claude-crap 0.1.2 → 0.2.0

package/plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-crap-plugin",
-  "version": "0.1.2",
+  "version": "0.2.0",
   "private": true,
   "description": "Runtime dependencies for the claude-crap plugin bundle",
   "type": "module",

package/src/index.ts

@@ -57,7 +57,9 @@ import { validateSarifDocument } from "./sarif/sarif-validator.js";
 import { loadCrapConfig, CrapConfigError } from "./crap-config.js";
 import { findTestFile } from "./tools/test-harness.js";
 import { resolveWithinWorkspace } from "./workspace-guard.js";
+import { autoScan } from "./scanner/auto-scan.js";
 import {
+  autoScanSchema,
   computeCrapSchema,
   computeTdrSchema,
   analyzeFileAstSchema,
@@ -205,6 +207,12 @@ async function main(): Promise<void> {
           "Aggregate the project score across Maintainability, Reliability, Security and Overall, returning a chat-friendly Markdown summary, the structured JSON, the local dashboard URL, and the consolidated SARIF report path.",
         inputSchema: scoreProjectSchema,
       },
+      {
+        name: "auto_scan",
+        description:
+          "Auto-detect available scanners (ESLint, Semgrep, Bandit, Stryker) in the workspace, run them, and ingest findings into the SARIF store.",
+        inputSchema: autoScanSchema,
+      },
     ],
   }));
 
@@ -532,6 +540,35 @@ async function main(): Promise<void> {
         }
       }
 
+      case "auto_scan": {
+        logger.info({ tool: "auto_scan" }, "Tool call received");
+        try {
+          const result = await autoScan(config.pluginRoot, sarifStore, logger);
+          const markdown = renderAutoScanMarkdown(result);
+          return {
+            content: [
+              { type: "text", text: markdown },
+              { type: "text", text: JSON.stringify(result, null, 2) },
+            ],
+          };
+        } catch (err) {
+          logger.error({ err }, "auto_scan failed");
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify(
+                  { tool: "auto_scan", status: "error", message: (err as Error).message },
+                  null,
+                  2,
+                ),
+              },
+            ],
+            isError: true,
+          };
+        }
+      }
+
       default:
         throw new Error(`[claude-crap] Unknown tool: ${name}`);
     }
@@ -589,6 +626,67 @@ async function main(): Promise<void> {
   const transport = new StdioServerTransport();
   await server.connect(transport);
   logger.info("claude-crap MCP server ready (stdio)");
+
+  // Fire-and-forget: auto-scan runs in background, doesn't block tool calls.
+  // If the agent calls score_project before scanning finishes, it gets
+  // whatever is in the SARIF store so far. The next call after completion
+  // reflects all findings.
+  autoScan(config.pluginRoot, sarifStore, logger)
+    .then((result) => {
+      const scanners = result.results
+        .filter((r) => r.success)
+        .map((r) => r.scanner);
+      logger.info(
+        {
+          scannersRun: scanners,
+          totalFindings: result.totalFindings,
+          durationMs: result.totalDurationMs,
+        },
+        "auto-scan completed",
+      );
+    })
+    .catch((err) => {
+      logger.warn(
+        { err: (err as Error).message },
+        "auto-scan failed — continuing without it",
+      );
+    });
+}
+
+/**
+ * Render a human-readable Markdown summary of an auto-scan result.
+ */
+function renderAutoScanMarkdown(result: import("./scanner/auto-scan.js").AutoScanResult): string {
+  const lines: string[] = ["## claude-crap :: auto-scan results\n"];
+
+  // Detection summary
+  lines.push("### Detected scanners\n");
+  lines.push("| Scanner | Available | Reason |");
+  lines.push("| ------- | :-------: | ------ |");
+  for (const d of result.detected) {
+    lines.push(`| ${d.scanner} | ${d.available ? "yes" : "no"} | ${d.reason} |`);
+  }
+  lines.push("");
+
+  // Execution results
+  if (result.results.length > 0) {
+    lines.push("### Execution results\n");
+    lines.push("| Scanner | Status | Findings | Duration |");
+    lines.push("| ------- | :----: | :------: | -------: |");
+    for (const r of result.results) {
+      const status = r.success ? "ok" : "failed";
+      const duration = `${(r.durationMs / 1000).toFixed(1)}s`;
+      lines.push(`| ${r.scanner} | ${status} | ${r.findingsIngested} | ${duration} |`);
+    }
+    lines.push("");
+  }
+
+  // Summary
+  lines.push(
+    `**Total findings ingested:** ${result.totalFindings} in ${(result.totalDurationMs / 1000).toFixed(1)}s`,
+  );
+
+  return lines.join("\n");
 }
 
 /**

package/src/scanner/auto-scan.ts

@@ -0,0 +1,212 @@
+/**
+ * Orchestrator: detect available scanners, run them, and ingest results.
+ *
+ * This module ties together the detector, runner, and adapter pipeline
+ * into a single `autoScan()` function that:
+ *
+ *   1. Probes the workspace for available scanners
+ *   2. Executes detected scanners in parallel
+ *   3. Routes each scanner's output through its adapter
+ *   4. Ingests the normalized SARIF into the store
+ *
+ * The function is designed to be called:
+ *   - At MCP server boot (fire-and-forget, non-blocking)
+ *   - On demand via the `auto_scan` MCP tool
+ *
+ * Failures in individual scanners are logged and skipped — a broken
+ * Semgrep install should not prevent ESLint from running.
+ *
+ * @module scanner/auto-scan
+ */
+
+import type { Logger } from "pino";
+import { detectScanners, type ScannerDetection } from "./detector.js";
+import { runScanner, type ScannerRunResult } from "./runner.js";
+import { adaptScannerOutput, type KnownScanner } from "../adapters/index.js";
+import type { SarifStore } from "../sarif/sarif-store.js";
+
+// ── Types ──────────────────────────────────────────────────────────
+
+/**
+ * Per-scanner result within the auto-scan summary.
+ */
+export interface ScannerResult {
+  scanner: KnownScanner;
+  success: boolean;
+  findingsIngested: number;
+  durationMs: number;
+  error?: string;
+}
+
+/**
+ * Complete result of an auto-scan run.
+ */
+export interface AutoScanResult {
+  /** Detection results for all four scanners. */
+  detected: ScannerDetection[];
+  /** Execution + ingestion results for scanners that were available. */
+  results: ScannerResult[];
+  /** Total findings ingested across all scanners. */
+  totalFindings: number;
+  /** Wall-clock time for the entire auto-scan. */
+  totalDurationMs: number;
+}
+
+// ── Orchestrator ───────────────────────────────────────────────────
+
+/**
+ * Ingest a single scanner's raw output through its adapter and into
+ * the SARIF store. Returns the number of accepted findings.
+ */
+function ingestScannerRun(
+  scanner: KnownScanner,
+  rawOutput: string,
+  sarifStore: SarifStore,
+): { accepted: number } {
+  // Parse the raw output — adapters accept string or object
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(rawOutput);
+  } catch {
+    // Semgrep outputs SARIF as a string, others are JSON.
+    // If parsing fails, pass the raw string to the adapter.
+    parsed = rawOutput;
+  }
+
+  const adapted = adaptScannerOutput(scanner, parsed);
+  const stats = sarifStore.ingestRun(adapted.document, adapted.sourceTool);
+  return { accepted: stats.accepted };
+}
+
+/**
+ * Auto-detect, run, and ingest all available scanners.
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @param sarifStore    Live SARIF store to ingest findings into.
+ * @param logger        Pino logger for progress and error reporting.
+ * @returns             Summary of what was detected, run, and ingested.
+ */
+export async function autoScan(
+  workspaceRoot: string,
+  sarifStore: SarifStore,
+  logger: Logger,
+): Promise<AutoScanResult> {
+  const start = Date.now();
+
+  // 1. Detect available scanners
+  const detected = await detectScanners(workspaceRoot);
+  const available = detected.filter((d) => d.available);
+
+  logger.info(
+    {
+      detected: detected.map((d) => `${d.scanner}:${d.available}`),
+      available: available.length,
+    },
+    "auto-scan: detection complete",
+  );
+
+  if (available.length === 0) {
+    return {
+      detected,
+      results: [],
+      totalFindings: 0,
+      totalDurationMs: Date.now() - start,
+    };
+  }
+
+  // 2. Run all available scanners in parallel
+  const runResults = await Promise.allSettled(
+    available.map((d) => runScanner(d.scanner, workspaceRoot)),
+  );
+
+  // 3. Ingest results
+  const results: ScannerResult[] = [];
+  let totalFindings = 0;
+  let persistNeeded = false;
+
+  for (let i = 0; i < available.length; i++) {
+    const detection = available[i]!;
+    const settled = runResults[i]!;
+
+    if (settled.status === "rejected") {
+      const error = String(settled.reason);
+      logger.warn(
+        { scanner: detection.scanner, error },
+        "auto-scan: scanner execution rejected",
+      );
+      results.push({
+        scanner: detection.scanner,
+        success: false,
+        findingsIngested: 0,
+        durationMs: 0,
+        error,
+      });
+      continue;
+    }
+
+    const runResult: ScannerRunResult = settled.value;
+
+    if (!runResult.success) {
+      logger.warn(
+        { scanner: runResult.scanner, error: runResult.error },
+        "auto-scan: scanner returned failure",
+      );
+      results.push({
+        scanner: runResult.scanner,
+        success: false,
+        findingsIngested: 0,
+        durationMs: runResult.durationMs,
+        error: runResult.error ?? "unknown error",
+      });
+      continue;
+    }
+
+    // Ingest through adapter pipeline
+    try {
+      const { accepted } = ingestScannerRun(
+        runResult.scanner,
+        runResult.rawOutput,
+        sarifStore,
+      );
+      totalFindings += accepted;
+      persistNeeded = true;
+
+      logger.info(
+        { scanner: runResult.scanner, accepted, durationMs: runResult.durationMs },
+        "auto-scan: scanner ingested",
+      );
+
+      results.push({
+        scanner: runResult.scanner,
+        success: true,
+        findingsIngested: accepted,
+        durationMs: runResult.durationMs,
+      });
+    } catch (err) {
+      const error = (err as Error).message;
+      logger.warn(
+        { scanner: runResult.scanner, error },
+        "auto-scan: adapter/ingestion failed",
+      );
+      results.push({
+        scanner: runResult.scanner,
+        success: false,
+        findingsIngested: 0,
+        durationMs: runResult.durationMs,
+        error,
+      });
+    }
+  }
+
+  // 4. Persist consolidated SARIF if anything was ingested
+  if (persistNeeded) {
+    await sarifStore.persist();
+  }
+
+  return {
+    detected,
+    results,
+    totalFindings,
+    totalDurationMs: Date.now() - start,
+  };
+}

package/src/scanner/detector.ts

@@ -0,0 +1,224 @@
+/**
+ * Auto-detect which scanners are available in the current workspace.
+ *
+ * For each of the four supported scanners (ESLint, Semgrep, Bandit,
+ * Stryker) the detector probes three signal layers in order:
+ *
+ *   1. Config file existence (fastest — a single `fs.stat`)
+ *   2. Package.json dependency (for JS-ecosystem scanners)
+ *   3. Binary availability via `which` (slowest — spawns a child process)
+ *
+ * Detection short-circuits on the first hit, so a project that has an
+ * `eslint.config.mjs` will never shell out to `which eslint`.
+ *
+ * The module is side-effect-free beyond filesystem reads and one
+ * `child_process.execFile` per binary probe.
+ *
+ * @module scanner/detector
+ */
+
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { execFile } from "node:child_process";
+import type { KnownScanner } from "../adapters/common.js";
+
+// ── Types ──────────────────────────────────────────────────────────
+
+/**
+ * Result of probing a single scanner's availability.
+ */
+export interface ScannerDetection {
+  /** Which scanner was probed. */
+  scanner: KnownScanner;
+  /** Whether the scanner is available and can be executed. */
+  available: boolean;
+  /** Human-readable reason for the verdict. */
+  reason: string;
+  /** Path to the config file that triggered detection, if any. */
+  configPath?: string;
+}
+
+// ── Detection signals ──────────────────────────────────────────────
+
+/**
+ * Config file globs and package.json keys per scanner. Order matters:
+ * the first matching config file short-circuits further probes.
+ */
+interface ScannerSignals {
+  configFiles: string[];
+  packageJsonKeys: string[];
+  binaryNames: string[];
+}
+
+const SCANNER_SIGNALS: Record<KnownScanner, ScannerSignals> = {
+  eslint: {
+    configFiles: [
+      "eslint.config.js",
+      "eslint.config.mjs",
+      "eslint.config.cjs",
+      "eslint.config.ts",
+      "eslint.config.mts",
+      "eslint.config.cts",
+      ".eslintrc.js",
+      ".eslintrc.cjs",
+      ".eslintrc.yaml",
+      ".eslintrc.yml",
+      ".eslintrc.json",
+    ],
+    packageJsonKeys: ["eslint"],
+    binaryNames: ["eslint"],
+  },
+  semgrep: {
+    configFiles: [
+      ".semgrep.yml",
+      ".semgrep.yaml",
+      ".semgrep.json",
+    ],
+    packageJsonKeys: [],
+    binaryNames: ["semgrep"],
+  },
+  bandit: {
+    configFiles: [
+      ".bandit",
+      "bandit.yaml",
+      "bandit.yml",
+    ],
+    packageJsonKeys: [],
+    binaryNames: ["bandit"],
+  },
+  stryker: {
+    configFiles: [
+      "stryker.conf.js",
+      "stryker.conf.mjs",
+      "stryker.conf.cjs",
+      "stryker.conf.json",
+      ".strykerrc",
+      ".strykerrc.json",
+    ],
+    packageJsonKeys: ["@stryker-mutator/core"],
+    binaryNames: ["stryker"],
+  },
+};
+
+// ── Probes ──────────────────────────────────────────────────────────
+
+/**
+ * Check if any of the scanner's config files exist in the workspace.
+ */
+function probeConfigFiles(
+  workspaceRoot: string,
+  scanner: KnownScanner,
+): { found: boolean; path?: string } {
+  const signals = SCANNER_SIGNALS[scanner];
+  for (const file of signals.configFiles) {
+    const fullPath = join(workspaceRoot, file);
+    if (existsSync(fullPath)) {
+      return { found: true, path: fullPath };
+    }
+  }
+  return { found: false };
+}
+
+/**
+ * Check if the scanner appears in package.json deps or devDeps.
+ */
+function probePackageJson(
+  workspaceRoot: string,
+  scanner: KnownScanner,
+): boolean {
+  const signals = SCANNER_SIGNALS[scanner];
+  if (signals.packageJsonKeys.length === 0) return false;
+
+  const pkgPath = join(workspaceRoot, "package.json");
+  if (!existsSync(pkgPath)) return false;
+
+  try {
+    const raw = readFileSync(pkgPath, "utf-8");
+    const pkg = JSON.parse(raw) as Record<string, unknown>;
+    const deps = {
+      ...(typeof pkg.dependencies === "object" && pkg.dependencies !== null
+        ? (pkg.dependencies as Record<string, string>)
+        : {}),
+      ...(typeof pkg.devDependencies === "object" && pkg.devDependencies !== null
+        ? (pkg.devDependencies as Record<string, string>)
+        : {}),
+    };
+    return signals.packageJsonKeys.some((key) => key in deps);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if a binary is available on PATH via `which`.
+ */
+function probeBinary(binaryName: string): Promise<boolean> {
+  return new Promise((resolve) => {
+    execFile("which", [binaryName], { timeout: 5_000 }, (err) => {
+      resolve(err === null);
+    });
+  });
+}
+
+// ── Public API ──────────────────────────────────────────────────────
+
+/**
+ * Detect which of the four supported scanners are available in the
+ * given workspace. Probes config files, package.json, and binary
+ * availability in order, short-circuiting on first match.
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @returns One {@link ScannerDetection} per known scanner.
+ */
+export async function detectScanners(
+  workspaceRoot: string,
+): Promise<ScannerDetection[]> {
+  const scanners: KnownScanner[] = ["eslint", "semgrep", "bandit", "stryker"];
+
+  const results = await Promise.all(
+    scanners.map(async (scanner): Promise<ScannerDetection> => {
+      // 1. Config file probe (fastest)
+      const configProbe = probeConfigFiles(workspaceRoot, scanner);
+      if (configProbe.found && configProbe.path) {
+        return {
+          scanner,
+          available: true,
+          reason: `config file found: ${configProbe.path.replace(workspaceRoot + "/", "")}`,
+          configPath: configProbe.path,
+        };
+      }
+
+      // 2. Package.json probe
+      if (probePackageJson(workspaceRoot, scanner)) {
+        return {
+          scanner,
+          available: true,
+          reason: `found in package.json dependencies`,
+        };
+      }
+
+      // 3. Binary probe (slowest)
+      const signals = SCANNER_SIGNALS[scanner];
+      for (const bin of signals.binaryNames) {
+        if (await probeBinary(bin)) {
+          return {
+            scanner,
+            available: true,
+            reason: `binary "${bin}" found on PATH`,
+          };
+        }
+      }
+
+      return {
+        scanner,
+        available: false,
+        reason: "no config file, package.json entry, or binary found",
+      };
+    }),
+  );
+
+  return results;
+}
+
+// Exported for testing
+export { SCANNER_SIGNALS };

package/src/scanner/index.ts

@@ -0,0 +1,22 @@
+/**
+ * Public SDK entry point for the scanner auto-detection and execution
+ * pipeline.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import { autoScan, detectScanners } from "claude-crap/scanner";
+ *
+ * // Full pipeline: detect → run → ingest
+ * const result = await autoScan(workspaceRoot, sarifStore, logger);
+ *
+ * // Detection only (no execution)
+ * const detections = await detectScanners(workspaceRoot);
+ * ```
+ *
+ * @module scanner
+ */
+
+export { detectScanners, type ScannerDetection } from "./detector.js";
+export { runScanner, type ScannerRunResult } from "./runner.js";
+export { autoScan, type AutoScanResult, type ScannerResult } from "./auto-scan.js";