@vyuhlabs/dxkit 2.13.0 → 2.13.2
- package/CHANGELOG.md +64 -0
- package/README.md +105 -59
- package/dist/allowlist/hint.d.ts +1 -1
- package/dist/allowlist/hint.d.ts.map +1 -1
- package/dist/allowlist/hint.js +6 -3
- package/dist/allowlist/hint.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +20 -13
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-tab.d.ts.map +1 -1
- package/dist/dashboard/graph-tab.js +6 -3
- package/dist/dashboard/graph-tab.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +13 -12
- package/dist/doctor.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +3 -2
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +1 -1
- package/dist/issue-cli.js +1 -1
- package/dist/loop/demo.d.ts +3 -2
- package/dist/loop/demo.d.ts.map +1 -1
- package/dist/loop/demo.js +207 -32
- package/dist/loop/demo.js.map +1 -1
- package/dist/loop/doctor.d.ts.map +1 -1
- package/dist/loop/doctor.js +72 -14
- package/dist/loop/doctor.js.map +1 -1
- package/dist/loop/scaffold.d.ts +5 -3
- package/dist/loop/scaffold.d.ts.map +1 -1
- package/dist/loop/scaffold.js +6 -3
- package/dist/loop/scaffold.js.map +1 -1
- package/dist/self-invocation.d.ts +77 -0
- package/dist/self-invocation.d.ts.map +1 -0
- package/dist/self-invocation.js +157 -0
- package/dist/self-invocation.js.map +1 -0
- package/dist/ship-installers.d.ts.map +1 -1
- package/dist/ship-installers.js +9 -0
- package/dist/ship-installers.js.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +13 -5
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts +3 -3
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +5 -4
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -4
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,70 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.13.2] - 2026-06-22
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- `init` and `update` now gitignore `.dxkit/loop/`, so the loop pack's runtime
|
|
15
|
+
output (the ledger and the last-guardrail snapshot) is no longer committed by
|
|
16
|
+
repos that use the Stop-gate. Latent since the loop pack shipped in 2.13.0.
|
|
17
|
+
|
|
18
|
+
### Changed
|
|
19
|
+
|
|
20
|
+
- `loop doctor` now validates the **actual** registered Stop hook command. It
|
|
21
|
+
understands both the `npx vyuh-dxkit` / installed-binary form (the binary must
|
|
22
|
+
resolve) and a local-build `node <script>` form (the script must exist),
|
|
23
|
+
instead of only the npx form. This lets a repo dogfood the gate against its own
|
|
24
|
+
build, and gives a correct verdict for any custom hook command.
|
|
25
|
+
|
|
26
|
+
## [2.13.1] - 2026-06-21
|
|
27
|
+
|
|
28
|
+
### Fixed — the loop Stop hook could fail on every stop when dxkit was not installed
|
|
29
|
+
|
|
30
|
+
The loop Stop hook (and the `.claude` PreToolUse context hook) invoke the
|
|
31
|
+
dxkit CLI as `npx vyuh-dxkit …`. That only resolves when dxkit is installed
|
|
32
|
+
in the repo (a devDependency or a global). When the loop was wired with a
|
|
33
|
+
pure-`npx @vyuhlabs/dxkit init --claude-loop` flow — no install — the hook
|
|
34
|
+
hit `npm error 404 'vyuh-dxkit' is not in this registry` on every stop,
|
|
35
|
+
because `vyuh-dxkit` is a binary name, not a package. `loop doctor` reported
|
|
36
|
+
the hook as wired even though it could not run.
|
|
37
|
+
|
|
38
|
+
- **`init --claude-loop` and `update` now declare `@vyuhlabs/dxkit` as a
|
|
39
|
+
devDependency** whenever they install an artifact that invokes the CLI (the
|
|
40
|
+
Stop hook, the context hook, the pre-push guardrail, or the CI guardrail),
|
|
41
|
+
so `npx vyuh-dxkit` resolves to a project-local binary. Skipped for
|
|
42
|
+
non-Node repos and when the dependency is already declared.
|
|
43
|
+
- **`loop doctor` now verifies the CLI actually resolves**, not just that the
|
|
44
|
+
hook string is present, and tells you to install dxkit when it does not.
|
|
45
|
+
- **The recommended loop setup installs dxkit first** via
|
|
46
|
+
`npm init @vyuhlabs/dxkit -- --claude-loop --yes`, which adds the
|
|
47
|
+
devDependency and registers the hook in one step.
|
|
48
|
+
|
|
49
|
+
### Changed — one canonical CLI invocation, one registry of self-invoking surfaces
|
|
50
|
+
|
|
51
|
+
Every generated artifact that runs the dxkit CLI now builds its command from
|
|
52
|
+
a single helper, and every such artifact is listed in one registry that
|
|
53
|
+
drives the devDependency wire-up and the doctor checks. Adding a new
|
|
54
|
+
auto-running surface can no longer silently skip either. Enforced by an
|
|
55
|
+
architecture check and a registry-injection test.
|
|
56
|
+
|
|
57
|
+
### Changed — positioning aligned to the Stop-gate
|
|
58
|
+
|
|
59
|
+
The package description, CLI banner, npm keywords, and the docs now lead with
|
|
60
|
+
the deterministic Stop-gate framing. The README loop quickstart installs
|
|
61
|
+
dxkit first, and the demo command is pinned to `@latest` so a stale global or
|
|
62
|
+
npx cache cannot run an older version that lacks the command.
|
|
63
|
+
|
|
64
|
+
### Changed — `demo loop-guardrail` now runs a real sandbox scan
|
|
65
|
+
|
|
66
|
+
The demo no longer prints a scripted scenario. When gitleaks is available it
|
|
67
|
+
generates a throwaway git repo, runs the real `baseline create`, introduces a
|
|
68
|
+
real hardcoded secret, and runs the real `guardrail check` — the same commands
|
|
69
|
+
a user runs — so the block→repair→clean walkthrough is an actual scan, not a
|
|
70
|
+
mock. Your repo is never touched. The fabricated "agent" dialogue is gone; when
|
|
71
|
+
gitleaks is absent it shows a clearly-labelled illustration and how to run the
|
|
72
|
+
real sandbox.
|
|
73
|
+
|
|
10
74
|
## [2.13.0] - 2026-06-18
|
|
11
75
|
|
|
12
76
|
### Loop pack — a deterministic Stop-gate for autonomous coding loops
|
package/README.md
CHANGED
|
@@ -16,6 +16,7 @@ finding, and the agent repaired before stopping clean.
|
|
|
16
16
|
<p align="center">
|
|
17
17
|
<img src=".github/assets/loop-stop-gate-demo.gif" width="820" alt="dxkit's Stop-gate blocks a coding-agent loop on a net-new critical dependency vulnerability, the agent bumps the version, and the gate goes clean." />
|
|
18
18
|
</p>
|
|
19
|
+
<p align="center"><sub>Recorded from a real run on a synthetic repo, shortened for readability. Blocked and repaired inside the same warm loop.</sub></p>
|
|
19
20
|
|
|
20
21
|
dxkit does not reinvent detection. It runs trusted open source scanners
|
|
21
22
|
(gitleaks, Semgrep, OSV, npm audit, and more), and it can ingest results from
|
|
@@ -24,13 +25,17 @@ deterministic check, on every stop, of whether this change introduced a new
|
|
|
24
25
|
finding compared with a baseline.
|
|
25
26
|
|
|
26
27
|
```bash
|
|
27
|
-
|
|
28
|
+
npm init @vyuhlabs/dxkit -- --claude-loop --yes # install dxkit + register the Claude Code Stop hook
|
|
29
|
+
npx vyuh-dxkit baseline create # grandfather today's findings
|
|
30
|
+
npx vyuh-dxkit loop doctor # verify the gate is wired
|
|
28
31
|
```
|
|
29
32
|
|
|
30
|
-
|
|
31
|
-
net-new regressions block.
|
|
33
|
+
The gate runs locally with no model: same input, same verdict, in seconds.
|
|
34
|
+
Existing debt stays grandfathered; only net-new regressions block. Want to
|
|
35
|
+
watch the flow first, on a sandbox dxkit creates? See the
|
|
36
|
+
[walkthrough](#see-it-without-touching-your-repo).
|
|
32
37
|
|
|
33
|
-
[
|
|
38
|
+
[Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo)
|
|
34
39
|
|
|
35
40
|
<p>
|
|
36
41
|
<a href="https://www.npmjs.com/package/@vyuhlabs/dxkit"><img alt="npm" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit"></a>
|
|
@@ -76,12 +81,23 @@ Use dxkit if you let coding agents:
|
|
|
76
81
|
## Built on tools you already trust
|
|
77
82
|
|
|
78
83
|
dxkit is an orchestration and enforcement layer, not another scanner. It runs
|
|
79
|
-
established open source tools and treats their output as one stream
|
|
84
|
+
established open source tools and treats their output as one stream. Which tools
|
|
85
|
+
run depends on the languages in your repo — dxkit covers **8 ecosystems**
|
|
86
|
+
(TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby).
|
|
87
|
+
|
|
88
|
+
Universal, on every repo:
|
|
80
89
|
|
|
81
90
|
- secrets: gitleaks
|
|
82
91
|
- code patterns: Semgrep
|
|
83
|
-
- dependency
|
|
84
|
-
-
|
|
92
|
+
- dependency advisories: OSV.dev
|
|
93
|
+
- size, duplication, and the code graph: cloc, jscpd, graphify
|
|
94
|
+
|
|
95
|
+
Per language, dxkit adds that ecosystem's own linter and audit tool — for
|
|
96
|
+
example npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +
|
|
97
|
+
golangci-lint (Go), cargo-audit + clippy (Rust), `dotnet list --vulnerable`
|
|
98
|
+
(C#), osv-scanner + PMD (Java), osv-scanner + detekt (Kotlin), and
|
|
99
|
+
bundler-audit + RuboCop (Ruby). The full per-language matrix is in **Per-pack
|
|
100
|
+
capabilities** below.
|
|
85
101
|
|
|
86
102
|
For deep interprocedural analysis, it ingests findings from **Snyk Code** and
|
|
87
103
|
**CodeQL** (or any SARIF file), fingerprints them the same way as native
|
|
@@ -95,42 +111,38 @@ and inside the agent loop.
|
|
|
95
111
|
| dxkit | baseline, fingerprint matcher, Stop-gate, loop ledger | Decide whether this change introduced something net-new |
|
|
96
112
|
| Agent | Claude Code or another coding loop | Repair the exact finding and try to stop again |
|
|
97
113
|
|
|
98
|
-
##
|
|
99
|
-
|
|
100
|
-
```text
|
|
101
|
-
checkout-service · loop behind the dxkit Stop-gate
|
|
102
|
-
task: add a debounce helper using lodash 4.17.4
|
|
103
|
-
claude ▸ Added a debounce helper using lodash 4.17.4. Done.
|
|
104
|
-
✗ dxkit Stop-gate ▸ BLOCKED: 1 net-new finding
|
|
105
|
-
lodash 4.17.4: critical dependency vuln (GHSA-JF85-CPCP-J695)
|
|
106
|
-
claude ▸ Bumped lodash to 4.17.21 and re-checked. Done.
|
|
107
|
-
✓ dxkit Stop-gate ▸ CLEAN the loop may stop.
|
|
108
|
-
```
|
|
109
|
-
|
|
110
|
-
Recorded from a real run on a synthetic repo, shortened for readability.
|
|
111
|
-
Blocked and repaired inside the same warm loop.
|
|
112
|
-
|
|
113
|
-
## Try it locally
|
|
114
|
+
## Try it on your repo
|
|
114
115
|
|
|
115
|
-
|
|
116
|
+
The Stop hook runs dxkit on every stop, so install dxkit into the repo. This
|
|
117
|
+
one command adds it as a devDependency and registers the hook additively — your
|
|
118
|
+
existing `.claude` settings are preserved:
|
|
116
119
|
|
|
117
120
|
```bash
|
|
118
|
-
|
|
121
|
+
npm init @vyuhlabs/dxkit -- --claude-loop --yes
|
|
122
|
+
npx vyuh-dxkit baseline create # grandfather today's findings
|
|
123
|
+
npx vyuh-dxkit loop doctor # verify the gate is wired safely and dxkit resolves
|
|
124
|
+
# then run Claude Code as you normally would. The Stop-gate fires on every stop.
|
|
125
|
+
npx vyuh-dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired-after-block
|
|
119
126
|
```
|
|
120
127
|
|
|
121
|
-
|
|
122
|
-
|
|
128
|
+
When the agent tries to stop, dxkit runs the net-new gate against the baseline.
|
|
129
|
+
Existing findings are grandfathered; only findings this change introduced block.
|
|
130
|
+
|
|
131
|
+
## See it without touching your repo
|
|
123
132
|
|
|
124
|
-
|
|
133
|
+
Want the flow first, on a sandbox dxkit creates?
|
|
125
134
|
|
|
126
135
|
```bash
|
|
127
|
-
npx @vyuhlabs/dxkit
|
|
128
|
-
npx @vyuhlabs/dxkit baseline create # grandfather today's findings
|
|
129
|
-
npx @vyuhlabs/dxkit loop doctor # verify the gate is wired safely
|
|
130
|
-
# then run Claude Code as you normally would. The Stop-gate fires on every stop.
|
|
131
|
-
npx @vyuhlabs/dxkit loop ledger summarize # afterwards: blocked vs allowed, repaired-after-block
|
|
136
|
+
npx -y @vyuhlabs/dxkit@latest demo loop-guardrail
|
|
132
137
|
```
|
|
133
138
|
|
|
139
|
+
This runs the **real** gate on a temporary fixture repo: baseline → introduce a
|
|
140
|
+
net-new secret → BLOCK → repair → CLEAN, then it tears the fixture down. No API
|
|
141
|
+
key and no Claude Code, and your own repo is never touched. It needs gitleaks
|
|
142
|
+
installed and takes about 20 seconds; without gitleaks it shows a clearly
|
|
143
|
+
labelled illustration instead. (It does a one-time `npx` download, so it is not
|
|
144
|
+
fully offline — the gate itself is.)
|
|
145
|
+
|
|
134
146
|
### Presets: what blocks the loop
|
|
135
147
|
|
|
136
148
|
```text
|
|
@@ -141,25 +153,39 @@ full-debt (opt-in) also gates test gaps and maintainability regressions.
|
|
|
141
153
|
The default is `security-only`. The headline escape-rate benchmark used
|
|
142
154
|
`full-debt` (it gated both the secret trap and the test-gap trap); the default
|
|
143
155
|
install starts narrower so a first run does not trap users in expensive
|
|
144
|
-
test-generation loops. Switch with
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
156
|
+
test-generation loops. Switch with
|
|
157
|
+
`npm init @vyuhlabs/dxkit -- --claude-loop --loop-preset full-debt`.
|
|
158
|
+
|
|
159
|
+
## Give the agent a map, not just a gate
|
|
160
|
+
|
|
161
|
+
The Stop-gate controls what a loop is allowed to ship. The code graph controls
|
|
162
|
+
how the agent does the work in between. When dxkit scaffolds a repo it builds a
|
|
163
|
+
code graph and installs skills that drive real development off it, so the agent
|
|
164
|
+
orients by querying structure instead of grepping and re-reading whole files.
|
|
165
|
+
|
|
166
|
+
- **Build a feature** (`dxkit-feature` skill): query the graph for where the
|
|
167
|
+
feature plugs in, what patterns already exist, and what the change will
|
|
168
|
+
touch, then implement against those patterns and run the analyzers on the
|
|
169
|
+
result before it stops.
|
|
170
|
+
- **Fix a finding** (`dxkit-action` skill): take a flagged finding, pull its
|
|
171
|
+
callers, callees, and blast radius from the graph, repair it, and confirm the
|
|
172
|
+
change did not introduce something net-new.
|
|
173
|
+
|
|
174
|
+
The agent gets callers, callees, and blast radius up front as a budget-bounded
|
|
175
|
+
slice, not a pile of file reads. It is the same graph, the same baseline, and
|
|
176
|
+
the same identity contract the gate already uses.
|
|
177
|
+
|
|
178
|
+
What the benchmarks actually show is predictable spend, not guaranteed cheaper
|
|
179
|
+
spend. On a large repo the median was roughly tied, the worst-case session used
|
|
180
|
+
about **57% fewer tokens**, and the variance was **roughly halved**. On a small
|
|
181
|
+
repo the overhead was about zero. The graph caps the expensive tail. It does
|
|
182
|
+
not promise a lower average, and it does not make the agent write better code on
|
|
183
|
+
its own.
|
|
158
184
|
|
|
159
185
|
This is a different axis from detection. Snyk, SonarQube, and CodeQL tell you
|
|
160
186
|
what is wrong. They do not give the agent a map of the code or bound how much it
|
|
161
187
|
spends finding its way around. dxkit does both: the gate bounds what the loop
|
|
162
|
-
ships, the graph bounds
|
|
188
|
+
ships, the graph bounds how the loop works.
|
|
163
189
|
|
|
164
190
|
## The numbers
|
|
165
191
|
|
|
@@ -178,7 +204,7 @@ predictable.
|
|
|
178
204
|
> dxkit catches every possible bug. The claim is narrower: for findings the
|
|
179
205
|
> detector observes, dxkit gives the loop a deterministic net-new stop decision.
|
|
180
206
|
|
|
181
|
-
Full methodology,
|
|
207
|
+
Full methodology, reproducibility notes, artifact status, and caveats are in
|
|
182
208
|
**[docs/benchmarks.md](docs/benchmarks.md)**.
|
|
183
209
|
|
|
184
210
|
## What dxkit is, and is not
|
|
@@ -219,11 +245,28 @@ at the speed of the agent loop.
|
|
|
219
245
|
The same deterministic core powers the rest of dxkit: pre-push and CI
|
|
220
246
|
guardrails, brownfield baselines, durable finding identity, SARIF, CodeQL, and
|
|
221
247
|
Snyk ingest, a six-dimension health report, code-graph context, and a set of
|
|
222
|
-
Claude Code skills.
|
|
223
|
-
|
|
248
|
+
Claude Code skills. See **[the docs](docs/README.md)**.
|
|
249
|
+
|
|
250
|
+
## Languages
|
|
251
|
+
|
|
252
|
+
dxkit covers 8 ecosystems. Detection is automatic from your manifests and
|
|
253
|
+
source; each language brings its own native linter, dependency-audit tool, and
|
|
254
|
+
coverage parser, layered on the universal scanners (gitleaks, Semgrep, OSV,
|
|
255
|
+
cloc, jscpd, graphify).
|
|
256
|
+
|
|
257
|
+
| Language | Detected by | Native linter + audit |
|
|
258
|
+
| ----------------------- | --------------------------- | ----------------------------------------- |
|
|
259
|
+
| TypeScript / JavaScript | `package.json` | ESLint, npm audit |
|
|
260
|
+
| Python | `pyproject.toml`, `*.py` | ruff, pip-audit |
|
|
261
|
+
| Go | `go.mod` | golangci-lint, govulncheck |
|
|
262
|
+
| Rust | `Cargo.toml` | clippy, cargo-audit |
|
|
263
|
+
| C# / .NET | `*.csproj`, `*.sln` | dotnet-format, `dotnet list --vulnerable` |
|
|
264
|
+
| Java | `pom.xml`, `src/main/java/` | PMD, osv-scanner |
|
|
265
|
+
| Kotlin | `*.gradle{.kts,}`, `*.kt` | detekt, osv-scanner |
|
|
266
|
+
| Ruby | `Gemfile`, `*.rb` | RuboCop, bundler-audit |
|
|
224
267
|
|
|
225
268
|
<details>
|
|
226
|
-
<summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
|
|
269
|
+
<summary><strong>Per-pack capabilities</strong> — coverage import, import-graph, severity tiers (click to expand)</summary>
|
|
227
270
|
|
|
228
271
|
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
229
272
|
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
@@ -248,18 +291,21 @@ so it does not inflate the Code Quality score.
|
|
|
248
291
|
|
|
249
292
|
</details>
|
|
250
293
|
|
|
251
|
-
## Reproduce the
|
|
294
|
+
## Reproduce the deterministic tier
|
|
252
295
|
|
|
253
|
-
The deterministic
|
|
296
|
+
The deterministic results — the net-new gate decision and the finding-identity
|
|
297
|
+
matcher — reproduce offline, so you do not have to trust our numbers. This is
|
|
298
|
+
separate from the agentic benchmark, which requires running real agent sessions.
|
|
299
|
+
The harnesses live in `benchmarks/`:
|
|
254
300
|
|
|
255
301
|
```bash
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
npx @vyuhlabs/dxkit loop doctor
|
|
302
|
+
node benchmarks/bench-guardrail.mjs config.json # block/allow on seeded findings
|
|
303
|
+
node benchmarks/bench-netnew-isolation.mjs config.json # net-new isolation under churn
|
|
304
|
+
node benchmarks/bench-matcher.mjs config.json # false net-new on line shifts + renames
|
|
260
305
|
```
|
|
261
306
|
|
|
262
|
-
|
|
307
|
+
See `benchmarks/README.md` to point them at a repo, and the full methodology,
|
|
308
|
+
caveats, and artifact status in **[docs/benchmarks.md](docs/benchmarks.md)**.
|
|
263
309
|
|
|
264
310
|
## Credits
|
|
265
311
|
|
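--- a/package/dist/allowlist/hint.d.ts
+++ b/package/dist/allowlist/hint.d.ts
@@ -11,7 +11,7 @@
 * 2. **Inline example** — the exact annotation comment to paste
 * when the finding has a stable single-line attachment point
 * and the chosen category is inline-compatible.
-* 3. **CLI command** — the exact `
+* 3. **CLI command** — the exact `vyuh-dxkit allowlist add`
 * invocation that handles the mutation without the developer
 * typing annotation syntax.
 *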
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hint.d.ts","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGxE,OAAO,EAKL,KAAK,iBAAiB,EACvB,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"hint.d.ts","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGxE,OAAO,EAKL,KAAK,iBAAiB,EACvB,MAAM,cAAc,CAAC;AAUtB,MAAM,WAAW,SAAS;IACxB,yDAAyD;IACzD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;oBAEgB;IAChB,QAAQ,CAAC,oBAAoB,EAAE,SAAS,iBAAiB,EAAE,CAAC;IAC5D;;;mCAG+B;IAC/B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC,4DAA4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B;;;4CAGwC;IACxC,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC;IAChC;2DACuD;IACvD,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,aAAa,EAAE,QAAQ,CAAC,EAAE,eAAe,GAAG,SAAS,CAyB3F;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,MAAM,CAwFlE"}
|
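--- a/package/dist/allowlist/hint.js
+++ b/package/dist/allowlist/hint.js
@@ -12,7 +12,7 @@
 * 2. **Inline example** — the exact annotation comment to paste
 * when the finding has a stable single-line attachment point
 * and the chosen category is inline-compatible.
-* 3. **CLI command** — the exact `
+* 3. **CLI command** — the exact `vyuh-dxkit allowlist add`
 * invocation that handles the mutation without the developer
 * typing annotation syntax.
 *
@@ -75,11 +75,12 @@ const sanitize_1 = require("../baseline/sanitize");
 const languages_1 = require("../languages");
 const categories_1 = require("./categories");
 const inline_1 = require("./inline");
+const self_invocation_1 = require("../self-invocation");
 /**
 * Subcommand string used in every `cliCommand` rendered by this
 * module. One place to update if the subcommand ever renames.
 */
-const ALLOWLIST_ADD_CMD = '
+const ALLOWLIST_ADD_CMD = (0, self_invocation_1.dxkitCli)('allowlist add');
 /**
 * Build the structured block-time hint from a baseline entry.
 * Pure function — no IO, no side effects. The caller renders the
@@ -135,7 +136,9 @@ function remediationFor(kind) {
 'possible rather than in source.');
 case 'dep-vuln':
 return ('Upgrade the vulnerable dependency to the patched version. Run ' +
-'`
+'`' +
+(0, self_invocation_1.dxkitCli)('vulnerabilities') +
+'` to see the suggested install command ' +
 'for this ecosystem.');
 case 'duplication':
 return ('Extract the duplicated logic into a shared helper or accept the ' +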
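Review bot: The header comment above `ALLOWLIST_ADD_CMD` still calls it the "Subcommand string used in every `cliCommand`", but the new line binds it to the full invocation returned by `dxkitCli('allowlist add')`, so the comment now understates what the constant holds and where its prefix comes from; I would reword it to `* Full CLI invocation (prefix from dxkitCli in ../self-invocation, subcommand 'allowlist add') used in every cliCommand rendered by this module.` Because that call runs once at module load, whatever dxkitCli decides (presumably whether to emit an npx form or the bare binary — not visible here) is frozen at require time, whereas the same helper is invoked lazily inside `remediationFor` for the 'dep-vuln' case; a one-line comment stating which of the two the module intends, or computing the constant lazily for consistency, would remove the ambiguity. The 'dep-vuln' branch now builds its backticked command from three concatenated pieces; in the TypeScript source this is compiled from (src/allowlist/hint.ts per the sourcemap), a template literal would read more clearly.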
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hint.js","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"hint.js","sourceRoot":"","sources":["../../src/allowlist/hint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DH,0CAyBC;AAQD,wCAwFC;AAjLD,2CAA6B;AAC7B,mDAAmD;AAEnD,4CAAyC;AAEzC,6CAMsB;AACtB,qCAA4C;AAC5C,wDAA8C;AAE9C;;;GAGG;AACH,MAAM,iBAAiB,GAAG,IAAA,0BAAQ,EAAC,eAAe,CAAC,CAAC;AA0BpD;;;;;;;;;;GAUG;AACH,SAAgB,eAAe,CAAC,KAAoB,EAAE,QAA0B;IAC9E,MAAM,oBAAoB,GAAG,+BAAkB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5D,MAAM,0BAA0B,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnE,yCAA4B,CAAC,GAAG,CAAC,CAAC,CAAC,CACpC,CAAC;IACF,MAAM,aAAa,GACjB,CAAC,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,0BAA0B,CAAC,MAAM,KAAK,CAAC,CAAC;IAEtF,MAAM,mBAAmB,GAAG,0BAA0B,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,kBAAkB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;IAChE,MAAM,aAAa,GAAG,kBAAkB,CAAC,oBAAoB,CAAC,CAAC;IAE/D,kEAAkE;IAClE,wDAAwD;IACxD,KAAK,QAAQ,CAAC;IAEd,OAAO;QACL,WAAW,EAAE,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC;QACvC,oBAAoB;QACpB,aAAa;QACb,UAAU;QACV,aAAa;QACb,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,IAA2B;IACxD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ,CAAC;QACd,KAAK,aAAa;YAChB,OAAO,CACL,8EAA8E;gBAC9E,4EAA4E;gBAC5E,qEAAqE,CACtE,CAAC;QACJ,KAAK,MAAM;YACT,OAAO,CACL,6EAA6E;gBAC7E,6EAA6E;gBAC7E,wDAAwD,CACzD,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO,CACL,+DAA+D;gBAC/D,oEAAoE;gBACpE,uEAAuE;gBACvE,iCAAiC,CAClC,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,gEAAgE;gBAChE,GAAG;gBACH,IAAA,0BAAQ,EAAC,iBAAiB,CAAC;gBAC3B,yCAAyC;gBACzC,qBAAqB,CACtB,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO,CACL,kEAAkE;gBAClE,uDAAuD;gBACvD,wEAAwE,CACzE,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,CACL,gEAAgE;gBAChE,sEAAsE;gBACtE,kEAAkE,CACnE,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,sEAAsE;gBACtE,iEAAiE;gBACjE,sCAAsC,CACvC,CAAC;QACJ,KAAK,uBAAuB;YAC1B,OAAO,CACL,0EAA0E;gBAC1E,yEAAyE;gBACzE,0DAA0D,CAC3D,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO,CACL,uEAAuE;gBACvE,0EAA0E;gBAC1E,yEAAyE;gBACzE,+BAA+B,CAChC,CAAC;QACJ,KAAK,UAAU;YACb,OAAO,CACL,yEAAyE;gBACzE,uEAAuE;gBACvE,
yEAAyE;gBACzE,+BAA+B,CAChC,CAAC;QACJ,KAAK,YAAY;YACf,OAAO,CACL,+DAA+D;gBAC/D,gEAAgE;gBAChE,uDAAuD,CACxD,CAAC;QACJ,KAAK,YAAY;YACf,OAAO,CACL,wEAAwE;gBACxE,wEAAwE;gBACxE,+CAA+C,CAChD,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO,CACL,iEAAiE;gBACjE,mEAAmE;gBACnE,sEAAsE;gBACtE,mCAAmC,CACpC,CAAC;IACN,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E;;;;;;;;;;GAUG;AACH,SAAS,YAAY,CAAC,KAAoB;IACxC,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ,CAAC;QACd,KAAK,SAAS,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAChD,KAAK,cAAc,CAAC;QACpB,KAAK,UAAU,CAAC;QAChB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAC9B,KAAK,aAAa,CAAC;QACnB,KAAK,UAAU,CAAC;QAChB,KAAK,aAAa;YAChB,OAAO,EAAE,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,KAAK,MAAM,IAAI,IAAI,qBAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACvD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAoB,EACpB,mBAAkD;IAElD,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,IAAI,CAAC,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAC/D,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1D,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa;QAAE,OAAO,SAAS,CAAC;IACnD,OAAO,IAAA,yBAAgB,EAAC,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,EAAE,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,eAAe,CACtB,KAAoB,EACpB,oBAAkD;IAElD,MAAM,aAAa,GAAG,oBAAoB,CAAC,CAAC,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,6BAA6B,CAAC;IAChD,MAAM,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,cAAc,aAAa,EAAE,CAAC,CAAC,CAAC,uBAAuB,CAAC;IAC5F,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAEhC,oEAAoE;IACpE,oEAAoE;IA
CpE,EAAE;IACF,qEAAqE;IACrE,kEAAkE;IAClE,qDAAqD;IACrD,iEAAiE;IACjE,kEAAkE;IAClE,kDAAkD;IAClD,IAAI,oCAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAClF,OAAO,GAAG,iBAAiB,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;IACpF,CAAC;IACD,OAAO,GAAG,iBAAiB,kBAAkB,KAAK,CAAC,EAAE,WAAW,KAAK,CAAC,IAAI,IAAI,WAAW,IAAI,SAAS,EAAE,CAAC;AAC3G,CAAC;AAED,SAAS,kBAAkB,CACzB,oBAAkD;IAElD,MAAM,mBAAmB,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gCAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACzF,IAAI,CAAC,mBAAmB;QAAE,OAAO,SAAS,CAAC;IAC3C,OAAO,CACL,2EAA2E;QAC3E,iFAAiF;QACjF,yCAAyC,CAC1C,CAAC;AACJ,CAAC"}
|
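--- a/package/dist/cli.d.ts.map
+++ b/package/dist/cli.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AA8RA,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAy4DvD"}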
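--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -49,6 +49,7 @@ const report_date_1 = require("./analyzers/tools/report-date");
 const fail_on_1 = require("./fail-on");
 const report_schema_1 = require("./report-schema");
 const ship_installers_1 = require("./ship-installers");
+const self_invocation_1 = require("./self-invocation");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 // process.stdout.write returns false when the OS pipe buffer is full
@@ -136,7 +137,7 @@ function applyFailOnSeverity(raw, counts, countsLabel) {
 }
 function printUsage() {
 console.log(`
-${logger.bold('vyuh-dxkit')} v${constants_1.VERSION} —
+${logger.bold('vyuh-dxkit')} v${constants_1.VERSION} — a Stop-gate for autonomous coding loops that blocks net-new findings
 
 ${logger.bold('Usage:')}
 vyuh-dxkit init [options] Install dxkit agent DX in this repo
@@ -277,11 +278,11 @@ function printUsage() {
 Applies to: vulnerabilities, bom.
 
 ${logger.bold('Examples:')}
-
-
-
-
-
+${(0, self_invocation_1.dxkitCli)('init')} # Interactive
+${(0, self_invocation_1.dxkitCli)('init --detect')} # Auto-detect, just DX
+${(0, self_invocation_1.dxkitCli)('init --full --yes')} # Everything, no prompts
+${(0, self_invocation_1.dxkitCli)('init --detect --stealth')} # Local-only, not committed
+${(0, self_invocation_1.dxkitCli)('update')} # Re-generate from manifest
 `);
 }
 async function run(argv) {
@@ -545,12 +546,18 @@ async function run(argv) {
 result: (0, ship_installers_1.installCiDeepSastRefresh)(cwd, { force: !!values.force }),
 });
 }
-// dxkit must resolve project-locally
-//
-//
-//
-//
-
+// dxkit must resolve project-locally so every installed self-invocation
+// surface (Stop hook, context-hook, pre-push + CI guardrail) can run a
+// pinned dxkit instead of 404-ing. The set of surfaces that imply this
+// is derived from the one registry in src/self-invocation.ts — never a
+// hand-maintained flag chain, which is what once dropped the loop Stop
+// hook. No-ops for non-Node repos and when the dep is already declared.
+if ((0, self_invocation_1.requiresResolvableCli)({
+claudeSettings: wantDxkitAgents,
+claudeLoop: wantClaudeLoop,
+gitHooks: wantHooks,
+ciGuardrails: wantCi,
+})) {
 shipResults.push({
 label: 'dxkit devDependency',
 result: (0, ship_installers_1.installDxkitDevDependency)(cwd, { force: !!values.force }),
@@ -1554,7 +1561,7 @@ async function run(argv) {
 if (missing.length > 0) {
 logger.warn(`${missing.length} scanner(s) not detected: ${missing.map((m) => m.tool).join(', ')}`);
 logger.dim(' Findings in these categories will NOT be captured in the baseline.');
-logger.dim(' Install with `
+logger.dim(' Install with `' + (0, self_invocation_1.dxkitCli)('tools install') + '`, or if a tool IS installed but');
 logger.dim(' not detected, point dxkit at it via .dxkit/tools.json (ask Claude: "fix dxkit").');
 // `--force` is an explicit "overwrite, non-interactive, I know
 // what I'm doing" signal — and the shipped baseline-refresh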
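Review bot: The new comment block above `requiresResolvableCli(...)` promises that the devDependency step installs a "pinned dxkit" and is a no-op for non-Node repos and when the dependency is already declared, but the visible call `installDxkitDevDependency(cwd, { force: !!values.force })` shows none of that — the guard, the version written, and what `force` does to an existing declaration all live in ship-installers.js, outside this hunk. Because this dependency is what the Stop hook, context hook, pre-push and CI guardrails execute on every run, I would extend the comment to state which version is pinned (presumably the running `constants_1.VERSION` as an exact rather than caret range — to confirm against ship-installers) and whether `--force` rewrites a version the repo already pins, so a reader can judge the supply-chain exposure without opening the other file. The enclosing `run()` starts and ends outside the hunk. In the `printUsage` hunk the five examples now go through `dxkitCli(...)`, but the usage lines above them (`vyuh-dxkit init [options] ...` at new line 143) still hard-code the bare binary name, so `--help` will show two spellings of the same command whenever dxkitCli emits an npx form; routing those lines through the same helper would keep the banner consistent with the changelog's "one canonical CLI invocation" goal.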