@vyuhlabs/dxkit 2.21.2 → 2.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (114) hide show
  1. package/CHANGELOG.md +94 -0
  2. package/dist/analyzers/correctness/run.d.ts +79 -0
  3. package/dist/analyzers/correctness/run.d.ts.map +1 -0
  4. package/dist/analyzers/correctness/run.js +173 -0
  5. package/dist/analyzers/correctness/run.js.map +1 -0
  6. package/dist/analyzers/correctness/surface-run.d.ts +73 -0
  7. package/dist/analyzers/correctness/surface-run.d.ts.map +1 -0
  8. package/dist/analyzers/correctness/surface-run.js +142 -0
  9. package/dist/analyzers/correctness/surface-run.js.map +1 -0
  10. package/dist/analyzers/correctness/surface.d.ts +69 -0
  11. package/dist/analyzers/correctness/surface.d.ts.map +1 -0
  12. package/dist/analyzers/correctness/surface.js +281 -0
  13. package/dist/analyzers/correctness/surface.js.map +1 -0
  14. package/dist/analyzers/flow/config.d.ts +10 -0
  15. package/dist/analyzers/flow/config.d.ts.map +1 -1
  16. package/dist/analyzers/flow/config.js +29 -0
  17. package/dist/analyzers/flow/config.js.map +1 -1
  18. package/dist/analyzers/flow/contract.d.ts +12 -0
  19. package/dist/analyzers/flow/contract.d.ts.map +1 -1
  20. package/dist/analyzers/flow/contract.js +20 -0
  21. package/dist/analyzers/flow/contract.js.map +1 -1
  22. package/dist/analyzers/flow/diagnose.d.ts +62 -0
  23. package/dist/analyzers/flow/diagnose.d.ts.map +1 -0
  24. package/dist/analyzers/flow/diagnose.js +120 -0
  25. package/dist/analyzers/flow/diagnose.js.map +1 -0
  26. package/dist/analyzers/flow/publish.d.ts +47 -0
  27. package/dist/analyzers/flow/publish.d.ts.map +1 -0
  28. package/dist/analyzers/flow/publish.js +146 -0
  29. package/dist/analyzers/flow/publish.js.map +1 -0
  30. package/dist/analyzers/flow/setup.d.ts +71 -0
  31. package/dist/analyzers/flow/setup.d.ts.map +1 -0
  32. package/dist/analyzers/flow/setup.js +136 -0
  33. package/dist/analyzers/flow/setup.js.map +1 -0
  34. package/dist/cli.d.ts.map +1 -1
  35. package/dist/cli.js +129 -6
  36. package/dist/cli.js.map +1 -1
  37. package/dist/doctor.d.ts +7 -0
  38. package/dist/doctor.d.ts.map +1 -1
  39. package/dist/doctor.js +38 -1
  40. package/dist/doctor.js.map +1 -1
  41. package/dist/flow-cli.d.ts +10 -0
  42. package/dist/flow-cli.d.ts.map +1 -1
  43. package/dist/flow-cli.js +46 -0
  44. package/dist/flow-cli.js.map +1 -1
  45. package/dist/generator.d.ts.map +1 -1
  46. package/dist/generator.js +6 -0
  47. package/dist/generator.js.map +1 -1
  48. package/dist/languages/capabilities/correctness.d.ts +54 -0
  49. package/dist/languages/capabilities/correctness.d.ts.map +1 -0
  50. package/dist/languages/capabilities/correctness.js +20 -0
  51. package/dist/languages/capabilities/correctness.js.map +1 -0
  52. package/dist/languages/csharp.d.ts.map +1 -1
  53. package/dist/languages/csharp.js +84 -0
  54. package/dist/languages/csharp.js.map +1 -1
  55. package/dist/languages/go.d.ts.map +1 -1
  56. package/dist/languages/go.js +51 -0
  57. package/dist/languages/go.js.map +1 -1
  58. package/dist/languages/index.d.ts +11 -0
  59. package/dist/languages/index.d.ts.map +1 -1
  60. package/dist/languages/index.js +12 -0
  61. package/dist/languages/index.js.map +1 -1
  62. package/dist/languages/java.d.ts.map +1 -1
  63. package/dist/languages/java.js +12 -0
  64. package/dist/languages/java.js.map +1 -1
  65. package/dist/languages/jvm-build.d.ts +54 -0
  66. package/dist/languages/jvm-build.d.ts.map +1 -0
  67. package/dist/languages/jvm-build.js +245 -0
  68. package/dist/languages/jvm-build.js.map +1 -0
  69. package/dist/languages/kotlin.d.ts.map +1 -1
  70. package/dist/languages/kotlin.js +13 -0
  71. package/dist/languages/kotlin.js.map +1 -1
  72. package/dist/languages/python.d.ts.map +1 -1
  73. package/dist/languages/python.js +78 -0
  74. package/dist/languages/python.js.map +1 -1
  75. package/dist/languages/ruby.d.ts.map +1 -1
  76. package/dist/languages/ruby.js +64 -0
  77. package/dist/languages/ruby.js.map +1 -1
  78. package/dist/languages/rust.d.ts.map +1 -1
  79. package/dist/languages/rust.js +110 -0
  80. package/dist/languages/rust.js.map +1 -1
  81. package/dist/languages/types.d.ts +20 -0
  82. package/dist/languages/types.d.ts.map +1 -1
  83. package/dist/languages/typescript.d.ts.map +1 -1
  84. package/dist/languages/typescript.js +109 -0
  85. package/dist/languages/typescript.js.map +1 -1
  86. package/dist/loop/floor-gate.d.ts +54 -0
  87. package/dist/loop/floor-gate.d.ts.map +1 -0
  88. package/dist/loop/floor-gate.js +157 -0
  89. package/dist/loop/floor-gate.js.map +1 -0
  90. package/dist/loop/floor-state.d.ts +66 -0
  91. package/dist/loop/floor-state.d.ts.map +1 -0
  92. package/dist/loop/floor-state.js +138 -0
  93. package/dist/loop/floor-state.js.map +1 -0
  94. package/dist/loop/stop-gate.d.ts +2 -1
  95. package/dist/loop/stop-gate.d.ts.map +1 -1
  96. package/dist/loop/stop-gate.js +44 -6
  97. package/dist/loop/stop-gate.js.map +1 -1
  98. package/dist/prompts.d.ts +15 -0
  99. package/dist/prompts.d.ts.map +1 -1
  100. package/dist/prompts.js +66 -0
  101. package/dist/prompts.js.map +1 -1
  102. package/dist/workspace.d.ts +52 -0
  103. package/dist/workspace.d.ts.map +1 -0
  104. package/dist/workspace.js +130 -0
  105. package/dist/workspace.js.map +1 -0
  106. package/package.json +1 -1
  107. package/templates/.claude/skills/dxkit-config/SKILL.md +14 -0
  108. package/templates/.claude/skills/dxkit-fix/SKILL.md +2 -0
  109. package/templates/.claude/skills/dxkit-flow/SKILL.md +83 -0
  110. package/templates/.claude/skills/dxkit-hooks/SKILL.md +1 -1
  111. package/templates/.claude/skills/dxkit-init/SKILL.md +5 -0
  112. package/templates/.claude/skills/dxkit-onboard/SKILL.md +2 -0
  113. package/templates/.githooks/pre-push +10 -0
  114. package/templates/.github/workflows/dxkit-guardrails.yml +17 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vyuhlabs/dxkit",
3
- "version": "2.21.2",
3
+ "version": "2.23.0",
4
4
  "description": "A deterministic stop condition and code-graph context layer for AI coding agents: gives agents a code graph to make changes, then blocks only net-new detector-backed regressions at the stop boundary, with no model in the gate.",
5
5
  "license": "MIT",
6
6
  "author": "Vyuh Labs",
@@ -126,6 +126,20 @@ A repo running autonomous coding loops behind the dxkit Stop-gate has a **loop-o
126
126
 
127
127
  This key is read **only by the Stop-gate** (`vyuh-dxkit hook stop-gate`) — your CI / PR guardrail always uses the full policy above, so changing the loop posture never weakens your CI gate. Edit it here, or run `npx vyuh-dxkit init --claude-loop --loop-preset full-debt`. Use `full-debt` only when you deliberately want an unattended loop to also close test/quality gaps (it can drive a long repair). For setting up or operating the loop, hand off to the **dxkit-loop** skill.
128
128
 
129
+ ### Switching the flow-gate posture (`flow.mode`)
130
+
131
+ The UI→API integration gate has its own posture under `flow.mode` in the same file:
132
+
133
+ ```jsonc
134
+ { "flow": { "mode": "warn" } } // warn (default) | block | off
135
+ ```
136
+
137
+ - `warn` — surface net-new broken integrations as warnings, never fail a build.
138
+ - `block` — fail the check on an exact break (confidence-gated: only fully-specified bindings block).
139
+ - `off` — the gate does not run.
140
+
141
+ The gate is additive and fail-open: it only fires when a change touches a client call / route / spec, and self-skips when there is no served-side truth to check against. Set it up with `npx vyuh-dxkit init --flow`, or hand off to the **dxkit-flow** skill for setup / diagnosis / repair.
142
+
129
143
  ## Configuring deep-SAST ingestion (`.vyuh-dxkit.json:deepSast`)
130
144
 
131
145
  dxkit's bundled SAST is intraprocedural; interprocedural findings (path traversal, info exposure, SSRF, injection) come from an external engine (Snyk Code or CodeQL) ingested via the `dxkit-ingest` skill. Persist the engine + Snyk project once so `ingest --from-snyk` needs no flags:
@@ -18,6 +18,8 @@ The skill consumes `npx vyuh-dxkit doctor --json` output. Doctor returns a struc
18
18
 
19
19
  The skill iterates `summary.fixable[]`, asks the customer for confirmation on each fix (with the command shown), runs it, then re-runs doctor at the end to verify everything closed.
20
20
 
21
+ Doctor also carries an optional top-level `flow` field when the repo has a UI→API surface — a diagnosis of the integration contract (unresolved client calls with reasons + suggestions, served routes nobody consumes, and how the served side is resolved). This is **diagnostic, not an install fix**: it does not appear in `summary.fixable[]`, and dxkit-fix leaves it alone. It surfaces contract health (e.g. a call to a route no backend serves) rather than a broken-install signal.
22
+
21
23
  ## The repair loop
22
24
 
23
25
  ```
@@ -0,0 +1,83 @@
1
+ ---
2
+ name: dxkit-flow
3
+ description: Configure, diagnose, and repair the dxkit UI→API integration gate — set up flow gating, explain the flow-contract diagnosis, fix a net-new broken integration a guardrail flagged, and run the cross-repo handshake. Use when the user says "set up the flow gate", "why is this call unresolved", "the guardrail says I broke an integration", "a route was removed but something still calls it", "wire up flow across repos", "publish the flow contract", or anything about the UI→API integration gate.
4
+ ---
5
+
6
+ # dxkit-flow
7
+
8
+ This skill owns the **UI→API integration gate**: dxkit statically reconstructs which client calls (`METHOD url`) bind to which server routes, and fails a PR that net-new breaks one — a frontend call to an endpoint no backend serves, or a removed route a consumer still calls.
9
+
10
+ It is **thin orchestration over the deterministic CLI.** It never re-implements extraction: it runs `init` / `doctor` / `guardrail check` / `flow publish`, reads their structured output, and supplies judgment + code edits. The determinism stays in the CLI; the agent supplies the reasoning.
11
+
12
+ ## Modes
13
+
14
+ Pick the mode from what the user is doing. They share context — a fix often starts from a diagnose.
15
+
16
+ ### setup — turn the gate on
17
+
18
+ Flow setup is folded into `init`; **there is no `flow init` command.**
19
+
20
+ - Fresh or re-run: `npx vyuh-dxkit init --flow` (forces `warn` posture, no prompt) or plain `npx vyuh-dxkit init` (interactive — it detects a UI→API surface and asks for the posture). If the repo has no client calls / routes, init stays silent; there is nothing to gate.
21
+ - The posture lives in `.dxkit/policy.json:flow.mode`:
22
+ - `warn` — surfaces net-new breaks as warnings, never fails a build (the default; good for adoption).
23
+ - `block` — fails the check on an exact break (confidence-gated: only fully-specified bindings block).
24
+ - `off` — scaffold config only, do not gate.
25
+ - To change it later, edit `flow.mode` (or defer to **dxkit-config**).
26
+
27
+ ### diagnose — read the contract's current state
28
+
29
+ `doctor` carries the flow diagnosis; **there is no `flow doctor` command.**
30
+
31
+ ```
32
+ npx vyuh-dxkit doctor --json → read the top-level `flow` field
33
+ ```
34
+
35
+ `flow` (when the repo has a UI→API surface) contains:
36
+ - `topology` (monorepo / consumer-only / provider-only), `calls`, `routes`, `resolved`
37
+ - `unresolved[]` — each `{ method, path, reason, suggestion, file, line }`. `reason` is `no-route` / `external` / `placeholder-only`; `suggestion` is `add-route` / `configure-participant` / `adopt-spec` / `annotate`.
38
+ - `servedUnconsumed[]` — served routes no in-repo call hits (dead route, or a cross-repo consumer).
39
+ - `connection.rung` — how the served side is resolved (`monorepo` / `committed-counterpart` / `configured-participants` / `unresolved`).
40
+
41
+ Walk the `unresolved` tail and, per item, act on its `suggestion`: add the missing route, configure a participant (handshake mode), adopt a spec, or annotate an intentional external call.
42
+
43
+ ### fix — repair a net-new broken integration ⭐
44
+
45
+ When a guardrail check (or the loop Stop-gate) reports a flow block, read it:
46
+
47
+ ```
48
+ npx vyuh-dxkit guardrail check --json → read `flowGate.findings[]`
49
+ ```
50
+
51
+ Each finding is `{ method, path, file, line, reason, verdict }`. `reason` is `no-route` (a call to nothing) or `route-removed` (a served route the PR deleted, still consumed). For each:
52
+
53
+ 1. Explain it in one line: which call, which route, what the PR changed.
54
+ 2. Propose the **repair** — restore the removed route, update the consumer to the new route, or (only if genuinely intentional) add an explicit annotation / a per-finding allowlist entry that a human reviews.
55
+
56
+ **Load-bearing safety rule — repair, never suppress.** Fix the integration; do not clear the block by refreshing the baseline or silently allowlisting the finding. An intentional break requires an explicit, reviewed acceptance, never a quiet re-baseline. This mirrors the loop discipline (do NOT refresh the baseline to clear a block) and is what keeps the gate honest when an agent is the one clearing it.
57
+
58
+ ### handshake — gate across repos
59
+
60
+ When the provider a call targets lives in another repo, the gate needs that repo's served contract. Two ways, both landing in `.dxkit/flow/served.json` (which the gate reads offline):
61
+
62
+ - **Committed counterpart** — the provider commits its own `served.json`; this repo vendors it. Fully offline, diff-reviewable.
63
+ - **Workspace participants** — declare the services in `.dxkit/workspace.json` (`participants[]` with a local `path` and optional `ref`), then:
64
+
65
+ ```
66
+ npx vyuh-dxkit flow publish → unions every participant's served routes into this repo's served.json
67
+ ```
68
+
69
+ `flow refresh` writes just this repo's snapshots; `flow publish` unions the whole mesh so this repo resolves calls to services it does not co-locate. Commit the result.
70
+
71
+ ## What lives where
72
+
73
+ | Artifact | Role |
74
+ |---|---|
75
+ | `.dxkit/policy.json:flow` | posture (`mode`) + URL strip-prefixes + specs |
76
+ | `.dxkit/workspace.json` | the participants (name, path, ref, base URLs) of a multi-repo system |
77
+ | `.dxkit/flow/served.json` / `consumed.json` | the committed contract snapshots the gate reads |
78
+
79
+ ## Boundaries
80
+
81
+ - WHETHER to gate + posture → this skill (setup) or **dxkit-config**.
82
+ - A broken integration found during a PR → this skill (fix). If it surfaced through the loop Stop-gate, **dxkit-loop** explains the block; the repair is here.
83
+ - Do not use this skill to re-extract flow by hand or to write CSVs — that is the CLI's job.
@@ -13,7 +13,7 @@ This skill handles the git-hook surface dxkit ships. Use it to install hooks, de
13
13
 
14
14
  `.githooks/pre-commit` (opt-in via `--with-precommit-hook`) — same guardrail check but on every commit. Slower on large repos (~1-3 min on 500+ file repos). Not in `--full` by default because the wall-clock cost gates adoption.
15
15
 
16
- Both run `npx vyuh-dxkit guardrail check`. The check exits 1 (blocking) on net-new findings vs. the baseline.
16
+ Both run `npx vyuh-dxkit guardrail check`. The check exits 1 (blocking) on net-new findings vs. the baseline. The same check also runs the **flow integration gate** — a net-new broken UI→API integration (a call to an endpoint no backend serves, or a removed route a consumer still calls) blocks or warns per `.dxkit/policy.json:flow.mode`. To set up, diagnose, or repair that gate, hand off to the **dxkit-flow** skill.
17
17
 
18
18
  ## Installation
19
19
 
@@ -29,9 +29,14 @@ Ask the user what they want, then pick the right invocation:
29
29
  | `--with-baseline-refresh` | `.github/workflows/dxkit-baseline-refresh.yml` (post-merge regen) | Yes |
30
30
  | `--with-pr-review` | `.github/workflows/pr-review.yml` (AI PR review; needs `ANTHROPIC_API_KEY`) | No (still opt-in) |
31
31
  | `--claude-loop` | Stop-gate hook for autonomous loops (additive merge into `.claude/settings.json` + CLAUDE.md); implies the dxkit skills. Pair with `--loop-preset security-only\|full-debt` | No (opt-in — registers a hook that blocks the agent from stopping) |
32
+ | `--flow` / `--no-flow` | Set up / suppress the UI→API integration gate. When `init` detects a UI→API surface it offers this automatically (interactive prompt for the posture); `--flow` forces it on with `warn`, `--no-flow` skips it. There is **no standalone `flow init`** — flow setup lives inside `init`. | Auto-offered when a UI→API surface is detected (silent otherwise) |
32
33
 
33
34
  `--yes` accepts all prompts; `--force` overwrites existing files instead of writing `.dxkit` sidecars on conflict.
34
35
 
36
+ ### The flow step (auto-detected)
37
+
38
+ When `init` finds client HTTP calls and/or server routes, it offers the **integration gate**: a PR that breaks a UI→API binding (a call to an endpoint no backend serves, or a removed route a consumer still calls) fails the guardrail. Interactively it asks for the posture with a one-line description of each — `warn` (default, surfaces breaks without failing a build), `block` (fails on an exact break), `off` (scaffold config only). It also confirms the dominant base-URL helper to strip and any multiple backend services. On a repo with no UI→API surface (a library, a CLI) the step is silent. Re-run or adjust later with `init --flow`; tune the posture in `.dxkit/policy.json:flow.mode`.
39
+
35
40
  ## Steps
36
41
 
37
42
  1. **Detect the stack** before installing — let the user confirm:
@@ -31,6 +31,8 @@ Don't use when:
31
31
  ```
32
32
  [1] State check → is dxkit installed? scaffold present? baseline captured? hooks active?
33
33
  [2] Install if needed → npm init @vyuhlabs/dxkit OR npx vyuh-dxkit init --full --yes
34
+ (init auto-offers the UI→API integration gate when it
35
+ detects client calls + routes — pick a posture then)
34
36
  [3] Doctor → npx vyuh-dxkit doctor (parse summary.fixable[])
35
37
  [4] Fix gaps → dispatch through dxkit-fix for each fixable signal
36
38
  [5] Capture baseline → npx vyuh-dxkit baseline create (with explicit secrets-warning)
@@ -51,6 +51,16 @@ else
51
51
  exit 1
52
52
  fi
53
53
 
54
+ # Correctness floor (liveness) — does the change still compile + do the tests
55
+ # it affects pass? This is independent of the baseline, so it runs even before
56
+ # a baseline exists (a brand-new / greenfield repo still gets push-time
57
+ # liveness). It is ADAPTIVE: on a repo that already runs its tests in CI it is
58
+ # a no-op here (opt-in), and on a repo without a test-CI it runs by default.
59
+ # A real failure blocks the push; a missing toolchain fail-opens (CI backstop).
60
+ # Tune via .dxkit/policy.json correctness.surfaces.pre-push, DXKIT_FLOOR_PREPUSH,
61
+ # or bypass everything with: git push --no-verify
62
+ "${DXKIT}" floor check --surface pre-push
63
+
54
64
  BASELINE_NAME="${DXKIT_BASELINE_NAME:-main}"
55
65
  BASELINE_FILE=".dxkit/baselines/${BASELINE_NAME}.json"
56
66
 
@@ -81,6 +81,23 @@ jobs:
81
81
  echo "✓ dxkit guardrail passed — no net-new findings vs the baseline"
82
82
  fi
83
83
 
84
+ # Correctness floor (liveness) — full-scope: does the code compile + do
85
+ # the tests pass? Runs after the finding gate. ADAPTIVE: if this repo
86
+ # already runs its tests in its own CI workflow, this is a no-op here
87
+ # (opt-in). A missing language toolchain fail-opens (this workflow sets up
88
+ # node + the dxkit scanner tools, not every language runtime), so the
89
+ # floor is most meaningful on JS/TS repos and on repos with no test-CI;
90
+ # your own test job is the place for full-language coverage. Tune via
91
+ # .dxkit/policy.json correctness.surfaces.ci or DXKIT_FLOOR_CI.
92
+ - name: Run correctness floor
93
+ run: |
94
+ if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
95
+ DXKIT=./node_modules/.bin/vyuh-dxkit
96
+ else
97
+ DXKIT=vyuh-dxkit
98
+ fi
99
+ "${DXKIT}" floor check --surface ci
100
+
84
101
  - name: Post PR comment
85
102
  if: always()
86
103
  env: