claude-crap 0.1.2 → 0.3.0

package/plugin/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-crap-plugin",
-  "version": "0.1.2",
+  "version": "0.3.0",
   "private": true,
   "description": "Runtime dependencies for the claude-crap plugin bundle",
   "type": "module",

package/src/index.ts

@@ -57,7 +57,11 @@ import { validateSarifDocument } from "./sarif/sarif-validator.js";
 import { loadCrapConfig, CrapConfigError } from "./crap-config.js";
 import { findTestFile } from "./tools/test-harness.js";
 import { resolveWithinWorkspace } from "./workspace-guard.js";
+import { autoScan } from "./scanner/auto-scan.js";
+import { bootstrapScanner } from "./scanner/bootstrap.js";
 import {
+  autoScanSchema,
+  bootstrapScannerSchema,
   computeCrapSchema,
   computeTdrSchema,
   analyzeFileAstSchema,
@@ -205,6 +209,18 @@ async function main(): Promise<void> {
           "Aggregate the project score across Maintainability, Reliability, Security and Overall, returning a chat-friendly Markdown summary, the structured JSON, the local dashboard URL, and the consolidated SARIF report path.",
         inputSchema: scoreProjectSchema,
       },
+      {
+        name: "auto_scan",
+        description:
+          "Auto-detect available scanners (ESLint, Semgrep, Bandit, Stryker) in the workspace, run them, and ingest findings into the SARIF store.",
+        inputSchema: autoScanSchema,
+      },
+      {
+        name: "bootstrap_scanner",
+        description:
+          "Detect project type, install the right scanner (ESLint for JS/TS, Bandit for Python, Semgrep for Java/C#), create minimal config, and run auto_scan to verify.",
+        inputSchema: bootstrapScannerSchema,
+      },
     ],
   }));
 
@@ -532,6 +548,65 @@ async function main(): Promise<void> {
         }
       }
 
+      case "bootstrap_scanner": {
+        logger.info({ tool: "bootstrap_scanner" }, "Tool call received");
+        try {
+          const result = await bootstrapScanner(config.pluginRoot, sarifStore, logger);
+          const markdown = renderBootstrapMarkdown(result);
+          return {
+            content: [
+              { type: "text", text: markdown },
+              { type: "text", text: JSON.stringify(result, null, 2) },
+            ],
+            isError: !result.success,
+          };
+        } catch (err) {
+          logger.error({ err }, "bootstrap_scanner failed");
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify(
+                  { tool: "bootstrap_scanner", status: "error", message: (err as Error).message },
+                  null,
+                  2,
+                ),
+              },
+            ],
+            isError: true,
+          };
+        }
+      }
+
+      case "auto_scan": {
+        logger.info({ tool: "auto_scan" }, "Tool call received");
+        try {
+          const result = await autoScan(config.pluginRoot, sarifStore, logger);
+          const markdown = renderAutoScanMarkdown(result);
+          return {
+            content: [
+              { type: "text", text: markdown },
+              { type: "text", text: JSON.stringify(result, null, 2) },
+            ],
+          };
+        } catch (err) {
+          logger.error({ err }, "auto_scan failed");
+          return {
+            content: [
+              {
+                type: "text",
+                text: JSON.stringify(
+                  { tool: "auto_scan", status: "error", message: (err as Error).message },
+                  null,
+                  2,
+                ),
+              },
+            ],
+            isError: true,
+          };
+        }
+      }
+
       default:
         throw new Error(`[claude-crap] Unknown tool: ${name}`);
     }
@@ -589,6 +664,107 @@ async function main(): Promise<void> {
   const transport = new StdioServerTransport();
   await server.connect(transport);
   logger.info("claude-crap MCP server ready (stdio)");
+
+  // Fire-and-forget: auto-scan runs in background, doesn't block tool calls.
+  // If the agent calls score_project before scanning finishes, it gets
+  // whatever is in the SARIF store so far. The next call after completion
+  // reflects all findings.
+  autoScan(config.pluginRoot, sarifStore, logger)
+    .then((result) => {
+      const scanners = result.results
+        .filter((r) => r.success)
+        .map((r) => r.scanner);
+      logger.info(
+        {
+          scannersRun: scanners,
+          totalFindings: result.totalFindings,
+          durationMs: result.totalDurationMs,
+        },
+        "auto-scan completed",
+      );
+    })
+    .catch((err) => {
+      logger.warn(
+        { err: (err as Error).message },
+        "auto-scan failed — continuing without it",
+      );
+    });
+}
+
+/**
+ * Render a human-readable Markdown summary of a bootstrap result.
+ */
+function renderBootstrapMarkdown(result: import("./scanner/bootstrap.js").BootstrapResult): string {
+  const lines: string[] = ["## claude-crap :: bootstrap scanner\n"];
+
+  lines.push(`**Project type:** ${result.projectType}`);
+
+  if (result.alreadyConfigured) {
+    lines.push(`**Status:** Scanner(s) already configured: ${result.existingScanners.join(", ")}`);
+    lines.push("\nNo installation needed. Run `auto_scan` to ingest findings.");
+    return lines.join("\n");
+  }
+
+  lines.push("");
+
+  if (result.steps.length > 0) {
+    lines.push("### Steps\n");
+    lines.push("| Action | Status | Detail |");
+    lines.push("| ------ | :----: | ------ |");
+    for (const s of result.steps) {
+      const status = s.success ? "ok" : "failed";
+      lines.push(`| ${s.action} | ${status} | ${s.detail} |`);
+    }
+    lines.push("");
+  }
+
+  if (result.autoScanResult) {
+    const r = result.autoScanResult;
+    const scanners = r.results.filter((s) => s.success).map((s) => s.scanner);
+    lines.push(
+      `**Auto-scan:** ${r.totalFindings} finding(s) ingested from ${scanners.join(", ") || "no scanners"} in ${(r.totalDurationMs / 1000).toFixed(1)}s`,
+    );
+    lines.push("");
+  }
+
+  lines.push(`**Summary:** ${result.summary}`);
+  return lines.join("\n");
+}
+
+/**
+ * Render a human-readable Markdown summary of an auto-scan result.
+ */
+function renderAutoScanMarkdown(result: import("./scanner/auto-scan.js").AutoScanResult): string {
+  const lines: string[] = ["## claude-crap :: auto-scan results\n"];
+
+  // Detection summary
+  lines.push("### Detected scanners\n");
+  lines.push("| Scanner | Available | Reason |");
+  lines.push("| ------- | :-------: | ------ |");
+  for (const d of result.detected) {
+    lines.push(`| ${d.scanner} | ${d.available ? "yes" : "no"} | ${d.reason} |`);
+  }
+  lines.push("");
+
+  // Execution results
+  if (result.results.length > 0) {
+    lines.push("### Execution results\n");
+    lines.push("| Scanner | Status | Findings | Duration |");
+    lines.push("| ------- | :----: | :------: | -------: |");
+    for (const r of result.results) {
+      const status = r.success ? "ok" : "failed";
+      const duration = `${(r.durationMs / 1000).toFixed(1)}s`;
+      lines.push(`| ${r.scanner} | ${status} | ${r.findingsIngested} | ${duration} |`);
+    }
+    lines.push("");
+  }
+
+  // Summary
+  lines.push(
+    `**Total findings ingested:** ${result.totalFindings} in ${(result.totalDurationMs / 1000).toFixed(1)}s`,
+  );
+
+  return lines.join("\n");
 }
 
 /**

package/src/scanner/auto-scan.ts

@@ -0,0 +1,212 @@
+/**
+ * Orchestrator: detect available scanners, run them, and ingest results.
+ *
+ * This module ties together the detector, runner, and adapter pipeline
+ * into a single `autoScan()` function that:
+ *
+ *   1. Probes the workspace for available scanners
+ *   2. Executes detected scanners in parallel
+ *   3. Routes each scanner's output through its adapter
+ *   4. Ingests the normalized SARIF into the store
+ *
+ * The function is designed to be called:
+ *   - At MCP server boot (fire-and-forget, non-blocking)
+ *   - On demand via the `auto_scan` MCP tool
+ *
+ * Failures in individual scanners are logged and skipped — a broken
+ * Semgrep install should not prevent ESLint from running.
+ *
+ * @module scanner/auto-scan
+ */
+
+import type { Logger } from "pino";
+import { detectScanners, type ScannerDetection } from "./detector.js";
+import { runScanner, type ScannerRunResult } from "./runner.js";
+import { adaptScannerOutput, type KnownScanner } from "../adapters/index.js";
+import type { SarifStore } from "../sarif/sarif-store.js";
+
+// ── Types ──────────────────────────────────────────────────────────
+
+/**
+ * Per-scanner result within the auto-scan summary.
+ */
+export interface ScannerResult {
+  scanner: KnownScanner;
+  success: boolean;
+  findingsIngested: number;
+  durationMs: number;
+  error?: string;
+}
+
+/**
+ * Complete result of an auto-scan run.
+ */
+export interface AutoScanResult {
+  /** Detection results for all four scanners. */
+  detected: ScannerDetection[];
+  /** Execution + ingestion results for scanners that were available. */
+  results: ScannerResult[];
+  /** Total findings ingested across all scanners. */
+  totalFindings: number;
+  /** Wall-clock time for the entire auto-scan. */
+  totalDurationMs: number;
+}
+
+// ── Orchestrator ───────────────────────────────────────────────────
+
+/**
+ * Ingest a single scanner's raw output through its adapter and into
+ * the SARIF store. Returns the number of accepted findings.
+ */
+function ingestScannerRun(
+  scanner: KnownScanner,
+  rawOutput: string,
+  sarifStore: SarifStore,
+): { accepted: number } {
+  // Parse the raw output — adapters accept string or object
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(rawOutput);
+  } catch {
+    // Semgrep outputs SARIF as a string, others are JSON.
+    // If parsing fails, pass the raw string to the adapter.
+    parsed = rawOutput;
+  }
+
+  const adapted = adaptScannerOutput(scanner, parsed);
+  const stats = sarifStore.ingestRun(adapted.document, adapted.sourceTool);
+  return { accepted: stats.accepted };
+}
+
+/**
+ * Auto-detect, run, and ingest all available scanners.
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @param sarifStore    Live SARIF store to ingest findings into.
+ * @param logger        Pino logger for progress and error reporting.
+ * @returns             Summary of what was detected, run, and ingested.
+ */
+export async function autoScan(
+  workspaceRoot: string,
+  sarifStore: SarifStore,
+  logger: Logger,
+): Promise<AutoScanResult> {
+  const start = Date.now();
+
+  // 1. Detect available scanners
+  const detected = await detectScanners(workspaceRoot);
+  const available = detected.filter((d) => d.available);
+
+  logger.info(
+    {
+      detected: detected.map((d) => `${d.scanner}:${d.available}`),
+      available: available.length,
+    },
+    "auto-scan: detection complete",
+  );
+
+  if (available.length === 0) {
+    return {
+      detected,
+      results: [],
+      totalFindings: 0,
+      totalDurationMs: Date.now() - start,
+    };
+  }
+
+  // 2. Run all available scanners in parallel
+  const runResults = await Promise.allSettled(
+    available.map((d) => runScanner(d.scanner, workspaceRoot)),
+  );
+
+  // 3. Ingest results
+  const results: ScannerResult[] = [];
+  let totalFindings = 0;
+  let persistNeeded = false;
+
+  for (let i = 0; i < available.length; i++) {
+    const detection = available[i]!;
+    const settled = runResults[i]!;
+
+    if (settled.status === "rejected") {
+      const error = String(settled.reason);
+      logger.warn(
+        { scanner: detection.scanner, error },
+        "auto-scan: scanner execution rejected",
+      );
+      results.push({
+        scanner: detection.scanner,
+        success: false,
+        findingsIngested: 0,
+        durationMs: 0,
+        error,
+      });
+      continue;
+    }
+
+    const runResult: ScannerRunResult = settled.value;
+
+    if (!runResult.success) {
+      logger.warn(
+        { scanner: runResult.scanner, error: runResult.error },
+        "auto-scan: scanner returned failure",
+      );
+      results.push({
+        scanner: runResult.scanner,
+        success: false,
+        findingsIngested: 0,
+        durationMs: runResult.durationMs,
+        error: runResult.error ?? "unknown error",
+      });
+      continue;
+    }
+
+    // Ingest through adapter pipeline
+    try {
+      const { accepted } = ingestScannerRun(
+        runResult.scanner,
+        runResult.rawOutput,
+        sarifStore,
+      );
+      totalFindings += accepted;
+      persistNeeded = true;
+
+      logger.info(
+        { scanner: runResult.scanner, accepted, durationMs: runResult.durationMs },
+        "auto-scan: scanner ingested",
+      );
+
+      results.push({
+        scanner: runResult.scanner,
+        success: true,
+        findingsIngested: accepted,
+        durationMs: runResult.durationMs,
+      });
+    } catch (err) {
+      const error = (err as Error).message;
+      logger.warn(
+        { scanner: runResult.scanner, error },
+        "auto-scan: adapter/ingestion failed",
+      );
+      results.push({
+        scanner: runResult.scanner,
+        success: false,
+        findingsIngested: 0,
+        durationMs: runResult.durationMs,
+        error,
+      });
+    }
+  }
+
+  // 4. Persist consolidated SARIF if anything was ingested
+  if (persistNeeded) {
+    await sarifStore.persist();
+  }
+
+  return {
+    detected,
+    results,
+    totalFindings,
+    totalDurationMs: Date.now() - start,
+  };
+}