@vyuhlabs/dxkit 2.5.0 → 2.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +231 -0
- package/README.md +48 -28
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +9 -5
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +19 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +50 -8
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +104 -11
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -10
- package/dist/constants.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +0 -15
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts +78 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +509 -103
- package/dist/doctor.js.map +1 -1
- package/dist/generator.d.ts +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +96 -135
- package/dist/generator.js.map +1 -1
- package/dist/hooks-cli.d.ts +20 -0
- package/dist/hooks-cli.d.ts.map +1 -0
- package/dist/hooks-cli.js +145 -0
- package/dist/hooks-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +5 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +5 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +43 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +76 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +5 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +10 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +13 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +5 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +5 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +47 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +6 -0
- package/dist/languages/typescript.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -5
- package/dist/prompts.js.map +1 -1
- package/dist/setup-branch-protection.d.ts +34 -0
- package/dist/setup-branch-protection.d.ts.map +1 -0
- package/dist/setup-branch-protection.js +190 -0
- package/dist/setup-branch-protection.js.map +1 -0
- package/dist/setup-gh.d.ts +75 -0
- package/dist/setup-gh.d.ts.map +1 -0
- package/dist/setup-gh.js +213 -0
- package/dist/setup-gh.js.map +1 -0
- package/dist/setup-prebuild.d.ts +34 -0
- package/dist/setup-prebuild.d.ts.map +1 -0
- package/dist/setup-prebuild.js +181 -0
- package/dist/setup-prebuild.js.map +1 -0
- package/dist/ship-installers.d.ts +6 -0
- package/dist/ship-installers.d.ts.map +1 -1
- package/dist/ship-installers.js +135 -5
- package/dist/ship-installers.js.map +1 -1
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +45 -9
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +24 -6
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts +41 -0
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +154 -15
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts +88 -0
- package/dist/upgrade.d.ts.map +1 -0
- package/dist/upgrade.js +324 -0
- package/dist/upgrade.js.map +1 -0
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +150 -0
- package/templates/.claude/skills/dxkit-config/SKILL.md +124 -0
- package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +109 -0
- package/templates/.claude/skills/dxkit-init/SKILL.md +93 -0
- package/templates/.claude/skills/dxkit-learn/SKILL.md +84 -0
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +246 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +111 -0
- package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
- package/templates/.devcontainer/devcontainer.json +13 -48
- package/templates/.devcontainer/post-create.sh +37 -8
- package/templates/AGENTS.md.template +137 -0
- package/templates/CLAUDE.md.template +16 -111
- package/dist/codebase-scanner.d.ts +0 -36
- package/dist/codebase-scanner.d.ts.map +0 -1
- package/dist/codebase-scanner.js +0 -687
- package/dist/codebase-scanner.js.map +0 -1
- package/templates/.claude/agents/doc-writer.md +0 -107
- package/templates/.claude/agents/knowledge-bot.md +0 -64
- package/templates/.claude/agents/onboarding.md +0 -62
- package/templates/.claude/agents/quality-reviewer.md +0 -85
- package/templates/.claude/agents-available/code-reviewer.md +0 -29
- package/templates/.claude/agents-available/codebase-explorer.md +0 -100
- package/templates/.claude/agents-available/dashboard-builder.md +0 -433
- package/templates/.claude/agents-available/debugger.md +0 -29
- package/templates/.claude/agents-available/dependency-mapper.md +0 -80
- package/templates/.claude/agents-available/dev-report.md +0 -108
- package/templates/.claude/agents-available/doc-writer.md +0 -107
- package/templates/.claude/agents-available/feature-builder.md +0 -163
- package/templates/.claude/agents-available/feature-planner.md +0 -185
- package/templates/.claude/agents-available/health-auditor.md +0 -95
- package/templates/.claude/agents-available/hooks-configurator.md +0 -211
- package/templates/.claude/agents-available/knowledge-bot.md +0 -62
- package/templates/.claude/agents-available/plan-executor.md +0 -133
- package/templates/.claude/agents-available/strategic-planner.md +0 -141
- package/templates/.claude/agents-available/test-gap-finder.md +0 -67
- package/templates/.claude/agents-available/test-writer.md +0 -34
- package/templates/.claude/agents-available/vulnerability-scanner.md +0 -173
- package/templates/.claude/commands/ask.md +0 -7
- package/templates/.claude/commands/build-feature.md +0 -26
- package/templates/.claude/commands/build.md.template +0 -30
- package/templates/.claude/commands/check.md.template +0 -43
- package/templates/.claude/commands/dashboard.md +0 -28
- package/templates/.claude/commands/deps.md +0 -15
- package/templates/.claude/commands/dev-report.md +0 -50
- package/templates/.claude/commands/docs.md +0 -21
- package/templates/.claude/commands/doctor.md +0 -29
- package/templates/.claude/commands/enable-agent.md +0 -12
- package/templates/.claude/commands/execute-plan.md +0 -25
- package/templates/.claude/commands/explore-codebase.md +0 -12
- package/templates/.claude/commands/export-pdf.md +0 -30
- package/templates/.claude/commands/feature.md +0 -25
- package/templates/.claude/commands/fix-issue.md +0 -12
- package/templates/.claude/commands/fix.md.template +0 -32
- package/templates/.claude/commands/health.md +0 -58
- package/templates/.claude/commands/help.md +0 -36
- package/templates/.claude/commands/learn.md +0 -48
- package/templates/.claude/commands/onboarding.md +0 -21
- package/templates/.claude/commands/plan.md +0 -20
- package/templates/.claude/commands/quality.md.template +0 -65
- package/templates/.claude/commands/session-end.md +0 -40
- package/templates/.claude/commands/session-start.md +0 -30
- package/templates/.claude/commands/setup-hooks.md +0 -18
- package/templates/.claude/commands/stealth-mode.md +0 -17
- package/templates/.claude/commands/test-gaps.md +0 -49
- package/templates/.claude/commands/test.md.template +0 -40
- package/templates/.claude/commands/vulnerabilities.md +0 -49
- package/templates/.claude/skills/build/SKILL.md.template +0 -90
- package/templates/.claude/skills/deploy/SKILL.md.template +0 -111
- package/templates/.claude/skills/deploy/references/gotchas.md +0 -5
- package/templates/.claude/skills/doctor/SKILL.md +0 -31
- package/templates/.claude/skills/gcloud/SKILL.md +0 -66
- package/templates/.claude/skills/gcloud/references/gotchas.md +0 -5
- package/templates/.claude/skills/learned/SKILL.md +0 -55
- package/templates/.claude/skills/learned/references/conventions.md +0 -11
- package/templates/.claude/skills/learned/references/deny-recommendations.md +0 -18
- package/templates/.claude/skills/learned/references/gotchas.md +0 -11
- package/templates/.claude/skills/pulumi/SKILL.md +0 -73
- package/templates/.claude/skills/quality/SKILL.md.template +0 -89
- package/templates/.claude/skills/quality/references/gotchas.md +0 -5
- package/templates/.claude/skills/review/SKILL.md.template +0 -74
- package/templates/.claude/skills/scaffold/SKILL.md.template +0 -113
- package/templates/.claude/skills/secrets/SKILL.md +0 -51
- package/templates/.claude/skills/session/SKILL.md +0 -32
- package/templates/.claude/skills/test/SKILL.md.template +0 -116
- package/templates/.claude/skills/test/references/gotchas.md +0 -5
|
@@ -0,0 +1,246 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dxkit-onboard
|
|
3
|
+
description: Walk a customer through setting up dxkit on a repo from scratch — checks state, installs, scaffolds, configures hooks, runs doctor, fixes any gaps, captures the first baseline, sets up branch protection + Codespaces prebuild. Use when the user asks "set me up", "install dxkit on this repo", "I want to use dxkit", "walk me through dxkit setup", "help me get started with dxkit", or anything about onboarding a fresh repo. Asks for confirmation at each step with sensible defaults; hands off to dxkit-fix mid-flow when doctor surfaces gaps.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# dxkit-onboard
|
|
7
|
+
|
|
8
|
+
This skill drives the FULL new-customer journey end-to-end. It's the "I have nothing — set me up" surface (complement to `dxkit-update` for existing-install upgrades and `dxkit-fix` for repairs).
|
|
9
|
+
|
|
10
|
+
Unlike the other dxkit-* skills which are each scoped to a single domain (install / config / hooks / etc.), dxkit-onboard orchestrates across them. It dispatches into `dxkit-init` for flag choices, `dxkit-fix` for gap closure, `dxkit-hooks` for hook deep-dives — composing a single coherent customer conversation.
|
|
11
|
+
|
|
12
|
+
## When to use this skill
|
|
13
|
+
|
|
14
|
+
Use when:
|
|
15
|
+
|
|
16
|
+
- "Set me up"
|
|
17
|
+
- "Install dxkit on this repo"
|
|
18
|
+
- "I want to use dxkit"
|
|
19
|
+
- "Walk me through dxkit setup"
|
|
20
|
+
- "Help me get started with dxkit"
|
|
21
|
+
- "First time using dxkit"
|
|
22
|
+
|
|
23
|
+
Don't use when:
|
|
24
|
+
|
|
25
|
+
- Customer already has `.vyuh-dxkit.json` AND is asking about a specific task (use the focused skill — dxkit-reports, dxkit-action, etc.)
|
|
26
|
+
- Customer wants to UPGRADE an existing install (use `dxkit-update`)
|
|
27
|
+
- Something is broken (use `dxkit-fix`)
|
|
28
|
+
|
|
29
|
+
## The onboarding journey
|
|
30
|
+
|
|
31
|
+
```
|
|
32
|
+
[1] State check → is dxkit installed? scaffold present? baseline captured? hooks active?
|
|
33
|
+
[2] Install if needed → npm init @vyuhlabs/dxkit OR npx vyuh-dxkit init --full --yes
|
|
34
|
+
[3] Doctor → npx vyuh-dxkit doctor (parse summary.fixable[])
|
|
35
|
+
[4] Fix gaps → dispatch through dxkit-fix for each fixable signal
|
|
36
|
+
[5] Capture baseline → npx vyuh-dxkit baseline create (with explicit secrets-warning)
|
|
37
|
+
[6] Pre-commit ASK → opt-in based on repo size (>500 files: default no)
|
|
38
|
+
[7] Postinstall chain → opt-in to auto-activate hooks for teammates
|
|
39
|
+
[8] Branch protection → ASK to run vyuh-dxkit setup-branch-protection
|
|
40
|
+
[9] Codespaces prebuild → ASK to run vyuh-dxkit setup-prebuild (if customer uses Codespaces)
|
|
41
|
+
[10] Final verify → re-run doctor; show green; surface any remaining gaps
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Each step ASKS the customer with a sensible default — never silent execution. The customer can decline any step; default behavior shouldn't surprise them.
|
|
45
|
+
|
|
46
|
+
## Steps
|
|
47
|
+
|
|
48
|
+
### 1. State check
|
|
49
|
+
|
|
50
|
+
Before recommending anything, snapshot the customer's current state:
|
|
51
|
+
|
|
52
|
+
```bash
|
|
53
|
+
# Does the manifest exist?
|
|
54
|
+
test -f .vyuh-dxkit.json && echo "has-manifest" || echo "fresh"
|
|
55
|
+
|
|
56
|
+
# Is dxkit on PATH?
|
|
57
|
+
command -v vyuh-dxkit && echo "binary-on-path" || echo "binary-missing"
|
|
58
|
+
|
|
59
|
+
# Is the workspace a git repo?
|
|
60
|
+
git rev-parse --is-inside-work-tree 2>/dev/null && echo "git-ok" || echo "not-a-repo"
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
Branch the conversation on the result:
|
|
64
|
+
|
|
65
|
+
- **Fresh repo (no manifest)**: go to step 2 (install)
|
|
66
|
+
- **Manifest exists**: this customer already onboarded. Pivot: "Looks like dxkit is already installed. Are you trying to upgrade (→ dxkit-update) or fix something (→ dxkit-fix)?"
|
|
67
|
+
- **Not a git repo**: stop. "dxkit needs a git repo. Run `git init` first, then come back."
|
|
68
|
+
|
|
69
|
+
### 2. Install if needed
|
|
70
|
+
|
|
71
|
+
For a fresh install, the canonical command is:
|
|
72
|
+
|
|
73
|
+
```bash
|
|
74
|
+
npm init @vyuhlabs/dxkit
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
This runs `create-dxkit` which installs `@vyuhlabs/dxkit` as a devDep and then runs `npx vyuh-dxkit init --full --yes` (which scaffolds everything: skills, AGENTS.md, CLAUDE.md, devcontainer, hooks, CI workflows).
|
|
78
|
+
|
|
79
|
+
Before running, ASK:
|
|
80
|
+
|
|
81
|
+
- **"Full install (recommended)?"** — yes runs the above; no asks for flag choices and routes through `dxkit-init`'s decision tree.
|
|
82
|
+
|
|
83
|
+
Optional flags worth surfacing if the customer pushes back on "full":
|
|
84
|
+
|
|
85
|
+
- `--with-dxkit-agents` — just the 8 dxkit-* skills (no hooks, no CI)
|
|
86
|
+
- `--with-hooks --with-dxkit-agents` — skills + pre-push hook
|
|
87
|
+
- `--with-precommit-hook` — also pre-commit (slow on large repos)
|
|
88
|
+
|
|
89
|
+
If the customer wants more granularity, hand off to `dxkit-init` for the full flag explanation.
|
|
90
|
+
|
|
91
|
+
### 3. Doctor
|
|
92
|
+
|
|
93
|
+
After install, run:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
npx vyuh-dxkit doctor --json > /tmp/dxkit-onboard-doctor.json
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
Parse `summary.fixable[]`. Most fresh-install gaps will be operational (hooks not yet activated by postinstall trigger; baseline not captured yet; etc.) rather than scaffold-missing.
|
|
100
|
+
|
|
101
|
+
### 4. Fix gaps
|
|
102
|
+
|
|
103
|
+
For each fixable signal in doctor's output, dispatch through `dxkit-fix`'s recovery loop. Most common fresh-install gaps:
|
|
104
|
+
|
|
105
|
+
- `git hooks active` not active → `npx vyuh-dxkit hooks activate`
|
|
106
|
+
- `baseline captured` missing → defer to step 5 (we'll handle that explicitly with the secrets warning)
|
|
107
|
+
- `vyuh-dxkit on PATH` missing → `npm install -g @vyuhlabs/dxkit`
|
|
108
|
+
- `scanner toolchain` incomplete → `npx vyuh-dxkit tools install --yes`
|
|
109
|
+
|
|
110
|
+
Don't auto-execute baseline capture here — step 5 has a values-laden warning that needs explicit customer confirmation.
|
|
111
|
+
|
|
112
|
+
### 5. Capture baseline (carefully)
|
|
113
|
+
|
|
114
|
+
This is the step with permanent consequences. The baseline records the fingerprint of every finding currently in the repo and tells future scans "these are pre-existing — don't block on them."
|
|
115
|
+
|
|
116
|
+
Before running `baseline create` on a fresh customer:
|
|
117
|
+
|
|
118
|
+
> **About to capture the first baseline.**
|
|
119
|
+
>
|
|
120
|
+
> This locks in ALL current findings as "pre-existing" — they won't block future PRs. If your repo has real secrets, vulnerable deps, or other defects you'd want to fix FIRST, tell me and I'll show you what's flagged so we can triage before baseline.
|
|
121
|
+
>
|
|
122
|
+
> Capture baseline now if: codebase is known-messy brownfield and you want guardrails on FUTURE regressions specifically.
|
|
123
|
+
>
|
|
124
|
+
> Skip baseline now if: you have secrets in the repo, or you'd rather fix-as-you-go than accept the current state.
|
|
125
|
+
|
|
126
|
+
If they want to triage first, hand off to `dxkit-action` — that skill prioritizes findings before baseline lock-in. Come back to step 5 after triage.
|
|
127
|
+
|
|
128
|
+
If they confirm baseline:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
npx vyuh-dxkit baseline create
|
|
132
|
+
git add .dxkit/baselines/
|
|
133
|
+
git commit -m "chore: capture dxkit baseline"
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
### 6. Pre-commit ASK
|
|
137
|
+
|
|
138
|
+
Pre-commit is opt-in even under `--full` because it re-runs every analyzer on every commit (~1-3 min on 500+ file repos). Most teams skip it.
|
|
139
|
+
|
|
140
|
+
ASK:
|
|
141
|
+
|
|
142
|
+
> **Add pre-commit hook?** Default no. Pre-commit catches regressions before commit (vs pre-push catching them before push). Tradeoff: ~1-3 min wall-clock on every commit for a 500+ file repo. Most teams accept the pre-push-only model.
|
|
143
|
+
|
|
144
|
+
Default recommendation by repo size:
|
|
145
|
+
- `find . -type f -name "*.ts" -o -name "*.py" -o -name "*.go" 2>/dev/null | wc -l` < 200 → default Yes
|
|
146
|
+
- > 500 → default No
|
|
147
|
+
- In between → ask without a strong default
|
|
148
|
+
|
|
149
|
+
If yes, run `npx vyuh-dxkit init --with-precommit-hook --yes` to add the pre-commit hook.
|
|
150
|
+
|
|
151
|
+
### 7. Postinstall chain
|
|
152
|
+
|
|
153
|
+
If the customer's `package.json` already has a `postinstall` script (most non-trivial repos do — patch-package, husky, monorepo bootstrap), dxkit won't auto-chain its hook activation into it. Teammates who clone the repo and run `npm install` won't get hooks wired automatically.
|
|
154
|
+
|
|
155
|
+
ASK:
|
|
156
|
+
|
|
157
|
+
> **Chain dxkit-hooks-activate into your existing postinstall?** Default yes. Without this, teammates who clone won't get hooks wired automatically.
|
|
158
|
+
>
|
|
159
|
+
> Current postinstall: `<read from package.json>`
|
|
160
|
+
> Proposed: `<current> && vyuh-dxkit hooks activate`
|
|
161
|
+
|
|
162
|
+
If yes, hand off to `dxkit-hooks` for the actual edit (it knows the safe append pattern + how to deal with sidecar files).
|
|
163
|
+
|
|
164
|
+
### 8. Branch protection ASK
|
|
165
|
+
|
|
166
|
+
Local hooks are fast feedback; CI is the unbypassable enforcement. Branch protection wires CI as a required status check — without it, the dxkit-guardrails workflow is informational and PRs can merge even when it fails.
|
|
167
|
+
|
|
168
|
+
ASK:
|
|
169
|
+
|
|
170
|
+
> **Configure branch protection now?** Default yes. Adds `dxkit-guardrails` as a required status check on `<default branch>`. Requires admin permission on the GitHub repo. Without this, the CI workflow is informational — PRs can merge even on guardrail failures.
|
|
171
|
+
|
|
172
|
+
If yes:
|
|
173
|
+
|
|
174
|
+
```bash
|
|
175
|
+
npx vyuh-dxkit setup-branch-protection
|
|
176
|
+
```
|
|
177
|
+
|
|
178
|
+
If the customer isn't a repo admin (HTTP 403), surface the manual UI path: Settings → Branches → Add rule → Require status checks → check `dxkit-guardrails`. Or ask their repo admin to run the command.
|
|
179
|
+
|
|
180
|
+
### 9. Codespaces prebuild ASK
|
|
181
|
+
|
|
182
|
+
Only relevant if the customer's team uses Codespaces. ASK:
|
|
183
|
+
|
|
184
|
+
> **Does your team use GitHub Codespaces?** [Y/N]
|
|
185
|
+
>
|
|
186
|
+
> If yes: configuring a prebuild drops cold-start from ~7 min to ~30s. Trivial to set up; storage costs ~$3-5/month per region.
|
|
187
|
+
|
|
188
|
+
If yes:
|
|
189
|
+
|
|
190
|
+
```bash
|
|
191
|
+
npx vyuh-dxkit setup-prebuild
|
|
192
|
+
```
|
|
193
|
+
|
|
194
|
+
Same admin-permission caveat as step 8.
|
|
195
|
+
|
|
196
|
+
### 10. Final verify
|
|
197
|
+
|
|
198
|
+
Re-run doctor:
|
|
199
|
+
|
|
200
|
+
```bash
|
|
201
|
+
npx vyuh-dxkit doctor
|
|
202
|
+
```
|
|
203
|
+
|
|
204
|
+
Report the results:
|
|
205
|
+
|
|
206
|
+
- **All green** → "You're fully set up. dxkit will guard your next push. Run `vyuh-dxkit health` whenever you want to see scores."
|
|
207
|
+
- **Remaining fixable gaps** → hand off to `dxkit-fix` for each one. Don't end with broken signals.
|
|
208
|
+
|
|
209
|
+
## What dxkit-onboard can NOT do
|
|
210
|
+
|
|
211
|
+
- **Auto-decide values-laden questions** — baseline lock-in (step 5), pre-commit opt-in (step 6), postinstall chaining (step 7), branch protection (step 8) all require explicit customer confirmation. Never silently execute these.
|
|
212
|
+
- **Fix repos that aren't git repos** — surface the "git init first" step and stop.
|
|
213
|
+
- **Triage code findings** — that's `dxkit-action`. Hand off when the customer wants to evaluate findings before baseline.
|
|
214
|
+
- **Install on a non-Node project** — dxkit can still scan non-Node projects but `npm init @vyuhlabs/dxkit` needs Node + npm. Surface the requirement; offer global install path as a fallback.
|
|
215
|
+
|
|
216
|
+
## Boundary with other lifecycle skills
|
|
217
|
+
|
|
218
|
+
| Customer state | Reach for |
|
|
219
|
+
|---|---|
|
|
220
|
+
| "I have nothing" | **dxkit-onboard (this skill)** |
|
|
221
|
+
| "I have working install, make it newer" | `dxkit-update` |
|
|
222
|
+
| "Doctor says X is broken" | `dxkit-fix` |
|
|
223
|
+
| "Run a report" | `dxkit-reports` |
|
|
224
|
+
| "Fix code findings" | `dxkit-action` |
|
|
225
|
+
| "Edit dxkit configuration" | `dxkit-config` |
|
|
226
|
+
| "Set up / troubleshoot hooks" | `dxkit-hooks` |
|
|
227
|
+
| "Explain dxkit concepts" | `dxkit-learn` |
|
|
228
|
+
| "Choose init flags" | `dxkit-init` |
|
|
229
|
+
|
|
230
|
+
When in doubt, dxkit-onboard handles the full first-install journey and delegates to focused skills for sub-decisions. After step 10, the customer should never need dxkit-onboard again — they'd reach for dxkit-update (newer dxkit), dxkit-fix (broken signal), or one of the work skills (reports/action/config/hooks).
|
|
231
|
+
|
|
232
|
+
## Final report
|
|
233
|
+
|
|
234
|
+
```
|
|
235
|
+
✓ Fresh dxkit install complete:
|
|
236
|
+
• Binary: 2.5.X installed globally + project-local
|
|
237
|
+
• Scaffold: 8 dxkit-* skills, AGENTS.md, CLAUDE.md, devcontainer, hooks, CI workflows
|
|
238
|
+
• Doctor: 14/14 (Reports + Agent DX + Operational health)
|
|
239
|
+
• Baseline: N findings locked in (or "skipped — you're triaging first")
|
|
240
|
+
• Pre-commit: yes/no (your choice)
|
|
241
|
+
• Postinstall chain: yes/no (your choice)
|
|
242
|
+
• Branch protection: configured / declined / failed (admin permission)
|
|
243
|
+
• Codespaces prebuild: configured / declined / N/A
|
|
244
|
+
```
|
|
245
|
+
|
|
246
|
+
End with a one-line CTA: "Try it: edit a file, `git push`, and watch the hook fire. Or ask 'run health' to see your dxkit scores."
|
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dxkit-reports
|
|
3
|
+
description: Run dxkit reports and explain their output, including the consolidated dashboard view. Use when the user asks "run health", "check security", "show me the dashboard", "open the dashboard", "tour the dashboard", "explain the dashboard", "what does this score mean", or anything about generating / interpreting dxkit analyzer output. Always reach for this skill even when the user names a specific subcommand (health, vulnerabilities, dashboard, bom, etc.) — running the command is only half of the value; the skill wraps the output with the right framing. Hands off to dxkit-action for fixing findings.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# dxkit-reports
|
|
7
|
+
|
|
8
|
+
This skill runs dxkit analyzers and reads their output back to the user. It's the "tell me how my codebase is doing" surface.
|
|
9
|
+
|
|
10
|
+
## Command map
|
|
11
|
+
|
|
12
|
+
| User asks | Command | Output |
|
|
13
|
+
|---|---|---|
|
|
14
|
+
| "Overall health" / "give me the score" | `npx vyuh-dxkit health` | 6-dimension score table + top actions per dimension |
|
|
15
|
+
| "Check security" / "find vulns" | `npx vyuh-dxkit vulnerabilities` | Code-level SAST + dep-vuln + secret findings, grouped by severity |
|
|
16
|
+
| "Test coverage gaps" | `npx vyuh-dxkit test-gaps` | Source files without matching tests, prioritized by architectural role |
|
|
17
|
+
| "Code quality" | `npx vyuh-dxkit quality` | Lint findings + duplication + slop score |
|
|
18
|
+
| "Who's been working on what" | `npx vyuh-dxkit dev-report` | Per-author activity, hot files, churn |
|
|
19
|
+
| "License inventory" | `npx vyuh-dxkit licenses` | Every dependency's declared license |
|
|
20
|
+
| "Bill of materials" | `npx vyuh-dxkit bom` | Licenses + dep vulnerabilities joined (15-col XLSX-ready output) |
|
|
21
|
+
| "Run everything" | `npx vyuh-dxkit report` | Every analyzer in one shot, ~3-5 min |
|
|
22
|
+
| "Show me the dashboard" | `npx vyuh-dxkit dashboard` | Single HTML view of all reports — opens at `.dxkit/reports/dashboard.html` |
|
|
23
|
+
|
|
24
|
+
## Where output lands
|
|
25
|
+
|
|
26
|
+
Every analyzer writes to `.dxkit/reports/` with a date-stamped filename:
|
|
27
|
+
|
|
28
|
+
```
|
|
29
|
+
.dxkit/reports/
|
|
30
|
+
health-2026-05-19.md
|
|
31
|
+
health-2026-05-19.json
|
|
32
|
+
vulnerability-scan-2026-05-19.md
|
|
33
|
+
vulnerability-scan-2026-05-19-detailed.json
|
|
34
|
+
...
|
|
35
|
+
dashboard.html
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
The `.md` files are human-readable; the `.json` files are machine-readable (for CI consumption or custom tooling). Reports are gitignored by default — they regenerate on every run.
|
|
39
|
+
|
|
40
|
+
## Reading the health report
|
|
41
|
+
|
|
42
|
+
The 6 dimensions each get an A-E grade. Below each grade the "top actions" list shows what would lift the score the most (sorted by potential uplift). Example:
|
|
43
|
+
|
|
44
|
+
```
|
|
45
|
+
Security: B (72)
|
|
46
|
+
Top actions:
|
|
47
|
+
1. Pin @types/node to ≥18.19.0 (closes 2 dep-vuln entries)
|
|
48
|
+
2. Add gitleaks pre-commit hook (closes 1 secret-scan finding)
|
|
49
|
+
3. Replace `Math.random()` in src/auth/token.ts (closes 1 SAST finding)
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
Score → rating: A ≥ 80, B ≥ 60, C ≥ 40, D ≥ 20, E < 20. **Cap tiers** can pin a score below its arithmetic value when trust is broken (e.g., uncommitted state caps at 79). The report explains the cap if one fires.
|
|
53
|
+
|
|
54
|
+
## Common patterns
|
|
55
|
+
|
|
56
|
+
### Quick health check (warm cache)
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
npx vyuh-dxkit health
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
Re-uses cached scanner outputs where possible. ~5-15s on warm cache, ~30-60s cold.
|
|
63
|
+
|
|
64
|
+
### Pre-merge audit (thorough)
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
npx vyuh-dxkit health --with-coverage # Runs tests + materializes coverage before scoring
|
|
68
|
+
npx vyuh-dxkit vulnerabilities # Always re-runs the deep security scan
|
|
69
|
+
npx vyuh-dxkit dashboard # Renders the latest reports into one HTML view
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
`--with-coverage` is slow (runs your test suite) but switches the Tests dimension from heuristic ("files match a test pattern") to real ("line coverage from your reporter"). Worth it for pre-merge audits.
|
|
73
|
+
|
|
74
|
+
### Per-PR scope
|
|
75
|
+
|
|
76
|
+
```bash
|
|
77
|
+
npx vyuh-dxkit guardrail check
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
Diffs the current scan vs the baseline. Exit 1 on net-new findings (the same logic the pre-push hook uses).
|
|
81
|
+
|
|
82
|
+
### Failing CI on a threshold
|
|
83
|
+
|
|
84
|
+
```bash
|
|
85
|
+
npx vyuh-dxkit health --fail-on-score=70 # Exit 1 if overall score < 70
|
|
86
|
+
npx vyuh-dxkit vulnerabilities --fail-on-severity=high # Exit 1 if any high-severity finding
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
Use these in CI for hard floors.
|
|
90
|
+
|
|
91
|
+
## Reading dependency findings
|
|
92
|
+
|
|
93
|
+
`vulnerabilities` (and `bom`) carry severity + CVSS where available. The severity column is computed via OSV.dev's enrichment — when OSV reports no severity, dxkit assigns one via CVSS v4.0 base-score math (see `src/analyzers/tools/cvss-v4.ts`).
|
|
94
|
+
|
|
95
|
+
When the user asks "is this CVE worth fixing today" the answer depends on:
|
|
96
|
+
1. **Reachability** — does the codebase actually call the vulnerable function? (Today: heuristic via graphify call-graph; reachability tiers are a roadmap item.)
|
|
97
|
+
2. **Exploitability** — public PoC? Authentication required? Network exposure?
|
|
98
|
+
3. **Patch availability** — is there a fixed version?
|
|
99
|
+
|
|
100
|
+
Surface those three when summarizing a dep-vuln finding. The detailed JSON has the OSV/GHSA reference URL — link to it.
|
|
101
|
+
|
|
102
|
+
## When the user wants to ACT on findings
|
|
103
|
+
|
|
104
|
+
Hand off to the `dxkit-action` skill — that's the workflow for prioritizing + fixing + re-baselining. This skill stops at "here's what's wrong."
|
|
105
|
+
|
|
106
|
+
## Troubleshooting
|
|
107
|
+
|
|
108
|
+
- **"Scanner X unavailable"** → run `npx vyuh-dxkit tools list` to see status; `npx vyuh-dxkit tools install` to install missing ones.
|
|
109
|
+
- **"N/A for this stack"** → applicability-guard fired (e.g., vitest-coverage on a mocha repo). Not a problem; the scanner doesn't apply here.
|
|
110
|
+
- **Report looks stale** → `.dxkit/reports/` is keyed by date. Re-run the analyzer to get a fresh date-stamped file.
|
|
111
|
+
- **Numbers don't match between two reports** → check whether `--with-coverage` was used. Without it, Tests dimension uses heuristic; with it, real coverage. They legitimately differ.
|
|
@@ -0,0 +1,164 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dxkit-update
|
|
3
|
+
description: Walk the customer through upgrading dxkit to a newer version safely. Use when the user asks "update dxkit", "upgrade to latest", "what's new in dxkit", "is there a new dxkit version", "should I upgrade dxkit", or anything about moving an existing dxkit install forward. Reads version delta + changelog + recommended steps; confirms each step. Hands off to dxkit-fix if post-upgrade doctor surfaces broken signals.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# dxkit-update
|
|
7
|
+
|
|
8
|
+
This skill drives the dxkit upgrade flow conversationally. It's the "I have something working — make it newer" surface (complement to `dxkit-onboard` for fresh installs and `dxkit-fix` for repairs).
|
|
9
|
+
|
|
10
|
+
## When to use this skill
|
|
11
|
+
|
|
12
|
+
Use when:
|
|
13
|
+
|
|
14
|
+
- "Is there a new dxkit version?"
|
|
15
|
+
- "Update dxkit"
|
|
16
|
+
- "Upgrade to latest"
|
|
17
|
+
- "What changed in dxkit recently?"
|
|
18
|
+
- "What's new in 2.5.5?" (or any other specific version)
|
|
19
|
+
- "Should I upgrade?"
|
|
20
|
+
|
|
21
|
+
Don't use when:
|
|
22
|
+
|
|
23
|
+
- Customer has no `.vyuh-dxkit.json` (they need `dxkit-init`, not update)
|
|
24
|
+
- Something is BROKEN — use `dxkit-fix` first; then maybe update after
|
|
25
|
+
- Customer wants to roll back to an older version (downgrade — surface the risk + manual command, don't auto-execute)
|
|
26
|
+
|
|
27
|
+
## How the upgrade works (two stages)
|
|
28
|
+
|
|
29
|
+
dxkit ships in two layers and an upgrade touches both:
|
|
30
|
+
|
|
31
|
+
1. **The binary** — `@vyuhlabs/dxkit` npm package. `npm update` or `npm install @vyuhlabs/dxkit@<version>` replaces the local binary.
|
|
32
|
+
2. **The scaffold** — files in the customer's repo (`.devcontainer/`, `.githooks/`, `.claude/skills/dxkit-*/`, `AGENTS.md`, `CLAUDE.md`, `.github/workflows/dxkit-*.yml`). `npx vyuh-dxkit update` refreshes these to match the new binary's templates.
|
|
33
|
+
|
|
34
|
+
Both run for any non-trivial upgrade. The CLI subcommand `vyuh-dxkit upgrade` orchestrates them; this skill drives the customer through the orchestration with explanations and confirmations.
|
|
35
|
+
|
|
36
|
+
## The upgrade loop
|
|
37
|
+
|
|
38
|
+
```
|
|
39
|
+
[1] Read the plan → npx vyuh-dxkit upgrade --plan --json
|
|
40
|
+
[2] Explain the delta → current vs target, classification, what's new
|
|
41
|
+
[3] Surface warnings → major bumps, breaking changes, scaffold drift
|
|
42
|
+
[4] Confirm → "proceed?" (default Y for low-risk; default N for major/downgrade)
|
|
43
|
+
[5] Execute → drive each step with per-step status
|
|
44
|
+
[6] Verify → run doctor + report operational health post-upgrade
|
|
45
|
+
[7] Surface manual steps → devcontainer rebuild instructions if .devcontainer/ changed
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
## Steps
|
|
49
|
+
|
|
50
|
+
### 1. Snapshot the plan
|
|
51
|
+
|
|
52
|
+
```bash
|
|
53
|
+
npx vyuh-dxkit upgrade --plan --json > /tmp/dxkit-upgrade-plan.json
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
The JSON has shape `{ schema: "upgrade-plan.v1", current: { binary, scaffold }, target, delta, steps: [...], warnings: [...], changelogNote }`. Capturing to a file (instead of piping inline) lets the customer re-read the plan if they pause mid-flow.
|
|
57
|
+
|
|
58
|
+
### 2. Explain what's about to happen
|
|
59
|
+
|
|
60
|
+
Translate the structured plan into customer-friendly prose:
|
|
61
|
+
|
|
62
|
+
| Plan field | What to say |
|
|
63
|
+
|---|---|
|
|
64
|
+
| `current.binary` + `current.scaffold` | "You're on dxkit X (scaffold also X). Latest: Y." |
|
|
65
|
+
| `delta: 'none'` | "Already up to date — nothing to do." Skip to End. |
|
|
66
|
+
| `delta: 'patch'` | "N patch versions between you and latest. Low risk — bug fixes + small features only." |
|
|
67
|
+
| `delta: 'minor'` | "Minor bump — new features + scaffold changes likely. Probably safe; CHANGELOG.md has details." |
|
|
68
|
+
| `delta: 'major'` | "**Major bump** — read CHANGELOG.md for breaking changes BEFORE upgrading. Possible baseline/manifest schema migrations; possibly broken policy files; possibly removed CLI flags." |
|
|
69
|
+
| `delta: 'downgrade'` | "Target is OLDER than installed. Downgrades aren't officially supported — baseline/manifest schemas may differ. Surface this and let the customer decide." |
|
|
70
|
+
|
|
71
|
+
### 3. Surface every warning
|
|
72
|
+
|
|
73
|
+
Iterate `plan.warnings` and present each as its own bullet. Don't bury them. If `warnings` is empty, mention "No warnings — proceed when ready."
|
|
74
|
+
|
|
75
|
+
### 4. Confirm before execution
|
|
76
|
+
|
|
77
|
+
Ask:
|
|
78
|
+
|
|
79
|
+
> **Proceed with the upgrade?**
|
|
80
|
+
|
|
81
|
+
Default Y for patch/minor; default N for major/downgrade. If they decline, end gracefully — leave the plan in their hands.
|
|
82
|
+
|
|
83
|
+
### 5. Execute step-by-step
|
|
84
|
+
|
|
85
|
+
For each step in `plan.steps`:
|
|
86
|
+
|
|
87
|
+
- Skip `optional: true` steps from auto-execution (devcontainer rebuild is the only one today; surface it after)
|
|
88
|
+
- Show: "[i/N] purpose"
|
|
89
|
+
- Run: the command via Bash
|
|
90
|
+
- Note: success/failure based on exit code
|
|
91
|
+
|
|
92
|
+
If any step fails, **stop**. Don't continue with downstream steps. Surface:
|
|
93
|
+
|
|
94
|
+
- Which step failed + its stderr
|
|
95
|
+
- Suggested recovery: "Run `npx vyuh-dxkit doctor` to see current state, or invoke the `dxkit-fix` skill to walk through repair."
|
|
96
|
+
|
|
97
|
+
### 6. Verify with doctor
|
|
98
|
+
|
|
99
|
+
If all steps succeeded, run `npx vyuh-dxkit doctor` and report. If doctor surfaces operational issues post-upgrade (e.g. `summary.fixable[]` not empty), **hand off to dxkit-fix** — say "Upgrade complete, but doctor surfaced N gaps. Walking through dxkit-fix to close them."
|
|
100
|
+
|
|
101
|
+
### 7. Surface manual follow-ups
|
|
102
|
+
|
|
103
|
+
Iterate optional steps in the plan:
|
|
104
|
+
|
|
105
|
+
```
|
|
106
|
+
⚠ Your .devcontainer/ was refreshed. Rebuild your container to pick up:
|
|
107
|
+
VSCode: Command Palette → "Dev Containers: Rebuild Container"
|
|
108
|
+
Codespaces: Command Palette → "Codespaces: Rebuild Container"
|
|
109
|
+
Local Docker: `docker compose down && docker compose up -d --build`
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
## What dxkit-update can NOT do
|
|
113
|
+
|
|
114
|
+
- **Cross-major migrations** — major bumps may need MIGRATION.md guidance + manual policy edits. Surface the link; don't auto-execute.
|
|
115
|
+
- **Customer code changes** — if the upgrade requires changes to the customer's scoring policy, baseline schema, or workflow file customizations, point at the CHANGELOG.md section and stop.
|
|
116
|
+
- **Downgrades** — never auto-execute. Always confirm; warn about schema differences; suggest backing up `.dxkit/baselines/` first.
|
|
117
|
+
- **Rollback** — if execution mid-step fails, dxkit-update can't undo the binary install. Customer needs to `npm install @vyuhlabs/dxkit@<previous-version>` themselves.
|
|
118
|
+
|
|
119
|
+
## Boundary with other lifecycle skills
|
|
120
|
+
|
|
121
|
+
| Customer state | Reach for |
|
|
122
|
+
|---|---|
|
|
123
|
+
| "I have nothing" | `dxkit-onboard` |
|
|
124
|
+
| "I have working install, make it newer" | **dxkit-update (this skill)** |
|
|
125
|
+
| "Doctor says X is broken" | `dxkit-fix` |
|
|
126
|
+
| "I want to run a report" | `dxkit-reports` |
|
|
127
|
+
| "Fix these findings" | `dxkit-action` |
|
|
128
|
+
| "Configure dxkit" | `dxkit-config` |
|
|
129
|
+
| "Set up hooks" | `dxkit-hooks` |
|
|
130
|
+
| "Explain dxkit" | `dxkit-learn` |
|
|
131
|
+
|
|
132
|
+
If the customer asks something that spans skills (e.g. "update dxkit and then fix the new issues"), chain: dxkit-update first, then auto-invoke dxkit-fix on the post-upgrade doctor output.
|
|
133
|
+
|
|
134
|
+
## CHANGELOG hygiene (worth raising)
|
|
135
|
+
|
|
136
|
+
The plan's `changelogNote` field points at the canonical CHANGELOG.md URL. Currently it's just a pointer — future versions of `vyuh-dxkit upgrade --plan` may parse the changelog and surface per-version highlights inline. For now, when the customer asks "what changed?", offer to fetch + summarize the CHANGELOG.md for the version range:
|
|
137
|
+
|
|
138
|
+
```bash
|
|
139
|
+
# Fetch the changelog locally (the installed package ships it)
|
|
140
|
+
cat node_modules/@vyuhlabs/dxkit/CHANGELOG.md
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
Or for content between current and target (which isn't in the installed tarball until AFTER upgrade), suggest visiting the URL in `plan.changelogNote`.
|
|
144
|
+
|
|
145
|
+
## Final report
|
|
146
|
+
|
|
147
|
+
After the loop completes:
|
|
148
|
+
|
|
149
|
+
```
|
|
150
|
+
✓ Upgraded: dxkit X → Y
|
|
151
|
+
✓ Scaffold refreshed: N files updated, M new (e.g. dxkit-fix skill if upgrading from <2.5.2)
|
|
152
|
+
✓ Doctor: all green
|
|
153
|
+
○ Manual: rebuild devcontainer to pick up changes
|
|
154
|
+
```
|
|
155
|
+
|
|
156
|
+
Or if something failed:
|
|
157
|
+
|
|
158
|
+
```
|
|
159
|
+
✗ Upgrade halted at step [i/N]: <purpose>
|
|
160
|
+
stderr: <captured>
|
|
161
|
+
→ Recovery: `npx vyuh-dxkit doctor` to see current state; ask "fix dxkit" to walk through repair
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
End with a one-line CTA: "Anything else? Ask 'check dxkit health' to see current scores on the new version."
|
|
@@ -1,41 +1,15 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "dxkit dev environment",
|
|
3
3
|
|
|
4
|
-
// Universal base + composable features.
|
|
5
|
-
//
|
|
6
|
-
//
|
|
7
|
-
//
|
|
8
|
-
//
|
|
4
|
+
// Universal base + per-stack composable features. The features
|
|
5
|
+
// block below is generated by `vyuh-dxkit init` from the detected
|
|
6
|
+
// stack — only toolchains your project actually uses get installed.
|
|
7
|
+
// Always-on: Node (dxkit's own runtime) + GitHub CLI. Add or
|
|
8
|
+
// remove entries by hand if you want to over- or under-ride the
|
|
9
|
+
// auto-detected set.
|
|
9
10
|
"image": "mcr.microsoft.com/devcontainers/base:ubuntu-22.04",
|
|
10
11
|
|
|
11
|
-
"features":
|
|
12
|
-
"ghcr.io/devcontainers/features/node:1": {
|
|
13
|
-
"version": "22",
|
|
14
|
-
"nvmVersion": "latest"
|
|
15
|
-
},
|
|
16
|
-
"ghcr.io/devcontainers/features/python:1": {
|
|
17
|
-
"version": "3.12",
|
|
18
|
-
"installTools": true
|
|
19
|
-
},
|
|
20
|
-
"ghcr.io/devcontainers/features/go:1": {
|
|
21
|
-
"version": "1.21"
|
|
22
|
-
},
|
|
23
|
-
"ghcr.io/devcontainers/features/dotnet:2": {
|
|
24
|
-
"version": "8.0"
|
|
25
|
-
},
|
|
26
|
-
"ghcr.io/devcontainers/features/ruby:1": {
|
|
27
|
-
"version": "3.3"
|
|
28
|
-
},
|
|
29
|
-
"ghcr.io/devcontainers/features/java:1": {
|
|
30
|
-
"version": "17",
|
|
31
|
-
"installGradle": true
|
|
32
|
-
},
|
|
33
|
-
"ghcr.io/devcontainers/features/rust:1": {
|
|
34
|
-
"version": "stable",
|
|
35
|
-
"profile": "default"
|
|
36
|
-
},
|
|
37
|
-
"ghcr.io/devcontainers/features/github-cli:1": {}
|
|
38
|
-
},
|
|
12
|
+
"features": __DXKIT_DEVCONTAINER_FEATURES__,
|
|
39
13
|
|
|
40
14
|
// Reproducibility note: language toolchains are pinned in the
|
|
41
15
|
// features block above. Scanner tools (gitleaks, semgrep, cloc,
|
|
@@ -50,23 +24,14 @@
|
|
|
50
24
|
// registry pinned-versions advanced since last use.
|
|
51
25
|
"postStartCommand": "command -v vyuh-dxkit >/dev/null 2>&1 && vyuh-dxkit tools list || true",
|
|
52
26
|
|
|
27
|
+
// Extensions list is generated by `vyuh-dxkit init` from the detected
|
|
28
|
+
// stack — only active packs' editor support gets installed. Always-on
|
|
29
|
+
// entries (anthropic.claude-code + GitHub Actions/PR) ship on every
|
|
30
|
+
// container regardless. Add or remove entries by hand to override the
|
|
31
|
+
// auto-detected set.
|
|
53
32
|
"customizations": {
|
|
54
33
|
"vscode": {
|
|
55
|
-
"extensions":
|
|
56
|
-
"anthropic.claude-code",
|
|
57
|
-
"dbaeumer.vscode-eslint",
|
|
58
|
-
"esbenp.prettier-vscode",
|
|
59
|
-
"ms-python.python",
|
|
60
|
-
"ms-python.vscode-pylance",
|
|
61
|
-
"golang.go",
|
|
62
|
-
"rust-lang.rust-analyzer",
|
|
63
|
-
"ms-dotnettools.csharp",
|
|
64
|
-
"redhat.java",
|
|
65
|
-
"fwcd.kotlin",
|
|
66
|
-
"rebornix.ruby",
|
|
67
|
-
"github.vscode-github-actions",
|
|
68
|
-
"github.vscode-pull-request-github"
|
|
69
|
-
],
|
|
34
|
+
"extensions": __DXKIT_DEVCONTAINER_EXTENSIONS__,
|
|
70
35
|
"settings": {
|
|
71
36
|
"editor.formatOnSave": true,
|
|
72
37
|
"files.eol": "\n"
|
|
@@ -23,31 +23,60 @@ echo "==> dxkit post-create starting in $(pwd)"
|
|
|
23
23
|
# annoying but shouldn't take down the rest of the post-create. The
|
|
24
24
|
# user can re-run `npm install` after authenticating or fixing the
|
|
25
25
|
# lockfile.
|
|
26
|
+
#
|
|
27
|
+
# The fallback chain layers three install strategies before giving up:
|
|
28
|
+
#
|
|
29
|
+
# 1. `npm ci` (lockfile path only) — strict, fast, uses the lockfile
|
|
30
|
+
# verbatim. Happy path on a healthy tree.
|
|
31
|
+
# 2. `npm install` — looser; rebuilds lockfile entries if the
|
|
32
|
+
# lockfile drifted (lockfile vs package.json mismatch after a
|
|
33
|
+
# merge, for example).
|
|
34
|
+
# 3. `npm install --legacy-peer-deps` — last resort. npm v7+ defaults
|
|
35
|
+
# to strict peer-dep resolution; brownfield monorepos almost
|
|
36
|
+
# always carry unresolved peers (eslint 8↔10, react cross-pkg
|
|
37
|
+
# peer mismatches, etc.) which fail both prior steps with
|
|
38
|
+
# multi-line ERESOLVE dumps. Legacy mode skips the peer-dep
|
|
39
|
+
# check and gets a working node_modules/.
|
|
26
40
|
if [ -f package.json ]; then
|
|
27
41
|
echo "==> Installing project dependencies..."
|
|
28
42
|
if [ -f package-lock.json ]; then
|
|
29
|
-
npm ci || npm install || {
|
|
30
|
-
echo "WARN: project dependency install failed — re-run 'npm install' manually
|
|
43
|
+
npm ci || npm install || npm install --legacy-peer-deps || {
|
|
44
|
+
echo "WARN: project dependency install failed even with --legacy-peer-deps — re-run 'npm install --legacy-peer-deps' manually after fixing the cause." >&2
|
|
31
45
|
}
|
|
32
46
|
else
|
|
33
|
-
npm install || {
|
|
34
|
-
echo "WARN: project dependency install failed — re-run 'npm install' manually
|
|
47
|
+
npm install || npm install --legacy-peer-deps || {
|
|
48
|
+
echo "WARN: project dependency install failed even with --legacy-peer-deps — re-run 'npm install --legacy-peer-deps' manually after fixing the cause." >&2
|
|
35
49
|
}
|
|
36
50
|
fi
|
|
37
51
|
fi
|
|
38
52
|
|
|
39
|
-
# Resolve dxkit. Prefer the project-local install if a
|
|
40
|
-
# pinned dxkit in devDependencies
|
|
41
|
-
#
|
|
53
|
+
# Resolve dxkit for THIS script. Prefer the project-local install if a
|
|
54
|
+
# package.json pinned dxkit in devDependencies (so the script uses the
|
|
55
|
+
# project's pinned version); otherwise install globally and use that.
|
|
42
56
|
if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
|
|
43
57
|
DXKIT="./node_modules/.bin/vyuh-dxkit"
|
|
44
58
|
elif command -v vyuh-dxkit >/dev/null 2>&1; then
|
|
45
59
|
DXKIT="vyuh-dxkit"
|
|
46
60
|
else
|
|
47
|
-
echo "==> Installing @vyuhlabs/dxkit globally..."
|
|
61
|
+
echo "==> Installing @vyuhlabs/dxkit globally (for script use)..."
|
|
48
62
|
npm install -g @vyuhlabs/dxkit
|
|
49
63
|
DXKIT="vyuh-dxkit"
|
|
50
64
|
fi
|
|
65
|
+
|
|
66
|
+
# Make sure `vyuh-dxkit` is on the CUSTOMER's interactive shell PATH
|
|
67
|
+
# regardless of where the script-local resolution above ended up.
|
|
68
|
+
# Project-local installs (./node_modules/.bin/) are NOT on PATH for
|
|
69
|
+
# terminal sessions or for the dxkit-* agent skills' bash invocations
|
|
70
|
+
# — only the global install puts the bare command on PATH. Without
|
|
71
|
+
# this, the customer types `vyuh-dxkit doctor` and gets "command not
|
|
72
|
+
# found" until they discover `npx vyuh-dxkit`. Soft-fail: if global
|
|
73
|
+
# install fails (offline / registry hiccup), `npx vyuh-dxkit` still
|
|
74
|
+
# works as a fallback.
|
|
75
|
+
if ! command -v vyuh-dxkit >/dev/null 2>&1; then
|
|
76
|
+
echo "==> Installing @vyuhlabs/dxkit globally (for shell PATH)..."
|
|
77
|
+
npm install -g @vyuhlabs/dxkit || \
|
|
78
|
+
echo "WARN: global install failed — customer terminal will need 'npx vyuh-dxkit'." >&2
|
|
79
|
+
fi
|
|
51
80
|
echo "==> Using dxkit binary: ${DXKIT}"
|
|
52
81
|
|
|
53
82
|
echo "==> Installing scanner toolchain via dxkit registry..."
|