@vyuhlabs/dxkit 2.4.8 → 2.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (319)
  1. package/CHANGELOG.md +312 -0
  2. package/README.md +360 -439
  3. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  4. package/dist/analyzers/security/aggregator.js +4 -46
  5. package/dist/analyzers/security/aggregator.js.map +1 -1
  6. package/dist/analyzers/tools/fingerprint.d.ts +91 -26
  7. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  8. package/dist/analyzers/tools/fingerprint.js +111 -22
  9. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  10. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  11. package/dist/analyzers/tools/generic.js +6 -1
  12. package/dist/analyzers/tools/generic.js.map +1 -1
  13. package/dist/analyzers/tools/gitleaks.d.ts +24 -1
  14. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  15. package/dist/analyzers/tools/gitleaks.js +20 -11
  16. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  17. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  18. package/dist/analyzers/tools/graphify.js +9 -5
  19. package/dist/analyzers/tools/graphify.js.map +1 -1
  20. package/dist/analyzers/tools/tool-registry.d.ts +19 -1
  21. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  22. package/dist/analyzers/tools/tool-registry.js +25 -0
  23. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  24. package/dist/analyzers/types.d.ts +6 -4
  25. package/dist/analyzers/types.d.ts.map +1 -1
  26. package/dist/baseline/baseline-file.d.ts +104 -0
  27. package/dist/baseline/baseline-file.d.ts.map +1 -0
  28. package/dist/baseline/baseline-file.js +110 -0
  29. package/dist/baseline/baseline-file.js.map +1 -0
  30. package/dist/baseline/check-renderers.d.ts +108 -0
  31. package/dist/baseline/check-renderers.d.ts.map +1 -0
  32. package/dist/baseline/check-renderers.js +379 -0
  33. package/dist/baseline/check-renderers.js.map +1 -0
  34. package/dist/baseline/check.d.ts +127 -0
  35. package/dist/baseline/check.d.ts.map +1 -0
  36. package/dist/baseline/check.js +462 -0
  37. package/dist/baseline/check.js.map +1 -0
  38. package/dist/baseline/content-hash.d.ts +83 -0
  39. package/dist/baseline/content-hash.d.ts.map +1 -0
  40. package/dist/baseline/content-hash.js +131 -0
  41. package/dist/baseline/content-hash.js.map +1 -0
  42. package/dist/baseline/create.d.ts +96 -0
  43. package/dist/baseline/create.d.ts.map +1 -0
  44. package/dist/baseline/create.js +339 -0
  45. package/dist/baseline/create.js.map +1 -0
  46. package/dist/baseline/entry-to-located.d.ts +35 -0
  47. package/dist/baseline/entry-to-located.d.ts.map +1 -0
  48. package/dist/baseline/entry-to-located.js +72 -0
  49. package/dist/baseline/entry-to-located.js.map +1 -0
  50. package/dist/baseline/finding-identity.d.ts +47 -0
  51. package/dist/baseline/finding-identity.d.ts.map +1 -0
  52. package/dist/baseline/finding-identity.js +292 -0
  53. package/dist/baseline/finding-identity.js.map +1 -0
  54. package/dist/baseline/git-aware-match.d.ts +146 -0
  55. package/dist/baseline/git-aware-match.d.ts.map +1 -0
  56. package/dist/baseline/git-aware-match.js +439 -0
  57. package/dist/baseline/git-aware-match.js.map +1 -0
  58. package/dist/baseline/policy.d.ts +171 -0
  59. package/dist/baseline/policy.d.ts.map +1 -0
  60. package/dist/baseline/policy.js +206 -0
  61. package/dist/baseline/policy.js.map +1 -0
  62. package/dist/baseline/producers/health.d.ts +30 -0
  63. package/dist/baseline/producers/health.d.ts.map +1 -0
  64. package/dist/baseline/producers/health.js +42 -0
  65. package/dist/baseline/producers/health.js.map +1 -0
  66. package/dist/baseline/producers/index.d.ts +164 -0
  67. package/dist/baseline/producers/index.d.ts.map +1 -0
  68. package/dist/baseline/producers/index.js +200 -0
  69. package/dist/baseline/producers/index.js.map +1 -0
  70. package/dist/baseline/producers/licenses.d.ts +23 -0
  71. package/dist/baseline/producers/licenses.d.ts.map +1 -0
  72. package/dist/baseline/producers/licenses.js +46 -0
  73. package/dist/baseline/producers/licenses.js.map +1 -0
  74. package/dist/baseline/producers/quality.d.ts +39 -0
  75. package/dist/baseline/producers/quality.d.ts.map +1 -0
  76. package/dist/baseline/producers/quality.js +84 -0
  77. package/dist/baseline/producers/quality.js.map +1 -0
  78. package/dist/baseline/producers/secret-hmac.d.ts +45 -0
  79. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
  80. package/dist/baseline/producers/secret-hmac.js +70 -0
  81. package/dist/baseline/producers/secret-hmac.js.map +1 -0
  82. package/dist/baseline/producers/security.d.ts +59 -0
  83. package/dist/baseline/producers/security.d.ts.map +1 -0
  84. package/dist/baseline/producers/security.js +135 -0
  85. package/dist/baseline/producers/security.js.map +1 -0
  86. package/dist/baseline/producers/tests.d.ts +36 -0
  87. package/dist/baseline/producers/tests.d.ts.map +1 -0
  88. package/dist/baseline/producers/tests.js +69 -0
  89. package/dist/baseline/producers/tests.js.map +1 -0
  90. package/dist/baseline/salt.d.ts +45 -0
  91. package/dist/baseline/salt.d.ts.map +1 -0
  92. package/dist/baseline/salt.js +113 -0
  93. package/dist/baseline/salt.js.map +1 -0
  94. package/dist/baseline/show.d.ts +79 -0
  95. package/dist/baseline/show.d.ts.map +1 -0
  96. package/dist/baseline/show.js +233 -0
  97. package/dist/baseline/show.js.map +1 -0
  98. package/dist/baseline/types.d.ts +482 -0
  99. package/dist/baseline/types.d.ts.map +1 -0
  100. package/dist/baseline/types.js +53 -0
  101. package/dist/baseline/types.js.map +1 -0
  102. package/dist/cli.d.ts.map +1 -1
  103. package/dist/cli.js +398 -82
  104. package/dist/cli.js.map +1 -1
  105. package/dist/constants.d.ts.map +1 -1
  106. package/dist/constants.js +0 -4
  107. package/dist/constants.js.map +1 -1
  108. package/dist/doctor.d.ts.map +1 -1
  109. package/dist/doctor.js +39 -35
  110. package/dist/doctor.js.map +1 -1
  111. package/dist/fail-on.d.ts +84 -0
  112. package/dist/fail-on.d.ts.map +1 -0
  113. package/dist/fail-on.js +128 -0
  114. package/dist/fail-on.js.map +1 -0
  115. package/dist/generator.d.ts +1 -1
  116. package/dist/generator.d.ts.map +1 -1
  117. package/dist/generator.js +81 -274
  118. package/dist/generator.js.map +1 -1
  119. package/dist/hooks-cli.d.ts +20 -0
  120. package/dist/hooks-cli.d.ts.map +1 -0
  121. package/dist/hooks-cli.js +145 -0
  122. package/dist/hooks-cli.js.map +1 -0
  123. package/dist/languages/csharp.d.ts.map +1 -1
  124. package/dist/languages/csharp.js +4 -9
  125. package/dist/languages/csharp.js.map +1 -1
  126. package/dist/languages/go.d.ts.map +1 -1
  127. package/dist/languages/go.js +3 -14
  128. package/dist/languages/go.js.map +1 -1
  129. package/dist/languages/index.d.ts +19 -1
  130. package/dist/languages/index.d.ts.map +1 -1
  131. package/dist/languages/index.js +32 -0
  132. package/dist/languages/index.js.map +1 -1
  133. package/dist/languages/java.d.ts.map +1 -1
  134. package/dist/languages/java.js +4 -6
  135. package/dist/languages/java.js.map +1 -1
  136. package/dist/languages/kotlin.d.ts.map +1 -1
  137. package/dist/languages/kotlin.js +9 -11
  138. package/dist/languages/kotlin.js.map +1 -1
  139. package/dist/languages/python.d.ts.map +1 -1
  140. package/dist/languages/python.js +4 -15
  141. package/dist/languages/python.js.map +1 -1
  142. package/dist/languages/ruby.d.ts.map +1 -1
  143. package/dist/languages/ruby.js +4 -6
  144. package/dist/languages/ruby.js.map +1 -1
  145. package/dist/languages/rust.d.ts.map +1 -1
  146. package/dist/languages/rust.js +4 -4
  147. package/dist/languages/rust.js.map +1 -1
  148. package/dist/languages/types.d.ts +29 -28
  149. package/dist/languages/types.d.ts.map +1 -1
  150. package/dist/languages/typescript.d.ts.map +1 -1
  151. package/dist/languages/typescript.js +31 -4
  152. package/dist/languages/typescript.js.map +1 -1
  153. package/dist/lib.d.ts +2 -3
  154. package/dist/lib.d.ts.map +1 -1
  155. package/dist/lib.js +3 -6
  156. package/dist/lib.js.map +1 -1
  157. package/dist/prompts.d.ts.map +1 -1
  158. package/dist/prompts.js +0 -10
  159. package/dist/prompts.js.map +1 -1
  160. package/dist/report-schema.d.ts +42 -0
  161. package/dist/report-schema.d.ts.map +1 -0
  162. package/dist/report-schema.js +54 -0
  163. package/dist/report-schema.js.map +1 -0
  164. package/dist/ship-installers.d.ts +112 -0
  165. package/dist/ship-installers.d.ts.map +1 -0
  166. package/dist/ship-installers.js +530 -0
  167. package/dist/ship-installers.js.map +1 -0
  168. package/dist/tools-cli.d.ts.map +1 -1
  169. package/dist/tools-cli.js +45 -9
  170. package/dist/tools-cli.js.map +1 -1
  171. package/dist/types.d.ts +0 -4
  172. package/dist/types.d.ts.map +1 -1
  173. package/dist/update.d.ts.map +1 -1
  174. package/dist/update.js +0 -4
  175. package/dist/update.js.map +1 -1
  176. package/package.json +17 -11
  177. package/templates/.claude/skills/dxkit-action/SKILL.md +150 -0
  178. package/templates/.claude/skills/dxkit-config/SKILL.md +124 -0
  179. package/templates/.claude/skills/dxkit-hooks/SKILL.md +109 -0
  180. package/templates/.claude/skills/dxkit-init/SKILL.md +93 -0
  181. package/templates/.claude/skills/dxkit-learn/SKILL.md +84 -0
  182. package/templates/.claude/skills/dxkit-reports/SKILL.md +111 -0
  183. package/templates/.devcontainer/devcontainer.json +55 -0
  184. package/templates/.devcontainer/install-agent-clis.sh +42 -0
  185. package/templates/.devcontainer/post-create.sh +81 -0
  186. package/templates/.githooks/pre-commit +55 -0
  187. package/templates/.githooks/pre-push +63 -0
  188. package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
  189. package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
  190. package/templates/AGENTS.md.template +137 -0
  191. package/templates/CLAUDE.md.template +16 -245
  192. package/dist/codebase-scanner.d.ts +0 -36
  193. package/dist/codebase-scanner.d.ts.map +0 -1
  194. package/dist/codebase-scanner.js +0 -688
  195. package/dist/codebase-scanner.js.map +0 -1
  196. package/dist/project-yaml.d.ts +0 -13
  197. package/dist/project-yaml.d.ts.map +0 -1
  198. package/dist/project-yaml.js +0 -188
  199. package/dist/project-yaml.js.map +0 -1
  200. package/templates/.ai/README.md +0 -117
  201. package/templates/.ai/prompts/execution-prompt.md +0 -9
  202. package/templates/.ai/prompts/planning-prompt.md +0 -18
  203. package/templates/.ai/prompts/session-end-template.md +0 -182
  204. package/templates/.ai/prompts/session-end.md +0 -132
  205. package/templates/.ai/prompts/session-start.md +0 -109
  206. package/templates/.ai/prompts/step-by-step.md +0 -113
  207. package/templates/.ai/sessions/.gitkeep +0 -0
  208. package/templates/.claude/agents/doc-writer.md +0 -107
  209. package/templates/.claude/agents/knowledge-bot.md +0 -64
  210. package/templates/.claude/agents/onboarding.md +0 -61
  211. package/templates/.claude/agents/quality-reviewer.md +0 -85
  212. package/templates/.claude/agents-available/code-reviewer.md +0 -29
  213. package/templates/.claude/agents-available/codebase-explorer.md +0 -100
  214. package/templates/.claude/agents-available/dashboard-builder.md +0 -433
  215. package/templates/.claude/agents-available/debugger.md +0 -29
  216. package/templates/.claude/agents-available/dependency-mapper.md +0 -80
  217. package/templates/.claude/agents-available/dev-report.md +0 -108
  218. package/templates/.claude/agents-available/doc-writer.md +0 -107
  219. package/templates/.claude/agents-available/feature-builder.md +0 -163
  220. package/templates/.claude/agents-available/feature-planner.md +0 -185
  221. package/templates/.claude/agents-available/health-auditor.md +0 -95
  222. package/templates/.claude/agents-available/hooks-configurator.md +0 -211
  223. package/templates/.claude/agents-available/knowledge-bot.md +0 -62
  224. package/templates/.claude/agents-available/plan-executor.md +0 -133
  225. package/templates/.claude/agents-available/strategic-planner.md +0 -141
  226. package/templates/.claude/agents-available/test-gap-finder.md +0 -67
  227. package/templates/.claude/agents-available/test-writer.md +0 -34
  228. package/templates/.claude/agents-available/vulnerability-scanner.md +0 -173
  229. package/templates/.claude/commands/ask.md +0 -7
  230. package/templates/.claude/commands/build-feature.md +0 -26
  231. package/templates/.claude/commands/build.md.template +0 -30
  232. package/templates/.claude/commands/check.md.template +0 -43
  233. package/templates/.claude/commands/dashboard.md +0 -28
  234. package/templates/.claude/commands/deps.md +0 -15
  235. package/templates/.claude/commands/dev-report.md +0 -50
  236. package/templates/.claude/commands/docs.md +0 -21
  237. package/templates/.claude/commands/doctor.md +0 -21
  238. package/templates/.claude/commands/enable-agent.md +0 -12
  239. package/templates/.claude/commands/execute-plan.md +0 -25
  240. package/templates/.claude/commands/explore-codebase.md +0 -12
  241. package/templates/.claude/commands/export-pdf.md +0 -30
  242. package/templates/.claude/commands/feature.md +0 -25
  243. package/templates/.claude/commands/fix-issue.md +0 -12
  244. package/templates/.claude/commands/fix.md.template +0 -32
  245. package/templates/.claude/commands/health.md +0 -58
  246. package/templates/.claude/commands/help.md +0 -36
  247. package/templates/.claude/commands/learn.md +0 -48
  248. package/templates/.claude/commands/onboarding.md +0 -21
  249. package/templates/.claude/commands/plan.md +0 -20
  250. package/templates/.claude/commands/quality.md.template +0 -65
  251. package/templates/.claude/commands/session-end.md +0 -40
  252. package/templates/.claude/commands/session-start.md +0 -30
  253. package/templates/.claude/commands/setup-hooks.md +0 -18
  254. package/templates/.claude/commands/setup-pr-review.md +0 -72
  255. package/templates/.claude/commands/stealth-mode.md +0 -17
  256. package/templates/.claude/commands/test-gaps.md +0 -49
  257. package/templates/.claude/commands/test.md.template +0 -40
  258. package/templates/.claude/commands/vulnerabilities.md +0 -49
  259. package/templates/.claude/skills/build/SKILL.md.template +0 -98
  260. package/templates/.claude/skills/deploy/SKILL.md.template +0 -131
  261. package/templates/.claude/skills/deploy/references/gotchas.md +0 -5
  262. package/templates/.claude/skills/doctor/SKILL.md +0 -54
  263. package/templates/.claude/skills/gcloud/SKILL.md +0 -66
  264. package/templates/.claude/skills/gcloud/references/gotchas.md +0 -5
  265. package/templates/.claude/skills/learned/SKILL.md +0 -55
  266. package/templates/.claude/skills/learned/references/conventions.md +0 -11
  267. package/templates/.claude/skills/learned/references/deny-recommendations.md +0 -18
  268. package/templates/.claude/skills/learned/references/gotchas.md +0 -11
  269. package/templates/.claude/skills/pulumi/SKILL.md +0 -73
  270. package/templates/.claude/skills/quality/SKILL.md.template +0 -108
  271. package/templates/.claude/skills/quality/references/gotchas.md +0 -5
  272. package/templates/.claude/skills/review/SKILL.md.template +0 -73
  273. package/templates/.claude/skills/scaffold/SKILL.md.template +0 -123
  274. package/templates/.claude/skills/secrets/SKILL.md +0 -52
  275. package/templates/.claude/skills/session/SKILL.md +0 -43
  276. package/templates/.claude/skills/test/SKILL.md.template +0 -122
  277. package/templates/.claude/skills/test/references/gotchas.md +0 -5
  278. package/templates/.devcontainer/Dockerfile.dev.template +0 -89
  279. package/templates/.devcontainer/devcontainer.json.template +0 -184
  280. package/templates/.devcontainer/docker-compose.yml.template +0 -105
  281. package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
  282. package/templates/.devcontainer/post-create.sh.template +0 -298
  283. package/templates/.github/workflows/ci.yml.template +0 -399
  284. package/templates/.github/workflows/quality.yml.template +0 -376
  285. package/templates/.pre-commit-config.yaml.template +0 -106
  286. package/templates/.project/config/edit_config.py +0 -275
  287. package/templates/.project/config/project_config.py +0 -894
  288. package/templates/.project/scripts/codegen/generate-all.sh +0 -20
  289. package/templates/.project/scripts/codegen/validate-all.sh +0 -17
  290. package/templates/.project/scripts/docs/generate-all.sh +0 -30
  291. package/templates/.project/scripts/docs/serve.sh +0 -20
  292. package/templates/.project/scripts/quality/fix-all.sh +0 -138
  293. package/templates/.project/scripts/quality/lint-go.sh +0 -34
  294. package/templates/.project/scripts/quality/lint-python.sh +0 -54
  295. package/templates/.project/scripts/quality/run-all.sh +0 -497
  296. package/templates/.project/scripts/session/commit.sh +0 -70
  297. package/templates/.project/scripts/session/create-pr.sh +0 -165
  298. package/templates/.project/scripts/session/end.sh +0 -207
  299. package/templates/.project/scripts/session/start.sh +0 -233
  300. package/templates/.project/scripts/setup/doctor.sh +0 -404
  301. package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
  302. package/templates/.project/scripts/sync/sync-template.sh +0 -328
  303. package/templates/.project/scripts/test/run-all.sh +0 -179
  304. package/templates/.project/scripts/test/run-quick.sh +0 -25
  305. package/templates/Makefile +0 -514
  306. package/templates/config/versions.yaml +0 -57
  307. package/templates/configs/go/.golangci.yml.template +0 -172
  308. package/templates/configs/go/go.mod.template +0 -15
  309. package/templates/configs/java/README.md +0 -6
  310. package/templates/configs/kotlin/README.md +0 -6
  311. package/templates/configs/node/package.json.template +0 -67
  312. package/templates/configs/node/tsconfig.json.template +0 -53
  313. package/templates/configs/python/pyproject.toml.template +0 -92
  314. package/templates/configs/python/pytest.ini.template +0 -64
  315. package/templates/configs/python/ruff.toml.template +0 -79
  316. package/templates/configs/ruby/README.md +0 -6
  317. package/templates/configs/rust/Cargo.toml.template +0 -51
  318. package/templates/configs/shared/.editorconfig +0 -67
  319. package/templates/scripts/validate-templates.sh +0 -449
package/CHANGELOG.md CHANGED
@@ -7,6 +7,318 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.5.1] - 2026-05-20
11
+
12
+ ### Added
13
+
14
+ - New `vyuh-dxkit hooks activate` CLI subcommand. Idempotently sets
15
+ `core.hooksPath = .githooks`. Wired into `init`'s scaffolded
16
+ `package.json` as a `postinstall` script so every clone plus
17
+ `npm install` activates the dxkit hooks transparently — no more
18
+ one-time-per-clone manual step.
19
+ - New `--with-dxkit-agents` `init` flag (default-on under `--full`).
20
+ Installs six dxkit-specific skills under `.claude/skills/dxkit-*/`
21
+ (`learn` / `init` / `config` / `hooks` / `reports` / `action`)
22
+ alongside `AGENTS.md` (open-standard project context) and a small
23
+ `CLAUDE.md` shim. The skills wrap the `vyuh-dxkit` CLI as
24
+ workflow-aware surfaces that Claude Code auto-discovers via skill
25
+ frontmatter.
26
+ - New optional `LanguageSupport.devcontainerFeature?` field. Each
27
+ language pack declares its canonical `ghcr.io/devcontainers/features`
28
+ entry; `installDevcontainer` renders the per-stack features block.
29
+ Cold devcontainer rebuilds drop from ~25 minutes (every supported
30
+ toolchain installed) to ~7 minutes on a pure-TypeScript repo
31
+ (only the toolchains the repo actually needs).
32
+ - New optional `ToolDefinition.applicabilityGuard?` field. Tools
33
+ whose preconditions aren't met on the current repo
34
+ (e.g. `vitest-coverage` on a mocha-based codebase) now report as
35
+ `n/a` with an inline reason instead of inflating the
36
+ missing-count. `tools install` filters n/a entries from the
37
+ install loop.
38
+ - New `@vyuhlabs/create-dxkit` shim package (zero dependencies; code
39
+ shipped under `packages/create-dxkit/`). First npm publish is a
40
+ manual tag-and-release step after this version lands on main.
41
+ Once published, `npm init @vyuhlabs/dxkit` will collapse the
42
+ prior two-step first install (`npm i -D @vyuhlabs/dxkit && npx
43
+ vyuh-dxkit init`) into one command.
44
+
45
+ ### Changed
46
+
47
+ - The generic 73-file `.claude/` scaffold (`agents/`,
48
+ `agents-available/`, `commands/`, generic skills, etc.) is replaced
49
+ with six dxkit-specific skills plus `AGENTS.md` and the
50
+ `CLAUDE.md` shim. Customers upgrading keep their existing
51
+ `.claude/` (`init` is additive — won't overwrite without
52
+ `--force`). Fresh `--full` installs now land ~20 files instead of
53
+ ~73, focused entirely on equipping coding agents to drive the
54
+ dxkit CLI safely.
55
+ - `post-create.sh` now falls back through a three-step npm install
56
+ chain (`npm ci` → `npm install` → `npm install --legacy-peer-deps`)
57
+ so brownfield Node monorepos with peer-dep tangles survive the
58
+ devcontainer post-create cleanly.
59
+ - `doctor` no longer checks for the deleted generic scaffold files.
60
+ It now reports an `X/6 dxkit-* skills present` tally plus an
61
+ `AGENTS.md` presence check, giving customers a clearer signal of
62
+ what's missing on partially-scaffolded repos.
63
+
64
+ ### Fixed
65
+
66
+ - Graphify's on-disk cache no longer leaks `graphify-out/cache/` into
67
+ consumer repos. The temp-dir redirection monkey-patch now fires
68
+ before the first graphify call; `graphify-out/` is also added to
69
+ the scaffolded `.gitignore` defensively.
70
+
71
+ ### Deferred to next polish release
72
+
73
+ The following items rolled out of this release and will ship in
74
+ 2.5.2 (or bundle into 2.6 depending on the marketplace decision):
75
+
76
+ - `vyuh-dxkit setup-branch-protection` CLI (wraps `gh api` for
77
+ branch-protection enforcement).
78
+ - `vyuh-dxkit setup-prebuild` CLI (wraps `gh api` for Codespaces
79
+ prebuilds — cold-start cuts from ~25 minutes to ~30 seconds).
80
+ - Full `doctor` pivot to onboarding-health checks (hooks active,
81
+ branch protection set, baseline current). This release partially
82
+ shipped the pivot — the generic-scaffold checks were dropped — but
83
+ the new positive checks await the two CLI subcommands above.
84
+ - CI tool cache via `actions/cache@v4` on the scanner toolchain in
85
+ `dxkit-guardrails.yml`.
86
+
87
+ ## [2.5.0] - 2026-05-18
88
+
89
+ ### Summary
90
+
91
+ 2.5.0 introduces **commit-time guardrails** — a per-finding baseline
92
+ captured once on a brownfield repo, then diffed against every
93
+ subsequent scan to detect net-new regressions while grandfathering
94
+ existing debt. Existing issues stay where they are, new ones block.
95
+
96
+ This release also **prunes the legacy task-runner scaffolding** that
97
+ prior versions of `init --full` bundled (Makefile, `.project/` task
98
+ scripts, `.ai/` prompt scaffolding, per-language config templates,
99
+ non-dxkit CI workflows, `.editorconfig`, `.pre-commit-config.yaml`).
100
+ The agent DX surface is now the sole `init --full` output —
101
+ `init --full` lands 73 files (down from 119), every one of them
102
+ focused on equipping AI coding agents to operate safely on the
103
+ codebase. Customers who relied on the legacy scaffolding can use
104
+ `@vyuhlabs/create-devstack` for greenfield project bootstrap.
105
+
106
+ The release ships three coordinated surfaces:
107
+
108
+ 1. **A new `baseline` / `guardrail` CLI** that captures stable
109
+ per-finding identities, diffs current scans against them, and
110
+ classifies each pair (`added` / `relocated` / `tooling_drift` /
111
+ `config_drift` / `persisted` / `removed` / `fixed`) with a
112
+ confidence score and structured reasons. The classifier ships
113
+ with a **scanner-wobble demotion** that converts `added` findings
114
+ on UNCHANGED lines into `uncertain` (warn) for high-wobble kinds
115
+ (`code`, `hygiene`), so semgrep's per-run non-determinism on
116
+ large codebases doesn't trigger false-positive blocks. Findings
117
+ inside the diff's changed lines still block — real regressions
118
+ are caught. Customers can extend or clear the kind list via
119
+ `addedRequiresChangedLines` in `.dxkit/policy.json`.
120
+ 2. **Init-installable templates** for the pre-push guardrail hook,
121
+ a devcontainer with pinned toolchains + Claude Code & Codex
122
+ CLIs, a GitHub Actions PR-gate workflow that posts a markdown
123
+ summary as a PR comment, and a post-merge baseline-refresh
124
+ workflow that keeps the anchor current. Pre-commit + AI-PR-
125
+ review are opt-in via `--with-precommit-hook` and
126
+ `--with-pr-review` respectively (slow on large repos / requires
127
+ API-cost opt-in). Every `init` also seeds `.gitignore` entries
128
+ for the analyzer runtime outputs (`.dxkit/reports/`,
129
+ `.dxkit/dashboard.html`) and writes a starter `.dxkit-ignore`
130
+ template for dxkit-specific scan-exclusion tuning.
131
+ 3. **Aggregate-gate flags** (`--fail-on-score`, `--fail-on-severity`)
132
+ on every analyzer command, plus a stable JSON schema banner on
133
+ every `--json` output so consumers can version-gate.
134
+
135
+ Tests: ~1530 unit + integration cases pass on the integrated branch
136
+ (up from 1265 at the 2.4.8 baseline; +265 across fingerprinting,
137
+ producers, policy, matcher, ship installers, the smart classifier,
138
+ opt-in hook + workflow installers, and the CLI surface).
139
+
140
+ #### New CLI surface
141
+
142
+ ```bash
143
+ vyuh-dxkit baseline create [path] [--name <name>] [--force]
144
+ [--verbose]
145
+ vyuh-dxkit baseline show [path] [--name <name>] [--baseline <p>]
146
+ [--kind <kind>] [--json]
147
+ vyuh-dxkit guardrail check [path] [--name <name>] [--baseline <p>]
148
+ [--changed-only] [--policy <p>]
149
+ [--json | --markdown]
150
+ ```
151
+
152
+ - `baseline create` runs every analyzer, fingerprints each per-
153
+ finding entity through the canonical identity dispatcher
154
+ (`src/baseline/finding-identity.ts`), and writes
155
+ `.dxkit/baselines/<name>.json`. Schema-versioned
156
+ (`dxkit-baseline/v1`); commit it.
157
+ - `baseline show` pretty-prints the on-disk baseline, optionally
158
+ filtered by kind or emitted as a schema-banner-wrapped JSON.
159
+ - `guardrail check` loads the baseline, re-runs the analyzers,
160
+ matches via the git-aware matcher (`-M` renames, ±2 line fuzz,
161
+ content-hash fallback for shallow clones), classifies each pair
162
+ through the brownfield policy, and exits 1 when the policy
163
+ blocks. Output modes: console (default), `--json` (schema
164
+ `dxkit.guardrail-check.v1`), or `--markdown` (used by the PR-
165
+ gate workflow to post a comment).
166
+
167
+ The full read/write/compare triplet flows through a registered
168
+ producer pipeline (`src/baseline/producers/index.ts:PRODUCERS`) —
169
+ adding a new identity kind means registering a producer, not
170
+ editing the orchestrator. Architectural rule documented in
171
+ `CLAUDE.md` Rule 10 with three enforcement gates (arch check +
172
+ contract test + synthetic-producer playbook).
173
+
174
+ #### Aggregate gates + schema banner
175
+
176
+ Every analyzer command (`health`, `test-gaps`, `quality`,
177
+ `vulnerabilities`, `bom`) gains composable exit-code gates:
178
+
179
+ - `--fail-on-score <N>` — exit 1 when the headline score drops
180
+ below N (applies to `health`, `test-gaps`).
181
+ - `--fail-on-severity <tier>` — exit 1 when any finding at `<tier>`
182
+ or higher exists (applies to `vulnerabilities`, `bom`; tier ∈
183
+ critical / high / medium / low).
184
+
185
+ Every `--json` output carries a top-level
186
+ `schema: 'dxkit.<kind>-report.v1'` banner so consumers can version-
187
+ gate against future schema migrations.
188
+
189
+ #### `vyuh-dxkit init` ship flags
190
+
191
+ `init` gains four new flags, all implied by `--full`:
192
+
193
+ - `--with-hooks` writes `.githooks/pre-commit` (fast,
194
+ `--changed-only`) and `.githooks/pre-push` (full).
195
+ - `--with-devcontainer` writes a lightweight `.devcontainer/`
196
+ layering all seven supported language toolchains via devcontainer
197
+ features + a `post-create.sh` that runs `vyuh-dxkit tools install
198
+ --yes` to provision the scanner toolchain pinned in the registry
199
+ + `install-agent-clis.sh` that installs Claude Code + OpenAI
200
+ Codex CLIs (opt out of either with `CLAUDE_CODE_VERSION=skip` /
201
+ `CODEX_VERSION=skip`).
202
+ - `--with-ci` writes `.github/workflows/dxkit-guardrails.yml` (PR-
203
+ gate that posts a markdown summary as a PR comment, updating in
204
+ place across pushes via an HTML marker).
205
+ - `--with-baseline-refresh` writes
206
+ `.github/workflows/dxkit-baseline-refresh.yml` (regenerates the
207
+ baseline on every push to the consumer's default branch and
208
+ auto-commits with `[skip ci]`). The default-branch name is
209
+ detected at install time from the consumer's git state, with
210
+ fallbacks for `main` / `master` / `trunk` / `develop`.
211
+
212
+ Installs are **additive by default**. Existing `.githooks/<hook>`
213
+ or `.husky/<hook>` files trigger a `.dxkit` sidecar + merge note
214
+ instead of an overwrite. An existing `.devcontainer/devcontainer.json`
215
+ stashes the full dxkit set under `.devcontainer/.dxkit-reference/`
216
+ for manual merge. Workflow files are uniquely named so they don't
217
+ collide; if our exact filename already exists, init skips it. The
218
+ `--force` flag overrides every additive fallback and writes in
219
+ place.
220
+
221
+ #### Brownfield policy
222
+
223
+ `.dxkit/policy.json` (auto-discovered at the repo root) tunes which
224
+ classifications block vs warn, per-severity confidence thresholds
225
+ that demote low-quality matches to `uncertain`, and per-finding-kind
226
+ block rules (`newSecret`, `newCriticalSecurity`,
227
+ `newCriticalDependencyVulnerability`, etc.). Compiled-in defaults
228
+ ship a conservative posture: block on `added`, warn on
229
+ `tooling_drift` / `config_drift` / `newly_detected` /
230
+ `probable_existing` / `uncertain`. The `--policy <path>` flag
231
+ overrides auto-discovery; when no policy is found, the defaults
232
+ apply.
233
+
234
+ #### Architectural fixes surfaced by the customer-repo audit
235
+
236
+ A pre-ship audit on three real customer repositories (a 444-source
237
+ TypeScript backend, a 553-source TypeScript frontend, and a
238
+ .NET WinForms project) surfaced four drift classes between the
239
+ report aggregates and the per-finding identity sets the baseline
240
+ captures. All four are closed in 2.5.0:
241
+
242
+ 1. **Large-file producer was capped at top 10.** The gather layer
243
+ pre-sliced `largestFiles` to ten entries for the markdown
244
+ renderer's "Top Files by Size" table; the baseline producer
245
+ inherited the cap and silently dropped per-file identity for
246
+ every oversized file beyond the first ten. A real customer
247
+ brownfield with 47 files over 500 lines saw 10 baseline entries;
248
+ the .NET project with 926 oversized files saw 10. The gather now
249
+ emits every file over the 500-line threshold sorted descending;
250
+ the renderer adds an explicit `.slice(0, 10)` at the table site.
251
+ `HealthMetrics.filesOver500Lines` aggregate now matches the
252
+ per-kind count in the baseline byte for byte. Combined recovery
253
+ across the three audit repos: 1,087 previously-silently-missed
254
+ `large-file` findings now flow into baselines.
255
+
256
+ 2. **Secret-HMAC producer emitted duplicates.** When the same
257
+ secret value appeared at multiple locations — the same token on
258
+ two lines of one file, a leaked key in both `.env` and
259
+ `src/config.ts`, or two overlapping gitleaks rules firing on the
260
+ same line — the producer wrote multiple entries with identical
261
+ `(rule, hmac)` identity. Identity sets aren't supposed to have
262
+ duplicates by definition. Now a per-call `Set<string>` keyed on
263
+ the computed identity collapses repeats; first write wins,
264
+ output order is stable.
265
+
266
+ 3. **Tools-map version probes occasionally cached `'present'`
267
+ under load.** The per-process version cache locks the first
268
+ probe's outcome to keep `toolchainHash` byte-stable across two
269
+ back-to-back gathers (a previously-shipped flake closure). But
270
+ when the first `execSync(<tool> --version)` raced its 5-second
271
+ timeout under heavy CPU load — parallel scanner pools or the
272
+ post-merge workflow doing two scans in series — the cache locked
273
+ the `'present'` fallback for the rest of the process. The tools
274
+ map in the baseline file then read `gitleaks@present` instead of
275
+ a real version, and the next run flagged spurious tooling-drift.
276
+ The fix retries the version probe up to three times before
277
+ falling back; each attempt is fresh. The cache layer is
278
+ unchanged — once a value settles (real version or genuine
279
+ `'present'`), it's locked for the rest of the process.
280
+
281
+ 4. **TypeScript license enrichment could stall the entire licenses
282
+ capability.** `gatherTsLicensesResult` calls `enrichReleaseDates`
283
+ after license-checker returns to populate the optional
284
+ `releaseDate` field from the npm registry. The enrichment runs
285
+ with 20-way concurrency, 10s per request — usually fast — but a
286
+ flaky network or rate-limited registry can push a 700-package
287
+ run past the dispatcher's 720-second deadline. When that
288
+ happens, the entire licenses capability is dropped and the
289
+ baseline silently loses every license entry. On the TypeScript
290
+ frontend audit repo, license-checker itself returned 749KB of
291
+ JSON in under 10 seconds when invoked manually; the enrichment
292
+ stalled the whole capability. Now the enrichment is raced
293
+ against a 60-second wall-clock budget; on timeout, the license
294
+ findings still emit with their static fields and `releaseDate`
295
+ is left unset on the unenriched ones. A previously-zero baseline
296
+ now captures 1,897 license entries on that repo.
297
+
298
+ Together these four fixes recover **~3,000 baseline findings** that
299
+ were being silently dropped on real customer repos pre-2.5.0.
300
+
301
+ #### Migration guidance for 2.4.x users
302
+
303
+ No breaking changes. Existing analyzer commands continue to work
304
+ exactly as before. The new commands and flags are additive.
305
+
306
+ To start using guardrails on an existing repo:
307
+
308
+ ```bash
309
+ vyuh-dxkit init --with-hooks --with-ci --with-baseline-refresh
310
+ git config core.hooksPath .githooks
311
+ vyuh-dxkit baseline create
312
+ git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
313
+ git commit -m "chore: enable dxkit guardrails"
314
+ ```
315
+
316
+ See [`docs/getting-started.md`](docs/getting-started.md),
317
+ [`docs/commands/baseline.md`](docs/commands/baseline.md),
318
+ [`docs/commands/guardrail.md`](docs/commands/guardrail.md), and
319
+ [`docs/configuration/policy.md`](docs/configuration/policy.md) for
320
+ the full walkthrough.
321
+
10
322
  ## [2.4.8] - 2026-05-18
11
323
 
12
324
  ### Summary
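Review bot: The 2.5.1 "Added" entry for `vyuh-dxkit hooks activate` says the `postinstall` wiring means "every clone plus `npm install` activates the dxkit hooks transparently", but that only holds where npm lifecycle scripts are allowed to run. With `ignore-scripts=true` in `.npmrc` or `npm install --ignore-scripts`, a common hardening setting, `postinstall` never fires, `core.hooksPath` stays unset, and the pre-commit and pre-push guardrails are silently absent on that clone. Suggest the entry name that case and point to running `vyuh-dxkit hooks activate` by hand (the 2.5.0 migration block still shows the equivalent `git config core.hooksPath .githooks`), and say that the `dxkit-guardrails.yml` PR gate, not the local hook, is the control to rely on for enforcement. It would also help to state outright that the scaffolded `postinstall` writes to the clone's git config, since anyone auditing install-time side effects will look for that.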