claude-crap 0.1.2 → 0.3.0

package/dist/scanner/auto-scan.js

@@ -0,0 +1,138 @@
+/**
+ * Orchestrator: detect available scanners, run them, and ingest results.
+ *
+ * This module ties together the detector, runner, and adapter pipeline
+ * into a single `autoScan()` function that:
+ *
+ *   1. Probes the workspace for available scanners
+ *   2. Executes detected scanners in parallel
+ *   3. Routes each scanner's output through its adapter
+ *   4. Ingests the normalized SARIF into the store
+ *
+ * The function is designed to be called:
+ *   - At MCP server boot (fire-and-forget, non-blocking)
+ *   - On demand via the `auto_scan` MCP tool
+ *
+ * Failures in individual scanners are logged and skipped — a broken
+ * Semgrep install should not prevent ESLint from running.
+ *
+ * @module scanner/auto-scan
+ */
+import { detectScanners } from "./detector.js";
+import { runScanner } from "./runner.js";
+import { adaptScannerOutput } from "../adapters/index.js";
+// ── Orchestrator ───────────────────────────────────────────────────
+/**
+ * Ingest a single scanner's raw output through its adapter and into
+ * the SARIF store. Returns the number of accepted findings.
+ */
+function ingestScannerRun(scanner, rawOutput, sarifStore) {
+    // Parse the raw output — adapters accept string or object
+    let parsed;
+    try {
+        parsed = JSON.parse(rawOutput);
+    }
+    catch {
+        // Semgrep outputs SARIF as a string, others are JSON.
+        // If parsing fails, pass the raw string to the adapter.
+        parsed = rawOutput;
+    }
+    const adapted = adaptScannerOutput(scanner, parsed);
+    const stats = sarifStore.ingestRun(adapted.document, adapted.sourceTool);
+    return { accepted: stats.accepted };
+}
+/**
+ * Auto-detect, run, and ingest all available scanners.
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @param sarifStore    Live SARIF store to ingest findings into.
+ * @param logger        Pino logger for progress and error reporting.
+ * @returns             Summary of what was detected, run, and ingested.
+ */
+export async function autoScan(workspaceRoot, sarifStore, logger) {
+    const start = Date.now();
+    // 1. Detect available scanners
+    const detected = await detectScanners(workspaceRoot);
+    const available = detected.filter((d) => d.available);
+    logger.info({
+        detected: detected.map((d) => `${d.scanner}:${d.available}`),
+        available: available.length,
+    }, "auto-scan: detection complete");
+    if (available.length === 0) {
+        return {
+            detected,
+            results: [],
+            totalFindings: 0,
+            totalDurationMs: Date.now() - start,
+        };
+    }
+    // 2. Run all available scanners in parallel
+    const runResults = await Promise.allSettled(available.map((d) => runScanner(d.scanner, workspaceRoot)));
+    // 3. Ingest results
+    const results = [];
+    let totalFindings = 0;
+    let persistNeeded = false;
+    for (let i = 0; i < available.length; i++) {
+        const detection = available[i];
+        const settled = runResults[i];
+        if (settled.status === "rejected") {
+            const error = String(settled.reason);
+            logger.warn({ scanner: detection.scanner, error }, "auto-scan: scanner execution rejected");
+            results.push({
+                scanner: detection.scanner,
+                success: false,
+                findingsIngested: 0,
+                durationMs: 0,
+                error,
+            });
+            continue;
+        }
+        const runResult = settled.value;
+        if (!runResult.success) {
+            logger.warn({ scanner: runResult.scanner, error: runResult.error }, "auto-scan: scanner returned failure");
+            results.push({
+                scanner: runResult.scanner,
+                success: false,
+                findingsIngested: 0,
+                durationMs: runResult.durationMs,
+                error: runResult.error ?? "unknown error",
+            });
+            continue;
+        }
+        // Ingest through adapter pipeline
+        try {
+            const { accepted } = ingestScannerRun(runResult.scanner, runResult.rawOutput, sarifStore);
+            totalFindings += accepted;
+            persistNeeded = true;
+            logger.info({ scanner: runResult.scanner, accepted, durationMs: runResult.durationMs }, "auto-scan: scanner ingested");
+            results.push({
+                scanner: runResult.scanner,
+                success: true,
+                findingsIngested: accepted,
+                durationMs: runResult.durationMs,
+            });
+        }
+        catch (err) {
+            const error = err.message;
+            logger.warn({ scanner: runResult.scanner, error }, "auto-scan: adapter/ingestion failed");
+            results.push({
+                scanner: runResult.scanner,
+                success: false,
+                findingsIngested: 0,
+                durationMs: runResult.durationMs,
+                error,
+            });
+        }
+    }
+    // 4. Persist consolidated SARIF if anything was ingested
+    if (persistNeeded) {
+        await sarifStore.persist();
+    }
+    return {
+        detected,
+        results,
+        totalFindings,
+        totalDurationMs: Date.now() - start,
+    };
+}
+//# sourceMappingURL=auto-scan.js.map

package/dist/scanner/auto-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-scan.js","sourceRoot":"","sources":["../../src/scanner/auto-scan.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAGH,OAAO,EAAE,cAAc,EAAyB,MAAM,eAAe,CAAC;AACtE,OAAO,EAAE,UAAU,EAAyB,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,kBAAkB,EAAqB,MAAM,sBAAsB,CAAC;AA8B7E,sEAAsE;AAEtE;;;GAGG;AACH,SAAS,gBAAgB,CACvB,OAAqB,EACrB,SAAiB,EACjB,UAAsB;IAEtB,0DAA0D;IAC1D,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,wDAAwD;QACxD,MAAM,GAAG,SAAS,CAAC;IACrB,CAAC;IAED,MAAM,OAAO,GAAG,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpD,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACzE,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,aAAqB,EACrB,UAAsB,EACtB,MAAc;IAEd,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,CAAC,IAAI,CACT;QACE,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAC5D,SAAS,EAAE,SAAS,CAAC,MAAM;KAC5B,EACD,+BAA+B,CAChC,CAAC;IAEF,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,QAAQ;YACR,OAAO,EAAE,EAAE;YACX,aAAa,EAAE,CAAC;YAChB,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,UAAU,CACzC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC,CAC3D,CAAC;IAEF,oBAAoB;IACpB,MAAM,OAAO,GAAoB,EAAE,CAAC;IACpC,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,aAAa,GAAG,KAAK,CAAC;IAE1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QAChC,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC;QAE/B,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACrC,MAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,EACrC,uCAAuC,CACxC,CAAC;YACF,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,OAAO,EAAE,KAAK;gBACd,gBAAgB,EAAE,CAAC;gBACnB,UAAU,EAAE,CAAC;gBACb,KAAK;aACN,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAqB,OAAO,CAAC,KAAK,CAAC;QAElD,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,EACtD,qCAAqC,CACtC,CAAC;YACF,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,OAAO,EAAE,KAAK;gBACd,gBAAgB,EAAE,CAAC;gBACnB,UAAU,EAAE,SAAS,CAAC,UAAU;gBAChC,KAAK,EAAE,SAAS,CAAC,KAAK,IAAI,eAAe;aAC1C,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CACnC,SAAS,CAAC,OAAO,EACjB,SAAS,CAAC,SAAS,EACnB,UAAU,CACX,CAAC;YACF,aAAa,IAAI,QAAQ,CAAC;YAC1B,aAAa,GAAG,IAAI,CAAC;YAErB,MAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,CAAC,UAAU,EAAE,EAC1E,6BAA6B,CAC9B,CAAC;YAEF,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,QAAQ;gBAC1B,UAAU,EAAE,SAAS,CAAC,UAAU;aACjC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAI,GAAa,CAAC,OAAO,CAAC;YACrC,MAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,EACrC,qCAAqC,CACtC,CAAC;YACF,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,OAAO,EAAE,KAAK;gBACd,gBAAgB,EAAE,CAAC;gBACnB,UAAU,EAAE,SAAS,CAAC,UAAU;gBAChC,KAAK;aACN,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,UAAU,CAAC,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO;QACL,QAAQ;QACR,OAAO;QACP,aAAa;QACb,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;KACpC,CAAC;AACJ,CAAC"}

package/dist/scanner/bootstrap.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Bootstrap a scanner for projects that don't have one configured.
+ *
+ * Detects the project type from workspace signals (package.json,
+ * tsconfig.json, pyproject.toml, pom.xml, *.csproj, etc.), installs
+ * the appropriate scanner, creates a minimal config file, and runs
+ * `autoScan()` to verify and ingest findings immediately.
+ *
+ * Coverage maps to the five languages the tree-sitter engine supports:
+ *
+ *   - JavaScript / TypeScript → ESLint (npm install + flat config)
+ *   - Python → Bandit (install instructions only — virtualenv boundary)
+ *   - Java → Semgrep (install instructions)
+ *   - C# → Semgrep (install instructions)
+ *   - Unknown → Semgrep (polyglot fallback)
+ *
+ * For JS/TS projects the tool runs `npm install --save-dev` and writes
+ * an `eslint.config.mjs`. For all other languages it returns manual
+ * install instructions rather than executing package managers whose
+ * environment assumptions may not hold.
+ *
+ * @module scanner/bootstrap
+ */
+import type { Logger } from "pino";
+import { type AutoScanResult } from "./auto-scan.js";
+import type { SarifStore } from "../sarif/sarif-store.js";
+/**
+ * Detected project type, aligned with tree-sitter supported languages.
+ */
+export type ProjectType = "javascript" | "typescript" | "python" | "java" | "csharp" | "unknown";
+/**
+ * A single step in the bootstrap process.
+ */
+export interface BootstrapStep {
+    /** What was attempted (e.g. "install eslint", "create eslint.config.mjs"). */
+    action: string;
+    /** Whether the step completed successfully. */
+    success: boolean;
+    /** Human-readable detail (command output, error message, or instruction). */
+    detail: string;
+}
+/**
+ * Complete result of a bootstrap_scanner invocation.
+ */
+export interface BootstrapResult {
+    /** Detected project type based on workspace signals. */
+    projectType: ProjectType;
+    /** Whether a scanner was already configured (detected by detector.ts). */
+    alreadyConfigured: boolean;
+    /** Which scanners were already available, if any. */
+    existingScanners: string[];
+    /** Steps executed (or instructions returned) during bootstrap. */
+    steps: BootstrapStep[];
+    /** The auto-scan result after installation (null if skipped). */
+    autoScanResult: AutoScanResult | null;
+    /** Whether the overall bootstrap succeeded. */
+    success: boolean;
+    /** Summary message suitable for display. */
+    summary: string;
+}
+/**
+ * Detect the project type from workspace signals.
+ *
+ * Checks in priority order: TypeScript, JavaScript, Python, Java,
+ * C#, then unknown. TypeScript wins over plain JavaScript because
+ * `tsconfig.json` implies a superset.
+ */
+export declare function detectProjectType(workspaceRoot: string): ProjectType;
+/**
+ * Generate a minimal ESLint flat config (ESLint 9+).
+ *
+ * @param isTypeScript Include typescript-eslint when true.
+ * @returns The config file content as a string.
+ */
+export declare function generateEslintConfig(isTypeScript: boolean): string;
+/**
+ * Bootstrap a scanner for the current workspace.
+ *
+ * 1. Check if a scanner is already configured (short-circuit if so)
+ * 2. Detect the project type
+ * 3. Install the recommended scanner (or return instructions)
+ * 4. Run auto_scan to verify and ingest findings
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @param sarifStore    Live SARIF store for auto-scan ingestion.
+ * @param logger        Pino logger for progress reporting.
+ */
+export declare function bootstrapScanner(workspaceRoot: string, sarifStore: SarifStore, logger: Logger): Promise<BootstrapResult>;
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/scanner/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../../src/scanner/bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAKH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAGnC,OAAO,EAAY,KAAK,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAI1D;;GAEG;AACH,MAAM,MAAM,WAAW,GACnB,YAAY,GACZ,YAAY,GACZ,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,8EAA8E;IAC9E,MAAM,EAAE,MAAM,CAAC;IACf,+CAA+C;IAC/C,OAAO,EAAE,OAAO,CAAC;IACjB,6EAA6E;IAC7E,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB,0EAA0E;IAC1E,iBAAiB,EAAE,OAAO,CAAC;IAC3B,qDAAqD;IACrD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,kEAAkE;IAClE,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,iEAAiE;IACjE,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IACtC,+CAA+C;IAC/C,OAAO,EAAE,OAAO,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,aAAa,EAAE,MAAM,GAAG,WAAW,CA+BpE;AAID;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,YAAY,EAAE,OAAO,GAAG,MAAM,CAwBlE;AAuHD;;;;;;;;;;;GAWG;AACH,wBAAsB,gBAAgB,CACpC,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CA+F1B"}

package/dist/scanner/bootstrap.js

@@ -0,0 +1,278 @@
+/**
+ * Bootstrap a scanner for projects that don't have one configured.
+ *
+ * Detects the project type from workspace signals (package.json,
+ * tsconfig.json, pyproject.toml, pom.xml, *.csproj, etc.), installs
+ * the appropriate scanner, creates a minimal config file, and runs
+ * `autoScan()` to verify and ingest findings immediately.
+ *
+ * Coverage maps to the five languages the tree-sitter engine supports:
+ *
+ *   - JavaScript / TypeScript → ESLint (npm install + flat config)
+ *   - Python → Bandit (install instructions only — virtualenv boundary)
+ *   - Java → Semgrep (install instructions)
+ *   - C# → Semgrep (install instructions)
+ *   - Unknown → Semgrep (polyglot fallback)
+ *
+ * For JS/TS projects the tool runs `npm install --save-dev` and writes
+ * an `eslint.config.mjs`. For all other languages it returns manual
+ * install instructions rather than executing package managers whose
+ * environment assumptions may not hold.
+ *
+ * @module scanner/bootstrap
+ */
+import { existsSync, writeFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
+import { execFile } from "node:child_process";
+import { detectScanners } from "./detector.js";
+import { autoScan } from "./auto-scan.js";
+// ── Project type detection ─────────────────────────────────────────
+/**
+ * Detect the project type from workspace signals.
+ *
+ * Checks in priority order: TypeScript, JavaScript, Python, Java,
+ * C#, then unknown. TypeScript wins over plain JavaScript because
+ * `tsconfig.json` implies a superset.
+ */
+export function detectProjectType(workspaceRoot) {
+    const has = (file) => existsSync(join(workspaceRoot, file));
+    // JS/TS detection — package.json is the anchor
+    if (has("package.json")) {
+        if (has("tsconfig.json"))
+            return "typescript";
+        return "javascript";
+    }
+    // Python detection
+    if (has("pyproject.toml") || has("setup.py") || has("requirements.txt")) {
+        return "python";
+    }
+    // Java detection
+    if (has("pom.xml") || has("build.gradle") || has("build.gradle.kts")) {
+        return "java";
+    }
+    // C# detection
+    if (has("Directory.Build.props"))
+        return "csharp";
+    try {
+        const entries = readdirSync(workspaceRoot);
+        if (entries.some((e) => e.endsWith(".csproj") || e.endsWith(".sln"))) {
+            return "csharp";
+        }
+    }
+    catch {
+        // readdirSync can fail on permissions — fall through
+    }
+    return "unknown";
+}
+// ── ESLint config generation ───────────────────────────────────────
+/**
+ * Generate a minimal ESLint flat config (ESLint 9+).
+ *
+ * @param isTypeScript Include typescript-eslint when true.
+ * @returns The config file content as a string.
+ */
+export function generateEslintConfig(isTypeScript) {
+    if (isTypeScript) {
+        return `import js from "@eslint/js";
+import tseslint from "typescript-eslint";
+
+export default tseslint.config(
+  js.configs.recommended,
+  ...tseslint.configs.recommended,
+  {
+    ignores: ["dist/", "node_modules/", "coverage/"],
+  },
+);
+`;
+    }
+    return `import js from "@eslint/js";
+
+export default [
+  js.configs.recommended,
+  {
+    ignores: ["dist/", "node_modules/", "coverage/"],
+  },
+];
+`;
+}
+// ── Installation helpers ───────────────────────────────────────────
+/**
+ * Run `npm install --save-dev` for the given packages.
+ */
+function npmInstall(workspaceRoot, packages) {
+    return new Promise((resolve) => {
+        execFile("npm", ["install", "--save-dev", ...packages], {
+            cwd: workspaceRoot,
+            timeout: 120_000,
+            env: { ...process.env, FORCE_COLOR: "0" },
+        }, (err, stdout, stderr) => {
+            if (err) {
+                resolve({
+                    action: `npm install --save-dev ${packages.join(" ")}`,
+                    success: false,
+                    detail: stderr || err.message,
+                });
+                return;
+            }
+            resolve({
+                action: `npm install --save-dev ${packages.join(" ")}`,
+                success: true,
+                detail: `installed ${packages.join(", ")}`,
+            });
+        });
+    });
+}
+/**
+ * Write the ESLint config file to the workspace root.
+ * Returns failure if the file already exists.
+ */
+function writeEslintConfigFile(workspaceRoot, isTypeScript) {
+    const configPath = join(workspaceRoot, "eslint.config.mjs");
+    if (existsSync(configPath)) {
+        return {
+            action: "create eslint.config.mjs",
+            success: true,
+            detail: "eslint.config.mjs already exists — skipped",
+        };
+    }
+    try {
+        writeFileSync(configPath, generateEslintConfig(isTypeScript), "utf-8");
+        return {
+            action: "create eslint.config.mjs",
+            success: true,
+            detail: `created eslint.config.mjs (${isTypeScript ? "TypeScript" : "JavaScript"} template)`,
+        };
+    }
+    catch (err) {
+        return {
+            action: "create eslint.config.mjs",
+            success: false,
+            detail: err.message,
+        };
+    }
+}
+function getRecommendation(projectType) {
+    switch (projectType) {
+        case "javascript":
+        case "typescript":
+            return {
+                scanner: "eslint",
+                canAutoInstall: true,
+                installInstructions: "npm install --save-dev eslint @eslint/js",
+            };
+        case "python":
+            return {
+                scanner: "bandit",
+                canAutoInstall: false,
+                installInstructions: "pip install bandit  (or: pipx install bandit, poetry add --group dev bandit)",
+            };
+        case "java":
+        case "csharp":
+            return {
+                scanner: "semgrep",
+                canAutoInstall: false,
+                installInstructions: "brew install semgrep  (or: pip install semgrep, pipx install semgrep)",
+            };
+        case "unknown":
+            return {
+                scanner: "semgrep",
+                canAutoInstall: false,
+                installInstructions: "brew install semgrep  (or: pip install semgrep, pipx install semgrep)",
+            };
+    }
+}
+// ── Main orchestrator ──────────────────────────────────────────────
+/**
+ * Bootstrap a scanner for the current workspace.
+ *
+ * 1. Check if a scanner is already configured (short-circuit if so)
+ * 2. Detect the project type
+ * 3. Install the recommended scanner (or return instructions)
+ * 4. Run auto_scan to verify and ingest findings
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @param sarifStore    Live SARIF store for auto-scan ingestion.
+ * @param logger        Pino logger for progress reporting.
+ */
+export async function bootstrapScanner(workspaceRoot, sarifStore, logger) {
+    // 1. Check existing scanners
+    const detections = await detectScanners(workspaceRoot);
+    const available = detections.filter((d) => d.available);
+    if (available.length > 0) {
+        const existingScanners = available.map((d) => d.scanner);
+        logger.info({ existingScanners }, "bootstrap: scanner(s) already configured — skipping");
+        return {
+            projectType: detectProjectType(workspaceRoot),
+            alreadyConfigured: true,
+            existingScanners,
+            steps: [],
+            autoScanResult: null,
+            success: true,
+            summary: `Scanner(s) already configured: ${existingScanners.join(", ")}. Run auto_scan to ingest findings.`,
+        };
+    }
+    // 2. Detect project type
+    const projectType = detectProjectType(workspaceRoot);
+    const recommendation = getRecommendation(projectType);
+    const steps = [];
+    logger.info({ projectType, scanner: recommendation.scanner }, "bootstrap: detected project type");
+    // 3. Install scanner
+    if (recommendation.canAutoInstall) {
+        // JS/TS: auto-install ESLint
+        const isTypeScript = projectType === "typescript";
+        const packages = isTypeScript
+            ? ["eslint", "@eslint/js", "typescript-eslint"]
+            : ["eslint", "@eslint/js"];
+        const installStep = await npmInstall(workspaceRoot, packages);
+        steps.push(installStep);
+        if (installStep.success) {
+            const configStep = writeEslintConfigFile(workspaceRoot, isTypeScript);
+            steps.push(configStep);
+        }
+    }
+    else {
+        // Python / Java / C# / Unknown: return instructions
+        steps.push({
+            action: `suggest ${recommendation.scanner} install`,
+            success: true,
+            detail: recommendation.installInstructions,
+        });
+    }
+    // 4. Run auto_scan if installation succeeded
+    const installSucceeded = steps.every((s) => s.success);
+    let autoScanResult = null;
+    if (installSucceeded && recommendation.canAutoInstall) {
+        try {
+            autoScanResult = await autoScan(workspaceRoot, sarifStore, logger);
+        }
+        catch (err) {
+            logger.warn({ err: err.message }, "bootstrap: auto_scan after install failed");
+        }
+    }
+    // 5. Build result
+    const findings = autoScanResult?.totalFindings ?? 0;
+    const scannerInstalled = recommendation.canAutoInstall && installSucceeded;
+    let summary;
+    if (scannerInstalled && autoScanResult) {
+        summary = `Installed ${recommendation.scanner} for ${projectType} project. Auto-scan found ${findings} finding(s).`;
+    }
+    else if (scannerInstalled) {
+        summary = `Installed ${recommendation.scanner} for ${projectType} project. Auto-scan did not run.`;
+    }
+    else if (!recommendation.canAutoInstall) {
+        summary = `Detected ${projectType} project. Install ${recommendation.scanner} manually: ${recommendation.installInstructions}`;
+    }
+    else {
+        summary = `Failed to install ${recommendation.scanner}. Check the error details in the steps.`;
+    }
+    return {
+        projectType,
+        alreadyConfigured: false,
+        existingScanners: [],
+        steps,
+        autoScanResult,
+        success: installSucceeded,
+        summary,
+    };
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/scanner/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/scanner/bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAG9C,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAuB,MAAM,gBAAgB,CAAC;AAgD/D,sEAAsE;AAEtE;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,aAAqB;IACrD,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC,CAAC;IAEpE,+CAA+C;IAC/C,IAAI,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;QACxB,IAAI,GAAG,CAAC,eAAe,CAAC;YAAE,OAAO,YAAY,CAAC;QAC9C,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,mBAAmB;IACnB,IAAI,GAAG,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACxE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,iBAAiB;IACjB,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACrE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,eAAe;IACf,IAAI,GAAG,CAAC,uBAAuB,CAAC;QAAE,OAAO,QAAQ,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,WAAW,CAAC,aAAa,CAAC,CAAC;QAC3C,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YACrE,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;IACvD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,sEAAsE;AAEtE;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,YAAqB;IACxD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;;;;;;;;;;CAUV,CAAC;IACA,CAAC;IAED,OAAO;;;;;;;;CAQR,CAAC;AACF,CAAC;AAED,sEAAsE;AAEtE;;GAEG;AACH,SAAS,UAAU,CACjB,aAAqB,EACrB,QAAkB;IAElB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,QAAQ,CACN,KAAK,EACL,CAAC,SAAS,EAAE,YAAY,EAAE,GAAG,QAAQ,CAAC,EACtC;YACE,GAAG,EAAE,aAAa;YAClB,OAAO,EAAE,OAAO;YAChB,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE;SAC1C,EACD,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACtB,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,CAAC;oBACN,MAAM,EAAE,0BAA0B,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;oBACtD,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,MAAM,IAAK,GAAa,CAAC,OAAO;iBACzC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,OAAO,CAAC;gBACN,MAAM,EAAE,0BAA0B,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;gBACtD,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,aAAa,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aAC3C,CAAC,CAAC;QACL,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAC5B,aAAqB,EACrB,YAAqB;IAErB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;IAC5D,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,0BAA0B;YAClC,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,4CAA4C;SACrD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,aAAa,CAAC,UAAU,EAAE,oBAAoB,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,OAAO;YACL,MAAM,EAAE,0BAA0B;YAClC,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,8BAA8B,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,YAAY;SAC7F,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,0BAA0B;YAClC,OAAO,EAAE,KAAK;YACd,MAAM,EAAG,GAAa,CAAC,OAAO;SAC/B,CAAC;IACJ,CAAC;AACH,CAAC;AAaD,SAAS,iBAAiB,CAAC,WAAwB;IACjD,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,YAAY,CAAC;QAClB,KAAK,YAAY;YACf,OAAO;gBACL,OAAO,EAAE,QAAQ;gBACjB,cAAc,EAAE,IAAI;gBACpB,mBAAmB,EAAE,0CAA0C;aAChE,CAAC;QACJ,KAAK,QAAQ;YACX,OAAO;gBACL,OAAO,EAAE,QAAQ;gBACjB,cAAc,EAAE,KAAK;gBACrB,mBAAmB,EACjB,8EAA8E;aACjF,CAAC;QACJ,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO;gBACL,OAAO,EAAE,SAAS;gBAClB,cAAc,EAAE,KAAK;gBACrB,mBAAmB,EACjB,uEAAuE;aAC1E,CAAC;QACJ,KAAK,SAAS;YACZ,OAAO;gBACL,OAAO,EAAE,SAAS;gBAClB,cAAc,EAAE,KAAK;gBACrB,mBAAmB,EACjB,uEAAuE;aAC1E,CAAC;IACN,CAAC;AACH,CAAC;AAED,sEAAsE;AAEtE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,aAAqB,EACrB,UAAsB,EACtB,MAAc;IAEd,6BAA6B;IAC7B,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,aAAa,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAExD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,gBAAgB,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,CAAC,IAAI,CACT,EAAE,gBAAgB,EAAE,EACpB,qDAAqD,CACtD,CAAC;QACF,OAAO;YACL,WAAW,EAAE,iBAAiB,CAAC,aAAa,CAAC;YAC7C,iBAAiB,EAAE,IAAI;YACvB,gBAAgB;YAChB,KAAK,EAAE,EAAE;YACT,cAAc,EAAE,IAAI;YACpB,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,kCAAkC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,qCAAqC;SAC5G,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,iBAAiB,CAAC,aAAa,CAAC,CAAC;IACrD,MAAM,cAAc,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACtD,MAAM,KAAK,GAAoB,EAAE,CAAC;IAElC,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,CAAC,OAAO,EAAE,EAChD,kCAAkC,CACnC,CAAC;IAEF,qBAAqB;IACrB,IAAI,cAAc,CAAC,cAAc,EAAE,CAAC;QAClC,6BAA6B;QAC7B,MAAM,YAAY,GAAG,WAAW,KAAK,YAAY,CAAC;QAClD,MAAM,QAAQ,GAAG,YAAY;YAC3B,CAAC,CAAC,CAAC,QAAQ,EAAE,YAAY,EAAE,mBAAmB,CAAC;YAC/C,CAAC,CAAC,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE7B,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAC9D,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAExB,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,UAAU,GAAG,qBAAqB,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;YACtE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,oDAAoD;QACpD,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,WAAW,cAAc,CAAC,OAAO,UAAU;YACnD,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,cAAc,CAAC,mBAAmB;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,MAAM,gBAAgB,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACvD,IAAI,cAAc,GAA0B,IAAI,CAAC;IAEjD,IAAI,gBAAgB,IAAI,cAAc,CAAC,cAAc,EAAE,CAAC;QACtD,IAAI,CAAC;YACH,cAAc,GAAG,MAAM,QAAQ,CAAC,aAAa,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QACrE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CACT,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,EAC/B,2CAA2C,CAC5C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,MAAM,QAAQ,GAAG,cAAc,EAAE,aAAa,IAAI,CAAC,CAAC;IACpD,MAAM,gBAAgB,GAAG,cAAc,CAAC,cAAc,IAAI,gBAAgB,CAAC;IAE3E,IAAI,OAAe,CAAC;IACpB,IAAI,gBAAgB,IAAI,cAAc,EAAE,CAAC;QACvC,OAAO,GAAG,aAAa,cAAc,CAAC,OAAO,QAAQ,WAAW,6BAA6B,QAAQ,cAAc,CAAC;IACtH,CAAC;SAAM,IAAI,gBAAgB,EAAE,CAAC;QAC5B,OAAO,GAAG,aAAa,cAAc,CAAC,OAAO,QAAQ,WAAW,kCAAkC,CAAC;IACrG,CAAC;SAAM,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,GAAG,YAAY,WAAW,qBAAqB,cAAc,CAAC,OAAO,cAAc,cAAc,CAAC,mBAAmB,EAAE,CAAC;IACjI,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,qBAAqB,cAAc,CAAC,OAAO,yCAAyC,CAAC;IACjG,CAAC;IAED,OAAO;QACL,WAAW;QACX,iBAAiB,EAAE,KAAK;QACxB,gBAAgB,EAAE,EAAE;QACpB,KAAK;QACL,cAAc;QACd,OAAO,EAAE,gBAAgB;QACzB,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/scanner/detector.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Auto-detect which scanners are available in the current workspace.
+ *
+ * For each of the four supported scanners (ESLint, Semgrep, Bandit,
+ * Stryker) the detector probes three signal layers in order:
+ *
+ *   1. Config file existence (fastest — a single `fs.stat`)
+ *   2. Package.json dependency (for JS-ecosystem scanners)
+ *   3. Binary availability via `which` (slowest — spawns a child process)
+ *
+ * Detection short-circuits on the first hit, so a project that has an
+ * `eslint.config.mjs` will never shell out to `which eslint`.
+ *
+ * The module is side-effect-free beyond filesystem reads and one
+ * `child_process.execFile` per binary probe.
+ *
+ * @module scanner/detector
+ */
+import type { KnownScanner } from "../adapters/common.js";
+/**
+ * Result of probing a single scanner's availability.
+ */
+export interface ScannerDetection {
+    /** Which scanner was probed. */
+    scanner: KnownScanner;
+    /** Whether the scanner is available and can be executed. */
+    available: boolean;
+    /** Human-readable reason for the verdict. */
+    reason: string;
+    /** Path to the config file that triggered detection, if any. */
+    configPath?: string;
+}
+/**
+ * Config file globs and package.json keys per scanner. Order matters:
+ * the first matching config file short-circuits further probes.
+ */
+interface ScannerSignals {
+    configFiles: string[];
+    packageJsonKeys: string[];
+    binaryNames: string[];
+}
+declare const SCANNER_SIGNALS: Record<KnownScanner, ScannerSignals>;
+/**
+ * Detect which of the four supported scanners are available in the
+ * given workspace. Probes config files, package.json, and binary
+ * availability in order, short-circuiting on first match.
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @returns One {@link ScannerDetection} per known scanner.
+ */
+export declare function detectScanners(workspaceRoot: string): Promise<ScannerDetection[]>;
+export { SCANNER_SIGNALS };
+//# sourceMappingURL=detector.d.ts.map

package/dist/scanner/detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detector.d.ts","sourceRoot":"","sources":["../../src/scanner/detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAKH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAI1D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,OAAO,EAAE,YAAY,CAAC;IACtB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IACnB,6CAA6C;IAC7C,MAAM,EAAE,MAAM,CAAC;IACf,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID;;;GAGG;AACH,UAAU,cAAc;IACtB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,QAAA,MAAM,eAAe,EAAE,MAAM,CAAC,YAAY,EAAE,cAAc,CAgDzD,CAAC;AAgEF;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,gBAAgB,EAAE,CAAC,CA8C7B;AAGD,OAAO,EAAE,eAAe,EAAE,CAAC"}