claude-crap 0.1.2 → 0.2.0

package/src/scanner/runner.ts

@@ -0,0 +1,212 @@
+/**
+ * Execute a single scanner CLI and capture its raw output.
+ *
+ * Each scanner has a fixed invocation that produces the format its
+ * adapter expects:
+ *
+ *   - ESLint  → `npx eslint -f json .`  (JSON array)
+ *   - Semgrep → `semgrep --sarif --quiet .` (SARIF 2.1.0)
+ *   - Bandit  → `bandit -f json -r . -q` (JSON object)
+ *   - Stryker → `npx stryker run` then read `reports/mutation/mutation.json`
+ *
+ * ESLint and Bandit exit non-zero when findings exist — that is
+ * expected, not an error. The runner captures stdout regardless of
+ * exit code for those scanners.
+ *
+ * Stryker is special: it writes to a file instead of stdout, so we
+ * read the output file after the process exits.
+ *
+ * @module scanner/runner
+ */
+
+import { execFile } from "node:child_process";
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+import type { KnownScanner } from "../adapters/common.js";
+
+// ── Types ──────────────────────────────────────────────────────────
+
+/**
+ * Result of executing a single scanner.
+ */
+export interface ScannerRunResult {
+  /** Which scanner was executed. */
+  scanner: KnownScanner;
+  /** Whether execution completed and produced parseable output. */
+  success: boolean;
+  /** The scanner's raw output (stdout or file contents). */
+  rawOutput: string;
+  /** Error message when `success` is false. */
+  error?: string;
+  /** Wall-clock execution time in milliseconds. */
+  durationMs: number;
+}
+
+// ── Scanner command definitions ────────────────────────────────────
+
+interface ScannerCommand {
+  /** Binary or npx command. */
+  command: string;
+  /** CLI arguments. */
+  args: string[];
+  /** Maximum execution time in ms. */
+  timeoutMs: number;
+  /** If true, non-zero exit is expected when findings exist. */
+  nonZeroIsNormal: boolean;
+  /** If set, read output from this file instead of stdout. */
+  outputFile?: string;
+}
+
+function getScannerCommand(
+  scanner: KnownScanner,
+  workspaceRoot: string,
+): ScannerCommand {
+  switch (scanner) {
+    case "eslint":
+      return {
+        command: "npx",
+        args: ["eslint", "-f", "json", "."],
+        timeoutMs: 120_000,
+        nonZeroIsNormal: true,
+      };
+    case "semgrep":
+      return {
+        command: "semgrep",
+        args: ["--sarif", "--quiet", "."],
+        timeoutMs: 120_000,
+        nonZeroIsNormal: false,
+      };
+    case "bandit":
+      return {
+        command: "bandit",
+        args: ["-f", "json", "-r", ".", "-q"],
+        timeoutMs: 120_000,
+        nonZeroIsNormal: true,
+      };
+    case "stryker":
+      return {
+        command: "npx",
+        args: ["stryker", "run"],
+        timeoutMs: 300_000,
+        nonZeroIsNormal: false,
+        outputFile: join(workspaceRoot, "reports", "mutation", "mutation.json"),
+      };
+  }
+}
+
+// ── Public API ──────────────────────────────────────────────────────
+
+/**
+ * Execute a scanner CLI and return its raw output.
+ *
+ * @param scanner       Which scanner to run.
+ * @param workspaceRoot Absolute path to the project root (used as cwd).
+ * @returns             A {@link ScannerRunResult} with stdout or file output.
+ */
+export function runScanner(
+  scanner: KnownScanner,
+  workspaceRoot: string,
+): Promise<ScannerRunResult> {
+  const start = Date.now();
+  const cmd = getScannerCommand(scanner, workspaceRoot);
+
+  return new Promise((resolve) => {
+    execFile(
+      cmd.command,
+      cmd.args,
+      {
+        cwd: workspaceRoot,
+        timeout: cmd.timeoutMs,
+        maxBuffer: 50 * 1024 * 1024, // 50 MB — large codebases produce verbose output
+        env: { ...process.env, FORCE_COLOR: "0" }, // suppress ANSI in output
+      },
+      (err, stdout, stderr) => {
+        const durationMs = Date.now() - start;
+
+        // For scanners where non-zero exit means "findings exist",
+        // we still have valid output in stdout.
+        if (err && !cmd.nonZeroIsNormal) {
+          // Stryker: check if the output file was written despite the error
+          if (cmd.outputFile && existsSync(cmd.outputFile)) {
+            try {
+              const fileOutput = readFileSync(cmd.outputFile, "utf-8");
+              resolve({
+                scanner,
+                success: true,
+                rawOutput: fileOutput,
+                durationMs,
+              });
+              return;
+            } catch {
+              // Fall through to error path
+            }
+          }
+
+          resolve({
+            scanner,
+            success: false,
+            rawOutput: "",
+            error: stderr || (err as Error).message,
+            durationMs,
+          });
+          return;
+        }
+
+        // For file-based output (Stryker), read from file
+        if (cmd.outputFile) {
+          if (existsSync(cmd.outputFile)) {
+            try {
+              const fileOutput = readFileSync(cmd.outputFile, "utf-8");
+              resolve({
+                scanner,
+                success: true,
+                rawOutput: fileOutput,
+                durationMs,
+              });
+              return;
+            } catch (readErr) {
+              resolve({
+                scanner,
+                success: false,
+                rawOutput: "",
+                error: `Failed to read output file: ${(readErr as Error).message}`,
+                durationMs,
+              });
+              return;
+            }
+          }
+          resolve({
+            scanner,
+            success: false,
+            rawOutput: "",
+            error: `Scanner completed but output file not found: ${cmd.outputFile}`,
+            durationMs,
+          });
+          return;
+        }
+
+        // Stdout-based output
+        const output = stdout.trim();
+        if (!output) {
+          resolve({
+            scanner,
+            success: true,
+            rawOutput: "[]", // ESLint returns empty when no files match
+            durationMs,
+          });
+          return;
+        }
+
+        resolve({
+          scanner,
+          success: true,
+          rawOutput: output,
+          durationMs,
+        });
+      },
+    );
+  });
+}
+
+// Exported for testing
+export { getScannerCommand, type ScannerCommand };

package/src/schemas/tool-schemas.ts

@@ -199,6 +199,19 @@ export const ingestScannerOutputSchema = {
  * from an external scanner, deduplicates against the internal store, and
  * normalizes the output into claude-crap's canonical format.
  */
+/**
+ * Schema for the `auto_scan` tool. Auto-detects available scanners
+ * in the workspace, runs them, and ingests findings into the SARIF store.
+ */
+export const autoScanSchema = {
+  type: "object",
+  description:
+    "Auto-detect available scanners (ESLint, Semgrep, Bandit, Stryker) in the workspace, execute them, and ingest findings into the SARIF store. Returns detection results, per-scanner execution stats, and total findings ingested. Call this to populate findings without manual scanner invocation.",
+  properties: {},
+  required: [],
+  additionalProperties: false,
+} as const;
+
 export const ingestSarifSchema = {
   type: "object",
   description:

package/src/tests/auto-scan.test.ts

@@ -0,0 +1,137 @@
+/**
+ * Unit tests for the auto-scan orchestrator.
+ *
+ * These tests verify the orchestration logic: detection → run → ingest.
+ * They use a real (temporary) workspace with config files to trigger
+ * detection, but scanner execution will fail (binaries aren't installed
+ * in the test environment). This tests the graceful-failure path.
+ *
+ * @module tests/auto-scan.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import pino from "pino";
+
+import { autoScan, type AutoScanResult } from "../scanner/auto-scan.js";
+import { SarifStore } from "../sarif/sarif-store.js";
+
+const logger = pino({ level: "silent" });
+
+function makeTmpDir(): string {
+  return mkdtempSync(join(tmpdir(), "crap-autoscan-"));
+}
+
+describe("autoScan", () => {
+  it("returns empty results when no scanners are detected", async () => {
+    const dir = makeTmpDir();
+    try {
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await autoScan(dir, store, logger);
+      assert.equal(result.detected.length, 4);
+      assert.ok(result.totalDurationMs >= 0);
+      // No scanners available means no results
+      // (unless the host has scanner binaries installed)
+      assert.ok(Array.isArray(result.results));
+      assert.equal(typeof result.totalFindings, "number");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects scanners from config files in workspace", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "eslint.config.mjs"), "export default [];");
+      writeFileSync(join(dir, ".semgrep.yml"), "rules: []");
+
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await autoScan(dir, store, logger);
+
+      // ESLint and Semgrep should be detected
+      const eslintDetection = result.detected.find((d) => d.scanner === "eslint");
+      const semgrepDetection = result.detected.find((d) => d.scanner === "semgrep");
+      assert.ok(eslintDetection);
+      assert.equal(eslintDetection.available, true);
+      assert.ok(semgrepDetection);
+      assert.equal(semgrepDetection.available, true);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("returns correct structure even when all scanners fail", async () => {
+    const dir = makeTmpDir();
+    try {
+      // Create config files so scanners are detected but will fail to run
+      // (the temp dir isn't a real project)
+      writeFileSync(join(dir, "eslint.config.mjs"), "export default [];");
+
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await autoScan(dir, store, logger);
+
+      // Structure must be valid regardless of scanner success
+      assert.ok(Array.isArray(result.detected));
+      assert.ok(Array.isArray(result.results));
+      assert.equal(typeof result.totalFindings, "number");
+      assert.equal(typeof result.totalDurationMs, "number");
+
+      // eslint was detected, so it should appear in results
+      const eslintResult = result.results.find((r) => r.scanner === "eslint");
+      if (eslintResult) {
+        assert.equal(typeof eslintResult.success, "boolean");
+        assert.equal(typeof eslintResult.durationMs, "number");
+        assert.equal(typeof eslintResult.findingsIngested, "number");
+      }
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("totalFindings sums findings across all successful scanners", async () => {
+    const dir = makeTmpDir();
+    try {
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await autoScan(dir, store, logger);
+
+      // Sum of individual scanner findings should equal total
+      const sumFromResults = result.results
+        .filter((r) => r.success)
+        .reduce((sum, r) => sum + r.findingsIngested, 0);
+      assert.equal(result.totalFindings, sumFromResults);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("result has one ScannerDetection per known scanner", async () => {
+    const dir = makeTmpDir();
+    try {
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await autoScan(dir, store, logger);
+
+      const scannerNames = result.detected.map((d) => d.scanner).sort();
+      assert.deepEqual(scannerNames, ["bandit", "eslint", "semgrep", "stryker"]);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});

package/src/tests/integration/mcp-server.integration.test.ts

@@ -232,13 +232,14 @@ describe("MCP server integration", { skip: !serverBuilt }, () => {
     assert.ok(child && !child.killed, "server child should be running");
   });
 
-  it("exposes all seven tools via tools/list", async () => {
+  it("exposes all eight tools via tools/list", async () => {
     const response = await client!.request<{ result?: { tools?: Array<{ name: string }> } }>(
       "tools/list",
     );
     const names = (response.result?.tools ?? []).map((t) => t.name).sort();
     assert.deepEqual(names, [
       "analyze_file_ast",
+      "auto_scan",
       "compute_crap",
       "compute_tdr",
       "ingest_sarif",

package/src/tests/scanner-detector.test.ts

@@ -0,0 +1,181 @@
+/**
+ * Unit tests for the scanner auto-detector.
+ *
+ * These tests probe the detection logic for each scanner type:
+ * config file detection, package.json dependency detection, and
+ * the fallback to binary availability.
+ *
+ * @module tests/scanner-detector.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+import { detectScanners, SCANNER_SIGNALS } from "../scanner/detector.js";
+
+function makeTmpDir(): string {
+  return mkdtempSync(join(tmpdir(), "crap-detect-"));
+}
+
+describe("detectScanners", () => {
+  it("detects eslint when eslint.config.mjs exists", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "eslint.config.mjs"), "export default [];");
+      const results = await detectScanners(dir);
+      const eslint = results.find((r) => r.scanner === "eslint");
+      assert.ok(eslint);
+      assert.equal(eslint.available, true);
+      assert.ok(eslint.reason.includes("eslint.config.mjs"));
+      assert.ok(eslint.configPath);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects eslint from .eslintrc.json", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, ".eslintrc.json"), "{}");
+      const results = await detectScanners(dir);
+      const eslint = results.find((r) => r.scanner === "eslint");
+      assert.ok(eslint);
+      assert.equal(eslint.available, true);
+      assert.ok(eslint.reason.includes(".eslintrc.json"));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects semgrep when .semgrep.yml exists", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, ".semgrep.yml"), "rules: []");
+      const results = await detectScanners(dir);
+      const semgrep = results.find((r) => r.scanner === "semgrep");
+      assert.ok(semgrep);
+      assert.equal(semgrep.available, true);
+      assert.ok(semgrep.reason.includes(".semgrep.yml"));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects bandit when .bandit config exists", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, ".bandit"), "");
+      const results = await detectScanners(dir);
+      const bandit = results.find((r) => r.scanner === "bandit");
+      assert.ok(bandit);
+      assert.equal(bandit.available, true);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects stryker when stryker.conf.js exists", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "stryker.conf.js"), "module.exports = {};");
+      const results = await detectScanners(dir);
+      const stryker = results.find((r) => r.scanner === "stryker");
+      assert.ok(stryker);
+      assert.equal(stryker.available, true);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects eslint from package.json devDependencies", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(
+        join(dir, "package.json"),
+        JSON.stringify({ devDependencies: { eslint: "^9.0.0" } }),
+      );
+      const results = await detectScanners(dir);
+      const eslint = results.find((r) => r.scanner === "eslint");
+      assert.ok(eslint);
+      assert.equal(eslint.available, true);
+      assert.ok(eslint.reason.includes("package.json"));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("detects stryker from package.json @stryker-mutator/core", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(
+        join(dir, "package.json"),
+        JSON.stringify({
+          devDependencies: { "@stryker-mutator/core": "^7.0.0" },
+        }),
+      );
+      const results = await detectScanners(dir);
+      const stryker = results.find((r) => r.scanner === "stryker");
+      assert.ok(stryker);
+      assert.equal(stryker.available, true);
+      assert.ok(stryker.reason.includes("package.json"));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("returns available:false for all scanners in an empty directory", async () => {
+    const dir = makeTmpDir();
+    try {
+      const results = await detectScanners(dir);
+      // Config and package.json probes will all fail.
+      // Binary probe results depend on the host — don't assert on those,
+      // but do assert the structure is correct.
+      assert.equal(results.length, 4);
+      for (const r of results) {
+        assert.ok(["eslint", "semgrep", "bandit", "stryker"].includes(r.scanner));
+        assert.equal(typeof r.available, "boolean");
+        assert.equal(typeof r.reason, "string");
+      }
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("handles malformed package.json gracefully", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "package.json"), "not json at all");
+      // Should not throw — just skip the package.json probe
+      const results = await detectScanners(dir);
+      assert.equal(results.length, 4);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("short-circuits on config file — does not need binary", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "eslint.config.mjs"), "export default [];");
+      const results = await detectScanners(dir);
+      const eslint = results.find((r) => r.scanner === "eslint");
+      assert.ok(eslint);
+      assert.equal(eslint.available, true);
+      // Reason mentions config file, not binary
+      assert.ok(eslint.reason.includes("config file"));
+      assert.ok(!eslint.reason.includes("binary"));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("SCANNER_SIGNALS covers all four scanners", () => {
+    assert.deepEqual(
+      Object.keys(SCANNER_SIGNALS).sort(),
+      ["bandit", "eslint", "semgrep", "stryker"],
+    );
+  });
+});

package/src/tests/scanner-runner.test.ts

@@ -0,0 +1,63 @@
+/**
+ * Unit tests for the scanner runner.
+ *
+ * These tests verify the command definitions and error handling of the
+ * runner module. Actual scanner execution is not tested here — that
+ * requires the scanner binaries to be installed.
+ *
+ * @module tests/scanner-runner.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { getScannerCommand, type ScannerCommand } from "../scanner/runner.js";
+
+describe("getScannerCommand", () => {
+  it("returns correct eslint command", () => {
+    const cmd = getScannerCommand("eslint", "/tmp/project");
+    assert.equal(cmd.command, "npx");
+    assert.deepEqual(cmd.args, ["eslint", "-f", "json", "."]);
+    assert.equal(cmd.nonZeroIsNormal, true);
+    assert.equal(cmd.outputFile, undefined);
+  });
+
+  it("returns correct semgrep command", () => {
+    const cmd = getScannerCommand("semgrep", "/tmp/project");
+    assert.equal(cmd.command, "semgrep");
+    assert.deepEqual(cmd.args, ["--sarif", "--quiet", "."]);
+    assert.equal(cmd.nonZeroIsNormal, false);
+    assert.equal(cmd.outputFile, undefined);
+  });
+
+  it("returns correct bandit command", () => {
+    const cmd = getScannerCommand("bandit", "/tmp/project");
+    assert.equal(cmd.command, "bandit");
+    assert.deepEqual(cmd.args, ["-f", "json", "-r", ".", "-q"]);
+    assert.equal(cmd.nonZeroIsNormal, true);
+    assert.equal(cmd.outputFile, undefined);
+  });
+
+  it("returns correct stryker command with output file", () => {
+    const cmd = getScannerCommand("stryker", "/tmp/project");
+    assert.equal(cmd.command, "npx");
+    assert.deepEqual(cmd.args, ["stryker", "run"]);
+    assert.equal(cmd.nonZeroIsNormal, false);
+    assert.ok(cmd.outputFile);
+    assert.ok(cmd.outputFile.includes("mutation.json"));
+  });
+
+  it("all scanners have reasonable timeouts", () => {
+    for (const scanner of ["eslint", "semgrep", "bandit", "stryker"] as const) {
+      const cmd = getScannerCommand(scanner, "/tmp");
+      assert.ok(cmd.timeoutMs >= 60_000, `${scanner} timeout should be >= 60s`);
+      assert.ok(cmd.timeoutMs <= 300_000, `${scanner} timeout should be <= 300s`);
+    }
+  });
+
+  it("stryker has a longer timeout than other scanners", () => {
+    const stryker = getScannerCommand("stryker", "/tmp");
+    const eslint = getScannerCommand("eslint", "/tmp");
+    assert.ok(stryker.timeoutMs > eslint.timeoutMs);
+  });
+});