claude-crap 0.1.2

package/dist/metrics/crap.d.ts

@@ -0,0 +1,71 @@
+/**
+ * CRAP (Change Risk Anti-Patterns) index — deterministic computation.
+ *
+ * The CRAP index is a single number that summarizes how dangerous it is
+ * to change a given function. It combines two signals:
+ *
+ *   1. Cyclomatic complexity (`comp`) — how many independent paths the
+ *      function has. Tracks how easy it is to reason about the code.
+ *   2. Test coverage percentage (`cov`) — empirical safety net provided
+ *      by the automated test suite.
+ *
+ * The formula (see docs/quality-gate.md) is:
+ *
+ *     CRAP(m) = comp(m)² × (1 − cov(m)/100)³ + comp(m)
+ *
+ * The cubic uncovered-weight term makes CRAP punish uncovered, branchy
+ * code extremely aggressively. A function with complexity 10 and 0%
+ * coverage scores CRAP = 10² × 1³ + 10 = 110, well above the 30 threshold.
+ *
+ * The additive `+ comp(m)` tail is intentional: it means that any function
+ * with `comp ≥ 30` can NEVER reach a passing CRAP score, even with 100%
+ * coverage (because the final term alone equals the threshold). This
+ * encodes the policy "functions above complexity 30 must be decomposed,
+ * period" — you cannot test your way out of structural complexity.
+ *
+ * @module metrics/crap
+ */
+/**
+ * Inputs required to compute CRAP for a single function.
+ */
+export interface CrapInput {
+    /** Cyclomatic complexity of the function. Must be an integer ≥ 1. */
+    readonly cyclomaticComplexity: number;
+    /** Test coverage percentage for the function. Must be in `[0, 100]`. */
+    readonly coveragePercent: number;
+}
+/**
+ * Result of a CRAP computation, including the inputs used so callers can
+ * echo the context back to the LLM or dump it to a SARIF result's
+ * `properties` bag without re-reading the source data.
+ */
+export interface CrapResult {
+    /** The CRAP score, rounded to 4 decimals for stable serialization. */
+    readonly crap: number;
+    /** Cyclomatic complexity echoed from the input. */
+    readonly cyclomaticComplexity: number;
+    /** Coverage percentage echoed from the input. */
+    readonly coveragePercent: number;
+    /** `true` when `crap > threshold` — caller should block on this. */
+    readonly exceedsThreshold: boolean;
+    /** The threshold used for the `exceedsThreshold` decision. */
+    readonly threshold: number;
+}
+/**
+ * Compute the CRAP index for a single function, against a configurable
+ * block threshold. This function is pure, deterministic, and performs no
+ * I/O — it can be called from any context (MCP tool handler, hook, unit
+ * test) without side effects.
+ *
+ * @param input     Cyclomatic complexity and coverage for the function.
+ * @param threshold The CRAP score above which the caller should block.
+ * @returns         A {@link CrapResult} containing the score and decision.
+ * @throws          When any input is out of range or not finite.
+ *
+ * @example
+ * // 12 branches, 60% coverage, threshold = 30
+ * computeCrap({ cyclomaticComplexity: 12, coveragePercent: 60 }, 30)
+ * // → { crap: 21.216, exceedsThreshold: false, ... }
+ */
+export declare function computeCrap(input: CrapInput, threshold: number): CrapResult;
+//# sourceMappingURL=crap.d.ts.map

package/dist/metrics/crap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crap.d.ts","sourceRoot":"","sources":["../../src/metrics/crap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,qEAAqE;IACrE,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,wEAAwE;IACxE,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB,sEAAsE;IACtE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,mDAAmD;IACnD,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,iDAAiD;IACjD,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,oEAAoE;IACpE,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACnC,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,UAAU,CA4B3E"}

package/dist/metrics/crap.js

@@ -0,0 +1,67 @@
+/**
+ * CRAP (Change Risk Anti-Patterns) index — deterministic computation.
+ *
+ * The CRAP index is a single number that summarizes how dangerous it is
+ * to change a given function. It combines two signals:
+ *
+ *   1. Cyclomatic complexity (`comp`) — how many independent paths the
+ *      function has. Tracks how easy it is to reason about the code.
+ *   2. Test coverage percentage (`cov`) — empirical safety net provided
+ *      by the automated test suite.
+ *
+ * The formula (see docs/quality-gate.md) is:
+ *
+ *     CRAP(m) = comp(m)² × (1 − cov(m)/100)³ + comp(m)
+ *
+ * The cubic uncovered-weight term makes CRAP punish uncovered, branchy
+ * code extremely aggressively. A function with complexity 10 and 0%
+ * coverage scores CRAP = 10² × 1³ + 10 = 110, well above the 30 threshold.
+ *
+ * The additive `+ comp(m)` tail is intentional: it means that any function
+ * with `comp ≥ 30` can NEVER reach a passing CRAP score, even with 100%
+ * coverage (because the final term alone equals the threshold). This
+ * encodes the policy "functions above complexity 30 must be decomposed,
+ * period" — you cannot test your way out of structural complexity.
+ *
+ * @module metrics/crap
+ */
+/**
+ * Compute the CRAP index for a single function, against a configurable
+ * block threshold. This function is pure, deterministic, and performs no
+ * I/O — it can be called from any context (MCP tool handler, hook, unit
+ * test) without side effects.
+ *
+ * @param input     Cyclomatic complexity and coverage for the function.
+ * @param threshold The CRAP score above which the caller should block.
+ * @returns         A {@link CrapResult} containing the score and decision.
+ * @throws          When any input is out of range or not finite.
+ *
+ * @example
+ * // 12 branches, 60% coverage, threshold = 30
+ * computeCrap({ cyclomaticComplexity: 12, coveragePercent: 60 }, 30)
+ * // → { crap: 21.216, exceedsThreshold: false, ... }
+ */
+export function computeCrap(input, threshold) {
+    if (!Number.isFinite(input.cyclomaticComplexity) || input.cyclomaticComplexity < 1) {
+        throw new Error(`[crap] cyclomaticComplexity must be ≥ 1, got ${input.cyclomaticComplexity}`);
+    }
+    if (!Number.isFinite(input.coveragePercent) || input.coveragePercent < 0 || input.coveragePercent > 100) {
+        throw new Error(`[crap] coveragePercent must be in [0, 100], got ${input.coveragePercent}`);
+    }
+    if (!Number.isFinite(threshold) || threshold <= 0) {
+        throw new Error(`[crap] threshold must be > 0, got ${threshold}`);
+    }
+    const comp = input.cyclomaticComplexity;
+    const uncovered = 1 - input.coveragePercent / 100;
+    const crap = comp * comp * Math.pow(uncovered, 3) + comp;
+    return {
+        // Round to 4 decimals so JSON serialization is stable across runs
+        // (important for SARIF diffing and dashboard caching).
+        crap: Number(crap.toFixed(4)),
+        cyclomaticComplexity: comp,
+        coveragePercent: input.coveragePercent,
+        exceedsThreshold: crap > threshold,
+        threshold,
+    };
+}
+//# sourceMappingURL=crap.js.map

package/dist/metrics/crap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crap.js","sourceRoot":"","sources":["../../src/metrics/crap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AA8BH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,WAAW,CAAC,KAAgB,EAAE,SAAiB;IAC7D,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,EAAE,CAAC;QACnF,MAAM,IAAI,KAAK,CACb,gDAAgD,KAAK,CAAC,oBAAoB,EAAE,CAC7E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,eAAe,GAAG,CAAC,IAAI,KAAK,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC;QACxG,MAAM,IAAI,KAAK,CACb,mDAAmD,KAAK,CAAC,eAAe,EAAE,CAC3E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,qCAAqC,SAAS,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,IAAI,GAAG,KAAK,CAAC,oBAAoB,CAAC;IACxC,MAAM,SAAS,GAAG,CAAC,GAAG,KAAK,CAAC,eAAe,GAAG,GAAG,CAAC;IAClD,MAAM,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;IAEzD,OAAO;QACL,kEAAkE;QAClE,uDAAuD;QACvD,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAC7B,oBAAoB,EAAE,IAAI;QAC1B,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,gBAAgB,EAAE,IAAI,GAAG,SAAS;QAClC,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/metrics/index.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Public SDK entry point for the deterministic metrics engines.
+ *
+ * Everything re-exported from this barrel is part of the stable public
+ * API of `claude-crap/metrics`. Downstream consumers can rely
+ * on the shapes here remaining semver-stable — breaking changes only
+ * land in major versions.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   computeCrap,
+ *   computeTdr,
+ *   computeProjectScore,
+ *   classifyTdr,
+ *   ratingIsWorseThan,
+ * } from "claude-crap/metrics";
+ * ```
+ *
+ * @module metrics
+ */
+export { computeCrap } from "./crap.js";
+export type { CrapInput, CrapResult } from "./crap.js";
+export { classifyTdr, computeTdr, ratingIsWorseThan, ratingToRank, } from "./tdr.js";
+export type { TdrInput, TdrResult } from "./tdr.js";
+export { computeProjectScore, renderProjectScoreMarkdown, } from "./score.js";
+export type { ComputeProjectScoreInput, DimensionScore, FindingsSummary, MaintainabilityScore, ProjectScore, ScoreLocation, SeverityRating, WorkspaceStats, } from "./score.js";
+export { estimateWorkspaceLoc, MAX_FILES_WALKED } from "./workspace-walker.js";
+export type { WorkspaceWalkResult } from "./workspace-walker.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/metrics/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/metrics/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvD,OAAO,EACL,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,YAAY,GACb,MAAM,UAAU,CAAC;AAClB,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAEpD,OAAO,EACL,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,wBAAwB,EACxB,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,YAAY,EACZ,aAAa,EACb,cAAc,EACd,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAC/E,YAAY,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/metrics/index.js

@@ -0,0 +1,27 @@
+/**
+ * Public SDK entry point for the deterministic metrics engines.
+ *
+ * Everything re-exported from this barrel is part of the stable public
+ * API of `claude-crap/metrics`. Downstream consumers can rely
+ * on the shapes here remaining semver-stable — breaking changes only
+ * land in major versions.
+ *
+ * Usage:
+ *
+ * ```ts
+ * import {
+ *   computeCrap,
+ *   computeTdr,
+ *   computeProjectScore,
+ *   classifyTdr,
+ *   ratingIsWorseThan,
+ * } from "claude-crap/metrics";
+ * ```
+ *
+ * @module metrics
+ */
+export { computeCrap } from "./crap.js";
+export { classifyTdr, computeTdr, ratingIsWorseThan, ratingToRank, } from "./tdr.js";
+export { computeProjectScore, renderProjectScoreMarkdown, } from "./score.js";
+export { estimateWorkspaceLoc, MAX_FILES_WALKED } from "./workspace-walker.js";
+//# sourceMappingURL=index.js.map

package/dist/metrics/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/metrics/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAGxC,OAAO,EACL,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,YAAY,GACb,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,YAAY,CAAC;AAYpB,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/metrics/score.d.ts

@@ -0,0 +1,143 @@
+/**
+ * Aggregate project score engine.
+ *
+ * Given a fully resolved configuration, the live SARIF store, and a
+ * workspace LOC walker, this module produces a single immutable
+ * `ProjectScore` snapshot describing the entire project's quality
+ * posture across three dimensions:
+ *
+ *   - **Maintainability** — derived from the Technical Debt Ratio (TDR)
+ *     using the existing `metrics/tdr.ts` engine.
+ *   - **Reliability**     — derived from the worst non-security finding.
+ *   - **Security**        — derived from the worst security finding.
+ *
+ * Each dimension produces a letter grade A..E and the `overall` field
+ * collapses them by taking the worst grade. The `passes` field tells
+ * the caller whether the overall grade is within the configured
+ * `tdrMaxRating` tolerance — handy for the Stop quality gate and the
+ * `score_project` MCP tool.
+ *
+ * Security vs reliability is determined by a heuristic on the `ruleId`:
+ * any rule whose identifier matches a security keyword (`sec`, `sql`,
+ * `xss`, `csrf`, `injection`, `crypt`, `auth`, `secret`, `password`,
+ * `cve`, `vuln`) is treated as security. Everything else is reliability.
+ * This is intentionally coarse: adapters that stamp a richer SARIF
+ * taxonomy (e.g. `properties.tags = ["security"]`) could replace this
+ * classifier with an exact match, but the regex is sufficient for the
+ * scanners this plugin ships with.
+ *
+ * The score engine is pure: it does no I/O, takes a `WorkspaceStats`
+ * value (which the caller produces from the bounded LOC walker), and
+ * returns a brand new score object on every call. Tests can construct
+ * a `SarifStore` in memory and verify the boundaries directly.
+ *
+ * @module metrics/score
+ */
+import type { MaintainabilityRating } from "../config.js";
+import type { SarifStore } from "../sarif/sarif-store.js";
+/**
+ * Letter rating shared by every dimension. The same A..E scale used by
+ * SonarQube's reliability and security ratings, where A is best and E
+ * is unmaintainable / blocker-class.
+ */
+export type SeverityRating = MaintainabilityRating;
+/**
+ * Workspace size statistics produced by an external bounded walker.
+ * The score engine does not walk the disk itself — pass these in.
+ */
+export interface WorkspaceStats {
+    /** Total physical lines of code under the workspace root. */
+    readonly physicalLoc: number;
+    /** Number of files visited by the walker. */
+    readonly fileCount: number;
+}
+/**
+ * Per-dimension breakdown.
+ */
+export interface DimensionScore {
+    readonly rating: SeverityRating;
+    readonly findings: number;
+    readonly errorFindings: number;
+    readonly warningFindings: number;
+    readonly noteFindings: number;
+}
+/**
+ * Per-finding-level summary plus per-tool counts.
+ */
+export interface FindingsSummary {
+    readonly total: number;
+    readonly error: number;
+    readonly warning: number;
+    readonly note: number;
+    readonly byTool: Readonly<Record<string, number>>;
+    readonly byFile: Readonly<Record<string, number>>;
+}
+/**
+ * Maintainability dimension expressed as a TDR percentage.
+ */
+export interface MaintainabilityScore {
+    readonly rating: MaintainabilityRating;
+    readonly tdrPercent: number;
+    readonly remediationMinutes: number;
+    readonly developmentCostMinutes: number;
+}
+/**
+ * Pointer to where the consolidated report can be found.
+ */
+export interface ScoreLocation {
+    /** Local dashboard URL when the HTTP server is running, otherwise `null`. */
+    readonly dashboardUrl: string | null;
+    /** Absolute path to the consolidated SARIF document on disk. */
+    readonly sarifReportPath: string;
+}
+/**
+ * The full project score snapshot. Returned from {@link computeProjectScore}.
+ */
+export interface ProjectScore {
+    readonly generatedAt: string;
+    readonly workspaceRoot: string;
+    readonly loc: {
+        readonly physical: number;
+        readonly files: number;
+    };
+    readonly findings: FindingsSummary;
+    readonly maintainability: MaintainabilityScore;
+    readonly reliability: DimensionScore;
+    readonly security: DimensionScore;
+    readonly overall: {
+        readonly rating: SeverityRating;
+        /** True when `overall.rating` is no worse than `policyRating`. */
+        readonly passes: boolean;
+        /** Echoed from the configured policy. */
+        readonly policyRating: MaintainabilityRating;
+    };
+    readonly location: ScoreLocation;
+}
+/**
+ * Inputs accepted by {@link computeProjectScore}.
+ */
+export interface ComputeProjectScoreInput {
+    readonly workspaceRoot: string;
+    readonly minutesPerLoc: number;
+    readonly tdrMaxRating: MaintainabilityRating;
+    readonly workspace: WorkspaceStats;
+    readonly sarifStore: SarifStore;
+    readonly dashboardUrl: string | null;
+    readonly sarifReportPath: string;
+}
+/**
+ * Compute the full project score. Pure function — no side effects.
+ *
+ * @param input Aggregated inputs.
+ * @returns     A {@link ProjectScore} ready to be serialized.
+ */
+export declare function computeProjectScore(input: ComputeProjectScoreInput): ProjectScore;
+/**
+ * Render a project score as a compact Markdown summary suitable for
+ * display directly in a chat session. Keep it under ~30 lines so it
+ * does not dominate the conversation context.
+ *
+ * @param score The score to render.
+ */
+export declare function renderProjectScoreMarkdown(score: ProjectScore): string;
+//# sourceMappingURL=score.d.ts.map

package/dist/metrics/score.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.d.ts","sourceRoot":"","sources":["../../src/metrics/score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAG1D;;;;GAIG;AACH,MAAM,MAAM,cAAc,GAAG,qBAAqB,CAAC;AAEnD;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,6DAA6D;IAC7D,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,6CAA6C;IAC7C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAClD,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,MAAM,EAAE,qBAAqB,CAAC;IACvC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,QAAQ,CAAC,sBAAsB,EAAE,MAAM,CAAC;CACzC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,6EAA6E;IAC7E,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,gEAAgE;IAChE,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,GAAG,EAAE;QAAE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IACpE,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,eAAe,EAAE,oBAAoB,CAAC;IAC/C,QAAQ,CAAC,WAAW,EAAE,cAAc,CAAC;IACrC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;QAChC,kEAAkE;QAClE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;QACzB,yCAAyC;QACzC,QAAQ,CAAC,YAAY,EAAE,qBAAqB,CAAC;KAC9C,CAAC;IACF,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,YAAY,EAAE,qBAAqB,CAAC;IAC7C,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC;IACnC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;CAClC;AAWD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,wBAAwB,GAAG,YAAY,CAsFjF;AA6DD;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM,CAwBtE"}

package/dist/metrics/score.js

@@ -0,0 +1,224 @@
+/**
+ * Aggregate project score engine.
+ *
+ * Given a fully resolved configuration, the live SARIF store, and a
+ * workspace LOC walker, this module produces a single immutable
+ * `ProjectScore` snapshot describing the entire project's quality
+ * posture across three dimensions:
+ *
+ *   - **Maintainability** — derived from the Technical Debt Ratio (TDR)
+ *     using the existing `metrics/tdr.ts` engine.
+ *   - **Reliability**     — derived from the worst non-security finding.
+ *   - **Security**        — derived from the worst security finding.
+ *
+ * Each dimension produces a letter grade A..E and the `overall` field
+ * collapses them by taking the worst grade. The `passes` field tells
+ * the caller whether the overall grade is within the configured
+ * `tdrMaxRating` tolerance — handy for the Stop quality gate and the
+ * `score_project` MCP tool.
+ *
+ * Security vs reliability is determined by a heuristic on the `ruleId`:
+ * any rule whose identifier matches a security keyword (`sec`, `sql`,
+ * `xss`, `csrf`, `injection`, `crypt`, `auth`, `secret`, `password`,
+ * `cve`, `vuln`) is treated as security. Everything else is reliability.
+ * This is intentionally coarse: adapters that stamp a richer SARIF
+ * taxonomy (e.g. `properties.tags = ["security"]`) could replace this
+ * classifier with an exact match, but the regex is sufficient for the
+ * scanners this plugin ships with.
+ *
+ * The score engine is pure: it does no I/O, takes a `WorkspaceStats`
+ * value (which the caller produces from the bounded LOC walker), and
+ * returns a brand new score object on every call. Tests can construct
+ * a `SarifStore` in memory and verify the boundaries directly.
+ *
+ * @module metrics/score
+ */
+import { classifyTdr, ratingIsWorseThan } from "./tdr.js";
+/**
+ * Pattern that classifies a rule identifier as security-relevant.
+ * Matches case-insensitively against the rule id text. Intentionally
+ * permissive — false positives in classification are recoverable, but
+ * a missed security finding being graded as reliability is not.
+ */
+const SECURITY_RULE_PATTERN = /(sec|sql|xss|csrf|ssrf|injection|crypt|auth|secret|password|token|cve|vuln|jwt|cors|rce|deserial|prototype-pollution)/i;
+/**
+ * Compute the full project score. Pure function — no side effects.
+ *
+ * @param input Aggregated inputs.
+ * @returns     A {@link ProjectScore} ready to be serialized.
+ */
+export function computeProjectScore(input) {
+    const findingsList = input.sarifStore.list();
+    // ---- Findings summary ----
+    /** @type {Record<string, number>} */
+    const byTool = {};
+    const byFile = {};
+    let errorCount = 0;
+    let warningCount = 0;
+    let noteCount = 0;
+    let remediationMinutes = 0;
+    /** Findings split by classification. */
+    const securityFindings = [];
+    const reliabilityFindings = [];
+    for (const finding of findingsList) {
+        if (finding.level === "error")
+            errorCount += 1;
+        else if (finding.level === "warning")
+            warningCount += 1;
+        else if (finding.level === "note")
+            noteCount += 1;
+        byTool[finding.sourceTool] = (byTool[finding.sourceTool] ?? 0) + 1;
+        byFile[finding.location.uri] = (byFile[finding.location.uri] ?? 0) + 1;
+        const effort = typeof finding.properties?.effortMinutes === "number"
+            ? finding.properties.effortMinutes
+            : 0;
+        remediationMinutes += effort;
+        if (SECURITY_RULE_PATTERN.test(finding.ruleId)) {
+            securityFindings.push({ level: finding.level });
+        }
+        else {
+            reliabilityFindings.push({ level: finding.level });
+        }
+    }
+    const findings = {
+        total: findingsList.length,
+        error: errorCount,
+        warning: warningCount,
+        note: noteCount,
+        byTool,
+        byFile,
+    };
+    // ---- Maintainability (TDR) ----
+    // Guard against an empty workspace; the TDR formula divides by LOC.
+    const safeLoc = Math.max(input.workspace.physicalLoc, 1);
+    const developmentCostMinutes = input.minutesPerLoc * safeLoc;
+    const tdrPercent = (remediationMinutes / developmentCostMinutes) * 100;
+    const tdrRating = classifyTdr(tdrPercent);
+    const maintainability = {
+        rating: tdrRating,
+        tdrPercent: Number(tdrPercent.toFixed(4)),
+        remediationMinutes,
+        developmentCostMinutes,
+    };
+    // ---- Reliability and security dimensions ----
+    const reliability = scoreDimension(reliabilityFindings);
+    const security = scoreDimension(securityFindings);
+    // ---- Overall = the worst of the three ----
+    const overallRating = worstOf(maintainability.rating, reliability.rating, security.rating);
+    const passes = !ratingIsWorseThan(overallRating, input.tdrMaxRating);
+    return {
+        generatedAt: new Date().toISOString(),
+        workspaceRoot: input.workspaceRoot,
+        loc: { physical: input.workspace.physicalLoc, files: input.workspace.fileCount },
+        findings,
+        maintainability,
+        reliability,
+        security,
+        overall: {
+            rating: overallRating,
+            passes,
+            policyRating: input.tdrMaxRating,
+        },
+        location: {
+            dashboardUrl: input.dashboardUrl,
+            sarifReportPath: input.sarifReportPath,
+        },
+    };
+}
+/**
+ * Score a single dimension (reliability or security) from its findings.
+ *
+ * The mapping is intentionally coarse and maps directly from SARIF
+ * levels to letter ratings:
+ *
+ *   - 0 findings                    → A
+ *   - only `note` findings          → B
+ *   - 1+ `warning`, 0 `error`       → C
+ *   - 1–2 `error`                   → D
+ *   - 3+ `error`                    → E
+ *
+ * Projects that stamp explicit blocker / major / minor categories on
+ * their SARIF properties can wrap this function with their own
+ * taxonomy-aware classifier.
+ *
+ * @param findings Findings classified into this dimension.
+ */
+function scoreDimension(findings) {
+    let errorCount = 0;
+    let warningCount = 0;
+    let noteCount = 0;
+    for (const f of findings) {
+        if (f.level === "error")
+            errorCount += 1;
+        else if (f.level === "warning")
+            warningCount += 1;
+        else if (f.level === "note")
+            noteCount += 1;
+    }
+    let rating;
+    if (errorCount >= 3)
+        rating = "E";
+    else if (errorCount >= 1)
+        rating = "D";
+    else if (warningCount >= 1)
+        rating = "C";
+    else if (noteCount >= 1)
+        rating = "B";
+    else
+        rating = "A";
+    return {
+        rating,
+        findings: findings.length,
+        errorFindings: errorCount,
+        warningFindings: warningCount,
+        noteFindings: noteCount,
+    };
+}
+/**
+ * Return the worst (alphabetically highest) of an arbitrary number of
+ * letter ratings. Used to collapse the three dimension ratings into the
+ * overall project rating.
+ *
+ * @param ratings Two or more letter ratings.
+ * @returns       The worst rating.
+ */
+function worstOf(...ratings) {
+    let worst = "A";
+    for (const r of ratings) {
+        if (ratingIsWorseThan(r, worst))
+            worst = r;
+    }
+    return worst;
+}
+/**
+ * Render a project score as a compact Markdown summary suitable for
+ * display directly in a chat session. Keep it under ~30 lines so it
+ * does not dominate the conversation context.
+ *
+ * @param score The score to render.
+ */
+export function renderProjectScoreMarkdown(score) {
+    const verdict = score.overall.passes ? "✅ passes policy" : "❌ FAILS policy";
+    const dashboardLine = score.location.dashboardUrl
+        ? `📊 Dashboard:   ${score.location.dashboardUrl}`
+        : `📊 Dashboard:   <not running — start the MCP server to enable>`;
+    return [
+        `## claude-crap :: project score`,
+        ``,
+        `**Overall: ${score.overall.rating}** (${verdict}, policy ceiling = ${score.overall.policyRating})`,
+        ``,
+        `| Dimension       | Rating | Detail                                              |`,
+        `| --------------- | :----: | --------------------------------------------------- |`,
+        `| Maintainability |   ${score.maintainability.rating}    | TDR ${score.maintainability.tdrPercent}% (${score.maintainability.remediationMinutes} min over ${score.loc.physical} LOC) |`,
+        `| Reliability     |   ${score.reliability.rating}    | ${score.reliability.errorFindings} error · ${score.reliability.warningFindings} warning · ${score.reliability.noteFindings} note |`,
+        `| Security        |   ${score.security.rating}    | ${score.security.errorFindings} error · ${score.security.warningFindings} warning · ${score.security.noteFindings} note |`,
+        ``,
+        `Workspace: **${score.loc.physical} LOC** across **${score.loc.files} files**`,
+        `Findings:  **${score.findings.total} total** (${score.findings.error} error · ${score.findings.warning} warning · ${score.findings.note} note)`,
+        `Tools:     ${Object.keys(score.findings.byTool).join(", ") || "<none ingested>"}`,
+        ``,
+        dashboardLine,
+        `📄 Report:      ${score.location.sarifReportPath}`,
+    ].join("\n");
+}
+//# sourceMappingURL=score.js.map

package/dist/metrics/score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.js","sourceRoot":"","sources":["../../src/metrics/score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAiG1D;;;;;GAKG;AACH,MAAM,qBAAqB,GACzB,wHAAwH,CAAC;AAE3H;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAA+B;IACjE,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAE7C,6BAA6B;IAC7B,qCAAqC;IACrC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAE3B,wCAAwC;IACxC,MAAM,gBAAgB,GAA6B,EAAE,CAAC;IACtD,MAAM,mBAAmB,GAA6B,EAAE,CAAC;IAEzD,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,IAAI,OAAO,CAAC,KAAK,KAAK,OAAO;YAAE,UAAU,IAAI,CAAC,CAAC;aAC1C,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;YAAE,YAAY,IAAI,CAAC,CAAC;aACnD,IAAI,OAAO,CAAC,KAAK,KAAK,MAAM;YAAE,SAAS,IAAI,CAAC,CAAC;QAElD,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAEvE,MAAM,MAAM,GACV,OAAO,OAAO,CAAC,UAAU,EAAE,aAAa,KAAK,QAAQ;YACnD,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,aAAa;YAClC,CAAC,CAAC,CAAC,CAAC;QACR,kBAAkB,IAAI,MAAM,CAAC;QAE7B,IAAI,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/C,gBAAgB,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,mBAAmB,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAoB;QAChC,KAAK,EAAE,YAAY,CAAC,MAAM;QAC1B,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,YAAY;QACrB,IAAI,EAAE,SAAS;QACf,MAAM;QACN,MAAM;KACP,CAAC;IAEF,kCAAkC;IAClC,oEAAoE;IACpE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACzD,MAAM,sBAAsB,GAAG,KAAK,CAAC,aAAa,GAAG,OAAO,CAAC;IAC7D,MAAM,UAAU,GAAG,CAAC,kBAAkB,GAAG,sBAAsB,CAAC,GAAG,GAAG,CAAC;IACvE,MAAM,SAAS,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAE1C,MAAM,eAAe,GAAyB;QAC5C,MAAM,EAAE,SAAS;QACjB,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACzC,kBAAkB;QAClB,sBAAsB;KACvB,CAAC;IAEF,gDAAgD;IAChD,MAAM,WAAW,GAAG,cAAc,CAAC,mBAAmB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;IAElD,6CAA6C;IAC7C,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC3F,MAAM,MAAM,GAAG,CAAC,iBAAiB,CAAC,aAAa,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IAErE,OAAO;QACL,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,aAAa,EAAE,KAAK,CAAC,aAAa;QAClC,GAAG,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE;QAChF,QAAQ;QACR,eAAe;QACf,WAAW;QACX,QAAQ;QACR,OAAO,EAAE;YACP,MAAM,EAAE,aAAa;YACrB,MAAM;YACN,YAAY,EAAE,KAAK,CAAC,YAAY;SACjC;QACD,QAAQ,EAAE;YACR,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,eAAe,EAAE,KAAK,CAAC,eAAe;SACvC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAS,cAAc,CAAC,QAA0C;IAChE,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO;YAAE,UAAU,IAAI,CAAC,CAAC;aACpC,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS;YAAE,YAAY,IAAI,CAAC,CAAC;aAC7C,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM;YAAE,SAAS,IAAI,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,MAAsB,CAAC;IAC3B,IAAI,UAAU,IAAI,CAAC;QAAE,MAAM,GAAG,GAAG,CAAC;SAC7B,IAAI,UAAU,IAAI,CAAC;QAAE,MAAM,GAAG,GAAG,CAAC;SAClC,IAAI,YAAY,IAAI,CAAC;QAAE,MAAM,GAAG,GAAG,CAAC;SACpC,IAAI,SAAS,IAAI,CAAC;QAAE,MAAM,GAAG,GAAG,CAAC;;QACjC,MAAM,GAAG,GAAG,CAAC;IAElB,OAAO;QACL,MAAM;QACN,QAAQ,EAAE,QAAQ,CAAC,MAAM;QACzB,aAAa,EAAE,UAAU;QACzB,eAAe,EAAE,YAAY;QAC7B,YAAY,EAAE,SAAS;KACxB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,OAAO,CAAC,GAAG,OAAsC;IACxD,IAAI,KAAK,GAAmB,GAAG,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,iBAAiB,CAAC,CAAC,EAAE,KAAK,CAAC;YAAE,KAAK,GAAG,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,KAAmB;IAC5D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,gBAAgB,CAAC;IAC5E,MAAM,aAAa,GAAG,KAAK,CAAC,QAAQ,CAAC,YAAY;QAC/C,CAAC,CAAC,mBAAmB,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE;QAClD,CAAC,CAAC,gEAAgE,CAAC;IAErE,OAAO;QACL,iCAAiC;QACjC,EAAE;QACF,cAAc,KAAK,CAAC,OAAO,CAAC,MAAM,OAAO,OAAO,sBAAsB,KAAK,CAAC,OAAO,CAAC,YAAY,GAAG;QACnG,EAAE;QACF,oFAAoF;QACpF,oFAAoF;QACpF,yBAAyB,KAAK,CAAC,eAAe,CAAC,MAAM,aAAa,KAAK,CAAC,eAAe,CAAC,UAAU,MAAM,KAAK,CAAC,eAAe,CAAC,kBAAkB,aAAa,KAAK,CAAC,GAAG,CAAC,QAAQ,SAAS;QACxL,yBAAyB,KAAK,CAAC,WAAW,CAAC,MAAM,SAAS,KAAK,CAAC,WAAW,CAAC,aAAa,YAAY,KAAK,CAAC,WAAW,CAAC,eAAe,cAAc,KAAK,CAAC,WAAW,CAAC,YAAY,SAAS;QAC3L,yBAAyB,KAAK,CAAC,QAAQ,CAAC,MAAM,SAAS,KAAK,CAAC,QAAQ,CAAC,aAAa,YAAY,KAAK,CAAC,QAAQ,CAAC,eAAe,cAAc,KAAK,CAAC,QAAQ,CAAC,YAAY,SAAS;QAC/K,EAAE;QACF,gBAAgB,KAAK,CAAC,GAAG,CAAC,QAAQ,mBAAmB,KAAK,CAAC,GAAG,CAAC,KAAK,UAAU;QAC9E,gBAAgB,KAAK,CAAC,QAAQ,CAAC,KAAK,aAAa,KAAK,CAAC,QAAQ,CAAC,KAAK,YAAY,KAAK,CAAC,QAAQ,CAAC,OAAO,cAAc,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ;QAChJ,cAAc,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,iBAAiB,EAAE;QAClF,EAAE;QACF,aAAa;QACb,mBAAmB,KAAK,CAAC,QAAQ,CAAC,eAAe,EAAE;KACpD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC"}