@theglitchking/gimme-the-lint 2.2.0 → 2.4.0

package/.claude-plugin/marketplace.json

@@ -6,13 +6,13 @@
   },
   "metadata": {
     "description": "Official marketplace for gimme-the-lint - polyglot progressive linting with per-app baselines and drift detection",
-    "version": "2.2.0"
+    "version": "2.4.0"
   },
   "plugins": [
     {
       "name": "gimme-the-lint",
       "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, Rust, Terraform, and Ansible.",
-      "version": "2.2.0",
+      "version": "2.4.0",
       "author": {
         "name": "TheGlitchKing"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "gimme-the-lint",
   "description": "Polyglot progressive linting for monorepos — adapter-driven baselines, per-app drift detection, and idempotent skips across JavaScript/TypeScript, Python, Go, Rust, Terraform, and Ansible.",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "author": {
     "name": "TheGlitchKing",
     "email": "theglitchking@users.noreply.github.com"

package/CHANGELOG.md

@@ -5,6 +5,92 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.4.0] - 2026-05-17
+
+### Fixed
+- **tflint silent-failure on uninitialized ruleset plugins.** When a unit
+  carries a `.tflint.hcl`, tflint requires `tflint --init` before linting; the
+  adapter never ran it, so a failed run was recorded as a clean zero-violation
+  baseline that mis-gated every later commit. Adapters gain an `initCommand()`
+  hook (run once per directory); the tflint adapter runs `tflint --init` when a
+  `.tflint.hcl` is present. `parse()` now takes `(stdout, stderr, code)` — a
+  non-zero exit with no parseable JSON emits a high-severity `tflint-error`
+  violation, never a silent clean pass.
+- **eslint false-positive on a tooling-only `package.json`.** Discovery bound
+  eslint on the filename alone, so a devDependencies-only, source-free
+  `package.json` (one that merely pins a tooling dependency) became an eslint
+  app. `package.json` is now a conditional marker — eslint is bound only when
+  the directory looks like a real JS app (runtime deps / entry-point fields /
+  JS-TS source / an eslint or biome config). `EslintAdapter.detect()` is
+  likewise tightened so a bare `package.json` is insufficient.
+- **tflint `available()` over-reporting.** It returned true even when ruleset
+  plugins a `.tflint.hcl` declared were not installed, disagreeing with
+  `lint()`. It now verifies every declared plugin resolves.
+- **`.terraform.lock.hcl` removed from the tflint manifest files** — it is a
+  provider-lock file written by `terraform init`, not a tflint signal.
+
+### Added
+- **Generic ruleset-plugin version tracking.** `TflintAdapter.rulesetVersions()`
+  parses `tflint --version` into a `{ ruleset: version }` map — no ruleset name
+  is special-cased. A new `ruleset_versions` field is threaded through
+  baselines and the global manifest; drift detection emits a `ruleset` drift
+  entry when a plugin version changes, catching a plugin update under a loose
+  `.tflint.hcl` version constraint that left `config_hash` and `tool_version`
+  untouched.
+- **Rule rename/removal migration.** Per-linter rule-alias maps
+  (`lib/rule-aliases.js`) plus `gimme-the-lint migrate --rules`: re-lints each
+  unit and rewrites a renamed rule's baseline fingerprint old→new (preserving
+  the grandfather count), drops entries for rules that no longer occur, and
+  corrects `total`. A genuinely new violation is never grandfathered.
+
+### Changed
+- **`tflint.parse()` signature** is now `(stdout, stderr, code)`, matching the
+  base adapter contract.
+- **Removed the dead v1 drift path.** `lib/drift-detector.js` (superseded by
+  `lib/drift.js`) is deleted; `lib/manifest-manager.js` is slimmed to its one
+  live function, `hashFile()` — the v2 global manifest is owned by
+  `lib/gtl-manifest.js`.
+
+### Design
+- The tflint adapter never names a cloud provider. The bundled `terraform`
+  ruleset lints any Terraform repo with zero config; provider-specific rulesets
+  are opt-in and owned entirely by the target repo's own `.tflint.hcl`, which
+  the adapter parses generically for whatever `plugin` blocks it declares.
+
+## [2.3.0] - 2026-05-17
+
+### Fixed
+- **Bug A — monorepo linter binary resolution.** The ESLint and Biome adapters
+  resolved `node_modules/.bin/<linter>` only at the repo root, so in a monorepo
+  (where each JS app carries its own `node_modules`) `available()` returned
+  false and the linter was silently skipped — capturing an empty baseline.
+  Adapters now resolve the binary app-dir-first (app → repo root → PATH) and
+  run inside the app directory so the app's own flat config is discovered. The
+  Ruff adapter resolves its `.venv` the same way.
+- **Bug B — discovery bound the wrong directories.** Manifest discovery treated
+  a bare `requirements.txt` as a ruff app marker (binding nested load-test and
+  utility dirs) and discarded a repo-root config whenever any nested manifest
+  existed (leaving the real app unbound). `requirements.txt` is no longer a
+  discovery marker — `pyproject.toml`, `ruff.toml`, `.ruff.toml` and `setup.py`
+  are — and workspace-root detection is now **per linter**, so a repo-root
+  `[tool.ruff]` config binds the root even when nested `package.json` apps sit
+  below it.
+- **Bug C — "couldn't run" collapsed into "skipped".** An unavailable or
+  errored linter was recorded with the status used for "no code here", making
+  an incomplete baseline indistinguishable from a clean one — every
+  pre-existing violation later counted as new and blocked the commit. New
+  baseline statuses `unavailable` and `error` keep incomplete baselines
+  distinct; `migrate` and `baseline` print a prominent summary and exit
+  non-zero (override with `--allow-incomplete`); `hooks` refuses to install
+  against an incomplete baseline (override with `--force`); `check` reports
+  `needs-baseline` instead of flooding new violations.
+
+### Added
+- `migrate` now writes the discovered app/linter layout into
+  `gimme-the-lint.config.js` as an explicit `apps` map, so the guess is visible
+  and editable instead of silently re-derived on every run. It also emits a
+  warning when the layout is ambiguous (a repo-root config plus nested apps).
+
 ## [2.2.0] - 2026-05-17
 
 ### Added

package/bin/gimme-the-lint.js

@@ -154,6 +154,7 @@ program
   .description('Create or refresh progressive-lint baselines')
   .option('--strict', 'Fail when a linter is missing for code that is present')
   .option('--empty', 'Write empty baselines (greenfield: treat every violation as new)')
+  .option('--allow-incomplete', 'Exit 0 even if some linters could not be baselined')
   .action(async (target, opts) => {
     const chalk = require('chalk');
     const { runBaseline } = require('../lib/baseline');
@@ -166,6 +167,17 @@ program
       });
       console.log(formatBaselineReport(report, process.cwd()));
       console.log('');
+      // A baseline that could not capture a linter is incomplete — fail loudly
+      // rather than reporting success, unless the user opts in.
+      if (report.incomplete && report.incomplete.length && !opts.allowIncomplete) {
+        console.error(
+          chalk.red(
+            `✗ Baseline INCOMPLETE — ${report.incomplete.length} linter(s) not captured. ` +
+              'Install them and re-run, or pass --allow-incomplete.\n'
+          )
+        );
+        process.exit(1);
+      }
     } catch (err) {
       console.error(chalk.red(`\n✗ ${err.message}\n`));
       process.exit(1);
@@ -176,9 +188,46 @@ program
   .command('migrate')
   .description('Migrate a v1 (.lttf) project to the v2 .gtl/ layout')
   .option('--strict', 'Fail when a linter is missing for code that is present')
+  .option('--allow-incomplete', 'Exit 0 even if some linters could not be baselined')
+  .option('--rules', 'Migrate baselines through rule renames/removals (no layout change)')
   .action(async (opts) => {
     const chalk = require('chalk');
-    const { migrate } = require('../lib/migrate');
+    const { migrate, migrateRules } = require('../lib/migrate');
+
+    // --rules: rewrite baseline fingerprints through the per-linter rule-alias
+    // maps. A standalone mode — it does not touch the .gtl/ layout.
+    if (opts.rules) {
+      try {
+        const result = await migrateRules(process.cwd());
+        if (!result.migrated) {
+          console.log(
+            chalk.yellow('\nNo rule migrations applied — baselines are up to date.\n')
+          );
+          return;
+        }
+        console.log(chalk.green('\n✓ Rule migration applied\n'));
+        for (const u of result.units) {
+          for (const l of u.linters) {
+            const renames = l.renamed
+              .map((r) => `${r.from}→${r.to}`)
+              .join(', ');
+            console.log(
+              `  ${u.app} · ${l.linter}: ` +
+                `${l.renamed.length} renamed${renames ? ` (${renames})` : ''}, ` +
+                `${l.dropped} dropped`
+            );
+          }
+        }
+        console.log('');
+        console.log('Review the updated .gtl/ baselines and commit them.');
+        console.log('');
+      } catch (err) {
+        console.error(chalk.red(`\n✗ Rule migration failed: ${err.message}\n`));
+        process.exit(1);
+      }
+      return;
+    }
+
     try {
       const result = await migrate(process.cwd(), { strict: opts.strict });
       if (!result.migrated) {
@@ -188,9 +237,46 @@ program
       console.log(chalk.green('\n✓ Migrated to the v2 .gtl/ layout\n'));
       console.log(`  Legacy baselines backed up: ${result.backedUp.join(', ')}`);
       console.log(chalk.dim(`    → ${result.backupPath}`));
+      if (result.appsConfig && result.appsConfig.created) {
+        console.log(
+          `  Wrote explicit app map → ${path.basename(result.appsConfig.path)}`
+        );
+      }
       console.log(`  Re-baselined ${result.baseline.unitCount} app(s) into .gtl/`);
+      for (const w of result.discoveryWarnings || []) {
+        console.log(chalk.yellow(`  ⚠ ${w}`));
+      }
       console.log('');
-      console.log('Next: review the new .gtl/ directory and commit it.');
+
+      // An incomplete baseline must never be reported as a clean migration.
+      if (result.incomplete && result.incomplete.length) {
+        console.error(
+          chalk.red(`✗ ${result.incomplete.length} linter(s) were NOT baselined:`)
+        );
+        for (const i of result.incomplete) {
+          console.error(chalk.red(`    ${i.app} · ${i.linter} (${i.status})`));
+        }
+        console.error(
+          chalk.yellow(
+            '  The baseline is INCOMPLETE — install the missing linters and run\n' +
+              '  `gimme-the-lint baseline`, then commit .gtl/.'
+          )
+        );
+        if (!opts.allowIncomplete) {
+          console.error(
+            chalk.red(
+              '\n✗ Migration finished with an incomplete baseline ' +
+                '(pass --allow-incomplete to accept).\n'
+            )
+          );
+          process.exit(1);
+        }
+        console.log('');
+      }
+
+      console.log(
+        'Next: review the new .gtl/ directory and gimme-the-lint.config.js, then commit them.'
+      );
       console.log('');
     } catch (err) {
       console.error(chalk.red(`\n✗ Migration failed: ${err.message}\n`));
@@ -210,13 +296,43 @@ program
 program
   .command('hooks')
   .description('Install git hooks for pre-commit linting')
-  .action(async () => {
+  .option('--force', 'Install even when the baseline is incomplete')
+  .action(async (opts) => {
     const chalk = require('chalk');
     const gitHooksManager = require('../lib/git-hooks-manager');
+    const { findIncompleteBaselines } = require('../lib/baseline');
 
     try {
+      // Refuse to gate commits against an incomplete baseline: hooks would
+      // diff against linter sections that were never captured, so every
+      // pre-existing violation would count as new and block the commit.
+      const incomplete = await findIncompleteBaselines(process.cwd());
+      if (incomplete.length && !opts.force) {
+        console.error(
+          chalk.red('\n✗ Refusing to install hooks — the baseline is incomplete:\n')
+        );
+        for (const i of incomplete) {
+          console.error(chalk.red(`    ${i.app} · ${i.linter} (${i.status})`));
+        }
+        console.error(
+          chalk.yellow(
+            '\n  These linters were never baselined, so a pre-commit hook would\n' +
+              '  flag every pre-existing violation as new. Install the missing\n' +
+              '  linters and run `gimme-the-lint baseline`, or pass --force.\n'
+          )
+        );
+        process.exit(1);
+      }
+
       const installed = await gitHooksManager.installHooks(process.cwd());
       console.log(chalk.green(`\n✓ Installed git hooks: ${installed.join(', ')}\n`));
+      if (incomplete.length && opts.force) {
+        console.log(
+          chalk.yellow(
+            '⚠ Installed against an INCOMPLETE baseline (--force) — re-baseline soon.\n'
+          )
+        );
+      }
     } catch (e) {
       console.error(chalk.red(`\n✗ ${e.message}\n`));
       process.exit(1);

package/lib/adapters/adapter.js

@@ -26,8 +26,14 @@ const DEFAULT_IGNORE_DIRS = new Set([
 const SCAN_DEPTH = 5;
 
 class LinterAdapter {
-  constructor({ projectRoot } = {}) {
+  constructor({ projectRoot, appRoot } = {}) {
     this.projectRoot = projectRoot || process.cwd();
+    // appRoot is the directory of the specific app/unit being linted. In a
+    // monorepo each app carries its own node_modules / .venv, so project-local
+    // tool resolution and config discovery must start here — not at the repo
+    // root, which often has neither. Defaults to projectRoot for single-package
+    // projects and for callers that do not supply it.
+    this.appRoot = appRoot || this.projectRoot;
   }
 
   // --- identity (override in subclasses) ---
@@ -141,6 +147,33 @@ class LinterAdapter {
     throw new Error(`${this.id}: buildCommand() not implemented`);
   }
 
+  /**
+   * Optional one-time setup command run in a directory BEFORE linting it —
+   * e.g. `tflint --init` to fetch the ruleset plugins a .tflint.hcl declares.
+   * Without it tflint exits non-zero on an uninitialized plugin. Return null
+   * when no setup is needed (the default for every other adapter).
+   * @param {string} cwd  The directory linting will run in.
+   * @returns {{cmd: string, args: string[], env?: object}|null}
+   */
+  // eslint-disable-next-line no-unused-vars
+  initCommand(cwd) {
+    return null;
+  }
+
+  /** Run initCommand() once per directory, before the first lint there. */
+  _ensureInitialized(cwd) {
+    const spec = this.initCommand(cwd);
+    if (!spec) return;
+    if (!this._initialized) this._initialized = new Set();
+    if (this._initialized.has(cwd)) return;
+    this._initialized.add(cwd);
+    spawnSync(spec.cmd, spec.args, {
+      cwd,
+      env: spec.env ? { ...process.env, ...spec.env } : process.env,
+      encoding: 'utf8',
+    });
+  }
+
   // --- override: output parsing ---
   /**
    * @param {string} stdout
@@ -172,6 +205,7 @@ class LinterAdapter {
   lint(targets, opts = {}) {
     const spec = this.buildCommand(targets, opts);
     this._runCwd = spec.cwd || this.projectRoot;
+    this._ensureInitialized(this._runCwd);
     const result = spawnSync(spec.cmd, spec.args, {
       cwd: this._runCwd,
       env: spec.env ? { ...process.env, ...spec.env } : process.env,

package/lib/adapters/biome.js

@@ -38,9 +38,14 @@ class BiomeAdapter extends LinterAdapter {
     return ['.js', '.jsx', '.mjs', '.cjs', '.ts', '.tsx'];
   }
 
-  /** Prefer the project-local Biome; fall back to one on PATH. */
+  /**
+   * Prefer the app-local Biome, then the repo-root Biome, then PATH. Each JS
+   * app in a monorepo has its own node_modules; resolving only at projectRoot
+   * makes available() falsely return false for app-installed Biome.
+   */
   get binary() {
     return this.resolveBinary([
+      path.join(this.appRoot, 'node_modules', '.bin', 'biome'),
       path.join(this.projectRoot, 'node_modules', '.bin', 'biome'),
       'biome',
     ]);
@@ -52,9 +57,14 @@ class BiomeAdapter extends LinterAdapter {
 
   buildCommand(targets, opts = {}) {
     const args = ['lint', '--reporter=json'];
-    const list = targets && targets.length ? targets : ['.'];
+    // Run inside the app directory so Biome resolves the app's own biome.json.
+    const cwd = opts.cwd || this.appRoot;
+    const list = (targets && targets.length ? targets : ['.']).map((t) => {
+      const rel = path.relative(cwd, path.resolve(this.projectRoot, t));
+      return rel === '' ? '.' : rel;
+    });
     args.push(...list);
-    return { cmd: this.binary, args, cwd: opts.cwd || this.projectRoot };
+    return { cmd: this.binary, args, cwd };
   }
 
   parse(stdout) {

package/lib/adapters/eslint.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const fs = require('fs');
 const path = require('path');
 const { LinterAdapter } = require('./adapter');
 const { createViolation, SEVERITY } = require('../violation');
@@ -40,9 +41,15 @@ class EslintAdapter extends LinterAdapter {
     return ['.js', '.jsx', '.mjs', '.cjs', '.ts', '.tsx'];
   }
 
-  /** Prefer the project-local ESLint; fall back to one on PATH. */
+  /**
+   * Prefer the app-local ESLint, then the repo-root ESLint, then PATH. In a
+   * monorepo each JS app has its own node_modules; the repo root often has
+   * none, so resolving only at projectRoot makes available() falsely return
+   * false and the linter gets silently skipped.
+   */
   get binary() {
     return this.resolveBinary([
+      path.join(this.appRoot, 'node_modules', '.bin', 'eslint'),
       path.join(this.projectRoot, 'node_modules', '.bin', 'eslint'),
       'eslint',
     ]);
@@ -52,12 +59,31 @@ class EslintAdapter extends LinterAdapter {
     return ESLINT_CONFIG_FILES;
   }
 
+  /**
+   * Tighter than the base detect(): a bare `package.json` is NOT sufficient —
+   * a devDependencies-only tooling manifest is not a JS app. Require an ESLint
+   * config file, or actual JS/TS source under the directory.
+   */
+  detect(dir) {
+    if (!dir || !fs.existsSync(dir)) return false;
+    for (const name of ESLINT_CONFIG_FILES) {
+      if (fs.existsSync(path.join(dir, name))) return true;
+    }
+    return this._scanForSource(dir, 5);
+  }
+
   buildCommand(targets, opts = {}) {
     const args = ['--format=json'];
     if (opts.fix) args.push('--fix');
-    const list = targets && targets.length ? targets : ['.'];
+    // Run inside the app directory so ESLint resolves the app's own flat
+    // config (eslint.config.js) — in a monorepo the repo root often has none.
+    const cwd = opts.cwd || this.appRoot;
+    const list = (targets && targets.length ? targets : ['.']).map((t) => {
+      const rel = path.relative(cwd, path.resolve(this.projectRoot, t));
+      return rel === '' ? '.' : rel;
+    });
     args.push(...list);
-    return { cmd: this.binary, args, cwd: opts.cwd || this.projectRoot };
+    return { cmd: this.binary, args, cwd };
   }
 
   parse(stdout) {

package/lib/adapters/ruff.js

@@ -31,9 +31,10 @@ class RuffAdapter extends LinterAdapter {
     return ['.py', '.pyi'];
   }
 
-  /** Prefer the project venv's Ruff; fall back to one on PATH. */
+  /** Prefer the app venv's Ruff, then the repo-root venv, then PATH. */
   get binary() {
     return this.resolveBinary([
+      path.join(this.appRoot, '.venv', 'bin', 'ruff'),
       path.join(this.projectRoot, '.venv', 'bin', 'ruff'),
       'ruff',
     ]);

package/lib/adapters/tflint.js

@@ -7,10 +7,17 @@ const { createViolation, SEVERITY } = require('../violation');
 
 // tflint adapter. tflint is the de-facto Terraform/OpenTofu linter; it emits a
 // machine-readable report under `--format json`. Terraform has no manifest
-// file — a directory of *.tf (or *.tofu) IS the module — so detection here is
+// file — a directory of *.tf (or *.tofu) IS the module — so detection is
 // extension-based. tflint is module-scoped: it lints the .tf files of one
-// directory, so the adapter resolves and runs inside that directory, mirroring
-// the crate/module handling in the Clippy and golangci-lint adapters.
+// directory, so the adapter resolves and runs inside that directory.
+//
+// tflint's bundled `terraform` ruleset is a universal, provider-independent
+// baseline — it lints ANY Terraform repo (hyperscaler, on-prem, SaaS, network
+// appliances, local/null/random) with zero config. Provider-specific rulesets
+// (aws/google/azurerm/…) are opt-in and owned entirely by the target repo's
+// own .tflint.hcl. This adapter never names a provider: it always runs core
+// tflint and, when a .tflint.hcl is present, parses it GENERICALLY to drive
+// `--init`, availability checks and ruleset-version tracking.
 
 const TFLINT_CONFIG_FILES = ['.tflint.hcl'];
 
@@ -41,10 +48,12 @@ class TflintAdapter extends LinterAdapter {
     return true;
   }
 
-  // tflint config files double as a detection hint; the real signal is the
-  // presence of *.tf source (see sourceExtensions / project-model.js).
+  // A .tflint.hcl is a hint, not the discovery signal — *.tf source is (see
+  // sourceExtensions / project-model.js). `.terraform.lock.hcl` is NOT listed:
+  // it is a provider-lock file written by `terraform init`, frequently absent,
+  // and no signal that tflint applies.
   get manifestFiles() {
-    return ['.tflint.hcl', '.terraform.lock.hcl'];
+    return ['.tflint.hcl'];
   }
 
   get sourceExtensions() {
@@ -55,6 +64,101 @@ class TflintAdapter extends LinterAdapter {
     return TFLINT_CONFIG_FILES;
   }
 
+  // --- .tflint.hcl introspection (generic — no provider is special-cased) ---
+
+  /** True when the unit directory carries a .tflint.hcl. */
+  _hasConfig(dir) {
+    return fs.existsSync(path.join(dir || this.appRoot, '.tflint.hcl'));
+  }
+
+  /** Enumerate every `plugin "<name>"` block declared in a unit's .tflint.hcl. */
+  _declaredPlugins(dir) {
+    let hcl;
+    try {
+      hcl = fs.readFileSync(path.join(dir || this.appRoot, '.tflint.hcl'), 'utf8');
+    } catch {
+      return [];
+    }
+    const names = [];
+    const re = /plugin\s+"([^"]+)"/g;
+    let m;
+    while ((m = re.exec(hcl)) !== null) names.push(m[1]);
+    return names;
+  }
+
+  /** Cached `tflint --version` output (memoized after any --init has run). */
+  _versionOutput() {
+    if (this._versionOut == null) {
+      const result = this._probe();
+      this._versionOut = `${result.stdout || ''}\n${result.stderr || ''}`;
+      this._versionProbeFailed = Boolean(result.error) || result.status !== 0;
+    }
+    return this._versionOut;
+  }
+
+  // --- init: fetch ruleset plugins a .tflint.hcl declares -------------------
+
+  /**
+   * When the unit carries a .tflint.hcl, tflint requires `tflint --init` to
+   * fetch the declared ruleset plugins before linting — otherwise it exits
+   * non-zero with a plugin error. Run it once per directory (cached by the
+   * base adapter). A repo with no .tflint.hcl gets core linting, no init.
+   */
+  initCommand(cwd) {
+    if (this._hasConfig(cwd)) {
+      return { cmd: this.binary, args: ['--init'] };
+    }
+    return null;
+  }
+
+  // --- availability: agree with what lint() will actually see --------------
+
+  /**
+   * available() must agree with lint(). The binary must run AND every ruleset
+   * plugin the unit's .tflint.hcl declares must resolve. Plugins are fetched
+   * by `tflint --init`, so run it (idempotent, cached) before checking, then
+   * confirm each declared plugin appears in `tflint --version` output. The
+   * bundled `terraform` ruleset ships in the binary and always resolves.
+   */
+  available() {
+    const probe = this._probe();
+    if (probe.error || probe.status !== 0) return false;
+
+    const declared = this._declaredPlugins(this.appRoot).filter(
+      (name) => name !== 'terraform'
+    );
+    if (declared.length === 0) return true;
+
+    this._ensureInitialized(this.appRoot);
+    const installed = this.rulesetVersions();
+    return declared.every((name) => name in installed);
+  }
+
+  // --- version reporting ----------------------------------------------------
+
+  /** The tflint binary version, parsed deliberately from the version line. */
+  version() {
+    const match = this._versionOutput().match(/TFLint version (\d+\.\d+\.\d+)/i);
+    return match ? match[1] : 'unknown';
+  }
+
+  /**
+   * Installed ruleset-plugin versions, as a generic { name: version } map —
+   * one entry per `+ ruleset.<name> (<version>...)` line of `tflint --version`.
+   * No ruleset name is special-cased, so this tracks the bundled `terraform`
+   * ruleset and any provider ruleset a repo opts into, current or future.
+   * @returns {Object<string,string>}
+   */
+  rulesetVersions() {
+    const versions = {};
+    for (const line of this._versionOutput().split('\n')) {
+      // "+ ruleset.terraform (0.7.0, bundled)"  /  "+ ruleset.aws (0.30.0)"
+      const m = line.match(/^\s*\+\s*ruleset\.(\S+)\s*\(\s*([0-9][^,)\s]*)/);
+      if (m) versions[m[1]] = m[2];
+    }
+    return versions;
+  }
+
   buildCommand(targets, opts = {}) {
     const args = ['--format=json'];
     if (opts.fix && this.supportsFix) args.push('--fix');
@@ -77,14 +181,38 @@ class TflintAdapter extends LinterAdapter {
     return { cmd: this.binary, args, cwd };
   }
 
-  parse(stdout) {
+  /**
+   * @param {string} stdout
+   * @param {string} stderr
+   * @param {number|null} code  tflint's exit code.
+   */
+  parse(stdout, stderr, code) {
     const text = (stdout || '').trim();
-    if (!text) return [];
+    let report = null;
+    if (text) {
+      try {
+        report = JSON.parse(text);
+      } catch {
+        report = null;
+      }
+    }
 
-    let report;
-    try {
-      report = JSON.parse(text);
-    } catch {
+    // A non-zero exit with no parseable JSON is a hard failure — an
+    // uninitialized ruleset plugin, a broken config, an unusable binary. It
+    // must be LOUD: emit a synthetic high-severity violation carrying the
+    // stderr text, never let a failed run be recorded as a clean baseline.
+    if (!report) {
+      if (code != null && code !== 0) {
+        return [
+          createViolation({
+            file: '',
+            ruleId: 'tflint-error',
+            severity: SEVERITY.ERROR,
+            message: `tflint exited ${code}: ${(stderr || '').trim() || 'no output'}`,
+            source: 'tflint',
+          }),
+        ];
+      }
       return [];
     }