claude-crap 0.1.2

package/dist/adapters/bandit.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Bandit adapter.
+ *
+ * Bandit is a Python security linter. When run with `-f json` it
+ * emits a JSON report shaped like this (abbreviated):
+ *
+ *   {
+ *     "results": [
+ *       {
+ *         "filename": "app.py",
+ *         "line_number": 42,
+ *         "col_offset": 5,
+ *         "test_id": "B608",
+ *         "test_name": "hardcoded_sql_expressions",
+ *         "issue_severity": "HIGH",       // LOW | MEDIUM | HIGH
+ *         "issue_confidence": "HIGH",     // LOW | MEDIUM | HIGH
+ *         "issue_text": "Possible SQL injection via string-based query construction.",
+ *         "issue_cwe": { "id": 89 }
+ *       }
+ *     ],
+ *     "metrics": { ... },
+ *     "errors": [ ... ]
+ *   }
+ *
+ * This adapter converts each `results[]` entry into a SARIF 2.1.0
+ * `result`, mapping Bandit severity levels to SARIF levels:
+ *
+ *   LOW     → "note"
+ *   MEDIUM  → "warning"
+ *   HIGH    → "error"
+ *
+ * Every finding gets a rule id of `bandit.<test_id>` (e.g.
+ * `bandit.B608`) so it is trivial to correlate with Bandit's own docs
+ * from inside the claude-crap dashboard.
+ *
+ * @module adapters/bandit
+ */
+import { type AdapterResult } from "./common.js";
+/**
+ * Accept a Bandit JSON report and return a normalized
+ * `PersistedSarif` document.
+ *
+ * @param input Raw Bandit JSON (string or parsed object).
+ * @returns     Adapter result.
+ * @throws      When the input does not look like a Bandit report.
+ */
+export declare function adaptBandit(input: unknown): AdapterResult;
+//# sourceMappingURL=bandit.d.ts.map

package/dist/adapters/bandit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bandit.d.ts","sourceRoot":"","sources":["../../src/adapters/bandit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAGH,OAAO,EAGL,KAAK,aAAa,EAEnB,MAAM,aAAa,CAAC;AAoBrB;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,aAAa,CA6DzD"}

package/dist/adapters/bandit.js

@@ -0,0 +1,145 @@
+/**
+ * Bandit adapter.
+ *
+ * Bandit is a Python security linter. When run with `-f json` it
+ * emits a JSON report shaped like this (abbreviated):
+ *
+ *   {
+ *     "results": [
+ *       {
+ *         "filename": "app.py",
+ *         "line_number": 42,
+ *         "col_offset": 5,
+ *         "test_id": "B608",
+ *         "test_name": "hardcoded_sql_expressions",
+ *         "issue_severity": "HIGH",       // LOW | MEDIUM | HIGH
+ *         "issue_confidence": "HIGH",     // LOW | MEDIUM | HIGH
+ *         "issue_text": "Possible SQL injection via string-based query construction.",
+ *         "issue_cwe": { "id": 89 }
+ *       }
+ *     ],
+ *     "metrics": { ... },
+ *     "errors": [ ... ]
+ *   }
+ *
+ * This adapter converts each `results[]` entry into a SARIF 2.1.0
+ * `result`, mapping Bandit severity levels to SARIF levels:
+ *
+ *   LOW     → "note"
+ *   MEDIUM  → "warning"
+ *   HIGH    → "error"
+ *
+ * Every finding gets a rule id of `bandit.<test_id>` (e.g.
+ * `bandit.B608`) so it is trivial to correlate with Bandit's own docs
+ * from inside the claude-crap dashboard.
+ *
+ * @module adapters/bandit
+ */
+import { estimateEffortMinutes, wrapResultsInSarif, } from "./common.js";
+const BANDIT = "bandit";
+/**
+ * Accept a Bandit JSON report and return a normalized
+ * `PersistedSarif` document.
+ *
+ * @param input Raw Bandit JSON (string or parsed object).
+ * @returns     Adapter result.
+ * @throws      When the input does not look like a Bandit report.
+ */
+export function adaptBandit(input) {
+    const parsed = typeof input === "string" ? JSON.parse(input) : input;
+    if (!parsed || typeof parsed !== "object") {
+        throw new Error(`[adapter:bandit] expected a JSON object`);
+    }
+    const report = parsed;
+    if (!Array.isArray(report.results)) {
+        throw new Error(`[adapter:bandit] report is missing a results[] array`);
+    }
+    const results = [];
+    let totalEffortMinutes = 0;
+    for (const finding of report.results) {
+        const filename = finding.filename;
+        if (typeof filename !== "string" || !filename)
+            continue;
+        const level = mapSeverity(finding.issue_severity);
+        // High-severity security findings cost more to fix than the
+        // generic default, so we bias the budget toward reality. Bandit
+        // is always security-focused, so every finding is treated as a
+        // security issue for TDR accounting downstream.
+        const effortOverride = level === "error" ? 120 : level === "warning" ? 60 : 20;
+        const effort = estimateEffortMinutes(level, effortOverride);
+        totalEffortMinutes += effort;
+        const testId = finding.test_id ?? "unknown";
+        const ruleId = `bandit.${testId}`;
+        const messageText = finding.issue_text ??
+            `${finding.test_name ?? "Bandit finding"} (${finding.issue_severity ?? "UNKNOWN"})`;
+        const startLine = typeof finding.line_number === "number" && finding.line_number > 0
+            ? finding.line_number
+            : 1;
+        const startColumn = typeof finding.col_offset === "number" && finding.col_offset >= 0
+            ? finding.col_offset + 1
+            : 1;
+        results.push(buildSarifResult({
+            ruleId,
+            level,
+            message: messageText,
+            uri: filename,
+            startLine,
+            startColumn,
+            effortMinutes: effort,
+            cwe: finding.issue_cwe?.id,
+            confidence: finding.issue_confidence,
+        }));
+    }
+    return {
+        document: wrapResultsInSarif(BANDIT, "unknown", results),
+        sourceTool: BANDIT,
+        findingCount: results.length,
+        totalEffortMinutes,
+    };
+}
+/**
+ * Map Bandit's `issue_severity` string to a SARIF level. Unknown
+ * values default to `"warning"` so findings are still surfaced.
+ */
+function mapSeverity(severity) {
+    switch ((severity ?? "").toUpperCase()) {
+        case "HIGH":
+            return "error";
+        case "MEDIUM":
+            return "warning";
+        case "LOW":
+            return "note";
+        default:
+            return "warning";
+    }
+}
+/**
+ * Build the SARIF `result` object for a single Bandit finding. We
+ * stash the CWE id and Bandit confidence in the `properties` bag so
+ * consumers can surface them in the dashboard hot-spot view.
+ */
+function buildSarifResult(opts) {
+    return {
+        ruleId: opts.ruleId,
+        level: opts.level,
+        message: { text: opts.message },
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: { uri: opts.uri },
+                    region: {
+                        startLine: opts.startLine,
+                        startColumn: opts.startColumn,
+                    },
+                },
+            },
+        ],
+        properties: {
+            sourceTool: BANDIT,
+            effortMinutes: opts.effortMinutes,
+            ...(typeof opts.cwe === "number" ? { cwe: opts.cwe } : {}),
+            ...(typeof opts.confidence === "string" ? { confidence: opts.confidence } : {}),
+        },
+    };
+}
+//# sourceMappingURL=bandit.js.map

package/dist/adapters/bandit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bandit.js","sourceRoot":"","sources":["../../src/adapters/bandit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAGH,OAAO,EACL,qBAAqB,EACrB,kBAAkB,GAGnB,MAAM,aAAa,CAAC;AAErB,MAAM,MAAM,GAAiB,QAAQ,CAAC;AAkBtC;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAa,CAAC,CAAC,CAAC,KAAK,CAAC;IAClF,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,MAAM,MAAM,GAAG,MAAsB,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAA+C,EAAE,CAAC;IAC/D,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAE3B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAClC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ;YAAE,SAAS;QACxD,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAClD,4DAA4D;QAC5D,gEAAgE;QAChE,+DAA+D;QAC/D,gDAAgD;QAChD,MAAM,cAAc,GAAG,KAAK,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/E,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;QAC5D,kBAAkB,IAAI,MAAM,CAAC;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,CAAC;QAC5C,MAAM,MAAM,GAAG,UAAU,MAAM,EAAE,CAAC;QAClC,MAAM,WAAW,GACf,OAAO,CAAC,UAAU;YAClB,GAAG,OAAO,CAAC,SAAS,IAAI,gBAAgB,KAAK,OAAO,CAAC,cAAc,IAAI,SAAS,GAAG,CAAC;QAEtF,MAAM,SAAS,GACb,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,IAAI,OAAO,CAAC,WAAW,GAAG,CAAC;YAChE,CAAC,CAAC,OAAO,CAAC,WAAW;YACrB,CAAC,CAAC,CAAC,CAAC;QACR,MAAM,WAAW,GACf,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,CAAC,UAAU,IAAI,CAAC;YAC/D,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,CAAC;YACxB,CAAC,CAAC,CAAC,CAAC;QAER,OAAO,CAAC,IAAI,CACV,gBAAgB,CAAC;YACf,MAAM;YACN,KAAK;YACL,OAAO,EAAE,WAAW;YACpB,GAAG,EAAE,QAAQ;YACb,SAAS;YACT,WAAW;YACX,aAAa,EAAE,MAAM;YACrB,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,EAAE;YAC1B,UAAU,EAAE,OAAO,CAAC,gBAAgB;SACrC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC;QACxD,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,OAAO,CAAC,MAAM;QAC5B,kBAAkB;KACnB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,QAA4B;IAC/C,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACvC,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,SAAS,CAAC;QACnB,KAAK,KAAK;YACR,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAUzB;IACC,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;QAC/B,SAAS,EAAE;YACT;gBACE,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;oBACnC,MAAM,EAAE;wBACN,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,WAAW,EAAE,IAAI,CAAC,WAAW;qBAC9B;iBACF;aACF;SACF;QACD,UAAU,EAAE;YACV,UAAU,EAAE,MAAM;YAClB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,GAAG,CAAC,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,GAAG,CAAC,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChF;KACF,CAAC;AACJ,CAAC"}

package/dist/adapters/common.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Shared types and helpers for per-scanner SARIF adapters.
+ *
+ * Every adapter in this directory converts a scanner's native output
+ * into a `PersistedSarif` 2.1.0 document that the `SarifStore` can
+ * ingest directly. The adapters also enrich the finding `properties`
+ * bag with a stable `effortMinutes` field so the Stop quality gate and
+ * the Technical Debt Ratio computation can treat every source tool
+ * uniformly.
+ *
+ * Rule-level effort estimates live in `DEFAULT_EFFORT_BY_SEVERITY`.
+ * Individual adapters may override the default per rule id when the
+ * scanner attaches a more specific hint.
+ *
+ * @module adapters/common
+ */
+import type { PersistedSarif } from "../sarif/sarif-store.js";
+import type { SarifLevel } from "../sarif/sarif-builder.js";
+/**
+ * The canonical list of scanners claude-crap understands. The
+ * `ingest_scanner_output` MCP tool uses this as its `enum` constraint,
+ * so keeping it narrow prevents drift.
+ */
+export declare const KNOWN_SCANNERS: readonly ["semgrep", "eslint", "bandit", "stryker"];
+/**
+ * Union of supported scanner identifiers.
+ */
+export type KnownScanner = (typeof KNOWN_SCANNERS)[number];
+/**
+ * Default remediation effort in minutes per SARIF severity level. These
+ * numbers are deliberately conservative — real projects should override
+ * them per rule via adapter-specific rule maps or via SARIF properties.
+ *
+ * The mapping follows the common-sense rule that every bug takes at
+ * least a test plus a patch, so even a note-level finding costs time.
+ */
+export declare const DEFAULT_EFFORT_BY_SEVERITY: Readonly<Record<SarifLevel, number>>;
+/**
+ * Envelope common to every adapter output. Adapters return a
+ * `PersistedSarif` document and a small stats block describing what
+ * they saw, so the MCP tool handler can echo those stats back to the
+ * LLM even when the SarifStore rejects duplicates.
+ */
+export interface AdapterResult {
+    /** Normalized SARIF 2.1.0 document ready for `SarifStore.ingestRun`. */
+    readonly document: PersistedSarif;
+    /** Scanner identifier, propagated into every finding's `properties.sourceTool`. */
+    readonly sourceTool: KnownScanner;
+    /** Raw number of findings the adapter read from the scanner's native output. */
+    readonly findingCount: number;
+    /** Total estimated remediation effort across all findings, in minutes. */
+    readonly totalEffortMinutes: number;
+}
+/**
+ * Build a `PersistedSarif` document from a flat list of already-mapped
+ * result entries. Every adapter produces its results with the same
+ * shape and then calls this helper to wrap them in a valid 2.1.0 envelope.
+ *
+ * @param sourceTool  Stable scanner identifier (e.g. `"semgrep"`).
+ * @param version     Adapter version string stored in `tool.driver.version`.
+ * @param results     Pre-built SARIF `result` entries.
+ */
+export declare function wrapResultsInSarif(sourceTool: KnownScanner, version: string, results: ReadonlyArray<object>): PersistedSarif;
+/**
+ * Estimate remediation effort for a single finding given its severity
+ * and an optional rule-specific override. Returns `minutes` clamped to
+ * a non-negative integer.
+ *
+ * @param level     SARIF severity level (`"error"`, `"warning"`, ...).
+ * @param override  Optional rule-specific effort in minutes.
+ */
+export declare function estimateEffortMinutes(level: SarifLevel | undefined, override?: number): number;
+//# sourceMappingURL=common.d.ts.map

package/dist/adapters/common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../../src/adapters/common.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,cAAc,qDAAsD,CAAC;AAElF;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAE3D;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAK1E,CAAC;AAEH;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,wEAAwE;IACxE,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,mFAAmF;IACnF,QAAQ,CAAC,UAAU,EAAE,YAAY,CAAC;IAClC,gFAAgF;IAChF,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,0EAA0E;IAC1E,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;CACrC;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,YAAY,EACxB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,GAC7B,cAAc,CAgBhB;AAyBD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,UAAU,GAAG,SAAS,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAM9F"}

package/dist/adapters/common.js

@@ -0,0 +1,78 @@
+/**
+ * Shared types and helpers for per-scanner SARIF adapters.
+ *
+ * Every adapter in this directory converts a scanner's native output
+ * into a `PersistedSarif` 2.1.0 document that the `SarifStore` can
+ * ingest directly. The adapters also enrich the finding `properties`
+ * bag with a stable `effortMinutes` field so the Stop quality gate and
+ * the Technical Debt Ratio computation can treat every source tool
+ * uniformly.
+ *
+ * Rule-level effort estimates live in `DEFAULT_EFFORT_BY_SEVERITY`.
+ * Individual adapters may override the default per rule id when the
+ * scanner attaches a more specific hint.
+ *
+ * @module adapters/common
+ */
+/**
+ * The canonical list of scanners claude-crap understands. The
+ * `ingest_scanner_output` MCP tool uses this as its `enum` constraint,
+ * so keeping it narrow prevents drift.
+ */
+export const KNOWN_SCANNERS = ["semgrep", "eslint", "bandit", "stryker"];
+/**
+ * Default remediation effort in minutes per SARIF severity level. These
+ * numbers are deliberately conservative — real projects should override
+ * them per rule via adapter-specific rule maps or via SARIF properties.
+ *
+ * The mapping follows the common-sense rule that every bug takes at
+ * least a test plus a patch, so even a note-level finding costs time.
+ */
+export const DEFAULT_EFFORT_BY_SEVERITY = Object.freeze({
+    error: 60,
+    warning: 30,
+    note: 10,
+    none: 5,
+});
+/**
+ * Build a `PersistedSarif` document from a flat list of already-mapped
+ * result entries. Every adapter produces its results with the same
+ * shape and then calls this helper to wrap them in a valid 2.1.0 envelope.
+ *
+ * @param sourceTool  Stable scanner identifier (e.g. `"semgrep"`).
+ * @param version     Adapter version string stored in `tool.driver.version`.
+ * @param results     Pre-built SARIF `result` entries.
+ */
+export function wrapResultsInSarif(sourceTool, version, results) {
+    return {
+        $schema: "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: sourceTool,
+                        version,
+                    },
+                },
+                results: results,
+            },
+        ],
+    };
+}
+/**
+ * Estimate remediation effort for a single finding given its severity
+ * and an optional rule-specific override. Returns `minutes` clamped to
+ * a non-negative integer.
+ *
+ * @param level     SARIF severity level (`"error"`, `"warning"`, ...).
+ * @param override  Optional rule-specific effort in minutes.
+ */
+export function estimateEffortMinutes(level, override) {
+    if (typeof override === "number" && Number.isFinite(override) && override >= 0) {
+        return Math.round(override);
+    }
+    const base = DEFAULT_EFFORT_BY_SEVERITY[level ?? "warning"];
+    return Math.max(0, Math.round(base ?? 30));
+}
+//# sourceMappingURL=common.js.map

package/dist/adapters/common.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.js","sourceRoot":"","sources":["../../src/adapters/common.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAKH;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAU,CAAC;AAOlF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAyC,MAAM,CAAC,MAAM,CAAC;IAC5F,KAAK,EAAE,EAAE;IACT,OAAO,EAAE,EAAE;IACX,IAAI,EAAE,EAAE;IACR,IAAI,EAAE,CAAC;CACR,CAAC,CAAC;AAmBH;;;;;;;;GAQG;AACH,MAAM,UAAU,kBAAkB,CAChC,UAAwB,EACxB,OAAe,EACf,OAA8B;IAE9B,OAAO;QACL,OAAO,EAAE,qEAAqE;QAC9E,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,UAAU;wBAChB,OAAO;qBACR;iBACF;gBACD,OAAO,EAAE,OAA0C;aACpD;SACF;KACgB,CAAC;AACtB,CAAC;AAyBD;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAA6B,EAAE,QAAiB;IACpF,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;QAC/E,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IACD,MAAM,IAAI,GAAG,0BAA0B,CAAC,KAAK,IAAI,SAAS,CAAC,CAAC;IAC5D,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;AAC7C,CAAC"}

package/dist/adapters/eslint.d.ts

@@ -0,0 +1,52 @@
+/**
+ * ESLint adapter.
+ *
+ * ESLint's default JSON output (`eslint -f json .`) is NOT SARIF.
+ * This adapter converts it into a SARIF 2.1.0 document with one
+ * `result` per ESLint `messages[]` entry, mapping ESLint's numeric
+ * severity to SARIF levels:
+ *
+ *   severity 0 → "note"     (parser info / disabled)
+ *   severity 1 → "warning"
+ *   severity 2 → "error"
+ *
+ * ESLint's JSON shape:
+ *
+ *   [
+ *     {
+ *       "filePath": "/abs/path/to/foo.js",
+ *       "messages": [
+ *         {
+ *           "ruleId": "no-unused-vars",
+ *           "severity": 1,
+ *           "message": "'foo' is defined but never used.",
+ *           "line": 10,
+ *           "column": 5,
+ *           "endLine": 10,
+ *           "endColumn": 8
+ *         }
+ *       ],
+ *       "errorCount": 0,
+ *       "warningCount": 1,
+ *       "fatalErrorCount": 0,
+ *       "source": "...",
+ *       "usedDeprecatedRules": []
+ *     }
+ *   ]
+ *
+ * We preserve the full `line`/`column` range when ESLint provides one
+ * so the dashboard's hot-spot table can show a precise location.
+ *
+ * @module adapters/eslint
+ */
+import { type AdapterResult } from "./common.js";
+/**
+ * Accept ESLint native JSON output and return a normalized
+ * `PersistedSarif` document plus counts.
+ *
+ * @param input Raw ESLint JSON (string or parsed array).
+ * @returns     Adapter result.
+ * @throws      When the input is not a valid ESLint report.
+ */
+export declare function adaptEslint(input: unknown): AdapterResult;
+//# sourceMappingURL=eslint.d.ts.map

package/dist/adapters/eslint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eslint.d.ts","sourceRoot":"","sources":["../../src/adapters/eslint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAGH,OAAO,EAGL,KAAK,aAAa,EAEnB,MAAM,aAAa,CAAC;AAyBrB;;;;;;;GAOG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,aAAa,CA0CzD"}

package/dist/adapters/eslint.js

@@ -0,0 +1,142 @@
+/**
+ * ESLint adapter.
+ *
+ * ESLint's default JSON output (`eslint -f json .`) is NOT SARIF.
+ * This adapter converts it into a SARIF 2.1.0 document with one
+ * `result` per ESLint `messages[]` entry, mapping ESLint's numeric
+ * severity to SARIF levels:
+ *
+ *   severity 0 → "note"     (parser info / disabled)
+ *   severity 1 → "warning"
+ *   severity 2 → "error"
+ *
+ * ESLint's JSON shape:
+ *
+ *   [
+ *     {
+ *       "filePath": "/abs/path/to/foo.js",
+ *       "messages": [
+ *         {
+ *           "ruleId": "no-unused-vars",
+ *           "severity": 1,
+ *           "message": "'foo' is defined but never used.",
+ *           "line": 10,
+ *           "column": 5,
+ *           "endLine": 10,
+ *           "endColumn": 8
+ *         }
+ *       ],
+ *       "errorCount": 0,
+ *       "warningCount": 1,
+ *       "fatalErrorCount": 0,
+ *       "source": "...",
+ *       "usedDeprecatedRules": []
+ *     }
+ *   ]
+ *
+ * We preserve the full `line`/`column` range when ESLint provides one
+ * so the dashboard's hot-spot table can show a precise location.
+ *
+ * @module adapters/eslint
+ */
+import { estimateEffortMinutes, wrapResultsInSarif, } from "./common.js";
+const ESLINT = "eslint";
+/**
+ * Accept ESLint native JSON output and return a normalized
+ * `PersistedSarif` document plus counts.
+ *
+ * @param input Raw ESLint JSON (string or parsed array).
+ * @returns     Adapter result.
+ * @throws      When the input is not a valid ESLint report.
+ */
+export function adaptEslint(input) {
+    const parsed = typeof input === "string" ? JSON.parse(input) : input;
+    if (!Array.isArray(parsed)) {
+        throw new Error(`[adapter:eslint] expected an array of file reports`);
+    }
+    const results = [];
+    let totalEffortMinutes = 0;
+    for (const fileReport of parsed) {
+        const filePath = fileReport?.filePath;
+        if (typeof filePath !== "string" || !filePath)
+            continue;
+        const messages = Array.isArray(fileReport.messages) ? fileReport.messages : [];
+        for (const msg of messages) {
+            const level = mapSeverity(msg.severity);
+            const ruleId = typeof msg.ruleId === "string" ? msg.ruleId : "eslint.unknown";
+            const line = typeof msg.line === "number" && msg.line > 0 ? msg.line : 1;
+            const column = typeof msg.column === "number" && msg.column > 0 ? msg.column : 1;
+            const effort = estimateEffortMinutes(level);
+            totalEffortMinutes += effort;
+            results.push(buildSarifResult({
+                ruleId,
+                level,
+                message: msg.message ?? ruleId,
+                uri: filePath,
+                startLine: line,
+                startColumn: column,
+                endLine: typeof msg.endLine === "number" ? msg.endLine : undefined,
+                endColumn: typeof msg.endColumn === "number" ? msg.endColumn : undefined,
+                effortMinutes: effort,
+            }));
+        }
+    }
+    return {
+        document: wrapResultsInSarif(ESLINT, "unknown", results),
+        sourceTool: ESLINT,
+        findingCount: results.length,
+        totalEffortMinutes,
+    };
+}
+/**
+ * Translate ESLint's numeric severity to a SARIF level. ESLint uses:
+ *
+ *   0 = off / disabled   → `"note"` (informational)
+ *   1 = warn             → `"warning"`
+ *   2 = error            → `"error"`
+ *
+ * Unknown values default to `"warning"` so the finding is still
+ * visible without being treated as a blocker.
+ */
+function mapSeverity(severity) {
+    switch (severity) {
+        case 2:
+            return "error";
+        case 1:
+            return "warning";
+        case 0:
+            return "note";
+        default:
+            return "warning";
+    }
+}
+/**
+ * Assemble a SARIF `result` object from the narrow set of fields an
+ * ESLint message provides. The shape matches what the SarifStore
+ * expects when hydrating a finding from a persisted document.
+ */
+function buildSarifResult(opts) {
+    return {
+        ruleId: opts.ruleId,
+        level: opts.level,
+        message: { text: opts.message },
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: { uri: opts.uri },
+                    region: {
+                        startLine: opts.startLine,
+                        startColumn: opts.startColumn,
+                        ...(opts.endLine !== undefined ? { endLine: opts.endLine } : {}),
+                        ...(opts.endColumn !== undefined ? { endColumn: opts.endColumn } : {}),
+                    },
+                },
+            },
+        ],
+        properties: {
+            sourceTool: ESLINT,
+            effortMinutes: opts.effortMinutes,
+        },
+    };
+}
+//# sourceMappingURL=eslint.js.map

package/dist/adapters/eslint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eslint.js","sourceRoot":"","sources":["../../src/adapters/eslint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAGH,OAAO,EACL,qBAAqB,EACrB,kBAAkB,GAGnB,MAAM,aAAa,CAAC;AAErB,MAAM,MAAM,GAAiB,QAAQ,CAAC;AAuBtC;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAa,CAAC,CAAC,CAAC,KAAK,CAAC;IAClF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,OAAO,GAA+C,EAAE,CAAC;IAC/D,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAE3B,KAAK,MAAM,UAAU,IAAI,MAAyC,EAAE,CAAC;QACnE,MAAM,QAAQ,GAAG,UAAU,EAAE,QAAQ,CAAC;QACtC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ;YAAE,SAAS;QACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/E,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC;YAC9E,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACzE,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACjF,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;YAC5C,kBAAkB,IAAI,MAAM,CAAC;YAC7B,OAAO,CAAC,IAAI,CACV,gBAAgB,CAAC;gBACf,MAAM;gBACN,KAAK;gBACL,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,MAAM;gBAC9B,GAAG,EAAE,QAAQ;gBACb,SAAS,EAAE,IAAI;gBACf,WAAW,EAAE,MAAM;gBACnB,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;gBAClE,SAAS,EAAE,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;gBACxE,aAAa,EAAE,MAAM;aACtB,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,kBAAkB,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC;QACxD,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,OAAO,CAAC,MAAM;QAC5B,kBAAkB;KACnB,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,WAAW,CAAC,QAA4B;IAC/C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,CAAC;YACJ,OAAO,OAAO,CAAC;QACjB,KAAK,CAAC;YACJ,OAAO,SAAS,CAAC;QACnB,KAAK,CAAC;YACJ,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAUzB;IACC,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;QAC/B,SAAS,EAAE;YACT;gBACE,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE;oBACnC,MAAM,EAAE;wBACN,SAAS,EAAE,IAAI,CAAC,SAAS;wBACzB,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,GAAG,CAAC,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAChE,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBACvE;iBACF;aACF;SACF;QACD,UAAU,EAAE;YACV,UAAU,EAAE,MAAM;YAClB,aAAa,EAAE,IAAI,CAAC,aAAa;SAClC;KACF,CAAC;AACJ,CAAC"}

package/dist/adapters/index.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Public SDK entry point for the per-scanner SARIF adapters.
+ *
+ * Adapters convert a scanner's native output (SARIF, JSON, or some
+ * other structured format) into a normalized `PersistedSarif`
+ * document that the `SarifStore` can ingest directly. Every adapter
+ * enriches its findings with a stable `effortMinutes` value on the
+ * `properties` bag so the Stop quality gate and the project score
+ * engine can compute a Technical Debt Ratio.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   adaptScannerOutput,
+ *   adaptSemgrep,
+ *   adaptEslint,
+ *   adaptBandit,
+ *   adaptStryker,
+ * } from "claude-crap/adapters";
+ *
+ * const result = adaptScannerOutput("eslint", rawJsonFromEslint);
+ * sarifStore.ingestRun(result.document, result.sourceTool);
+ * ```
+ *
+ * @module adapters
+ */
+export { adaptSemgrep } from "./semgrep.js";
+export { adaptEslint } from "./eslint.js";
+export { adaptBandit } from "./bandit.js";
+export { adaptStryker } from "./stryker.js";
+export { DEFAULT_EFFORT_BY_SEVERITY, KNOWN_SCANNERS, estimateEffortMinutes, wrapResultsInSarif, } from "./common.js";
+export type { AdapterResult, KnownScanner } from "./common.js";
+import type { AdapterResult, KnownScanner } from "./common.js";
+/**
+ * Route a raw scanner output to the correct adapter based on its
+ * name. Preferred entry point for the `ingest_scanner_output` MCP
+ * tool — the dispatch is a single switch so the compiler can verify
+ * every case with `never` exhaustiveness.
+ *
+ * @param scanner   One of the known scanner identifiers.
+ * @param rawOutput The scanner's native output (string or parsed).
+ * @returns         A normalized `AdapterResult`.
+ * @throws          When `scanner` is unknown or the raw output is malformed.
+ */
+export declare function adaptScannerOutput(scanner: KnownScanner, rawOutput: unknown): AdapterResult;
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,OAAO,EACL,0BAA0B,EAC1B,cAAc,EACd,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AAErB,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAM/D,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE/D;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,YAAY,EACrB,SAAS,EAAE,OAAO,GACjB,aAAa,CAef"}