{"id":48644615,"url":"https://github.com/vyuh-labs/dxkit","last_synced_at":"2026-07-05T02:01:21.593Z","repository":{"id":349601748,"uuid":"1203027054","full_name":"vyuh-labs/dxkit","owner":"vyuh-labs","description":"Deterministic Stop-gate and code-graph context for AI coding agents: blocks only net-new findings and gives the loop a structural map of the codebase, locally, with no model in the gate.","archived":false,"fork":false,"pushed_at":"2026-07-02T01:19:24.000Z","size":5118,"stargazers_count":5,"open_issues_count":7,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-02T01:24:13.236Z","etag":null,"topics":["agentic-development","ai-coding-agents","brownfield","ci-cd","claude-code","code-quality","codeql","codex","coding-agents","developer-tools","guardrails","loop-engineering","nodejs","pre-commit-hooks","sarif","security-scanning","semgrep","snyk","static-analysis","typescript"],"latest_commit_sha":null,"homepage":"https://vyuhlabs.ai/open-source/dxkit","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vyuh-labs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-06T16:42:30.000Z","updated_at":"2026-07-01T23:50:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"b968105a-b113-4b7e-bf1b-d8048aad7a3c","html_url":"https://github.com/vyuh-labs/dxkit","commit_stats":null,"previous_names":["vyuh-labs/dxkit"],"tags_count":71,"template":false,"template_full_name":null,"purl":"pkg:github/vyuh-labs/dxkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vyuh-labs%2Fdxkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vyuh-labs%2Fdxkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vyuh-labs%2Fdxkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vyuh-labs%2Fdxkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vyuh-labs","download_url":"https://codeload.github.com/vyuh-labs/dxkit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vyuh-labs%2Fdxkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35141083,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-05T02:00:06.290Z","response_time":100,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agentic-development","ai-coding-agents","brownfield","ci-cd","claude-code","code-quality","codeql","codex","coding-agents","developer-tools","guardrails","loop-engineering","nodejs","pre-commit-hooks","sarif","security-scanning","semgrep","snyk","static-analysis","typescript"],"created_at":"2026-04-10T01:01:22.139Z","updated_at":"2026-07-05T02:01:21.558Z","avatar_url":"https://github.com/vyuh-labs.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dxkit\n\n**A deterministic stop condition and code-graph context layer for AI coding agents.**\n\nAutonomous coding loops face two control problems: orienting in the code while\nthey make a change, and deciding whether that change made the repository worse\nbefore they stop.\n\ndxkit addresses both. While the agent works, it provides a code graph of\ncallers, callees, blast radius, and the files a change touches. Then, when the\nagent tries to stop, dxkit baselines existing findings, reruns trusted checks,\nand blocks only net-new detector-backed regressions with a concrete repair\nreason.\n\nIn our loop benchmark, vanilla Claude Code-style loops stopped with net-new\ndebt in **11 of 16 runs**. A prompt that told the agent to self-check still\nescaped **9 of 16**. With dxkit's Stop-gate, we observed **0 of 16** escapes:\nwhen the loop tried to stop dirty, dxkit blocked, handed back the exact net-new\nfinding, and the agent repaired before stopping clean.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\".github/assets/loop-stop-gate-demo.gif\" width=\"820\" alt=\"dxkit's Stop-gate blocks a coding-agent loop on a net-new critical dependency vulnerability, the agent bumps the version, and the gate goes clean.\" /\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003csub\u003eRecorded from a real run on a synthetic repo, shortened for readability. Blocked and repaired inside the same warm loop.\u003c/sub\u003e\u003c/p\u003e\n\ndxkit does not reinvent detection. It runs trusted open source scanners\n(gitleaks, Semgrep, OSV, npm audit, and more), and it can ingest results from\nSnyk and CodeQL. What dxkit adds is the agent-loop layer around those tools: a\nper-stop, baseline-relative verdict of whether this change introduced a new\nfinding, returned to the agent with the exact repair reason while the loop is\nstill warm.\n\n```bash\nnpm init @vyuhlabs/dxkit -- --claude-loop --yes   # install dxkit + register the Claude Code Stop hook\nnpx vyuh-dxkit baseline create                    # grandfather today's findings\nnpx vyuh-dxkit loop doctor                         # verify the gate is wired\n```\n\nThe stop verdict has no model in the path: same input, same verdict.\nExisting debt stays grandfathered; only net-new regressions block.\n\n[Read the benchmark](docs/benchmarks.md) · [Try it on your repo](#try-it-on-your-repo) · [Run the fixture gate](#run-a-local-fixture-gate)\n\n\u003cp\u003e\n  \u003ca href=\"https://www.npmjs.com/package/@vyuhlabs/dxkit\"\u003e\u003cimg alt=\"npm\" src=\"https://img.shields.io/npm/v/@vyuhlabs/dxkit\"\u003e\u003c/a\u003e\n  \u003cimg alt=\"license: MIT\" src=\"https://img.shields.io/badge/license-MIT-green\"\u003e\n  \u003cimg alt=\"deterministic gate\" src=\"https://img.shields.io/badge/gate-deterministic-blue\"\u003e\n  \u003cimg alt=\"local-first\" src=\"https://img.shields.io/badge/local--first-success\"\u003e\n\u003c/p\u003e\n\n---\n\n## The problem: loops do not know when they made things worse\n\nAn autonomous loop runs until the agent decides it is done. The common checks in\nthat loop (tests, linters, scanners, CI-style commands) usually answer whether\nsomething is broken or flagged. They do not, by themselves, maintain a\nbrownfield baseline and answer the loop-level question: did this change\nintroduce something net-new? So an agent can add a feature, leave a new untested\npath or a hardcoded credential behind, run the tests, see green, and declare\nsuccess.\n\nIn our benchmark this happened in most vanilla runs, and telling the agent to\ncheck its own work only helped a little.\n\n## What dxkit does\n\n1. **Build a structural code graph.** dxkit gives the agent callers, callees,\n   blast radius, and relevant files so it can orient before editing.\n2. **Baseline today's debt.** `baseline create` records current findings, so\n   pre-existing issues are grandfathered and never block.\n3. **Run a deterministic Stop-gate on every stop.** A Claude Code Stop hook\n   reruns the guardrail against that baseline. Same input gives the same\n   verdict; no model decides whether the gate passes.\n4. **Feed net-new findings back to the agent.** If the change introduced a\n   finding, the gate blocks the stop and hands the agent the exact finding to\n   fix: do not refresh the baseline, do not touch unrelated debt, fix what this\n   branch introduced. The loop stops only when clean.\n\n## Why only net-new findings?\n\nGrandfathered does not mean accepted.\n\ndxkit blocks only net-new findings for two reasons: agent-loop attribution and\nbrownfield adoption.\n\nFirst, an autonomous coding loop needs a scoped stop condition. When an agent\ntries to declare done, the relevant question is not \"is this entire repository\ndebt-free?\" It is:\n\n\u003e did this loop make the repository worse than the baseline?\n\nIf the gate asks the agent to fix every pre-existing finding before it may stop,\nthe repair target becomes noisy and unbounded. The agent may churn unrelated\ncode, spend context on old debt, or refresh the baseline to escape. dxkit instead\nholds the loop accountable for the change it just made: fix what this branch\nintroduced, do not touch unrelated debt, and do not move the baseline.\n\nSecond, dxkit is designed for brownfield repositories. Existing debt may include\nhundreds or thousands of findings. If the first gate required a repo to reach\nzero findings, most teams could not adopt agentic development workflows until\nafter a large cleanup project. That is backwards. The first control invariant is\nsimpler and stricter:\n\n\u003e this agent must not make the repository worse than the baseline.\n\n`baseline create` records the current state so existing findings remain visible\nand auditable, but they do not block the current loop. When an agent changes the\nrepo, dxkit blocks only findings introduced by that change. This lets teams adopt\nagentic workflows immediately, prevent regression from day one, and pay down the\nold baseline as a separate, deliberate workstream.\n\nA baseline refresh is a governance action, not a repair action. If the Stop-gate\nblocks, the agent should fix the net-new finding it introduced and should not move the\nbaseline.\n\n## Who this is for\n\nUse dxkit if you let coding agents:\n\n- run unattended or semi-attended,\n- fix CI or review comments in loops,\n- touch brownfield repos that already carry debt,\n- or work where \"new debt\" matters more than \"all debt.\"\n\n## What dxkit is, and is not\n\n**It is a deterministic verification layer.** It baselines today's findings,\nfingerprints them across churn, and blocks only net-new regressions.\n\n**It is not a scanner replacement.** It runs and ingests scanners (gitleaks,\nSemgrep, CodeQL, Snyk, SARIF) and makes their findings enforceable. It does not\nclaim to find more bugs than they do.\n\n**It is not an LLM judge.** No model decides whether the gate passes. The model\ncan repair findings. The gate itself is deterministic, and the prompt does not\ngrow as the baseline grows.\n\n**It is not a guarantee of safe code.** It blocks detector-backed net-new\nfindings it can observe. You still need tests, review, scanners, and judgment.\n\n## Built on tools you already trust\n\ndxkit is an orchestration and enforcement layer, not another scanner. It runs\nestablished open source tools and treats their output as one stream. Which tools\nrun depends on the languages in your repo. dxkit covers **8 ecosystems**\n(TypeScript / JavaScript, Python, Go, Rust, C# / .NET, Java, Kotlin, Ruby).\n\nUniversal, on every repo:\n\n- secrets: gitleaks\n- code patterns: Semgrep\n- dependency advisories: OSV.dev\n- size, duplication, and the code graph: cloc, jscpd, graphify\n\nPer language, dxkit adds that ecosystem's own linter and audit tool. For\nexample, npm audit + ESLint (JS / TS), pip-audit + ruff (Python), govulncheck +\ngolangci-lint (Go), cargo-audit + clippy (Rust), `dotnet list --vulnerable`\n(C#), osv-scanner + PMD (Java), osv-scanner + detekt (Kotlin), and\nbundler-audit + RuboCop (Ruby). The full per-language matrix is in **Per-pack\ncapabilities** below.\n\nFor deep interprocedural analysis, it ingests findings from **Snyk Code** and\n**CodeQL** (or any SARIF file), fingerprints them the same way as native\nfindings, and runs them through the same baseline and gate. You keep the\ndetectors you already have. dxkit makes their findings enforceable inside CI\nand inside the agent loop.\n\n| Layer     | Examples                                               | Job                                                     |\n| --------- | ------------------------------------------------------ | ------------------------------------------------------- |\n| Detection | gitleaks, Semgrep, OSV, npm audit, Snyk, CodeQL, SARIF | Find issues                                             |\n| dxkit     | baseline, fingerprint matcher, Stop-gate, loop ledger  | Decide whether this change introduced something net-new |\n| Agent     | Claude Code or another coding loop                     | Repair the exact finding and try to stop again          |\n\n## Try it on your repo\n\nThe Stop hook runs dxkit on every stop, so install dxkit into the repo. This\none command adds it as a devDependency and registers the hook additively, so your\nexisting `.claude` settings are preserved:\n\n```bash\nnpm init @vyuhlabs/dxkit -- --claude-loop --yes\nnpx vyuh-dxkit baseline create      # grandfather today's findings\nnpx vyuh-dxkit loop doctor          # verify the gate is wired safely and dxkit resolves\n# then run Claude Code as you normally would. The Stop-gate fires on every stop.\nnpx vyuh-dxkit loop ledger summarize  # afterwards: blocked vs allowed, repaired-after-block\n```\n\nWhen the agent tries to stop, dxkit runs the net-new gate against the baseline.\nExisting findings are grandfathered; only findings this change introduced block.\n\n## Run a local fixture gate\n\nWant to see the Stop-gate before installing dxkit into your repo?\n\n```bash\nnpx -y @vyuhlabs/dxkit@latest demo loop-guardrail\n```\n\nThis runs the **real** gate on a temporary fixture repo: baseline → introduce a\nnet-new secret → BLOCK → repair → CLEAN, then it tears the fixture down. No API\nkey and no Claude Code, and your own repo is never touched. It needs gitleaks\ninstalled and takes about 20 seconds; without gitleaks it shows a clearly\nlabelled illustration instead. (It does a one-time `npx` download, so it is not\nfully offline, though the gate itself is.)\n\n### Presets: what blocks the loop\n\n```text\nsecurity-only  (default)  secrets and critical or high vulnerabilities. Bounded, must-fix, cheap to gate.\nfull-debt      (opt-in)   also gates test gaps and maintainability regressions. Repairs can be expensive.\n```\n\nThe default is `security-only`. The headline escape-rate benchmark used\n`full-debt` (it gated both the secret trap and the test-gap trap); the default\ninstall starts narrower so a first run does not trap users in expensive\ntest-generation loops. Switch with\n`npm init @vyuhlabs/dxkit -- --claude-loop --loop-preset full-debt`.\n\n## Give the agent a map, not just a gate\n\nThe Stop-gate controls what a loop is allowed to ship. The code graph controls\nhow the agent does the work in between. When dxkit scaffolds a repo it builds a\ncode graph and installs skills that drive real development off it, so the agent\norients by querying structure instead of grepping and re-reading whole files.\n\n- **Build a feature** (`dxkit-feature` skill): query the graph for where the\n  feature plugs in, what patterns already exist, and what the change will\n  touch, then implement against those patterns and run the analyzers on the\n  result before it stops.\n- **Fix a finding** (`dxkit-action` skill): take a flagged finding, pull its\n  callers, callees, and blast radius from the graph, repair it, and confirm the\n  change did not introduce something net-new.\n\nThe agent gets callers, callees, and blast radius up front as a budget-bounded\nslice, not a pile of file reads. It is the same graph, the same baseline, and\nthe same identity contract the gate already uses.\n\nWhat the benchmarks actually show is predictable spend, not guaranteed cheaper\nspend. On a large repo the median was roughly tied, the worst-case session used\nabout **57% fewer tokens**, and the variance was **roughly halved**. On a small\nrepo the overhead was about zero. The graph caps the expensive tail. It does\nnot promise a lower average, and it does not make the agent write better code on\nits own.\n\nThis is a different axis from detection. Snyk, SonarQube, and CodeQL tell you\nwhat is wrong. They do not give the agent a map of the code or bound how much it\nspends finding its way around. dxkit does both: the gate bounds what the loop\nships, the graph bounds how the loop works.\n\n## The numbers\n\nThree independent benchmark results, one theme: dxkit makes agent work more\npredictable.\n\n| Layer                      | What it bounds                       | Observed result                                                                                                                     |\n| -------------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |\n| **Stop-gate**              | net-new detector-backed debt         | vanilla loops escaped **11/16** times, prompt-only checklist escaped **9/16**, dxkit escaped **0/16**                               |\n| **Deterministic identity** | false \"net-new\" findings under churn | caught **all 3** seeded regressions with **0/2** false blocks on clean edits; **0 false net-new** on tested line shifts and renames |\n| **Graph context**          | large-repo exploration tails         | median roughly tied, but large-repo mean tokens **30% lower**, worst case **57% lower**, variance roughly halved                    |\n\n**Deferral has a re-orientation cost.** A fourth arm of the\nloop-safety study measured the \"detect on CI, fix later\" model: on the test-gap\ntask, deferring a net-new finding to a cold session cost **~49% more in\nequivalent cost** and **~51% more turns** than repairing it inside the warm loop,\nbecause the cold fixer has to re-orient in a context it no longer holds. (The\nsecret-task premium pointed the same way but was weak (mean +19%, median\nslightly negative), so we lean on the robust test-gap result.) So the gate is not\njust safer than deferring, it is plausibly cheaper too.\n\n**And the gate is fast enough to run on every stop.** dxkit 2.14.0 scopes the\nStop-gate scan to the active preset's blockable finding kinds and re-scans only\nthe changed files, reusing cached results for everything unchanged. The verdict\nis identical to a full scan; the cost is seconds per stop, not minutes, even on\nlarge repositories.\n\n\u003e **Benchmark caveats:** the loop-safety study uses controlled synthetic tasks\n\u003e plus real-repo validation, detector-backed findings, and Sonnet runs. It is\n\u003e not a CVE corpus, not a claim of better detection, and not a guarantee that\n\u003e dxkit catches every possible bug. The claim is narrower: for findings the\n\u003e detector observes, dxkit gives the loop a deterministic net-new stop decision.\n\nFull methodology, reproducibility notes, artifact status, and caveats are in\n**[docs/benchmarks.md](docs/benchmarks.md)**.\n\n## Why not just Snyk, SonarQube, or CodeQL?\n\nUse them. dxkit can ingest their findings. The difference is tempo and control,\nnot detection. Cloud scanners are strong detection engines, and they usually\nrun on a CI or PR cadence. A coding-agent loop needs a local stop decision\nevery time the agent tries to declare done.\n\n| Loop Stop-gate need                                         | dxkit | Cloud or CI scanners                   |\n| ----------------------------------------------------------- | ----- | -------------------------------------- |\n| Runs locally on every stop, in seconds                      | yes   | usually CI or cloud cadence            |\n| Deterministic verdict, no model in the gate                 | yes   | varies (some add an LLM judge)         |\n| Grandfathers existing debt                                  | yes   | tool-dependent                         |\n| Feeds the exact block reason back to the warm agent session | yes   | usually a human-facing dashboard or PR |\n\nThe goal is not to replace scanners. It is to make their findings enforceable\nat the speed of the agent loop.\n\n## Beyond loops\n\nThe same deterministic core powers the rest of dxkit: pre-push and CI\nguardrails, brownfield baselines, durable finding identity, SARIF, CodeQL, and\nSnyk ingest, a six-dimension health report, code-graph context, and a set of\nClaude Code skills. See **[the docs](docs/README.md)**.\n\n## Languages\n\ndxkit covers 8 ecosystems. Detection is automatic from your manifests and\nsource; each language brings its own native linter, dependency-audit tool, and\ncoverage parser, layered on the universal scanners (gitleaks, Semgrep, OSV,\ncloc, jscpd, graphify).\n\n| Language                | Detected by                 | Native linter + audit                     |\n| ----------------------- | --------------------------- | ----------------------------------------- |\n| TypeScript / JavaScript | `package.json`              | ESLint, npm audit                         |\n| Python                  | `pyproject.toml`, `*.py`    | ruff, pip-audit                           |\n| Go                      | `go.mod`                    | golangci-lint, govulncheck                |\n| Rust                    | `Cargo.toml`                | clippy, cargo-audit                       |\n| C# / .NET               | `*.csproj`, `*.sln`         | dotnet-format, `dotnet list --vulnerable` |\n| Java                    | `pom.xml`, `src/main/java/` | PMD, osv-scanner                          |\n| Kotlin                  | `*.gradle{.kts,}`, `*.kt`   | detekt, osv-scanner                       |\n| Ruby                    | `Gemfile`, `*.rb`           | RuboCop, bundler-audit                    |\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003ePer-pack capabilities\u003c/strong\u003e: coverage import, import-graph, severity tiers (click to expand)\u003c/summary\u003e\n\n| Language | Detection                             | Coverage import     | Import-graph                                 | Native tools                        | Lint severity tiers    | Vuln severity tiers                           |\n| -------- | ------------------------------------- | ------------------- | -------------------------------------------- | ----------------------------------- | ---------------------- | --------------------------------------------- |\n| TS / JS  | `package.json`                        | ✅ Istanbul         | ✅ import/require/re-export                  | eslint, npm audit, vitest-coverage  | ✅ ESLint rule ID      | ✅ npm audit native                           |\n| Python   | `pyproject.toml`, `setup.py`, `*.py`  | ✅ coverage.py      | ✅ import/from                               | ruff, pip-audit, coverage           | ✅ ruff code prefix    | ✅ pip-audit + OSV.dev (CVSS v3+v4)           |\n| Go       | `go.mod`                              | ✅ coverprofile     | ✅ import blocks                             | golangci-lint, govulncheck          | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev             |\n| Rust     | `Cargo.toml`                          | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹           | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group        | ✅ cargo-audit native                         |\n| C#       | `*.csproj`, `*.sln`                   | ✅ cobertura XML    | ⚠️ using declarations, extracted only¹       | dotnet-format (formatter)           | ⚠️ format-only²        | ✅ dotnet list --vulnerable                   |\n| Kotlin   | gradle/`*.gradle{.kts,}`, `*.kt`      | ✅ JaCoCo XML       | ⚠️ import statements, extracted only¹        | detekt, osv-scanner (Maven)         | ✅ detekt severity     | ✅ osv-scanner + OSV.dev (Maven)              |\n| Java     | `pom.xml`, `src/main/java/`, `*.java` | ✅ JaCoCo XML       | ⚠️ import statements, extracted only¹        | PMD, osv-scanner (Maven)            | ✅ PMD priority tiers  | ✅ osv-scanner + OSV.dev (Maven)              |\n| Ruby     | `*.rb`                                | ✅ SimpleCov JSON   | ⚠️ require/require_relative, extracted only¹ | rubocop, bundler-audit, osv-scanner | ✅ rubocop severity    | ✅ bundler-audit + osv-scanner (Gemfile.lock) |\n\n¹ Rust, C#, Kotlin, Java, and Ruby populate `imports.extracted` but the\nfile-level resolver is a no-op. Downstream analyses that need an edge graph\n(reachability, import-graph test-gap credit) degrade to conservative\ndefaults for those packs. Resolvers are tracked on the [roadmap](docs/roadmap.md).\n\n² C# uses `dotnet-format` for formatting violations only. A real\nseverity-tiered C# linter (Roslyn analyzers or StyleCop) is on the\nroadmap. Today every C# formatting violation is counted at `low` tier\nso it does not inflate the Code Quality score.\n\n\u003c/details\u003e\n\n## Reproduce the deterministic tier\n\nThe deterministic results (the net-new gate decision and the finding-identity\nmatcher) reproduce offline with no API key, so you do not have to trust our\nnumbers. These harnesses live in `benchmarks/`:\n\n```bash\nnode benchmarks/bench-guardrail.mjs config.json        # block/allow on seeded findings\nnode benchmarks/bench-netnew-isolation.mjs config.json # net-new isolation under churn\nnode benchmarks/bench-matcher.mjs config.json          # false net-new on line shifts + renames\n```\n\nSee `benchmarks/README.md` to point them at a repo. The agent-driven harnesses\n(loop safety, cost of deferral, gate-vs-LLM, and the graph-context sessions) need\na model subscription or API key and are published under `benchmarks/agentic/`.\nFull methodology, the per-study reports, caveats, and repro steps:\n**[docs/benchmarks.md](docs/benchmarks.md)**.\n\n## Credits\n\ndxkit stands on excellent open source tools. It orchestrates them, it does not\nreplace them. Thank you to the maintainers of\n[graphify](https://github.com/safishamsi/graphify) (the code graph),\n[gitleaks](https://github.com/gitleaks/gitleaks),\n[Semgrep](https://github.com/semgrep/semgrep),\n[OSV-Scanner](https://github.com/google/osv-scanner),\n[jscpd](https://github.com/kucherenko/jscpd), and\n[cloc](https://github.com/AlDanial/cloc). Each tool is installed separately and\nkeeps its own license.\n\n## Contributing and roadmap\n\n- Contributing guide: [CONTRIBUTING.md](CONTRIBUTING.md)\n- Roadmap: [docs/roadmap.md](docs/roadmap.md)\n- License: MIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvyuh-labs%2Fdxkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvyuh-labs%2Fdxkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvyuh-labs%2Fdxkit/lists"}