claude-crap 0.1.2

package/dist/sdk.js

@@ -0,0 +1,44 @@
+/**
+ * Root public SDK for `claude-crap`.
+ *
+ * This is the module you get when you do
+ * `import ... from "claude-crap"`. It is intentionally
+ * **side-effect-free**: importing this file does NOT start the MCP
+ * server, does NOT open the dashboard, does NOT touch the filesystem.
+ * Only the executable entrypoint in `dist/index.js` boots the
+ * server — that file is invoked by the `.mcp.json` command and the
+ * CLI bin, never as a library.
+ *
+ * Structure:
+ *
+ *   - `./metrics` — CRAP, TDR, project score, workspace walker
+ *   - `./sarif`   — SARIF 2.1.0 builder and on-disk store
+ *   - `./ast`     — tree-sitter engine, cyclomatic complexity, language config
+ *   - `./tools`   — test-harness resolver used by `require_test_harness`
+ *
+ * Prefer deep imports
+ * (`import { computeCrap } from "claude-crap/metrics"`) over
+ * pulling everything through the root — they give TypeScript more
+ * precise type information and help tree-shakers drop unused modules.
+ *
+ * The symbols re-exported here are the ones most code paths need:
+ *
+ *   - `computeCrap`, `computeTdr`, `computeProjectScore`
+ *   - `renderProjectScoreMarkdown`
+ *   - `classifyTdr`, `ratingIsWorseThan`
+ *   - `SarifStore`, `buildSarifDocument`
+ *   - `TreeSitterEngine`
+ *
+ * @module claude-crap
+ */
+// --- metrics ---------------------------------------------------------------
+export { computeCrap, computeTdr, classifyTdr, ratingIsWorseThan, ratingToRank, computeProjectScore, renderProjectScoreMarkdown, estimateWorkspaceLoc, } from "./metrics/index.js";
+// --- sarif -----------------------------------------------------------------
+export { SarifStore, buildSarifDocument } from "./sarif/index.js";
+// --- ast -------------------------------------------------------------------
+export { TreeSitterEngine, computeCyclomaticComplexity, detectLanguageFromPath, LANGUAGE_TABLE, } from "./ast/index.js";
+// --- tools -----------------------------------------------------------------
+export { findTestFile, isTestFile, candidatePaths } from "./tools/index.js";
+// --- adapters --------------------------------------------------------------
+export { adaptScannerOutput, adaptSemgrep, adaptEslint, adaptBandit, adaptStryker, KNOWN_SCANNERS, } from "./adapters/index.js";
+//# sourceMappingURL=sdk.js.map

package/dist/sdk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sdk.js","sourceRoot":"","sources":["../src/sdk.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,8EAA8E;AAC9E,OAAO,EACL,WAAW,EACX,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,YAAY,EACZ,mBAAmB,EACnB,0BAA0B,EAC1B,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAiB5B,8EAA8E;AAC9E,OAAO,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAWlE,8EAA8E;AAC9E,OAAO,EACL,gBAAgB,EAChB,2BAA2B,EAC3B,sBAAsB,EACtB,cAAc,GACf,MAAM,gBAAgB,CAAC;AAWxB,8EAA8E;AAC9E,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAG5E,8EAA8E;AAC9E,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,WAAW,EACX,WAAW,EACX,YAAY,EACZ,cAAc,GACf,MAAM,qBAAqB,CAAC"}

package/dist/tools/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Public SDK entry point for the tool backends that sit behind
+ * the `claude-crap` MCP server.
+ *
+ * These are the same pure functions the MCP server calls into — the
+ * server layer just wraps them in JSON-RPC. Downstream consumers can
+ * reuse them directly from any Node.js context without running the
+ * MCP server.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   findTestFile,
+ *   isTestFile,
+ *   candidatePaths,
+ * } from "claude-crap/tools";
+ * ```
+ *
+ * @module tools
+ */
+export { candidatePaths, findTestFile, isTestFile } from "./test-harness.js";
+export type { TestFileResolution } from "./test-harness.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/tools/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7E,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/tools/index.js

@@ -0,0 +1,23 @@
+/**
+ * Public SDK entry point for the tool backends that sit behind
+ * the `claude-crap` MCP server.
+ *
+ * These are the same pure functions the MCP server calls into — the
+ * server layer just wraps them in JSON-RPC. Downstream consumers can
+ * reuse them directly from any Node.js context without running the
+ * MCP server.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   findTestFile,
+ *   isTestFile,
+ *   candidatePaths,
+ * } from "claude-crap/tools";
+ * ```
+ *
+ * @module tools
+ */
+export { candidatePaths, findTestFile, isTestFile } from "./test-harness.js";
+//# sourceMappingURL=index.js.map

package/dist/tools/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/tools/test-harness.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Deterministic test-file resolver used by the `require_test_harness`
+ * MCP tool.
+ *
+ * Given a production source file (for example `src/foo/bar.ts`), this
+ * module enumerates the conventional locations where a matching test
+ * file would live and returns the first existing match — or `null` when
+ * none of the candidates exist.
+ *
+ * This is a TypeScript twin of `hooks/lib/test-harness.mjs`. The two
+ * are intentionally independent so neither side has to import files
+ * from outside its own project tree:
+ *
+ *   - Hooks use the `.mjs` copy (vanilla JS, zero deps, runs everywhere).
+ *   - The MCP server uses this typed copy so its consumers get full
+ *     type safety and so the server stays a self-contained npm package.
+ *
+ * Both copies implement the same conventions and are validated against
+ * the same unit tests — see `src/tests/test-harness.test.ts`.
+ *
+ * @module tools/test-harness
+ */
+/**
+ * Result of probing the filesystem for a matching test file.
+ */
+export interface TestFileResolution {
+    /** Absolute path of the first matching test file, or `null` when none exists. */
+    readonly testFile: string | null;
+    /** Absolute paths of every location the resolver tried. */
+    readonly candidates: ReadonlyArray<string>;
+    /** `true` when the input path itself is a test file. */
+    readonly isTestFile: boolean;
+}
+/**
+ * Return `true` when the given path is already a test file. Matching is
+ * done against the basename (`foo.test.ts`, `test_foo.py`) and against
+ * common test directory names in the path (`__tests__`, `tests`, `test`).
+ *
+ * @param filePath An absolute or relative source path.
+ */
+export declare function isTestFile(filePath: string): boolean;
+/**
+ * Enumerate every plausible test file path for a given production source
+ * file. Does not touch the filesystem — the caller is expected to probe
+ * existence separately (see {@link findTestFile}).
+ *
+ * Supported conventions, in the order they are probed:
+ *
+ *   1. Sibling `<base>.test.<ext>` / `<base>.spec.<ext>`
+ *   2. Sibling `__tests__/<base>.test.<ext>`
+ *   3. Mirror tree under `tests/`, `test/`, or `__tests__/` at the
+ *      workspace root (e.g. `tests/src/foo/bar.test.ts`)
+ *   4. **Nearest-ancestor flat test directory**: walk up from the source
+ *      file's directory toward the workspace root, and at every ancestor
+ *      check for `tests/<base>.test.<ext>`. Matches layouts where tests
+ *      live in a single flat directory near the source (this project
+ *      uses it for `src/mcp-server/src/tests/`).
+ *   5. Python-specific: sibling `test_<base>.py` and mirror-tree
+ *      `tests/.../test_<base>.py`.
+ *
+ * @param workspaceRoot Absolute workspace root.
+ * @param filePath      Absolute path to the production file.
+ * @returns             Ordered list of absolute candidate paths.
+ */
+export declare function candidatePaths(workspaceRoot: string, filePath: string): ReadonlyArray<string>;
+/**
+ * Probe the filesystem and return the first candidate that exists, or
+ * `null` when none of them do. Returns early with `isTestFile: true`
+ * when the input is already a test file.
+ *
+ * @param workspaceRoot Absolute workspace root.
+ * @param filePath      Absolute or relative path to the production file.
+ */
+export declare function findTestFile(workspaceRoot: string, filePath: string): Promise<TestFileResolution>;
+//# sourceMappingURL=test-harness.d.ts.map

package/dist/tools/test-harness.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-harness.d.ts","sourceRoot":"","sources":["../../src/tools/test-harness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAKH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,iFAAiF;IACjF,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,2DAA2D;IAC3D,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC3C,wDAAwD;IACxD,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;CAC9B;AAKD;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMpD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,cAAc,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAkD7F;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAChC,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,CAAC,CAe7B"}

package/dist/tools/test-harness.js

@@ -0,0 +1,137 @@
+/**
+ * Deterministic test-file resolver used by the `require_test_harness`
+ * MCP tool.
+ *
+ * Given a production source file (for example `src/foo/bar.ts`), this
+ * module enumerates the conventional locations where a matching test
+ * file would live and returns the first existing match — or `null` when
+ * none of the candidates exist.
+ *
+ * This is a TypeScript twin of `hooks/lib/test-harness.mjs`. The two
+ * are intentionally independent so neither side has to import files
+ * from outside its own project tree:
+ *
+ *   - Hooks use the `.mjs` copy (vanilla JS, zero deps, runs everywhere).
+ *   - The MCP server uses this typed copy so its consumers get full
+ *     type safety and so the server stays a self-contained npm package.
+ *
+ * Both copies implement the same conventions and are validated against
+ * the same unit tests — see `src/tests/test-harness.test.ts`.
+ *
+ * @module tools/test-harness
+ */
+import { promises as fs } from "node:fs";
+import { basename, dirname, extname, isAbsolute, join, relative, resolve, sep } from "node:path";
+/** Matches `.test.` and `.spec.` suffixes inside a file basename. */
+const TEST_SUFFIX_PATTERN = /\.(test|spec)\./;
+/**
+ * Return `true` when the given path is already a test file. Matching is
+ * done against the basename (`foo.test.ts`, `test_foo.py`) and against
+ * common test directory names in the path (`__tests__`, `tests`, `test`).
+ *
+ * @param filePath An absolute or relative source path.
+ */
+export function isTestFile(filePath) {
+    const base = basename(filePath);
+    if (TEST_SUFFIX_PATTERN.test(base))
+        return true;
+    if (base.startsWith("test_") && base.endsWith(".py"))
+        return true;
+    const parts = filePath.split(sep);
+    return parts.includes("__tests__") || parts.includes("tests") || parts.includes("test");
+}
+/**
+ * Enumerate every plausible test file path for a given production source
+ * file. Does not touch the filesystem — the caller is expected to probe
+ * existence separately (see {@link findTestFile}).
+ *
+ * Supported conventions, in the order they are probed:
+ *
+ *   1. Sibling `<base>.test.<ext>` / `<base>.spec.<ext>`
+ *   2. Sibling `__tests__/<base>.test.<ext>`
+ *   3. Mirror tree under `tests/`, `test/`, or `__tests__/` at the
+ *      workspace root (e.g. `tests/src/foo/bar.test.ts`)
+ *   4. **Nearest-ancestor flat test directory**: walk up from the source
+ *      file's directory toward the workspace root, and at every ancestor
+ *      check for `tests/<base>.test.<ext>`. Matches layouts where tests
+ *      live in a single flat directory near the source (this project
+ *      uses it for `src/mcp-server/src/tests/`).
+ *   5. Python-specific: sibling `test_<base>.py` and mirror-tree
+ *      `tests/.../test_<base>.py`.
+ *
+ * @param workspaceRoot Absolute workspace root.
+ * @param filePath      Absolute path to the production file.
+ * @returns             Ordered list of absolute candidate paths.
+ */
+export function candidatePaths(workspaceRoot, filePath) {
+    const absSource = resolve(filePath);
+    const ext = extname(absSource);
+    const base = basename(absSource, ext);
+    const dir = dirname(absSource);
+    const absWorkspace = resolve(workspaceRoot);
+    const relFromRoot = relative(absWorkspace, absSource);
+    const relDir = dirname(relFromRoot);
+    const candidates = new Set();
+    // 1. Sibling <base>.test.<ext> / <base>.spec.<ext>
+    candidates.add(join(dir, `${base}.test${ext}`));
+    candidates.add(join(dir, `${base}.spec${ext}`));
+    // 2. Sibling __tests__/<base>.test.<ext>
+    candidates.add(join(dir, "__tests__", `${base}.test${ext}`));
+    candidates.add(join(dir, "__tests__", `${base}.spec${ext}`));
+    // 3. Mirror tree under tests/, test/, or __tests__ at the workspace root.
+    for (const testRoot of ["tests", "test", "__tests__"]) {
+        candidates.add(join(absWorkspace, testRoot, relDir, `${base}.test${ext}`));
+        candidates.add(join(absWorkspace, testRoot, relDir, `${base}.spec${ext}`));
+        candidates.add(join(absWorkspace, testRoot, relDir, `${base}${ext}`));
+    }
+    // 4. Nearest-ancestor flat test directory. Walk up from `dir` to
+    //    `absWorkspace`, and at each ancestor probe for a flat
+    //    `tests/<base>.test.<ext>` (or `test/`, `__tests__/`) layout.
+    let current = dir;
+    while (current.length >= absWorkspace.length) {
+        for (const testRoot of ["tests", "test", "__tests__"]) {
+            candidates.add(join(current, testRoot, `${base}.test${ext}`));
+            candidates.add(join(current, testRoot, `${base}.spec${ext}`));
+            candidates.add(join(current, testRoot, `${base}${ext}`));
+        }
+        if (current === absWorkspace)
+            break;
+        const parent = dirname(current);
+        if (parent === current)
+            break; // reached filesystem root, stop
+        current = parent;
+    }
+    // 5. Python-specific variants.
+    if (ext === ".py") {
+        candidates.add(join(dir, `test_${base}.py`));
+        candidates.add(join(absWorkspace, "tests", `test_${base}.py`));
+        candidates.add(join(absWorkspace, "tests", relDir, `test_${base}.py`));
+    }
+    return Array.from(candidates);
+}
+/**
+ * Probe the filesystem and return the first candidate that exists, or
+ * `null` when none of them do. Returns early with `isTestFile: true`
+ * when the input is already a test file.
+ *
+ * @param workspaceRoot Absolute workspace root.
+ * @param filePath      Absolute or relative path to the production file.
+ */
+export async function findTestFile(workspaceRoot, filePath) {
+    const absolute = isAbsolute(filePath) ? filePath : resolve(workspaceRoot, filePath);
+    if (isTestFile(absolute)) {
+        return { testFile: absolute, candidates: [absolute], isTestFile: true };
+    }
+    const candidates = candidatePaths(workspaceRoot, absolute);
+    for (const candidate of candidates) {
+        try {
+            await fs.access(candidate);
+            return { testFile: candidate, candidates, isTestFile: false };
+        }
+        catch {
+            // Probe next candidate.
+        }
+    }
+    return { testFile: null, candidates, isTestFile: false };
+}
+//# sourceMappingURL=test-harness.js.map

package/dist/tools/test-harness.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-harness.js","sourceRoot":"","sources":["../../src/tools/test-harness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAcjG,qEAAqE;AACrE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC;AAE9C;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB;IACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClE,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1F,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,cAAc,CAAC,aAAqB,EAAE,QAAgB;IACpE,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,QAAQ,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC5C,MAAM,WAAW,GAAG,QAAQ,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAEpC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IAErC,mDAAmD;IACnD,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;IAChD,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;IAEhD,yCAAyC;IACzC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;IAC7D,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;IAE7D,0EAA0E;IAC1E,KAAK,MAAM,QAAQ,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;QACtD,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;QAC3E,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;QAC3E,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,iEAAiE;IACjE,2DAA2D;IAC3D,kEAAkE;IAClE,IAAI,OAAO,GAAG,GAAG,CAAC;IAClB,OAAO,OAAO,CAAC,MAAM,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QAC7C,KAAK,MAAM,QAAQ,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;YACtD,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;YAC9D,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,QAAQ,GAAG,EAAE,CAAC,CAAC,CAAC;YAC9D,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,OAAO,KAAK,YAAY;YAAE,MAAM;QACpC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,OAAO;YAAE,MAAM,CAAC,gCAAgC;QAC/D,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;IAED,+BAA+B;IAC/B,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;QAC7C,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;QAC/D,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,aAAqB,EACrB,QAAgB;IAEhB,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IACpF,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,QAAQ,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IAC1E,CAAC;IACD,MAAM,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAC3D,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC3B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAC3D,CAAC"}

package/dist/workspace-guard.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Workspace path containment guard.
+ *
+ * Every MCP tool that accepts a user-supplied file path routes it
+ * through {@link resolveWithinWorkspace} before touching the
+ * filesystem. The guard rejects any resolved absolute path that is
+ * outside the configured workspace root, so the agent cannot be
+ * tricked (via prompt injection through scanner output, or via its
+ * own confusion) into reading files that live next to the project
+ * but outside it.
+ *
+ * F-A01-01: the original guard in `src/index.ts` used a naive
+ * `candidate.startsWith(workspace)` check, which suffers from prefix
+ * confusion — for a workspace like `/Users/x/claude-crap`, an
+ * absolute input path such as `/Users/x/claude-crap-evil/secret.ts`
+ * would pass the check because the two share the literal prefix up
+ * to the final segment. This module replaces that check with a
+ * separator-aware comparison: the candidate is only accepted if it
+ * equals the workspace exactly OR begins with `workspace + sep`.
+ *
+ * This module is intentionally pure (no I/O, no global state) so it
+ * can be unit-tested without any fixtures.
+ *
+ * @module workspace-guard
+ */
+/**
+ * Resolve a user-supplied file path against a workspace root, returning
+ * the absolute path only if it is contained inside the root. Throws a
+ * descriptive error when the resolved candidate escapes the workspace.
+ *
+ * Rules enforced (must stay in sync with
+ * `src/tests/workspace-guard.test.ts`):
+ *
+ *   1. Relative paths are resolved against `workspaceRoot`.
+ *   2. Absolute paths are accepted as-is for resolution.
+ *   3. The resolved candidate must equal `workspaceRoot` OR begin with
+ *      `workspaceRoot + sep`. Sibling directories that merely share a
+ *      prefix (e.g. `/tmp/workspace-evil` vs `/tmp/workspace`) are
+ *      rejected.
+ *   4. The comparison uses the platform's native path separator, so
+ *      the guard works on both POSIX and Windows.
+ *
+ * @param workspaceRoot Absolute or relative path to the workspace root.
+ *                      Non-absolute values are resolved against the
+ *                      current working directory, which matches the
+ *                      behavior of the previous in-lined guard.
+ * @param filePath      User-supplied path. May be absolute or relative
+ *                      to the workspace root.
+ * @returns             The absolute, workspace-contained path.
+ * @throws              `Error` when the candidate escapes the workspace.
+ */
+export declare function resolveWithinWorkspace(workspaceRoot: string, filePath: string): string;
+//# sourceMappingURL=workspace-guard.d.ts.map

package/dist/workspace-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-guard.d.ts","sourceRoot":"","sources":["../src/workspace-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAStF"}

package/dist/workspace-guard.js

@@ -0,0 +1,61 @@
+/**
+ * Workspace path containment guard.
+ *
+ * Every MCP tool that accepts a user-supplied file path routes it
+ * through {@link resolveWithinWorkspace} before touching the
+ * filesystem. The guard rejects any resolved absolute path that is
+ * outside the configured workspace root, so the agent cannot be
+ * tricked (via prompt injection through scanner output, or via its
+ * own confusion) into reading files that live next to the project
+ * but outside it.
+ *
+ * F-A01-01: the original guard in `src/index.ts` used a naive
+ * `candidate.startsWith(workspace)` check, which suffers from prefix
+ * confusion — for a workspace like `/Users/x/claude-crap`, an
+ * absolute input path such as `/Users/x/claude-crap-evil/secret.ts`
+ * would pass the check because the two share the literal prefix up
+ * to the final segment. This module replaces that check with a
+ * separator-aware comparison: the candidate is only accepted if it
+ * equals the workspace exactly OR begins with `workspace + sep`.
+ *
+ * This module is intentionally pure (no I/O, no global state) so it
+ * can be unit-tested without any fixtures.
+ *
+ * @module workspace-guard
+ */
+import { isAbsolute, resolve, sep } from "node:path";
+/**
+ * Resolve a user-supplied file path against a workspace root, returning
+ * the absolute path only if it is contained inside the root. Throws a
+ * descriptive error when the resolved candidate escapes the workspace.
+ *
+ * Rules enforced (must stay in sync with
+ * `src/tests/workspace-guard.test.ts`):
+ *
+ *   1. Relative paths are resolved against `workspaceRoot`.
+ *   2. Absolute paths are accepted as-is for resolution.
+ *   3. The resolved candidate must equal `workspaceRoot` OR begin with
+ *      `workspaceRoot + sep`. Sibling directories that merely share a
+ *      prefix (e.g. `/tmp/workspace-evil` vs `/tmp/workspace`) are
+ *      rejected.
+ *   4. The comparison uses the platform's native path separator, so
+ *      the guard works on both POSIX and Windows.
+ *
+ * @param workspaceRoot Absolute or relative path to the workspace root.
+ *                      Non-absolute values are resolved against the
+ *                      current working directory, which matches the
+ *                      behavior of the previous in-lined guard.
+ * @param filePath      User-supplied path. May be absolute or relative
+ *                      to the workspace root.
+ * @returns             The absolute, workspace-contained path.
+ * @throws              `Error` when the candidate escapes the workspace.
+ */
+export function resolveWithinWorkspace(workspaceRoot, filePath) {
+    const workspace = resolve(workspaceRoot);
+    const candidate = isAbsolute(filePath) ? resolve(filePath) : resolve(workspace, filePath);
+    if (candidate !== workspace && !candidate.startsWith(workspace + sep)) {
+        throw new Error(`[claude-crap] Refusing to access '${filePath}' — path escapes the workspace root`);
+    }
+    return candidate;
+}
+//# sourceMappingURL=workspace-guard.js.map

package/dist/workspace-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-guard.js","sourceRoot":"","sources":["../src/workspace-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAErD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,sBAAsB,CAAC,aAAqB,EAAE,QAAgB;IAC5E,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC1F,IAAI,SAAS,KAAK,SAAS,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,qCAAqC,QAAQ,qCAAqC,CACnF,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/package.json

@@ -0,0 +1,133 @@
+{
+  "name": "claude-crap",
+  "version": "0.1.2",
+  "description": "Deterministic QA plugin for Claude Code — CRAP index, Technical Debt Ratio, tree-sitter AST, SARIF 2.1.0, hooks, and a local Vue dashboard.",
+  "keywords": [
+    "claude-code",
+    "claude-code-plugin",
+    "quality-assurance",
+    "sast",
+    "sarif",
+    "crap-index",
+    "technical-debt",
+    "quality-gate",
+    "shift-left",
+    "deterministic",
+    "mutation-testing",
+    "mcp-server",
+    "mcp",
+    "tree-sitter"
+  ],
+  "homepage": "https://github.com/ahernandez-developer/claude-crap",
+  "bugs": {
+    "url": "https://github.com/ahernandez-developer/claude-crap/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ahernandez-developer/claude-crap.git"
+  },
+  "license": "MIT",
+  "author": "Alan Hernandez",
+  "type": "module",
+  "main": "./dist/sdk.js",
+  "types": "./dist/sdk.d.ts",
+  "bin": {
+    "claude-crap": "./bin/claude-crap.mjs"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/sdk.d.ts",
+      "import": "./dist/sdk.js"
+    },
+    "./metrics": {
+      "types": "./dist/metrics/index.d.ts",
+      "import": "./dist/metrics/index.js"
+    },
+    "./sarif": {
+      "types": "./dist/sarif/index.d.ts",
+      "import": "./dist/sarif/index.js"
+    },
+    "./ast": {
+      "types": "./dist/ast/index.d.ts",
+      "import": "./dist/ast/index.js"
+    },
+    "./tools": {
+      "types": "./dist/tools/index.d.ts",
+      "import": "./dist/tools/index.js"
+    },
+    "./adapters": {
+      "types": "./dist/adapters/index.d.ts",
+      "import": "./dist/adapters/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "engines": {
+    "node": ">=20.0.0",
+    "bun": ">=1.0.0"
+  },
+  "files": [
+    "CHANGELOG.md",
+    "CLAUDE.md",
+    "LICENSE",
+    "README.md",
+    "bin",
+    "dist",
+    "plugin",
+    "scripts",
+    "src",
+    "tsconfig.json"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "build:fast": "node ./scripts/build-fast.mjs",
+    "build:watch": "tsc -p tsconfig.json --watch",
+    "start": "node ./plugin/bundle/mcp-server.mjs --transport stdio",
+    "dev": "tsx ./src/index.ts --transport stdio",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "node ./scripts/run-tests.mjs \"./src/tests/**/*.test.ts\"",
+    "test:metrics": "node ./scripts/run-tests.mjs \"./src/tests/crap.test.ts\" \"./src/tests/tdr.test.ts\" \"./src/tests/score.test.ts\"",
+    "test:sarif": "node ./scripts/run-tests.mjs \"./src/tests/sarif-store.test.ts\" \"./src/tests/sarif-validator.test.ts\"",
+    "test:ast": "node ./scripts/run-tests.mjs \"./src/tests/cyclomatic.test.ts\"",
+    "test:harness": "node ./scripts/run-tests.mjs \"./src/tests/test-harness.test.ts\"",
+    "test:adapters": "node ./scripts/run-tests.mjs \"./src/tests/adapters/**/*.test.ts\"",
+    "test:integration": "node ./scripts/run-tests.mjs \"./src/tests/integration/**/*.test.ts\"",
+    "doctor": "node ./bin/claude-crap.mjs doctor",
+    "status": "node ./bin/claude-crap.mjs status",
+    "bug-report": "node ./scripts/bug-report.mjs",
+    "clean": "rm -rf ./dist",
+    "build:plugin": "node ./scripts/bundle-plugin.mjs",
+    "postinstall": "node ./scripts/postinstall.mjs",
+    "prepublishOnly": "npm run clean && npm run build && npm run build:plugin && npm test && npm audit --omit=dev --audit-level=high",
+    "release": "np",
+    "release:patch": "np patch --no-cleanup",
+    "release:minor": "np minor --no-cleanup",
+    "release:major": "np major --no-cleanup"
+  },
+  "np": {
+    "yarn": false,
+    "contents": ".",
+    "testScript": "test",
+    "2fa": false
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@fastify/static": "^8.0.3",
+    "@modelcontextprotocol/sdk": "^1.0.4",
+    "ajv": "^8.17.1",
+    "ajv-formats": "^3.0.1",
+    "fast-glob": "^3.3.2",
+    "fastify": "^5.2.0",
+    "pino": "^9.5.0",
+    "tree-sitter-wasms": "^0.1.12",
+    "web-tree-sitter": "^0.24.4"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.2",
+    "esbuild": "^0.28.0",
+    "np": "^11.0.2",
+    "tsx": "^4.19.2",
+    "typescript": "^5.7.2"
+  }
+}

package/plugin/.claude-plugin/plugin.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "https://code.claude.com/schemas/plugin.json",
+  "name": "claude-crap",
+  "version": "0.1.2",
+  "description": "Deterministic Quality Assurance plugin for Claude Code. Wraps every Write / Edit / Bash tool call with a PreToolUse gatekeeper, a PostToolUse verifier, and a Stop quality gate backed by CRAP index, Technical Debt Ratio, tree-sitter AST metrics, and SARIF 2.1.0 reports. Forbids the agent from writing functional code before a test safety net exists.",
+  "author": {
+    "name": "Alan Hernandez",
+    "url": "https://github.com/ahernandez-developer"
+  },
+  "homepage": "https://github.com/ahernandez-developer/claude-crap",
+  "repository": "https://github.com/ahernandez-developer/claude-crap",
+  "license": "MIT",
+  "keywords": [
+    "claude-code",
+    "claude-code-plugin",
+    "quality-assurance",
+    "sast",
+    "sarif",
+    "crap-index",
+    "technical-debt",
+    "quality-gate",
+    "shift-left",
+    "deterministic",
+    "mutation-testing",
+    "mcp-server",
+    "mcp",
+    "tree-sitter"
+  ]
+}

package/plugin/.mcp.json

@@ -0,0 +1,18 @@
+{
+  "$schema": "https://code.claude.com/schemas/mcp.json",
+  "mcpServers": {
+    "claude-crap": {
+      "type": "stdio",
+      "command": "node",
+      "args": [
+        "${CLAUDE_PLUGIN_ROOT}/bundle/mcp-server.mjs",
+        "--transport",
+        "stdio"
+      ],
+      "env": {
+        "NODE_ENV": "production",
+        "CLAUDE_CRAP_PLUGIN_ROOT": "${CLAUDE_PLUGIN_ROOT}"
+      }
+    }
+  }
+}