pronto-rubycritic 0.12.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d06797042b9ba142db8bbd28c624b767db0d87d84e1013bc81c9d0379e64b61c
+  data.tar.gz: f134fbfaeb1fdfaec256850dcd534e3f03b9f5f09e5cb2b62adc5e046d4d12a3
+SHA512:
+  metadata.gz: 54d29e6a0262b192e5f54deb0893b7bdade9e0e2fb3eab50f4546d2d06c5e4db4126907eb8ea7b88328e2620eb0b7a98decd1c622db49d04f56646f473577007
+  data.tar.gz: 422f6e93e604dfe071d1c4f853bd836f86a920d14979527a28f7274a663a832767b0f6899245498b304ba7645accd0d4470974fafd136f47957c07ab202d8fe5

data/.rubycritic-pronto.yml

@@ -0,0 +1,65 @@
+# Example configuration for pronto-rubycritic.
+# Copy to your repo root as .rubycritic-pronto.yml and adjust thresholds.
+#
+# ──────────────────────────────────────────────────────────────────────────────
+# reek  — detects code smells (long methods, feature envy, bad naming, etc.).
+#         Each smell is a potential design issue attached to a specific location.
+#   smell_types: allow-list of reek smell types (see list below).
+#                Only reek smells are filtered — flay/flog smells pass through.
+#   max_smells:  cap total reported smells per module (across all analysers).
+#
+# flay  — structural code duplication. Score is duplication mass; higher = more.
+#   max_score: drop flay smells above this score.
+#   exclude:   repo-relative globs to skip for flay.
+#
+# flog  — method complexity score. Higher = more complex.
+#   max_score: drop flog smells above this score.
+#   exclude:   repo-relative globs to skip for flog.
+#
+# complexity — cyclomatic complexity (per module).
+#   max: drop modules above this complexity.
+#
+# churn — how often the file changes in git history.
+#   max: drop modules with churn above this.
+#
+# ──────────────────────────────────────────────────────────────────────────────
+# Reek smell types you can list under reek.smell_types:
+#   Attribute, BooleanParameter, ClassVariable, ControlParameter, DataClump,
+#   DuplicateMethodCall, FeatureEnvy, InstanceVariableAssumption,
+#   IrresponsibleModule, LongParameterList, LongYieldList, ManualDispatch,
+#   MissingSafeMethod, ModuleInitialize, NestedIterators, NilCheck,
+#   RepeatedConditional, SelfAssignment, SingletonMethodCall, TooManyConstants,
+#   TooManyInstanceVariables, TooManyMethods, UncommunicativeMethodName,
+#   UncommunicativeModuleName, UncommunicativeParameterName,
+#   UncommunicativeVariableName, UnusedParameters, UnusedPrivateMethod,
+#   UtilityFunction
+#
+# NOTE (0.12.0): reek.min_severity was REMOVED — RubyCritic smells do not
+# expose a severity field, so the key was always a no-op that silently
+# dropped every smell. Use reek.smell_types or flay/flog.max_score instead.
+
+reek:
+  smell_types:
+    - UncommunicativeMethodName
+    - UncommunicativeVariableName
+    - DuplicateMethodCall
+    - FeatureEnvy
+  max_smells: 5
+
+flay:
+  max_score: 100
+  exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+
+flog:
+  max_score: 20
+  exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+
+complexity:
+  max: 10
+
+churn:
+  max: 5

data/CHANGELOG.md

@@ -0,0 +1,102 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.12.0] — 2026-06-16
+
+Major forensic refactor. **Breaking changes** — see migration notes below.
+
+### Added
+- `PRONTO_RUBYCRITIC_SEVERITY_LEVEL` environment variable (preferred).
+- `PRONTO_RUBYCRITIC_DEBUG` for verbose error output (prints backtrace head).
+- `PRONTO_RUBYCRITIC_RAISE_ERRORS` to fail fast in CI instead of swallowing errors.
+- GitHub Actions / GitLab CI auto-detection via `Pronto::RubyCritic::Formatter`.
+  GitHub gets HTML `<details>` blocks; GitLab gets plain Markdown.
+- `flay.max_score`, `flog.max_score`, `flay.exclude`, `flog.exclude` now map to
+  real `Smell#analyser` / `Smell#score` fields and actually filter smells.
+- Internal modules: `ConfigLoader`, `Analyser`, `SmellFilter`, `MessageBuilder`,
+  `Formatter`. Each has its own test file.
+- `.gitignore`, `Rakefile`, `.reek.yml`, `.rubycritic.yml`, `.gitlab-ci.yml`.
+- Ruby 4.0 to the CI test matrix (GitHub Actions + GitLab); verified green on
+  4.0.5. Single-version CI jobs (lint / self-analysis / build) moved off the
+  now-security-only Ruby 3.3 onto the fully-supported 3.4.
+- Convenience `Pronto::RubyCritic::VERSION` alongside
+  `Pronto::RubyCriticVersion::VERSION`.
+
+### Changed (breaking)
+- Default severity level: `:info` → `:warning`.
+  Rationale: `:info` messages are often ignored in Pronto reports.
+- `rubycritic` dependency: `>= 4.9, < 6.0` (was unpinned).
+- `pronto` dependency: `>= 0.11, < 2.0` (was `~> 0.11`).
+- `File.fnmatch` exclude patterns now use `FNM_PATHNAME | FNM_DOTMATCH` and
+  are matched against repo-relative paths (absolute paths never matched before).
+
+### Removed
+- `reek.min_severity` config key. RubyCritic's `Smell` has no `severity` field
+  (only `status`, `score`, `cost`), so the previous implementation silently
+  filtered out *every* smell whenever this key was set.
+  **Migration:** use `reek.smell_types` to allow-list specific smell types, or
+  `flay.max_score` / `flog.max_score` for score-based filtering.
+
+### Fixed
+- `reek.min_severity` silently dropping every smell (dead code).
+- `flay.max_score` / `flog.max_score` never matching any module (dead code —
+  `AnalysedModule` has no `flay_score` / `flog_score` attributes).
+- `File.fnmatch` exclude patterns silently never matching due to absolute path.
+- Unbounded `YAML.load_file` on user config (now `YAML.safe_load_file` with an
+  explicit permitted_classes list — defence in depth against CVE-style YAML
+  RCE vectors on older Psych versions).
+- Env var typo: `PRONTO_REEK_SEVERITY_LEVEL` is now read with a deprecation
+  warning; `PRONTO_RUBYCRITIC_SEVERITY_LEVEL` is the canonical name.
+- Broad `rescue StandardError` now emits class name + message, and prints
+  backtrace head when `PRONTO_RUBYCRITIC_DEBUG` is set.
+- `patch_for_smell` O(N·M) scan replaced with pre-built hash index.
+- `smell.message.capitalize` crash on nil message.
+- GitLab comments no longer show literal `&nbsp;` entities and unrendered
+  `<details>` blocks.
+- **Malformed config no longer silently disables the runner.** A valid-YAML-but-
+  wrong-shape config (e.g. `reek: false`, `complexity: 10`, a scalar `exclude`,
+  a non-string `exclude` entry, or a non-numeric / negative `max_smells` /
+  `max_score` / `max`) used to raise inside `SmellFilter`, get swallowed by the
+  top-level rescue, and report **zero** smells — a false "all clear" for the CI
+  gate. Each of these is now coerced or ignored defensively, and `ConfigLoader`
+  warns and drops a section whose value is not a mapping.
+- `.pronto.yml` with a non-Hash `rubycritic:` section no longer raises in
+  severity resolution.
+- Boolean env vars (`PRONTO_RUBYCRITIC_RAISE_ERRORS`, `PRONTO_RUBYCRITIC_DEBUG`)
+  now require a truthy value (`1`/`true`/`yes`/`on`); previously `=0`/`=false`
+  also activated them because only presence was checked.
+- GitHub output escapes HTML-significant characters (`&`, `<`, `>`) in smell
+  type/context/message, so an operator method name (e.g. `Foo#<=>`) or a message
+  containing markup can no longer break the comment's `<details>`/table layout.
+
+### Security
+- YAML aliases are no longer permitted when loading `.rubycritic-pronto.yml`
+  (`YAML.safe_load_file` is called without `aliases: true`). The gem's config
+  schema never used anchors/aliases, and enabling them exposed an alias-expansion
+  ("billion laughs") DoS on a config file that, in CI, can be supplied by an
+  untrusted pull request. An aliased config now degrades to `{}` with a warning.
+
+### Known limitations
+- RubyCritic self-analysis sits at ≈ 78 (floor 75). The remaining gap is the
+  `SmellFilter` per-analyser branch fan-out and `MessageBuilder`'s `filter_map`
+  chains; lifting the floor toward 85 is tracked as tech debt for a future
+  release rather than chased with premature extraction.
+- `reek.smell_types` filters reek smells only; flay/flog smells always pass that
+  filter (use `flay.max_score` / `flog.max_score` to bound them).
+
+### Migration from 0.11.x
+- If you use `reek.min_severity` in `.rubycritic-pronto.yml`, remove it. It
+  never worked; removing it will restore visibility into your smells.
+- If you use `flay.max_score` or `flog.max_score`, no action needed — they now
+  actually filter (previously were a no-op).
+- If you rely on the default severity being `:info`, set
+  `severity_level: info` under the `rubycritic:` key of `.pronto.yml` or export
+  `PRONTO_RUBYCRITIC_SEVERITY_LEVEL=info`.
+- If you import `Pronto::RubyCriticVersion::VERSION`, no change required — it
+  is preserved. `Pronto::RubyCritic::VERSION` is a new equivalent.
+
+## [0.11.1] and earlier
+See git history (`git log --oneline lib/pronto/rubycritic.rb`).

data/CONTRIBUTING.md

@@ -0,0 +1,22 @@
+# Contributing
+
+Thank you for considering contributing to `pronto-rubycritic`!
+
+## How to contribute
+
+- Fork the repository
+- Create a new branch for your feature or bugfix
+- Write tests for your changes
+- Run the full quality gate locally before opening a PR:
+
+  ```bash
+  bundle exec rake ci   # RuboCop + Reek + RSpec + RubyCritic
+  ```
+
+  Contributions must pass RuboCop, Reek, RSpec with ≥ 90 % line coverage
+  (run with `COVERAGE=1`), and RubyCritic with a score ≥ 75.
+- Submit a pull request with a clear description
+
+## Code of Conduct
+
+Please be respectful and considerate in all interactions.

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025-2026 Rishabh Singh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,342 @@
+# pronto-rubycritic
+
+[![CI](https://github.com/Rishabhs343/custom-pronto-gem/actions/workflows/ci.yml/badge.svg)](https://github.com/Rishabhs343/custom-pronto-gem/actions/workflows/ci.yml)
+[![Gem Version](https://badge.fury.io/rb/pronto-rubycritic.svg)](https://rubygems.org/gems/pronto-rubycritic)
+[![Ruby](https://img.shields.io/badge/ruby-%3E%3D%203.2.2-ruby.svg)](https://www.ruby-lang.org/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+A production-grade [Pronto](https://github.com/prontolabs/pronto) runner for
+[RubyCritic](https://github.com/whitesmith/rubycritic). It reports
+**reek / flay / flog / complexity / churn** issues as Pronto messages —
+**only on lines added or changed in the pull request**, never on untouched code.
+
+> **New in 0.12.0** — forensic refactor: real working filters for flay/flog scores,
+> safe YAML loading, GitHub/GitLab auto-detection, six independently-tested
+> modules, and ≥90 % line-coverage CI gates.
+
+---
+
+## Table of contents
+
+- [Why this gem](#why-this-gem)
+- [At a glance](#at-a-glance)
+- [Installation](#installation)
+- [Quickstart](#quickstart)
+- [Configuration](#configuration)
+- [Environment variables](#environment-variables)
+- [CI integration](#ci-integration)
+- [Architecture](#architecture)
+- [Development](#development)
+- [Troubleshooting](#troubleshooting)
+- [Migrating from 0.11.x](#migrating-from-011x)
+- [Contributing](#contributing)
+- [License](#license)
+
+---
+
+## Why this gem
+
+Running the full [RubyCritic](https://github.com/whitesmith/rubycritic) report
+on every PR is **noisy** — contributors get flagged for code they never touched.
+This gem scopes RubyCritic output to diff-changed lines, making it actionable:
+
+- **Only added / modified lines are flagged.** A smell on line 42 that existed
+  before the PR is silently ignored; a smell introduced by the PR on line 7 is
+  reported as a Pronto message.
+- **Every RubyCritic analyser is supported** — reek, flay, flog, complexity,
+  churn — behind one config file.
+- **Per-CI formatting.** GitHub renders HTML `<details>` blocks in PR comments;
+  GitLab gets plain Markdown (detected automatically).
+- **Fails loud in CI when asked, fails soft in local dev.** Set
+  `PRONTO_RUBYCRITIC_RAISE_ERRORS=1` in CI to surface runner bugs; locally the
+  runner degrades to an empty result set with a stderr warning.
+
+## At a glance
+
+| | |
+|---|---|
+| **Ruby** | ≥ 3.2.2 |
+| **Pronto** | ≥ 0.11, < 2.0 |
+| **RubyCritic** | ≥ 4.9, < 6.0 |
+| **Analysers** | reek · flay · flog · complexity · churn |
+| **Output modes** | GitHub HTML · GitLab Markdown · Plain |
+| **Tests** | RSpec · 123 examples · ≥ 90 % line coverage (enforced) |
+| **Lint** | RuboCop · Reek · RubyCritic (self-analysis) |
+| **CI** | GitHub Actions (3.2 / 3.3 / 3.4 / 4.0) + GitLab CI |
+| **License** | MIT |
+
+## Installation
+
+Add to your `Gemfile`:
+
+```ruby
+gem 'pronto-rubycritic', '~> 0.12', require: false
+```
+
+Then:
+
+```bash
+bundle install
+```
+
+Or install standalone:
+
+```bash
+gem install pronto-rubycritic
+```
+
+## Quickstart
+
+Run on the current diff:
+
+```bash
+bundle exec pronto run -r rubycritic
+```
+
+Run on the last N commits:
+
+```bash
+bundle exec pronto run -r rubycritic -c HEAD~3
+```
+
+Run against a specific commit range (CI-friendly):
+
+```bash
+bundle exec pronto run -r rubycritic --commit="origin/main" -f github_pr -c origin/main
+```
+
+### Example output
+
+Given a PR that introduces a smell on a new line, the **local / plain** output
+looks like this (Pronto prefixes each message with `path:line` and a level letter):
+
+```text
+app/services/order.rb:42 W: [warning] FeatureEnvy — Order#calculate_total (reek)
+  Message:     Order#calculate_total refers to 'customer' more than self
+  Locations:   app/services/order.rb:42
+  Complexity:  14.50  Duplication: 0  Methods: 7  Cost: 2.10  Churn: 3
+  Docs:        https://github.com/troessner/reek/blob/master/docs/Feature-Envy.md
+```
+
+Under **GitHub Actions** the same finding is posted as an inline PR review comment
+with a severity emoji, the smell type, a collapsible `<details>` metrics table,
+and a docs link; under **GitLab CI** it is the same content rendered as flat
+Markdown (a single-row metrics table, no `<details>`). See the
+[output differences table](#output-differences-table) below.
+
+## Configuration
+
+Create `.rubycritic-pronto.yml` at your repo root. **All keys are optional** —
+an empty file (or no file at all) reports every smell on changed lines at the
+default severity.
+
+```yaml
+# Filter by reek smell type and cap total smells per module.
+reek:
+  smell_types:
+    - FeatureEnvy
+    - UncommunicativeMethodName
+    - UncommunicativeVariableName
+    - DuplicateMethodCall
+    - LongParameterList
+  max_smells: 5            # cap total smells per module (all analysers)
+
+# Drop flay smells above this duplication-mass score.
+flay:
+  max_score: 100
+  exclude:
+    - 'spec/**/*'
+    - 'db/migrate/**/*'
+
+# Drop flog smells above this complexity score.
+flog:
+  max_score: 20
+  exclude:
+    - 'spec/**/*'
+
+# Drop entire modules above these thresholds.
+complexity:
+  max: 10
+
+churn:
+  max: 5
+```
+
+### Configuration keys reference
+
+| Key | Scope | Behaviour |
+|---|---|---|
+| `reek.smell_types` | reek smells only | Allow-list of reek smell type names. Non-listed reek smells are dropped. flay/flog smells are unaffected. |
+| `reek.max_smells` | all smells per module | Cap total reported smells per module. |
+| `flay.max_score` | flay smells only | Drop flay smells with `score > max_score`. |
+| `flay.exclude` | flay smells only | Repo-relative globs (`FNM_PATHNAME`) to skip. |
+| `flog.max_score` | flog smells only | Drop flog smells with `score > max_score`. |
+| `flog.exclude` | flog smells only | Same as `flay.exclude`. |
+| `complexity.max` | module | Drop modules with complexity > max. |
+| `churn.max` | module | Drop modules with churn > max. |
+
+### Recognised reek smell types
+
+Use any of these under `reek.smell_types`:
+
+```
+Attribute · BooleanParameter · ClassVariable · ControlParameter · DataClump
+DuplicateMethodCall · FeatureEnvy · InstanceVariableAssumption
+IrresponsibleModule · LongParameterList · LongYieldList · ManualDispatch
+MissingSafeMethod · ModuleInitialize · NestedIterators · NilCheck
+RepeatedConditional · SelfAssignment · SingletonMethodCall · TooManyConstants
+TooManyInstanceVariables · TooManyMethods · UncommunicativeMethodName
+UncommunicativeModuleName · UncommunicativeParameterName
+UncommunicativeVariableName · UnusedParameters · UnusedPrivateMethod
+UtilityFunction
+```
+
+## Environment variables
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `PRONTO_RUBYCRITIC_SEVERITY_LEVEL` | `warning` | Severity of emitted messages: `info`, `warning`, `error`, or `fatal`. |
+| `PRONTO_RUBYCRITIC_DEBUG` | unset | Set to `1`/`true`/`yes`/`on` to print the first 10 backtrace lines on any internal error. |
+| `PRONTO_RUBYCRITIC_RAISE_ERRORS` | unset | Set to `1`/`true`/`yes`/`on` to re-raise internal errors instead of returning `[]`. Recommended in CI. |
+| `PRONTO_REEK_SEVERITY_LEVEL` | unset | **Deprecated.** Read for back-compat with a deprecation warning. Use `PRONTO_RUBYCRITIC_SEVERITY_LEVEL`. |
+
+Severity can also be set in `.pronto.yml`:
+
+```yaml
+# .pronto.yml
+rubycritic:
+  severity_level: warning
+```
+
+Precedence: `PRONTO_RUBYCRITIC_SEVERITY_LEVEL` → `PRONTO_REEK_SEVERITY_LEVEL`
+(deprecated) → `.pronto.yml` → `:warning` default.
+
+## CI integration
+
+### GitHub Actions
+
+The runner auto-detects `$GITHUB_ACTIONS` and emits rich HTML with `<details>`
+blocks. Example step:
+
+```yaml
+- name: Pronto
+  env:
+    PRONTO_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}
+    PRONTO_GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    PRONTO_RUBYCRITIC_RAISE_ERRORS: '1'
+  run: |
+    bundle exec pronto run -f github_pr -c origin/${{ github.base_ref }}
+```
+
+### GitLab CI
+
+The runner auto-detects `$GITLAB_CI` and emits plain Markdown (GitLab discussion
+comments do not render `<details>` reliably). Example:
+
+```yaml
+pronto:
+  stage: lint
+  script:
+    - bundle exec pronto run -f gitlab_mr -c origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
+  variables:
+    PRONTO_GITLAB_API_PRIVATE_TOKEN: $PRONTO_GITLAB_TOKEN
+    PRONTO_RUBYCRITIC_RAISE_ERRORS: '1'
+```
+
+### Output differences table
+
+| Feature | GitHub Actions | GitLab CI | Local CLI |
+|---|---|---|---|
+| Markup | HTML `<details>` + table | Flat Markdown table | Indented plain text |
+| Source location | Anchored to the diff line | Anchored to the diff line | Printed on a `Locations:` line |
+| Detected via | `$GITHUB_ACTIONS` | `$GITLAB_CI` | neither |
+
+## Architecture
+
+```
+Pronto::RubyCritic (Runner)
+├── ConfigLoader     — safe YAML + severity resolution
+├── Analyser         — owns ::RubyCritic::Config global, runs AnalysersRunner
+├── SmellFilter      — pure filter against user config
+├── MessageBuilder   — maps smells → Pronto::Message on added lines
+└── Formatter        — GitHub HTML / GitLab Markdown / Plain
+```
+
+Each module has its own spec file (`spec/pronto/rubycritic/*_spec.rb`) and
+mocks only the boundary between layers. Integration tests in
+`spec/integration/` exercise the full runner end-to-end against real fixtures.
+
+See [CHANGELOG.md](CHANGELOG.md) for the rationale behind every change in 0.12.0.
+
+## Development
+
+```bash
+git clone https://github.com/Rishabhs343/custom-pronto-gem.git
+cd custom-pronto-gem
+bundle install
+
+bundle exec rake              # RuboCop + RSpec
+bundle exec rake ci           # RuboCop + Reek + RSpec + RubyCritic (full CI)
+bundle exec rake reek         # Reek only
+bundle exec rake critic       # RubyCritic self-analysis
+```
+
+Run a single spec file:
+
+```bash
+bundle exec rspec spec/pronto/rubycritic_spec.rb
+```
+
+Generate a coverage report (opens `coverage/index.html`):
+
+```bash
+COVERAGE=1 bundle exec rspec
+```
+
+Debug the runner against a real project:
+
+```bash
+cd /path/to/your/project
+PRONTO_RUBYCRITIC_DEBUG=1 bundle exec pronto run -r rubycritic --unstaged
+```
+
+## Troubleshooting
+
+| Symptom | Cause | Fix |
+|---|---|---|
+| `no messages reported, but smells exist` | You set the now-removed `reek.min_severity` key | Remove it from `.rubycritic-pronto.yml`; see [migration](#migrating-from-011x) |
+| `undefined method new_file? for Pronto::Git::Patch` | Running a test that was written against ≤ 0.11.x mocks | Upgrade test mocks to use `instance_double(Pronto::Git::Patch)` |
+| `invalid YAML in .rubycritic-pronto.yml` on stderr, no messages | Config file has a syntax error | Run `yamllint .rubycritic-pronto.yml` or check your editor's linter |
+| `pronto-rubycritic: PRONTO_REEK_SEVERITY_LEVEL is deprecated…` | Legacy env var still set | Switch to `PRONTO_RUBYCRITIC_SEVERITY_LEVEL` |
+| All smells reported as `:warning` regardless of config | Default severity is `:warning` in 0.12.0 | Set `severity_level: info` in `.pronto.yml` under `rubycritic:` |
+| `RubyCritic::SourceControlSystem::NotFoundError` in CI | Working dir is not a git repo | Ensure `actions/checkout@v4` uses `fetch-depth: 0` |
+
+Set `PRONTO_RUBYCRITIC_DEBUG=1` for the first 10 lines of any backtrace.
+
+## Migrating from 0.11.x
+
+| Change | Action needed |
+|---|---|
+| `reek.min_severity` removed | Delete the key from `.rubycritic-pronto.yml`. It was dead code that silently filtered out every smell. |
+| `flay.max_score` / `flog.max_score` now actually filter | Expect more accurate filtering — previously these keys were no-ops. |
+| Default severity `:info` → `:warning` | To keep `:info`, set `PRONTO_RUBYCRITIC_SEVERITY_LEVEL=info` or add `rubycritic.severity_level: info` to `.pronto.yml`. |
+| `PRONTO_REEK_SEVERITY_LEVEL` deprecated | Rename to `PRONTO_RUBYCRITIC_SEVERITY_LEVEL`. The legacy var still works with a deprecation warning. |
+| `Pronto::RubyCritic::VERSION` added | Existing `Pronto::RubyCriticVersion::VERSION` still works. |
+| `rubycritic` dependency now pinned `< 6.0` | If you pin RubyCritic 6.x in your own `Gemfile`, wait for pronto-rubycritic 0.13. |
+
+Full breaking-change rationale in [CHANGELOG.md](CHANGELOG.md).
+
+## Contributing
+
+1. Fork the repo
+2. Create a feature branch (`git checkout -b feature/amazing-thing`)
+3. Make your changes with tests
+4. Run the full CI suite locally: `bundle exec rake ci`
+5. Open a PR
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for more detail. All contributions must
+pass RuboCop, Reek, RSpec with ≥ 90 % line coverage, and RubyCritic ≥ 75 score.
+
+## License
+
+[MIT](LICENSE) © Rishabh Singh. See [LICENSE](LICENSE) for the full text.

data/lib/pronto/rubycritic/analyser.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'rubycritic'
+require 'rubycritic/analysers_runner'
+
+module Pronto
+  class RubyCritic < Runner
+    # Thin wrapper around RubyCritic's AnalysersRunner. Owns the side-effect
+    # of configuring RubyCritic's global Config; no other class in this gem
+    # touches ::RubyCritic::Config.
+    class Analyser
+      def initialize(paths)
+        @paths = Array(paths).map(&:to_s).uniq.reject(&:empty?)
+      end
+
+      def call
+        return [] if @paths.empty?
+
+        configure_rubycritic
+        ::RubyCritic::AnalysersRunner.new(@paths).run
+      end
+
+      private
+
+      def configure_rubycritic
+        ::RubyCritic::Config.source_control_system =
+          ::RubyCritic::SourceControlSystem::Base.create
+        ::RubyCritic::Config.set(paths: @paths)
+      end
+    end
+  end
+end

data/lib/pronto/rubycritic/config_loader.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'pronto/config_file'
+
+module Pronto
+  class RubyCritic < Runner
+    module ConfigLoader
+      module_function
+
+      # Top-level keys that SmellFilter expects to be sub-mappings. A non-Hash
+      # value here (e.g. `reek: false`, `complexity: 10`) is a user typo; we
+      # drop it with a warning rather than letting it crash SmellFilter#dig.
+      RECOGNISED_SECTIONS = %w[reek flay flog complexity churn].freeze
+
+      def load_runner_config(filename, cwd: Dir.pwd)
+        path = File.join(cwd, filename)
+        return {} unless File.exist?(path)
+
+        # aliases are deliberately NOT permitted: YAML anchors/aliases are not
+        # used by this gem's config schema, and enabling them exposes a
+        # billion-laughs expansion DoS on a config file that, in CI, can be
+        # supplied by an untrusted pull request.
+        parsed = YAML.safe_load_file(path, permitted_classes: [Symbol])
+        return {} if parsed.nil?
+        return validate_sections(parsed, filename) if parsed.is_a?(Hash)
+
+        # YAML like ":\n:\n- [" parses to a Symbol / Array / scalar — not a
+        # Hash. SmellFilter expects a Hash (calls #dig). Reject anything else.
+        warn("pronto-rubycritic: #{filename} must be a YAML mapping (Hash); " \
+             "got #{parsed.class}. Ignoring.")
+        {}
+      rescue Psych::Exception => e
+        # Covers SyntaxError, DisallowedClass, and AliasesNotEnabled (the last
+        # one fires when a config uses a YAML alias, which we intentionally
+        # disable above).
+        warn("pronto-rubycritic: invalid YAML in #{filename}: #{e.class}: #{e.message}")
+        {}
+      end
+
+      def validate_sections(config, filename)
+        config.each_with_object({}) do |(key, value), acc|
+          if RECOGNISED_SECTIONS.include?(key) && !value.is_a?(Hash)
+            warn("pronto-rubycritic: #{filename}: section '#{key}' must be a mapping " \
+                 "(got #{value.class}); ignoring it.")
+            next
+          end
+
+          acc[key] = value
+        end
+      end
+
+      def load_pronto_config
+        Pronto::ConfigFile.new.to_h
+      rescue StandardError => e
+        warn("pronto-rubycritic: could not load .pronto.yml: #{e.class}: #{e.message}")
+        {}
+      end
+
+      def resolve_severity(env_value:, pronto_config:, valid_levels:, default:)
+        raw = first_non_blank(env_value, pronto_severity(pronto_config))
+        return default if raw.nil?
+
+        sym = raw.to_s.strip.downcase.to_sym
+        return sym if valid_levels.include?(sym)
+
+        warn("pronto-rubycritic: invalid severity #{raw.inspect}, falling back to #{default}.")
+        default
+      end
+
+      # Reads severity_level from .pronto.yml's `rubycritic:` section without
+      # assuming the section is a Hash — a non-Hash section (e.g. `rubycritic: x`)
+      # would otherwise raise TypeError from Hash#dig and be swallowed upstream.
+      def pronto_severity(pronto_config)
+        section = pronto_config['rubycritic'] if pronto_config.is_a?(Hash)
+        section.is_a?(Hash) ? section['severity_level'] : nil
+      end
+
+      def first_non_blank(*values)
+        values.find { |v| !v.nil? && !v.to_s.strip.empty? }
+      end
+    end
+  end
+end