@vyuhlabs/dxkit 2.6.0 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (221) hide show
  1. package/CHANGELOG.md +103 -13
  2. package/README.md +208 -459
  3. package/dist/analyzers/bom/discovery.d.ts +3 -4
  4. package/dist/analyzers/bom/discovery.d.ts.map +1 -1
  5. package/dist/analyzers/bom/discovery.js +3 -4
  6. package/dist/analyzers/bom/discovery.js.map +1 -1
  7. package/dist/analyzers/bom/types.d.ts +1 -1
  8. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  9. package/dist/analyzers/dashboard/index.js +42 -5
  10. package/dist/analyzers/dashboard/index.js.map +1 -1
  11. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  12. package/dist/analyzers/developer/gather.js +9 -9
  13. package/dist/analyzers/developer/gather.js.map +1 -1
  14. package/dist/analyzers/quality/detailed.d.ts +8 -1
  15. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  16. package/dist/analyzers/quality/detailed.js +43 -10
  17. package/dist/analyzers/quality/detailed.js.map +1 -1
  18. package/dist/analyzers/quality/gather.js +3 -3
  19. package/dist/analyzers/quality/gather.js.map +1 -1
  20. package/dist/analyzers/security/detailed.d.ts +8 -1
  21. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  22. package/dist/analyzers/security/detailed.js +14 -1
  23. package/dist/analyzers/security/detailed.js.map +1 -1
  24. package/dist/analyzers/security/gather.d.ts.map +1 -1
  25. package/dist/analyzers/security/gather.js +12 -3
  26. package/dist/analyzers/security/gather.js.map +1 -1
  27. package/dist/analyzers/tests/detailed.d.ts +8 -1
  28. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  29. package/dist/analyzers/tests/detailed.js +26 -7
  30. package/dist/analyzers/tests/detailed.js.map +1 -1
  31. package/dist/analyzers/tools/cloc.js +5 -5
  32. package/dist/analyzers/tools/cloc.js.map +1 -1
  33. package/dist/analyzers/tools/exclusions.d.ts +12 -12
  34. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  35. package/dist/analyzers/tools/exclusions.js +27 -13
  36. package/dist/analyzers/tools/exclusions.js.map +1 -1
  37. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  38. package/dist/analyzers/tools/generic.js +52 -14
  39. package/dist/analyzers/tools/generic.js.map +1 -1
  40. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  41. package/dist/analyzers/tools/gitleaks.js +28 -3
  42. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  43. package/dist/analyzers/tools/graphify.d.ts +39 -5
  44. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  45. package/dist/analyzers/tools/graphify.js +609 -45
  46. package/dist/analyzers/tools/graphify.js.map +1 -1
  47. package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
  48. package/dist/analyzers/tools/grep-secrets.js +1 -1
  49. package/dist/analyzers/tools/grep-secrets.js.map +1 -1
  50. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  51. package/dist/analyzers/tools/jscpd.js +2 -1
  52. package/dist/analyzers/tools/jscpd.js.map +1 -1
  53. package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
  54. package/dist/analyzers/tools/nuget-package-reference.js +4 -4
  55. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
  56. package/dist/analyzers/tools/osv-scanner-deps.js +1 -1
  57. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
  58. package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
  59. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  60. package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
  61. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  62. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  63. package/dist/analyzers/tools/parallel.js +7 -0
  64. package/dist/analyzers/tools/parallel.js.map +1 -1
  65. package/dist/analyzers/tools/runner.d.ts +35 -2
  66. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  67. package/dist/analyzers/tools/runner.js +112 -3
  68. package/dist/analyzers/tools/runner.js.map +1 -1
  69. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  70. package/dist/analyzers/tools/semgrep.js +3 -1
  71. package/dist/analyzers/tools/semgrep.js.map +1 -1
  72. package/dist/analyzers/tools/tool-registry.d.ts +18 -0
  73. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  74. package/dist/analyzers/tools/tool-registry.js +140 -53
  75. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  76. package/dist/analyzers/tools/tools-config.d.ts +46 -0
  77. package/dist/analyzers/tools/tools-config.d.ts.map +1 -0
  78. package/dist/analyzers/tools/tools-config.js +129 -0
  79. package/dist/analyzers/tools/tools-config.js.map +1 -0
  80. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
  81. package/dist/analyzers/tools/vendored-advisor.js +3 -4
  82. package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
  83. package/dist/analyzers/tools/walk-source-files.d.ts +8 -0
  84. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
  85. package/dist/analyzers/tools/walk-source-files.js +49 -4
  86. package/dist/analyzers/tools/walk-source-files.js.map +1 -1
  87. package/dist/analyzers/xlsx/licenses.d.ts +7 -7
  88. package/dist/analyzers/xlsx/licenses.js +7 -7
  89. package/dist/baseline/baseline-file.d.ts +8 -0
  90. package/dist/baseline/baseline-file.d.ts.map +1 -1
  91. package/dist/baseline/baseline-file.js.map +1 -1
  92. package/dist/baseline/check-renderers.d.ts.map +1 -1
  93. package/dist/baseline/check-renderers.js +10 -0
  94. package/dist/baseline/check-renderers.js.map +1 -1
  95. package/dist/baseline/check.d.ts +7 -0
  96. package/dist/baseline/check.d.ts.map +1 -1
  97. package/dist/baseline/check.js +2 -0
  98. package/dist/baseline/check.js.map +1 -1
  99. package/dist/baseline/coverage.d.ts +57 -0
  100. package/dist/baseline/coverage.d.ts.map +1 -0
  101. package/dist/baseline/coverage.js +62 -0
  102. package/dist/baseline/coverage.js.map +1 -0
  103. package/dist/baseline/create.d.ts +13 -0
  104. package/dist/baseline/create.d.ts.map +1 -1
  105. package/dist/baseline/create.js +21 -0
  106. package/dist/baseline/create.js.map +1 -1
  107. package/dist/cli.d.ts.map +1 -1
  108. package/dist/cli.js +123 -4
  109. package/dist/cli.js.map +1 -1
  110. package/dist/dashboard/graph-adapter.d.ts +151 -0
  111. package/dist/dashboard/graph-adapter.d.ts.map +1 -0
  112. package/dist/dashboard/graph-adapter.js +415 -0
  113. package/dist/dashboard/graph-adapter.js.map +1 -0
  114. package/dist/dashboard/graph-tab.d.ts +109 -0
  115. package/dist/dashboard/graph-tab.d.ts.map +1 -0
  116. package/dist/dashboard/graph-tab.js +297 -0
  117. package/dist/dashboard/graph-tab.js.map +1 -0
  118. package/dist/dashboard/vendor/vis-network.min.js +34 -0
  119. package/dist/doctor.d.ts.map +1 -1
  120. package/dist/doctor.js +6 -7
  121. package/dist/doctor.js.map +1 -1
  122. package/dist/explore/cli/api-surface.d.ts +12 -0
  123. package/dist/explore/cli/api-surface.d.ts.map +1 -0
  124. package/dist/explore/cli/api-surface.js +57 -0
  125. package/dist/explore/cli/api-surface.js.map +1 -0
  126. package/dist/explore/cli/communities.d.ts +10 -0
  127. package/dist/explore/cli/communities.d.ts.map +1 -0
  128. package/dist/explore/cli/communities.js +47 -0
  129. package/dist/explore/cli/communities.js.map +1 -0
  130. package/dist/explore/cli/context.d.ts +16 -0
  131. package/dist/explore/cli/context.d.ts.map +1 -0
  132. package/dist/explore/cli/context.js +118 -0
  133. package/dist/explore/cli/context.js.map +1 -0
  134. package/dist/explore/cli/entry-points.d.ts +12 -0
  135. package/dist/explore/cli/entry-points.d.ts.map +1 -0
  136. package/dist/explore/cli/entry-points.js +85 -0
  137. package/dist/explore/cli/entry-points.js.map +1 -0
  138. package/dist/explore/cli/feature.d.ts +16 -0
  139. package/dist/explore/cli/feature.d.ts.map +1 -0
  140. package/dist/explore/cli/feature.js +89 -0
  141. package/dist/explore/cli/feature.js.map +1 -0
  142. package/dist/explore/cli/file.d.ts +12 -0
  143. package/dist/explore/cli/file.d.ts.map +1 -0
  144. package/dist/explore/cli/file.js +139 -0
  145. package/dist/explore/cli/file.js.map +1 -0
  146. package/dist/explore/cli/hot-files.d.ts +11 -0
  147. package/dist/explore/cli/hot-files.d.ts.map +1 -0
  148. package/dist/explore/cli/hot-files.js +63 -0
  149. package/dist/explore/cli/hot-files.js.map +1 -0
  150. package/dist/explore/context-hook.d.ts +42 -0
  151. package/dist/explore/context-hook.d.ts.map +1 -0
  152. package/dist/explore/context-hook.js +131 -0
  153. package/dist/explore/context-hook.js.map +1 -0
  154. package/dist/explore/finding-context.d.ts +69 -0
  155. package/dist/explore/finding-context.d.ts.map +1 -0
  156. package/dist/explore/finding-context.js +102 -0
  157. package/dist/explore/finding-context.js.map +1 -0
  158. package/dist/explore/format.d.ts +64 -0
  159. package/dist/explore/format.d.ts.map +1 -0
  160. package/dist/explore/format.js +99 -0
  161. package/dist/explore/format.js.map +1 -0
  162. package/dist/explore/load.d.ts +50 -0
  163. package/dist/explore/load.d.ts.map +1 -0
  164. package/dist/explore/load.js +197 -0
  165. package/dist/explore/load.js.map +1 -0
  166. package/dist/explore/queries.d.ts +413 -0
  167. package/dist/explore/queries.d.ts.map +1 -0
  168. package/dist/explore/queries.js +855 -0
  169. package/dist/explore/queries.js.map +1 -0
  170. package/dist/explore/types.d.ts +130 -0
  171. package/dist/explore/types.d.ts.map +1 -0
  172. package/dist/explore/types.js +28 -0
  173. package/dist/explore/types.js.map +1 -0
  174. package/dist/explore-cli.d.ts +45 -0
  175. package/dist/explore-cli.d.ts.map +1 -0
  176. package/dist/explore-cli.js +213 -0
  177. package/dist/explore-cli.js.map +1 -0
  178. package/dist/generator.d.ts.map +1 -1
  179. package/dist/generator.js +19 -0
  180. package/dist/generator.js.map +1 -1
  181. package/dist/languages/csharp.d.ts.map +1 -1
  182. package/dist/languages/csharp.js +58 -26
  183. package/dist/languages/csharp.js.map +1 -1
  184. package/dist/languages/go.d.ts.map +1 -1
  185. package/dist/languages/go.js +17 -14
  186. package/dist/languages/go.js.map +1 -1
  187. package/dist/languages/index.d.ts +27 -0
  188. package/dist/languages/index.d.ts.map +1 -1
  189. package/dist/languages/index.js +35 -0
  190. package/dist/languages/index.js.map +1 -1
  191. package/dist/languages/java.d.ts.map +1 -1
  192. package/dist/languages/java.js +13 -10
  193. package/dist/languages/java.js.map +1 -1
  194. package/dist/languages/kotlin.d.ts.map +1 -1
  195. package/dist/languages/kotlin.js +13 -10
  196. package/dist/languages/kotlin.js.map +1 -1
  197. package/dist/languages/python.d.ts.map +1 -1
  198. package/dist/languages/python.js +31 -20
  199. package/dist/languages/python.js.map +1 -1
  200. package/dist/languages/ruby.d.ts.map +1 -1
  201. package/dist/languages/ruby.js +30 -16
  202. package/dist/languages/ruby.js.map +1 -1
  203. package/dist/languages/rust.d.ts.map +1 -1
  204. package/dist/languages/rust.js +16 -13
  205. package/dist/languages/rust.js.map +1 -1
  206. package/dist/languages/types.d.ts +54 -0
  207. package/dist/languages/types.d.ts.map +1 -1
  208. package/dist/languages/typescript.d.ts.map +1 -1
  209. package/dist/languages/typescript.js +22 -19
  210. package/dist/languages/typescript.js.map +1 -1
  211. package/dist/tools-cli.d.ts.map +1 -1
  212. package/dist/tools-cli.js +10 -4
  213. package/dist/tools-cli.js.map +1 -1
  214. package/dist/upgrade.js +2 -2
  215. package/dist/upgrade.js.map +1 -1
  216. package/package.json +2 -1
  217. package/templates/.claude/skills/dxkit-action/SKILL.md +21 -1
  218. package/templates/.claude/skills/dxkit-config/SKILL.md +26 -0
  219. package/templates/.claude/skills/dxkit-fix/SKILL.md +10 -0
  220. package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
  221. package/templates/AGENTS.md.template +8 -1
package/README.md CHANGED
@@ -1,12 +1,14 @@
1
1
  # dxkit
2
2
 
3
- **AI-native developer experience toolkit for any codebase.**
3
+ **AI writes the code. dxkit helps ship it clean.**
4
4
 
5
- Make your existing codebase safe for Claude Code, Codex, and other AI
6
- coding agents. Equip the agent with repo-native context. Guard every
7
- commit and PR with deterministic checks. **One command scaffolds the
8
- agent DX; one baseline turns on the guardrails.** Works across major
9
- language stacks, greenfield or brownfield.
5
+ _Deterministic guardrails for any codebase. Brownfield-friendly by default._
6
+
7
+ dxkit scores your codebase deterministically, baselines today's findings, and gates every push against net-new regressions. It ships conversational skills that walk agents (and humans) through fixes. Existing tech debt stays grandfathered. Nothing runs on an LLM. Everything runs locally.
8
+
9
+ <p align="center">
10
+ <img src=".github/assets/guardrail-demo.gif" width="760" alt="A git push blocked by the dxkit pre-push guardrail: 2 net-new regressions block the push while 644 pre-existing findings stay grandfathered." />
11
+ </p>
10
12
 
11
13
  ```bash
12
14
  npm init @vyuhlabs/dxkit
@@ -18,98 +20,73 @@ npm init @vyuhlabs/dxkit
18
20
  </a>
19
21
  <img alt="license" src="https://img.shields.io/github/license/vyuh-labs/dxkit">
20
22
  <img alt="deterministic" src="https://img.shields.io/badge/scoring-deterministic-blue">
21
- <img alt="local-first" src="https://img.shields.io/badge/local-first-green">
22
23
  <img alt="brownfield" src="https://img.shields.io/badge/brownfield-baseline%20guardrails-orange">
23
- <img alt="agentic" src="https://img.shields.io/badge/agentic-ready-purple">
24
+ <img alt="local-first" src="https://img.shields.io/badge/local-first-green">
24
25
  </p>
25
26
 
26
27
  ---
27
28
 
28
29
  ## The problem
29
30
 
30
- AI coding agents are powerful, but shipping their work safely is hard:
31
+ Codebases drift downward in slow ways that tests do not catch.
32
+
33
+ A typical Friday. Your team ships a fix. CI passes. Review approves. Two weeks later, an auditor finds a new hardcoded secret in the diff, three new untested branches, and a previously-clean file that grew to 800 lines with three TODOs sprinkled in. None of it failed a test, because no test covered those things.
34
+
35
+ Now multiply this by every AI agent your team uses. Agents write more code than humans can review. Some of it is fine. Some of it is slop that looks fine but quietly degrades the codebase.
36
+
37
+ The conventional fix is "block any new finding via static analysis." That fails on real codebases for a predictable reason:
31
38
 
32
- - The agent's environment isn't reproducible different machine,
33
- different result.
34
- - The agent has no project-specific context — your conventions are
35
- tribal knowledge it can't access.
36
- - Strict gates assume a clean codebase. Real codebases have years of
37
- debt, and absolute gates either get disabled or block every PR.
38
- - Most "AI code review" tools rely on another LLM to grade the work —
39
- non-deterministic, gameable, and a black box.
40
- - Bad agent changes silently land because the only enforcement is
41
- human attention.
39
+ - Block every finding, and your 5-year-old repo lights up with hundreds of pre-existing issues. The team disables the gate within a week.
40
+ - Block no findings, and the gate is theater. Nothing changes.
42
41
 
43
- dxkit closes that loop end-to-end, deterministically, with no LLM in
44
- the grading path.
42
+ You need an objective gate that only fires on what is actually new. That is the gap dxkit fills.
45
43
 
46
44
  ---
47
45
 
48
- ## What `npm init @vyuhlabs/dxkit` creates
46
+ ## How dxkit solves it
49
47
 
50
- ```bash
51
- npm init @vyuhlabs/dxkit
52
- ```
48
+ Three ideas working together.
53
49
 
54
- This collapses install + scaffold into a single command: it installs
55
- `@vyuhlabs/dxkit` as a devDep and runs `vyuh-dxkit init --full --yes`.
56
- The full install lands a coordinated set of pieces:
50
+ ### 1. Capture today's state as a baseline
57
51
 
58
- ```text
59
- .devcontainer/ Reproducible environment — per-stack pinned
60
- toolchains (only the languages your project
61
- uses), dxkit's scanner toolchain auto-installed,
62
- install scripts for AI agent CLIs (auth stays
63
- user-owned).
64
- .githooks/ pre-push guardrail hook (pre-commit opt-in via
65
- --with-precommit-hook). Postinstall auto-
66
- activates `core.hooksPath` so teammates who
67
- clone + `npm install` get hooks wired too.
68
- .github/workflows/ PR-gate workflow + post-merge baseline-refresh
69
- workflow (refresh runs only after the PR-gate
70
- passes — see "Safety + trust" below).
71
- AGENTS.md Open-standard project context file read by
72
- Claude Code, Codex, Cursor, Aider, and any
73
- AGENTS.md-compliant agent.
74
- CLAUDE.md Claude Code shim that points at AGENTS.md.
75
- .claude/skills/ Nine dxkit-* skills covering the full lifecycle:
76
- learn / init / config / hooks / reports /
77
- action / fix / update / onboard. Claude Code
78
- auto-discovers via skill frontmatter.
79
- .dxkit/ reports, baselines, and (optional) policy.
80
- .vyuh-dxkit.json install manifest.
81
- ```
52
+ Before dxkit blocks anything, it snapshots every existing finding in your repo and fingerprints them. The fingerprints survive renames, line shifts from formatter runs, and small unrelated edits. Cross-tool overlaps (gitleaks and semgrep flagging the same line) collapse to one finding.
82
53
 
83
- After install:
54
+ From this moment forward, the gate only fires on net-new regressions. Your existing debt is grandfathered. The team fixes old issues at their own pace. The gate stays useful because it stays reasonable.
84
55
 
85
- ```bash
86
- vyuh-dxkit baseline create # capture today's state
87
- git add .dxkit/baselines/main.json .githooks .github/workflows/dxkit-*.yml
88
- git commit -m "chore: enable dxkit guardrails"
89
- ```
56
+ Three modes for the baseline file:
90
57
 
91
- From this point:
58
+ - `committed-full`: rich entries committed to git. Default for private repos.
59
+ - `committed-sanitized`: stripped to fingerprint plus kind. For compliance-conscious teams.
60
+ - `ref-based`: no committed file at all. Prior side recomputed from a git ref via `git worktree add`. Default for public repos. Zero disclosure surface.
92
61
 
93
- - Every push runs the full guardrail check (pre-commit hook is
94
- opt-in via `--with-precommit-hook` — slow on large repos until
95
- scoped incremental scanning lands).
96
- - Every PR is gated by GitHub Actions, which posts a markdown summary
97
- as a comment.
98
- - After the PR-gate workflow passes and the PR merges, the baseline
99
- is refreshed so the next PR is gated against the up-to-date state.
62
+ ### 2. Score the codebase deterministically
100
63
 
101
- Bypass + disable mechanisms:
64
+ dxkit produces a 0 to 100 score across six dimensions: Security, Code Quality, Tests, Documentation, Maintainability, Developer Experience.
102
65
 
103
- ```bash
104
- DXKIT_SKIP_HOOKS=1 git push ... # one-off bypass
105
- git push --no-verify ... # standard git bypass
106
- git config --unset core.hooksPath # disable all dxkit hooks (per-clone)
107
- rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
66
+ The score has four properties:
67
+
68
+ | Property | What it means |
69
+ | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
70
+ | **Deterministic** | Same code yields the same score every time. No LLM in the grading path. Reproducible across machines, runs, and CI. Auditable. |
71
+ | **Comparable** | Two codebases of similar quality produce similar scores. Surface tricks do not move the needle. Adding empty comments does not improve Documentation if the code is not actually documented. |
72
+ | **Severity-weighted** | A critical security finding moves the score far more than a TODO comment. Penalties are anchored to real-world impact via CVSS for security and ratio thresholds for tests, coverage, file size, and other dimensions. |
73
+ | **Actionable** | Every deduction names the file, the line, and the recommended fix. Output is structured JSON. Agents and humans read the same thing. The "what to do next" lives in the score itself. |
74
+
75
+ ### 3. Fix findings at reduced token cost
76
+
77
+ Detection is only half the job. dxkit builds a deterministic code graph of the repo (its symbols, call edges, and clustered modules), so fixing is cheap too. A coding agent works from that structure ("what calls this? what breaks if I change it?") instead of re-reading whole files, and every finding in a detailed report already carries its blast radius: the files that depend on it. The `dxkit-action` skill runs the fix, re-scores, and confirms the gate clears. Same result, far fewer tokens.
78
+
79
+ ### What you get from the combination
80
+
81
+ A score on its own is a number. A baseline on its own grandfathers the past. Together they produce an objective stop signal you can trust.
82
+
83
+ ```text
84
+ Today: 16/100 E 644 findings, all baselined
85
+ Next PR: 16/100 E 644 persisted, 0 new. Gate passes.
86
+ Bad PR: 14/100 E 644 persisted, 2 new high-severity. Gate blocks.
108
87
  ```
109
88
 
110
- > **Additive by default.** Existing hooks, devcontainer, or workflows
111
- > are never destroyed. dxkit detects them and writes sidecar `.dxkit`
112
- > files with merge instructions. `--force` overrides if you want.
89
+ The score does not lie. The baseline keeps it useful on real codebases. The combination works the same for humans, AI agents, and CI runners. That is the part that scales. And once the gate fires, the code graph makes acting on it cheap: agents fix from the structure rather than reading file after file.
113
90
 
114
91
  ---
115
92
 
@@ -117,479 +94,251 @@ rm .githooks/pre-commit # disable just pre-commit (keep pre-push)
117
94
 
118
95
  ```text
119
96
  $ npm init @vyuhlabs/dxkit
120
- ✓ Created: 11 files (AGENTS.md, CLAUDE.md, .claude/skills/dxkit-*, ...)
97
+ ✓ Created: 14 files
121
98
  ✓ Git hooks: installed 1 file(s)
99
+ .githooks/pre-push
122
100
  ✓ Devcontainer: installed 3 file(s)
123
101
  ✓ CI guardrails workflow: installed 1 file(s)
124
- ✓ CI baseline-refresh workflow: installed 1 file(s)
125
-
126
- $ vyuh-dxkit baseline create
127
- ✓ Wrote .dxkit/baselines/main.json — 89 findings (32s)
128
- ```
102
+ .github/workflows/dxkit-guardrails.yml
103
+ ✓ Done! Claude Code now has full project context.
104
+ Next: run `vyuh-dxkit baseline create` to capture today's state.
129
105
 
130
- Your AI agent has access to dxkit's reports and the nine lifecycle
131
- skills that init scaffolded. A typical request to the agent:
106
+ $ npx vyuh-dxkit baseline create
107
+ Baseline mode=committed-full (auto: visibility not detectable via gh; defaulting to private posture)
108
+ ✓ Wrote .dxkit/baselines/main.json — 644 findings, salt: deterministic (208.9s)
132
109
 
133
- ```text
134
- Read the latest dxkit health report. Pick one safe quality
135
- improvement. Apply the change. Then run `vyuh-dxkit guardrail check`
136
- to confirm nothing regressed. Show me what you did.
110
+ $ npx vyuh-dxkit guardrail check
111
+ ## Guardrail: PASSED
112
+ No changes from baseline (644 pairs checked).
137
113
  ```
138
114
 
139
- The agent introduces a change that breaks the guardrail:
115
+ Later, an innocent-looking PR slips in a regression. The pre-push hook fires:
140
116
 
141
117
  ```text
142
- $ vyuh-dxkit guardrail check
143
- Guardrail BLOCKED 2 new regressions
144
-
145
- Baseline: .dxkit/baselines/main.json (89 findings)
146
- Current: 91 findings · matcher: git-aware
147
-
148
- Blocking (2)
149
- ADDED [medium] large-file src/regression.ts
150
- no-prior-match: identity fingerprint not present in the baseline
151
- ADDED [medium] test-gap src/regression.ts
152
- no-prior-match: identity fingerprint not present in the baseline
153
-
154
- Summary
155
- Pairs: 91 (blocking: 2, warning: 0, persisted: 89, resolved: 0)
156
- Verdict: BLOCKED
157
- Exit: 1
118
+ $ git push
119
+ [hook] vyuh-dxkit guardrail check
120
+ ## Guardrail: BLOCKED
121
+ 2 new regressions found.
122
+
123
+ | Status | Kind | Severity | Location | Reason |
124
+ |---|---|---|---|---|
125
+ | added | secret | high | src/config/secrets.ts:42 | gitleaks/aws-access-key |
126
+ | added | code | medium | src/handlers/exec.ts:17 | semgrep/eval-use |
127
+
128
+ 644 pre-existing findings persisted. Only the new changes blocked you.
129
+ Fix or allowlist with `npx vyuh-dxkit allowlist add ...`
158
130
  ```
159
131
 
160
- The agent reads the failure, fixes it, and re-runs:
161
-
162
- ```text
163
- $ vyuh-dxkit guardrail check
164
- Guardrail PASSED — 0 new regressions
165
-
166
- Summary
167
- Pairs: 89 (blocking: 0, warning: 0, persisted: 89, resolved: 0)
168
- Verdict: PASSED
169
- Exit: 0
170
- ```
132
+ The 644 pre-existing findings sit quietly. The 2 net-new ones stop the push.
171
133
 
172
134
  ---
173
135
 
174
- ## Quickstart
136
+ ## Features
175
137
 
176
- ```bash
177
- # Canonical first install — collapses install + scaffold into one step
178
- npm init @vyuhlabs/dxkit
179
-
180
- # Or install dxkit globally + scaffold manually
181
- npm install -g @vyuhlabs/dxkit
182
- vyuh-dxkit init --full
183
- vyuh-dxkit baseline create
184
- vyuh-dxkit guardrail check --changed-only
185
-
186
- # Upgrade an existing install later
187
- vyuh-dxkit upgrade # plan + execute combined
188
- ```
189
-
190
- À la carte if you only want specific pieces:
191
-
192
- ```bash
193
- vyuh-dxkit init --with-dxkit-agents # just the nine dxkit-* skills + AGENTS.md
194
- vyuh-dxkit init --with-hooks # just the pre-push hook
195
- vyuh-dxkit init --with-precommit-hook # add the pre-commit hook (opt-in; slow on large repos)
196
- vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
197
- vyuh-dxkit init --with-ci # just the PR-gate workflow
198
- vyuh-dxkit init --with-baseline-refresh # just the auto-refresh
199
- vyuh-dxkit init --with-pr-review # AI PR-review workflow (opt-in, needs API key)
200
- ```
201
-
202
- Post-install, two more CLIs polish the safety surface:
138
+ ### Eight first-class language packs
203
139
 
204
- ```bash
205
- vyuh-dxkit setup-branch-protection # mark dxkit-guardrails as required check on default branch
206
- vyuh-dxkit setup-prebuild # configure Codespaces prebuild (cold-start ~7 min → ~30s)
207
- ```
140
+ TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby. Each pack ships per-ecosystem analyzers: semgrep rulesets, dep-vuln scanners, license tools, lint adapters. Polyglot repos get unified reports without configuration.
208
141
 
209
- ---
142
+ <details>
143
+ <summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
210
144
 
211
- ## Baseline mode: greenfield to 10-year-old codebases
145
+ | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
146
+ | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
147
+ | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
148
+ | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
149
+ | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
150
+ | Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
151
+ | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
152
+ | Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
153
+ | Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
154
+ | Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
212
155
 
213
- Real codebases are messy. dxkit doesn't ask whether your repo is
214
- perfect it asks whether each change made it worse.
156
+ ¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
157
+ file-level resolver is a no-op. Downstream analyses that need an edge graph
158
+ (reachability, import-graph test-gap credit) degrade to conservative
159
+ defaults for those packs. Resolvers are tracked on the [roadmap](docs/roadmap.md).
215
160
 
216
- | | **Greenfield day 1** | **Brownfield (years of debt)** |
217
- | ---------------- | -------------------------------------- | --------------------------------------------------------- |
218
- | Baseline | Captured near zero | Captures today's debt as the floor |
219
- | Behavior | Every regression matters from commit 1 | Existing debt is grandfathered; net-new regressions block |
220
- | Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
161
+ ² C# uses `dotnet-format` for formatting violations only. A real
162
+ severity-tiered C# linter (Roslyn analyzers or StyleCop) is on the
163
+ roadmap. Today every C# formatting violation is counted at `low` tier
164
+ so it does not inflate the Code Quality score.
221
165
 
222
- The classifier distinguishes:
166
+ </details>
223
167
 
224
- | Status | Meaning | Default |
225
- | ------------------- | ----------------------------------------- | ---------- |
226
- | `added` | Net-new finding introduced by this change | **blocks** |
227
- | `relocated` | Same finding, moved (line drift, rename) | passes |
228
- | `persisted` | Same finding, same place — pre-existing | passes |
229
- | `removed` / `fixed` | Was there, now gone | passes |
230
- | `tooling_drift` | New only because scanner version changed | warns |
231
- | `config_drift` | New only because dxkit config changed | warns |
232
- | `uncertain` | Below confidence threshold | warns |
168
+ ### The matcher
233
169
 
234
- Customize via [`.dxkit/policy.json`](docs/configuration/policy.md)
235
- auto-discovered when present, compiled-in defaults otherwise.
170
+ Multi-axis fingerprints (location, domain, content, semantic) pair findings across runs even when files were renamed, lines shifted, tools changed versions, or the branch was force-pushed. When location fails, the matcher falls back to git-aware diff lookup, then content hash, then identity-only multiset match. Every pair carries a confidence score and a reason chain.
236
171
 
237
- ### Baseline modes — public vs private repos
172
+ ### Per-finding suppression
238
173
 
239
- The baseline file is committed to git. On public repos that
240
- disclosure surface matters: a `committed-full` baseline tells anyone
241
- reading the repo which file/line each finding lives on, which
242
- private packages you depend on, and which advisory IDs you're
243
- sitting on unpatched. dxkit ships three modes:
174
+ Five typed categories: `false-positive`, `test-fixture`, `mitigated-externally`, `accepted-risk`, `deferred`. Each entry requires a reason. Categories that fade over time require an expiry.
244
175
 
245
- | Mode | On-disk content | Auto-default for |
246
- | --------------------- | -------------------------------------------------------- | ---------------- |
247
- | `committed-full` | Rich entries (file/line/rule/package/advisory) | private repos |
248
- | `committed-sanitized` | Stripped to `{ id, kind }` per finding | opt-in |
249
- | `ref-based` | No file — guardrail recomputes prior side from a git ref | public repos |
176
+ Two surfaces:
250
177
 
251
- `vyuh-dxkit baseline create` auto-picks via
252
- `gh repo view --json visibility`. Pin the choice repo-wide in
253
- `.dxkit/policy.json`:
178
+ - Inline annotations: `// dxkit-allow:test-fixture reason="example placeholder"`
179
+ - File-level: `.dxkit/allowlist.json`, audited via `vyuh-dxkit allowlist audit`
254
180
 
255
- ```json
256
- { "baseline": { "mode": "ref-based", "ref": "origin/main" } }
257
- ```
181
+ Orphaned annotations become their own findings. The TypeScript `@ts-expect-error` model applied to suppressions. Prevents the graveyard of stale allowlist entries.
258
182
 
259
- The cross-run matching contract (fingerprint identity) is identical
260
- across all three modes — sanitization only strips human-readable
261
- locators, it doesn't change which findings pair across runs. See
262
- [docs/commands/baseline.md](docs/commands/baseline.md#modes) for the
263
- full trade-off discussion.
183
+ ### AI-agent integration
264
184
 
265
- ---
185
+ dxkit ships nine Claude Code skills under `.claude/skills/dxkit-*`. They wrap the CLI in conversational flows:
266
186
 
267
- ## Allowlist: per-finding suppression
187
+ | Skill | What it does |
188
+ | -------------------------------------------------------------------------- | ----------------------------------------------------------------------- |
189
+ | `dxkit-onboard` | Walks a customer through the full first-install journey |
190
+ | `dxkit-reports` | Runs analyzers and explains the output |
191
+ | `dxkit-action` | Reads a report, prioritizes findings, plans and runs fixes, re-verifies |
192
+ | `dxkit-fix` | Repairs a broken install from doctor output |
193
+ | `dxkit-hooks`, `dxkit-config`, `dxkit-learn`, `dxkit-update`, `dxkit-init` | Focused flows |
268
194
 
269
- The baseline handles codebase-wide brownfield acceptance ("today's
270
- mess is grandfathered; tomorrow's must be net-new improvement").
271
- For per-finding decisions — false positives, intentional test
272
- fixtures, externally-mitigated risks, deliberately deferred work —
273
- use the [allowlist](docs/commands/allowlist.md).
195
+ `AGENTS.md` (the open standard read by Codex, Cursor, Aider, and others) also ships in every install. The skill flows are Claude Code-specific today; the AGENTS.md context is portable.
274
196
 
275
- Five typed categories signal **why** a finding is suppressed:
197
+ Why this matters for AI workflows: when an agent fixes a bug, you need an objective signal that says "yes, fixed cleanly" or "fix introduced four new regressions." dxkit's deterministic score plus baseline guardrail produces that signal. The agent reads the same JSON envelope a human reads, runs the verify step itself, and stops when clean.
276
198
 
277
- | Category | Meaning | Expiry |
278
- | ---------------------- | ------------------------------------------------- | ------------------------------ |
279
- | `false-positive` | Scanner is wrong about this finding | Optional |
280
- | `test-fixture` | Intentional pattern in fixture / test code | Optional |
281
- | `mitigated-externally` | Real risk neutralized at runtime (WAF, env, etc.) | Optional |
282
- | `accepted-risk` | Real risk, team accepts, signed off | **Required** (default 90 days) |
283
- | `deferred` | Real, will fix later, tracked work | **Required** |
199
+ ### Code-graph context: fix at reduced token cost
284
200
 
285
- Two surfaces. Inline annotation for source-anchored findings:
201
+ dxkit builds a deterministic code graph of your repo (its symbols, call edges, and clustered modules) using graphify (the `graphifyy` Python package). What matters is what an agent does with it. Instead of discovering structure by grepping around and reading whole files, the agent gets just the relevant slice:
286
202
 
287
- ```python
288
- api_key = "sk_test_xxxx" # dxkit-allow:test-fixture reason="placeholder in unit test"
289
- ```
203
+ - **`vyuh-dxkit context <query>`** (and an opt-in PreToolUse hook) hand an agent a slim structural map: the relevant symbols, where they live, and what calls them. It navigates by the graph instead of re-reading files, which is the same work at a fraction of the tokens.
204
+ - **`--graph-context`** writes each finding's module and blast radius (which files call into it) straight into the detailed report, so the `dxkit-action` fix skill can plan the change, and know which callers to re-test, without rediscovering structure first.
205
+ - **`vyuh-dxkit explore`** and a dashboard graph tab let humans ask the same graph what the repo does, where a feature lives, and which files are load-bearing.
290
206
 
291
- File-level (`.dxkit/allowlist.json`) for cross-file findings or any
292
- suppression that needs an expiry. New entries appear in the PR-
293
- comment automation so reviewers see suppressions being introduced
294
- and can sanity-check the rationale before approving. `audit` /
295
- `prune` subcommands handle stale + soon-to-expire entries.
207
+ This is an additive, fail-open layer. When the graph is missing, or a language's call edges can't be resolved, every command behaves exactly as it did before. It's reliable on TypeScript, Python, and Go. Where the call graph can't be resolved (C#), blast radius is suppressed rather than faked, so a "no callers" reading is never mistaken for "safe to change."
296
208
 
297
- **Strict cleanup**: orphaned `dxkit-allow:` annotations become
298
- `stale-allow` findings on the next scan. dxkit refuses to allowlist
299
- those — the only remediation is to remove the annotation. This is
300
- the TypeScript `@ts-expect-error` pattern: tools that surface their
301
- own stale suppressions force cleanup, preventing the annotation
302
- graveyard.
209
+ ### Reproducible environments
303
210
 
304
- ```bash
305
- # The block message from `guardrail check` prints the exact command
306
- # to paste for any blocked finding — file:line for inline-compatible
307
- # kinds, --fingerprint for everything else.
308
- vyuh-dxkit allowlist add src/auth/oauth.ts:42 \
309
- --category=test-fixture --reason="placeholder in unit test"
211
+ Per-stack devcontainer with only the languages your project uses. Scanner toolchain auto-installed. Install scripts for AI agent CLIs (auth stays user-owned). Codespaces prebuilds wire via `vyuh-dxkit setup-prebuild` so cold-start drops from ~7 minutes to ~30 seconds.
310
212
 
311
- vyuh-dxkit allowlist audit # find stale + soon-to-expire entries
312
- ```
213
+ ### Public-repo safe baselines
313
214
 
314
- See [`vyuh-dxkit allowlist`](docs/commands/allowlist.md) for the
315
- full surface.
215
+ The `ref-based` mode commits no baseline file. The guardrail check recomputes the prior side at check time from a git ref via `git worktree add`. Zero disclosure surface. File paths, package names, and advisory IDs all stay out of git. Auto-picked for public repos via `gh repo view --json visibility`.
316
216
 
317
217
  ---
318
218
 
319
- ## Git-aware identity matching
320
-
321
- A regression check is only useful if the matcher can tell _old issue
322
- that moved_ from _new issue that appeared_. Line numbers alone aren't
323
- stable — add a 20-line comment block at the top of a file and every
324
- issue below it "moves."
325
-
326
- dxkit uses layered identity, in priority order:
327
-
328
- 1. **Domain fingerprints** for entities whose identity is intrinsic:
329
- - dependency vulnerabilities → `(package, version, advisory-id)`
330
- - secrets → `(scanner-rule, fingerprint(value))` so a leaked
331
- token recognises itself when moved
332
- - licenses → `(package, version, license-type)`
333
- - duplicate blocks → normalized content hash
334
- 2. **Location fingerprints** with a 3-line bucket for code findings.
335
- 3. **Git-aware line mapping** across commits, including `-M` file
336
- renames and ±2 line fuzz windows.
337
- 4. **Content-hash fallback** when git history isn't reachable
338
- (shallow clones, archived snapshots).
339
-
340
- Every match pair carries a **confidence in [0, 1]** and structured
341
- **reasons** (`exact-id`, `git-line-exact`, `git-line-fuzz`,
342
- `git-rename`, `content-hash`, ...). No LLM in the grading path —
343
- the matcher and classifier are deterministic over normalized
344
- analyzer input; the same inputs produce the same classifications.
345
-
346
- ---
219
+ ## Quickstart
347
220
 
348
- ## Reproducible environment
221
+ ```bash
222
+ # Canonical first install
223
+ npm init @vyuhlabs/dxkit
349
224
 
350
- Agents need a stable environment to be reliable. `init --with-devcontainer`
351
- generates a Codespaces-ready setup:
225
+ # Capture today's state
226
+ npx vyuh-dxkit baseline create
352
227
 
353
- - Pinned language toolchains (Node 22, Python 3.12, Go 1.21, .NET 8,
354
- Ruby 3.3, Java 17, Rust stable) layered via standard devcontainer
355
- features — small image footprint, fast Codespaces prebuild.
356
- - `post-create.sh` runs `vyuh-dxkit tools install --yes` to provision
357
- the scanner toolchain pinned in dxkit's registry (gitleaks, semgrep,
358
- cloc, jscpd, ruff, osv-scanner, and more — language-aware, only the
359
- ones your stack needs).
360
- - Install scripts for the AI coding-agent CLIs you want available
361
- inside the container. The scripts only install the binaries — auth
362
- remains user-owned and is never baked into the image.
363
- - Every piece is a regular script you can edit after install.
228
+ # Verify the install
229
+ npx vyuh-dxkit doctor
364
230
 
365
- ---
231
+ # Commit and ship
232
+ git add . && git commit -m "chore: enable dxkit" && git push
366
233
 
367
- ## What dxkit analyzes
234
+ # Optional but recommended
235
+ npx vyuh-dxkit setup-branch-protection # mark guardrail as required CI check
236
+ npx vyuh-dxkit setup-prebuild # Codespaces prebuild
237
+ ```
368
238
 
369
- Beyond the baseline + guardrail surface, dxkit ships deterministic
370
- analyzers across eight language packs (Python, TypeScript, Go, Rust,
371
- C#, Kotlin, Java, Ruby), with graceful degradation when a tool isn't
372
- available for your stack:
373
-
374
- | Command | Question it answers |
375
- | ----------------- | ------------------------------------------------------------------------------------- |
376
- | `health` | "What's the overall shape of this codebase?" — 6-dimension score |
377
- | `vulnerabilities` | "What security issues are there?" — secrets, SAST, dependency audit, EPSS/KEV context |
378
- | `test-gaps` | "Which untested files are riskiest?" |
379
- | `quality` | "Where's the technical debt + duplication?" |
380
- | `bom` | "Full dependency × license × CVE × upgrade view" (license columns: 5 packs today) |
381
- | `licenses` | "What licenses are in my dependency tree?" (TS, Python, Go, Rust, C# today) |
382
- | `dev-report` | "Who's working on what, where are the hot files?" |
383
- | `dashboard` | "Single HTML view of everything I've run" |
384
- | `report` | Run every analyzer + dashboard in one shot |
385
-
386
- Composable aggregate gates apply to every analyzer:
239
+ À la carte if you only want specific pieces:
387
240
 
388
241
  ```bash
389
- vyuh-dxkit health --fail-on-score 60
390
- vyuh-dxkit vulnerabilities --fail-on-severity high
391
- vyuh-dxkit bom --fail-on-severity critical
242
+ npx vyuh-dxkit init --with-dxkit-agents # just the nine Claude skills + AGENTS.md
243
+ npx vyuh-dxkit init --with-hooks # just the pre-push hook
244
+ npx vyuh-dxkit init --with-precommit-hook # add pre-commit (slow on large repos)
245
+ npx vyuh-dxkit init --with-devcontainer # just the per-stack devcontainer
246
+ npx vyuh-dxkit init --with-ci # just the PR-gate workflow
392
247
  ```
393
248
 
394
- Every `--json` output carries a `schema: 'dxkit.<kind>-report.v1'`
395
- banner so consumers can version-gate.
396
-
397
- <details>
398
- <summary><strong>Per-pack capabilities</strong> (click to expand)</summary>
399
-
400
- | Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
401
- | -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |
402
- | TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
403
- | Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
404
- | Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
405
- | Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
406
- | C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ⚠️ format-only² | ✅ dotnet list --vulnerable |
407
- | Kotlin | gradle/`*.gradle{.kts,}`, `*.kt` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | detekt, osv-scanner (Maven) | ✅ detekt severity | ✅ osv-scanner + OSV.dev (Maven) |
408
- | Java | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML | ⚠️ import statements, extracted only¹ | PMD, osv-scanner (Maven) | ✅ PMD priority tiers | ✅ osv-scanner + OSV.dev (Maven) |
409
- | Ruby | `*.rb` | ✅ SimpleCov JSON | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity | ✅ bundler-audit + osv-scanner (Gemfile.lock) |
249
+ ---
410
250
 
411
- ¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the
412
- file-level resolver is a no-op. Downstream analyses that need an edge graph
413
- (reachability, import-graph test-gap credit) degrade to conservative
414
- defaults for those packs; resolvers are tracked on the roadmap.
251
+ ## What dxkit analyzes
415
252
 
416
- ² C# uses `dotnet-format` for formatting violations only. A real severity-
417
- tiered C# linter (Roslyn analyzers / StyleCop) is roadmap; today every
418
- C# formatting violation is counted at `low` tier so it doesn't inflate
419
- the Quality/Slop score.
253
+ | Dimension | Tools | What it catches |
254
+ | -------------------- | --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
255
+ | Security | gitleaks, semgrep, osv-scanner, npm-audit, pip-audit, govulncheck, cargo-audit, dotnet vulnerable, bundle-audit | Secrets, dep vulnerabilities, insecure patterns, TLS bypass |
256
+ | Code Quality | cloc, jscpd, graphify, lint adapters | File size, duplication, complexity, hygiene markers |
257
+ | Tests | coverage adapters per pack, test-file detector | Missing tests, degraded tests, coverage gaps |
258
+ | Documentation | doc-comment ratio, README presence | Inline doc coverage, project-level docs |
259
+ | Maintainability | graphify call-graph metrics | God files, dead imports, cohesion, communities |
260
+ | Developer Experience | git hook detection, CI workflow detection, manifest presence | Pre-push hooks, CI quality gates, environment reproducibility |
420
261
 
421
- </details>
262
+ Each analyzer reports raw findings. dxkit aggregates, deduplicates across tools, and scores deterministically.
422
263
 
423
264
  ---
424
265
 
425
- ## Why dxkit
426
-
427
- dxkit doesn't try to replace SonarQube, Snyk, Semgrep, GitHub
428
- Advanced Security, Trivy, Gitleaks, or OSV-Scanner. It does three
429
- things they don't:
430
-
431
- 1. **It scaffolds your AI agent.** Most tools find issues; dxkit
432
- _also_ writes the project-context layer (entry-point doc, project
433
- skills, commands, language-specific rules, specialized subagents)
434
- that lets your agent operate on the codebase intelligently.
435
- 2. **It gates at commit time, deterministically.** No LLM in the
436
- grading path. The matcher and classifier are deterministic over
437
- normalized analyzer input.
438
- 3. **It assumes your repo is messy.** Other tools want clean
439
- codebases and block every PR until you fix everything. dxkit
440
- captures the floor, grandfathers existing debt, and only blocks
441
- regressions introduced from here forward — usable on day-one
442
- greenfield and 10-year-old brownfield codebases alike.
443
-
444
- Built on **open methodology**: ISO/IEC 25010, ISO/IEC 5055, SQALE,
445
- CVSS v4 (FIRST reference port), CWE taxonomy, OpenSSF Scorecard.
446
- Scores are evidence-backed and traceable to the findings that
447
- produced them.
266
+ ## Brownfield vs greenfield
448
267
 
449
- ---
268
+ | | Greenfield (day 1) | Brownfield (years of debt) |
269
+ | ---------------- | -------------------------------------- | ------------------------------------------------- |
270
+ | Baseline | Near-zero on capture | Captures today's debt as floor |
271
+ | Behavior | Every regression matters from commit 1 | Existing debt grandfathered; net-new blocks |
272
+ | Cleanup pressure | Stay clean, easily | Improve incrementally; no required cleanup sprint |
450
273
 
451
- ## Real-world validation
274
+ The status taxonomy that drives gate decisions:
452
275
 
453
- The 2.5.0 release was pre-ship audited on three production codebases:
276
+ | Status | Meaning | Default |
277
+ | ------------------- | ----------------------------------------- | ---------- |
278
+ | `added` | Net-new finding introduced by this change | **blocks** |
279
+ | `relocated` | Same finding, moved (line drift, rename) | passes |
280
+ | `persisted` | Same finding, same place. Pre-existing. | passes |
281
+ | `removed` / `fixed` | Was there, now gone | passes |
282
+ | `tooling_drift` | New because scanner version changed | warns |
283
+ | `config_drift` | New because dxkit config changed | warns |
284
+ | `uncertain` | Below confidence threshold | warns |
454
285
 
455
- - TypeScript backend
456
- - TypeScript frontend
457
- - Large .NET WinForms project
286
+ Customize via [`.dxkit/policy.json`](docs/configuration/policy.md).
458
287
 
459
- Across **6,919 baseline findings**, the audit:
288
+ ---
460
289
 
461
- - identified four drift classes between aggregate reports and
462
- per-finding identity sets
463
- - brought roughly **3,000 previously untracked findings into
464
- guardrail coverage**
465
- - matched identity-set counts exactly to report aggregates for
466
- every finding kind
290
+ ## Safety and trust
467
291
 
468
- Details in [`CHANGELOG.md`](CHANGELOG.md#250---2026-05-18).
292
+ - **Local-first.** Every scan runs on the developer's machine. Nothing leaves the repo. No telemetry. No phone-home.
293
+ - **No LLM in the grading path.** Scores come from deterministic analyzers and arithmetic. Reproducible. Auditable. The only way to improve a score is to write better code.
294
+ - **Sigstore provenance.** Every npm release is signed via OIDC from GitHub Actions. Verify with `npm audit signatures`.
295
+ - **Open source.** MIT licensed. Inspect every score derivation.
469
296
 
470
297
  ---
471
298
 
472
- ## Safety + trust
473
-
474
- dxkit is local-first.
475
-
476
- - **No SaaS required.** Your code never leaves the machine.
477
- - **No repo upload.** Analyzers run in-process or shell out to
478
- locally-installed scanners; results stay on disk.
479
- - **Secret values are never written to disk.** dxkit stores a
480
- non-reversible fingerprint for matching only — the scanner sees
481
- the value once and discards it after hashing.
482
- - **Agent auth stays user-owned.** Install scripts ship the CLIs;
483
- authentication happens in your session and is never baked into
484
- the image or stored by dxkit.
485
- - **CI guardrails are the enforcement layer.** Local hooks provide
486
- fast feedback but are bypassable (`git commit --no-verify`); the
487
- GitHub Actions PR-gate runs server-side and can be made a required
488
- check via branch protection.
489
- - **Post-merge baseline refresh is gated.** The refresh workflow
490
- runs only after the PR-gate workflow succeeds on the merging
491
- commit. **Use branch protection to make the PR-gate a required
492
- check** so a bypassed merge can't codify a regression into the
493
- baseline.
299
+ ## Real-world validation
494
300
 
495
- ---
301
+ dxkit ships against pinned production codebases across all eight language packs. Every release runs a cross-stack walkthrough on a polyglot reference repo (TypeScript + Python) and a .NET reference repo before tagging. The cross-stack regression suite is part of CI.
496
302
 
497
- ## Docs
303
+ Recent ship validation (`@vyuhlabs/dxkit@2.6.0`, 2026-05-23):
498
304
 
499
- - [Getting started](docs/getting-started.md)
500
- - [`baseline` command](docs/commands/baseline.md)
501
- - [`guardrail` command](docs/commands/guardrail.md)
502
- - [`.dxkit/policy.json` configuration](docs/configuration/policy.md)
503
- - [Scoring methodology](docs/SCORING.md)
504
- - [Architecture](docs/ARCHITECTURE.md)
505
- - [All commands](docs/README.md)
305
+ - 1904 tests across 110 files
306
+ - License findings dropped 73% on a 600-source-file polyglot codebase after the 2.6 baseline polish
307
+ - New `ref-based` mode verified end-to-end on both reference stacks
506
308
 
507
309
  ---
508
310
 
509
- ## Roadmap
510
-
511
- - [x] Local repo analysis (8 language packs)
512
- - [x] Agent project scaffolding (entry-point doc, skills, commands,
513
- conventions, specialized subagents — single-agent today)
514
- - [x] Optional install scripts for AI coding-agent CLIs in the
515
- devcontainer
516
- - [x] Per-finding fingerprinting + git-aware matching
517
- - [x] Baseline + guardrail commands
518
- - [x] Brownfield policy classifier
519
- - [x] Git hooks (pre-push default; pre-commit opt-in)
520
- - [x] GitHub Actions PR-gate + gated baseline-refresh workflows
521
- - [x] Devcontainer with pinned toolchains
522
- - [x] Nine dxkit-\* skills + AGENTS.md (open-standard, read by every
523
- AGENTS.md-compliant agent — Claude Code, Codex, Cursor, Aider)
524
- - [ ] First-class plugin packaging for the Claude Code marketplace + MCP server for cross-agent reach (2.6, decision-pending)
525
- - [ ] Scoped + incremental scanning — fast pre-commit on monorepos
526
- (2.6)
527
- - [ ] Symbol-level coverage gaps across all 8 packs (2.6)
528
- - [ ] SARIF export for GitHub code scanning interop (2.6)
529
- - [ ] Reachability-aware dep-vuln triage
530
- - [ ] **Per-pack capability parity** — bring every cell in the
531
- capability table to a green tick (2.7 / 3.0):
532
- - Import-graph resolvers for Rust, C#, Kotlin, Java, Ruby
533
- (so reachability + import-graph test-gap credit work for
534
- every pack, not just TS/Python/Go)
535
- - Severity-tiered C# linter (Roslyn analyzers or StyleCop)
536
- - License providers for Kotlin, Java, Ruby
537
- - [ ] AI Readiness banner — semantic anchors, function-body hashes,
538
- cross-file refactor detection (3.0)
311
+ ## Documentation
539
312
 
540
- ---
313
+ **Start here**:
541
314
 
542
- ## Reporting issues
315
+ - [Getting started](docs/getting-started.md): full walkthrough from install to first guardrail check
316
+ - [CHANGELOG](CHANGELOG.md): release notes. Latest is [2.6.0](https://github.com/vyuh-labs/dxkit/releases/tag/v2.6.0)
543
317
 
544
- If a scanner is too noisy, a finding is missing, dxkit itself is
545
- broken, or the docs are unclear, the fastest path to the dxkit team
546
- is the built-in issue subcommand:
318
+ **Depth**:
547
319
 
548
- ```bash
549
- vyuh-dxkit issue --type=false-positive \
550
- --fingerprint=<id> \
551
- --about="the scanner flags my intentional X as a Y"
320
+ - [Why dxkit](docs/why-dxkit.md): rationale, comparison vs SonarQube/Snyk/Semgrep/etc., open methodology
321
+ - [Architecture](docs/ARCHITECTURE.md): data flow, the git-aware matcher, fingerprint axes
322
+ - [Scoring methodology](docs/SCORING.md): how each dimension is computed, citations
323
+ - [Roadmap](docs/roadmap.md): shipped vs planned
552
324
 
553
- vyuh-dxkit issue --type=bug --about="vyuh-dxkit doctor crashes on macOS arm64"
325
+ **Reference**:
554
326
 
555
- vyuh-dxkit issue --type=feature-request --about="add SARIF export"
556
- ```
327
+ - [Command reference](docs/README.md): every subcommand at a glance
328
+ - [`baseline`](docs/commands/baseline.md): capture, show, modes
329
+ - [`guardrail`](docs/commands/guardrail.md): check, classify, render
330
+ - [`allowlist`](docs/commands/allowlist.md): per-finding suppression
331
+ - [`.dxkit/policy.json`](docs/configuration/policy.md): tune what blocks vs warns
332
+ - [Reporting issues](docs/commands/issue.md): `vyuh-dxkit issue --type=...`
557
333
 
558
- It opens a pre-filled [GitHub issue](https://github.com/vyuh-labs/dxkit/issues)
559
- in your browser with dxkit version + platform info already populated.
560
- Nothing is submitted until you click "Submit" — you review the
561
- prefill first. See [`vyuh-dxkit issue`](docs/commands/issue.md) for
562
- the full reference.
334
+ ---
563
335
 
564
336
  ## Contributing
565
337
 
566
- dxkit aims to be the standard agentic-development layer for any
567
- codebase. We'd love help with:
568
-
569
- - Additional language pack support
570
- - Agent-CLI integrations (the 2.6 work)
571
- - Monorepo detection
572
- - Devcontainer templates per stack
573
- - Custom guardrail policies
574
- - SARIF output
575
- - More specialized subagents
576
-
577
- Start with the [contributing guide](CONTRIBUTING.md) and
578
- [good first issues](https://github.com/vyuh-labs/dxkit/labels/good%20first%20issue).
338
+ See [CONTRIBUTING.md](CONTRIBUTING.md). The project follows architectural rules in [CLAUDE.md](CLAUDE.md). Adding a new language pack, a new finding kind, or a new scoring dimension each have one-page recipes.
579
339
 
580
340
  ---
581
341
 
582
342
  ## License
583
343
 
584
344
  MIT. See [LICENSE](LICENSE).
585
-
586
- ---
587
-
588
- ## Try it
589
-
590
- ```bash
591
- npm init @vyuhlabs/dxkit
592
- ```
593
-
594
- If dxkit helps you ship AI-assisted changes more safely, star the
595
- repo — it helps others find it too.