@vyuhlabs/dxkit 2.7.1 → 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/CHANGELOG.md +73 -0
  2. package/dist/analyzers/tools/grep-secrets.d.ts +6 -1
  3. package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
  4. package/dist/analyzers/tools/grep-secrets.js +80 -60
  5. package/dist/analyzers/tools/grep-secrets.js.map +1 -1
  6. package/dist/baseline/create.d.ts.map +1 -1
  7. package/dist/baseline/create.js +18 -6
  8. package/dist/baseline/create.js.map +1 -1
  9. package/dist/doctor.d.ts.map +1 -1
  10. package/dist/doctor.js +2 -0
  11. package/dist/doctor.js.map +1 -1
  12. package/dist/explore/cli/context.d.ts +1 -1
  13. package/dist/explore/cli/context.d.ts.map +1 -1
  14. package/dist/explore/cli/context.js +173 -4
  15. package/dist/explore/cli/context.js.map +1 -1
  16. package/dist/explore/queries.d.ts +71 -0
  17. package/dist/explore/queries.d.ts.map +1 -1
  18. package/dist/explore/queries.js +76 -0
  19. package/dist/explore/queries.js.map +1 -1
  20. package/dist/explore/source-slice.d.ts +51 -0
  21. package/dist/explore/source-slice.d.ts.map +1 -0
  22. package/dist/explore/source-slice.js +88 -0
  23. package/dist/explore/source-slice.js.map +1 -0
  24. package/dist/explore-cli.js +6 -4
  25. package/dist/explore-cli.js.map +1 -1
  26. package/dist/generator.d.ts.map +1 -1
  27. package/dist/generator.js +12 -0
  28. package/dist/generator.js.map +1 -1
  29. package/dist/languages/csharp.d.ts +9 -0
  30. package/dist/languages/csharp.d.ts.map +1 -1
  31. package/dist/languages/csharp.js +85 -7
  32. package/dist/languages/csharp.js.map +1 -1
  33. package/package.json +1 -1
  34. package/templates/.claude/skills/dxkit-docs/SKILL.md +148 -0
  35. package/templates/.claude/skills/dxkit-feature/SKILL.md +189 -0
@@ -0,0 +1,148 @@
1
+ ---
2
+ name: dxkit-docs
3
+ description: Generate the documentation a repo is missing — read the Documentation dimension's gaps, orient on the real code via the graph, then write a grounded README / docstrings / API + architecture docs that move the score without tripping the slop check. Use when the user says "write docs", "document this module", "improve the documentation score", "generate a README", "add docstrings", or after a health report flags Documentation.
4
+ ---
5
+
6
+ # dxkit-docs
7
+
8
+ This skill closes the gap `dxkit-action` doesn't: it **generates** missing
9
+ documentation rather than fixing flagged findings. It's built around one
10
+ hard constraint — dxkit's own quality scan flags AI-slop prose, so
11
+ documentation that reads like generated filler *lowers* the Quality score
12
+ while raising Documentation. The whole point of this skill is docs that
13
+ are **grounded in the real code** and **survive the slop check**.
14
+
15
+ ## The docs loop
16
+
17
+ ```
18
+ [1] Read the gap → health Documentation deductions + top actions
19
+ [2] Orient → graph: what are the real entry points, modules, public API
20
+ [3] Generate → write the missing artifact, grounded in actual symbols/paths
21
+ [4] De-slop → write like a human; re-run quality so it doesn't trip slop
22
+ [5] Verify → re-run health; Documentation up, slop not down
23
+ ```
24
+
25
+ Don't skip [2] or [4]. [2] is what keeps the docs true; [4] is what keeps
26
+ them from costing you on another dimension.
27
+
28
+ ## [1] Read the gap — what's actually missing
29
+
30
+ The Documentation dimension scores a fixed checklist. Read its deductions
31
+ and ranked actions instead of guessing:
32
+
33
+ ```bash
34
+ npx vyuh-dxkit health --detailed --json | jq '.dimensions.documentation'
35
+ ```
36
+
37
+ The `deductions` array names each missing/substandard artifact; `topActions`
38
+ ranks them by score uplift. The scored artifacts are:
39
+
40
+ | Artifact | What moves the score |
41
+ |---|---|
42
+ | **README** | Present, and substantial (not a 5-line stub) |
43
+ | **Doc-comment density** | Share of source files carrying docstrings / JSDoc / Rustdoc |
44
+ | **API docs** | `docs/api/`, OpenAPI/Swagger spec |
45
+ | **Architecture docs** | `ARCHITECTURE.md` or `docs/architecture/` |
46
+ | **CONTRIBUTING** | `CONTRIBUTING.md` |
47
+ | **CHANGELOG** | `CHANGELOG.md` |
48
+
49
+ Work the `topActions` order — the README and doc-comment density weigh
50
+ heaviest, CHANGELOG lightest.
51
+
52
+ ## [2] Orient — document the code that's actually there
53
+
54
+ Docs that describe code which doesn't exist are worse than no docs. Before
55
+ writing a word, learn the real shape from the graph (cheap, structural):
56
+
57
+ ```bash
58
+ npx vyuh-dxkit explore entry-points # what this repo does — the surfaces to lead a README with
59
+ npx vyuh-dxkit explore communities # the natural modules — the spine of an ARCHITECTURE.md
60
+ npx vyuh-dxkit explore api-surface # exported symbols — what API docs must cover
61
+ npx vyuh-dxkit explore hot-files # the foundational files — docstring these first
62
+ npx vyuh-dxkit context <symbol> # one area's structure before you docstring it
63
+ ```
64
+
65
+ Then **read the actual code** you're about to document — the graph points
66
+ you at it; it doesn't replace reading it. Also read any existing docs
67
+ first and match their voice, structure, and terminology.
68
+
69
+ ## [3] Generate — grounded, specific, real
70
+
71
+ Per artifact:
72
+
73
+ - **README** — lead with what the repo *does* (from `entry-points`), then
74
+ real install + usage steps you've verified against the actual scripts /
75
+ entry points, not a generic template. Reference real commands, real file
76
+ paths, real module names.
77
+ - **Doc-comments** — docstring the highest-value undocumented files first
78
+ (public API from `api-surface`, foundational files from `hot-files`).
79
+ Describe *why* and the contract (params, returns, invariants, gotchas) —
80
+ not a restatement of the signature.
81
+ - **Architecture docs** — structure an `ARCHITECTURE.md` around the real
82
+ `communities` / `hot-files`: what each module owns, how they depend on
83
+ each other (the graph already knows the edges).
84
+ - **API docs** — generate from the actual exported surface; prefer the
85
+ ecosystem's doc generator (`typedoc`, `sphinx`, `godoc`, `yard`, …) over
86
+ hand-rolled prose when one fits.
87
+ - **CONTRIBUTING / CHANGELOG** — real build/test commands from the repo;
88
+ real recent changes from `git log` for a CHANGELOG seed.
89
+
90
+ ## [4] De-slop — the rule that makes this skill different
91
+
92
+ dxkit's slop check flags AI-generated boilerplate. **Generated docs are
93
+ the single biggest source of slop**, so this step is mandatory, not
94
+ optional. Write to pass it:
95
+
96
+ - **No filler openers.** Not "This module provides functionality for
97
+ handling…" — say what it does and why it exists.
98
+ - **Be concrete.** Name real symbols, real paths, real commands. Specifics
99
+ don't read as slop; generic scaffolding does.
100
+ - **No hedging padding** ("it's worth noting that", "in order to",
101
+ "leverage", "robust", "seamless", "comprehensive solution").
102
+ - **Match the repo's register** — terse repos get terse docs.
103
+
104
+ Then prove it:
105
+
106
+ ```bash
107
+ npx vyuh-dxkit quality # slop score must not drop
108
+ ```
109
+
110
+ If a genuine false positive trips the slop check on prose you stand
111
+ behind, annotate the line (`// slop-ok: <reason>`, or `# slop-ok` for
112
+ hash-comment languages) — but fix first, suppress second.
113
+
114
+ ## [5] Verify — Documentation up, nothing else down
115
+
116
+ ```bash
117
+ npx vyuh-dxkit health --detailed # Documentation score moved in the right direction
118
+ npx vyuh-dxkit quality # slop / quality did NOT regress
119
+ ```
120
+
121
+ The work is done when the Documentation deduction you targeted is gone
122
+ **and** the Quality score held. A docs change that raises Documentation by
123
+ moving slop into Quality is a net loss — re-do it more concretely.
124
+
125
+ Then run the guardrail before pushing, same as any change:
126
+
127
+ ```bash
128
+ npx vyuh-dxkit guardrail check
129
+ ```
130
+
131
+ ## Scope — what NOT to document
132
+
133
+ - Don't docstring self-evident one-liners; density credit comes from
134
+ documenting the files that need it (public API, foundational modules),
135
+ not papering every getter.
136
+ - Don't document auto-generated or vendored code.
137
+ - Don't invent behavior to fill a section — if you're unsure what
138
+ something does, read it or ask, don't guess in prose.
139
+
140
+ ## Hand-offs
141
+
142
+ - Running / interpreting the health report → `dxkit-reports`.
143
+ - Documentation surfaced as one finding inside a broader fix pass →
144
+ `dxkit-action`.
145
+ - Documenting a feature you're building → `dxkit-feature` (its build step
146
+ should leave the new surface documented).
147
+ - Slop findings outside docs (AI-generated code prose, CHANGELOG slop) →
148
+ `dxkit-action`'s slop recipe.
@@ -0,0 +1,189 @@
1
+ ---
2
+ name: dxkit-feature
3
+ description: Develop a new feature with the code graph as your map — orient cheaply by querying structure instead of reading whole files, implement following the patterns already in the repo, then verify the change did not regress security, tests, or quality before you push. Use when the user says "add a feature", "implement X", "build the Y flow", "where should this live", or otherwise starts net-new development in a dxkit-scaffolded repo.
4
+ ---
5
+
6
+ # dxkit-feature
7
+
8
+ This skill drives forward development — building something new — the way
9
+ `dxkit-action` drives the reverse (fixing what's flagged). Its two jobs:
10
+
11
+ 1. **Orient by graph, not by grep.** Use the code graph to find where the
12
+ feature plugs in, what patterns already exist, and what a change will
13
+ touch — at a fraction of the tokens that repeated whole-file reads cost.
14
+ 2. **Close the loop a plain coding agent skips.** After the edit, run the
15
+ dxkit analyzers on the change and the guardrail check, so the new feature
16
+ doesn't quietly ship a vuln, a test gap, or a quality regression.
17
+
18
+ ## The feature loop
19
+
20
+ ```
21
+ [1] Clarify → what's the feature + what does "done" mean
22
+ [2] Orient → query the graph: where it lives, patterns, blast radius
23
+ [3] Plan → ordered edits, reusing the patterns found in [2]
24
+ [4] Build → read only the files the graph named, then implement
25
+ [5] Verify → run the analyzers on the change; confirm nothing regressed
26
+ [6] Decide baseline→ commit, or re-baseline if the change is deliberately accepted
27
+ ```
28
+
29
+ Don't skip [2] or [5]. [2] is where the token saving lives; [5] is the whole
30
+ reason to use dxkit for forward work instead of a generic agent.
31
+
32
+ ## [2] Orient — query structure before you read files
33
+
34
+ This is the step that differentiates this skill. **Orientation (discovery)
35
+ is where direct agents burn the most tokens** — grep, read a 2,000-line
36
+ file, grep again, read another. The graph answers the same questions from a
37
+ budget-bounded slice instead.
38
+
39
+ Run `health` once first if there's no graph yet (it writes
40
+ `.dxkit/reports/graph.json` as a side effect), then query:
41
+
42
+ ```bash
43
+ # "Where is this feature area implemented?" — clusters of matching symbols
44
+ npx vyuh-dxkit explore feature auth
45
+
46
+ # Token-budgeted structural slice for an area you're about to extend:
47
+ # anchor symbol, its callers/callees grouped by module, blast radius
48
+ npx vyuh-dxkit context "checkout session"
49
+
50
+ # Zoom into one symbol's exact neighborhood (curated AST chunk, not the
51
+ # whole file) — read 500 focused lines instead of ingesting 15k
52
+ npx vyuh-dxkit context src/payments/checkout.ts:142
53
+
54
+ # One file's structural neighborhood — symbols, callers, callees, imports
55
+ npx vyuh-dxkit explore file src/payments/checkout.ts
56
+
57
+ # The repo's public API / dead surface — useful when adding an entry point
58
+ npx vyuh-dxkit explore api-surface
59
+ ```
60
+
61
+ Use the answers to decide three things before you write anything:
62
+
63
+ - **Where the feature plugs in** — which module/cluster owns this area, so
64
+ the new code lands next to its neighbors rather than in a new island.
65
+ - **Which pattern to copy** — read the anchor symbol the graph points at;
66
+ it's the highest-in-degree example of "how this repo already does X."
67
+ Match its shape (error handling, validation, naming) so the feature reads
68
+ like the surrounding code.
69
+ - **The blast radius** — how many caller files a change to the touched
70
+ symbols reaches. That's your re-test list for step [5].
71
+
72
+ ### Honest scope of the graph win (don't oversell it)
73
+
74
+ The reduction is a **navigation-phase win, not an end-to-end multiplier.**
75
+ The graph cuts the cost of *finding and orienting*; the *edit* phase still
76
+ reads the real files you change, and *verification* still runs the real
77
+ analyzers. The win is largest in big, unfamiliar codebases (orientation-by-
78
+ grep is expensive there) and near-zero in a small repo whose relevant files
79
+ already fit in context. Lead with the graph for discovery; then read the
80
+ actual code you're about to modify — `context` is a map, not a substitute
81
+ for the territory.
82
+
83
+ ### Three hard rules for graph context (same as dxkit-action)
84
+
85
+ 1. **It's a hint, never ground truth.** Confirm the symbol and call sites by
86
+ opening the file before you act on them — the graph stores declaration
87
+ lines, not end lines, and same-name symbols can conflate.
88
+ 2. **A blank or `n/a` blast radius is NOT "safe to change".** Languages whose
89
+ call graph dxkit can't fully resolve (C# is the known case) report no
90
+ callers even for heavily-used files. Treat empty as *unknown* — fall back
91
+ to grep/read to find callers before a risky edit. Never read "no callers"
92
+ as "free to rewrite."
93
+ 3. **Fall open — the graph is an accelerator, never a dependency.** If
94
+ graphify hasn't built a graph yet, `context` / `explore` print
95
+ `No graph.json … Run vyuh-dxkit health or pass --refresh` and exit
96
+ non-zero (they never crash or hang). Two responses, in order:
97
+ - Build it once: `npx vyuh-dxkit health` writes `graph.json` as a side
98
+ effect, or add `--refresh` to any explore/context call. Do this if the
99
+ repo is large enough that the orientation saving is worth one scan.
100
+ - Or just orient the normal way — grep + read — and carry on. You lose
101
+ the token saving, not the ability to build the feature.
102
+
103
+ ### If graphify isn't installed at all
104
+
105
+ The graph is built by **graphify** (a registry tool). If it isn't installed,
106
+ `health` won't produce a `graph.json`, so step [2]'s graph queries are
107
+ unavailable — fall back to grep + read as above, or install it to unlock the
108
+ saving:
109
+
110
+ ```bash
111
+ npx vyuh-dxkit tools install # installs graphify + the other scanners
112
+ ```
113
+
114
+ **Steps [5] and [6] do not need graphify.** The `vulnerabilities`,
115
+ `test-gaps`, `quality`, and `guardrail check` commands run fully without a
116
+ graph — only the `--graph-context` *enrichment* is suppressed (drop the flag
117
+ and the reports are still complete). So verification never depends on the
118
+ graph being present; only the orientation *speed-up* does.
119
+
120
+ ## [3] Plan
121
+
122
+ Write an ordered list of edits. For each, name the file and the existing
123
+ pattern it mirrors (from step [2]). Prefer extending an existing module over
124
+ creating a new one unless the graph showed no natural home. Call out the
125
+ caller files in the blast radius that will need updating or re-testing.
126
+
127
+ ## [4] Build
128
+
129
+ Read only the files the orientation step named — that's the point of doing
130
+ [2] first. Implement following the matched pattern. Keep the change tight:
131
+ comment density, naming, and idioms should match the surrounding code, not a
132
+ generic template.
133
+
134
+ ## [5] Verify — never skip
135
+
136
+ A new feature can introduce exactly the things dxkit scans for: a SAST
137
+ finding, a vulnerable dependency you just added, an untested new surface, a
138
+ quality/slop regression. Run the analyzers on the changed area, with graph
139
+ context attached so you see each finding's blast radius:
140
+
141
+ ```bash
142
+ npx vyuh-dxkit vulnerabilities --detailed --graph-context # new code + new deps
143
+ npx vyuh-dxkit test-gaps --graph-context # is the new surface tested?
144
+ npx vyuh-dxkit quality --graph-context # slop / duplication / complexity
145
+ ```
146
+
147
+ Then gate the change the same way CI will:
148
+
149
+ ```bash
150
+ npx vyuh-dxkit guardrail check
151
+ ```
152
+
153
+ Exit 0 = the feature added no net-new regressions. Exit 1 = something new
154
+ appeared — **a finding you introduced.** Address it before pushing:
155
+
156
+ - A real finding in your new code → fix it now (hand off to `dxkit-action`
157
+ for the fix recipes — secret rotation, dep upgrade, writing the missing
158
+ test, etc.).
159
+ - A genuine false positive / intentional pattern → allowlist with a typed
160
+ category + reason (see `dxkit-action`'s allowlisting section). Fix first;
161
+ allowlist second.
162
+
163
+ The feature isn't done when it works — it's done when it works **and** the
164
+ guardrail is green.
165
+
166
+ ## [6] Baseline decision
167
+
168
+ | Scenario | Action |
169
+ |---|---|
170
+ | Feature is clean; guardrail green | Just commit the code. Baseline + allowlist unchanged. |
171
+ | You fixed an introduced finding | Commit the code + fix together. Baseline unchanged. |
172
+ | Introduced finding is a true false positive / intentional | `vyuh-dxkit allowlist add` with `category=false-positive` or `test-fixture`; commit the annotation. |
173
+ | Feature deliberately accepts a known trade-off (documented) | `vyuh-dxkit allowlist add` with `category=accepted-risk` + `--expires`; never re-baseline silently. |
174
+
175
+ Prefer the allowlist over re-baselining for per-finding calls — it carries a
176
+ typed reason a future maintainer can read. Reserve "accept as baseline" for
177
+ the deliberate codebase-wide line-in-the-sand, not for hiding a finding your
178
+ own feature introduced.
179
+
180
+ ## Hand-offs
181
+
182
+ - A finding the guardrail blocked needs fixing → `dxkit-action` (the fix-loop
183
+ recipes for secrets, dep-vulns, SAST, test gaps).
184
+ - Re-running reports between iterations → `dxkit-reports`.
185
+ - Ignore-file / config edits as part of the feature → `dxkit-config`.
186
+ - Hook problems on the verify push → `dxkit-hooks`.
187
+ - Deeper structural exploration than `context` gives (entry-points,
188
+ communities, hot-files) → run `npx vyuh-dxkit explore <subcommand>`
189
+ directly; see the `explore` command docs.