@rigour-labs/cli 3.0.3 → 3.0.5

package/README.md

@@ -12,6 +12,7 @@ Rigour forces AI agents to meet strict engineering standards before marking task
 ## 🚀 Quick Start
 
 ```bash
+npx rigour scan     # Zero-config scan (auto-detect stack)
 npx rigour init     # Initialize quality gates
 npx rigour check    # Verify code quality
 npx rigour run -- claude "Build feature X"  # Agent loop
@@ -62,6 +63,7 @@ All gates support **TypeScript, JavaScript, Python, Go, Ruby, and C#/.NET**.
 
 | Command | Purpose |
 |:---|:---|
+| `rigour scan` | Zero-config stack-aware scan using existing gates |
 | `rigour init` | Setup Rigour in your project |
 | `rigour check` | Validate code against quality gates |
 | `rigour check --ci` | CI mode with appropriate output |

package/dist/cli.js

@@ -2,6 +2,7 @@
 import { Command } from 'commander';
 import { initCommand } from './commands/init.js';
 import { checkCommand } from './commands/check.js';
+import { scanCommand } from './commands/scan.js';
 import { explainCommand } from './commands/explain.js';
 import { runLoop } from './commands/run.js';
 import { guideCommand } from './commands/guide.js';
@@ -69,6 +70,23 @@ Examples:
     .action(async (files, options) => {
     await checkCommand(process.cwd(), files, options);
 });
+program
+    .command('scan')
+    .description('Run zero-config scan with auto-detected stack and existing gates')
+    .argument('[files...]', 'Specific files or directories to scan')
+    .option('--ci', 'CI mode (minimal output, non-zero exit on fail)')
+    .option('--json', 'Output report in JSON format')
+    .option('-c, --config <path>', 'Path to custom rigour.yml configuration (optional)')
+    .addHelpText('after', `
+Examples:
+  $ rigour scan                       # Zero-config scan in current repo
+  $ rigour scan ./src                 # Scan only src
+  $ rigour scan --json                # Machine-readable output
+  $ rigour scan --ci                  # CI-friendly output
+    `)
+    .action(async (files, options) => {
+    await scanCommand(process.cwd(), files, options);
+});
 program
     .command('explain')
     .description('Explain the last quality gate report with actionable bullets')

package/dist/commands/scan.d.ts

@@ -0,0 +1,6 @@
+export interface ScanOptions {
+    ci?: boolean;
+    json?: boolean;
+    config?: string;
+}
+export declare function scanCommand(cwd: string, files?: string[], options?: ScanOptions): Promise<void>;

package/dist/commands/scan.js

@@ -0,0 +1,236 @@
+import fs from 'fs-extra';
+import path from 'path';
+import chalk from 'chalk';
+import yaml from 'yaml';
+import { globby } from 'globby';
+import { GateRunner, ConfigSchema, DiscoveryService, FixPacketService, recordScore, getScoreTrend, } from '@rigour-labs/core';
+// Exit codes per spec
+const EXIT_PASS = 0;
+const EXIT_FAIL = 1;
+const EXIT_CONFIG_ERROR = 2;
+const EXIT_INTERNAL_ERROR = 3;
+const LANGUAGE_PATTERNS = {
+    'TypeScript': ['**/*.ts', '**/*.tsx'],
+    'JavaScript': ['**/*.js', '**/*.jsx', '**/*.mjs', '**/*.cjs'],
+    'Python': ['**/*.py'],
+    'Go': ['**/*.go'],
+    'Java': ['**/*.java'],
+    'Kotlin': ['**/*.kt'],
+    'C#': ['**/*.cs'],
+    'Ruby': ['**/*.rb', '**/*.rake'],
+    'Rust': ['**/*.rs'],
+};
+const COMMON_IGNORE = [
+    '**/node_modules/**',
+    '**/.git/**',
+    '**/dist/**',
+    '**/build/**',
+    '**/.next/**',
+    '**/coverage/**',
+    '**/vendor/**',
+    '**/.venv/**',
+    '**/venv/**',
+    '**/target/**',
+    '**/.terraform/**',
+    '**/*.min.js',
+];
+const HEADLINE_GATE_SUPPORT = {
+    'hallucinated-imports': ['TypeScript', 'JavaScript', 'Python', 'Go', 'Ruby', 'C#', 'Rust', 'Java', 'Kotlin'],
+    'phantom-apis': ['TypeScript', 'JavaScript', 'Python', 'Go', 'C#', 'Java', 'Kotlin'],
+    'deprecated-apis': ['TypeScript', 'JavaScript', 'Python', 'Go', 'C#', 'Java', 'Kotlin'],
+    'promise-safety': ['TypeScript', 'JavaScript', 'Python', 'Go', 'Ruby', 'C#'],
+    'security-patterns': ['TypeScript', 'JavaScript', 'Python', 'Go', 'Java', 'Kotlin'],
+    'duplication-drift': ['TypeScript', 'JavaScript', 'Python'],
+    'inconsistent-error-handling': ['TypeScript', 'JavaScript'],
+    'context-window-artifacts': ['TypeScript', 'JavaScript', 'Python'],
+};
+export async function scanCommand(cwd, files = [], options = {}) {
+    try {
+        const scanCtx = await resolveScanConfig(cwd, options);
+        const stackSignals = await detectStackSignals(cwd);
+        if (!options.ci && !options.json) {
+            renderScanHeader(scanCtx, stackSignals);
+        }
+        const runner = new GateRunner(scanCtx.config);
+        const report = await runner.run(cwd, files.length > 0 ? files : undefined);
+        // Write machine report and score history
+        const reportPath = path.join(cwd, scanCtx.config.output.report_path);
+        await fs.writeJson(reportPath, report, { spaces: 2 });
+        recordScore(cwd, report);
+        // Generate fix packet on failure
+        if (report.status === 'FAIL') {
+            const fixPacketService = new FixPacketService();
+            const fixPacket = fixPacketService.generate(report, scanCtx.config);
+            const fixPacketPath = path.join(cwd, 'rigour-fix-packet.json');
+            await fs.writeJson(fixPacketPath, fixPacket, { spaces: 2 });
+        }
+        if (options.json) {
+            process.stdout.write(JSON.stringify({
+                mode: scanCtx.mode,
+                preset: scanCtx.detectedPreset ?? scanCtx.config.preset,
+                paradigm: scanCtx.detectedParadigm ?? scanCtx.config.paradigm,
+                stack: stackSignals,
+                report,
+            }, null, 2) + '\n');
+            process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
+        }
+        if (options.ci) {
+            const score = report.stats.score ?? 0;
+            if (report.status === 'PASS') {
+                console.log(`PASS (${score}/100)`);
+            }
+            else {
+                console.log(`FAIL: ${report.failures.length} violation(s) | Score: ${score}/100`);
+            }
+            process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
+        }
+        renderScanResults(report, stackSignals, scanCtx.config.output.report_path, cwd);
+        process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
+    }
+    catch (error) {
+        if (error.name === 'ZodError') {
+            console.error(chalk.red('\nInvalid configuration for scan mode:'));
+            error.issues.forEach((issue) => {
+                console.error(chalk.red(`  • ${issue.path.join('.')}: ${issue.message}`));
+            });
+            process.exit(EXIT_CONFIG_ERROR);
+        }
+        console.error(chalk.red(`Internal error: ${error.message}`));
+        process.exit(EXIT_INTERNAL_ERROR);
+    }
+}
+async function resolveScanConfig(cwd, options) {
+    const explicitConfig = options.config ? path.resolve(cwd, options.config) : undefined;
+    const defaultConfig = path.join(cwd, 'rigour.yml');
+    const configPath = explicitConfig || defaultConfig;
+    if (await fs.pathExists(configPath)) {
+        const configContent = await fs.readFile(configPath, 'utf-8');
+        const rawConfig = yaml.parse(configContent);
+        const config = ConfigSchema.parse(rawConfig);
+        return {
+            mode: 'existing-config',
+            config,
+            configPath,
+            detectedPreset: config.preset,
+            detectedParadigm: config.paradigm,
+        };
+    }
+    const discovery = new DiscoveryService();
+    const discovered = await discovery.discover(cwd);
+    return {
+        mode: 'auto-discovered',
+        config: ConfigSchema.parse(discovered.config),
+        detectedPreset: discovered.matches.preset?.name,
+        detectedParadigm: discovered.matches.paradigm?.name,
+    };
+}
+async function detectStackSignals(cwd) {
+    const languageChecks = await Promise.all(Object.entries(LANGUAGE_PATTERNS).map(async ([language, patterns]) => {
+        const matches = await globby(patterns, { cwd, gitignore: true, ignore: COMMON_IGNORE });
+        return { language, found: matches.length > 0 };
+    }));
+    const languages = languageChecks.filter(item => item.found).map(item => item.language);
+    const [dockerMatches, terraformMatches, sqlMatches] = await Promise.all([
+        globby(['**/Dockerfile', '**/docker-compose*.yml', '**/*.dockerfile'], { cwd, gitignore: true, ignore: COMMON_IGNORE }),
+        globby(['**/*.tf', '**/*.tfvars', '**/*.hcl'], { cwd, gitignore: true, ignore: COMMON_IGNORE }),
+        globby(['**/*.sql'], { cwd, gitignore: true, ignore: COMMON_IGNORE }),
+    ]);
+    return {
+        languages,
+        hasDocker: dockerMatches.length > 0,
+        hasTerraform: terraformMatches.length > 0,
+        hasSql: sqlMatches.length > 0,
+    };
+}
+function renderScanHeader(scanCtx, stackSignals) {
+    console.log(chalk.bold.cyan('\nRigour Scan'));
+    console.log(chalk.dim('Zero-config security and AI-drift sweep using existing Rigour gates.\n'));
+    const modeLabel = scanCtx.mode === 'existing-config'
+        ? `Using existing config: ${path.basename(scanCtx.configPath || 'rigour.yml')}`
+        : 'Auto-discovered config (no rigour.yml required)';
+    const preset = scanCtx.detectedPreset || scanCtx.config.preset || 'universal';
+    const paradigm = scanCtx.detectedParadigm || scanCtx.config.paradigm || 'general';
+    console.log(chalk.bold(`Mode:`) + ` ${modeLabel}`);
+    console.log(chalk.bold(`Detected profile:`) + ` preset=${preset}, paradigm=${paradigm}`);
+    console.log(chalk.bold(`Detected stack:`) + ` ${stackSignals.languages.join(', ') || 'No major language signatures detected'}`);
+    console.log('');
+}
+function renderScanResults(report, stackSignals, reportPath, cwd) {
+    const fakePackages = extractHallucinatedImports(report.failures);
+    if (fakePackages.length > 0) {
+        const unique = [...new Set(fakePackages)];
+        console.log(chalk.red.bold(`oh shit: ${unique.length} fake package/path import(s) detected`));
+        console.log(chalk.dim(`Examples: ${unique.slice(0, 5).join(', ')}${unique.length > 5 ? ', ...' : ''}`));
+        console.log('');
+    }
+    const statusColor = report.status === 'PASS' ? chalk.green.bold : chalk.red.bold;
+    const statusLabel = report.status === 'PASS' ? 'PASS' : 'FAIL';
+    const score = report.stats.score ?? 0;
+    const aiHealth = report.stats.ai_health_score ?? 0;
+    const structural = report.stats.structural_score ?? 0;
+    console.log(statusColor(`${statusLabel} | Score ${score}/100 | AI Health ${aiHealth}/100 | Structural ${structural}/100`));
+    const severity = report.stats.severity_breakdown || {};
+    const sevParts = ['critical', 'high', 'medium', 'low', 'info']
+        .filter(level => (severity[level] || 0) > 0)
+        .map(level => `${level}: ${severity[level]}`);
+    if (sevParts.length > 0) {
+        console.log(`Severity: ${sevParts.join(', ')}`);
+    }
+    renderCoverageWarnings(stackSignals);
+    console.log('');
+    if (report.status === 'FAIL') {
+        const topFindings = report.failures.slice(0, 8);
+        for (const failure of topFindings) {
+            const sev = (failure.severity || 'medium').toUpperCase().padEnd(8, ' ');
+            console.log(`${sev} [${failure.id}] ${failure.title}`);
+            if (failure.files && failure.files.length > 0) {
+                console.log(chalk.dim(`  files: ${failure.files.slice(0, 3).join(', ')}`));
+            }
+        }
+        if (report.failures.length > topFindings.length) {
+            console.log(chalk.dim(`...and ${report.failures.length - topFindings.length} more findings`));
+        }
+    }
+    const trend = getScoreTrend(cwd);
+    if (trend && trend.recentScores.length >= 3) {
+        console.log(chalk.dim(`\nTrend: ${trend.recentScores.join(' -> ')} (${trend.direction})`));
+    }
+    console.log(chalk.yellow(`\nFull report: ${reportPath}`));
+    if (report.status === 'FAIL') {
+        console.log(chalk.yellow('Fix packet: rigour-fix-packet.json'));
+    }
+    console.log(chalk.dim(`Finished in ${report.stats.duration_ms}ms`));
+}
+function renderCoverageWarnings(stackSignals) {
+    const gaps = [];
+    for (const language of stackSignals.languages) {
+        const supportedBy = Object.entries(HEADLINE_GATE_SUPPORT)
+            .filter(([, languages]) => languages.includes(language))
+            .map(([gateId]) => gateId);
+        if (supportedBy.length < 3) {
+            gaps.push(`${language}: partial support (${supportedBy.join(', ') || 'none'})`);
+        }
+    }
+    if (stackSignals.hasDocker || stackSignals.hasTerraform) {
+        gaps.push('Infra files detected (Docker/Terraform) but no dedicated vulnerability/drift gate yet');
+    }
+    if (stackSignals.hasSql) {
+        gaps.push('SQL files detected but no dedicated .sql static gate yet (string-level SQL checks only)');
+    }
+    if (gaps.length > 0) {
+        console.log(chalk.yellow('Coverage gaps to close:'));
+        gaps.forEach(gap => console.log(chalk.yellow(`  - ${gap}`)));
+    }
+}
+function extractHallucinatedImports(failures) {
+    const fakeImports = [];
+    for (const failure of failures) {
+        if (failure.id !== 'hallucinated-imports')
+            continue;
+        const matches = failure.details.matchAll(/import '([^']+)'/g);
+        for (const match of matches) {
+            fakeImports.push(match[1]);
+        }
+    }
+    return fakeImports;
+}

package/dist/commands/scan.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/commands/scan.test.js

@@ -0,0 +1,64 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+import { scanCommand } from './scan.js';
+describe('scanCommand', () => {
+    let testDir;
+    beforeEach(async () => {
+        testDir = await fs.mkdtemp(path.join(os.tmpdir(), 'rigour-scan-test-'));
+        vi.spyOn(process, 'exit').mockImplementation(() => undefined);
+        vi.spyOn(console, 'log').mockImplementation(() => { });
+        vi.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    afterEach(async () => {
+        await fs.remove(testDir);
+        vi.restoreAllMocks();
+    });
+    it('runs in zero-config mode without rigour.yml', async () => {
+        await fs.writeJson(path.join(testDir, 'package.json'), { name: 'scan-zero-config-test' });
+        await fs.writeFile(path.join(testDir, 'index.js'), "import fake from 'totally-fake-package';\nconsole.log(fake);\n");
+        await expect(scanCommand(testDir, [], {})).resolves.not.toThrow();
+        expect(process.exit).toHaveBeenCalled();
+        expect(await fs.pathExists(path.join(testDir, 'rigour-report.json'))).toBe(true);
+    }, 30_000);
+    it('uses provided config path when passed', async () => {
+        await fs.writeFile(path.join(testDir, 'app.js'), "export const ok = 42;\n");
+        await fs.writeFile(path.join(testDir, 'scan-config.yml'), `
+version: 1
+gates:
+  required_files: []
+  forbid_todos: false
+  forbid_fixme: false
+  context:
+    enabled: false
+  environment:
+    enabled: false
+  retry_loop_breaker:
+    enabled: false
+  security:
+    enabled: false
+  duplication_drift:
+    enabled: false
+  hallucinated_imports:
+    enabled: false
+  inconsistent_error_handling:
+    enabled: false
+  context_window_artifacts:
+    enabled: false
+  promise_safety:
+    enabled: false
+  phantom_apis:
+    enabled: false
+  deprecated_apis:
+    enabled: false
+  test_quality:
+    enabled: false
+output:
+  report_path: scan-report.json
+`);
+        await expect(scanCommand(testDir, [], { config: 'scan-config.yml' })).resolves.not.toThrow();
+        expect(process.exit).toHaveBeenCalledWith(0);
+        expect(await fs.pathExists(path.join(testDir, 'scan-report.json'))).toBe(true);
+    }, 30_000);
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/cli",
-  "version": "3.0.3",
+  "version": "3.0.5",
   "description": "CLI quality gates for AI-generated code. Forces AI agents (Claude, Cursor, Copilot) to meet strict engineering standards with PASS/FAIL enforcement.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -44,7 +44,7 @@
     "inquirer": "9.2.16",
     "ora": "^8.0.1",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "3.0.3"
+    "@rigour-labs/core": "3.0.5"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",