@vyuhlabs/dxkit 2.4.8 → 2.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (319)
  1. package/CHANGELOG.md +312 -0
  2. package/README.md +360 -439
  3. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  4. package/dist/analyzers/security/aggregator.js +4 -46
  5. package/dist/analyzers/security/aggregator.js.map +1 -1
  6. package/dist/analyzers/tools/fingerprint.d.ts +91 -26
  7. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  8. package/dist/analyzers/tools/fingerprint.js +111 -22
  9. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  10. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  11. package/dist/analyzers/tools/generic.js +6 -1
  12. package/dist/analyzers/tools/generic.js.map +1 -1
  13. package/dist/analyzers/tools/gitleaks.d.ts +24 -1
  14. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  15. package/dist/analyzers/tools/gitleaks.js +20 -11
  16. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  17. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  18. package/dist/analyzers/tools/graphify.js +9 -5
  19. package/dist/analyzers/tools/graphify.js.map +1 -1
  20. package/dist/analyzers/tools/tool-registry.d.ts +19 -1
  21. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  22. package/dist/analyzers/tools/tool-registry.js +25 -0
  23. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  24. package/dist/analyzers/types.d.ts +6 -4
  25. package/dist/analyzers/types.d.ts.map +1 -1
  26. package/dist/baseline/baseline-file.d.ts +104 -0
  27. package/dist/baseline/baseline-file.d.ts.map +1 -0
  28. package/dist/baseline/baseline-file.js +110 -0
  29. package/dist/baseline/baseline-file.js.map +1 -0
  30. package/dist/baseline/check-renderers.d.ts +108 -0
  31. package/dist/baseline/check-renderers.d.ts.map +1 -0
  32. package/dist/baseline/check-renderers.js +379 -0
  33. package/dist/baseline/check-renderers.js.map +1 -0
  34. package/dist/baseline/check.d.ts +127 -0
  35. package/dist/baseline/check.d.ts.map +1 -0
  36. package/dist/baseline/check.js +462 -0
  37. package/dist/baseline/check.js.map +1 -0
  38. package/dist/baseline/content-hash.d.ts +83 -0
  39. package/dist/baseline/content-hash.d.ts.map +1 -0
  40. package/dist/baseline/content-hash.js +131 -0
  41. package/dist/baseline/content-hash.js.map +1 -0
  42. package/dist/baseline/create.d.ts +96 -0
  43. package/dist/baseline/create.d.ts.map +1 -0
  44. package/dist/baseline/create.js +339 -0
  45. package/dist/baseline/create.js.map +1 -0
  46. package/dist/baseline/entry-to-located.d.ts +35 -0
  47. package/dist/baseline/entry-to-located.d.ts.map +1 -0
  48. package/dist/baseline/entry-to-located.js +72 -0
  49. package/dist/baseline/entry-to-located.js.map +1 -0
  50. package/dist/baseline/finding-identity.d.ts +47 -0
  51. package/dist/baseline/finding-identity.d.ts.map +1 -0
  52. package/dist/baseline/finding-identity.js +292 -0
  53. package/dist/baseline/finding-identity.js.map +1 -0
  54. package/dist/baseline/git-aware-match.d.ts +146 -0
  55. package/dist/baseline/git-aware-match.d.ts.map +1 -0
  56. package/dist/baseline/git-aware-match.js +439 -0
  57. package/dist/baseline/git-aware-match.js.map +1 -0
  58. package/dist/baseline/policy.d.ts +171 -0
  59. package/dist/baseline/policy.d.ts.map +1 -0
  60. package/dist/baseline/policy.js +206 -0
  61. package/dist/baseline/policy.js.map +1 -0
  62. package/dist/baseline/producers/health.d.ts +30 -0
  63. package/dist/baseline/producers/health.d.ts.map +1 -0
  64. package/dist/baseline/producers/health.js +42 -0
  65. package/dist/baseline/producers/health.js.map +1 -0
  66. package/dist/baseline/producers/index.d.ts +164 -0
  67. package/dist/baseline/producers/index.d.ts.map +1 -0
  68. package/dist/baseline/producers/index.js +200 -0
  69. package/dist/baseline/producers/index.js.map +1 -0
  70. package/dist/baseline/producers/licenses.d.ts +23 -0
  71. package/dist/baseline/producers/licenses.d.ts.map +1 -0
  72. package/dist/baseline/producers/licenses.js +46 -0
  73. package/dist/baseline/producers/licenses.js.map +1 -0
  74. package/dist/baseline/producers/quality.d.ts +39 -0
  75. package/dist/baseline/producers/quality.d.ts.map +1 -0
  76. package/dist/baseline/producers/quality.js +84 -0
  77. package/dist/baseline/producers/quality.js.map +1 -0
  78. package/dist/baseline/producers/secret-hmac.d.ts +45 -0
  79. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
  80. package/dist/baseline/producers/secret-hmac.js +70 -0
  81. package/dist/baseline/producers/secret-hmac.js.map +1 -0
  82. package/dist/baseline/producers/security.d.ts +59 -0
  83. package/dist/baseline/producers/security.d.ts.map +1 -0
  84. package/dist/baseline/producers/security.js +135 -0
  85. package/dist/baseline/producers/security.js.map +1 -0
  86. package/dist/baseline/producers/tests.d.ts +36 -0
  87. package/dist/baseline/producers/tests.d.ts.map +1 -0
  88. package/dist/baseline/producers/tests.js +69 -0
  89. package/dist/baseline/producers/tests.js.map +1 -0
  90. package/dist/baseline/salt.d.ts +45 -0
  91. package/dist/baseline/salt.d.ts.map +1 -0
  92. package/dist/baseline/salt.js +113 -0
  93. package/dist/baseline/salt.js.map +1 -0
  94. package/dist/baseline/show.d.ts +79 -0
  95. package/dist/baseline/show.d.ts.map +1 -0
  96. package/dist/baseline/show.js +233 -0
  97. package/dist/baseline/show.js.map +1 -0
  98. package/dist/baseline/types.d.ts +482 -0
  99. package/dist/baseline/types.d.ts.map +1 -0
  100. package/dist/baseline/types.js +53 -0
  101. package/dist/baseline/types.js.map +1 -0
  102. package/dist/cli.d.ts.map +1 -1
  103. package/dist/cli.js +398 -82
  104. package/dist/cli.js.map +1 -1
  105. package/dist/constants.d.ts.map +1 -1
  106. package/dist/constants.js +0 -4
  107. package/dist/constants.js.map +1 -1
  108. package/dist/doctor.d.ts.map +1 -1
  109. package/dist/doctor.js +39 -35
  110. package/dist/doctor.js.map +1 -1
  111. package/dist/fail-on.d.ts +84 -0
  112. package/dist/fail-on.d.ts.map +1 -0
  113. package/dist/fail-on.js +128 -0
  114. package/dist/fail-on.js.map +1 -0
  115. package/dist/generator.d.ts +1 -1
  116. package/dist/generator.d.ts.map +1 -1
  117. package/dist/generator.js +81 -274
  118. package/dist/generator.js.map +1 -1
  119. package/dist/hooks-cli.d.ts +20 -0
  120. package/dist/hooks-cli.d.ts.map +1 -0
  121. package/dist/hooks-cli.js +145 -0
  122. package/dist/hooks-cli.js.map +1 -0
  123. package/dist/languages/csharp.d.ts.map +1 -1
  124. package/dist/languages/csharp.js +4 -9
  125. package/dist/languages/csharp.js.map +1 -1
  126. package/dist/languages/go.d.ts.map +1 -1
  127. package/dist/languages/go.js +3 -14
  128. package/dist/languages/go.js.map +1 -1
  129. package/dist/languages/index.d.ts +19 -1
  130. package/dist/languages/index.d.ts.map +1 -1
  131. package/dist/languages/index.js +32 -0
  132. package/dist/languages/index.js.map +1 -1
  133. package/dist/languages/java.d.ts.map +1 -1
  134. package/dist/languages/java.js +4 -6
  135. package/dist/languages/java.js.map +1 -1
  136. package/dist/languages/kotlin.d.ts.map +1 -1
  137. package/dist/languages/kotlin.js +9 -11
  138. package/dist/languages/kotlin.js.map +1 -1
  139. package/dist/languages/python.d.ts.map +1 -1
  140. package/dist/languages/python.js +4 -15
  141. package/dist/languages/python.js.map +1 -1
  142. package/dist/languages/ruby.d.ts.map +1 -1
  143. package/dist/languages/ruby.js +4 -6
  144. package/dist/languages/ruby.js.map +1 -1
  145. package/dist/languages/rust.d.ts.map +1 -1
  146. package/dist/languages/rust.js +4 -4
  147. package/dist/languages/rust.js.map +1 -1
  148. package/dist/languages/types.d.ts +29 -28
  149. package/dist/languages/types.d.ts.map +1 -1
  150. package/dist/languages/typescript.d.ts.map +1 -1
  151. package/dist/languages/typescript.js +31 -4
  152. package/dist/languages/typescript.js.map +1 -1
  153. package/dist/lib.d.ts +2 -3
  154. package/dist/lib.d.ts.map +1 -1
  155. package/dist/lib.js +3 -6
  156. package/dist/lib.js.map +1 -1
  157. package/dist/prompts.d.ts.map +1 -1
  158. package/dist/prompts.js +0 -10
  159. package/dist/prompts.js.map +1 -1
  160. package/dist/report-schema.d.ts +42 -0
  161. package/dist/report-schema.d.ts.map +1 -0
  162. package/dist/report-schema.js +54 -0
  163. package/dist/report-schema.js.map +1 -0
  164. package/dist/ship-installers.d.ts +112 -0
  165. package/dist/ship-installers.d.ts.map +1 -0
  166. package/dist/ship-installers.js +530 -0
  167. package/dist/ship-installers.js.map +1 -0
  168. package/dist/tools-cli.d.ts.map +1 -1
  169. package/dist/tools-cli.js +45 -9
  170. package/dist/tools-cli.js.map +1 -1
  171. package/dist/types.d.ts +0 -4
  172. package/dist/types.d.ts.map +1 -1
  173. package/dist/update.d.ts.map +1 -1
  174. package/dist/update.js +0 -4
  175. package/dist/update.js.map +1 -1
  176. package/package.json +17 -11
  177. package/templates/.claude/skills/dxkit-action/SKILL.md +150 -0
  178. package/templates/.claude/skills/dxkit-config/SKILL.md +124 -0
  179. package/templates/.claude/skills/dxkit-hooks/SKILL.md +109 -0
  180. package/templates/.claude/skills/dxkit-init/SKILL.md +93 -0
  181. package/templates/.claude/skills/dxkit-learn/SKILL.md +84 -0
  182. package/templates/.claude/skills/dxkit-reports/SKILL.md +111 -0
  183. package/templates/.devcontainer/devcontainer.json +55 -0
  184. package/templates/.devcontainer/install-agent-clis.sh +42 -0
  185. package/templates/.devcontainer/post-create.sh +81 -0
  186. package/templates/.githooks/pre-commit +55 -0
  187. package/templates/.githooks/pre-push +63 -0
  188. package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
  189. package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
  190. package/templates/AGENTS.md.template +137 -0
  191. package/templates/CLAUDE.md.template +16 -245
  192. package/dist/codebase-scanner.d.ts +0 -36
  193. package/dist/codebase-scanner.d.ts.map +0 -1
  194. package/dist/codebase-scanner.js +0 -688
  195. package/dist/codebase-scanner.js.map +0 -1
  196. package/dist/project-yaml.d.ts +0 -13
  197. package/dist/project-yaml.d.ts.map +0 -1
  198. package/dist/project-yaml.js +0 -188
  199. package/dist/project-yaml.js.map +0 -1
  200. package/templates/.ai/README.md +0 -117
  201. package/templates/.ai/prompts/execution-prompt.md +0 -9
  202. package/templates/.ai/prompts/planning-prompt.md +0 -18
  203. package/templates/.ai/prompts/session-end-template.md +0 -182
  204. package/templates/.ai/prompts/session-end.md +0 -132
  205. package/templates/.ai/prompts/session-start.md +0 -109
  206. package/templates/.ai/prompts/step-by-step.md +0 -113
  207. package/templates/.ai/sessions/.gitkeep +0 -0
  208. package/templates/.claude/agents/doc-writer.md +0 -107
  209. package/templates/.claude/agents/knowledge-bot.md +0 -64
  210. package/templates/.claude/agents/onboarding.md +0 -61
  211. package/templates/.claude/agents/quality-reviewer.md +0 -85
  212. package/templates/.claude/agents-available/code-reviewer.md +0 -29
  213. package/templates/.claude/agents-available/codebase-explorer.md +0 -100
  214. package/templates/.claude/agents-available/dashboard-builder.md +0 -433
  215. package/templates/.claude/agents-available/debugger.md +0 -29
  216. package/templates/.claude/agents-available/dependency-mapper.md +0 -80
  217. package/templates/.claude/agents-available/dev-report.md +0 -108
  218. package/templates/.claude/agents-available/doc-writer.md +0 -107
  219. package/templates/.claude/agents-available/feature-builder.md +0 -163
  220. package/templates/.claude/agents-available/feature-planner.md +0 -185
  221. package/templates/.claude/agents-available/health-auditor.md +0 -95
  222. package/templates/.claude/agents-available/hooks-configurator.md +0 -211
  223. package/templates/.claude/agents-available/knowledge-bot.md +0 -62
  224. package/templates/.claude/agents-available/plan-executor.md +0 -133
  225. package/templates/.claude/agents-available/strategic-planner.md +0 -141
  226. package/templates/.claude/agents-available/test-gap-finder.md +0 -67
  227. package/templates/.claude/agents-available/test-writer.md +0 -34
  228. package/templates/.claude/agents-available/vulnerability-scanner.md +0 -173
  229. package/templates/.claude/commands/ask.md +0 -7
  230. package/templates/.claude/commands/build-feature.md +0 -26
  231. package/templates/.claude/commands/build.md.template +0 -30
  232. package/templates/.claude/commands/check.md.template +0 -43
  233. package/templates/.claude/commands/dashboard.md +0 -28
  234. package/templates/.claude/commands/deps.md +0 -15
  235. package/templates/.claude/commands/dev-report.md +0 -50
  236. package/templates/.claude/commands/docs.md +0 -21
  237. package/templates/.claude/commands/doctor.md +0 -21
  238. package/templates/.claude/commands/enable-agent.md +0 -12
  239. package/templates/.claude/commands/execute-plan.md +0 -25
  240. package/templates/.claude/commands/explore-codebase.md +0 -12
  241. package/templates/.claude/commands/export-pdf.md +0 -30
  242. package/templates/.claude/commands/feature.md +0 -25
  243. package/templates/.claude/commands/fix-issue.md +0 -12
  244. package/templates/.claude/commands/fix.md.template +0 -32
  245. package/templates/.claude/commands/health.md +0 -58
  246. package/templates/.claude/commands/help.md +0 -36
  247. package/templates/.claude/commands/learn.md +0 -48
  248. package/templates/.claude/commands/onboarding.md +0 -21
  249. package/templates/.claude/commands/plan.md +0 -20
  250. package/templates/.claude/commands/quality.md.template +0 -65
  251. package/templates/.claude/commands/session-end.md +0 -40
  252. package/templates/.claude/commands/session-start.md +0 -30
  253. package/templates/.claude/commands/setup-hooks.md +0 -18
  254. package/templates/.claude/commands/setup-pr-review.md +0 -72
  255. package/templates/.claude/commands/stealth-mode.md +0 -17
  256. package/templates/.claude/commands/test-gaps.md +0 -49
  257. package/templates/.claude/commands/test.md.template +0 -40
  258. package/templates/.claude/commands/vulnerabilities.md +0 -49
  259. package/templates/.claude/skills/build/SKILL.md.template +0 -98
  260. package/templates/.claude/skills/deploy/SKILL.md.template +0 -131
  261. package/templates/.claude/skills/deploy/references/gotchas.md +0 -5
  262. package/templates/.claude/skills/doctor/SKILL.md +0 -54
  263. package/templates/.claude/skills/gcloud/SKILL.md +0 -66
  264. package/templates/.claude/skills/gcloud/references/gotchas.md +0 -5
  265. package/templates/.claude/skills/learned/SKILL.md +0 -55
  266. package/templates/.claude/skills/learned/references/conventions.md +0 -11
  267. package/templates/.claude/skills/learned/references/deny-recommendations.md +0 -18
  268. package/templates/.claude/skills/learned/references/gotchas.md +0 -11
  269. package/templates/.claude/skills/pulumi/SKILL.md +0 -73
  270. package/templates/.claude/skills/quality/SKILL.md.template +0 -108
  271. package/templates/.claude/skills/quality/references/gotchas.md +0 -5
  272. package/templates/.claude/skills/review/SKILL.md.template +0 -73
  273. package/templates/.claude/skills/scaffold/SKILL.md.template +0 -123
  274. package/templates/.claude/skills/secrets/SKILL.md +0 -52
  275. package/templates/.claude/skills/session/SKILL.md +0 -43
  276. package/templates/.claude/skills/test/SKILL.md.template +0 -122
  277. package/templates/.claude/skills/test/references/gotchas.md +0 -5
  278. package/templates/.devcontainer/Dockerfile.dev.template +0 -89
  279. package/templates/.devcontainer/devcontainer.json.template +0 -184
  280. package/templates/.devcontainer/docker-compose.yml.template +0 -105
  281. package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
  282. package/templates/.devcontainer/post-create.sh.template +0 -298
  283. package/templates/.github/workflows/ci.yml.template +0 -399
  284. package/templates/.github/workflows/quality.yml.template +0 -376
  285. package/templates/.pre-commit-config.yaml.template +0 -106
  286. package/templates/.project/config/edit_config.py +0 -275
  287. package/templates/.project/config/project_config.py +0 -894
  288. package/templates/.project/scripts/codegen/generate-all.sh +0 -20
  289. package/templates/.project/scripts/codegen/validate-all.sh +0 -17
  290. package/templates/.project/scripts/docs/generate-all.sh +0 -30
  291. package/templates/.project/scripts/docs/serve.sh +0 -20
  292. package/templates/.project/scripts/quality/fix-all.sh +0 -138
  293. package/templates/.project/scripts/quality/lint-go.sh +0 -34
  294. package/templates/.project/scripts/quality/lint-python.sh +0 -54
  295. package/templates/.project/scripts/quality/run-all.sh +0 -497
  296. package/templates/.project/scripts/session/commit.sh +0 -70
  297. package/templates/.project/scripts/session/create-pr.sh +0 -165
  298. package/templates/.project/scripts/session/end.sh +0 -207
  299. package/templates/.project/scripts/session/start.sh +0 -233
  300. package/templates/.project/scripts/setup/doctor.sh +0 -404
  301. package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
  302. package/templates/.project/scripts/sync/sync-template.sh +0 -328
  303. package/templates/.project/scripts/test/run-all.sh +0 -179
  304. package/templates/.project/scripts/test/run-quick.sh +0 -25
  305. package/templates/Makefile +0 -514
  306. package/templates/config/versions.yaml +0 -57
  307. package/templates/configs/go/.golangci.yml.template +0 -172
  308. package/templates/configs/go/go.mod.template +0 -15
  309. package/templates/configs/java/README.md +0 -6
  310. package/templates/configs/kotlin/README.md +0 -6
  311. package/templates/configs/node/package.json.template +0 -67
  312. package/templates/configs/node/tsconfig.json.template +0 -53
  313. package/templates/configs/python/pyproject.toml.template +0 -92
  314. package/templates/configs/python/pytest.ini.template +0 -64
  315. package/templates/configs/python/ruff.toml.template +0 -79
  316. package/templates/configs/ruby/README.md +0 -6
  317. package/templates/configs/rust/Cargo.toml.template +0 -51
  318. package/templates/configs/shared/.editorconfig +0 -67
  319. package/templates/scripts/validate-templates.sh +0 -449
package/README.md CHANGED
@@ -1,552 +1,473 @@
1
- # @vyuhlabs/dxkit
1
+ # dxkit
2
2
 
3
- AI-native analyzer and scaffolder for any repository. Two modes in one CLI:
3
+ **AI-native developer experience toolkit for any codebase.**
4
4
 
5
- 1. **Analyze** any repo deterministically health, security, test gaps, code quality, developer activity — in seconds, no LLM required.
6
- 2. **Scaffold** `.claude/` agents, skills, commands, and hooks tuned to your stack.
7
-
8
- Built so agent-written code has deterministic guardrails before it ships. Scores don't move just because an LLM had a different mood today.
9
-
10
- ## Quick Start
11
-
12
- **Analyze an existing repo:**
13
-
14
- ```bash
15
- cd your-repo
16
- npx @vyuhlabs/dxkit tools install --yes # one-time: install cloc, gitleaks, etc.
17
- npx @vyuhlabs/dxkit health --detailed # 6-dimension score + remediation plan
18
- npx @vyuhlabs/dxkit vulnerabilities # secret + SAST + dep-audit (ranked by risk)
19
- npx @vyuhlabs/dxkit bom --filter=top-level # Bill of Materials w/ "This Week's Triage"
20
- npx @vyuhlabs/dxkit test-gaps # import-graph + coverage-aware
21
- npx @vyuhlabs/dxkit quality # slop + duplication + lint
22
- npx @vyuhlabs/dxkit licenses # dependency license inventory
23
- npx @vyuhlabs/dxkit dev-report # git activity + contributors
24
- ```
25
-
26
- **Scaffold AI tooling into a repo:**
5
+ Make your existing codebase safe for Claude Code, Codex, and other AI
6
+ coding agents. Equip the agent with repo-native context. Guard every
7
+ commit and PR with deterministic checks. **One command scaffolds the
8
+ agent DX; one baseline turns on the guardrails.** Works across major
9
+ language stacks, greenfield or brownfield.
27
10
 
28
11
  ```bash
29
- npx @vyuhlabs/dxkit init --detect # auto-detect stack, minimal prompts
30
- npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks + CI
12
+ npx @vyuhlabs/dxkit@latest init --full
31
13
  ```
32
14
 
33
- The two modes are complementary. The analyzers run anywhere; the scaffolder writes `.claude/` so Claude Code and other agents have project-specific context and slash commands that delegate to the same analyzers.
34
-
35
- > **Already installed dxkit globally?** Globals don't auto-update. If you previously ran `npm install -g @vyuhlabs/dxkit`, the `vyuh-dxkit` binary on your PATH stays pinned to whatever version was installed then; running `vyuh-dxkit` (without `npx`) keeps using the pinned version. To pick up the latest fixes, either upgrade the global or remove it and rely on `npx` (which fetches the requested version on demand):
36
- >
37
- > ```bash
38
- > npm install -g @vyuhlabs/dxkit@latest
39
- > # or:
40
- > npm uninstall -g @vyuhlabs/dxkit
41
- > ```
15
+ <p>
16
+ <a href="https://www.npmjs.com/package/@vyuhlabs/dxkit">
17
+ <img alt="npm version" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit">
18
+ </a>
19
+ <img alt="license" src="https://img.shields.io/github/license/vyuh-labs/dxkit">
20
+ <img alt="deterministic" src="https://img.shields.io/badge/scoring-deterministic-blue">
21
+ <img alt="local-first" src="https://img.shields.io/badge/local-first-green">
22
+ <img alt="brownfield" src="https://img.shields.io/badge/brownfield-baseline%20guardrails-orange">
23
+ <img alt="agentic" src="https://img.shields.io/badge/agentic-ready-purple">
24
+ </p>
42
25
 
43
26
  ---
44
27
 
45
- ## Analyzer CLI (`vyuh-dxkit <command>`)
46
-
47
- Seven deterministic analyzers + a one-shot orchestrator. Each emits a markdown report to `.dxkit/reports/` and a structured JSON file the dashboard reads.
48
-
49
- | Command | What it does | Runtime | Output |
50
- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | --------------------------------------------- |
51
- | `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.dxkit/reports/health-audit-<date>.md` |
52
- | `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (enriched with EPSS exploit probability, CISA KEV catalog, reachability from your source, composite riskScore; per-advisory detail in `--detailed`) | 5–30s | `.dxkit/reports/vulnerability-scan-<date>.md` |
53
- | `test-gaps` | Coverage artifact → import-graph → filename (strongest wins). Headline coverage carries a `coverageFidelity` tier; banners surface heuristic-vs-line-coverage trust. | <1s | `.dxkit/reports/test-gaps-<date>.md` |
54
- | `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.dxkit/reports/quality-review-<date>.md` |
55
- | `dev-report` | Commits, contributors, hot files (autogen-filtered), weekly velocity (with zero-rows for empty weeks), conventional % | <1s | `.dxkit/reports/developer-report-<date>.md` |
56
- | `licenses` | Dependency license inventory across every active pack (TS, Python, Go, Rust, C#; Kotlin + Java omitted — no canonical CLI license tool for Maven/Gradle ecosystems) | 5–20s | `.dxkit/reports/licenses-<date>.md` |
57
- | `bom` | **Bill of Materials** — joins licenses + vulns per package, groups by top-level manifest dep (Snyk-style), enriches with CISA KEV + EPSS + reachability, ranks by composite risk score with "This Week's Triage" summary, aggregates nested sub-projects, `--filter=top-level` collapses transitive rows, 15-col XLSX | 10–40s | `.dxkit/reports/bom-<date>.{md,xlsx}` |
58
- | `coverage` | Side-effecting — runs each active pack's `test-with-coverage` command to materialize the artifact `test-gaps` / `health` read back. Use this once before analysis, or pass `--with-coverage` to the analyzer. | 1–10m | per-pack artifact (`coverage.json` etc.) |
59
- | `dashboard` | Renders every report under `.dxkit/reports/` into a single HTML page (tiles + per-report tabs + cross-cutting "Critical Issues at a Glance"). Reads `*-detailed.json` (written unconditionally as of 2.4.7). | <1s | `.dxkit/reports/dashboard.html` |
60
- | `report` | **One-shot full audit** — runs every analyzer + dashboard in dependency order. `--with-coverage` materializes coverage once upfront so both `health` and `test-gaps` benefit without re-running tests per analyzer. | 5–15m | every output above + dashboard |
61
-
62
- Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bom` detailed JSON as the canonical 15-column XLSX.
63
-
64
- ### Flags (apply to all analyzer commands)
65
-
66
- | Flag | Effect |
67
- | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
68
- | `--detailed` | Surface the success-log line for the detailed report. (As of 2.4.7 the `-detailed.json` + `-detailed.md` files are written **unconditionally** so the dashboard always finds fresh input — this flag only controls the console-side noise.) |
69
- | `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
70
- | `--verbose` | Print per-tool timing to stderr |
71
- | `--no-save` | Skip writing markdown; useful with `--json` |
72
- | `--xlsx` | (`licenses`, `bom` only) Also write 15-col `.xlsx` — drop-in for spreadsheet workflows |
73
- | `-o <file>` | (`licenses`, `bom`, `to-xlsx`) Override output path for xlsx / converted file |
74
- | `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
75
- | `--filter` | (`bom` only) `all` (default) or `top-level` — keep only root manifest deps; the byTopLevelDep rollup still reflects transitives |
76
- | `--no-nested` | (`bom` only) Disable nested-project aggregation. Default discovers every sub-project with a language manifest under cwd and merges their BOMs |
77
- | `--with-coverage` | (`health`, `test-gaps`, `report`) Materialize coverage artifacts via per-pack `runTests()` **before** analysis. Promotes the headline from filename-match heuristic to `line-coverage` truth. With `report`, runs once upfront — health + test-gaps share the artifact. |
78
- | `--lang <id>` | (`coverage`, `--with-coverage`) Restrict to one pack id when the repo is polyglot |
79
- | `--no-fail-fast` | (`coverage`, `--with-coverage`) Continue running coverage across remaining packs after a `failed` outcome |
28
+ ## The problem
80
29
 
81
- ### Detailed mode evidence + ranked fixes
30
+ AI coding agents are powerful, but shipping their work safely is hard:
82
31
 
83
- `--detailed` writes a second pair of files with:
32
+ - The agent's environment isn't reproducible different machine,
33
+ different result.
34
+ - The agent has no project-specific context — your conventions are
35
+ tribal knowledge it can't access.
36
+ - Strict gates assume a clean codebase. Real codebases have years of
37
+ debt, and absolute gates either get disabled or block every PR.
38
+ - Most "AI code review" tools rely on another LLM to grade the work —
39
+ non-deterministic, gameable, and a black box.
40
+ - Bad agent changes silently land because the only enforcement is
41
+ human attention.
84
42
 
85
- - **Per-dimension plans** with a prioritized fix list
86
- - **Evidence** for every finding (file, line, rule ID, tool, snippet)
87
- - **Projected score delta** for each remediation action — so you know which fix moves the needle most
88
- - **Canonical JSON** (`schemaVersion`) that agents or dashboards can consume
89
-
90
- ### Signal precedence (for `test-gaps` and the Testing dimension in `health`)
91
-
92
- Three signals, strongest wins for files it covers:
93
-
94
- 1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust), JaCoCo XML (Kotlin/Java), SimpleCov resultset (Ruby). If the tool measured a file, that decision is authoritative.
95
- 2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
96
- 3. **Filename match** — last-resort basename similarity.
97
-
98
- A file counts as "tested" when the strongest available signal says so.
99
-
100
- #### Coverage fidelity tier (2.4.7+)
101
-
102
- Test-gap reports now carry a `coverageFidelity` tier so a 0% from a heuristic can't be confused with a 0% from a real coverage run:
103
-
104
- | Tier | Source | Trust |
105
- | ---------------- | -------------------------------------------------------------------------- | ------------------ |
106
- | `line-coverage` | Any of the artifacts above | Line-level truth |
107
- | `import-graph` | Test-file import edges (up to N hops) | Informed heuristic |
108
- | `filename-match` | Source files with a name-matched test (200-line file / 5-line test passes) | Pure heuristic |
109
-
110
- The test-gaps markdown leads with a ⚠️ / ℹ️ banner when fidelity isn't `line-coverage`, pointing at `vyuh-dxkit coverage` and `vyuh-dxkit health --with-coverage` as the install paths to ground-truth.
43
+ dxkit closes that loop end-to-end, deterministically, with no LLM in
44
+ the grading path.
111
45
 
112
46
  ---
113
47
 
114
- ## Tool Registry
115
-
116
- Analyzers delegate to established tools instead of reinventing them. `vyuh-dxkit tools` manages detection and installation across multiple methods (PATH, brew, npm-g, pipx, cargo, go, project `node_modules`, system probes).
48
+ ## What `init --full` creates
117
49
 
118
50
  ```bash
119
- vyuh-dxkit tools # list tool status for the detected stack
120
- vyuh-dxkit tools install --yes # install all missing tools
121
- vyuh-dxkit tools install # interactive: prompts per tool
122
- ```
123
-
124
- ### Tools integrated
125
-
126
- | Layer | Tools |
127
- | --------- | -------------------------------------------------------------------------- |
128
- | Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
129
- | Node / TS | `eslint`, `npm audit`, `osv-scanner` (fix planner), `@vitest/coverage-v8` |
130
- | Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
131
- | Go | `golangci-lint`, `govulncheck` |
132
- | Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
133
- | C# | `dotnet-format` (via SDK — formatter, not a linter) |
134
- | Kotlin | `detekt` (Checkstyle XML), `osv-scanner` (Maven), JaCoCo XML |
135
- | Java | `pmd` (PMD 7.x JSON), `osv-scanner` (Maven), JaCoCo XML reuse |
136
- | Ruby | `rubocop` (JSON), `bundler-audit`, `osv-scanner` (Gemfile.lock), SimpleCov |
137
-
138
- Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
139
-
140
- ---
141
-
142
- ## Config Files
143
-
144
- ### `.dxkit-ignore`
145
-
146
- Plain-text `.gitignore`-style file. Lines here are added to the analyzer's exclusion set on top of the bundled defaults and project `.gitignore`.
147
-
148
- ```
149
- # .dxkit-ignore — override project exclusions for dxkit analyzers
150
- vendor-bundle/
151
- *.gen.ts
51
+ npx @vyuhlabs/dxkit@latest init --full
152
52
  ```
153
53
 
154
- Three layers merge: bundled defaults repo `.gitignore` → repo `.dxkit-ignore`.
155
-
156
- ### `.dxkit-suppressions.json`
157
-
158
- Silence known-false positives without touching code. Wired to `gitleaks` (secrets) and `semgrep` (code patterns). Slop-hook wiring remains a follow-up.
159
-
160
- ```json
161
- {
162
- "gitleaks": [
163
- {
164
- "rule": "generic-api-key",
165
- "paths": ["test/fixtures/**", "**/*.test.ts"],
166
- "reason": "Fake keys in test fixtures"
167
- }
168
- ],
169
- "semgrep": [
170
- {
171
- "rule": "javascript.express.security.audit.express-check-directory-traversal",
172
- "paths": ["scripts/serve-static.js"],
173
- "reason": "Controlled internal tool, not user-reachable"
174
- }
175
- ]
176
- }
54
+ `init --full` lands a coordinated set of pieces:
55
+
56
+ ```text
57
+ .devcontainer/ Reproducible environment — pinned language
58
+ toolchains, dxkit's scanner toolchain auto-
59
+ installed, install scripts for AI agent CLIs
60
+ (auth stays user-owned).
61
+ .githooks/ pre-push guardrail hook (pre-commit opt-in
62
+ via --with-precommit-hook).
63
+ .github/workflows/ PR-gate workflow + post-merge baseline-refresh
64
+ workflow (refresh runs only after the PR-gate
65
+ passes — see "Safety + trust" below).
66
+ agent scaffolding Entry-point doc, project skills, slash commands,
67
+ per-language conventions, and specialized
68
+ subagents for the currently supported agent
69
+ (broader agent coverage in 2.6).
70
+ .dxkit/ reports, baselines, and (optional) policy.
71
+ .vyuh-dxkit.json install manifest.
177
72
  ```
178
73
 
179
- A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`. Suppressed counts are reported separately in the analyzer output so "zero visible" is distinguishable from "zero real".
180
-
181
- ### `.project.yaml` (optional, for scaffolding)
182
-
183
- When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` reads it as the config source — skipping detection and prompts. See [Scaffolding mode](#scaffolding-mode) below.
184
-
185
- ---
186
-
187
- ## Language Support
188
-
189
- Each language is a single `LanguageSupport` implementation in `src/languages/`. Detection, tools, coverage parsing, import extraction, and lint severity mapping live in one place per language.
190
-
191
- Adding a new language is a single command followed by filling in TODO markers:
74
+ After install:
192
75
 
193
76
  ```bash
194
- npm run new-lang kotlin "Kotlin (Android)"
77
+ git config core.hooksPath .githooks # activate the hooks
78
+ vyuh-dxkit baseline create # capture today's state
79
+ git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
80
+ git commit -m "chore: enable dxkit guardrails"
195
81
  ```
196
82
 
197
- This scaffolds the 7 recipe files (pack module, test stub, fixture skeleton, Claude rule file, template-config dir, plus `LanguageId` union extension and `LANGUAGES` registration). See [CONTRIBUTING.md](./CONTRIBUTING.md) for the full walkthrough. Recipe enforcement (architecture greps + contract tests + synthetic 6th-pack playbook) runs in pre-commit so packs that miss required metadata fail CI.
83
+ From this point:
198
84
 
199
- | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
200
- | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
201
- | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
202
- | Python | `pyproject.toml`, `setup.py`, `*.py` | coverage.py | ✅ import/from | ruff, pip-audit, coverage | ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
203
- | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
204
- | Rust | `Cargo.toml` | lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
205
- | C# | `*.csproj`, `*.sln` | cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ❌ (no linter yet) | ✅ dotnet list --vulnerable |
206
- | Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
207
- | Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
208
- | Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
85
+ - Every push runs the full guardrail check (pre-commit hook is
86
+ opt-in via `--with-precommit-hook` slow on large repos until
87
+ scoped incremental scanning lands).
88
+ - Every PR is gated by GitHub Actions, which posts a markdown summary
89
+ as a comment.
90
+ - After the PR-gate workflow passes and the PR merges, the baseline
91
+ is refreshed so the next PR is gated against the up-to-date state.
209
92
 
210
- ¹ Rust, C#, Kotlin, Java, and Ruby packs populate `imports.extracted` but the file-level resolver is a no-op — Rust's `use` paths, C#'s `using` namespaces, Kotlin's and Java's `import` package paths, and Ruby's dynamic `require` semantics don't map 1:1 to source files. Downstream analyses that need an edge graph (reachability for dep-vulns, import-graph credit for test-gaps) degrade to conservative defaults for these five languages. Resolvers are planned; see Phase 10i-L.2 in the roadmap.
93
+ Bypass + disable mechanisms:
211
94
 
212
- ✅ full support. Multi-language repos fully supported — every detected language's tools run, and dep-vuln counts aggregate across all language packs via the `depVulns` capability (pip-audit findings don't silently replace npm-audit ones).
213
-
214
- **Severity enrichment.** Scanners that don't publish per-finding severity (pip-audit, govulncheck) are enriched via the OSV.dev API. DXKit ships a complete CVSS v4.0 base-score calculator (macrovector lookup + severity-distance refinement, ported from [FIRST's reference implementation](https://github.com/FIRSTdotorg/cvss-v4-calculator)) since modern CVEs (2025+) increasingly publish v4 vectors exclusively. Unreachable IDs keep the scanner's legacy default bucket — the analyzer never fails because OSV was slow.
95
+ ```bash
96
+ DXKIT_SKIP_HOOKS=1 git push ... # one-off bypass
97
+ git push --no-verify ... # standard git bypass
98
+ git config --unset core.hooksPath # disable all dxkit hooks (per-clone)
99
+ rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
100
+ ```
215
101
 
216
- **Lint severity tiering.** Every lint finding is categorized into critical/high/medium/low by rule ID, linter name, or lint group. The `lint` capability envelope carries the tiered counts; `HealthReport.dimensions.quality.details` collapses them into an `"N errors, M warnings"` rendering (critical + high → errors, medium + low → warnings) for human readability. Consumers that want finer granularity read `report.capabilities.lint.counts` directly.
102
+ > **Additive by default.** Existing hooks, devcontainer, or workflows
103
+ > are never destroyed. dxkit detects them and writes sidecar `.dxkit`
104
+ > files with merge instructions. `--force` overrides if you want.
217
105
 
218
106
  ---
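Review bot: the removed Config Files section (`.dxkit-ignore`, and `.dxkit-suppressions.json` with its rule/paths/reason schema and the "suppressed counts are reported separately" behaviour) has no replacement pointer anywhere in the new text; the `.dxkit/` entry in the tree only says "reports, baselines, and (optional) policy". Add a link to wherever the suppression format now lives (or a line under Docs), since suppressions are the mechanism that silences gitleaks and semgrep findings and readers need to know it still exists and how a suppression is reviewed. Two smaller points in the same region: the bullet "pre-commit hook is opt-in via `--with-precommit-hook` slow on large repos" is missing a separator between the flag and "slow"; and the "Bypass + disable mechanisms" block should state that all four are local-only and the PR-gate workflow still runs (the Safety section says so, but a reader of the bypass list should not have to go looking for it).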
219
107
 
220
- ## Scaffolding Mode
108
+ ## 60-second demo
221
109
 
222
- Running `init` auto-detects your tech stack and generates a complete `.claude/` directory with 4 active + 17 opt-in agents, 30 slash commands, skills, path-scoped rules, and hooks.
110
+ ```text
111
+ $ npx @vyuhlabs/dxkit@latest init --full
112
+ ✓ Created: 73 files
113
+ ✓ Git hooks: installed 2 file(s)
114
+ ✓ Devcontainer: installed 3 file(s)
115
+ ✓ CI guardrails workflow: installed 1 file(s)
116
+ ✓ CI baseline-refresh workflow: installed 1 file(s)
223
117
 
224
- ```
225
- .claude/
226
- settings.json # Permissions, deny list, learning hooks
227
- agents/ # Active agents (auto-trigger on matching questions)
228
- knowledge-bot.md # Answers codebase questions
229
- onboarding.md # Interactive onboarding buddy
230
- quality-reviewer.md # Reviews code before committing
231
- doc-writer.md # Audits and writes documentation
232
- agents-available/ # 17 dormant agents (activate with /enable-agent)
233
- commands/ # 30 slash commands
234
- skills/ # Domain knowledge
235
- rules/ # Path-scoped rules (per language + framework)
236
- CLAUDE.md # Main context file for Claude Code
237
- .ai/
238
- sessions/ # Session checkpoints
239
- features/ # Feature-planning docs produced by `/feature`
240
- .dxkit/
241
- reports/ # Generated analyzer output (health, bom, licenses, …)
242
- .dxkit-ignore # Extra analyzer-only exclusions (on top of .gitignore)
243
- .dxkit-suppressions.json # Silence known-false positives (gitleaks, semgrep)
118
+ $ vyuh-dxkit baseline create
119
+ ✓ Wrote .dxkit/baselines/main.json — 89 findings (32s)
244
120
  ```
245
121
 
246
- The `.dxkit/` directory holds analyzer state and was split out from `.ai/` in v2.3.0 so tool output (regeneratable, safe to gitignore) is separated from agent context (session history, feature plans).
122
+ Your AI agent has access to dxkit's reports and the bundled
123
+ subagents that init scaffolded. A typical request to the agent:
247
124
 
248
- ### Slash commands → native CLI delegation
125
+ ```text
126
+ Read the latest dxkit health report. Pick one safe quality
127
+ improvement. Apply the change. Then run `vyuh-dxkit guardrail check`
128
+ to confirm nothing regressed. Show me what you did.
129
+ ```
249
130
 
250
- The scaffolded slash commands (`/health`, `/vulnerabilities`, `/test-gaps`, `/quality`, `/dev-report`) use a three-tier fallback:
131
+ The agent introduces a change that breaks the guardrail:
251
132
 
252
- 1. **Check for an existing report** in `.dxkit/reports/` from today
253
- 2. **Run `vyuh-dxkit <command>`** — deterministic, fast, same output
254
- 3. **Fall back to LLM analysis** only if the CLI isn't available
133
+ ```text
134
+ $ vyuh-dxkit guardrail check
135
+ Guardrail BLOCKED 2 new regressions
255
136
 
256
- This means slash commands return the same report whether invoked by a human or an agent — and the analysis is reproducible across runs.
137
+ Baseline: .dxkit/baselines/main.json (89 findings)
138
+ Current: 91 findings · matcher: git-aware
257
139
 
258
- ### Init flags
140
+ Blocking (2)
141
+ ADDED [medium] large-file src/regression.ts
142
+ no-prior-match: identity fingerprint not present in the baseline
143
+ ADDED [medium] test-gap src/regression.ts
144
+ no-prior-match: identity fingerprint not present in the baseline
259
145
 
260
- | Flag | Description |
261
- | ------------ | ----------------------------------------------------- |
262
- | `--detect` | Auto-detect stack, minimal prompts |
263
- | `--yes` | Accept all defaults |
264
- | `--dx-only` | Just `.claude/` + `CLAUDE.md` (default) |
265
- | `--full` | Everything: DX + quality + hooks + CI |
266
- | `--force` | Overwrite existing files (except evolving ones) |
267
- | `--stealth` | Gitignore generated files (local-only, not committed) |
268
- | `--name <n>` | Override project name |
269
- | `--no-scan` | Skip codebase analysis |
146
+ Summary
147
+ Pairs: 91 (blocking: 2, warning: 0, persisted: 89, resolved: 0)
148
+ Verdict: BLOCKED
149
+ Exit: 1
150
+ ```
270
151
 
271
- ### Stealth mode
152
+ The agent reads the failure, fixes it, and re-runs:
272
153
 
273
- `--stealth` keeps DXKit local: `.claude/`, `.ai/`, `CLAUDE.md` added to `.gitignore`, only `.githooks/` committed so all devs get the hooks without committing the scaffold.
154
+ ```text
155
+ $ vyuh-dxkit guardrail check
156
+ Guardrail PASSED — 0 new regressions
274
157
 
275
- ---
158
+ Summary
159
+ Pairs: 89 (blocking: 0, warning: 0, persisted: 89, resolved: 0)
160
+ Verdict: PASSED
161
+ Exit: 0
162
+ ```
276
163
 
277
- ## CI + Hooks
164
+ ---
278
165
 
279
- ### Pre-commit (set up automatically by `init --full` or husky)
166
+ ## Quickstart
280
167
 
281
- ```
282
- architecture check → validates imports + tool-registry + exclusions rules
283
- slop check → blocks new console.log, `: any`, debugger, committed temp files
284
- lint-staged → eslint --fix + prettier --write on changed files
285
- typecheck → tsc --noEmit
168
+ ```bash
169
+ # One-shot, no install
170
+ npx @vyuhlabs/dxkit@latest init --full
171
+
172
+ # Or install + use repeatedly
173
+ npm install -g @vyuhlabs/dxkit
174
+ vyuh-dxkit init --full
175
+ vyuh-dxkit baseline create
176
+ vyuh-dxkit guardrail check --changed-only
286
177
  ```
287
178
 
288
- ### Pre-push
179
+ À la carte if you only want specific pieces:
289
180
 
290
- ```
291
- build → ensure dist/ is current
292
- tests with coverage → vitest run --coverage (or equivalent per language)
293
- coverage threshold → scripts/check-coverage.sh; fails below configurable threshold
181
+ ```bash
182
+ vyuh-dxkit init --with-hooks # just the pre-push hook (default for hooks)
183
+ vyuh-dxkit init --with-precommit-hook # add the pre-commit hook (opt-in; slow on large repos)
184
+ vyuh-dxkit init --with-devcontainer # just the devcontainer
185
+ vyuh-dxkit init --with-ci # just the PR-gate workflow
186
+ vyuh-dxkit init --with-baseline-refresh # just the auto-refresh
187
+ vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)
294
188
  ```
295
189
 
296
- ### PR CI (`.github/workflows/ci.yml`)
297
-
298
- Mirrors pre-push but also runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop. `DXKIT_SLOP_BASE=origin/<base_ref>` flips `check-slop.sh` into diff-vs-base mode.
299
-
300
190
  ---
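Review bot: the one-shot `npx @vyuhlabs/dxkit@latest init --full` writes hooks, workflows and a devcontainer into the repo from whatever `latest` resolves to at that moment, which sits oddly beside the determinism claim later on the page (same dxkit version produces the identical score); suggest showing a pinned form (`npx @vyuhlabs/dxkit@<version> init --full`) at least for the invocation that lands files in the repo, and noting that the `.vyuh-dxkit.json` install manifest records which version generated them. Also, `--with-pr-review` is described only as "needs API key" without saying which external service receives the PR content; that belongs next to the flag, because it is the one piece of `init` that is not local-first.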
301
191
 
302
- ## Scoring
303
-
304
- dxkit produces a 0-100 score + A/B/C/D/E letter rating for six
305
- dimensions of every codebase. Three properties define the scoring
306
- model:
307
-
308
- - **Deterministic** — pure-function evaluator over a declarative spec
309
- per dimension. Same `git rev-parse HEAD` + same dxkit version
310
- produces the identical score on every run, every machine. This is
311
- the moat against LLM-driven review products, where outputs drift
312
- run-to-run.
313
- - **Anchored** — methodology cites underlying open international
314
- standards (ISO/IEC 25010, ISO/IEC 5055, SQALE method, CVSS v4,
315
- CWE, OWASP, OpenSSF Scorecard) rather than invented thresholds.
316
- - **Actionable** — every score is paired with structured provenance
317
- so the report says what to fix and how much the score would lift.
318
- Customer-facing markdown surfaces a "Top actions" block per
319
- dimension; agents consume the same structured `ScoreResult` JSON
320
- directly.
321
-
322
- The customer-facing methodology document — including the per-
323
- dimension penalty/cap breakdown and citations — lives at
324
- **[`docs/SCORING.md`](docs/SCORING.md)**.
192
+ ## Baseline mode: greenfield to 10-year-old codebases
325
193
 
326
- ---
194
+ Real codebases are messy. dxkit doesn't ask whether your repo is
195
+ perfect — it asks whether each change made it worse.
327
196
 
328
- ## Quality Gates for Agent-Written Code
197
+ | | **Greenfield day 1** | **Brownfield (years of debt)** |
198
+ | ---------------- | -------------------------------------- | --------------------------------------------------------- |
199
+ | Baseline | Captured near zero | Captures today's debt as the floor |
200
+ | Behavior | Every regression matters from commit 1 | Existing debt is grandfathered; net-new regressions block |
201
+ | Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
329
202
 
330
- dxkit's guiding principle: **deterministic guardrails that catch bad output regardless of who wrote it.** Scaffolded hooks + CI give every repo:
203
+ The classifier distinguishes:
331
204
 
332
- 1. **Pre-commit** fast local checks (architecture, slop, lint, typecheck)
333
- 2. **Pre-push** thorough local checks (full suite + coverage threshold)
334
- 3. **PR CI** unbypassable server-side checks (everything above + slop-vs-base + pack-dry)
335
- 4. **Coverage threshold** enforced at both local and CI tiers; agents can't silently lower it
205
+ | Status | Meaning | Default |
206
+ | ------------------- | ----------------------------------------- | ---------- |
207
+ | `added` | Net-new finding introduced by this change | **blocks** |
208
+ | `relocated` | Same finding, moved (line drift, rename) | passes |
209
+ | `persisted` | Same finding, same place — pre-existing | passes |
210
+ | `removed` / `fixed` | Was there, now gone | passes |
211
+ | `tooling_drift` | New only because scanner version changed | warns |
212
+ | `config_drift` | New only because dxkit config changed | warns |
213
+ | `uncertain` | Below confidence threshold | warns |
336
214
 
337
- The same pattern is what dxkit itself uses. See `scripts/check-coverage.sh` + `scripts/check-slop.sh`.
215
+ Customize via [`.dxkit/policy.json`](docs/configuration/policy.md)
216
+ auto-discovered when present, compiled-in defaults otherwise.
338
217
 
339
218
  ---
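Review bot: the classifier table defaults `tooling_drift`, `config_drift` and `uncertain` to "warns", so a scanner upgrade that starts detecting a real vulnerability class, or a finding whose match confidence falls below the threshold, never blocks a PR; the text should say what the confidence threshold defaults to and show the `.dxkit/policy.json` setting that promotes those statuses to blocking for security kinds (secrets, dependency vulnerabilities), since this table is the only place a reader learns the defaults. The sentence "Customize via `.dxkit/policy.json` auto-discovered when present" also needs punctuation between the link and "auto-discovered".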
340
219
 
341
- ## Library API
220
+ ## Git-aware identity matching
221
+
222
+ A regression check is only useful if the matcher can tell _old issue
223
+ that moved_ from _new issue that appeared_. Line numbers alone aren't
224
+ stable — add a 20-line comment block at the top of a file and every
225
+ issue below it "moves."
226
+
227
+ dxkit uses layered identity, in priority order:
228
+
229
+ 1. **Domain fingerprints** for entities whose identity is intrinsic:
230
+ - dependency vulnerabilities → `(package, version, advisory-id)`
231
+ - secrets → `(scanner-rule, fingerprint(value))` so a leaked
232
+ token recognises itself when moved
233
+ - licenses → `(package, version, license-type)`
234
+ - duplicate blocks → normalized content hash
235
+ 2. **Location fingerprints** with a 3-line bucket for code findings.
236
+ 3. **Git-aware line mapping** across commits, including `-M` file
237
+ renames and ±2 line fuzz windows.
238
+ 4. **Content-hash fallback** when git history isn't reachable
239
+ (shallow clones, archived snapshots).
240
+
241
+ Every match pair carries a **confidence in [0, 1]** and structured
242
+ **reasons** (`exact-id`, `git-line-exact`, `git-line-fuzz`,
243
+ `git-rename`, `content-hash`, ...). No LLM in the grading path —
244
+ the matcher and classifier are deterministic over normalized
245
+ analyzer input; the same inputs produce the same classifications.
342
246
 
343
- dxkit exports functions for programmatic use by downstream packages (e.g. `@vyuhlabs/create-devstack`):
344
-
345
- ```typescript
346
- import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
347
- import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
348
-
349
- const stack = detect('/path/to/project');
247
+ ---
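Review bot: step 1 identifies secrets by `(scanner-rule, fingerprint(value))` and the classifier passes `persisted` findings, so a live credential present when `baseline create` runs is classified `persisted` on every later push and never blocks; this section (or the `baseline create` docs) should tell users to triage secret findings before committing the baseline, or document a policy option that exempts the secrets kind from grandfathering. Separately, step 3 depends on git history while step 4 falls back to content hashes on shallow clones; say whether the generated PR-gate workflow checks out with full history (`fetch-depth: 0` in `actions/checkout`), because otherwise CI runs on the weaker fallback matcher, and point readers at the `reasons` field (`git-line-exact` vs `content-hash`) as the way to confirm which path was taken.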
350
248
 
351
- if (hasProjectYaml('/path/to/project')) {
352
- const config = readProjectYaml('/path/to/project');
353
- }
249
+ ## Reproducible environment
354
250
 
355
- const output = processTemplate('Hello {{PROJECT_NAME}}', vars, conditions);
356
- ```
251
+ Agents need a stable environment to be reliable. `init --with-devcontainer`
252
+ generates a Codespaces-ready setup:
357
253
 
358
- The CLI binary (`vyuh-dxkit`) is separate; the library import is for build-time and programmatic consumers.
254
+ - Pinned language toolchains (Node 22, Python 3.12, Go 1.21, .NET 8,
255
+ Ruby 3.3, Java 17, Rust stable) layered via standard devcontainer
256
+ features — small image footprint, fast Codespaces prebuild.
257
+ - `post-create.sh` runs `vyuh-dxkit tools install --yes` to provision
258
+ the scanner toolchain pinned in dxkit's registry (gitleaks, semgrep,
259
+ cloc, jscpd, ruff, osv-scanner, and more — language-aware, only the
260
+ ones your stack needs).
261
+ - Install scripts for the AI coding-agent CLIs you want available
262
+ inside the container. The scripts only install the binaries — auth
263
+ remains user-owned and is never baked into the image.
264
+ - Every piece is a regular script you can edit after install.
359
265
 
360
266
  ---
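Review bot: the pinned toolchain list includes Go 1.21, which has been out of upstream support (no security fixes) since Go 1.23 shipped; pin a currently supported Go release or phrase the list as the supported releases at generation time. Also, `post-create.sh` runs `vyuh-dxkit tools install --yes`, an unattended install of many third-party binaries inside the container; the text says versions are pinned in dxkit's registry but not whether downloads are checksum- or signature-verified, which is the detail a reader evaluating supply-chain exposure needs here.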
361
267
 
362
- ## Two Workflows
363
-
364
- ### Fix Loop: Reports → KPIs → Plans → Execution
365
-
366
- ```bash
367
- # 1. Scaffold into an existing repo
368
- npx @vyuhlabs/dxkit init --detect --yes
268
+ ## What dxkit analyzes
369
269
 
370
- # 2. Run analyzers (any of these work standalone too)
371
- /health # Codebase health (6 dimensions)
372
- /vulnerabilities # Security scan
373
- /test-gaps # Untested critical code
270
+ Beyond the baseline + guardrail surface, dxkit ships deterministic
271
+ analyzers across eight language packs (Python, TypeScript, Go, Rust,
272
+ C#, Kotlin, Java, Ruby), with graceful degradation when a tool isn't
273
+ available for your stack:
374
274
 
375
- # 3. Generate improvement plans
376
- /plan # Proposes KPIs + actionable plans
275
+ | Command | Question it answers |
276
+ | ----------------- | ------------------------------------------------------------------------------------- |
277
+ | `health` | "What's the overall shape of this codebase?" — 6-dimension score |
278
+ | `vulnerabilities` | "What security issues are there?" — secrets, SAST, dependency audit, EPSS/KEV context |
279
+ | `test-gaps` | "Which untested files are riskiest?" |
280
+ | `quality` | "Where's the technical debt + duplication?" |
281
+ | `bom` | "Full dependency × license × CVE × upgrade view" (license columns: 5 packs today) |
282
+ | `licenses` | "What licenses are in my dependency tree?" (TS, Python, Go, Rust, C# today) |
283
+ | `dev-report` | "Who's working on what, where are the hot files?" |
284
+ | `dashboard` | "Single HTML view of everything I've run" |
285
+ | `report` | Run every analyzer + dashboard in one shot |
377
286
 
378
- # 4. Execute plans with session management
379
- /execute-plan security # Work through security fixes
287
+ Composable aggregate gates apply to every analyzer:
380
288
 
381
- # 5. Track progress
382
- /dashboard # HTML dashboard with all reports
289
+ ```bash
290
+ vyuh-dxkit health --fail-on-score 60
291
+ vyuh-dxkit vulnerabilities --fail-on-severity high
292
+ vyuh-dxkit bom --fail-on-severity critical
383
293
  ```
384
294
 
385
- ### Feature Loop: Description Design → Plan → Build
295
+ Every `--json` output carries a `schema: 'dxkit.<kind>-report.v1'`
296
+ banner so consumers can version-gate.
386
297
 
387
- ```bash
388
- /feature add user roles with admin, editor, viewer tiers
389
- # Agent reads codebase, finds similar patterns, generates:
390
- # .ai/features/user-roles.md with full implementation plan
298
+ <details>
299
+ <summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
391
300
 
392
- /build-feature user-roles
393
- # Agent executes tasks: model migration repository service tests controller
394
- # Session checkpoints after each task
395
- ```
301
+ | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
302
+ | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
303
+ | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
304
+ | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
305
+ | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
306
+ | Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
307
+ | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
308
+ | Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
309
+ | Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
310
+ | Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
396
311
 
397
- Both loops use the session framework checkpoints, skill evolution, progress tracking.
312
+ ¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
313
+ file-level resolver is a no-op. Downstream analyses that need an edge graph
314
+ (reachability, import-graph test-gap credit) degrade to conservative
315
+ defaults for those packs; resolvers are tracked on the roadmap.
398
316
 
399
- ---
317
+ ² C# uses `dotnet-format` for formatting violations only. A real severity-
318
+ tiered C# linter (Roslyn analyzers / StyleCop) is roadmap; today every
319
+ C# formatting violation is counted at `low` tier so it doesn't inflate
320
+ the Quality/Slop score.
400
321
 
401
- ## Reports
322
+ </details>
402
323
 
403
- All analyzer commands save timestamped reports to `.dxkit/reports/`.
404
- Every command writes a summary markdown, a detailed markdown, and a
405
- canonical detailed JSON. `bom` adds an XLSX; `licenses` adds an XLSX
406
- when `--xlsx` is set. `dashboard` (or `report`) writes the single-file
407
- HTML view that stitches everything together.
324
+ ---
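Review bot: footnote ¹ says analyses that need an edge graph "degrade to conservative defaults" for the five packs without a resolver, but the direction of "conservative" is ambiguous for the two consumers it names: for reachability of dependency vulnerabilities it should mean "treat as reachable" (no vulnerability is hidden), while for import-graph test-gap credit it should mean "no credit" (no gap is hidden). State both explicitly so users running `vulnerabilities --fail-on-severity high` on Rust, C#, Kotlin, Java or Ruby repos know the gate errs toward reporting rather than suppressing.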
408
325
 
409
- ```
410
- .dxkit/reports/
411
- health-audit-<date>.md # 6-dimension summary
412
- health-audit-<date>-detailed.md # with per-dim plans + evidence
413
- health-audit-<date>-detailed.json # agent-consumable schema
326
+ ## Why dxkit
327
+
328
+ dxkit doesn't try to replace SonarQube, Snyk, Semgrep, GitHub
329
+ Advanced Security, Trivy, Gitleaks, or OSV-Scanner. It does three
330
+ things they don't:
331
+
332
+ 1. **It scaffolds your AI agent.** Most tools find issues; dxkit
333
+ _also_ writes the project-context layer (entry-point doc, project
334
+ skills, commands, language-specific rules, specialized subagents)
335
+ that lets your agent operate on the codebase intelligently.
336
+ 2. **It gates at commit time, deterministically.** No LLM in the
337
+ grading path. The matcher and classifier are deterministic over
338
+ normalized analyzer input.
339
+ 3. **It assumes your repo is messy.** Other tools want clean
340
+ codebases and block every PR until you fix everything. dxkit
341
+ captures the floor, grandfathers existing debt, and only blocks
342
+ regressions introduced from here forward — usable on day-one
343
+ greenfield and 10-year-old brownfield codebases alike.
344
+
345
+ Built on **open methodology**: ISO/IEC 25010, ISO/IEC 5055, SQALE,
346
+ CVSS v4 (FIRST reference port), CWE taxonomy, OpenSSF Scorecard.
347
+ Scores are evidence-backed and traceable to the findings that
348
+ produced them.
414
349
 
415
- vulnerability-scan-<date>.md
416
- vulnerability-scan-<date>-detailed.{md,json}
350
+ ---
417
351
 
418
- test-gaps-<date>.md
419
- test-gaps-<date>-detailed.{md,json}
352
+ ## Real-world validation
420
353
 
421
- quality-review-<date>.md
422
- quality-review-<date>-detailed.{md,json}
354
+ The 2.5.0 release was pre-ship audited on three production codebases:
423
355
 
424
- developer-report-<date>.md
425
- developer-report-<date>-detailed.{md,json}
356
+ - TypeScript backend
357
+ - TypeScript frontend
358
+ - Large .NET WinForms project
426
359
 
427
- bom-<date>.md # Bill of Materials summary
428
- bom-<date>-detailed.{md,json} # full per-package rows
429
- bom-<date>.xlsx # 15-col XLSX (with --xlsx)
360
+ Across **6,919 baseline findings**, the audit:
430
361
 
431
- licenses-<date>.md # license inventory
432
- licenses-<date>-detailed.{md,json}
433
- licenses-<date>.xlsx # with --xlsx
362
+ - identified four drift classes between aggregate reports and
363
+ per-finding identity sets
364
+ - brought roughly **3,000 previously untracked findings into
365
+ guardrail coverage**
366
+ - matched identity-set counts exactly to report aggregates for
367
+ every finding kind
434
368
 
435
- dashboard.html # single-file HTML view
436
- ```
369
+ Details in [`CHANGELOG.md`](CHANGELOG.md#250---2026-05-18).
437
370
 
438
- Export options:
371
+ ---
439
372
 
440
- - **HTML dashboard**: `vyuh-dxkit dashboard` or the `/dashboard` slash command — dark-themed sidebar navigation, reads every `*-detailed.json` under `.dxkit/reports/`
441
- - **PDF**: `/export-pdf all` — converts every report to PDF
442
- - **Structured JSON**: every command writes a `-detailed.json` unconditionally as of 2.4.7, so agents and dashboards always have the structured schema available
373
+ ## Safety + trust
374
+
375
+ dxkit is local-first.
376
+
377
+ - **No SaaS required.** Your code never leaves the machine.
378
+ - **No repo upload.** Analyzers run in-process or shell out to
379
+ locally-installed scanners; results stay on disk.
380
+ - **Secret values are never written to disk.** dxkit stores a
381
+ non-reversible fingerprint for matching only — the scanner sees
382
+ the value once and discards it after hashing.
383
+ - **Agent auth stays user-owned.** Install scripts ship the CLIs;
384
+ authentication happens in your session and is never baked into
385
+ the image or stored by dxkit.
386
+ - **CI guardrails are the enforcement layer.** Local hooks provide
387
+ fast feedback but are bypassable (`git commit --no-verify`); the
388
+ GitHub Actions PR-gate runs server-side and can be made a required
389
+ check via branch protection.
390
+ - **Post-merge baseline refresh is gated.** The refresh workflow
391
+ runs only after the PR-gate workflow succeeds on the merging
392
+ commit. **Use branch protection to make the PR-gate a required
393
+ check** so a bypassed merge can't codify a regression into the
394
+ baseline.
443
395
 
444
396
  ---
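Review bot: "Your code never leaves the machine" is broader than the rest of the page supports: the `vulnerabilities` row advertises EPSS/KEV context and the capability table lists OSV.dev enrichment, both of which send package names and advisory IDs to external APIs, and the opt-in `--with-pr-review` workflow needs an API key, which implies PR content goes to an external model service. Reword the bullet to "source is never uploaded; advisory lookups send package and advisory identifiers only; the AI PR-review workflow is the opt-in exception". On the secrets bullet: because `.dxkit/baselines/main.json` is committed (it is in the `git add` line of the install steps), the "non-reversible fingerprint" of each secret becomes part of repo history; if it is a plain hash of the value, low-entropy secrets can be recovered offline from the baseline, so state whether the fingerprint is keyed or truncated and note that committed baselines should be treated as sensitive until secret findings are resolved.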
445
397
 
446
- ## Using with create-devstack
398
+ ## Docs
447
399
 
448
- [`@vyuhlabs/create-devstack`](https://github.com/vyuh-labs/create-devstack) scaffolds dev environments (devcontainers, `.project.yaml`) and delegates to dxkit for everything else.
400
+ - [Getting started](docs/getting-started.md)
401
+ - [`baseline` command](docs/commands/baseline.md)
402
+ - [`guardrail` command](docs/commands/guardrail.md)
403
+ - [`.dxkit/policy.json` configuration](docs/configuration/policy.md)
404
+ - [Scoring methodology](docs/SCORING.md)
405
+ - [Architecture](docs/ARCHITECTURE.md)
406
+ - [All commands](docs/README.md)
449
407
 
450
- ```bash
451
- npm create @vyuhlabs/devstack my-project # devcontainer + .project.yaml + dxkit init
452
- ```
408
+ ---
453
409
 
454
- When create-devstack writes `.project.yaml` before calling dxkit, detection and prompts are skipped.
410
+ ## Roadmap
411
+
412
+ - [x] Local repo analysis (8 language packs)
413
+ - [x] Agent project scaffolding (entry-point doc, skills, commands,
414
+ conventions, specialized subagents — single-agent today)
415
+ - [x] Optional install scripts for AI coding-agent CLIs in the
416
+ devcontainer
417
+ - [x] Per-finding fingerprinting + git-aware matching
418
+ - [x] Baseline + guardrail commands
419
+ - [x] Brownfield policy classifier
420
+ - [x] Git hooks (pre-push default; pre-commit opt-in)
421
+ - [x] GitHub Actions PR-gate + gated baseline-refresh workflows
422
+ - [x] Devcontainer with pinned toolchains
423
+ - [ ] First-class scaffolding for every major coding agent —
424
+ per-agent skills + entry-point file conventions (2.6)
425
+ - [ ] Scoped + incremental scanning — fast pre-commit on monorepos
426
+ (2.6)
427
+ - [ ] Symbol-level coverage gaps across all 8 packs (2.6)
428
+ - [ ] SARIF export for GitHub code scanning interop (2.6)
429
+ - [ ] Reachability-aware dep-vuln triage
430
+ - [ ] **Per-pack capability parity** — bring every cell in the
431
+ capability table to a green tick (2.7 / 3.0):
432
+ - Import-graph resolvers for Rust, C#, Kotlin, Java, Ruby
433
+ (so reachability + import-graph test-gap credit work for
434
+ every pack, not just TS/Python/Go)
435
+ - Severity-tiered C# linter (Roslyn analyzers or StyleCop)
436
+ - License providers for Kotlin, Java, Ruby
437
+ - [ ] AI Readiness banner — semantic anchors, function-body hashes,
438
+ cross-file refactor detection (3.0)
455
439
 
456
440
  ---
457
441
 
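Review bot: the `Using with create-devstack` section and its `npm create @vyuhlabs/devstack my-project` command are deleted with no replacement, and none of the new Docs entries mention create-devstack. If the integration still exists, keep the one-liner or add a `docs/` entry for it; if it was dropped, record that in CHANGELOG.md, because the pre-seeded `.project.yaml` behaviour (`detection and prompts are skipped`) was user-visible. In the roadmap, `Reachability-aware dep-vuln triage` is the only open item without a target release while its neighbours carry `(2.6)` or `(2.7 / 3.0)`; give it one or mark it unscheduled.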
458
- ## Smart Detection
442
+ ## Contributing
459
443
 
460
- - **Test runner** Jest, Mocha, Vitest, Ava, Tap, pytest, go test
461
- - **Framework** LoopBack, Express, NestJS, FastAPI, Gin, etc. with framework-specific rules
462
- - **Test presence** — counts + classifies (active, commented-out, empty, schema-only)
463
- - **Multi-language** — detects all languages including Python from `.py` files (no config required)
464
- - **Language breakdown** — file count per language via `cloc`
444
+ dxkit aims to be the standard agentic-development layer for any
445
+ codebase. We'd love help with:
465
446
 
466
- ---
447
+ - Additional language pack support
448
+ - Agent-CLI integrations (the 2.6 work)
449
+ - Monorepo detection
450
+ - Devcontainer templates per stack
451
+ - Custom guardrail policies
452
+ - SARIF output
453
+ - More specialized subagents
467
454
 
468
- ## CLI Reference
469
-
470
- ```bash
471
- # Analyzer commands — each writes to .dxkit/reports/<name>-<date>.md + <name>-<date>-detailed.{md,json}
472
- vyuh-dxkit health [path] [--with-coverage] # 6-dimension score
473
- vyuh-dxkit vulnerabilities [path] # Security scan, ranked by composite risk
474
- vyuh-dxkit test-gaps [path] [--with-coverage] # Coverage + gaps + actions
475
- vyuh-dxkit quality [path] # Slop + duplication + lint
476
- vyuh-dxkit dev-report [path] [--since <date>] # Git activity report
477
- vyuh-dxkit licenses [path] # Dependency license inventory
478
- vyuh-dxkit bom [path] [--filter=top-level] # Bill of Materials + risk-ranked triage
479
-
480
- # Coverage materialization (side-effecting — runs each pack's test runner)
481
- vyuh-dxkit coverage [path] [--lang <id>] [--no-fail-fast]
482
-
483
- # Dashboard + one-shot full audit
484
- vyuh-dxkit dashboard [path] # render .dxkit/reports/ to a single HTML page
485
- vyuh-dxkit report [path] [--with-coverage] # run every analyzer + dashboard end-to-end
486
-
487
- # Data conversion
488
- vyuh-dxkit to-xlsx <json-file> # render licenses/bom detailed JSON as 15-col XLSX
489
-
490
- # Tool management
491
- vyuh-dxkit tools # status
492
- vyuh-dxkit tools install [--yes] # install missing
493
-
494
- # Scaffolding
495
- vyuh-dxkit init [--detect|--yes|--full|--stealth|--force|--name <n>]
496
- vyuh-dxkit update [--force|--rescan] # re-generate (preserves evolving files)
497
- vyuh-dxkit doctor # diagnose environment
498
-
499
- # Meta
500
- vyuh-dxkit --help
501
- vyuh-dxkit --version
502
- ```
455
+ Start with the [contributing guide](CONTRIBUTING.md) and
456
+ [good first issues](https://github.com/vyuh-labs/dxkit/labels/good%20first%20issue).
503
457
 
504
458
  ---
505
459
 
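Review bot: removing the CLI reference drops the README's only warning that `vyuh-dxkit coverage` is side-effecting (`runs each pack's test runner`). Running a repository's own test runner executes that repository's code, so a user who points dxkit at an untrusted checkout needs that caveat before running `coverage` or `report --with-coverage`. The new `All commands` link (docs/README.md) is the natural home; please confirm its `coverage` entry carries the same wording, and that `dashboard`, `report`, `to-xlsx` and `tools install` are documented there, since this hunk was the only place in the README that listed them.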
506
- ## How It Works
507
-
508
- 1. **Detection** — scans for config files, source files, and tools to determine languages, frameworks, and test runners
509
- 2. **Tool resolution** — `findTool()` checks PATH → brew → npm-g → pipx → cargo → go → project `node_modules` → system probes (first match wins)
510
- 3. **Gather metrics** — each analyzer calls its registered tools and parses structured output (JSON wherever possible)
511
- 4. **Score** — deterministic formulas map metrics to 0–100 per dimension
512
- 5. **Report** — markdown for humans, JSON for agents
460
+ ## License
513
461
 
514
- No LLM in the analysis path. Scores are reproducible: same repo state → same report.
462
+ MIT. See [LICENSE](LICENSE).
515
463
 
516
464
  ---
517
465
 
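Review bot: the removed `How It Works` list carried two facts a security-minded reader relies on and neither survives elsewhere in the new README: the `findTool()` lookup order, which ends in `project node_modules` (so a checkout can supply the binary an analyzer executes once the earlier locations miss), and `No LLM in the analysis path. Scores are reproducible: same repo state → same report.` Move both to docs/ARCHITECTURE.md, which the Docs list already links, and for the first one state whether project-local binaries can be excluded by policy.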
518
- ## Community + Contributing
519
-
520
- - **[`CHANGELOG.md`](CHANGELOG.md)** — release notes by version,
521
- including methodology shifts that may change scores between
522
- releases (e.g. the 2.4.7 scoring foundation).
523
- - **[`CONTRIBUTING.md`](CONTRIBUTING.md)** — local setup, the
524
- pre-commit hook stack, test conventions, and the "Adding a new
525
- language" walkthrough.
526
- - **[`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md)** — a short tour
527
- of the analyzer data flow, the three core patterns (language
528
- packs, scoring specs, centralized exclusions + tool registry),
529
- the subprocess discipline, and the `AnalysisResult` cache.
530
- - **[`CLAUDE.md`](CLAUDE.md)** — the authoritative architectural
531
- rule set with pre-commit + CI enforcement. Required reading
532
- before opening a PR that touches scoring, packs, exclusions, or
533
- tool invocation.
534
- - **[`docs/SCORING.md`](docs/SCORING.md)** — full scoring
535
- methodology: dimensions, weights, thresholds, caps, and the
536
- Layer-1 standards each spec anchors to.
537
- - **[`SECURITY.md`](SECURITY.md)** — security policy, supported
538
- versions, response SLAs, and the [private vulnerability
539
- reporting](https://github.com/vyuh-labs/dxkit/security/advisories/new)
540
- channel.
541
- - **[`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md)** — Contributor
542
- Covenant 2.1.
543
-
544
- Bug reports, feature requests, and questions: file an
545
- [issue](https://github.com/vyuh-labs/dxkit/issues/new/choose) using
546
- one of the templates.
547
-
548
- ---
466
+ ## Try it
549
467
 
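Review bot: collapsing `Community + Contributing` into `Contributing` removes the README's links to SECURITY.md and the private vulnerability reporting channel (https://github.com/vyuh-labs/dxkit/security/advisories/new), together with CHANGELOG.md, CODE_OF_CONDUCT.md, CLAUDE.md and the issue-template link. For a package that ships a security scanner the reporting channel should stay one click from the README. Add SECURITY.md and CHANGELOG.md to the Docs list at minimum; the deleted CHANGELOG note about `methodology shifts that may change scores between releases` was the only warning that scores are not comparable across versions, and the new text nowhere repeats it.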
550
- ## License
468
+ ```bash
469
+ npx @vyuhlabs/dxkit@latest init --full
470
+ ```
551
471
 
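Review bot: `npx @vyuhlabs/dxkit@latest init --full` runs whichever version carries the `latest` dist-tag at invocation time, which sits oddly beside the `Devcontainer with pinned toolchains` item the roadmap advertises, and `init` is the scaffolding command that writes into the repository. Pin the snippet to a specific version tag instead of `@latest`, or add a sentence telling readers to pin it.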
552
- MIT
472
+ If dxkit helps you ship AI-assisted changes more safely, star the
473
+ repo — it helps others find it too.