claude-crap 0.1.2

package/src/tests/score.test.ts

@@ -0,0 +1,260 @@
+/**
+ * Unit tests for the project score engine.
+ *
+ * Builds in-memory `SarifStore` instances with hand-crafted finding
+ * sets so we can verify each dimension's letter-grade boundaries and
+ * the overall worst-of aggregation in isolation, with no filesystem.
+ *
+ * @module tests/score.test
+ */
+
+import { describe, it, before, after } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+
+import { SarifStore, type PersistedSarif } from "../sarif/sarif-store.js";
+import {
+  computeProjectScore,
+  renderProjectScoreMarkdown,
+  type ProjectScore,
+} from "../metrics/score.js";
+
+/**
+ * Build a minimal SARIF doc with one finding. The `ruleId`, `level`,
+ * and `effortMinutes` parameters drive how the score engine classifies
+ * the finding (security vs reliability, severity, TDR contribution).
+ */
+function makeSarif(opts: {
+  ruleId: string;
+  uri?: string;
+  line?: number;
+  column?: number;
+  level?: "error" | "warning" | "note";
+  effortMinutes?: number;
+  sourceTool?: string;
+}): PersistedSarif {
+  return {
+    version: "2.1.0",
+    runs: [
+      {
+        tool: { driver: { name: opts.sourceTool ?? "test", version: "0" } },
+        results: [
+          {
+            ruleId: opts.ruleId,
+            level: opts.level ?? "warning",
+            message: { text: opts.ruleId },
+            locations: [
+              {
+                physicalLocation: {
+                  artifactLocation: { uri: opts.uri ?? "src/foo.ts" },
+                  region: { startLine: opts.line ?? 1, startColumn: opts.column ?? 1 },
+                },
+              },
+            ],
+            properties: { effortMinutes: opts.effortMinutes ?? 0 },
+          },
+        ],
+      },
+    ],
+  };
+}
+
+/**
+ * Construct a fresh in-memory SarifStore in a temp directory and ingest
+ * a list of findings. Each doc carries its own `tool.driver.name`, and
+ * we pass that exact name to `ingestRun()` so the per-tool aggregation
+ * tests can distinguish between scanners.
+ */
+async function buildStore(workspace: string, docs: PersistedSarif[]): Promise<SarifStore> {
+  const store = new SarifStore({ workspaceRoot: workspace, outputDir: "reports" });
+  await store.loadLatest();
+  for (const doc of docs) {
+    const sourceTool = doc.runs[0]?.tool?.driver?.name ?? "test-tool";
+    store.ingestRun(doc, sourceTool);
+  }
+  return store;
+}
+
+/**
+ * Helper that runs the score engine with a minimal sane config.
+ */
+function score(store: SarifStore, workspaceRoot: string, loc = 1000, files = 10): ProjectScore {
+  return computeProjectScore({
+    workspaceRoot,
+    minutesPerLoc: 30,
+    tdrMaxRating: "C",
+    workspace: { physicalLoc: loc, fileCount: files },
+    sarifStore: store,
+    dashboardUrl: "http://127.0.0.1:5117",
+    sarifReportPath: store.consolidatedReportPath,
+  });
+}
+
+describe("computeProjectScore", () => {
+  let workspace = "";
+
+  before(async () => {
+    workspace = await mkdtemp(join(tmpdir(), "claude-crap-score-"));
+  });
+
+  after(async () => {
+    if (workspace) await rm(workspace, { recursive: true, force: true });
+  });
+
+  it("rates an empty project as A across the board", async () => {
+    const store = await buildStore(workspace, []);
+    const s = score(store, workspace);
+    assert.equal(s.maintainability.rating, "A");
+    assert.equal(s.reliability.rating, "A");
+    assert.equal(s.security.rating, "A");
+    assert.equal(s.overall.rating, "A");
+    assert.equal(s.overall.passes, true);
+  });
+
+  it("classifies a SQL injection rule as security", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "python.lang.sql-injection", level: "error" }),
+    ]);
+    const s = score(store, workspace);
+    assert.equal(s.security.errorFindings, 1);
+    assert.equal(s.reliability.errorFindings, 0);
+    assert.equal(s.security.rating, "D"); // 1 error → D
+  });
+
+  it("classifies a non-security rule as reliability", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "ts.unused-variable", level: "warning" }),
+    ]);
+    const s = score(store, workspace);
+    assert.equal(s.reliability.warningFindings, 1);
+    assert.equal(s.security.warningFindings, 0);
+    assert.equal(s.reliability.rating, "C"); // 1 warning → C
+  });
+
+  it("escalates reliability to E with 3+ errors", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "rule.a", level: "error", line: 1 }),
+      makeSarif({ ruleId: "rule.b", level: "error", line: 2 }),
+      makeSarif({ ruleId: "rule.c", level: "error", line: 3 }),
+    ]);
+    const s = score(store, workspace);
+    assert.equal(s.reliability.rating, "E");
+  });
+
+  it("collapses overall to the worst dimension", async () => {
+    const store = await buildStore(workspace, [
+      // 1 security error → security D, reliability A, maintainability A → overall D
+      makeSarif({ ruleId: "auth.broken", level: "error" }),
+    ]);
+    const s = score(store, workspace);
+    assert.equal(s.security.rating, "D");
+    assert.equal(s.reliability.rating, "A");
+    assert.equal(s.maintainability.rating, "A");
+    assert.equal(s.overall.rating, "D");
+  });
+
+  it("marks overall as failing when worse than the policy ceiling", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "auth.broken", level: "error" }),
+    ]);
+    const s = score(store, workspace);
+    // Overall = D, policy ceiling = C → fails
+    assert.equal(s.overall.passes, false);
+  });
+
+  it("marks overall as passing when within policy", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "ts.style", level: "warning" }),
+    ]);
+    const s = score(store, workspace);
+    // Reliability = C, ceiling = C → equal, not worse, so passes
+    assert.equal(s.overall.rating, "C");
+    assert.equal(s.overall.passes, true);
+  });
+
+  it("derives maintainability rating from TDR boundaries", async () => {
+    // 360 minutes of remediation over 1000 LOC × 30 min/LOC = 30000 cost
+    // → TDR = 360 / 30000 = 1.2% → A
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "ts.todo", level: "note", effortMinutes: 360 }),
+    ]);
+    const s = score(store, workspace);
+    assert.ok(s.maintainability.tdrPercent < 5);
+    assert.equal(s.maintainability.rating, "A");
+
+    // 6000 minutes / 30000 = 20% → C
+    const store2 = await buildStore(workspace, [
+      makeSarif({ ruleId: "ts.todo2", level: "note", effortMinutes: 6000 }),
+    ]);
+    const s2 = score(store2, workspace);
+    assert.equal(s2.maintainability.rating, "C");
+
+    // 18000 minutes / 30000 = 60% → E
+    const store3 = await buildStore(workspace, [
+      makeSarif({ ruleId: "ts.todo3", level: "note", effortMinutes: 18000 }),
+    ]);
+    const s3 = score(store3, workspace);
+    assert.equal(s3.maintainability.rating, "E");
+  });
+
+  it("aggregates findings by tool and by file", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "rule.a", uri: "src/a.ts", line: 1, sourceTool: "semgrep" }),
+      makeSarif({ ruleId: "rule.b", uri: "src/a.ts", line: 2, sourceTool: "semgrep" }),
+      makeSarif({ ruleId: "rule.c", uri: "src/b.ts", line: 1, sourceTool: "eslint" }),
+    ]);
+    const s = score(store, workspace);
+    assert.equal(s.findings.byTool.semgrep, 2);
+    assert.equal(s.findings.byTool.eslint, 1);
+    assert.equal(s.findings.byFile["src/a.ts"], 2);
+    assert.equal(s.findings.byFile["src/b.ts"], 1);
+  });
+
+  it("propagates the dashboard URL into the location block", async () => {
+    const store = await buildStore(workspace, []);
+    const s = score(store, workspace);
+    assert.equal(s.location.dashboardUrl, "http://127.0.0.1:5117");
+    assert.ok(s.location.sarifReportPath.endsWith("latest.sarif"));
+  });
+});
+
+describe("renderProjectScoreMarkdown", () => {
+  let workspace = "";
+
+  before(async () => {
+    workspace = await mkdtemp(join(tmpdir(), "claude-crap-score-md-"));
+  });
+
+  after(async () => {
+    if (workspace) await rm(workspace, { recursive: true, force: true });
+  });
+
+  it("renders a compact summary that includes the overall rating and dashboard URL", async () => {
+    const store = await buildStore(workspace, [
+      makeSarif({ ruleId: "ts.style", level: "warning" }),
+    ]);
+    const s = score(store, workspace);
+    const md = renderProjectScoreMarkdown(s);
+    assert.match(md, /## claude-crap :: project score/);
+    assert.match(md, /\*\*Overall: C\*\*/);
+    assert.match(md, /Dashboard:.*127\.0\.0\.1:5117/);
+    assert.match(md, /Report:.*latest\.sarif/);
+  });
+
+  it("renders a fallback line when no dashboard URL is configured", async () => {
+    const store = await buildStore(workspace, []);
+    const s = computeProjectScore({
+      workspaceRoot: workspace,
+      minutesPerLoc: 30,
+      tdrMaxRating: "C",
+      workspace: { physicalLoc: 100, fileCount: 1 },
+      sarifStore: store,
+      dashboardUrl: null,
+      sarifReportPath: store.consolidatedReportPath,
+    });
+    const md = renderProjectScoreMarkdown(s);
+    assert.match(md, /not running/);
+  });
+});

package/src/tests/skills-frontmatter.test.ts

@@ -0,0 +1,172 @@
+/**
+ * Frontmatter contract for claude-crap's shipped skills.
+ *
+ * Every directory under `skills/` at the plugin root must contain a
+ * SKILL.md file with YAML frontmatter declaring at minimum `name`
+ * and `description`. The `name` has to match the directory name so
+ * Claude Code's slash-command namespace (`/claude-crap:<name>`)
+ * resolves cleanly. The `description` drives model-invocation
+ * triggering — the skill-creator skill's guidance is emphatic that
+ * undertriggering is the common failure mode, so descriptions need
+ * "pushy" language like "use this skill whenever..." to bias Claude
+ * toward invoking them when context matches.
+ *
+ * These tests pin the shape of every SKILL.md the plugin ships so
+ * a future drive-by edit that removes the `description` field or
+ * renames a directory without updating the frontmatter cannot slip
+ * through CI silently. They also pin the minimum substantive length
+ * of descriptions (>100 chars) so terse one-liners like
+ * "run a command" do not count as valid skills.
+ *
+ * @module tests/skills-frontmatter.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { readFile, readdir } from "node:fs/promises";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const HERE = dirname(fileURLToPath(import.meta.url));
+const SKILLS_DIR = resolve(HERE, "..", "..", "plugin", "skills");
+
+/**
+ * Minimal YAML frontmatter parser covering the subset claude-crap
+ * actually uses: top-level string scalars only, no nested objects,
+ * no arrays, no quoting edge cases. The full-fat YAML parsers in
+ * the ecosystem would add 100+ KB of dependencies for something we
+ * can solve in 20 lines; this stays self-contained.
+ *
+ * @param content Raw file contents of a SKILL.md file.
+ * @returns       Parsed frontmatter fields, or `null` if the file
+ *                does not start with a `---` delimited block.
+ */
+function parseFrontmatter(
+  content: string,
+): { name?: string; description?: string; body: string } | null {
+  const match = content.match(/^---\r?\n([\s\S]+?)\r?\n---\r?\n([\s\S]*)$/);
+  if (!match) return null;
+  const [, yaml, body] = match as unknown as [string, string, string];
+  const result: { name?: string; description?: string; body: string } = { body };
+  for (const rawLine of yaml.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) continue;
+    const kv = line.match(/^([a-zA-Z_-]+)\s*:\s*(.+)$/);
+    if (!kv) continue;
+    const [, key, value] = kv as unknown as [string, string, string];
+    const clean = value.replace(/^['"]|['"]$/g, "");
+    if (key === "name") result.name = clean;
+    if (key === "description") result.description = clean;
+  }
+  return result;
+}
+
+/**
+ * Return every immediate subdirectory of `skills/`. If the root
+ * itself does not exist, returns an empty list so the test suite
+ * can still run on a fresh clone before any skills have been added.
+ */
+async function listSkillDirs(): Promise<string[]> {
+  let entries;
+  try {
+    entries = await readdir(SKILLS_DIR, { withFileTypes: true });
+  } catch (err) {
+    const error = err as NodeJS.ErrnoException;
+    if (error.code === "ENOENT") return [];
+    throw error;
+  }
+  return entries.filter((e) => e.isDirectory()).map((e) => e.name);
+}
+
+describe("claude-crap skills — frontmatter contract", () => {
+  it("ships at least one user-invocable skill", async () => {
+    const dirs = await listSkillDirs();
+    assert.ok(
+      dirs.length > 0,
+      "expected at least one skill directory under skills/ — v0.1.1 introduces /claude-crap:score, /claude-crap:check-test, /claude-crap:analyze, /claude-crap:adopt",
+    );
+  });
+
+  it("every skills/<name>/ directory contains a SKILL.md file", async () => {
+    const dirs = await listSkillDirs();
+    for (const dir of dirs) {
+      const skillMd = join(SKILLS_DIR, dir, "SKILL.md");
+      const content = await readFile(skillMd, "utf8").catch(() => null);
+      assert.ok(content, `skills/${dir}/SKILL.md is missing`);
+    }
+  });
+
+  it("every SKILL.md starts with a --- delimited YAML frontmatter block", async () => {
+    const dirs = await listSkillDirs();
+    for (const dir of dirs) {
+      const content = await readFile(join(SKILLS_DIR, dir, "SKILL.md"), "utf8");
+      const fm = parseFrontmatter(content);
+      assert.ok(
+        fm,
+        `skills/${dir}/SKILL.md must start with '---' ... '---' YAML frontmatter`,
+      );
+    }
+  });
+
+  it("every frontmatter declares a non-empty name matching the directory", async () => {
+    const dirs = await listSkillDirs();
+    for (const dir of dirs) {
+      const content = await readFile(join(SKILLS_DIR, dir, "SKILL.md"), "utf8");
+      const fm = parseFrontmatter(content);
+      assert.ok(fm?.name, `skills/${dir}/SKILL.md frontmatter must have a 'name' field`);
+      assert.equal(
+        fm.name,
+        dir,
+        `skills/${dir}/SKILL.md frontmatter name '${fm.name}' must match the directory basename '${dir}'`,
+      );
+    }
+  });
+
+  it("every frontmatter declares a substantive description (>100 chars)", async () => {
+    const dirs = await listSkillDirs();
+    for (const dir of dirs) {
+      const content = await readFile(join(SKILLS_DIR, dir, "SKILL.md"), "utf8");
+      const fm = parseFrontmatter(content);
+      assert.ok(
+        fm?.description,
+        `skills/${dir}/SKILL.md frontmatter must have a 'description' field`,
+      );
+      assert.ok(
+        fm.description.length > 100,
+        `skills/${dir}/SKILL.md description is only ${fm.description.length} chars; Claude Code's trigger matcher needs substantive context to invoke the skill. Rewrite it with 'use this skill whenever ...' phrasing and at least one example context.`,
+      );
+    }
+  });
+
+  it("every description uses 'use this skill when/whenever' trigger language", async () => {
+    // Rationale: the skill-creator guidance flags undertriggering as the
+    // common failure mode and recommends 'pushy' descriptions that bias
+    // Claude toward invoking the skill. Enforcing a minimal version of
+    // that discipline at the lint level means every future skill has to
+    // at least consider when it should trigger before merging.
+    const dirs = await listSkillDirs();
+    for (const dir of dirs) {
+      const content = await readFile(join(SKILLS_DIR, dir, "SKILL.md"), "utf8");
+      const fm = parseFrontmatter(content);
+      assert.ok(fm?.description);
+      assert.match(
+        fm.description,
+        /use this skill (when|whenever)/i,
+        `skills/${dir}/SKILL.md description should include 'use this skill when/whenever ...' trigger language (see the skill-creator guidance on combating undertriggering)`,
+      );
+    }
+  });
+
+  it("every SKILL.md body is non-empty", async () => {
+    const dirs = await listSkillDirs();
+    for (const dir of dirs) {
+      const content = await readFile(join(SKILLS_DIR, dir, "SKILL.md"), "utf8");
+      const fm = parseFrontmatter(content);
+      assert.ok(fm, `${dir}/SKILL.md must parse`);
+      assert.ok(
+        fm.body.trim().length > 0,
+        `skills/${dir}/SKILL.md must have instructions after the frontmatter`,
+      );
+    }
+  });
+});

package/src/tests/stop-quality-gate-strictness.test.ts

@@ -0,0 +1,243 @@
+/**
+ * End-to-end tests for the Stop quality-gate hook under each of the
+ * three supported strictness modes.
+ *
+ * The test spawns `hooks/stop-quality-gate.mjs` as a subprocess with
+ * a hand-crafted fixture workspace containing:
+ *
+ *   - `.claude-crap/reports/latest.sarif` — one error-level finding
+ *     so the gate has a reason to fail.
+ *   - (optional) `.claude-crap.json` — exercises file-based config.
+ *   - One small `.ts` file so the workspace walker returns a non-zero
+ *     LOC denominator and TDR math does not divide by one.
+ *
+ * The test then asserts on the subprocess exit code and where the
+ * verdict was written (stdout vs stderr) for each mode, matching the
+ * design in the CHANGELOG:
+ *
+ *   - `strict`   — exit 2, verdict on stderr   (hard block)
+ *   - `warn`     — exit 0, verdict on stdout   (soft nudge, agent sees it)
+ *   - `advisory` — exit 0, one-liner on stdout (minimal pressure)
+ *
+ * These tests require `dist/` to be built because the Stop hook
+ * imports `dist/metrics/tdr.js` at runtime. The suite skips cleanly
+ * on fresh checkouts before the first build.
+ *
+ * @module tests/stop-quality-gate-strictness.test
+ */
+
+import { describe, it, before, after } from "node:test";
+import assert from "node:assert/strict";
+import { spawn } from "node:child_process";
+import { promises as fs, statSync } from "node:fs";
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const HERE = dirname(fileURLToPath(import.meta.url));
+const PLUGIN_ROOT = resolve(HERE, "..", "..");
+const HOOK_PATH = join(PLUGIN_ROOT, "plugin", "hooks", "stop-quality-gate.mjs");
+const TDR_ENTRY = process.env.SONAR_TDR_ENTRY
+  ? resolve(process.env.SONAR_TDR_ENTRY)
+  : join(PLUGIN_ROOT, "plugin", "bundle", "tdr-engine.mjs");
+
+let bundleBuilt = false;
+try {
+  statSync(TDR_ENTRY);
+  bundleBuilt = true;
+} catch {
+  bundleBuilt = false;
+}
+
+interface HookResult {
+  readonly code: number;
+  readonly stdout: string;
+  readonly stderr: string;
+}
+
+/**
+ * Spawn the Stop hook against a fixture workspace, passing an empty
+ * JSON payload on stdin (the Stop hook does not depend on the hook
+ * input — the verdict is entirely a function of the on-disk SARIF
+ * plus the workspace LOC walk).
+ */
+function runStopHook(
+  workspace: string,
+  envOverrides: Record<string, string | undefined> = {},
+): Promise<HookResult> {
+  return new Promise((resolvePromise, reject) => {
+    const env: Record<string, string> = {
+      PATH: process.env.PATH ?? "",
+      NODE_ENV: "test",
+      CLAUDE_PROJECT_DIR: workspace,
+    };
+    for (const [key, value] of Object.entries(envOverrides)) {
+      if (value === undefined) delete env[key];
+      else env[key] = value;
+    }
+    const child = spawn(process.execPath, [HOOK_PATH], {
+      stdio: ["pipe", "pipe", "pipe"],
+      cwd: workspace,
+      env,
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", reject);
+    child.on("exit", (code) => {
+      resolvePromise({ code: code ?? -1, stdout, stderr });
+    });
+    child.stdin.write("{}");
+    child.stdin.end();
+  });
+}
+
+/**
+ * Build a fixture workspace with a failing SARIF report on disk and
+ * one minimal source file so the LOC walk returns a sensible
+ * denominator for the TDR computation.
+ */
+async function createFailingFixture(): Promise<string> {
+  const workspace = await mkdtemp(join(tmpdir(), "claude-crap-strict-"));
+  const reportsDir = join(workspace, ".claude-crap", "reports");
+  await fs.mkdir(reportsDir, { recursive: true });
+
+  // One error-level finding guarantees the SONAR-GATE-ERRORS policy fails.
+  const sarif = {
+    version: "2.1.0",
+    runs: [
+      {
+        tool: { driver: { name: "claude-crap-fixture", version: "0.0.0" } },
+        results: [
+          {
+            ruleId: "FIXTURE-ERR-001",
+            level: "error",
+            message: { text: "fixture error so the gate has something to block on" },
+            locations: [
+              {
+                physicalLocation: {
+                  artifactLocation: { uri: "src/a.ts" },
+                  region: { startLine: 1, startColumn: 1 },
+                },
+              },
+            ],
+            properties: {
+              sourceTool: "claude-crap-fixture",
+              effortMinutes: 90,
+            },
+          },
+        ],
+      },
+    ],
+  };
+  await fs.writeFile(
+    join(reportsDir, "latest.sarif"),
+    JSON.stringify(sarif, null, 2),
+    "utf8",
+  );
+
+  // A non-zero physical LOC means TDR math is well-defined.
+  await fs.mkdir(join(workspace, "src"), { recursive: true });
+  await fs.writeFile(
+    join(workspace, "src", "a.ts"),
+    "export const answer = 42;\n",
+    "utf8",
+  );
+
+  return workspace;
+}
+
+describe(
+  "stop-quality-gate hook — strictness matrix",
+  { skip: !bundleBuilt },
+  () => {
+    let workspace = "";
+
+    before(async () => {
+      workspace = await createFailingFixture();
+    });
+
+    after(async () => {
+      if (workspace) await rm(workspace, { recursive: true, force: true });
+    });
+
+    it("default (no env, no file) → exit 2 + stderr box (strict is the default)", async () => {
+      const result = await runStopHook(workspace, {
+        CLAUDE_CRAP_STRICTNESS: undefined,
+      });
+      assert.equal(result.code, 2, `stderr was: ${result.stderr}`);
+      assert.match(result.stderr, /Stop quality gate BLOCKED/);
+      assert.match(result.stderr, /SONAR-GATE-ERRORS/);
+    });
+
+    it("CLAUDE_CRAP_STRICTNESS=strict → exit 2 + stderr box", async () => {
+      const result = await runStopHook(workspace, {
+        CLAUDE_CRAP_STRICTNESS: "strict",
+      });
+      assert.equal(result.code, 2);
+      assert.match(result.stderr, /Stop quality gate BLOCKED/);
+    });
+
+    it("CLAUDE_CRAP_STRICTNESS=warn → exit 0 + full verdict on stdout", async () => {
+      const result = await runStopHook(workspace, {
+        CLAUDE_CRAP_STRICTNESS: "warn",
+      });
+      assert.equal(result.code, 0, `stderr was: ${result.stderr}`);
+      // The full verdict must still reach the hook transcript so the
+      // agent can choose to remediate on its next turn.
+      assert.match(result.stdout, /Stop quality gate WARNING/);
+      assert.match(result.stdout, /SONAR-GATE-ERRORS/);
+    });
+
+    it("CLAUDE_CRAP_STRICTNESS=advisory → exit 0 + one-line summary on stdout", async () => {
+      const result = await runStopHook(workspace, {
+        CLAUDE_CRAP_STRICTNESS: "advisory",
+      });
+      assert.equal(result.code, 0, `stderr was: ${result.stderr}`);
+      assert.match(result.stdout, /Stop quality gate ADVISORY/);
+      // Advisory must NOT render the heavy multi-line verdict box —
+      // the point is minimal pressure. Walking the stdout for the
+      // "policy failure(s)" decorator from the blocking/warning box
+      // would be a robust negative assertion.
+      assert.doesNotMatch(result.stdout, /policy failure\(s\)/);
+    });
+
+    it(".claude-crap.json with strictness='warn' is honored when env is unset", async () => {
+      const configPath = join(workspace, ".claude-crap.json");
+      await fs.writeFile(configPath, JSON.stringify({ strictness: "warn" }), "utf8");
+      try {
+        const result = await runStopHook(workspace, {
+          CLAUDE_CRAP_STRICTNESS: undefined,
+        });
+        assert.equal(result.code, 0, `stderr was: ${result.stderr}`);
+        assert.match(result.stdout, /Stop quality gate WARNING/);
+      } finally {
+        await fs.unlink(configPath);
+      }
+    });
+
+    it("env variable wins over .claude-crap.json even when the file disagrees", async () => {
+      const configPath = join(workspace, ".claude-crap.json");
+      await fs.writeFile(
+        configPath,
+        JSON.stringify({ strictness: "advisory" }),
+        "utf8",
+      );
+      try {
+        const result = await runStopHook(workspace, {
+          CLAUDE_CRAP_STRICTNESS: "strict",
+        });
+        assert.equal(result.code, 2, `stderr was: ${result.stderr}`);
+        assert.match(result.stderr, /Stop quality gate BLOCKED/);
+      } finally {
+        await fs.unlink(configPath);
+      }
+    });
+  },
+);