@vyuhlabs/dxkit 2.13.0 → 2.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46)
  1. package/CHANGELOG.md +48 -0
  2. package/README.md +105 -59
  3. package/dist/allowlist/hint.d.ts +1 -1
  4. package/dist/allowlist/hint.d.ts.map +1 -1
  5. package/dist/allowlist/hint.js +6 -3
  6. package/dist/allowlist/hint.js.map +1 -1
  7. package/dist/cli.d.ts.map +1 -1
  8. package/dist/cli.js +20 -13
  9. package/dist/cli.js.map +1 -1
  10. package/dist/dashboard/graph-tab.d.ts.map +1 -1
  11. package/dist/dashboard/graph-tab.js +6 -3
  12. package/dist/dashboard/graph-tab.js.map +1 -1
  13. package/dist/doctor.d.ts.map +1 -1
  14. package/dist/doctor.js +13 -12
  15. package/dist/doctor.js.map +1 -1
  16. package/dist/generator.d.ts.map +1 -1
  17. package/dist/generator.js +3 -2
  18. package/dist/generator.js.map +1 -1
  19. package/dist/issue-cli.d.ts +1 -1
  20. package/dist/issue-cli.js +1 -1
  21. package/dist/loop/demo.d.ts +3 -2
  22. package/dist/loop/demo.d.ts.map +1 -1
  23. package/dist/loop/demo.js +207 -32
  24. package/dist/loop/demo.js.map +1 -1
  25. package/dist/loop/doctor.d.ts.map +1 -1
  26. package/dist/loop/doctor.js +29 -3
  27. package/dist/loop/doctor.js.map +1 -1
  28. package/dist/loop/scaffold.d.ts +5 -3
  29. package/dist/loop/scaffold.d.ts.map +1 -1
  30. package/dist/loop/scaffold.js +6 -3
  31. package/dist/loop/scaffold.js.map +1 -1
  32. package/dist/self-invocation.d.ts +77 -0
  33. package/dist/self-invocation.d.ts.map +1 -0
  34. package/dist/self-invocation.js +157 -0
  35. package/dist/self-invocation.js.map +1 -0
  36. package/dist/ship-installers.d.ts.map +1 -1
  37. package/dist/ship-installers.js +8 -0
  38. package/dist/ship-installers.js.map +1 -1
  39. package/dist/update.d.ts.map +1 -1
  40. package/dist/update.js +13 -5
  41. package/dist/update.js.map +1 -1
  42. package/dist/upgrade.d.ts +3 -3
  43. package/dist/upgrade.d.ts.map +1 -1
  44. package/dist/upgrade.js +5 -4
  45. package/dist/upgrade.js.map +1 -1
  46. package/package.json +6 -4
package/CHANGELOG.md CHANGED
@@ -7,6 +7,54 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.13.1] - 2026-06-21
11
+
12
+ ### Fixed — the loop Stop hook could fail on every stop when dxkit was not installed
13
+
14
+ The loop Stop hook (and the `.claude` PreToolUse context hook) invoke the
15
+ dxkit CLI as `npx vyuh-dxkit …`. That only resolves when dxkit is installed
16
+ in the repo (a devDependency or a global). When the loop was wired with a
17
+ pure-`npx @vyuhlabs/dxkit init --claude-loop` flow — no install — the hook
18
+ hit `npm error 404 'vyuh-dxkit' is not in this registry` on every stop,
19
+ because `vyuh-dxkit` is a binary name, not a package. `loop doctor` reported
20
+ the hook as wired even though it could not run.
21
+
22
+ - **`init --claude-loop` and `update` now declare `@vyuhlabs/dxkit` as a
23
+ devDependency** whenever they install an artifact that invokes the CLI (the
24
+ Stop hook, the context hook, the pre-push guardrail, or the CI guardrail),
25
+ so `npx vyuh-dxkit` resolves to a project-local binary. Skipped for
26
+ non-Node repos and when the dependency is already declared.
27
+ - **`loop doctor` now verifies the CLI actually resolves**, not just that the
28
+ hook string is present, and tells you to install dxkit when it does not.
29
+ - **The recommended loop setup installs dxkit first** via
30
+ `npm init @vyuhlabs/dxkit -- --claude-loop --yes`, which adds the
31
+ devDependency and registers the hook in one step.
32
+
33
+ ### Changed — one canonical CLI invocation, one registry of self-invoking surfaces
34
+
35
+ Every generated artifact that runs the dxkit CLI now builds its command from
36
+ a single helper, and every such artifact is listed in one registry that
37
+ drives the devDependency wire-up and the doctor checks. Adding a new
38
+ auto-running surface can no longer silently skip either. Enforced by an
39
+ architecture check and a registry-injection test.
40
+
41
+ ### Changed — positioning aligned to the Stop-gate
42
+
43
+ The package description, CLI banner, npm keywords, and the docs now lead with
44
+ the deterministic Stop-gate framing. The README loop quickstart installs
45
+ dxkit first, and the demo command is pinned to `@latest` so a stale global or
46
+ npx cache cannot run an older version that lacks the command.
47
+
48
+ ### Changed — `demo loop-guardrail` now runs a real sandbox scan
49
+
50
+ The demo no longer prints a scripted scenario. When gitleaks is available it
51
+ generates a throwaway git repo, runs the real `baseline create`, introduces a
52
+ real hardcoded secret, and runs the real `guardrail check` — the same commands
53
+ a user runs — so the block→repair→clean walkthrough is an actual scan, not a
54
+ mock. Your repo is never touched. The fabricated "agent" dialogue is gone; when
55
+ gitleaks is absent it shows a clearly-labelled illustration and how to run the
56
+ real sandbox.
57
+
10
58
  ## [2.13.0] - 2026-06-18
11
59
 
12
60
  ### Loop pack — a deterministic Stop-gate for autonomous coding loops
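Review bot: the fix leaves the generated hook string itself unchanged, and this entry documents exactly what a bare `npx vyuh-dxkit …` does when nothing local satisfies it: npm asks the public registry for a package named `vyuh-dxkit` (`npm error 404 'vyuh-dxkit' is not in this registry`). Declaring the devDependency removes the 404 on a repo where `npm install` has run, but it does not change the fallback path: on a fresh clone, a CI runner before install, or a non-Node repo (which the entry says is skipped), the Stop hook and the PreToolUse context hook will again resolve an unclaimed name against the registry on every stop, and whoever publishes `vyuh-dxkit` gets code execution in those repos. Since the 'one canonical CLI invocation' helper now owns the string, have it emit a form that cannot fall through to an unpinned name, for example `npx --package=@vyuhlabs/dxkit vyuh-dxkit …` or a direct `./node_modules/.bin/vyuh-dxkit …` that fails hard when the binary is absent, and describe the hijack angle in this entry instead of framing the defect only as a 404 annoyance; `loop doctor` checking resolution is good, but doctor runs only when someone invokes it.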
package/README.md CHANGED
@@ -16,6 +16,7 @@ finding, and the agent repaired before stopping clean.
16
16
  <p align="center">
17
17
  <img src=".github/assets/loop-stop-gate-demo.gif" width="820" alt="dxkit's Stop-gate blocks a coding-agent loop on a net-new critical dependency vulnerability, the agent bumps the version, and the gate goes clean." />
18
18
  </p>
19
+ <p align="center"><sub>Recorded from a real run on a synthetic repo, shortened for readability. Blocked and repaired inside the same warm loop.</sub></p>
19
20
 
20
21
  dxkit does not reinvent detection. It runs trusted open source scanners
21
22
  (gitleaks, Semgrep, OSV, npm audit, and more), and it can ingest results from
@@ -24,13 +25,17 @@ deterministic check, on every stop, of whether this change introduced a new
24
25
  finding compared with a baseline.
25
26
 
26
27
  ```bash
27
- npx -y @vyuhlabs/dxkit demo loop-guardrail # see it in 5 seconds, no API key, no setup
28
+ npm init @vyuhlabs/dxkit -- --claude-loop --yes # install dxkit + register the Claude Code Stop hook
29
+ npx vyuh-dxkit baseline create # grandfather today's findings
30
+ npx vyuh-dxkit loop doctor # verify the gate is wired
28
31
  ```
29
32
 
30
- Local. Offline. No model in the gate. Existing debt stays grandfathered. Only
31
- net-new regressions block.
33
+ The gate runs locally with no model: same input, same verdict, in seconds.
34
+ Existing debt stays grandfathered; only net-new regressions block. Want to
35
+ watch the flow first, on a sandbox dxkit creates? See the
36
+ [walkthrough](#see-it-without-touching-your-repo).
32
37
 
33
- [Watch it block and repair](#watch-it-block-and-repair) · [Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-locally)
38
+ [Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo)
34
39
 
35
40
  <p>
36
41
  <a href="https://www.npmjs.com/package/@vyuhlabs/dxkit"><img alt="npm" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit"></a>
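Review bot: `npm init @vyuhlabs/dxkit -- --claude-loop --yes` does not run `@vyuhlabs/dxkit`. npm rewrites an initializer name, so `npm init @vyuhlabs/dxkit` resolves to the package `@vyuhlabs/create-dxkit`; nothing in this diff (the file list or `package.json`) shows that package, so the first quickstart line depends on a separately published initializer that should be named here, or the line should read `npx @vyuhlabs/dxkit init --claude-loop --yes`, which the changelog entry says now adds the devDependency itself. The two lines that follow, `npx vyuh-dxkit baseline create` and `npx vyuh-dxkit loop doctor`, only resolve locally once that first step has actually installed the devDependency; if it fails, they reproduce the registry fallback this release is fixing, so the quickstart should tell the reader that a 404 on `vyuh-dxkit` means step 1 did not install.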
@@ -76,12 +81,23 @@ Use dxkit if you let coding agents:
76
81
  ## Built on tools you already trust
77
82
 
78
83
  dxkit is an orchestration and enforcement layer, not another scanner. It runs
79
- established open source tools and treats their output as one stream:
84
+ established open source tools and treats their output as one stream. Which tools
85
+ run depends on the languages in your repo — dxkit covers **8 ecosystems**
86
+ (TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby).
87
+
88
+ Universal, on every repo:
80
89
 
81
90
  - secrets: gitleaks
82
91
  - code patterns: Semgrep
83
- - dependency vulnerabilities: OSV and npm audit
84
- - duplication, size, and the code graph: jscpd, cloc, and graphify
92
+ - dependency advisories: OSV.dev
93
+ - size, duplication, and the code graph: cloc, jscpd, graphify
94
+
95
+ Per language, dxkit adds that ecosystem's own linter and audit tool — for
96
+ example npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
97
+ golangci-lint (Go), cargo-audit + clippy (Rust), `dotnet list --vulnerable`
98
+ (C#), osv-scanner + PMD (Java), osv-scanner + detekt (Kotlin), and
99
+ bundler-audit + RuboCop (Ruby). The full per-language matrix is in **Per-pack
100
+ capabilities** below.
85
101
 
86
102
  For deep interprocedural analysis, it ingests findings from **Snyk Code** and
87
103
  **CodeQL** (or any SARIF file), fingerprints them the same way as native
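Review bot: `dotnet list --vulnerable` is not a valid dotnet CLI invocation; the subcommand is `dotnet list package --vulnerable` (optionally with a project or solution path before `package`). If the C# pack shells out to the string as printed it will fail, and if it runs something else the README should print what is actually run. In the same list, the universal line now says `dependency advisories: OSV.dev` while Java and Kotlin list `osv-scanner` per language; say whether the universal step queries the OSV.dev API directly or runs osv-scanner, because the two differ in what they need from the network and the README elsewhere claims the gate runs locally.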
@@ -95,42 +111,38 @@ and inside the agent loop.
95
111
  | dxkit | baseline, fingerprint matcher, Stop-gate, loop ledger | Decide whether this change introduced something net-new |
96
112
  | Agent | Claude Code or another coding loop | Repair the exact finding and try to stop again |
97
113
 
98
- ## Watch it block and repair
99
-
100
- ```text
101
- checkout-service · loop behind the dxkit Stop-gate
102
- task: add a debounce helper using lodash 4.17.4
103
- claude ▸ Added a debounce helper using lodash 4.17.4. Done.
104
- ✗ dxkit Stop-gate ▸ BLOCKED: 1 net-new finding
105
- lodash 4.17.4: critical dependency vuln (GHSA-JF85-CPCP-J695)
106
- claude ▸ Bumped lodash to 4.17.21 and re-checked. Done.
107
- ✓ dxkit Stop-gate ▸ CLEAN the loop may stop.
108
- ```
109
-
110
- Recorded from a real run on a synthetic repo, shortened for readability.
111
- Blocked and repaired inside the same warm loop.
112
-
113
- ## Try it locally
114
+ ## Try it on your repo
114
115
 
115
- See the gate with no API key, no Claude Code, and no setup:
116
+ The Stop hook runs dxkit on every stop, so install dxkit into the repo. This
117
+ one command adds it as a devDependency and registers the hook additively — your
118
+ existing `.claude` settings are preserved:
116
119
 
117
120
  ```bash
118
- npx -y @vyuhlabs/dxkit demo loop-guardrail
121
+ npm init @vyuhlabs/dxkit -- --claude-loop --yes
122
+ npx vyuh-dxkit baseline create # grandfather today's findings
123
+ npx vyuh-dxkit loop doctor # verify the gate is wired safely and dxkit resolves
124
+ # then run Claude Code as you normally would. The Stop-gate fires on every stop.
125
+ npx vyuh-dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired-after-block
119
126
  ```
120
127
 
121
- It runs the real gate over an example finding and shows what it feeds the
122
- agent: block, repair, clean.
128
+ When the agent tries to stop, dxkit runs the net-new gate against the baseline.
129
+ Existing findings are grandfathered; only findings this change introduced block.
130
+
131
+ ## See it without touching your repo
123
132
 
124
- Wire it into your real Claude Code loop:
133
+ Want the flow first, on a sandbox dxkit creates?
125
134
 
126
135
  ```bash
127
- npx @vyuhlabs/dxkit init --claude-loop # registers the Stop hook (additive: your settings are kept)
128
- npx @vyuhlabs/dxkit baseline create # grandfather today's findings
129
- npx @vyuhlabs/dxkit loop doctor # verify the gate is wired safely
130
- # then run Claude Code as you normally would. The Stop-gate fires on every stop.
131
- npx @vyuhlabs/dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired-after-block
136
+ npx -y @vyuhlabs/dxkit@latest demo loop-guardrail
132
137
  ```
133
138
 
139
+ This runs the **real** gate on a temporary fixture repo: baseline → introduce a
140
+ net-new secret → BLOCK → repair → CLEAN, then it tears the fixture down. No API
141
+ key and no Claude Code, and your own repo is never touched. It needs gitleaks
142
+ installed and takes about 20 seconds; without gitleaks it shows a clearly
143
+ labelled illustration instead. (It does a one-time `npx` download, so it is not
144
+ fully offline — the gate itself is.)
145
+
134
146
  ### Presets: what blocks the loop
135
147
 
136
148
  ```text
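Review bot: `npx -y @vyuhlabs/dxkit@latest demo loop-guardrail` combines `-y` (install without prompting) with a floating dist-tag, so the reader executes whatever `latest` resolves to at that moment; the changelog gives the reason (a stale npx cache lacking the command), but the README should also show the pinned form (`@vyuhlabs/dxkit@2.13.1`) and say that `@latest` is there to bust the cache, not as a recommendation for a shared machine or CI box. Two claims in this hunk cannot be checked from the diff as rendered: 'your own repo is never touched' and 'then it tears the fixture down' depend on `dist/loop/demo.js` (+207 -32 in the file list, hunk not shown), so whoever reviews that file should confirm the fixture is created under a fresh temporary directory and removed on every exit path, including a gitleaks failure mid-run. The sandbox deliberately commits a real hardcoded secret into a real git repo; if that fixture is ever left behind, it will itself trip gitleaks on the host, so the demo should print the fixture path whenever cleanup fails.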
@@ -141,25 +153,39 @@ full-debt (opt-in) also gates test gaps and maintainability regressions.
141
153
  The default is `security-only`. The headline escape-rate benchmark used
142
154
  `full-debt` (it gated both the secret trap and the test-gap trap); the default
143
155
  install starts narrower so a first run does not trap users in expensive
144
- test-generation loops. Switch with `init --claude-loop --loop-preset full-debt`.
145
-
146
- ## Graph context: reducing the exploration tail
147
-
148
- The Stop-gate controls what the loop is allowed to ship. The code graph helps
149
- control how far the loop wanders. When dxkit scaffolds a repo, it builds a code
150
- graph and feeds the agent structural context: callers, callees, and blast
151
- radius. The agent gets a map before it starts grepping through unfamiliar code.
152
-
153
- The honest result from our benchmarks is predictable spend, not guaranteed
154
- cheaper spend. On a large repo the median was roughly tied, but the worst-case
155
- session used about **57% fewer tokens** and the variance was **roughly halved**.
156
- On a small repo the overhead was about zero. The graph caps the expensive tail.
157
- It does not promise a lower average.
156
+ test-generation loops. Switch with
157
+ `npm init @vyuhlabs/dxkit -- --claude-loop --loop-preset full-debt`.
158
+
159
+ ## Give the agent a map, not just a gate
160
+
161
+ The Stop-gate controls what a loop is allowed to ship. The code graph controls
162
+ how the agent does the work in between. When dxkit scaffolds a repo it builds a
163
+ code graph and installs skills that drive real development off it, so the agent
164
+ orients by querying structure instead of grepping and re-reading whole files.
165
+
166
+ - **Build a feature** (`dxkit-feature` skill): query the graph for where the
167
+ feature plugs in, what patterns already exist, and what the change will
168
+ touch, then implement against those patterns and run the analyzers on the
169
+ result before it stops.
170
+ - **Fix a finding** (`dxkit-action` skill): take a flagged finding, pull its
171
+ callers, callees, and blast radius from the graph, repair it, and confirm the
172
+ change did not introduce something net-new.
173
+
174
+ The agent gets callers, callees, and blast radius up front as a budget-bounded
175
+ slice, not a pile of file reads. It is the same graph, the same baseline, and
176
+ the same identity contract the gate already uses.
177
+
178
+ What the benchmarks actually show is predictable spend, not guaranteed cheaper
179
+ spend. On a large repo the median was roughly tied, the worst-case session used
180
+ about **57% fewer tokens**, and the variance was **roughly halved**. On a small
181
+ repo the overhead was about zero. The graph caps the expensive tail. It does
182
+ not promise a lower average, and it does not make the agent write better code on
183
+ its own.
158
184
 
159
185
  This is a different axis from detection. Snyk, SonarQube, and CodeQL tell you
160
186
  what is wrong. They do not give the agent a map of the code or bound how much it
161
187
  spends finding its way around. dxkit does both: the gate bounds what the loop
162
- ships, the graph bounds what the loop costs.
188
+ ships, the graph bounds how the loop works.
163
189
 
164
190
  ## The numbers
165
191
 
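Review bot: `Switch with npm init @vyuhlabs/dxkit -- --claude-loop --loop-preset full-debt` is a second run of the installer on a repo that already has the hook. The 'Try it on your repo' section says the hook is registered additively and existing `.claude` settings are preserved, so state whether a preset change replaces the existing Stop hook entry or appends a second one, and whether `update` is the intended way to switch presets after install; the changelog lists both `init --claude-loop` and `update` as installing the same artifacts, and a repo that ends up with two Stop hooks will run the gate twice per stop. The same line also drops the `--yes` the quickstart uses, so say what the user is prompted for without it.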
@@ -178,7 +204,7 @@ predictable.
178
204
  > dxkit catches every possible bug. The claim is narrower: for findings the
179
205
  > detector observes, dxkit gives the loop a deterministic net-new stop decision.
180
206
 
181
- Full methodology, raw artifacts, and the rest of the caveats are in
207
+ Full methodology, reproducibility notes, artifact status, and caveats are in
182
208
  **[docs/benchmarks.md](docs/benchmarks.md)**.
183
209
 
184
210
  ## What dxkit is, and is not
@@ -219,11 +245,28 @@ at the speed of the agent loop.
219
245
  The same deterministic core powers the rest of dxkit: pre-push and CI
220
246
  guardrails, brownfield baselines, durable finding identity, SARIF, CodeQL, and
221
247
  Snyk ingest, a six-dimension health report, code-graph context, and a set of
222
- Claude Code skills. It covers TypeScript / JavaScript, Python, Go, Rust, C# /
223
- .NET, Java, Kotlin, and Ruby. See **[the docs](docs/README.md)**.
248
+ Claude Code skills. See **[the docs](docs/README.md)**.
249
+
250
+ ## Languages
251
+
252
+ dxkit covers 8 ecosystems. Detection is automatic from your manifests and
253
+ source; each language brings its own native linter, dependency-audit tool, and
254
+ coverage parser, layered on the universal scanners (gitleaks, Semgrep, OSV,
255
+ cloc, jscpd, graphify).
256
+
257
+ | Language | Detected by | Native linter + audit |
258
+ | ----------------------- | --------------------------- | ----------------------------------------- |
259
+ | TypeScript / JavaScript | `package.json` | ESLint, npm audit |
260
+ | Python | `pyproject.toml`, `*.py` | ruff, pip-audit |
261
+ | Go | `go.mod` | golangci-lint, govulncheck |
262
+ | Rust | `Cargo.toml` | clippy, cargo-audit |
263
+ | C# / .NET | `*.csproj`, `*.sln` | dotnet-format, `dotnet list --vulnerable` |
264
+ | Java | `pom.xml`, `src/main/java/` | PMD, osv-scanner |
265
+ | Kotlin | `*.gradle{.kts,}`, `*.kt` | detekt, osv-scanner |
266
+ | Ruby | `Gemfile`, `*.rb` | RuboCop, bundler-audit |
224
267
 
225
268
  <details>
226
- <summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
269
+ <summary><strong>Per-pack capabilities</strong> — coverage import, import-graph, severity tiers (click to expand)</summary>
227
270
 
228
271
  | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
229
272
  | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
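Review bot: the C# / .NET cell repeats `dotnet list --vulnerable`; the real command is `dotnet list package --vulnerable`. The detection column is also inconsistent with itself: Java is detected by `pom.xml` or `src/main/java/`, while `*.gradle{.kts,}` appears only under Kotlin and no `*.java` glob is listed, so the table does not say how a Gradle-built Java project without the Maven layout is classified; since `*.kt`, `*.py` and `*.rb` show that source extensions are consulted, list `*.java` for Java and `*.gradle` / `*.gradle.kts` for both ecosystems. Minor: `*.gradle{.kts,}` is shell brace-expansion shorthand; spelling out `*.gradle`, `*.gradle.kts` is clearer in a table a non-shell reader will scan.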
@@ -248,18 +291,21 @@ so it does not inflate the Code Quality score.
248
291
 
249
292
  </details>
250
293
 
251
- ## Reproduce the benchmark
294
+ ## Reproduce the deterministic tier
252
295
 
253
- The deterministic tier runs offline, so you do not have to trust our numbers:
296
+ The deterministic results the net-new gate decision and the finding-identity
297
+ matcher — reproduce offline, so you do not have to trust our numbers. This is
298
+ separate from the agentic benchmark, which requires running real agent sessions.
299
+ The harnesses live in `benchmarks/`:
254
300
 
255
301
  ```bash
256
- npx @vyuhlabs/dxkit demo loop-guardrail # the gate, end to end, no API key
257
- npx @vyuhlabs/dxkit init --claude-loop
258
- npx @vyuhlabs/dxkit baseline create
259
- npx @vyuhlabs/dxkit loop doctor
302
+ node benchmarks/bench-guardrail.mjs config.json # block/allow on seeded findings
303
+ node benchmarks/bench-netnew-isolation.mjs config.json # net-new isolation under churn
304
+ node benchmarks/bench-matcher.mjs config.json # false net-new on line shifts + renames
260
305
  ```
261
306
 
262
- Methodology and raw artifacts: **[docs/benchmarks.md](docs/benchmarks.md)**.
307
+ See `benchmarks/README.md` to point them at a repo, and the full methodology,
308
+ caveats, and artifact status in **[docs/benchmarks.md](docs/benchmarks.md)**.
263
309
 
264
310
  ## Credits
265
311
 
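Review bot: the sentence 'The deterministic results the net-new gate decision and the finding-identity matcher — reproduce offline' is missing its opening dash or parenthesis and does not parse; suggest 'The deterministic results (the net-new gate decision and the finding-identity matcher) reproduce offline'. Also, this README ships inside the npm package, but `node benchmarks/bench-guardrail.mjs config.json` and the two commands after it point at `benchmarks/`, which is not in the published file list (everything under `package/` here is `dist/`, `README.md`, `CHANGELOG.md` and `package.json`), and `benchmarks/README.md` is referenced without a link; a reader of the registry page cannot run any of the three, so link to the repository tree or say that the harnesses need a source checkout rather than claiming they 'reproduce offline' from the package alone.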
@@ -11,7 +11,7 @@
11
11
  * 2. **Inline example** — the exact annotation comment to paste
12
12
  * when the finding has a stable single-line attachment point
13
13
  * and the chosen category is inline-compatible.
14
- * 3. **CLI command** — the exact `npx vyuh-dxkit allowlist add`
14
+ * 3. **CLI command** — the exact `vyuh-dxkit allowlist add`
15
15
  * invocation that handles the mutation without the developer
16
16
  * typing annotation syntax.
17
17
  *
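Review bot: the file header is missing from this rendering; by the file list and the `sources` entry of the map hunk that follows, this is `dist/allowlist/hint.d.ts`. The doc comment now promises 'the exact `vyuh-dxkit allowlist add` invocation', dropping `npx`, but the matching change in `hint.js` builds the string with `dxkitCli('allowlist add')`, so the comment no longer tells a consumer of `cliCommand` what prefix they will actually see. Given that the prefix is the whole subject of this release, say here that the command is produced by `dxkitCli` from `self-invocation` and is not a fixed literal, and describe what the helper emits in the installed-devDependency case.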
@@ -1 +1 @@
1
- {"version":3,"file":"hint.d.ts","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGxE,OAAO,EAKL,KAAK,iBAAiB,EACvB,MAAM,cAAc,CAAC;AAStB,MAAM,WAAW,SAAS;IACxB,yDAAyD;IACzD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;oBAEgB;IAChB,QAAQ,CAAC,oBAAoB,EAAE,SAAS,iBAAiB,EAAE,CAAC;IAC5D;;;mCAG+B;IAC/B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,4DAA4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B;;;4CAGwC;IACxC,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;2DACuD;IACvD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,CAAC,EAAE,eAAe,GAAG,SAAS,CAyB3F;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAsFlE"}
1
+ {"version":3,"file":"hint.d.ts","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGxE,OAAO,EAKL,KAAK,iBAAiB,EACvB,MAAM,cAAc,CAAC;AAUtB,MAAM,WAAW,SAAS;IACxB,yDAAyD;IACzD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;oBAEgB;IAChB,QAAQ,CAAC,oBAAoB,EAAE,SAAS,iBAAiB,EAAE,CAAC;IAC5D;;;mCAG+B;IAC/B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,4DAA4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B;;;4CAGwC;IACxC,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;2DACuD;IACvD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,CAAC,EAAE,eAAe,GAAG,SAAS,CAyB3F;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAwFlE"}
@@ -12,7 +12,7 @@
12
12
  * 2. **Inline example** — the exact annotation comment to paste
13
13
  * when the finding has a stable single-line attachment point
14
14
  * and the chosen category is inline-compatible.
15
- * 3. **CLI command** — the exact `npx vyuh-dxkit allowlist add`
15
+ * 3. **CLI command** — the exact `vyuh-dxkit allowlist add`
16
16
  * invocation that handles the mutation without the developer
17
17
  * typing annotation syntax.
18
18
  *
@@ -75,11 +75,12 @@ const sanitize_1 = require("../baseline/sanitize");
75
75
  const languages_1 = require("../languages");
76
76
  const categories_1 = require("./categories");
77
77
  const inline_1 = require("./inline");
78
+ const self_invocation_1 = require("../self-invocation");
78
79
  /**
79
80
  * Subcommand string used in every `cliCommand` rendered by this
80
81
  * module. One place to update if the subcommand ever renames.
81
82
  */
82
- const ALLOWLIST_ADD_CMD = 'npx vyuh-dxkit allowlist add';
83
+ const ALLOWLIST_ADD_CMD = (0, self_invocation_1.dxkitCli)('allowlist add');
83
84
  /**
84
85
  * Build the structured block-time hint from a baseline entry.
85
86
  * Pure function — no IO, no side effects. The caller renders the
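Review bot: `const ALLOWLIST_ADD_CMD = (0, self_invocation_1.dxkitCli)('allowlist add');` evaluates `dxkitCli` once, at `require` time, while the comment above it still reads 'Subcommand string ... One place to update if the subcommand ever renames', which no longer describes what the constant is. Two things to check against `self-invocation.js` (not shown in this rendering): if `dxkitCli` inspects process state (cwd, `node_modules/.bin`, an environment variable) to decide how the CLI is invoked, freezing the result at import time means the hint can render a command computed before the relevant repo directory is known, so call it at render time instead; and `buildHint` is documented a few lines down as 'Pure function — no IO, no side effects', which only stays true if `dxkitCli` does no filesystem lookup. Update the comment either way.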
@@ -135,7 +136,9 @@ function remediationFor(kind) {
135
136
  'possible rather than in source.');
136
137
  case 'dep-vuln':
137
138
  return ('Upgrade the vulnerable dependency to the patched version. Run ' +
138
- '`npx vyuh-dxkit vulnerabilities` to see the suggested install command ' +
139
+ '`' +
140
+ (0, self_invocation_1.dxkitCli)('vulnerabilities') +
141
+ '` to see the suggested install command ' +
139
142
  'for this ecosystem.');
140
143
  case 'duplication':
141
144
  return ('Extract the duplicated logic into a shared helper or accept the ' +
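Review bot: the `dep-vuln` remediation now assembles its text as `'`' + (0, self_invocation_1.dxkitCli)('vulnerabilities') + '` to see the suggested install command '`; a template literal with `${dxkitCli('vulnerabilities')}` inside the backticks reads better and avoids the stray-quote mistakes this shape invites. Since this string is handed to the agent as an instruction, and the changelog says the same helper now feeds the Stop hook, the context hook and the guardrails, the helper's output should be quoted consistently everywhere: if `dxkitCli` ever returns a path with spaces or backticks, the inline-code wrapping here breaks while a shell-quoted form in the hook would not.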
@@ -1 +1 @@
1
- {"version":3,"file":"hint.js","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyDH,0CAyBC;AAQD,wCAsFC;AA9KD,2CAA6B;AAC7B,mDAAmD;AAEnD,4CAAyC;AAEzC,6CAMsB;AACtB,qCAA4C;AAE5C;;;GAGG;AACH,MAAM,iBAAiB,GAAG,8BAA8B,CAAC;AA0BzD;;;;;;;;;;GAUG;AACH,SAAgB,eAAe,CAAC,KAAoB,EAAE,QAA0B;IAC9E,MAAM,oBAAoB,GAAG,+BAAkB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5D,MAAM,0BAA0B,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnE,yCAA4B,CAAC,GAAG,CAAC,CAAC,CAAC,CACpC,CAAC;IACF,MAAM,aAAa,GACjB,CAAC,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,MAAM,KAAK,CAAC,CAAC;IAEtF,MAAM,mBAAmB,GAAG,0BAA0B,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,kBAAkB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;IAChE,MAAM,aAAa,GAAG,kBAAkB,CAAC,oBAAoB,CAAC,CAAC;IAE/D,kEAAkE;IAClE,wDAAwD;IACxD,KAAK,QAAQ,CAAC;IAEd,OAAO;QACL,WAAW,EAAE,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC;QACvC,oBAAoB;QACpB,aAAa;QACb,UAAU;QACV,aAAa;QACb,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,IAA2B;IACxD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ,CAAC;QACd,KAAK,aAAa;YAChB,OAAO,CACL,8EAA8E;gBAC9E,4EAA4E;gBAC5E,qEAAqE,CACtE,CAAC;QACJ,KAAK,MAAM;YACT,OAAO,CACL,6EAA6E;gBAC7E,6EAA6E;gBAC7E,wDAAwD,CACzD,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO,CACL,+DAA+D;gBAC/D,oEAAoE;gBACpE,uEAAuE;gBACvE,iCAAiC,CAClC,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,gEAAgE;gBAChE,wEAAwE;gBACxE,qBAAqB,CACtB,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO,CACL,kEAAkE;gBAClE,uDAAuD;gBACvD,wEAAwE,CACzE,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,CACL,gEAAgE;gBAChE,sEAAsE;gBACtE,kEAAkE,CACnE,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,sEAAsE;gBACtE,iEAAiE;gBACjE,sCAAsC,CACvC,CAAC;QACJ,KAAK,uBAAuB;YAC1B,OAAO,CACL,0EAA0E;gBAC1E,yEAAyE;gBACzE,0DAA0D,CAC3D,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO,CACL,uEAAuE;gBACvE,0EAA0E;gBAC1E,yEAAyE;gBACzE,+BAA+B,CAChC,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,yEAAyE;gBACzE,uEAAuE;gBACvE,yEAAyE;gBACzE,+BAA+B,CAChC,CAAC;QACJ,KAAK,YAAY;YACf,OAAO,CACL,+DAA+D;gBAC/D,
gEAAgE;gBAChE,uDAAuD,CACxD,CAAC;QACJ,KAAK,YAAY;YACf,OAAO,CACL,wEAAwE;gBACxE,wEAAwE;gBACxE,+CAA+C,CAChD,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO,CACL,iEAAiE;gBACjE,mEAAmE;gBACnE,sEAAsE;gBACtE,mCAAmC,CACpC,CAAC;IACN,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,KAAoB;IACxC,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,SAAS,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,KAAK,cAAc,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAC9B,KAAK,aAAa,CAAC;QACnB,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa;YAChB,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,KAAK,MAAM,IAAI,IAAI,qBAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACvD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAoB,EACpB,mBAAkD;IAElD,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,IAAI,CAAC,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAC/D,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1D,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa;QAAE,OAAO,SAAS,CAAC;IACnD,OAAO,IAAA,yBAAgB,EAAC,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,eAAe,CACtB,KAAoB,EACpB,oBAAkD;IAElD,MAAM,aAAa,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,6BAA6B,CAAC;IAChD,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,cAAc,aAAa,EAAE,CAAC,CAAC,CAAC,uBAAuB,CAAC;IAC5F,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAEhC,oEAAoE;IACpE,oEAAoE;IACpE,EAAE;IACF,qEAAqE;IACrE,kEAAkE;IAClE,qDAAqD;IACrD,iEAAiE;IACjE,kEAAkE;IAC
lE,kDAAkD;IAClD,IAAI,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAClF,OAAO,GAAG,iBAAiB,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;IACpF,CAAC;IACD,OAAO,GAAG,iBAAiB,kBAAkB,KAAK,CAAC,EAAE,WAAW,KAAK,CAAC,IAAI,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;AAC3G,CAAC;AAED,SAAS,kBAAkB,CACzB,oBAAkD;IAElD,MAAM,mBAAmB,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gCAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzF,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,OAAO,CACL,2EAA2E;QAC3E,iFAAiF;QACjF,yCAAyC,CAC1C,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"hint.js","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DH,0CAyBC;AAQD,wCAwFC;AAjLD,2CAA6B;AAC7B,mDAAmD;AAEnD,4CAAyC;AAEzC,6CAMsB;AACtB,qCAA4C;AAC5C,wDAA8C;AAE9C;;;GAGG;AACH,MAAM,iBAAiB,GAAG,IAAA,0BAAQ,EAAC,eAAe,CAAC,CAAC;AA0BpD;;;;;;;;;;GAUG;AACH,SAAgB,eAAe,CAAC,KAAoB,EAAE,QAA0B;IAC9E,MAAM,oBAAoB,GAAG,+BAAkB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5D,MAAM,0BAA0B,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnE,yCAA4B,CAAC,GAAG,CAAC,CAAC,CAAC,CACpC,CAAC;IACF,MAAM,aAAa,GACjB,CAAC,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,MAAM,KAAK,CAAC,CAAC;IAEtF,MAAM,mBAAmB,GAAG,0BAA0B,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,kBAAkB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;IAChE,MAAM,aAAa,GAAG,kBAAkB,CAAC,oBAAoB,CAAC,CAAC;IAE/D,kEAAkE;IAClE,wDAAwD;IACxD,KAAK,QAAQ,CAAC;IAEd,OAAO;QACL,WAAW,EAAE,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC;QACvC,oBAAoB;QACpB,aAAa;QACb,UAAU;QACV,aAAa;QACb,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,IAA2B;IACxD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ,CAAC;QACd,KAAK,aAAa;YAChB,OAAO,CACL,8EAA8E;gBAC9E,4EAA4E;gBAC5E,qEAAqE,CACtE,CAAC;QACJ,KAAK,MAAM;YACT,OAAO,CACL,6EAA6E;gBAC7E,6EAA6E;gBAC7E,wDAAwD,CACzD,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO,CACL,+DAA+D;gBAC/D,oEAAoE;gBACpE,uEAAuE;gBACvE,iCAAiC,CAClC,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,gEAAgE;gBAChE,GAAG;gBACH,IAAA,0BAAQ,EAAC,iBAAiB,CAAC;gBAC3B,yCAAyC;gBACzC,qBAAqB,CACtB,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO,CACL,kEAAkE;gBAClE,uDAAuD;gBACvD,wEAAwE,CACzE,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,CACL,gEAAgE;gBAChE,sEAAsE;gBACtE,kEAAkE,CACnE,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,sEAAsE;gBACtE,iEAAiE;gBACjE,sCAAsC,CACvC,CAAC;QACJ,KAAK,uBAAuB;YAC1B,OAAO,CACL,0EAA0E;gBAC1E,yEAAyE;gBACzE,0DAA0D,CAC3D,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO,CACL,uEAAuE;gBACvE,0EAA0E;gBAC1E,yEAAyE;gBACzE,+BAA+B,CAChC,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,yEAAyE;gBACzE,uEAAuE;gBACv
E,yEAAyE;gBACzE,+BAA+B,CAChC,CAAC;QACJ,KAAK,YAAY;YACf,OAAO,CACL,+DAA+D;gBAC/D,gEAAgE;gBAChE,uDAAuD,CACxD,CAAC;QACJ,KAAK,YAAY;YACf,OAAO,CACL,wEAAwE;gBACxE,wEAAwE;gBACxE,+CAA+C,CAChD,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO,CACL,iEAAiE;gBACjE,mEAAmE;gBACnE,sEAAsE;gBACtE,mCAAmC,CACpC,CAAC;IACN,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,KAAoB;IACxC,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,SAAS,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,KAAK,cAAc,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAC9B,KAAK,aAAa,CAAC;QACnB,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa;YAChB,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,KAAK,MAAM,IAAI,IAAI,qBAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACvD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAoB,EACpB,mBAAkD;IAElD,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,IAAI,CAAC,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAC/D,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1D,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa;QAAE,OAAO,SAAS,CAAC;IACnD,OAAO,IAAA,yBAAgB,EAAC,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,eAAe,CACtB,KAAoB,EACpB,oBAAkD;IAElD,MAAM,aAAa,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,6BAA6B,CAAC;IAChD,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,cAAc,aAAa,EAAE,CAAC,CAAC,CAAC,uBAAuB,CAAC;IAC5F,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAEhC,oEAAoE;IACpE,oEAAoE;
IACpE,EAAE;IACF,qEAAqE;IACrE,kEAAkE;IAClE,qDAAqD;IACrD,iEAAiE;IACjE,kEAAkE;IAClE,kDAAkD;IAClD,IAAI,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAClF,OAAO,GAAG,iBAAiB,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;IACpF,CAAC;IACD,OAAO,GAAG,iBAAiB,kBAAkB,KAAK,CAAC,EAAE,WAAW,KAAK,CAAC,IAAI,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;AAC3G,CAAC;AAED,SAAS,kBAAkB,CACzB,oBAAkD;IAElD,MAAM,mBAAmB,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gCAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzF,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,OAAO,CACL,2EAA2E;QAC3E,iFAAiF;QACjF,yCAAyC,CAC1C,CAAC;AACJ,CAAC"}
package/dist/cli.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AA6RA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAi4DvD"}
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AA8RA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAy4DvD"}
package/dist/cli.js CHANGED
@@ -49,6 +49,7 @@ const report_date_1 = require("./analyzers/tools/report-date");
49
49
  const fail_on_1 = require("./fail-on");
50
50
  const report_schema_1 = require("./report-schema");
51
51
  const ship_installers_1 = require("./ship-installers");
52
+ const self_invocation_1 = require("./self-invocation");
52
53
  const fs = __importStar(require("fs"));
53
54
  const path = __importStar(require("path"));
54
55
  // process.stdout.write returns false when the OS pipe buffer is full
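Review bot: `./self-invocation` is now required unconditionally at module load, so it is evaluated on every invocation including `--help` and `--version`; confirm the module has no import-time side effects (package-manager detection, filesystem reads, lockfile parsing) and defers that work to `dxkitCli()` / `requiresResolvableCli()` calls. As a style point, the new `require` sits between the local `./ship-installers` import and the `fs`/`path` built-ins; keeping local modules grouped together would match the surrounding ordering.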
@@ -136,7 +137,7 @@ function applyFailOnSeverity(raw, counts, countsLabel) {
136
137
  }
137
138
  function printUsage() {
138
139
  console.log(`
139
- ${logger.bold('vyuh-dxkit')} v${constants_1.VERSION} — AI-native developer experience toolkit for any codebase
140
+ ${logger.bold('vyuh-dxkit')} v${constants_1.VERSION} — a Stop-gate for autonomous coding loops that blocks net-new findings
140
141
 
141
142
  ${logger.bold('Usage:')}
142
143
  vyuh-dxkit init [options] Install dxkit agent DX in this repo
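Review bot: the new tagline "a Stop-gate for autonomous coding loops that blocks net-new findings" narrows the tool's description, but the command list directly beneath it still reads "Install dxkit agent DX in this repo" and the rest of the usage text is unchanged, so the banner and the commands now describe different products; either keep a toolkit-level phrase alongside the Stop-gate wording or update the command descriptions to match. Minor: "Stop-gate" capitalises "Stop" as if naming the hook; if that is intentional it should be consistent with how the Stop hook is referred to elsewhere in the usage text.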
@@ -277,11 +278,11 @@ function printUsage() {
277
278
  Applies to: vulnerabilities, bom.
278
279
 
279
280
  ${logger.bold('Examples:')}
280
- npx vyuh-dxkit init # Interactive
281
- npx vyuh-dxkit init --detect # Auto-detect, just DX
282
- npx vyuh-dxkit init --full --yes # Everything, no prompts
283
- npx vyuh-dxkit init --detect --stealth # Local-only, not committed
284
- npx vyuh-dxkit update # Re-generate from manifest
281
+ ${(0, self_invocation_1.dxkitCli)('init')} # Interactive
282
+ ${(0, self_invocation_1.dxkitCli)('init --detect')} # Auto-detect, just DX
283
+ ${(0, self_invocation_1.dxkitCli)('init --full --yes')} # Everything, no prompts
284
+ ${(0, self_invocation_1.dxkitCli)('init --detect --stealth')} # Local-only, not committed
285
+ ${(0, self_invocation_1.dxkitCli)('update')} # Re-generate from manifest
285
286
  `);
286
287
  }
287
288
  async function run(argv) {
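Review bot: the examples block is now interpolated from `dxkitCli(...)` at the time `printUsage()` runs, so the help text depends on whatever detection that helper performs; it must not throw or return an empty string when invoked outside a project (for example `vyuh-dxkit --help` from `/tmp`), otherwise `--help` itself breaks. A small test that calls `printUsage()` from an empty temporary directory and checks the five example lines are non-empty would cover this. Note also that the inline `#` comments after each example previously aligned against a fixed-width `npx vyuh-dxkit ...` prefix; with a variable-length prefix the comments will drift unless `dxkitCli` pads its output.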
@@ -545,12 +546,18 @@ async function run(argv) {
545
546
  result: (0, ship_installers_1.installCiDeepSastRefresh)(cwd, { force: !!values.force }),
546
547
  });
547
548
  }
548
- // dxkit must resolve project-locally for the hooks + CI guardrail
549
- // to run a pinned version (both prefer ./node_modules/.bin over a
550
- // global). Add it to devDependencies whenever a surface that
551
- // invokes it is installed. No-ops for non-Node repos and when the
552
- // consumer already declares the dep.
553
- if (wantHooks || wantCi) {
549
+ // dxkit must resolve project-locally so every installed self-invocation
550
+ // surface (Stop hook, context-hook, pre-push + CI guardrail) can run a
551
+ // pinned dxkit instead of 404-ing. The set of surfaces that imply this
552
+ // is derived from the one registry in src/self-invocation.ts never a
553
+ // hand-maintained flag chain, which is what once dropped the loop Stop
554
+ // hook. No-ops for non-Node repos and when the dep is already declared.
555
+ if ((0, self_invocation_1.requiresResolvableCli)({
556
+ claudeSettings: wantDxkitAgents,
557
+ claudeLoop: wantClaudeLoop,
558
+ gitHooks: wantHooks,
559
+ ciGuardrails: wantCi,
560
+ })) {
554
561
  shipResults.push({
555
562
  label: 'dxkit devDependency',
556
563
  result: (0, ship_installers_1.installDxkitDevDependency)(cwd, { force: !!values.force }),
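Review bot: the replacement condition is still a hand-maintained mapping of four flags (`claudeSettings`, `claudeLoop`, `gitHooks`, `ciGuardrails`) to local `want*` variables, which is exactly the drift the comment says the registry in `src/self-invocation.ts` is meant to prevent; if a fifth surface is added to the registry this call site silently omits it. Consider typing the parameter as a `Record<SurfaceName, boolean>` with every key required so the compiler flags a missing surface, rather than an object with optional members. Two smaller points: the comment line "is derived from the one registry in src/self-invocation.ts never a" is missing punctuation after ".ts" and reads as a run-on, and the behavioural change (the devDependency is now also added when only Claude settings or the loop are installed, not just hooks/CI) deserves an explicit CHANGELOG entry since it alters `package.json` for consumers who never opted into hooks.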
@@ -1554,7 +1561,7 @@ async function run(argv) {
1554
1561
  if (missing.length > 0) {
1555
1562
  logger.warn(`${missing.length} scanner(s) not detected: ${missing.map((m) => m.tool).join(', ')}`);
1556
1563
  logger.dim(' Findings in these categories will NOT be captured in the baseline.');
1557
- logger.dim(' Install with `npx vyuh-dxkit tools install`, or if a tool IS installed but');
1564
+ logger.dim(' Install with `' + (0, self_invocation_1.dxkitCli)('tools install') + '`, or if a tool IS installed but');
1558
1565
  logger.dim(' not detected, point dxkit at it via .dxkit/tools.json (ask Claude: "fix dxkit").');
1559
1566
  // `--force` is an explicit "overwrite, non-interactive, I know
1560
1567
  // what I'm doing" signal — and the shipped baseline-refresh
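Review bot: the replaced `logger.dim(...)` call switches from a single string to `'Install with `' + dxkitCli('tools install') + '`, or if ...'` concatenation while the surrounding lines keep plain string literals; that is acceptable here because the message itself contains backticks, but the line is now longer than the fixed-width wrap the next `logger.dim` line assumes, so check the two lines still read as one sentence when `dxkitCli` returns a longer invocation than `npx vyuh-dxkit`. Also worth confirming that `dxkitCli('tools install')` cannot return a string containing a backtick, since the surrounding literal backticks are what delimit the command for the reader.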