@vyuhlabs/dxkit 2.5.2 → 2.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +218 -13
- package/README.md +220 -369
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +3 -3
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +168 -6
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +106 -16
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +32 -11
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +5 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +5 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +5 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +5 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +5 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +5 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +79 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +6 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,211 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.7.0] - 2026-05-29
|
|
11
|
+
|
|
12
|
+
The "Repo Explore" release. dxkit now builds a deterministic code graph
|
|
13
|
+
of your repo and exposes it three ways: a CLI to query structure, an
|
|
14
|
+
interactive graph in the dashboard, and per-finding blast radius in
|
|
15
|
+
detailed reports. The throughline is helping a coding agent fix findings
|
|
16
|
+
by navigating structure instead of re-reading whole files.
|
|
17
|
+
|
|
18
|
+
### Added
|
|
19
|
+
|
|
20
|
+
- **`vyuh-dxkit explore`** with six subcommands (`entry-points`,
|
|
21
|
+
`hot-files`, `communities`, `file`, `feature`, `api-surface`) for
|
|
22
|
+
asking the code graph what the repo does, where a feature lives, which
|
|
23
|
+
files are load-bearing, and what the public API surface is.
|
|
24
|
+
- **`vyuh-dxkit context <query>`** returns a token-budgeted structural
|
|
25
|
+
slice for a query (an anchor symbol, its relevant neighbors, and the
|
|
26
|
+
blast radius), plus a fail-open Claude Code PreToolUse hook that feeds
|
|
27
|
+
it on Grep/Glob so agents need fewer follow-up whole-file reads.
|
|
28
|
+
Auto-installed with `--with-dxkit-agents`.
|
|
29
|
+
- **Interactive Graph tab** in `vyuh-dxkit dashboard`, embedding
|
|
30
|
+
graphify's code-graph viewer with the renderer bundled to work
|
|
31
|
+
offline. Large repos render a community-aggregated view.
|
|
32
|
+
- **`--graph-context`** on `vulnerabilities`, `test-gaps`, and `quality`
|
|
33
|
+
attaches each finding's module and blast radius (which files call into
|
|
34
|
+
it) to the detailed report, so a fixing agent gets the structural map
|
|
35
|
+
per finding without a separate lookup.
|
|
36
|
+
- **Per-language call-graph reliability.** Where the call graph cannot be
|
|
37
|
+
resolved (C#, which cannot follow `using` across assemblies), blast
|
|
38
|
+
radius reads "n/a" rather than a misleading "0 callers", so it is never
|
|
39
|
+
mistaken for "safe to change".
|
|
40
|
+
- **`dxkit-action`** now folds blast radius into prioritization as an
|
|
41
|
+
additive signal, and the generated `AGENTS.md` documents the new
|
|
42
|
+
commands.
|
|
43
|
+
|
|
44
|
+
### Changed
|
|
45
|
+
|
|
46
|
+
- `vyuh-dxkit health` writes the code graph to
|
|
47
|
+
`.dxkit/reports/graph.json` as a side effect, so a single run
|
|
48
|
+
populates the artifact the explore, context, dashboard, and
|
|
49
|
+
graph-context surfaces read.
|
|
50
|
+
|
|
51
|
+
## [2.6.0] - 2026-05-23
|
|
52
|
+
|
|
53
|
+
The "per-finding suppression + public-repo-safe baselines" release.
|
|
54
|
+
Adds the typed-category allowlist surface for false-positive /
|
|
55
|
+
test-fixture / mitigated-externally / accepted-risk / deferred
|
|
56
|
+
suppression with inline + file-level modes; retires license
|
|
57
|
+
findings from the baseline (~73% size drop on real customer repos);
|
|
58
|
+
introduces three baseline modes with visibility-aware defaults so
|
|
59
|
+
public repos no longer leak file paths, package names, and
|
|
60
|
+
advisory IDs through a committed baseline.
|
|
61
|
+
|
|
62
|
+
### Added
|
|
63
|
+
|
|
64
|
+
- **Per-finding allowlist** — `vyuh-dxkit allowlist add/list/show/audit/prune`.
|
|
65
|
+
Typed-category suppression (`false-positive`, `test-fixture`,
|
|
66
|
+
`mitigated-externally`, `accepted-risk`, `deferred`) with required
|
|
67
|
+
reason + (where relevant) expiry. Two surfaces: inline
|
|
68
|
+
`// dxkit-allow:<category> reason="..."` annotations and a
|
|
69
|
+
file-level `.dxkit/allowlist.json`. `accepted-risk` and `deferred`
|
|
70
|
+
require expiry (default 90 days). See
|
|
71
|
+
[docs/commands/allowlist.md](docs/commands/allowlist.md).
|
|
72
|
+
- **Strict stale-annotation detection** — orphaned `dxkit-allow:`
|
|
73
|
+
annotations (where the underlying finding is now gone) emit a
|
|
74
|
+
new `stale-allow` baseline kind on the next scan. The
|
|
75
|
+
TypeScript `@ts-expect-error` pattern, applied to suppressions —
|
|
76
|
+
forces cleanup, prevents the annotation graveyard. Allowlisting
|
|
77
|
+
a `stale-allow` finding is forbidden; only remediation is to
|
|
78
|
+
remove the orphaned comment.
|
|
79
|
+
- **Allowlist activity in PR comments** — the
|
|
80
|
+
`dxkit-guardrails.yml` workflow's sticky PR comment now includes
|
|
81
|
+
an "Allowlist activity" section listing every entry added (or
|
|
82
|
+
removed) on this branch versus the baseline commit. Reviewers
|
|
83
|
+
see new suppressions being introduced and can sanity-check
|
|
84
|
+
category + reason + expiry before approving.
|
|
85
|
+
- **`vyuh-dxkit issue`** — pre-filled GitHub Issues for false
|
|
86
|
+
positives, missing findings, bugs, feature requests, and docs
|
|
87
|
+
gaps. Nothing submits automatically — the CLI opens the
|
|
88
|
+
customer's browser at a new-issue URL with env metadata
|
|
89
|
+
pre-populated, customer reviews + clicks "Submit." See
|
|
90
|
+
[docs/commands/issue.md](docs/commands/issue.md).
|
|
91
|
+
- **`commentSyntax` on language packs** — each pack declares its
|
|
92
|
+
line-comment marker (`#` for python/ruby; `//` for
|
|
93
|
+
typescript/go/rust/csharp/kotlin/java). Drives the inline
|
|
94
|
+
allowlist-annotation generator across every language uniformly.
|
|
95
|
+
Recipe-enforced: scaffolder ships an empty placeholder so
|
|
96
|
+
unfilled packs fail the contract test until populated.
|
|
97
|
+
- Three preemptive architecture rules in `scripts/check-architecture.sh`
|
|
98
|
+
lock down the allowlist canonical entry points: no `createHash`
|
|
99
|
+
inside `src/allowlist/`, no direct `allowlist.json` IO outside
|
|
100
|
+
the canonical loader, no language-comment fallback literals
|
|
101
|
+
(`?? '//'`) anywhere in the module.
|
|
102
|
+
|
|
103
|
+
### Changed
|
|
104
|
+
|
|
105
|
+
- **License findings retired from the baseline.** Per-package
|
|
106
|
+
license attributions no longer flow through the baseline
|
|
107
|
+
producer registry — they were informational, not regression
|
|
108
|
+
material, and dominated baselines on real customer repos
|
|
109
|
+
(~73% of entries). The canonical license inventory now lives
|
|
110
|
+
solely in `.dxkit/bom.json` (`vyuh-dxkit bom`), which already
|
|
111
|
+
carries richer per-package data (licenseType, licenseText,
|
|
112
|
+
sourceUrl, supplier, releaseDate). Lenient migration:
|
|
113
|
+
baselines written by older dxkit versions still load — the
|
|
114
|
+
reader silently filters retired `license` entries on the way
|
|
115
|
+
in (no file rewrite until the next `baseline create --force`).
|
|
116
|
+
Dependency vulnerability tracking is unchanged — `dep-vuln`
|
|
117
|
+
is a separate identity kind on a separate producer and still
|
|
118
|
+
blocks via the guardrail check.
|
|
119
|
+
- **Sanitization machinery for baseline entries.** New pure
|
|
120
|
+
module `src/baseline/sanitize.ts` introduces a stripped
|
|
121
|
+
`SanitizedBaselineEntry` variant (`{ id, kind, sanitized: true }`)
|
|
122
|
+
carrying identity + kind only. The `sanitizeEntry` /
|
|
123
|
+
`sanitizeFile` pass collapses every rich field; cross-run
|
|
124
|
+
matching still works at full confidence via the fingerprint
|
|
125
|
+
multiset pass. Producers now emit the rich
|
|
126
|
+
`RichBaselineEntry` shape (a `BaselineEntry` excluding the
|
|
127
|
+
sanitized variant); sanitization is a write-time
|
|
128
|
+
transformation, never a producer concern. Consumers walking
|
|
129
|
+
a baseline narrow via the `isSanitized` type guard before
|
|
130
|
+
switching on `entry.kind`. Write-path wiring + visibility-
|
|
131
|
+
aware mode selection ship in a follow-up commit.
|
|
132
|
+
|
|
133
|
+
### Added
|
|
134
|
+
|
|
135
|
+
- **Three baseline modes with visibility-aware defaults.**
|
|
136
|
+
`committed-full` (today's behavior, rich entries), `committed-
|
|
137
|
+
sanitized` (stripped per-entry payload via the sanitization
|
|
138
|
+
pass), and `ref-based` (no committed file; guardrail check
|
|
139
|
+
recomputes the prior side from a git ref via `git worktree
|
|
140
|
+
add`). The mode is picked by a single resolver
|
|
141
|
+
(`src/baseline/modes.ts`) with precedence: CLI flag →
|
|
142
|
+
`.dxkit/policy.json:baseline.mode` → visibility-derived default
|
|
143
|
+
(public repos auto-pick `ref-based`; everything else picks
|
|
144
|
+
`committed-full`). `committed-sanitized` is never auto-picked
|
|
145
|
+
— it's the explicit opt-in for compliance-conscious private
|
|
146
|
+
repos.
|
|
147
|
+
- `vyuh-dxkit baseline create [--mode <m>] [--ref <r>]` and
|
|
148
|
+
`vyuh-dxkit guardrail check [--mode <m>] [--ref <r>]` — flags
|
|
149
|
+
override `policy.json` for one-off runs.
|
|
150
|
+
- `gh repo view --json visibility` probe + per-process cache
|
|
151
|
+
in `src/baseline/visibility.ts`. Every failure path returns
|
|
152
|
+
`'unknown'`; the resolver treats unknown as private to avoid
|
|
153
|
+
surprise sanitization when `gh auth` lapses.
|
|
154
|
+
- Ref-based gather mechanics in `src/baseline/ref-baseline.ts` —
|
|
155
|
+
`withRefWorktree(opts, fn)` is the reusable primitive; tears
|
|
156
|
+
down the worktree on success + failure. Mirrors file-mode
|
|
157
|
+
`.dxkit/salt` into the worktree so secret-HMAC entries pair
|
|
158
|
+
across cwd + worktree.
|
|
159
|
+
|
|
160
|
+
### Architectural notes
|
|
161
|
+
|
|
162
|
+
- New CLAUDE.md rule 11: baseline mode resolution flows through
|
|
163
|
+
`resolveBaselineMode`. Two arch-check rules lock the contract:
|
|
164
|
+
no `gh repo view --json visibility` outside
|
|
165
|
+
`src/baseline/visibility.ts`; no `git worktree add` / `remove`
|
|
166
|
+
outside `src/baseline/ref-baseline.ts`.
|
|
167
|
+
- `resolvePolicy` lifted from `check.ts` to `policy.ts` so
|
|
168
|
+
`createBaseline` and `runGuardrailCheck` share one canonical
|
|
169
|
+
loader.
|
|
170
|
+
|
|
171
|
+
### Discovery surfaces
|
|
172
|
+
|
|
173
|
+
- **PR-comment markdown** now shows the resolved baseline mode in
|
|
174
|
+
the sticky footer (`_Mode_: \`ref-based\` (ref: \`origin/main\`)`).
|
|
175
|
+
Reviewers see WHY a guardrail run picked a given posture.
|
|
176
|
+
- **JSON renderer** carries `baseline.mode = { value, source,
|
|
177
|
+
explanation, ref? }` so agents + dashboards can read the audit
|
|
178
|
+
trail without re-deriving it.
|
|
179
|
+
- **`vyuh-dxkit doctor`** has two new operational checks:
|
|
180
|
+
- "baseline mode: ref-based" / "baseline captured (mode: ...)" —
|
|
181
|
+
the existing baseline-captured check now understands ref-based
|
|
182
|
+
mode (where no on-disk file is expected) so the doctor stops
|
|
183
|
+
reporting a false-negative on public repos.
|
|
184
|
+
- "baseline mode aligned with repo visibility" — warns when an
|
|
185
|
+
explicit `committed-full` pin is in use on a public repo (the
|
|
186
|
+
posture leaks file paths + package names; the auto-picker
|
|
187
|
+
would have chosen ref-based).
|
|
188
|
+
- **`dxkit-onboard` skill** — step 5 now ASKs about disclosure
|
|
189
|
+
posture before running `baseline create`, walks customers through
|
|
190
|
+
the three modes, and offers a one-shot `.dxkit/policy.json` snippet
|
|
191
|
+
for pinning the choice repo-wide.
|
|
192
|
+
- **`dxkit-action` skill** — new section explains how to act on a
|
|
193
|
+
blocked finding when the baseline is sanitized / ref-based
|
|
194
|
+
(locator stripped at write time; re-run the analyzer for full
|
|
195
|
+
context or allowlist by fingerprint).
|
|
196
|
+
- **README + getting-started.md** — call out the public-repo
|
|
197
|
+
posture explicitly so customers don't accidentally commit a
|
|
198
|
+
rich baseline to an open-source repo.
|
|
199
|
+
|
|
200
|
+
### Architectural notes
|
|
201
|
+
|
|
202
|
+
- Added `stale-allow` as a new `IdentityKind` (Rule 9 + Rule 10
|
|
203
|
+
compliant: identityFor case + producer + fixture row +
|
|
204
|
+
removed from `DEFERRED_KINDS` once the gather pass landed).
|
|
205
|
+
- The hint formatter (block-time guidance for blocked findings)
|
|
206
|
+
consumes the canonical `BaselineEntry` discriminated union
|
|
207
|
+
directly — no invented intermediate "BlockingFinding" shape.
|
|
208
|
+
TypeScript exhaustiveness across 6+ switches guarantees new
|
|
209
|
+
finding kinds can't ship without matching cases.
|
|
210
|
+
- `dxkit-action` skill extended with the typed-category +
|
|
211
|
+
surfaces description; SAST recipe redirects from semgrep's
|
|
212
|
+
`// nosemgrep:` to dxkit's `// dxkit-allow:` (single canonical
|
|
213
|
+
suppression surface across all scanners).
|
|
214
|
+
|
|
10
215
|
## [2.5.2] - 2026-05-22
|
|
11
216
|
|
|
12
217
|
The "scaffold UX + lifecycle skills + setup automation" release. Closes
|
|
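Review bot: the 2.6.0 entry contradicts itself. The sanitization bullet under `### Changed` ends with "Write-path wiring + visibility-aware mode selection ship in a follow-up commit", but the second `### Added` block a few lines later says the three baseline modes, `resolveBaselineMode`, the `gh repo view --json visibility` probe and the ref-based worktree gather all ship in 2.6.0; one of the two statements is stale and should go. While fixing that, merge the duplicated headings (two `### Added`, two `### Architectural notes` within one release) so the entry has one section per category. The security-relevant gap is in the visibility bullet: "Every failure path returns 'unknown'; the resolver treats unknown as private", so a public repo where `gh` is missing or not authenticated (typical CI) auto-picks `committed-full`, and the doctor check described below only warns on an explicit `committed-full` pin, not on this fallback. That is precisely the rich-baseline leak the release summary says it prevents; say so in the entry and in the onboarding step so users pin `ref-based` in `.dxkit/policy.json` rather than relying on the probe. Finally, since `--ref` is user-selected (CLI flag or `policy.json`) and the guardrail recomputes the "prior side" from it via `git worktree add`, the docs should state that it must point at a protected ref such as `origin/main`, otherwise the comparison baseline is whatever the PR author can move.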
@@ -21,7 +226,7 @@ Tag: `create-dxkit@v0.2.0`. Run `npm init @vyuhlabs/dxkit` to get
|
|
|
21
226
|
the new combined experience.
|
|
22
227
|
|
|
23
228
|
Validated end-to-end with two cross-stack walkthroughs on 2026-05-22:
|
|
24
|
-
|
|
229
|
+
a polyglot Python+TypeScript reference repo and a .NET reference repo.
|
|
25
230
|
Both stacks: defect closures verified, per-pack devcontainer adapts
|
|
26
231
|
correctly, doctor's new tier-3 surfaces operational gaps with
|
|
27
232
|
actionable fix commands.
|
|
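Review bot: editing entries for already-published versions (2.5.2 here, and 2.4.x/2.3.x in the hunks below) to say "reference repo" does not remove the original wording from the registry: the 2.5.2 tarball this diff is computed against still ships the old CHANGELOG text, and the old line this hunk replaces is blank in this rendering, so what was removed cannot be checked from the diff itself. If this is a deliberate redaction, record it once in the 2.7.0 entry (e.g. "historical entries reworded to remove repo names") rather than silently rewriting released sections, and accept that prior versions retain the names.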
@@ -1457,9 +1662,9 @@ Four pieces shipped together:
|
|
|
1457
1662
|
The post-shipment audit's master bug + its direct cascade:
|
|
1458
1663
|
|
|
1459
1664
|
- **D055** — `.dxkit-ignore` multi-segment paths flatten to basenames
|
|
1460
|
-
in cloc / graphify / grep. `
|
|
1461
|
-
became `{
|
|
1462
|
-
directory named `
|
|
1665
|
+
in cloc / graphify / grep. `app/vendor/generated/` silently
|
|
1666
|
+
became `{app, vendor, generated}`, so cloc then excluded every
|
|
1667
|
+
directory named `app` in the tree, killing 90% of source visibility.
|
|
1463
1668
|
Fix: `getClocExcludeFlags` emits `--exclude-dir` (basenames) PLUS
|
|
1464
1669
|
`--fullpath --not-match-d` (Perl regex on full path).
|
|
1465
1670
|
`getPythonExcludeFilter` emits both a basename set AND a multi-
|
|
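Review bot: the three replaced lines also repair broken markdown, since the old D055 text was cut off mid-inline-code (`in cloc / graphify / grep. \``, `became \`{`, `directory named \``) and left an unbalanced backtick in the 2.4.x entry. Confirm those old lines were truncation and not intentional, and, if the `app/vendor/generated/` path is illustrative rather than the path from the original run, say so, because the "killing 90% of source visibility" figure is tied to that original repo.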
@@ -1661,7 +1866,7 @@ discipline.
|
|
|
1661
1866
|
(osv-scanner reads Gemfile.lock directly, no `bundle env`/`bundle
|
|
1662
1867
|
show` introspection ladder). Stays accepted-deferred.
|
|
1663
1868
|
- **D017** (NEW) — `dxkit bom <large-project> > file.json` produces
|
|
1664
|
-
0-byte output intermittently on
|
|
1869
|
+
0-byte output intermittently on a large reference repo (1700+ deps).
|
|
1665
1870
|
EXIT=0, no error. Workaround: pipe through `cat`. Hypothesis:
|
|
1666
1871
|
Node stdout buffer doesn't drain before process exit when output
|
|
1667
1872
|
is large + stdout is a regular file. NOT a 2.4.6 ship blocker —
|
|
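Review bot: the line being touched still describes a silent failure (`dxkit bom ... > file.json` writing 0 bytes with EXIT=0 and no error) that the entry leaves as "NOT a ... ship blocker", and the 2.6.0 section above now makes `.dxkit/bom.json` the sole canonical license inventory, so an empty BoM carries more downstream weight than when D017 was filed. Since the wording is being edited anyway, record whether the stdout-drain hypothesis was confirmed and on which Node version, and reference the tracking item; a byte-count check on the written file before exiting non-zero would turn this from a silent into a loud failure.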
@@ -1671,7 +1876,7 @@ discipline.
|
|
|
1671
1876
|
### Pre-ship regression — clean
|
|
1672
1877
|
|
|
1673
1878
|
Sequential dxkit reports captured against dxkit-on-dxkit and
|
|
1674
|
-
|
|
1879
|
+
a large reference repo; 12 reports each diffed against the 2.4.5-fixed
|
|
1675
1880
|
baseline. Zero code regressions detected. All deltas explained:
|
|
1676
1881
|
|
|
1677
1882
|
- dxkit/test-gaps 16 → 32 — better data (Istanbul vs import-graph
|
|
@@ -1723,7 +1928,7 @@ at every commit in the 10-commit branch.
|
|
|
1723
1928
|
`typescript`, etc.). `unfilteredTotalPackages` 22 → 353. The
|
|
1724
1929
|
analyzed project's own deps were missing from BoM whenever the
|
|
1725
1930
|
bug hit. Most repos that resolve peer-deps cleanly under
|
|
1726
|
-
`--legacy-peer-deps` weren't affected (
|
|
1931
|
+
`--legacy-peer-deps` weren't affected (the reference repo's BoM
|
|
1727
1932
|
stayed correct at 145 packages); repos with subtle peer-dep
|
|
1728
1933
|
issues silently lost root-dep enumeration.
|
|
1729
1934
|
|
|
@@ -2592,7 +2797,7 @@ unchanged — consumers can re-derive trivially if needed.
|
|
|
2592
2797
|
- 715 tests passing (+18 pm-signals cases: license class mapping,
|
|
2593
2798
|
compound expressions, staleness thresholds, effort semver deltas).
|
|
2594
2799
|
- Typecheck + lint + format + architecture + pre-push CI-mirror gate clean.
|
|
2595
|
-
-
|
|
2800
|
+
- reference-repo smoke: all 4 sheets render correctly, exec summary
|
|
2596
2801
|
surfaces 3 ship-blockers + 9 sprint-risk findings + pm2 flagged
|
|
2597
2802
|
copyleft-strong, `@loopback/rest` surfaces as highest-leverage upgrade
|
|
2598
2803
|
(27 transitive advisories, worst CRITICAL).
|
|
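Review bot: renaming the target to "reference-repo smoke" while keeping `@loopback/rest` with "27 transitive advisories, worst CRITICAL" does not anonymize much, because package names and advisory details are exactly what the 2.6.0 entry lists as leaking from a committed baseline on public repos ("file paths, package names, and advisory IDs"). Either the rename is unnecessary, or it should also cover the package names and counts here and `@loopback/cli` rollup = 29 advisories in the 2.3.x entry further down.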
@@ -2600,7 +2805,7 @@ unchanged — consumers can re-derive trivially if needed.
|
|
|
2600
2805
|
## [2.3.1] - 2026-04-24
|
|
2601
2806
|
|
|
2602
2807
|
Patch release fixing three install-robustness issues reported on a
|
|
2603
|
-
real
|
|
2808
|
+
real reference-repo install:
|
|
2604
2809
|
|
|
2605
2810
|
### Fixed
|
|
2606
2811
|
|
|
@@ -2646,7 +2851,7 @@ real vyuhlabs-platform install:
|
|
|
2646
2851
|
Warnings only, no functional impact; would require either switching
|
|
2647
2852
|
xlsx libraries (breaking) or upstream archiver modernization.
|
|
2648
2853
|
|
|
2649
|
-
### Validation on
|
|
2854
|
+
### Validation on the polyglot reference repo
|
|
2650
2855
|
|
|
2651
2856
|
- `vyuh-dxkit tools` reports 12/13 tools found (vitest-coverage
|
|
2652
2857
|
correctly listed as missing since lb-mocha is in use)
|
|
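Review bot: the hunk header context `real vyuhlabs-platform install:` is the pre-image of the line the previous hunk changed to `real reference-repo install:`; git fills that header from the old file, so the name this diff removes is still printed by any diff viewer showing the change. If the name must not appear, note that the published diff and earlier tarballs retain it regardless, and search the unchanged remainder of the file for other occurrences before relying on the rename.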
@@ -2719,7 +2924,7 @@ merge → tag → CI-publishes without deviation.
|
|
|
2719
2924
|
unions the roots each package was found in; `isTopLevel`
|
|
2720
2925
|
OR-merges; vulns dedup on `(id, package, installedVersion)`.
|
|
2721
2926
|
Closes **D001a** — `bom platform/` previously missed
|
|
2722
|
-
|
|
2927
|
+
the product subdirectory entirely. Side-benefit: naturally
|
|
2723
2928
|
addresses **D003** (C# multi-project) since each `.csproj`
|
|
2724
2929
|
becomes its own root. (10h.5.0b)
|
|
2725
2930
|
|
|
@@ -2836,7 +3041,7 @@ bump required.
|
|
|
2836
3041
|
- **TypeScript pack** — BFS over `package-lock.json` (v2/v3) from
|
|
2837
3042
|
each root `dependencies` / `devDependencies` entry. Pure parser
|
|
2838
3043
|
`buildTsTopLevelDepIndex` unit-tested; benchmark on
|
|
2839
|
-
|
|
3044
|
+
reference repo: 71/71 findings attributed across 31 vulnerable
|
|
2840
3045
|
packages, `@loopback/cli` rollup = 29 advisories (matches Snyk UI).
|
|
2841
3046
|
|
|
2842
3047
|
- **Python pack** — BFS over `pip show` graph from packages with empty
|
|
@@ -2902,7 +3107,7 @@ bump required.
|
|
|
2902
3107
|
`obj/project.assets.json`. Findings still emit; `topLevelDep` stays
|
|
2903
3108
|
unset.
|
|
2904
3109
|
|
|
2905
|
-
- Release validated against
|
|
3110
|
+
- Release validated against the TypeScript reference benchmark.
|
|
2906
3111
|
Python/Go/Rust/C# packs exercised via fixture-based unit tests
|
|
2907
3112
|
(+53 new tests across the 4 non-TS language test files); real-world
|
|
2908
3113
|
validation lands with 2.3.0's cross-ecosystem benchmark fixtures.
|