@vyuhlabs/dxkit 2.5.2 → 2.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +218 -13
- package/README.md +220 -369
- package/dist/allowlist/categories.d.ts +120 -0
- package/dist/allowlist/categories.d.ts.map +1 -0
- package/dist/allowlist/categories.js +194 -0
- package/dist/allowlist/categories.js.map +1 -0
- package/dist/allowlist/cli.d.ts +95 -0
- package/dist/allowlist/cli.d.ts.map +1 -0
- package/dist/allowlist/cli.js +454 -0
- package/dist/allowlist/cli.js.map +1 -0
- package/dist/allowlist/diff.d.ts +67 -0
- package/dist/allowlist/diff.d.ts.map +1 -0
- package/dist/allowlist/diff.js +147 -0
- package/dist/allowlist/diff.js.map +1 -0
- package/dist/allowlist/file.d.ts +249 -0
- package/dist/allowlist/file.d.ts.map +1 -0
- package/dist/allowlist/file.js +497 -0
- package/dist/allowlist/file.js.map +1 -0
- package/dist/allowlist/gather.d.ts +61 -0
- package/dist/allowlist/gather.d.ts.map +1 -0
- package/dist/allowlist/gather.js +143 -0
- package/dist/allowlist/gather.js.map +1 -0
- package/dist/allowlist/hint.d.ts +80 -0
- package/dist/allowlist/hint.d.ts.map +1 -0
- package/dist/allowlist/hint.js +271 -0
- package/dist/allowlist/hint.js.map +1 -0
- package/dist/allowlist/inline.d.ts +149 -0
- package/dist/allowlist/inline.d.ts.map +1 -0
- package/dist/allowlist/inline.js +306 -0
- package/dist/allowlist/inline.js.map +1 -0
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +3 -3
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/baseline/baseline-file.d.ts +7 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js +22 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +13 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +67 -1
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -7
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +90 -64
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +35 -7
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +43 -5
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +6 -1
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +20 -2
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +15 -13
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/modes.d.ts +140 -0
- package/dist/baseline/modes.d.ts.map +1 -0
- package/dist/baseline/modes.js +179 -0
- package/dist/baseline/modes.js.map +1 -0
- package/dist/baseline/policy.d.ts +64 -0
- package/dist/baseline/policy.d.ts.map +1 -1
- package/dist/baseline/policy.js +102 -1
- package/dist/baseline/policy.js.map +1 -1
- package/dist/baseline/producers/health.d.ts +2 -2
- package/dist/baseline/producers/health.d.ts.map +1 -1
- package/dist/baseline/producers/health.js.map +1 -1
- package/dist/baseline/producers/index.d.ts +11 -5
- package/dist/baseline/producers/index.d.ts.map +1 -1
- package/dist/baseline/producers/index.js +12 -9
- package/dist/baseline/producers/index.js.map +1 -1
- package/dist/baseline/producers/quality.d.ts +3 -3
- package/dist/baseline/producers/quality.d.ts.map +1 -1
- package/dist/baseline/producers/quality.js.map +1 -1
- package/dist/baseline/producers/secret-hmac.d.ts +2 -2
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -1
- package/dist/baseline/producers/secret-hmac.js.map +1 -1
- package/dist/baseline/producers/security.d.ts +2 -2
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/producers/stale-allow.d.ts +70 -0
- package/dist/baseline/producers/stale-allow.d.ts.map +1 -0
- package/dist/baseline/producers/stale-allow.js +111 -0
- package/dist/baseline/producers/stale-allow.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +2 -2
- package/dist/baseline/producers/tests.d.ts.map +1 -1
- package/dist/baseline/producers/tests.js.map +1 -1
- package/dist/baseline/ref-baseline.d.ts +114 -0
- package/dist/baseline/ref-baseline.d.ts.map +1 -0
- package/dist/baseline/ref-baseline.js +260 -0
- package/dist/baseline/ref-baseline.js.map +1 -0
- package/dist/baseline/sanitize.d.ts +80 -0
- package/dist/baseline/sanitize.d.ts.map +1 -0
- package/dist/baseline/sanitize.js +91 -0
- package/dist/baseline/sanitize.js.map +1 -0
- package/dist/baseline/show.d.ts.map +1 -1
- package/dist/baseline/show.js +9 -3
- package/dist/baseline/show.js.map +1 -1
- package/dist/baseline/types.d.ts +73 -26
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +7 -1
- package/dist/baseline/types.js.map +1 -1
- package/dist/baseline/visibility.d.ts +61 -0
- package/dist/baseline/visibility.d.ts.map +1 -0
- package/dist/baseline/visibility.js +121 -0
- package/dist/baseline/visibility.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +168 -6
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +106 -16
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/issue-cli.d.ts +62 -0
- package/dist/issue-cli.d.ts.map +1 -0
- package/dist/issue-cli.js +252 -0
- package/dist/issue-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +32 -11
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +5 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +5 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +5 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +5 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +5 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +5 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +79 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +6 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +126 -12
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +31 -3
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
- package/dist/baseline/producers/licenses.d.ts +0 -23
- package/dist/baseline/producers/licenses.d.ts.map +0 -1
- package/dist/baseline/producers/licenses.js +0 -46
- package/dist/baseline/producers/licenses.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
1
|
# dxkit
|
|
2
2
|
|
|
3
|
-
**AI
|
|
3
|
+
**AI writes the code. dxkit helps ship it clean.**
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
5
|
+
_Deterministic guardrails for any codebase. Brownfield-friendly by default._
|
|
6
|
+
|
|
7
|
+
dxkit scores your codebase deterministically, baselines today's findings, and gates every push against net-new regressions. It ships conversational skills that walk agents (and humans) through fixes. Existing tech debt stays grandfathered. Nothing runs on an LLM. Everything runs locally.
|
|
8
|
+
|
|
9
|
+
<p align="center">
|
|
10
|
+
<img src=".github/assets/guardrail-demo.gif" width="760" alt="A git push blocked by the dxkit pre-push guardrail: 2 net-new regressions block the push while 644 pre-existing findings stay grandfathered." />
|
|
11
|
+
</p>
|
|
10
12
|
|
|
11
13
|
```bash
|
|
12
14
|
npm init @vyuhlabs/dxkit
|
|
@@ -18,98 +20,73 @@ npm init @vyuhlabs/dxkit
|
|
|
18
20
|
</a>
|
|
19
21
|
<img alt="license" src="https://img.shields.io/github/license/vyuh-labs/dxkit">
|
|
20
22
|
<img alt="deterministic" src="https://img.shields.io/badge/scoring-deterministic-blue">
|
|
21
|
-
<img alt="local-first" src="https://img.shields.io/badge/local-first-green">
|
|
22
23
|
<img alt="brownfield" src="https://img.shields.io/badge/brownfield-baseline%20guardrails-orange">
|
|
23
|
-
<img alt="
|
|
24
|
+
<img alt="local-first" src="https://img.shields.io/badge/local-first-green">
|
|
24
25
|
</p>
|
|
25
26
|
|
|
26
27
|
---
|
|
27
28
|
|
|
28
29
|
## The problem
|
|
29
30
|
|
|
30
|
-
|
|
31
|
+
Codebases drift downward in slow ways that tests do not catch.
|
|
32
|
+
|
|
33
|
+
A typical Friday. Your team ships a fix. CI passes. Review approves. Two weeks later, an auditor finds a new hardcoded secret in the diff, three new untested branches, and a previously-clean file that grew to 800 lines with three TODOs sprinkled in. None of it failed a test, because no test covered those things.
|
|
34
|
+
|
|
35
|
+
Now multiply this by every AI agent your team uses. Agents write more code than humans can review. Some of it is fine. Some of it is slop that looks fine but quietly degrades the codebase.
|
|
36
|
+
|
|
37
|
+
The conventional fix is "block any new finding via static analysis." That fails on real codebases for a predictable reason:
|
|
31
38
|
|
|
32
|
-
- The
|
|
33
|
-
|
|
34
|
-
- The agent has no project-specific context — your conventions are
|
|
35
|
-
tribal knowledge it can't access.
|
|
36
|
-
- Strict gates assume a clean codebase. Real codebases have years of
|
|
37
|
-
debt, and absolute gates either get disabled or block every PR.
|
|
38
|
-
- Most "AI code review" tools rely on another LLM to grade the work —
|
|
39
|
-
non-deterministic, gameable, and a black box.
|
|
40
|
-
- Bad agent changes silently land because the only enforcement is
|
|
41
|
-
human attention.
|
|
39
|
+
- Block every finding, and your 5-year-old repo lights up with hundreds of pre-existing issues. The team disables the gate within a week.
|
|
40
|
+
- Block no findings, and the gate is theater. Nothing changes.
|
|
42
41
|
|
|
43
|
-
|
|
44
|
-
the grading path.
|
|
42
|
+
You need an objective gate that only fires on what is actually new. That is the gap dxkit fills.
|
|
45
43
|
|
|
46
44
|
---
|
|
47
45
|
|
|
48
|
-
##
|
|
46
|
+
## How dxkit solves it
|
|
49
47
|
|
|
50
|
-
|
|
51
|
-
npm init @vyuhlabs/dxkit
|
|
52
|
-
```
|
|
48
|
+
Three ideas working together.
|
|
53
49
|
|
|
54
|
-
|
|
55
|
-
`@vyuhlabs/dxkit` as a devDep and runs `vyuh-dxkit init --full --yes`.
|
|
56
|
-
The full install lands a coordinated set of pieces:
|
|
50
|
+
### 1. Capture today's state as a baseline
|
|
57
51
|
|
|
58
|
-
|
|
59
|
-
.devcontainer/ Reproducible environment — per-stack pinned
|
|
60
|
-
toolchains (only the languages your project
|
|
61
|
-
uses), dxkit's scanner toolchain auto-installed,
|
|
62
|
-
install scripts for AI agent CLIs (auth stays
|
|
63
|
-
user-owned).
|
|
64
|
-
.githooks/ pre-push guardrail hook (pre-commit opt-in via
|
|
65
|
-
--with-precommit-hook). Postinstall auto-
|
|
66
|
-
activates `core.hooksPath` so teammates who
|
|
67
|
-
clone + `npm install` get hooks wired too.
|
|
68
|
-
.github/workflows/ PR-gate workflow + post-merge baseline-refresh
|
|
69
|
-
workflow (refresh runs only after the PR-gate
|
|
70
|
-
passes — see "Safety + trust" below).
|
|
71
|
-
AGENTS.md Open-standard project context file read by
|
|
72
|
-
Claude Code, Codex, Cursor, Aider, and any
|
|
73
|
-
AGENTS.md-compliant agent.
|
|
74
|
-
CLAUDE.md Claude Code shim that points at AGENTS.md.
|
|
75
|
-
.claude/skills/ Nine dxkit-* skills covering the full lifecycle:
|
|
76
|
-
learn / init / config / hooks / reports /
|
|
77
|
-
action / fix / update / onboard. Claude Code
|
|
78
|
-
auto-discovers via skill frontmatter.
|
|
79
|
-
.dxkit/ reports, baselines, and (optional) policy.
|
|
80
|
-
.vyuh-dxkit.json install manifest.
|
|
81
|
-
```
|
|
52
|
+
Before dxkit blocks anything, it snapshots every existing finding in your repo and fingerprints them. The fingerprints survive renames, line shifts from formatter runs, and small unrelated edits. Cross-tool overlaps (gitleaks and semgrep flagging the same line) collapse to one finding.
|
|
82
53
|
|
|
83
|
-
|
|
54
|
+
From this moment forward, the gate only fires on net-new regressions. Your existing debt is grandfathered. The team fixes old issues at their own pace. The gate stays useful because it stays reasonable.
|
|
84
55
|
|
|
85
|
-
|
|
86
|
-
vyuh-dxkit baseline create # capture today's state
|
|
87
|
-
git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
|
|
88
|
-
git commit -m "chore: enable dxkit guardrails"
|
|
89
|
-
```
|
|
56
|
+
Three modes for the baseline file:
|
|
90
57
|
|
|
91
|
-
|
|
58
|
+
- `committed-full`: rich entries committed to git. Default for private repos.
|
|
59
|
+
- `committed-sanitized`: stripped to fingerprint plus kind. For compliance-conscious teams.
|
|
60
|
+
- `ref-based`: no committed file at all. Prior side recomputed from a git ref via `git worktree add`. Default for public repos. Zero disclosure surface.
|
|
92
61
|
|
|
93
|
-
|
|
94
|
-
opt-in via `--with-precommit-hook` — slow on large repos until
|
|
95
|
-
scoped incremental scanning lands).
|
|
96
|
-
- Every PR is gated by GitHub Actions, which posts a markdown summary
|
|
97
|
-
as a comment.
|
|
98
|
-
- After the PR-gate workflow passes and the PR merges, the baseline
|
|
99
|
-
is refreshed so the next PR is gated against the up-to-date state.
|
|
62
|
+
### 2. Score the codebase deterministically
|
|
100
63
|
|
|
101
|
-
|
|
64
|
+
dxkit produces a 0 to 100 score across six dimensions: Security, Code Quality, Tests, Documentation, Maintainability, Developer Experience.
|
|
102
65
|
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
66
|
+
The score has four properties:
|
|
67
|
+
|
|
68
|
+
| Property | What it means |
|
|
69
|
+
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
70
|
+
| **Deterministic** | Same code yields the same score every time. No LLM in the grading path. Reproducible across machines, runs, and CI. Auditable. |
|
|
71
|
+
| **Comparable** | Two codebases of similar quality produce similar scores. Surface tricks do not move the needle. Adding empty comments does not improve Documentation if the code is not actually documented. |
|
|
72
|
+
| **Severity-weighted** | A critical security finding moves the score far more than a TODO comment. Penalties are anchored to real-world impact via CVSS for security and ratio thresholds for tests, coverage, file size, and other dimensions. |
|
|
73
|
+
| **Actionable** | Every deduction names the file, the line, and the recommended fix. Output is structured JSON. Agents and humans read the same thing. The "what to do next" lives in the score itself. |
|
|
74
|
+
|
|
75
|
+
### 3. Fix findings at reduced token cost
|
|
76
|
+
|
|
77
|
+
Detection is only half the job. dxkit builds a deterministic code graph of the repo (its symbols, call edges, and clustered modules), so fixing is cheap too. A coding agent works from that structure ("what calls this? what breaks if I change it?") instead of re-reading whole files, and every finding in a detailed report already carries its blast radius: the files that depend on it. The `dxkit-action` skill runs the fix, re-scores, and confirms the gate clears. Same result, far fewer tokens.
|
|
78
|
+
|
|
79
|
+
### What you get from the combination
|
|
80
|
+
|
|
81
|
+
A score on its own is a number. A baseline on its own grandfathers the past. Together they produce an objective stop signal you can trust.
|
|
82
|
+
|
|
83
|
+
```text
|
|
84
|
+
Today: 16/100 E 644 findings, all baselined
|
|
85
|
+
Next PR: 16/100 E 644 persisted, 0 new. Gate passes.
|
|
86
|
+
Bad PR: 14/100 E 644 persisted, 2 new high-severity. Gate blocks.
|
|
108
87
|
```
|
|
109
88
|
|
|
110
|
-
|
|
111
|
-
> are never destroyed. dxkit detects them and writes sidecar `.dxkit`
|
|
112
|
-
> files with merge instructions. `--force` overrides if you want.
|
|
89
|
+
The score does not lie. The baseline keeps it useful on real codebases. The combination works the same for humans, AI agents, and CI runners. That is the part that scales. And once the gate fires, the code graph makes acting on it cheap: agents fix from the structure rather than reading file after file.
|
|
113
90
|
|
|
114
91
|
---
|
|
115
92
|
|
|
@@ -117,377 +94,251 @@ rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
|
|
|
117
94
|
|
|
118
95
|
```text
|
|
119
96
|
$ npm init @vyuhlabs/dxkit
|
|
120
|
-
✓ Created:
|
|
97
|
+
✓ Created: 14 files
|
|
121
98
|
✓ Git hooks: installed 1 file(s)
|
|
99
|
+
.githooks/pre-push
|
|
122
100
|
✓ Devcontainer: installed 3 file(s)
|
|
123
101
|
✓ CI guardrails workflow: installed 1 file(s)
|
|
124
|
-
|
|
102
|
+
.github/workflows/dxkit-guardrails.yml
|
|
103
|
+
✓ Done! Claude Code now has full project context.
|
|
104
|
+
→ Next: run `vyuh-dxkit baseline create` to capture today's state.
|
|
125
105
|
|
|
126
|
-
$ vyuh-dxkit baseline create
|
|
127
|
-
|
|
106
|
+
$ npx vyuh-dxkit baseline create
|
|
107
|
+
→ Baseline mode=committed-full (auto: visibility not detectable via gh; defaulting to private posture)
|
|
108
|
+
✓ Wrote .dxkit/baselines/main.json — 644 findings, salt: deterministic (208.9s)
|
|
109
|
+
|
|
110
|
+
$ npx vyuh-dxkit guardrail check
|
|
111
|
+
## Guardrail: PASSED
|
|
112
|
+
No changes from baseline (644 pairs checked).
|
|
128
113
|
```
|
|
129
114
|
|
|
130
|
-
|
|
131
|
-
skills that init scaffolded. A typical request to the agent:
|
|
115
|
+
Later, an innocent-looking PR slips in a regression. The pre-push hook fires:
|
|
132
116
|
|
|
133
117
|
```text
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
118
|
+
$ git push
|
|
119
|
+
[hook] vyuh-dxkit guardrail check
|
|
120
|
+
## Guardrail: BLOCKED
|
|
121
|
+
2 new regressions found.
|
|
122
|
+
|
|
123
|
+
| Status | Kind | Severity | Location | Reason |
|
|
124
|
+
|---|---|---|---|---|
|
|
125
|
+
| added | secret | high | src/config/secrets.ts:42 | gitleaks/aws-access-key |
|
|
126
|
+
| added | code | medium | src/handlers/exec.ts:17 | semgrep/eval-use |
|
|
127
|
+
|
|
128
|
+
644 pre-existing findings persisted. Only the new changes blocked you.
|
|
129
|
+
Fix or allowlist with `npx vyuh-dxkit allowlist add ...`
|
|
137
130
|
```
|
|
138
131
|
|
|
139
|
-
The
|
|
132
|
+
The 644 pre-existing findings sit quietly. The 2 net-new ones stop the push.
|
|
140
133
|
|
|
141
|
-
|
|
142
|
-
$ vyuh-dxkit guardrail check
|
|
143
|
-
Guardrail BLOCKED — 2 new regressions
|
|
144
|
-
|
|
145
|
-
Baseline: .dxkit/baselines/main.json (89 findings)
|
|
146
|
-
Current: 91 findings · matcher: git-aware
|
|
147
|
-
|
|
148
|
-
Blocking (2)
|
|
149
|
-
ADDED [medium] large-file src/regression.ts
|
|
150
|
-
no-prior-match: identity fingerprint not present in the baseline
|
|
151
|
-
ADDED [medium] test-gap src/regression.ts
|
|
152
|
-
no-prior-match: identity fingerprint not present in the baseline
|
|
153
|
-
|
|
154
|
-
Summary
|
|
155
|
-
Pairs: 91 (blocking: 2, warning: 0, persisted: 89, resolved: 0)
|
|
156
|
-
Verdict: BLOCKED
|
|
157
|
-
Exit: 1
|
|
158
|
-
```
|
|
134
|
+
---
|
|
159
135
|
|
|
160
|
-
|
|
136
|
+
## Features
|
|
161
137
|
|
|
162
|
-
|
|
163
|
-
$ vyuh-dxkit guardrail check
|
|
164
|
-
Guardrail PASSED — 0 new regressions
|
|
138
|
+
### Eight first-class language packs
|
|
165
139
|
|
|
166
|
-
|
|
167
|
-
Pairs: 89 (blocking: 0, warning: 0, persisted: 89, resolved: 0)
|
|
168
|
-
Verdict: PASSED
|
|
169
|
-
Exit: 0
|
|
170
|
-
```
|
|
140
|
+
TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby. Each pack ships per-ecosystem analyzers: semgrep rulesets, dep-vuln scanners, license tools, lint adapters. Polyglot repos get unified reports without configuration.
|
|
171
141
|
|
|
172
|
-
|
|
142
|
+
<details>
|
|
143
|
+
<summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
|
|
173
144
|
|
|
174
|
-
|
|
145
|
+
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
146
|
+
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
147
|
+
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
148
|
+
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
149
|
+
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
150
|
+
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
151
|
+
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
|
|
152
|
+
| Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
|
|
153
|
+
| Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
|
|
154
|
+
| Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
|
|
175
155
|
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
156
|
+
¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
|
|
157
|
+
file-level resolver is a no-op. Downstream analyses that need an edge graph
|
|
158
|
+
(reachability, import-graph test-gap credit) degrade to conservative
|
|
159
|
+
defaults for those packs. Resolvers are tracked on the [roadmap](docs/roadmap.md).
|
|
179
160
|
|
|
180
|
-
#
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
vyuh-dxkit guardrail check --changed-only
|
|
161
|
+
² C# uses `dotnet-format` for formatting violations only. A real
|
|
162
|
+
severity-tiered C# linter (Roslyn analyzers or StyleCop) is on the
|
|
163
|
+
roadmap. Today every C# formatting violation is counted at `low` tier
|
|
164
|
+
so it does not inflate the Code Quality score.
|
|
185
165
|
|
|
186
|
-
|
|
187
|
-
vyuh-dxkit upgrade # plan + execute combined
|
|
188
|
-
```
|
|
166
|
+
</details>
|
|
189
167
|
|
|
190
|
-
|
|
168
|
+
### The matcher
|
|
191
169
|
|
|
192
|
-
|
|
193
|
-
vyuh-dxkit init --with-dxkit-agents # just the nine dxkit-* skills + AGENTS.md
|
|
194
|
-
vyuh-dxkit init --with-hooks # just the pre-push hook
|
|
195
|
-
vyuh-dxkit init --with-precommit-hook # add the pre-commit hook (opt-in; slow on large repos)
|
|
196
|
-
vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
|
|
197
|
-
vyuh-dxkit init --with-ci # just the PR-gate workflow
|
|
198
|
-
vyuh-dxkit init --with-baseline-refresh # just the auto-refresh
|
|
199
|
-
vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)
|
|
200
|
-
```
|
|
170
|
+
Multi-axis fingerprints (location, domain, content, semantic) pair findings across runs even when files were renamed, lines shifted, tools changed versions, or the branch was force-pushed. When location fails, the matcher falls back to git-aware diff lookup, then content hash, then identity-only multiset match. Every pair carries a confidence score and a reason chain.
|
|
201
171
|
|
|
202
|
-
|
|
172
|
+
### Per-finding suppression
|
|
203
173
|
|
|
204
|
-
|
|
205
|
-
vyuh-dxkit setup-branch-protection # mark dxkit-guardrails as required check on default branch
|
|
206
|
-
vyuh-dxkit setup-prebuild # configure Codespaces prebuild (cold-start ~7 min → ~30s)
|
|
207
|
-
```
|
|
174
|
+
Five typed categories: `false-positive`, `test-fixture`, `mitigated-externally`, `accepted-risk`, `deferred`. Each entry requires a reason. Categories that fade over time require an expiry.
|
|
208
175
|
|
|
209
|
-
|
|
176
|
+
Two surfaces:
|
|
210
177
|
|
|
211
|
-
|
|
178
|
+
- Inline annotations: `// dxkit-allow:test-fixture reason="example placeholder"`
|
|
179
|
+
- File-level: `.dxkit/allowlist.json`, audited via `vyuh-dxkit allowlist audit`
|
|
212
180
|
|
|
213
|
-
|
|
214
|
-
perfect — it asks whether each change made it worse.
|
|
181
|
+
Orphaned annotations become their own findings. The TypeScript `@ts-expect-error` model applied to suppressions. Prevents the graveyard of stale allowlist entries.
|
|
215
182
|
|
|
216
|
-
|
|
217
|
-
| ---------------- | -------------------------------------- | --------------------------------------------------------- |
|
|
218
|
-
| Baseline | Captured near zero | Captures today's debt as the floor |
|
|
219
|
-
| Behavior | Every regression matters from commit 1 | Existing debt is grandfathered; net-new regressions block |
|
|
220
|
-
| Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
|
|
183
|
+
### AI-agent integration
|
|
221
184
|
|
|
222
|
-
|
|
185
|
+
dxkit ships nine Claude Code skills under `.claude/skills/dxkit-*`. They wrap the CLI in conversational flows:
|
|
223
186
|
|
|
224
|
-
|
|
|
225
|
-
|
|
|
226
|
-
| `
|
|
227
|
-
| `
|
|
228
|
-
| `
|
|
229
|
-
| `
|
|
230
|
-
| `
|
|
231
|
-
| `config_drift` | New only because dxkit config changed | warns |
|
|
232
|
-
| `uncertain` | Below confidence threshold | warns |
|
|
187
|
+
| Skill | What it does |
|
|
188
|
+
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
|
|
189
|
+
| `dxkit-onboard` | Walks a customer through the full first-install journey |
|
|
190
|
+
| `dxkit-reports` | Runs analyzers and explains the output |
|
|
191
|
+
| `dxkit-action` | Reads a report, prioritizes findings, plans and runs fixes, re-verifies |
|
|
192
|
+
| `dxkit-fix` | Repairs a broken install from doctor output |
|
|
193
|
+
| `dxkit-hooks`, `dxkit-config`, `dxkit-learn`, `dxkit-update`, `dxkit-init` | Focused flows |
|
|
233
194
|
|
|
234
|
-
|
|
235
|
-
auto-discovered when present, compiled-in defaults otherwise.
|
|
195
|
+
`AGENTS.md` (the open standard read by Codex, Cursor, Aider, and others) also ships in every install. The skill flows are Claude Code-specific today; the AGENTS.md context is portable.
|
|
236
196
|
|
|
237
|
-
|
|
197
|
+
Why this matters for AI workflows: when an agent fixes a bug, you need an objective signal that says "yes, fixed cleanly" or "fix introduced four new regressions." dxkit's deterministic score plus baseline guardrail produces that signal. The agent reads the same JSON envelope a human reads, runs the verify step itself, and stops when clean.
|
|
238
198
|
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
A regression check is only useful if the matcher can tell _old issue
|
|
242
|
-
that moved_ from _new issue that appeared_. Line numbers alone aren't
|
|
243
|
-
stable — add a 20-line comment block at the top of a file and every
|
|
244
|
-
issue below it "moves."
|
|
245
|
-
|
|
246
|
-
dxkit uses layered identity, in priority order:
|
|
247
|
-
|
|
248
|
-
1. **Domain fingerprints** for entities whose identity is intrinsic:
|
|
249
|
-
- dependency vulnerabilities → `(package, version, advisory-id)`
|
|
250
|
-
- secrets → `(scanner-rule, fingerprint(value))` so a leaked
|
|
251
|
-
token recognises itself when moved
|
|
252
|
-
- licenses → `(package, version, license-type)`
|
|
253
|
-
- duplicate blocks → normalized content hash
|
|
254
|
-
2. **Location fingerprints** with a 3-line bucket for code findings.
|
|
255
|
-
3. **Git-aware line mapping** across commits, including `-M` file
|
|
256
|
-
renames and ±2 line fuzz windows.
|
|
257
|
-
4. **Content-hash fallback** when git history isn't reachable
|
|
258
|
-
(shallow clones, archived snapshots).
|
|
259
|
-
|
|
260
|
-
Every match pair carries a **confidence in [0, 1]** and structured
|
|
261
|
-
**reasons** (`exact-id`, `git-line-exact`, `git-line-fuzz`,
|
|
262
|
-
`git-rename`, `content-hash`, ...). No LLM in the grading path —
|
|
263
|
-
the matcher and classifier are deterministic over normalized
|
|
264
|
-
analyzer input; the same inputs produce the same classifications.
|
|
199
|
+
### Code-graph context: fix at reduced token cost
|
|
265
200
|
|
|
266
|
-
|
|
201
|
+
dxkit builds a deterministic code graph of your repo (its symbols, call edges, and clustered modules) using graphify (the `graphifyy` Python package). What matters is what an agent does with it. Instead of discovering structure by grepping around and reading whole files, the agent gets just the relevant slice:
|
|
267
202
|
|
|
268
|
-
|
|
203
|
+
- **`vyuh-dxkit context <query>`** (and an opt-in PreToolUse hook) hand an agent a slim structural map: the relevant symbols, where they live, and what calls them. It navigates by the graph instead of re-reading files, which is the same work at a fraction of the tokens.
|
|
204
|
+
- **`--graph-context`** writes each finding's module and blast radius (which files call into it) straight into the detailed report, so the `dxkit-action` fix skill can plan the change, and know which callers to re-test, without rediscovering structure first.
|
|
205
|
+
- **`vyuh-dxkit explore`** and a dashboard graph tab let humans ask the same graph what the repo does, where a feature lives, and which files are load-bearing.
|
|
269
206
|
|
|
270
|
-
|
|
271
|
-
generates a Codespaces-ready setup:
|
|
207
|
+
This is an additive, fail-open layer. When the graph is missing, or a language's call edges can't be resolved, every command behaves exactly as it did before. It's reliable on TypeScript, Python, and Go. Where the call graph can't be resolved (C#), blast radius is suppressed rather than faked, so a "no callers" reading is never mistaken for "safe to change."
|
|
272
208
|
|
|
273
|
-
|
|
274
|
-
Ruby 3.3, Java 17, Rust stable) layered via standard devcontainer
|
|
275
|
-
features — small image footprint, fast Codespaces prebuild.
|
|
276
|
-
- `post-create.sh` runs `vyuh-dxkit tools install --yes` to provision
|
|
277
|
-
the scanner toolchain pinned in dxkit's registry (gitleaks, semgrep,
|
|
278
|
-
cloc, jscpd, ruff, osv-scanner, and more — language-aware, only the
|
|
279
|
-
ones your stack needs).
|
|
280
|
-
- Install scripts for the AI coding-agent CLIs you want available
|
|
281
|
-
inside the container. The scripts only install the binaries — auth
|
|
282
|
-
remains user-owned and is never baked into the image.
|
|
283
|
-
- Every piece is a regular script you can edit after install.
|
|
209
|
+
### Reproducible environments
|
|
284
210
|
|
|
285
|
-
|
|
211
|
+
Per-stack devcontainer with only the languages your project uses. Scanner toolchain auto-installed. Install scripts for AI agent CLIs (auth stays user-owned). Codespaces prebuilds wire via `vyuh-dxkit setup-prebuild` so cold-start drops from ~7 minutes to ~30 seconds.
|
|
286
212
|
|
|
287
|
-
|
|
213
|
+
### Public-repo safe baselines
|
|
288
214
|
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
| Command | Question it answers |
|
|
295
|
-
| ----------------- | ------------------------------------------------------------------------------------- |
|
|
296
|
-
| `health` | "What's the overall shape of this codebase?" — 6-dimension score |
|
|
297
|
-
| `vulnerabilities` | "What security issues are there?" — secrets, SAST, dependency audit, EPSS/KEV context |
|
|
298
|
-
| `test-gaps` | "Which untested files are riskiest?" |
|
|
299
|
-
| `quality` | "Where's the technical debt + duplication?" |
|
|
300
|
-
| `bom` | "Full dependency × license × CVE × upgrade view" (license columns: 5 packs today) |
|
|
301
|
-
| `licenses` | "What licenses are in my dependency tree?" (TS, Python, Go, Rust, C# today) |
|
|
302
|
-
| `dev-report` | "Who's working on what, where are the hot files?" |
|
|
303
|
-
| `dashboard` | "Single HTML view of everything I've run" |
|
|
304
|
-
| `report` | Run every analyzer + dashboard in one shot |
|
|
305
|
-
|
|
306
|
-
Composable aggregate gates apply to every analyzer:
|
|
215
|
+
The `ref-based` mode commits no baseline file. The guardrail check recomputes the prior side at check time from a git ref via `git worktree add`. Zero disclosure surface. File paths, package names, and advisory IDs all stay out of git. Auto-picked for public repos via `gh repo view --json visibility`.
|
|
216
|
+
|
|
217
|
+
---
|
|
218
|
+
|
|
219
|
+
## Quickstart
|
|
307
220
|
|
|
308
221
|
```bash
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
vyuh-dxkit bom --fail-on-severity critical
|
|
312
|
-
```
|
|
222
|
+
# Canonical first install
|
|
223
|
+
npm init @vyuhlabs/dxkit
|
|
313
224
|
|
|
314
|
-
|
|
315
|
-
|
|
225
|
+
# Capture today's state
|
|
226
|
+
npx vyuh-dxkit baseline create
|
|
316
227
|
|
|
317
|
-
|
|
318
|
-
|
|
228
|
+
# Verify the install
|
|
229
|
+
npx vyuh-dxkit doctor
|
|
319
230
|
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
323
|
-
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
324
|
-
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
325
|
-
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
326
|
-
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
|
|
327
|
-
| Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
|
|
328
|
-
| Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
|
|
329
|
-
| Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
|
|
231
|
+
# Commit and ship
|
|
232
|
+
git add . && git commit -m "chore: enable dxkit" && git push
|
|
330
233
|
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
234
|
+
# Optional but recommended
|
|
235
|
+
npx vyuh-dxkit setup-branch-protection # mark guardrail as required CI check
|
|
236
|
+
npx vyuh-dxkit setup-prebuild # Codespaces prebuild
|
|
237
|
+
```
|
|
335
238
|
|
|
336
|
-
|
|
337
|
-
tiered C# linter (Roslyn analyzers / StyleCop) is roadmap; today every
|
|
338
|
-
C# formatting violation is counted at `low` tier so it doesn't inflate
|
|
339
|
-
the Quality/Slop score.
|
|
239
|
+
À la carte if you only want specific pieces:
|
|
340
240
|
|
|
341
|
-
|
|
241
|
+
```bash
|
|
242
|
+
npx vyuh-dxkit init --with-dxkit-agents # just the nine Claude skills + AGENTS.md
|
|
243
|
+
npx vyuh-dxkit init --with-hooks # just the pre-push hook
|
|
244
|
+
npx vyuh-dxkit init --with-precommit-hook # add pre-commit (slow on large repos)
|
|
245
|
+
npx vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
|
|
246
|
+
npx vyuh-dxkit init --with-ci # just the PR-gate workflow
|
|
247
|
+
```
|
|
342
248
|
|
|
343
249
|
---
|
|
344
250
|
|
|
345
|
-
##
|
|
346
|
-
|
|
347
|
-
dxkit doesn't try to replace SonarQube, Snyk, Semgrep, GitHub
|
|
348
|
-
Advanced Security, Trivy, Gitleaks, or OSV-Scanner. It does three
|
|
349
|
-
things they don't:
|
|
350
|
-
|
|
351
|
-
1. **It scaffolds your AI agent.** Most tools find issues; dxkit
|
|
352
|
-
_also_ writes the project-context layer (entry-point doc, project
|
|
353
|
-
skills, commands, language-specific rules, specialized subagents)
|
|
354
|
-
that lets your agent operate on the codebase intelligently.
|
|
355
|
-
2. **It gates at commit time, deterministically.** No LLM in the
|
|
356
|
-
grading path. The matcher and classifier are deterministic over
|
|
357
|
-
normalized analyzer input.
|
|
358
|
-
3. **It assumes your repo is messy.** Other tools want clean
|
|
359
|
-
codebases and block every PR until you fix everything. dxkit
|
|
360
|
-
captures the floor, grandfathers existing debt, and only blocks
|
|
361
|
-
regressions introduced from here forward — usable on day-one
|
|
362
|
-
greenfield and 10-year-old brownfield codebases alike.
|
|
363
|
-
|
|
364
|
-
Built on **open methodology**: ISO/IEC 25010, ISO/IEC 5055, SQALE,
|
|
365
|
-
CVSS v4 (FIRST reference port), CWE taxonomy, OpenSSF Scorecard.
|
|
366
|
-
Scores are evidence-backed and traceable to the findings that
|
|
367
|
-
produced them.
|
|
251
|
+
## What dxkit analyzes
|
|
368
252
|
|
|
369
|
-
|
|
253
|
+
| Dimension | Tools | What it catches |
|
|
254
|
+
| -------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
|
|
255
|
+
| Security | gitleaks, semgrep, osv-scanner, npm-audit, pip-audit, govulncheck, cargo-audit, dotnet vulnerable, bundle-audit | Secrets, dep vulnerabilities, insecure patterns, TLS bypass |
|
|
256
|
+
| Code Quality | cloc, jscpd, graphify, lint adapters | File size, duplication, complexity, hygiene markers |
|
|
257
|
+
| Tests | coverage adapters per pack, test-file detector | Missing tests, degraded tests, coverage gaps |
|
|
258
|
+
| Documentation | doc-comment ratio, README presence | Inline doc coverage, project-level docs |
|
|
259
|
+
| Maintainability | graphify call-graph metrics | God files, dead imports, cohesion, communities |
|
|
260
|
+
| Developer Experience | git hook detection, CI workflow detection, manifest presence | Pre-push hooks, CI quality gates, environment reproducibility |
|
|
370
261
|
|
|
371
|
-
|
|
262
|
+
Each analyzer reports raw findings. dxkit aggregates, deduplicates across tools, and scores deterministically.
|
|
372
263
|
|
|
373
|
-
|
|
264
|
+
---
|
|
374
265
|
|
|
375
|
-
|
|
376
|
-
- TypeScript frontend
|
|
377
|
-
- Large .NET WinForms project
|
|
266
|
+
## Brownfield vs greenfield
|
|
378
267
|
|
|
379
|
-
|
|
268
|
+
| | Greenfield (day 1) | Brownfield (years of debt) |
|
|
269
|
+
| ---------------- | -------------------------------------- | ------------------------------------------------- |
|
|
270
|
+
| Baseline | Near-zero on capture | Captures today's debt as floor |
|
|
271
|
+
| Behavior | Every regression matters from commit 1 | Existing debt grandfathered; net-new blocks |
|
|
272
|
+
| Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
|
|
380
273
|
|
|
381
|
-
|
|
382
|
-
per-finding identity sets
|
|
383
|
-
- brought roughly **3,000 previously untracked findings into
|
|
384
|
-
guardrail coverage**
|
|
385
|
-
- matched identity-set counts exactly to report aggregates for
|
|
386
|
-
every finding kind
|
|
274
|
+
The status taxonomy that drives gate decisions:
|
|
387
275
|
|
|
388
|
-
|
|
276
|
+
| Status | Meaning | Default |
|
|
277
|
+
| ------------------- | ----------------------------------------- | ---------- |
|
|
278
|
+
| `added` | Net-new finding introduced by this change | **blocks** |
|
|
279
|
+
| `relocated` | Same finding, moved (line drift, rename) | passes |
|
|
280
|
+
| `persisted` | Same finding, same place. Pre-existing. | passes |
|
|
281
|
+
| `removed` / `fixed` | Was there, now gone | passes |
|
|
282
|
+
| `tooling_drift` | New because scanner version changed | warns |
|
|
283
|
+
| `config_drift` | New because dxkit config changed | warns |
|
|
284
|
+
| `uncertain` | Below confidence threshold | warns |
|
|
285
|
+
|
|
286
|
+
Customize via [`.dxkit/policy.json`](docs/configuration/policy.md).
|
|
389
287
|
|
|
390
288
|
---
|
|
391
289
|
|
|
392
|
-
## Safety
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
- **
|
|
397
|
-
- **
|
|
398
|
-
locally-installed scanners; results stay on disk.
|
|
399
|
-
- **Secret values are never written to disk.** dxkit stores a
|
|
400
|
-
non-reversible fingerprint for matching only — the scanner sees
|
|
401
|
-
the value once and discards it after hashing.
|
|
402
|
-
- **Agent auth stays user-owned.** Install scripts ship the CLIs;
|
|
403
|
-
authentication happens in your session and is never baked into
|
|
404
|
-
the image or stored by dxkit.
|
|
405
|
-
- **CI guardrails are the enforcement layer.** Local hooks provide
|
|
406
|
-
fast feedback but are bypassable (`git commit --no-verify`); the
|
|
407
|
-
GitHub Actions PR-gate runs server-side and can be made a required
|
|
408
|
-
check via branch protection.
|
|
409
|
-
- **Post-merge baseline refresh is gated.** The refresh workflow
|
|
410
|
-
runs only after the PR-gate workflow succeeds on the merging
|
|
411
|
-
commit. **Use branch protection to make the PR-gate a required
|
|
412
|
-
check** so a bypassed merge can't codify a regression into the
|
|
413
|
-
baseline.
|
|
290
|
+
## Safety and trust
|
|
291
|
+
|
|
292
|
+
- **Local-first.** Every scan runs on the developer's machine. Nothing leaves the repo. No telemetry. No phone-home.
|
|
293
|
+
- **No LLM in the grading path.** Scores come from deterministic analyzers and arithmetic. Reproducible. Auditable. The only way to improve a score is to write better code.
|
|
294
|
+
- **Sigstore provenance.** Every npm release is signed via OIDC from GitHub Actions. Verify with `npm audit signatures`.
|
|
295
|
+
- **Open source.** MIT licensed. Inspect every score derivation.
|
|
414
296
|
|
|
415
297
|
---
|
|
416
298
|
|
|
417
|
-
##
|
|
299
|
+
## Real-world validation
|
|
418
300
|
|
|
419
|
-
-
|
|
420
|
-
- [`baseline` command](docs/commands/baseline.md)
|
|
421
|
-
- [`guardrail` command](docs/commands/guardrail.md)
|
|
422
|
-
- [`.dxkit/policy.json` configuration](docs/configuration/policy.md)
|
|
423
|
-
- [Scoring methodology](docs/SCORING.md)
|
|
424
|
-
- [Architecture](docs/ARCHITECTURE.md)
|
|
425
|
-
- [All commands](docs/README.md)
|
|
301
|
+
dxkit ships against pinned production codebases across all eight language packs. Every release runs a cross-stack walkthrough on a polyglot reference repo (TypeScript + Python) and a .NET reference repo before tagging. The cross-stack regression suite is part of CI.
|
|
426
302
|
|
|
427
|
-
|
|
303
|
+
Recent ship validation (`@vyuhlabs/dxkit@2.6.0`, 2026-05-23):
|
|
428
304
|
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
-
|
|
432
|
-
- [x] Agent project scaffolding (entry-point doc, skills, commands,
|
|
433
|
-
conventions, specialized subagents — single-agent today)
|
|
434
|
-
- [x] Optional install scripts for AI coding-agent CLIs in the
|
|
435
|
-
devcontainer
|
|
436
|
-
- [x] Per-finding fingerprinting + git-aware matching
|
|
437
|
-
- [x] Baseline + guardrail commands
|
|
438
|
-
- [x] Brownfield policy classifier
|
|
439
|
-
- [x] Git hooks (pre-push default; pre-commit opt-in)
|
|
440
|
-
- [x] GitHub Actions PR-gate + gated baseline-refresh workflows
|
|
441
|
-
- [x] Devcontainer with pinned toolchains
|
|
442
|
-
- [x] Nine dxkit-\* skills + AGENTS.md (open-standard, read by every
|
|
443
|
-
AGENTS.md-compliant agent — Claude Code, Codex, Cursor, Aider)
|
|
444
|
-
- [ ] First-class plugin packaging for the Claude Code marketplace + MCP server for cross-agent reach (2.6, decision-pending)
|
|
445
|
-
- [ ] Scoped + incremental scanning — fast pre-commit on monorepos
|
|
446
|
-
(2.6)
|
|
447
|
-
- [ ] Symbol-level coverage gaps across all 8 packs (2.6)
|
|
448
|
-
- [ ] SARIF export for GitHub code scanning interop (2.6)
|
|
449
|
-
- [ ] Reachability-aware dep-vuln triage
|
|
450
|
-
- [ ] **Per-pack capability parity** — bring every cell in the
|
|
451
|
-
capability table to a green tick (2.7 / 3.0):
|
|
452
|
-
- Import-graph resolvers for Rust, C#, Kotlin, Java, Ruby
|
|
453
|
-
(so reachability + import-graph test-gap credit work for
|
|
454
|
-
every pack, not just TS/Python/Go)
|
|
455
|
-
- Severity-tiered C# linter (Roslyn analyzers or StyleCop)
|
|
456
|
-
- License providers for Kotlin, Java, Ruby
|
|
457
|
-
- [ ] AI Readiness banner — semantic anchors, function-body hashes,
|
|
458
|
-
cross-file refactor detection (3.0)
|
|
305
|
+
- 1904 tests across 110 files
|
|
306
|
+
- License findings dropped 73% on a 600-source-file polyglot codebase after the 2.6 baseline polish
|
|
307
|
+
- New `ref-based` mode verified end-to-end on both reference stacks
|
|
459
308
|
|
|
460
309
|
---
|
|
461
310
|
|
|
462
|
-
##
|
|
311
|
+
## Documentation
|
|
463
312
|
|
|
464
|
-
|
|
465
|
-
codebase. We'd love help with:
|
|
313
|
+
**Start here**:
|
|
466
314
|
|
|
467
|
-
-
|
|
468
|
-
-
|
|
469
|
-
- Monorepo detection
|
|
470
|
-
- Devcontainer templates per stack
|
|
471
|
-
- Custom guardrail policies
|
|
472
|
-
- SARIF output
|
|
473
|
-
- More specialized subagents
|
|
315
|
+
- [Getting started](docs/getting-started.md): full walkthrough from install to first guardrail check
|
|
316
|
+
- [CHANGELOG](CHANGELOG.md): release notes. Latest is [2.6.0](https://github.com/vyuh-labs/dxkit/releases/tag/v2.6.0)
|
|
474
317
|
|
|
475
|
-
|
|
476
|
-
[good first issues](https://github.com/vyuh-labs/dxkit/labels/good%20first%20issue).
|
|
318
|
+
**Depth**:
|
|
477
319
|
|
|
478
|
-
|
|
320
|
+
- [Why dxkit](docs/why-dxkit.md): rationale, comparison vs SonarQube/Snyk/Semgrep/etc., open methodology
|
|
321
|
+
- [Architecture](docs/ARCHITECTURE.md): data flow, the git-aware matcher, fingerprint axes
|
|
322
|
+
- [Scoring methodology](docs/SCORING.md): how each dimension is computed, citations
|
|
323
|
+
- [Roadmap](docs/roadmap.md): shipped vs planned
|
|
479
324
|
|
|
480
|
-
|
|
325
|
+
**Reference**:
|
|
481
326
|
|
|
482
|
-
|
|
327
|
+
- [Command reference](docs/README.md): every subcommand at a glance
|
|
328
|
+
- [`baseline`](docs/commands/baseline.md): capture, show, modes
|
|
329
|
+
- [`guardrail`](docs/commands/guardrail.md): check, classify, render
|
|
330
|
+
- [`allowlist`](docs/commands/allowlist.md): per-finding suppression
|
|
331
|
+
- [`.dxkit/policy.json`](docs/configuration/policy.md): tune what blocks vs warns
|
|
332
|
+
- [Reporting issues](docs/commands/issue.md): `vyuh-dxkit issue --type=...`
|
|
483
333
|
|
|
484
334
|
---
|
|
485
335
|
|
|
486
|
-
##
|
|
336
|
+
## Contributing
|
|
487
337
|
|
|
488
|
-
|
|
489
|
-
|
|
490
|
-
|
|
338
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md). The project follows architectural rules in [CLAUDE.md](CLAUDE.md). Adding a new language pack, a new finding kind, or a new scoring dimension each have one-page recipes.
|
|
339
|
+
|
|
340
|
+
---
|
|
491
341
|
|
|
492
|
-
|
|
493
|
-
|
|
342
|
+
## License
|
|
343
|
+
|
|
344
|
+
MIT. See [LICENSE](LICENSE).
|