@vyuhlabs/dxkit 2.4.8 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (243) hide show
  1. package/CHANGELOG.md +235 -0
  2. package/README.md +360 -439
  3. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  4. package/dist/analyzers/security/aggregator.js +4 -46
  5. package/dist/analyzers/security/aggregator.js.map +1 -1
  6. package/dist/analyzers/tools/fingerprint.d.ts +91 -26
  7. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  8. package/dist/analyzers/tools/fingerprint.js +111 -22
  9. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  10. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  11. package/dist/analyzers/tools/generic.js +6 -1
  12. package/dist/analyzers/tools/generic.js.map +1 -1
  13. package/dist/analyzers/tools/gitleaks.d.ts +24 -1
  14. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  15. package/dist/analyzers/tools/gitleaks.js +20 -11
  16. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  17. package/dist/analyzers/types.d.ts +6 -4
  18. package/dist/analyzers/types.d.ts.map +1 -1
  19. package/dist/baseline/baseline-file.d.ts +104 -0
  20. package/dist/baseline/baseline-file.d.ts.map +1 -0
  21. package/dist/baseline/baseline-file.js +110 -0
  22. package/dist/baseline/baseline-file.js.map +1 -0
  23. package/dist/baseline/check-renderers.d.ts +108 -0
  24. package/dist/baseline/check-renderers.d.ts.map +1 -0
  25. package/dist/baseline/check-renderers.js +379 -0
  26. package/dist/baseline/check-renderers.js.map +1 -0
  27. package/dist/baseline/check.d.ts +127 -0
  28. package/dist/baseline/check.d.ts.map +1 -0
  29. package/dist/baseline/check.js +462 -0
  30. package/dist/baseline/check.js.map +1 -0
  31. package/dist/baseline/content-hash.d.ts +83 -0
  32. package/dist/baseline/content-hash.d.ts.map +1 -0
  33. package/dist/baseline/content-hash.js +131 -0
  34. package/dist/baseline/content-hash.js.map +1 -0
  35. package/dist/baseline/create.d.ts +96 -0
  36. package/dist/baseline/create.d.ts.map +1 -0
  37. package/dist/baseline/create.js +339 -0
  38. package/dist/baseline/create.js.map +1 -0
  39. package/dist/baseline/entry-to-located.d.ts +35 -0
  40. package/dist/baseline/entry-to-located.d.ts.map +1 -0
  41. package/dist/baseline/entry-to-located.js +72 -0
  42. package/dist/baseline/entry-to-located.js.map +1 -0
  43. package/dist/baseline/finding-identity.d.ts +47 -0
  44. package/dist/baseline/finding-identity.d.ts.map +1 -0
  45. package/dist/baseline/finding-identity.js +292 -0
  46. package/dist/baseline/finding-identity.js.map +1 -0
  47. package/dist/baseline/git-aware-match.d.ts +146 -0
  48. package/dist/baseline/git-aware-match.d.ts.map +1 -0
  49. package/dist/baseline/git-aware-match.js +439 -0
  50. package/dist/baseline/git-aware-match.js.map +1 -0
  51. package/dist/baseline/policy.d.ts +171 -0
  52. package/dist/baseline/policy.d.ts.map +1 -0
  53. package/dist/baseline/policy.js +206 -0
  54. package/dist/baseline/policy.js.map +1 -0
  55. package/dist/baseline/producers/health.d.ts +30 -0
  56. package/dist/baseline/producers/health.d.ts.map +1 -0
  57. package/dist/baseline/producers/health.js +42 -0
  58. package/dist/baseline/producers/health.js.map +1 -0
  59. package/dist/baseline/producers/index.d.ts +164 -0
  60. package/dist/baseline/producers/index.d.ts.map +1 -0
  61. package/dist/baseline/producers/index.js +200 -0
  62. package/dist/baseline/producers/index.js.map +1 -0
  63. package/dist/baseline/producers/licenses.d.ts +23 -0
  64. package/dist/baseline/producers/licenses.d.ts.map +1 -0
  65. package/dist/baseline/producers/licenses.js +46 -0
  66. package/dist/baseline/producers/licenses.js.map +1 -0
  67. package/dist/baseline/producers/quality.d.ts +39 -0
  68. package/dist/baseline/producers/quality.d.ts.map +1 -0
  69. package/dist/baseline/producers/quality.js +84 -0
  70. package/dist/baseline/producers/quality.js.map +1 -0
  71. package/dist/baseline/producers/secret-hmac.d.ts +45 -0
  72. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
  73. package/dist/baseline/producers/secret-hmac.js +70 -0
  74. package/dist/baseline/producers/secret-hmac.js.map +1 -0
  75. package/dist/baseline/producers/security.d.ts +59 -0
  76. package/dist/baseline/producers/security.d.ts.map +1 -0
  77. package/dist/baseline/producers/security.js +135 -0
  78. package/dist/baseline/producers/security.js.map +1 -0
  79. package/dist/baseline/producers/tests.d.ts +36 -0
  80. package/dist/baseline/producers/tests.d.ts.map +1 -0
  81. package/dist/baseline/producers/tests.js +69 -0
  82. package/dist/baseline/producers/tests.js.map +1 -0
  83. package/dist/baseline/salt.d.ts +45 -0
  84. package/dist/baseline/salt.d.ts.map +1 -0
  85. package/dist/baseline/salt.js +113 -0
  86. package/dist/baseline/salt.js.map +1 -0
  87. package/dist/baseline/show.d.ts +79 -0
  88. package/dist/baseline/show.d.ts.map +1 -0
  89. package/dist/baseline/show.js +233 -0
  90. package/dist/baseline/show.js.map +1 -0
  91. package/dist/baseline/types.d.ts +482 -0
  92. package/dist/baseline/types.d.ts.map +1 -0
  93. package/dist/baseline/types.js +53 -0
  94. package/dist/baseline/types.js.map +1 -0
  95. package/dist/cli.d.ts.map +1 -1
  96. package/dist/cli.js +360 -81
  97. package/dist/cli.js.map +1 -1
  98. package/dist/codebase-scanner.d.ts.map +1 -1
  99. package/dist/codebase-scanner.js +0 -1
  100. package/dist/codebase-scanner.js.map +1 -1
  101. package/dist/constants.d.ts.map +1 -1
  102. package/dist/constants.js +0 -4
  103. package/dist/constants.js.map +1 -1
  104. package/dist/doctor.d.ts.map +1 -1
  105. package/dist/doctor.js +22 -25
  106. package/dist/doctor.js.map +1 -1
  107. package/dist/fail-on.d.ts +84 -0
  108. package/dist/fail-on.d.ts.map +1 -0
  109. package/dist/fail-on.js +128 -0
  110. package/dist/fail-on.js.map +1 -0
  111. package/dist/generator.d.ts.map +1 -1
  112. package/dist/generator.js +2 -141
  113. package/dist/generator.js.map +1 -1
  114. package/dist/languages/csharp.d.ts.map +1 -1
  115. package/dist/languages/csharp.js +0 -9
  116. package/dist/languages/csharp.js.map +1 -1
  117. package/dist/languages/go.d.ts.map +1 -1
  118. package/dist/languages/go.js +0 -15
  119. package/dist/languages/go.js.map +1 -1
  120. package/dist/languages/index.d.ts +1 -1
  121. package/dist/languages/index.d.ts.map +1 -1
  122. package/dist/languages/index.js.map +1 -1
  123. package/dist/languages/java.d.ts.map +1 -1
  124. package/dist/languages/java.js +0 -6
  125. package/dist/languages/java.js.map +1 -1
  126. package/dist/languages/kotlin.d.ts.map +1 -1
  127. package/dist/languages/kotlin.js +0 -11
  128. package/dist/languages/kotlin.js.map +1 -1
  129. package/dist/languages/python.d.ts.map +1 -1
  130. package/dist/languages/python.js +0 -15
  131. package/dist/languages/python.js.map +1 -1
  132. package/dist/languages/ruby.d.ts.map +1 -1
  133. package/dist/languages/ruby.js +0 -6
  134. package/dist/languages/ruby.js.map +1 -1
  135. package/dist/languages/rust.d.ts.map +1 -1
  136. package/dist/languages/rust.js +0 -4
  137. package/dist/languages/rust.js.map +1 -1
  138. package/dist/languages/types.d.ts +2 -28
  139. package/dist/languages/types.d.ts.map +1 -1
  140. package/dist/languages/typescript.d.ts.map +1 -1
  141. package/dist/languages/typescript.js +26 -4
  142. package/dist/languages/typescript.js.map +1 -1
  143. package/dist/lib.d.ts +2 -3
  144. package/dist/lib.d.ts.map +1 -1
  145. package/dist/lib.js +3 -6
  146. package/dist/lib.js.map +1 -1
  147. package/dist/prompts.d.ts.map +1 -1
  148. package/dist/prompts.js +0 -10
  149. package/dist/prompts.js.map +1 -1
  150. package/dist/report-schema.d.ts +42 -0
  151. package/dist/report-schema.d.ts.map +1 -0
  152. package/dist/report-schema.js +54 -0
  153. package/dist/report-schema.js.map +1 -0
  154. package/dist/ship-installers.d.ts +106 -0
  155. package/dist/ship-installers.d.ts.map +1 -0
  156. package/dist/ship-installers.js +415 -0
  157. package/dist/ship-installers.js.map +1 -0
  158. package/dist/types.d.ts +0 -4
  159. package/dist/types.d.ts.map +1 -1
  160. package/dist/update.d.ts.map +1 -1
  161. package/dist/update.js +0 -4
  162. package/dist/update.js.map +1 -1
  163. package/package.json +17 -11
  164. package/templates/.claude/agents/onboarding.md +5 -4
  165. package/templates/.claude/agents-available/codebase-explorer.md +1 -1
  166. package/templates/.claude/agents-available/debugger.md +2 -2
  167. package/templates/.claude/agents-available/health-auditor.md +2 -2
  168. package/templates/.claude/commands/doctor.md +20 -12
  169. package/templates/.claude/skills/build/SKILL.md.template +22 -30
  170. package/templates/.claude/skills/deploy/SKILL.md.template +5 -25
  171. package/templates/.claude/skills/doctor/SKILL.md +24 -47
  172. package/templates/.claude/skills/gcloud/SKILL.md +5 -5
  173. package/templates/.claude/skills/learned/SKILL.md +1 -1
  174. package/templates/.claude/skills/pulumi/SKILL.md +2 -2
  175. package/templates/.claude/skills/quality/SKILL.md.template +4 -23
  176. package/templates/.claude/skills/review/SKILL.md.template +4 -3
  177. package/templates/.claude/skills/scaffold/SKILL.md.template +5 -15
  178. package/templates/.claude/skills/secrets/SKILL.md +20 -21
  179. package/templates/.claude/skills/session/SKILL.md +20 -31
  180. package/templates/.claude/skills/test/SKILL.md.template +1 -7
  181. package/templates/.devcontainer/devcontainer.json +81 -0
  182. package/templates/.devcontainer/install-agent-clis.sh +42 -0
  183. package/templates/.devcontainer/post-create.sh +67 -0
  184. package/templates/.githooks/pre-commit +55 -0
  185. package/templates/.githooks/pre-push +63 -0
  186. package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
  187. package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
  188. package/templates/CLAUDE.md.template +62 -196
  189. package/dist/project-yaml.d.ts +0 -13
  190. package/dist/project-yaml.d.ts.map +0 -1
  191. package/dist/project-yaml.js +0 -188
  192. package/dist/project-yaml.js.map +0 -1
  193. package/templates/.ai/README.md +0 -117
  194. package/templates/.ai/prompts/execution-prompt.md +0 -9
  195. package/templates/.ai/prompts/planning-prompt.md +0 -18
  196. package/templates/.ai/prompts/session-end-template.md +0 -182
  197. package/templates/.ai/prompts/session-end.md +0 -132
  198. package/templates/.ai/prompts/session-start.md +0 -109
  199. package/templates/.ai/prompts/step-by-step.md +0 -113
  200. package/templates/.ai/sessions/.gitkeep +0 -0
  201. package/templates/.claude/commands/setup-pr-review.md +0 -72
  202. package/templates/.devcontainer/Dockerfile.dev.template +0 -89
  203. package/templates/.devcontainer/devcontainer.json.template +0 -184
  204. package/templates/.devcontainer/docker-compose.yml.template +0 -105
  205. package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
  206. package/templates/.devcontainer/post-create.sh.template +0 -298
  207. package/templates/.github/workflows/ci.yml.template +0 -399
  208. package/templates/.github/workflows/quality.yml.template +0 -376
  209. package/templates/.pre-commit-config.yaml.template +0 -106
  210. package/templates/.project/config/edit_config.py +0 -275
  211. package/templates/.project/config/project_config.py +0 -894
  212. package/templates/.project/scripts/codegen/generate-all.sh +0 -20
  213. package/templates/.project/scripts/codegen/validate-all.sh +0 -17
  214. package/templates/.project/scripts/docs/generate-all.sh +0 -30
  215. package/templates/.project/scripts/docs/serve.sh +0 -20
  216. package/templates/.project/scripts/quality/fix-all.sh +0 -138
  217. package/templates/.project/scripts/quality/lint-go.sh +0 -34
  218. package/templates/.project/scripts/quality/lint-python.sh +0 -54
  219. package/templates/.project/scripts/quality/run-all.sh +0 -497
  220. package/templates/.project/scripts/session/commit.sh +0 -70
  221. package/templates/.project/scripts/session/create-pr.sh +0 -165
  222. package/templates/.project/scripts/session/end.sh +0 -207
  223. package/templates/.project/scripts/session/start.sh +0 -233
  224. package/templates/.project/scripts/setup/doctor.sh +0 -404
  225. package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
  226. package/templates/.project/scripts/sync/sync-template.sh +0 -328
  227. package/templates/.project/scripts/test/run-all.sh +0 -179
  228. package/templates/.project/scripts/test/run-quick.sh +0 -25
  229. package/templates/Makefile +0 -514
  230. package/templates/config/versions.yaml +0 -57
  231. package/templates/configs/go/.golangci.yml.template +0 -172
  232. package/templates/configs/go/go.mod.template +0 -15
  233. package/templates/configs/java/README.md +0 -6
  234. package/templates/configs/kotlin/README.md +0 -6
  235. package/templates/configs/node/package.json.template +0 -67
  236. package/templates/configs/node/tsconfig.json.template +0 -53
  237. package/templates/configs/python/pyproject.toml.template +0 -92
  238. package/templates/configs/python/pytest.ini.template +0 -64
  239. package/templates/configs/python/ruff.toml.template +0 -79
  240. package/templates/configs/ruby/README.md +0 -6
  241. package/templates/configs/rust/Cargo.toml.template +0 -51
  242. package/templates/configs/shared/.editorconfig +0 -67
  243. package/templates/scripts/validate-templates.sh +0 -449
@@ -0,0 +1,81 @@
1
+ {
2
+ "name": "dxkit dev environment",
3
+
4
+ // Universal base + composable features. Each language pack dxkit
5
+ // supports has a corresponding feature here so the same image works
6
+ // for monorepos that span multiple ecosystems. Tune by removing
7
+ // features your project does not need — smaller image, faster
8
+ // Codespaces prebuild.
9
+ "image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
10
+
11
+ "features": {
12
+ "ghcr.io/devcontainers/features/node:1": {
13
+ "version": "22",
14
+ "nvmVersion": "latest"
15
+ },
16
+ "ghcr.io/devcontainers/features/python:1": {
17
+ "version": "3.12",
18
+ "installTools": true
19
+ },
20
+ "ghcr.io/devcontainers/features/go:1": {
21
+ "version": "1.21"
22
+ },
23
+ "ghcr.io/devcontainers/features/dotnet:2": {
24
+ "version": "8.0"
25
+ },
26
+ "ghcr.io/devcontainers/features/ruby:1": {
27
+ "version": "3.3"
28
+ },
29
+ "ghcr.io/devcontainers/features/java:1": {
30
+ "version": "17",
31
+ "installGradle": true
32
+ },
33
+ "ghcr.io/devcontainers/features/rust:1": {
34
+ "version": "stable",
35
+ "profile": "default"
36
+ },
37
+ "ghcr.io/devcontainers/features/github-cli:1": {}
38
+ },
39
+
40
+ // Reproducibility note: language toolchains are pinned in the
41
+ // features block above. Scanner tools (gitleaks, semgrep, cloc,
42
+ // jscpd, ruff, osv-scanner, ...) are pinned in dxkit's TOOL_DEFS
43
+ // registry and installed by `vyuh-dxkit tools install --yes` in
44
+ // post-create.sh. Bumping a scanner version is a dxkit upgrade,
45
+ // not a Dockerfile edit.
46
+ "postCreateCommand": "bash .devcontainer/post-create.sh",
47
+
48
+ // Run on every container start (incl. Codespaces resume). Keeps
49
+ // `dxkit tools list` accurate if a tool was uninstalled or the
50
+ // registry pinned-versions advanced since last use.
51
+ "postStartCommand": "command -v vyuh-dxkit >/dev/null 2>&1 && vyuh-dxkit tools list || true",
52
+
53
+ "customizations": {
54
+ "vscode": {
55
+ "extensions": [
56
+ "anthropic.claude-code",
57
+ "dbaeumer.vscode-eslint",
58
+ "esbenp.prettier-vscode",
59
+ "ms-python.python",
60
+ "ms-python.vscode-pylance",
61
+ "golang.go",
62
+ "rust-lang.rust-analyzer",
63
+ "ms-dotnettools.csharp",
64
+ "redhat.java",
65
+ "fwcd.kotlin",
66
+ "rebornix.ruby",
67
+ "github.vscode-github-actions",
68
+ "github.vscode-pull-request-github"
69
+ ],
70
+ "settings": {
71
+ "editor.formatOnSave": true,
72
+ "files.eol": "\n"
73
+ }
74
+ }
75
+ },
76
+
77
+ "remoteUser": "vscode",
78
+
79
+ // Forward dxkit's HTTP analyzer dashboard if you run it locally.
80
+ "forwardPorts": []
81
+ }
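Review bot: The "Reproducibility note" comment is not borne out by the features block it points at: every feature is referenced by a floating major tag (`ghcr.io/devcontainers/features/node:1`, `.../python:1`, and so on) and two version fields float on their own (`"nvmVersion": "latest"`, rust `"version": "stable"`), so each rebuild pulls whatever the feature publisher has released since. Devcontainer features are installer scripts fetched from ghcr.io and executed at image build time, which makes a floating tag a supply-chain input rather than only a reproducibility one. Pin each feature to its full semver tag (or its OCI digest) and replace the `latest`/`stable` values with explicit versions; then the comment becomes true and the "bumping a scanner version is a dxkit upgrade" story extends to the toolchains too. Go `1.21` also looks to be past its upstream support window as far as I know — worth checking against the current Go release policy before shipping it as the template default.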
@@ -0,0 +1,42 @@
1
+ #!/usr/bin/env bash
2
+ #
3
+ # Install the AI coding-agent CLIs that pair with dxkit's commit-time
4
+ # guardrails. Pinned versions so devcontainer rebuilds produce a
5
+ # deterministic environment; bump these intentionally.
6
+ #
7
+ # Both CLIs are published to npm and install globally into the
8
+ # devcontainer image's Node toolchain (provided by the features
9
+ # block in devcontainer.json).
10
+
11
+ set -euo pipefail
12
+
13
+ # Pinned at devcontainer template publish time. Loosen to `@latest`
14
+ # if you want each container start to pull the newest CLI — at the
15
+ # cost of non-deterministic builds. Set to `skip` to skip the install
16
+ # entirely (useful if you only use one of the two agents).
17
+ CLAUDE_CODE_VERSION="${CLAUDE_CODE_VERSION:-latest}"
18
+ CODEX_VERSION="${CODEX_VERSION:-latest}"
19
+
20
+ if [ "${CLAUDE_CODE_VERSION}" = "skip" ]; then
21
+ echo "==> Claude Code CLI install skipped (CLAUDE_CODE_VERSION=skip)."
22
+ else
23
+ echo "==> Installing Claude Code CLI..."
24
+ if command -v claude >/dev/null 2>&1; then
25
+ echo " Already installed: $(claude --version 2>&1 | head -n1)"
26
+ else
27
+ npm install -g "@anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}" \
28
+ || echo "WARN: Claude Code install failed — try manually with 'npm install -g @anthropic-ai/claude-code'." >&2
29
+ fi
30
+ fi
31
+
32
+ if [ "${CODEX_VERSION}" = "skip" ]; then
33
+ echo "==> OpenAI Codex CLI install skipped (CODEX_VERSION=skip)."
34
+ else
35
+ echo "==> Installing OpenAI Codex CLI..."
36
+ if command -v codex >/dev/null 2>&1; then
37
+ echo " Already installed: $(codex --version 2>&1 | head -n1)"
38
+ else
39
+ npm install -g "@openai/codex@${CODEX_VERSION}" \
40
+ || echo "WARN: Codex CLI install failed — try manually with 'npm install -g @openai/codex'." >&2
41
+ fi
42
+ fi
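Review bot: The header promises pinned versions for deterministic rebuilds, but both defaults are `latest` (`CLAUDE_CODE_VERSION="${CLAUDE_CODE_VERSION:-latest}"` and the matching Codex line), so a fresh container does a global install of whatever `@anthropic-ai/claude-code` and `@openai/codex` were most recently published, lifecycle scripts included. For CLIs that run with the developer's repository, shell and credentials, that is the opposite of what the comment states. Either replace `latest` with the exact versions that were current at template publish time, or rewrite the comment to say the defaults float and pinning is the user's job; the sentence "Loosen to `@latest` ..." only makes sense once the defaults are real versions. A smaller point: `command -v claude` accepts any `claude` already on PATH regardless of origin or version, so the "Already installed" branch never re-pins an outdated or foreign binary — a one-line comment acknowledging that would be fair.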
@@ -0,0 +1,67 @@
1
+ #!/usr/bin/env bash
2
+ #
3
+ # Devcontainer post-create. Runs once after the container is built
4
+ # (and again on Codespaces prebuild). Idempotent — safe to re-run.
5
+ #
6
+ # Responsibilities:
7
+ # 1. Install project dependencies if this is a Node project.
8
+ # 2. Ensure dxkit is on PATH (project-local first, global fallback).
9
+ # 3. Install dxkit's scanner toolchain (gitleaks, semgrep, cloc, etc.)
10
+ # via the TOOL_DEFS registry — pinned versions, language-aware.
11
+ # 4. Install the AI coding-agent CLIs for the AI-native dev loop.
12
+ #
13
+ # Run from the repo root — the devcontainer's workspaceFolder is set
14
+ # by `devcontainer.json` so the post-create command starts there.
15
+
16
+ set -euo pipefail
17
+
18
+ echo "==> dxkit post-create starting in $(pwd)"
19
+
20
+ # Install project dependencies if this is a Node project. Soft-fail
21
+ # the whole step: a lockfile that won't resolve (tarball moved,
22
+ # private-registry auth not configured yet, peer-dep churn) is
23
+ # annoying but shouldn't take down the rest of the post-create. The
24
+ # user can re-run `npm install` after authenticating or fixing the
25
+ # lockfile.
26
+ if [ -f package.json ]; then
27
+ echo "==> Installing project dependencies..."
28
+ if [ -f package-lock.json ]; then
29
+ npm ci || npm install || {
30
+ echo "WARN: project dependency install failed — re-run 'npm install' manually if needed." >&2
31
+ }
32
+ else
33
+ npm install || {
34
+ echo "WARN: project dependency install failed — re-run 'npm install' manually if needed." >&2
35
+ }
36
+ fi
37
+ fi
38
+
39
+ # Resolve dxkit. Prefer the project-local install if a `package.json`
40
+ # pinned dxkit in devDependencies; otherwise install globally so the
41
+ # binary is on PATH for the rest of the script and any subshell.
42
+ if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
43
+ DXKIT="./node_modules/.bin/vyuh-dxkit"
44
+ elif command -v vyuh-dxkit >/dev/null 2>&1; then
45
+ DXKIT="vyuh-dxkit"
46
+ else
47
+ echo "==> Installing @vyuhlabs/dxkit globally..."
48
+ npm install -g @vyuhlabs/dxkit
49
+ DXKIT="vyuh-dxkit"
50
+ fi
51
+ echo "==> Using dxkit binary: ${DXKIT}"
52
+
53
+ echo "==> Installing scanner toolchain via dxkit registry..."
54
+ # `tools install --yes` reads the detector's required-tools list and
55
+ # runs the pinned install command for each one. Tools already present
56
+ # are no-ops, so this is fast on warm containers. Soft-fail so a
57
+ # single tool's install hiccup doesn't break the whole container.
58
+ "${DXKIT}" tools install --yes || {
59
+ echo "WARN: some scanner tools failed to install — run 'vyuh-dxkit tools list' to see status." >&2
60
+ }
61
+
62
+ echo "==> Installing AI coding-agent CLIs..."
63
+ bash "$(dirname "$0")/install-agent-clis.sh" || {
64
+ echo "WARN: agent CLI install had issues — install manually if needed." >&2
65
+ }
66
+
67
+ echo "==> dxkit post-create done. Run 'vyuh-dxkit health' to verify."
@@ -0,0 +1,55 @@
1
+ #!/usr/bin/env sh
2
+ #
3
+ # dxkit pre-commit hook — fast guardrail check against the baseline.
4
+ #
5
+ # Runs `vyuh-dxkit guardrail check --changed-only` so only findings
6
+ # overlapping lines you just changed can block the commit. The full
7
+ # guardrail (without --changed-only) runs in the pre-push hook and
8
+ # in the CI PR-gate workflow; this one prioritises feedback speed.
9
+ #
10
+ # Install:
11
+ # git config core.hooksPath .githooks
12
+ #
13
+ # Escape hatches:
14
+ # DXKIT_SKIP_HOOKS=1 git commit ... # one-off bypass
15
+ # git commit --no-verify ... # standard git bypass
16
+ #
17
+ # First-time setup: this hook does NOT block when no baseline exists
18
+ # yet. Run `vyuh-dxkit baseline create` once to capture today's state,
19
+ # then commits start being gated against it.
20
+
21
+ set -e
22
+
23
+ if [ "${DXKIT_SKIP_HOOKS:-0}" = "1" ]; then
24
+ echo "[dxkit pre-commit] DXKIT_SKIP_HOOKS=1 set — skipping guardrail check."
25
+ exit 0
26
+ fi
27
+
28
+ # Resolve the dxkit binary: prefer the project-local install, fall
29
+ # back to a global one. We deliberately do NOT shell out to `npx`
30
+ # here — npx may try to fetch from the registry, which makes the
31
+ # hook fail offline and slow down every commit.
32
+ if [ -x "./node_modules/.bin/vyuh-dxkit" ]; then
33
+ DXKIT="./node_modules/.bin/vyuh-dxkit"
34
+ elif command -v vyuh-dxkit >/dev/null 2>&1; then
35
+ DXKIT="vyuh-dxkit"
36
+ else
37
+ echo "[dxkit pre-commit] vyuh-dxkit not found on PATH or in ./node_modules/.bin." >&2
38
+ echo " Install it with: npm install --save-dev @vyuhlabs/dxkit" >&2
39
+ echo " Or skip this hook for this commit: DXKIT_SKIP_HOOKS=1 git commit ..." >&2
40
+ exit 1
41
+ fi
42
+
43
+ BASELINE_NAME="${DXKIT_BASELINE_NAME:-main}"
44
+ BASELINE_FILE=".dxkit/baselines/${BASELINE_NAME}.json"
45
+
46
+ if [ ! -f "${BASELINE_FILE}" ]; then
47
+ echo "[dxkit pre-commit] No baseline at ${BASELINE_FILE} — not blocking."
48
+ echo " Run \`${DXKIT} baseline create\` once to start gating commits."
49
+ exit 0
50
+ fi
51
+
52
+ # `--changed-only` restricts blocking to findings whose anchor line
53
+ # overlaps the diff between the baseline's anchor commit and HEAD.
54
+ # Pre-commit is fast-mode by design; the pre-push hook runs full.
55
+ "${DXKIT}" guardrail check --changed-only --name "${BASELINE_NAME}"
@@ -0,0 +1,63 @@
1
+ #!/usr/bin/env sh
2
+ #
3
+ # dxkit pre-push hook — full guardrail check against the baseline.
4
+ #
5
+ # Runs the full `vyuh-dxkit guardrail check` (no --changed-only),
6
+ # so every regression introduced since the baseline blocks the push.
7
+ # Slower than pre-commit, but the push boundary is the last point
8
+ # we can stop bad code from leaving the developer's machine.
9
+ #
10
+ # Install:
11
+ # git config core.hooksPath .githooks
12
+ #
13
+ # Escape hatches:
14
+ # DXKIT_SKIP_HOOKS=1 git push ... # one-off bypass
15
+ # git push --no-verify ... # standard git bypass
16
+
17
+ set -e
18
+
19
+ if [ "${DXKIT_SKIP_HOOKS:-0}" = "1" ]; then
20
+ echo "[dxkit pre-push] DXKIT_SKIP_HOOKS=1 set — skipping guardrail check."
21
+ exit 0
22
+ fi
23
+
24
+ # Delete-only pushes (e.g. `git push origin --delete <branch>`) carry
25
+ # no commits to gate. Git invokes pre-push with stdin lines of the
26
+ # form: <local-ref> <local-sha> <remote-ref> <remote-sha>. A delete
27
+ # has local-sha = 40 zeros. Skip rather than failing the gate on an
28
+ # empty diff.
29
+ all_zero=true
30
+ while read -r _local_ref local_sha _remote_ref _remote_sha; do
31
+ if [ "${local_sha}" != "0000000000000000000000000000000000000000" ]; then
32
+ all_zero=false
33
+ break
34
+ fi
35
+ done
36
+ if [ "${all_zero}" = "true" ]; then
37
+ echo "[dxkit pre-push] Delete-only push detected — skipping guardrail check."
38
+ exit 0
39
+ fi
40
+
41
+ # Resolve the dxkit binary: prefer the project-local install, fall
42
+ # back to a global one. Match the pre-commit hook's resolution order.
43
+ if [ -x "./node_modules/.bin/vyuh-dxkit" ]; then
44
+ DXKIT="./node_modules/.bin/vyuh-dxkit"
45
+ elif command -v vyuh-dxkit >/dev/null 2>&1; then
46
+ DXKIT="vyuh-dxkit"
47
+ else
48
+ echo "[dxkit pre-push] vyuh-dxkit not found on PATH or in ./node_modules/.bin." >&2
49
+ echo " Install it with: npm install --save-dev @vyuhlabs/dxkit" >&2
50
+ echo " Or skip this hook for this push: DXKIT_SKIP_HOOKS=1 git push ..." >&2
51
+ exit 1
52
+ fi
53
+
54
+ BASELINE_NAME="${DXKIT_BASELINE_NAME:-main}"
55
+ BASELINE_FILE=".dxkit/baselines/${BASELINE_NAME}.json"
56
+
57
+ if [ ! -f "${BASELINE_FILE}" ]; then
58
+ echo "[dxkit pre-push] No baseline at ${BASELINE_FILE} — not blocking."
59
+ echo " Run \`${DXKIT} baseline create\` once to start gating pushes."
60
+ exit 0
61
+ fi
62
+
63
+ "${DXKIT}" guardrail check --name "${BASELINE_NAME}"
@@ -0,0 +1,78 @@
1
+ name: dxkit baseline refresh
2
+
3
+ # After every merge to main, regenerate `.dxkit/baselines/main.json`
4
+ # to capture the new "approved" state of the repo. The next PR's
5
+ # guardrail check is gated against this refreshed anchor, so a
6
+ # regression introduced in PR N+1 stands out from the noise of
7
+ # whatever was merged in PR N.
8
+ #
9
+ # The auto-commit carries `[skip ci]` so it doesn't re-trigger this
10
+ # workflow or the guardrails PR-gate.
11
+
12
+ on:
13
+ push:
14
+ branches: [__DXKIT_DEFAULT_BRANCH__]
15
+ # Ignore pushes that only changed the baseline file — those are
16
+ # this workflow's own commits, and re-running would be a no-op
17
+ # anyway. Belt-and-braces with [skip ci] below.
18
+ paths-ignore:
19
+ - '.dxkit/baselines/**'
20
+
21
+ permissions:
22
+ contents: write
23
+
24
+ jobs:
25
+ refresh:
26
+ runs-on: ubuntu-latest
27
+ # Don't re-run on our own auto-commit (defensive — paths-ignore
28
+ # above already filters the common case).
29
+ if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
30
+ steps:
31
+ - uses: actions/checkout@v6
32
+ with:
33
+ fetch-depth: 0
34
+ # `persist-credentials: true` (the default) leaves the
35
+ # token in .git/config so the final `git push` reuses it.
36
+
37
+ - uses: actions/setup-node@v6
38
+ with:
39
+ node-version: '22'
40
+
41
+ - name: Install dxkit
42
+ run: |
43
+ if [ -f package-lock.json ]; then
44
+ npm ci
45
+ elif [ -f package.json ]; then
46
+ npm install
47
+ else
48
+ npm install -g @vyuhlabs/dxkit
49
+ fi
50
+
51
+ - name: Install scanner tools
52
+ run: |
53
+ if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
54
+ ./node_modules/.bin/vyuh-dxkit tools install --yes
55
+ else
56
+ vyuh-dxkit tools install --yes
57
+ fi
58
+
59
+ - name: Recompute baseline
60
+ run: |
61
+ if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
62
+ DXKIT=./node_modules/.bin/vyuh-dxkit
63
+ else
64
+ DXKIT=vyuh-dxkit
65
+ fi
66
+ "${DXKIT}" baseline create --force
67
+
68
+ - name: Commit and push refreshed baseline
69
+ run: |
70
+ git config user.name "github-actions[bot]"
71
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
72
+ if git diff --quiet -- .dxkit/baselines/; then
73
+ echo "Baseline unchanged — nothing to commit."
74
+ exit 0
75
+ fi
76
+ git add .dxkit/baselines/
77
+ git commit -m "chore(baseline): refresh main anchor [skip ci]"
78
+ git push
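Review bot: This job holds a `contents: write` token in `.git/config` (the checkout comment explicitly relies on `persist-credentials` defaulting to true) while it runs `npm ci`/`npm install`, which execute the lifecycle scripts of every project dependency, and `vyuh-dxkit tools install --yes`, which fetches and runs third-party scanner installers. Any compromised package or installer in that chain can push straight to the default branch, and because the artifact this job produces is the baseline every PR is gated against, it could also edit `.dxkit/baselines/main.json` before the commit step to silently bless a finding. Check out with `persist-credentials: false`, install with `--ignore-scripts` unless dxkit itself needs a postinstall, and give the token only to the final push step. Separately, `actions/checkout@v6` and `actions/setup-node@v6` are floating major tags and should be pinned to a commit SHA for the same reason, and the bot push will be rejected if the default branch has branch protection — a PR-based refresh or a deploy key scoped to this job is the usual answer.
```yaml
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false

      # … unchanged: setup-node …

      - name: Install dxkit
        run: |
          if [ -f package-lock.json ]; then
            npm ci --ignore-scripts
          elif [ -f package.json ]; then
            npm install --ignore-scripts
          else
            npm install -g --ignore-scripts @vyuhlabs/dxkit
          fi

      # … unchanged: install scanner tools, recompute baseline …

      - name: Commit and push refreshed baseline
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # … unchanged: git config / diff --quiet / add / commit …
          git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" HEAD:"${GITHUB_REF_NAME}"
```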
@@ -0,0 +1,98 @@
1
+ name: dxkit guardrails
2
+
3
+ # Runs the dxkit guardrail check on every pull request. New regressions
4
+ # vs. the committed `.dxkit/baselines/main.json` block the PR. Existing
5
+ # findings (your "brownfield debt") are allowed — they were already
6
+ # captured when you ran `vyuh-dxkit baseline create`.
7
+ #
8
+ # Customise by editing your project's `.dxkit/policy.json` (created by
9
+ # `vyuh-dxkit init --with-ci`). The matcher's classifications
10
+ # (added / relocated / tooling_drift / config_drift / persisted /
11
+ # removed / fixed) map to block/warn buckets there.
12
+
13
+ on:
14
+ pull_request:
15
+
16
+ permissions:
17
+ contents: read
18
+ pull-requests: write
19
+
20
+ jobs:
21
+ guardrail:
22
+ runs-on: ubuntu-latest
23
+ steps:
24
+ - uses: actions/checkout@v6
25
+ with:
26
+ # Full history so the git-aware matcher can resolve the
27
+ # baseline's anchor commit + diff against HEAD.
28
+ fetch-depth: 0
29
+
30
+ - uses: actions/setup-node@v6
31
+ with:
32
+ node-version: '22'
33
+
34
+ # Install dxkit. Prefers a project-local install (devDependencies)
35
+ # so the version is pinned alongside the project. Falls back to a
36
+ # global install for non-JS projects.
37
+ - name: Install dxkit
38
+ run: |
39
+ if [ -f package-lock.json ]; then
40
+ npm ci
41
+ elif [ -f package.json ]; then
42
+ npm install
43
+ else
44
+ npm install -g @vyuhlabs/dxkit
45
+ fi
46
+
47
+ # Install the scanner toolchain dxkit needs for this stack
48
+ # (gitleaks, semgrep, cloc, jscpd, ruff, osv-scanner, etc.).
49
+ # `--yes` makes the install non-interactive; the registry
50
+ # decides what to install based on detected languages.
51
+ - name: Install scanner tools
52
+ run: |
53
+ if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
54
+ ./node_modules/.bin/vyuh-dxkit tools install --yes
55
+ else
56
+ vyuh-dxkit tools install --yes
57
+ fi
58
+
59
+ # Capture the markdown report regardless of exit code so we can
60
+ # post it as a PR comment even when the guardrail blocks.
61
+ - name: Run guardrail check
62
+ id: guardrail
63
+ run: |
64
+ if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
65
+ DXKIT=./node_modules/.bin/vyuh-dxkit
66
+ else
67
+ DXKIT=vyuh-dxkit
68
+ fi
69
+ set +e
70
+ "${DXKIT}" guardrail check --markdown > guardrail-report.md
71
+ echo "exit_code=$?" >> "$GITHUB_OUTPUT"
72
+
73
+ - name: Post PR comment
74
+ if: always()
75
+ env:
76
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
77
+ PR_NUMBER: ${{ github.event.pull_request.number }}
78
+ run: |
79
+ # Find a previous dxkit-guardrails comment by marker so we
80
+ # update in place rather than appending a new one per push.
81
+ MARKER='<!-- dxkit-guardrails -->'
82
+ {
83
+ printf '%s\n' "$MARKER"
84
+ cat guardrail-report.md
85
+ } > comment.md
86
+ existing=$(gh api "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
87
+ --jq ".[] | select(.body | startswith(\"${MARKER}\")) | .id" \
88
+ | head -n1)
89
+ if [ -n "${existing}" ]; then
90
+ gh api -X PATCH \
91
+ "repos/${{ github.repository }}/issues/comments/${existing}" \
92
+ -F body=@comment.md
93
+ else
94
+ gh pr comment "${PR_NUMBER}" --body-file comment.md
95
+ fi
96
+
97
+ - name: Fail if guardrail blocked
98
+ run: exit ${{ steps.guardrail.outputs.exit_code }}
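Review bot: The baseline and policy this job gates against (`.dxkit/baselines/main.json`, `.dxkit/policy.json`) are read from the pull request's own checkout, so a PR author can regenerate the baseline with `baseline create --force` or loosen the policy in the same PR and the guardrail reports nothing new. Those two paths are the trust anchor and should come from the base branch: after checkout, remove the PR's copies and restore them from `origin/${GITHUB_BASE_REF}` (available because of `fetch-depth: 0`), and protect edits to them with CODEOWNERS or a required review so the refresh workflow is the only writer. Second, on pull requests from forks `GITHUB_TOKEN` is read-only regardless of the `pull-requests: write` grant, so the "Post PR comment" step — guarded only by `if: always()` — fails and masks the real guardrail result; gate it on a same-repo condition or mark it `continue-on-error: true` so the final `exit` step is what decides the job. Finally, `guardrail-report.md` is built from the PR's files, so anything dxkit echoes verbatim (a gitleaks match, a path) lands in the comment body; acceptable for markdown, but worth a comment on that step.
```yaml
      # … unchanged: checkout / setup-node / install dxkit / install scanner tools …

      - name: Take baseline and policy from the base branch, not the PR head
        env:
          BASE_REF: ${{ github.base_ref }}
        run: |
          rm -rf .dxkit/baselines .dxkit/policy.json
          git checkout "origin/${BASE_REF}" -- .dxkit/baselines 2>/dev/null || echo "No baseline on ${BASE_REF} — gate unarmed."
          git checkout "origin/${BASE_REF}" -- .dxkit/policy.json 2>/dev/null || true

      # … unchanged: run guardrail check …

      - name: Post PR comment
        if: always() && github.event.pull_request.head.repo.full_name == github.repository
        # … unchanged: env and run …
```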