claude-crap 0.3.5 → 0.3.7

package/src/index.ts

@@ -114,6 +114,7 @@ async function main(): Promise<void> {
       sarifStore,
       workspaceStatsProvider: () => estimateWorkspaceLoc(config.pluginRoot),
       logger,
+      astEngine,
     });
   } catch (err) {
     logger.warn(
@@ -581,7 +582,10 @@ async function main(): Promise<void> {
       case "auto_scan": {
         logger.info({ tool: "auto_scan" }, "Tool call received");
         try {
-          const result = await autoScan(config.pluginRoot, sarifStore, logger);
+          const result = await autoScan(config.pluginRoot, sarifStore, logger, {
+            engine: astEngine,
+            cyclomaticMax: config.cyclomaticMax,
+          });
           const markdown = renderAutoScanMarkdown(result);
           return {
             content: [
@@ -669,7 +673,10 @@ async function main(): Promise<void> {
   // If the agent calls score_project before scanning finishes, it gets
   // whatever is in the SARIF store so far. The next call after completion
   // reflects all findings.
-  autoScan(config.pluginRoot, sarifStore, logger)
+  autoScan(config.pluginRoot, sarifStore, logger, {
+    engine: astEngine,
+    cyclomaticMax: config.cyclomaticMax,
+  })
     .then((result) => {
       const scanners = result.results
         .filter((r) => r.success)
@@ -759,6 +766,17 @@ function renderAutoScanMarkdown(result: import("./scanner/auto-scan.js").AutoSca
     lines.push("");
   }
 
+  // Complexity scan
+  if (result.complexityScan) {
+    const cs = result.complexityScan;
+    lines.push("### Cyclomatic complexity scan\n");
+    lines.push(`- Files scanned: **${cs.filesScanned}**`);
+    lines.push(`- Functions analyzed: **${cs.functionsAnalyzed}**`);
+    lines.push(`- Violations: **${cs.violations}**`);
+    lines.push(`- Duration: ${(cs.durationMs / 1000).toFixed(1)}s`);
+    lines.push("");
+  }
+
   // Summary
   lines.push(
     `**Total findings ingested:** ${result.totalFindings} in ${(result.totalDurationMs / 1000).toFixed(1)}s`,

package/src/scanner/auto-scan.ts

@@ -25,7 +25,9 @@ import type { Logger } from "pino";
 import { detectScanners, type ScannerDetection } from "./detector.js";
 import { runScanner, type ScannerRunResult } from "./runner.js";
 import { bootstrapScanner } from "./bootstrap.js";
+import { scanComplexity, type ComplexityScanResult } from "./complexity-scanner.js";
 import { adaptScannerOutput, type KnownScanner } from "../adapters/index.js";
+import type { TreeSitterEngine } from "../ast/tree-sitter-engine.js";
 import type { SarifStore } from "../sarif/sarif-store.js";
 
 // ── Types ──────────────────────────────────────────────────────────
@@ -53,6 +55,8 @@ export interface AutoScanResult {
   totalFindings: number;
   /** Wall-clock time for the entire auto-scan. */
   totalDurationMs: number;
+  /** Result of the built-in cyclomatic complexity scan, when enabled. */
+  complexityScan?: ComplexityScanResult;
 }
 
 // ── Orchestrator ───────────────────────────────────────────────────
@@ -93,6 +97,7 @@ export async function autoScan(
   workspaceRoot: string,
   sarifStore: SarifStore,
   logger: Logger,
+  options?: { engine?: TreeSitterEngine; cyclomaticMax?: number },
 ): Promise<AutoScanResult> {
   const start = Date.now();
 
@@ -246,10 +251,31 @@ export async function autoScan(
     await sarifStore.persist();
   }
 
+  // 5. Run built-in cyclomatic complexity scanner
+  let complexityScan: ComplexityScanResult | undefined;
+  if (options?.engine) {
+    try {
+      complexityScan = await scanComplexity(
+        workspaceRoot,
+        options.engine,
+        sarifStore,
+        { cyclomaticMax: options.cyclomaticMax ?? 15 },
+        logger,
+      );
+      totalFindings += complexityScan.violations;
+    } catch (err) {
+      logger.warn(
+        { err: (err as Error).message },
+        "auto-scan: complexity scanner failed — continuing without it",
+      );
+    }
+  }
+
   return {
     detected,
     results,
     totalFindings,
     totalDurationMs: Date.now() - start,
+    ...(complexityScan ? { complexityScan } : {}),
   };
 }

package/src/scanner/complexity-scanner.ts

@@ -0,0 +1,233 @@
+/**
+ * Cyclomatic complexity scanner.
+ *
+ * Walks the workspace, analyzes each supported source file with
+ * tree-sitter, and emits SARIF findings for functions whose cyclomatic
+ * complexity exceeds the configured threshold (`cyclomaticMax`).
+ *
+ * This scanner is an internal analyzer — it is NOT a "known scanner"
+ * in the `KnownScanner` union (eslint/semgrep/bandit/stryker). It
+ * bypasses the adapter pipeline and writes SARIF directly via
+ * `wrapResultsInSarif()` from the common adapter helpers.
+ *
+ * Severity mapping:
+ *   - `warning` — CC > threshold but < 2× threshold
+ *   - `error`   — CC >= 2× threshold (aligns with CRAP index hard block at CC >= 30)
+ *
+ * @module scanner/complexity-scanner
+ */
+
+import { promises as fs } from "node:fs";
+import { join, relative } from "node:path";
+import type { Logger } from "pino";
+
+import { TreeSitterEngine } from "../ast/tree-sitter-engine.js";
+import { detectLanguageFromPath } from "../ast/language-config.js";
+import { wrapResultsInSarif, estimateEffortMinutes } from "../adapters/common.js";
+import type { SarifStore } from "../sarif/sarif-store.js";
+import type { SarifLevel } from "../sarif/sarif-builder.js";
+
+// ── Constants ─────────────────────────────────────────────────────
+
+/** Directories that should never be scanned. Mirrors `workspace-walker.ts`. */
+const SKIP_DIRS: ReadonlySet<string> = new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  "out",
+  "target",
+  ".venv",
+  "venv",
+  "__pycache__",
+  ".cache",
+  ".next",
+  ".nuxt",
+  ".claude-crap",
+  ".codesight",
+]);
+
+/** Hard cap on files to prevent unbounded analysis. */
+const MAX_FILES = 20_000;
+
+/** SARIF rule ID for cyclomatic complexity violations. */
+const RULE_ID = "complexity/cyclomatic-max";
+
+/** Source tool identifier used in SARIF properties. */
+const SOURCE_TOOL = "complexity";
+
+// ── Types ─────────────────────────────────────────────────────────
+
+/** Result of a complexity scan run. */
+export interface ComplexityScanResult {
+  /** Number of source files successfully analyzed. */
+  readonly filesScanned: number;
+  /** Total number of functions found across all files. */
+  readonly functionsAnalyzed: number;
+  /** Number of functions that exceeded the threshold. */
+  readonly violations: number;
+  /** Wall-clock time for the entire scan. */
+  readonly durationMs: number;
+}
+
+/** Configuration accepted by the scanner. */
+export interface ComplexityScanConfig {
+  /** Maximum cyclomatic complexity allowed per function. */
+  readonly cyclomaticMax: number;
+}
+
+// ── Scanner ───────────────────────────────────────────────────────
+
+/**
+ * Scan a workspace for cyclomatic complexity violations.
+ *
+ * Walks the directory tree, analyzes each source file with the
+ * tree-sitter engine, and emits SARIF findings for functions above
+ * the configured threshold. Findings are ingested into the provided
+ * `SarifStore` and persisted to disk.
+ *
+ * @param workspaceRoot Absolute path to the workspace root.
+ * @param engine        Initialized tree-sitter engine instance.
+ * @param sarifStore    Live SARIF store to ingest findings into.
+ * @param config        Scanner configuration (threshold).
+ * @param logger        Pino logger for progress and error reporting.
+ * @returns             Summary of what was scanned and found.
+ */
+export async function scanComplexity(
+  workspaceRoot: string,
+  engine: TreeSitterEngine,
+  sarifStore: SarifStore,
+  config: ComplexityScanConfig,
+  logger: Logger,
+): Promise<ComplexityScanResult> {
+  const start = Date.now();
+  const threshold = config.cyclomaticMax;
+  const errorThreshold = threshold * 2;
+
+  // 1. Collect supported source files
+  const files = await collectSourceFiles(workspaceRoot);
+  logger.info(
+    { fileCount: files.length, threshold },
+    "complexity-scanner: starting analysis",
+  );
+
+  // 2. Analyze each file and collect violations
+  const sarifResults: object[] = [];
+  let filesScanned = 0;
+  let functionsAnalyzed = 0;
+  let violations = 0;
+
+  for (const filePath of files) {
+    const language = detectLanguageFromPath(filePath);
+    if (!language) continue;
+
+    try {
+      const metrics = await engine.analyzeFile({ filePath, language });
+      filesScanned += 1;
+      functionsAnalyzed += metrics.functions.length;
+
+      for (const fn of metrics.functions) {
+        if (fn.cyclomaticComplexity <= threshold) continue;
+
+        const level: SarifLevel =
+          fn.cyclomaticComplexity >= errorThreshold ? "error" : "warning";
+
+        const relPath = relative(workspaceRoot, filePath);
+
+        sarifResults.push({
+          ruleId: RULE_ID,
+          level,
+          message: {
+            text: `Function '${fn.name}' has cyclomatic complexity ${fn.cyclomaticComplexity} (threshold: ${threshold})`,
+          },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: relPath },
+                region: {
+                  startLine: fn.startLine,
+                  startColumn: 1,
+                  endLine: fn.endLine,
+                  endColumn: 1,
+                },
+              },
+            },
+          ],
+          properties: {
+            sourceTool: SOURCE_TOOL,
+            effortMinutes: estimateEffortMinutes(level),
+            cyclomaticComplexity: fn.cyclomaticComplexity,
+          },
+        });
+        violations += 1;
+      }
+    } catch (err) {
+      logger.warn(
+        { filePath, err: (err as Error).message },
+        "complexity-scanner: failed to analyze file, skipping",
+      );
+    }
+  }
+
+  // 3. Ingest findings into the SARIF store
+  if (sarifResults.length > 0) {
+    const document = wrapResultsInSarif(
+      SOURCE_TOOL as never,
+      "0.1.0",
+      sarifResults,
+    );
+    sarifStore.ingestRun(document, SOURCE_TOOL);
+    await sarifStore.persist();
+  }
+
+  const durationMs = Date.now() - start;
+  logger.info(
+    { filesScanned, functionsAnalyzed, violations, durationMs },
+    "complexity-scanner: analysis complete",
+  );
+
+  return { filesScanned, functionsAnalyzed, violations, durationMs };
+}
+
+// ── File walker ───────────────────────────────────────────────────
+
+/**
+ * Collect source files from the workspace that the tree-sitter engine
+ * can analyze. Skips directories in `SKIP_DIRS` and hidden directories.
+ * Only returns files whose extension maps to a supported language.
+ */
+async function collectSourceFiles(workspaceRoot: string): Promise<string[]> {
+  const files: string[] = [];
+  let truncated = false;
+
+  async function walk(dir: string): Promise<void> {
+    if (truncated) return;
+    let entries;
+    try {
+      entries = await fs.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (truncated) return;
+      if (entry.name.startsWith(".") && entry.name !== ".claude-plugin") continue;
+      const full = join(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (SKIP_DIRS.has(entry.name)) continue;
+        await walk(full);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      // Only include files the tree-sitter engine can parse
+      if (!detectLanguageFromPath(entry.name)) continue;
+      files.push(full);
+      if (files.length >= MAX_FILES) {
+        truncated = true;
+        return;
+      }
+    }
+  }
+
+  await walk(workspaceRoot);
+  return files;
+}

package/src/tests/complexity-scanner.test.ts

@@ -0,0 +1,263 @@
+/**
+ * Unit tests for the cyclomatic complexity scanner.
+ *
+ * These tests verify that the scanner walks a workspace, analyzes source
+ * files with tree-sitter, and emits SARIF findings for functions whose
+ * cyclomatic complexity exceeds the configured threshold.
+ *
+ * @module tests/complexity-scanner.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import pino from "pino";
+
+import { scanComplexity } from "../scanner/complexity-scanner.js";
+import { TreeSitterEngine } from "../ast/tree-sitter-engine.js";
+import { SarifStore } from "../sarif/sarif-store.js";
+
+const logger = pino({ level: "silent" });
+
+function makeTmpDir(): string {
+  return mkdtempSync(join(tmpdir(), "crap-complexity-"));
+}
+
+/** Simple function: CC = 1 (straight-line). */
+const SIMPLE_TS = `
+export function greet(name: string): string {
+  return "hello " + name;
+}
+`;
+
+/** Function with CC = 5: 4 if-branches + 1 baseline. */
+const COMPLEX_TS = `
+export function classify(x: number): string {
+  if (x < 0) return "negative";
+  if (x === 0) return "zero";
+  if (x < 10) return "small";
+  if (x < 100) return "medium";
+  return "large";
+}
+`;
+
+/**
+ * Extremely complex function: many branches to push CC well above 30.
+ * Each if/else-if adds +1, plus boolean operators.
+ */
+const EXTREME_TS = `
+export function extremelyComplex(a: number, b: number, c: number): string {
+  if (a > 0) { return "a1"; }
+  if (a > 1) { return "a2"; }
+  if (a > 2) { return "a3"; }
+  if (a > 3) { return "a4"; }
+  if (a > 4) { return "a5"; }
+  if (a > 5) { return "a6"; }
+  if (a > 6) { return "a7"; }
+  if (a > 7) { return "a8"; }
+  if (a > 8) { return "a9"; }
+  if (a > 9) { return "a10"; }
+  if (b > 0) { return "b1"; }
+  if (b > 1) { return "b2"; }
+  if (b > 2) { return "b3"; }
+  if (b > 3) { return "b4"; }
+  if (b > 4) { return "b5"; }
+  if (b > 5) { return "b6"; }
+  if (b > 6) { return "b7"; }
+  if (b > 7) { return "b8"; }
+  if (b > 8) { return "b9"; }
+  if (b > 9) { return "b10"; }
+  if (c > 0) { return "c1"; }
+  if (c > 1) { return "c2"; }
+  if (c > 2) { return "c3"; }
+  if (c > 3) { return "c4"; }
+  if (c > 4) { return "c5"; }
+  if (c > 5) { return "c6"; }
+  if (c > 6) { return "c7"; }
+  if (c > 7) { return "c8"; }
+  if (c > 8) { return "c9"; }
+  if (c > 9) { return "c10"; }
+  return "default";
+}
+`;
+
+describe("scanComplexity", () => {
+  const engine = new TreeSitterEngine();
+
+  it("returns zero violations for an empty workspace", async () => {
+    const dir = makeTmpDir();
+    try {
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 15 }, logger,
+      );
+      assert.equal(result.violations, 0);
+      assert.equal(result.filesScanned, 0);
+      assert.equal(result.functionsAnalyzed, 0);
+      assert.ok(result.durationMs >= 0);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("finds no violations when all functions are below threshold", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "simple.ts"), SIMPLE_TS);
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 15 }, logger,
+      );
+      assert.equal(result.violations, 0);
+      assert.equal(result.filesScanned, 1);
+      assert.ok(result.functionsAnalyzed >= 1);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("flags functions above cyclomaticMax as warnings", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "complex.ts"), COMPLEX_TS);
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      // Set threshold to 3 so the CC=5 function triggers
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 3 }, logger,
+      );
+      assert.equal(result.violations, 1);
+
+      // Verify the finding is in the SARIF store
+      const findings = store.list();
+      const complexityFindings = findings.filter(
+        (f) => f.ruleId === "complexity/cyclomatic-max",
+      );
+      assert.equal(complexityFindings.length, 1);
+      assert.equal(complexityFindings[0]!.level, "warning");
+      assert.equal(complexityFindings[0]!.sourceTool, "complexity");
+      assert.ok(complexityFindings[0]!.message.includes("classify"));
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("emits error level for functions at >= 2x threshold", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "extreme.ts"), EXTREME_TS);
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      // threshold=15, CC=31 → 31 >= 30 (2x15) → error
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 15 }, logger,
+      );
+      assert.equal(result.violations, 1);
+
+      const findings = store.list();
+      const complexityFindings = findings.filter(
+        (f) => f.ruleId === "complexity/cyclomatic-max",
+      );
+      assert.equal(complexityFindings.length, 1);
+      assert.equal(complexityFindings[0]!.level, "error");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("skips directories in SKIP_DIRS", async () => {
+    const dir = makeTmpDir();
+    try {
+      // Put a complex file inside node_modules — should be skipped
+      const nmDir = join(dir, "node_modules", "pkg");
+      mkdirSync(nmDir, { recursive: true });
+      writeFileSync(join(nmDir, "index.ts"), COMPLEX_TS);
+
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 3 }, logger,
+      );
+      assert.equal(result.filesScanned, 0);
+      assert.equal(result.violations, 0);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("skips unsupported file extensions", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "data.json"), '{"key": "value"}');
+      writeFileSync(join(dir, "readme.md"), "# Hello");
+      writeFileSync(join(dir, "styles.css"), "body {}");
+
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 15 }, logger,
+      );
+      assert.equal(result.filesScanned, 0);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("respects custom cyclomaticMax threshold", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "complex.ts"), COMPLEX_TS);
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      // CC=5, threshold=10 → no violation
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 10 }, logger,
+      );
+      assert.equal(result.violations, 0);
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("sets effortMinutes and cyclomaticComplexity in finding properties", async () => {
+    const dir = makeTmpDir();
+    try {
+      writeFileSync(join(dir, "complex.ts"), COMPLEX_TS);
+      const store = new SarifStore({
+        workspaceRoot: dir,
+        outputDir: join(dir, ".claude-crap/reports"),
+      });
+      const result = await scanComplexity(
+        dir, engine, store, { cyclomaticMax: 3 }, logger,
+      );
+      assert.equal(result.violations, 1);
+
+      const findings = store.list();
+      const finding = findings.find((f) => f.ruleId === "complexity/cyclomatic-max");
+      assert.ok(finding);
+      assert.equal(typeof finding.properties?.effortMinutes, "number");
+      assert.ok((finding.properties?.effortMinutes as number) > 0);
+      assert.equal(typeof finding.properties?.cyclomaticComplexity, "number");
+    } finally {
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+});