@mainahq/core 0.2.0

package/src/verify/coverage.ts

@@ -0,0 +1,134 @@
+/**
+ * diff-cover Integration for the Verify Engine.
+ *
+ * Runs diff-cover to find changed lines that lack test coverage.
+ * Parses JSON output into the unified Finding type.
+ * Gracefully skips if diff-cover is not installed.
+ */
+
+import { isToolAvailable } from "./detect";
+import type { Finding } from "./diff-filter";
+
+// ─── Types ────────────────────────────────────────────────────────────────
+
+export interface CoverageOptions {
+	coverageXml?: string;
+	baseBranch?: string;
+	cwd?: string;
+	/** Pre-resolved availability — skips redundant detection if provided. */
+	available?: boolean;
+}
+
+export interface CoverageResult {
+	findings: Finding[];
+	skipped: boolean;
+}
+
+// ─── JSON Parsing ─────────────────────────────────────────────────────────
+
+/**
+ * Parse diff-cover JSON output into Finding[].
+ *
+ * Expected format:
+ * ```json
+ * {
+ *   "src_stats": {
+ *     "src/app.ts": {
+ *       "covered_lines": [10, 11, 12],
+ *       "violation_lines": [15, 16],
+ *       "percent_covered": 60.0
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * Each violation line becomes a Finding with warning severity.
+ */
+export function parseDiffCoverJson(json: string): Finding[] {
+	let parsed: Record<string, unknown>;
+	try {
+		parsed = JSON.parse(json) as Record<string, unknown>;
+	} catch {
+		return [];
+	}
+
+	const srcStats = parsed.src_stats;
+	if (!srcStats || typeof srcStats !== "object") {
+		return [];
+	}
+
+	const findings: Finding[] = [];
+
+	for (const [filePath, stats] of Object.entries(
+		srcStats as Record<string, unknown>,
+	)) {
+		const s = stats as Record<string, unknown>;
+		const violationLines = s.violation_lines;
+		const percentCovered = (s.percent_covered as number) ?? 0;
+
+		if (!Array.isArray(violationLines) || violationLines.length === 0) {
+			continue;
+		}
+
+		for (const line of violationLines) {
+			if (typeof line !== "number") continue;
+
+			findings.push({
+				tool: "diff-cover",
+				file: filePath,
+				line,
+				message: `Changed line not covered by tests (file: ${Math.round(percentCovered)}% covered)`,
+				severity: "warning",
+				ruleId: "diff-cover/uncovered-line",
+			});
+		}
+	}
+
+	return findings;
+}
+
+// ─── Runner ───────────────────────────────────────────────────────────────
+
+/**
+ * Run diff-cover and return parsed findings.
+ *
+ * If diff-cover is not installed, returns `{ findings: [], skipped: true }`.
+ * If diff-cover fails, returns `{ findings: [], skipped: false }`.
+ */
+export async function runCoverage(
+	options?: CoverageOptions,
+): Promise<CoverageResult> {
+	const toolAvailable =
+		options?.available ?? (await isToolAvailable("diff-cover"));
+	if (!toolAvailable) {
+		return { findings: [], skipped: true };
+	}
+
+	const cwd = options?.cwd ?? process.cwd();
+	const coverageXml = options?.coverageXml ?? "coverage/cobertura-coverage.xml";
+	const baseBranch = options?.baseBranch ?? "main";
+
+	const args = [
+		"diff-cover",
+		coverageXml,
+		`--compare-branch=${baseBranch}`,
+		"--json",
+	];
+
+	try {
+		const proc = Bun.spawn(args, {
+			cwd,
+			stdout: "pipe",
+			stderr: "pipe",
+		});
+
+		const stdout = await new Response(proc.stdout).text();
+		await new Response(proc.stderr).text();
+		await proc.exited;
+
+		const findings = parseDiffCoverJson(stdout);
+		return { findings, skipped: false };
+	} catch {
+		return { findings: [], skipped: false };
+	}
+}

package/src/verify/detect.ts

@@ -0,0 +1,171 @@
+/**
+ * Tool Auto-Detection for the Verify Engine.
+ *
+ * Detects which verification tools (biome, semgrep, trivy, etc.) are
+ * available on the system by attempting to run their version commands.
+ * Checks both global PATH and local node_modules/.bin/ for each tool.
+ * Missing tools are gracefully skipped.
+ */
+
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+
+export type ToolName =
+	| "biome"
+	| "semgrep"
+	| "trivy"
+	| "secretlint"
+	| "sonarqube"
+	| "stryker"
+	| "diff-cover"
+	| "ruff"
+	| "golangci-lint"
+	| "cargo-clippy"
+	| "cargo-audit"
+	| "playwright";
+
+export interface DetectedTool {
+	name: string;
+	command: string;
+	version: string | null;
+	available: boolean;
+}
+
+export const TOOL_REGISTRY: Record<
+	ToolName,
+	{ command: string; versionFlag: string }
+> = {
+	biome: { command: "biome", versionFlag: "--version" },
+	semgrep: { command: "semgrep", versionFlag: "--version" },
+	trivy: { command: "trivy", versionFlag: "--version" },
+	secretlint: { command: "secretlint", versionFlag: "--version" },
+	sonarqube: { command: "sonar-scanner", versionFlag: "--version" },
+	stryker: { command: "stryker", versionFlag: "--version" },
+	"diff-cover": { command: "diff-cover", versionFlag: "--version" },
+	ruff: { command: "ruff", versionFlag: "--version" },
+	"golangci-lint": { command: "golangci-lint", versionFlag: "--version" },
+	"cargo-clippy": { command: "cargo", versionFlag: "clippy --version" },
+	"cargo-audit": { command: "cargo-audit", versionFlag: "--version" },
+	playwright: { command: "npx", versionFlag: "playwright --version" },
+};
+
+/**
+ * Parse a version string from command output.
+ * Looks for common version patterns like "1.2.3", "v1.2.3", "Version: 1.2.3".
+ */
+function parseVersion(output: string): string | null {
+	const match = output.match(/v?(\d+\.\d+(?:\.\d+)?(?:[._-]\w+)*)/);
+	return match?.[1] ?? null;
+}
+
+/**
+ * Try to spawn a command and parse its version output.
+ * Returns the detected version string on success, or null on failure.
+ */
+async function tryCommand(
+	command: string,
+	versionFlag: string,
+): Promise<string | null> {
+	try {
+		const args = versionFlag.includes(" ")
+			? [command, ...versionFlag.split(" ")]
+			: [command, versionFlag];
+		const proc = Bun.spawn(args, {
+			stdout: "pipe",
+			stderr: "pipe",
+		});
+
+		const stdout = await new Response(proc.stdout).text();
+		const stderr = await new Response(proc.stderr).text();
+		const exitCode = await proc.exited;
+
+		if (exitCode === 0) {
+			return parseVersion(stdout) ?? parseVersion(stderr);
+		}
+		return null;
+	} catch {
+		return null;
+	}
+}
+
+/**
+ * Find the nearest node_modules/.bin directory by walking up from cwd.
+ * Returns the path if found, null otherwise.
+ */
+function findLocalBinDir(startDir: string = process.cwd()): string | null {
+	let dir = startDir;
+	const root = "/";
+
+	while (dir !== root) {
+		const binDir = join(dir, "node_modules", ".bin");
+		if (existsSync(binDir)) {
+			return binDir;
+		}
+		const parent = join(dir, "..");
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return null;
+}
+
+/**
+ * Detect whether a single tool is available on the system.
+ * Tries the global PATH first, then falls back to node_modules/.bin/.
+ * Never throws — unavailable tools return `{ available: false }`.
+ */
+export async function detectTool(name: ToolName): Promise<DetectedTool> {
+	const entry = TOOL_REGISTRY[name];
+
+	// Try global PATH first
+	const globalVersion = await tryCommand(entry.command, entry.versionFlag);
+	if (globalVersion !== null) {
+		return {
+			name,
+			command: entry.command,
+			version: globalVersion,
+			available: true,
+		};
+	}
+
+	// Try local node_modules/.bin/
+	const localBin = findLocalBinDir();
+	if (localBin) {
+		const localCommand = join(localBin, entry.command);
+		if (existsSync(localCommand)) {
+			const localVersion = await tryCommand(localCommand, entry.versionFlag);
+			if (localVersion !== null) {
+				return {
+					name,
+					command: localCommand,
+					version: localVersion,
+					available: true,
+				};
+			}
+		}
+	}
+
+	return {
+		name,
+		command: entry.command,
+		version: null,
+		available: false,
+	};
+}
+
+/**
+ * Detect all registered tools in parallel.
+ * Returns an array of DetectedTool in registry order.
+ */
+export async function detectTools(): Promise<DetectedTool[]> {
+	const names = Object.keys(TOOL_REGISTRY) as ToolName[];
+	const results = await Promise.all(names.map((name) => detectTool(name)));
+	return results;
+}
+
+/**
+ * Quick check: is a specific tool available?
+ */
+export async function isToolAvailable(name: ToolName): Promise<boolean> {
+	const tool = await detectTool(name);
+	return tool.available;
+}

package/src/verify/diff-filter.ts

@@ -0,0 +1,183 @@
+/**
+ * Diff-Only Filter — Reviewdog pattern for the Verify Engine.
+ *
+ * Filters findings to only changed lines via git diff. Pre-existing issues
+ * on unchanged lines are counted but hidden, so developers only see problems
+ * they introduced. This eliminates noise from legacy code.
+ */
+
+import { getDiff } from "../git/index";
+
+// ─── Types ────────────────────────────────────────────────────────────────
+
+export interface Finding {
+	tool: string;
+	file: string;
+	line: number;
+	column?: number;
+	message: string;
+	severity: "error" | "warning" | "info";
+	ruleId?: string;
+}
+
+export interface DiffFilterResult {
+	shown: Finding[];
+	hidden: number;
+}
+
+// ─── Diff Parsing ─────────────────────────────────────────────────────────
+
+/**
+ * Parse unified diff output to extract changed line numbers per file.
+ *
+ * Returns a Map from file path to Set of changed (added/modified) line numbers
+ * in the new version of the file. Only `+` lines are tracked — deletions don't
+ * have a line number in the new file.
+ */
+export function parseChangedLines(diff: string): Map<string, Set<number>> {
+	const result = new Map<string, Set<number>>();
+
+	if (!diff.trim()) {
+		return result;
+	}
+
+	const lines = diff.split("\n");
+	let currentFile: string | null = null;
+	let newLineNum = 0;
+
+	for (const line of lines) {
+		// Detect file header: +++ b/path/to/file
+		if (line.startsWith("+++ ")) {
+			const filePath = line.slice(4);
+			if (filePath === "/dev/null") {
+				currentFile = null;
+				continue;
+			}
+			// Strip the "b/" prefix that git uses
+			currentFile = filePath.startsWith("b/") ? filePath.slice(2) : filePath;
+			if (!result.has(currentFile)) {
+				result.set(currentFile, new Set());
+			}
+			continue;
+		}
+
+		// Skip --- header (old file)
+		if (line.startsWith("--- ")) {
+			continue;
+		}
+
+		// Parse hunk header: @@ -old,count +new,count @@
+		const hunkMatch = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
+		if (hunkMatch) {
+			newLineNum = Number.parseInt(hunkMatch[1] ?? "0", 10);
+			continue;
+		}
+
+		// Skip diff metadata lines
+		if (
+			line.startsWith("diff --git") ||
+			line.startsWith("index ") ||
+			line.startsWith("new file mode") ||
+			line.startsWith("deleted file mode") ||
+			line.startsWith("old mode") ||
+			line.startsWith("new mode") ||
+			line.startsWith("similarity index") ||
+			line.startsWith("rename from") ||
+			line.startsWith("rename to") ||
+			line.startsWith("Binary files")
+		) {
+			continue;
+		}
+
+		if (currentFile === null) {
+			continue;
+		}
+
+		// Added line: track it
+		if (line.startsWith("+")) {
+			result.get(currentFile)?.add(newLineNum);
+			newLineNum++;
+			continue;
+		}
+
+		// Deleted line: skip (no line number in new file)
+		if (line.startsWith("-")) {
+			continue;
+		}
+
+		// Context line (space prefix or empty within hunk): advance line counter
+		if (line.startsWith(" ") || line === "") {
+			newLineNum++;
+			continue;
+		}
+
+		// No-newline-at-end-of-file marker
+		if (line.startsWith("\\")) {
+			continue;
+		}
+
+		// Any other line within a hunk — advance counter as context
+		newLineNum++;
+	}
+
+	return result;
+}
+
+// ─── Filter Logic ─────────────────────────────────────────────────────────
+
+/**
+ * Filter findings against a pre-computed changed-lines map.
+ * Findings on changed lines are shown; all others are hidden.
+ *
+ * Exported for testing without needing to invoke git.
+ */
+export function filterByDiffWithMap(
+	findings: Finding[],
+	changedLines: Map<string, Set<number>>,
+): DiffFilterResult {
+	const shown: Finding[] = [];
+	let hidden = 0;
+
+	for (const finding of findings) {
+		const fileChanges = changedLines.get(finding.file);
+		if (fileChanges?.has(finding.line)) {
+			shown.push(finding);
+		} else {
+			hidden++;
+		}
+	}
+
+	return { shown, hidden };
+}
+
+/**
+ * Filter findings to only those on lines changed relative to a base branch.
+ *
+ * Uses `git diff <baseBranch>` to determine which lines are new/modified,
+ * then partitions findings into shown (on changed lines) and hidden
+ * (on unchanged lines, i.e. pre-existing issues).
+ *
+ * @param findings - All findings from verification tools
+ * @param baseBranch - The branch to diff against (defaults to "main")
+ * @param cwd - Working directory for git commands
+ * @returns Partitioned findings with hidden count
+ */
+export async function filterByDiff(
+	findings: Finding[],
+	baseBranch?: string,
+	cwd?: string,
+): Promise<DiffFilterResult> {
+	const base = baseBranch ?? "main";
+
+	// Get the diff against the base branch
+	const diff = await getDiff(base, undefined, cwd);
+
+	// If no diff (e.g. on the base branch itself, or git error),
+	// show all findings as a safe fallback
+	if (!diff.trim()) {
+		return { shown: findings, hidden: 0 };
+	}
+
+	const changedLines = parseChangedLines(diff);
+	return filterByDiffWithMap(findings, changedLines);
+}