@vyuhlabs/dxkit 1.5.1 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (257) hide show
  1. package/CHANGELOG.md +264 -0
  2. package/README.md +265 -352
  3. package/THIRD_PARTY_NOTICES.md +40 -0
  4. package/dist/analyzers/developer/detailed.d.ts +26 -0
  5. package/dist/analyzers/developer/detailed.d.ts.map +1 -0
  6. package/dist/analyzers/developer/detailed.js +193 -0
  7. package/dist/analyzers/developer/detailed.js.map +1 -0
  8. package/dist/analyzers/developer/gather.d.ts +11 -0
  9. package/dist/analyzers/developer/gather.d.ts.map +1 -0
  10. package/dist/analyzers/developer/gather.js +167 -0
  11. package/dist/analyzers/developer/gather.js.map +1 -0
  12. package/dist/analyzers/developer/index.d.ts +8 -0
  13. package/dist/analyzers/developer/index.d.ts.map +1 -0
  14. package/dist/analyzers/developer/index.js +168 -0
  15. package/dist/analyzers/developer/index.js.map +1 -0
  16. package/dist/analyzers/developer/types.d.ts +49 -0
  17. package/dist/analyzers/developer/types.d.ts.map +1 -0
  18. package/dist/analyzers/developer/types.js +6 -0
  19. package/dist/analyzers/developer/types.js.map +1 -0
  20. package/dist/analyzers/docs/shallow.d.ts +9 -0
  21. package/dist/analyzers/docs/shallow.d.ts.map +1 -0
  22. package/dist/analyzers/docs/shallow.js +8 -0
  23. package/dist/analyzers/docs/shallow.js.map +1 -0
  24. package/dist/analyzers/dx/shallow.d.ts +9 -0
  25. package/dist/analyzers/dx/shallow.d.ts.map +1 -0
  26. package/dist/analyzers/dx/shallow.js +8 -0
  27. package/dist/analyzers/dx/shallow.js.map +1 -0
  28. package/dist/analyzers/evidence.d.ts +36 -0
  29. package/dist/analyzers/evidence.d.ts.map +1 -0
  30. package/dist/analyzers/evidence.js +3 -0
  31. package/dist/analyzers/evidence.js.map +1 -0
  32. package/dist/analyzers/health/actions.d.ts +10 -0
  33. package/dist/analyzers/health/actions.d.ts.map +1 -0
  34. package/dist/analyzers/health/actions.js +284 -0
  35. package/dist/analyzers/health/actions.js.map +1 -0
  36. package/dist/analyzers/health/detailed.d.ts +26 -0
  37. package/dist/analyzers/health/detailed.d.ts.map +1 -0
  38. package/dist/analyzers/health/detailed.js +147 -0
  39. package/dist/analyzers/health/detailed.js.map +1 -0
  40. package/dist/analyzers/health.d.ts +22 -0
  41. package/dist/analyzers/health.d.ts.map +1 -0
  42. package/dist/analyzers/health.js +270 -0
  43. package/dist/analyzers/health.js.map +1 -0
  44. package/dist/analyzers/index.d.ts +3 -0
  45. package/dist/analyzers/index.d.ts.map +1 -0
  46. package/dist/analyzers/index.js +6 -0
  47. package/dist/analyzers/index.js.map +1 -0
  48. package/dist/analyzers/maintainability/shallow.d.ts +9 -0
  49. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -0
  50. package/dist/analyzers/maintainability/shallow.js +8 -0
  51. package/dist/analyzers/maintainability/shallow.js.map +1 -0
  52. package/dist/analyzers/quality/actions.d.ts +5 -0
  53. package/dist/analyzers/quality/actions.d.ts.map +1 -0
  54. package/dist/analyzers/quality/actions.js +158 -0
  55. package/dist/analyzers/quality/actions.js.map +1 -0
  56. package/dist/analyzers/quality/detailed.d.ts +17 -0
  57. package/dist/analyzers/quality/detailed.d.ts.map +1 -0
  58. package/dist/analyzers/quality/detailed.js +122 -0
  59. package/dist/analyzers/quality/detailed.js.map +1 -0
  60. package/dist/analyzers/quality/gather.d.ts +38 -0
  61. package/dist/analyzers/quality/gather.d.ts.map +1 -0
  62. package/dist/analyzers/quality/gather.js +279 -0
  63. package/dist/analyzers/quality/gather.js.map +1 -0
  64. package/dist/analyzers/quality/index.d.ts +12 -0
  65. package/dist/analyzers/quality/index.d.ts.map +1 -0
  66. package/dist/analyzers/quality/index.js +281 -0
  67. package/dist/analyzers/quality/index.js.map +1 -0
  68. package/dist/analyzers/quality/shallow.d.ts +9 -0
  69. package/dist/analyzers/quality/shallow.d.ts.map +1 -0
  70. package/dist/analyzers/quality/shallow.js +8 -0
  71. package/dist/analyzers/quality/shallow.js.map +1 -0
  72. package/dist/analyzers/quality/types.d.ts +66 -0
  73. package/dist/analyzers/quality/types.d.ts.map +1 -0
  74. package/dist/analyzers/quality/types.js +3 -0
  75. package/dist/analyzers/quality/types.js.map +1 -0
  76. package/dist/analyzers/remediation.d.ts +42 -0
  77. package/dist/analyzers/remediation.d.ts.map +1 -0
  78. package/dist/analyzers/remediation.js +28 -0
  79. package/dist/analyzers/remediation.js.map +1 -0
  80. package/dist/analyzers/scoring.d.ts +32 -0
  81. package/dist/analyzers/scoring.d.ts.map +1 -0
  82. package/dist/analyzers/scoring.js +410 -0
  83. package/dist/analyzers/scoring.js.map +1 -0
  84. package/dist/analyzers/security/actions.d.ts +7 -0
  85. package/dist/analyzers/security/actions.d.ts.map +1 -0
  86. package/dist/analyzers/security/actions.js +104 -0
  87. package/dist/analyzers/security/actions.js.map +1 -0
  88. package/dist/analyzers/security/detailed.d.ts +14 -0
  89. package/dist/analyzers/security/detailed.d.ts.map +1 -0
  90. package/dist/analyzers/security/detailed.js +124 -0
  91. package/dist/analyzers/security/detailed.js.map +1 -0
  92. package/dist/analyzers/security/gather.d.ts +12 -0
  93. package/dist/analyzers/security/gather.d.ts.map +1 -0
  94. package/dist/analyzers/security/gather.js +195 -0
  95. package/dist/analyzers/security/gather.js.map +1 -0
  96. package/dist/analyzers/security/index.d.ts +8 -0
  97. package/dist/analyzers/security/index.d.ts.map +1 -0
  98. package/dist/analyzers/security/index.js +173 -0
  99. package/dist/analyzers/security/index.js.map +1 -0
  100. package/dist/analyzers/security/scoring.d.ts +29 -0
  101. package/dist/analyzers/security/scoring.d.ts.map +1 -0
  102. package/dist/analyzers/security/scoring.js +40 -0
  103. package/dist/analyzers/security/scoring.js.map +1 -0
  104. package/dist/analyzers/security/shallow.d.ts +10 -0
  105. package/dist/analyzers/security/shallow.d.ts.map +1 -0
  106. package/dist/analyzers/security/shallow.js +8 -0
  107. package/dist/analyzers/security/shallow.js.map +1 -0
  108. package/dist/analyzers/security/types.d.ts +43 -0
  109. package/dist/analyzers/security/types.d.ts.map +1 -0
  110. package/dist/analyzers/security/types.js +6 -0
  111. package/dist/analyzers/security/types.js.map +1 -0
  112. package/dist/analyzers/tests/actions.d.ts +6 -0
  113. package/dist/analyzers/tests/actions.d.ts.map +1 -0
  114. package/dist/analyzers/tests/actions.js +80 -0
  115. package/dist/analyzers/tests/actions.js.map +1 -0
  116. package/dist/analyzers/tests/detailed.d.ts +14 -0
  117. package/dist/analyzers/tests/detailed.d.ts.map +1 -0
  118. package/dist/analyzers/tests/detailed.js +121 -0
  119. package/dist/analyzers/tests/detailed.js.map +1 -0
  120. package/dist/analyzers/tests/gather.d.ts +5 -0
  121. package/dist/analyzers/tests/gather.d.ts.map +1 -0
  122. package/dist/analyzers/tests/gather.js +270 -0
  123. package/dist/analyzers/tests/gather.js.map +1 -0
  124. package/dist/analyzers/tests/import-graph.d.ts +48 -0
  125. package/dist/analyzers/tests/import-graph.d.ts.map +1 -0
  126. package/dist/analyzers/tests/import-graph.js +231 -0
  127. package/dist/analyzers/tests/import-graph.js.map +1 -0
  128. package/dist/analyzers/tests/index.d.ts +8 -0
  129. package/dist/analyzers/tests/index.d.ts.map +1 -0
  130. package/dist/analyzers/tests/index.js +247 -0
  131. package/dist/analyzers/tests/index.js.map +1 -0
  132. package/dist/analyzers/tests/scoring.d.ts +27 -0
  133. package/dist/analyzers/tests/scoring.d.ts.map +1 -0
  134. package/dist/analyzers/tests/scoring.js +38 -0
  135. package/dist/analyzers/tests/scoring.js.map +1 -0
  136. package/dist/analyzers/tests/shallow.d.ts +9 -0
  137. package/dist/analyzers/tests/shallow.d.ts.map +1 -0
  138. package/dist/analyzers/tests/shallow.js +8 -0
  139. package/dist/analyzers/tests/shallow.js.map +1 -0
  140. package/dist/analyzers/tests/types.d.ts +49 -0
  141. package/dist/analyzers/tests/types.d.ts.map +1 -0
  142. package/dist/analyzers/tests/types.js +6 -0
  143. package/dist/analyzers/tests/types.js.map +1 -0
  144. package/dist/analyzers/tools/cloc.d.ts +8 -0
  145. package/dist/analyzers/tools/cloc.d.ts.map +1 -0
  146. package/dist/analyzers/tools/cloc.js +49 -0
  147. package/dist/analyzers/tools/cloc.js.map +1 -0
  148. package/dist/analyzers/tools/coverage.d.ts +59 -0
  149. package/dist/analyzers/tools/coverage.d.ts.map +1 -0
  150. package/dist/analyzers/tools/coverage.js +280 -0
  151. package/dist/analyzers/tools/coverage.js.map +1 -0
  152. package/dist/analyzers/tools/cvss-v4-lookup.d.ts +10 -0
  153. package/dist/analyzers/tools/cvss-v4-lookup.d.ts.map +1 -0
  154. package/dist/analyzers/tools/cvss-v4-lookup.js +284 -0
  155. package/dist/analyzers/tools/cvss-v4-lookup.js.map +1 -0
  156. package/dist/analyzers/tools/cvss-v4.d.ts +24 -0
  157. package/dist/analyzers/tools/cvss-v4.d.ts.map +1 -0
  158. package/dist/analyzers/tools/cvss-v4.js +362 -0
  159. package/dist/analyzers/tools/cvss-v4.js.map +1 -0
  160. package/dist/analyzers/tools/default-exclusions.gitignore +56 -0
  161. package/dist/analyzers/tools/exclusions.d.ts +70 -0
  162. package/dist/analyzers/tools/exclusions.d.ts.map +1 -0
  163. package/dist/analyzers/tools/exclusions.js +250 -0
  164. package/dist/analyzers/tools/exclusions.js.map +1 -0
  165. package/dist/analyzers/tools/generic.d.ts +4 -0
  166. package/dist/analyzers/tools/generic.d.ts.map +1 -0
  167. package/dist/analyzers/tools/generic.js +198 -0
  168. package/dist/analyzers/tools/generic.js.map +1 -0
  169. package/dist/analyzers/tools/gitleaks.d.ts +8 -0
  170. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -0
  171. package/dist/analyzers/tools/gitleaks.js +58 -0
  172. package/dist/analyzers/tools/gitleaks.js.map +1 -0
  173. package/dist/analyzers/tools/graphify.d.ts +4 -0
  174. package/dist/analyzers/tools/graphify.d.ts.map +1 -0
  175. package/dist/analyzers/tools/graphify.js +222 -0
  176. package/dist/analyzers/tools/graphify.js.map +1 -0
  177. package/dist/analyzers/tools/osv.d.ts +51 -0
  178. package/dist/analyzers/tools/osv.d.ts.map +1 -0
  179. package/dist/analyzers/tools/osv.js +188 -0
  180. package/dist/analyzers/tools/osv.js.map +1 -0
  181. package/dist/analyzers/tools/parallel.d.ts +8 -0
  182. package/dist/analyzers/tools/parallel.d.ts.map +1 -0
  183. package/dist/analyzers/tools/parallel.js +195 -0
  184. package/dist/analyzers/tools/parallel.js.map +1 -0
  185. package/dist/analyzers/tools/runner.d.ts +13 -0
  186. package/dist/analyzers/tools/runner.d.ts.map +1 -0
  187. package/dist/analyzers/tools/runner.js +109 -0
  188. package/dist/analyzers/tools/runner.js.map +1 -0
  189. package/dist/analyzers/tools/suppressions.d.ts +55 -0
  190. package/dist/analyzers/tools/suppressions.d.ts.map +1 -0
  191. package/dist/analyzers/tools/suppressions.js +203 -0
  192. package/dist/analyzers/tools/suppressions.js.map +1 -0
  193. package/dist/analyzers/tools/timing.d.ts +9 -0
  194. package/dist/analyzers/tools/timing.d.ts.map +1 -0
  195. package/dist/analyzers/tools/timing.js +29 -0
  196. package/dist/analyzers/tools/timing.js.map +1 -0
  197. package/dist/analyzers/tools/tool-registry.d.ts +86 -0
  198. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -0
  199. package/dist/analyzers/tools/tool-registry.js +705 -0
  200. package/dist/analyzers/tools/tool-registry.js.map +1 -0
  201. package/dist/analyzers/types.d.ts +125 -0
  202. package/dist/analyzers/types.d.ts.map +1 -0
  203. package/dist/analyzers/types.js +11 -0
  204. package/dist/analyzers/types.js.map +1 -0
  205. package/dist/cli.d.ts.map +1 -1
  206. package/dist/cli.js +405 -0
  207. package/dist/cli.js.map +1 -1
  208. package/dist/detect.d.ts.map +1 -1
  209. package/dist/detect.js +24 -15
  210. package/dist/detect.js.map +1 -1
  211. package/dist/languages/csharp.d.ts +5 -0
  212. package/dist/languages/csharp.d.ts.map +1 -0
  213. package/dist/languages/csharp.js +265 -0
  214. package/dist/languages/csharp.js.map +1 -0
  215. package/dist/languages/go.d.ts +11 -0
  216. package/dist/languages/go.d.ts.map +1 -0
  217. package/dist/languages/go.js +321 -0
  218. package/dist/languages/go.js.map +1 -0
  219. package/dist/languages/index.d.ts +6 -0
  220. package/dist/languages/index.d.ts.map +1 -0
  221. package/dist/languages/index.js +18 -0
  222. package/dist/languages/index.js.map +1 -0
  223. package/dist/languages/python.d.ts +3 -0
  224. package/dist/languages/python.d.ts.map +1 -0
  225. package/dist/languages/python.js +284 -0
  226. package/dist/languages/python.js.map +1 -0
  227. package/dist/languages/rust.d.ts +17 -0
  228. package/dist/languages/rust.d.ts.map +1 -0
  229. package/dist/languages/rust.js +333 -0
  230. package/dist/languages/rust.js.map +1 -0
  231. package/dist/languages/types.d.ts +38 -0
  232. package/dist/languages/types.d.ts.map +1 -0
  233. package/dist/languages/types.js +3 -0
  234. package/dist/languages/types.js.map +1 -0
  235. package/dist/languages/typescript.d.ts +15 -0
  236. package/dist/languages/typescript.d.ts.map +1 -0
  237. package/dist/languages/typescript.js +353 -0
  238. package/dist/languages/typescript.js.map +1 -0
  239. package/dist/logger.d.ts +1 -0
  240. package/dist/logger.d.ts.map +1 -1
  241. package/dist/logger.js +25 -12
  242. package/dist/logger.js.map +1 -1
  243. package/dist/project-yaml.d.ts.map +1 -1
  244. package/dist/project-yaml.js +1 -0
  245. package/dist/project-yaml.js.map +1 -1
  246. package/dist/tools-cli.d.ts +2 -0
  247. package/dist/tools-cli.d.ts.map +1 -0
  248. package/dist/tools-cli.js +231 -0
  249. package/dist/tools-cli.js.map +1 -0
  250. package/dist/types.d.ts +10 -0
  251. package/dist/types.d.ts.map +1 -1
  252. package/package.json +6 -2
  253. package/templates/.claude/commands/dev-report.md +34 -4
  254. package/templates/.claude/commands/health.md +45 -2
  255. package/templates/.claude/commands/quality.md.template +38 -15
  256. package/templates/.claude/commands/test-gaps.md +36 -2
  257. package/templates/.claude/commands/vulnerabilities.md +36 -2
package/README.md CHANGED
@@ -1,350 +1,194 @@
1
1
  # @vyuhlabs/dxkit
2
2
 
3
- AI-native developer experience toolkit for any repository. Adds Claude Code agents, skills, commands, and quality hooks to existing projects in seconds.
3
+ AI-native analyzer and scaffolder for any repository. Two modes in one CLI:
4
+
5
+ 1. **Analyze** any repo deterministically — health, security, test gaps, code quality, developer activity — in seconds, no LLM required.
6
+ 2. **Scaffold** `.claude/` agents, skills, commands, and hooks tuned to your stack.
7
+
8
+ Built so agent-written code has deterministic guardrails before it ships. Scores don't move just because an LLM had a different mood today.
4
9
 
5
10
  ## Quick Start
6
11
 
12
+ **Analyze an existing repo:**
13
+
7
14
  ```bash
8
- # Auto-detect your stack and set up everything
9
- npx @vyuhlabs/dxkit init --detect
15
+ cd your-repo
16
+ npx @vyuhlabs/dxkit tools install --yes # one-time: install cloc, gitleaks, etc.
17
+ npx @vyuhlabs/dxkit health --detailed # 5-dimension score + remediation plan
18
+ npx @vyuhlabs/dxkit vulnerabilities # secret + SAST + dep-audit scan
19
+ npx @vyuhlabs/dxkit test-gaps # import-graph + coverage-aware
20
+ ```
10
21
 
11
- # Interactive mode (prompts for config)
12
- npx @vyuhlabs/dxkit init
22
+ **Scaffold AI tooling into a repo:**
13
23
 
14
- # Full mode (DX + quality + hooks + CI)
15
- npx @vyuhlabs/dxkit init --full --yes
24
+ ```bash
25
+ npx @vyuhlabs/dxkit init --detect # auto-detect stack, minimal prompts
26
+ npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks + CI
16
27
  ```
17
28
 
18
- ## What It Does
29
+ The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
19
30
 
20
- Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with:
31
+ ---
21
32
 
22
- ```
23
- .claude/
24
- settings.json # Permissions, deny list, learning hooks
25
- agents/ # Active agents (auto-trigger on matching questions)
26
- knowledge-bot.md # Answers codebase questions
27
- onboarding.md # Interactive onboarding buddy
28
- quality-reviewer.md # Reviews code before committing
29
- doc-writer.md # Audits and writes documentation
30
- agents-available/ # Dormant agents (activate with /enable-agent)
31
- codebase-explorer.md # Deep architecture analysis
32
- code-reviewer.md # PR review and security audit
33
- test-writer.md # Writes tests for existing code
34
- test-gap-finder.md # Identifies untested critical code
35
- dependency-mapper.md # Maps import chains and blast radius
36
- health-auditor.md # 6-dimension codebase health audit
37
- vulnerability-scanner.md # CWE-classified security scan (Snyk-comparable)
38
- dev-report.md # Developer activity + quality attribution
39
- dashboard-builder.md # HTML dashboard from all reports
40
- hooks-configurator.md # Git hooks from DXKit commands
41
- debugger.md # Root cause analysis
42
- commands/ # 26 slash commands (see below)
43
- skills/ # Domain knowledge
44
- codebase/ # Auto-generated architecture overview
45
- learned/ # Evolving gotchas, conventions, deny list
46
- rules/ # Path-scoped rules (per language + framework)
47
- CLAUDE.md # Main context file for Claude Code
48
- .ai/
49
- sessions/ # Session checkpoints
50
- reports/ # Generated reports (health, vulnerabilities, etc.)
51
- .github/
52
- workflows/
53
- pr-review.yml # Automated PR review (opt-in)
54
- ```
33
+ ## Analyzer CLI (`vyuh-dxkit <command>`)
55
34
 
56
- ## Supported Languages
35
+ Five deterministic analyzers. Each emits a markdown report to `.ai/reports/` and optional structured JSON.
57
36
 
58
- | Language | Detection | Linters | Test Runner |
59
- | -------------------- | ------------------------------------ | --------------------- | --------------------------------------------- |
60
- | Node.js / TypeScript | `package.json` | ESLint, Prettier, tsc | Auto-detected (Jest, Mocha, Vitest, Ava, Tap) |
61
- | Python | `pyproject.toml`, `setup.py`, `*.py` | ruff, mypy | pytest |
62
- | Go | `go.mod` | golangci-lint, go vet | go test |
63
- | C# | `*.csproj`, `*.sln` | dotnet format, Roslyn | dotnet test |
64
- | Rust | `Cargo.toml` | clippy, rustfmt | cargo test |
37
+ | Command | What it does | Runtime | Output |
38
+ | ----------------- | --------------------------------------------------------------- | ------- | ------------------------------------------ |
39
+ | `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.ai/reports/health-audit-<date>.md` |
40
+ | `vulnerabilities` | gitleaks + semgrep + `npm audit` / `pip-audit` | 5–30s | `.ai/reports/vulnerability-scan-<date>.md` |
41
+ | `test-gaps` | Coverage artifact → import-graph filename (strongest wins) | <1s | `.ai/reports/test-gaps-<date>.md` |
42
+ | `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.ai/reports/quality-review-<date>.md` |
43
+ | `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.ai/reports/developer-report-<date>.md` |
65
44
 
66
- Multi-language repos fully supported detects and generates rules/commands for all languages present.
45
+ ### Flags (apply to all analyzer commands)
67
46
 
68
- ## Supported Frameworks
47
+ | Flag | Effect |
48
+ | ---------------- | ------------------------------------------------------------------------------------- |
49
+ | `--detailed` | Also writes `<name>-detailed.md` + `.json` with evidence + ranked remediation actions |
50
+ | `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
51
+ | `--verbose` | Print per-tool timing to stderr |
52
+ | `--no-save` | Skip writing markdown; useful with `--json` |
53
+ | `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
69
54
 
70
- Auto-detected with framework-specific path-scoped rules:
55
+ ### Detailed mode evidence + ranked fixes
71
56
 
72
- - **LoopBack** Controller/model/repository patterns, decorator conventions
73
- - **Express** — Middleware/routing conventions, error handling patterns
74
- - **NestJS**, **Fastify**, **Koa**, **Hapi** — Detected (rules coming soon)
75
- - **FastAPI**, **Django**, **Flask** — Detected (rules coming soon)
76
- - **Gin**, **Echo**, **Fiber** — Detected (rules coming soon)
57
+ `--detailed` writes a second pair of files with:
77
58
 
78
- ## Supported Tools
79
-
80
- Auto-detected and integrated when present:
81
-
82
- - **Google Cloud** (gcloud) — SDK commands, security rules
83
- - **Infisical** — Secrets management, never-leak rules
84
- - **Pulumi** — IaC with preview-before-apply safety
85
- - **Docker** — Container commands
86
-
87
- ## Commands (30)
88
-
89
- ### Development Workflow
90
-
91
- | Command | Description |
92
- | ----------------- | --------------------------------------------------- |
93
- | `/session-start` | Start an AI-assisted dev session |
94
- | `/session-end` | End session, create checkpoint, evolve skills |
95
- | `/ask <question>` | Ask about the codebase (delegates to knowledge-bot) |
96
- | `/learn` | Capture a gotcha, convention, or thing to avoid |
97
-
98
- ### Quality & Testing
99
-
100
- | Command | Description |
101
- | ------------ | -------------------------------------------------------- |
102
- | `/quality` | Run language-specific linters + AI review |
103
- | `/test` | Run tests (auto-detected runner) |
104
- | `/check` | Full pre-commit validation (quality + tests + AI review) |
105
- | `/fix` | Auto-fix formatting and lint issues |
106
- | `/build` | Build the project |
107
- | `/test-gaps` | Find critical untested code paths |
108
-
109
- ### Analysis & Reports
110
-
111
- | Command | Description | Output |
112
- | ------------------ | ---------------------------------------------- | ------------------------------------- |
113
- | `/health` | 6-dimension codebase health audit | `.ai/reports/health-audit-*.md` |
114
- | `/vulnerabilities` | CWE-classified security scan (Snyk-comparable) | `.ai/reports/vulnerability-scan-*.md` |
115
- | `/dev-report` | Developer activity + security attribution | `.ai/reports/developer-report-*.md` |
116
- | `/docs audit` | Documentation gap analysis | `.ai/reports/docs-audit-*.md` |
117
- | `/deps` | Dependency map + blast radius | `.ai/reports/dependency-map-*.md` |
118
- | `/dashboard` | Generate HTML dashboard from all reports | `.ai/reports/dashboard.html` |
119
- | `/export-pdf` | Convert markdown reports to PDF | `.ai/reports/*.pdf` |
120
-
121
- ### Planning & Execution — Fix Loop
122
-
123
- | Command | Description | Output |
124
- | ---------------------- | ----------------------------------------------------------- | -------------------------------------- |
125
- | `/plan` | Analyze reports → propose KPIs → generate improvement plans | `.ai/plans/` |
126
- | `/execute-plan <name>` | Execute a fix plan task by task with session checkpoints | `.ai/plans/progress/`, `.ai/sessions/` |
127
-
128
- ### Feature Development Loop
129
-
130
- | Command | Description | Output |
131
- | ------------------------ | -------------------------------------------------- | ----------------------------------------- |
132
- | `/feature <description>` | Design new feature → implementation plan | `.ai/features/` |
133
- | `/build-feature <slug>` | Build feature from plan with tests and conventions | `.ai/features/progress/`, `.ai/sessions/` |
134
-
135
- ### Exploration & Onboarding
136
-
137
- | Command | Description |
138
- | ------------------- | ----------------------------------------------- |
139
- | `/onboarding` | Interactive onboarding buddy for new developers |
140
- | `/explore-codebase` | Deep architecture exploration |
141
- | `/help` | List all commands and agents |
142
-
143
- ### Setup & Hooks
144
-
145
- | Command | Description |
146
- | ---------------------- | ---------------------------------------------------------------------------------- |
147
- | `/setup-hooks` | Configure git hooks (quality, test, vulnerability) — consistent with DXKit reports |
148
- | `/stealth-mode` | Gitignore DXKit files + install hooks (DXKit local-only, hooks for all devs) |
149
- | `/setup-pr-review` | Set up automated PR review GitHub Action |
150
- | `/fix-issue <number>` | Investigate and fix a GitHub issue |
151
- | `/doctor` | Diagnose environment issues |
152
- | `/enable-agent <name>` | Activate a dormant agent |
153
-
154
- ## Agents
155
-
156
- ### Active by Default (4)
157
-
158
- These agents auto-trigger when Claude detects a matching question:
159
-
160
- - **knowledge-bot** — "How does auth work?" "Where are payments handled?"
161
- - **onboarding** — "I'm new, help me get started" "What does this project do?"
162
- - **quality-reviewer** — "Review my changes" "Check quality before I commit"
163
- - **doc-writer** — "What needs documentation?" "Help me write docs"
59
+ - **Per-dimension plans** with a prioritized fix list
60
+ - **Evidence** for every finding (file, line, rule ID, tool, snippet)
61
+ - **Projected score delta** for each remediation action — so you know which fix moves the needle most
62
+ - **Canonical JSON** (`schemaVersion`) that agents or dashboards can consume
164
63
 
165
- ### Dormant (16) activate with `/enable-agent`
166
-
167
- - **codebase-explorer** — Deep architecture analysis, generates documentation
168
- - **code-reviewer** — PR review and security audit (read-only)
169
- - **test-writer** — Writes tests for existing code
170
- - **test-gap-finder** — Identifies critical untested code paths, prioritized by risk
171
- - **dependency-mapper** — Maps import chains and blast radius of changes
172
- - **health-auditor** — Comprehensive codebase health audit (scores 6 dimensions)
173
- - **vulnerability-scanner** — CWE-classified security scan with Snyk-comparable depth
174
- - **dev-report** — Developer activity, quality patterns, security attribution
175
- - **dashboard-builder** — Generates HTML dashboard from all reports
176
- - **strategic-planner** — Analyzes reports, proposes KPIs, generates improvement plans
177
- - **plan-executor** — Executes fix plans task by task with session checkpoints
178
- - **feature-planner** — Designs new features, generates implementation plans
179
- - **feature-builder** — Implements features from plans with tests and conventions
180
- - **hooks-configurator** — Configures scoped git hooks from DXKit commands
181
- - **debugger** — Systematic root cause analysis
64
+ ### Signal precedence (for `test-gaps` and the Testing dimension in `health`)
182
65
 
183
- ## Reports
66
+ Three signals, strongest wins for files it covers:
184
67
 
185
- All analysis commands save timestamped reports to `.ai/reports/`:
68
+ 1. **Coverage artifact** Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust). If the tool measured a file, that decision is authoritative.
69
+ 2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
70
+ 3. **Filename match** — last-resort basename similarity.
186
71
 
187
- ```bash
188
- .ai/reports/
189
- health-audit-2026-03-30.md # Scores: tests, quality, docs, security, DX
190
- vulnerability-scan-2026-03-30.md # CVEs, hardcoded secrets, dependency risks
191
- developer-report-2026-03-30.md # Team activity, ownership, security attribution
192
- test-gaps-2026-03-30.md # Critical untested code, prioritized by risk
193
- docs-audit-2026-03-30.md # Documentation gaps and recommendations
194
- dependency-map-2026-03-30.md # Import chains, most-depended-on files
195
- ```
72
+ A file counts as "tested" when the strongest available signal says so.
196
73
 
197
- Export options:
74
+ ---
198
75
 
199
- - **HTML dashboard**: `/dashboard` — beautiful dark-themed dashboard with sidebar navigation
200
- - **PDF**: `/export-pdf all` — converts all reports to PDF
76
+ ## Tool Registry
201
77
 
202
- ## Learning System
78
+ Analyzers delegate to established tools instead of reinventing them. `vyuh-dxkit tools` manages detection and installation across multiple methods (PATH, brew, npm-g, pipx, cargo, go, project `node_modules`, system probes).
203
79
 
204
- DXKit includes a continuous learning system that improves over time:
80
+ ```bash
81
+ vyuh-dxkit tools # list tool status for the detected stack
82
+ vyuh-dxkit tools install --yes # install all missing tools
83
+ vyuh-dxkit tools install # interactive: prompts per tool
84
+ ```
205
85
 
206
- 1. **Stop Hook** — After each conversation, Claude is reminded to capture learnings
207
- 2. **`/learn` command** — Explicitly save gotchas, conventions, or things to avoid
208
- 3. **`/session-end`** — Creates checkpoint and evolves skill files
209
- 4. **Evolving files** — Append-only, never overwritten even with `--force`:
210
- - `.claude/skills/learned/references/gotchas.md`
211
- - `.claude/skills/learned/references/conventions.md`
212
- - `.claude/skills/learned/references/deny-recommendations.md`
86
+ ### Tools integrated
213
87
 
214
- ## PR Review Automation
88
+ | Layer | Tools |
89
+ | --------- | -------------------------------------------------------- |
90
+ | Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
91
+ | Node / TS | `eslint`, `npm audit`, `@vitest/coverage-v8` |
92
+ | Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
93
+ | Go | `golangci-lint`, `govulncheck` |
94
+ | Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
95
+ | C# | `dotnet-format` (via SDK) |
215
96
 
216
- DXKit generates a GitHub Action that automatically reviews PRs using Claude Code:
97
+ Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
217
98
 
218
- 1. Set `ENABLE_AI_REVIEW=true` as a GitHub Actions variable
219
- 2. Add `ANTHROPIC_API_KEY` to repo secrets
99
+ ---
220
100
 
221
- Reviews appear as PR comments with issues rated as critical/warning/suggestion.
101
+ ## Config Files
222
102
 
223
- ## Git Hooks (Consistent with Reports)
103
+ ### `.dxkit-ignore`
224
104
 
225
- `/setup-hooks` configures git hooks that run the **exact same tools** as your DXKit reports:
105
+ Plain-text `.gitignore`-style file. Lines here are added to the analyzer's exclusion set on top of the bundled defaults and project `.gitignore`.
226
106
 
227
107
  ```
228
- commit → pre-commit → lint staged files only (fast, ~5s)
229
- push → pre-push → test affected areas only (medium, ~30s)
230
- PR → CI workflow → full quality + tests + security (thorough, ~3m)
108
+ # .dxkit-ignore override project exclusions for dxkit analyzers
109
+ vendor-bundle/
110
+ *.gen.ts
231
111
  ```
232
112
 
233
- - User chooses which checks to enable: quality, test, vulnerability
234
- - Hooks read from your `/quality`, `/test`, `/vulnerabilities` commands — no hardcoded tools
235
- - Supports scoped testing: Jest `--changedSince`, Vitest `--changed`, pytest `--testmon`
236
- - Works for all devs (plain bash, no Claude Code needed at runtime)
237
-
238
- ### Stealth Mode
113
+ Three layers merge: bundled defaults repo `.gitignore` repo `.dxkit-ignore`.
239
114
 
240
- `/stealth-mode` keeps DXKit local-only:
115
+ ### `.dxkit-suppressions.json`
241
116
 
242
- - `.claude/`, `.ai/`, `CLAUDE.md` gitignored not committed
243
- - `.githooks/` committed — all devs get the hooks
244
- - One-time setup: `git config core.hooksPath .githooks`
117
+ Silence known-false positives without touching code. Currently wired to `gitleaks` (semgrep + slop-hook wiring in progress).
245
118
 
246
- ## Vulnerability Scanner (Snyk-Comparable)
247
-
248
- The `/vulnerabilities` command runs a comprehensive security scan with CWE classification:
119
+ ```json
120
+ {
121
+ "gitleaks": [
122
+ {
123
+ "rule": "generic-api-key",
124
+ "paths": ["test/fixtures/**", "**/*.test.ts"],
125
+ "reason": "Fake keys in test fixtures"
126
+ }
127
+ ]
128
+ }
129
+ ```
249
130
 
250
- | Category | CWE | What It Checks |
251
- | ------------------------ | -------- | -------------------------------------------------------- |
252
- | Command Injection | CWE-78 | `exec()`, `child_process`, unsanitized input |
253
- | Decompression Bomb | CWE-409 | zlib/tar/decompress without size limits |
254
- | Uncontrolled Recursion | CWE-674 | JSON/XML/YAML parsers without depth limits |
255
- | Arbitrary File Upload | CWE-434 | multer/formidable/busboy without validation |
256
- | Buffer Overflow | CWE-120 | Native modules (binding.gyp, .node files) |
257
- | Resource Exhaustion | CWE-770 | Missing rate limits, body size limits, WebSocket payload |
258
- | Hardcoded Secrets | CWE-798 | Passwords, API keys, tokens in source |
259
- | Prototype Pollution | CWE-1321 | Via dependency audit CWE extraction |
260
- | + 15 more CWE categories | | Parsed from `npm audit --json` CWE fields |
131
+ A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`.
261
132
 
262
- Reports include a **Findings by CWE Category** table for direct comparison with Snyk/Sonar output.
133
+ ### `.project.yaml` (optional, for scaffolding)
263
134
 
264
- ## Smart Detection
135
+ When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` reads it as the config source — skipping detection and prompts. See [Scaffolding mode](#scaffolding-mode) below.
265
136
 
266
- - **Test runner** — Detects Jest, Mocha, Vitest, Ava, Tap, pytest, go test from scripts and dependencies
267
- - **Framework** — Detects LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
268
- - **Test presence** — Counts test files vs source files, warns about minimal coverage
269
- - **Multi-language** — Detects all languages including Python from `.py` files (no config file required)
270
- - **Language breakdown** — Shows file count per language in codebase skill for accurate analysis
137
+ ---
271
138
 
272
- ## Using with create-devstack
139
+ ## Language Support
273
140
 
274
- [`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
141
+ Each language is a single `LanguageSupport` implementation in `src/languages/`. Adding a new language is one file — detection, tools, coverage parsing, import extraction, and lint severity mapping in one place.
275
142
 
276
- When `create-devstack` writes a `.project.yaml` before calling `dxkit init`, dxkit reads it as the config source — skipping detection and prompts. This enables greenfield projects where no language files exist yet:
143
+ | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
144
+ | -------- | ------------------------------------ | ------------------- | --------------------------- | ----------------------------------- | ---------------------- | ----------------------------------- |
145
+ | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
146
+ | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
147
+ | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
148
+ | Rust | `Cargo.toml` | ✅ lcov + cobertura | ✅ use statements | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
149
+ | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ✅ using declarations | dotnet-format | — (formatter) | ✅ dotnet list --vulnerable |
277
150
 
278
- ```bash
279
- # create-devstack writes .project.yaml + .devcontainer/, then calls dxkit
280
- npm create @vyuhlabs/devstack my-project
151
+ ✅ full support. Multi-language repos fully supported — every detected language's tools run, and `depVuln*` counts aggregate across all language packs (pip-audit findings don't silently replace npm-audit ones).
281
152
 
282
- # Or manually: write .project.yaml first, then run dxkit
283
- npx @vyuhlabs/dxkit init --full
284
- # → dxkit reads .project.yaml, generates Makefile, configs, CI, .claude/
285
- ```
153
+ **Severity enrichment.** Scanners that don't publish per-finding severity (pip-audit, govulncheck) are enriched via the OSV.dev API. DXKit ships a complete CVSS v4.0 base-score calculator (macrovector lookup + severity-distance refinement, ported from [FIRST's reference implementation](https://github.com/FIRSTdotorg/cvss-v4-calculator)) since modern CVEs (2025+) increasingly publish v4 vectors exclusively. Unreachable IDs keep the scanner's legacy default bucket — the analyzer never fails because OSV was slow.
286
154
 
287
- ### .project.yaml schema
288
-
289
- ```yaml
290
- project:
291
- name: my-project
292
- description: A web API
293
- languages:
294
- python:
295
- enabled: true
296
- version: '3.12'
297
- quality:
298
- coverage: 80
299
- lint: true
300
- go:
301
- enabled: true
302
- version: '1.24.0'
303
- infrastructure:
304
- postgres:
305
- enabled: true
306
- version: '16'
307
- tools:
308
- claude_code: true
309
- precommit: true
310
- docker: true
311
- gcloud: false
312
- ```
155
+ **Lint severity tiering.** Every lint finding is categorized into critical/high/medium/low by rule ID, linter name, or lint group. For backward compatibility, `gatherMetrics` collapses tiers to the existing `lintErrors` (critical + high) / `lintWarnings` (medium + low) fields, so scoring behavior is preserved. The tiered data is available for future analyzers that want finer granularity.
313
156
 
314
- When `.project.yaml` is present, dxkit uses it to determine which languages, tools, and quality settings to generate. When absent, dxkit falls back to filesystem detection + interactive prompts as before.
157
+ ---
315
158
 
316
- ## Library API
159
+ ## Scaffolding Mode
317
160
 
318
- dxkit exports functions for programmatic use by other packages:
161
+ Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with 4 active + 17 opt-in agents, 30 slash commands, skills, path-scoped rules, and hooks.
319
162
 
320
- ```typescript
321
- import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
322
- import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
163
+ ```
164
+ .claude/
165
+ settings.json # Permissions, deny list, learning hooks
166
+ agents/ # Active agents (auto-trigger on matching questions)
167
+ knowledge-bot.md # Answers codebase questions
168
+ onboarding.md # Interactive onboarding buddy
169
+ quality-reviewer.md # Reviews code before committing
170
+ doc-writer.md # Audits and writes documentation
171
+ agents-available/ # 17 dormant agents (activate with /enable-agent)
172
+ commands/ # 30 slash commands
173
+ skills/ # Domain knowledge
174
+ rules/ # Path-scoped rules (per language + framework)
175
+ CLAUDE.md # Main context file for Claude Code
176
+ .ai/
177
+ sessions/ # Session checkpoints
178
+ reports/ # Generated reports (health, vulnerabilities, etc.)
179
+ ```
323
180
 
324
- // Detect stack from filesystem
325
- const stack = detect('/path/to/project');
181
+ ### Slash commands native CLI delegation
326
182
 
327
- // Read .project.yaml as ResolvedConfig
328
- if (hasProjectYaml('/path/to/project')) {
329
- const config = readProjectYaml('/path/to/project');
330
- }
183
+ The scaffolded slash commands (`/health`, `/vulnerabilities`, `/test-gaps`, `/quality`, `/dev-report`) use a three-tier fallback:
331
184
 
332
- // Process templates
333
- const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
334
- ```
185
+ 1. **Check for an existing report** in `.ai/reports/` from today
186
+ 2. **Run `vyuh-dxkit <command>`** — deterministic, fast, same output
187
+ 3. **Fall back to LLM analysis** only if the CLI isn't available
335
188
 
336
- ## CLI Reference
189
+ This means slash commands return the same report whether invoked by a human or an agent — and the analysis is reproducible across runs.
337
190
 
338
- ```bash
339
- npx @vyuhlabs/dxkit init --detect # Auto-detect, minimal prompts
340
- npx @vyuhlabs/dxkit init # Interactive
341
- npx @vyuhlabs/dxkit init --full --yes # Everything, no prompts
342
- npx @vyuhlabs/dxkit update # Re-generate (preserves evolved files)
343
- npx @vyuhlabs/dxkit update --rescan # Re-run codebase analysis
344
- npx @vyuhlabs/dxkit doctor # Verify setup
345
- ```
346
-
347
- ### Init Options
191
+ ### Init flags
348
192
 
349
193
  | Flag | Description |
350
194
  | ------------ | ----------------------------------------------------- |
@@ -352,76 +196,91 @@ npx @vyuhlabs/dxkit doctor # Verify setup
352
196
  | `--yes` | Accept all defaults |
353
197
  | `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
354
198
  | `--full` | Everything: DX + quality + hooks + CI |
355
- | `--force` | Overwrite existing files (except evolved) |
199
+ | `--force` | Overwrite existing files (except evolving ones) |
356
200
  | `--stealth` | Gitignore generated files (local-only, not committed) |
357
201
  | `--name <n>` | Override project name |
358
202
  | `--no-scan` | Skip codebase analysis |
359
203
 
360
- ### Config Source Priority
204
+ ### Stealth mode
361
205
 
362
- 1. `.project.yaml` (if present) used as-is, no prompts
363
- 2. `--detect` — auto-detect from filesystem, minimal prompts
364
- 3. Interactive — prompt for all settings
206
+ `--stealth` keeps DXKit local: `.claude/`, `.ai/`, `CLAUDE.md` added to `.gitignore`, only `.githooks/` committed so all devs get the hooks without committing the scaffold.
365
207
 
366
- ## Example: Node.js/TypeScript Project
208
+ ---
367
209
 
368
- ```bash
369
- cd my-loopback-app
370
- npx @vyuhlabs/dxkit init --detect --yes
371
- ```
210
+ ## CI + Hooks
372
211
 
373
- Output:
212
+ ### Pre-commit (set up automatically by `init --full` or husky)
374
213
 
375
214
  ```
376
- Languages: node
377
- Framework: loopback
378
- Tests: mocha (npm test)
379
- Created: 61 files
215
+ architecture check → validates imports + tool-registry + exclusions rules
216
+ slop check → blocks new console.log, `: any`, debugger, committed temp files
217
+ lint-staged → eslint --fix + prettier --write on changed files
218
+ typecheck → tsc --noEmit
380
219
  ```
381
220
 
382
- Then in Claude Code:
221
+ ### Pre-push
383
222
 
384
223
  ```
385
- /help # See everything
386
- /ask How does the auth middleware work? # Codebase Q&A
387
- /health # Full health audit
388
- /vulnerabilities # Security scan
389
- /dev-report # Team activity report
390
- /quality # ESLint + AI review
391
- /onboarding # New developer guide
224
+ build → ensure dist/ is current
225
+ tests with coverage → vitest run --coverage (or equivalent per language)
226
+ coverage threshold → scripts/check-coverage.sh; fails below configurable threshold
392
227
  ```
393
228
 
394
- ## Example: Multi-Language Repo (Python + Go + TypeScript)
229
+ ### PR CI (`.github/workflows/ci.yml`)
395
230
 
396
- ```bash
397
- cd my-monorepo
398
- npx @vyuhlabs/dxkit init --detect --yes
399
- ```
231
+ Mirrors pre-push but also runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop. `DXKIT_SLOP_BASE=origin/<base_ref>` flips `check-slop.sh` into diff-vs-base mode.
400
232
 
401
- Generates:
233
+ ---
402
234
 
403
- - Quality commands with `npx eslint .` + `ruff check .` + `golangci-lint run`
404
- - Test commands with `npm test` + `pytest` + `go test`
405
- - Path-scoped rules for `.ts`, `.py`, and `.go` files
406
- - Language breakdown in codebase skill: "TypeScript: 200, Python: 50, Go: 30"
235
+ ## Quality Gates for Agent-Written Code
407
236
 
408
- ## Two Workflows: Fix Loop and Feature Loop
237
+ dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
409
238
 
410
- ### Fix Loop: Reports KPIs Plans Execution
239
+ 1. **Pre-commit** fast local checks (architecture, slop, lint, typecheck)
240
+ 2. **Pre-push** — thorough local checks (full suite + coverage threshold)
241
+ 3. **PR CI** — unbypassable server-side checks (everything above + slop-vs-base + pack-dry)
242
+ 4. **Coverage threshold** — enforced at both local and CI tiers; agents can't silently lower it
243
+
244
+ The same pattern is what dxkit itself uses. See `scripts/check-coverage.sh` + `scripts/check-slop.sh`.
245
+
246
+ ---
247
+
248
+ ## Library API
249
+
250
+ dxkit exports functions for programmatic use by downstream packages (e.g. `@vyuhlabs/create-devstack`):
251
+
252
+ ```typescript
253
+ import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
254
+ import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
255
+
256
+ const stack = detect('/path/to/project');
411
257
 
412
- For improving existing code (security fixes, quality improvements, test coverage):
258
+ if (hasProjectYaml('/path/to/project')) {
259
+ const config = readProjectYaml('/path/to/project');
260
+ }
413
261
 
262
+ const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
414
263
  ```
415
- # 1. Init DXKit
264
+
265
+ The CLI binary (`vyuh-dxkit`) is separate; the library import is for build-time and programmatic consumers.
266
+
267
+ ---
268
+
269
+ ## Two Workflows
270
+
271
+ ### Fix Loop: Reports → KPIs → Plans → Execution
272
+
273
+ ```bash
274
+ # 1. Scaffold into an existing repo
416
275
  npx @vyuhlabs/dxkit init --detect --yes
417
276
 
418
- # 2. Generate reports
277
+ # 2. Run analyzers (any of these work standalone too)
419
278
  /health # Codebase health (6 dimensions)
420
- /vulnerabilities # Security scan (CWE-classified)
279
+ /vulnerabilities # Security scan
421
280
  /test-gaps # Untested critical code
422
281
 
423
282
  # 3. Generate improvement plans
424
- /plan # Propose KPIs + actionable plans
283
+ /plan # Proposes KPIs + actionable plans
425
284
 
426
285
  # 4. Execute plans with session management
427
286
  /execute-plan security # Work through security fixes
@@ -432,48 +291,102 @@ npx @vyuhlabs/dxkit init --detect --yes
432
291
 
433
292
  ### Feature Loop: Description → Design → Plan → Build
434
293
 
435
- For developing new features:
436
-
437
- ```
438
- # 1. Design a new feature
294
+ ```bash
439
295
  /feature add user roles with admin, editor, viewer tiers
440
-
441
296
  # Agent reads codebase, finds similar patterns, generates:
442
297
  # .ai/features/user-roles.md with full implementation plan
443
298
 
444
- # 2. Review and adjust the plan (edit the md file if needed)
445
-
446
- # 3. Build the feature
447
299
  /build-feature user-roles
448
-
449
300
  # Agent executes tasks: model → migration → repository → service → tests → controller
450
301
  # Session checkpoints after each task
451
- # Progress tracked in .ai/features/progress/user-roles.md
452
302
  ```
453
303
 
454
304
  Both loops use the session framework — checkpoints, skill evolution, progress tracking.
455
305
 
456
- ## Daily Development Workflow
306
+ ---
307
+
308
+ ## Reports
309
+
310
+ All analyzer commands save timestamped reports to `.ai/reports/`:
457
311
 
458
312
  ```
459
- /session-start # Load context, plan work
460
- git checkout -b feature/my-feature # Create branch
461
- /ask How does the payment flow work? # Understand the code
462
- # ... develop with full context ...
463
- /quality # Lint + AI review
464
- /test # Tests
465
- /learn auth tokens expire after 24h # Capture gotcha
466
- git add -A && git commit # Commit
467
- /session-end # Checkpoint + evolve skills
313
+ .ai/reports/
314
+ health-audit-<date>.md
315
+ health-audit-<date>-detailed.md # with --detailed
316
+ health-audit-<date>-detailed.json # agent-consumable
317
+ vulnerability-scan-<date>.md
318
+ test-gaps-<date>.md
319
+ quality-review-<date>.md
320
+ developer-report-<date>.md
321
+ ```
322
+
323
+ Export options:
324
+
325
+ - **HTML dashboard**: `/dashboard` (Claude Code slash command) — dark-themed sidebar navigation
326
+ - **PDF**: `/export-pdf all` — converts all reports to PDF
327
+ - **Structured JSON**: `--detailed` on any command emits a canonical JSON schema
328
+
329
+ ---
330
+
331
+ ## Using with create-devstack
332
+
333
+ [`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
334
+
335
+ ```bash
336
+ npm create @vyuhlabs/devstack my-project # devcontainer + .project.yaml + dxkit init
468
337
  ```
469
338
 
339
+ When create-devstack writes `.project.yaml` before calling dxkit, detection and prompts are skipped.
340
+
341
+ ---
342
+
343
+ ## Smart Detection
344
+
345
+ - **Test runner** — Jest, Mocha, Vitest, Ava, Tap, pytest, go test
346
+ - **Framework** — LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
347
+ - **Test presence** — counts + classifies (active, commented-out, empty, schema-only)
348
+ - **Multi-language** — detects all languages including Python from `.py` files (no config required)
349
+ - **Language breakdown** — file count per language via `cloc`
350
+
351
+ ---
352
+
353
+ ## CLI Reference
354
+
355
+ ```bash
356
+ # Analyzer commands
357
+ vyuh-dxkit health [path] # 6-dimension score
358
+ vyuh-dxkit vulnerabilities [path] # Security scan
359
+ vyuh-dxkit test-gaps [path] # Coverage + gaps + actions
360
+ vyuh-dxkit quality [path] # Slop + duplication + lint
361
+ vyuh-dxkit dev-report [path] # Git activity report
362
+
363
+ # Tool management
364
+ vyuh-dxkit tools # status
365
+ vyuh-dxkit tools install [--yes] # install missing
366
+
367
+ # Scaffolding
368
+ vyuh-dxkit init [--detect|--yes|--full|--stealth|--force|--name <n>]
369
+ vyuh-dxkit update [--force|--rescan] # re-generate (preserves evolving files)
370
+ vyuh-dxkit doctor # diagnose environment
371
+
372
+ # Meta
373
+ vyuh-dxkit --help
374
+ vyuh-dxkit --version
375
+ ```
376
+
377
+ ---
378
+
470
379
  ## How It Works
471
380
 
472
- 1. **Detection** — Scans for config files, source files, and tools to determine languages, frameworks, and test runners
473
- 2. **Template Processing** — Processes `.md.template` files through a conditional engine, generating language-specific commands
474
- 3. **Codebase Scanning** — Analyzes source files to find entry points, API routes (including LoopBack/Express/FastAPI decorators), test patterns, and language breakdown
475
- 4. **Generation** — Writes 60+ files non-destructively (never overwrites without `--force`, evolving files always preserved)
476
- 5. **Manifest** — Saves state to `.vyuh-dxkit.json` for `update` and `doctor` commands
381
+ 1. **Detection** — scans for config files, source files, and tools to determine languages, frameworks, and test runners
382
+ 2. **Tool resolution** — `findTool()` checks PATH brew npm-g → pipx → cargo → go → project `node_modules` → system probes (first match wins)
383
+ 3. **Gather metrics** — each analyzer calls its registered tools and parses structured output (JSON wherever possible)
384
+ 4. **Score** — deterministic formulas map metrics to 0–100 per dimension
385
+ 5. **Report** — markdown for humans, JSON for agents
386
+
387
+ No LLM in the analysis path. Scores are reproducible: same repo state → same report.
388
+
389
+ ---
477
390
 
478
391
  ## License
479
392