@vyuhlabs/dxkit 2.5.2 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (264) hide show
  1. package/CHANGELOG.md +218 -13
  2. package/README.md +220 -369
  3. package/dist/allowlist/categories.d.ts +120 -0
  4. package/dist/allowlist/categories.d.ts.map +1 -0
  5. package/dist/allowlist/categories.js +194 -0
  6. package/dist/allowlist/categories.js.map +1 -0
  7. package/dist/allowlist/cli.d.ts +95 -0
  8. package/dist/allowlist/cli.d.ts.map +1 -0
  9. package/dist/allowlist/cli.js +454 -0
  10. package/dist/allowlist/cli.js.map +1 -0
  11. package/dist/allowlist/diff.d.ts +67 -0
  12. package/dist/allowlist/diff.d.ts.map +1 -0
  13. package/dist/allowlist/diff.js +147 -0
  14. package/dist/allowlist/diff.js.map +1 -0
  15. package/dist/allowlist/file.d.ts +249 -0
  16. package/dist/allowlist/file.d.ts.map +1 -0
  17. package/dist/allowlist/file.js +497 -0
  18. package/dist/allowlist/file.js.map +1 -0
  19. package/dist/allowlist/gather.d.ts +61 -0
  20. package/dist/allowlist/gather.d.ts.map +1 -0
  21. package/dist/allowlist/gather.js +143 -0
  22. package/dist/allowlist/gather.js.map +1 -0
  23. package/dist/allowlist/hint.d.ts +80 -0
  24. package/dist/allowlist/hint.d.ts.map +1 -0
  25. package/dist/allowlist/hint.js +271 -0
  26. package/dist/allowlist/hint.js.map +1 -0
  27. package/dist/allowlist/inline.d.ts +149 -0
  28. package/dist/allowlist/inline.d.ts.map +1 -0
  29. package/dist/allowlist/inline.js +306 -0
  30. package/dist/allowlist/inline.js.map +1 -0
  31. package/dist/analyzers/bom/discovery.d.ts +3 -4
  32. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  33. package/dist/analyzers/bom/discovery.js +3 -4
  34. package/dist/analyzers/bom/discovery.js.map +1 -1
  35. package/dist/analyzers/bom/types.d.ts +1 -1
  36. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  37. package/dist/analyzers/dashboard/index.js +42 -5
  38. package/dist/analyzers/dashboard/index.js.map +1 -1
  39. package/dist/analyzers/quality/detailed.d.ts +8 -1
  40. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  41. package/dist/analyzers/quality/detailed.js +43 -10
  42. package/dist/analyzers/quality/detailed.js.map +1 -1
  43. package/dist/analyzers/security/detailed.d.ts +8 -1
  44. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  45. package/dist/analyzers/security/detailed.js +14 -1
  46. package/dist/analyzers/security/detailed.js.map +1 -1
  47. package/dist/analyzers/tests/detailed.d.ts +8 -1
  48. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  49. package/dist/analyzers/tests/detailed.js +26 -7
  50. package/dist/analyzers/tests/detailed.js.map +1 -1
  51. package/dist/analyzers/tools/cloc.js +3 -3
  52. package/dist/analyzers/tools/cloc.js.map +1 -1
  53. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  54. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  55. package/dist/analyzers/tools/exclusions.js +27 -13
  56. package/dist/analyzers/tools/exclusions.js.map +1 -1
  57. package/dist/analyzers/tools/graphify.d.ts +39 -5
  58. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  59. package/dist/analyzers/tools/graphify.js +609 -45
  60. package/dist/analyzers/tools/graphify.js.map +1 -1
  61. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  62. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  63. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  64. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  65. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  66. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  67. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  68. package/dist/analyzers/tools/parallel.js +7 -0
  69. package/dist/analyzers/tools/parallel.js.map +1 -1
  70. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  71. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  72. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  73. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  74. package/dist/analyzers/xlsx/licenses.js +7 -7
  75. package/dist/baseline/baseline-file.d.ts +7 -0
  76. package/dist/baseline/baseline-file.d.ts.map +1 -1
  77. package/dist/baseline/baseline-file.js +22 -1
  78. package/dist/baseline/baseline-file.js.map +1 -1
  79. package/dist/baseline/check-renderers.d.ts +13 -1
  80. package/dist/baseline/check-renderers.d.ts.map +1 -1
  81. package/dist/baseline/check-renderers.js +67 -1
  82. package/dist/baseline/check-renderers.js.map +1 -1
  83. package/dist/baseline/check.d.ts +33 -7
  84. package/dist/baseline/check.d.ts.map +1 -1
  85. package/dist/baseline/check.js +90 -64
  86. package/dist/baseline/check.js.map +1 -1
  87. package/dist/baseline/create.d.ts +35 -7
  88. package/dist/baseline/create.d.ts.map +1 -1
  89. package/dist/baseline/create.js +43 -5
  90. package/dist/baseline/create.js.map +1 -1
  91. package/dist/baseline/entry-to-located.d.ts +6 -1
  92. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  93. package/dist/baseline/entry-to-located.js +20 -2
  94. package/dist/baseline/entry-to-located.js.map +1 -1
  95. package/dist/baseline/finding-identity.d.ts.map +1 -1
  96. package/dist/baseline/finding-identity.js +15 -13
  97. package/dist/baseline/finding-identity.js.map +1 -1
  98. package/dist/baseline/modes.d.ts +140 -0
  99. package/dist/baseline/modes.d.ts.map +1 -0
  100. package/dist/baseline/modes.js +179 -0
  101. package/dist/baseline/modes.js.map +1 -0
  102. package/dist/baseline/policy.d.ts +64 -0
  103. package/dist/baseline/policy.d.ts.map +1 -1
  104. package/dist/baseline/policy.js +102 -1
  105. package/dist/baseline/policy.js.map +1 -1
  106. package/dist/baseline/producers/health.d.ts +2 -2
  107. package/dist/baseline/producers/health.d.ts.map +1 -1
  108. package/dist/baseline/producers/health.js.map +1 -1
  109. package/dist/baseline/producers/index.d.ts +11 -5
  110. package/dist/baseline/producers/index.d.ts.map +1 -1
  111. package/dist/baseline/producers/index.js +12 -9
  112. package/dist/baseline/producers/index.js.map +1 -1
  113. package/dist/baseline/producers/quality.d.ts +3 -3
  114. package/dist/baseline/producers/quality.d.ts.map +1 -1
  115. package/dist/baseline/producers/quality.js.map +1 -1
  116. package/dist/baseline/producers/secret-hmac.d.ts +2 -2
  117. package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
  118. package/dist/baseline/producers/secret-hmac.js.map +1 -1
  119. package/dist/baseline/producers/security.d.ts +2 -2
  120. package/dist/baseline/producers/security.d.ts.map +1 -1
  121. package/dist/baseline/producers/security.js.map +1 -1
  122. package/dist/baseline/producers/stale-allow.d.ts +70 -0
  123. package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
  124. package/dist/baseline/producers/stale-allow.js +111 -0
  125. package/dist/baseline/producers/stale-allow.js.map +1 -0
  126. package/dist/baseline/producers/tests.d.ts +2 -2
  127. package/dist/baseline/producers/tests.d.ts.map +1 -1
  128. package/dist/baseline/producers/tests.js.map +1 -1
  129. package/dist/baseline/ref-baseline.d.ts +114 -0
  130. package/dist/baseline/ref-baseline.d.ts.map +1 -0
  131. package/dist/baseline/ref-baseline.js +260 -0
  132. package/dist/baseline/ref-baseline.js.map +1 -0
  133. package/dist/baseline/sanitize.d.ts +80 -0
  134. package/dist/baseline/sanitize.d.ts.map +1 -0
  135. package/dist/baseline/sanitize.js +91 -0
  136. package/dist/baseline/sanitize.js.map +1 -0
  137. package/dist/baseline/show.d.ts.map +1 -1
  138. package/dist/baseline/show.js +9 -3
  139. package/dist/baseline/show.js.map +1 -1
  140. package/dist/baseline/types.d.ts +73 -26
  141. package/dist/baseline/types.d.ts.map +1 -1
  142. package/dist/baseline/types.js +7 -1
  143. package/dist/baseline/types.js.map +1 -1
  144. package/dist/baseline/visibility.d.ts +61 -0
  145. package/dist/baseline/visibility.d.ts.map +1 -0
  146. package/dist/baseline/visibility.js +121 -0
  147. package/dist/baseline/visibility.js.map +1 -0
  148. package/dist/cli.d.ts.map +1 -1
  149. package/dist/cli.js +168 -6
  150. package/dist/cli.js.map +1 -1
  151. package/dist/dashboard/graph-adapter.d.ts +151 -0
  152. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  153. package/dist/dashboard/graph-adapter.js +415 -0
  154. package/dist/dashboard/graph-adapter.js.map +1 -0
  155. package/dist/dashboard/graph-tab.d.ts +109 -0
  156. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  157. package/dist/dashboard/graph-tab.js +297 -0
  158. package/dist/dashboard/graph-tab.js.map +1 -0
  159. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  160. package/dist/doctor.d.ts.map +1 -1
  161. package/dist/doctor.js +106 -16
  162. package/dist/doctor.js.map +1 -1
  163. package/dist/explore/cli/api-surface.d.ts +12 -0
  164. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  165. package/dist/explore/cli/api-surface.js +57 -0
  166. package/dist/explore/cli/api-surface.js.map +1 -0
  167. package/dist/explore/cli/communities.d.ts +10 -0
  168. package/dist/explore/cli/communities.d.ts.map +1 -0
  169. package/dist/explore/cli/communities.js +47 -0
  170. package/dist/explore/cli/communities.js.map +1 -0
  171. package/dist/explore/cli/context.d.ts +16 -0
  172. package/dist/explore/cli/context.d.ts.map +1 -0
  173. package/dist/explore/cli/context.js +118 -0
  174. package/dist/explore/cli/context.js.map +1 -0
  175. package/dist/explore/cli/entry-points.d.ts +12 -0
  176. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  177. package/dist/explore/cli/entry-points.js +85 -0
  178. package/dist/explore/cli/entry-points.js.map +1 -0
  179. package/dist/explore/cli/feature.d.ts +16 -0
  180. package/dist/explore/cli/feature.d.ts.map +1 -0
  181. package/dist/explore/cli/feature.js +89 -0
  182. package/dist/explore/cli/feature.js.map +1 -0
  183. package/dist/explore/cli/file.d.ts +12 -0
  184. package/dist/explore/cli/file.d.ts.map +1 -0
  185. package/dist/explore/cli/file.js +139 -0
  186. package/dist/explore/cli/file.js.map +1 -0
  187. package/dist/explore/cli/hot-files.d.ts +11 -0
  188. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  189. package/dist/explore/cli/hot-files.js +63 -0
  190. package/dist/explore/cli/hot-files.js.map +1 -0
  191. package/dist/explore/context-hook.d.ts +42 -0
  192. package/dist/explore/context-hook.d.ts.map +1 -0
  193. package/dist/explore/context-hook.js +131 -0
  194. package/dist/explore/context-hook.js.map +1 -0
  195. package/dist/explore/finding-context.d.ts +69 -0
  196. package/dist/explore/finding-context.d.ts.map +1 -0
  197. package/dist/explore/finding-context.js +102 -0
  198. package/dist/explore/finding-context.js.map +1 -0
  199. package/dist/explore/format.d.ts +64 -0
  200. package/dist/explore/format.d.ts.map +1 -0
  201. package/dist/explore/format.js +99 -0
  202. package/dist/explore/format.js.map +1 -0
  203. package/dist/explore/load.d.ts +50 -0
  204. package/dist/explore/load.d.ts.map +1 -0
  205. package/dist/explore/load.js +197 -0
  206. package/dist/explore/load.js.map +1 -0
  207. package/dist/explore/queries.d.ts +413 -0
  208. package/dist/explore/queries.d.ts.map +1 -0
  209. package/dist/explore/queries.js +855 -0
  210. package/dist/explore/queries.js.map +1 -0
  211. package/dist/explore/types.d.ts +130 -0
  212. package/dist/explore/types.d.ts.map +1 -0
  213. package/dist/explore/types.js +28 -0
  214. package/dist/explore/types.js.map +1 -0
  215. package/dist/explore-cli.d.ts +45 -0
  216. package/dist/explore-cli.d.ts.map +1 -0
  217. package/dist/explore-cli.js +213 -0
  218. package/dist/explore-cli.js.map +1 -0
  219. package/dist/generator.d.ts.map +1 -1
  220. package/dist/generator.js +19 -0
  221. package/dist/generator.js.map +1 -1
  222. package/dist/issue-cli.d.ts +62 -0
  223. package/dist/issue-cli.d.ts.map +1 -0
  224. package/dist/issue-cli.js +252 -0
  225. package/dist/issue-cli.js.map +1 -0
  226. package/dist/languages/csharp.d.ts.map +1 -1
  227. package/dist/languages/csharp.js +32 -11
  228. package/dist/languages/csharp.js.map +1 -1
  229. package/dist/languages/go.d.ts.map +1 -1
  230. package/dist/languages/go.js +5 -0
  231. package/dist/languages/go.js.map +1 -1
  232. package/dist/languages/index.d.ts +27 -0
  233. package/dist/languages/index.d.ts.map +1 -1
  234. package/dist/languages/index.js +35 -0
  235. package/dist/languages/index.js.map +1 -1
  236. package/dist/languages/java.d.ts.map +1 -1
  237. package/dist/languages/java.js +5 -0
  238. package/dist/languages/java.js.map +1 -1
  239. package/dist/languages/kotlin.d.ts.map +1 -1
  240. package/dist/languages/kotlin.js +5 -0
  241. package/dist/languages/kotlin.js.map +1 -1
  242. package/dist/languages/python.d.ts.map +1 -1
  243. package/dist/languages/python.js +5 -0
  244. package/dist/languages/python.js.map +1 -1
  245. package/dist/languages/ruby.d.ts.map +1 -1
  246. package/dist/languages/ruby.js +5 -0
  247. package/dist/languages/ruby.js.map +1 -1
  248. package/dist/languages/rust.d.ts.map +1 -1
  249. package/dist/languages/rust.js +5 -0
  250. package/dist/languages/rust.js.map +1 -1
  251. package/dist/languages/types.d.ts +79 -0
  252. package/dist/languages/types.d.ts.map +1 -1
  253. package/dist/languages/typescript.d.ts.map +1 -1
  254. package/dist/languages/typescript.js +6 -1
  255. package/dist/languages/typescript.js.map +1 -1
  256. package/package.json +2 -1
  257. package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
  258. package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
  259. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  260. package/templates/AGENTS.md.template +8 -1
  261. package/dist/baseline/producers/licenses.d.ts +0 -23
  262. package/dist/baseline/producers/licenses.d.ts.map +0 -1
  263. package/dist/baseline/producers/licenses.js +0 -46
  264. package/dist/baseline/producers/licenses.js.map +0 -1
package/README.md CHANGED
@@ -1,12 +1,14 @@
1
1
  # dxkit
2
2
 
3
- **AI-native developer experience toolkit for any codebase.**
3
+ **AI writes the code. dxkit helps ship it clean.**
4
4
 
5
- Make your existing codebase safe for Claude Code, Codex, and other AI
6
- coding agents. Equip the agent with repo-native context. Guard every
7
- commit and PR with deterministic checks. **One command scaffolds the
8
- agent DX; one baseline turns on the guardrails.** Works across major
9
- language stacks, greenfield or brownfield.
5
+ _Deterministic guardrails for any codebase. Brownfield-friendly by default._
6
+
7
+ dxkit scores your codebase deterministically, baselines today's findings, and gates every push against net-new regressions. It ships conversational skills that walk agents (and humans) through fixes. Existing tech debt stays grandfathered. Nothing runs on an LLM. Everything runs locally.
8
+
9
+ <p align="center">
10
+ <img src=".github/assets/guardrail-demo.gif" width="760" alt="A git push blocked by the dxkit pre-push guardrail: 2 net-new regressions block the push while 644 pre-existing findings stay grandfathered." />
11
+ </p>
10
12
 
11
13
  ```bash
12
14
  npm init @vyuhlabs/dxkit
@@ -18,98 +20,73 @@ npm init @vyuhlabs/dxkit
18
20
  </a>
19
21
  <img alt="license" src="https://img.shields.io/github/license/vyuh-labs/dxkit">
20
22
  <img alt="deterministic" src="https://img.shields.io/badge/scoring-deterministic-blue">
21
- <img alt="local-first" src="https://img.shields.io/badge/local-first-green">
22
23
  <img alt="brownfield" src="https://img.shields.io/badge/brownfield-baseline%20guardrails-orange">
23
- <img alt="agentic" src="https://img.shields.io/badge/agentic-ready-purple">
24
+ <img alt="local-first" src="https://img.shields.io/badge/local-first-green">
24
25
  </p>
25
26
 
26
27
  ---
27
28
 
28
29
  ## The problem
29
30
 
30
- AI coding agents are powerful, but shipping their work safely is hard:
31
+ Codebases drift downward in slow ways that tests do not catch.
32
+
33
+ A typical Friday. Your team ships a fix. CI passes. Review approves. Two weeks later, an auditor finds a new hardcoded secret in the diff, three new untested branches, and a previously-clean file that grew to 800 lines with three TODOs sprinkled in. None of it failed a test, because no test covered those things.
34
+
35
+ Now multiply this by every AI agent your team uses. Agents write more code than humans can review. Some of it is fine. Some of it is slop that looks fine but quietly degrades the codebase.
36
+
37
+ The conventional fix is "block any new finding via static analysis." That fails on real codebases for a predictable reason:
31
38
 
32
- - The agent's environment isn't reproducible different machine,
33
- different result.
34
- - The agent has no project-specific context — your conventions are
35
- tribal knowledge it can't access.
36
- - Strict gates assume a clean codebase. Real codebases have years of
37
- debt, and absolute gates either get disabled or block every PR.
38
- - Most "AI code review" tools rely on another LLM to grade the work —
39
- non-deterministic, gameable, and a black box.
40
- - Bad agent changes silently land because the only enforcement is
41
- human attention.
39
+ - Block every finding, and your 5-year-old repo lights up with hundreds of pre-existing issues. The team disables the gate within a week.
40
+ - Block no findings, and the gate is theater. Nothing changes.
42
41
 
43
- dxkit closes that loop end-to-end, deterministically, with no LLM in
44
- the grading path.
42
+ You need an objective gate that only fires on what is actually new. That is the gap dxkit fills.
45
43
 
46
44
  ---
47
45
 
48
- ## What `npm init @vyuhlabs/dxkit` creates
46
+ ## How dxkit solves it
49
47
 
50
- ```bash
51
- npm init @vyuhlabs/dxkit
52
- ```
48
+ Three ideas working together.
53
49
 
54
- This collapses install + scaffold into a single command: it installs
55
- `@vyuhlabs/dxkit` as a devDep and runs `vyuh-dxkit init --full --yes`.
56
- The full install lands a coordinated set of pieces:
50
+ ### 1. Capture today's state as a baseline
57
51
 
58
- ```text
59
- .devcontainer/ Reproducible environment — per-stack pinned
60
- toolchains (only the languages your project
61
- uses), dxkit's scanner toolchain auto-installed,
62
- install scripts for AI agent CLIs (auth stays
63
- user-owned).
64
- .githooks/ pre-push guardrail hook (pre-commit opt-in via
65
- --with-precommit-hook). Postinstall auto-
66
- activates `core.hooksPath` so teammates who
67
- clone + `npm install` get hooks wired too.
68
- .github/workflows/ PR-gate workflow + post-merge baseline-refresh
69
- workflow (refresh runs only after the PR-gate
70
- passes — see "Safety + trust" below).
71
- AGENTS.md Open-standard project context file read by
72
- Claude Code, Codex, Cursor, Aider, and any
73
- AGENTS.md-compliant agent.
74
- CLAUDE.md Claude Code shim that points at AGENTS.md.
75
- .claude/skills/ Nine dxkit-* skills covering the full lifecycle:
76
- learn / init / config / hooks / reports /
77
- action / fix / update / onboard. Claude Code
78
- auto-discovers via skill frontmatter.
79
- .dxkit/ reports, baselines, and (optional) policy.
80
- .vyuh-dxkit.json install manifest.
81
- ```
52
+ Before dxkit blocks anything, it snapshots every existing finding in your repo and fingerprints them. The fingerprints survive renames, line shifts from formatter runs, and small unrelated edits. Cross-tool overlaps (gitleaks and semgrep flagging the same line) collapse to one finding.
82
53
 
83
- After install:
54
+ From this moment forward, the gate only fires on net-new regressions. Your existing debt is grandfathered. The team fixes old issues at their own pace. The gate stays useful because it stays reasonable.
84
55
 
85
- ```bash
86
- vyuh-dxkit baseline create # capture today's state
87
- git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
88
- git commit -m "chore: enable dxkit guardrails"
89
- ```
56
+ Three modes for the baseline file:
90
57
 
91
- From this point:
58
+ - `committed-full`: rich entries committed to git. Default for private repos.
59
+ - `committed-sanitized`: stripped to fingerprint plus kind. For compliance-conscious teams.
60
+ - `ref-based`: no committed file at all. Prior side recomputed from a git ref via `git worktree add`. Default for public repos. Zero disclosure surface.
92
61
 
93
- - Every push runs the full guardrail check (pre-commit hook is
94
- opt-in via `--with-precommit-hook` — slow on large repos until
95
- scoped incremental scanning lands).
96
- - Every PR is gated by GitHub Actions, which posts a markdown summary
97
- as a comment.
98
- - After the PR-gate workflow passes and the PR merges, the baseline
99
- is refreshed so the next PR is gated against the up-to-date state.
62
+ ### 2. Score the codebase deterministically
100
63
 
101
- Bypass + disable mechanisms:
64
+ dxkit produces a 0 to 100 score across six dimensions: Security, Code Quality, Tests, Documentation, Maintainability, Developer Experience.
102
65
 
103
- ```bash
104
- DXKIT_SKIP_HOOKS=1 git push ... # one-off bypass
105
- git push --no-verify ... # standard git bypass
106
- git config --unset core.hooksPath # disable all dxkit hooks (per-clone)
107
- rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
66
+ The score has four properties:
67
+
68
+ | Property | What it means |
69
+ | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
70
+ | **Deterministic** | Same code yields the same score every time. No LLM in the grading path. Reproducible across machines, runs, and CI. Auditable. |
71
+ | **Comparable** | Two codebases of similar quality produce similar scores. Surface tricks do not move the needle. Adding empty comments does not improve Documentation if the code is not actually documented. |
72
+ | **Severity-weighted** | A critical security finding moves the score far more than a TODO comment. Penalties are anchored to real-world impact via CVSS for security and ratio thresholds for tests, coverage, file size, and other dimensions. |
73
+ | **Actionable** | Every deduction names the file, the line, and the recommended fix. Output is structured JSON. Agents and humans read the same thing. The "what to do next" lives in the score itself. |
74
+
75
+ ### 3. Fix findings at reduced token cost
76
+
77
+ Detection is only half the job. dxkit builds a deterministic code graph of the repo (its symbols, call edges, and clustered modules), so fixing is cheap too. A coding agent works from that structure ("what calls this? what breaks if I change it?") instead of re-reading whole files, and every finding in a detailed report already carries its blast radius: the files that depend on it. The `dxkit-action` skill runs the fix, re-scores, and confirms the gate clears. Same result, far fewer tokens.
78
+
79
+ ### What you get from the combination
80
+
81
+ A score on its own is a number. A baseline on its own grandfathers the past. Together they produce an objective stop signal you can trust.
82
+
83
+ ```text
84
+ Today: 16/100 E 644 findings, all baselined
85
+ Next PR: 16/100 E 644 persisted, 0 new. Gate passes.
86
+ Bad PR: 14/100 E 644 persisted, 2 new high-severity. Gate blocks.
108
87
  ```
109
88
 
110
- > **Additive by default.** Existing hooks, devcontainer, or workflows
111
- > are never destroyed. dxkit detects them and writes sidecar `.dxkit`
112
- > files with merge instructions. `--force` overrides if you want.
89
+ The score does not lie. The baseline keeps it useful on real codebases. The combination works the same for humans, AI agents, and CI runners. That is the part that scales. And once the gate fires, the code graph makes acting on it cheap: agents fix from the structure rather than reading file after file.
113
90
 
114
91
  ---
115
92
 
@@ -117,377 +94,251 @@ rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
117
94
 
118
95
  ```text
119
96
  $ npm init @vyuhlabs/dxkit
120
- ✓ Created: 11 files (AGENTS.md, CLAUDE.md, .claude/skills/dxkit-*, ...)
97
+ ✓ Created: 14 files
121
98
  ✓ Git hooks: installed 1 file(s)
99
+ .githooks/pre-push
122
100
  ✓ Devcontainer: installed 3 file(s)
123
101
  ✓ CI guardrails workflow: installed 1 file(s)
124
- ✓ CI baseline-refresh workflow: installed 1 file(s)
102
+ .github/workflows/dxkit-guardrails.yml
103
+ ✓ Done! Claude Code now has full project context.
104
+ → Next: run `vyuh-dxkit baseline create` to capture today's state.
125
105
 
126
- $ vyuh-dxkit baseline create
127
- Wrote .dxkit/baselines/main.json 89 findings (32s)
106
+ $ npx vyuh-dxkit baseline create
107
+ Baseline mode=committed-full (auto: visibility not detectable via gh; defaulting to private posture)
108
+ ✓ Wrote .dxkit/baselines/main.json — 644 findings, salt: deterministic (208.9s)
109
+
110
+ $ npx vyuh-dxkit guardrail check
111
+ ## Guardrail: PASSED
112
+ No changes from baseline (644 pairs checked).
128
113
  ```
129
114
 
130
- Your AI agent has access to dxkit's reports and the nine lifecycle
131
- skills that init scaffolded. A typical request to the agent:
115
+ Later, an innocent-looking PR slips in a regression. The pre-push hook fires:
132
116
 
133
117
  ```text
134
- Read the latest dxkit health report. Pick one safe quality
135
- improvement. Apply the change. Then run `vyuh-dxkit guardrail check`
136
- to confirm nothing regressed. Show me what you did.
118
+ $ git push
119
+ [hook] vyuh-dxkit guardrail check
120
+ ## Guardrail: BLOCKED
121
+ 2 new regressions found.
122
+
123
+ | Status | Kind | Severity | Location | Reason |
124
+ |---|---|---|---|---|
125
+ | added | secret | high | src/config/secrets.ts:42 | gitleaks/aws-access-key |
126
+ | added | code | medium | src/handlers/exec.ts:17 | semgrep/eval-use |
127
+
128
+ 644 pre-existing findings persisted. Only the new changes blocked you.
129
+ Fix or allowlist with `npx vyuh-dxkit allowlist add ...`
137
130
  ```
138
131
 
139
- The agent introduces a change that breaks the guardrail:
132
+ The 644 pre-existing findings sit quietly. The 2 net-new ones stop the push.
140
133
 
141
- ```text
142
- $ vyuh-dxkit guardrail check
143
- Guardrail BLOCKED — 2 new regressions
144
-
145
- Baseline: .dxkit/baselines/main.json (89 findings)
146
- Current: 91 findings · matcher: git-aware
147
-
148
- Blocking (2)
149
- ADDED [medium] large-file src/regression.ts
150
- no-prior-match: identity fingerprint not present in the baseline
151
- ADDED [medium] test-gap src/regression.ts
152
- no-prior-match: identity fingerprint not present in the baseline
153
-
154
- Summary
155
- Pairs: 91 (blocking: 2, warning: 0, persisted: 89, resolved: 0)
156
- Verdict: BLOCKED
157
- Exit: 1
158
- ```
134
+ ---
159
135
 
160
- The agent reads the failure, fixes it, and re-runs:
136
+ ## Features
161
137
 
162
- ```text
163
- $ vyuh-dxkit guardrail check
164
- Guardrail PASSED — 0 new regressions
138
+ ### Eight first-class language packs
165
139
 
166
- Summary
167
- Pairs: 89 (blocking: 0, warning: 0, persisted: 89, resolved: 0)
168
- Verdict: PASSED
169
- Exit: 0
170
- ```
140
+ TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby. Each pack ships per-ecosystem analyzers: semgrep rulesets, dep-vuln scanners, license tools, lint adapters. Polyglot repos get unified reports without configuration.
171
141
 
172
- ---
142
+ <details>
143
+ <summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
173
144
 
174
- ## Quickstart
145
+ | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
146
+ | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
147
+ | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
148
+ | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
149
+ | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
150
+ | Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
151
+ | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
152
+ | Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
153
+ | Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
154
+ | Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
175
155
 
176
- ```bash
177
- # Canonical first install collapses install + scaffold into one step
178
- npm init @vyuhlabs/dxkit
156
+ ¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
157
+ file-level resolver is a no-op. Downstream analyses that need an edge graph
158
+ (reachability, import-graph test-gap credit) degrade to conservative
159
+ defaults for those packs. Resolvers are tracked on the [roadmap](docs/roadmap.md).
179
160
 
180
- # Or install dxkit globally + scaffold manually
181
- npm install -g @vyuhlabs/dxkit
182
- vyuh-dxkit init --full
183
- vyuh-dxkit baseline create
184
- vyuh-dxkit guardrail check --changed-only
161
+ ² C# uses `dotnet-format` for formatting violations only. A real
162
+ severity-tiered C# linter (Roslyn analyzers or StyleCop) is on the
163
+ roadmap. Today every C# formatting violation is counted at `low` tier
164
+ so it does not inflate the Code Quality score.
185
165
 
186
- # Upgrade an existing install later
187
- vyuh-dxkit upgrade # plan + execute combined
188
- ```
166
+ </details>
189
167
 
190
- À la carte if you only want specific pieces:
168
+ ### The matcher
191
169
 
192
- ```bash
193
- vyuh-dxkit init --with-dxkit-agents # just the nine dxkit-* skills + AGENTS.md
194
- vyuh-dxkit init --with-hooks # just the pre-push hook
195
- vyuh-dxkit init --with-precommit-hook # add the pre-commit hook (opt-in; slow on large repos)
196
- vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
197
- vyuh-dxkit init --with-ci # just the PR-gate workflow
198
- vyuh-dxkit init --with-baseline-refresh # just the auto-refresh
199
- vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)
200
- ```
170
+ Multi-axis fingerprints (location, domain, content, semantic) pair findings across runs even when files were renamed, lines shifted, tools changed versions, or the branch was force-pushed. When location fails, the matcher falls back to git-aware diff lookup, then content hash, then identity-only multiset match. Every pair carries a confidence score and a reason chain.
201
171
 
202
- Post-install, two more CLIs polish the safety surface:
172
+ ### Per-finding suppression
203
173
 
204
- ```bash
205
- vyuh-dxkit setup-branch-protection # mark dxkit-guardrails as required check on default branch
206
- vyuh-dxkit setup-prebuild # configure Codespaces prebuild (cold-start ~7 min → ~30s)
207
- ```
174
+ Five typed categories: `false-positive`, `test-fixture`, `mitigated-externally`, `accepted-risk`, `deferred`. Each entry requires a reason. Categories that fade over time require an expiry.
208
175
 
209
- ---
176
+ Two surfaces:
210
177
 
211
- ## Baseline mode: greenfield to 10-year-old codebases
178
+ - Inline annotations: `// dxkit-allow:test-fixture reason="example placeholder"`
179
+ - File-level: `.dxkit/allowlist.json`, audited via `vyuh-dxkit allowlist audit`
212
180
 
213
- Real codebases are messy. dxkit doesn't ask whether your repo is
214
- perfect — it asks whether each change made it worse.
181
+ Orphaned annotations become their own findings. The TypeScript `@ts-expect-error` model applied to suppressions. Prevents the graveyard of stale allowlist entries.
215
182
 
216
- | | **Greenfield day 1** | **Brownfield (years of debt)** |
217
- | ---------------- | -------------------------------------- | --------------------------------------------------------- |
218
- | Baseline | Captured near zero | Captures today's debt as the floor |
219
- | Behavior | Every regression matters from commit 1 | Existing debt is grandfathered; net-new regressions block |
220
- | Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
183
+ ### AI-agent integration
221
184
 
222
- The classifier distinguishes:
185
+ dxkit ships nine Claude Code skills under `.claude/skills/dxkit-*`. They wrap the CLI in conversational flows:
223
186
 
224
- | Status | Meaning | Default |
225
- | ------------------- | ----------------------------------------- | ---------- |
226
- | `added` | Net-new finding introduced by this change | **blocks** |
227
- | `relocated` | Same finding, moved (line drift, rename) | passes |
228
- | `persisted` | Same finding, same place pre-existing | passes |
229
- | `removed` / `fixed` | Was there, now gone | passes |
230
- | `tooling_drift` | New only because scanner version changed | warns |
231
- | `config_drift` | New only because dxkit config changed | warns |
232
- | `uncertain` | Below confidence threshold | warns |
187
+ | Skill | What it does |
188
+ | -------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
189
+ | `dxkit-onboard` | Walks a customer through the full first-install journey |
190
+ | `dxkit-reports` | Runs analyzers and explains the output |
191
+ | `dxkit-action` | Reads a report, prioritizes findings, plans and runs fixes, re-verifies |
192
+ | `dxkit-fix` | Repairs a broken install from doctor output |
193
+ | `dxkit-hooks`, `dxkit-config`, `dxkit-learn`, `dxkit-update`, `dxkit-init` | Focused flows |
233
194
 
234
- Customize via [`.dxkit/policy.json`](docs/configuration/policy.md)
235
- auto-discovered when present, compiled-in defaults otherwise.
195
+ `AGENTS.md` (the open standard read by Codex, Cursor, Aider, and others) also ships in every install. The skill flows are Claude Code-specific today; the AGENTS.md context is portable.
236
196
 
237
- ---
197
+ Why this matters for AI workflows: when an agent fixes a bug, you need an objective signal that says "yes, fixed cleanly" or "fix introduced four new regressions." dxkit's deterministic score plus baseline guardrail produces that signal. The agent reads the same JSON envelope a human reads, runs the verify step itself, and stops when clean.
238
198
 
239
- ## Git-aware identity matching
240
-
241
- A regression check is only useful if the matcher can tell _old issue
242
- that moved_ from _new issue that appeared_. Line numbers alone aren't
243
- stable — add a 20-line comment block at the top of a file and every
244
- issue below it "moves."
245
-
246
- dxkit uses layered identity, in priority order:
247
-
248
- 1. **Domain fingerprints** for entities whose identity is intrinsic:
249
- - dependency vulnerabilities → `(package, version, advisory-id)`
250
- - secrets → `(scanner-rule, fingerprint(value))` so a leaked
251
- token recognises itself when moved
252
- - licenses → `(package, version, license-type)`
253
- - duplicate blocks → normalized content hash
254
- 2. **Location fingerprints** with a 3-line bucket for code findings.
255
- 3. **Git-aware line mapping** across commits, including `-M` file
256
- renames and ±2 line fuzz windows.
257
- 4. **Content-hash fallback** when git history isn't reachable
258
- (shallow clones, archived snapshots).
259
-
260
- Every match pair carries a **confidence in [0, 1]** and structured
261
- **reasons** (`exact-id`, `git-line-exact`, `git-line-fuzz`,
262
- `git-rename`, `content-hash`, ...). No LLM in the grading path —
263
- the matcher and classifier are deterministic over normalized
264
- analyzer input; the same inputs produce the same classifications.
199
+ ### Code-graph context: fix at reduced token cost
265
200
 
266
- ---
201
+ dxkit builds a deterministic code graph of your repo (its symbols, call edges, and clustered modules) using graphify (the `graphifyy` Python package). What matters is what an agent does with it. Instead of discovering structure by grepping around and reading whole files, the agent gets just the relevant slice:
267
202
 
268
- ## Reproducible environment
203
+ - **`vyuh-dxkit context <query>`** (and an opt-in PreToolUse hook) hand an agent a slim structural map: the relevant symbols, where they live, and what calls them. It navigates by the graph instead of re-reading files, which is the same work at a fraction of the tokens.
204
+ - **`--graph-context`** writes each finding's module and blast radius (which files call into it) straight into the detailed report, so the `dxkit-action` fix skill can plan the change, and know which callers to re-test, without rediscovering structure first.
205
+ - **`vyuh-dxkit explore`** and a dashboard graph tab let humans ask the same graph what the repo does, where a feature lives, and which files are load-bearing.
269
206
 
270
- Agents need a stable environment to be reliable. `init --with-devcontainer`
271
- generates a Codespaces-ready setup:
207
+ This is an additive, fail-open layer. When the graph is missing, or a language's call edges can't be resolved, every command behaves exactly as it did before. It's reliable on TypeScript, Python, and Go. Where the call graph can't be resolved (C#), blast radius is suppressed rather than faked, so a "no callers" reading is never mistaken for "safe to change."
272
208
 
273
- - Pinned language toolchains (Node 22, Python 3.12, Go 1.21, .NET 8,
274
- Ruby 3.3, Java 17, Rust stable) layered via standard devcontainer
275
- features — small image footprint, fast Codespaces prebuild.
276
- - `post-create.sh` runs `vyuh-dxkit tools install --yes` to provision
277
- the scanner toolchain pinned in dxkit's registry (gitleaks, semgrep,
278
- cloc, jscpd, ruff, osv-scanner, and more — language-aware, only the
279
- ones your stack needs).
280
- - Install scripts for the AI coding-agent CLIs you want available
281
- inside the container. The scripts only install the binaries — auth
282
- remains user-owned and is never baked into the image.
283
- - Every piece is a regular script you can edit after install.
209
+ ### Reproducible environments
284
210
 
285
- ---
211
+ Per-stack devcontainer with only the languages your project uses. Scanner toolchain auto-installed. Install scripts for AI agent CLIs (auth stays user-owned). Codespaces prebuilds wire via `vyuh-dxkit setup-prebuild` so cold-start drops from ~7 minutes to ~30 seconds.
286
212
 
287
- ## What dxkit analyzes
213
+ ### Public-repo safe baselines
288
214
 
289
- Beyond the baseline + guardrail surface, dxkit ships deterministic
290
- analyzers across eight language packs (Python, TypeScript, Go, Rust,
291
- C#, Kotlin, Java, Ruby), with graceful degradation when a tool isn't
292
- available for your stack:
293
-
294
- | Command | Question it answers |
295
- | ----------------- | ------------------------------------------------------------------------------------- |
296
- | `health` | "What's the overall shape of this codebase?" — 6-dimension score |
297
- | `vulnerabilities` | "What security issues are there?" — secrets, SAST, dependency audit, EPSS/KEV context |
298
- | `test-gaps` | "Which untested files are riskiest?" |
299
- | `quality` | "Where's the technical debt + duplication?" |
300
- | `bom` | "Full dependency × license × CVE × upgrade view" (license columns: 5 packs today) |
301
- | `licenses` | "What licenses are in my dependency tree?" (TS, Python, Go, Rust, C# today) |
302
- | `dev-report` | "Who's working on what, where are the hot files?" |
303
- | `dashboard` | "Single HTML view of everything I've run" |
304
- | `report` | Run every analyzer + dashboard in one shot |
305
-
306
- Composable aggregate gates apply to every analyzer:
215
+ The `ref-based` mode commits no baseline file. The guardrail check recomputes the prior side at check time from a git ref via `git worktree add`. Zero disclosure surface. File paths, package names, and advisory IDs all stay out of git. Auto-picked for public repos via `gh repo view --json visibility`.
216
+
217
+ ---
218
+
219
+ ## Quickstart
307
220
 
308
221
  ```bash
309
- vyuh-dxkit health --fail-on-score 60
310
- vyuh-dxkit vulnerabilities --fail-on-severity high
311
- vyuh-dxkit bom --fail-on-severity critical
312
- ```
222
+ # Canonical first install
223
+ npm init @vyuhlabs/dxkit
313
224
 
314
- Every `--json` output carries a `schema: 'dxkit.<kind>-report.v1'`
315
- banner so consumers can version-gate.
225
+ # Capture today's state
226
+ npx vyuh-dxkit baseline create
316
227
 
317
- <details>
318
- <summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
228
+ # Verify the install
229
+ npx vyuh-dxkit doctor
319
230
 
320
- | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
321
- | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
322
- | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
323
- | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
324
- | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
325
- | Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
326
- | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
327
- | Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
328
- | Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
329
- | Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
231
+ # Commit and ship
232
+ git add . && git commit -m "chore: enable dxkit" && git push
330
233
 
331
- ¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
332
- file-level resolver is a no-op. Downstream analyses that need an edge graph
333
- (reachability, import-graph test-gap credit) degrade to conservative
334
- defaults for those packs; resolvers are tracked on the roadmap.
234
+ # Optional but recommended
235
+ npx vyuh-dxkit setup-branch-protection # mark guardrail as required CI check
236
+ npx vyuh-dxkit setup-prebuild # Codespaces prebuild
237
+ ```
335
238
 
336
- ² C# uses `dotnet-format` for formatting violations only. A real severity-
337
- tiered C# linter (Roslyn analyzers / StyleCop) is roadmap; today every
338
- C# formatting violation is counted at `low` tier so it doesn't inflate
339
- the Quality/Slop score.
239
+ À la carte if you only want specific pieces:
340
240
 
341
- </details>
241
+ ```bash
242
+ npx vyuh-dxkit init --with-dxkit-agents # just the nine Claude skills + AGENTS.md
243
+ npx vyuh-dxkit init --with-hooks # just the pre-push hook
244
+ npx vyuh-dxkit init --with-precommit-hook # add pre-commit (slow on large repos)
245
+ npx vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
246
+ npx vyuh-dxkit init --with-ci # just the PR-gate workflow
247
+ ```
342
248
 
343
249
  ---
344
250
 
345
- ## Why dxkit
346
-
347
- dxkit doesn't try to replace SonarQube, Snyk, Semgrep, GitHub
348
- Advanced Security, Trivy, Gitleaks, or OSV-Scanner. It does three
349
- things they don't:
350
-
351
- 1. **It scaffolds your AI agent.** Most tools find issues; dxkit
352
- _also_ writes the project-context layer (entry-point doc, project
353
- skills, commands, language-specific rules, specialized subagents)
354
- that lets your agent operate on the codebase intelligently.
355
- 2. **It gates at commit time, deterministically.** No LLM in the
356
- grading path. The matcher and classifier are deterministic over
357
- normalized analyzer input.
358
- 3. **It assumes your repo is messy.** Other tools want clean
359
- codebases and block every PR until you fix everything. dxkit
360
- captures the floor, grandfathers existing debt, and only blocks
361
- regressions introduced from here forward — usable on day-one
362
- greenfield and 10-year-old brownfield codebases alike.
363
-
364
- Built on **open methodology**: ISO/IEC 25010, ISO/IEC 5055, SQALE,
365
- CVSS v4 (FIRST reference port), CWE taxonomy, OpenSSF Scorecard.
366
- Scores are evidence-backed and traceable to the findings that
367
- produced them.
251
+ ## What dxkit analyzes
368
252
 
369
- ---
253
+ | Dimension | Tools | What it catches |
254
+ | -------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
255
+ | Security | gitleaks, semgrep, osv-scanner, npm-audit, pip-audit, govulncheck, cargo-audit, dotnet vulnerable, bundle-audit | Secrets, dep vulnerabilities, insecure patterns, TLS bypass |
256
+ | Code Quality | cloc, jscpd, graphify, lint adapters | File size, duplication, complexity, hygiene markers |
257
+ | Tests | coverage adapters per pack, test-file detector | Missing tests, degraded tests, coverage gaps |
258
+ | Documentation | doc-comment ratio, README presence | Inline doc coverage, project-level docs |
259
+ | Maintainability | graphify call-graph metrics | God files, dead imports, cohesion, communities |
260
+ | Developer Experience | git hook detection, CI workflow detection, manifest presence | Pre-push hooks, CI quality gates, environment reproducibility |
370
261
 
371
- ## Real-world validation
262
+ Each analyzer reports raw findings. dxkit aggregates, deduplicates across tools, and scores deterministically.
372
263
 
373
- The 2.5.0 release was pre-ship audited on three production codebases:
264
+ ---
374
265
 
375
- - TypeScript backend
376
- - TypeScript frontend
377
- - Large .NET WinForms project
266
+ ## Brownfield vs greenfield
378
267
 
379
- Across **6,919 baseline findings**, the audit:
268
+ | | Greenfield (day 1) | Brownfield (years of debt) |
269
+ | ---------------- | -------------------------------------- | ------------------------------------------------- |
270
+ | Baseline | Near-zero on capture | Captures today's debt as floor |
271
+ | Behavior | Every regression matters from commit 1 | Existing debt grandfathered; net-new blocks |
272
+ | Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
380
273
 
381
- - identified four drift classes between aggregate reports and
382
- per-finding identity sets
383
- - brought roughly **3,000 previously untracked findings into
384
- guardrail coverage**
385
- - matched identity-set counts exactly to report aggregates for
386
- every finding kind
274
+ The status taxonomy that drives gate decisions:
387
275
 
388
- Details in [`CHANGELOG.md`](CHANGELOG.md#250---2026-05-18).
276
+ | Status | Meaning | Default |
277
+ | ------------------- | ----------------------------------------- | ---------- |
278
+ | `added` | Net-new finding introduced by this change | **blocks** |
279
+ | `relocated` | Same finding, moved (line drift, rename) | passes |
280
+ | `persisted` | Same finding, same place. Pre-existing. | passes |
281
+ | `removed` / `fixed` | Was there, now gone | passes |
282
+ | `tooling_drift` | New because scanner version changed | warns |
283
+ | `config_drift` | New because dxkit config changed | warns |
284
+ | `uncertain` | Below confidence threshold | warns |
285
+
286
+ Customize via [`.dxkit/policy.json`](docs/configuration/policy.md).
389
287
 
390
288
  ---
391
289
 
392
- ## Safety + trust
393
-
394
- dxkit is local-first.
395
-
396
- - **No SaaS required.** Your code never leaves the machine.
397
- - **No repo upload.** Analyzers run in-process or shell out to
398
- locally-installed scanners; results stay on disk.
399
- - **Secret values are never written to disk.** dxkit stores a
400
- non-reversible fingerprint for matching only — the scanner sees
401
- the value once and discards it after hashing.
402
- - **Agent auth stays user-owned.** Install scripts ship the CLIs;
403
- authentication happens in your session and is never baked into
404
- the image or stored by dxkit.
405
- - **CI guardrails are the enforcement layer.** Local hooks provide
406
- fast feedback but are bypassable (`git commit --no-verify`); the
407
- GitHub Actions PR-gate runs server-side and can be made a required
408
- check via branch protection.
409
- - **Post-merge baseline refresh is gated.** The refresh workflow
410
- runs only after the PR-gate workflow succeeds on the merging
411
- commit. **Use branch protection to make the PR-gate a required
412
- check** so a bypassed merge can't codify a regression into the
413
- baseline.
290
+ ## Safety and trust
291
+
292
+ - **Local-first.** Every scan runs on the developer's machine. Nothing leaves the repo. No telemetry. No phone-home.
293
+ - **No LLM in the grading path.** Scores come from deterministic analyzers and arithmetic. Reproducible. Auditable. The only way to improve a score is to write better code.
294
+ - **Sigstore provenance.** Every npm release is signed via OIDC from GitHub Actions. Verify with `npm audit signatures`.
295
+ - **Open source.** MIT licensed. Inspect every score derivation.
414
296
 
415
297
  ---
416
298
 
417
- ## Docs
299
+ ## Real-world validation
418
300
 
419
- - [Getting started](docs/getting-started.md)
420
- - [`baseline` command](docs/commands/baseline.md)
421
- - [`guardrail` command](docs/commands/guardrail.md)
422
- - [`.dxkit/policy.json` configuration](docs/configuration/policy.md)
423
- - [Scoring methodology](docs/SCORING.md)
424
- - [Architecture](docs/ARCHITECTURE.md)
425
- - [All commands](docs/README.md)
301
+ dxkit ships against pinned production codebases across all eight language packs. Every release runs a cross-stack walkthrough on a polyglot reference repo (TypeScript + Python) and a .NET reference repo before tagging. The cross-stack regression suite is part of CI.
426
302
 
427
- ---
303
+ Recent ship validation (`@vyuhlabs/dxkit@2.6.0`, 2026-05-23):
428
304
 
429
- ## Roadmap
430
-
431
- - [x] Local repo analysis (8 language packs)
432
- - [x] Agent project scaffolding (entry-point doc, skills, commands,
433
- conventions, specialized subagents — single-agent today)
434
- - [x] Optional install scripts for AI coding-agent CLIs in the
435
- devcontainer
436
- - [x] Per-finding fingerprinting + git-aware matching
437
- - [x] Baseline + guardrail commands
438
- - [x] Brownfield policy classifier
439
- - [x] Git hooks (pre-push default; pre-commit opt-in)
440
- - [x] GitHub Actions PR-gate + gated baseline-refresh workflows
441
- - [x] Devcontainer with pinned toolchains
442
- - [x] Nine dxkit-\* skills + AGENTS.md (open-standard, read by every
443
- AGENTS.md-compliant agent — Claude Code, Codex, Cursor, Aider)
444
- - [ ] First-class plugin packaging for the Claude Code marketplace + MCP server for cross-agent reach (2.6, decision-pending)
445
- - [ ] Scoped + incremental scanning — fast pre-commit on monorepos
446
- (2.6)
447
- - [ ] Symbol-level coverage gaps across all 8 packs (2.6)
448
- - [ ] SARIF export for GitHub code scanning interop (2.6)
449
- - [ ] Reachability-aware dep-vuln triage
450
- - [ ] **Per-pack capability parity** — bring every cell in the
451
- capability table to a green tick (2.7 / 3.0):
452
- - Import-graph resolvers for Rust, C#, Kotlin, Java, Ruby
453
- (so reachability + import-graph test-gap credit work for
454
- every pack, not just TS/Python/Go)
455
- - Severity-tiered C# linter (Roslyn analyzers or StyleCop)
456
- - License providers for Kotlin, Java, Ruby
457
- - [ ] AI Readiness banner — semantic anchors, function-body hashes,
458
- cross-file refactor detection (3.0)
305
+ - 1904 tests across 110 files
306
+ - License findings dropped 73% on a 600-source-file polyglot codebase after the 2.6 baseline polish
307
+ - New `ref-based` mode verified end-to-end on both reference stacks
459
308
 
460
309
  ---
461
310
 
462
- ## Contributing
311
+ ## Documentation
463
312
 
464
- dxkit aims to be the standard agentic-development layer for any
465
- codebase. We'd love help with:
313
+ **Start here**:
466
314
 
467
- - Additional language pack support
468
- - Agent-CLI integrations (the 2.6 work)
469
- - Monorepo detection
470
- - Devcontainer templates per stack
471
- - Custom guardrail policies
472
- - SARIF output
473
- - More specialized subagents
315
+ - [Getting started](docs/getting-started.md): full walkthrough from install to first guardrail check
316
+ - [CHANGELOG](CHANGELOG.md): release notes. Latest is [2.6.0](https://github.com/vyuh-labs/dxkit/releases/tag/v2.6.0)
474
317
 
475
- Start with the [contributing guide](CONTRIBUTING.md) and
476
- [good first issues](https://github.com/vyuh-labs/dxkit/labels/good%20first%20issue).
318
+ **Depth**:
477
319
 
478
- ---
320
+ - [Why dxkit](docs/why-dxkit.md): rationale, comparison vs SonarQube/Snyk/Semgrep/etc., open methodology
321
+ - [Architecture](docs/ARCHITECTURE.md): data flow, the git-aware matcher, fingerprint axes
322
+ - [Scoring methodology](docs/SCORING.md): how each dimension is computed, citations
323
+ - [Roadmap](docs/roadmap.md): shipped vs planned
479
324
 
480
- ## License
325
+ **Reference**:
481
326
 
482
- MIT. See [LICENSE](LICENSE).
327
+ - [Command reference](docs/README.md): every subcommand at a glance
328
+ - [`baseline`](docs/commands/baseline.md): capture, show, modes
329
+ - [`guardrail`](docs/commands/guardrail.md): check, classify, render
330
+ - [`allowlist`](docs/commands/allowlist.md): per-finding suppression
331
+ - [`.dxkit/policy.json`](docs/configuration/policy.md): tune what blocks vs warns
332
+ - [Reporting issues](docs/commands/issue.md): `vyuh-dxkit issue --type=...`
483
333
 
484
334
  ---
485
335
 
486
- ## Try it
336
+ ## Contributing
487
337
 
488
- ```bash
489
- npm init @vyuhlabs/dxkit
490
- ```
338
+ See [CONTRIBUTING.md](CONTRIBUTING.md). The project follows architectural rules in [CLAUDE.md](CLAUDE.md). Adding a new language pack, a new finding kind, or a new scoring dimension each have one-page recipes.
339
+
340
+ ---
491
341
 
492
- If dxkit helps you ship AI-assisted changes more safely, star the
493
- repo — it helps others find it too.
342
+ ## License
343
+
344
+ MIT. See [LICENSE](LICENSE).