claude-crap 0.3.6 → 0.3.8

package/src/index.ts

@@ -93,6 +93,18 @@ async function main(): Promise<void> {
     "claude-crap MCP server starting",
   );
 
+  // Load user-defined exclusions from .claude-crap.json (non-fatal).
+  let userExclusions: ReadonlyArray<string> = [];
+  try {
+    const crapConfig = loadCrapConfig({ workspaceRoot: config.pluginRoot });
+    userExclusions = crapConfig.exclude;
+    if (userExclusions.length > 0) {
+      logger.info({ exclude: userExclusions }, "user exclusions loaded from .claude-crap.json");
+    }
+  } catch {
+    // Non-fatal — use empty exclusions.
+  }
+
   // Long-lived engines. Created once at boot and reused for every call.
   const astEngine = new TreeSitterEngine();
   const sarifStore = new SarifStore({
@@ -112,8 +124,10 @@ async function main(): Promise<void> {
     dashboard = await startDashboard({
       config,
       sarifStore,
-      workspaceStatsProvider: () => estimateWorkspaceLoc(config.pluginRoot),
+      workspaceStatsProvider: () => estimateWorkspaceLoc(config.pluginRoot, { exclude: userExclusions }),
       logger,
+      astEngine,
+      exclude: userExclusions,
     });
   } catch (err) {
     logger.warn(
@@ -332,7 +346,7 @@ async function main(): Promise<void> {
         const typed = (args ?? {}) as { format?: "markdown" | "json" | "both" };
         const format = typed.format ?? "both";
         try {
-          const workspace = await estimateWorkspaceLoc(config.pluginRoot);
+          const workspace = await estimateWorkspaceLoc(config.pluginRoot, { exclude: userExclusions });
           const score: ProjectScore = computeProjectScore({
             workspaceRoot: config.pluginRoot,
             minutesPerLoc: config.minutesPerLoc,
@@ -581,7 +595,11 @@ async function main(): Promise<void> {
       case "auto_scan": {
         logger.info({ tool: "auto_scan" }, "Tool call received");
         try {
-          const result = await autoScan(config.pluginRoot, sarifStore, logger);
+          const result = await autoScan(config.pluginRoot, sarifStore, logger, {
+            engine: astEngine,
+            cyclomaticMax: config.cyclomaticMax,
+            exclude: userExclusions,
+          });
           const markdown = renderAutoScanMarkdown(result);
           return {
             content: [
@@ -669,7 +687,11 @@ async function main(): Promise<void> {
   // If the agent calls score_project before scanning finishes, it gets
   // whatever is in the SARIF store so far. The next call after completion
   // reflects all findings.
-  autoScan(config.pluginRoot, sarifStore, logger)
+  autoScan(config.pluginRoot, sarifStore, logger, {
+    engine: astEngine,
+    cyclomaticMax: config.cyclomaticMax,
+    exclude: userExclusions,
+  })
     .then((result) => {
       const scanners = result.results
         .filter((r) => r.success)
@@ -759,6 +781,17 @@ function renderAutoScanMarkdown(result: import("./scanner/auto-scan.js").AutoSca
     lines.push("");
   }
 
+  // Complexity scan
+  if (result.complexityScan) {
+    const cs = result.complexityScan;
+    lines.push("### Cyclomatic complexity scan\n");
+    lines.push(`- Files scanned: **${cs.filesScanned}**`);
+    lines.push(`- Functions analyzed: **${cs.functionsAnalyzed}**`);
+    lines.push(`- Violations: **${cs.violations}**`);
+    lines.push(`- Duration: ${(cs.durationMs / 1000).toFixed(1)}s`);
+    lines.push("");
+  }
+
   // Summary
   lines.push(
     `**Total findings ingested:** ${result.totalFindings} in ${(result.totalDurationMs / 1000).toFixed(1)}s`,

package/src/metrics/workspace-walker.ts

@@ -15,7 +15,9 @@
  */
 
 import { promises as fs } from "node:fs";
-import { join } from "node:path";
+import { join, relative } from "node:path";
+
+import { createExclusionFilter } from "../shared/exclusions.js";
 
 /**
  * Result returned by {@link estimateWorkspaceLoc}.
@@ -29,26 +31,9 @@ export interface WorkspaceWalkResult {
   readonly truncated: boolean;
 }
 
-/**
- * Directories that should never contribute to the LOC count. Dependency
- * caches, build artifacts, VCS metadata, claude-crap's own state.
- */
-const SKIP_DIRS: ReadonlySet<string> = new Set([
-  "node_modules",
-  ".git",
-  "dist",
-  "build",
-  "out",
-  "target",
-  ".venv",
-  "venv",
-  "__pycache__",
-  ".cache",
-  ".next",
-  ".nuxt",
-  ".claude-crap",
-  ".codesight",
-]);
+// Directory exclusions are now centralized in src/shared/exclusions.ts.
+// The createExclusionFilter() factory is called once per walk with
+// optional user-defined patterns from .claude-crap.json.
 
 /**
  * Extensions the walker treats as "code". Anything else is ignored,
@@ -91,9 +76,14 @@ export const MAX_FILES_WALKED = 20_000;
  * (which is tiny and contains the manifest).
  *
  * @param workspaceRoot Absolute path to the workspace root.
+ * @param options       Optional settings including user-defined exclusion patterns.
  * @returns             A {@link WorkspaceWalkResult} snapshot.
  */
-export async function estimateWorkspaceLoc(workspaceRoot: string): Promise<WorkspaceWalkResult> {
+export async function estimateWorkspaceLoc(
+  workspaceRoot: string,
+  options?: { exclude?: ReadonlyArray<string> },
+): Promise<WorkspaceWalkResult> {
+  const filter = createExclusionFilter(options?.exclude);
   let physicalLoc = 0;
   let fileCount = 0;
   let truncated = false;
@@ -108,11 +98,9 @@ export async function estimateWorkspaceLoc(workspaceRoot: string): Promise<Works
     }
     for (const entry of entries) {
       if (truncated) return;
-      // Skip hidden files except the plugin manifest dir.
-      if (entry.name.startsWith(".") && entry.name !== ".claude-plugin") continue;
       const full = join(dir, entry.name);
       if (entry.isDirectory()) {
-        if (SKIP_DIRS.has(entry.name)) continue;
+        if (filter.shouldSkipDir(entry.name)) continue;
         await walk(full);
         continue;
       }
@@ -122,6 +110,8 @@ export async function estimateWorkspaceLoc(workspaceRoot: string): Promise<Works
       if (dot < 0) continue;
       const ext = lower.substring(dot);
       if (!CODE_EXTENSIONS.has(ext)) continue;
+      const relPath = relative(workspaceRoot, full);
+      if (filter.shouldSkipFile(relPath, entry.name)) continue;
       fileCount += 1;
       if (fileCount > MAX_FILES_WALKED) {
         truncated = true;
@@ -130,8 +120,6 @@ export async function estimateWorkspaceLoc(workspaceRoot: string): Promise<Works
       try {
         const content = await fs.readFile(full, "utf8");
         if (content.length > 0) {
-          // Subtract 1 for trailing newline, matching what most editors
-          // report as the file's line count.
           const lines = content.split(/\r?\n/).length;
           physicalLoc += content.endsWith("\n") ? lines - 1 : lines;
         }

package/src/scanner/auto-scan.ts

@@ -22,10 +22,12 @@
 import { existsSync } from "node:fs";
 import { join } from "node:path";
 import type { Logger } from "pino";
-import { detectScanners, type ScannerDetection } from "./detector.js";
+import { detectScanners, detectMonorepoScanners, type ScannerDetection } from "./detector.js";
 import { runScanner, type ScannerRunResult } from "./runner.js";
 import { bootstrapScanner } from "./bootstrap.js";
+import { scanComplexity, type ComplexityScanResult } from "./complexity-scanner.js";
 import { adaptScannerOutput, type KnownScanner } from "../adapters/index.js";
+import type { TreeSitterEngine } from "../ast/tree-sitter-engine.js";
 import type { SarifStore } from "../sarif/sarif-store.js";
 
 // ── Types ──────────────────────────────────────────────────────────
@@ -53,6 +55,8 @@ export interface AutoScanResult {
   totalFindings: number;
   /** Wall-clock time for the entire auto-scan. */
   totalDurationMs: number;
+  /** Result of the built-in cyclomatic complexity scan, when enabled. */
+  complexityScan?: ComplexityScanResult;
 }
 
 // ── Orchestrator ───────────────────────────────────────────────────
@@ -93,16 +97,28 @@ export async function autoScan(
   workspaceRoot: string,
   sarifStore: SarifStore,
   logger: Logger,
+  options?: { engine?: TreeSitterEngine; cyclomaticMax?: number; exclude?: ReadonlyArray<string> },
 ): Promise<AutoScanResult> {
   const start = Date.now();
 
-  // 1. Detect available scanners
+  // 1. Detect available scanners (root + monorepo subdirs)
   const detected = await detectScanners(workspaceRoot);
+  const monorepoDetected = await detectMonorepoScanners(workspaceRoot);
+
+  // Merge monorepo detections — skip duplicates (same scanner already found at root)
+  const rootScannerSet = new Set(detected.filter((d) => d.available).map((d) => d.scanner));
+  for (const md of monorepoDetected) {
+    if (!rootScannerSet.has(md.scanner)) {
+      detected.push(md);
+    }
+  }
+
   const available = detected.filter((d) => d.available);
 
   logger.info(
     {
       detected: detected.map((d) => `${d.scanner}:${d.available}`),
+      monorepo: monorepoDetected.length,
       available: available.length,
     },
     "auto-scan: detection complete",
@@ -157,9 +173,9 @@ export async function autoScan(
     };
   }
 
-  // 2. Run all available scanners in parallel
+  // 2. Run all available scanners in parallel (each from its detected workingDir)
   const runResults = await Promise.allSettled(
-    available.map((d) => runScanner(d.scanner, workspaceRoot)),
+    available.map((d) => runScanner(d.scanner, workspaceRoot, d.workingDir ? { workingDir: d.workingDir } : undefined)),
   );
 
   // 3. Ingest results
@@ -246,10 +262,31 @@ export async function autoScan(
     await sarifStore.persist();
   }
 
+  // 5. Run built-in cyclomatic complexity scanner
+  let complexityScan: ComplexityScanResult | undefined;
+  if (options?.engine) {
+    try {
+      complexityScan = await scanComplexity(
+        workspaceRoot,
+        options.engine,
+        sarifStore,
+        { cyclomaticMax: options.cyclomaticMax ?? 15, ...(options.exclude ? { exclude: options.exclude } : {}) },
+        logger,
+      );
+      totalFindings += complexityScan.violations;
+    } catch (err) {
+      logger.warn(
+        { err: (err as Error).message },
+        "auto-scan: complexity scanner failed — continuing without it",
+      );
+    }
+  }
+
   return {
     detected,
     results,
     totalFindings,
     totalDurationMs: Date.now() - start,
+    ...(complexityScan ? { complexityScan } : {}),
   };
 }

package/src/scanner/bootstrap.ts

@@ -44,6 +44,7 @@ export type ProjectType =
   | "python"
   | "java"
   | "csharp"
+  | "dart"
   | "unknown";
 
 /**
@@ -117,6 +118,9 @@ export function detectProjectType(workspaceRoot: string): ProjectType {
     // readdirSync can fail on permissions — fall through
   }
 
+  // Dart / Flutter detection
+  if (has("pubspec.yaml")) return "dart";
+
   return "unknown";
 }
 
@@ -273,6 +277,13 @@ function getRecommendation(projectType: ProjectType): ScannerRecommendation {
         installInstructions:
           "brew install semgrep  (or: pip install semgrep, pipx install semgrep)",
       };
+    case "dart":
+      return {
+        scanner: "dart_analyze",
+        canAutoInstall: false,
+        installInstructions:
+          "Install the Dart SDK: https://dart.dev/get-dart  (or Flutter SDK which includes Dart)",
+      };
     case "unknown":
       return {
         scanner: "semgrep",

package/src/scanner/complexity-scanner.ts

@@ -0,0 +1,222 @@
+/**
+ * Cyclomatic complexity scanner.
+ *
+ * Walks the workspace, analyzes each supported source file with
+ * tree-sitter, and emits SARIF findings for functions whose cyclomatic
+ * complexity exceeds the configured threshold (`cyclomaticMax`).
+ *
+ * This scanner is an internal analyzer — it is NOT a "known scanner"
+ * in the `KnownScanner` union (eslint/semgrep/bandit/stryker). It
+ * bypasses the adapter pipeline and writes SARIF directly via
+ * `wrapResultsInSarif()` from the common adapter helpers.
+ *
+ * Severity mapping:
+ *   - `warning` — CC > threshold but < 2× threshold
+ *   - `error`   — CC >= 2× threshold (aligns with CRAP index hard block at CC >= 30)
+ *
+ * @module scanner/complexity-scanner
+ */
+
+import { promises as fs } from "node:fs";
+import { join, relative } from "node:path";
+import type { Logger } from "pino";
+
+import { TreeSitterEngine } from "../ast/tree-sitter-engine.js";
+import { detectLanguageFromPath } from "../ast/language-config.js";
+import { wrapResultsInSarif, estimateEffortMinutes } from "../adapters/common.js";
+import { createExclusionFilter } from "../shared/exclusions.js";
+import type { SarifStore } from "../sarif/sarif-store.js";
+import type { SarifLevel } from "../sarif/sarif-builder.js";
+
+// Directory exclusions are now centralized in src/shared/exclusions.ts.
+
+/** Hard cap on files to prevent unbounded analysis. */
+const MAX_FILES = 20_000;
+
+/** SARIF rule ID for cyclomatic complexity violations. */
+const RULE_ID = "complexity/cyclomatic-max";
+
+/** Source tool identifier used in SARIF properties. */
+const SOURCE_TOOL = "complexity";
+
+// ── Types ─────────────────────────────────────────────────────────
+
+/** Result of a complexity scan run. */
+export interface ComplexityScanResult {
+  /** Number of source files successfully analyzed. */
+  readonly filesScanned: number;
+  /** Total number of functions found across all files. */
+  readonly functionsAnalyzed: number;
+  /** Number of functions that exceeded the threshold. */
+  readonly violations: number;
+  /** Wall-clock time for the entire scan. */
+  readonly durationMs: number;
+}
+
+/** Configuration accepted by the scanner. */
+export interface ComplexityScanConfig {
+  /** Maximum cyclomatic complexity allowed per function. */
+  readonly cyclomaticMax: number;
+  /** User-defined exclusion patterns from .claude-crap.json. */
+  readonly exclude?: ReadonlyArray<string>;
+}
+
+// ── Scanner ───────────────────────────────────────────────────────
+
+/**
+ * Scan a workspace for cyclomatic complexity violations.
+ *
+ * Walks the directory tree, analyzes each source file with the
+ * tree-sitter engine, and emits SARIF findings for functions above
+ * the configured threshold. Findings are ingested into the provided
+ * `SarifStore` and persisted to disk.
+ *
+ * @param workspaceRoot Absolute path to the workspace root.
+ * @param engine        Initialized tree-sitter engine instance.
+ * @param sarifStore    Live SARIF store to ingest findings into.
+ * @param config        Scanner configuration (threshold).
+ * @param logger        Pino logger for progress and error reporting.
+ * @returns             Summary of what was scanned and found.
+ */
+export async function scanComplexity(
+  workspaceRoot: string,
+  engine: TreeSitterEngine,
+  sarifStore: SarifStore,
+  config: ComplexityScanConfig,
+  logger: Logger,
+): Promise<ComplexityScanResult> {
+  const start = Date.now();
+  const threshold = config.cyclomaticMax;
+  const errorThreshold = threshold * 2;
+
+  // 1. Collect supported source files
+  const filter = createExclusionFilter(config.exclude);
+  const files = await collectSourceFiles(workspaceRoot, filter);
+  logger.info(
+    { fileCount: files.length, threshold },
+    "complexity-scanner: starting analysis",
+  );
+
+  // 2. Analyze each file and collect violations
+  const sarifResults: object[] = [];
+  let filesScanned = 0;
+  let functionsAnalyzed = 0;
+  let violations = 0;
+
+  for (const filePath of files) {
+    const language = detectLanguageFromPath(filePath);
+    if (!language) continue;
+
+    try {
+      const metrics = await engine.analyzeFile({ filePath, language });
+      filesScanned += 1;
+      functionsAnalyzed += metrics.functions.length;
+
+      for (const fn of metrics.functions) {
+        if (fn.cyclomaticComplexity <= threshold) continue;
+
+        const level: SarifLevel =
+          fn.cyclomaticComplexity >= errorThreshold ? "error" : "warning";
+
+        const relPath = relative(workspaceRoot, filePath);
+
+        sarifResults.push({
+          ruleId: RULE_ID,
+          level,
+          message: {
+            text: `Function '${fn.name}' has cyclomatic complexity ${fn.cyclomaticComplexity} (threshold: ${threshold})`,
+          },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: relPath },
+                region: {
+                  startLine: fn.startLine,
+                  startColumn: 1,
+                  endLine: fn.endLine,
+                  endColumn: 1,
+                },
+              },
+            },
+          ],
+          properties: {
+            sourceTool: SOURCE_TOOL,
+            effortMinutes: estimateEffortMinutes(level),
+            cyclomaticComplexity: fn.cyclomaticComplexity,
+          },
+        });
+        violations += 1;
+      }
+    } catch (err) {
+      logger.warn(
+        { filePath, err: (err as Error).message },
+        "complexity-scanner: failed to analyze file, skipping",
+      );
+    }
+  }
+
+  // 3. Ingest findings into the SARIF store
+  if (sarifResults.length > 0) {
+    const document = wrapResultsInSarif(
+      SOURCE_TOOL as never,
+      "0.1.0",
+      sarifResults,
+    );
+    sarifStore.ingestRun(document, SOURCE_TOOL);
+    await sarifStore.persist();
+  }
+
+  const durationMs = Date.now() - start;
+  logger.info(
+    { filesScanned, functionsAnalyzed, violations, durationMs },
+    "complexity-scanner: analysis complete",
+  );
+
+  return { filesScanned, functionsAnalyzed, violations, durationMs };
+}
+
+// ── File walker ───────────────────────────────────────────────────
+
+/**
+ * Collect source files from the workspace that the tree-sitter engine
+ * can analyze. Uses the shared exclusion filter for directory and file
+ * filtering. Only returns files whose extension maps to a supported language.
+ */
+async function collectSourceFiles(
+  workspaceRoot: string,
+  filter: import("../shared/exclusions.js").ExclusionFilter,
+): Promise<string[]> {
+  const files: string[] = [];
+  let truncated = false;
+
+  async function walk(dir: string): Promise<void> {
+    if (truncated) return;
+    let entries;
+    try {
+      entries = await fs.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (truncated) return;
+      const full = join(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (filter.shouldSkipDir(entry.name)) continue;
+        await walk(full);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      if (!detectLanguageFromPath(entry.name)) continue;
+      const relPath = relative(workspaceRoot, full);
+      if (filter.shouldSkipFile(relPath, entry.name)) continue;
+      files.push(full);
+      if (files.length >= MAX_FILES) {
+        truncated = true;
+        return;
+      }
+    }
+  }
+
+  await walk(workspaceRoot);
+  return files;
+}

package/src/scanner/detector.ts

@@ -17,8 +17,8 @@
  * @module scanner/detector
  */
 
-import { existsSync, readFileSync } from "node:fs";
-import { join } from "node:path";
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join, resolve } from "node:path";
 import { execFile } from "node:child_process";
 import type { KnownScanner } from "../adapters/common.js";
 
@@ -36,6 +36,8 @@ export interface ScannerDetection {
   reason: string;
   /** Path to the config file that triggered detection, if any. */
   configPath?: string;
+  /** Working directory to run the scanner from (defaults to workspace root). */
+  workingDir?: string;
 }
 
 // ── Detection signals ──────────────────────────────────────────────
@@ -98,6 +100,14 @@ const SCANNER_SIGNALS: Record<KnownScanner, ScannerSignals> = {
     packageJsonKeys: ["@stryker-mutator/core"],
     binaryNames: ["stryker"],
   },
+  dart_analyze: {
+    configFiles: [
+      "analysis_options.yaml",
+      "pubspec.yaml",
+    ],
+    packageJsonKeys: [],
+    binaryNames: ["dart"],
+  },
 };
 
 // ── Probes ──────────────────────────────────────────────────────────
@@ -163,9 +173,9 @@ function probeBinary(binaryName: string): Promise<boolean> {
 // ── Public API ──────────────────────────────────────────────────────
 
 /**
- * Detect which of the four supported scanners are available in the
- * given workspace. Probes config files, package.json, and binary
- * availability in order, short-circuiting on first match.
+ * Detect which supported scanners are available in the given workspace.
+ * Probes config files, package.json, and binary availability in order,
+ * short-circuiting on first match.
  *
  * @param workspaceRoot Absolute path to the project root.
  * @returns One {@link ScannerDetection} per known scanner.
@@ -173,7 +183,7 @@ function probeBinary(binaryName: string): Promise<boolean> {
 export async function detectScanners(
   workspaceRoot: string,
 ): Promise<ScannerDetection[]> {
-  const scanners: KnownScanner[] = ["eslint", "semgrep", "bandit", "stryker"];
+  const scanners: KnownScanner[] = ["eslint", "semgrep", "bandit", "stryker", "dart_analyze"];
 
   const results = await Promise.all(
     scanners.map(async (scanner): Promise<ScannerDetection> => {
@@ -188,12 +198,18 @@ export async function detectScanners(
         };
       }
 
-      // 2. Package.json probe
+      // 2. Package.json probe — declared in deps/devDeps, but is it
+      //    actually installed? Check node_modules/.bin/ for the binary.
       if (probePackageJson(workspaceRoot, scanner)) {
+        const binName = SCANNER_SIGNALS[scanner].binaryNames[0];
+        const binPath = binName ? join(workspaceRoot, "node_modules", ".bin", binName) : null;
+        const installed = binPath !== null && existsSync(binPath);
         return {
           scanner,
-          available: true,
-          reason: `found in package.json dependencies`,
+          available: installed,
+          reason: installed
+            ? "found in package.json and installed"
+            : `found in package.json but not installed (run \`npm install\`)`,
         };
       }
 
@@ -220,5 +236,93 @@ export async function detectScanners(
   return results;
 }
 
+// ── Monorepo subdirectory probing ────────────────────────────────
+
+/**
+ * Common monorepo directory names that may contain workspace
+ * subdirectories. Checked one level deep only.
+ */
+const MONOREPO_DIRS = ["apps", "packages", "libs", "modules", "services"];
+
+/**
+ * Detect scanners in monorepo subdirectories. Probes first-level
+ * children of common monorepo directories (apps/, packages/, etc.)
+ * and npm workspaces for scanner config files. Returns detections
+ * with a `workingDir` pointing to the subdirectory.
+ *
+ * This catches e.g. `apps/mobile/pubspec.yaml` in a polyglot monorepo
+ * where the root-level detector only finds ESLint.
+ *
+ * @param workspaceRoot Absolute path to the project root.
+ * @returns Additional detections from subdirectories (may be empty).
+ */
+export async function detectMonorepoScanners(
+  workspaceRoot: string,
+): Promise<ScannerDetection[]> {
+  const subdirs = new Set<string>();
+
+  // 1. Read npm workspaces from package.json
+  try {
+    const pkgPath = join(workspaceRoot, "package.json");
+    const raw = readFileSync(pkgPath, "utf-8");
+    const pkg = JSON.parse(raw) as Record<string, unknown>;
+    if (Array.isArray(pkg.workspaces)) {
+      for (const ws of pkg.workspaces) {
+        if (typeof ws === "string" && !ws.includes("*")) {
+          const full = resolve(workspaceRoot, ws);
+          if (existsSync(full)) subdirs.add(full);
+        }
+      }
+    }
+  } catch {
+    // No package.json or not parseable — continue
+  }
+
+  // 2. Scan common monorepo directories one level deep
+  for (const dir of MONOREPO_DIRS) {
+    const full = join(workspaceRoot, dir);
+    try {
+      const entries = readdirSync(full, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory() && !entry.name.startsWith(".")) {
+          subdirs.add(join(full, entry.name));
+        }
+      }
+    } catch {
+      // Directory doesn't exist — skip
+    }
+  }
+
+  if (subdirs.size === 0) return [];
+
+  // 3. Probe each subdirectory for scanner config files
+  const detections: ScannerDetection[] = [];
+  const scanners: KnownScanner[] = ["eslint", "semgrep", "bandit", "stryker", "dart_analyze"];
+
+  for (const subdir of subdirs) {
+    for (const scanner of scanners) {
+      const configProbe = probeConfigFiles(subdir, scanner);
+      if (!configProbe.found) continue;
+
+      // For dart_analyze, also verify the binary is on PATH
+      if (scanner === "dart_analyze") {
+        const hasBinary = await probeBinary("dart");
+        if (!hasBinary) continue;
+      }
+
+      const relDir = subdir.replace(workspaceRoot + "/", "");
+      detections.push({
+        scanner,
+        available: true,
+        reason: `config file found in ${relDir}/`,
+        ...(configProbe.path ? { configPath: configProbe.path } : {}),
+        workingDir: subdir,
+      });
+    }
+  }
+
+  return detections;
+}
+
 // Exported for testing
-export { SCANNER_SIGNALS };
+export { SCANNER_SIGNALS, MONOREPO_DIRS };