claude-crap 0.1.2

package/dist/metrics/tdr.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Technical Debt Ratio (TDR) — deterministic computation and rating.
+ *
+ * The Technical Debt Ratio expresses how expensive it would be to remediate
+ * all known issues in a scope, relative to how much it would have cost to
+ * write the code in the first place. Formally (see docs/quality-gate.md):
+ *
+ *     TDR = remediationCost / (costPerLine × totalLinesOfCode)
+ *
+ * Where the remediation cost is the sum (in minutes) of every linter /
+ * scanner / mutator finding's individual estimated effort, and the per-line
+ * cost is assumed to be a constant `minutesPerLoc` (industry default: 30
+ * minutes per line of code, including design, writing and review).
+ *
+ * The resulting ratio is converted to a percentage and mapped to a letter
+ * grade A..E. The thresholds are strict and non-negotiable:
+ *
+ *   | Rating | TDR %        | Meaning                                   |
+ *   |--------|--------------|-------------------------------------------|
+ *   | A      | 0..5%        | Excellent — remediation cost is noise     |
+ *   | B      | >5..10%      | Low risk                                  |
+ *   | C      | >10..20%     | Moderate, watch closely                   |
+ *   | D      | >20..50%     | Critical, remediation plan required       |
+ *   | E      | >50%         | Unmaintainable — halt feature work        |
+ *
+ * Rating E always halts the workflow at the Stop quality gate, regardless
+ * of the configured `TDR_MAX_RATING` tolerance.
+ *
+ * @module metrics/tdr
+ */
+import type { MaintainabilityRating } from "../config.js";
+/**
+ * Inputs required to compute a Technical Debt Ratio over any scope
+ * (project, module, or file).
+ */
+export interface TdrInput {
+    /** Sum of all finding remediation estimates, in minutes. Must be ≥ 0. */
+    readonly remediationMinutes: number;
+    /** Total lines of code in the scope. Must be > 0 (division denominator). */
+    readonly totalLinesOfCode: number;
+    /** Assumed development cost per LOC, in minutes. Must be > 0. */
+    readonly minutesPerLoc: number;
+}
+/**
+ * Result of a TDR computation with both the raw ratio and the letter grade.
+ */
+export interface TdrResult {
+    /** Raw ratio (remediation / development), rounded to 6 decimals. */
+    readonly ratio: number;
+    /** Same ratio expressed as a percentage, rounded to 4 decimals. */
+    readonly percent: number;
+    /** Letter grade derived from `percent` via {@link classifyTdr}. */
+    readonly rating: MaintainabilityRating;
+    /** Remediation input, echoed for traceability. */
+    readonly remediationMinutes: number;
+    /** LOC input, echoed for traceability. */
+    readonly totalLinesOfCode: number;
+    /** Computed `minutesPerLoc × totalLinesOfCode`, useful for the dashboard. */
+    readonly developmentCostMinutes: number;
+}
+/**
+ * Convert a letter rating to its numeric rank (A=0, E=4). Useful when
+ * comparing two ratings without relying on lexical order.
+ *
+ * @param rating The rating letter.
+ * @returns      Its rank in `[0, 4]`.
+ */
+export declare function ratingToRank(rating: MaintainabilityRating): number;
+/**
+ * Return `true` when `actual` is strictly worse than `limit`, false otherwise.
+ * Used by the Stop quality gate to decide whether to block task completion.
+ *
+ * @param actual Rating currently achieved by the project.
+ * @param limit  Maximum tolerated rating (worst allowed).
+ * @returns      `true` if `actual` should trigger a block.
+ *
+ * @example
+ * ratingIsWorseThan("D", "C") // → true
+ * ratingIsWorseThan("B", "C") // → false
+ * ratingIsWorseThan("C", "C") // → false (equal, not worse)
+ */
+export declare function ratingIsWorseThan(actual: MaintainabilityRating, limit: MaintainabilityRating): boolean;
+/**
+ * Map a TDR percentage to its letter rating. The boundaries are inclusive
+ * on the upper end (5% is still an A, 10% is still a B, etc.).
+ *
+ * @param percent TDR expressed as a percentage. Must be ≥ 0.
+ * @returns       Letter rating A..E.
+ * @throws        When `percent` is negative or not finite.
+ */
+export declare function classifyTdr(percent: number): MaintainabilityRating;
+/**
+ * Compute the Technical Debt Ratio for a scope and return the full result.
+ * This function is pure and deterministic.
+ *
+ * @param input Remediation minutes, total LOC and the cost-per-line assumption.
+ * @returns     A {@link TdrResult} ready to be serialized to SARIF properties.
+ * @throws      When any numeric input is out of range.
+ *
+ * @example
+ * // 240 minutes of remediation across 500 LOC at 30 min/LOC
+ * computeTdr({ remediationMinutes: 240, totalLinesOfCode: 500, minutesPerLoc: 30 })
+ * // → { ratio: 0.016, percent: 1.6, rating: "A", ... }
+ */
+export declare function computeTdr(input: TdrInput): TdrResult;
+//# sourceMappingURL=tdr.d.ts.map

package/dist/metrics/tdr.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tdr.d.ts","sourceRoot":"","sources":["../../src/metrics/tdr.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAE1D;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACvB,yEAAyE;IACzE,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,4EAA4E;IAC5E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,iEAAiE;IACjE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,oEAAoE;IACpE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,mEAAmE;IACnE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mEAAmE;IACnE,QAAQ,CAAC,MAAM,EAAE,qBAAqB,CAAC;IACvC,kDAAkD;IAClD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,0CAA0C;IAC1C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,6EAA6E;IAC7E,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;CACzC;AAKD;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,qBAAqB,GAAG,MAAM,CAElE;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,qBAAqB,EAC7B,KAAK,EAAE,qBAAqB,GAC3B,OAAO,CAET;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,qBAAqB,CASlE;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,QAAQ,GAAG,SAAS,CAwBrD"}

package/dist/metrics/tdr.js

@@ -0,0 +1,117 @@
+/**
+ * Technical Debt Ratio (TDR) — deterministic computation and rating.
+ *
+ * The Technical Debt Ratio expresses how expensive it would be to remediate
+ * all known issues in a scope, relative to how much it would have cost to
+ * write the code in the first place. Formally (see docs/quality-gate.md):
+ *
+ *     TDR = remediationCost / (costPerLine × totalLinesOfCode)
+ *
+ * Where the remediation cost is the sum (in minutes) of every linter /
+ * scanner / mutator finding's individual estimated effort, and the per-line
+ * cost is assumed to be a constant `minutesPerLoc` (industry default: 30
+ * minutes per line of code, including design, writing and review).
+ *
+ * The resulting ratio is converted to a percentage and mapped to a letter
+ * grade A..E. The thresholds are strict and non-negotiable:
+ *
+ *   | Rating | TDR %        | Meaning                                   |
+ *   |--------|--------------|-------------------------------------------|
+ *   | A      | 0..5%        | Excellent — remediation cost is noise     |
+ *   | B      | >5..10%      | Low risk                                  |
+ *   | C      | >10..20%     | Moderate, watch closely                   |
+ *   | D      | >20..50%     | Critical, remediation plan required       |
+ *   | E      | >50%         | Unmaintainable — halt feature work        |
+ *
+ * Rating E always halts the workflow at the Stop quality gate, regardless
+ * of the configured `TDR_MAX_RATING` tolerance.
+ *
+ * @module metrics/tdr
+ */
+/** Canonical ordering used by {@link ratingToRank}. */
+const RATING_ORDER = ["A", "B", "C", "D", "E"];
+/**
+ * Convert a letter rating to its numeric rank (A=0, E=4). Useful when
+ * comparing two ratings without relying on lexical order.
+ *
+ * @param rating The rating letter.
+ * @returns      Its rank in `[0, 4]`.
+ */
+export function ratingToRank(rating) {
+    return RATING_ORDER.indexOf(rating);
+}
+/**
+ * Return `true` when `actual` is strictly worse than `limit`, false otherwise.
+ * Used by the Stop quality gate to decide whether to block task completion.
+ *
+ * @param actual Rating currently achieved by the project.
+ * @param limit  Maximum tolerated rating (worst allowed).
+ * @returns      `true` if `actual` should trigger a block.
+ *
+ * @example
+ * ratingIsWorseThan("D", "C") // → true
+ * ratingIsWorseThan("B", "C") // → false
+ * ratingIsWorseThan("C", "C") // → false (equal, not worse)
+ */
+export function ratingIsWorseThan(actual, limit) {
+    return ratingToRank(actual) > ratingToRank(limit);
+}
+/**
+ * Map a TDR percentage to its letter rating. The boundaries are inclusive
+ * on the upper end (5% is still an A, 10% is still a B, etc.).
+ *
+ * @param percent TDR expressed as a percentage. Must be ≥ 0.
+ * @returns       Letter rating A..E.
+ * @throws        When `percent` is negative or not finite.
+ */
+export function classifyTdr(percent) {
+    if (!Number.isFinite(percent) || percent < 0) {
+        throw new Error(`[tdr] percent is invalid: ${percent}`);
+    }
+    if (percent <= 5)
+        return "A";
+    if (percent <= 10)
+        return "B";
+    if (percent <= 20)
+        return "C";
+    if (percent <= 50)
+        return "D";
+    return "E";
+}
+/**
+ * Compute the Technical Debt Ratio for a scope and return the full result.
+ * This function is pure and deterministic.
+ *
+ * @param input Remediation minutes, total LOC and the cost-per-line assumption.
+ * @returns     A {@link TdrResult} ready to be serialized to SARIF properties.
+ * @throws      When any numeric input is out of range.
+ *
+ * @example
+ * // 240 minutes of remediation across 500 LOC at 30 min/LOC
+ * computeTdr({ remediationMinutes: 240, totalLinesOfCode: 500, minutesPerLoc: 30 })
+ * // → { ratio: 0.016, percent: 1.6, rating: "A", ... }
+ */
+export function computeTdr(input) {
+    if (input.totalLinesOfCode <= 0) {
+        throw new Error(`[tdr] totalLinesOfCode must be > 0, got ${input.totalLinesOfCode}`);
+    }
+    if (input.minutesPerLoc <= 0) {
+        throw new Error(`[tdr] minutesPerLoc must be > 0, got ${input.minutesPerLoc}`);
+    }
+    if (input.remediationMinutes < 0) {
+        throw new Error(`[tdr] remediationMinutes must be ≥ 0, got ${input.remediationMinutes}`);
+    }
+    const developmentCostMinutes = input.minutesPerLoc * input.totalLinesOfCode;
+    const ratio = input.remediationMinutes / developmentCostMinutes;
+    const percent = ratio * 100;
+    const rating = classifyTdr(percent);
+    return {
+        ratio: Number(ratio.toFixed(6)),
+        percent: Number(percent.toFixed(4)),
+        rating,
+        remediationMinutes: input.remediationMinutes,
+        totalLinesOfCode: input.totalLinesOfCode,
+        developmentCostMinutes,
+    };
+}
+//# sourceMappingURL=tdr.js.map

package/dist/metrics/tdr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tdr.js","sourceRoot":"","sources":["../../src/metrics/tdr.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAmCH,uDAAuD;AACvD,MAAM,YAAY,GAAyC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAErF;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,MAA6B;IACxD,OAAO,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,iBAAiB,CAC/B,MAA6B,EAC7B,KAA4B;IAE5B,OAAO,YAAY,CAAC,MAAM,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,OAAO,IAAI,CAAC;QAAE,OAAO,GAAG,CAAC;IAC7B,IAAI,OAAO,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC9B,IAAI,OAAO,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC9B,IAAI,OAAO,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC9B,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,UAAU,CAAC,KAAe;IACxC,IAAI,KAAK,CAAC,gBAAgB,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,2CAA2C,KAAK,CAAC,gBAAgB,EAAE,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,KAAK,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,wCAAwC,KAAK,CAAC,aAAa,EAAE,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,KAAK,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,6CAA6C,KAAK,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,sBAAsB,GAAG,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,gBAAgB,CAAC;IAC5E,MAAM,KAAK,GAAG,KAAK,CAAC,kBAAkB,GAAG,sBAAsB,CAAC;IAChE,MAAM,OAAO,GAAG,KAAK,GAAG,GAAG,CAAC;IAC5B,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IAEpC,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAC/B,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM;QACN,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;QAC5C,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;QACxC,sBAAsB;KACvB,CAAC;AACJ,CAAC"}

package/dist/metrics/workspace-walker.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Bounded workspace walker.
+ *
+ * Counts physical lines of code across a workspace, skipping directories
+ * that should not contribute to the Technical Debt Ratio (dependency
+ * caches, build artifacts, VCS metadata, etc.) and capping the file
+ * count to keep the walk well under the Stop hook's 120-second budget
+ * even on pathological repositories.
+ *
+ * This is the TypeScript twin of `hooks/lib/quality-gate.mjs#estimateWorkspaceLoc`.
+ * The two are independent so neither side has to import files from outside
+ * its own project tree.
+ *
+ * @module metrics/workspace-walker
+ */
+/**
+ * Result returned by {@link estimateWorkspaceLoc}.
+ */
+export interface WorkspaceWalkResult {
+    /** Total physical lines of code across every file the walker read. */
+    readonly physicalLoc: number;
+    /** Number of code files the walker visited. */
+    readonly fileCount: number;
+    /** `true` when the walker hit {@link MAX_FILES_WALKED} and stopped early. */
+    readonly truncated: boolean;
+}
+/**
+ * Hard cap on the number of files the walker will read. Protects against
+ * pathological repositories where the walk would otherwise dominate the
+ * Stop hook's budget. When hit, the walker returns the partial count
+ * with `truncated: true` and the caller may decide how to react.
+ */
+export declare const MAX_FILES_WALKED = 20000;
+/**
+ * Walk a workspace and return its physical LOC + file count. Never
+ * follows symbolic links. Skips hidden directories except `.claude-plugin`
+ * (which is tiny and contains the manifest).
+ *
+ * @param workspaceRoot Absolute path to the workspace root.
+ * @returns             A {@link WorkspaceWalkResult} snapshot.
+ */
+export declare function estimateWorkspaceLoc(workspaceRoot: string): Promise<WorkspaceWalkResult>;
+//# sourceMappingURL=workspace-walker.d.ts.map

package/dist/metrics/workspace-walker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-walker.d.ts","sourceRoot":"","sources":["../../src/metrics/workspace-walker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,sEAAsE;IACtE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,+CAA+C;IAC/C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,6EAA6E;IAC7E,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;CAC7B;AAkDD;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,QAAS,CAAC;AAEvC;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAkD9F"}

package/dist/metrics/workspace-walker.js

@@ -0,0 +1,137 @@
+/**
+ * Bounded workspace walker.
+ *
+ * Counts physical lines of code across a workspace, skipping directories
+ * that should not contribute to the Technical Debt Ratio (dependency
+ * caches, build artifacts, VCS metadata, etc.) and capping the file
+ * count to keep the walk well under the Stop hook's 120-second budget
+ * even on pathological repositories.
+ *
+ * This is the TypeScript twin of `hooks/lib/quality-gate.mjs#estimateWorkspaceLoc`.
+ * The two are independent so neither side has to import files from outside
+ * its own project tree.
+ *
+ * @module metrics/workspace-walker
+ */
+import { promises as fs } from "node:fs";
+import { join } from "node:path";
+/**
+ * Directories that should never contribute to the LOC count. Dependency
+ * caches, build artifacts, VCS metadata, claude-crap's own state.
+ */
+const SKIP_DIRS = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "out",
+    "target",
+    ".venv",
+    "venv",
+    "__pycache__",
+    ".cache",
+    ".next",
+    ".nuxt",
+    ".claude-crap",
+    ".codesight",
+]);
+/**
+ * Extensions the walker treats as "code". Anything else is ignored,
+ * including markdown, JSON, YAML, lockfiles, and binaries.
+ */
+const CODE_EXTENSIONS = new Set([
+    ".ts",
+    ".tsx",
+    ".mts",
+    ".cts",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    ".py",
+    ".java",
+    ".cs",
+    ".go",
+    ".rs",
+    ".rb",
+    ".php",
+    ".swift",
+    ".kt",
+    ".scala",
+    ".dart",
+    ".vue",
+]);
+/**
+ * Hard cap on the number of files the walker will read. Protects against
+ * pathological repositories where the walk would otherwise dominate the
+ * Stop hook's budget. When hit, the walker returns the partial count
+ * with `truncated: true` and the caller may decide how to react.
+ */
+export const MAX_FILES_WALKED = 20_000;
+/**
+ * Walk a workspace and return its physical LOC + file count. Never
+ * follows symbolic links. Skips hidden directories except `.claude-plugin`
+ * (which is tiny and contains the manifest).
+ *
+ * @param workspaceRoot Absolute path to the workspace root.
+ * @returns             A {@link WorkspaceWalkResult} snapshot.
+ */
+export async function estimateWorkspaceLoc(workspaceRoot) {
+    let physicalLoc = 0;
+    let fileCount = 0;
+    let truncated = false;
+    async function walk(dir) {
+        if (truncated)
+            return;
+        let entries;
+        try {
+            entries = await fs.readdir(dir, { withFileTypes: true });
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (truncated)
+                return;
+            // Skip hidden files except the plugin manifest dir.
+            if (entry.name.startsWith(".") && entry.name !== ".claude-plugin")
+                continue;
+            const full = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                if (SKIP_DIRS.has(entry.name))
+                    continue;
+                await walk(full);
+                continue;
+            }
+            if (!entry.isFile())
+                continue;
+            const lower = entry.name.toLowerCase();
+            const dot = lower.lastIndexOf(".");
+            if (dot < 0)
+                continue;
+            const ext = lower.substring(dot);
+            if (!CODE_EXTENSIONS.has(ext))
+                continue;
+            fileCount += 1;
+            if (fileCount > MAX_FILES_WALKED) {
+                truncated = true;
+                return;
+            }
+            try {
+                const content = await fs.readFile(full, "utf8");
+                if (content.length > 0) {
+                    // Subtract 1 for trailing newline, matching what most editors
+                    // report as the file's line count.
+                    const lines = content.split(/\r?\n/).length;
+                    physicalLoc += content.endsWith("\n") ? lines - 1 : lines;
+                }
+            }
+            catch {
+                // Unreadable file (permissions, binary). Skip silently.
+            }
+        }
+    }
+    await walk(workspaceRoot);
+    return { physicalLoc, fileCount, truncated };
+}
+//# sourceMappingURL=workspace-walker.js.map

package/dist/metrics/workspace-walker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-walker.js","sourceRoot":"","sources":["../../src/metrics/workspace-walker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAcjC;;;GAGG;AACH,MAAM,SAAS,GAAwB,IAAI,GAAG,CAAC;IAC7C,cAAc;IACd,MAAM;IACN,MAAM;IACN,OAAO;IACP,KAAK;IACL,QAAQ;IACR,OAAO;IACP,MAAM;IACN,aAAa;IACb,QAAQ;IACR,OAAO;IACP,OAAO;IACP,cAAc;IACd,YAAY;CACb,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,KAAK;IACL,OAAO;IACP,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,QAAQ;IACR,KAAK;IACL,QAAQ;IACR,OAAO;IACP,MAAM;CACP,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEvC;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,aAAqB;IAC9D,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,KAAK,UAAU,IAAI,CAAC,GAAW;QAC7B,IAAI,SAAS;YAAE,OAAO;QACtB,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,SAAS;gBAAE,OAAO;YACtB,oDAAoD;YACpD,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB;gBAAE,SAAS;YAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,IAAI,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;oBAAE,SAAS;gBACxC,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;gBAAE,SAAS;YAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACvC,MAAM,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;YACnC,IAAI,GAAG,GAAG,CAAC;gBAAE,SAAS;YACtB,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YACxC,SAAS,IAAI,CAAC,CAAC;YACf,IAAI,SAAS,GAAG,gBAAgB,EAAE,CAAC;gBACjC,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;gBAChD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACvB,8DAA8D;oBAC9D,mCAAmC;oBACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;oBAC5C,WAAW,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC5D,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,wDAAwD;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,aAAa,CAAC,CAAC;IAC1B,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AAC/C,CAAC"}

package/dist/sarif/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Public SDK entry point for the SARIF 2.1.0 builder and store.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   SarifStore,
+ *   buildSarifDocument,
+ *   type SarifFinding,
+ *   type SarifLevel,
+ * } from "claude-crap/sarif";
+ * ```
+ *
+ * @module sarif
+ */
+export { buildSarifDocument } from "./sarif-builder.js";
+export type { SarifFinding, SarifLevel, SarifLocation, SarifToolInfo, } from "./sarif-builder.js";
+export { SarifStore } from "./sarif-store.js";
+export type { IngestedFinding, PersistedSarif, SarifStoreOptions, } from "./sarif-store.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/sarif/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sarif/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,YAAY,EACV,YAAY,EACZ,UAAU,EACV,aAAa,EACb,aAAa,GACd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,YAAY,EACV,eAAe,EACf,cAAc,EACd,iBAAiB,GAClB,MAAM,kBAAkB,CAAC"}

package/dist/sarif/index.js

@@ -0,0 +1,19 @@
+/**
+ * Public SDK entry point for the SARIF 2.1.0 builder and store.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   SarifStore,
+ *   buildSarifDocument,
+ *   type SarifFinding,
+ *   type SarifLevel,
+ * } from "claude-crap/sarif";
+ * ```
+ *
+ * @module sarif
+ */
+export { buildSarifDocument } from "./sarif-builder.js";
+export { SarifStore } from "./sarif-store.js";
+//# sourceMappingURL=index.js.map

package/dist/sarif/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sarif/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAQxD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/sarif/sarif-builder.d.ts

@@ -0,0 +1,128 @@
+/**
+ * Minimal SARIF 2.1.0 document builder.
+ *
+ * Every report that leaves the MCP server on its way to the agent is
+ * normalized to SARIF 2.1.0 first. This module provides the typed
+ * helpers used to wrap raw findings in the canonical
+ * `tool → runs → results` taxonomy with exact file coordinates.
+ *
+ * Per-scanner adapters (Semgrep, ESLint, Bandit, Stryker) live under
+ * `src/adapters/` and call into `buildSarifDocument` through the
+ * `wrapResultsInSarif` helper in `src/adapters/common.ts`. The
+ * on-disk deduplication store lives in `./sarif-store.ts`.
+ *
+ * The SARIF 2.1.0 spec lives at:
+ *   https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+ *
+ * @module sarif/sarif-builder
+ */
+/**
+ * Severity levels supported by SARIF 2.1.0. They map 1:1 to the
+ * `result.level` field. `"error"` is the strongest, `"none"` is informational.
+ */
+export type SarifLevel = "none" | "note" | "warning" | "error";
+/**
+ * Physical location of a finding inside a source artifact. `startLine` and
+ * `startColumn` are 1-based, matching the SARIF spec. `endLine` and
+ * `endColumn` are optional — omit them for point-like findings.
+ */
+export interface SarifLocation {
+    /** Artifact URI, typically a file path relative to the workspace root. */
+    readonly uri: string;
+    /** 1-based line number where the finding starts. */
+    readonly startLine: number;
+    /** 1-based column number where the finding starts. */
+    readonly startColumn: number;
+    /** Optional 1-based line number where the finding ends. */
+    readonly endLine?: number;
+    /** Optional 1-based column number where the finding ends. */
+    readonly endColumn?: number;
+}
+/**
+ * A single finding ready to be embedded in a SARIF run. This is the
+ * internal shape used by claude-crap adapters; it is converted into the
+ * official SARIF `result` object by {@link buildSarifDocument}.
+ */
+export interface SarifFinding {
+    /** Stable rule identifier (e.g. `"SONAR-CRAP-001"`, `"semgrep.python.sqli"`). */
+    readonly ruleId: string;
+    /** Severity level for this finding. */
+    readonly level: SarifLevel;
+    /** Human-readable message describing the finding. */
+    readonly message: string;
+    /** Physical location where the finding was detected. */
+    readonly location: SarifLocation;
+    /** Optional extra metadata stored in the SARIF `properties` bag. */
+    readonly properties?: Record<string, unknown>;
+}
+/**
+ * Metadata describing the tool that produced a SARIF run. The `name` is
+ * required by the spec; `version` is strongly recommended so that dashboard
+ * diffs can distinguish between scanner releases.
+ */
+export interface SarifToolInfo {
+    /** Tool display name (e.g. `"claude-crap"`, `"semgrep"`). */
+    readonly name: string;
+    /** Tool semantic version. */
+    readonly version: string;
+    /** Optional URL pointing to the tool's documentation or home page. */
+    readonly informationUri?: string;
+}
+/**
+ * Build a minimal but valid SARIF 2.1.0 document from a list of findings.
+ *
+ * The returned object conforms to the SARIF JSON schema hosted at:
+ *   https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json
+ *
+ * Rules are deduplicated by `ruleId` and emitted in the `tool.driver.rules`
+ * array so that downstream consumers (Claude Code, the dashboard, or any
+ * third-party SARIF viewer) can render a rule index.
+ *
+ * @param tool     Metadata about the producing tool.
+ * @param findings Findings to include in the single run.
+ * @returns        A SARIF 2.1.0 document literal (frozen by `as const`).
+ */
+export declare function buildSarifDocument(tool: SarifToolInfo, findings: ReadonlyArray<SarifFinding>): {
+    readonly $schema: "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json";
+    readonly version: "2.1.0";
+    readonly runs: readonly [{
+        readonly tool: {
+            readonly driver: {
+                readonly name: string;
+                readonly version: string;
+                readonly informationUri: string;
+                readonly rules: {
+                    id: string;
+                    shortDescription: {
+                        text: string;
+                    };
+                    defaultConfiguration: {
+                        level: SarifLevel;
+                    };
+                }[];
+            };
+        };
+        readonly results: {
+            properties?: Record<string, unknown>;
+            ruleId: string;
+            level: SarifLevel;
+            message: {
+                text: string;
+            };
+            locations: {
+                physicalLocation: {
+                    artifactLocation: {
+                        uri: string;
+                    };
+                    region: {
+                        endColumn?: number;
+                        endLine?: number;
+                        startLine: number;
+                        startColumn: number;
+                    };
+                };
+            }[];
+        }[];
+    }];
+};
+//# sourceMappingURL=sarif-builder.d.ts.map

package/dist/sarif/sarif-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif-builder.d.ts","sourceRoot":"","sources":["../../src/sarif/sarif-builder.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;AAE/D;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,0EAA0E;IAC1E,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,oDAAoD;IACpD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,sDAAsD;IACtD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,2DAA2D;IAC3D,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,6DAA6D;IAC7D,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,iFAAiF;IACjF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC;IAC3B,qDAAqD;IACrD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,wDAAwD;IACxD,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;IACjC,oEAAoE;IACpE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC/C;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,aAAa,CAAC,YAAY,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiD5F"}