claude-crap 0.1.2

package/src/tests/adapters/eslint.test.ts

@@ -0,0 +1,138 @@
+/**
+ * Unit tests for the ESLint adapter.
+ *
+ * ESLint's native JSON format (`eslint -f json`) is an array of file
+ * reports with a `messages[]` array inside each. The adapter flattens
+ * every message into a SARIF `result` and maps severity codes
+ * 0 / 1 / 2 to "note" / "warning" / "error".
+ *
+ * @module tests/adapters/eslint.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { adaptEslint } from "../../adapters/eslint.js";
+
+describe("adaptEslint", () => {
+  it("maps severity 2 to SARIF error", () => {
+    const raw = [
+      {
+        filePath: "/abs/src/a.js",
+        messages: [
+          {
+            ruleId: "no-undef",
+            severity: 2,
+            message: "'foo' is not defined.",
+            line: 10,
+            column: 5,
+          },
+        ],
+      },
+    ];
+    const result = adaptEslint(raw);
+    const sarifResult = result.document.runs[0]?.results?.[0] as { level?: string };
+    assert.equal(sarifResult?.level, "error");
+    assert.equal(result.sourceTool, "eslint");
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("maps severity 1 to SARIF warning and 0 to note", () => {
+    const raw = [
+      {
+        filePath: "/abs/src/b.js",
+        messages: [
+          { ruleId: "no-unused-vars", severity: 1, message: "warn", line: 1, column: 1 },
+          { ruleId: "no-console", severity: 0, message: "off", line: 2, column: 1 },
+        ],
+      },
+    ];
+    const result = adaptEslint(raw);
+    const levels = (result.document.runs[0]?.results ?? [])
+      .map((r) => (r as { level?: string }).level)
+      .sort();
+    assert.deepEqual(levels, ["note", "warning"]);
+  });
+
+  it("propagates line, column, endLine, and endColumn", () => {
+    const raw = [
+      {
+        filePath: "/abs/src/c.js",
+        messages: [
+          {
+            ruleId: "prefer-const",
+            severity: 1,
+            message: "use const",
+            line: 42,
+            column: 9,
+            endLine: 42,
+            endColumn: 15,
+          },
+        ],
+      },
+    ];
+    const result = adaptEslint(raw);
+    const first = result.document.runs[0]?.results?.[0] as {
+      locations?: Array<{
+        physicalLocation?: {
+          region?: { startLine?: number; startColumn?: number; endLine?: number; endColumn?: number };
+        };
+      }>;
+    };
+    const region = first?.locations?.[0]?.physicalLocation?.region;
+    assert.equal(region?.startLine, 42);
+    assert.equal(region?.startColumn, 9);
+    assert.equal(region?.endLine, 42);
+    assert.equal(region?.endColumn, 15);
+  });
+
+  it("flattens multiple file reports into a single run", () => {
+    const raw = [
+      {
+        filePath: "/abs/src/x.js",
+        messages: [{ ruleId: "r1", severity: 2, message: "m1", line: 1, column: 1 }],
+      },
+      {
+        filePath: "/abs/src/y.js",
+        messages: [{ ruleId: "r2", severity: 1, message: "m2", line: 2, column: 2 }],
+      },
+    ];
+    const result = adaptEslint(raw);
+    assert.equal(result.findingCount, 2);
+    assert.equal(result.document.runs.length, 1);
+  });
+
+  it("accepts a JSON string", () => {
+    const raw = JSON.stringify([
+      { filePath: "/a.js", messages: [{ ruleId: "r", severity: 2, message: "m", line: 1, column: 1 }] },
+    ]);
+    const result = adaptEslint(raw);
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("throws when the input is not an array of file reports", () => {
+    assert.throws(() => adaptEslint({ not: "an array" }));
+  });
+
+  it("ignores file reports with no filePath", () => {
+    const raw = [
+      { messages: [{ ruleId: "r", severity: 2, message: "m", line: 1, column: 1 }] },
+      {
+        filePath: "/a.js",
+        messages: [{ ruleId: "r2", severity: 1, message: "m2", line: 1, column: 1 }],
+      },
+    ];
+    const result = adaptEslint(raw);
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("propagates error budgets proportional to severity", () => {
+    const errorOnly = adaptEslint([
+      { filePath: "/a.js", messages: [{ ruleId: "r", severity: 2, message: "m", line: 1, column: 1 }] },
+    ]);
+    const warnOnly = adaptEslint([
+      { filePath: "/a.js", messages: [{ ruleId: "r", severity: 1, message: "m", line: 1, column: 1 }] },
+    ]);
+    assert.ok(errorOnly.totalEffortMinutes > warnOnly.totalEffortMinutes);
+  });
+});

package/src/tests/adapters/semgrep.test.ts

@@ -0,0 +1,125 @@
+/**
+ * Unit tests for the Semgrep SARIF adapter.
+ *
+ * Semgrep emits SARIF 2.1.0 natively, so the adapter's responsibility
+ * is enrichment: add `effortMinutes` and `sourceTool` to every
+ * finding's `properties` bag, and normalize `tool.driver.name` to the
+ * canonical `"semgrep"` string.
+ *
+ * @module tests/adapters/semgrep.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { adaptSemgrep } from "../../adapters/semgrep.js";
+import type { PersistedSarif } from "../../sarif/sarif-store.js";
+
+/**
+ * Build a minimal semgrep-style SARIF document with one finding.
+ */
+function makeSemgrepSarif(opts: {
+  ruleId?: string;
+  level?: "error" | "warning" | "note";
+  line?: number;
+  column?: number;
+}): PersistedSarif {
+  return {
+    version: "2.1.0",
+    runs: [
+      {
+        tool: { driver: { name: "Semgrep OSS", version: "1.108.0" } },
+        results: [
+          {
+            ruleId: opts.ruleId ?? "python.lang.security.dangerous-call",
+            level: opts.level ?? "warning",
+            message: { text: "Dangerous call detected" },
+            locations: [
+              {
+                physicalLocation: {
+                  artifactLocation: { uri: "src/app.py" },
+                  region: {
+                    startLine: opts.line ?? 12,
+                    startColumn: opts.column ?? 3,
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      },
+    ],
+  };
+}
+
+describe("adaptSemgrep", () => {
+  it("normalizes tool.driver.name to the canonical 'semgrep' value", () => {
+    const result = adaptSemgrep(makeSemgrepSarif({}));
+    assert.equal(result.sourceTool, "semgrep");
+    const driver = result.document.runs[0]?.tool?.driver;
+    assert.equal(driver?.name, "semgrep");
+    // Original version should be preserved when present.
+    assert.equal(driver?.version, "1.108.0");
+  });
+
+  it("attaches effortMinutes and sourceTool to every result's properties", () => {
+    const result = adaptSemgrep(
+      makeSemgrepSarif({ ruleId: "javascript.unused-var", level: "warning" }),
+    );
+    const firstResult = result.document.runs[0]?.results?.[0] as {
+      properties?: { effortMinutes?: number; sourceTool?: string };
+    };
+    assert.equal(firstResult?.properties?.sourceTool, "semgrep");
+    assert.ok(
+      typeof firstResult?.properties?.effortMinutes === "number" &&
+        firstResult.properties.effortMinutes > 0,
+    );
+  });
+
+  it("assigns a higher effort budget to security.* rules", () => {
+    const securityResult = adaptSemgrep(
+      makeSemgrepSarif({ ruleId: "python.lang.security.audit.eval", level: "error" }),
+    );
+    const stylisticResult = adaptSemgrep(
+      makeSemgrepSarif({ ruleId: "python.lang.style.missing-semicolon", level: "warning" }),
+    );
+    assert.ok(
+      securityResult.totalEffortMinutes > stylisticResult.totalEffortMinutes,
+      "security rules should cost more than stylistic rules",
+    );
+  });
+
+  it("assigns even higher effort to named injection classes (sqli, xss, rce, ...)", () => {
+    const sqliResult = adaptSemgrep(
+      makeSemgrepSarif({ ruleId: "python.django.sqli-raw-sql", level: "error" }),
+    );
+    const genericSecurityResult = adaptSemgrep(
+      makeSemgrepSarif({ ruleId: "python.lang.security.audit.eval", level: "error" }),
+    );
+    assert.ok(
+      sqliResult.totalEffortMinutes >= genericSecurityResult.totalEffortMinutes,
+      "sqli-tagged rules should cost at least as much as generic security rules",
+    );
+  });
+
+  it("accepts a JSON string input", () => {
+    const raw = JSON.stringify(makeSemgrepSarif({}));
+    const result = adaptSemgrep(raw);
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("rejects a non-SARIF document", () => {
+    assert.throws(() => adaptSemgrep({ version: "2.0.0", runs: [] }));
+  });
+
+  it("rejects a string that is not valid JSON", () => {
+    assert.throws(() => adaptSemgrep("not json"));
+  });
+
+  it("does not mutate the caller's document", () => {
+    const doc = makeSemgrepSarif({});
+    const originalName = doc.runs[0]?.tool?.driver?.name;
+    adaptSemgrep(doc);
+    assert.equal(doc.runs[0]?.tool?.driver?.name, originalName);
+  });
+});

package/src/tests/adapters/stryker.test.ts

@@ -0,0 +1,103 @@
+/**
+ * Unit tests for the Stryker mutation-testing adapter.
+ *
+ * Stryker's mutation report is a per-file map of mutants. The adapter
+ * surfaces surviving mutants as SARIF error-level findings, uncovered
+ * mutants as warnings, and timeouts as notes. Everything else
+ * (killed, compileError, ignored, runtimeError) is suppressed.
+ *
+ * @module tests/adapters/stryker.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { adaptStryker } from "../../adapters/stryker.js";
+
+/**
+ * Helper that builds a Stryker report shell with a single mutant.
+ */
+function makeStrykerReport(opts: {
+  status: string;
+  mutator?: string;
+  line?: number;
+  column?: number;
+}) {
+  return {
+    schemaVersion: "1.0",
+    files: {
+      "src/foo.ts": {
+        language: "typescript",
+        source: "const x = 1;",
+        mutants: [
+          {
+            id: "1",
+            mutatorName: opts.mutator ?? "ConditionalExpression",
+            replacement: "false",
+            location: {
+              start: { line: opts.line ?? 10, column: opts.column ?? 5 },
+              end: { line: opts.line ?? 10, column: (opts.column ?? 5) + 6 },
+            },
+            status: opts.status,
+          },
+        ],
+      },
+    },
+  };
+}
+
+describe("adaptStryker", () => {
+  it("flags a Survived mutant as a SARIF error", () => {
+    const result = adaptStryker(makeStrykerReport({ status: "Survived" }));
+    assert.equal(result.sourceTool, "stryker");
+    const finding = result.document.runs[0]?.results?.[0] as { level?: string; ruleId?: string };
+    assert.equal(finding?.level, "error");
+    assert.equal(finding?.ruleId, "stryker.ConditionalExpression");
+  });
+
+  it("flags a NoCoverage mutant as a SARIF warning", () => {
+    const result = adaptStryker(makeStrykerReport({ status: "NoCoverage" }));
+    const finding = result.document.runs[0]?.results?.[0] as { level?: string };
+    assert.equal(finding?.level, "warning");
+  });
+
+  it("flags a Timeout mutant as a SARIF note", () => {
+    const result = adaptStryker(makeStrykerReport({ status: "Timeout" }));
+    const finding = result.document.runs[0]?.results?.[0] as { level?: string };
+    assert.equal(finding?.level, "note");
+  });
+
+  it("suppresses Killed, Ignored, CompileError, and RuntimeError mutants", () => {
+    for (const status of ["Killed", "Ignored", "CompileError", "RuntimeError"]) {
+      const result = adaptStryker(makeStrykerReport({ status }));
+      assert.equal(result.findingCount, 0, `${status} should produce no findings`);
+    }
+  });
+
+  it("preserves mutant id, mutator name, and status on properties", () => {
+    const result = adaptStryker(makeStrykerReport({ status: "Survived" }));
+    const finding = result.document.runs[0]?.results?.[0] as {
+      properties?: { mutantId?: string; mutator?: string; mutantStatus?: string };
+    };
+    assert.equal(finding?.properties?.mutantId, "1");
+    assert.equal(finding?.properties?.mutator, "ConditionalExpression");
+    assert.equal(finding?.properties?.mutantStatus, "Survived");
+  });
+
+  it("assigns the correct file URI from the Stryker files{} key", () => {
+    const result = adaptStryker(makeStrykerReport({ status: "Survived" }));
+    const finding = result.document.runs[0]?.results?.[0] as {
+      locations?: Array<{ physicalLocation?: { artifactLocation?: { uri?: string } } }>;
+    };
+    assert.equal(finding?.locations?.[0]?.physicalLocation?.artifactLocation?.uri, "src/foo.ts");
+  });
+
+  it("accepts a JSON string", () => {
+    const raw = JSON.stringify(makeStrykerReport({ status: "Survived" }));
+    assert.equal(adaptStryker(raw).findingCount, 1);
+  });
+
+  it("throws on inputs missing the files{} map", () => {
+    assert.throws(() => adaptStryker({ schemaVersion: "1.0" }));
+  });
+});

package/src/tests/crap-config.test.ts

@@ -0,0 +1,228 @@
+/**
+ * Unit tests for the workspace crap-config loader.
+ *
+ * `.claude-crap.json` lives at the user's workspace root and lets
+ * teams pick how strictly claude-crap enforces its Stop quality
+ * gate. The loader resolves a single `strictness` value from three
+ * possible sources, in priority order:
+ *
+ *   1. `CLAUDE_CRAP_STRICTNESS` environment variable (session override)
+ *   2. `.claude-crap.json` at the workspace root
+ *   3. Hardcoded default `"strict"`
+ *
+ * These tests pin both the characterization invariants (defaults,
+ * valid values, precedence) and the attack invariants (invalid
+ * values are rejected, not silently downgraded).
+ *
+ * @module tests/crap-config.test
+ */
+
+import { describe, it, before, after, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import { promises as fs } from "node:fs";
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import {
+  DEFAULT_STRICTNESS,
+  STRICTNESS_VALUES,
+  CrapConfigError,
+  loadCrapConfig,
+  type Strictness,
+} from "../crap-config.js";
+
+/**
+ * Drop every `CLAUDE_CRAP_STRICTNESS` entry from `process.env` for
+ * the duration of one test so stray developer environments don't
+ * leak into the assertions.
+ */
+function unsetStrictnessEnv(): () => void {
+  const previous = process.env.CLAUDE_CRAP_STRICTNESS;
+  delete process.env.CLAUDE_CRAP_STRICTNESS;
+  return () => {
+    if (previous === undefined) delete process.env.CLAUDE_CRAP_STRICTNESS;
+    else process.env.CLAUDE_CRAP_STRICTNESS = previous;
+  };
+}
+
+describe("loadCrapConfig — characterization (defaults and valid inputs)", () => {
+  let workspace = "";
+  let restoreEnv: () => void = () => {};
+
+  before(async () => {
+    workspace = await mkdtemp(join(tmpdir(), "claude-crap-config-"));
+  });
+
+  after(async () => {
+    if (workspace) await rm(workspace, { recursive: true, force: true });
+  });
+
+  beforeEach(() => {
+    restoreEnv = unsetStrictnessEnv();
+  });
+
+  afterEach(() => {
+    restoreEnv();
+  });
+
+  it("defaults to 'strict' when neither env nor file is present", () => {
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "strict");
+    assert.equal(DEFAULT_STRICTNESS, "strict");
+  });
+
+  it("exposes the exhaustive list of strictness values as a readonly tuple", () => {
+    // Sanity check: every value in STRICTNESS_VALUES must be assignable
+    // to the Strictness type, and the list must match the intent of
+    // this plugin — strict enforces, warn reports, advisory whispers.
+    for (const value of STRICTNESS_VALUES) {
+      const typed: Strictness = value;
+      assert.ok(["strict", "warn", "advisory"].includes(typed));
+    }
+    assert.equal(STRICTNESS_VALUES.length, 3);
+  });
+
+  it("reads strictness='warn' from .claude-crap.json", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: "warn" }), "utf8");
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "warn");
+    await fs.unlink(path);
+  });
+
+  it("reads strictness='advisory' from .claude-crap.json", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: "advisory" }), "utf8");
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "advisory");
+    await fs.unlink(path);
+  });
+
+  it("env variable wins over .claude-crap.json", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: "warn" }), "utf8");
+    process.env.CLAUDE_CRAP_STRICTNESS = "strict";
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "strict");
+    await fs.unlink(path);
+  });
+
+  it("env variable works without any file present", () => {
+    process.env.CLAUDE_CRAP_STRICTNESS = "advisory";
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "advisory");
+  });
+
+  it("env variable is trimmed and case-insensitive", () => {
+    process.env.CLAUDE_CRAP_STRICTNESS = "  WARN  ";
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "warn");
+  });
+
+  it("file value is trimmed and case-insensitive", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: "Advisory" }), "utf8");
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "advisory");
+    await fs.unlink(path);
+  });
+
+  it("empty env variable is ignored and falls back to file / default", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: "advisory" }), "utf8");
+    process.env.CLAUDE_CRAP_STRICTNESS = "";
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "advisory");
+    await fs.unlink(path);
+  });
+
+  it("file with no strictness key falls back to default", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ somethingElse: true }), "utf8");
+    const config = loadCrapConfig({ workspaceRoot: workspace });
+    assert.equal(config.strictness, "strict");
+    await fs.unlink(path);
+  });
+});
+
+describe("loadCrapConfig — attack invariants (invalid inputs rejected)", () => {
+  let workspace = "";
+  let restoreEnv: () => void = () => {};
+
+  before(async () => {
+    workspace = await mkdtemp(join(tmpdir(), "claude-crap-config-bad-"));
+  });
+
+  after(async () => {
+    if (workspace) await rm(workspace, { recursive: true, force: true });
+  });
+
+  beforeEach(() => {
+    restoreEnv = unsetStrictnessEnv();
+  });
+
+  afterEach(() => {
+    restoreEnv();
+  });
+
+  it("throws CrapConfigError on invalid env variable value", () => {
+    process.env.CLAUDE_CRAP_STRICTNESS = "lenient"; // not in the enum
+    assert.throws(
+      () => loadCrapConfig({ workspaceRoot: workspace }),
+      CrapConfigError,
+    );
+  });
+
+  it("throws CrapConfigError on invalid file strictness value", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: "lenient" }), "utf8");
+    assert.throws(
+      () => loadCrapConfig({ workspaceRoot: workspace }),
+      CrapConfigError,
+    );
+    await fs.unlink(path);
+  });
+
+  it("throws CrapConfigError on a malformed JSON file", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, "{ this is not json", "utf8");
+    assert.throws(
+      () => loadCrapConfig({ workspaceRoot: workspace }),
+      CrapConfigError,
+    );
+    await fs.unlink(path);
+  });
+
+  it("throws CrapConfigError when strictness is the wrong JSON type", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify({ strictness: 42 }), "utf8");
+    assert.throws(
+      () => loadCrapConfig({ workspaceRoot: workspace }),
+      CrapConfigError,
+    );
+    await fs.unlink(path);
+  });
+
+  it("throws CrapConfigError when the JSON root is not an object", async () => {
+    const path = join(workspace, ".claude-crap.json");
+    await fs.writeFile(path, JSON.stringify(["strict"]), "utf8");
+    assert.throws(
+      () => loadCrapConfig({ workspaceRoot: workspace }),
+      CrapConfigError,
+    );
+    await fs.unlink(path);
+  });
+
+  it("CrapConfigError error messages identify the source that was invalid", () => {
+    process.env.CLAUDE_CRAP_STRICTNESS = "supercritical";
+    try {
+      loadCrapConfig({ workspaceRoot: workspace });
+      assert.fail("expected loadCrapConfig to throw");
+    } catch (err) {
+      assert.ok(err instanceof CrapConfigError);
+      assert.match(err.message, /CLAUDE_CRAP_STRICTNESS/);
+      assert.match(err.message, /supercritical/);
+    }
+  });
+});

package/src/tests/crap.test.ts

@@ -0,0 +1,59 @@
+/**
+ * Unit tests for the CRAP engine.
+ *
+ * Uses Node's built-in `node:test` runner so the test suite ships with no
+ * extra dependencies. Run with `npm test` from `src/mcp-server`.
+ *
+ * @module tests/crap.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { computeCrap } from "../metrics/crap.js";
+
+describe("computeCrap", () => {
+  it("returns the baseline complexity when coverage is 100%", () => {
+    const result = computeCrap({ cyclomaticComplexity: 10, coveragePercent: 100 }, 30);
+    // With full coverage the cubic term vanishes and only the +comp(m)
+    // tail remains. This is the property that forces decomposition of
+    // functions with complexity ≥ 30 even when perfectly tested.
+    assert.equal(result.crap, 10);
+    assert.equal(result.exceedsThreshold, false);
+  });
+
+  it("explodes cubically when coverage is 0%", () => {
+    const result = computeCrap({ cyclomaticComplexity: 10, coveragePercent: 0 }, 30);
+    // CRAP = 10² × 1³ + 10 = 110
+    assert.equal(result.crap, 110);
+    assert.equal(result.exceedsThreshold, true);
+  });
+
+  it("respects the threshold for partially tested code", () => {
+    // 12 branches, 60% coverage
+    // CRAP = 12² × 0.4³ + 12 = 144 × 0.064 + 12 = 9.216 + 12 = 21.216
+    const result = computeCrap({ cyclomaticComplexity: 12, coveragePercent: 60 }, 30);
+    assert.equal(result.crap, 21.216);
+    assert.equal(result.exceedsThreshold, false);
+  });
+
+  it("blocks any function above complexity 30 regardless of coverage", () => {
+    // With comp = 31 and 100% coverage, the tail alone is 31 > 30.
+    const result = computeCrap({ cyclomaticComplexity: 31, coveragePercent: 100 }, 30);
+    assert.equal(result.crap, 31);
+    assert.equal(result.exceedsThreshold, true);
+  });
+
+  it("rejects negative complexity", () => {
+    assert.throws(() => computeCrap({ cyclomaticComplexity: 0, coveragePercent: 50 }, 30));
+  });
+
+  it("rejects coverage outside [0, 100]", () => {
+    assert.throws(() => computeCrap({ cyclomaticComplexity: 5, coveragePercent: -1 }, 30));
+    assert.throws(() => computeCrap({ cyclomaticComplexity: 5, coveragePercent: 101 }, 30));
+  });
+
+  it("rejects non-positive thresholds", () => {
+    assert.throws(() => computeCrap({ cyclomaticComplexity: 5, coveragePercent: 50 }, 0));
+  });
+});