@vyuhlabs/dxkit 2.6.0 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (151) hide show
  1. package/CHANGELOG.md +54 -13
  2. package/README.md +208 -459
  3. package/dist/analyzers/bom/discovery.d.ts +3 -4
  4. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  5. package/dist/analyzers/bom/discovery.js +3 -4
  6. package/dist/analyzers/bom/discovery.js.map +1 -1
  7. package/dist/analyzers/bom/types.d.ts +1 -1
  8. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  9. package/dist/analyzers/dashboard/index.js +42 -5
  10. package/dist/analyzers/dashboard/index.js.map +1 -1
  11. package/dist/analyzers/quality/detailed.d.ts +8 -1
  12. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  13. package/dist/analyzers/quality/detailed.js +43 -10
  14. package/dist/analyzers/quality/detailed.js.map +1 -1
  15. package/dist/analyzers/security/detailed.d.ts +8 -1
  16. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  17. package/dist/analyzers/security/detailed.js +14 -1
  18. package/dist/analyzers/security/detailed.js.map +1 -1
  19. package/dist/analyzers/tests/detailed.d.ts +8 -1
  20. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  21. package/dist/analyzers/tests/detailed.js +26 -7
  22. package/dist/analyzers/tests/detailed.js.map +1 -1
  23. package/dist/analyzers/tools/cloc.js +3 -3
  24. package/dist/analyzers/tools/cloc.js.map +1 -1
  25. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  26. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  27. package/dist/analyzers/tools/exclusions.js +27 -13
  28. package/dist/analyzers/tools/exclusions.js.map +1 -1
  29. package/dist/analyzers/tools/graphify.d.ts +39 -5
  30. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  31. package/dist/analyzers/tools/graphify.js +609 -45
  32. package/dist/analyzers/tools/graphify.js.map +1 -1
  33. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  34. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  35. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  36. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  37. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  38. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  39. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  40. package/dist/analyzers/tools/parallel.js +7 -0
  41. package/dist/analyzers/tools/parallel.js.map +1 -1
  42. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  43. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  44. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  45. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  46. package/dist/analyzers/xlsx/licenses.js +7 -7
  47. package/dist/cli.d.ts.map +1 -1
  48. package/dist/cli.js +80 -3
  49. package/dist/cli.js.map +1 -1
  50. package/dist/dashboard/graph-adapter.d.ts +151 -0
  51. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  52. package/dist/dashboard/graph-adapter.js +415 -0
  53. package/dist/dashboard/graph-adapter.js.map +1 -0
  54. package/dist/dashboard/graph-tab.d.ts +109 -0
  55. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  56. package/dist/dashboard/graph-tab.js +297 -0
  57. package/dist/dashboard/graph-tab.js.map +1 -0
  58. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  59. package/dist/explore/cli/api-surface.d.ts +12 -0
  60. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  61. package/dist/explore/cli/api-surface.js +57 -0
  62. package/dist/explore/cli/api-surface.js.map +1 -0
  63. package/dist/explore/cli/communities.d.ts +10 -0
  64. package/dist/explore/cli/communities.d.ts.map +1 -0
  65. package/dist/explore/cli/communities.js +47 -0
  66. package/dist/explore/cli/communities.js.map +1 -0
  67. package/dist/explore/cli/context.d.ts +16 -0
  68. package/dist/explore/cli/context.d.ts.map +1 -0
  69. package/dist/explore/cli/context.js +118 -0
  70. package/dist/explore/cli/context.js.map +1 -0
  71. package/dist/explore/cli/entry-points.d.ts +12 -0
  72. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  73. package/dist/explore/cli/entry-points.js +85 -0
  74. package/dist/explore/cli/entry-points.js.map +1 -0
  75. package/dist/explore/cli/feature.d.ts +16 -0
  76. package/dist/explore/cli/feature.d.ts.map +1 -0
  77. package/dist/explore/cli/feature.js +89 -0
  78. package/dist/explore/cli/feature.js.map +1 -0
  79. package/dist/explore/cli/file.d.ts +12 -0
  80. package/dist/explore/cli/file.d.ts.map +1 -0
  81. package/dist/explore/cli/file.js +139 -0
  82. package/dist/explore/cli/file.js.map +1 -0
  83. package/dist/explore/cli/hot-files.d.ts +11 -0
  84. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  85. package/dist/explore/cli/hot-files.js +63 -0
  86. package/dist/explore/cli/hot-files.js.map +1 -0
  87. package/dist/explore/context-hook.d.ts +42 -0
  88. package/dist/explore/context-hook.d.ts.map +1 -0
  89. package/dist/explore/context-hook.js +131 -0
  90. package/dist/explore/context-hook.js.map +1 -0
  91. package/dist/explore/finding-context.d.ts +69 -0
  92. package/dist/explore/finding-context.d.ts.map +1 -0
  93. package/dist/explore/finding-context.js +102 -0
  94. package/dist/explore/finding-context.js.map +1 -0
  95. package/dist/explore/format.d.ts +64 -0
  96. package/dist/explore/format.d.ts.map +1 -0
  97. package/dist/explore/format.js +99 -0
  98. package/dist/explore/format.js.map +1 -0
  99. package/dist/explore/load.d.ts +50 -0
  100. package/dist/explore/load.d.ts.map +1 -0
  101. package/dist/explore/load.js +197 -0
  102. package/dist/explore/load.js.map +1 -0
  103. package/dist/explore/queries.d.ts +413 -0
  104. package/dist/explore/queries.d.ts.map +1 -0
  105. package/dist/explore/queries.js +855 -0
  106. package/dist/explore/queries.js.map +1 -0
  107. package/dist/explore/types.d.ts +130 -0
  108. package/dist/explore/types.d.ts.map +1 -0
  109. package/dist/explore/types.js +28 -0
  110. package/dist/explore/types.js.map +1 -0
  111. package/dist/explore-cli.d.ts +45 -0
  112. package/dist/explore-cli.d.ts.map +1 -0
  113. package/dist/explore-cli.js +213 -0
  114. package/dist/explore-cli.js.map +1 -0
  115. package/dist/generator.d.ts.map +1 -1
  116. package/dist/generator.js +19 -0
  117. package/dist/generator.js.map +1 -1
  118. package/dist/languages/csharp.d.ts.map +1 -1
  119. package/dist/languages/csharp.js +31 -11
  120. package/dist/languages/csharp.js.map +1 -1
  121. package/dist/languages/go.d.ts.map +1 -1
  122. package/dist/languages/go.js +4 -0
  123. package/dist/languages/go.js.map +1 -1
  124. package/dist/languages/index.d.ts +27 -0
  125. package/dist/languages/index.d.ts.map +1 -1
  126. package/dist/languages/index.js +35 -0
  127. package/dist/languages/index.js.map +1 -1
  128. package/dist/languages/java.d.ts.map +1 -1
  129. package/dist/languages/java.js +4 -0
  130. package/dist/languages/java.js.map +1 -1
  131. package/dist/languages/kotlin.d.ts.map +1 -1
  132. package/dist/languages/kotlin.js +4 -0
  133. package/dist/languages/kotlin.js.map +1 -1
  134. package/dist/languages/python.d.ts.map +1 -1
  135. package/dist/languages/python.js +4 -0
  136. package/dist/languages/python.js.map +1 -1
  137. package/dist/languages/ruby.d.ts.map +1 -1
  138. package/dist/languages/ruby.js +4 -0
  139. package/dist/languages/ruby.js.map +1 -1
  140. package/dist/languages/rust.d.ts.map +1 -1
  141. package/dist/languages/rust.js +4 -0
  142. package/dist/languages/rust.js.map +1 -1
  143. package/dist/languages/types.d.ts +54 -0
  144. package/dist/languages/types.d.ts.map +1 -1
  145. package/dist/languages/typescript.d.ts.map +1 -1
  146. package/dist/languages/typescript.js +5 -1
  147. package/dist/languages/typescript.js.map +1 -1
  148. package/package.json +2 -1
  149. package/templates/.claude/skills/dxkit-action/SKILL.md +21 -1
  150. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  151. package/templates/AGENTS.md.template +8 -1
package/CHANGELOG.md CHANGED
@@ -7,6 +7,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.7.0] - 2026-05-29
11
+
12
+ The "Repo Explore" release. dxkit now builds a deterministic code graph
13
+ of your repo and exposes it three ways: a CLI to query structure, an
14
+ interactive graph in the dashboard, and per-finding blast radius in
15
+ detailed reports. The throughline is helping a coding agent fix findings
16
+ by navigating structure instead of re-reading whole files.
17
+
18
+ ### Added
19
+
20
+ - **`vyuh-dxkit explore`** with six subcommands (`entry-points`,
21
+ `hot-files`, `communities`, `file`, `feature`, `api-surface`) for
22
+ asking the code graph what the repo does, where a feature lives, which
23
+ files are load-bearing, and what the public API surface is.
24
+ - **`vyuh-dxkit context <query>`** returns a token-budgeted structural
25
+ slice for a query (an anchor symbol, its relevant neighbors, and the
26
+ blast radius), plus a fail-open Claude Code PreToolUse hook that feeds
27
+ it on Grep/Glob so agents need fewer follow-up whole-file reads.
28
+ Auto-installed with `--with-dxkit-agents`.
29
+ - **Interactive Graph tab** in `vyuh-dxkit dashboard`, embedding
30
+ graphify's code-graph viewer with the renderer bundled to work
31
+ offline. Large repos render a community-aggregated view.
32
+ - **`--graph-context`** on `vulnerabilities`, `test-gaps`, and `quality`
33
+ attaches each finding's module and blast radius (which files call into
34
+ it) to the detailed report, so a fixing agent gets the structural map
35
+ per finding without a separate lookup.
36
+ - **Per-language call-graph reliability.** Where the call graph cannot be
37
+ resolved (C#, which cannot follow `using` across assemblies), blast
38
+ radius reads "n/a" rather than a misleading "0 callers", so it is never
39
+ mistaken for "safe to change".
40
+ - **`dxkit-action`** now folds blast radius into prioritization as an
41
+ additive signal, and the generated `AGENTS.md` documents the new
42
+ commands.
43
+
44
+ ### Changed
45
+
46
+ - `vyuh-dxkit health` writes the code graph to
47
+ `.dxkit/reports/graph.json` as a side effect, so a single run
48
+ populates the artifact the explore, context, dashboard, and
49
+ graph-context surfaces read.
50
+
10
51
  ## [2.6.0] - 2026-05-23
11
52
 
12
53
  The "per-finding suppression + public-repo-safe baselines" release.
@@ -185,7 +226,7 @@ Tag: `create-dxkit@v0.2.0`. Run `npm init @vyuhlabs/dxkit` to get
185
226
  the new combined experience.
186
227
 
187
228
  Validated end-to-end with two cross-stack walkthroughs on 2026-05-22:
188
- `vyuhlabs-platform` (python + typescript) and `dpl-studio` (csharp).
229
+ a polyglot Python+TypeScript reference repo and a .NET reference repo.
189
230
  Both stacks: defect closures verified, per-pack devcontainer adapts
190
231
  correctly, doctor's new tier-3 surfaces operational gaps with
191
232
  actionable fix commands.
@@ -1621,9 +1662,9 @@ Four pieces shipped together:
1621
1662
  The post-shipment audit's master bug + its direct cascade:
1622
1663
 
1623
1664
  - **D055** — `.dxkit-ignore` multi-segment paths flatten to basenames
1624
- in cloc / graphify / grep. `Dev/Addons/VendorAddon/SAPB1/` silently
1625
- became `{Dev, Addons, VendorAddon, SAPB1}` cloc then excluded every
1626
- directory named `Dev` in the tree, killing 90% of source visibility.
1665
+ in cloc / graphify / grep. `app/vendor/generated/` silently
1666
+ became `{app, vendor, generated}`, so cloc then excluded every
1667
+ directory named `app` in the tree, killing 90% of source visibility.
1627
1668
  Fix: `getClocExcludeFlags` emits `--exclude-dir` (basenames) PLUS
1628
1669
  `--fullpath --not-match-d` (Perl regex on full path).
1629
1670
  `getPythonExcludeFilter` emits both a basename set AND a multi-
@@ -1825,7 +1866,7 @@ discipline.
1825
1866
  (osv-scanner reads Gemfile.lock directly, no `bundle env`/`bundle
1826
1867
  show` introspection ladder). Stays accepted-deferred.
1827
1868
  - **D017** (NEW) — `dxkit bom <large-project> > file.json` produces
1828
- 0-byte output intermittently on vyuhlabs-platform (1700+ deps).
1869
+ 0-byte output intermittently on a large reference repo (1700+ deps).
1829
1870
  EXIT=0, no error. Workaround: pipe through `cat`. Hypothesis:
1830
1871
  Node stdout buffer doesn't drain before process exit when output
1831
1872
  is large + stdout is a regular file. NOT a 2.4.6 ship blocker —
@@ -1835,7 +1876,7 @@ discipline.
1835
1876
  ### Pre-ship regression — clean
1836
1877
 
1837
1878
  Sequential dxkit reports captured against dxkit-on-dxkit and
1838
- vyuhlabs-platform; 12 reports each diffed against the 2.4.5-fixed
1879
+ a large reference repo; 12 reports each diffed against the 2.4.5-fixed
1839
1880
  baseline. Zero code regressions detected. All deltas explained:
1840
1881
 
1841
1882
  - dxkit/test-gaps 16 → 32 — better data (Istanbul vs import-graph
@@ -1887,7 +1928,7 @@ at every commit in the 10-commit branch.
1887
1928
  `typescript`, etc.). `unfilteredTotalPackages` 22 → 353. The
1888
1929
  analyzed project's own deps were missing from BoM whenever the
1889
1930
  bug hit. Most repos that resolve peer-deps cleanly under
1890
- `--legacy-peer-deps` weren't affected (vyuhlabs-platform's BoM
1931
+ `--legacy-peer-deps` weren't affected (the reference repo's BoM
1891
1932
  stayed correct at 145 packages); repos with subtle peer-dep
1892
1933
  issues silently lost root-dep enumeration.
1893
1934
 
@@ -2756,7 +2797,7 @@ unchanged — consumers can re-derive trivially if needed.
2756
2797
  - 715 tests passing (+18 pm-signals cases: license class mapping,
2757
2798
  compound expressions, staleness thresholds, effort semver deltas).
2758
2799
  - Typecheck + lint + format + architecture + pre-push CI-mirror gate clean.
2759
- - vyuhlabs-platform smoke: all 4 sheets render correctly, exec summary
2800
+ - reference-repo smoke: all 4 sheets render correctly, exec summary
2760
2801
  surfaces 3 ship-blockers + 9 sprint-risk findings + pm2 flagged
2761
2802
  copyleft-strong, `@loopback/rest` surfaces as highest-leverage upgrade
2762
2803
  (27 transitive advisories, worst CRITICAL).
@@ -2764,7 +2805,7 @@ unchanged — consumers can re-derive trivially if needed.
2764
2805
  ## [2.3.1] - 2026-04-24
2765
2806
 
2766
2807
  Patch release fixing three install-robustness issues reported on a
2767
- real vyuhlabs-platform install:
2808
+ real reference-repo install:
2768
2809
 
2769
2810
  ### Fixed
2770
2811
 
@@ -2810,7 +2851,7 @@ real vyuhlabs-platform install:
2810
2851
  Warnings only, no functional impact; would require either switching
2811
2852
  xlsx libraries (breaking) or upstream archiver modernization.
2812
2853
 
2813
- ### Validation on vyuhlabs-platform/userserver
2854
+ ### Validation on the polyglot reference repo
2814
2855
 
2815
2856
  - `vyuh-dxkit tools` reports 12/13 tools found (vitest-coverage
2816
2857
  correctly listed as missing since lb-mocha is in use)
@@ -2883,7 +2924,7 @@ merge → tag → CI-publishes without deviation.
2883
2924
  unions the roots each package was found in; `isTopLevel`
2884
2925
  OR-merges; vulns dedup on `(id, package, installedVersion)`.
2885
2926
  Closes **D001a** — `bom platform/` previously missed
2886
- `platform/userserver/` entirely. Side-benefit: naturally
2927
+ the product subdirectory entirely. Side-benefit: naturally
2887
2928
  addresses **D003** (C# multi-project) since each `.csproj`
2888
2929
  becomes its own root. (10h.5.0b)
2889
2930
 
@@ -3000,7 +3041,7 @@ bump required.
3000
3041
  - **TypeScript pack** — BFS over `package-lock.json` (v2/v3) from
3001
3042
  each root `dependencies` / `devDependencies` entry. Pure parser
3002
3043
  `buildTsTopLevelDepIndex` unit-tested; benchmark on
3003
- `vyuhlabs-platform`: 71/71 findings attributed across 31 vulnerable
3044
+ reference repo: 71/71 findings attributed across 31 vulnerable
3004
3045
  packages, `@loopback/cli` rollup = 29 advisories (matches Snyk UI).
3005
3046
 
3006
3047
  - **Python pack** — BFS over `pip show` graph from packages with empty
@@ -3066,7 +3107,7 @@ bump required.
3066
3107
  `obj/project.assets.json`. Findings still emit; `topLevelDep` stays
3067
3108
  unset.
3068
3109
 
3069
- - Release validated against `vyuhlabs-platform` TypeScript benchmark.
3110
+ - Release validated against the TypeScript reference benchmark.
3070
3111
  Python/Go/Rust/C# packs exercised via fixture-based unit tests
3071
3112
  (+53 new tests across the 4 non-TS language test files); real-world
3072
3113
  validation lands with 2.3.0's cross-ecosystem benchmark fixtures.