@vyuhlabs/dxkit 2.5.2 → 2.7.0

Files changed (264)
  1. package/CHANGELOG.md +218 -13
  2. package/README.md +220 -369
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/bom/discovery.d.ts +3 -4
  32. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  33. package/dist/analyzers/bom/discovery.js +3 -4
  34. package/dist/analyzers/bom/discovery.js.map +1 -1
  35. package/dist/analyzers/bom/types.d.ts +1 -1
  36. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  37. package/dist/analyzers/dashboard/index.js +42 -5
  38. package/dist/analyzers/dashboard/index.js.map +1 -1
  39. package/dist/analyzers/quality/detailed.d.ts +8 -1
  40. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  41. package/dist/analyzers/quality/detailed.js +43 -10
  42. package/dist/analyzers/quality/detailed.js.map +1 -1
  43. package/dist/analyzers/security/detailed.d.ts +8 -1
  44. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  45. package/dist/analyzers/security/detailed.js +14 -1
  46. package/dist/analyzers/security/detailed.js.map +1 -1
  47. package/dist/analyzers/tests/detailed.d.ts +8 -1
  48. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  49. package/dist/analyzers/tests/detailed.js +26 -7
  50. package/dist/analyzers/tests/detailed.js.map +1 -1
  51. package/dist/analyzers/tools/cloc.js +3 -3
  52. package/dist/analyzers/tools/cloc.js.map +1 -1
  53. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  54. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  55. package/dist/analyzers/tools/exclusions.js +27 -13
  56. package/dist/analyzers/tools/exclusions.js.map +1 -1
  57. package/dist/analyzers/tools/graphify.d.ts +39 -5
  58. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  59. package/dist/analyzers/tools/graphify.js +609 -45
  60. package/dist/analyzers/tools/graphify.js.map +1 -1
  61. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  62. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  63. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  64. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  65. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  66. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  67. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  68. package/dist/analyzers/tools/parallel.js +7 -0
  69. package/dist/analyzers/tools/parallel.js.map +1 -1
  70. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  71. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  72. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  73. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  74. package/dist/analyzers/xlsx/licenses.js +7 -7
  75. package/dist/baseline/baseline-file.d.ts +7 -0
  76. package/dist/baseline/baseline-file.d.ts.map +1 -1
  77. package/dist/baseline/baseline-file.js +22 -1
  78. package/dist/baseline/baseline-file.js.map +1 -1
  79. package/dist/baseline/check-renderers.d.ts +13 -1
  80. package/dist/baseline/check-renderers.d.ts.map +1 -1
  81. package/dist/baseline/check-renderers.js +67 -1
  82. package/dist/baseline/check-renderers.js.map +1 -1
  83. package/dist/baseline/check.d.ts +33 -7
  84. package/dist/baseline/check.d.ts.map +1 -1
  85. package/dist/baseline/check.js +90 -64
  86. package/dist/baseline/check.js.map +1 -1
  87. package/dist/baseline/create.d.ts +35 -7
  88. package/dist/baseline/create.d.ts.map +1 -1
  89. package/dist/baseline/create.js +43 -5
  90. package/dist/baseline/create.js.map +1 -1
  91. package/dist/baseline/entry-to-located.d.ts +6 -1
  92. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  93. package/dist/baseline/entry-to-located.js +20 -2
  94. package/dist/baseline/entry-to-located.js.map +1 -1
  95. package/dist/baseline/finding-identity.d.ts.map +1 -1
  96. package/dist/baseline/finding-identity.js +15 -13
  97. package/dist/baseline/finding-identity.js.map +1 -1
  98. package/dist/baseline/modes.d.ts +140 -0
  99. package/dist/baseline/modes.d.ts.map +1 -0
  100. package/dist/baseline/modes.js +179 -0
  101. package/dist/baseline/modes.js.map +1 -0
  102. package/dist/baseline/policy.d.ts +64 -0
  103. package/dist/baseline/policy.d.ts.map +1 -1
  104. package/dist/baseline/policy.js +102 -1
  105. package/dist/baseline/policy.js.map +1 -1
  106. package/dist/baseline/producers/health.d.ts +2 -2
  107. package/dist/baseline/producers/health.d.ts.map +1 -1
  108. package/dist/baseline/producers/health.js.map +1 -1
  109. package/dist/baseline/producers/index.d.ts +11 -5
  110. package/dist/baseline/producers/index.d.ts.map +1 -1
  111. package/dist/baseline/producers/index.js +12 -9
  112. package/dist/baseline/producers/index.js.map +1 -1
  113. package/dist/baseline/producers/quality.d.ts +3 -3
  114. package/dist/baseline/producers/quality.d.ts.map +1 -1
  115. package/dist/baseline/producers/quality.js.map +1 -1
  116. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  117. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  118. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  119. package/dist/baseline/producers/security.d.ts +2 -2
  120. package/dist/baseline/producers/security.d.ts.map +1 -1
  121. package/dist/baseline/producers/security.js.map +1 -1
  122. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  123. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  124. package/dist/baseline/producers/stale-allow.js +111 -0
  125. package/dist/baseline/producers/stale-allow.js.map +1 -0
  126. package/dist/baseline/producers/tests.d.ts +2 -2
  127. package/dist/baseline/producers/tests.d.ts.map +1 -1
  128. package/dist/baseline/producers/tests.js.map +1 -1
  129. package/dist/baseline/ref-baseline.d.ts +114 -0
  130. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  131. package/dist/baseline/ref-baseline.js +260 -0
  132. package/dist/baseline/ref-baseline.js.map +1 -0
  133. package/dist/baseline/sanitize.d.ts +80 -0
  134. package/dist/baseline/sanitize.d.ts.map +1 -0
  135. package/dist/baseline/sanitize.js +91 -0
  136. package/dist/baseline/sanitize.js.map +1 -0
  137. package/dist/baseline/show.d.ts.map +1 -1
  138. package/dist/baseline/show.js +9 -3
  139. package/dist/baseline/show.js.map +1 -1
  140. package/dist/baseline/types.d.ts +73 -26
  141. package/dist/baseline/types.d.ts.map +1 -1
  142. package/dist/baseline/types.js +7 -1
  143. package/dist/baseline/types.js.map +1 -1
  144. package/dist/baseline/visibility.d.ts +61 -0
  145. package/dist/baseline/visibility.d.ts.map +1 -0
  146. package/dist/baseline/visibility.js +121 -0
  147. package/dist/baseline/visibility.js.map +1 -0
  148. package/dist/cli.d.ts.map +1 -1
  149. package/dist/cli.js +168 -6
  150. package/dist/cli.js.map +1 -1
  151. package/dist/dashboard/graph-adapter.d.ts +151 -0
  152. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  153. package/dist/dashboard/graph-adapter.js +415 -0
  154. package/dist/dashboard/graph-adapter.js.map +1 -0
  155. package/dist/dashboard/graph-tab.d.ts +109 -0
  156. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  157. package/dist/dashboard/graph-tab.js +297 -0
  158. package/dist/dashboard/graph-tab.js.map +1 -0
  159. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  160. package/dist/doctor.d.ts.map +1 -1
  161. package/dist/doctor.js +106 -16
  162. package/dist/doctor.js.map +1 -1
  163. package/dist/explore/cli/api-surface.d.ts +12 -0
  164. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  165. package/dist/explore/cli/api-surface.js +57 -0
  166. package/dist/explore/cli/api-surface.js.map +1 -0
  167. package/dist/explore/cli/communities.d.ts +10 -0
  168. package/dist/explore/cli/communities.d.ts.map +1 -0
  169. package/dist/explore/cli/communities.js +47 -0
  170. package/dist/explore/cli/communities.js.map +1 -0
  171. package/dist/explore/cli/context.d.ts +16 -0
  172. package/dist/explore/cli/context.d.ts.map +1 -0
  173. package/dist/explore/cli/context.js +118 -0
  174. package/dist/explore/cli/context.js.map +1 -0
  175. package/dist/explore/cli/entry-points.d.ts +12 -0
  176. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  177. package/dist/explore/cli/entry-points.js +85 -0
  178. package/dist/explore/cli/entry-points.js.map +1 -0
  179. package/dist/explore/cli/feature.d.ts +16 -0
  180. package/dist/explore/cli/feature.d.ts.map +1 -0
  181. package/dist/explore/cli/feature.js +89 -0
  182. package/dist/explore/cli/feature.js.map +1 -0
  183. package/dist/explore/cli/file.d.ts +12 -0
  184. package/dist/explore/cli/file.d.ts.map +1 -0
  185. package/dist/explore/cli/file.js +139 -0
  186. package/dist/explore/cli/file.js.map +1 -0
  187. package/dist/explore/cli/hot-files.d.ts +11 -0
  188. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  189. package/dist/explore/cli/hot-files.js +63 -0
  190. package/dist/explore/cli/hot-files.js.map +1 -0
  191. package/dist/explore/context-hook.d.ts +42 -0
  192. package/dist/explore/context-hook.d.ts.map +1 -0
  193. package/dist/explore/context-hook.js +131 -0
  194. package/dist/explore/context-hook.js.map +1 -0
  195. package/dist/explore/finding-context.d.ts +69 -0
  196. package/dist/explore/finding-context.d.ts.map +1 -0
  197. package/dist/explore/finding-context.js +102 -0
  198. package/dist/explore/finding-context.js.map +1 -0
  199. package/dist/explore/format.d.ts +64 -0
  200. package/dist/explore/format.d.ts.map +1 -0
  201. package/dist/explore/format.js +99 -0
  202. package/dist/explore/format.js.map +1 -0
  203. package/dist/explore/load.d.ts +50 -0
  204. package/dist/explore/load.d.ts.map +1 -0
  205. package/dist/explore/load.js +197 -0
  206. package/dist/explore/load.js.map +1 -0
  207. package/dist/explore/queries.d.ts +413 -0
  208. package/dist/explore/queries.d.ts.map +1 -0
  209. package/dist/explore/queries.js +855 -0
  210. package/dist/explore/queries.js.map +1 -0
  211. package/dist/explore/types.d.ts +130 -0
  212. package/dist/explore/types.d.ts.map +1 -0
  213. package/dist/explore/types.js +28 -0
  214. package/dist/explore/types.js.map +1 -0
  215. package/dist/explore-cli.d.ts +45 -0
  216. package/dist/explore-cli.d.ts.map +1 -0
  217. package/dist/explore-cli.js +213 -0
  218. package/dist/explore-cli.js.map +1 -0
  219. package/dist/generator.d.ts.map +1 -1
  220. package/dist/generator.js +19 -0
  221. package/dist/generator.js.map +1 -1
  222. package/dist/issue-cli.d.ts +62 -0
  223. package/dist/issue-cli.d.ts.map +1 -0
  224. package/dist/issue-cli.js +252 -0
  225. package/dist/issue-cli.js.map +1 -0
  226. package/dist/languages/csharp.d.ts.map +1 -1
  227. package/dist/languages/csharp.js +32 -11
  228. package/dist/languages/csharp.js.map +1 -1
  229. package/dist/languages/go.d.ts.map +1 -1
  230. package/dist/languages/go.js +5 -0
  231. package/dist/languages/go.js.map +1 -1
  232. package/dist/languages/index.d.ts +27 -0
  233. package/dist/languages/index.d.ts.map +1 -1
  234. package/dist/languages/index.js +35 -0
  235. package/dist/languages/index.js.map +1 -1
  236. package/dist/languages/java.d.ts.map +1 -1
  237. package/dist/languages/java.js +5 -0
  238. package/dist/languages/java.js.map +1 -1
  239. package/dist/languages/kotlin.d.ts.map +1 -1
  240. package/dist/languages/kotlin.js +5 -0
  241. package/dist/languages/kotlin.js.map +1 -1
  242. package/dist/languages/python.d.ts.map +1 -1
  243. package/dist/languages/python.js +5 -0
  244. package/dist/languages/python.js.map +1 -1
  245. package/dist/languages/ruby.d.ts.map +1 -1
  246. package/dist/languages/ruby.js +5 -0
  247. package/dist/languages/ruby.js.map +1 -1
  248. package/dist/languages/rust.d.ts.map +1 -1
  249. package/dist/languages/rust.js +5 -0
  250. package/dist/languages/rust.js.map +1 -1
  251. package/dist/languages/types.d.ts +79 -0
  252. package/dist/languages/types.d.ts.map +1 -1
  253. package/dist/languages/typescript.d.ts.map +1 -1
  254. package/dist/languages/typescript.js +6 -1
  255. package/dist/languages/typescript.js.map +1 -1
  256. package/package.json +2 -1
  257. package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
  258. package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
  259. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  260. package/templates/AGENTS.md.template +8 -1
  261. package/dist/baseline/producers/licenses.d.ts +0 -23
  262. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  263. package/dist/baseline/producers/licenses.js +0 -46
  264. package/dist/baseline/producers/licenses.js.map +0 -1
package/CHANGELOG.md CHANGED
@@ -7,6 +7,211 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.7.0] - 2026-05-29
11
+
12
+ The "Repo Explore" release. dxkit now builds a deterministic code graph
13
+ of your repo and exposes it three ways: a CLI to query structure, an
14
+ interactive graph in the dashboard, and per-finding blast radius in
15
+ detailed reports. The throughline is helping a coding agent fix findings
16
+ by navigating structure instead of re-reading whole files.
17
+
18
+ ### Added
19
+
20
+ - **`vyuh-dxkit explore`** with six subcommands (`entry-points`,
21
+ `hot-files`, `communities`, `file`, `feature`, `api-surface`) for
22
+ asking the code graph what the repo does, where a feature lives, which
23
+ files are load-bearing, and what the public API surface is.
24
+ - **`vyuh-dxkit context <query>`** returns a token-budgeted structural
25
+ slice for a query (an anchor symbol, its relevant neighbors, and the
26
+ blast radius), plus a fail-open Claude Code PreToolUse hook that feeds
27
+ it on Grep/Glob so agents need fewer follow-up whole-file reads.
28
+ Auto-installed with `--with-dxkit-agents`.
29
+ - **Interactive Graph tab** in `vyuh-dxkit dashboard`, embedding
30
+ graphify's code-graph viewer with the renderer bundled to work
31
+ offline. Large repos render a community-aggregated view.
32
+ - **`--graph-context`** on `vulnerabilities`, `test-gaps`, and `quality`
33
+ attaches each finding's module and blast radius (which files call into
34
+ it) to the detailed report, so a fixing agent gets the structural map
35
+ per finding without a separate lookup.
36
+ - **Per-language call-graph reliability.** Where the call graph cannot be
37
+ resolved (C#, which cannot follow `using` across assemblies), blast
38
+ radius reads "n/a" rather than a misleading "0 callers", so it is never
39
+ mistaken for "safe to change".
40
+ - **`dxkit-action`** now folds blast radius into prioritization as an
41
+ additive signal, and the generated `AGENTS.md` documents the new
42
+ commands.
43
+
44
+ ### Changed
45
+
46
+ - `vyuh-dxkit health` writes the code graph to
47
+ `.dxkit/reports/graph.json` as a side effect, so a single run
48
+ populates the artifact the explore, context, dashboard, and
49
+ graph-context surfaces read.
50
+
51
+ ## [2.6.0] - 2026-05-23
52
+
53
+ The "per-finding suppression + public-repo-safe baselines" release.
54
+ Adds the typed-category allowlist surface for false-positive /
55
+ test-fixture / mitigated-externally / accepted-risk / deferred
56
+ suppression with inline + file-level modes; retires license
57
+ findings from the baseline (~73% size drop on real customer repos);
58
+ introduces three baseline modes with visibility-aware defaults so
59
+ public repos no longer leak file paths, package names, and
60
+ advisory IDs through a committed baseline.
61
+
62
+ ### Added
63
+
64
+ - **Per-finding allowlist** — `vyuh-dxkit allowlist add/list/show/audit/prune`.
65
+ Typed-category suppression (`false-positive`, `test-fixture`,
66
+ `mitigated-externally`, `accepted-risk`, `deferred`) with required
67
+ reason + (where relevant) expiry. Two surfaces: inline
68
+ `// dxkit-allow:<category> reason="..."` annotations and a
69
+ file-level `.dxkit/allowlist.json`. `accepted-risk` and `deferred`
70
+ require expiry (default 90 days). See
71
+ [docs/commands/allowlist.md](docs/commands/allowlist.md).
72
+ - **Strict stale-annotation detection** — orphaned `dxkit-allow:`
73
+ annotations (where the underlying finding is now gone) emit a
74
+ new `stale-allow` baseline kind on the next scan. The
75
+ TypeScript `@ts-expect-error` pattern, applied to suppressions —
76
+ forces cleanup, prevents the annotation graveyard. Allowlisting
77
+ a `stale-allow` finding is forbidden; only remediation is to
78
+ remove the orphaned comment.
79
+ - **Allowlist activity in PR comments** — the
80
+ `dxkit-guardrails.yml` workflow's sticky PR comment now includes
81
+ an "Allowlist activity" section listing every entry added (or
82
+ removed) on this branch versus the baseline commit. Reviewers
83
+ see new suppressions being introduced and can sanity-check
84
+ category + reason + expiry before approving.
85
+ - **`vyuh-dxkit issue`** — pre-filled GitHub Issues for false
86
+ positives, missing findings, bugs, feature requests, and docs
87
+ gaps. Nothing submits automatically — the CLI opens the
88
+ customer's browser at a new-issue URL with env metadata
89
+ pre-populated, customer reviews + clicks "Submit." See
90
+ [docs/commands/issue.md](docs/commands/issue.md).
91
+ - **`commentSyntax` on language packs** — each pack declares its
92
+ line-comment marker (`#` for python/ruby; `//` for
93
+ typescript/go/rust/csharp/kotlin/java). Drives the inline
94
+ allowlist-annotation generator across every language uniformly.
95
+ Recipe-enforced: scaffolder ships an empty placeholder so
96
+ unfilled packs fail the contract test until populated.
97
+ - Three preemptive architecture rules in `scripts/check-architecture.sh`
98
+ lock down the allowlist canonical entry points: no `createHash`
99
+ inside `src/allowlist/`, no direct `allowlist.json` IO outside
100
+ the canonical loader, no language-comment fallback literals
101
+ (`?? '//'`) anywhere in the module.
102
+
103
+ ### Changed
104
+
105
+ - **License findings retired from the baseline.** Per-package
106
+ license attributions no longer flow through the baseline
107
+ producer registry — they were informational, not regression
108
+ material, and dominated baselines on real customer repos
109
+ (~73% of entries). The canonical license inventory now lives
110
+ solely in `.dxkit/bom.json` (`vyuh-dxkit bom`), which already
111
+ carries richer per-package data (licenseType, licenseText,
112
+ sourceUrl, supplier, releaseDate). Lenient migration:
113
+ baselines written by older dxkit versions still load — the
114
+ reader silently filters retired `license` entries on the way
115
+ in (no file rewrite until the next `baseline create --force`).
116
+ Dependency vulnerability tracking is unchanged — `dep-vuln`
117
+ is a separate identity kind on a separate producer and still
118
+ blocks via the guardrail check.
119
+ - **Sanitization machinery for baseline entries.** New pure
120
+ module `src/baseline/sanitize.ts` introduces a stripped
121
+ `SanitizedBaselineEntry` variant (`{ id, kind, sanitized: true }`)
122
+ carrying identity + kind only. The `sanitizeEntry` /
123
+ `sanitizeFile` pass collapses every rich field; cross-run
124
+ matching still works at full confidence via the fingerprint
125
+ multiset pass. Producers now emit the rich
126
+ `RichBaselineEntry` shape (a `BaselineEntry` excluding the
127
+ sanitized variant); sanitization is a write-time
128
+ transformation, never a producer concern. Consumers walking
129
+ a baseline narrow via the `isSanitized` type guard before
130
+ switching on `entry.kind`. Write-path wiring + visibility-
131
+ aware mode selection ship in a follow-up commit.
132
+
133
+ ### Added
134
+
135
+ - **Three baseline modes with visibility-aware defaults.**
136
+ `committed-full` (today's behavior, rich entries), `committed-
137
+ sanitized` (stripped per-entry payload via the sanitization
138
+ pass), and `ref-based` (no committed file; guardrail check
139
+ recomputes the prior side from a git ref via `git worktree
140
+ add`). The mode is picked by a single resolver
141
+ (`src/baseline/modes.ts`) with precedence: CLI flag →
142
+ `.dxkit/policy.json:baseline.mode` → visibility-derived default
143
+ (public repos auto-pick `ref-based`; everything else picks
144
+ `committed-full`). `committed-sanitized` is never auto-picked
145
+ — it's the explicit opt-in for compliance-conscious private
146
+ repos.
147
+ - `vyuh-dxkit baseline create [--mode <m>] [--ref <r>]` and
148
+ `vyuh-dxkit guardrail check [--mode <m>] [--ref <r>]` — flags
149
+ override `policy.json` for one-off runs.
150
+ - `gh repo view --json visibility` probe + per-process cache
151
+ in `src/baseline/visibility.ts`. Every failure path returns
152
+ `'unknown'`; the resolver treats unknown as private to avoid
153
+ surprise sanitization when `gh auth` lapses.
154
+ - Ref-based gather mechanics in `src/baseline/ref-baseline.ts` —
155
+ `withRefWorktree(opts, fn)` is the reusable primitive; tears
156
+ down the worktree on success + failure. Mirrors file-mode
157
+ `.dxkit/salt` into the worktree so secret-HMAC entries pair
158
+ across cwd + worktree.
159
+
160
+ ### Architectural notes
161
+
162
+ - New CLAUDE.md rule 11: baseline mode resolution flows through
163
+ `resolveBaselineMode`. Two arch-check rules lock the contract:
164
+ no `gh repo view --json visibility` outside
165
+ `src/baseline/visibility.ts`; no `git worktree add` / `remove`
166
+ outside `src/baseline/ref-baseline.ts`.
167
+ - `resolvePolicy` lifted from `check.ts` to `policy.ts` so
168
+ `createBaseline` and `runGuardrailCheck` share one canonical
169
+ loader.
170
+
171
+ ### Discovery surfaces
172
+
173
+ - **PR-comment markdown** now shows the resolved baseline mode in
174
+ the sticky footer (`_Mode_: \`ref-based\` (ref: \`origin/main\`)`).
175
+ Reviewers see WHY a guardrail run picked a given posture.
176
+ - **JSON renderer** carries `baseline.mode = { value, source,
177
+ explanation, ref? }` so agents + dashboards can read the audit
178
+ trail without re-deriving it.
179
+ - **`vyuh-dxkit doctor`** has two new operational checks:
180
+ - "baseline mode: ref-based" / "baseline captured (mode: ...)" —
181
+ the existing baseline-captured check now understands ref-based
182
+ mode (where no on-disk file is expected) so the doctor stops
183
+ reporting a false-negative on public repos.
184
+ - "baseline mode aligned with repo visibility" — warns when an
185
+ explicit `committed-full` pin is in use on a public repo (the
186
+ posture leaks file paths + package names; the auto-picker
187
+ would have chosen ref-based).
188
+ - **`dxkit-onboard` skill** — step 5 now ASKs about disclosure
189
+ posture before running `baseline create`, walks customers through
190
+ the three modes, and offers a one-shot `.dxkit/policy.json` snippet
191
+ for pinning the choice repo-wide.
192
+ - **`dxkit-action` skill** — new section explains how to act on a
193
+ blocked finding when the baseline is sanitized / ref-based
194
+ (locator stripped at write time; re-run the analyzer for full
195
+ context or allowlist by fingerprint).
196
+ - **README + getting-started.md** — call out the public-repo
197
+ posture explicitly so customers don't accidentally commit a
198
+ rich baseline to an open-source repo.
199
+
200
+ ### Architectural notes
201
+
202
+ - Added `stale-allow` as a new `IdentityKind` (Rule 9 + Rule 10
203
+ compliant: identityFor case + producer + fixture row +
204
+ removed from `DEFERRED_KINDS` once the gather pass landed).
205
+ - The hint formatter (block-time guidance for blocked findings)
206
+ consumes the canonical `BaselineEntry` discriminated union
207
+ directly — no invented intermediate "BlockingFinding" shape.
208
+ TypeScript exhaustiveness across 6+ switches guarantees new
209
+ finding kinds can't ship without matching cases.
210
+ - `dxkit-action` skill extended with the typed-category +
211
+ surfaces description; SAST recipe redirects from semgrep's
212
+ `// nosemgrep:` to dxkit's `// dxkit-allow:` (single canonical
213
+ suppression surface across all scanners).
214
+
10
215
  ## [2.5.2] - 2026-05-22
11
216
 
12
217
  The "scaffold UX + lifecycle skills + setup automation" release. Closes
@@ -21,7 +226,7 @@ Tag: `create-dxkit@v0.2.0`. Run `npm init @vyuhlabs/dxkit` to get
21
226
  the new combined experience.
22
227
 
23
228
  Validated end-to-end with two cross-stack walkthroughs on 2026-05-22:
24
- `vyuhlabs-platform` (python + typescript) and `dpl-studio` (csharp).
229
+ a polyglot Python+TypeScript reference repo and a .NET reference repo.
25
230
  Both stacks: defect closures verified, per-pack devcontainer adapts
26
231
  correctly, doctor's new tier-3 surfaces operational gaps with
27
232
  actionable fix commands.
@@ -1457,9 +1662,9 @@ Four pieces shipped together:
1457
1662
  The post-shipment audit's master bug + its direct cascade:
1458
1663
 
1459
1664
  - **D055** — `.dxkit-ignore` multi-segment paths flatten to basenames
1460
- in cloc / graphify / grep. `Dev/Addons/VendorAddon/SAPB1/` silently
1461
- became `{Dev, Addons, VendorAddon, SAPB1}` cloc then excluded every
1462
- directory named `Dev` in the tree, killing 90% of source visibility.
1665
+ in cloc / graphify / grep. `app/vendor/generated/` silently
1666
+ became `{app, vendor, generated}`, so cloc then excluded every
1667
+ directory named `app` in the tree, killing 90% of source visibility.
1463
1668
  Fix: `getClocExcludeFlags` emits `--exclude-dir` (basenames) PLUS
1464
1669
  `--fullpath --not-match-d` (Perl regex on full path).
1465
1670
  `getPythonExcludeFilter` emits both a basename set AND a multi-
@@ -1661,7 +1866,7 @@ discipline.
1661
1866
  (osv-scanner reads Gemfile.lock directly, no `bundle env`/`bundle
1662
1867
  show` introspection ladder). Stays accepted-deferred.
1663
1868
  - **D017** (NEW) — `dxkit bom <large-project> > file.json` produces
1664
- 0-byte output intermittently on vyuhlabs-platform (1700+ deps).
1869
+ 0-byte output intermittently on a large reference repo (1700+ deps).
1665
1870
  EXIT=0, no error. Workaround: pipe through `cat`. Hypothesis:
1666
1871
  Node stdout buffer doesn't drain before process exit when output
1667
1872
  is large + stdout is a regular file. NOT a 2.4.6 ship blocker —
@@ -1671,7 +1876,7 @@ discipline.
1671
1876
  ### Pre-ship regression — clean
1672
1877
 
1673
1878
  Sequential dxkit reports captured against dxkit-on-dxkit and
1674
- vyuhlabs-platform; 12 reports each diffed against the 2.4.5-fixed
1879
+ a large reference repo; 12 reports each diffed against the 2.4.5-fixed
1675
1880
  baseline. Zero code regressions detected. All deltas explained:
1676
1881
 
1677
1882
  - dxkit/test-gaps 16 → 32 — better data (Istanbul vs import-graph
@@ -1723,7 +1928,7 @@ at every commit in the 10-commit branch.
1723
1928
  `typescript`, etc.). `unfilteredTotalPackages` 22 → 353. The
1724
1929
  analyzed project's own deps were missing from BoM whenever the
1725
1930
  bug hit. Most repos that resolve peer-deps cleanly under
1726
- `--legacy-peer-deps` weren't affected (vyuhlabs-platform's BoM
1931
+ `--legacy-peer-deps` weren't affected (the reference repo's BoM
1727
1932
  stayed correct at 145 packages); repos with subtle peer-dep
1728
1933
  issues silently lost root-dep enumeration.
1729
1934
 
@@ -2592,7 +2797,7 @@ unchanged — consumers can re-derive trivially if needed.
2592
2797
  - 715 tests passing (+18 pm-signals cases: license class mapping,
2593
2798
  compound expressions, staleness thresholds, effort semver deltas).
2594
2799
  - Typecheck + lint + format + architecture + pre-push CI-mirror gate clean.
2595
- - vyuhlabs-platform smoke: all 4 sheets render correctly, exec summary
2800
+ - reference-repo smoke: all 4 sheets render correctly, exec summary
2596
2801
  surfaces 3 ship-blockers + 9 sprint-risk findings + pm2 flagged
2597
2802
  copyleft-strong, `@loopback/rest` surfaces as highest-leverage upgrade
2598
2803
  (27 transitive advisories, worst CRITICAL).
@@ -2600,7 +2805,7 @@ unchanged — consumers can re-derive trivially if needed.
2600
2805
  ## [2.3.1] - 2026-04-24
2601
2806
 
2602
2807
  Patch release fixing three install-robustness issues reported on a
2603
- real vyuhlabs-platform install:
2808
+ real reference-repo install:
2604
2809
 
2605
2810
  ### Fixed
2606
2811
 
@@ -2646,7 +2851,7 @@ real vyuhlabs-platform install:
2646
2851
  Warnings only, no functional impact; would require either switching
2647
2852
  xlsx libraries (breaking) or upstream archiver modernization.
2648
2853
 
2649
- ### Validation on vyuhlabs-platform/userserver
2854
+ ### Validation on the polyglot reference repo
2650
2855
 
2651
2856
  - `vyuh-dxkit tools` reports 12/13 tools found (vitest-coverage
2652
2857
  correctly listed as missing since lb-mocha is in use)
@@ -2719,7 +2924,7 @@ merge → tag → CI-publishes without deviation.
2719
2924
  unions the roots each package was found in; `isTopLevel`
2720
2925
  OR-merges; vulns dedup on `(id, package, installedVersion)`.
2721
2926
  Closes **D001a** — `bom platform/` previously missed
2722
- `platform/userserver/` entirely. Side-benefit: naturally
2927
+ the product subdirectory entirely. Side-benefit: naturally
2723
2928
  addresses **D003** (C# multi-project) since each `.csproj`
2724
2929
  becomes its own root. (10h.5.0b)
2725
2930
 
@@ -2836,7 +3041,7 @@ bump required.
2836
3041
  - **TypeScript pack** — BFS over `package-lock.json` (v2/v3) from
2837
3042
  each root `dependencies` / `devDependencies` entry. Pure parser
2838
3043
  `buildTsTopLevelDepIndex` unit-tested; benchmark on
2839
- `vyuhlabs-platform`: 71/71 findings attributed across 31 vulnerable
3044
+ reference repo: 71/71 findings attributed across 31 vulnerable
2840
3045
  packages, `@loopback/cli` rollup = 29 advisories (matches Snyk UI).
2841
3046
 
2842
3047
  - **Python pack** — BFS over `pip show` graph from packages with empty
@@ -2902,7 +3107,7 @@ bump required.
2902
3107
  `obj/project.assets.json`. Findings still emit; `topLevelDep` stays
2903
3108
  unset.
2904
3109
 
2905
- - Release validated against `vyuhlabs-platform` TypeScript benchmark.
3110
+ - Release validated against the TypeScript reference benchmark.
2906
3111
  Python/Go/Rust/C# packs exercised via fixture-based unit tests
2907
3112
  (+53 new tests across the 4 non-TS language test files); real-world
2908
3113
  validation lands with 2.3.0's cross-ecosystem benchmark fixtures.