@vyuhlabs/dxkit 2.4.8 → 2.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +312 -0
- package/README.md +360 -439
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +4 -46
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +91 -26
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +111 -22
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +6 -1
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +24 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +20 -11
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +9 -5
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +19 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +25 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/types.d.ts +6 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/baseline/baseline-file.d.ts +104 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -0
- package/dist/baseline/baseline-file.js +110 -0
- package/dist/baseline/baseline-file.js.map +1 -0
- package/dist/baseline/check-renderers.d.ts +108 -0
- package/dist/baseline/check-renderers.d.ts.map +1 -0
- package/dist/baseline/check-renderers.js +379 -0
- package/dist/baseline/check-renderers.js.map +1 -0
- package/dist/baseline/check.d.ts +127 -0
- package/dist/baseline/check.d.ts.map +1 -0
- package/dist/baseline/check.js +462 -0
- package/dist/baseline/check.js.map +1 -0
- package/dist/baseline/content-hash.d.ts +83 -0
- package/dist/baseline/content-hash.d.ts.map +1 -0
- package/dist/baseline/content-hash.js +131 -0
- package/dist/baseline/content-hash.js.map +1 -0
- package/dist/baseline/create.d.ts +96 -0
- package/dist/baseline/create.d.ts.map +1 -0
- package/dist/baseline/create.js +339 -0
- package/dist/baseline/create.js.map +1 -0
- package/dist/baseline/entry-to-located.d.ts +35 -0
- package/dist/baseline/entry-to-located.d.ts.map +1 -0
- package/dist/baseline/entry-to-located.js +72 -0
- package/dist/baseline/entry-to-located.js.map +1 -0
- package/dist/baseline/finding-identity.d.ts +47 -0
- package/dist/baseline/finding-identity.d.ts.map +1 -0
- package/dist/baseline/finding-identity.js +292 -0
- package/dist/baseline/finding-identity.js.map +1 -0
- package/dist/baseline/git-aware-match.d.ts +146 -0
- package/dist/baseline/git-aware-match.d.ts.map +1 -0
- package/dist/baseline/git-aware-match.js +439 -0
- package/dist/baseline/git-aware-match.js.map +1 -0
- package/dist/baseline/policy.d.ts +171 -0
- package/dist/baseline/policy.d.ts.map +1 -0
- package/dist/baseline/policy.js +206 -0
- package/dist/baseline/policy.js.map +1 -0
- package/dist/baseline/producers/health.d.ts +30 -0
- package/dist/baseline/producers/health.d.ts.map +1 -0
- package/dist/baseline/producers/health.js +42 -0
- package/dist/baseline/producers/health.js.map +1 -0
- package/dist/baseline/producers/index.d.ts +164 -0
- package/dist/baseline/producers/index.d.ts.map +1 -0
- package/dist/baseline/producers/index.js +200 -0
- package/dist/baseline/producers/index.js.map +1 -0
- package/dist/baseline/producers/licenses.d.ts +23 -0
- package/dist/baseline/producers/licenses.d.ts.map +1 -0
- package/dist/baseline/producers/licenses.js +46 -0
- package/dist/baseline/producers/licenses.js.map +1 -0
- package/dist/baseline/producers/quality.d.ts +39 -0
- package/dist/baseline/producers/quality.d.ts.map +1 -0
- package/dist/baseline/producers/quality.js +84 -0
- package/dist/baseline/producers/quality.js.map +1 -0
- package/dist/baseline/producers/secret-hmac.d.ts +45 -0
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
- package/dist/baseline/producers/secret-hmac.js +70 -0
- package/dist/baseline/producers/secret-hmac.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +59 -0
- package/dist/baseline/producers/security.d.ts.map +1 -0
- package/dist/baseline/producers/security.js +135 -0
- package/dist/baseline/producers/security.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +36 -0
- package/dist/baseline/producers/tests.d.ts.map +1 -0
- package/dist/baseline/producers/tests.js +69 -0
- package/dist/baseline/producers/tests.js.map +1 -0
- package/dist/baseline/salt.d.ts +45 -0
- package/dist/baseline/salt.d.ts.map +1 -0
- package/dist/baseline/salt.js +113 -0
- package/dist/baseline/salt.js.map +1 -0
- package/dist/baseline/show.d.ts +79 -0
- package/dist/baseline/show.d.ts.map +1 -0
- package/dist/baseline/show.js +233 -0
- package/dist/baseline/show.js.map +1 -0
- package/dist/baseline/types.d.ts +482 -0
- package/dist/baseline/types.d.ts.map +1 -0
- package/dist/baseline/types.js +53 -0
- package/dist/baseline/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +398 -82
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -4
- package/dist/constants.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +39 -35
- package/dist/doctor.js.map +1 -1
- package/dist/fail-on.d.ts +84 -0
- package/dist/fail-on.d.ts.map +1 -0
- package/dist/fail-on.js +128 -0
- package/dist/fail-on.js.map +1 -0
- package/dist/generator.d.ts +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +81 -274
- package/dist/generator.js.map +1 -1
- package/dist/hooks-cli.d.ts +20 -0
- package/dist/hooks-cli.d.ts.map +1 -0
- package/dist/hooks-cli.js +145 -0
- package/dist/hooks-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +4 -9
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +3 -14
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +19 -1
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +32 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +4 -6
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +9 -11
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +4 -15
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +4 -6
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +4 -4
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +29 -28
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +31 -4
- package/dist/languages/typescript.js.map +1 -1
- package/dist/lib.d.ts +2 -3
- package/dist/lib.d.ts.map +1 -1
- package/dist/lib.js +3 -6
- package/dist/lib.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -10
- package/dist/prompts.js.map +1 -1
- package/dist/report-schema.d.ts +42 -0
- package/dist/report-schema.d.ts.map +1 -0
- package/dist/report-schema.js +54 -0
- package/dist/report-schema.js.map +1 -0
- package/dist/ship-installers.d.ts +112 -0
- package/dist/ship-installers.d.ts.map +1 -0
- package/dist/ship-installers.js +530 -0
- package/dist/ship-installers.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +45 -9
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +0 -4
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +0 -4
- package/dist/update.js.map +1 -1
- package/package.json +17 -11
- package/templates/.claude/skills/dxkit-action/SKILL.md +150 -0
- package/templates/.claude/skills/dxkit-config/SKILL.md +124 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +109 -0
- package/templates/.claude/skills/dxkit-init/SKILL.md +93 -0
- package/templates/.claude/skills/dxkit-learn/SKILL.md +84 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +111 -0
- package/templates/.devcontainer/devcontainer.json +55 -0
- package/templates/.devcontainer/install-agent-clis.sh +42 -0
- package/templates/.devcontainer/post-create.sh +81 -0
- package/templates/.githooks/pre-commit +55 -0
- package/templates/.githooks/pre-push +63 -0
- package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
- package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
- package/templates/AGENTS.md.template +137 -0
- package/templates/CLAUDE.md.template +16 -245
- package/dist/codebase-scanner.d.ts +0 -36
- package/dist/codebase-scanner.d.ts.map +0 -1
- package/dist/codebase-scanner.js +0 -688
- package/dist/codebase-scanner.js.map +0 -1
- package/dist/project-yaml.d.ts +0 -13
- package/dist/project-yaml.d.ts.map +0 -1
- package/dist/project-yaml.js +0 -188
- package/dist/project-yaml.js.map +0 -1
- package/templates/.ai/README.md +0 -117
- package/templates/.ai/prompts/execution-prompt.md +0 -9
- package/templates/.ai/prompts/planning-prompt.md +0 -18
- package/templates/.ai/prompts/session-end-template.md +0 -182
- package/templates/.ai/prompts/session-end.md +0 -132
- package/templates/.ai/prompts/session-start.md +0 -109
- package/templates/.ai/prompts/step-by-step.md +0 -113
- package/templates/.ai/sessions/.gitkeep +0 -0
- package/templates/.claude/agents/doc-writer.md +0 -107
- package/templates/.claude/agents/knowledge-bot.md +0 -64
- package/templates/.claude/agents/onboarding.md +0 -61
- package/templates/.claude/agents/quality-reviewer.md +0 -85
- package/templates/.claude/agents-available/code-reviewer.md +0 -29
- package/templates/.claude/agents-available/codebase-explorer.md +0 -100
- package/templates/.claude/agents-available/dashboard-builder.md +0 -433
- package/templates/.claude/agents-available/debugger.md +0 -29
- package/templates/.claude/agents-available/dependency-mapper.md +0 -80
- package/templates/.claude/agents-available/dev-report.md +0 -108
- package/templates/.claude/agents-available/doc-writer.md +0 -107
- package/templates/.claude/agents-available/feature-builder.md +0 -163
- package/templates/.claude/agents-available/feature-planner.md +0 -185
- package/templates/.claude/agents-available/health-auditor.md +0 -95
- package/templates/.claude/agents-available/hooks-configurator.md +0 -211
- package/templates/.claude/agents-available/knowledge-bot.md +0 -62
- package/templates/.claude/agents-available/plan-executor.md +0 -133
- package/templates/.claude/agents-available/strategic-planner.md +0 -141
- package/templates/.claude/agents-available/test-gap-finder.md +0 -67
- package/templates/.claude/agents-available/test-writer.md +0 -34
- package/templates/.claude/agents-available/vulnerability-scanner.md +0 -173
- package/templates/.claude/commands/ask.md +0 -7
- package/templates/.claude/commands/build-feature.md +0 -26
- package/templates/.claude/commands/build.md.template +0 -30
- package/templates/.claude/commands/check.md.template +0 -43
- package/templates/.claude/commands/dashboard.md +0 -28
- package/templates/.claude/commands/deps.md +0 -15
- package/templates/.claude/commands/dev-report.md +0 -50
- package/templates/.claude/commands/docs.md +0 -21
- package/templates/.claude/commands/doctor.md +0 -21
- package/templates/.claude/commands/enable-agent.md +0 -12
- package/templates/.claude/commands/execute-plan.md +0 -25
- package/templates/.claude/commands/explore-codebase.md +0 -12
- package/templates/.claude/commands/export-pdf.md +0 -30
- package/templates/.claude/commands/feature.md +0 -25
- package/templates/.claude/commands/fix-issue.md +0 -12
- package/templates/.claude/commands/fix.md.template +0 -32
- package/templates/.claude/commands/health.md +0 -58
- package/templates/.claude/commands/help.md +0 -36
- package/templates/.claude/commands/learn.md +0 -48
- package/templates/.claude/commands/onboarding.md +0 -21
- package/templates/.claude/commands/plan.md +0 -20
- package/templates/.claude/commands/quality.md.template +0 -65
- package/templates/.claude/commands/session-end.md +0 -40
- package/templates/.claude/commands/session-start.md +0 -30
- package/templates/.claude/commands/setup-hooks.md +0 -18
- package/templates/.claude/commands/setup-pr-review.md +0 -72
- package/templates/.claude/commands/stealth-mode.md +0 -17
- package/templates/.claude/commands/test-gaps.md +0 -49
- package/templates/.claude/commands/test.md.template +0 -40
- package/templates/.claude/commands/vulnerabilities.md +0 -49
- package/templates/.claude/skills/build/SKILL.md.template +0 -98
- package/templates/.claude/skills/deploy/SKILL.md.template +0 -131
- package/templates/.claude/skills/deploy/references/gotchas.md +0 -5
- package/templates/.claude/skills/doctor/SKILL.md +0 -54
- package/templates/.claude/skills/gcloud/SKILL.md +0 -66
- package/templates/.claude/skills/gcloud/references/gotchas.md +0 -5
- package/templates/.claude/skills/learned/SKILL.md +0 -55
- package/templates/.claude/skills/learned/references/conventions.md +0 -11
- package/templates/.claude/skills/learned/references/deny-recommendations.md +0 -18
- package/templates/.claude/skills/learned/references/gotchas.md +0 -11
- package/templates/.claude/skills/pulumi/SKILL.md +0 -73
- package/templates/.claude/skills/quality/SKILL.md.template +0 -108
- package/templates/.claude/skills/quality/references/gotchas.md +0 -5
- package/templates/.claude/skills/review/SKILL.md.template +0 -73
- package/templates/.claude/skills/scaffold/SKILL.md.template +0 -123
- package/templates/.claude/skills/secrets/SKILL.md +0 -52
- package/templates/.claude/skills/session/SKILL.md +0 -43
- package/templates/.claude/skills/test/SKILL.md.template +0 -122
- package/templates/.claude/skills/test/references/gotchas.md +0 -5
- package/templates/.devcontainer/Dockerfile.dev.template +0 -89
- package/templates/.devcontainer/devcontainer.json.template +0 -184
- package/templates/.devcontainer/docker-compose.yml.template +0 -105
- package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
- package/templates/.devcontainer/post-create.sh.template +0 -298
- package/templates/.github/workflows/ci.yml.template +0 -399
- package/templates/.github/workflows/quality.yml.template +0 -376
- package/templates/.pre-commit-config.yaml.template +0 -106
- package/templates/.project/config/edit_config.py +0 -275
- package/templates/.project/config/project_config.py +0 -894
- package/templates/.project/scripts/codegen/generate-all.sh +0 -20
- package/templates/.project/scripts/codegen/validate-all.sh +0 -17
- package/templates/.project/scripts/docs/generate-all.sh +0 -30
- package/templates/.project/scripts/docs/serve.sh +0 -20
- package/templates/.project/scripts/quality/fix-all.sh +0 -138
- package/templates/.project/scripts/quality/lint-go.sh +0 -34
- package/templates/.project/scripts/quality/lint-python.sh +0 -54
- package/templates/.project/scripts/quality/run-all.sh +0 -497
- package/templates/.project/scripts/session/commit.sh +0 -70
- package/templates/.project/scripts/session/create-pr.sh +0 -165
- package/templates/.project/scripts/session/end.sh +0 -207
- package/templates/.project/scripts/session/start.sh +0 -233
- package/templates/.project/scripts/setup/doctor.sh +0 -404
- package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
- package/templates/.project/scripts/sync/sync-template.sh +0 -328
- package/templates/.project/scripts/test/run-all.sh +0 -179
- package/templates/.project/scripts/test/run-quick.sh +0 -25
- package/templates/Makefile +0 -514
- package/templates/config/versions.yaml +0 -57
- package/templates/configs/go/.golangci.yml.template +0 -172
- package/templates/configs/go/go.mod.template +0 -15
- package/templates/configs/java/README.md +0 -6
- package/templates/configs/kotlin/README.md +0 -6
- package/templates/configs/node/package.json.template +0 -67
- package/templates/configs/node/tsconfig.json.template +0 -53
- package/templates/configs/python/pyproject.toml.template +0 -92
- package/templates/configs/python/pytest.ini.template +0 -64
- package/templates/configs/python/ruff.toml.template +0 -79
- package/templates/configs/ruby/README.md +0 -6
- package/templates/configs/rust/Cargo.toml.template +0 -51
- package/templates/configs/shared/.editorconfig +0 -67
- package/templates/scripts/validate-templates.sh +0 -449
package/README.md
CHANGED
|
@@ -1,552 +1,473 @@
|
|
|
1
|
-
#
|
|
1
|
+
# dxkit
|
|
2
2
|
|
|
3
|
-
AI-native
|
|
3
|
+
**AI-native developer experience toolkit for any codebase.**
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
## Quick Start
|
|
11
|
-
|
|
12
|
-
**Analyze an existing repo:**
|
|
13
|
-
|
|
14
|
-
```bash
|
|
15
|
-
cd your-repo
|
|
16
|
-
npx @vyuhlabs/dxkit tools install --yes # one-time: install cloc, gitleaks, etc.
|
|
17
|
-
npx @vyuhlabs/dxkit health --detailed # 6-dimension score + remediation plan
|
|
18
|
-
npx @vyuhlabs/dxkit vulnerabilities # secret + SAST + dep-audit (ranked by risk)
|
|
19
|
-
npx @vyuhlabs/dxkit bom --filter=top-level # Bill of Materials w/ "This Week's Triage"
|
|
20
|
-
npx @vyuhlabs/dxkit test-gaps # import-graph + coverage-aware
|
|
21
|
-
npx @vyuhlabs/dxkit quality # slop + duplication + lint
|
|
22
|
-
npx @vyuhlabs/dxkit licenses # dependency license inventory
|
|
23
|
-
npx @vyuhlabs/dxkit dev-report # git activity + contributors
|
|
24
|
-
```
|
|
25
|
-
|
|
26
|
-
**Scaffold AI tooling into a repo:**
|
|
5
|
+
Make your existing codebase safe for Claude Code, Codex, and other AI
|
|
6
|
+
coding agents. Equip the agent with repo-native context. Guard every
|
|
7
|
+
commit and PR with deterministic checks. **One command scaffolds the
|
|
8
|
+
agent DX; one baseline turns on the guardrails.** Works across major
|
|
9
|
+
language stacks, greenfield or brownfield.
|
|
27
10
|
|
|
28
11
|
```bash
|
|
29
|
-
npx @vyuhlabs/dxkit init --
|
|
30
|
-
npx @vyuhlabs/dxkit init --full --yes # everything: DX + quality + hooks + CI
|
|
12
|
+
npx @vyuhlabs/dxkit@latest init --full
|
|
31
13
|
```
|
|
32
14
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
>
|
|
37
|
-
>
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
>
|
|
15
|
+
<p>
|
|
16
|
+
<a href="https://www.npmjs.com/package/@vyuhlabs/dxkit">
|
|
17
|
+
<img alt="npm version" src="https://img.shields.io/npm/v/@vyuhlabs/dxkit">
|
|
18
|
+
</a>
|
|
19
|
+
<img alt="license" src="https://img.shields.io/github/license/vyuh-labs/dxkit">
|
|
20
|
+
<img alt="deterministic" src="https://img.shields.io/badge/scoring-deterministic-blue">
|
|
21
|
+
<img alt="local-first" src="https://img.shields.io/badge/local-first-green">
|
|
22
|
+
<img alt="brownfield" src="https://img.shields.io/badge/brownfield-baseline%20guardrails-orange">
|
|
23
|
+
<img alt="agentic" src="https://img.shields.io/badge/agentic-ready-purple">
|
|
24
|
+
</p>
|
|
42
25
|
|
|
43
26
|
---
|
|
44
27
|
|
|
45
|
-
##
|
|
46
|
-
|
|
47
|
-
Seven deterministic analyzers + a one-shot orchestrator. Each emits a markdown report to `.dxkit/reports/` and a structured JSON file the dashboard reads.
|
|
48
|
-
|
|
49
|
-
| Command | What it does | Runtime | Output |
|
|
50
|
-
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | --------------------------------------------- |
|
|
51
|
-
| `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.dxkit/reports/health-audit-<date>.md` |
|
|
52
|
-
| `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (enriched with EPSS exploit probability, CISA KEV catalog, reachability from your source, composite riskScore; per-advisory detail in `--detailed`) | 5–30s | `.dxkit/reports/vulnerability-scan-<date>.md` |
|
|
53
|
-
| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins). Headline coverage carries a `coverageFidelity` tier; banners surface heuristic-vs-line-coverage trust. | <1s | `.dxkit/reports/test-gaps-<date>.md` |
|
|
54
|
-
| `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.dxkit/reports/quality-review-<date>.md` |
|
|
55
|
-
| `dev-report` | Commits, contributors, hot files (autogen-filtered), weekly velocity (with zero-rows for empty weeks), conventional % | <1s | `.dxkit/reports/developer-report-<date>.md` |
|
|
56
|
-
| `licenses` | Dependency license inventory across every active pack (TS, Python, Go, Rust, C#; Kotlin + Java omitted — no canonical CLI license tool for Maven/Gradle ecosystems) | 5–20s | `.dxkit/reports/licenses-<date>.md` |
|
|
57
|
-
| `bom` | **Bill of Materials** — joins licenses + vulns per package, groups by top-level manifest dep (Snyk-style), enriches with CISA KEV + EPSS + reachability, ranks by composite risk score with "This Week's Triage" summary, aggregates nested sub-projects, `--filter=top-level` collapses transitive rows, 15-col XLSX | 10–40s | `.dxkit/reports/bom-<date>.{md,xlsx}` |
|
|
58
|
-
| `coverage` | Side-effecting — runs each active pack's `test-with-coverage` command to materialize the artifact `test-gaps` / `health` read back. Use this once before analysis, or pass `--with-coverage` to the analyzer. | 1–10m | per-pack artifact (`coverage.json` etc.) |
|
|
59
|
-
| `dashboard` | Renders every report under `.dxkit/reports/` into a single HTML page (tiles + per-report tabs + cross-cutting "Critical Issues at a Glance"). Reads `*-detailed.json` (written unconditionally as of 2.4.7). | <1s | `.dxkit/reports/dashboard.html` |
|
|
60
|
-
| `report` | **One-shot full audit** — runs every analyzer + dashboard in dependency order. `--with-coverage` materializes coverage once upfront so both `health` and `test-gaps` benefit without re-running tests per analyzer. | 5–15m | every output above + dashboard |
|
|
61
|
-
|
|
62
|
-
Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bom` detailed JSON as the canonical 15-column XLSX.
|
|
63
|
-
|
|
64
|
-
### Flags (apply to all analyzer commands)
|
|
65
|
-
|
|
66
|
-
| Flag | Effect |
|
|
67
|
-
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
68
|
-
| `--detailed` | Surface the success-log line for the detailed report. (As of 2.4.7 the `-detailed.json` + `-detailed.md` files are written **unconditionally** so the dashboard always finds fresh input — this flag only controls the console-side noise.) |
|
|
69
|
-
| `--json` | Emit pure JSON on stdout. Logs go to stderr so pipes stay clean |
|
|
70
|
-
| `--verbose` | Print per-tool timing to stderr |
|
|
71
|
-
| `--no-save` | Skip writing markdown; useful with `--json` |
|
|
72
|
-
| `--xlsx` | (`licenses`, `bom` only) Also write 15-col `.xlsx` — drop-in for spreadsheet workflows |
|
|
73
|
-
| `-o <file>` | (`licenses`, `bom`, `to-xlsx`) Override output path for xlsx / converted file |
|
|
74
|
-
| `--since <date>` | (`dev-report` only) Analyze commits on or after `YYYY-MM-DD` |
|
|
75
|
-
| `--filter` | (`bom` only) `all` (default) or `top-level` — keep only root manifest deps; the byTopLevelDep rollup still reflects transitives |
|
|
76
|
-
| `--no-nested` | (`bom` only) Disable nested-project aggregation. Default discovers every sub-project with a language manifest under cwd and merges their BOMs |
|
|
77
|
-
| `--with-coverage` | (`health`, `test-gaps`, `report`) Materialize coverage artifacts via per-pack `runTests()` **before** analysis. Promotes the headline from filename-match heuristic to `line-coverage` truth. With `report`, runs once upfront — health + test-gaps share the artifact. |
|
|
78
|
-
| `--lang <id>` | (`coverage`, `--with-coverage`) Restrict to one pack id when the repo is polyglot |
|
|
79
|
-
| `--no-fail-fast` | (`coverage`, `--with-coverage`) Continue running coverage across remaining packs after a `failed` outcome |
|
|
28
|
+
## The problem
|
|
80
29
|
|
|
81
|
-
|
|
30
|
+
AI coding agents are powerful, but shipping their work safely is hard:
|
|
82
31
|
|
|
83
|
-
|
|
32
|
+
- The agent's environment isn't reproducible — different machine,
|
|
33
|
+
different result.
|
|
34
|
+
- The agent has no project-specific context — your conventions are
|
|
35
|
+
tribal knowledge it can't access.
|
|
36
|
+
- Strict gates assume a clean codebase. Real codebases have years of
|
|
37
|
+
debt, and absolute gates either get disabled or block every PR.
|
|
38
|
+
- Most "AI code review" tools rely on another LLM to grade the work —
|
|
39
|
+
non-deterministic, gameable, and a black box.
|
|
40
|
+
- Bad agent changes silently land because the only enforcement is
|
|
41
|
+
human attention.
|
|
84
42
|
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
- **Projected score delta** for each remediation action — so you know which fix moves the needle most
|
|
88
|
-
- **Canonical JSON** (`schemaVersion`) that agents or dashboards can consume
|
|
89
|
-
|
|
90
|
-
### Signal precedence (for `test-gaps` and the Testing dimension in `health`)
|
|
91
|
-
|
|
92
|
-
Three signals, strongest wins for files it covers:
|
|
93
|
-
|
|
94
|
-
1. **Coverage artifact** — Istanbul JSON (TS/JS), `coverage.json` (Python), `coverage.out` (Go), cobertura XML (C#/Rust), `lcov.info` (Rust), JaCoCo XML (Kotlin/Java), SimpleCov resultset (Ruby). If the tool measured a file, that decision is authoritative.
|
|
95
|
-
2. **Import-graph reachability** — files transitively imported from an active test file (up to 3 hops). Rescues integration tests + behavior-named tests the filename matcher misses.
|
|
96
|
-
3. **Filename match** — last-resort basename similarity.
|
|
97
|
-
|
|
98
|
-
A file counts as "tested" when the strongest available signal says so.
|
|
99
|
-
|
|
100
|
-
#### Coverage fidelity tier (2.4.7+)
|
|
101
|
-
|
|
102
|
-
Test-gap reports now carry a `coverageFidelity` tier so a 0% from a heuristic can't be confused with a 0% from a real coverage run:
|
|
103
|
-
|
|
104
|
-
| Tier | Source | Trust |
|
|
105
|
-
| ---------------- | -------------------------------------------------------------------------- | ------------------ |
|
|
106
|
-
| `line-coverage` | Any of the artifacts above | Line-level truth |
|
|
107
|
-
| `import-graph` | Test-file import edges (up to N hops) | Informed heuristic |
|
|
108
|
-
| `filename-match` | Source files with a name-matched test (200-line file / 5-line test passes) | Pure heuristic |
|
|
109
|
-
|
|
110
|
-
The test-gaps markdown leads with a ⚠️ / ℹ️ banner when fidelity isn't `line-coverage`, pointing at `vyuh-dxkit coverage` and `vyuh-dxkit health --with-coverage` as the install paths to ground-truth.
|
|
43
|
+
dxkit closes that loop end-to-end, deterministically, with no LLM in
|
|
44
|
+
the grading path.
|
|
111
45
|
|
|
112
46
|
---
|
|
113
47
|
|
|
114
|
-
##
|
|
115
|
-
|
|
116
|
-
Analyzers delegate to established tools instead of reinventing them. `vyuh-dxkit tools` manages detection and installation across multiple methods (PATH, brew, npm-g, pipx, cargo, go, project `node_modules`, system probes).
|
|
48
|
+
## What `init --full` creates
|
|
117
49
|
|
|
118
50
|
```bash
|
|
119
|
-
|
|
120
|
-
vyuh-dxkit tools install --yes # install all missing tools
|
|
121
|
-
vyuh-dxkit tools install # interactive: prompts per tool
|
|
122
|
-
```
|
|
123
|
-
|
|
124
|
-
### Tools integrated
|
|
125
|
-
|
|
126
|
-
| Layer | Tools |
|
|
127
|
-
| --------- | -------------------------------------------------------------------------- |
|
|
128
|
-
| Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
|
|
129
|
-
| Node / TS | `eslint`, `npm audit`, `osv-scanner` (fix planner), `@vitest/coverage-v8` |
|
|
130
|
-
| Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
|
|
131
|
-
| Go | `golangci-lint`, `govulncheck` |
|
|
132
|
-
| Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
|
|
133
|
-
| C# | `dotnet-format` (via SDK — formatter, not a linter) |
|
|
134
|
-
| Kotlin | `detekt` (Checkstyle XML), `osv-scanner` (Maven), JaCoCo XML |
|
|
135
|
-
| Java | `pmd` (PMD 7.x JSON), `osv-scanner` (Maven), JaCoCo XML reuse |
|
|
136
|
-
| Ruby | `rubocop` (JSON), `bundler-audit`, `osv-scanner` (Gemfile.lock), SimpleCov |
|
|
137
|
-
|
|
138
|
-
Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
|
|
139
|
-
|
|
140
|
-
---
|
|
141
|
-
|
|
142
|
-
## Config Files
|
|
143
|
-
|
|
144
|
-
### `.dxkit-ignore`
|
|
145
|
-
|
|
146
|
-
Plain-text `.gitignore`-style file. Lines here are added to the analyzer's exclusion set on top of the bundled defaults and project `.gitignore`.
|
|
147
|
-
|
|
148
|
-
```
|
|
149
|
-
# .dxkit-ignore — override project exclusions for dxkit analyzers
|
|
150
|
-
vendor-bundle/
|
|
151
|
-
*.gen.ts
|
|
51
|
+
npx @vyuhlabs/dxkit@latest init --full
|
|
152
52
|
```
|
|
153
53
|
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
"paths": ["scripts/serve-static.js"],
|
|
173
|
-
"reason": "Controlled internal tool, not user-reachable"
|
|
174
|
-
}
|
|
175
|
-
]
|
|
176
|
-
}
|
|
54
|
+
`init --full` lands a coordinated set of pieces:
|
|
55
|
+
|
|
56
|
+
```text
|
|
57
|
+
.devcontainer/ Reproducible environment — pinned language
|
|
58
|
+
toolchains, dxkit's scanner toolchain auto-
|
|
59
|
+
installed, install scripts for AI agent CLIs
|
|
60
|
+
(auth stays user-owned).
|
|
61
|
+
.githooks/ pre-push guardrail hook (pre-commit opt-in
|
|
62
|
+
via --with-precommit-hook).
|
|
63
|
+
.github/workflows/ PR-gate workflow + post-merge baseline-refresh
|
|
64
|
+
workflow (refresh runs only after the PR-gate
|
|
65
|
+
passes — see "Safety + trust" below).
|
|
66
|
+
agent scaffolding Entry-point doc, project skills, slash commands,
|
|
67
|
+
per-language conventions, and specialized
|
|
68
|
+
subagents for the currently supported agent
|
|
69
|
+
(broader agent coverage in 2.6).
|
|
70
|
+
.dxkit/ reports, baselines, and (optional) policy.
|
|
71
|
+
.vyuh-dxkit.json install manifest.
|
|
177
72
|
```
|
|
178
73
|
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
### `.project.yaml` (optional, for scaffolding)
|
|
182
|
-
|
|
183
|
-
When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` reads it as the config source — skipping detection and prompts. See [Scaffolding mode](#scaffolding-mode) below.
|
|
184
|
-
|
|
185
|
-
---
|
|
186
|
-
|
|
187
|
-
## Language Support
|
|
188
|
-
|
|
189
|
-
Each language is a single `LanguageSupport` implementation in `src/languages/`. Detection, tools, coverage parsing, import extraction, and lint severity mapping live in one place per language.
|
|
190
|
-
|
|
191
|
-
Adding a new language is a single command followed by filling in TODO markers:
|
|
74
|
+
After install:
|
|
192
75
|
|
|
193
76
|
```bash
|
|
194
|
-
|
|
77
|
+
git config core.hooksPath .githooks # activate the hooks
|
|
78
|
+
vyuh-dxkit baseline create # capture today's state
|
|
79
|
+
git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
|
|
80
|
+
git commit -m "chore: enable dxkit guardrails"
|
|
195
81
|
```
|
|
196
82
|
|
|
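Review bot: `git config core.hooksPath .githooks # activate the hooks` makes tracked files under `.githooks/` execute on every contributor's machine at push time, so changes to that directory deserve the same review as any other executable code; a sentence saying so next to this command would help. The following `git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml` also commits the baseline, which is the right order, since the PR-gate workflow described below compares against the committed baseline.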
197
|
-
|
|
83
|
+
From this point:
|
|
198
84
|
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
| Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
|
|
207
|
-
| Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
|
|
208
|
-
| Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
|
|
85
|
+
- Every push runs the full guardrail check (pre-commit hook is
|
|
86
|
+
opt-in via `--with-precommit-hook` — slow on large repos until
|
|
87
|
+
scoped incremental scanning lands).
|
|
88
|
+
- Every PR is gated by GitHub Actions, which posts a markdown summary
|
|
89
|
+
as a comment.
|
|
90
|
+
- After the PR-gate workflow passes and the PR merges, the baseline
|
|
91
|
+
is refreshed so the next PR is gated against the up-to-date state.
|
|
209
92
|
|
|
210
|
-
|
|
93
|
+
Bypass + disable mechanisms:
|
|
211
94
|
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
95
|
+
```bash
|
|
96
|
+
DXKIT_SKIP_HOOKS=1 git push ... # one-off bypass
|
|
97
|
+
git push --no-verify ... # standard git bypass
|
|
98
|
+
git config --unset core.hooksPath # disable all dxkit hooks (per-clone)
|
|
99
|
+
rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
|
|
100
|
+
```
|
|
215
101
|
|
|
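Review bot: the bypass list documents four ways to skip the local hooks but not, in the same place, that they affect only the local clone and that the PR-gate workflow still runs; that statement lives in "Safety + trust" further down, so a one-line pointer here would stop the block reading as a way around the gate. Also, `rm .githooks/pre-commit # disable just pre-commit (keep pre-push)` deletes a tracked file: committing that deletion removes the hook for every clone, whereas `git config --unset core.hooksPath` on the line above is per-clone, as its comment says.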
216
|
-
**
|
|
102
|
+
> **Additive by default.** Existing hooks, devcontainer, or workflows
|
|
103
|
+
> are never destroyed. dxkit detects them and writes sidecar `.dxkit`
|
|
104
|
+
> files with merge instructions. `--force` overrides if you want.
|
|
217
105
|
|
|
218
106
|
---
|
|
219
107
|
|
|
220
|
-
##
|
|
108
|
+
## 60-second demo
|
|
221
109
|
|
|
222
|
-
|
|
110
|
+
```text
|
|
111
|
+
$ npx @vyuhlabs/dxkit@latest init --full
|
|
112
|
+
✓ Created: 73 files
|
|
113
|
+
✓ Git hooks: installed 2 file(s)
|
|
114
|
+
✓ Devcontainer: installed 3 file(s)
|
|
115
|
+
✓ CI guardrails workflow: installed 1 file(s)
|
|
116
|
+
✓ CI baseline-refresh workflow: installed 1 file(s)
|
|
223
117
|
|
|
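Review bot: `$ npx @vyuhlabs/dxkit@latest init --full` runs whatever version is current when the reader types it, so the output shown (`✓ Created: 73 files`, 2 hook files, 3 devcontainer files, 1 workflow file each) can differ from what they see; for a tool that writes hooks and CI workflows into the repo, suggest pinning a version in the command (the Quickstart and "Try it" blocks use the same `@latest` form) and noting which version produced the demo output.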
224
|
-
|
|
225
|
-
.
|
|
226
|
-
settings.json # Permissions, deny list, learning hooks
|
|
227
|
-
agents/ # Active agents (auto-trigger on matching questions)
|
|
228
|
-
knowledge-bot.md # Answers codebase questions
|
|
229
|
-
onboarding.md # Interactive onboarding buddy
|
|
230
|
-
quality-reviewer.md # Reviews code before committing
|
|
231
|
-
doc-writer.md # Audits and writes documentation
|
|
232
|
-
agents-available/ # 17 dormant agents (activate with /enable-agent)
|
|
233
|
-
commands/ # 30 slash commands
|
|
234
|
-
skills/ # Domain knowledge
|
|
235
|
-
rules/ # Path-scoped rules (per language + framework)
|
|
236
|
-
CLAUDE.md # Main context file for Claude Code
|
|
237
|
-
.ai/
|
|
238
|
-
sessions/ # Session checkpoints
|
|
239
|
-
features/ # Feature-planning docs produced by `/feature`
|
|
240
|
-
.dxkit/
|
|
241
|
-
reports/ # Generated analyzer output (health, bom, licenses, …)
|
|
242
|
-
.dxkit-ignore # Extra analyzer-only exclusions (on top of .gitignore)
|
|
243
|
-
.dxkit-suppressions.json # Silence known-false positives (gitleaks, semgrep)
|
|
118
|
+
$ vyuh-dxkit baseline create
|
|
119
|
+
✓ Wrote .dxkit/baselines/main.json — 89 findings (32s)
|
|
244
120
|
```
|
|
245
121
|
|
|
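Review bot: the removed listing lines `.dxkit-ignore # Extra analyzer-only exclusions (on top of .gitignore)` and `.dxkit-suppressions.json # Silence known-false positives (gitleaks, semgrep)` are not replaced anywhere in the new text, while the count on the added line `✓ Wrote .dxkit/baselines/main.json — 89 findings (32s)` depends on which paths were excluded. Since the classifier table later treats a config change as `config_drift`, suggest stating whether these two files still apply and whether they count as dxkit config for drift purposes.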
246
|
-
|
|
122
|
+
Your AI agent has access to dxkit's reports and the bundled
|
|
123
|
+
subagents that init scaffolded. A typical request to the agent:
|
|
247
124
|
|
|
248
|
-
|
|
125
|
+
```text
|
|
126
|
+
Read the latest dxkit health report. Pick one safe quality
|
|
127
|
+
improvement. Apply the change. Then run `vyuh-dxkit guardrail check`
|
|
128
|
+
to confirm nothing regressed. Show me what you did.
|
|
129
|
+
```
|
|
249
130
|
|
|
250
|
-
The
|
|
131
|
+
The agent introduces a change that breaks the guardrail:
|
|
251
132
|
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
133
|
+
```text
|
|
134
|
+
$ vyuh-dxkit guardrail check
|
|
135
|
+
Guardrail BLOCKED — 2 new regressions
|
|
255
136
|
|
|
256
|
-
|
|
137
|
+
Baseline: .dxkit/baselines/main.json (89 findings)
|
|
138
|
+
Current: 91 findings · matcher: git-aware
|
|
257
139
|
|
|
258
|
-
|
|
140
|
+
Blocking (2)
|
|
141
|
+
ADDED [medium] large-file src/regression.ts
|
|
142
|
+
no-prior-match: identity fingerprint not present in the baseline
|
|
143
|
+
ADDED [medium] test-gap src/regression.ts
|
|
144
|
+
no-prior-match: identity fingerprint not present in the baseline
|
|
259
145
|
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
|
|
265
|
-
| `--full` | Everything: DX + quality + hooks + CI |
|
|
266
|
-
| `--force` | Overwrite existing files (except evolving ones) |
|
|
267
|
-
| `--stealth` | Gitignore generated files (local-only, not committed) |
|
|
268
|
-
| `--name <n>` | Override project name |
|
|
269
|
-
| `--no-scan` | Skip codebase analysis |
|
|
146
|
+
Summary
|
|
147
|
+
Pairs: 91 (blocking: 2, warning: 0, persisted: 89, resolved: 0)
|
|
148
|
+
Verdict: BLOCKED
|
|
149
|
+
Exit: 1
|
|
150
|
+
```
|
|
270
151
|
|
|
271
|
-
|
|
152
|
+
The agent reads the failure, fixes it, and re-runs:
|
|
272
153
|
|
|
273
|
-
|
|
154
|
+
```text
|
|
155
|
+
$ vyuh-dxkit guardrail check
|
|
156
|
+
Guardrail PASSED — 0 new regressions
|
|
274
157
|
|
|
275
|
-
|
|
158
|
+
Summary
|
|
159
|
+
Pairs: 89 (blocking: 0, warning: 0, persisted: 89, resolved: 0)
|
|
160
|
+
Verdict: PASSED
|
|
161
|
+
Exit: 0
|
|
162
|
+
```
|
|
276
163
|
|
|
277
|
-
|
|
164
|
+
---
|
|
278
165
|
|
|
279
|
-
|
|
166
|
+
## Quickstart
|
|
280
167
|
|
|
281
|
-
```
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
168
|
+
```bash
|
|
169
|
+
# One-shot, no install
|
|
170
|
+
npx @vyuhlabs/dxkit@latest init --full
|
|
171
|
+
|
|
172
|
+
# Or install + use repeatedly
|
|
173
|
+
npm install -g @vyuhlabs/dxkit
|
|
174
|
+
vyuh-dxkit init --full
|
|
175
|
+
vyuh-dxkit baseline create
|
|
176
|
+
vyuh-dxkit guardrail check --changed-only
|
|
286
177
|
```
|
|
287
178
|
|
|
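Review bot: `vyuh-dxkit guardrail check --changed-only` introduces a flag no other block uses (the "After install" block, the demo and the hook description all run a full `guardrail check`), and the roadmap below still lists "Scoped + incremental scanning" as 2.6 work; suggest one sentence on what `--changed-only` restricts and whether it is the mode the hooks and the PR-gate use, so readers do not assume the local result equals the CI result.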
288
|
-
|
|
179
|
+
À la carte if you only want specific pieces:
|
|
289
180
|
|
|
290
|
-
```
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
181
|
+
```bash
|
|
182
|
+
vyuh-dxkit init --with-hooks # just the pre-push hook (default for hooks)
|
|
183
|
+
vyuh-dxkit init --with-precommit-hook # add the pre-commit hook (opt-in; slow on large repos)
|
|
184
|
+
vyuh-dxkit init --with-devcontainer # just the devcontainer
|
|
185
|
+
vyuh-dxkit init --with-ci # just the PR-gate workflow
|
|
186
|
+
vyuh-dxkit init --with-baseline-refresh # just the auto-refresh
|
|
187
|
+
vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)
|
|
294
188
|
```
|
|
295
189
|
|
|
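Review bot: `vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)` should say where the key is expected to live; the generated workflows are committed alongside the others (`git add ... .github/workflows/dxkit-*.yml` above), so a reader could put it in the workflow file. A note that the key is read from a repository secret, plus what the workflow sends to that API, would also keep the later "Your code never leaves the machine" claim exact for this opt-in path.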
296
|
-
### PR CI (`.github/workflows/ci.yml`)
|
|
297
|
-
|
|
298
|
-
Mirrors pre-push but also runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop. `DXKIT_SLOP_BASE=origin/<base_ref>` flips `check-slop.sh` into diff-vs-base mode.
|
|
299
|
-
|
|
300
190
|
---
|
|
301
191
|
|
|
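Review bot: removing `### PR CI (.github/workflows/ci.yml)` and the sentence "runs the slop check against the PR base branch, so `--no-verify` can't ship code that introduces slop" drops the one concrete statement of what the CI gate checks beyond the local hook, and with it the `DXKIT_SLOP_BASE=origin/<base_ref>` diff-vs-base switch. The new "Safety + trust" section keeps only the general claim that CI is the enforcement layer; if the base-branch comparison still runs in the PR-gate workflow, say so and where the variable is now documented, and if it was dropped, that is a behaviour change that belongs in the CHANGELOG.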
302
|
-
##
|
|
303
|
-
|
|
304
|
-
dxkit produces a 0-100 score + A/B/C/D/E letter rating for six
|
|
305
|
-
dimensions of every codebase. Three properties define the scoring
|
|
306
|
-
model:
|
|
307
|
-
|
|
308
|
-
- **Deterministic** — pure-function evaluator over a declarative spec
|
|
309
|
-
per dimension. Same `git rev-parse HEAD` + same dxkit version
|
|
310
|
-
produces the identical score on every run, every machine. This is
|
|
311
|
-
the moat against LLM-driven review products, where outputs drift
|
|
312
|
-
run-to-run.
|
|
313
|
-
- **Anchored** — methodology cites underlying open international
|
|
314
|
-
standards (ISO/IEC 25010, ISO/IEC 5055, SQALE method, CVSS v4,
|
|
315
|
-
CWE, OWASP, OpenSSF Scorecard) rather than invented thresholds.
|
|
316
|
-
- **Actionable** — every score is paired with structured provenance
|
|
317
|
-
so the report says what to fix and how much the score would lift.
|
|
318
|
-
Customer-facing markdown surfaces a "Top actions" block per
|
|
319
|
-
dimension; agents consume the same structured `ScoreResult` JSON
|
|
320
|
-
directly.
|
|
321
|
-
|
|
322
|
-
The customer-facing methodology document — including the per-
|
|
323
|
-
dimension penalty/cap breakdown and citations — lives at
|
|
324
|
-
**[`docs/SCORING.md`](docs/SCORING.md)**.
|
|
192
|
+
## Baseline mode: greenfield to 10-year-old codebases
|
|
325
193
|
|
|
326
|
-
|
|
194
|
+
Real codebases are messy. dxkit doesn't ask whether your repo is
|
|
195
|
+
perfect — it asks whether each change made it worse.
|
|
327
196
|
|
|
328
|
-
|
|
197
|
+
| | **Greenfield day 1** | **Brownfield (years of debt)** |
|
|
198
|
+
| ---------------- | -------------------------------------- | --------------------------------------------------------- |
|
|
199
|
+
| Baseline | Captured near zero | Captures today's debt as the floor |
|
|
200
|
+
| Behavior | Every regression matters from commit 1 | Existing debt is grandfathered; net-new regressions block |
|
|
201
|
+
| Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
|
|
329
202
|
|
|
330
|
-
|
|
203
|
+
The classifier distinguishes:
|
|
331
204
|
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
205
|
+
| Status | Meaning | Default |
|
|
206
|
+
| ------------------- | ----------------------------------------- | ---------- |
|
|
207
|
+
| `added` | Net-new finding introduced by this change | **blocks** |
|
|
208
|
+
| `relocated` | Same finding, moved (line drift, rename) | passes |
|
|
209
|
+
| `persisted` | Same finding, same place — pre-existing | passes |
|
|
210
|
+
| `removed` / `fixed` | Was there, now gone | passes |
|
|
211
|
+
| `tooling_drift` | New only because scanner version changed | warns |
|
|
212
|
+
| `config_drift` | New only because dxkit config changed | warns |
|
|
213
|
+
| `uncertain` | Below confidence threshold | warns |
|
|
336
214
|
|
|
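Review bot: in the classifier table, `tooling_drift` ("New only because scanner version changed") and `config_drift` default to `warns`, so a finding that first surfaces after a scanner upgrade passes the gate even when its kind is a secret or a dependency vulnerability. The text should say whether `.dxkit/policy.json` can make drift blocking per finding kind or severity, and how the matcher tells a scanner-version artefact from a genuinely new finding of the same kind, since that distinction is what a reviewer relies on when a warning appears after a tool bump.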
337
|
-
|
|
215
|
+
Customize via [`.dxkit/policy.json`](docs/configuration/policy.md) —
|
|
216
|
+
auto-discovered when present, compiled-in defaults otherwise.
|
|
338
217
|
|
|
339
218
|
---
|
|
340
219
|
|
|
341
|
-
##
|
|
220
|
+
## Git-aware identity matching
|
|
221
|
+
|
|
222
|
+
A regression check is only useful if the matcher can tell _old issue
|
|
223
|
+
that moved_ from _new issue that appeared_. Line numbers alone aren't
|
|
224
|
+
stable — add a 20-line comment block at the top of a file and every
|
|
225
|
+
issue below it "moves."
|
|
226
|
+
|
|
227
|
+
dxkit uses layered identity, in priority order:
|
|
228
|
+
|
|
229
|
+
1. **Domain fingerprints** for entities whose identity is intrinsic:
|
|
230
|
+
- dependency vulnerabilities → `(package, version, advisory-id)`
|
|
231
|
+
- secrets → `(scanner-rule, fingerprint(value))` so a leaked
|
|
232
|
+
token recognises itself when moved
|
|
233
|
+
- licenses → `(package, version, license-type)`
|
|
234
|
+
- duplicate blocks → normalized content hash
|
|
235
|
+
2. **Location fingerprints** with a 3-line bucket for code findings.
|
|
236
|
+
3. **Git-aware line mapping** across commits, including `-M` file
|
|
237
|
+
renames and ±2 line fuzz windows.
|
|
238
|
+
4. **Content-hash fallback** when git history isn't reachable
|
|
239
|
+
(shallow clones, archived snapshots).
|
|
240
|
+
|
|
241
|
+
Every match pair carries a **confidence in [0, 1]** and structured
|
|
242
|
+
**reasons** (`exact-id`, `git-line-exact`, `git-line-fuzz`,
|
|
243
|
+
`git-rename`, `content-hash`, ...). No LLM in the grading path —
|
|
244
|
+
the matcher and classifier are deterministic over normalized
|
|
245
|
+
analyzer input; the same inputs produce the same classifications.
|
|
342
246
|
|
|
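Review bot: `secrets → (scanner-rule, fingerprint(value))` ends up in the baseline that the setup block commits (`git add .dxkit/baselines/main.json ...`), so the fingerprint is shared with everyone who can read the repo. The later "non-reversible fingerprint for matching only" statement should specify the construction (keyed or salted hash versus a plain digest, and whether it is truncated): a plain digest of a short or structured token is only as hard to invert as the token is to guess, so the choice determines what a committed baseline reveals.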
343
|
-
|
|
344
|
-
|
|
345
|
-
```typescript
|
|
346
|
-
import { detect, processTemplate, TemplateEngine } from '@vyuhlabs/dxkit';
|
|
347
|
-
import { hasProjectYaml, readProjectYaml } from '@vyuhlabs/dxkit';
|
|
348
|
-
|
|
349
|
-
const stack = detect('/path/to/project');
|
|
247
|
+
---
|
|
350
248
|
|
|
351
|
-
|
|
352
|
-
const config = readProjectYaml('/path/to/project');
|
|
353
|
-
}
|
|
249
|
+
## Reproducible environment
|
|
354
250
|
|
|
355
|
-
|
|
356
|
-
|
|
251
|
+
Agents need a stable environment to be reliable. `init --with-devcontainer`
|
|
252
|
+
generates a Codespaces-ready setup:
|
|
357
253
|
|
|
358
|
-
|
|
254
|
+
- Pinned language toolchains (Node 22, Python 3.12, Go 1.21, .NET 8,
|
|
255
|
+
Ruby 3.3, Java 17, Rust stable) layered via standard devcontainer
|
|
256
|
+
features — small image footprint, fast Codespaces prebuild.
|
|
257
|
+
- `post-create.sh` runs `vyuh-dxkit tools install --yes` to provision
|
|
258
|
+
the scanner toolchain pinned in dxkit's registry (gitleaks, semgrep,
|
|
259
|
+
cloc, jscpd, ruff, osv-scanner, and more — language-aware, only the
|
|
260
|
+
ones your stack needs).
|
|
261
|
+
- Install scripts for the AI coding-agent CLIs you want available
|
|
262
|
+
inside the container. The scripts only install the binaries — auth
|
|
263
|
+
remains user-owned and is never baked into the image.
|
|
264
|
+
- Every piece is a regular script you can edit after install.
|
|
359
265
|
|
|
360
266
|
---
|
|
361
267
|
|
|
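Review bot: "Pinned language toolchains (... Rust stable)" lists one entry that is not a pin; `stable` resolves to a different compiler on every release, so either give a version or state that Rust is the exception. On `post-create.sh runs vyuh-dxkit tools install --yes`, the bullet says the scanners are "pinned in dxkit's registry" but not whether the downloads are checksum-verified; because this runs unattended on every container create, a sentence on how the registry validates what it installs (or a link to it) belongs here.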
362
|
-
##
|
|
363
|
-
|
|
364
|
-
### Fix Loop: Reports → KPIs → Plans → Execution
|
|
365
|
-
|
|
366
|
-
```bash
|
|
367
|
-
# 1. Scaffold into an existing repo
|
|
368
|
-
npx @vyuhlabs/dxkit init --detect --yes
|
|
268
|
+
## What dxkit analyzes
|
|
369
269
|
|
|
370
|
-
|
|
371
|
-
|
|
372
|
-
|
|
373
|
-
|
|
270
|
+
Beyond the baseline + guardrail surface, dxkit ships deterministic
|
|
271
|
+
analyzers across eight language packs (Python, TypeScript, Go, Rust,
|
|
272
|
+
C#, Kotlin, Java, Ruby), with graceful degradation when a tool isn't
|
|
273
|
+
available for your stack:
|
|
374
274
|
|
|
375
|
-
|
|
376
|
-
|
|
275
|
+
| Command | Question it answers |
|
|
276
|
+
| ----------------- | ------------------------------------------------------------------------------------- |
|
|
277
|
+
| `health` | "What's the overall shape of this codebase?" — 6-dimension score |
|
|
278
|
+
| `vulnerabilities` | "What security issues are there?" — secrets, SAST, dependency audit, EPSS/KEV context |
|
|
279
|
+
| `test-gaps` | "Which untested files are riskiest?" |
|
|
280
|
+
| `quality` | "Where's the technical debt + duplication?" |
|
|
281
|
+
| `bom` | "Full dependency × license × CVE × upgrade view" (license columns: 5 packs today) |
|
|
282
|
+
| `licenses` | "What licenses are in my dependency tree?" (TS, Python, Go, Rust, C# today) |
|
|
283
|
+
| `dev-report` | "Who's working on what, where are the hot files?" |
|
|
284
|
+
| `dashboard` | "Single HTML view of everything I've run" |
|
|
285
|
+
| `report` | Run every analyzer + dashboard in one shot |
|
|
377
286
|
|
|
378
|
-
|
|
379
|
-
/execute-plan security # Work through security fixes
|
|
287
|
+
Composable aggregate gates apply to every analyzer:
|
|
380
288
|
|
|
381
|
-
|
|
382
|
-
|
|
289
|
+
```bash
|
|
290
|
+
vyuh-dxkit health --fail-on-score 60
|
|
291
|
+
vyuh-dxkit vulnerabilities --fail-on-severity high
|
|
292
|
+
vyuh-dxkit bom --fail-on-severity critical
|
|
383
293
|
```
|
|
384
294
|
|
|
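Review bot: `vyuh-dxkit vulnerabilities --fail-on-severity high` and `vyuh-dxkit bom --fail-on-severity critical` need one line defining the comparison: whether `high` means high or above (so critical also fails) and which severity source wins when the per-pack table lists both scanner-native tiers and OSV.dev CVSS values. The `vulnerabilities` row above also mentions EPSS/KEV context; saying whether that context can change the gate decision or is report-only would prevent readers from taking the flag for a risk-based gate.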
385
|
-
|
|
295
|
+
Every `--json` output carries a `schema: 'dxkit.<kind>-report.v1'`
|
|
296
|
+
banner so consumers can version-gate.
|
|
386
297
|
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
# Agent reads codebase, finds similar patterns, generates:
|
|
390
|
-
# .ai/features/user-roles.md with full implementation plan
|
|
298
|
+
<details>
|
|
299
|
+
<summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
|
|
391
300
|
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
|
|
301
|
+
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
302
|
+
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
303
|
+
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
304
|
+
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
305
|
+
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
306
|
+
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
307
|
+
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
|
|
308
|
+
| Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
|
|
309
|
+
| Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
|
|
310
|
+
| Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
|
|
396
311
|
|
|
397
|
-
|
|
312
|
+
¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
|
|
313
|
+
file-level resolver is a no-op. Downstream analyses that need an edge graph
|
|
314
|
+
(reachability, import-graph test-gap credit) degrade to conservative
|
|
315
|
+
defaults for those packs; resolvers are tracked on the roadmap.
|
|
398
316
|
|
|
399
|
-
|
|
317
|
+
² C# uses `dotnet-format` for formatting violations only. A real severity-
|
|
318
|
+
tiered C# linter (Roslyn analyzers / StyleCop) is roadmap; today every
|
|
319
|
+
C# formatting violation is counted at `low` tier so it doesn't inflate
|
|
320
|
+
the Quality/Slop score.
|
|
400
321
|
|
|
401
|
-
|
|
322
|
+
</details>
|
|
402
323
|
|
|
403
|
-
|
|
404
|
-
Every command writes a summary markdown, a detailed markdown, and a
|
|
405
|
-
canonical detailed JSON. `bom` adds an XLSX; `licenses` adds an XLSX
|
|
406
|
-
when `--xlsx` is set. `dashboard` (or `report`) writes the single-file
|
|
407
|
-
HTML view that stitches everything together.
|
|
324
|
+
---
|
|
408
325
|
|
|
409
|
-
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
326
|
+
## Why dxkit
|
|
327
|
+
|
|
328
|
+
dxkit doesn't try to replace SonarQube, Snyk, Semgrep, GitHub
|
|
329
|
+
Advanced Security, Trivy, Gitleaks, or OSV-Scanner. It does three
|
|
330
|
+
things they don't:
|
|
331
|
+
|
|
332
|
+
1. **It scaffolds your AI agent.** Most tools find issues; dxkit
|
|
333
|
+
_also_ writes the project-context layer (entry-point doc, project
|
|
334
|
+
skills, commands, language-specific rules, specialized subagents)
|
|
335
|
+
that lets your agent operate on the codebase intelligently.
|
|
336
|
+
2. **It gates at commit time, deterministically.** No LLM in the
|
|
337
|
+
grading path. The matcher and classifier are deterministic over
|
|
338
|
+
normalized analyzer input.
|
|
339
|
+
3. **It assumes your repo is messy.** Other tools want clean
|
|
340
|
+
codebases and block every PR until you fix everything. dxkit
|
|
341
|
+
captures the floor, grandfathers existing debt, and only blocks
|
|
342
|
+
regressions introduced from here forward — usable on day-one
|
|
343
|
+
greenfield and 10-year-old brownfield codebases alike.
|
|
344
|
+
|
|
345
|
+
Built on **open methodology**: ISO/IEC 25010, ISO/IEC 5055, SQALE,
|
|
346
|
+
CVSS v4 (FIRST reference port), CWE taxonomy, OpenSSF Scorecard.
|
|
347
|
+
Scores are evidence-backed and traceable to the findings that
|
|
348
|
+
produced them.
|
|
414
349
|
|
|
415
|
-
|
|
416
|
-
vulnerability-scan-<date>-detailed.{md,json}
|
|
350
|
+
---
|
|
417
351
|
|
|
418
|
-
|
|
419
|
-
test-gaps-<date>-detailed.{md,json}
|
|
352
|
+
## Real-world validation
|
|
420
353
|
|
|
421
|
-
|
|
422
|
-
quality-review-<date>-detailed.{md,json}
|
|
354
|
+
The 2.5.0 release was pre-ship audited on three production codebases:
|
|
423
355
|
|
|
424
|
-
|
|
425
|
-
|
|
356
|
+
- TypeScript backend
|
|
357
|
+
- TypeScript frontend
|
|
358
|
+
- Large .NET WinForms project
|
|
426
359
|
|
|
427
|
-
|
|
428
|
-
bom-<date>-detailed.{md,json} # full per-package rows
|
|
429
|
-
bom-<date>.xlsx # 15-col XLSX (with --xlsx)
|
|
360
|
+
Across **6,919 baseline findings**, the audit:
|
|
430
361
|
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
362
|
+
- identified four drift classes between aggregate reports and
|
|
363
|
+
per-finding identity sets
|
|
364
|
+
- brought roughly **3,000 previously untracked findings into
|
|
365
|
+
guardrail coverage**
|
|
366
|
+
- matched identity-set counts exactly to report aggregates for
|
|
367
|
+
every finding kind
|
|
434
368
|
|
|
435
|
-
|
|
436
|
-
```
|
|
369
|
+
Details in [`CHANGELOG.md`](CHANGELOG.md#250---2026-05-18).
|
|
437
370
|
|
|
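Review bot: "brought roughly 3,000 previously untracked findings into guardrail coverage" out of 6,919 means a baseline created with an earlier release does not cover those findings; the section should say whether users upgrading to 2.5.x must re-run `vyuh-dxkit baseline create`, and how the newly tracked findings are classified on the first check against an old baseline (by the table above they land under `added`, which blocks, unless they are treated as `tooling_drift`). The CHANGELOG link is fine for detail, but the upgrade step itself belongs in the README.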
438
|
-
|
|
371
|
+
---
|
|
439
372
|
|
|
440
|
-
|
|
441
|
-
|
|
442
|
-
|
|
373
|
+
## Safety + trust
|
|
374
|
+
|
|
375
|
+
dxkit is local-first.
|
|
376
|
+
|
|
377
|
+
- **No SaaS required.** Your code never leaves the machine.
|
|
378
|
+
- **No repo upload.** Analyzers run in-process or shell out to
|
|
379
|
+
locally-installed scanners; results stay on disk.
|
|
380
|
+
- **Secret values are never written to disk.** dxkit stores a
|
|
381
|
+
non-reversible fingerprint for matching only — the scanner sees
|
|
382
|
+
the value once and discards it after hashing.
|
|
383
|
+
- **Agent auth stays user-owned.** Install scripts ship the CLIs;
|
|
384
|
+
authentication happens in your session and is never baked into
|
|
385
|
+
the image or stored by dxkit.
|
|
386
|
+
- **CI guardrails are the enforcement layer.** Local hooks provide
|
|
387
|
+
fast feedback but are bypassable (`git commit --no-verify`); the
|
|
388
|
+
GitHub Actions PR-gate runs server-side and can be made a required
|
|
389
|
+
check via branch protection.
|
|
390
|
+
- **Post-merge baseline refresh is gated.** The refresh workflow
|
|
391
|
+
runs only after the PR-gate workflow succeeds on the merging
|
|
392
|
+
commit. **Use branch protection to make the PR-gate a required
|
|
393
|
+
check** so a bypassed merge can't codify a regression into the
|
|
394
|
+
baseline.
|
|
443
395
|
|
|
444
396
|
---
|
|
445
397
|
|
|
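Review bot: "No SaaS required. Your code never leaves the machine." and "No repo upload" are broader than the per-pack table supports: its "Vuln severity tiers" column lists `pip-audit + OSV.dev`, `govulncheck embedded + OSV.dev` and `osv-scanner + OSV.dev`, which query an external service with package names and versions, and the opt-in `--with-pr-review` workflow "needs API key". Suggest qualifying the bullet to say source is never uploaded while dependency lookups send package coordinates to OSV.dev. One consistency point: the bypass named here is `git commit --no-verify`, while the default hook is pre-push and the bypass block earlier shows `git push --no-verify`.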
446
|
-
##
|
|
398
|
+
## Docs
|
|
447
399
|
|
|
448
|
-
[
|
|
400
|
+
- [Getting started](docs/getting-started.md)
|
|
401
|
+
- [`baseline` command](docs/commands/baseline.md)
|
|
402
|
+
- [`guardrail` command](docs/commands/guardrail.md)
|
|
403
|
+
- [`.dxkit/policy.json` configuration](docs/configuration/policy.md)
|
|
404
|
+
- [Scoring methodology](docs/SCORING.md)
|
|
405
|
+
- [Architecture](docs/ARCHITECTURE.md)
|
|
406
|
+
- [All commands](docs/README.md)
|
|
449
407
|
|
|
450
|
-
|
|
451
|
-
npm create @vyuhlabs/devstack my-project # devcontainer + .project.yaml + dxkit init
|
|
452
|
-
```
|
|
408
|
+
---
|
|
453
409
|
|
|
454
|
-
|
|
410
|
+
## Roadmap
|
|
411
|
+
|
|
412
|
+
- [x] Local repo analysis (8 language packs)
|
|
413
|
+
- [x] Agent project scaffolding (entry-point doc, skills, commands,
|
|
414
|
+
conventions, specialized subagents — single-agent today)
|
|
415
|
+
- [x] Optional install scripts for AI coding-agent CLIs in the
|
|
416
|
+
devcontainer
|
|
417
|
+
- [x] Per-finding fingerprinting + git-aware matching
|
|
418
|
+
- [x] Baseline + guardrail commands
|
|
419
|
+
- [x] Brownfield policy classifier
|
|
420
|
+
- [x] Git hooks (pre-push default; pre-commit opt-in)
|
|
421
|
+
- [x] GitHub Actions PR-gate + gated baseline-refresh workflows
|
|
422
|
+
- [x] Devcontainer with pinned toolchains
|
|
423
|
+
- [ ] First-class scaffolding for every major coding agent —
|
|
424
|
+
per-agent skills + entry-point file conventions (2.6)
|
|
425
|
+
- [ ] Scoped + incremental scanning — fast pre-commit on monorepos
|
|
426
|
+
(2.6)
|
|
427
|
+
- [ ] Symbol-level coverage gaps across all 8 packs (2.6)
|
|
428
|
+
- [ ] SARIF export for GitHub code scanning interop (2.6)
|
|
429
|
+
- [ ] Reachability-aware dep-vuln triage
|
|
430
|
+
- [ ] **Per-pack capability parity** — bring every cell in the
|
|
431
|
+
capability table to a green tick (2.7 / 3.0):
|
|
432
|
+
- Import-graph resolvers for Rust, C#, Kotlin, Java, Ruby
|
|
433
|
+
(so reachability + import-graph test-gap credit work for
|
|
434
|
+
every pack, not just TS/Python/Go)
|
|
435
|
+
- Severity-tiered C# linter (Roslyn analyzers or StyleCop)
|
|
436
|
+
- License providers for Kotlin, Java, Ruby
|
|
437
|
+
- [ ] AI Readiness banner — semantic anchors, function-body hashes,
|
|
438
|
+
cross-file refactor detection (3.0)
|
|
455
439
|
|
|
456
440
|
---
|
|
457
441
|
|
|
458
|
-
##
|
|
442
|
+
## Contributing
|
|
459
443
|
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
- **Test presence** — counts + classifies (active, commented-out, empty, schema-only)
|
|
463
|
-
- **Multi-language** — detects all languages including Python from `.py` files (no config required)
|
|
464
|
-
- **Language breakdown** — file count per language via `cloc`
|
|
444
|
+
dxkit aims to be the standard agentic-development layer for any
|
|
445
|
+
codebase. We'd love help with:
|
|
465
446
|
|
|
466
|
-
|
|
447
|
+
- Additional language pack support
|
|
448
|
+
- Agent-CLI integrations (the 2.6 work)
|
|
449
|
+
- Monorepo detection
|
|
450
|
+
- Devcontainer templates per stack
|
|
451
|
+
- Custom guardrail policies
|
|
452
|
+
- SARIF output
|
|
453
|
+
- More specialized subagents
|
|
467
454
|
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
```bash
|
|
471
|
-
# Analyzer commands — each writes to .dxkit/reports/<name>-<date>.md + <name>-<date>-detailed.{md,json}
|
|
472
|
-
vyuh-dxkit health [path] [--with-coverage] # 6-dimension score
|
|
473
|
-
vyuh-dxkit vulnerabilities [path] # Security scan, ranked by composite risk
|
|
474
|
-
vyuh-dxkit test-gaps [path] [--with-coverage] # Coverage + gaps + actions
|
|
475
|
-
vyuh-dxkit quality [path] # Slop + duplication + lint
|
|
476
|
-
vyuh-dxkit dev-report [path] [--since <date>] # Git activity report
|
|
477
|
-
vyuh-dxkit licenses [path] # Dependency license inventory
|
|
478
|
-
vyuh-dxkit bom [path] [--filter=top-level] # Bill of Materials + risk-ranked triage
|
|
479
|
-
|
|
480
|
-
# Coverage materialization (side-effecting — runs each pack's test runner)
|
|
481
|
-
vyuh-dxkit coverage [path] [--lang <id>] [--no-fail-fast]
|
|
482
|
-
|
|
483
|
-
# Dashboard + one-shot full audit
|
|
484
|
-
vyuh-dxkit dashboard [path] # render .dxkit/reports/ to a single HTML page
|
|
485
|
-
vyuh-dxkit report [path] [--with-coverage] # run every analyzer + dashboard end-to-end
|
|
486
|
-
|
|
487
|
-
# Data conversion
|
|
488
|
-
vyuh-dxkit to-xlsx <json-file> # render licenses/bom detailed JSON as 15-col XLSX
|
|
489
|
-
|
|
490
|
-
# Tool management
|
|
491
|
-
vyuh-dxkit tools # status
|
|
492
|
-
vyuh-dxkit tools install [--yes] # install missing
|
|
493
|
-
|
|
494
|
-
# Scaffolding
|
|
495
|
-
vyuh-dxkit init [--detect|--yes|--full|--stealth|--force|--name <n>]
|
|
496
|
-
vyuh-dxkit update [--force|--rescan] # re-generate (preserves evolving files)
|
|
497
|
-
vyuh-dxkit doctor # diagnose environment
|
|
498
|
-
|
|
499
|
-
# Meta
|
|
500
|
-
vyuh-dxkit --help
|
|
501
|
-
vyuh-dxkit --version
|
|
502
|
-
```
|
|
455
|
+
Start with the [contributing guide](CONTRIBUTING.md) and
|
|
456
|
+
[good first issues](https://github.com/vyuh-labs/dxkit/labels/good%20first%20issue).
|
|
503
457
|
|
|
504
458
|
---
|
|
505
459
|
|
|
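Review bot: the removed command list carried the caveat `# Coverage materialization (side-effecting — runs each pack's test runner)` for `vyuh-dxkit coverage` and documented `tools`, `doctor`, `update` and `to-xlsx`; the new README mentions `tools install --yes` only inside `post-create.sh` and links `docs/README.md` for the rest. The side-effect warning is the one line a reader needs before running `report --with-coverage` on an unfamiliar repository, so suggest keeping it in the "What dxkit analyzes" table rather than only in the docs tree.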
506
|
-
##
|
|
507
|
-
|
|
508
|
-
1. **Detection** — scans for config files, source files, and tools to determine languages, frameworks, and test runners
|
|
509
|
-
2. **Tool resolution** — `findTool()` checks PATH → brew → npm-g → pipx → cargo → go → project `node_modules` → system probes (first match wins)
|
|
510
|
-
3. **Gather metrics** — each analyzer calls its registered tools and parses structured output (JSON wherever possible)
|
|
511
|
-
4. **Score** — deterministic formulas map metrics to 0–100 per dimension
|
|
512
|
-
5. **Report** — markdown for humans, JSON for agents
|
|
460
|
+
## License
|
|
513
461
|
|
|
514
|
-
|
|
462
|
+
MIT. See [LICENSE](LICENSE).
|
|
515
463
|
|
|
516
464
|
---
|
|
517
465
|
|
|
518
|
-
##
|
|
519
|
-
|
|
520
|
-
- **[`CHANGELOG.md`](CHANGELOG.md)** — release notes by version,
|
|
521
|
-
including methodology shifts that may change scores between
|
|
522
|
-
releases (e.g. the 2.4.7 scoring foundation).
|
|
523
|
-
- **[`CONTRIBUTING.md`](CONTRIBUTING.md)** — local setup, the
|
|
524
|
-
pre-commit hook stack, test conventions, and the "Adding a new
|
|
525
|
-
language" walkthrough.
|
|
526
|
-
- **[`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md)** — a short tour
|
|
527
|
-
of the analyzer data flow, the three core patterns (language
|
|
528
|
-
packs, scoring specs, centralized exclusions + tool registry),
|
|
529
|
-
the subprocess discipline, and the `AnalysisResult` cache.
|
|
530
|
-
- **[`CLAUDE.md`](CLAUDE.md)** — the authoritative architectural
|
|
531
|
-
rule set with pre-commit + CI enforcement. Required reading
|
|
532
|
-
before opening a PR that touches scoring, packs, exclusions, or
|
|
533
|
-
tool invocation.
|
|
534
|
-
- **[`docs/SCORING.md`](docs/SCORING.md)** — full scoring
|
|
535
|
-
methodology: dimensions, weights, thresholds, caps, and the
|
|
536
|
-
Layer-1 standards each spec anchors to.
|
|
537
|
-
- **[`SECURITY.md`](SECURITY.md)** — security policy, supported
|
|
538
|
-
versions, response SLAs, and the [private vulnerability
|
|
539
|
-
reporting](https://github.com/vyuh-labs/dxkit/security/advisories/new)
|
|
540
|
-
channel.
|
|
541
|
-
- **[`CODE_OF_CONDUCT.md`](CODE_OF_CONDUCT.md)** — Contributor
|
|
542
|
-
Covenant 2.1.
|
|
543
|
-
|
|
544
|
-
Bug reports, feature requests, and questions: file an
|
|
545
|
-
[issue](https://github.com/vyuh-labs/dxkit/issues/new/choose) using
|
|
546
|
-
one of the templates.
|
|
547
|
-
|
|
548
|
-
---
|
|
466
|
+
## Try it
|
|
549
467
|
|
|
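Review bot: the removed docs list was the only link to `SECURITY.md` and to the private vulnerability reporting channel (`https://github.com/vyuh-labs/dxkit/security/advisories/new`), as well as to `CODE_OF_CONDUCT.md`; the new "Docs" section above links neither. Keep at least the security policy and reporting link in the README, since that is where people look first when they find an issue in a tool that installs hooks and CI workflows into their repositories.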
550
|
-
|
|
468
|
+
```bash
|
|
469
|
+
npx @vyuhlabs/dxkit@latest init --full
|
|
470
|
+
```
|
|
551
471
|
|
|
552
|
-
|
|
472
|
+
If dxkit helps you ship AI-assisted changes more safely, star the
|
|
473
|
+
repo — it helps others find it too.
|