@vyuhlabs/dxkit 2.6.0 → 2.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -13
- package/README.md +208 -459
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +3 -3
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +80 -3
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +31 -11
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +4 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +4 -0
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +4 -0
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +4 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +4 -0
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +4 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +54 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +5 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +21 -1
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
package/README.md
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
1
|
# dxkit
|
|
2
2
|
|
|
3
|
-
**AI
|
|
3
|
+
**AI writes the code. dxkit helps ship it clean.**
|
|
4
4
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
5
|
+
_Deterministic guardrails for any codebase. Brownfield-friendly by default._
|
|
6
|
+
|
|
7
|
+
dxkit scores your codebase deterministically, baselines today's findings, and gates every push against net-new regressions. It ships conversational skills that walk agents (and humans) through fixes. Existing tech debt stays grandfathered. Nothing runs on an LLM. Everything runs locally.
|
|
8
|
+
|
|
9
|
+
<p align="center">
|
|
10
|
+
<img src=".github/assets/guardrail-demo.gif" width="760" alt="A git push blocked by the dxkit pre-push guardrail: 2 net-new regressions block the push while 644 pre-existing findings stay grandfathered." />
|
|
11
|
+
</p>
|
|
10
12
|
|
|
11
13
|
```bash
|
|
12
14
|
npm init @vyuhlabs/dxkit
|
|
@@ -18,98 +20,73 @@ npm init @vyuhlabs/dxkit
|
|
|
18
20
|
</a>
|
|
19
21
|
<img alt="license" src="https://img.shields.io/github/license/vyuh-labs/dxkit">
|
|
20
22
|
<img alt="deterministic" src="https://img.shields.io/badge/scoring-deterministic-blue">
|
|
21
|
-
<img alt="local-first" src="https://img.shields.io/badge/local-first-green">
|
|
22
23
|
<img alt="brownfield" src="https://img.shields.io/badge/brownfield-baseline%20guardrails-orange">
|
|
23
|
-
<img alt="
|
|
24
|
+
<img alt="local-first" src="https://img.shields.io/badge/local-first-green">
|
|
24
25
|
</p>
|
|
25
26
|
|
|
26
27
|
---
|
|
27
28
|
|
|
28
29
|
## The problem
|
|
29
30
|
|
|
30
|
-
|
|
31
|
+
Codebases drift downward in slow ways that tests do not catch.
|
|
32
|
+
|
|
33
|
+
A typical Friday. Your team ships a fix. CI passes. Review approves. Two weeks later, an auditor finds a new hardcoded secret in the diff, three new untested branches, and a previously-clean file that grew to 800 lines with three TODOs sprinkled in. None of it failed a test, because no test covered those things.
|
|
34
|
+
|
|
35
|
+
Now multiply this by every AI agent your team uses. Agents write more code than humans can review. Some of it is fine. Some of it is slop that looks fine but quietly degrades the codebase.
|
|
36
|
+
|
|
37
|
+
The conventional fix is "block any new finding via static analysis." That fails on real codebases for a predictable reason:
|
|
31
38
|
|
|
32
|
-
- The
|
|
33
|
-
|
|
34
|
-
- The agent has no project-specific context — your conventions are
|
|
35
|
-
tribal knowledge it can't access.
|
|
36
|
-
- Strict gates assume a clean codebase. Real codebases have years of
|
|
37
|
-
debt, and absolute gates either get disabled or block every PR.
|
|
38
|
-
- Most "AI code review" tools rely on another LLM to grade the work —
|
|
39
|
-
non-deterministic, gameable, and a black box.
|
|
40
|
-
- Bad agent changes silently land because the only enforcement is
|
|
41
|
-
human attention.
|
|
39
|
+
- Block every finding, and your 5-year-old repo lights up with hundreds of pre-existing issues. The team disables the gate within a week.
|
|
40
|
+
- Block no findings, and the gate is theater. Nothing changes.
|
|
42
41
|
|
|
43
|
-
|
|
44
|
-
the grading path.
|
|
42
|
+
You need an objective gate that only fires on what is actually new. That is the gap dxkit fills.
|
|
45
43
|
|
|
46
44
|
---
|
|
47
45
|
|
|
48
|
-
##
|
|
46
|
+
## How dxkit solves it
|
|
49
47
|
|
|
50
|
-
|
|
51
|
-
npm init @vyuhlabs/dxkit
|
|
52
|
-
```
|
|
48
|
+
Three ideas working together.
|
|
53
49
|
|
|
54
|
-
|
|
55
|
-
`@vyuhlabs/dxkit` as a devDep and runs `vyuh-dxkit init --full --yes`.
|
|
56
|
-
The full install lands a coordinated set of pieces:
|
|
50
|
+
### 1. Capture today's state as a baseline
|
|
57
51
|
|
|
58
|
-
|
|
59
|
-
.devcontainer/ Reproducible environment — per-stack pinned
|
|
60
|
-
toolchains (only the languages your project
|
|
61
|
-
uses), dxkit's scanner toolchain auto-installed,
|
|
62
|
-
install scripts for AI agent CLIs (auth stays
|
|
63
|
-
user-owned).
|
|
64
|
-
.githooks/ pre-push guardrail hook (pre-commit opt-in via
|
|
65
|
-
--with-precommit-hook). Postinstall auto-
|
|
66
|
-
activates `core.hooksPath` so teammates who
|
|
67
|
-
clone + `npm install` get hooks wired too.
|
|
68
|
-
.github/workflows/ PR-gate workflow + post-merge baseline-refresh
|
|
69
|
-
workflow (refresh runs only after the PR-gate
|
|
70
|
-
passes — see "Safety + trust" below).
|
|
71
|
-
AGENTS.md Open-standard project context file read by
|
|
72
|
-
Claude Code, Codex, Cursor, Aider, and any
|
|
73
|
-
AGENTS.md-compliant agent.
|
|
74
|
-
CLAUDE.md Claude Code shim that points at AGENTS.md.
|
|
75
|
-
.claude/skills/ Nine dxkit-* skills covering the full lifecycle:
|
|
76
|
-
learn / init / config / hooks / reports /
|
|
77
|
-
action / fix / update / onboard. Claude Code
|
|
78
|
-
auto-discovers via skill frontmatter.
|
|
79
|
-
.dxkit/ reports, baselines, and (optional) policy.
|
|
80
|
-
.vyuh-dxkit.json install manifest.
|
|
81
|
-
```
|
|
52
|
+
Before dxkit blocks anything, it snapshots every existing finding in your repo and fingerprints them. The fingerprints survive renames, line shifts from formatter runs, and small unrelated edits. Cross-tool overlaps (gitleaks and semgrep flagging the same line) collapse to one finding.
|
|
82
53
|
|
|
83
|
-
|
|
54
|
+
From this moment forward, the gate only fires on net-new regressions. Your existing debt is grandfathered. The team fixes old issues at their own pace. The gate stays useful because it stays reasonable.
|
|
84
55
|
|
|
85
|
-
|
|
86
|
-
vyuh-dxkit baseline create # capture today's state
|
|
87
|
-
git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
|
|
88
|
-
git commit -m "chore: enable dxkit guardrails"
|
|
89
|
-
```
|
|
56
|
+
Three modes for the baseline file:
|
|
90
57
|
|
|
91
|
-
|
|
58
|
+
- `committed-full`: rich entries committed to git. Default for private repos.
|
|
59
|
+
- `committed-sanitized`: stripped to fingerprint plus kind. For compliance-conscious teams.
|
|
60
|
+
- `ref-based`: no committed file at all. Prior side recomputed from a git ref via `git worktree add`. Default for public repos. Zero disclosure surface.
|
|
92
61
|
|
|
93
|
-
|
|
94
|
-
opt-in via `--with-precommit-hook` — slow on large repos until
|
|
95
|
-
scoped incremental scanning lands).
|
|
96
|
-
- Every PR is gated by GitHub Actions, which posts a markdown summary
|
|
97
|
-
as a comment.
|
|
98
|
-
- After the PR-gate workflow passes and the PR merges, the baseline
|
|
99
|
-
is refreshed so the next PR is gated against the up-to-date state.
|
|
62
|
+
### 2. Score the codebase deterministically
|
|
100
63
|
|
|
101
|
-
|
|
64
|
+
dxkit produces a 0 to 100 score across six dimensions: Security, Code Quality, Tests, Documentation, Maintainability, Developer Experience.
|
|
102
65
|
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
66
|
+
The score has four properties:
|
|
67
|
+
|
|
68
|
+
| Property | What it means |
|
|
69
|
+
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
70
|
+
| **Deterministic** | Same code yields the same score every time. No LLM in the grading path. Reproducible across machines, runs, and CI. Auditable. |
|
|
71
|
+
| **Comparable** | Two codebases of similar quality produce similar scores. Surface tricks do not move the needle. Adding empty comments does not improve Documentation if the code is not actually documented. |
|
|
72
|
+
| **Severity-weighted** | A critical security finding moves the score far more than a TODO comment. Penalties are anchored to real-world impact via CVSS for security and ratio thresholds for tests, coverage, file size, and other dimensions. |
|
|
73
|
+
| **Actionable** | Every deduction names the file, the line, and the recommended fix. Output is structured JSON. Agents and humans read the same thing. The "what to do next" lives in the score itself. |
|
|
74
|
+
|
|
75
|
+
### 3. Fix findings at reduced token cost
|
|
76
|
+
|
|
77
|
+
Detection is only half the job. dxkit builds a deterministic code graph of the repo (its symbols, call edges, and clustered modules), so fixing is cheap too. A coding agent works from that structure ("what calls this? what breaks if I change it?") instead of re-reading whole files, and every finding in a detailed report already carries its blast radius: the files that depend on it. The `dxkit-action` skill runs the fix, re-scores, and confirms the gate clears. Same result, far fewer tokens.
|
|
78
|
+
|
|
79
|
+
### What you get from the combination
|
|
80
|
+
|
|
81
|
+
A score on its own is a number. A baseline on its own grandfathers the past. Together they produce an objective stop signal you can trust.
|
|
82
|
+
|
|
83
|
+
```text
|
|
84
|
+
Today: 16/100 E 644 findings, all baselined
|
|
85
|
+
Next PR: 16/100 E 644 persisted, 0 new. Gate passes.
|
|
86
|
+
Bad PR: 14/100 E 644 persisted, 2 new high-severity. Gate blocks.
|
|
108
87
|
```
|
|
109
88
|
|
|
110
|
-
|
|
111
|
-
> are never destroyed. dxkit detects them and writes sidecar `.dxkit`
|
|
112
|
-
> files with merge instructions. `--force` overrides if you want.
|
|
89
|
+
The score does not lie. The baseline keeps it useful on real codebases. The combination works the same for humans, AI agents, and CI runners. That is the part that scales. And once the gate fires, the code graph makes acting on it cheap: agents fix from the structure rather than reading file after file.
|
|
113
90
|
|
|
114
91
|
---
|
|
115
92
|
|
|
@@ -117,479 +94,251 @@ rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
|
|
|
117
94
|
|
|
118
95
|
```text
|
|
119
96
|
$ npm init @vyuhlabs/dxkit
|
|
120
|
-
✓ Created:
|
|
97
|
+
✓ Created: 14 files
|
|
121
98
|
✓ Git hooks: installed 1 file(s)
|
|
99
|
+
.githooks/pre-push
|
|
122
100
|
✓ Devcontainer: installed 3 file(s)
|
|
123
101
|
✓ CI guardrails workflow: installed 1 file(s)
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
✓ Wrote .dxkit/baselines/main.json — 89 findings (32s)
|
|
128
|
-
```
|
|
102
|
+
.github/workflows/dxkit-guardrails.yml
|
|
103
|
+
✓ Done! Claude Code now has full project context.
|
|
104
|
+
→ Next: run `vyuh-dxkit baseline create` to capture today's state.
|
|
129
105
|
|
|
130
|
-
|
|
131
|
-
|
|
106
|
+
$ npx vyuh-dxkit baseline create
|
|
107
|
+
→ Baseline mode=committed-full (auto: visibility not detectable via gh; defaulting to private posture)
|
|
108
|
+
✓ Wrote .dxkit/baselines/main.json — 644 findings, salt: deterministic (208.9s)
|
|
132
109
|
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
to confirm nothing regressed. Show me what you did.
|
|
110
|
+
$ npx vyuh-dxkit guardrail check
|
|
111
|
+
## Guardrail: PASSED
|
|
112
|
+
No changes from baseline (644 pairs checked).
|
|
137
113
|
```
|
|
138
114
|
|
|
139
|
-
|
|
115
|
+
Later, an innocent-looking PR slips in a regression. The pre-push hook fires:
|
|
140
116
|
|
|
141
117
|
```text
|
|
142
|
-
$
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
Summary
|
|
155
|
-
Pairs: 91 (blocking: 2, warning: 0, persisted: 89, resolved: 0)
|
|
156
|
-
Verdict: BLOCKED
|
|
157
|
-
Exit: 1
|
|
118
|
+
$ git push
|
|
119
|
+
[hook] vyuh-dxkit guardrail check
|
|
120
|
+
## Guardrail: BLOCKED
|
|
121
|
+
2 new regressions found.
|
|
122
|
+
|
|
123
|
+
| Status | Kind | Severity | Location | Reason |
|
|
124
|
+
|---|---|---|---|---|
|
|
125
|
+
| added | secret | high | src/config/secrets.ts:42 | gitleaks/aws-access-key |
|
|
126
|
+
| added | code | medium | src/handlers/exec.ts:17 | semgrep/eval-use |
|
|
127
|
+
|
|
128
|
+
644 pre-existing findings persisted. Only the new changes blocked you.
|
|
129
|
+
Fix or allowlist with `npx vyuh-dxkit allowlist add ...`
|
|
158
130
|
```
|
|
159
131
|
|
|
160
|
-
The
|
|
161
|
-
|
|
162
|
-
```text
|
|
163
|
-
$ vyuh-dxkit guardrail check
|
|
164
|
-
Guardrail PASSED — 0 new regressions
|
|
165
|
-
|
|
166
|
-
Summary
|
|
167
|
-
Pairs: 89 (blocking: 0, warning: 0, persisted: 89, resolved: 0)
|
|
168
|
-
Verdict: PASSED
|
|
169
|
-
Exit: 0
|
|
170
|
-
```
|
|
132
|
+
The 644 pre-existing findings sit quietly. The 2 net-new ones stop the push.
|
|
171
133
|
|
|
172
134
|
---
|
|
173
135
|
|
|
174
|
-
##
|
|
136
|
+
## Features
|
|
175
137
|
|
|
176
|
-
|
|
177
|
-
# Canonical first install — collapses install + scaffold into one step
|
|
178
|
-
npm init @vyuhlabs/dxkit
|
|
179
|
-
|
|
180
|
-
# Or install dxkit globally + scaffold manually
|
|
181
|
-
npm install -g @vyuhlabs/dxkit
|
|
182
|
-
vyuh-dxkit init --full
|
|
183
|
-
vyuh-dxkit baseline create
|
|
184
|
-
vyuh-dxkit guardrail check --changed-only
|
|
185
|
-
|
|
186
|
-
# Upgrade an existing install later
|
|
187
|
-
vyuh-dxkit upgrade # plan + execute combined
|
|
188
|
-
```
|
|
189
|
-
|
|
190
|
-
À la carte if you only want specific pieces:
|
|
191
|
-
|
|
192
|
-
```bash
|
|
193
|
-
vyuh-dxkit init --with-dxkit-agents # just the nine dxkit-* skills + AGENTS.md
|
|
194
|
-
vyuh-dxkit init --with-hooks # just the pre-push hook
|
|
195
|
-
vyuh-dxkit init --with-precommit-hook # add the pre-commit hook (opt-in; slow on large repos)
|
|
196
|
-
vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
|
|
197
|
-
vyuh-dxkit init --with-ci # just the PR-gate workflow
|
|
198
|
-
vyuh-dxkit init --with-baseline-refresh # just the auto-refresh
|
|
199
|
-
vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)
|
|
200
|
-
```
|
|
201
|
-
|
|
202
|
-
Post-install, two more CLIs polish the safety surface:
|
|
138
|
+
### Eight first-class language packs
|
|
203
139
|
|
|
204
|
-
|
|
205
|
-
vyuh-dxkit setup-branch-protection # mark dxkit-guardrails as required check on default branch
|
|
206
|
-
vyuh-dxkit setup-prebuild # configure Codespaces prebuild (cold-start ~7 min → ~30s)
|
|
207
|
-
```
|
|
140
|
+
TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby. Each pack ships per-ecosystem analyzers: semgrep rulesets, dep-vuln scanners, license tools, lint adapters. Polyglot repos get unified reports without configuration.
|
|
208
141
|
|
|
209
|
-
|
|
142
|
+
<details>
|
|
143
|
+
<summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
|
|
210
144
|
|
|
211
|
-
|
|
145
|
+
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
146
|
+
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
147
|
+
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
148
|
+
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
149
|
+
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
150
|
+
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
151
|
+
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
|
|
152
|
+
| Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
|
|
153
|
+
| Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
|
|
154
|
+
| Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
|
|
212
155
|
|
|
213
|
-
|
|
214
|
-
|
|
156
|
+
¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
|
|
157
|
+
file-level resolver is a no-op. Downstream analyses that need an edge graph
|
|
158
|
+
(reachability, import-graph test-gap credit) degrade to conservative
|
|
159
|
+
defaults for those packs. Resolvers are tracked on the [roadmap](docs/roadmap.md).
|
|
215
160
|
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
| Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
|
|
161
|
+
² C# uses `dotnet-format` for formatting violations only. A real
|
|
162
|
+
severity-tiered C# linter (Roslyn analyzers or StyleCop) is on the
|
|
163
|
+
roadmap. Today every C# formatting violation is counted at `low` tier
|
|
164
|
+
so it does not inflate the Code Quality score.
|
|
221
165
|
|
|
222
|
-
|
|
166
|
+
</details>
|
|
223
167
|
|
|
224
|
-
|
|
225
|
-
| ------------------- | ----------------------------------------- | ---------- |
|
|
226
|
-
| `added` | Net-new finding introduced by this change | **blocks** |
|
|
227
|
-
| `relocated` | Same finding, moved (line drift, rename) | passes |
|
|
228
|
-
| `persisted` | Same finding, same place — pre-existing | passes |
|
|
229
|
-
| `removed` / `fixed` | Was there, now gone | passes |
|
|
230
|
-
| `tooling_drift` | New only because scanner version changed | warns |
|
|
231
|
-
| `config_drift` | New only because dxkit config changed | warns |
|
|
232
|
-
| `uncertain` | Below confidence threshold | warns |
|
|
168
|
+
### The matcher
|
|
233
169
|
|
|
234
|
-
|
|
235
|
-
auto-discovered when present, compiled-in defaults otherwise.
|
|
170
|
+
Multi-axis fingerprints (location, domain, content, semantic) pair findings across runs even when files were renamed, lines shifted, tools changed versions, or the branch was force-pushed. When location fails, the matcher falls back to git-aware diff lookup, then content hash, then identity-only multiset match. Every pair carries a confidence score and a reason chain.
|
|
236
171
|
|
|
237
|
-
###
|
|
172
|
+
### Per-finding suppression
|
|
238
173
|
|
|
239
|
-
|
|
240
|
-
disclosure surface matters: a `committed-full` baseline tells anyone
|
|
241
|
-
reading the repo which file/line each finding lives on, which
|
|
242
|
-
private packages you depend on, and which advisory IDs you're
|
|
243
|
-
sitting on unpatched. dxkit ships three modes:
|
|
174
|
+
Five typed categories: `false-positive`, `test-fixture`, `mitigated-externally`, `accepted-risk`, `deferred`. Each entry requires a reason. Categories that fade over time require an expiry.
|
|
244
175
|
|
|
245
|
-
|
|
246
|
-
| --------------------- | -------------------------------------------------------- | ---------------- |
|
|
247
|
-
| `committed-full` | Rich entries (file/line/rule/package/advisory) | private repos |
|
|
248
|
-
| `committed-sanitized` | Stripped to `{ id, kind }` per finding | opt-in |
|
|
249
|
-
| `ref-based` | No file — guardrail recomputes prior side from a git ref | public repos |
|
|
176
|
+
Two surfaces:
|
|
250
177
|
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
`.dxkit/policy.json`:
|
|
178
|
+
- Inline annotations: `// dxkit-allow:test-fixture reason="example placeholder"`
|
|
179
|
+
- File-level: `.dxkit/allowlist.json`, audited via `vyuh-dxkit allowlist audit`
|
|
254
180
|
|
|
255
|
-
|
|
256
|
-
{ "baseline": { "mode": "ref-based", "ref": "origin/main" } }
|
|
257
|
-
```
|
|
181
|
+
Orphaned annotations become their own findings. The TypeScript `@ts-expect-error` model applied to suppressions. Prevents the graveyard of stale allowlist entries.
|
|
258
182
|
|
|
259
|
-
|
|
260
|
-
across all three modes — sanitization only strips human-readable
|
|
261
|
-
locators, it doesn't change which findings pair across runs. See
|
|
262
|
-
[docs/commands/baseline.md](docs/commands/baseline.md#modes) for the
|
|
263
|
-
full trade-off discussion.
|
|
183
|
+
### AI-agent integration
|
|
264
184
|
|
|
265
|
-
|
|
185
|
+
dxkit ships nine Claude Code skills under `.claude/skills/dxkit-*`. They wrap the CLI in conversational flows:
|
|
266
186
|
|
|
267
|
-
|
|
187
|
+
| Skill | What it does |
|
|
188
|
+
| -------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
|
|
189
|
+
| `dxkit-onboard` | Walks a customer through the full first-install journey |
|
|
190
|
+
| `dxkit-reports` | Runs analyzers and explains the output |
|
|
191
|
+
| `dxkit-action` | Reads a report, prioritizes findings, plans and runs fixes, re-verifies |
|
|
192
|
+
| `dxkit-fix` | Repairs a broken install from doctor output |
|
|
193
|
+
| `dxkit-hooks`, `dxkit-config`, `dxkit-learn`, `dxkit-update`, `dxkit-init` | Focused flows |
|
|
268
194
|
|
|
269
|
-
The
|
|
270
|
-
mess is grandfathered; tomorrow's must be net-new improvement").
|
|
271
|
-
For per-finding decisions — false positives, intentional test
|
|
272
|
-
fixtures, externally-mitigated risks, deliberately deferred work —
|
|
273
|
-
use the [allowlist](docs/commands/allowlist.md).
|
|
195
|
+
`AGENTS.md` (the open standard read by Codex, Cursor, Aider, and others) also ships in every install. The skill flows are Claude Code-specific today; the AGENTS.md context is portable.
|
|
274
196
|
|
|
275
|
-
|
|
197
|
+
Why this matters for AI workflows: when an agent fixes a bug, you need an objective signal that says "yes, fixed cleanly" or "fix introduced four new regressions." dxkit's deterministic score plus baseline guardrail produces that signal. The agent reads the same JSON envelope a human reads, runs the verify step itself, and stops when clean.
|
|
276
198
|
|
|
277
|
-
|
|
278
|
-
| ---------------------- | ------------------------------------------------- | ------------------------------ |
|
|
279
|
-
| `false-positive` | Scanner is wrong about this finding | Optional |
|
|
280
|
-
| `test-fixture` | Intentional pattern in fixture / test code | Optional |
|
|
281
|
-
| `mitigated-externally` | Real risk neutralized at runtime (WAF, env, etc.) | Optional |
|
|
282
|
-
| `accepted-risk` | Real risk, team accepts, signed off | **Required** (default 90 days) |
|
|
283
|
-
| `deferred` | Real, will fix later, tracked work | **Required** |
|
|
199
|
+
### Code-graph context: fix at reduced token cost
|
|
284
200
|
|
|
285
|
-
|
|
201
|
+
dxkit builds a deterministic code graph of your repo (its symbols, call edges, and clustered modules) using graphify (the `graphifyy` Python package). What matters is what an agent does with it. Instead of discovering structure by grepping around and reading whole files, the agent gets just the relevant slice:
|
|
286
202
|
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
203
|
+
- **`vyuh-dxkit context <query>`** (and an opt-in PreToolUse hook) hand an agent a slim structural map: the relevant symbols, where they live, and what calls them. It navigates by the graph instead of re-reading files, which is the same work at a fraction of the tokens.
|
|
204
|
+
- **`--graph-context`** writes each finding's module and blast radius (which files call into it) straight into the detailed report, so the `dxkit-action` fix skill can plan the change, and know which callers to re-test, without rediscovering structure first.
|
|
205
|
+
- **`vyuh-dxkit explore`** and a dashboard graph tab let humans ask the same graph what the repo does, where a feature lives, and which files are load-bearing.
|
|
290
206
|
|
|
291
|
-
|
|
292
|
-
suppression that needs an expiry. New entries appear in the PR-
|
|
293
|
-
comment automation so reviewers see suppressions being introduced
|
|
294
|
-
and can sanity-check the rationale before approving. `audit` /
|
|
295
|
-
`prune` subcommands handle stale + soon-to-expire entries.
|
|
207
|
+
This is an additive, fail-open layer. When the graph is missing, or a language's call edges can't be resolved, every command behaves exactly as it did before. It's reliable on TypeScript, Python, and Go. Where the call graph can't be resolved (C#), blast radius is suppressed rather than faked, so a "no callers" reading is never mistaken for "safe to change."
|
|
296
208
|
|
|
297
|
-
|
|
298
|
-
`stale-allow` findings on the next scan. dxkit refuses to allowlist
|
|
299
|
-
those — the only remediation is to remove the annotation. This is
|
|
300
|
-
the TypeScript `@ts-expect-error` pattern: tools that surface their
|
|
301
|
-
own stale suppressions force cleanup, preventing the annotation
|
|
302
|
-
graveyard.
|
|
209
|
+
### Reproducible environments
|
|
303
210
|
|
|
304
|
-
|
|
305
|
-
# The block message from `guardrail check` prints the exact command
|
|
306
|
-
# to paste for any blocked finding — file:line for inline-compatible
|
|
307
|
-
# kinds, --fingerprint for everything else.
|
|
308
|
-
vyuh-dxkit allowlist add src/auth/oauth.ts:42 \
|
|
309
|
-
--category=test-fixture --reason="placeholder in unit test"
|
|
211
|
+
Per-stack devcontainer with only the languages your project uses. Scanner toolchain auto-installed. Install scripts for AI agent CLIs (auth stays user-owned). Codespaces prebuilds wire via `vyuh-dxkit setup-prebuild` so cold-start drops from ~7 minutes to ~30 seconds.
|
|
310
212
|
|
|
311
|
-
|
|
312
|
-
```
|
|
213
|
+
### Public-repo safe baselines
|
|
313
214
|
|
|
314
|
-
|
|
315
|
-
full surface.
|
|
215
|
+
The `ref-based` mode commits no baseline file. The guardrail check recomputes the prior side at check time from a git ref via `git worktree add`. Zero disclosure surface. File paths, package names, and advisory IDs all stay out of git. Auto-picked for public repos via `gh repo view --json visibility`.
|
|
316
216
|
|
|
317
217
|
---
|
|
318
218
|
|
|
319
|
-
##
|
|
320
|
-
|
|
321
|
-
A regression check is only useful if the matcher can tell _old issue
|
|
322
|
-
that moved_ from _new issue that appeared_. Line numbers alone aren't
|
|
323
|
-
stable — add a 20-line comment block at the top of a file and every
|
|
324
|
-
issue below it "moves."
|
|
325
|
-
|
|
326
|
-
dxkit uses layered identity, in priority order:
|
|
327
|
-
|
|
328
|
-
1. **Domain fingerprints** for entities whose identity is intrinsic:
|
|
329
|
-
- dependency vulnerabilities → `(package, version, advisory-id)`
|
|
330
|
-
- secrets → `(scanner-rule, fingerprint(value))` so a leaked
|
|
331
|
-
token recognises itself when moved
|
|
332
|
-
- licenses → `(package, version, license-type)`
|
|
333
|
-
- duplicate blocks → normalized content hash
|
|
334
|
-
2. **Location fingerprints** with a 3-line bucket for code findings.
|
|
335
|
-
3. **Git-aware line mapping** across commits, including `-M` file
|
|
336
|
-
renames and ±2 line fuzz windows.
|
|
337
|
-
4. **Content-hash fallback** when git history isn't reachable
|
|
338
|
-
(shallow clones, archived snapshots).
|
|
339
|
-
|
|
340
|
-
Every match pair carries a **confidence in [0, 1]** and structured
|
|
341
|
-
**reasons** (`exact-id`, `git-line-exact`, `git-line-fuzz`,
|
|
342
|
-
`git-rename`, `content-hash`, ...). No LLM in the grading path —
|
|
343
|
-
the matcher and classifier are deterministic over normalized
|
|
344
|
-
analyzer input; the same inputs produce the same classifications.
|
|
345
|
-
|
|
346
|
-
---
|
|
219
|
+
## Quickstart
|
|
347
220
|
|
|
348
|
-
|
|
221
|
+
```bash
|
|
222
|
+
# Canonical first install
|
|
223
|
+
npm init @vyuhlabs/dxkit
|
|
349
224
|
|
|
350
|
-
|
|
351
|
-
|
|
225
|
+
# Capture today's state
|
|
226
|
+
npx vyuh-dxkit baseline create
|
|
352
227
|
|
|
353
|
-
|
|
354
|
-
|
|
355
|
-
features — small image footprint, fast Codespaces prebuild.
|
|
356
|
-
- `post-create.sh` runs `vyuh-dxkit tools install --yes` to provision
|
|
357
|
-
the scanner toolchain pinned in dxkit's registry (gitleaks, semgrep,
|
|
358
|
-
cloc, jscpd, ruff, osv-scanner, and more — language-aware, only the
|
|
359
|
-
ones your stack needs).
|
|
360
|
-
- Install scripts for the AI coding-agent CLIs you want available
|
|
361
|
-
inside the container. The scripts only install the binaries — auth
|
|
362
|
-
remains user-owned and is never baked into the image.
|
|
363
|
-
- Every piece is a regular script you can edit after install.
|
|
228
|
+
# Verify the install
|
|
229
|
+
npx vyuh-dxkit doctor
|
|
364
230
|
|
|
365
|
-
|
|
231
|
+
# Commit and ship
|
|
232
|
+
git add . && git commit -m "chore: enable dxkit" && git push
|
|
366
233
|
|
|
367
|
-
|
|
234
|
+
# Optional but recommended
|
|
235
|
+
npx vyuh-dxkit setup-branch-protection # mark guardrail as required CI check
|
|
236
|
+
npx vyuh-dxkit setup-prebuild # Codespaces prebuild
|
|
237
|
+
```
|
|
368
238
|
|
|
369
|
-
|
|
370
|
-
analyzers across eight language packs (Python, TypeScript, Go, Rust,
|
|
371
|
-
C#, Kotlin, Java, Ruby), with graceful degradation when a tool isn't
|
|
372
|
-
available for your stack:
|
|
373
|
-
|
|
374
|
-
| Command | Question it answers |
|
|
375
|
-
| ----------------- | ------------------------------------------------------------------------------------- |
|
|
376
|
-
| `health` | "What's the overall shape of this codebase?" — 6-dimension score |
|
|
377
|
-
| `vulnerabilities` | "What security issues are there?" — secrets, SAST, dependency audit, EPSS/KEV context |
|
|
378
|
-
| `test-gaps` | "Which untested files are riskiest?" |
|
|
379
|
-
| `quality` | "Where's the technical debt + duplication?" |
|
|
380
|
-
| `bom` | "Full dependency × license × CVE × upgrade view" (license columns: 5 packs today) |
|
|
381
|
-
| `licenses` | "What licenses are in my dependency tree?" (TS, Python, Go, Rust, C# today) |
|
|
382
|
-
| `dev-report` | "Who's working on what, where are the hot files?" |
|
|
383
|
-
| `dashboard` | "Single HTML view of everything I've run" |
|
|
384
|
-
| `report` | Run every analyzer + dashboard in one shot |
|
|
385
|
-
|
|
386
|
-
Composable aggregate gates apply to every analyzer:
|
|
239
|
+
À la carte if you only want specific pieces:
|
|
387
240
|
|
|
388
241
|
```bash
|
|
389
|
-
vyuh-dxkit
|
|
390
|
-
vyuh-dxkit
|
|
391
|
-
vyuh-dxkit
|
|
242
|
+
npx vyuh-dxkit init --with-dxkit-agents # just the nine Claude skills + AGENTS.md
|
|
243
|
+
npx vyuh-dxkit init --with-hooks # just the pre-push hook
|
|
244
|
+
npx vyuh-dxkit init --with-precommit-hook # add pre-commit (slow on large repos)
|
|
245
|
+
npx vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
|
|
246
|
+
npx vyuh-dxkit init --with-ci # just the PR-gate workflow
|
|
392
247
|
```
|
|
393
248
|
|
|
394
|
-
|
|
395
|
-
banner so consumers can version-gate.
|
|
396
|
-
|
|
397
|
-
<details>
|
|
398
|
-
<summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
|
|
399
|
-
|
|
400
|
-
| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
|
|
401
|
-
| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
|
|
402
|
-
| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
|
|
403
|
-
| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
|
|
404
|
-
| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
|
|
405
|
-
| Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
|
|
406
|
-
| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
|
|
407
|
-
| Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
|
|
408
|
-
| Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
|
|
409
|
-
| Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
|
|
249
|
+
---
|
|
410
250
|
|
|
411
|
-
|
|
412
|
-
file-level resolver is a no-op. Downstream analyses that need an edge graph
|
|
413
|
-
(reachability, import-graph test-gap credit) degrade to conservative
|
|
414
|
-
defaults for those packs; resolvers are tracked on the roadmap.
|
|
251
|
+
## What dxkit analyzes
|
|
415
252
|
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
253
|
+
| Dimension | Tools | What it catches |
|
|
254
|
+
| -------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
|
|
255
|
+
| Security | gitleaks, semgrep, osv-scanner, npm-audit, pip-audit, govulncheck, cargo-audit, dotnet vulnerable, bundle-audit | Secrets, dep vulnerabilities, insecure patterns, TLS bypass |
|
|
256
|
+
| Code Quality | cloc, jscpd, graphify, lint adapters | File size, duplication, complexity, hygiene markers |
|
|
257
|
+
| Tests | coverage adapters per pack, test-file detector | Missing tests, degraded tests, coverage gaps |
|
|
258
|
+
| Documentation | doc-comment ratio, README presence | Inline doc coverage, project-level docs |
|
|
259
|
+
| Maintainability | graphify call-graph metrics | God files, dead imports, cohesion, communities |
|
|
260
|
+
| Developer Experience | git hook detection, CI workflow detection, manifest presence | Pre-push hooks, CI quality gates, environment reproducibility |
|
|
420
261
|
|
|
421
|
-
|
|
262
|
+
Each analyzer reports raw findings. dxkit aggregates, deduplicates across tools, and scores deterministically.
|
|
422
263
|
|
|
423
264
|
---
|
|
424
265
|
|
|
425
|
-
##
|
|
426
|
-
|
|
427
|
-
dxkit doesn't try to replace SonarQube, Snyk, Semgrep, GitHub
|
|
428
|
-
Advanced Security, Trivy, Gitleaks, or OSV-Scanner. It does three
|
|
429
|
-
things they don't:
|
|
430
|
-
|
|
431
|
-
1. **It scaffolds your AI agent.** Most tools find issues; dxkit
|
|
432
|
-
_also_ writes the project-context layer (entry-point doc, project
|
|
433
|
-
skills, commands, language-specific rules, specialized subagents)
|
|
434
|
-
that lets your agent operate on the codebase intelligently.
|
|
435
|
-
2. **It gates at commit time, deterministically.** No LLM in the
|
|
436
|
-
grading path. The matcher and classifier are deterministic over
|
|
437
|
-
normalized analyzer input.
|
|
438
|
-
3. **It assumes your repo is messy.** Other tools want clean
|
|
439
|
-
codebases and block every PR until you fix everything. dxkit
|
|
440
|
-
captures the floor, grandfathers existing debt, and only blocks
|
|
441
|
-
regressions introduced from here forward — usable on day-one
|
|
442
|
-
greenfield and 10-year-old brownfield codebases alike.
|
|
443
|
-
|
|
444
|
-
Built on **open methodology**: ISO/IEC 25010, ISO/IEC 5055, SQALE,
|
|
445
|
-
CVSS v4 (FIRST reference port), CWE taxonomy, OpenSSF Scorecard.
|
|
446
|
-
Scores are evidence-backed and traceable to the findings that
|
|
447
|
-
produced them.
|
|
266
|
+
## Brownfield vs greenfield
|
|
448
267
|
|
|
449
|
-
|
|
268
|
+
| | Greenfield (day 1) | Brownfield (years of debt) |
|
|
269
|
+
| ---------------- | -------------------------------------- | ------------------------------------------------- |
|
|
270
|
+
| Baseline | Near-zero on capture | Captures today's debt as floor |
|
|
271
|
+
| Behavior | Every regression matters from commit 1 | Existing debt grandfathered; net-new blocks |
|
|
272
|
+
| Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
|
|
450
273
|
|
|
451
|
-
|
|
274
|
+
The status taxonomy that drives gate decisions:
|
|
452
275
|
|
|
453
|
-
|
|
276
|
+
| Status | Meaning | Default |
|
|
277
|
+
| ------------------- | ----------------------------------------- | ---------- |
|
|
278
|
+
| `added` | Net-new finding introduced by this change | **blocks** |
|
|
279
|
+
| `relocated` | Same finding, moved (line drift, rename) | passes |
|
|
280
|
+
| `persisted` | Same finding, same place. Pre-existing. | passes |
|
|
281
|
+
| `removed` / `fixed` | Was there, now gone | passes |
|
|
282
|
+
| `tooling_drift` | New because scanner version changed | warns |
|
|
283
|
+
| `config_drift` | New because dxkit config changed | warns |
|
|
284
|
+
| `uncertain` | Below confidence threshold | warns |
|
|
454
285
|
|
|
455
|
-
|
|
456
|
-
- TypeScript frontend
|
|
457
|
-
- Large .NET WinForms project
|
|
286
|
+
Customize via [`.dxkit/policy.json`](docs/configuration/policy.md).
|
|
458
287
|
|
|
459
|
-
|
|
288
|
+
---
|
|
460
289
|
|
|
461
|
-
|
|
462
|
-
per-finding identity sets
|
|
463
|
-
- brought roughly **3,000 previously untracked findings into
|
|
464
|
-
guardrail coverage**
|
|
465
|
-
- matched identity-set counts exactly to report aggregates for
|
|
466
|
-
every finding kind
|
|
290
|
+
## Safety and trust
|
|
467
291
|
|
|
468
|
-
|
|
292
|
+
- **Local-first.** Every scan runs on the developer's machine. Nothing leaves the repo. No telemetry. No phone-home.
|
|
293
|
+
- **No LLM in the grading path.** Scores come from deterministic analyzers and arithmetic. Reproducible. Auditable. The only way to improve a score is to write better code.
|
|
294
|
+
- **Sigstore provenance.** Every npm release is signed via OIDC from GitHub Actions. Verify with `npm audit signatures`.
|
|
295
|
+
- **Open source.** MIT licensed. Inspect every score derivation.
|
|
469
296
|
|
|
470
297
|
---
|
|
471
298
|
|
|
472
|
-
##
|
|
473
|
-
|
|
474
|
-
dxkit is local-first.
|
|
475
|
-
|
|
476
|
-
- **No SaaS required.** Your code never leaves the machine.
|
|
477
|
-
- **No repo upload.** Analyzers run in-process or shell out to
|
|
478
|
-
locally-installed scanners; results stay on disk.
|
|
479
|
-
- **Secret values are never written to disk.** dxkit stores a
|
|
480
|
-
non-reversible fingerprint for matching only — the scanner sees
|
|
481
|
-
the value once and discards it after hashing.
|
|
482
|
-
- **Agent auth stays user-owned.** Install scripts ship the CLIs;
|
|
483
|
-
authentication happens in your session and is never baked into
|
|
484
|
-
the image or stored by dxkit.
|
|
485
|
-
- **CI guardrails are the enforcement layer.** Local hooks provide
|
|
486
|
-
fast feedback but are bypassable (`git commit --no-verify`); the
|
|
487
|
-
GitHub Actions PR-gate runs server-side and can be made a required
|
|
488
|
-
check via branch protection.
|
|
489
|
-
- **Post-merge baseline refresh is gated.** The refresh workflow
|
|
490
|
-
runs only after the PR-gate workflow succeeds on the merging
|
|
491
|
-
commit. **Use branch protection to make the PR-gate a required
|
|
492
|
-
check** so a bypassed merge can't codify a regression into the
|
|
493
|
-
baseline.
|
|
299
|
+
## Real-world validation
|
|
494
300
|
|
|
495
|
-
|
|
301
|
+
dxkit ships against pinned production codebases across all eight language packs. Every release runs a cross-stack walkthrough on a polyglot reference repo (TypeScript + Python) and a .NET reference repo before tagging. The cross-stack regression suite is part of CI.
|
|
496
302
|
|
|
497
|
-
|
|
303
|
+
Recent ship validation (`@vyuhlabs/dxkit@2.6.0`, 2026-05-23):
|
|
498
304
|
|
|
499
|
-
-
|
|
500
|
-
-
|
|
501
|
-
-
|
|
502
|
-
- [`.dxkit/policy.json` configuration](docs/configuration/policy.md)
|
|
503
|
-
- [Scoring methodology](docs/SCORING.md)
|
|
504
|
-
- [Architecture](docs/ARCHITECTURE.md)
|
|
505
|
-
- [All commands](docs/README.md)
|
|
305
|
+
- 1904 tests across 110 files
|
|
306
|
+
- License findings dropped 73% on a 600-source-file polyglot codebase after the 2.6 baseline polish
|
|
307
|
+
- New `ref-based` mode verified end-to-end on both reference stacks
|
|
506
308
|
|
|
507
309
|
---
|
|
508
310
|
|
|
509
|
-
##
|
|
510
|
-
|
|
511
|
-
- [x] Local repo analysis (8 language packs)
|
|
512
|
-
- [x] Agent project scaffolding (entry-point doc, skills, commands,
|
|
513
|
-
conventions, specialized subagents — single-agent today)
|
|
514
|
-
- [x] Optional install scripts for AI coding-agent CLIs in the
|
|
515
|
-
devcontainer
|
|
516
|
-
- [x] Per-finding fingerprinting + git-aware matching
|
|
517
|
-
- [x] Baseline + guardrail commands
|
|
518
|
-
- [x] Brownfield policy classifier
|
|
519
|
-
- [x] Git hooks (pre-push default; pre-commit opt-in)
|
|
520
|
-
- [x] GitHub Actions PR-gate + gated baseline-refresh workflows
|
|
521
|
-
- [x] Devcontainer with pinned toolchains
|
|
522
|
-
- [x] Nine dxkit-\* skills + AGENTS.md (open-standard, read by every
|
|
523
|
-
AGENTS.md-compliant agent — Claude Code, Codex, Cursor, Aider)
|
|
524
|
-
- [ ] First-class plugin packaging for the Claude Code marketplace + MCP server for cross-agent reach (2.6, decision-pending)
|
|
525
|
-
- [ ] Scoped + incremental scanning — fast pre-commit on monorepos
|
|
526
|
-
(2.6)
|
|
527
|
-
- [ ] Symbol-level coverage gaps across all 8 packs (2.6)
|
|
528
|
-
- [ ] SARIF export for GitHub code scanning interop (2.6)
|
|
529
|
-
- [ ] Reachability-aware dep-vuln triage
|
|
530
|
-
- [ ] **Per-pack capability parity** — bring every cell in the
|
|
531
|
-
capability table to a green tick (2.7 / 3.0):
|
|
532
|
-
- Import-graph resolvers for Rust, C#, Kotlin, Java, Ruby
|
|
533
|
-
(so reachability + import-graph test-gap credit work for
|
|
534
|
-
every pack, not just TS/Python/Go)
|
|
535
|
-
- Severity-tiered C# linter (Roslyn analyzers or StyleCop)
|
|
536
|
-
- License providers for Kotlin, Java, Ruby
|
|
537
|
-
- [ ] AI Readiness banner — semantic anchors, function-body hashes,
|
|
538
|
-
cross-file refactor detection (3.0)
|
|
311
|
+
## Documentation
|
|
539
312
|
|
|
540
|
-
|
|
313
|
+
**Start here**:
|
|
541
314
|
|
|
542
|
-
|
|
315
|
+
- [Getting started](docs/getting-started.md): full walkthrough from install to first guardrail check
|
|
316
|
+
- [CHANGELOG](CHANGELOG.md): release notes. Latest is [2.6.0](https://github.com/vyuh-labs/dxkit/releases/tag/v2.6.0)
|
|
543
317
|
|
|
544
|
-
|
|
545
|
-
broken, or the docs are unclear, the fastest path to the dxkit team
|
|
546
|
-
is the built-in issue subcommand:
|
|
318
|
+
**Depth**:
|
|
547
319
|
|
|
548
|
-
|
|
549
|
-
|
|
550
|
-
|
|
551
|
-
|
|
320
|
+
- [Why dxkit](docs/why-dxkit.md): rationale, comparison vs SonarQube/Snyk/Semgrep/etc., open methodology
|
|
321
|
+
- [Architecture](docs/ARCHITECTURE.md): data flow, the git-aware matcher, fingerprint axes
|
|
322
|
+
- [Scoring methodology](docs/SCORING.md): how each dimension is computed, citations
|
|
323
|
+
- [Roadmap](docs/roadmap.md): shipped vs planned
|
|
552
324
|
|
|
553
|
-
|
|
325
|
+
**Reference**:
|
|
554
326
|
|
|
555
|
-
|
|
556
|
-
|
|
327
|
+
- [Command reference](docs/README.md): every subcommand at a glance
|
|
328
|
+
- [`baseline`](docs/commands/baseline.md): capture, show, modes
|
|
329
|
+
- [`guardrail`](docs/commands/guardrail.md): check, classify, render
|
|
330
|
+
- [`allowlist`](docs/commands/allowlist.md): per-finding suppression
|
|
331
|
+
- [`.dxkit/policy.json`](docs/configuration/policy.md): tune what blocks vs warns
|
|
332
|
+
- [Reporting issues](docs/commands/issue.md): `vyuh-dxkit issue --type=...`
|
|
557
333
|
|
|
558
|
-
|
|
559
|
-
in your browser with dxkit version + platform info already populated.
|
|
560
|
-
Nothing is submitted until you click "Submit" — you review the
|
|
561
|
-
prefill first. See [`vyuh-dxkit issue`](docs/commands/issue.md) for
|
|
562
|
-
the full reference.
|
|
334
|
+
---
|
|
563
335
|
|
|
564
336
|
## Contributing
|
|
565
337
|
|
|
566
|
-
|
|
567
|
-
codebase. We'd love help with:
|
|
568
|
-
|
|
569
|
-
- Additional language pack support
|
|
570
|
-
- Agent-CLI integrations (the 2.6 work)
|
|
571
|
-
- Monorepo detection
|
|
572
|
-
- Devcontainer templates per stack
|
|
573
|
-
- Custom guardrail policies
|
|
574
|
-
- SARIF output
|
|
575
|
-
- More specialized subagents
|
|
576
|
-
|
|
577
|
-
Start with the [contributing guide](CONTRIBUTING.md) and
|
|
578
|
-
[good first issues](https://github.com/vyuh-labs/dxkit/labels/good%20first%20issue).
|
|
338
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md). The project follows architectural rules in [CLAUDE.md](CLAUDE.md). Adding a new language pack, a new finding kind, or a new scoring dimension each have one-page recipes.
|
|
579
339
|
|
|
580
340
|
---
|
|
581
341
|
|
|
582
342
|
## License
|
|
583
343
|
|
|
584
344
|
MIT. See [LICENSE](LICENSE).
|
|
585
|
-
|
|
586
|
-
---
|
|
587
|
-
|
|
588
|
-
## Try it
|
|
589
|
-
|
|
590
|
-
```bash
|
|
591
|
-
npm init @vyuhlabs/dxkit
|
|
592
|
-
```
|
|
593
|
-
|
|
594
|
-
If dxkit helps you ship AI-assisted changes more safely, star the
|
|
595
|
-
repo — it helps others find it too.
|