@vyuhlabs/dxkit 2.4.8 → 2.5.1
- package/CHANGELOG.md +312 -0
- package/README.md +360 -439
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +4 -46
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +91 -26
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +111 -22
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +6 -1
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +24 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +20 -11
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +9 -5
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +19 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +25 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/types.d.ts +6 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/baseline/baseline-file.d.ts +104 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -0
- package/dist/baseline/baseline-file.js +110 -0
- package/dist/baseline/baseline-file.js.map +1 -0
- package/dist/baseline/check-renderers.d.ts +108 -0
- package/dist/baseline/check-renderers.d.ts.map +1 -0
- package/dist/baseline/check-renderers.js +379 -0
- package/dist/baseline/check-renderers.js.map +1 -0
- package/dist/baseline/check.d.ts +127 -0
- package/dist/baseline/check.d.ts.map +1 -0
- package/dist/baseline/check.js +462 -0
- package/dist/baseline/check.js.map +1 -0
- package/dist/baseline/content-hash.d.ts +83 -0
- package/dist/baseline/content-hash.d.ts.map +1 -0
- package/dist/baseline/content-hash.js +131 -0
- package/dist/baseline/content-hash.js.map +1 -0
- package/dist/baseline/create.d.ts +96 -0
- package/dist/baseline/create.d.ts.map +1 -0
- package/dist/baseline/create.js +339 -0
- package/dist/baseline/create.js.map +1 -0
- package/dist/baseline/entry-to-located.d.ts +35 -0
- package/dist/baseline/entry-to-located.d.ts.map +1 -0
- package/dist/baseline/entry-to-located.js +72 -0
- package/dist/baseline/entry-to-located.js.map +1 -0
- package/dist/baseline/finding-identity.d.ts +47 -0
- package/dist/baseline/finding-identity.d.ts.map +1 -0
- package/dist/baseline/finding-identity.js +292 -0
- package/dist/baseline/finding-identity.js.map +1 -0
- package/dist/baseline/git-aware-match.d.ts +146 -0
- package/dist/baseline/git-aware-match.d.ts.map +1 -0
- package/dist/baseline/git-aware-match.js +439 -0
- package/dist/baseline/git-aware-match.js.map +1 -0
- package/dist/baseline/policy.d.ts +171 -0
- package/dist/baseline/policy.d.ts.map +1 -0
- package/dist/baseline/policy.js +206 -0
- package/dist/baseline/policy.js.map +1 -0
- package/dist/baseline/producers/health.d.ts +30 -0
- package/dist/baseline/producers/health.d.ts.map +1 -0
- package/dist/baseline/producers/health.js +42 -0
- package/dist/baseline/producers/health.js.map +1 -0
- package/dist/baseline/producers/index.d.ts +164 -0
- package/dist/baseline/producers/index.d.ts.map +1 -0
- package/dist/baseline/producers/index.js +200 -0
- package/dist/baseline/producers/index.js.map +1 -0
- package/dist/baseline/producers/licenses.d.ts +23 -0
- package/dist/baseline/producers/licenses.d.ts.map +1 -0
- package/dist/baseline/producers/licenses.js +46 -0
- package/dist/baseline/producers/licenses.js.map +1 -0
- package/dist/baseline/producers/quality.d.ts +39 -0
- package/dist/baseline/producers/quality.d.ts.map +1 -0
- package/dist/baseline/producers/quality.js +84 -0
- package/dist/baseline/producers/quality.js.map +1 -0
- package/dist/baseline/producers/secret-hmac.d.ts +45 -0
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
- package/dist/baseline/producers/secret-hmac.js +70 -0
- package/dist/baseline/producers/secret-hmac.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +59 -0
- package/dist/baseline/producers/security.d.ts.map +1 -0
- package/dist/baseline/producers/security.js +135 -0
- package/dist/baseline/producers/security.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +36 -0
- package/dist/baseline/producers/tests.d.ts.map +1 -0
- package/dist/baseline/producers/tests.js +69 -0
- package/dist/baseline/producers/tests.js.map +1 -0
- package/dist/baseline/salt.d.ts +45 -0
- package/dist/baseline/salt.d.ts.map +1 -0
- package/dist/baseline/salt.js +113 -0
- package/dist/baseline/salt.js.map +1 -0
- package/dist/baseline/show.d.ts +79 -0
- package/dist/baseline/show.d.ts.map +1 -0
- package/dist/baseline/show.js +233 -0
- package/dist/baseline/show.js.map +1 -0
- package/dist/baseline/types.d.ts +482 -0
- package/dist/baseline/types.d.ts.map +1 -0
- package/dist/baseline/types.js +53 -0
- package/dist/baseline/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +398 -82
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -4
- package/dist/constants.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +39 -35
- package/dist/doctor.js.map +1 -1
- package/dist/fail-on.d.ts +84 -0
- package/dist/fail-on.d.ts.map +1 -0
- package/dist/fail-on.js +128 -0
- package/dist/fail-on.js.map +1 -0
- package/dist/generator.d.ts +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +81 -274
- package/dist/generator.js.map +1 -1
- package/dist/hooks-cli.d.ts +20 -0
- package/dist/hooks-cli.d.ts.map +1 -0
- package/dist/hooks-cli.js +145 -0
- package/dist/hooks-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +4 -9
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +3 -14
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +19 -1
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +32 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +4 -6
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +9 -11
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +4 -15
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +4 -6
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +4 -4
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +29 -28
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +31 -4
- package/dist/languages/typescript.js.map +1 -1
- package/dist/lib.d.ts +2 -3
- package/dist/lib.d.ts.map +1 -1
- package/dist/lib.js +3 -6
- package/dist/lib.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -10
- package/dist/prompts.js.map +1 -1
- package/dist/report-schema.d.ts +42 -0
- package/dist/report-schema.d.ts.map +1 -0
- package/dist/report-schema.js +54 -0
- package/dist/report-schema.js.map +1 -0
- package/dist/ship-installers.d.ts +112 -0
- package/dist/ship-installers.d.ts.map +1 -0
- package/dist/ship-installers.js +530 -0
- package/dist/ship-installers.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +45 -9
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +0 -4
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +0 -4
- package/dist/update.js.map +1 -1
- package/package.json +17 -11
- package/templates/.claude/skills/dxkit-action/SKILL.md +150 -0
- package/templates/.claude/skills/dxkit-config/SKILL.md +124 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +109 -0
- package/templates/.claude/skills/dxkit-init/SKILL.md +93 -0
- package/templates/.claude/skills/dxkit-learn/SKILL.md +84 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +111 -0
- package/templates/.devcontainer/devcontainer.json +55 -0
- package/templates/.devcontainer/install-agent-clis.sh +42 -0
- package/templates/.devcontainer/post-create.sh +81 -0
- package/templates/.githooks/pre-commit +55 -0
- package/templates/.githooks/pre-push +63 -0
- package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
- package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
- package/templates/AGENTS.md.template +137 -0
- package/templates/CLAUDE.md.template +16 -245
- package/dist/codebase-scanner.d.ts +0 -36
- package/dist/codebase-scanner.d.ts.map +0 -1
- package/dist/codebase-scanner.js +0 -688
- package/dist/codebase-scanner.js.map +0 -1
- package/dist/project-yaml.d.ts +0 -13
- package/dist/project-yaml.d.ts.map +0 -1
- package/dist/project-yaml.js +0 -188
- package/dist/project-yaml.js.map +0 -1
- package/templates/.ai/README.md +0 -117
- package/templates/.ai/prompts/execution-prompt.md +0 -9
- package/templates/.ai/prompts/planning-prompt.md +0 -18
- package/templates/.ai/prompts/session-end-template.md +0 -182
- package/templates/.ai/prompts/session-end.md +0 -132
- package/templates/.ai/prompts/session-start.md +0 -109
- package/templates/.ai/prompts/step-by-step.md +0 -113
- package/templates/.ai/sessions/.gitkeep +0 -0
- package/templates/.claude/agents/doc-writer.md +0 -107
- package/templates/.claude/agents/knowledge-bot.md +0 -64
- package/templates/.claude/agents/onboarding.md +0 -61
- package/templates/.claude/agents/quality-reviewer.md +0 -85
- package/templates/.claude/agents-available/code-reviewer.md +0 -29
- package/templates/.claude/agents-available/codebase-explorer.md +0 -100
- package/templates/.claude/agents-available/dashboard-builder.md +0 -433
- package/templates/.claude/agents-available/debugger.md +0 -29
- package/templates/.claude/agents-available/dependency-mapper.md +0 -80
- package/templates/.claude/agents-available/dev-report.md +0 -108
- package/templates/.claude/agents-available/doc-writer.md +0 -107
- package/templates/.claude/agents-available/feature-builder.md +0 -163
- package/templates/.claude/agents-available/feature-planner.md +0 -185
- package/templates/.claude/agents-available/health-auditor.md +0 -95
- package/templates/.claude/agents-available/hooks-configurator.md +0 -211
- package/templates/.claude/agents-available/knowledge-bot.md +0 -62
- package/templates/.claude/agents-available/plan-executor.md +0 -133
- package/templates/.claude/agents-available/strategic-planner.md +0 -141
- package/templates/.claude/agents-available/test-gap-finder.md +0 -67
- package/templates/.claude/agents-available/test-writer.md +0 -34
- package/templates/.claude/agents-available/vulnerability-scanner.md +0 -173
- package/templates/.claude/commands/ask.md +0 -7
- package/templates/.claude/commands/build-feature.md +0 -26
- package/templates/.claude/commands/build.md.template +0 -30
- package/templates/.claude/commands/check.md.template +0 -43
- package/templates/.claude/commands/dashboard.md +0 -28
- package/templates/.claude/commands/deps.md +0 -15
- package/templates/.claude/commands/dev-report.md +0 -50
- package/templates/.claude/commands/docs.md +0 -21
- package/templates/.claude/commands/doctor.md +0 -21
- package/templates/.claude/commands/enable-agent.md +0 -12
- package/templates/.claude/commands/execute-plan.md +0 -25
- package/templates/.claude/commands/explore-codebase.md +0 -12
- package/templates/.claude/commands/export-pdf.md +0 -30
- package/templates/.claude/commands/feature.md +0 -25
- package/templates/.claude/commands/fix-issue.md +0 -12
- package/templates/.claude/commands/fix.md.template +0 -32
- package/templates/.claude/commands/health.md +0 -58
- package/templates/.claude/commands/help.md +0 -36
- package/templates/.claude/commands/learn.md +0 -48
- package/templates/.claude/commands/onboarding.md +0 -21
- package/templates/.claude/commands/plan.md +0 -20
- package/templates/.claude/commands/quality.md.template +0 -65
- package/templates/.claude/commands/session-end.md +0 -40
- package/templates/.claude/commands/session-start.md +0 -30
- package/templates/.claude/commands/setup-hooks.md +0 -18
- package/templates/.claude/commands/setup-pr-review.md +0 -72
- package/templates/.claude/commands/stealth-mode.md +0 -17
- package/templates/.claude/commands/test-gaps.md +0 -49
- package/templates/.claude/commands/test.md.template +0 -40
- package/templates/.claude/commands/vulnerabilities.md +0 -49
- package/templates/.claude/skills/build/SKILL.md.template +0 -98
- package/templates/.claude/skills/deploy/SKILL.md.template +0 -131
- package/templates/.claude/skills/deploy/references/gotchas.md +0 -5
- package/templates/.claude/skills/doctor/SKILL.md +0 -54
- package/templates/.claude/skills/gcloud/SKILL.md +0 -66
- package/templates/.claude/skills/gcloud/references/gotchas.md +0 -5
- package/templates/.claude/skills/learned/SKILL.md +0 -55
- package/templates/.claude/skills/learned/references/conventions.md +0 -11
- package/templates/.claude/skills/learned/references/deny-recommendations.md +0 -18
- package/templates/.claude/skills/learned/references/gotchas.md +0 -11
- package/templates/.claude/skills/pulumi/SKILL.md +0 -73
- package/templates/.claude/skills/quality/SKILL.md.template +0 -108
- package/templates/.claude/skills/quality/references/gotchas.md +0 -5
- package/templates/.claude/skills/review/SKILL.md.template +0 -73
- package/templates/.claude/skills/scaffold/SKILL.md.template +0 -123
- package/templates/.claude/skills/secrets/SKILL.md +0 -52
- package/templates/.claude/skills/session/SKILL.md +0 -43
- package/templates/.claude/skills/test/SKILL.md.template +0 -122
- package/templates/.claude/skills/test/references/gotchas.md +0 -5
- package/templates/.devcontainer/Dockerfile.dev.template +0 -89
- package/templates/.devcontainer/devcontainer.json.template +0 -184
- package/templates/.devcontainer/docker-compose.yml.template +0 -105
- package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
- package/templates/.devcontainer/post-create.sh.template +0 -298
- package/templates/.github/workflows/ci.yml.template +0 -399
- package/templates/.github/workflows/quality.yml.template +0 -376
- package/templates/.pre-commit-config.yaml.template +0 -106
- package/templates/.project/config/edit_config.py +0 -275
- package/templates/.project/config/project_config.py +0 -894
- package/templates/.project/scripts/codegen/generate-all.sh +0 -20
- package/templates/.project/scripts/codegen/validate-all.sh +0 -17
- package/templates/.project/scripts/docs/generate-all.sh +0 -30
- package/templates/.project/scripts/docs/serve.sh +0 -20
- package/templates/.project/scripts/quality/fix-all.sh +0 -138
- package/templates/.project/scripts/quality/lint-go.sh +0 -34
- package/templates/.project/scripts/quality/lint-python.sh +0 -54
- package/templates/.project/scripts/quality/run-all.sh +0 -497
- package/templates/.project/scripts/session/commit.sh +0 -70
- package/templates/.project/scripts/session/create-pr.sh +0 -165
- package/templates/.project/scripts/session/end.sh +0 -207
- package/templates/.project/scripts/session/start.sh +0 -233
- package/templates/.project/scripts/setup/doctor.sh +0 -404
- package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
- package/templates/.project/scripts/sync/sync-template.sh +0 -328
- package/templates/.project/scripts/test/run-all.sh +0 -179
- package/templates/.project/scripts/test/run-quick.sh +0 -25
- package/templates/Makefile +0 -514
- package/templates/config/versions.yaml +0 -57
- package/templates/configs/go/.golangci.yml.template +0 -172
- package/templates/configs/go/go.mod.template +0 -15
- package/templates/configs/java/README.md +0 -6
- package/templates/configs/kotlin/README.md +0 -6
- package/templates/configs/node/package.json.template +0 -67
- package/templates/configs/node/tsconfig.json.template +0 -53
- package/templates/configs/python/pyproject.toml.template +0 -92
- package/templates/configs/python/pytest.ini.template +0 -64
- package/templates/configs/python/ruff.toml.template +0 -79
- package/templates/configs/ruby/README.md +0 -6
- package/templates/configs/rust/Cargo.toml.template +0 -51
- package/templates/configs/shared/.editorconfig +0 -67
- package/templates/scripts/validate-templates.sh +0 -449
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,318 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.5.1] - 2026-05-20
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- New `vyuh-dxkit hooks activate` CLI subcommand. Idempotently sets
|
|
15
|
+
`core.hooksPath = .githooks`. Wired into `init`'s scaffolded
|
|
16
|
+
`package.json` as a `postinstall` script so every clone plus
|
|
17
|
+
`npm install` activates the dxkit hooks transparently — no more
|
|
18
|
+
one-time-per-clone manual step.
|
|
19
|
+
- New `--with-dxkit-agents` `init` flag (default-on under `--full`).
|
|
20
|
+
Installs six dxkit-specific skills under `.claude/skills/dxkit-*/`
|
|
21
|
+
(`learn` / `init` / `config` / `hooks` / `reports` / `action`)
|
|
22
|
+
alongside `AGENTS.md` (open-standard project context) and a small
|
|
23
|
+
`CLAUDE.md` shim. The skills wrap the `vyuh-dxkit` CLI as
|
|
24
|
+
workflow-aware surfaces that Claude Code auto-discovers via skill
|
|
25
|
+
frontmatter.
|
|
26
|
+
- New optional `LanguageSupport.devcontainerFeature?` field. Each
|
|
27
|
+
language pack declares its canonical `ghcr.io/devcontainers/features`
|
|
28
|
+
entry; `installDevcontainer` renders the per-stack features block.
|
|
29
|
+
Cold devcontainer rebuilds drop from ~25 minutes (every supported
|
|
30
|
+
toolchain installed) to ~7 minutes on a pure-TypeScript repo
|
|
31
|
+
(only the toolchains the repo actually needs).
|
|
32
|
+
- New optional `ToolDefinition.applicabilityGuard?` field. Tools
|
|
33
|
+
whose preconditions aren't met on the current repo
|
|
34
|
+
(e.g. `vitest-coverage` on a mocha-based codebase) now report as
|
|
35
|
+
`n/a` with an inline reason instead of inflating the
|
|
36
|
+
missing-count. `tools install` filters n/a entries from the
|
|
37
|
+
install loop.
|
|
38
|
+
- New `@vyuhlabs/create-dxkit` shim package (zero dependencies; code
|
|
39
|
+
shipped under `packages/create-dxkit/`). First npm publish is a
|
|
40
|
+
manual tag-and-release step after this version lands on main.
|
|
41
|
+
Once published, `npm init @vyuhlabs/dxkit` will collapse the
|
|
42
|
+
prior two-step first install (`npm i -D @vyuhlabs/dxkit && npx
|
|
43
|
+
vyuh-dxkit init`) into one command.
|
|
44
|
+
|
|
45
|
+
### Changed
|
|
46
|
+
|
|
47
|
+
- The generic 73-file `.claude/` scaffold (`agents/`,
|
|
48
|
+
`agents-available/`, `commands/`, generic skills, etc.) is replaced
|
|
49
|
+
with six dxkit-specific skills plus `AGENTS.md` and the
|
|
50
|
+
`CLAUDE.md` shim. Customers upgrading keep their existing
|
|
51
|
+
`.claude/` (`init` is additive — won't overwrite without
|
|
52
|
+
`--force`). Fresh `--full` installs now land ~20 files instead of
|
|
53
|
+
~73, focused entirely on equipping coding agents to drive the
|
|
54
|
+
dxkit CLI safely.
|
|
55
|
+
- `post-create.sh` now falls back through a three-step npm install
|
|
56
|
+
chain (`npm ci` → `npm install` → `npm install --legacy-peer-deps`)
|
|
57
|
+
so brownfield Node monorepos with peer-dep tangles survive the
|
|
58
|
+
devcontainer post-create cleanly.
|
|
59
|
+
- `doctor` no longer checks for the deleted generic scaffold files.
|
|
60
|
+
It now reports an `X/6 dxkit-* skills present` tally plus an
|
|
61
|
+
`AGENTS.md` presence check, giving customers a clearer signal of
|
|
62
|
+
what's missing on partially-scaffolded repos.
|
|
63
|
+
|
|
64
|
+
### Fixed
|
|
65
|
+
|
|
66
|
+
- Graphify's on-disk cache no longer leaks `graphify-out/cache/` into
|
|
67
|
+
consumer repos. The temp-dir redirection monkey-patch now fires
|
|
68
|
+
before the first graphify call; `graphify-out/` is also added to
|
|
69
|
+
the scaffolded `.gitignore` defensively.
|
|
70
|
+
|
|
71
|
+
### Deferred to next polish release
|
|
72
|
+
|
|
73
|
+
The following items rolled out of this release and will ship in
|
|
74
|
+
2.5.2 (or bundle into 2.6 depending on the marketplace decision):
|
|
75
|
+
|
|
76
|
+
- `vyuh-dxkit setup-branch-protection` CLI (wraps `gh api` for
|
|
77
|
+
branch-protection enforcement).
|
|
78
|
+
- `vyuh-dxkit setup-prebuild` CLI (wraps `gh api` for Codespaces
|
|
79
|
+
prebuilds — cold-start cuts from ~25 minutes to ~30 seconds).
|
|
80
|
+
- Full `doctor` pivot to onboarding-health checks (hooks active,
|
|
81
|
+
branch protection set, baseline current). This release partially
|
|
82
|
+
shipped the pivot — the generic-scaffold checks were dropped — but
|
|
83
|
+
the new positive checks await the two CLI subcommands above.
|
|
84
|
+
- CI tool cache via `actions/cache@v4` on the scanner toolchain in
|
|
85
|
+
`dxkit-guardrails.yml`.
|
|
86
|
+
|
|
87
|
+
## [2.5.0] - 2026-05-18
|
|
88
|
+
|
|
89
|
+
### Summary
|
|
90
|
+
|
|
91
|
+
2.5.0 introduces **commit-time guardrails** — a per-finding baseline
|
|
92
|
+
captured once on a brownfield repo, then diffed against every
|
|
93
|
+
subsequent scan to detect net-new regressions while grandfathering
|
|
94
|
+
existing debt. Existing issues stay where they are, new ones block.
|
|
95
|
+
|
|
96
|
+
This release also **prunes the legacy task-runner scaffolding** that
|
|
97
|
+
prior versions of `init --full` bundled (Makefile, `.project/` task
|
|
98
|
+
scripts, `.ai/` prompt scaffolding, per-language config templates,
|
|
99
|
+
non-dxkit CI workflows, `.editorconfig`, `.pre-commit-config.yaml`).
|
|
100
|
+
The agent DX surface is now the sole `init --full` output —
|
|
101
|
+
`init --full` lands 73 files (down from 119), every one of them
|
|
102
|
+
focused on equipping AI coding agents to operate safely on the
|
|
103
|
+
codebase. Customers who relied on the legacy scaffolding can use
|
|
104
|
+
`@vyuhlabs/create-devstack` for greenfield project bootstrap.
|
|
105
|
+
|
|
106
|
+
The release ships three coordinated surfaces:
|
|
107
|
+
|
|
108
|
+
1. **A new `baseline` / `guardrail` CLI** that captures stable
|
|
109
|
+
per-finding identities, diffs current scans against them, and
|
|
110
|
+
classifies each pair (`added` / `relocated` / `tooling_drift` /
|
|
111
|
+
`config_drift` / `persisted` / `removed` / `fixed`) with a
|
|
112
|
+
confidence score and structured reasons. The classifier ships
|
|
113
|
+
with a **scanner-wobble demotion** that converts `added` findings
|
|
114
|
+
on UNCHANGED lines into `uncertain` (warn) for high-wobble kinds
|
|
115
|
+
(`code`, `hygiene`), so semgrep's per-run non-determinism on
|
|
116
|
+
large codebases doesn't trigger false-positive blocks. Findings
|
|
117
|
+
inside the diff's changed lines still block — real regressions
|
|
118
|
+
are caught. Customers can extend or clear the kind list via
|
|
119
|
+
`addedRequiresChangedLines` in `.dxkit/policy.json`.
|
|
120
|
+
2. **Init-installable templates** for the pre-push guardrail hook,
|
|
121
|
+
a devcontainer with pinned toolchains + Claude Code & Codex
|
|
122
|
+
CLIs, a GitHub Actions PR-gate workflow that posts a markdown
|
|
123
|
+
summary as a PR comment, and a post-merge baseline-refresh
|
|
124
|
+
workflow that keeps the anchor current. Pre-commit + AI-PR-
|
|
125
|
+
review are opt-in via `--with-precommit-hook` and
|
|
126
|
+
`--with-pr-review` respectively (slow on large repos / requires
|
|
127
|
+
API-cost opt-in). Every `init` also seeds `.gitignore` entries
|
|
128
|
+
for the analyzer runtime outputs (`.dxkit/reports/`,
|
|
129
|
+
`.dxkit/dashboard.html`) and writes a starter `.dxkit-ignore`
|
|
130
|
+
template for dxkit-specific scan-exclusion tuning.
|
|
131
|
+
3. **Aggregate-gate flags** (`--fail-on-score`, `--fail-on-severity`)
|
|
132
|
+
on every analyzer command, plus a stable JSON schema banner on
|
|
133
|
+
every `--json` output so consumers can version-gate.
|
|
134
|
+
|
|
135
|
+
Tests: ~1530 unit + integration cases pass on the integrated branch
|
|
136
|
+
(up from 1265 at the 2.4.8 baseline; +265 across fingerprinting,
|
|
137
|
+
producers, policy, matcher, ship installers, the smart classifier,
|
|
138
|
+
opt-in hook + workflow installers, and the CLI surface).
|
|
139
|
+
|
|
140
|
+
#### New CLI surface
|
|
141
|
+
|
|
142
|
+
```bash
|
|
143
|
+
vyuh-dxkit baseline create [path] [--name <name>] [--force]
|
|
144
|
+
[--verbose]
|
|
145
|
+
vyuh-dxkit baseline show [path] [--name <name>] [--baseline <p>]
|
|
146
|
+
[--kind <kind>] [--json]
|
|
147
|
+
vyuh-dxkit guardrail check [path] [--name <name>] [--baseline <p>]
|
|
148
|
+
[--changed-only] [--policy <p>]
|
|
149
|
+
[--json | --markdown]
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
- `baseline create` runs every analyzer, fingerprints each per-
|
|
153
|
+
finding entity through the canonical identity dispatcher
|
|
154
|
+
(`src/baseline/finding-identity.ts`), and writes
|
|
155
|
+
`.dxkit/baselines/<name>.json`. Schema-versioned
|
|
156
|
+
(`dxkit-baseline/v1`); commit it.
|
|
157
|
+
- `baseline show` pretty-prints the on-disk baseline, optionally
|
|
158
|
+
filtered by kind or emitted as a schema-banner-wrapped JSON.
|
|
159
|
+
- `guardrail check` loads the baseline, re-runs the analyzers,
|
|
160
|
+
matches via the git-aware matcher (`-M` renames, ±2 line fuzz,
|
|
161
|
+
content-hash fallback for shallow clones), classifies each pair
|
|
162
|
+
through the brownfield policy, and exits 1 when the policy
|
|
163
|
+
blocks. Output modes: console (default), `--json` (schema
|
|
164
|
+
`dxkit.guardrail-check.v1`), or `--markdown` (used by the PR-
|
|
165
|
+
gate workflow to post a comment).
|
|
166
|
+
|
|
167
|
+
The full read/write/compare triplet flows through a registered
|
|
168
|
+
producer pipeline (`src/baseline/producers/index.ts:PRODUCERS`) —
|
|
169
|
+
adding a new identity kind means registering a producer, not
|
|
170
|
+
editing the orchestrator. Architectural rule documented in
|
|
171
|
+
`CLAUDE.md` Rule 10 with three enforcement gates (arch check +
|
|
172
|
+
contract test + synthetic-producer playbook).
|
|
173
|
+
|
|
174
|
+
#### Aggregate gates + schema banner
|
|
175
|
+
|
|
176
|
+
Every analyzer command (`health`, `test-gaps`, `quality`,
|
|
177
|
+
`vulnerabilities`, `bom`) gains composable exit-code gates:
|
|
178
|
+
|
|
179
|
+
- `--fail-on-score <N>` — exit 1 when the headline score drops
|
|
180
|
+
below N (applies to `health`, `test-gaps`).
|
|
181
|
+
- `--fail-on-severity <tier>` — exit 1 when any finding at `<tier>`
|
|
182
|
+
or higher exists (applies to `vulnerabilities`, `bom`; tier ∈
|
|
183
|
+
critical / high / medium / low).
|
|
184
|
+
|
|
185
|
+
Every `--json` output carries a top-level
|
|
186
|
+
`schema: 'dxkit.<kind>-report.v1'` banner so consumers can version-
|
|
187
|
+
gate against future schema migrations.
|
|
188
|
+
|
|
189
|
+
#### `vyuh-dxkit init` ship flags
|
|
190
|
+
|
|
191
|
+
`init` gains four new flags, all implied by `--full`:
|
|
192
|
+
|
|
193
|
+
- `--with-hooks` writes `.githooks/pre-commit` (fast,
|
|
194
|
+
`--changed-only`) and `.githooks/pre-push` (full).
|
|
195
|
+
- `--with-devcontainer` writes a lightweight `.devcontainer/`
|
|
196
|
+
layering all seven supported language toolchains via devcontainer
|
|
197
|
+
features + a `post-create.sh` that runs `vyuh-dxkit tools install
|
|
198
|
+
--yes` to provision the scanner toolchain pinned in the registry
|
|
199
|
+
+ `install-agent-clis.sh` that installs Claude Code + OpenAI
|
|
200
|
+
Codex CLIs (opt out of either with `CLAUDE_CODE_VERSION=skip` /
|
|
201
|
+
`CODEX_VERSION=skip`).
|
|
202
|
+
- `--with-ci` writes `.github/workflows/dxkit-guardrails.yml` (PR-
|
|
203
|
+
gate that posts a markdown summary as a PR comment, updating in
|
|
204
|
+
place across pushes via an HTML marker).
|
|
205
|
+
- `--with-baseline-refresh` writes
|
|
206
|
+
`.github/workflows/dxkit-baseline-refresh.yml` (regenerates the
|
|
207
|
+
baseline on every push to the consumer's default branch and
|
|
208
|
+
auto-commits with `[skip ci]`). The default-branch name is
|
|
209
|
+
detected at install time from the consumer's git state, with
|
|
210
|
+
fallbacks for `main` / `master` / `trunk` / `develop`.
|
|
211
|
+
|
|
212
|
+
Installs are **additive by default**. Existing `.githooks/<hook>`
|
|
213
|
+
or `.husky/<hook>` files trigger a `.dxkit` sidecar + merge note
|
|
214
|
+
instead of an overwrite. An existing `.devcontainer/devcontainer.json`
|
|
215
|
+
stashes the full dxkit set under `.devcontainer/.dxkit-reference/`
|
|
216
|
+
for manual merge. Workflow files are uniquely named so they don't
|
|
217
|
+
collide; if our exact filename already exists, init skips it. The
|
|
218
|
+
`--force` flag overrides every additive fallback and writes in
|
|
219
|
+
place.
|
|
220
|
+
|
|
221
|
+
#### Brownfield policy
|
|
222
|
+
|
|
223
|
+
`.dxkit/policy.json` (auto-discovered at the repo root) tunes which
|
|
224
|
+
classifications block vs warn, per-severity confidence thresholds
|
|
225
|
+
that demote low-quality matches to `uncertain`, and per-finding-kind
|
|
226
|
+
block rules (`newSecret`, `newCriticalSecurity`,
|
|
227
|
+
`newCriticalDependencyVulnerability`, etc.). Compiled-in defaults
|
|
228
|
+
ship a conservative posture: block on `added`, warn on
|
|
229
|
+
`tooling_drift` / `config_drift` / `newly_detected` /
|
|
230
|
+
`probable_existing` / `uncertain`. The `--policy <path>` flag
|
|
231
|
+
overrides auto-discovery; when no policy is found, the defaults
|
|
232
|
+
apply.
|
|
233
|
+
|
|
234
|
+
#### Architectural fixes surfaced by the customer-repo audit
|
|
235
|
+
|
|
236
|
+
A pre-ship audit on three real customer repositories (a 444-source
|
|
237
|
+
TypeScript backend, a 553-source TypeScript frontend, and a
|
|
238
|
+
.NET WinForms project) surfaced four drift classes between the
|
|
239
|
+
report aggregates and the per-finding identity sets the baseline
|
|
240
|
+
captures. All four are closed in 2.5.0:
|
|
241
|
+
|
|
242
|
+
1. **Large-file producer was capped at top 10.** The gather layer
|
|
243
|
+
pre-sliced `largestFiles` to ten entries for the markdown
|
|
244
|
+
renderer's "Top Files by Size" table; the baseline producer
|
|
245
|
+
inherited the cap and silently dropped per-file identity for
|
|
246
|
+
every oversized file beyond the first ten. A real customer
|
|
247
|
+
brownfield with 47 files over 500 lines saw 10 baseline entries;
|
|
248
|
+
the .NET project with 926 oversized files saw 10. The gather now
|
|
249
|
+
emits every file over the 500-line threshold sorted descending;
|
|
250
|
+
the renderer adds an explicit `.slice(0, 10)` at the table site.
|
|
251
|
+
`HealthMetrics.filesOver500Lines` aggregate now matches the
|
|
252
|
+
per-kind count in the baseline byte for byte. Combined recovery
|
|
253
|
+
across the three audit repos: 1,087 previously-silently-missed
|
|
254
|
+
`large-file` findings now flow into baselines.
|
|
255
|
+
|
|
256
|
+
2. **Secret-HMAC producer emitted duplicates.** When the same
|
|
257
|
+
secret value appeared at multiple locations — the same token on
|
|
258
|
+
two lines of one file, a leaked key in both `.env` and
|
|
259
|
+
`src/config.ts`, or two overlapping gitleaks rules firing on the
|
|
260
|
+
same line — the producer wrote multiple entries with identical
|
|
261
|
+
`(rule, hmac)` identity. Identity sets aren't supposed to have
|
|
262
|
+
duplicates by definition. Now a per-call `Set<string>` keyed on
|
|
263
|
+
the computed identity collapses repeats; first write wins,
|
|
264
|
+
output order is stable.
|
|
265
|
+
|
|
266
|
+
3. **Tools-map version probes occasionally cached `'present'`
|
|
267
|
+
under load.** The per-process version cache locks the first
|
|
268
|
+
probe's outcome to keep `toolchainHash` byte-stable across two
|
|
269
|
+
back-to-back gathers (a previously-shipped flake closure). But
|
|
270
|
+
when the first `execSync(<tool> --version)` raced its 5-second
|
|
271
|
+
timeout under heavy CPU load — parallel scanner pools or the
|
|
272
|
+
post-merge workflow doing two scans in series — the cache locked
|
|
273
|
+
the `'present'` fallback for the rest of the process. The tools
|
|
274
|
+
map in the baseline file then read `gitleaks@present` instead of
|
|
275
|
+
a real version, and the next run flagged spurious tooling-drift.
|
|
276
|
+
The fix retries the version probe up to three times before
|
|
277
|
+
falling back; each attempt is fresh. The cache layer is
|
|
278
|
+
unchanged — once a value settles (real version or genuine
|
|
279
|
+
`'present'`), it's locked for the rest of the process.
|
|
280
|
+
|
|
281
|
+
4. **TypeScript license enrichment could stall the entire licenses
|
|
282
|
+
capability.** `gatherTsLicensesResult` calls `enrichReleaseDates`
|
|
283
|
+
after license-checker returns to populate the optional
|
|
284
|
+
`releaseDate` field from the npm registry. The enrichment runs
|
|
285
|
+
with 20-way concurrency, 10s per request — usually fast — but a
|
|
286
|
+
flaky network or rate-limited registry can push a 700-package
|
|
287
|
+
run past the dispatcher's 720-second deadline. When that
|
|
288
|
+
happens, the entire licenses capability is dropped and the
|
|
289
|
+
baseline silently loses every license entry. On the TypeScript
|
|
290
|
+
frontend audit repo, license-checker itself returned 749KB of
|
|
291
|
+
JSON in under 10 seconds when invoked manually; the enrichment
|
|
292
|
+
stalled the whole capability. Now the enrichment is raced
|
|
293
|
+
against a 60-second wall-clock budget; on timeout, the license
|
|
294
|
+
findings still emit with their static fields and `releaseDate`
|
|
295
|
+
is left unset on the unenriched ones. A previously-zero baseline
|
|
296
|
+
now captures 1,897 license entries on that repo.
|
|
297
|
+
|
|
298
|
+
Together these four fixes recover **~3,000 baseline findings** that
|
|
299
|
+
were being silently dropped on real customer repos pre-2.5.0.
|
|
300
|
+
|
|
301
|
+
#### Migration guidance for 2.4.x users
|
|
302
|
+
|
|
303
|
+
No breaking changes. Existing analyzer commands continue to work
|
|
304
|
+
exactly as before. The new commands and flags are additive.
|
|
305
|
+
|
|
306
|
+
To start using guardrails on an existing repo:
|
|
307
|
+
|
|
308
|
+
```bash
|
|
309
|
+
vyuh-dxkit init --with-hooks --with-ci --with-baseline-refresh
|
|
310
|
+
git config core.hooksPath .githooks
|
|
311
|
+
vyuh-dxkit baseline create
|
|
312
|
+
git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
|
|
313
|
+
git commit -m "chore: enable dxkit guardrails"
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
See [`docs/getting-started.md`](docs/getting-started.md),
|
|
317
|
+
[`docs/commands/baseline.md`](docs/commands/baseline.md),
|
|
318
|
+
[`docs/commands/guardrail.md`](docs/commands/guardrail.md), and
|
|
319
|
+
[`docs/configuration/policy.md`](docs/configuration/policy.md) for
|
|
320
|
+
the full walkthrough.
|
|
321
|
+
|
|
10
322
|
## [2.4.8] - 2026-05-18
|
|
11
323
|
|
|
12
324
|
### Summary
|
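Review bot: In the migration block (added lines 309-313), `git config core.hooksPath .githooks` writes to the local clone's `.git/config` and is not captured by the `git add` / `git commit` that follow, so the hooks are active only on clones where someone has run that command. Say so next to the snippet, state that each contributor has to run it after cloning, and point to the committed `.github/workflows/dxkit-*.yml` workflows if those are meant to be the check that does not depend on local setup. Separately, item 2 lists "two overlapping gitleaks rules firing on the same line" as a source of entries with identical `(rule, hmac)` identity, but two different rules would give two different `rule` values; clarify whether the rule is normalized before the identity is computed, or drop that case from the list. Item 3 should also state that after three failed probes the `'present'` fallback is still locked for the rest of the process, so `gitleaks@present` and the resulting tooling-drift warning remain possible under sustained load.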