@vyuhlabs/dxkit 2.6.0 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (221) hide show
  1. package/CHANGELOG.md +103 -13
  2. package/README.md +208 -459
  3. package/dist/analyzers/bom/discovery.d.ts +3 -4
  4. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  5. package/dist/analyzers/bom/discovery.js +3 -4
  6. package/dist/analyzers/bom/discovery.js.map +1 -1
  7. package/dist/analyzers/bom/types.d.ts +1 -1
  8. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  9. package/dist/analyzers/dashboard/index.js +42 -5
  10. package/dist/analyzers/dashboard/index.js.map +1 -1
  11. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  12. package/dist/analyzers/developer/gather.js +9 -9
  13. package/dist/analyzers/developer/gather.js.map +1 -1
  14. package/dist/analyzers/quality/detailed.d.ts +8 -1
  15. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  16. package/dist/analyzers/quality/detailed.js +43 -10
  17. package/dist/analyzers/quality/detailed.js.map +1 -1
  18. package/dist/analyzers/quality/gather.js +3 -3
  19. package/dist/analyzers/quality/gather.js.map +1 -1
  20. package/dist/analyzers/security/detailed.d.ts +8 -1
  21. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  22. package/dist/analyzers/security/detailed.js +14 -1
  23. package/dist/analyzers/security/detailed.js.map +1 -1
  24. package/dist/analyzers/security/gather.d.ts.map +1 -1
  25. package/dist/analyzers/security/gather.js +12 -3
  26. package/dist/analyzers/security/gather.js.map +1 -1
  27. package/dist/analyzers/tests/detailed.d.ts +8 -1
  28. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  29. package/dist/analyzers/tests/detailed.js +26 -7
  30. package/dist/analyzers/tests/detailed.js.map +1 -1
  31. package/dist/analyzers/tools/cloc.js +5 -5
  32. package/dist/analyzers/tools/cloc.js.map +1 -1
  33. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  34. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  35. package/dist/analyzers/tools/exclusions.js +27 -13
  36. package/dist/analyzers/tools/exclusions.js.map +1 -1
  37. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  38. package/dist/analyzers/tools/generic.js +52 -14
  39. package/dist/analyzers/tools/generic.js.map +1 -1
  40. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  41. package/dist/analyzers/tools/gitleaks.js +28 -3
  42. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  43. package/dist/analyzers/tools/graphify.d.ts +39 -5
  44. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  45. package/dist/analyzers/tools/graphify.js +609 -45
  46. package/dist/analyzers/tools/graphify.js.map +1 -1
  47. package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
  48. package/dist/analyzers/tools/grep-secrets.js +1 -1
  49. package/dist/analyzers/tools/grep-secrets.js.map +1 -1
  50. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  51. package/dist/analyzers/tools/jscpd.js +2 -1
  52. package/dist/analyzers/tools/jscpd.js.map +1 -1
  53. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  54. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  55. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
  56. package/dist/analyzers/tools/osv-scanner-deps.js +1 -1
  57. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
  58. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  59. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  60. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  61. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  62. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  63. package/dist/analyzers/tools/parallel.js +7 -0
  64. package/dist/analyzers/tools/parallel.js.map +1 -1
  65. package/dist/analyzers/tools/runner.d.ts +35 -2
  66. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  67. package/dist/analyzers/tools/runner.js +112 -3
  68. package/dist/analyzers/tools/runner.js.map +1 -1
  69. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  70. package/dist/analyzers/tools/semgrep.js +3 -1
  71. package/dist/analyzers/tools/semgrep.js.map +1 -1
  72. package/dist/analyzers/tools/tool-registry.d.ts +18 -0
  73. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  74. package/dist/analyzers/tools/tool-registry.js +140 -53
  75. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  76. package/dist/analyzers/tools/tools-config.d.ts +46 -0
  77. package/dist/analyzers/tools/tools-config.d.ts.map +1 -0
  78. package/dist/analyzers/tools/tools-config.js +129 -0
  79. package/dist/analyzers/tools/tools-config.js.map +1 -0
  80. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  81. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  82. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  83. package/dist/analyzers/tools/walk-source-files.d.ts +8 -0
  84. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
  85. package/dist/analyzers/tools/walk-source-files.js +49 -4
  86. package/dist/analyzers/tools/walk-source-files.js.map +1 -1
  87. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  88. package/dist/analyzers/xlsx/licenses.js +7 -7
  89. package/dist/baseline/baseline-file.d.ts +8 -0
  90. package/dist/baseline/baseline-file.d.ts.map +1 -1
  91. package/dist/baseline/baseline-file.js.map +1 -1
  92. package/dist/baseline/check-renderers.d.ts.map +1 -1
  93. package/dist/baseline/check-renderers.js +10 -0
  94. package/dist/baseline/check-renderers.js.map +1 -1
  95. package/dist/baseline/check.d.ts +7 -0
  96. package/dist/baseline/check.d.ts.map +1 -1
  97. package/dist/baseline/check.js +2 -0
  98. package/dist/baseline/check.js.map +1 -1
  99. package/dist/baseline/coverage.d.ts +57 -0
  100. package/dist/baseline/coverage.d.ts.map +1 -0
  101. package/dist/baseline/coverage.js +62 -0
  102. package/dist/baseline/coverage.js.map +1 -0
  103. package/dist/baseline/create.d.ts +13 -0
  104. package/dist/baseline/create.d.ts.map +1 -1
  105. package/dist/baseline/create.js +21 -0
  106. package/dist/baseline/create.js.map +1 -1
  107. package/dist/cli.d.ts.map +1 -1
  108. package/dist/cli.js +123 -4
  109. package/dist/cli.js.map +1 -1
  110. package/dist/dashboard/graph-adapter.d.ts +151 -0
  111. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  112. package/dist/dashboard/graph-adapter.js +415 -0
  113. package/dist/dashboard/graph-adapter.js.map +1 -0
  114. package/dist/dashboard/graph-tab.d.ts +109 -0
  115. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  116. package/dist/dashboard/graph-tab.js +297 -0
  117. package/dist/dashboard/graph-tab.js.map +1 -0
  118. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  119. package/dist/doctor.d.ts.map +1 -1
  120. package/dist/doctor.js +6 -7
  121. package/dist/doctor.js.map +1 -1
  122. package/dist/explore/cli/api-surface.d.ts +12 -0
  123. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  124. package/dist/explore/cli/api-surface.js +57 -0
  125. package/dist/explore/cli/api-surface.js.map +1 -0
  126. package/dist/explore/cli/communities.d.ts +10 -0
  127. package/dist/explore/cli/communities.d.ts.map +1 -0
  128. package/dist/explore/cli/communities.js +47 -0
  129. package/dist/explore/cli/communities.js.map +1 -0
  130. package/dist/explore/cli/context.d.ts +16 -0
  131. package/dist/explore/cli/context.d.ts.map +1 -0
  132. package/dist/explore/cli/context.js +118 -0
  133. package/dist/explore/cli/context.js.map +1 -0
  134. package/dist/explore/cli/entry-points.d.ts +12 -0
  135. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  136. package/dist/explore/cli/entry-points.js +85 -0
  137. package/dist/explore/cli/entry-points.js.map +1 -0
  138. package/dist/explore/cli/feature.d.ts +16 -0
  139. package/dist/explore/cli/feature.d.ts.map +1 -0
  140. package/dist/explore/cli/feature.js +89 -0
  141. package/dist/explore/cli/feature.js.map +1 -0
  142. package/dist/explore/cli/file.d.ts +12 -0
  143. package/dist/explore/cli/file.d.ts.map +1 -0
  144. package/dist/explore/cli/file.js +139 -0
  145. package/dist/explore/cli/file.js.map +1 -0
  146. package/dist/explore/cli/hot-files.d.ts +11 -0
  147. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  148. package/dist/explore/cli/hot-files.js +63 -0
  149. package/dist/explore/cli/hot-files.js.map +1 -0
  150. package/dist/explore/context-hook.d.ts +42 -0
  151. package/dist/explore/context-hook.d.ts.map +1 -0
  152. package/dist/explore/context-hook.js +131 -0
  153. package/dist/explore/context-hook.js.map +1 -0
  154. package/dist/explore/finding-context.d.ts +69 -0
  155. package/dist/explore/finding-context.d.ts.map +1 -0
  156. package/dist/explore/finding-context.js +102 -0
  157. package/dist/explore/finding-context.js.map +1 -0
  158. package/dist/explore/format.d.ts +64 -0
  159. package/dist/explore/format.d.ts.map +1 -0
  160. package/dist/explore/format.js +99 -0
  161. package/dist/explore/format.js.map +1 -0
  162. package/dist/explore/load.d.ts +50 -0
  163. package/dist/explore/load.d.ts.map +1 -0
  164. package/dist/explore/load.js +197 -0
  165. package/dist/explore/load.js.map +1 -0
  166. package/dist/explore/queries.d.ts +413 -0
  167. package/dist/explore/queries.d.ts.map +1 -0
  168. package/dist/explore/queries.js +855 -0
  169. package/dist/explore/queries.js.map +1 -0
  170. package/dist/explore/types.d.ts +130 -0
  171. package/dist/explore/types.d.ts.map +1 -0
  172. package/dist/explore/types.js +28 -0
  173. package/dist/explore/types.js.map +1 -0
  174. package/dist/explore-cli.d.ts +45 -0
  175. package/dist/explore-cli.d.ts.map +1 -0
  176. package/dist/explore-cli.js +213 -0
  177. package/dist/explore-cli.js.map +1 -0
  178. package/dist/generator.d.ts.map +1 -1
  179. package/dist/generator.js +19 -0
  180. package/dist/generator.js.map +1 -1
  181. package/dist/languages/csharp.d.ts.map +1 -1
  182. package/dist/languages/csharp.js +58 -26
  183. package/dist/languages/csharp.js.map +1 -1
  184. package/dist/languages/go.d.ts.map +1 -1
  185. package/dist/languages/go.js +17 -14
  186. package/dist/languages/go.js.map +1 -1
  187. package/dist/languages/index.d.ts +27 -0
  188. package/dist/languages/index.d.ts.map +1 -1
  189. package/dist/languages/index.js +35 -0
  190. package/dist/languages/index.js.map +1 -1
  191. package/dist/languages/java.d.ts.map +1 -1
  192. package/dist/languages/java.js +13 -10
  193. package/dist/languages/java.js.map +1 -1
  194. package/dist/languages/kotlin.d.ts.map +1 -1
  195. package/dist/languages/kotlin.js +13 -10
  196. package/dist/languages/kotlin.js.map +1 -1
  197. package/dist/languages/python.d.ts.map +1 -1
  198. package/dist/languages/python.js +31 -20
  199. package/dist/languages/python.js.map +1 -1
  200. package/dist/languages/ruby.d.ts.map +1 -1
  201. package/dist/languages/ruby.js +30 -16
  202. package/dist/languages/ruby.js.map +1 -1
  203. package/dist/languages/rust.d.ts.map +1 -1
  204. package/dist/languages/rust.js +16 -13
  205. package/dist/languages/rust.js.map +1 -1
  206. package/dist/languages/types.d.ts +54 -0
  207. package/dist/languages/types.d.ts.map +1 -1
  208. package/dist/languages/typescript.d.ts.map +1 -1
  209. package/dist/languages/typescript.js +22 -19
  210. package/dist/languages/typescript.js.map +1 -1
  211. package/dist/tools-cli.d.ts.map +1 -1
  212. package/dist/tools-cli.js +10 -4
  213. package/dist/tools-cli.js.map +1 -1
  214. package/dist/upgrade.js +2 -2
  215. package/dist/upgrade.js.map +1 -1
  216. package/package.json +2 -1
  217. package/templates/.claude/skills/dxkit-action/SKILL.md +21 -1
  218. package/templates/.claude/skills/dxkit-config/SKILL.md +26 -0
  219. package/templates/.claude/skills/dxkit-fix/SKILL.md +10 -0
  220. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  221. package/templates/AGENTS.md.template +8 -1
package/CHANGELOG.md CHANGED
@@ -7,6 +7,96 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [2.7.1] - 2026-05-31
11
+
12
+ Windows compatibility. Tool detection, the scanner toolchain, and source
13
+ enumeration now work on native Windows (cmd.exe / PowerShell), not only
14
+ on POSIX shells. Previously a Windows user could capture a baseline that
15
+ silently omitted whole finding categories because the underlying tools
16
+ were never detected or run; dxkit now detects them correctly and, when
17
+ something genuinely can't run, says so instead of recording an empty
18
+ result as clean.
19
+
20
+ ### Fixed
21
+
22
+ - **Cross-platform tool detection.** Binary resolution now walks `PATH`
23
+ in pure Node, honoring `%PATHEXT%` on Windows, instead of shelling out
24
+ to `which`. Previously every external tool — and even `git`, `node`,
25
+ and `dotnet` — was reported missing on Windows even when installed,
26
+ which `doctor` now reflects accurately.
27
+ - **Scanners run on Windows.** gitleaks, semgrep, and jscpd write their
28
+ reports under the OS temp directory and gitleaks is invoked without a
29
+ shell, so a path with spaces or a non-POSIX shell no longer produces
30
+ an empty result.
31
+ - **Source enumeration is shell-free.** Per-language import discovery,
32
+ the directory count, README/manifest reads, and the developer-
33
+ experience probes use in-process file walkers instead of
34
+ `find` / `ls` / `wc` / `cat`, which returned nothing on Windows.
35
+ - **Graph context on Windows.** The graphify interpreter is resolved via
36
+ the platform venv layout (`Scripts\python.exe` vs `bin/python`), so
37
+ `explore`, `context`, and `--graph-context` work once graphify is
38
+ installed.
39
+ - **`tools install` on Windows** selects an available shell rather than
40
+ assuming `/bin/bash`.
41
+
42
+ ### Added
43
+
44
+ - **Baseline coverage signal.** `baseline create` warns when an expected
45
+ scanner isn't available — prompting to install or continue
46
+ interactively, and requiring `--allow-incomplete` in non-interactive
47
+ runs rather than silently writing a partial baseline (`--force`
48
+ implies this opt-in, so the shipped baseline-refresh workflow keeps
49
+ working). The baseline file now records which scanners were available
50
+ at capture time, and `guardrail check` surfaces when that availability
51
+ has since changed.
52
+ - **Configurable tool locations.** A `.dxkit/tools.json` with
53
+ `probePaths` and `installDir` lets dxkit find tools in non-standard
54
+ locations and install them where you choose — useful on locked-down or
55
+ corporate-managed machines. Documented in the `dxkit-config` skill.
56
+ - **Windows CI job** that validates detection on a real Windows runner,
57
+ triggered only when detection-relevant files change.
58
+
59
+ ## [2.7.0] - 2026-05-29
60
+
61
+ The "Repo Explore" release. dxkit now builds a deterministic code graph
62
+ of your repo and exposes it three ways: a CLI to query structure, an
63
+ interactive graph in the dashboard, and per-finding blast radius in
64
+ detailed reports. The throughline is helping a coding agent fix findings
65
+ by navigating structure instead of re-reading whole files.
66
+
67
+ ### Added
68
+
69
+ - **`vyuh-dxkit explore`** with six subcommands (`entry-points`,
70
+ `hot-files`, `communities`, `file`, `feature`, `api-surface`) for
71
+ asking the code graph what the repo does, where a feature lives, which
72
+ files are load-bearing, and what the public API surface is.
73
+ - **`vyuh-dxkit context <query>`** returns a token-budgeted structural
74
+ slice for a query (an anchor symbol, its relevant neighbors, and the
75
+ blast radius), plus a fail-open Claude Code PreToolUse hook that feeds
76
+ it on Grep/Glob so agents need fewer follow-up whole-file reads.
77
+ Auto-installed with `--with-dxkit-agents`.
78
+ - **Interactive Graph tab** in `vyuh-dxkit dashboard`, embedding
79
+ graphify's code-graph viewer with the renderer bundled to work
80
+ offline. Large repos render a community-aggregated view.
81
+ - **`--graph-context`** on `vulnerabilities`, `test-gaps`, and `quality`
82
+ attaches each finding's module and blast radius (which files call into
83
+ it) to the detailed report, so a fixing agent gets the structural map
84
+ per finding without a separate lookup.
85
+ - **Per-language call-graph reliability.** Where the call graph cannot be
86
+ resolved (C#, which cannot follow `using` across assemblies), blast
87
+ radius reads "n/a" rather than a misleading "0 callers", so it is never
88
+ mistaken for "safe to change".
89
+ - **`dxkit-action`** now folds blast radius into prioritization as an
90
+ additive signal, and the generated `AGENTS.md` documents the new
91
+ commands.
92
+
93
+ ### Changed
94
+
95
+ - `vyuh-dxkit health` writes the code graph to
96
+ `.dxkit/reports/graph.json` as a side effect, so a single run
97
+ populates the artifact the explore, context, dashboard, and
98
+ graph-context surfaces read.
99
+
10
100
  ## [2.6.0] - 2026-05-23
11
101
 
12
102
  The "per-finding suppression + public-repo-safe baselines" release.
@@ -185,7 +275,7 @@ Tag: `create-dxkit@v0.2.0`. Run `npm init @vyuhlabs/dxkit` to get
185
275
  the new combined experience.
186
276
 
187
277
  Validated end-to-end with two cross-stack walkthroughs on 2026-05-22:
188
- `vyuhlabs-platform` (python + typescript) and `dpl-studio` (csharp).
278
+ a polyglot Python+TypeScript reference repo and a .NET reference repo.
189
279
  Both stacks: defect closures verified, per-pack devcontainer adapts
190
280
  correctly, doctor's new tier-3 surfaces operational gaps with
191
281
  actionable fix commands.
@@ -1621,9 +1711,9 @@ Four pieces shipped together:
1621
1711
  The post-shipment audit's master bug + its direct cascade:
1622
1712
 
1623
1713
  - **D055** — `.dxkit-ignore` multi-segment paths flatten to basenames
1624
- in cloc / graphify / grep. `Dev/Addons/VendorAddon/SAPB1/` silently
1625
- became `{Dev, Addons, VendorAddon, SAPB1}` cloc then excluded every
1626
- directory named `Dev` in the tree, killing 90% of source visibility.
1714
+ in cloc / graphify / grep. `app/vendor/generated/` silently
1715
+ became `{app, vendor, generated}`, so cloc then excluded every
1716
+ directory named `app` in the tree, killing 90% of source visibility.
1627
1717
  Fix: `getClocExcludeFlags` emits `--exclude-dir` (basenames) PLUS
1628
1718
  `--fullpath --not-match-d` (Perl regex on full path).
1629
1719
  `getPythonExcludeFilter` emits both a basename set AND a multi-
@@ -1825,7 +1915,7 @@ discipline.
1825
1915
  (osv-scanner reads Gemfile.lock directly, no `bundle env`/`bundle
1826
1916
  show` introspection ladder). Stays accepted-deferred.
1827
1917
  - **D017** (NEW) — `dxkit bom <large-project> > file.json` produces
1828
- 0-byte output intermittently on vyuhlabs-platform (1700+ deps).
1918
+ 0-byte output intermittently on a large reference repo (1700+ deps).
1829
1919
  EXIT=0, no error. Workaround: pipe through `cat`. Hypothesis:
1830
1920
  Node stdout buffer doesn't drain before process exit when output
1831
1921
  is large + stdout is a regular file. NOT a 2.4.6 ship blocker —
@@ -1835,7 +1925,7 @@ discipline.
1835
1925
  ### Pre-ship regression — clean
1836
1926
 
1837
1927
  Sequential dxkit reports captured against dxkit-on-dxkit and
1838
- vyuhlabs-platform; 12 reports each diffed against the 2.4.5-fixed
1928
+ a large reference repo; 12 reports each diffed against the 2.4.5-fixed
1839
1929
  baseline. Zero code regressions detected. All deltas explained:
1840
1930
 
1841
1931
  - dxkit/test-gaps 16 → 32 — better data (Istanbul vs import-graph
@@ -1887,7 +1977,7 @@ at every commit in the 10-commit branch.
1887
1977
  `typescript`, etc.). `unfilteredTotalPackages` 22 → 353. The
1888
1978
  analyzed project's own deps were missing from BoM whenever the
1889
1979
  bug hit. Most repos that resolve peer-deps cleanly under
1890
- `--legacy-peer-deps` weren't affected (vyuhlabs-platform's BoM
1980
+ `--legacy-peer-deps` weren't affected (the reference repo's BoM
1891
1981
  stayed correct at 145 packages); repos with subtle peer-dep
1892
1982
  issues silently lost root-dep enumeration.
1893
1983
 
@@ -2756,7 +2846,7 @@ unchanged — consumers can re-derive trivially if needed.
2756
2846
  - 715 tests passing (+18 pm-signals cases: license class mapping,
2757
2847
  compound expressions, staleness thresholds, effort semver deltas).
2758
2848
  - Typecheck + lint + format + architecture + pre-push CI-mirror gate clean.
2759
- - vyuhlabs-platform smoke: all 4 sheets render correctly, exec summary
2849
+ - reference-repo smoke: all 4 sheets render correctly, exec summary
2760
2850
  surfaces 3 ship-blockers + 9 sprint-risk findings + pm2 flagged
2761
2851
  copyleft-strong, `@loopback/rest` surfaces as highest-leverage upgrade
2762
2852
  (27 transitive advisories, worst CRITICAL).
@@ -2764,7 +2854,7 @@ unchanged — consumers can re-derive trivially if needed.
2764
2854
  ## [2.3.1] - 2026-04-24
2765
2855
 
2766
2856
  Patch release fixing three install-robustness issues reported on a
2767
- real vyuhlabs-platform install:
2857
+ real reference-repo install:
2768
2858
 
2769
2859
  ### Fixed
2770
2860
 
@@ -2810,7 +2900,7 @@ real vyuhlabs-platform install:
2810
2900
  Warnings only, no functional impact; would require either switching
2811
2901
  xlsx libraries (breaking) or upstream archiver modernization.
2812
2902
 
2813
- ### Validation on vyuhlabs-platform/userserver
2903
+ ### Validation on the polyglot reference repo
2814
2904
 
2815
2905
  - `vyuh-dxkit tools` reports 12/13 tools found (vitest-coverage
2816
2906
  correctly listed as missing since lb-mocha is in use)
@@ -2883,7 +2973,7 @@ merge → tag → CI-publishes without deviation.
2883
2973
  unions the roots each package was found in; `isTopLevel`
2884
2974
  OR-merges; vulns dedup on `(id, package, installedVersion)`.
2885
2975
  Closes **D001a** — `bom platform/` previously missed
2886
- `platform/userserver/` entirely. Side-benefit: naturally
2976
+ the product subdirectory entirely. Side-benefit: naturally
2887
2977
  addresses **D003** (C# multi-project) since each `.csproj`
2888
2978
  becomes its own root. (10h.5.0b)
2889
2979
 
@@ -3000,7 +3090,7 @@ bump required.
3000
3090
  - **TypeScript pack** — BFS over `package-lock.json` (v2/v3) from
3001
3091
  each root `dependencies` / `devDependencies` entry. Pure parser
3002
3092
  `buildTsTopLevelDepIndex` unit-tested; benchmark on
3003
- `vyuhlabs-platform`: 71/71 findings attributed across 31 vulnerable
3093
+ reference repo: 71/71 findings attributed across 31 vulnerable
3004
3094
  packages, `@loopback/cli` rollup = 29 advisories (matches Snyk UI).
3005
3095
 
3006
3096
  - **Python pack** — BFS over `pip show` graph from packages with empty
@@ -3066,7 +3156,7 @@ bump required.
3066
3156
  `obj/project.assets.json`. Findings still emit; `topLevelDep` stays
3067
3157
  unset.
3068
3158
 
3069
- - Release validated against `vyuhlabs-platform` TypeScript benchmark.
3159
+ - Release validated against the TypeScript reference benchmark.
3070
3160
  Python/Go/Rust/C# packs exercised via fixture-based unit tests
3071
3161
  (+53 new tests across the 4 non-TS language test files); real-world
3072
3162
  validation lands with 2.3.0's cross-ecosystem benchmark fixtures.