@vyuhlabs/dxkit 2.7.0 → 2.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +122 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +9 -9
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/quality/gather.js +3 -3
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +12 -3
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +2 -2
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +52 -14
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +28 -3
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts +6 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +80 -60
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +2 -1
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
- package/dist/analyzers/tools/runner.d.ts +35 -2
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +112 -3
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +3 -1
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +18 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +140 -53
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-config.d.ts +46 -0
- package/dist/analyzers/tools/tools-config.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-config.js +129 -0
- package/dist/analyzers/tools/tools-config.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +8 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
- package/dist/analyzers/tools/walk-source-files.js +49 -4
- package/dist/analyzers/tools/walk-source-files.js.map +1 -1
- package/dist/baseline/baseline-file.d.ts +8 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +10 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +7 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +2 -0
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/coverage.d.ts +57 -0
- package/dist/baseline/coverage.d.ts.map +1 -0
- package/dist/baseline/coverage.js +62 -0
- package/dist/baseline/coverage.js.map +1 -0
- package/dist/baseline/create.d.ts +13 -0
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +39 -6
- package/dist/baseline/create.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +43 -1
- package/dist/cli.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +8 -7
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/context.d.ts +1 -1
- package/dist/explore/cli/context.d.ts.map +1 -1
- package/dist/explore/cli/context.js +173 -4
- package/dist/explore/cli/context.js.map +1 -1
- package/dist/explore/queries.d.ts +71 -0
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +76 -0
- package/dist/explore/queries.js.map +1 -1
- package/dist/explore/source-slice.d.ts +51 -0
- package/dist/explore/source-slice.d.ts.map +1 -0
- package/dist/explore/source-slice.js +88 -0
- package/dist/explore/source-slice.js.map +1 -0
- package/dist/explore-cli.js +6 -4
- package/dist/explore-cli.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +12 -0
- package/dist/generator.js.map +1 -1
- package/dist/languages/csharp.d.ts +9 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +112 -22
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.js +13 -14
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/java.js +9 -10
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +9 -10
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +27 -20
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +26 -16
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.js +12 -13
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/typescript.js +17 -18
- package/dist/languages/typescript.js.map +1 -1
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +10 -4
- package/dist/tools-cli.js.map +1 -1
- package/dist/upgrade.js +2 -2
- package/dist/upgrade.js.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-config/SKILL.md +26 -0
- package/templates/.claude/skills/dxkit-docs/SKILL.md +148 -0
- package/templates/.claude/skills/dxkit-feature/SKILL.md +189 -0
- package/templates/.claude/skills/dxkit-fix/SKILL.md +10 -0
|
@@ -0,0 +1,189 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: dxkit-feature
|
|
3
|
+
description: Develop a new feature with the code graph as your map — orient cheaply by querying structure instead of reading whole files, implement following the patterns already in the repo, then verify the change did not regress security, tests, or quality before you push. Use when the user says "add a feature", "implement X", "build the Y flow", "where should this live", or otherwise starts net-new development in a dxkit-scaffolded repo.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# dxkit-feature
|
|
7
|
+
|
|
8
|
+
This skill drives forward development — building something new — the way
|
|
9
|
+
`dxkit-action` drives the reverse (fixing what's flagged). Its two jobs:
|
|
10
|
+
|
|
11
|
+
1. **Orient by graph, not by grep.** Use the code graph to find where the
|
|
12
|
+
feature plugs in, what patterns already exist, and what a change will
|
|
13
|
+
touch — at a fraction of the tokens that repeated whole-file reads cost.
|
|
14
|
+
2. **Close the loop a plain coding agent skips.** After the edit, run the
|
|
15
|
+
dxkit analyzers on the change and the guardrail check, so the new feature
|
|
16
|
+
doesn't quietly ship a vuln, a test gap, or a quality regression.
|
|
17
|
+
|
|
18
|
+
## The feature loop
|
|
19
|
+
|
|
20
|
+
```
|
|
21
|
+
[1] Clarify → what's the feature + what does "done" mean
|
|
22
|
+
[2] Orient → query the graph: where it lives, patterns, blast radius
|
|
23
|
+
[3] Plan → ordered edits, reusing the patterns found in [2]
|
|
24
|
+
[4] Build → read only the files the graph named, then implement
|
|
25
|
+
[5] Verify → run the analyzers on the change; confirm nothing regressed
|
|
26
|
+
[6] Decide baseline→ commit, or re-baseline if the change is deliberately accepted
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
Don't skip [2] or [5]. [2] is where the token saving lives; [5] is the whole
|
|
30
|
+
reason to use dxkit for forward work instead of a generic agent.
|
|
31
|
+
|
|
32
|
+
## [2] Orient — query structure before you read files
|
|
33
|
+
|
|
34
|
+
This is the step that differentiates this skill. **Orientation (discovery)
|
|
35
|
+
is where direct agents burn the most tokens** — grep, read a 2,000-line
|
|
36
|
+
file, grep again, read another. The graph answers the same questions from a
|
|
37
|
+
budget-bounded slice instead.
|
|
38
|
+
|
|
39
|
+
Run `health` once first if there's no graph yet (it writes
|
|
40
|
+
`.dxkit/reports/graph.json` as a side effect), then query:
|
|
41
|
+
|
|
42
|
+
```bash
|
|
43
|
+
# "Where is this feature area implemented?" — clusters of matching symbols
|
|
44
|
+
npx vyuh-dxkit explore feature auth
|
|
45
|
+
|
|
46
|
+
# Token-budgeted structural slice for an area you're about to extend:
|
|
47
|
+
# anchor symbol, its callers/callees grouped by module, blast radius
|
|
48
|
+
npx vyuh-dxkit context "checkout session"
|
|
49
|
+
|
|
50
|
+
# Zoom into one symbol's exact neighborhood (curated AST chunk, not the
|
|
51
|
+
# whole file) — read 500 focused lines instead of ingesting 15k
|
|
52
|
+
npx vyuh-dxkit context src/payments/checkout.ts:142
|
|
53
|
+
|
|
54
|
+
# One file's structural neighborhood — symbols, callers, callees, imports
|
|
55
|
+
npx vyuh-dxkit explore file src/payments/checkout.ts
|
|
56
|
+
|
|
57
|
+
# The repo's public API / dead surface — useful when adding an entry point
|
|
58
|
+
npx vyuh-dxkit explore api-surface
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
Use the answers to decide three things before you write anything:
|
|
62
|
+
|
|
63
|
+
- **Where the feature plugs in** — which module/cluster owns this area, so
|
|
64
|
+
the new code lands next to its neighbors rather than in a new island.
|
|
65
|
+
- **Which pattern to copy** — read the anchor symbol the graph points at;
|
|
66
|
+
it's the highest-in-degree example of "how this repo already does X."
|
|
67
|
+
Match its shape (error handling, validation, naming) so the feature reads
|
|
68
|
+
like the surrounding code.
|
|
69
|
+
- **The blast radius** — how many caller files a change to the touched
|
|
70
|
+
symbols reaches. That's your re-test list for step [5].
|
|
71
|
+
|
|
72
|
+
### Honest scope of the graph win (don't oversell it)
|
|
73
|
+
|
|
74
|
+
The reduction is a **navigation-phase win, not an end-to-end multiplier.**
|
|
75
|
+
The graph cuts the cost of *finding and orienting*; the *edit* phase still
|
|
76
|
+
reads the real files you change, and *verification* still runs the real
|
|
77
|
+
analyzers. The win is largest in big, unfamiliar codebases (orientation-by-
|
|
78
|
+
grep is expensive there) and near-zero in a small repo whose relevant files
|
|
79
|
+
already fit in context. Lead with the graph for discovery; then read the
|
|
80
|
+
actual code you're about to modify — `context` is a map, not a substitute
|
|
81
|
+
for the territory.
|
|
82
|
+
|
|
83
|
+
### Three hard rules for graph context (same as dxkit-action)
|
|
84
|
+
|
|
85
|
+
1. **It's a hint, never ground truth.** Confirm the symbol and call sites by
|
|
86
|
+
opening the file before you act on them — the graph stores declaration
|
|
87
|
+
lines, not end lines, and same-name symbols can conflate.
|
|
88
|
+
2. **A blank or `n/a` blast radius is NOT "safe to change".** Languages whose
|
|
89
|
+
call graph dxkit can't fully resolve (C# is the known case) report no
|
|
90
|
+
callers even for heavily-used files. Treat empty as *unknown* — fall back
|
|
91
|
+
to grep/read to find callers before a risky edit. Never read "no callers"
|
|
92
|
+
as "free to rewrite."
|
|
93
|
+
3. **Fall open — the graph is an accelerator, never a dependency.** If
|
|
94
|
+
graphify hasn't built a graph yet, `context` / `explore` print
|
|
95
|
+
`No graph.json … Run vyuh-dxkit health or pass --refresh` and exit
|
|
96
|
+
non-zero (they never crash or hang). Two responses, in order:
|
|
97
|
+
- Build it once: `npx vyuh-dxkit health` writes `graph.json` as a side
|
|
98
|
+
effect, or add `--refresh` to any explore/context call. Do this if the
|
|
99
|
+
repo is large enough that the orientation saving is worth one scan.
|
|
100
|
+
- Or just orient the normal way — grep + read — and carry on. You lose
|
|
101
|
+
the token saving, not the ability to build the feature.
|
|
102
|
+
|
|
103
|
+
### If graphify isn't installed at all
|
|
104
|
+
|
|
105
|
+
The graph is built by **graphify** (a registry tool). If it isn't installed,
|
|
106
|
+
`health` won't produce a `graph.json`, so step [2]'s graph queries are
|
|
107
|
+
unavailable — fall back to grep + read as above, or install it to unlock the
|
|
108
|
+
saving:
|
|
109
|
+
|
|
110
|
+
```bash
|
|
111
|
+
npx vyuh-dxkit tools install # installs graphify + the other scanners
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
**Steps [5] and [6] do not need graphify.** The `vulnerabilities`,
|
|
115
|
+
`test-gaps`, `quality`, and `guardrail check` commands run fully without a
|
|
116
|
+
graph — only the `--graph-context` *enrichment* is suppressed (drop the flag
|
|
117
|
+
and the reports are still complete). So verification never depends on the
|
|
118
|
+
graph being present; only the orientation *speed-up* does.
|
|
119
|
+
|
|
120
|
+
## [3] Plan
|
|
121
|
+
|
|
122
|
+
Write an ordered list of edits. For each, name the file and the existing
|
|
123
|
+
pattern it mirrors (from step [2]). Prefer extending an existing module over
|
|
124
|
+
creating a new one unless the graph showed no natural home. Call out the
|
|
125
|
+
caller files in the blast radius that will need updating or re-testing.
|
|
126
|
+
|
|
127
|
+
## [4] Build
|
|
128
|
+
|
|
129
|
+
Read only the files the orientation step named — that's the point of doing
|
|
130
|
+
[2] first. Implement following the matched pattern. Keep the change tight:
|
|
131
|
+
comment density, naming, and idioms should match the surrounding code, not a
|
|
132
|
+
generic template.
|
|
133
|
+
|
|
134
|
+
## [5] Verify — never skip
|
|
135
|
+
|
|
136
|
+
A new feature can introduce exactly the things dxkit scans for: a SAST
|
|
137
|
+
finding, a vulnerable dependency you just added, an untested new surface, a
|
|
138
|
+
quality/slop regression. Run the analyzers on the changed area, with graph
|
|
139
|
+
context attached so you see each finding's blast radius:
|
|
140
|
+
|
|
141
|
+
```bash
|
|
142
|
+
npx vyuh-dxkit vulnerabilities --detailed --graph-context # new code + new deps
|
|
143
|
+
npx vyuh-dxkit test-gaps --graph-context # is the new surface tested?
|
|
144
|
+
npx vyuh-dxkit quality --graph-context # slop / duplication / complexity
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
Then gate the change the same way CI will:
|
|
148
|
+
|
|
149
|
+
```bash
|
|
150
|
+
npx vyuh-dxkit guardrail check
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
Exit 0 = the feature added no net-new regressions. Exit 1 = something new
|
|
154
|
+
appeared — **a finding you introduced.** Address it before pushing:
|
|
155
|
+
|
|
156
|
+
- A real finding in your new code → fix it now (hand off to `dxkit-action`
|
|
157
|
+
for the fix recipes — secret rotation, dep upgrade, writing the missing
|
|
158
|
+
test, etc.).
|
|
159
|
+
- A genuine false positive / intentional pattern → allowlist with a typed
|
|
160
|
+
category + reason (see `dxkit-action`'s allowlisting section). Fix first;
|
|
161
|
+
allowlist second.
|
|
162
|
+
|
|
163
|
+
The feature isn't done when it works — it's done when it works **and** the
|
|
164
|
+
guardrail is green.
|
|
165
|
+
|
|
166
|
+
## [6] Baseline decision
|
|
167
|
+
|
|
168
|
+
| Scenario | Action |
|
|
169
|
+
|---|---|
|
|
170
|
+
| Feature is clean; guardrail green | Just commit the code. Baseline + allowlist unchanged. |
|
|
171
|
+
| You fixed an introduced finding | Commit the code + fix together. Baseline unchanged. |
|
|
172
|
+
| Introduced finding is a true false positive / intentional | `vyuh-dxkit allowlist add` with `category=false-positive` or `test-fixture`; commit the annotation. |
|
|
173
|
+
| Feature deliberately accepts a known trade-off (documented) | `vyuh-dxkit allowlist add` with `category=accepted-risk` + `--expires`; never re-baseline silently. |
|
|
174
|
+
|
|
175
|
+
Prefer the allowlist over re-baselining for per-finding calls — it carries a
|
|
176
|
+
typed reason a future maintainer can read. Reserve "accept as baseline" for
|
|
177
|
+
the deliberate codebase-wide line-in-the-sand, not for hiding a finding your
|
|
178
|
+
own feature introduced.
|
|
179
|
+
|
|
180
|
+
## Hand-offs
|
|
181
|
+
|
|
182
|
+
- A finding the guardrail blocked needs fixing → `dxkit-action` (the fix-loop
|
|
183
|
+
recipes for secrets, dep-vulns, SAST, test gaps).
|
|
184
|
+
- Re-running reports between iterations → `dxkit-reports`.
|
|
185
|
+
- Ignore-file / config edits as part of the feature → `dxkit-config`.
|
|
186
|
+
- Hook problems on the verify push → `dxkit-hooks`.
|
|
187
|
+
- Deeper structural exploration than `context` gives (entry-points,
|
|
188
|
+
communities, hot-files) → run `npx vyuh-dxkit explore <subcommand>`
|
|
189
|
+
directly; see the `explore` command docs.
|
|
@@ -83,6 +83,16 @@ Driven by doctor's tier 3 (operational health) — these are the canonical repai
|
|
|
83
83
|
| `CI guardrails workflow` missing | `npx vyuh-dxkit init --with-ci --yes` | Adds the dxkit-guardrails.yml workflow. Idempotent. |
|
|
84
84
|
| Agent DX tier failures (manifest missing, AGENTS.md missing, .claude/* missing) | `npx vyuh-dxkit init --full --yes` or `npx vyuh-dxkit update` | Init for fresh installs; update for refreshes. |
|
|
85
85
|
|
|
86
|
+
### Tool reported missing but the customer says it IS installed
|
|
87
|
+
|
|
88
|
+
If doctor flags a tool (git, dotnet, node, npm, a scanner) as missing but the customer insists it's installed, it's almost always a detection gap — the binary lives somewhere dxkit doesn't probe (common on Windows / locked-down corporate machines). Don't tell them to reinstall. Instead:
|
|
89
|
+
|
|
90
|
+
1. Find where it actually lives: `where <tool>` (Windows) / `which <tool>` (POSIX).
|
|
91
|
+
2. Add that directory to `.dxkit/tools.json` `probePaths` (hand off to **dxkit-config**, which documents the file).
|
|
92
|
+
3. Re-run `npx vyuh-dxkit doctor` to confirm it now resolves.
|
|
93
|
+
|
|
94
|
+
This matters: an undetected scanner means `baseline create` silently captured ZERO findings for that tool's category — re-baseline (`baseline create --force`) once detection is fixed.
|
|
95
|
+
|
|
86
96
|
## Capturing the FIRST baseline — be deliberate
|
|
87
97
|
|
|
88
98
|
Of all the fixes, `baseline create` is the only one with permanent consequences. The baseline records the fingerprint of every finding currently in the repo and tells future scans "these are pre-existing — don't block on them."
|