@vyuhlabs/dxkit 2.5.1 → 2.6.0

Files changed (200) hide show
  1. package/CHANGELOG.md +318 -0
  2. package/README.md +150 -28
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  32. package/dist/analyzers/tools/tool-registry.js +25 -8
  33. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  34. package/dist/baseline/baseline-file.d.ts +7 -0
  35. package/dist/baseline/baseline-file.d.ts.map +1 -1
  36. package/dist/baseline/baseline-file.js +22 -1
  37. package/dist/baseline/baseline-file.js.map +1 -1
  38. package/dist/baseline/check-renderers.d.ts +13 -1
  39. package/dist/baseline/check-renderers.d.ts.map +1 -1
  40. package/dist/baseline/check-renderers.js +67 -1
  41. package/dist/baseline/check-renderers.js.map +1 -1
  42. package/dist/baseline/check.d.ts +33 -7
  43. package/dist/baseline/check.d.ts.map +1 -1
  44. package/dist/baseline/check.js +90 -64
  45. package/dist/baseline/check.js.map +1 -1
  46. package/dist/baseline/create.d.ts +35 -7
  47. package/dist/baseline/create.d.ts.map +1 -1
  48. package/dist/baseline/create.js +43 -5
  49. package/dist/baseline/create.js.map +1 -1
  50. package/dist/baseline/entry-to-located.d.ts +6 -1
  51. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  52. package/dist/baseline/entry-to-located.js +20 -2
  53. package/dist/baseline/entry-to-located.js.map +1 -1
  54. package/dist/baseline/finding-identity.d.ts.map +1 -1
  55. package/dist/baseline/finding-identity.js +15 -13
  56. package/dist/baseline/finding-identity.js.map +1 -1
  57. package/dist/baseline/modes.d.ts +140 -0
  58. package/dist/baseline/modes.d.ts.map +1 -0
  59. package/dist/baseline/modes.js +179 -0
  60. package/dist/baseline/modes.js.map +1 -0
  61. package/dist/baseline/policy.d.ts +64 -0
  62. package/dist/baseline/policy.d.ts.map +1 -1
  63. package/dist/baseline/policy.js +102 -1
  64. package/dist/baseline/policy.js.map +1 -1
  65. package/dist/baseline/producers/health.d.ts +2 -2
  66. package/dist/baseline/producers/health.d.ts.map +1 -1
  67. package/dist/baseline/producers/health.js.map +1 -1
  68. package/dist/baseline/producers/index.d.ts +11 -5
  69. package/dist/baseline/producers/index.d.ts.map +1 -1
  70. package/dist/baseline/producers/index.js +12 -9
  71. package/dist/baseline/producers/index.js.map +1 -1
  72. package/dist/baseline/producers/quality.d.ts +3 -3
  73. package/dist/baseline/producers/quality.d.ts.map +1 -1
  74. package/dist/baseline/producers/quality.js.map +1 -1
  75. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  76. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  77. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  78. package/dist/baseline/producers/security.d.ts +2 -2
  79. package/dist/baseline/producers/security.d.ts.map +1 -1
  80. package/dist/baseline/producers/security.js.map +1 -1
  81. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  82. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  83. package/dist/baseline/producers/stale-allow.js +111 -0
  84. package/dist/baseline/producers/stale-allow.js.map +1 -0
  85. package/dist/baseline/producers/tests.d.ts +2 -2
  86. package/dist/baseline/producers/tests.d.ts.map +1 -1
  87. package/dist/baseline/producers/tests.js.map +1 -1
  88. package/dist/baseline/ref-baseline.d.ts +114 -0
  89. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  90. package/dist/baseline/ref-baseline.js +260 -0
  91. package/dist/baseline/ref-baseline.js.map +1 -0
  92. package/dist/baseline/sanitize.d.ts +80 -0
  93. package/dist/baseline/sanitize.d.ts.map +1 -0
  94. package/dist/baseline/sanitize.js +91 -0
  95. package/dist/baseline/sanitize.js.map +1 -0
  96. package/dist/baseline/show.d.ts.map +1 -1
  97. package/dist/baseline/show.js +9 -3
  98. package/dist/baseline/show.js.map +1 -1
  99. package/dist/baseline/types.d.ts +73 -26
  100. package/dist/baseline/types.d.ts.map +1 -1
  101. package/dist/baseline/types.js +7 -1
  102. package/dist/baseline/types.js.map +1 -1
  103. package/dist/baseline/visibility.d.ts +61 -0
  104. package/dist/baseline/visibility.d.ts.map +1 -0
  105. package/dist/baseline/visibility.js +121 -0
  106. package/dist/baseline/visibility.js.map +1 -0
  107. package/dist/cli.d.ts.map +1 -1
  108. package/dist/cli.js +154 -13
  109. package/dist/cli.js.map +1 -1
  110. package/dist/constants.d.ts.map +1 -1
  111. package/dist/constants.js +0 -10
  112. package/dist/constants.js.map +1 -1
  113. package/dist/detect.d.ts.map +1 -1
  114. package/dist/detect.js +0 -15
  115. package/dist/detect.js.map +1 -1
  116. package/dist/doctor.d.ts +78 -1
  117. package/dist/doctor.d.ts.map +1 -1
  118. package/dist/doctor.js +590 -101
  119. package/dist/doctor.js.map +1 -1
  120. package/dist/generator.d.ts.map +1 -1
  121. package/dist/generator.js +15 -0
  122. package/dist/generator.js.map +1 -1
  123. package/dist/issue-cli.d.ts +62 -0
  124. package/dist/issue-cli.d.ts.map +1 -0
  125. package/dist/issue-cli.js +252 -0
  126. package/dist/issue-cli.js.map +1 -0
  127. package/dist/languages/csharp.d.ts.map +1 -1
  128. package/dist/languages/csharp.js +2 -0
  129. package/dist/languages/csharp.js.map +1 -1
  130. package/dist/languages/go.d.ts.map +1 -1
  131. package/dist/languages/go.js +2 -0
  132. package/dist/languages/go.js.map +1 -1
  133. package/dist/languages/index.d.ts +25 -0
  134. package/dist/languages/index.d.ts.map +1 -1
  135. package/dist/languages/index.js +44 -0
  136. package/dist/languages/index.js.map +1 -1
  137. package/dist/languages/java.d.ts.map +1 -1
  138. package/dist/languages/java.js +2 -0
  139. package/dist/languages/java.js.map +1 -1
  140. package/dist/languages/kotlin.d.ts.map +1 -1
  141. package/dist/languages/kotlin.js +2 -0
  142. package/dist/languages/kotlin.js.map +1 -1
  143. package/dist/languages/python.d.ts.map +1 -1
  144. package/dist/languages/python.js +11 -1
  145. package/dist/languages/python.js.map +1 -1
  146. package/dist/languages/ruby.d.ts.map +1 -1
  147. package/dist/languages/ruby.js +2 -0
  148. package/dist/languages/ruby.js.map +1 -1
  149. package/dist/languages/rust.d.ts.map +1 -1
  150. package/dist/languages/rust.js +2 -0
  151. package/dist/languages/rust.js.map +1 -1
  152. package/dist/languages/types.d.ts +45 -0
  153. package/dist/languages/types.d.ts.map +1 -1
  154. package/dist/languages/typescript.d.ts.map +1 -1
  155. package/dist/languages/typescript.js +2 -0
  156. package/dist/languages/typescript.js.map +1 -1
  157. package/dist/prompts.d.ts.map +1 -1
  158. package/dist/prompts.js +0 -5
  159. package/dist/prompts.js.map +1 -1
  160. package/dist/setup-branch-protection.d.ts +34 -0
  161. package/dist/setup-branch-protection.d.ts.map +1 -0
  162. package/dist/setup-branch-protection.js +190 -0
  163. package/dist/setup-branch-protection.js.map +1 -0
  164. package/dist/setup-gh.d.ts +75 -0
  165. package/dist/setup-gh.d.ts.map +1 -0
  166. package/dist/setup-gh.js +213 -0
  167. package/dist/setup-gh.js.map +1 -0
  168. package/dist/setup-prebuild.d.ts +34 -0
  169. package/dist/setup-prebuild.d.ts.map +1 -0
  170. package/dist/setup-prebuild.js +181 -0
  171. package/dist/setup-prebuild.js.map +1 -0
  172. package/dist/ship-installers.d.ts.map +1 -1
  173. package/dist/ship-installers.js +19 -4
  174. package/dist/ship-installers.js.map +1 -1
  175. package/dist/types.d.ts +24 -6
  176. package/dist/types.d.ts.map +1 -1
  177. package/dist/update.d.ts +41 -0
  178. package/dist/update.d.ts.map +1 -1
  179. package/dist/update.js +154 -15
  180. package/dist/update.js.map +1 -1
  181. package/dist/upgrade.d.ts +88 -0
  182. package/dist/upgrade.d.ts.map +1 -0
  183. package/dist/upgrade.js +324 -0
  184. package/dist/upgrade.js.map +1 -0
  185. package/package.json +1 -1
  186. package/templates/.claude/skills/dxkit-action/SKILL.md +111 -17
  187. package/templates/.claude/skills/dxkit-config/SKILL.md +7 -7
  188. package/templates/.claude/skills/dxkit-fix/SKILL.md +165 -0
  189. package/templates/.claude/skills/dxkit-hooks/SKILL.md +8 -8
  190. package/templates/.claude/skills/dxkit-init/SKILL.md +3 -3
  191. package/templates/.claude/skills/dxkit-learn/SKILL.md +9 -9
  192. package/templates/.claude/skills/dxkit-onboard/SKILL.md +274 -0
  193. package/templates/.claude/skills/dxkit-reports/SKILL.md +18 -18
  194. package/templates/.claude/skills/dxkit-update/SKILL.md +164 -0
  195. package/templates/.devcontainer/devcontainer.json +6 -15
  196. package/templates/.devcontainer/post-create.sh +19 -4
  197. package/dist/baseline/producers/licenses.d.ts +0 -23
  198. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  199. package/dist/baseline/producers/licenses.js +0 -46
  200. package/dist/baseline/producers/licenses.js.map +0 -1
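--- a/package/templates/.claude/skills/dxkit-reports/SKILL.md
+++ b/package/templates/.claude/skills/dxkit-reports/SKILL.md
@@ -1,6 +1,6 @@
  ---
  name: dxkit-reports
- description: Run dxkit reports and explain their output. Use when the user asks "run health", "check security", "show me the dashboard", "what does this score mean", or anything about generating / reading dxkit analyzer output. Hands off to dxkit-action for fixing findings.
+ description: Run dxkit reports and explain their output, including the consolidated dashboard view. Use when the user asks "run health", "check security", "show me the dashboard", "open the dashboard", "tour the dashboard", "explain the dashboard", "what does this score mean", or anything about generating / interpreting dxkit analyzer output. Always reach for this skill even when the user names a specific subcommand (health, vulnerabilities, dashboard, bom, etc.) — running the command is only half of the value; the skill wraps the output with the right framing. Hands off to dxkit-action for fixing findings.
  ---
 
  # dxkit-reports
@@ -11,15 +11,15 @@ This skill runs dxkit analyzers and reads their output back to the user. It's th
 
  | User asks | Command | Output |
  |---|---|---|
- | "Overall health" / "give me the score" | `vyuh-dxkit health` | 6-dimension score table + top actions per dimension |
- | "Check security" / "find vulns" | `vyuh-dxkit vulnerabilities` | Code-level SAST + dep-vuln + secret findings, grouped by severity |
- | "Test coverage gaps" | `vyuh-dxkit test-gaps` | Source files without matching tests, prioritized by architectural role |
- | "Code quality" | `vyuh-dxkit quality` | Lint findings + duplication + slop score |
- | "Who's been working on what" | `vyuh-dxkit dev-report` | Per-author activity, hot files, churn |
- | "License inventory" | `vyuh-dxkit licenses` | Every dependency's declared license |
- | "Bill of materials" | `vyuh-dxkit bom` | Licenses + dep vulnerabilities joined (15-col XLSX-ready output) |
- | "Run everything" | `vyuh-dxkit report` | Every analyzer in one shot, ~3-5 min |
- | "Show me the dashboard" | `vyuh-dxkit dashboard` | Single HTML view of all reports — opens at `.dxkit/reports/dashboard.html` |
+ | "Overall health" / "give me the score" | `npx vyuh-dxkit health` | 6-dimension score table + top actions per dimension |
+ | "Check security" / "find vulns" | `npx vyuh-dxkit vulnerabilities` | Code-level SAST + dep-vuln + secret findings, grouped by severity |
+ | "Test coverage gaps" | `npx vyuh-dxkit test-gaps` | Source files without matching tests, prioritized by architectural role |
+ | "Code quality" | `npx vyuh-dxkit quality` | Lint findings + duplication + slop score |
+ | "Who's been working on what" | `npx vyuh-dxkit dev-report` | Per-author activity, hot files, churn |
+ | "License inventory" | `npx vyuh-dxkit licenses` | Every dependency's declared license |
+ | "Bill of materials" | `npx vyuh-dxkit bom` | Licenses + dep vulnerabilities joined (15-col XLSX-ready output) |
+ | "Run everything" | `npx vyuh-dxkit report` | Every analyzer in one shot, ~3-5 min |
+ | "Show me the dashboard" | `npx vyuh-dxkit dashboard` | Single HTML view of all reports — opens at `.dxkit/reports/dashboard.html` |
 
  ## Where output lands
 
@@ -56,7 +56,7 @@ Score → rating: A ≥ 80, B ≥ 60, C ≥ 40, D ≥ 20, E < 20. **Cap tiers**
  ### Quick health check (warm cache)
 
  ```bash
- vyuh-dxkit health
+ npx vyuh-dxkit health
  ```
 
  Re-uses cached scanner outputs where possible. ~5-15s on warm cache, ~30-60s cold.
@@ -64,9 +64,9 @@ Re-uses cached scanner outputs where possible. ~5-15s on warm cache, ~30-60s col
  ### Pre-merge audit (thorough)
 
  ```bash
- vyuh-dxkit health --with-coverage # Runs tests + materializes coverage before scoring
- vyuh-dxkit vulnerabilities # Always re-runs the deep security scan
- vyuh-dxkit dashboard # Renders the latest reports into one HTML view
+ npx vyuh-dxkit health --with-coverage # Runs tests + materializes coverage before scoring
+ npx vyuh-dxkit vulnerabilities # Always re-runs the deep security scan
+ npx vyuh-dxkit dashboard # Renders the latest reports into one HTML view
  ```
 
  `--with-coverage` is slow (runs your test suite) but switches the Tests dimension from heuristic ("files match a test pattern") to real ("line coverage from your reporter"). Worth it for pre-merge audits.
@@ -74,7 +74,7 @@ vyuh-dxkit dashboard # Renders the latest reports into one HTML
  ### Per-PR scope
 
  ```bash
- vyuh-dxkit guardrail check
+ npx vyuh-dxkit guardrail check
  ```
 
  Diffs the current scan vs the baseline. Exit 1 on net-new findings (the same logic the pre-push hook uses).
@@ -82,8 +82,8 @@ Diffs the current scan vs the baseline. Exit 1 on net-new findings (the same log
  ### Failing CI on a threshold
 
  ```bash
- vyuh-dxkit health --fail-on-score=70 # Exit 1 if overall score < 70
- vyuh-dxkit vulnerabilities --fail-on-severity=high # Exit 1 if any high-severity finding
+ npx vyuh-dxkit health --fail-on-score=70 # Exit 1 if overall score < 70
+ npx vyuh-dxkit vulnerabilities --fail-on-severity=high # Exit 1 if any high-severity finding
  ```
 
  Use these in CI for hard floors.
@@ -105,7 +105,7 @@ Hand off to the `dxkit-action` skill — that's the workflow for prioritizing +
 
  ## Troubleshooting
 
- - **"Scanner X unavailable"** → run `vyuh-dxkit tools list` to see status; `vyuh-dxkit tools install` to install missing ones.
+ - **"Scanner X unavailable"** → run `npx vyuh-dxkit tools list` to see status; `npx vyuh-dxkit tools install` to install missing ones.
  - **"N/A for this stack"** → applicability-guard fired (e.g., vitest-coverage on a mocha repo). Not a problem; the scanner doesn't apply here.
  - **Report looks stale** → `.dxkit/reports/` is keyed by date. Re-run the analyzer to get a fresh date-stamped file.
  - **Numbers don't match between two reports** → check whether `--with-coverage` was used. Without it, Tests dimension uses heuristic; with it, real coverage. They legitimately differ.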
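Review bot: The bare `npx vyuh-dxkit …` form in the command table (repeated in the Quick health check, Pre-merge audit, Per-PR scope, Failing CI and Troubleshooting hunks) names the binary, not the package, so on a machine with no local or global install npx falls back to resolving `vyuh-dxkit` as a registry package name rather than `@vyuhlabs/dxkit`. Whether that unscoped name is held by the same publisher is not visible on this page. Because an agent runs these commands, it would be safer to bind the package explicitly, `npx --package=@vyuhlabs/dxkit vyuh-dxkit health`, or to forbid the download with `npx --no vyuh-dxkit health`. A line under the table such as `Requires @vyuhlabs/dxkit in devDependencies; do not let npx download it.` would document the assumption.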
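--- /dev/null
+++ b/package/templates/.claude/skills/dxkit-update/SKILL.md
@@ -0,0 +1,164 @@
+ ---
+ name: dxkit-update
+ description: Walk the customer through upgrading dxkit to a newer version safely. Use when the user asks "update dxkit", "upgrade to latest", "what's new in dxkit", "is there a new dxkit version", "should I upgrade dxkit", or anything about moving an existing dxkit install forward. Reads version delta + changelog + recommended steps; confirms each step. Hands off to dxkit-fix if post-upgrade doctor surfaces broken signals.
+ ---
+
+ # dxkit-update
+
+ This skill drives the dxkit upgrade flow conversationally. It's the "I have something working — make it newer" surface (complement to `dxkit-onboard` for fresh installs and `dxkit-fix` for repairs).
+
+ ## When to use this skill
+
+ Use when:
+
+ - "Is there a new dxkit version?"
+ - "Update dxkit"
+ - "Upgrade to latest"
+ - "What changed in dxkit recently?"
+ - "What's new in 2.5.5?" (or any other specific version)
+ - "Should I upgrade?"
+
+ Don't use when:
+
+ - Customer has no `.vyuh-dxkit.json` (they need `dxkit-init`, not update)
+ - Something is BROKEN — use `dxkit-fix` first; then maybe update after
+ - Customer wants to roll back to an older version (downgrade — surface the risk + manual command, don't auto-execute)
+
+ ## How the upgrade works (two stages)
+
+ dxkit ships in two layers and an upgrade touches both:
+
+ 1. **The binary** — `@vyuhlabs/dxkit` npm package. `npm update` or `npm install @vyuhlabs/dxkit@<version>` replaces the local binary.
+ 2. **The scaffold** — files in the customer's repo (`.devcontainer/`, `.githooks/`, `.claude/skills/dxkit-*/`, `AGENTS.md`, `CLAUDE.md`, `.github/workflows/dxkit-*.yml`). `npx vyuh-dxkit update` refreshes these to match the new binary's templates.
+
+ Both run for any non-trivial upgrade. The CLI subcommand `vyuh-dxkit upgrade` orchestrates them; this skill drives the customer through the orchestration with explanations and confirmations.
+
+ ## The upgrade loop
+
+ ```
+ [1] Read the plan → npx vyuh-dxkit upgrade --plan --json
+ [2] Explain the delta → current vs target, classification, what's new
+ [3] Surface warnings → major bumps, breaking changes, scaffold drift
+ [4] Confirm → "proceed?" (default Y for low-risk; default N for major/downgrade)
+ [5] Execute → drive each step with per-step status
+ [6] Verify → run doctor + report operational health post-upgrade
+ [7] Surface manual steps → devcontainer rebuild instructions if .devcontainer/ changed
+ ```
+
+ ## Steps
+
+ ### 1. Snapshot the plan
+
+ ```bash
+ npx vyuh-dxkit upgrade --plan --json > /tmp/dxkit-upgrade-plan.json
+ ```
+
+ The JSON has shape `{ schema: "upgrade-plan.v1", current: { binary, scaffold }, target, delta, steps: [...], warnings: [...], changelogNote }`. Capturing to a file (instead of piping inline) lets the customer re-read the plan if they pause mid-flow.
+
+ ### 2. Explain what's about to happen
+
+ Translate the structured plan into customer-friendly prose:
+
+ | Plan field | What to say |
+ |---|---|
+ | `current.binary` + `current.scaffold` | "You're on dxkit X (scaffold also X). Latest: Y." |
+ | `delta: 'none'` | "Already up to date — nothing to do." Skip to End. |
+ | `delta: 'patch'` | "N patch versions between you and latest. Low risk — bug fixes + small features only." |
+ | `delta: 'minor'` | "Minor bump — new features + scaffold changes likely. Probably safe; CHANGELOG.md has details." |
+ | `delta: 'major'` | "**Major bump** — read CHANGELOG.md for breaking changes BEFORE upgrading. Possible baseline/manifest schema migrations; possibly broken policy files; possibly removed CLI flags." |
+ | `delta: 'downgrade'` | "Target is OLDER than installed. Downgrades aren't officially supported — baseline/manifest schemas may differ. Surface this and let the customer decide." |
+
+ ### 3. Surface every warning
+
+ Iterate `plan.warnings` and present each as its own bullet. Don't bury them. If `warnings` is empty, mention "No warnings — proceed when ready."
+
+ ### 4. Confirm before execution
+
+ Ask:
+
+ > **Proceed with the upgrade?**
+
+ Default Y for patch/minor; default N for major/downgrade. If they decline, end gracefully — leave the plan in their hands.
+
+ ### 5. Execute step-by-step
+
+ For each step in `plan.steps`:
+
+ - Skip `optional: true` steps from auto-execution (devcontainer rebuild is the only one today; surface it after)
+ - Show: "[i/N] purpose"
+ - Run: the command via Bash
+ - Note: success/failure based on exit code
+
+ If any step fails, **stop**. Don't continue with downstream steps. Surface:
+
+ - Which step failed + its stderr
+ - Suggested recovery: "Run `npx vyuh-dxkit doctor` to see current state, or invoke the `dxkit-fix` skill to walk through repair."
+
+ ### 6. Verify with doctor
+
+ If all steps succeeded, run `npx vyuh-dxkit doctor` and report. If doctor surfaces operational issues post-upgrade (e.g. `summary.fixable[]` not empty), **hand off to dxkit-fix** — say "Upgrade complete, but doctor surfaced N gaps. Walking through dxkit-fix to close them."
+
+ ### 7. Surface manual follow-ups
+
+ Iterate optional steps in the plan:
+
+ ```
+ ⚠ Your .devcontainer/ was refreshed. Rebuild your container to pick up:
+ VSCode: Command Palette → "Dev Containers: Rebuild Container"
+ Codespaces: Command Palette → "Codespaces: Rebuild Container"
+ Local Docker: `docker compose down && docker compose up -d --build`
+ ```
+
+ ## What dxkit-update can NOT do
+
+ - **Cross-major migrations** — major bumps may need MIGRATION.md guidance + manual policy edits. Surface the link; don't auto-execute.
+ - **Customer code changes** — if the upgrade requires changes to the customer's scoring policy, baseline schema, or workflow file customizations, point at the CHANGELOG.md section and stop.
+ - **Downgrades** — never auto-execute. Always confirm; warn about schema differences; suggest backing up `.dxkit/baselines/` first.
+ - **Rollback** — if execution mid-step fails, dxkit-update can't undo the binary install. Customer needs to `npm install @vyuhlabs/dxkit@<previous-version>` themselves.
+
+ ## Boundary with other lifecycle skills
+
+ | Customer state | Reach for |
+ |---|---|
+ | "I have nothing" | `dxkit-onboard` |
+ | "I have working install, make it newer" | **dxkit-update (this skill)** |
+ | "Doctor says X is broken" | `dxkit-fix` |
+ | "I want to run a report" | `dxkit-reports` |
+ | "Fix these findings" | `dxkit-action` |
+ | "Configure dxkit" | `dxkit-config` |
+ | "Set up hooks" | `dxkit-hooks` |
+ | "Explain dxkit" | `dxkit-learn` |
+
+ If the customer asks something that spans skills (e.g. "update dxkit and then fix the new issues"), chain: dxkit-update first, then auto-invoke dxkit-fix on the post-upgrade doctor output.
+
+ ## CHANGELOG hygiene (worth raising)
+
+ The plan's `changelogNote` field points at the canonical CHANGELOG.md URL. Currently it's just a pointer — future versions of `vyuh-dxkit upgrade --plan` may parse the changelog and surface per-version highlights inline. For now, when the customer asks "what changed?", offer to fetch + summarize the CHANGELOG.md for the version range:
+
+ ```bash
+ # Fetch the changelog locally (the installed package ships it)
+ cat node_modules/@vyuhlabs/dxkit/CHANGELOG.md
+ ```
+
+ Or for content between current and target (which isn't in the installed tarball until AFTER upgrade), suggest visiting the URL in `plan.changelogNote`.
+
+ ## Final report
+
+ After the loop completes:
+
+ ```
+ ✓ Upgraded: dxkit X → Y
+ ✓ Scaffold refreshed: N files updated, M new (e.g. dxkit-fix skill if upgrading from <2.5.2)
+ ✓ Doctor: all green
+ ○ Manual: rebuild devcontainer to pick up changes
+ ```
+
+ Or if something failed:
+
+ ```
+ ✗ Upgrade halted at step [i/N]: <purpose>
+ stderr: <captured>
+ → Recovery: `npx vyuh-dxkit doctor` to see current state; ask "fix dxkit" to walk through repair
+ ```
+
+ End with a one-line CTA: "Anything else? Ask 'check dxkit health' to see current scores on the new version."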
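Review bot: Step 1 writes the plan to the fixed, shared path `/tmp/dxkit-upgrade-plan.json`, and step 5 then runs each `plan.steps` command through Bash, so whatever can write that path between the two steps (another local user, a leftover file from an earlier run) decides what gets executed. Keeping the plan in the repository's own state directory, `npx vyuh-dxkit upgrade --plan --json > .dxkit/upgrade-plan.json`, or in a `mktemp` file, avoids the shared location. Step 5 should also tell the agent to print the exact command before running it and to stop on any step that is not an `npm` or `npx vyuh-dxkit` invocation. The "fetch + summarize" changelog step deserves one sentence saying the fetched text is data to summarize, not instructions to follow.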
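--- a/package/templates/.devcontainer/devcontainer.json
+++ b/package/templates/.devcontainer/devcontainer.json
@@ -24,23 +24,14 @@
  // registry pinned-versions advanced since last use.
  "postStartCommand": "command -v vyuh-dxkit >/dev/null 2>&1 && vyuh-dxkit tools list || true",
 
+ // Extensions list is generated by `vyuh-dxkit init` from the detected
+ // stack — only active packs' editor support gets installed. Always-on
+ // entries (anthropic.claude-code + GitHub Actions/PR) ship on every
+ // container regardless. Add or remove entries by hand to override the
+ // auto-detected set.
  "customizations": {
  "vscode": {
- "extensions": [
- "anthropic.claude-code",
- "dbaeumer.vscode-eslint",
- "esbenp.prettier-vscode",
- "ms-python.python",
- "ms-python.vscode-pylance",
- "golang.go",
- "rust-lang.rust-analyzer",
- "ms-dotnettools.csharp",
- "redhat.java",
- "fwcd.kotlin",
- "rebornix.ruby",
- "github.vscode-github-actions",
- "github.vscode-pull-request-github"
- ],
+ "extensions": __DXKIT_DEVCONTAINER_EXTENSIONS__,
  "settings": {
  "editor.formatOnSave": true,
  "files.eol": "\n"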
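--- a/package/templates/.devcontainer/post-create.sh
+++ b/package/templates/.devcontainer/post-create.sh
@@ -50,18 +50,33 @@ if [ -f package.json ]; then
  fi
  fi
 
- # Resolve dxkit. Prefer the project-local install if a `package.json`
- # pinned dxkit in devDependencies; otherwise install globally so the
- # binary is on PATH for the rest of the script and any subshell.
+ # Resolve dxkit for THIS script. Prefer the project-local install if a
+ # package.json pinned dxkit in devDependencies (so the script uses the
+ # project's pinned version); otherwise install globally and use that.
  if [ -x ./node_modules/.bin/vyuh-dxkit ]; then
  DXKIT="./node_modules/.bin/vyuh-dxkit"
  elif command -v vyuh-dxkit >/dev/null 2>&1; then
  DXKIT="vyuh-dxkit"
  else
- echo "==> Installing @vyuhlabs/dxkit globally..."
+ echo "==> Installing @vyuhlabs/dxkit globally (for script use)..."
  npm install -g @vyuhlabs/dxkit
  DXKIT="vyuh-dxkit"
  fi
+
+ # Make sure `vyuh-dxkit` is on the CUSTOMER's interactive shell PATH
+ # regardless of where the script-local resolution above ended up.
+ # Project-local installs (./node_modules/.bin/) are NOT on PATH for
+ # terminal sessions or for the dxkit-* agent skills' bash invocations
+ # — only the global install puts the bare command on PATH. Without
+ # this, the customer types `vyuh-dxkit doctor` and gets "command not
+ # found" until they discover `npx vyuh-dxkit`. Soft-fail: if global
+ # install fails (offline / registry hiccup), `npx vyuh-dxkit` still
+ # works as a fallback.
+ if ! command -v vyuh-dxkit >/dev/null 2>&1; then
+ echo "==> Installing @vyuhlabs/dxkit globally (for shell PATH)..."
+ npm install -g @vyuhlabs/dxkit || \
+ echo "WARN: global install failed — customer terminal will need 'npx vyuh-dxkit'." >&2
+ fi
  echo "==> Using dxkit binary: ${DXKIT}"
 
  echo "==> Installing scanner toolchain via dxkit registry..."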
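Review bot: The added block runs `npm install -g @vyuhlabs/dxkit` with no version even when `DXKIT` resolved to `./node_modules/.bin/vyuh-dxkit`, so the customer's shell gets whatever the registry serves as latest at container-create time while the script itself uses the project's pinned version. That is version skew plus an unpinned install of code on every container build; the `else` branch above has the same unpinned install. When a local copy exists the global one can follow it, `npm install -g "@vyuhlabs/dxkit@$(node -p "require('./node_modules/@vyuhlabs/dxkit/package.json').version")"`, or the global install can be dropped in favour of adding `./node_modules/.bin` to the shell PATH. The script continues outside the hunk, so whether `set -e` is in effect for the first install is not visible.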
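--- a/package/dist/baseline/producers/licenses.d.ts
+++ /dev/null
@@ -1,23 +0,0 @@
- /**
- * Licenses → baseline-entry producer.
- *
- * One kind: `license` — per-package license attribution.
- * `(package, version, licenseType)` is the identity tuple, so a
- * re-licensing event on the same pinned version (compliance teams'
- * canonical concern) registers as a fresh finding even when no
- * version bump happened.
- *
- * Reads from `CapabilityReport.licenses.findings` — already in the
- * cached `AnalysisResult`, no extra gather work needed. Pure
- * function over its input.
- */
- import type { BaselineEntry } from '../types';
- import type { LicensesResult } from '../../languages/capabilities/types';
- /**
- * Build `license` entries from a licenses capability envelope.
- * Findings with an empty `licenseType` are emitted with the literal
- * `'UNKNOWN'` so identity stays stable across runs even when the
- * underlying tool can't resolve the SPDX id.
- */
- export declare function licensesToBaselineEntries(licenses: LicensesResult | undefined): BaselineEntry[];
- //# sourceMappingURL=licenses.d.ts.map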
@@ -1 +0,0 @@
1
- {"version":3,"file":"licenses.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/licenses.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAwB,MAAM,UAAU,CAAC;AACpE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,cAAc,GAAG,SAAS,GAAG,aAAa,EAAE,CAoB/F"}
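--- a/package/dist/baseline/producers/licenses.js
+++ /dev/null
@@ -1,46 +0,0 @@
- "use strict";
- /**
- * Licenses → baseline-entry producer.
- *
- * One kind: `license` — per-package license attribution.
- * `(package, version, licenseType)` is the identity tuple, so a
- * re-licensing event on the same pinned version (compliance teams'
- * canonical concern) registers as a fresh finding even when no
- * version bump happened.
- *
- * Reads from `CapabilityReport.licenses.findings` — already in the
- * cached `AnalysisResult`, no extra gather work needed. Pure
- * function over its input.
- */
- Object.defineProperty(exports, "__esModule", { value: true });
- exports.licensesToBaselineEntries = licensesToBaselineEntries;
- const finding_identity_1 = require("../finding-identity");
- /**
- * Build `license` entries from a licenses capability envelope.
- * Findings with an empty `licenseType` are emitted with the literal
- * `'UNKNOWN'` so identity stays stable across runs even when the
- * underlying tool can't resolve the SPDX id.
- */
- function licensesToBaselineEntries(licenses) {
- if (!licenses)
- return [];
- const out = [];
- for (const f of licenses.findings) {
- const licenseType = f.licenseType.length > 0 ? f.licenseType : 'UNKNOWN';
- const input = {
- kind: 'license',
- package: f.package,
- version: f.version,
- licenseType,
- };
- out.push({
- id: (0, finding_identity_1.identityFor)(input),
- kind: 'license',
- package: f.package,
- version: f.version,
- licenseType,
- });
- }
- return out;
- }
- //# sourceMappingURL=licenses.js.map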
@@ -1 +0,0 @@
1
- {"version":3,"file":"licenses.js","sourceRoot":"","sources":["../../../src/baseline/producers/licenses.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AAYH,8DAoBC;AA9BD,0DAAkD;AAIlD;;;;;GAKG;AACH,SAAgB,yBAAyB,CAAC,QAAoC;IAC5E,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IACzB,MAAM,GAAG,GAAoB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,WAAW;SACZ,CAAC;QACF,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}