@vyuhlabs/dxkit 1.5.1 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +264 -0
- package/README.md +265 -352
- package/THIRD_PARTY_NOTICES.md +40 -0
- package/dist/analyzers/developer/detailed.d.ts +26 -0
- package/dist/analyzers/developer/detailed.d.ts.map +1 -0
- package/dist/analyzers/developer/detailed.js +193 -0
- package/dist/analyzers/developer/detailed.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts +11 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -0
- package/dist/analyzers/developer/gather.js +167 -0
- package/dist/analyzers/developer/gather.js.map +1 -0
- package/dist/analyzers/developer/index.d.ts +8 -0
- package/dist/analyzers/developer/index.d.ts.map +1 -0
- package/dist/analyzers/developer/index.js +168 -0
- package/dist/analyzers/developer/index.js.map +1 -0
- package/dist/analyzers/developer/types.d.ts +49 -0
- package/dist/analyzers/developer/types.d.ts.map +1 -0
- package/dist/analyzers/developer/types.js +6 -0
- package/dist/analyzers/developer/types.js.map +1 -0
- package/dist/analyzers/docs/shallow.d.ts +9 -0
- package/dist/analyzers/docs/shallow.d.ts.map +1 -0
- package/dist/analyzers/docs/shallow.js +8 -0
- package/dist/analyzers/docs/shallow.js.map +1 -0
- package/dist/analyzers/dx/shallow.d.ts +9 -0
- package/dist/analyzers/dx/shallow.d.ts.map +1 -0
- package/dist/analyzers/dx/shallow.js +8 -0
- package/dist/analyzers/dx/shallow.js.map +1 -0
- package/dist/analyzers/evidence.d.ts +36 -0
- package/dist/analyzers/evidence.d.ts.map +1 -0
- package/dist/analyzers/evidence.js +3 -0
- package/dist/analyzers/evidence.js.map +1 -0
- package/dist/analyzers/health/actions.d.ts +10 -0
- package/dist/analyzers/health/actions.d.ts.map +1 -0
- package/dist/analyzers/health/actions.js +284 -0
- package/dist/analyzers/health/actions.js.map +1 -0
- package/dist/analyzers/health/detailed.d.ts +26 -0
- package/dist/analyzers/health/detailed.d.ts.map +1 -0
- package/dist/analyzers/health/detailed.js +147 -0
- package/dist/analyzers/health/detailed.js.map +1 -0
- package/dist/analyzers/health.d.ts +22 -0
- package/dist/analyzers/health.d.ts.map +1 -0
- package/dist/analyzers/health.js +270 -0
- package/dist/analyzers/health.js.map +1 -0
- package/dist/analyzers/index.d.ts +3 -0
- package/dist/analyzers/index.d.ts.map +1 -0
- package/dist/analyzers/index.js +6 -0
- package/dist/analyzers/index.js.map +1 -0
- package/dist/analyzers/maintainability/shallow.d.ts +9 -0
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -0
- package/dist/analyzers/maintainability/shallow.js +8 -0
- package/dist/analyzers/maintainability/shallow.js.map +1 -0
- package/dist/analyzers/quality/actions.d.ts +5 -0
- package/dist/analyzers/quality/actions.d.ts.map +1 -0
- package/dist/analyzers/quality/actions.js +158 -0
- package/dist/analyzers/quality/actions.js.map +1 -0
- package/dist/analyzers/quality/detailed.d.ts +17 -0
- package/dist/analyzers/quality/detailed.d.ts.map +1 -0
- package/dist/analyzers/quality/detailed.js +122 -0
- package/dist/analyzers/quality/detailed.js.map +1 -0
- package/dist/analyzers/quality/gather.d.ts +38 -0
- package/dist/analyzers/quality/gather.d.ts.map +1 -0
- package/dist/analyzers/quality/gather.js +279 -0
- package/dist/analyzers/quality/gather.js.map +1 -0
- package/dist/analyzers/quality/index.d.ts +12 -0
- package/dist/analyzers/quality/index.d.ts.map +1 -0
- package/dist/analyzers/quality/index.js +281 -0
- package/dist/analyzers/quality/index.js.map +1 -0
- package/dist/analyzers/quality/shallow.d.ts +9 -0
- package/dist/analyzers/quality/shallow.d.ts.map +1 -0
- package/dist/analyzers/quality/shallow.js +8 -0
- package/dist/analyzers/quality/shallow.js.map +1 -0
- package/dist/analyzers/quality/types.d.ts +66 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -0
- package/dist/analyzers/quality/types.js +3 -0
- package/dist/analyzers/quality/types.js.map +1 -0
- package/dist/analyzers/remediation.d.ts +42 -0
- package/dist/analyzers/remediation.d.ts.map +1 -0
- package/dist/analyzers/remediation.js +28 -0
- package/dist/analyzers/remediation.js.map +1 -0
- package/dist/analyzers/scoring.d.ts +32 -0
- package/dist/analyzers/scoring.d.ts.map +1 -0
- package/dist/analyzers/scoring.js +410 -0
- package/dist/analyzers/scoring.js.map +1 -0
- package/dist/analyzers/security/actions.d.ts +7 -0
- package/dist/analyzers/security/actions.d.ts.map +1 -0
- package/dist/analyzers/security/actions.js +104 -0
- package/dist/analyzers/security/actions.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +14 -0
- package/dist/analyzers/security/detailed.d.ts.map +1 -0
- package/dist/analyzers/security/detailed.js +124 -0
- package/dist/analyzers/security/detailed.js.map +1 -0
- package/dist/analyzers/security/gather.d.ts +12 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -0
- package/dist/analyzers/security/gather.js +195 -0
- package/dist/analyzers/security/gather.js.map +1 -0
- package/dist/analyzers/security/index.d.ts +8 -0
- package/dist/analyzers/security/index.d.ts.map +1 -0
- package/dist/analyzers/security/index.js +173 -0
- package/dist/analyzers/security/index.js.map +1 -0
- package/dist/analyzers/security/scoring.d.ts +29 -0
- package/dist/analyzers/security/scoring.d.ts.map +1 -0
- package/dist/analyzers/security/scoring.js +40 -0
- package/dist/analyzers/security/scoring.js.map +1 -0
- package/dist/analyzers/security/shallow.d.ts +10 -0
- package/dist/analyzers/security/shallow.d.ts.map +1 -0
- package/dist/analyzers/security/shallow.js +8 -0
- package/dist/analyzers/security/shallow.js.map +1 -0
- package/dist/analyzers/security/types.d.ts +43 -0
- package/dist/analyzers/security/types.d.ts.map +1 -0
- package/dist/analyzers/security/types.js +6 -0
- package/dist/analyzers/security/types.js.map +1 -0
- package/dist/analyzers/tests/actions.d.ts +6 -0
- package/dist/analyzers/tests/actions.d.ts.map +1 -0
- package/dist/analyzers/tests/actions.js +80 -0
- package/dist/analyzers/tests/actions.js.map +1 -0
- package/dist/analyzers/tests/detailed.d.ts +14 -0
- package/dist/analyzers/tests/detailed.d.ts.map +1 -0
- package/dist/analyzers/tests/detailed.js +121 -0
- package/dist/analyzers/tests/detailed.js.map +1 -0
- package/dist/analyzers/tests/gather.d.ts +5 -0
- package/dist/analyzers/tests/gather.d.ts.map +1 -0
- package/dist/analyzers/tests/gather.js +270 -0
- package/dist/analyzers/tests/gather.js.map +1 -0
- package/dist/analyzers/tests/import-graph.d.ts +48 -0
- package/dist/analyzers/tests/import-graph.d.ts.map +1 -0
- package/dist/analyzers/tests/import-graph.js +231 -0
- package/dist/analyzers/tests/import-graph.js.map +1 -0
- package/dist/analyzers/tests/index.d.ts +8 -0
- package/dist/analyzers/tests/index.d.ts.map +1 -0
- package/dist/analyzers/tests/index.js +247 -0
- package/dist/analyzers/tests/index.js.map +1 -0
- package/dist/analyzers/tests/scoring.d.ts +27 -0
- package/dist/analyzers/tests/scoring.d.ts.map +1 -0
- package/dist/analyzers/tests/scoring.js +38 -0
- package/dist/analyzers/tests/scoring.js.map +1 -0
- package/dist/analyzers/tests/shallow.d.ts +9 -0
- package/dist/analyzers/tests/shallow.d.ts.map +1 -0
- package/dist/analyzers/tests/shallow.js +8 -0
- package/dist/analyzers/tests/shallow.js.map +1 -0
- package/dist/analyzers/tests/types.d.ts +49 -0
- package/dist/analyzers/tests/types.d.ts.map +1 -0
- package/dist/analyzers/tests/types.js +6 -0
- package/dist/analyzers/tests/types.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts +8 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -0
- package/dist/analyzers/tools/cloc.js +49 -0
- package/dist/analyzers/tools/cloc.js.map +1 -0
- package/dist/analyzers/tools/coverage.d.ts +59 -0
- package/dist/analyzers/tools/coverage.d.ts.map +1 -0
- package/dist/analyzers/tools/coverage.js +280 -0
- package/dist/analyzers/tools/coverage.js.map +1 -0
- package/dist/analyzers/tools/cvss-v4-lookup.d.ts +10 -0
- package/dist/analyzers/tools/cvss-v4-lookup.d.ts.map +1 -0
- package/dist/analyzers/tools/cvss-v4-lookup.js +284 -0
- package/dist/analyzers/tools/cvss-v4-lookup.js.map +1 -0
- package/dist/analyzers/tools/cvss-v4.d.ts +24 -0
- package/dist/analyzers/tools/cvss-v4.d.ts.map +1 -0
- package/dist/analyzers/tools/cvss-v4.js +362 -0
- package/dist/analyzers/tools/cvss-v4.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +56 -0
- package/dist/analyzers/tools/exclusions.d.ts +70 -0
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -0
- package/dist/analyzers/tools/exclusions.js +250 -0
- package/dist/analyzers/tools/exclusions.js.map +1 -0
- package/dist/analyzers/tools/generic.d.ts +4 -0
- package/dist/analyzers/tools/generic.d.ts.map +1 -0
- package/dist/analyzers/tools/generic.js +198 -0
- package/dist/analyzers/tools/generic.js.map +1 -0
- package/dist/analyzers/tools/gitleaks.d.ts +8 -0
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -0
- package/dist/analyzers/tools/gitleaks.js +58 -0
- package/dist/analyzers/tools/gitleaks.js.map +1 -0
- package/dist/analyzers/tools/graphify.d.ts +4 -0
- package/dist/analyzers/tools/graphify.d.ts.map +1 -0
- package/dist/analyzers/tools/graphify.js +222 -0
- package/dist/analyzers/tools/graphify.js.map +1 -0
- package/dist/analyzers/tools/osv.d.ts +51 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -0
- package/dist/analyzers/tools/osv.js +188 -0
- package/dist/analyzers/tools/osv.js.map +1 -0
- package/dist/analyzers/tools/parallel.d.ts +8 -0
- package/dist/analyzers/tools/parallel.d.ts.map +1 -0
- package/dist/analyzers/tools/parallel.js +195 -0
- package/dist/analyzers/tools/parallel.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts +13 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -0
- package/dist/analyzers/tools/runner.js +109 -0
- package/dist/analyzers/tools/runner.js.map +1 -0
- package/dist/analyzers/tools/suppressions.d.ts +55 -0
- package/dist/analyzers/tools/suppressions.d.ts.map +1 -0
- package/dist/analyzers/tools/suppressions.js +203 -0
- package/dist/analyzers/tools/suppressions.js.map +1 -0
- package/dist/analyzers/tools/timing.d.ts +9 -0
- package/dist/analyzers/tools/timing.d.ts.map +1 -0
- package/dist/analyzers/tools/timing.js +29 -0
- package/dist/analyzers/tools/timing.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts +86 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -0
- package/dist/analyzers/tools/tool-registry.js +705 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -0
- package/dist/analyzers/types.d.ts +125 -0
- package/dist/analyzers/types.d.ts.map +1 -0
- package/dist/analyzers/types.js +11 -0
- package/dist/analyzers/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +405 -0
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -15
- package/dist/detect.js.map +1 -1
- package/dist/languages/csharp.d.ts +5 -0
- package/dist/languages/csharp.d.ts.map +1 -0
- package/dist/languages/csharp.js +265 -0
- package/dist/languages/csharp.js.map +1 -0
- package/dist/languages/go.d.ts +11 -0
- package/dist/languages/go.d.ts.map +1 -0
- package/dist/languages/go.js +321 -0
- package/dist/languages/go.js.map +1 -0
- package/dist/languages/index.d.ts +6 -0
- package/dist/languages/index.d.ts.map +1 -0
- package/dist/languages/index.js +18 -0
- package/dist/languages/index.js.map +1 -0
- package/dist/languages/python.d.ts +3 -0
- package/dist/languages/python.d.ts.map +1 -0
- package/dist/languages/python.js +284 -0
- package/dist/languages/python.js.map +1 -0
- package/dist/languages/rust.d.ts +17 -0
- package/dist/languages/rust.d.ts.map +1 -0
- package/dist/languages/rust.js +333 -0
- package/dist/languages/rust.js.map +1 -0
- package/dist/languages/types.d.ts +38 -0
- package/dist/languages/types.d.ts.map +1 -0
- package/dist/languages/types.js +3 -0
- package/dist/languages/types.js.map +1 -0
- package/dist/languages/typescript.d.ts +15 -0
- package/dist/languages/typescript.d.ts.map +1 -0
- package/dist/languages/typescript.js +353 -0
- package/dist/languages/typescript.js.map +1 -0
- package/dist/logger.d.ts +1 -0
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +25 -12
- package/dist/logger.js.map +1 -1
- package/dist/project-yaml.d.ts.map +1 -1
- package/dist/project-yaml.js +1 -0
- package/dist/project-yaml.js.map +1 -1
- package/dist/tools-cli.d.ts +2 -0
- package/dist/tools-cli.d.ts.map +1 -0
- package/dist/tools-cli.js +231 -0
- package/dist/tools-cli.js.map +1 -0
- package/dist/types.d.ts +10 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +6 -2
- package/templates/.claude/commands/dev-report.md +34 -4
- package/templates/.claude/commands/health.md +45 -2
- package/templates/.claude/commands/quality.md.template +38 -15
- package/templates/.claude/commands/test-gaps.md +36 -2
- package/templates/.claude/commands/vulnerabilities.md +36 -2
package/README.md
CHANGED
|
@@ -1,350 +1,194 @@
|
|
|
1
1
|
# @vyuhlabs/dxkit
|
|
2
2
|
|
|
3
|
-
AI-native
|
|
3
|
+
AI-native analyzer and scaffolder for any repository. Two modes in one CLI:
|
|
4
|
+
|
|
5
|
+
1. **Analyze** any repo deterministically — health, security, test gaps, code quality, developer activity — in seconds, no LLM required.
|
|
6
|
+
2. **Scaffold** `.claude/` agents, skills, commands, and hooks tuned to your stack.
|
|
7
|
+
|
|
8
|
+
Built so agent-written code has deterministic guardrails before it ships. Scores don't move just because an LLM had a different mood today.
|
|
4
9
|
|
|
5
10
|
## Quick Start
|
|
6
11
|
|
|
12
|
+
**Analyze an existing repo:**
|
|
13
|
+
|
|
7
14
|
```bash
|
|
8
|
-
|
|
9
|
-
npx @vyuhlabs/dxkit
|
|
15
|
+
cd your-repo
|
|
16
|
+
npx @vyuhlabs/dxkit tools install --yes # one-time: install cloc, gitleaks, etc.
|
|
17
|
+
npx @vyuhlabs/dxkit health --detailed # 5-dimension score + remediation plan
|
|
18
|
+
npx @vyuhlabs/dxkit vulnerabilities # secret + SAST + dep-audit scan
|
|
19
|
+
npx @vyuhlabs/dxkit test-gaps # import-graph + coverage-aware
|
|
20
|
+
```
|
|
10
21
|
|
|
11
|
-
|
|
12
|
-
npx @vyuhlabs/dxkit init
|
|
22
|
+
**Scaffold AI tooling into a repo:**
|
|
13
23
|
|
|
14
|
-
|
|
15
|
-
npx @vyuhlabs/dxkit init --
|
|
24
|
+
```bash
|
|
25
|
+
npx @vyuhlabs/dxkit init --detect # auto-detect stack, minimal prompts
|
|
26
|
+
npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks + CI
|
|
16
27
|
```
|
|
17
28
|
|
|
18
|
-
|
|
29
|
+
The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
|
|
19
30
|
|
|
20
|
-
|
|
31
|
+
---
|
|
21
32
|
|
|
22
|
-
|
|
23
|
-
.claude/
|
|
24
|
-
settings.json # Permissions, deny list, learning hooks
|
|
25
|
-
agents/ # Active agents (auto-trigger on matching questions)
|
|
26
|
-
knowledge-bot.md # Answers codebase questions
|
|
27
|
-
onboarding.md # Interactive onboarding buddy
|
|
28
|
-
quality-reviewer.md # Reviews code before committing
|
|
29
|
-
doc-writer.md # Audits and writes documentation
|
|
30
|
-
agents-available/ # Dormant agents (activate with /enable-agent)
|
|
31
|
-
codebase-explorer.md # Deep architecture analysis
|
|
32
|
-
code-reviewer.md # PR review and security audit
|
|
33
|
-
test-writer.md # Writes tests for existing code
|
|
34
|
-
test-gap-finder.md # Identifies untested critical code
|
|
35
|
-
dependency-mapper.md # Maps import chains and blast radius
|
|
36
|
-
health-auditor.md # 6-dimension codebase health audit
|
|
37
|
-
vulnerability-scanner.md # CWE-classified security scan (Snyk-comparable)
|
|
38
|
-
dev-report.md # Developer activity + quality attribution
|
|
39
|
-
dashboard-builder.md # HTML dashboard from all reports
|
|
40
|
-
hooks-configurator.md # Git hooks from DXKit commands
|
|
41
|
-
debugger.md # Root cause analysis
|
|
42
|
-
commands/ # 26 slash commands (see below)
|
|
43
|
-
skills/ # Domain knowledge
|
|
44
|
-
codebase/ # Auto-generated architecture overview
|
|
45
|
-
learned/ # Evolving gotchas, conventions, deny list
|
|
46
|
-
rules/ # Path-scoped rules (per language + framework)
|
|
47
|
-
CLAUDE.md # Main context file for Claude Code
|
|
48
|
-
.ai/
|
|
49
|
-
sessions/ # Session checkpoints
|
|
50
|
-
reports/ # Generated reports (health, vulnerabilities, etc.)
|
|
51
|
-
.github/
|
|
52
|
-
workflows/
|
|
53
|
-
pr-review.yml # Automated PR review (opt-in)
|
|
54
|
-
```
|
|
33
|
+
## Analyzer CLI (`vyuh-dxkit <command>`)
|
|
55
34
|
|
|
56
|
-
|
|
35
|
+
Five deterministic analyzers. Each emits a markdown report to `.ai/reports/` and optional structured JSON.
|
|
57
36
|
|
|
58
|
-
|
|
|
59
|
-
|
|
|
60
|
-
|
|
|
61
|
-
|
|
|
62
|
-
|
|
|
63
|
-
|
|
|
64
|
-
|
|
|
37
|
+
| Command | What it does | Runtime | Output |
|
|
38
|
+
| ----------------- | --------------------------------------------------------------- | ------- | ------------------------------------------ |
|
|
39
|
+
| `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.ai/reports/health-audit-<date>.md` |
|
|
40
|
+
| `vulnerabilities` | gitleaks + semgrep + `npm audit` / `pip-audit` | 5–30s | `.ai/reports/vulnerability-scan-<date>.md` |
|
|
41
|
+
| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins) | <1s | `.ai/reports/test-gaps-<date>.md` |
|
|
42
|
+
| `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.ai/reports/quality-review-<date>.md` |
|
|
43
|
+
| `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.ai/reports/developer-report-<date>.md` |
|
|
65
44
|
|
|
66
|
-
|
|
45
|
+
### Flags (apply to all analyzer commands)
|
|
67
46
|
|
|
68
|
-
|
|
47
|
+
| Flag | Effect |
|
|
48
|
+
| ---------------- | ------------------------------------------------------------------------------------- |
|
|
49
|
+
| `--detailed` | Also writes `<name>-detailed.md` + `.json` with evidence + ranked remediation actions |
|
|
50
|
+
| `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
|
|
51
|
+
| `--verbose` | Print per-tool timing to stderr |
|
|
52
|
+
| `--no-save` | Skip writing markdown; useful with `--json` |
|
|
53
|
+
| `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
|
|
69
54
|
|
|
70
|
-
|
|
55
|
+
### Detailed mode — evidence + ranked fixes
|
|
71
56
|
|
|
72
|
-
|
|
73
|
-
- **Express** — Middleware/routing conventions, error handling patterns
|
|
74
|
-
- **NestJS**, **Fastify**, **Koa**, **Hapi** — Detected (rules coming soon)
|
|
75
|
-
- **FastAPI**, **Django**, **Flask** — Detected (rules coming soon)
|
|
76
|
-
- **Gin**, **Echo**, **Fiber** — Detected (rules coming soon)
|
|
57
|
+
`--detailed` writes a second pair of files with:
|
|
77
58
|
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
- **Google Cloud** (gcloud) — SDK commands, security rules
|
|
83
|
-
- **Infisical** — Secrets management, never-leak rules
|
|
84
|
-
- **Pulumi** — IaC with preview-before-apply safety
|
|
85
|
-
- **Docker** — Container commands
|
|
86
|
-
|
|
87
|
-
## Commands (30)
|
|
88
|
-
|
|
89
|
-
### Development Workflow
|
|
90
|
-
|
|
91
|
-
| Command | Description |
|
|
92
|
-
| ----------------- | --------------------------------------------------- |
|
|
93
|
-
| `/session-start` | Start an AI-assisted dev session |
|
|
94
|
-
| `/session-end` | End session, create checkpoint, evolve skills |
|
|
95
|
-
| `/ask <question>` | Ask about the codebase (delegates to knowledge-bot) |
|
|
96
|
-
| `/learn` | Capture a gotcha, convention, or thing to avoid |
|
|
97
|
-
|
|
98
|
-
### Quality & Testing
|
|
99
|
-
|
|
100
|
-
| Command | Description |
|
|
101
|
-
| ------------ | -------------------------------------------------------- |
|
|
102
|
-
| `/quality` | Run language-specific linters + AI review |
|
|
103
|
-
| `/test` | Run tests (auto-detected runner) |
|
|
104
|
-
| `/check` | Full pre-commit validation (quality + tests + AI review) |
|
|
105
|
-
| `/fix` | Auto-fix formatting and lint issues |
|
|
106
|
-
| `/build` | Build the project |
|
|
107
|
-
| `/test-gaps` | Find critical untested code paths |
|
|
108
|
-
|
|
109
|
-
### Analysis & Reports
|
|
110
|
-
|
|
111
|
-
| Command | Description | Output |
|
|
112
|
-
| ------------------ | ---------------------------------------------- | ------------------------------------- |
|
|
113
|
-
| `/health` | 6-dimension codebase health audit | `.ai/reports/health-audit-*.md` |
|
|
114
|
-
| `/vulnerabilities` | CWE-classified security scan (Snyk-comparable) | `.ai/reports/vulnerability-scan-*.md` |
|
|
115
|
-
| `/dev-report` | Developer activity + security attribution | `.ai/reports/developer-report-*.md` |
|
|
116
|
-
| `/docs audit` | Documentation gap analysis | `.ai/reports/docs-audit-*.md` |
|
|
117
|
-
| `/deps` | Dependency map + blast radius | `.ai/reports/dependency-map-*.md` |
|
|
118
|
-
| `/dashboard` | Generate HTML dashboard from all reports | `.ai/reports/dashboard.html` |
|
|
119
|
-
| `/export-pdf` | Convert markdown reports to PDF | `.ai/reports/*.pdf` |
|
|
120
|
-
|
|
121
|
-
### Planning & Execution — Fix Loop
|
|
122
|
-
|
|
123
|
-
| Command | Description | Output |
|
|
124
|
-
| ---------------------- | ----------------------------------------------------------- | -------------------------------------- |
|
|
125
|
-
| `/plan` | Analyze reports → propose KPIs → generate improvement plans | `.ai/plans/` |
|
|
126
|
-
| `/execute-plan <name>` | Execute a fix plan task by task with session checkpoints | `.ai/plans/progress/`, `.ai/sessions/` |
|
|
127
|
-
|
|
128
|
-
### Feature Development Loop
|
|
129
|
-
|
|
130
|
-
| Command | Description | Output |
|
|
131
|
-
| ------------------------ | -------------------------------------------------- | ----------------------------------------- |
|
|
132
|
-
| `/feature <description>` | Design new feature → implementation plan | `.ai/features/` |
|
|
133
|
-
| `/build-feature <slug>` | Build feature from plan with tests and conventions | `.ai/features/progress/`, `.ai/sessions/` |
|
|
134
|
-
|
|
135
|
-
### Exploration & Onboarding
|
|
136
|
-
|
|
137
|
-
| Command | Description |
|
|
138
|
-
| ------------------- | ----------------------------------------------- |
|
|
139
|
-
| `/onboarding` | Interactive onboarding buddy for new developers |
|
|
140
|
-
| `/explore-codebase` | Deep architecture exploration |
|
|
141
|
-
| `/help` | List all commands and agents |
|
|
142
|
-
|
|
143
|
-
### Setup & Hooks
|
|
144
|
-
|
|
145
|
-
| Command | Description |
|
|
146
|
-
| ---------------------- | ---------------------------------------------------------------------------------- |
|
|
147
|
-
| `/setup-hooks` | Configure git hooks (quality, test, vulnerability) — consistent with DXKit reports |
|
|
148
|
-
| `/stealth-mode` | Gitignore DXKit files + install hooks (DXKit local-only, hooks for all devs) |
|
|
149
|
-
| `/setup-pr-review` | Set up automated PR review GitHub Action |
|
|
150
|
-
| `/fix-issue <number>` | Investigate and fix a GitHub issue |
|
|
151
|
-
| `/doctor` | Diagnose environment issues |
|
|
152
|
-
| `/enable-agent <name>` | Activate a dormant agent |
|
|
153
|
-
|
|
154
|
-
## Agents
|
|
155
|
-
|
|
156
|
-
### Active by Default (4)
|
|
157
|
-
|
|
158
|
-
These agents auto-trigger when Claude detects a matching question:
|
|
159
|
-
|
|
160
|
-
- **knowledge-bot** — "How does auth work?" "Where are payments handled?"
|
|
161
|
-
- **onboarding** — "I'm new, help me get started" "What does this project do?"
|
|
162
|
-
- **quality-reviewer** — "Review my changes" "Check quality before I commit"
|
|
163
|
-
- **doc-writer** — "What needs documentation?" "Help me write docs"
|
|
59
|
+
- **Per-dimension plans** with a prioritized fix list
|
|
60
|
+
- **Evidence** for every finding (file, line, rule ID, tool, snippet)
|
|
61
|
+
- **Projected score delta** for each remediation action — so you know which fix moves the needle most
|
|
62
|
+
- **Canonical JSON** (`schemaVersion`) that agents or dashboards can consume
|
|
164
63
|
|
|
165
|
-
###
|
|
166
|
-
|
|
167
|
-
- **codebase-explorer** — Deep architecture analysis, generates documentation
|
|
168
|
-
- **code-reviewer** — PR review and security audit (read-only)
|
|
169
|
-
- **test-writer** — Writes tests for existing code
|
|
170
|
-
- **test-gap-finder** — Identifies critical untested code paths, prioritized by risk
|
|
171
|
-
- **dependency-mapper** — Maps import chains and blast radius of changes
|
|
172
|
-
- **health-auditor** — Comprehensive codebase health audit (scores 6 dimensions)
|
|
173
|
-
- **vulnerability-scanner** — CWE-classified security scan with Snyk-comparable depth
|
|
174
|
-
- **dev-report** — Developer activity, quality patterns, security attribution
|
|
175
|
-
- **dashboard-builder** — Generates HTML dashboard from all reports
|
|
176
|
-
- **strategic-planner** — Analyzes reports, proposes KPIs, generates improvement plans
|
|
177
|
-
- **plan-executor** — Executes fix plans task by task with session checkpoints
|
|
178
|
-
- **feature-planner** — Designs new features, generates implementation plans
|
|
179
|
-
- **feature-builder** — Implements features from plans with tests and conventions
|
|
180
|
-
- **hooks-configurator** — Configures scoped git hooks from DXKit commands
|
|
181
|
-
- **debugger** — Systematic root cause analysis
|
|
64
|
+
### Signal precedence (for `test-gaps` and the Testing dimension in `health`)
|
|
182
65
|
|
|
183
|
-
|
|
66
|
+
Three signals, strongest wins for files it covers:
|
|
184
67
|
|
|
185
|
-
|
|
68
|
+
1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust). If the tool measured a file, that decision is authoritative.
|
|
69
|
+
2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
|
|
70
|
+
3. **Filename match** — last-resort basename similarity.
|
|
186
71
|
|
|
187
|
-
|
|
188
|
-
.ai/reports/
|
|
189
|
-
health-audit-2026-03-30.md # Scores: tests, quality, docs, security, DX
|
|
190
|
-
vulnerability-scan-2026-03-30.md # CVEs, hardcoded secrets, dependency risks
|
|
191
|
-
developer-report-2026-03-30.md # Team activity, ownership, security attribution
|
|
192
|
-
test-gaps-2026-03-30.md # Critical untested code, prioritized by risk
|
|
193
|
-
docs-audit-2026-03-30.md # Documentation gaps and recommendations
|
|
194
|
-
dependency-map-2026-03-30.md # Import chains, most-depended-on files
|
|
195
|
-
```
|
|
72
|
+
A file counts as "tested" when the strongest available signal says so.
|
|
196
73
|
|
|
197
|
-
|
|
74
|
+
---
|
|
198
75
|
|
|
199
|
-
|
|
200
|
-
- **PDF**: `/export-pdf all` — converts all reports to PDF
|
|
76
|
+
## Tool Registry
|
|
201
77
|
|
|
202
|
-
|
|
78
|
+
Analyzers delegate to established tools instead of reinventing them. `vyuh-dxkit tools` manages detection and installation across multiple methods (PATH, brew, npm-g, pipx, cargo, go, project `node_modules`, system probes).
|
|
203
79
|
|
|
204
|
-
|
|
80
|
+
```bash
|
|
81
|
+
vyuh-dxkit tools # list tool status for the detected stack
|
|
82
|
+
vyuh-dxkit tools install --yes # install all missing tools
|
|
83
|
+
vyuh-dxkit tools install # interactive: prompts per tool
|
|
84
|
+
```
|
|
205
85
|
|
|
206
|
-
|
|
207
|
-
2. **`/learn` command** — Explicitly save gotchas, conventions, or things to avoid
|
|
208
|
-
3. **`/session-end`** — Creates checkpoint and evolves skill files
|
|
209
|
-
4. **Evolving files** — Append-only, never overwritten even with `--force`:
|
|
210
|
-
- `.claude/skills/learned/references/gotchas.md`
|
|
211
|
-
- `.claude/skills/learned/references/conventions.md`
|
|
212
|
-
- `.claude/skills/learned/references/deny-recommendations.md`
|
|
86
|
+
### Tools integrated
|
|
213
87
|
|
|
214
|
-
|
|
88
|
+
| Layer | Tools |
|
|
89
|
+
| --------- | -------------------------------------------------------- |
|
|
90
|
+
| Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
|
|
91
|
+
| Node / TS | `eslint`, `npm audit`, `@vitest/coverage-v8` |
|
|
92
|
+
| Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
|
|
93
|
+
| Go | `golangci-lint`, `govulncheck` |
|
|
94
|
+
| Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
|
|
95
|
+
| C# | `dotnet-format` (via SDK) |
|
|
215
96
|
|
|
216
|
-
|
|
97
|
+
Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
|
|
217
98
|
|
|
218
|
-
|
|
219
|
-
2. Add `ANTHROPIC_API_KEY` to repo secrets
|
|
99
|
+
---
|
|
220
100
|
|
|
221
|
-
|
|
101
|
+
## Config Files
|
|
222
102
|
|
|
223
|
-
|
|
103
|
+
### `.dxkit-ignore`
|
|
224
104
|
|
|
225
|
-
|
|
105
|
+
Plain-text `.gitignore`-style file. Lines here are added to the analyzer's exclusion set on top of the bundled defaults and project `.gitignore`.
|
|
226
106
|
|
|
227
107
|
```
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
108
|
+
# .dxkit-ignore — override project exclusions for dxkit analyzers
|
|
109
|
+
vendor-bundle/
|
|
110
|
+
*.gen.ts
|
|
231
111
|
```
|
|
232
112
|
|
|
233
|
-
|
|
234
|
-
- Hooks read from your `/quality`, `/test`, `/vulnerabilities` commands — no hardcoded tools
|
|
235
|
-
- Supports scoped testing: Jest `--changedSince`, Vitest `--changed`, pytest `--testmon`
|
|
236
|
-
- Works for all devs (plain bash, no Claude Code needed at runtime)
|
|
237
|
-
|
|
238
|
-
### Stealth Mode
|
|
113
|
+
Three layers merge: bundled defaults → repo `.gitignore` → repo `.dxkit-ignore`.
|
|
239
114
|
|
|
240
|
-
|
|
115
|
+
### `.dxkit-suppressions.json`
|
|
241
116
|
|
|
242
|
-
-
|
|
243
|
-
- `.githooks/` committed — all devs get the hooks
|
|
244
|
-
- One-time setup: `git config core.hooksPath .githooks`
|
|
117
|
+
Silence known-false positives without touching code. Currently wired to `gitleaks` (semgrep + slop-hook wiring in progress).
|
|
245
118
|
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
119
|
+
```json
|
|
120
|
+
{
|
|
121
|
+
"gitleaks": [
|
|
122
|
+
{
|
|
123
|
+
"rule": "generic-api-key",
|
|
124
|
+
"paths": ["test/fixtures/**", "**/*.test.ts"],
|
|
125
|
+
"reason": "Fake keys in test fixtures"
|
|
126
|
+
}
|
|
127
|
+
]
|
|
128
|
+
}
|
|
129
|
+
```
|
|
249
130
|
|
|
250
|
-
|
|
251
|
-
| ------------------------ | -------- | -------------------------------------------------------- |
|
|
252
|
-
| Command Injection | CWE-78 | `exec()`, `child_process`, unsanitized input |
|
|
253
|
-
| Decompression Bomb | CWE-409 | zlib/tar/decompress without size limits |
|
|
254
|
-
| Uncontrolled Recursion | CWE-674 | JSON/XML/YAML parsers without depth limits |
|
|
255
|
-
| Arbitrary File Upload | CWE-434 | multer/formidable/busboy without validation |
|
|
256
|
-
| Buffer Overflow | CWE-120 | Native modules (binding.gyp, .node files) |
|
|
257
|
-
| Resource Exhaustion | CWE-770 | Missing rate limits, body size limits, WebSocket payload |
|
|
258
|
-
| Hardcoded Secrets | CWE-798 | Passwords, API keys, tokens in source |
|
|
259
|
-
| Prototype Pollution | CWE-1321 | Via dependency audit CWE extraction |
|
|
260
|
-
| + 15 more CWE categories | | Parsed from `npm audit --json` CWE fields |
|
|
131
|
+
A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`.
|
|
261
132
|
|
|
262
|
-
|
|
133
|
+
### `.project.yaml` (optional, for scaffolding)
|
|
263
134
|
|
|
264
|
-
|
|
135
|
+
When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` reads it as the config source — skipping detection and prompts. See [Scaffolding mode](#scaffolding-mode) below.
|
|
265
136
|
|
|
266
|
-
|
|
267
|
-
- **Framework** — Detects LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
|
|
268
|
-
- **Test presence** — Counts test files vs source files, warns about minimal coverage
|
|
269
|
-
- **Multi-language** — Detects all languages including Python from `.py` files (no config file required)
|
|
270
|
-
- **Language breakdown** — Shows file count per language in codebase skill for accurate analysis
|
|
137
|
+
---
|
|
271
138
|
|
|
272
|
-
##
|
|
139
|
+
## Language Support
|
|
273
140
|
|
|
274
|
-
|
|
141
|
+
Each language is a single `LanguageSupport` implementation in `src/languages/`. Adding a new language is one file — detection, tools, coverage parsing, import extraction, and lint severity mapping in one place.
|
|
275
142
|
|
|
276
|
-
|
|
143
|
+
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
144
|
+
| -------- | ------------------------------------ | ------------------- | --------------------------- | ----------------------------------- | ---------------------- | ----------------------------------- |
|
|
145
|
+
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
146
|
+
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
147
|
+
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
148
|
+
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ✅ use statements | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
149
|
+
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ✅ using declarations | dotnet-format | — (formatter) | ✅ dotnet list --vulnerable |
|
|
277
150
|
|
|
278
|
-
|
|
279
|
-
# create-devstack writes .project.yaml + .devcontainer/, then calls dxkit
|
|
280
|
-
npm create @vyuhlabs/devstack my-project
|
|
151
|
+
✅ full support. Multi-language repos fully supported — every detected language's tools run, and `depVuln*` counts aggregate across all language packs (pip-audit findings don't silently replace npm-audit ones).
|
|
281
152
|
|
|
282
|
-
|
|
283
|
-
npx @vyuhlabs/dxkit init --full
|
|
284
|
-
# → dxkit reads .project.yaml, generates Makefile, configs, CI, .claude/
|
|
285
|
-
```
|
|
153
|
+
**Severity enrichment.** Scanners that don't publish per-finding severity (pip-audit, govulncheck) are enriched via the OSV.dev API. DXKit ships a complete CVSS v4.0 base-score calculator (macrovector lookup + severity-distance refinement, ported from [FIRST's reference implementation](https://github.com/FIRSTdotorg/cvss-v4-calculator)) since modern CVEs (2025+) increasingly publish v4 vectors exclusively. Unreachable IDs keep the scanner's legacy default bucket — the analyzer never fails because OSV was slow.
|
|
286
154
|
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
```yaml
|
|
290
|
-
project:
|
|
291
|
-
name: my-project
|
|
292
|
-
description: A web API
|
|
293
|
-
languages:
|
|
294
|
-
python:
|
|
295
|
-
enabled: true
|
|
296
|
-
version: '3.12'
|
|
297
|
-
quality:
|
|
298
|
-
coverage: 80
|
|
299
|
-
lint: true
|
|
300
|
-
go:
|
|
301
|
-
enabled: true
|
|
302
|
-
version: '1.24.0'
|
|
303
|
-
infrastructure:
|
|
304
|
-
postgres:
|
|
305
|
-
enabled: true
|
|
306
|
-
version: '16'
|
|
307
|
-
tools:
|
|
308
|
-
claude_code: true
|
|
309
|
-
precommit: true
|
|
310
|
-
docker: true
|
|
311
|
-
gcloud: false
|
|
312
|
-
```
|
|
155
|
+
**Lint severity tiering.** Every lint finding is categorized into critical/high/medium/low by rule ID, linter name, or lint group. For backward compatibility, `gatherMetrics` collapses tiers to the existing `lintErrors` (critical + high) / `lintWarnings` (medium + low) fields, so scoring behavior is preserved. The tiered data is available for future analyzers that want finer granularity.
|
|
313
156
|
|
|
314
|
-
|
|
157
|
+
---
|
|
315
158
|
|
|
316
|
-
##
|
|
159
|
+
## Scaffolding Mode
|
|
317
160
|
|
|
318
|
-
|
|
161
|
+
Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with 4 active + 17 opt-in agents, 30 slash commands, skills, path-scoped rules, and hooks.
|
|
319
162
|
|
|
320
|
-
```
|
|
321
|
-
|
|
322
|
-
|
|
163
|
+
```
|
|
164
|
+
.claude/
|
|
165
|
+
settings.json # Permissions, deny list, learning hooks
|
|
166
|
+
agents/ # Active agents (auto-trigger on matching questions)
|
|
167
|
+
knowledge-bot.md # Answers codebase questions
|
|
168
|
+
onboarding.md # Interactive onboarding buddy
|
|
169
|
+
quality-reviewer.md # Reviews code before committing
|
|
170
|
+
doc-writer.md # Audits and writes documentation
|
|
171
|
+
agents-available/ # 17 dormant agents (activate with /enable-agent)
|
|
172
|
+
commands/ # 30 slash commands
|
|
173
|
+
skills/ # Domain knowledge
|
|
174
|
+
rules/ # Path-scoped rules (per language + framework)
|
|
175
|
+
CLAUDE.md # Main context file for Claude Code
|
|
176
|
+
.ai/
|
|
177
|
+
sessions/ # Session checkpoints
|
|
178
|
+
reports/ # Generated reports (health, vulnerabilities, etc.)
|
|
179
|
+
```
|
|
323
180
|
|
|
324
|
-
|
|
325
|
-
const stack = detect('/path/to/project');
|
|
181
|
+
### Slash commands → native CLI delegation
|
|
326
182
|
|
|
327
|
-
|
|
328
|
-
if (hasProjectYaml('/path/to/project')) {
|
|
329
|
-
const config = readProjectYaml('/path/to/project');
|
|
330
|
-
}
|
|
183
|
+
The scaffolded slash commands (`/health`, `/vulnerabilities`, `/test-gaps`, `/quality`, `/dev-report`) use a three-tier fallback:
|
|
331
184
|
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
185
|
+
1. **Check for an existing report** in `.ai/reports/` from today
|
|
186
|
+
2. **Run `vyuh-dxkit <command>`** — deterministic, fast, same output
|
|
187
|
+
3. **Fall back to LLM analysis** only if the CLI isn't available
|
|
335
188
|
|
|
336
|
-
|
|
189
|
+
This means slash commands return the same report whether invoked by a human or an agent — and the analysis is reproducible across runs.
|
|
337
190
|
|
|
338
|
-
|
|
339
|
-
npx @vyuhlabs/dxkit init --detect # Auto-detect, minimal prompts
|
|
340
|
-
npx @vyuhlabs/dxkit init # Interactive
|
|
341
|
-
npx @vyuhlabs/dxkit init --full --yes # Everything, no prompts
|
|
342
|
-
npx @vyuhlabs/dxkit update # Re-generate (preserves evolved files)
|
|
343
|
-
npx @vyuhlabs/dxkit update --rescan # Re-run codebase analysis
|
|
344
|
-
npx @vyuhlabs/dxkit doctor # Verify setup
|
|
345
|
-
```
|
|
346
|
-
|
|
347
|
-
### Init Options
|
|
191
|
+
### Init flags
|
|
348
192
|
|
|
349
193
|
| Flag | Description |
|
|
350
194
|
| ------------ | ----------------------------------------------------- |
|
|
@@ -352,76 +196,91 @@ npx @vyuhlabs/dxkit doctor # Verify setup
|
|
|
352
196
|
| `--yes` | Accept all defaults |
|
|
353
197
|
| `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
|
|
354
198
|
| `--full` | Everything: DX + quality + hooks + CI |
|
|
355
|
-
| `--force` | Overwrite existing files (except
|
|
199
|
+
| `--force` | Overwrite existing files (except evolving ones) |
|
|
356
200
|
| `--stealth` | Gitignore generated files (local-only, not committed) |
|
|
357
201
|
| `--name <n>` | Override project name |
|
|
358
202
|
| `--no-scan` | Skip codebase analysis |
|
|
359
203
|
|
|
360
|
-
###
|
|
204
|
+
### Stealth mode
|
|
361
205
|
|
|
362
|
-
|
|
363
|
-
2. `--detect` — auto-detect from filesystem, minimal prompts
|
|
364
|
-
3. Interactive — prompt for all settings
|
|
206
|
+
`--stealth` keeps DXKit local: `.claude/`, `.ai/`, `CLAUDE.md` added to `.gitignore`, only `.githooks/` committed so all devs get the hooks without committing the scaffold.
|
|
365
207
|
|
|
366
|
-
|
|
208
|
+
---
|
|
367
209
|
|
|
368
|
-
|
|
369
|
-
cd my-loopback-app
|
|
370
|
-
npx @vyuhlabs/dxkit init --detect --yes
|
|
371
|
-
```
|
|
210
|
+
## CI + Hooks
|
|
372
211
|
|
|
373
|
-
|
|
212
|
+
### Pre-commit (set up automatically by `init --full` or husky)
|
|
374
213
|
|
|
375
214
|
```
|
|
376
|
-
|
|
377
|
-
|
|
378
|
-
|
|
379
|
-
|
|
215
|
+
architecture check → validates imports + tool-registry + exclusions rules
|
|
216
|
+
slop check → blocks new console.log, `: any`, debugger, committed temp files
|
|
217
|
+
lint-staged → eslint --fix + prettier --write on changed files
|
|
218
|
+
typecheck → tsc --noEmit
|
|
380
219
|
```
|
|
381
220
|
|
|
382
|
-
|
|
221
|
+
### Pre-push
|
|
383
222
|
|
|
384
223
|
```
|
|
385
|
-
/
|
|
386
|
-
|
|
387
|
-
/
|
|
388
|
-
/vulnerabilities # Security scan
|
|
389
|
-
/dev-report # Team activity report
|
|
390
|
-
/quality # ESLint + AI review
|
|
391
|
-
/onboarding # New developer guide
|
|
224
|
+
build → ensure dist/ is current
|
|
225
|
+
tests with coverage → vitest run --coverage (or equivalent per language)
|
|
226
|
+
coverage threshold → scripts/check-coverage.sh; fails below configurable threshold
|
|
392
227
|
```
|
|
393
228
|
|
|
394
|
-
|
|
229
|
+
### PR CI (`.github/workflows/ci.yml`)
|
|
395
230
|
|
|
396
|
-
|
|
397
|
-
cd my-monorepo
|
|
398
|
-
npx @vyuhlabs/dxkit init --detect --yes
|
|
399
|
-
```
|
|
231
|
+
Mirrors pre-push but also runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop. `DXKIT_SLOP_BASE=origin/<base_ref>` flips `check-slop.sh` into diff-vs-base mode.
|
|
400
232
|
|
|
401
|
-
|
|
233
|
+
---
|
|
402
234
|
|
|
403
|
-
|
|
404
|
-
- Test commands with `npm test` + `pytest` + `go test`
|
|
405
|
-
- Path-scoped rules for `.ts`, `.py`, and `.go` files
|
|
406
|
-
- Language breakdown in codebase skill: "TypeScript: 200, Python: 50, Go: 30"
|
|
235
|
+
## Quality Gates for Agent-Written Code
|
|
407
236
|
|
|
408
|
-
|
|
237
|
+
dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
|
|
409
238
|
|
|
410
|
-
|
|
239
|
+
1. **Pre-commit** — fast local checks (architecture, slop, lint, typecheck)
|
|
240
|
+
2. **Pre-push** — thorough local checks (full suite + coverage threshold)
|
|
241
|
+
3. **PR CI** — unbypassable server-side checks (everything above + slop-vs-base + pack-dry)
|
|
242
|
+
4. **Coverage threshold** — enforced at both local and CI tiers; agents can't silently lower it
|
|
243
|
+
|
|
244
|
+
The same pattern is what dxkit itself uses. See `scripts/check-coverage.sh` + `scripts/check-slop.sh`.
|
|
245
|
+
|
|
246
|
+
---
|
|
247
|
+
|
|
248
|
+
## Library API
|
|
249
|
+
|
|
250
|
+
dxkit exports functions for programmatic use by downstream packages (e.g. `@vyuhlabs/create-devstack`):
|
|
251
|
+
|
|
252
|
+
```typescript
|
|
253
|
+
import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
|
|
254
|
+
import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
|
|
255
|
+
|
|
256
|
+
const stack = detect('/path/to/project');
|
|
411
257
|
|
|
412
|
-
|
|
258
|
+
if (hasProjectYaml('/path/to/project')) {
|
|
259
|
+
const config = readProjectYaml('/path/to/project');
|
|
260
|
+
}
|
|
413
261
|
|
|
262
|
+
const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
|
|
414
263
|
```
|
|
415
|
-
|
|
264
|
+
|
|
265
|
+
The CLI binary (`vyuh-dxkit`) is separate; the library import is for build-time and programmatic consumers.
|
|
266
|
+
|
|
267
|
+
---
|
|
268
|
+
|
|
269
|
+
## Two Workflows
|
|
270
|
+
|
|
271
|
+
### Fix Loop: Reports → KPIs → Plans → Execution
|
|
272
|
+
|
|
273
|
+
```bash
|
|
274
|
+
# 1. Scaffold into an existing repo
|
|
416
275
|
npx @vyuhlabs/dxkit init --detect --yes
|
|
417
276
|
|
|
418
|
-
# 2.
|
|
277
|
+
# 2. Run analyzers (any of these work standalone too)
|
|
419
278
|
/health # Codebase health (6 dimensions)
|
|
420
|
-
/vulnerabilities # Security scan
|
|
279
|
+
/vulnerabilities # Security scan
|
|
421
280
|
/test-gaps # Untested critical code
|
|
422
281
|
|
|
423
282
|
# 3. Generate improvement plans
|
|
424
|
-
/plan #
|
|
283
|
+
/plan # Proposes KPIs + actionable plans
|
|
425
284
|
|
|
426
285
|
# 4. Execute plans with session management
|
|
427
286
|
/execute-plan security # Work through security fixes
|
|
@@ -432,48 +291,102 @@ npx @vyuhlabs/dxkit init --detect --yes
|
|
|
432
291
|
|
|
433
292
|
### Feature Loop: Description → Design → Plan → Build
|
|
434
293
|
|
|
435
|
-
|
|
436
|
-
|
|
437
|
-
```
|
|
438
|
-
# 1. Design a new feature
|
|
294
|
+
```bash
|
|
439
295
|
/feature add user roles with admin, editor, viewer tiers
|
|
440
|
-
|
|
441
296
|
# Agent reads codebase, finds similar patterns, generates:
|
|
442
297
|
# .ai/features/user-roles.md with full implementation plan
|
|
443
298
|
|
|
444
|
-
# 2. Review and adjust the plan (edit the md file if needed)
|
|
445
|
-
|
|
446
|
-
# 3. Build the feature
|
|
447
299
|
/build-feature user-roles
|
|
448
|
-
|
|
449
300
|
# Agent executes tasks: model → migration → repository → service → tests → controller
|
|
450
301
|
# Session checkpoints after each task
|
|
451
|
-
# Progress tracked in .ai/features/progress/user-roles.md
|
|
452
302
|
```
|
|
453
303
|
|
|
454
304
|
Both loops use the session framework — checkpoints, skill evolution, progress tracking.
|
|
455
305
|
|
|
456
|
-
|
|
306
|
+
---
|
|
307
|
+
|
|
308
|
+
## Reports
|
|
309
|
+
|
|
310
|
+
All analyzer commands save timestamped reports to `.ai/reports/`:
|
|
457
311
|
|
|
458
312
|
```
|
|
459
|
-
/
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
#
|
|
463
|
-
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
|
|
467
|
-
|
|
313
|
+
.ai/reports/
|
|
314
|
+
health-audit-<date>.md
|
|
315
|
+
health-audit-<date>-detailed.md # with --detailed
|
|
316
|
+
health-audit-<date>-detailed.json # agent-consumable
|
|
317
|
+
vulnerability-scan-<date>.md
|
|
318
|
+
test-gaps-<date>.md
|
|
319
|
+
quality-review-<date>.md
|
|
320
|
+
developer-report-<date>.md
|
|
321
|
+
```
|
|
322
|
+
|
|
323
|
+
Export options:
|
|
324
|
+
|
|
325
|
+
- **HTML dashboard**: `/dashboard` (Claude Code slash command) — dark-themed sidebar navigation
|
|
326
|
+
- **PDF**: `/export-pdf all` — converts all reports to PDF
|
|
327
|
+
- **Structured JSON**: `--detailed` on any command emits a canonical JSON schema
|
|
328
|
+
|
|
329
|
+
---
|
|
330
|
+
|
|
331
|
+
## Using with create-devstack
|
|
332
|
+
|
|
333
|
+
[`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
|
|
334
|
+
|
|
335
|
+
```bash
|
|
336
|
+
npm create @vyuhlabs/devstack my-project # devcontainer + .project.yaml + dxkit init
|
|
468
337
|
```
|
|
469
338
|
|
|
339
|
+
When create-devstack writes `.project.yaml` before calling dxkit, detection and prompts are skipped.
|
|
340
|
+
|
|
341
|
+
---
|
|
342
|
+
|
|
343
|
+
## Smart Detection
|
|
344
|
+
|
|
345
|
+
- **Test runner** — Jest, Mocha, Vitest, Ava, Tap, pytest, go test
|
|
346
|
+
- **Framework** — LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
|
|
347
|
+
- **Test presence** — counts + classifies (active, commented-out, empty, schema-only)
|
|
348
|
+
- **Multi-language** — detects all languages including Python from `.py` files (no config required)
|
|
349
|
+
- **Language breakdown** — file count per language via `cloc`
|
|
350
|
+
|
|
351
|
+
---
|
|
352
|
+
|
|
353
|
+
## CLI Reference
|
|
354
|
+
|
|
355
|
+
```bash
|
|
356
|
+
# Analyzer commands
|
|
357
|
+
vyuh-dxkit health [path] # 6-dimension score
|
|
358
|
+
vyuh-dxkit vulnerabilities [path] # Security scan
|
|
359
|
+
vyuh-dxkit test-gaps [path] # Coverage + gaps + actions
|
|
360
|
+
vyuh-dxkit quality [path] # Slop + duplication + lint
|
|
361
|
+
vyuh-dxkit dev-report [path] # Git activity report
|
|
362
|
+
|
|
363
|
+
# Tool management
|
|
364
|
+
vyuh-dxkit tools # status
|
|
365
|
+
vyuh-dxkit tools install [--yes] # install missing
|
|
366
|
+
|
|
367
|
+
# Scaffolding
|
|
368
|
+
vyuh-dxkit init [--detect|--yes|--full|--stealth|--force|--name <n>]
|
|
369
|
+
vyuh-dxkit update [--force|--rescan] # re-generate (preserves evolving files)
|
|
370
|
+
vyuh-dxkit doctor # diagnose environment
|
|
371
|
+
|
|
372
|
+
# Meta
|
|
373
|
+
vyuh-dxkit --help
|
|
374
|
+
vyuh-dxkit --version
|
|
375
|
+
```
|
|
376
|
+
|
|
377
|
+
---
|
|
378
|
+
|
|
470
379
|
## How It Works
|
|
471
380
|
|
|
472
|
-
1. **Detection** —
|
|
473
|
-
2. **
|
|
474
|
-
3. **
|
|
475
|
-
4. **
|
|
476
|
-
5. **
|
|
381
|
+
1. **Detection** — scans for config files, source files, and tools to determine languages, frameworks, and test runners
|
|
382
|
+
2. **Tool resolution** — `findTool()` checks PATH → brew → npm-g → pipx → cargo → go → project `node_modules` → system probes (first match wins)
|
|
383
|
+
3. **Gather metrics** — each analyzer calls its registered tools and parses structured output (JSON wherever possible)
|
|
384
|
+
4. **Score** — deterministic formulas map metrics to 0–100 per dimension
|
|
385
|
+
5. **Report** — markdown for humans, JSON for agents
|
|
386
|
+
|
|
387
|
+
No LLM in the analysis path. Scores are reproducible: same repo state → same report.
|
|
388
|
+
|
|
389
|
+
---
|
|
477
390
|
|
|
478
391
|
## License
|
|
479
392
|
|