ ### Tools integrated
213
87
 
214
- ## PR Review Automation
88
+ | Layer | Tools |
89
+ | --------- | -------------------------------------------------------- |
90
+ | Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
91
+ | Node / TS | `eslint`, `npm audit`, `@vitest/coverage-v8` |
92
+ | Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
93
+ | Go | `golangci-lint`, `govulncheck` |
94
+ | Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
95
+ | C# | `dotnet-format` (via SDK) |
215
96
 
216
- DXKit generates a GitHub Action that automatically reviews PRs using Claude Code:
97
+ Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
217
98
 
218
- 1. Set `ENABLE_AI_REVIEW=true` as a GitHub Actions variable
219
- 2. Add `ANTHROPIC_API_KEY` to repo secrets
99
+ ---
220
100
 
221
- Reviews appear as PR comments with issues rated as critical/warning/suggestion.
101
+ ## Config Files
222
102
 
223
- ## Git Hooks (Consistent with Reports)
103
+ ### `.dxkit-ignore`
224
104
 
225
- `/setup-hooks` configures git hooks that run the **exact same tools** as your DXKit reports:
105
+ Plain-text `.gitignore`-style file. Lines here are added to the analyzer's exclusion set on top of the bundled defaults and project `.gitignore`.
226
106
 
227
107
  ```
228
- commit → pre-commit → lint staged files only (fast, ~5s)
229
- push → pre-push → test affected areas only (medium, ~30s)
230
- PR → CI workflow → full quality + tests + security (thorough, ~3m)
108
+ # .dxkit-ignore override project exclusions for dxkit analyzers
109
+ vendor-bundle/
110
+ *.gen.ts
231
111
  ```
232
112
 
233
- - User chooses which checks to enable: quality, test, vulnerability
234
- - Hooks read from your `/quality`, `/test`, `/vulnerabilities` commands — no hardcoded tools
235
- - Supports scoped testing: Jest `--changedSince`, Vitest `--changed`, pytest `--testmon`
236
- - Works for all devs (plain bash, no Claude Code needed at runtime)
113
+ Three layers merge: bundled defaults repo `.gitignore` repo `.dxkit-ignore`.
237
114
 
238
- ### Stealth Mode
115
+ ### `.dxkit-suppressions.json`
239
116
 
240
- `/stealth-mode` keeps DXKit local-only:
117
+ Silence known-false positives without touching code. Currently wired to `gitleaks` (semgrep + slop-hook wiring in progress).
241
118
 
242
- - `.claude/`, `.ai/`, `CLAUDE.md` gitignored — not committed
243
- - `.githooks/` committed — all devs get the hooks
244
- - One-time setup: `git config core.hooksPath .githooks`
119
+ ```json
120
+ {
121
+ "gitleaks": [
122
+ {
123
+ "rule": "generic-api-key",
124
+ "paths": ["test/fixtures/**", "**/*.test.ts"],
125
+ "reason": "Fake keys in test fixtures"
126
+ }
127
+ ]
128
+ }
129
+ ```
245
130
 
246
- ## Vulnerability Scanner (Snyk-Comparable)
131
+ A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`.
247
132
 
248
- The `/vulnerabilities` command runs a comprehensive security scan with CWE classification:
133
+ ### `.project.yaml` (optional, for scaffolding)
249
134
 
250
- | Category | CWE | What It Checks |
251
- | ------------------------ | -------- | -------------------------------------------------------- |
252
- | Command Injection | CWE-78 | `exec()`, `child_process`, unsanitized input |
253
- | Decompression Bomb | CWE-409 | zlib/tar/decompress without size limits |
254
- | Uncontrolled Recursion | CWE-674 | JSON/XML/YAML parsers without depth limits |
255
- | Arbitrary File Upload | CWE-434 | multer/formidable/busboy without validation |
256
- | Buffer Overflow | CWE-120 | Native modules (binding.gyp, .node files) |
257
- | Resource Exhaustion | CWE-770 | Missing rate limits, body size limits, WebSocket payload |
258
- | Hardcoded Secrets | CWE-798 | Passwords, API keys, tokens in source |
259
- | Prototype Pollution | CWE-1321 | Via dependency audit CWE extraction |
260
- | + 15 more CWE categories | | Parsed from `npm audit --json` CWE fields |
135
+ When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` reads it as the config source — skipping detection and prompts. See [Scaffolding mode](#scaffolding-mode) below.
261
136
 
262
- Reports include a **Findings by CWE Category** table for direct comparison with Snyk/Sonar output.
137
+ ---
263
138
 
264
- ## Smart Detection
139
+ ## Language Support
265
140
 
266
- - **Test runner** Detects Jest, Mocha, Vitest, Ava, Tap, pytest, go test from scripts and dependencies
267
- - **Framework** — Detects LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
268
- - **Test presence** — Counts test files vs source files, warns about minimal coverage
269
- - **Multi-language** — Detects all languages including Python from `.py` files (no config file required)
270
- - **Language breakdown** — Shows file count per language in codebase skill for accurate analysis
141
+ Each language is a single `LanguageSupport` implementation in `src/languages/`. Adding a new language is one file — detection, tools, coverage parsing, import extraction, and lint severity mapping in one place.
271
142
 
272
- ## Using with create-devstack
143
+ | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
144
+ | -------- | ------------------------------------ | ------------------- | --------------------------- | ----------------------------------- | ---------------------- | ----------------------------------- |
145
+ | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
146
+ | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
147
+ | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
148
+ | Rust | `Cargo.toml` | ✅ lcov + cobertura | ✅ use statements | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
149
+ | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ✅ using declarations | dotnet-format | — (formatter) | ✅ dotnet list --vulnerable |
273
150
 
274
- [`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
151
+ ✅ full support. Multi-language repos fully supported — every detected language's tools run, and `depVuln*` counts aggregate across all language packs (pip-audit findings don't silently replace npm-audit ones).
275
152
 
276
- When `create-devstack` writes a `.project.yaml` before calling `dxkit init`, dxkit reads it as the config source skipping detection and prompts. This enables greenfield projects where no language files exist yet:
153
+ **Severity enrichment.** Scanners that don't publish per-finding severity (pip-audit, govulncheck) are enriched via the OSV.dev API. DXKit ships a complete CVSS v4.0 base-score calculator (macrovector lookup + severity-distance refinement, ported from [FIRST's reference implementation](https://github.com/FIRSTdotorg/cvss-v4-calculator)) since modern CVEs (2025+) increasingly publish v4 vectors exclusively. Unreachable IDs keep the scanner's legacy default bucket the analyzer never fails because OSV was slow.
277
154
 
278
- ```bash
279
- # create-devstack writes .project.yaml + .devcontainer/, then calls dxkit
280
- npm create @vyuhlabs/devstack my-project
155
+ **Lint severity tiering.** Every lint finding is categorized into critical/high/medium/low by rule ID, linter name, or lint group. For backward compatibility, `gatherMetrics` collapses tiers to the existing `lintErrors` (critical + high) / `lintWarnings` (medium + low) fields, so scoring behavior is preserved. The tiered data is available for future analyzers that want finer granularity.
281
156
 
282
- # Or manually: write .project.yaml first, then run dxkit
283
- npx @vyuhlabs/dxkit init --full
284
- # dxkit reads .project.yaml, generates Makefile, configs, CI, .claude/
285
- ```
157
+ ---
158
+
159
+ ## Scaffolding Mode
160
+
161
+ Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with 4 active + 17 opt-in agents, 30 slash commands, skills, path-scoped rules, and hooks.
286
162
 
287
- ### .project.yaml schema
288
-
289
- ```yaml
290
- project:
291
- name: my-project
292
- description: A web API
293
- languages:
294
- python:
295
- enabled: true
296
- version: '3.12'
297
- quality:
298
- coverage: 80
299
- lint: true
300
- go:
301
- enabled: true
302
- version: '1.24.0'
303
- infrastructure:
304
- postgres:
305
- enabled: true
306
- version: '16'
307
- tools:
308
- claude_code: true
309
- precommit: true
310
- docker: true
311
- gcloud: false
163
+ ```
164
+ .claude/
165
+ settings.json # Permissions, deny list, learning hooks
166
+ agents/ # Active agents (auto-trigger on matching questions)
167
+ knowledge-bot.md # Answers codebase questions
168
+ onboarding.md # Interactive onboarding buddy
169
+ quality-reviewer.md # Reviews code before committing
170
+ doc-writer.md # Audits and writes documentation
171
+ agents-available/ # 17 dormant agents (activate with /enable-agent)
172
+ commands/ # 30 slash commands
173
+ skills/ # Domain knowledge
174
+ rules/ # Path-scoped rules (per language + framework)
175
+ CLAUDE.md # Main context file for Claude Code
176
+ .ai/
177
+ sessions/ # Session checkpoints
178
+ reports/ # Generated reports (health, vulnerabilities, etc.)
312
179
  ```
313
180
 
314
- When `.project.yaml` is present, dxkit uses it to determine which languages, tools, and quality settings to generate. When absent, dxkit falls back to filesystem detection + interactive prompts as before.
181
+ ### Slash commands native CLI delegation
315
182
 
316
- ## Library API
183
+ The scaffolded slash commands (`/health`, `/vulnerabilities`, `/test-gaps`, `/quality`, `/dev-report`) use a three-tier fallback:
317
184
 
318
- dxkit exports functions for programmatic use by other packages:
185
+ 1. **Check for an existing report** in `.ai/reports/` from today
186
+ 2. **Run `vyuh-dxkit <command>`** — deterministic, fast, same output
187
+ 3. **Fall back to LLM analysis** only if the CLI isn't available
319
188
 
320
- ```typescript
321
- import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
322
- import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
189
+ This means slash commands return the same report whether invoked by a human or an agent — and the analysis is reproducible across runs.
323
190
 
324
- // Detect stack from filesystem
325
- const stack = detect('/path/to/project');
191
+ ### Init flags
326
192
 
327
- // Read .project.yaml as ResolvedConfig
328
- if (hasProjectYaml('/path/to/project')) {
329
- const config = readProjectYaml('/path/to/project');
330
- }
193
+ | Flag | Description |
194
+ | ------------ | ----------------------------------------------------- |
195
+ | `--detect` | Auto-detect stack, minimal prompts |
196
+ | `--yes` | Accept all defaults |
197
+ | `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
198
+ | `--full` | Everything: DX + quality + hooks + CI |
199
+ | `--force` | Overwrite existing files (except evolving ones) |
200
+ | `--stealth` | Gitignore generated files (local-only, not committed) |
201
+ | `--name <n>` | Override project name |
202
+ | `--no-scan` | Skip codebase analysis |
331
203
 
332
- // Process templates
333
- const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
204
+ ### Stealth mode
205
+
206
+ `--stealth` keeps DXKit local: `.claude/`, `.ai/`, `CLAUDE.md` added to `.gitignore`, only `.githooks/` committed so all devs get the hooks without committing the scaffold.
207
+
208
+ ---
209
+
210
+ ## CI + Hooks
211
+
212
+ ### Pre-commit (set up automatically by `init --full` or husky)
213
+
214
+ ```
215
+ architecture check → validates imports + tool-registry + exclusions rules
216
+ slop check → blocks new console.log, `: any`, debugger, committed temp files
217
+ lint-staged → eslint --fix + prettier --write on changed files
218
+ typecheck → tsc --noEmit
334
219
  ```
335
220
 
336
- ## CLI Reference
221
+ ### Pre-push
337
222
 
338
- ```bash
339
- npx @vyuhlabs/dxkit init --detect # Auto-detect, minimal prompts
340
- npx @vyuhlabs/dxkit init # Interactive
341
- npx @vyuhlabs/dxkit init --full --yes # Everything, no prompts
342
- npx @vyuhlabs/dxkit update # Re-generate (preserves evolved files)
343
- npx @vyuhlabs/dxkit update --rescan # Re-run codebase analysis
344
- npx @vyuhlabs/dxkit doctor # Verify setup
223
+ ```
224
+ build → ensure dist/ is current
225
+ tests with coverage → vitest run --coverage (or equivalent per language)
226
+ coverage threshold → scripts/check-coverage.sh; fails below configurable threshold
345
227
  ```
346
228
 
347
- ### Init Options
229
+ ### PR CI (`.github/workflows/ci.yml`)
348
230
 
349
- | Flag | Description |
350
- | ------------ | ----------------------------------------- |
351
- | `--detect` | Auto-detect stack, minimal prompts |
352
- | `--yes` | Accept all defaults |
353
- | `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
354
- | `--full` | Everything: DX + quality + hooks + CI |
355
- | `--force` | Overwrite existing files (except evolved) |
356
- | `--name <n>` | Override project name |
357
- | `--no-scan` | Skip codebase analysis |
231
+ Mirrors pre-push but also runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop. `DXKIT_SLOP_BASE=origin/<base_ref>` flips `check-slop.sh` into diff-vs-base mode.
358
232
 
359
- ### Config Source Priority
233
+ ---
360
234
 
361
- 1. `.project.yaml` (if present) — used as-is, no prompts
362
- 2. `--detect` — auto-detect from filesystem, minimal prompts
363
- 3. Interactive — prompt for all settings
235
+ ## Quality Gates for Agent-Written Code
364
236
 
365
- ## Example: Node.js/TypeScript Project
237
+ dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
366
238
 
367
- ```bash
368
- cd my-loopback-app
369
- npx @vyuhlabs/dxkit init --detect --yes
370
- ```
239
+ 1. **Pre-commit** — fast local checks (architecture, slop, lint, typecheck)
240
+ 2. **Pre-push** — thorough local checks (full suite + coverage threshold)
241
+ 3. **PR CI** unbypassable server-side checks (everything above + slop-vs-base + pack-dry)
242
+ 4. **Coverage threshold** — enforced at both local and CI tiers; agents can't silently lower it
371
243
 
372
- Output:
244
+ The same pattern is what dxkit itself uses. See `scripts/check-coverage.sh` + `scripts/check-slop.sh`.
373
245
 
374
- ```
375
- ✓ Languages: node
376
- Framework: loopback
377
- ✓ Tests: mocha (npm test)
378
- ✓ Created: 61 files
379
- ```
246
+ ---
247
+
248
+ ## Library API
380
249
 
381
- Then in Claude Code:
250
+ dxkit exports functions for programmatic use by downstream packages (e.g. `@vyuhlabs/create-devstack`):
382
251
 
383
- ```
384
- /help # See everything
385
- /ask How does the auth middleware work? # Codebase Q&A
386
- /health # Full health audit
387
- /vulnerabilities # Security scan
388
- /dev-report # Team activity report
389
- /quality # ESLint + AI review
390
- /onboarding # New developer guide
391
- ```
252
+ ```typescript
253
+ import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
254
+ import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
255
+
256
+ const stack = detect('/path/to/project');
392
257
 
393
- ## Example: Multi-Language Repo (Python + Go + TypeScript)
258
+ if (hasProjectYaml('/path/to/project')) {
259
+ const config = readProjectYaml('/path/to/project');
260
+ }
394
261
 
395
- ```bash
396
- cd my-monorepo
397
- npx @vyuhlabs/dxkit init --detect --yes
262
+ const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
398
263
  ```
399
264
 
400
- Generates:
265
+ The CLI binary (`vyuh-dxkit`) is separate; the library import is for build-time and programmatic consumers.
401
266
 
402
- - Quality commands with `npx eslint .` + `ruff check .` + `golangci-lint run`
403
- - Test commands with `npm test` + `pytest` + `go test`
404
- - Path-scoped rules for `.ts`, `.py`, and `.go` files
405
- - Language breakdown in codebase skill: "TypeScript: 200, Python: 50, Go: 30"
267
+ ---
406
268
 
407
- ## Two Workflows: Fix Loop and Feature Loop
269
+ ## Two Workflows
408
270
 
409
271
  ### Fix Loop: Reports → KPIs → Plans → Execution
410
272
 
411
- For improving existing code (security fixes, quality improvements, test coverage):
412
-
413
- ```
414
- # 1. Init DXKit
273
+ ```bash
274
+ # 1. Scaffold into an existing repo
415
275
  npx @vyuhlabs/dxkit init --detect --yes
416
276
 
417
- # 2. Generate reports
277
+ # 2. Run analyzers (any of these work standalone too)
418
278
  /health # Codebase health (6 dimensions)
419
- /vulnerabilities # Security scan (CWE-classified)
279
+ /vulnerabilities # Security scan
420
280
  /test-gaps # Untested critical code
421
281
 
422
282
  # 3. Generate improvement plans
423
- /plan # Propose KPIs + actionable plans
283
+ /plan # Proposes KPIs + actionable plans
424
284
 
425
285
  # 4. Execute plans with session management
426
286
  /execute-plan security # Work through security fixes
@@ -431,48 +291,102 @@ npx @vyuhlabs/dxkit init --detect --yes
431
291
 
432
292
  ### Feature Loop: Description → Design → Plan → Build
433
293
 
434
- For developing new features:
435
-
436
- ```
437
- # 1. Design a new feature
294
+ ```bash
438
295
  /feature add user roles with admin, editor, viewer tiers
439
-
440
296
  # Agent reads codebase, finds similar patterns, generates:
441
297
  # .ai/features/user-roles.md with full implementation plan
442
298
 
443
- # 2. Review and adjust the plan (edit the md file if needed)
444
-
445
- # 3. Build the feature
446
299
  /build-feature user-roles
447
-
448
300
  # Agent executes tasks: model → migration → repository → service → tests → controller
449
301
  # Session checkpoints after each task
450
- # Progress tracked in .ai/features/progress/user-roles.md
451
302
  ```
452
303
 
453
304
  Both loops use the session framework — checkpoints, skill evolution, progress tracking.
454
305
 
455
- ## Daily Development Workflow
306
+ ---
307
+
308
+ ## Reports
309
+
310
+ All analyzer commands save timestamped reports to `.ai/reports/`:
456
311
 
457
312
  ```
458
- /session-start # Load context, plan work
459
- git checkout -b feature/my-feature # Create branch
460
- /ask How does the payment flow work? # Understand the code
461
- # ... develop with full context ...
462
- /quality # Lint + AI review
463
- /test # Tests
464
- /learn auth tokens expire after 24h # Capture gotcha
465
- git add -A && git commit # Commit
466
- /session-end # Checkpoint + evolve skills
313
+ .ai/reports/
314
+ health-audit-<date>.md
315
+ health-audit-<date>-detailed.md # with --detailed
316
+ health-audit-<date>-detailed.json # agent-consumable
317
+ vulnerability-scan-<date>.md
318
+ test-gaps-<date>.md
319
+ quality-review-<date>.md
320
+ developer-report-<date>.md
467
321
  ```
468
322
 
323
+ Export options:
324
+
325
+ - **HTML dashboard**: `/dashboard` (Claude Code slash command) — dark-themed sidebar navigation
326
+ - **PDF**: `/export-pdf all` — converts all reports to PDF
327
+ - **Structured JSON**: `--detailed` on any command emits a canonical JSON schema
328
+
329
+ ---
330
+
331
+ ## Using with create-devstack
332
+
333
+ [`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
334
+
335
+ ```bash
336
+ npm create @vyuhlabs/devstack my-project # devcontainer + .project.yaml + dxkit init
337
+ ```
338
+
339
+ When create-devstack writes `.project.yaml` before calling dxkit, detection and prompts are skipped.
340
+
341
+ ---
342
+
343
+ ## Smart Detection
344
+
345
+ - **Test runner** — Jest, Mocha, Vitest, Ava, Tap, pytest, go test
346
+ - **Framework** — LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
347
+ - **Test presence** — counts + classifies (active, commented-out, empty, schema-only)
348
+ - **Multi-language** — detects all languages including Python from `.py` files (no config required)
349
+ - **Language breakdown** — file count per language via `cloc`
350
+
351
+ ---
352
+
353
+ ## CLI Reference
354
+
355
+ ```bash
356
+ # Analyzer commands
357
+ vyuh-dxkit health [path] # 6-dimension score
358
+ vyuh-dxkit vulnerabilities [path] # Security scan
359
+ vyuh-dxkit test-gaps [path] # Coverage + gaps + actions
360
+ vyuh-dxkit quality [path] # Slop + duplication + lint
361
+ vyuh-dxkit dev-report [path] # Git activity report
362
+
363
+ # Tool management
364
+ vyuh-dxkit tools # status
365
+ vyuh-dxkit tools install [--yes] # install missing
366
+
367
+ # Scaffolding
368
+ vyuh-dxkit init [--detect|--yes|--full|--stealth|--force|--name <n>]
369
+ vyuh-dxkit update [--force|--rescan] # re-generate (preserves evolving files)
370
+ vyuh-dxkit doctor # diagnose environment
371
+
372
+ # Meta
373
+ vyuh-dxkit --help
374
+ vyuh-dxkit --version
375
+ ```
376
+
377
+ ---
378
+
469
379
  ## How It Works
470
380
 
471
- 1. **Detection** — Scans for config files, source files, and tools to determine languages, frameworks, and test runners
472
- 2. **Template Processing** — Processes `.md.template` files through a conditional engine, generating language-specific commands
473
- 3. **Codebase Scanning** — Analyzes source files to find entry points, API routes (including LoopBack/Express/FastAPI decorators), test patterns, and language breakdown
474
- 4. **Generation** — Writes 60+ files non-destructively (never overwrites without `--force`, evolving files always preserved)
475
- 5. **Manifest** — Saves state to `.vyuh-dxkit.json` for `update` and `doctor` commands
381
+ 1. **Detection** — scans for config files, source files, and tools to determine languages, frameworks, and test runners
382
+ 2. **Tool resolution** — `findTool()` checks PATH brew npm-g → pipx → cargo → go → project `node_modules` → system probes (first match wins)
383
+ 3. **Gather metrics** — each analyzer calls its registered tools and parses structured output (JSON wherever possible)
384
+ 4. **Score** — deterministic formulas map metrics to 0–100 per dimension
385
+ 5. **Report** — markdown for humans, JSON for agents
386
+
387
+ No LLM in the analysis path. Scores are reproducible: same repo state → same report.
388
+
389
+ ---
476
390
 
477
391
  ## License
478
392