@soulbatical/tetra-dev-toolkit 1.1.0

package/lib/checks/health/gitignore.js

@@ -0,0 +1,83 @@
+/**
+ * Health Check: .gitignore Critical Entries
+ *
+ * Verifies .gitignore has entries for .env, node_modules, dist, credentials.
+ * Score: 2 (full) = all critical present, 1 = missing recommended, 0 = missing critical
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+const CRITICAL = [
+  { name: '.env files', patterns: ['.env', '.env.*', '.env.local'] },
+  { name: 'node_modules', patterns: ['node_modules'] },
+  { name: 'dist/build', patterns: ['dist', 'build'] }
+]
+
+const RECOMMENDED = [
+  { name: 'credential files (*.pem, *.key)', patterns: ['*.pem', '*.key'] },
+  { name: 'Supabase temp', patterns: ['.supabase', 'supabase/.temp'] },
+  { name: '.DS_Store', patterns: ['.DS_Store'] }
+]
+
+function isCovered(lines, pattern) {
+  const norm = pattern.replace(/\/$/, '')
+  return lines.some(line => {
+    const normLine = line.replace(/\/$/, '')
+    if (normLine === norm) return true
+    if (normLine === '.env.*' && pattern.startsWith('.env.')) return true
+    if (normLine === '.env*' && pattern.startsWith('.env')) return true
+    if (normLine.startsWith('*') && pattern.endsWith(normLine.slice(1))) return true
+    if (normLine === '/' + norm) return true
+    if (normLine === norm + '/') return true
+    if (normLine === norm + '/**') return true
+    if (normLine.endsWith('/' + norm)) return true
+    return false
+  })
+}
+
+export async function check(projectPath) {
+  const result = createCheck('gitignore', 2, {
+    exists: false, entryCount: 0, missingCritical: [], missingRecommended: []
+  })
+  result.score = 2
+
+  const gitignorePath = join(projectPath, '.gitignore')
+  if (!existsSync(gitignorePath)) {
+    result.status = 'error'
+    result.score = 0
+    result.details.message = 'No .gitignore file found'
+    return result
+  }
+
+  result.details.exists = true
+  let content
+  try { content = readFileSync(gitignorePath, 'utf-8') } catch {
+    result.status = 'error'; result.score = 0; result.details.message = 'Could not read .gitignore'; return result
+  }
+
+  const lines = content.split('\n').map(l => l.trim()).filter(l => l && !l.startsWith('#'))
+  result.details.entryCount = lines.length
+
+  for (const entry of CRITICAL) {
+    if (!entry.patterns.some(p => isCovered(lines, p))) {
+      result.details.missingCritical.push(entry.name)
+    }
+  }
+  for (const entry of RECOMMENDED) {
+    if (!entry.patterns.some(p => isCovered(lines, p))) {
+      result.details.missingRecommended.push(entry.name)
+    }
+  }
+
+  if (result.details.missingCritical.length > 0) {
+    result.score = 0; result.status = 'error'
+    result.details.message = `Missing critical entries: ${result.details.missingCritical.join(', ')}`
+  } else if (result.details.missingRecommended.length > 0) {
+    result.score = 1; result.status = 'warning'
+    result.details.message = `Missing recommended entries: ${result.details.missingRecommended.join(', ')}`
+  }
+
+  return result
+}

package/lib/checks/health/index.js

@@ -0,0 +1,26 @@
+/**
+ * Health Checks — All 15 project health checks
+ *
+ * Main entry: scanProjectHealth(projectPath, projectName, options?)
+ * Individual checks available via named imports.
+ */
+
+export { scanProjectHealth } from './scanner.js'
+export { calculateHealthStatus, createCheck, maskSecret } from './types.js'
+
+// Individual checks (for selective use)
+export { check as checkPlugins } from './plugins.js'
+export { check as checkMcps } from './mcps.js'
+export { check as checkGit } from './git.js'
+export { check as checkTests } from './tests.js'
+export { check as checkSecrets } from './secrets.js'
+export { check as checkQualityToolkit } from './quality-toolkit.js'
+export { check as checkNamingConventions } from './naming-conventions.js'
+export { check as checkRlsPolicies } from './rls-audit.js'
+export { check as checkGitignore } from './gitignore.js'
+export { check as checkRepoVisibility } from './repo-visibility.js'
+export { check as checkVinciFoxWidget } from './vincifox-widget.js'
+export { check as checkStellaIntegration } from './stella-integration.js'
+export { check as checkClaudeMd } from './claude-md.js'
+export { check as checkDopplerCompliance } from './doppler-compliance.js'
+export { check as checkInfrastructureYml } from './infrastructure-yml.js'

package/lib/checks/health/infrastructure-yml.js

@@ -0,0 +1,87 @@
+/**
+ * Health Check: .ralph/INFRASTRUCTURE.yml
+ *
+ * Checks for infrastructure documentation completeness.
+ * Score: 0=missing, 1=exists+parses, 2=all required sections, 3=no open security issues
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { parse as parseYaml } from 'yaml'
+import { createCheck } from './types.js'
+
+const REQUIRED_SECTIONS = ['hosting', 'domains', 'database', 'secrets', 'email', 'security']
+const ALL_SECTIONS = ['project', 'hosting', 'domains', 'database', 'secrets', 'email', 'monitoring', 'social', 'services', 'security', 'meta']
+
+function isFilled(value) {
+  if (value === null || value === undefined) return false
+  if (typeof value !== 'object') return true
+  if (Array.isArray(value)) return value.length > 0
+  return Object.values(value).some(v => v !== null && v !== undefined && v !== '')
+}
+
+export async function check(projectPath) {
+  const result = createCheck('infrastructure-yml', 3, {
+    exists: false, valid: false, sections: {}, missingSections: [], openSecurityIssues: []
+  })
+
+  const filePath = join(projectPath, '.ralph', 'INFRASTRUCTURE.yml')
+  if (!existsSync(filePath)) {
+    result.status = 'warning'
+    result.details.message = 'Missing .ralph/INFRASTRUCTURE.yml'
+    return result
+  }
+
+  result.details.exists = true
+
+  let data
+  try {
+    data = parseYaml(readFileSync(filePath, 'utf-8'))
+    if (!data || typeof data !== 'object') {
+      result.status = 'error'
+      result.details.message = 'YAML parsed but is not an object'
+      return result
+    }
+  } catch (e) {
+    result.status = 'error'
+    result.details.message = `YAML parse error: ${e instanceof Error ? e.message : String(e)}`
+    return result
+  }
+
+  result.details.valid = true
+  result.score = 1
+
+  for (const section of ALL_SECTIONS) {
+    result.details.sections[section] = isFilled(data[section])
+  }
+
+  const missingSections = REQUIRED_SECTIONS.filter(s => !isFilled(data[s]))
+  result.details.missingSections = missingSections
+
+  if (missingSections.length === 0) result.score = 2
+
+  // Check security open issues
+  const security = data.security
+  if (security && typeof security === 'object') {
+    const openIssues = security.open_issues
+    if (Array.isArray(openIssues) && openIssues.length > 0) {
+      result.details.openSecurityIssues = openIssues
+    }
+    if (missingSections.length === 0 && (!Array.isArray(openIssues) || openIssues.length === 0)) {
+      result.score = 3
+    }
+  } else if (missingSections.length === 0) {
+    result.score = 2
+  }
+
+  if (result.score === 0) result.status = 'error'
+  else if (result.score < result.maxScore) {
+    result.status = 'warning'
+    const issues = []
+    if (missingSections.length > 0) issues.push(`missing: ${missingSections.join(', ')}`)
+    if (result.details.openSecurityIssues.length > 0) issues.push(`${result.details.openSecurityIssues.length} open security issues`)
+    result.details.message = issues.join('; ')
+  }
+
+  return result
+}

package/lib/checks/health/mcps.js

@@ -0,0 +1,57 @@
+/**
+ * Health Check: MCP Servers
+ *
+ * Checks .mcp.json and .claude/settings.local.json for configured MCP servers.
+ * Score: 0 = none, 1 = 1+ servers
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('mcps', 1, { mcps: [], count: 0 })
+  let mcpServers = []
+
+  // Check .mcp.json
+  const mcpPath = join(projectPath, '.mcp.json')
+  if (existsSync(mcpPath)) {
+    try {
+      const content = JSON.parse(readFileSync(mcpPath, 'utf-8'))
+      mcpServers = Object.keys(content.mcpServers || content.servers || {})
+    } catch {
+      result.status = 'error'
+      result.details.error = 'Failed to parse .mcp.json'
+      return result
+    }
+  }
+
+  // Also check settings.local.json for enabledMcpjsonServers
+  const settingsLocalPath = join(projectPath, '.claude', 'settings.local.json')
+  if (existsSync(settingsLocalPath)) {
+    try {
+      const settings = JSON.parse(readFileSync(settingsLocalPath, 'utf-8'))
+      const enabled = settings.enabledMcpjsonServers || []
+      if (Array.isArray(enabled)) {
+        for (const s of enabled) {
+          if (!mcpServers.includes(s)) mcpServers.push(s)
+        }
+      }
+      if (settings.enableAllProjectMcpServers) {
+        result.details.enableAllProjectMcpServers = true
+      }
+    } catch { /* ignore */ }
+  }
+
+  result.details.mcps = mcpServers
+  result.details.count = mcpServers.length
+
+  if (mcpServers.length >= 1) {
+    result.score = 1
+  } else {
+    result.status = 'warning'
+    result.details.message = 'No MCP servers configured'
+  }
+
+  return result
+}

package/lib/checks/health/naming-conventions.js

@@ -0,0 +1,302 @@
+/**
+ * Health Check: Naming Conventions (DB + Code)
+ *
+ * Scans SQL migrations for snake_case tables/columns and source code for naming compliance.
+ * Score: up to 3 points (1 DB + 2 code)
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+const isSnakeCase = (s) => /^[a-z][a-z0-9]*(_[a-z0-9]+)*$/.test(s)
+const isPlural = (s) => s.endsWith('s') || s.endsWith('ies') || s.endsWith('data') || s.endsWith('media') || s.endsWith('info') || s.endsWith('status')
+
+const COL_TYPE_REGEX = /^["']?(\w+)["']?\s+(uuid|text|varchar|integer|int|bigint|boolean|bool|timestamp|timestamptz|jsonb?|smallint|numeric|real|double|serial|bytea|date|time|interval|citext|inet|macaddr|point|polygon|float)/i
+const BOOL_PREFIX = /^(is_|has_|can_|should_|allow_|enable_|use_|include_)/
+const JSON_SUFFIX = /_(data|json|meta|config|settings|options|payload|context|params|attributes|properties|extra|raw)$/
+const JSON_STANDALONE = /^(metadata|settings|config|configuration|options|preferences|tags|labels|permissions|context|payload|attributes|properties|extras|params|parameters)$/
+
+function scanDatabaseNaming(projectPath) {
+  const violations = []
+  let totalFields = 0
+  let compliant = 0
+
+  const migrationDirs = [
+    join(projectPath, 'supabase', 'migrations'),
+    join(projectPath, 'backend', 'supabase', 'migrations')
+  ]
+
+  const sqlFiles = []
+  for (const dir of migrationDirs) {
+    if (!existsSync(dir)) continue
+    try {
+      for (const f of readdirSync(dir).filter(f => f.endsWith('.sql'))) {
+        sqlFiles.push(join(dir, f))
+      }
+    } catch { /* ignore */ }
+  }
+
+  if (sqlFiles.length === 0) return { totalFields: 0, compliant: 0, violations: [], compliancePercent: 100 }
+
+  const globalColumns = {}
+
+  const checkColumn = (tableName, colName, colType, body, fileName) => {
+    if (!globalColumns[colName]) globalColumns[colName] = []
+    globalColumns[colName].push(tableName)
+
+    totalFields++
+    if (isSnakeCase(colName)) compliant++
+    else violations.push(`Column "${tableName}.${colName}" not snake_case (${fileName})`)
+
+    // PK must be "id"
+    const pkPattern = new RegExp(`["']?${colName}["']?\\s+\\w+[^,]*PRIMARY\\s+KEY`, 'i')
+    if (pkPattern.test(body) && colName !== 'id') {
+      totalFields++
+      violations.push(`PK "${tableName}.${colName}" should be named "id" (${fileName})`)
+    }
+
+    // FK: uuid refs should end with _id
+    if (colType === 'uuid' && colName !== 'id' && !colName.endsWith('_id') && !colName.endsWith('_at') && !colName.endsWith('_by')) {
+      if (new RegExp(`["']?${colName}["']?[^;]*REFERENCES`, 'i').test(body)) {
+        totalFields++
+        violations.push(`FK "${tableName}.${colName}" should use _id suffix (${fileName})`)
+      }
+    }
+
+    // Boolean prefix
+    if (colType === 'boolean' || colType === 'bool') {
+      totalFields++
+      if (BOOL_PREFIX.test(colName)) compliant++
+      else violations.push(`Boolean "${tableName}.${colName}" needs prefix (is_/has_/can_/...) (${fileName})`)
+      if (colName === 'is_deleted') {
+        totalFields++
+        violations.push(`Soft delete "${tableName}.is_deleted" should be "deleted_at timestamptz" (${fileName})`)
+      }
+    }
+
+    // JSON naming
+    if (colType === 'jsonb' || colType === 'json') {
+      totalFields++
+      if (JSON_SUFFIX.test(colName) || JSON_STANDALONE.test(colName)) compliant++
+      else violations.push(`JSON "${tableName}.${colName}" needs suffix (_data/_json/_meta/_config/_settings) (${fileName})`)
+    }
+  }
+
+  for (const filePath of sqlFiles) {
+    let content
+    try { content = readFileSync(filePath, 'utf-8') } catch { continue }
+    const fileName = filePath.split('/').pop() || ''
+
+    // CREATE TABLE
+    const createTableRegex = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:public\.)?["']?(\w+)["']?\s*\(([\s\S]*?)\);/gi
+    let match
+    while ((match = createTableRegex.exec(content)) !== null) {
+      const tableName = match[1]
+      const body = match[2]
+
+      totalFields++
+      if (isSnakeCase(tableName) && isPlural(tableName)) compliant++
+      else {
+        if (!isSnakeCase(tableName)) violations.push(`Table "${tableName}" not snake_case (${fileName})`)
+        else if (!isPlural(tableName)) violations.push(`Table "${tableName}" not plural (${fileName})`)
+      }
+
+      const columns = []
+      for (const line of body.split('\n')) {
+        const colMatch = line.trim().match(COL_TYPE_REGEX)
+        if (colMatch) {
+          columns.push(colMatch[1])
+          checkColumn(tableName, colMatch[1], colMatch[2].toLowerCase(), body, fileName)
+        }
+      }
+
+      // Timestamps check
+      totalFields++
+      if (columns.includes('created_at') && columns.includes('updated_at')) compliant++
+      else {
+        const missing = []
+        if (!columns.includes('created_at')) missing.push('created_at')
+        if (!columns.includes('updated_at')) missing.push('updated_at')
+        violations.push(`Table "${tableName}" missing ${missing.join(', ')} (${fileName})`)
+      }
+    }
+
+    // ALTER TABLE ADD COLUMN
+    const alterRegex = /ALTER\s+TABLE\s+(?:public\.)?["']?(\w+)["']?\s+ADD\s+(?:COLUMN\s+)?["']?(\w+)["']?\s+(uuid|text|varchar|integer|int|bigint|boolean|bool|timestamp|timestamptz|jsonb?|smallint|numeric|real|double|serial|bytea|date|time|interval|citext)/gi
+    while ((match = alterRegex.exec(content)) !== null) {
+      checkColumn(match[1], match[2], match[3].toLowerCase(), '', fileName)
+    }
+
+    // CREATE INDEX: idx_ or ix_ prefix
+    const indexRegex = /CREATE\s+(?:UNIQUE\s+)?INDEX\s+(?:IF\s+NOT\s+EXISTS\s+)?["']?(\w+)["']?\s+ON/gi
+    while ((match = indexRegex.exec(content)) !== null) {
+      totalFields++
+      if (/^(idx_|ix_)/.test(match[1])) compliant++
+      else violations.push(`Index "${match[1]}" should use idx_ or ix_ prefix (${fileName})`)
+    }
+  }
+
+  // Consistency checks
+  const consistencyGroups = [
+    { concept: 'creation timestamp', preferred: 'created_at', alternatives: ['created_on', 'creation_date', 'inserted_at', 'date_created'] },
+    { concept: 'update timestamp', preferred: 'updated_at', alternatives: ['updated_on', 'modified_at', 'changed_at', 'last_modified', 'date_updated'] },
+    { concept: 'deletion timestamp', preferred: 'deleted_at', alternatives: ['removed_at', 'date_deleted'] },
+    { concept: 'active flag', preferred: 'is_active', alternatives: ['active', 'enabled', 'is_enabled'] },
+    { concept: 'description', preferred: 'description', alternatives: ['desc', 'summary'] },
+  ]
+
+  for (const { concept, preferred, alternatives } of consistencyGroups) {
+    const preferredTables = globalColumns[preferred] || []
+    for (const alt of alternatives) {
+      const altTables = globalColumns[alt] || []
+      if (altTables.length > 0) {
+        totalFields++
+        const label = preferredTables.length > 0 ? 'Inconsistent' : 'Non-standard'
+        violations.push(`${label} ${concept}: "${alt}" in ${altTables.slice(0, 3).join(', ')} — use "${preferred}"`)
+      }
+    }
+  }
+
+  return {
+    totalFields,
+    compliant,
+    violations: violations.slice(0, 50),
+    compliancePercent: totalFields > 0 ? Math.round((compliant / totalFields) * 100) : 100
+  }
+}
+
+function scanCodeNaming(projectPath) {
+  const violations = []
+  let totalChecked = 0
+  let compliant = 0
+
+  const SKIP_DIRS = ['node_modules', 'dist', '.next', 'generated', 'coverage', '.turbo', 'build']
+  const MAX_FILES = 200
+  const MAX_LINES = 500
+  const SQL_KEYWORDS = /^\s*(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP|FROM|WHERE|JOIN|SET|VALUES|INTO|TABLE|INDEX|GRANT|REVOKE)\b/i
+
+  const tsFiles = []
+  const collectFiles = (dir) => {
+    if (tsFiles.length >= MAX_FILES || !existsSync(dir)) return
+    try {
+      for (const entry of readdirSync(dir, { withFileTypes: true })) {
+        if (tsFiles.length >= MAX_FILES) return
+        const fullPath = join(dir, entry.name)
+        if (entry.isDirectory()) {
+          if (SKIP_DIRS.includes(entry.name)) continue
+          if (!/^[a-z][a-z0-9._-]*$/.test(entry.name) && !entry.name.startsWith('.') && !entry.name.startsWith('__')) {
+            totalChecked++
+            violations.push(`Directory "${entry.name}" should be lowercase (${fullPath.replace(projectPath + '/', '')})`)
+          } else {
+            totalChecked++
+            compliant++
+          }
+          collectFiles(fullPath)
+        } else if (entry.isFile() && /\.(ts|tsx)$/.test(entry.name) && !entry.name.endsWith('.d.ts')) {
+          const baseName = entry.name.replace(/\.(ts|tsx)$/, '')
+          totalChecked++
+          const isCamel = /^[a-z][a-zA-Z0-9]*$/.test(baseName)
+          const isPascal = /^[A-Z][a-zA-Z0-9]*$/.test(baseName)
+          const isSnake = /^[a-z][a-z0-9]*([._-][a-z0-9]+)*$/.test(baseName)
+
+          if ((entry.name.endsWith('.tsx') && (isPascal || isCamel || isSnake)) ||
+              (entry.name.endsWith('.ts') && (isCamel || isSnake || isPascal))) {
+            compliant++
+          } else {
+            violations.push(`File "${entry.name}" naming issue (${fullPath.replace(projectPath + '/', '')})`)
+          }
+          tsFiles.push(fullPath)
+        }
+      }
+    } catch { /* ignore */ }
+  }
+
+  for (const dir of ['src', 'backend/src', 'frontend/src'].map(d => join(projectPath, d))) {
+    collectFiles(dir)
+  }
+
+  if (tsFiles.length === 0) return { totalChecked: 0, compliant: 0, violations: [], compliancePercent: 100 }
+
+  for (const filePath of tsFiles) {
+    let content
+    try { content = readFileSync(filePath, 'utf-8') } catch { continue }
+    const lines = content.split('\n').slice(0, MAX_LINES)
+    const relPath = filePath.replace(projectPath + '/', '')
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i]
+      if (SQL_KEYWORDS.test(line) || /^\s*(\/\/|\/\*|\*|import\s|export\s.*from)/.test(line) || !line.trim()) continue
+
+      // Variables & functions: camelCase or CONSTANT_CASE
+      const varMatch = line.match(/(?:const|let|var|function)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\b/)
+      if (varMatch) {
+        const name = varMatch[1]
+        if (name.length <= 1) continue
+        if (/^[A-Z][A-Z0-9_]+$/.test(name)) { totalChecked++; compliant++; continue }
+        totalChecked++
+        if (/^[a-z][a-zA-Z0-9]*$/.test(name) || /^_[a-z][a-zA-Z0-9]*$/.test(name)) compliant++
+        else if (/^[A-Z][a-zA-Z0-9]*$/.test(name) && filePath.endsWith('.tsx')) compliant++
+        else violations.push(`Variable "${name}" should be camelCase (${relPath}:${i + 1})`)
+      }
+
+      // Classes, interfaces, types, enums: PascalCase
+      const classMatch = line.match(/(?:class|interface|type|enum)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\b/)
+      if (classMatch) {
+        const name = classMatch[1]
+        if (name.length <= 1) continue
+        totalChecked++
+        if (/^[A-Z][a-zA-Z0-9]*$/.test(name)) compliant++
+        else violations.push(`Type "${name}" should be PascalCase (${relPath}:${i + 1})`)
+
+        if (line.match(/\binterface\s/) && /^I[A-Z]/.test(name)) {
+          totalChecked++
+          violations.push(`Interface "${name}" should not use I-prefix (${relPath}:${i + 1})`)
+        }
+      }
+    }
+  }
+
+  return {
+    totalChecked,
+    compliant,
+    violations: violations.slice(0, 50),
+    compliancePercent: totalChecked > 0 ? Math.round((compliant / totalChecked) * 100) : 100
+  }
+}
+
+export async function check(projectPath) {
+  const result = createCheck('naming-conventions', 3, {
+    database: { totalFields: 0, compliant: 0, violations: [], compliancePercent: 0 },
+    code: { totalChecked: 0, compliant: 0, violations: [], compliancePercent: 0 },
+    overallCompliancePercent: 0
+  })
+
+  const dbResult = scanDatabaseNaming(projectPath)
+  result.details.database = dbResult
+  if (dbResult.totalFields > 0) {
+    if (dbResult.compliancePercent >= 80) result.score += 1
+    else if (dbResult.compliancePercent >= 50) result.score += 0.5
+  } else {
+    result.score += 1 // No migrations = benefit of the doubt
+  }
+
+  const codeResult = scanCodeNaming(projectPath)
+  result.details.code = codeResult
+  if (codeResult.totalChecked > 0) {
+    if (codeResult.compliancePercent >= 90) result.score += 2
+    else if (codeResult.compliancePercent >= 70) result.score += 1
+    else if (codeResult.compliancePercent >= 50) result.score += 0.5
+  }
+
+  const totalChecked = dbResult.totalFields + codeResult.totalChecked
+  const totalCompliant = dbResult.compliant + codeResult.compliant
+  result.details.overallCompliancePercent = totalChecked > 0 ? Math.round((totalCompliant / totalChecked) * 100) : 0
+
+  const totalViolations = (dbResult.violations?.length || 0) + (codeResult.violations?.length || 0)
+  if (totalViolations === 0) result.status = 'ok'
+  else if (result.score >= 1) result.status = 'warning'
+  else result.status = 'error'
+
+  return result
+}

package/lib/checks/health/plugins.js

@@ -0,0 +1,38 @@
+/**
+ * Health Check: Claude Code Plugins
+ *
+ * Checks .claude/settings.json for enabled plugins.
+ * Score: 0 = none, 1 = 1-2 plugins, 2 = 3+ plugins
+ */
+
+import { existsSync, readFileSync } from 'fs'
+import { join } from 'path'
+import { createCheck } from './types.js'
+
+export async function check(projectPath) {
+  const result = createCheck('plugins', 2, { plugins: [], count: 0 })
+  const settingsPath = join(projectPath, '.claude', 'settings.json')
+
+  if (!existsSync(settingsPath)) {
+    result.status = 'warning'
+    result.details.message = 'No settings.json found'
+    return result
+  }
+
+  try {
+    const content = JSON.parse(readFileSync(settingsPath, 'utf-8'))
+    const raw = content.enabledPlugins || {}
+    const pluginList = Array.isArray(raw) ? raw : Object.keys(raw).filter(k => raw[k])
+
+    result.details.plugins = pluginList
+    result.details.count = pluginList.length
+
+    if (pluginList.length >= 3) result.score = 2
+    else if (pluginList.length >= 1) result.score = 1
+  } catch {
+    result.status = 'error'
+    result.details.error = 'Failed to parse settings.json'
+  }
+
+  return result
+}