@vyuhlabs/dxkit 2.6.0 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (151)
  1. package/CHANGELOG.md +54 -13
  2. package/README.md +208 -459
  3. package/dist/analyzers/bom/discovery.d.ts +3 -4
  4. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  5. package/dist/analyzers/bom/discovery.js +3 -4
  6. package/dist/analyzers/bom/discovery.js.map +1 -1
  7. package/dist/analyzers/bom/types.d.ts +1 -1
  8. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  9. package/dist/analyzers/dashboard/index.js +42 -5
  10. package/dist/analyzers/dashboard/index.js.map +1 -1
  11. package/dist/analyzers/quality/detailed.d.ts +8 -1
  12. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  13. package/dist/analyzers/quality/detailed.js +43 -10
  14. package/dist/analyzers/quality/detailed.js.map +1 -1
  15. package/dist/analyzers/security/detailed.d.ts +8 -1
  16. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  17. package/dist/analyzers/security/detailed.js +14 -1
  18. package/dist/analyzers/security/detailed.js.map +1 -1
  19. package/dist/analyzers/tests/detailed.d.ts +8 -1
  20. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  21. package/dist/analyzers/tests/detailed.js +26 -7
  22. package/dist/analyzers/tests/detailed.js.map +1 -1
  23. package/dist/analyzers/tools/cloc.js +3 -3
  24. package/dist/analyzers/tools/cloc.js.map +1 -1
  25. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  26. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  27. package/dist/analyzers/tools/exclusions.js +27 -13
  28. package/dist/analyzers/tools/exclusions.js.map +1 -1
  29. package/dist/analyzers/tools/graphify.d.ts +39 -5
  30. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  31. package/dist/analyzers/tools/graphify.js +609 -45
  32. package/dist/analyzers/tools/graphify.js.map +1 -1
  33. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  34. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  35. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  36. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  37. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  38. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  39. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  40. package/dist/analyzers/tools/parallel.js +7 -0
  41. package/dist/analyzers/tools/parallel.js.map +1 -1
  42. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  43. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  44. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  45. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  46. package/dist/analyzers/xlsx/licenses.js +7 -7
  47. package/dist/cli.d.ts.map +1 -1
  48. package/dist/cli.js +80 -3
  49. package/dist/cli.js.map +1 -1
  50. package/dist/dashboard/graph-adapter.d.ts +151 -0
  51. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  52. package/dist/dashboard/graph-adapter.js +415 -0
  53. package/dist/dashboard/graph-adapter.js.map +1 -0
  54. package/dist/dashboard/graph-tab.d.ts +109 -0
  55. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  56. package/dist/dashboard/graph-tab.js +297 -0
  57. package/dist/dashboard/graph-tab.js.map +1 -0
  58. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  59. package/dist/explore/cli/api-surface.d.ts +12 -0
  60. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  61. package/dist/explore/cli/api-surface.js +57 -0
  62. package/dist/explore/cli/api-surface.js.map +1 -0
  63. package/dist/explore/cli/communities.d.ts +10 -0
  64. package/dist/explore/cli/communities.d.ts.map +1 -0
  65. package/dist/explore/cli/communities.js +47 -0
  66. package/dist/explore/cli/communities.js.map +1 -0
  67. package/dist/explore/cli/context.d.ts +16 -0
  68. package/dist/explore/cli/context.d.ts.map +1 -0
  69. package/dist/explore/cli/context.js +118 -0
  70. package/dist/explore/cli/context.js.map +1 -0
  71. package/dist/explore/cli/entry-points.d.ts +12 -0
  72. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  73. package/dist/explore/cli/entry-points.js +85 -0
  74. package/dist/explore/cli/entry-points.js.map +1 -0
  75. package/dist/explore/cli/feature.d.ts +16 -0
  76. package/dist/explore/cli/feature.d.ts.map +1 -0
  77. package/dist/explore/cli/feature.js +89 -0
  78. package/dist/explore/cli/feature.js.map +1 -0
  79. package/dist/explore/cli/file.d.ts +12 -0
  80. package/dist/explore/cli/file.d.ts.map +1 -0
  81. package/dist/explore/cli/file.js +139 -0
  82. package/dist/explore/cli/file.js.map +1 -0
  83. package/dist/explore/cli/hot-files.d.ts +11 -0
  84. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  85. package/dist/explore/cli/hot-files.js +63 -0
  86. package/dist/explore/cli/hot-files.js.map +1 -0
  87. package/dist/explore/context-hook.d.ts +42 -0
  88. package/dist/explore/context-hook.d.ts.map +1 -0
  89. package/dist/explore/context-hook.js +131 -0
  90. package/dist/explore/context-hook.js.map +1 -0
  91. package/dist/explore/finding-context.d.ts +69 -0
  92. package/dist/explore/finding-context.d.ts.map +1 -0
  93. package/dist/explore/finding-context.js +102 -0
  94. package/dist/explore/finding-context.js.map +1 -0
  95. package/dist/explore/format.d.ts +64 -0
  96. package/dist/explore/format.d.ts.map +1 -0
  97. package/dist/explore/format.js +99 -0
  98. package/dist/explore/format.js.map +1 -0
  99. package/dist/explore/load.d.ts +50 -0
  100. package/dist/explore/load.d.ts.map +1 -0
  101. package/dist/explore/load.js +197 -0
  102. package/dist/explore/load.js.map +1 -0
  103. package/dist/explore/queries.d.ts +413 -0
  104. package/dist/explore/queries.d.ts.map +1 -0
  105. package/dist/explore/queries.js +855 -0
  106. package/dist/explore/queries.js.map +1 -0
  107. package/dist/explore/types.d.ts +130 -0
  108. package/dist/explore/types.d.ts.map +1 -0
  109. package/dist/explore/types.js +28 -0
  110. package/dist/explore/types.js.map +1 -0
  111. package/dist/explore-cli.d.ts +45 -0
  112. package/dist/explore-cli.d.ts.map +1 -0
  113. package/dist/explore-cli.js +213 -0
  114. package/dist/explore-cli.js.map +1 -0
  115. package/dist/generator.d.ts.map +1 -1
  116. package/dist/generator.js +19 -0
  117. package/dist/generator.js.map +1 -1
  118. package/dist/languages/csharp.d.ts.map +1 -1
  119. package/dist/languages/csharp.js +31 -11
  120. package/dist/languages/csharp.js.map +1 -1
  121. package/dist/languages/go.d.ts.map +1 -1
  122. package/dist/languages/go.js +4 -0
  123. package/dist/languages/go.js.map +1 -1
  124. package/dist/languages/index.d.ts +27 -0
  125. package/dist/languages/index.d.ts.map +1 -1
  126. package/dist/languages/index.js +35 -0
  127. package/dist/languages/index.js.map +1 -1
  128. package/dist/languages/java.d.ts.map +1 -1
  129. package/dist/languages/java.js +4 -0
  130. package/dist/languages/java.js.map +1 -1
  131. package/dist/languages/kotlin.d.ts.map +1 -1
  132. package/dist/languages/kotlin.js +4 -0
  133. package/dist/languages/kotlin.js.map +1 -1
  134. package/dist/languages/python.d.ts.map +1 -1
  135. package/dist/languages/python.js +4 -0
  136. package/dist/languages/python.js.map +1 -1
  137. package/dist/languages/ruby.d.ts.map +1 -1
  138. package/dist/languages/ruby.js +4 -0
  139. package/dist/languages/ruby.js.map +1 -1
  140. package/dist/languages/rust.d.ts.map +1 -1
  141. package/dist/languages/rust.js +4 -0
  142. package/dist/languages/rust.js.map +1 -1
  143. package/dist/languages/types.d.ts +54 -0
  144. package/dist/languages/types.d.ts.map +1 -1
  145. package/dist/languages/typescript.d.ts.map +1 -1
  146. package/dist/languages/typescript.js +5 -1
  147. package/dist/languages/typescript.js.map +1 -1
  148. package/package.json +2 -1
  149. package/templates/.claude/skills/dxkit-action/SKILL.md +21 -1
  150. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  151. package/templates/AGENTS.md.template +8 -1
@@ -11,7 +11,7 @@ This skill takes a dxkit report and drives the fix loop with the user. Reach for
11
11
 
12
12
  ```
13
13
  [1] Read the report → understand what's flagged
14
- [2] Prioritize → severity + reachability + cost
14
+ [2] Prioritize → severity + reachability + blast radius + cost
15
15
  [3] Plan → ordered list of edits
16
16
  [4] Execute → fix one finding at a time
17
17
  [5] Verify → re-run the analyzer, confirm score moved
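Review bot: step [2] now lists blast radius as a co-equal prioritization input next to severity and reachability, but the "Graph context" rules added later in this same file say it is additive only and never overrides severity or reachability (rule 1 treats it as a tie-breaker between findings of similar severity). Make the loop line say that, e.g. `[2] Prioritize → severity + reachability + cost (blast radius breaks ties)`, so an agent that only skims the five-step loop does not rank a LOW finding above a HIGH one on blast radius alone.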
@@ -20,6 +20,14 @@ This skill takes a dxkit report and drives the fix loop with the user. Reach for
20
20
 
21
21
  Don't skip [5]. Re-running the analyzer is the only way to confirm the fix landed correctly.
22
22
 
23
+ For the richest input, read the **detailed** report with graph context attached:
24
+
25
+ ```bash
26
+ npx vyuh-dxkit vulnerabilities --detailed --graph-context # or test-gaps / quality
27
+ ```
28
+
29
+ `--graph-context` adds a "Graph context" column (the module a finding lives in + its blast radius — how many files call into it) so you can plan the fix without separately discovering structure. It's a structural HINT, not ground truth — read "Graph context" below for how to use it safely.
30
+
23
31
  ## Priority order
24
32
 
25
33
  Walk findings in this order (highest to lowest):
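Review bot: the new paragraph does not say what happens when the code graph is unavailable for the repo as a whole (never built, or the language's call graph unresolved): does `--graph-context` error, warn, or silently emit an empty "Graph context" column? The section below covers the per-language `n/a (call graph)` cell, but not the missing-graph case, nor whether a prior graph build is a prerequisite for the flag; one sentence here would save the agent a confused retry. Minor: the bash fence folds the alternatives into a trailing `# or test-gaps / quality` comment; listing the three commands on separate lines is clearer for something meant to be copied.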
@@ -33,6 +41,18 @@ Walk findings in this order (highest to lowest):
33
41
 
34
42
  Skip items where reachability is "no" (graphify can't find a call path) UNLESS the finding is a secret leak (those don't depend on reachability).
35
43
 
44
+ ## Graph context (structural blast radius)
45
+
46
+ When the report was generated with `--graph-context`, each finding carries a "Graph context" cell: the module/role it belongs to and its **blast radius** (`role · N caller files`) — how many other files call into the finding's file. Use it to sharpen prioritization and planning, under three hard rules.
47
+
48
+ **1. Additive only — it never overrides severity or reachability.** Blast radius is a tie-breaker between findings of similar severity, not a re-ranking of the priority list above. Among two HIGH findings, fix the one with the larger blast radius first (more depends on it). A LOW finding never jumps a HIGH one because its blast radius is bigger.
49
+
50
+ **2. A blank or zero blast radius is NOT "safe to change".** The cell reads `blast radius n/a (call graph)` for languages whose call graph the analyzer can't resolve (C# is the known case — cross-assembly references aren't followed, so heavily-used files look like they have zero callers). Treat n/a — and even a literal `0 caller files` — as **unknown**, never as evidence the file is safe to edit freely. When blast radius is n/a, fall back to the module/role label (that part is reliable) and verify callers the normal way (grep / read) before a risky edit. Do **not** deprioritize a real finding just because its blast radius is empty.
51
+
52
+ **3. Confirm the symbol before you act on it.** The context may name an enclosing symbol (the function the finding sits in). It's a best-effort guess (the graph stores declaration lines, not end lines), so open the file and confirm the finding is actually inside that symbol before editing or writing a test against it.
53
+
54
+ Used within those rules, the win is concrete: a high blast radius tells you which caller files to re-check and re-test in step [5] after the fix, and the module label orients you fast. Same-name symbols can inflate the count — a suspiciously huge number is usually conflation, not reality.
55
+
36
56
  ## Common fix recipes
37
57
 
38
58
  ### Secret in code
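Review bot: the conflation caveat in the closing paragraph ("Same-name symbols can inflate the count") undercuts rule 1, which tells the reader to fix the larger-blast-radius HIGH finding first, yet gives no way to tell an inflated count from a real one. Promote it to a fourth hard rule and say what "suspiciously huge" means in practice (for instance a count approaching the repo's file total, or a finding in a file whose symbols have very common names) and how to confirm it (grep for importers of the file rather than callers of the symbol). Also, the hunk shows three different cell formats (`role · N caller files`, `blast radius n/a (call graph)`, `0 caller files`); listing the exact formats once, next to rule 2, would let an agent pattern-match them reliably instead of inferring them from prose.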
@@ -19,7 +19,9 @@ This skill runs dxkit analyzers and reads their output back to the user. It's th
19
19
  | "License inventory" | `npx vyuh-dxkit licenses` | Every dependency's declared license |
20
20
  | "Bill of materials" | `npx vyuh-dxkit bom` | Licenses + dep vulnerabilities joined (15-col XLSX-ready output) |
21
21
  | "Run everything" | `npx vyuh-dxkit report` | Every analyzer in one shot, ~3-5 min |
22
- | "Show me the dashboard" | `npx vyuh-dxkit dashboard` | Single HTML view of all reports — opens at `.dxkit/reports/dashboard.html` |
22
+ | "Show me the dashboard" | `npx vyuh-dxkit dashboard` | Single HTML view of all reports — opens at `.dxkit/reports/dashboard.html`, incl. an interactive **Graph** tab (code structure) |
23
+ | "What does this repo do / where is X" | `npx vyuh-dxkit explore <sub>` | Query the code graph: entry-points / hot-files / communities / file / feature / api-surface |
24
+ | "Token-efficient context for a query" | `npx vyuh-dxkit context <query>` | Slim structural slice for an LLM (also a fix-time hint via `--graph-context`) |
23
25
 
24
26
  ## Where output lands
25
27
 
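Review bot: the `context <query>` row says the command is "also a fix-time hint via `--graph-context`", but in the dxkit-action skill `--graph-context` is a flag on the detailed analyzers (`vulnerabilities --detailed --graph-context`), not on `context`; reword so the row does not read as if `context --graph-context` exists. The two new rows and the dashboard row's new Graph tab also do not say where their output lands (stdout for `explore`/`context`? a graph artifact under `.dxkit/reports/`?), while the "Where output lands" section that follows is left unchanged in this hunk. Finally, the file list vendors `dist/dashboard/vendor/vis-network.min.js` for the Graph tab; the dashboard row or the changelog should record the vis-network version and license, since anyone auditing the generated `dashboard.html` will want to know what third-party script it carries.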
@@ -114,12 +114,19 @@ Reach for the relevant skill when working in this repo. They wrap the `vyuh-dxki
114
114
  | Test coverage gaps | `npx vyuh-dxkit test-gaps` |
115
115
  | Code quality + slop | `npx vyuh-dxkit quality` |
116
116
  | Bill of materials | `npx vyuh-dxkit bom` |
117
- | Dashboard (HTML) | `npx vyuh-dxkit dashboard` |
117
+ | Dashboard (HTML, incl. interactive Graph tab) | `npx vyuh-dxkit dashboard` |
118
+ | What does this repo do / where does X live | `npx vyuh-dxkit explore <sub>` |
119
+ | Token-efficient structural context for a query | `npx vyuh-dxkit context <query>` |
118
120
  | Guardrail check (baseline diff) | `npx vyuh-dxkit guardrail check` |
119
121
  | Doctor (verify setup) | `npx vyuh-dxkit doctor` |
120
122
 
121
123
  The pre-push hook runs `guardrail check` automatically — blocks net-new regressions before they leave your machine.
122
124
 
125
+ When fixing findings, run the detailed report with `--graph-context`
126
+ (e.g. `npx vyuh-dxkit vulnerabilities --detailed --graph-context`) — it
127
+ attaches each finding's module + blast radius so you can navigate by the
128
+ code graph instead of repeated whole-file reads.
129
+
123
130
  ## Security rules — never violate
124
131
 
125
132
  1. **Never output, log, or commit secrets** — no API keys, tokens, passwords, or credentials in code, commits, or files Claude writes
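Review bot: the added paragraph after the pre-push hook sentence frames `--graph-context` as a way to navigate "instead of repeated whole-file reads", which sits awkwardly with rule 3 of the dxkit-action skill shipped in this same release (the enclosing symbol is a best-effort guess; open the file and confirm before editing) and with rule 2 (an empty or zero blast radius is unknown, not safe). Suggest "to decide which files to open first, not to skip reading a file before editing it", otherwise an agent working from AGENTS.md alone will edit on the strength of the hint. Minor: the two new table rows use `<sub>` and `<query>` placeholders without naming the subcommands, unlike the dxkit-reports skill table; either enumerate them here or point at that skill.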