@vyuhlabs/dxkit 2.5.1 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (200) hide show
  1. package/CHANGELOG.md +318 -0
  2. package/README.md +150 -28
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  32. package/dist/analyzers/tools/tool-registry.js +25 -8
  33. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  34. package/dist/baseline/baseline-file.d.ts +7 -0
  35. package/dist/baseline/baseline-file.d.ts.map +1 -1
  36. package/dist/baseline/baseline-file.js +22 -1
  37. package/dist/baseline/baseline-file.js.map +1 -1
  38. package/dist/baseline/check-renderers.d.ts +13 -1
  39. package/dist/baseline/check-renderers.d.ts.map +1 -1
  40. package/dist/baseline/check-renderers.js +67 -1
  41. package/dist/baseline/check-renderers.js.map +1 -1
  42. package/dist/baseline/check.d.ts +33 -7
  43. package/dist/baseline/check.d.ts.map +1 -1
  44. package/dist/baseline/check.js +90 -64
  45. package/dist/baseline/check.js.map +1 -1
  46. package/dist/baseline/create.d.ts +35 -7
  47. package/dist/baseline/create.d.ts.map +1 -1
  48. package/dist/baseline/create.js +43 -5
  49. package/dist/baseline/create.js.map +1 -1
  50. package/dist/baseline/entry-to-located.d.ts +6 -1
  51. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  52. package/dist/baseline/entry-to-located.js +20 -2
  53. package/dist/baseline/entry-to-located.js.map +1 -1
  54. package/dist/baseline/finding-identity.d.ts.map +1 -1
  55. package/dist/baseline/finding-identity.js +15 -13
  56. package/dist/baseline/finding-identity.js.map +1 -1
  57. package/dist/baseline/modes.d.ts +140 -0
  58. package/dist/baseline/modes.d.ts.map +1 -0
  59. package/dist/baseline/modes.js +179 -0
  60. package/dist/baseline/modes.js.map +1 -0
  61. package/dist/baseline/policy.d.ts +64 -0
  62. package/dist/baseline/policy.d.ts.map +1 -1
  63. package/dist/baseline/policy.js +102 -1
  64. package/dist/baseline/policy.js.map +1 -1
  65. package/dist/baseline/producers/health.d.ts +2 -2
  66. package/dist/baseline/producers/health.d.ts.map +1 -1
  67. package/dist/baseline/producers/health.js.map +1 -1
  68. package/dist/baseline/producers/index.d.ts +11 -5
  69. package/dist/baseline/producers/index.d.ts.map +1 -1
  70. package/dist/baseline/producers/index.js +12 -9
  71. package/dist/baseline/producers/index.js.map +1 -1
  72. package/dist/baseline/producers/quality.d.ts +3 -3
  73. package/dist/baseline/producers/quality.d.ts.map +1 -1
  74. package/dist/baseline/producers/quality.js.map +1 -1
  75. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  76. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  77. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  78. package/dist/baseline/producers/security.d.ts +2 -2
  79. package/dist/baseline/producers/security.d.ts.map +1 -1
  80. package/dist/baseline/producers/security.js.map +1 -1
  81. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  82. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  83. package/dist/baseline/producers/stale-allow.js +111 -0
  84. package/dist/baseline/producers/stale-allow.js.map +1 -0
  85. package/dist/baseline/producers/tests.d.ts +2 -2
  86. package/dist/baseline/producers/tests.d.ts.map +1 -1
  87. package/dist/baseline/producers/tests.js.map +1 -1
  88. package/dist/baseline/ref-baseline.d.ts +114 -0
  89. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  90. package/dist/baseline/ref-baseline.js +260 -0
  91. package/dist/baseline/ref-baseline.js.map +1 -0
  92. package/dist/baseline/sanitize.d.ts +80 -0
  93. package/dist/baseline/sanitize.d.ts.map +1 -0
  94. package/dist/baseline/sanitize.js +91 -0
  95. package/dist/baseline/sanitize.js.map +1 -0
  96. package/dist/baseline/show.d.ts.map +1 -1
  97. package/dist/baseline/show.js +9 -3
  98. package/dist/baseline/show.js.map +1 -1
  99. package/dist/baseline/types.d.ts +73 -26
  100. package/dist/baseline/types.d.ts.map +1 -1
  101. package/dist/baseline/types.js +7 -1
  102. package/dist/baseline/types.js.map +1 -1
  103. package/dist/baseline/visibility.d.ts +61 -0
  104. package/dist/baseline/visibility.d.ts.map +1 -0
  105. package/dist/baseline/visibility.js +121 -0
  106. package/dist/baseline/visibility.js.map +1 -0
  107. package/dist/cli.d.ts.map +1 -1
  108. package/dist/cli.js +154 -13
  109. package/dist/cli.js.map +1 -1
  110. package/dist/constants.d.ts.map +1 -1
  111. package/dist/constants.js +0 -10
  112. package/dist/constants.js.map +1 -1
  113. package/dist/detect.d.ts.map +1 -1
  114. package/dist/detect.js +0 -15
  115. package/dist/detect.js.map +1 -1
  116. package/dist/doctor.d.ts +78 -1
  117. package/dist/doctor.d.ts.map +1 -1
  118. package/dist/doctor.js +590 -101
  119. package/dist/doctor.js.map +1 -1
  120. package/dist/generator.d.ts.map +1 -1
  121. package/dist/generator.js +15 -0
  122. package/dist/generator.js.map +1 -1
  123. package/dist/issue-cli.d.ts +62 -0
  124. package/dist/issue-cli.d.ts.map +1 -0
  125. package/dist/issue-cli.js +252 -0
  126. package/dist/issue-cli.js.map +1 -0
  127. package/dist/languages/csharp.d.ts.map +1 -1
  128. package/dist/languages/csharp.js +2 -0
  129. package/dist/languages/csharp.js.map +1 -1
  130. package/dist/languages/go.d.ts.map +1 -1
  131. package/dist/languages/go.js +2 -0
  132. package/dist/languages/go.js.map +1 -1
  133. package/dist/languages/index.d.ts +25 -0
  134. package/dist/languages/index.d.ts.map +1 -1
  135. package/dist/languages/index.js +44 -0
  136. package/dist/languages/index.js.map +1 -1
  137. package/dist/languages/java.d.ts.map +1 -1
  138. package/dist/languages/java.js +2 -0
  139. package/dist/languages/java.js.map +1 -1
  140. package/dist/languages/kotlin.d.ts.map +1 -1
  141. package/dist/languages/kotlin.js +2 -0
  142. package/dist/languages/kotlin.js.map +1 -1
  143. package/dist/languages/python.d.ts.map +1 -1
  144. package/dist/languages/python.js +11 -1
  145. package/dist/languages/python.js.map +1 -1
  146. package/dist/languages/ruby.d.ts.map +1 -1
  147. package/dist/languages/ruby.js +2 -0
  148. package/dist/languages/ruby.js.map +1 -1
  149. package/dist/languages/rust.d.ts.map +1 -1
  150. package/dist/languages/rust.js +2 -0
  151. package/dist/languages/rust.js.map +1 -1
  152. package/dist/languages/types.d.ts +45 -0
  153. package/dist/languages/types.d.ts.map +1 -1
  154. package/dist/languages/typescript.d.ts.map +1 -1
  155. package/dist/languages/typescript.js +2 -0
  156. package/dist/languages/typescript.js.map +1 -1
  157. package/dist/prompts.d.ts.map +1 -1
  158. package/dist/prompts.js +0 -5
  159. package/dist/prompts.js.map +1 -1
  160. package/dist/setup-branch-protection.d.ts +34 -0
  161. package/dist/setup-branch-protection.d.ts.map +1 -0
  162. package/dist/setup-branch-protection.js +190 -0
  163. package/dist/setup-branch-protection.js.map +1 -0
  164. package/dist/setup-gh.d.ts +75 -0
  165. package/dist/setup-gh.d.ts.map +1 -0
  166. package/dist/setup-gh.js +213 -0
  167. package/dist/setup-gh.js.map +1 -0
  168. package/dist/setup-prebuild.d.ts +34 -0
  169. package/dist/setup-prebuild.d.ts.map +1 -0
  170. package/dist/setup-prebuild.js +181 -0
  171. package/dist/setup-prebuild.js.map +1 -0
  172. package/dist/ship-installers.d.ts.map +1 -1
  173. package/dist/ship-installers.js +19 -4
  174. package/dist/ship-installers.js.map +1 -1
  175. package/dist/types.d.ts +24 -6
  176. package/dist/types.d.ts.map +1 -1
  177. package/dist/update.d.ts +41 -0
  178. package/dist/update.d.ts.map +1 -1
  179. package/dist/update.js +154 -15
  180. package/dist/update.js.map +1 -1
  181. package/dist/upgrade.d.ts +88 -0
  182. package/dist/upgrade.d.ts.map +1 -0
  183. package/dist/upgrade.js +324 -0
  184. package/dist/upgrade.js.map +1 -0
  185. package/package.json +1 -1
  186. package/templates/.claude/skills/dxkit-action/SKILL.md +111 -17
  187. package/templates/.claude/skills/dxkit-config/SKILL.md +7 -7
  188. package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
  189. package/templates/.claude/skills/dxkit-hooks/SKILL.md +8 -8
  190. package/templates/.claude/skills/dxkit-init/SKILL.md +3 -3
  191. package/templates/.claude/skills/dxkit-learn/SKILL.md +9 -9
  192. package/templates/.claude/skills/dxkit-onboard/SKILL.md +274 -0
  193. package/templates/.claude/skills/dxkit-reports/SKILL.md +18 -18
  194. package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
  195. package/templates/.devcontainer/devcontainer.json +6 -15
  196. package/templates/.devcontainer/post-create.sh +19 -4
  197. package/dist/baseline/producers/licenses.d.ts +0 -23
  198. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  199. package/dist/baseline/producers/licenses.js +0 -46
  200. package/dist/baseline/producers/licenses.js.map +0 -1
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: dxkit-config
3
- description: Edit dxkit configuration — add/remove paths in .dxkit-ignore, tune .vyuh-dxkit.json, adjust .dxkit/policy.json guardrail severity. Use when the user wants to exclude a directory from scanning, change scoring thresholds, or modify what blocks a PR.
3
+ description: Edit dxkit configuration — add/remove paths in .dxkit-ignore, tune .npx vyuh-dxkit.json, adjust .dxkit/policy.json guardrail severity. Use when the user wants to exclude a directory from scanning, change scoring thresholds, or modify what blocks a PR.
4
4
  ---
5
5
 
6
6
  # dxkit-config
@@ -12,7 +12,7 @@ This skill modifies the three configuration files dxkit reads. Reach for it when
12
12
  | File | Purpose | When to edit |
13
13
  |---|---|---|
14
14
  | `.dxkit-ignore` | Extra paths dxkit's analyzers should skip (gitignore-style format) | Vendored code, generated code, test fixtures, large data files |
15
- | `.vyuh-dxkit.json` | Manifest of detected stack + custom settings (regenerated by `init` / `update`) | Rare — usually let `dxkit update` regenerate. Override version pins or framework detection here. |
15
+ | `.npx vyuh-dxkit.json` | Manifest of detected stack + custom settings (regenerated by `init` / `update`) | Rare — usually let `dxkit update` regenerate. Override version pins or framework detection here. |
16
16
  | `.dxkit/policy.json` | Severity policy for guardrail check | Customize what blocks a PR (e.g., demote `medium` to warning) |
17
17
 
18
18
  ## Adding a path to `.dxkit-ignore`
@@ -62,7 +62,7 @@ build/
62
62
  target/
63
63
  ```
64
64
 
65
- ## Tuning `.vyuh-dxkit.json`
65
+ ## Tuning `.npx vyuh-dxkit.json`
66
66
 
67
67
  This file is mostly auto-generated. Common manual edits:
68
68
 
@@ -80,7 +80,7 @@ This file is mostly auto-generated. Common manual edits:
80
80
  }
81
81
  ```
82
82
 
83
- When you edit this file, run `vyuh-dxkit update` to propagate changes through the rest of the scaffold (per-language rules, devcontainer features, etc.). Use `--force` only if you've also edited evolving files — otherwise `update` preserves customer changes.
83
+ When you edit this file, run `npx vyuh-dxkit update` to propagate changes through the rest of the scaffold (per-language rules, devcontainer features, etc.). Use `--force` only if you've also edited evolving files — otherwise `update` preserves customer changes.
84
84
 
85
85
  ## Customizing `.dxkit/policy.json`
86
86
 
@@ -106,15 +106,15 @@ Each finding-kind has `block` (exit 1) and `warn` (log only) lists. Adjust to yo
106
106
  { "secret": { "block": ["critical", "high"] } }
107
107
  ```
108
108
 
109
- Run `vyuh-dxkit guardrail check --policy=.dxkit/policy.json` to test the new policy. If no `policy.json` exists, dxkit uses the built-in defaults.
109
+ Run `npx vyuh-dxkit guardrail check --policy=.dxkit/policy.json` to test the new policy. If no `policy.json` exists, dxkit uses the built-in defaults.
110
110
 
111
111
  ## Workflow
112
112
 
113
113
  When the user asks for a config change:
114
114
 
115
- 1. Identify which file owns the concern (path exclusion → `.dxkit-ignore`; severity routing → `.dxkit/policy.json`; detection override → `.vyuh-dxkit.json`).
115
+ 1. Identify which file owns the concern (path exclusion → `.dxkit-ignore`; severity routing → `.dxkit/policy.json`; detection override → `.npx vyuh-dxkit.json`).
116
116
  2. Open the file, propose the edit, confirm.
117
- 3. After writing, run `vyuh-dxkit baseline create --force` if exclusions changed (so the baseline doesn't carry stale findings from the now-excluded paths).
117
+ 3. After writing, run `npx vyuh-dxkit baseline create --force` if exclusions changed (so the baseline doesn't carry stale findings from the now-excluded paths).
118
118
  4. Commit both: the config file + the regenerated baseline.
119
119
 
120
120
  ## What NOT to do
@@ -0,0 +1,165 @@
1
+ ---
2
+ name: dxkit-fix
3
+ description: Repair a broken dxkit install — read doctor's structured output and walk the customer through each fix. Use when the user asks "fix dxkit", "fix my dxkit install", "doctor says X but Y is broken", "the pre-push hook isn't firing", "vyuh-dxkit command not found", or anything else that points at a broken-install state. Hands off to dxkit-init for fresh installs and dxkit-hooks for hook-specific deep dives.
4
+ ---
5
+
6
+ # dxkit-fix
7
+
8
+ This skill repairs broken dxkit installs. It does NOT install dxkit from scratch (that's `dxkit-init`) and it does NOT triage code findings (that's `dxkit-action`). Use it when something about the install itself is wrong — hooks not firing, vyuh-dxkit not on PATH, scanner toolchain missing pieces, baseline absent, etc.
9
+
10
+ ## How dxkit-fix works
11
+
12
+ The skill consumes `npx vyuh-dxkit doctor --json` output. Doctor returns a structured `DoctorReport` with a `summary.fixable[]` array — every failing check carries:
13
+
14
+ - `label` — the problem in one line
15
+ - `fix.hint` — the human-readable explanation
16
+ - `fix.command` — the shell command that repairs it (optional)
17
+ - `fix.skill` — a more specific dxkit-* skill that can deep-dive (optional)
18
+
19
+ The skill iterates `summary.fixable[]`, asks the customer for confirmation on each fix (with the command shown), runs it, then re-runs doctor at the end to verify everything closed.
20
+
21
+ ## The repair loop
22
+
23
+ ```
24
+ [1] Run doctor in JSON mode → npx vyuh-dxkit doctor --json
25
+ [2] Read summary.fixable[] → enumerate broken signals + fix commands
26
+ [3] For each fixable:
27
+ [3a] Show the customer: label + hint + command
28
+ [3b] Confirm (default Y)
29
+ [3c] Run the command in their shell
30
+ [3d] Note success/failure
31
+ [4] Re-run doctor → verify the previously-fixable list is now empty
32
+ [5] Report what remains → any non-fixable failures + which dxkit-* skill handles them
33
+ ```
34
+
35
+ ## Steps
36
+
37
+ ### 1. Snapshot the broken state
38
+
39
+ ```bash
40
+ npx vyuh-dxkit doctor --json > /tmp/dxkit-doctor.json
41
+ ```
42
+
43
+ Capturing to a file (instead of piping inline) lets the customer re-read what was broken if a fix takes multiple iterations.
44
+
45
+ ### 2. Read the fixable list
46
+
47
+ The JSON has shape `{ schema: "doctor.v1", checks: [...], summary: { fixable: [...] } }`. Iterate `summary.fixable` only — each entry has `ok: false` AND a `fix` block. Failing checks WITHOUT a fix block are informational (e.g. a missing optional toolchain) and shouldn't be touched here.
48
+
49
+ ### 3. Walk the customer through each fix
50
+
51
+ For every fixable entry, present:
52
+
53
+ | Field | What to show |
54
+ |---|---|
55
+ | `label` | Section heading ("git hooks active — not activated") |
56
+ | `fix.hint` | One-line "what this means" explanation |
57
+ | `fix.command` | The exact shell command, in a code block |
58
+ | `fix.skill` (if present and ≠ dxkit-fix) | "For a deeper walkthrough, ask Claude Code: 'set up hooks'" (or whatever the skill's trigger is) |
59
+
60
+ Then ASK the customer: "Run this fix? [Y/n]". Default Y. If they decline, skip and move on.
61
+
62
+ When they confirm, run the command. Stream output. Note the exit code.
63
+
64
+ ### 4. Idempotency check
65
+
66
+ Every fix command in the doctor output is designed to be idempotent — re-running it on a working install is a no-op (or a refresh). So even if a customer answers Y twice by accident, nothing breaks.
67
+
68
+ ### 5. Verify with a second doctor run
69
+
70
+ After all fixes are applied (or declined), run `npx vyuh-dxkit doctor --json` again. The new `summary.fixable[]` should be a strict subset of the first run's. If something didn't close, surface it with the original `fix.hint` and offer to retry or escalate to the more specific skill.
71
+
72
+ ## What dxkit-fix can repair
73
+
74
+ Driven by doctor's tier 3 (operational health) — these are the canonical repairables today:
75
+
76
+ | Symptom (doctor label) | Fix command | Notes |
77
+ |---|---|---|
78
+ | `git hooks active` not active | `npx vyuh-dxkit hooks activate` | Sets `core.hooksPath = .githooks`. Refuses to clobber husky/lefthook configs. |
79
+ | `baseline captured` missing | `npx vyuh-dxkit baseline create` | First-run: locks in today's findings as "pre-existing." Warn customer this is value-laden — see "Capturing the FIRST baseline" below. |
80
+ | `vyuh-dxkit on PATH` not found | `npm install -g @vyuhlabs/dxkit` | Global install ensures the bare CLI works in any shell session. |
81
+ | `scanner toolchain` missing pieces | `npx vyuh-dxkit tools install --yes` | Reinstalls any ✗ tools per TOOL_DEFS. Idempotent on already-installed tools. |
82
+ | `.npmrc legacy-peer-deps persistence` missing | `echo "legacy-peer-deps=true" >> .npmrc` | Locks in the peer-dep resolution mode for future `npm install` calls. |
83
+ | `CI guardrails workflow` missing | `npx vyuh-dxkit init --with-ci --yes` | Adds the dxkit-guardrails.yml workflow. Idempotent. |
84
+ | Agent DX tier failures (manifest missing, AGENTS.md missing, .claude/* missing) | `npx vyuh-dxkit init --full --yes` or `npx vyuh-dxkit update` | Init for fresh installs; update for refreshes. |
85
+
86
+ ## Capturing the FIRST baseline — be deliberate
87
+
88
+ Of all the fixes, `baseline create` is the only one with permanent consequences. The baseline records the fingerprint of every finding currently in the repo and tells future scans "these are pre-existing — don't block on them."
89
+
90
+ If the customer's repo has uncaptured findings that are real security issues (hardcoded secrets, leaked API keys, etc.), creating a baseline NOW locks those in as accepted. They won't trip the guardrail check.
91
+
92
+ Before running `baseline create` on a customer who has NEVER captured one, surface this tradeoff:
93
+
94
+ > Capturing a baseline locks in **N** current findings as "pre-existing." If any of those are real defects you'd want to fix first (secrets to rotate, vulnerable deps to upgrade), tell me and I'll show you what's flagged so we can triage before baseline.
95
+ >
96
+ > Skip baseline now if: you have secrets in the repo, or you'd rather fix-as-you-go than accept the current state.
97
+ > Capture baseline now if: the codebase is a known-messy brownfield and you want guardrails on future regressions specifically.
98
+
99
+ If they say "show me what's flagged first," hand off to `dxkit-action` — that skill triages findings before baseline lock-in.
100
+
101
+ ## What dxkit-fix can NOT repair
102
+
103
+ These need a different skill or human action:
104
+
105
+ - **Code findings** (hardcoded secrets, lint errors, duplicates, missing tests) — `dxkit-action` handles triage + fixing. Doctor only flags that the install is working; the analyzer results are a separate surface.
106
+ - **Branch protection on the GitHub repo** — needs `gh api` credentials + repo-admin rights. The `setup-branch-protection` CLI (when available) wraps this. If doctor flags the workflow as missing but the customer's CI is healthy on PRs, this is a documentation gap, not an install gap.
107
+ - **Real secret rotation** — even after dxkit detects a hardcoded API key, the credential needs to be rotated in its issuing provider's UI by a human.
108
+ - **External tool toolchains** (e.g. a Go compiler for stacks that don't have Go) — dxkit's TOOL_DEFS install most scanner tools; toolchains for the customer's project itself are out of scope.
109
+
110
+ ## When to delegate to a more specific dxkit-* skill
111
+
112
+ Doctor's `fix.skill` field signals "this is more nuanced than a single command — walk through it via that skill." Cases:
113
+
114
+ | `fix.skill` | When to delegate |
115
+ |---|---|
116
+ | `dxkit-init` | Customer doesn't have a manifest at all — they need the full first-install flow, not a repair. |
117
+ | `dxkit-hooks` | Hook-related repair where the customer also wants chaining advice (husky/lefthook integration, bypass workflow, removal). |
118
+ | `dxkit-config` | Customer wants to tune what dxkit flags (e.g. exclude a vendored dir, adjust severity policy) rather than fix a broken state. |
119
+ | (no skill, command only) | Plain repair — apply the command and move on. |
120
+
121
+ If `fix.skill === "dxkit-fix"`, that's the default path — handle it here.
122
+
123
+ ## Idempotency + safety
124
+
125
+ Every repair this skill drives is idempotent and reversible:
126
+
127
+ - `hooks activate` is no-op if hooks already pointed at .githooks
128
+ - `baseline create` refuses to overwrite an existing baseline without `--force` — so accidentally running it twice can't corrupt state
129
+ - `tools install --yes` skips already-installed tools (per TOOL_DEFS check command)
130
+ - `npm install -g @vyuhlabs/dxkit` upgrades or installs as needed; no data loss
131
+ - `.npmrc` append is line-deduplicated
132
+
133
+ So a customer who declines a fix, then runs into it again later, can re-invoke the skill with no penalty.
134
+
135
+ ## Failure modes
136
+
137
+ If a fix command fails (non-zero exit):
138
+
139
+ 1. **Capture the stderr** so the customer can see why
140
+ 2. **Don't auto-retry** — the customer's environment may have a problem the fix can't solve (no network, permission denied, registry hiccup)
141
+ 3. **Suggest a manual workaround** if there's an obvious one (e.g. for global install failures, suggest `sudo npm install -g` on systems where the npm prefix isn't user-writable)
142
+ 4. **Continue with the remaining fixes** — one failure shouldn't block the rest
143
+
144
+ Surface failures in the final summary alongside what DID get fixed.
145
+
146
+ ## Final summary
147
+
148
+ After the loop completes, structure the report:
149
+
150
+ ```
151
+ ✓ Repaired:
152
+ • git hooks active
153
+ • vyuh-dxkit on PATH
154
+
155
+ ✗ Failed:
156
+ • baseline captured — `vyuh-dxkit baseline create` exit 1 (no .dxkit/ write permission?)
157
+
158
+ → Skipped:
159
+ • .npmrc legacy-peer-deps persistence (you declined)
160
+
161
+ Remaining issues (not auto-fixable):
162
+ • CI guardrails workflow missing → ask 'set up dxkit init' to walk through init --with-ci
163
+ ```
164
+
165
+ End with a one-line CTA: "Run `npx vyuh-dxkit doctor` to confirm the final state, or ask 'fix dxkit' again if anything new comes up."
@@ -13,7 +13,7 @@ This skill handles the git-hook surface dxkit ships. Use it to install hooks, de
13
13
 
14
14
  `.githooks/pre-commit` (opt-in via `--with-precommit-hook`) — same guardrail check but on every commit. Slower on large repos (~1-3 min on 500+ file repos). Not in `--full` by default because the wall-clock cost gates adoption.
15
15
 
16
- Both run `vyuh-dxkit guardrail check`. The check exits 1 (blocking) on net-new findings vs. the baseline.
16
+ Both run `npx vyuh-dxkit guardrail check`. The check exits 1 (blocking) on net-new findings vs. the baseline.
17
17
 
18
18
  ## Installation
19
19
 
@@ -36,21 +36,21 @@ Hooks activate by setting `core.hooksPath = .githooks` in the local git config.
36
36
 
37
37
  ```bash
38
38
  # Either of these works
39
- vyuh-dxkit hooks activate
39
+ npx vyuh-dxkit hooks activate
40
40
  git config core.hooksPath .githooks
41
41
  ```
42
42
 
43
- `vyuh-dxkit hooks activate` is idempotent — refuses to clobber a custom hooksPath (husky's `.husky`, lefthook's `.lefthook`, etc.). Run it to confirm the current state.
43
+ `npx vyuh-dxkit hooks activate` is idempotent — refuses to clobber a custom hooksPath (husky's `.husky`, lefthook's `.lefthook`, etc.). Run it to confirm the current state.
44
44
 
45
45
  ## Troubleshooting "hook didn't fire"
46
46
 
47
47
  Walk this checklist:
48
48
 
49
49
  1. **Hook file exists**: `ls -la .githooks/pre-push` — should be executable.
50
- 2. **hooksPath is wired**: `git config --local --get core.hooksPath` should print `.githooks`. If empty or pointing elsewhere, run `vyuh-dxkit hooks activate`.
51
- 3. **dxkit binary is on PATH**: from the repo root, `which vyuh-dxkit` should resolve (either project-local `./node_modules/.bin/vyuh-dxkit` or global). The hook delegates to whichever it finds.
52
- 4. **Baseline exists**: `test -f .dxkit/baselines/main.json` — without a baseline the guardrail has nothing to compare against. Run `vyuh-dxkit baseline create`.
53
- 5. **Run the check by hand**: `vyuh-dxkit guardrail check` from the repo root. Expected: exits 1 on net-new findings (red), 0 on clean diff (green).
50
+ 2. **hooksPath is wired**: `git config --local --get core.hooksPath` should print `.githooks`. If empty or pointing elsewhere, run `npx vyuh-dxkit hooks activate`.
51
+ 3. **dxkit binary is on PATH**: from the repo root, `which npx vyuh-dxkit` should resolve (either project-local `./node_modules/.bin/vyuh-dxkit` or global). The hook delegates to whichever it finds.
52
+ 4. **Baseline exists**: `test -f .dxkit/baselines/main.json` — without a baseline the guardrail has nothing to compare against. Run `npx vyuh-dxkit baseline create`.
53
+ 5. **Run the check by hand**: `npx vyuh-dxkit guardrail check` from the repo root. Expected: exits 1 on net-new findings (red), 0 on clean diff (green).
54
54
 
55
55
  If all five pass and the hook still doesn't fire, the most common cause is a competing hook system. `git config --global --get core.hooksPath` could be set globally to something else.
56
56
 
@@ -81,7 +81,7 @@ This skips ALL git hooks (not just dxkit's). After the emergency:
81
81
  2. Either fix the regression in a follow-up commit OR
82
82
  3. Re-baseline if the regression is intentional and accepted:
83
83
  ```bash
84
- vyuh-dxkit baseline create --force
84
+ npx vyuh-dxkit baseline create --force
85
85
  git add .dxkit/baselines/main.json
86
86
  git commit -m "chore(baseline): accept regression from <ref>"
87
87
  ```
@@ -66,7 +66,7 @@ Ask the user what they want, then pick the right invocation:
66
66
 
67
67
  ## Common pitfalls
68
68
 
69
- - **No package.json**: `npm init @vyuhlabs/dxkit` seeds a minimal one. For Python-only / Go-only repos, install dxkit globally instead: `npm install -g @vyuhlabs/dxkit && vyuh-dxkit init --full --yes`.
69
+ - **No package.json**: `npm init @vyuhlabs/dxkit` seeds a minimal one. For Python-only / Go-only repos, install dxkit globally instead: `npm install -g @vyuhlabs/dxkit && npx vyuh-dxkit init --full --yes`.
70
70
  - **Existing .claude/ from 2.5.0**: dxkit init is additive — your existing `.claude/` files are preserved. To switch to the new dxkit-specific shape, delete the old `.claude/` dir first, then re-init.
71
71
  - **Peer-dep ERESOLVE during `npm install`**: `npm init @vyuhlabs/dxkit` automatically retries with `--legacy-peer-deps`. Manual installs may need that flag.
72
72
  - **Brownfield repo with thousands of existing findings**: that's normal — the baseline records them all once. Guardrail only blocks net-new findings.
@@ -77,7 +77,7 @@ A complete install lays down ~15-20 files (down from the 2.5.0 ~73-file scaffold
77
77
 
78
78
  - `.dxkit/baselines/main.json` (after `baseline create`)
79
79
  - `.dxkit-ignore` (starter template)
80
- - `.vyuh-dxkit.json` (manifest)
80
+ - `.npx vyuh-dxkit.json` (manifest)
81
81
  - `.githooks/pre-push`
82
82
  - `.github/workflows/dxkit-guardrails.yml`
83
83
  - `.github/workflows/dxkit-baseline-refresh.yml`
@@ -89,5 +89,5 @@ A complete install lays down ~15-20 files (down from the 2.5.0 ~73-file scaffold
89
89
  - `.claude/settings.json` (narrowed: dxkit-binary permissions only)
90
90
  - `AGENTS.md` (project prose context for any agent — Claude, Codex, Cursor, Aider)
91
91
  - `CLAUDE.md` (shim pointing at AGENTS.md)
92
- - `package.json` (postinstall = `vyuh-dxkit hooks activate`)
92
+ - `package.json` (postinstall = `npx vyuh-dxkit hooks activate`)
93
93
  - `.gitignore` (additive: `.dxkit/reports/`, `.dxkit/cache/`, `graphify-out/`)
@@ -30,11 +30,11 @@ Each dimension is a 0-100 score with letter grade (A≥80, B≥60, C≥40, D≥2
30
30
  | **Maintainability** | Function/file size outliers, deep cyclomatic complexity, god-objects, high orphan-module count, dead imports |
31
31
  | **Developer Experience** | Missing `.gitignore` / `.editorconfig` / `package.json` engines pin / devcontainer / hooks / CI workflow |
32
32
 
33
- Run `vyuh-dxkit health` to see all six at once. Each dimension report has a "top actions" list — the changes that would lift the score the most.
33
+ Run `npx vyuh-dxkit health` to see all six at once. Each dimension report has a "top actions" list — the changes that would lift the score the most.
34
34
 
35
35
  ## The scanner toolchain
36
36
 
37
- dxkit doesn't write parsers — it orchestrates established tools and computes scores. The full list is in `TOOL_DEFS` (or run `vyuh-dxkit tools list`). Key ones:
37
+ dxkit doesn't write parsers — it orchestrates established tools and computes scores. The full list is in `TOOL_DEFS` (or run `npx vyuh-dxkit tools list`). Key ones:
38
38
 
39
39
  - **gitleaks** — secret scanning (API keys, AWS credentials, GitHub tokens)
40
40
  - **semgrep** — multi-language SAST (auto config picks rulesets per active language pack)
@@ -59,10 +59,10 @@ That's why "fix a critical, leave the medium" works — the medium's fingerprint
59
59
  Commands:
60
60
 
61
61
  ```bash
62
- vyuh-dxkit baseline create # Capture current state into .dxkit/baselines/main.json
63
- vyuh-dxkit baseline show # Summarize what's recorded
64
- vyuh-dxkit baseline show --kind secret # Drill into a specific finding kind
65
- vyuh-dxkit guardrail check # Diff current scan vs baseline; exit 1 on net-new
62
+ npx vyuh-dxkit baseline create # Capture current state into .dxkit/baselines/main.json
63
+ npx vyuh-dxkit baseline show # Summarize what's recorded
64
+ npx vyuh-dxkit baseline show --kind secret # Drill into a specific finding kind
65
+ npx vyuh-dxkit guardrail check # Diff current scan vs baseline; exit 1 on net-new
66
66
  ```
67
67
 
68
68
  ## Hooks
@@ -76,9 +76,9 @@ Activation is wired via `npm postinstall` so `npm install` after `git clone` set
76
76
 
77
77
  ## How to learn more
78
78
 
79
- - `vyuh-dxkit <subcommand> --help` — flag reference
80
- - `vyuh-dxkit baseline show` — what your repo already has recorded
79
+ - `npx vyuh-dxkit <subcommand> --help` — flag reference
80
+ - `npx vyuh-dxkit baseline show` — what your repo already has recorded
81
81
  - `.dxkit/reports/` — every analyzer's markdown + JSON output from the last run
82
- - `vyuh-dxkit dashboard` — single HTML view of every report
82
+ - `npx vyuh-dxkit dashboard` — single HTML view of every report
83
83
 
84
84
  When the user asks specifically about a scanner or a finding type, point them at the relevant report or run the relevant analyzer command directly.
@@ -0,0 +1,274 @@
1
+ ---
2
+ name: dxkit-onboard
3
+ description: Walk a customer through setting up dxkit on a repo from scratch — checks state, installs, scaffolds, configures hooks, runs doctor, fixes any gaps, captures the first baseline, sets up branch protection + Codespaces prebuild. Use when the user asks "set me up", "install dxkit on this repo", "I want to use dxkit", "walk me through dxkit setup", "help me get started with dxkit", or anything about onboarding a fresh repo. Asks for confirmation at each step with sensible defaults; hands off to dxkit-fix mid-flow when doctor surfaces gaps.
4
+ ---
5
+
6
+ # dxkit-onboard
7
+
8
+ This skill drives the FULL new-customer journey end-to-end. It's the "I have nothing — set me up" surface (complement to `dxkit-update` for existing-install upgrades and `dxkit-fix` for repairs).
9
+
10
+ Unlike the other dxkit-* skills which are each scoped to a single domain (install / config / hooks / etc.), dxkit-onboard orchestrates across them. It dispatches into `dxkit-init` for flag choices, `dxkit-fix` for gap closure, `dxkit-hooks` for hook deep-dives — composing a single coherent customer conversation.
11
+
12
+ ## When to use this skill
13
+
14
+ Use when:
15
+
16
+ - "Set me up"
17
+ - "Install dxkit on this repo"
18
+ - "I want to use dxkit"
19
+ - "Walk me through dxkit setup"
20
+ - "Help me get started with dxkit"
21
+ - "First time using dxkit"
22
+
23
+ Don't use when:
24
+
25
+ - Customer already has `.vyuh-dxkit.json` AND is asking about a specific task (use the focused skill — dxkit-reports, dxkit-action, etc.)
26
+ - Customer wants to UPGRADE an existing install (use `dxkit-update`)
27
+ - Something is broken (use `dxkit-fix`)
28
+
29
+ ## The onboarding journey
30
+
31
+ ```
32
+ [1] State check → is dxkit installed? scaffold present? baseline captured? hooks active?
33
+ [2] Install if needed → npm init @vyuhlabs/dxkit OR npx vyuh-dxkit init --full --yes
34
+ [3] Doctor → npx vyuh-dxkit doctor (parse summary.fixable[])
35
+ [4] Fix gaps → dispatch through dxkit-fix for each fixable signal
36
+ [5] Capture baseline → npx vyuh-dxkit baseline create (with explicit secrets-warning)
37
+ [6] Pre-commit ASK → opt-in based on repo size (>500 files: default no)
38
+ [7] Postinstall chain → opt-in to auto-activate hooks for teammates
39
+ [8] Branch protection → ASK to run vyuh-dxkit setup-branch-protection
40
+ [9] Codespaces prebuild → ASK to run vyuh-dxkit setup-prebuild (if customer uses Codespaces)
41
+ [10] Final verify → re-run doctor; show green; surface any remaining gaps
42
+ ```
43
+
44
+ Each step ASKS the customer with a sensible default — never silent execution. The customer can decline any step; default behavior shouldn't surprise them.
45
+
46
+ ## Steps
47
+
48
+ ### 1. State check
49
+
50
+ Before recommending anything, snapshot the customer's current state:
51
+
52
+ ```bash
53
+ # Does the manifest exist?
54
+ test -f .vyuh-dxkit.json && echo "has-manifest" || echo "fresh"
55
+
56
+ # Is dxkit on PATH?
57
+ command -v vyuh-dxkit && echo "binary-on-path" || echo "binary-missing"
58
+
59
+ # Is the workspace a git repo?
60
+ git rev-parse --is-inside-work-tree 2>/dev/null && echo "git-ok" || echo "not-a-repo"
61
+ ```
62
+
63
+ Branch the conversation on the result:
64
+
65
+ - **Fresh repo (no manifest)**: go to step 2 (install)
66
+ - **Manifest exists**: this customer already onboarded. Pivot: "Looks like dxkit is already installed. Are you trying to upgrade (→ dxkit-update) or fix something (→ dxkit-fix)?"
67
+ - **Not a git repo**: stop. "dxkit needs a git repo. Run `git init` first, then come back."
68
+
69
+ ### 2. Install if needed
70
+
71
+ For a fresh install, the canonical command is:
72
+
73
+ ```bash
74
+ npm init @vyuhlabs/dxkit
75
+ ```
76
+
77
+ This runs `create-dxkit` which installs `@vyuhlabs/dxkit` as a devDep and then runs `npx vyuh-dxkit init --full --yes` (which scaffolds everything: skills, AGENTS.md, CLAUDE.md, devcontainer, hooks, CI workflows).
78
+
79
+ Before running, ASK:
80
+
81
+ - **"Full install (recommended)?"** — yes runs the above; no asks for flag choices and routes through `dxkit-init`'s decision tree.
82
+
83
+ Optional flags worth surfacing if the customer pushes back on "full":
84
+
85
+ - `--with-dxkit-agents` — just the 8 dxkit-* skills (no hooks, no CI)
86
+ - `--with-hooks --with-dxkit-agents` — skills + pre-push hook
87
+ - `--with-precommit-hook` — also pre-commit (slow on large repos)
88
+
89
+ If the customer wants more granularity, hand off to `dxkit-init` for the full flag explanation.
90
+
91
+ ### 3. Doctor
92
+
93
+ After install, run:
94
+
95
+ ```bash
96
+ npx vyuh-dxkit doctor --json > /tmp/dxkit-onboard-doctor.json
97
+ ```
98
+
99
+ Parse `summary.fixable[]`. Most fresh-install gaps will be operational (hooks not yet activated by postinstall trigger; baseline not captured yet; etc.) rather than scaffold-missing.
100
+
101
+ ### 4. Fix gaps
102
+
103
+ For each fixable signal in doctor's output, dispatch through `dxkit-fix`'s recovery loop. Most common fresh-install gaps:
104
+
105
+ - `git hooks active` not active → `npx vyuh-dxkit hooks activate`
106
+ - `baseline captured` missing → defer to step 5 (we'll handle that explicitly with the secrets warning)
107
+ - `vyuh-dxkit on PATH` missing → `npm install -g @vyuhlabs/dxkit`
108
+ - `scanner toolchain` incomplete → `npx vyuh-dxkit tools install --yes`
109
+
110
+ Don't auto-execute baseline capture here — step 5 has a values-laden warning that needs explicit customer confirmation.
111
+
112
+ ### 5. Capture baseline (carefully)
113
+
114
+ This is the step with permanent consequences. The baseline records the fingerprint of every finding currently in the repo and tells future scans "these are pre-existing — don't block on them."
115
+
116
+ Before running `baseline create` on a fresh customer, ASK about disclosure posture (the baseline file is committed to git):
117
+
118
+ > **About to capture the first baseline. One quick choice first — which posture fits this repo?**
119
+ >
120
+ > The baseline file lives at `.dxkit/baselines/main.json`. Three modes trade disclosure for diagnostic richness:
121
+ >
122
+ > - **`committed-full`** (default for private repos) — Rich entries with file paths, package names, advisory IDs. Best diagnostic quality. Fine when only your team reads the repo.
123
+ > - **`committed-sanitized`** (compliance-conscious private) — Stripped to fingerprint + kind only. Hides location detail; matching still works. Good when many people have repo read access.
124
+ > - **`ref-based`** (default for public repos) — No baseline file at all. Each guardrail check recomputes the prior side from a git ref (e.g. `origin/main`). Zero disclosure.
125
+ >
126
+ > Auto-pick: run `vyuh-dxkit baseline create` and dxkit picks the right default by probing `gh repo view`. Or pin explicitly via `--mode=<X>` or `.dxkit/policy.json`.
127
+
128
+ Then the standard "lock-in" warning:
129
+
130
+ > **About to capture the first baseline.**
131
+ >
132
+ > This locks in ALL current findings as "pre-existing" — they won't block future PRs. If your repo has real secrets, vulnerable deps, or other defects you'd want to fix FIRST, tell me and I'll show you what's flagged so we can triage before baseline.
133
+ >
134
+ > Capture baseline now if: codebase is known-messy brownfield and you want guardrails on FUTURE regressions specifically.
135
+ >
136
+ > Skip baseline now if: you have secrets in the repo, or you'd rather fix-as-you-go than accept the current state.
137
+
138
+ If they want to triage first, hand off to `dxkit-action` — that skill prioritizes findings before baseline lock-in. Come back to step 5 after triage.
139
+
140
+ If they confirm baseline (and they're happy with auto-picked mode):
141
+
142
+ ```bash
143
+ npx vyuh-dxkit baseline create
144
+ git add .dxkit/baselines/ # only if mode wrote a file (committed-*)
145
+ git commit -m "chore: capture dxkit baseline"
146
+ ```
147
+
148
+ If they want to PIN the mode explicitly (so every developer + CI run agrees), write `.dxkit/policy.json`:
149
+
150
+ ```bash
151
+ mkdir -p .dxkit
152
+ cat > .dxkit/policy.json <<'JSON'
153
+ {
154
+ "baseline": {
155
+ "mode": "ref-based",
156
+ "ref": "origin/main"
157
+ }
158
+ }
159
+ JSON
160
+ git add .dxkit/policy.json
161
+ git commit -m "chore: pin baseline mode in policy.json"
162
+ ```
163
+
164
+ ### 6. Pre-commit ASK
165
+
166
+ Pre-commit is opt-in even under `--full` because it re-runs every analyzer on every commit (~1-3 min on 500+ file repos). Most teams skip it.
167
+
168
+ ASK:
169
+
170
+ > **Add pre-commit hook?** Default no. Pre-commit catches regressions before commit (vs pre-push catching them before push). Tradeoff: ~1-3 min wall-clock on every commit for a 500+ file repo. Most teams accept the pre-push-only model.
171
+
172
+ Default recommendation by repo size:
173
+ - `find . -type f -name "*.ts" -o -name "*.py" -o -name "*.go" 2>/dev/null | wc -l` < 200 → default Yes
174
+ - > 500 → default No
175
+ - In between → ask without a strong default
176
+
177
+ If yes, run `npx vyuh-dxkit init --with-precommit-hook --yes` to add the pre-commit hook.
178
+
179
+ ### 7. Postinstall chain
180
+
181
+ If the customer's `package.json` already has a `postinstall` script (most non-trivial repos do — patch-package, husky, monorepo bootstrap), dxkit won't auto-chain its hook activation into it. Teammates who clone the repo and run `npm install` won't get hooks wired automatically.
182
+
183
+ ASK:
184
+
185
+ > **Chain dxkit-hooks-activate into your existing postinstall?** Default yes. Without this, teammates who clone won't get hooks wired automatically.
186
+ >
187
+ > Current postinstall: `<read from package.json>`
188
+ > Proposed: `<current> && vyuh-dxkit hooks activate`
189
+
190
+ If yes, hand off to `dxkit-hooks` for the actual edit (it knows the safe append pattern + how to deal with sidecar files).
191
+
192
+ ### 8. Branch protection ASK
193
+
194
+ Local hooks are fast feedback; CI is the unbypassable enforcement. Branch protection wires CI as a required status check — without it, the dxkit-guardrails workflow is informational and PRs can merge even when it fails.
195
+
196
+ ASK:
197
+
198
+ > **Configure branch protection now?** Default yes. Adds `dxkit-guardrails` as a required status check on `<default branch>`. Requires admin permission on the GitHub repo. Without this, the CI workflow is informational — PRs can merge even on guardrail failures.
199
+
200
+ If yes:
201
+
202
+ ```bash
203
+ npx vyuh-dxkit setup-branch-protection
204
+ ```
205
+
206
+ If the customer isn't a repo admin (HTTP 403), surface the manual UI path: Settings → Branches → Add rule → Require status checks → check `dxkit-guardrails`. Or ask their repo admin to run the command.
207
+
208
+ ### 9. Codespaces prebuild ASK
209
+
210
+ Only relevant if the customer's team uses Codespaces. ASK:
211
+
212
+ > **Does your team use GitHub Codespaces?** [Y/N]
213
+ >
214
+ > If yes: configuring a prebuild drops cold-start from ~7 min to ~30s. Trivial to set up; storage costs ~$3-5/month per region.
215
+
216
+ If yes:
217
+
218
+ ```bash
219
+ npx vyuh-dxkit setup-prebuild
220
+ ```
221
+
222
+ Same admin-permission caveat as step 8.
223
+
224
+ ### 10. Final verify
225
+
226
+ Re-run doctor:
227
+
228
+ ```bash
229
+ npx vyuh-dxkit doctor
230
+ ```
231
+
232
+ Report the results:
233
+
234
+ - **All green** → "You're fully set up. dxkit will guard your next push. Run `vyuh-dxkit health` whenever you want to see scores."
235
+ - **Remaining fixable gaps** → hand off to `dxkit-fix` for each one. Don't end with broken signals.
236
+
237
+ ## What dxkit-onboard can NOT do
238
+
239
+ - **Auto-decide values-laden questions** — baseline lock-in (step 5), pre-commit opt-in (step 6), postinstall chaining (step 7), branch protection (step 8) all require explicit customer confirmation. Never silently execute these.
240
+ - **Fix repos that aren't git repos** — surface the "git init first" step and stop.
241
+ - **Triage code findings** — that's `dxkit-action`. Hand off when the customer wants to evaluate findings before baseline.
242
+ - **Install on a non-Node project** — dxkit can still scan non-Node projects but `npm init @vyuhlabs/dxkit` needs Node + npm. Surface the requirement; offer global install path as a fallback.
243
+
244
+ ## Boundary with other lifecycle skills
245
+
246
+ | Customer state | Reach for |
247
+ |---|---|
248
+ | "I have nothing" | **dxkit-onboard (this skill)** |
249
+ | "I have working install, make it newer" | `dxkit-update` |
250
+ | "Doctor says X is broken" | `dxkit-fix` |
251
+ | "Run a report" | `dxkit-reports` |
252
+ | "Fix code findings" | `dxkit-action` |
253
+ | "Edit dxkit configuration" | `dxkit-config` |
254
+ | "Set up / troubleshoot hooks" | `dxkit-hooks` |
255
+ | "Explain dxkit concepts" | `dxkit-learn` |
256
+ | "Choose init flags" | `dxkit-init` |
257
+
258
+ When in doubt, dxkit-onboard handles the full first-install journey and delegates to focused skills for sub-decisions. After step 10, the customer should never need dxkit-onboard again — they'd reach for dxkit-update (newer dxkit), dxkit-fix (broken signal), or one of the work skills (reports/action/config/hooks).
259
+
260
+ ## Final report
261
+
262
+ ```
263
+ ✓ Fresh dxkit install complete:
264
+ • Binary: 2.5.X installed globally + project-local
265
+ • Scaffold: 8 dxkit-* skills, AGENTS.md, CLAUDE.md, devcontainer, hooks, CI workflows
266
+ • Doctor: 14/14 (Reports + Agent DX + Operational health)
267
+ • Baseline: N findings locked in (or "skipped — you're triaging first")
268
+ • Pre-commit: yes/no (your choice)
269
+ • Postinstall chain: yes/no (your choice)
270
+ • Branch protection: configured / declined / failed (admin permission)
271
+ • Codespaces prebuild: configured / declined / N/A
272
+ ```
273
+
274
+ End with a one-line CTA: "Try it: edit a file, `git push`, and watch the hook fire. Or ask 'run health' to see your dxkit scores."