@vyuhlabs/dxkit 2.12.0 → 2.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/CHANGELOG.md +90 -0
  2. package/README.md +246 -287
  3. package/dist/allowlist/hint.d.ts +1 -1
  4. package/dist/allowlist/hint.d.ts.map +1 -1
  5. package/dist/allowlist/hint.js +6 -3
  6. package/dist/allowlist/hint.js.map +1 -1
  7. package/dist/baseline/check.d.ts +7 -0
  8. package/dist/baseline/check.d.ts.map +1 -1
  9. package/dist/baseline/check.js +3 -1
  10. package/dist/baseline/check.js.map +1 -1
  11. package/dist/cli.d.ts.map +1 -1
  12. package/dist/cli.js +101 -14
  13. package/dist/cli.js.map +1 -1
  14. package/dist/dashboard/graph-tab.d.ts.map +1 -1
  15. package/dist/dashboard/graph-tab.js +6 -3
  16. package/dist/dashboard/graph-tab.js.map +1 -1
  17. package/dist/doctor.d.ts.map +1 -1
  18. package/dist/doctor.js +13 -12
  19. package/dist/doctor.js.map +1 -1
  20. package/dist/generator.d.ts.map +1 -1
  21. package/dist/generator.js +8 -2
  22. package/dist/generator.js.map +1 -1
  23. package/dist/issue-cli.d.ts +1 -1
  24. package/dist/issue-cli.js +1 -1
  25. package/dist/loop/demo.d.ts +12 -0
  26. package/dist/loop/demo.d.ts.map +1 -0
  27. package/dist/loop/demo.js +331 -0
  28. package/dist/loop/demo.js.map +1 -0
  29. package/dist/loop/doctor.d.ts +37 -0
  30. package/dist/loop/doctor.d.ts.map +1 -0
  31. package/dist/loop/doctor.js +320 -0
  32. package/dist/loop/doctor.js.map +1 -0
  33. package/dist/loop/ledger-cli.d.ts +7 -0
  34. package/dist/loop/ledger-cli.d.ts.map +1 -0
  35. package/dist/loop/ledger-cli.js +95 -0
  36. package/dist/loop/ledger-cli.js.map +1 -0
  37. package/dist/loop/ledger.d.ts +95 -0
  38. package/dist/loop/ledger.d.ts.map +1 -0
  39. package/dist/loop/ledger.js +201 -0
  40. package/dist/loop/ledger.js.map +1 -0
  41. package/dist/loop/policy.d.ts +35 -0
  42. package/dist/loop/policy.d.ts.map +1 -0
  43. package/dist/loop/policy.js +151 -0
  44. package/dist/loop/policy.js.map +1 -0
  45. package/dist/loop/scaffold.d.ts +28 -0
  46. package/dist/loop/scaffold.d.ts.map +1 -0
  47. package/dist/loop/scaffold.js +224 -0
  48. package/dist/loop/scaffold.js.map +1 -0
  49. package/dist/loop/stop-gate.d.ts +71 -0
  50. package/dist/loop/stop-gate.d.ts.map +1 -0
  51. package/dist/loop/stop-gate.js +295 -0
  52. package/dist/loop/stop-gate.js.map +1 -0
  53. package/dist/self-invocation.d.ts +77 -0
  54. package/dist/self-invocation.d.ts.map +1 -0
  55. package/dist/self-invocation.js +157 -0
  56. package/dist/self-invocation.js.map +1 -0
  57. package/dist/ship-installers.d.ts.map +1 -1
  58. package/dist/ship-installers.js +8 -0
  59. package/dist/ship-installers.js.map +1 -1
  60. package/dist/types.d.ts +4 -0
  61. package/dist/types.d.ts.map +1 -1
  62. package/dist/update.d.ts.map +1 -1
  63. package/dist/update.js +22 -5
  64. package/dist/update.js.map +1 -1
  65. package/dist/upgrade.d.ts +3 -3
  66. package/dist/upgrade.d.ts.map +1 -1
  67. package/dist/upgrade.js +5 -4
  68. package/dist/upgrade.js.map +1 -1
  69. package/package.json +6 -4
  70. package/templates/.claude/skills/dxkit-config/SKILL.md +17 -0
  71. package/templates/.claude/skills/dxkit-init/SKILL.md +1 -0
  72. package/templates/.claude/skills/dxkit-learn/SKILL.md +17 -0
  73. package/templates/.claude/skills/dxkit-loop/SKILL.md +114 -0
  74. package/templates/.claude/skills/dxkit-onboard/SKILL.md +2 -0
  75. package/templates/.claude/skills/dxkit-update/SKILL.md +3 -0
package/CHANGELOG.md CHANGED
@@ -7,6 +7,96 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.13.1] - 2026-06-21
11
+
12
+ ### Fixed — the loop Stop hook could fail on every stop when dxkit was not installed
13
+
14
+ The loop Stop hook (and the `.claude` PreToolUse context hook) invoke the
15
+ dxkit CLI as `npx vyuh-dxkit …`. That only resolves when dxkit is installed
16
+ in the repo (a devDependency or a global). When the loop was wired with a
17
+ pure-`npx @vyuhlabs/dxkit init --claude-loop` flow — no install — the hook
18
+ hit `npm error 404 'vyuh-dxkit' is not in this registry` on every stop,
19
+ because `vyuh-dxkit` is a binary name, not a package. `loop doctor` reported
20
+ the hook as wired even though it could not run.
21
+
22
+ - **`init --claude-loop` and `update` now declare `@vyuhlabs/dxkit` as a
23
+ devDependency** whenever they install an artifact that invokes the CLI (the
24
+ Stop hook, the context hook, the pre-push guardrail, or the CI guardrail),
25
+ so `npx vyuh-dxkit` resolves to a project-local binary. Skipped for
26
+ non-Node repos and when the dependency is already declared.
27
+ - **`loop doctor` now verifies the CLI actually resolves**, not just that the
28
+ hook string is present, and tells you to install dxkit when it does not.
29
+ - **The recommended loop setup installs dxkit first** via
30
+ `npm init @vyuhlabs/dxkit -- --claude-loop --yes`, which adds the
31
+ devDependency and registers the hook in one step.
32
+
33
+ ### Changed — one canonical CLI invocation, one registry of self-invoking surfaces
34
+
35
+ Every generated artifact that runs the dxkit CLI now builds its command from
36
+ a single helper, and every such artifact is listed in one registry that
37
+ drives the devDependency wire-up and the doctor checks. Adding a new
38
+ auto-running surface can no longer silently skip either. Enforced by an
39
+ architecture check and a registry-injection test.
40
+
41
+ ### Changed — positioning aligned to the Stop-gate
42
+
43
+ The package description, CLI banner, npm keywords, and the docs now lead with
44
+ the deterministic Stop-gate framing. The README loop quickstart installs
45
+ dxkit first, and the demo command is pinned to `@latest` so a stale global or
46
+ npx cache cannot run an older version that lacks the command.
47
+
48
+ ### Changed — `demo loop-guardrail` now runs a real sandbox scan
49
+
50
+ The demo no longer prints a scripted scenario. When gitleaks is available it
51
+ generates a throwaway git repo, runs the real `baseline create`, introduces a
52
+ real hardcoded secret, and runs the real `guardrail check` — the same commands
53
+ a user runs — so the block→repair→clean walkthrough is an actual scan, not a
54
+ mock. Your repo is never touched. The fabricated "agent" dialogue is gone; when
55
+ gitleaks is absent it shows a clearly-labelled illustration and how to run the
56
+ real sandbox.
57
+
58
+ ## [2.13.0] - 2026-06-18
59
+
60
+ ### Loop pack — a deterministic Stop-gate for autonomous coding loops
61
+
62
+ When Claude Code runs in an autonomous loop (it keeps working until it
63
+ decides to stop), the new loop pack stops it from declaring "done" while it
64
+ has introduced net-new findings. It re-runs the guardrail on every Stop and
65
+ feeds any net-new findings back to the model for repair. The value is
66
+ predictability, not new detection — it bounds the "loop shipped debt and
67
+ never fixed it" failure mode using the findings, baseline, and identity
68
+ contract dxkit already computes.
69
+
70
+ - **`vyuh-dxkit init --claude-loop`** registers the Stop-gate hook. The
71
+ install is **additive**: it deep-merges the hook into an existing
72
+ `.claude/settings.json` (preserving your other hooks + permissions) and
73
+ appends a sentinel-delimited managed block to `CLAUDE.md` (never touching
74
+ your prose). Opt-in even under `--full`, because it registers a hook that
75
+ blocks the agent from stopping. Re-applied by `vyuh-dxkit update` on repos
76
+ that opted in.
77
+ - **Loop-scoped presets.** A `loop.preset` in `.dxkit/policy.json` decides
78
+ what blocks the loop: `security-only` (default — net-new secrets +
79
+ crit/high security + reachable dependency vulns) or `full-debt` (also
80
+ blocks test-gap + quality). It is read **only by the Stop-gate**; your CI
81
+ / PR guardrail always uses the full policy, so the loop posture can't
82
+ silently weaken your CI gate. `security-only` is the default because a
83
+ block in a loop tells the model to *fix* the finding, and open-ended debt
84
+ (write tests / refactor until clear) would make an unattended agent grind.
85
+ - **`vyuh-dxkit loop doctor`** — preflight that verifies a loop is wired
86
+ safely before an unattended run (baseline present, Stop hook registered,
87
+ guardrail runnable, posture). Catches the silent-failure class: an
88
+ unregistered hook never fires, so the loop would run with no gate and no
89
+ error. Exits non-zero so a CI loop-setup step can gate on it.
90
+ - **`vyuh-dxkit loop ledger [show|summarize|clear]`** — an append-only audit
91
+ trail of every Stop event (`.dxkit/loop/ledger.jsonl`): blocked vs
92
+ allowed, net-new counts, and repaired-after-block sessions.
93
+ - **New `dxkit-loop` skill** plus loop-aware updates to `dxkit-config`,
94
+ `dxkit-learn`, `dxkit-update`, `dxkit-onboard`, and `dxkit-init` so the
95
+ loop is set up and operated conversationally through Claude Code.
96
+ - No baseline re-creation is needed; existing baselines and allowlists are
97
+ unaffected. The loop pack is opt-in — existing installs are unchanged
98
+ until they run `init --claude-loop`.
99
+
10
100
  ## [2.12.0] - 2026-06-17
11
101
 
12
102
  ### Guardrail: benign line shifts no longer read as net-new