claude-crap 0.3.6 → 0.3.8

package/plugin/bundle/mcp-server.mjs

@@ -2977,7 +2977,7 @@ var require_compile = __commonJS({
       const schOrFunc = root.refs[ref];
       if (schOrFunc)
         return schOrFunc;
-      let _sch = resolve6.call(this, root, ref);
+      let _sch = resolve7.call(this, root, ref);
       if (_sch === void 0) {
         const schema = (_a = root.localRefs) === null || _a === void 0 ? void 0 : _a[ref];
         const { schemaId } = this.opts;
@@ -3004,7 +3004,7 @@ var require_compile = __commonJS({
     function sameSchemaEnv(s1, s2) {
       return s1.schema === s2.schema && s1.root === s2.root && s1.baseId === s2.baseId;
     }
-    function resolve6(root, ref) {
+    function resolve7(root, ref) {
       let sch;
       while (typeof (sch = this.refs[ref]) == "string")
         ref = sch;
@@ -3579,55 +3579,55 @@ var require_fast_uri = __commonJS({
       }
       return uri;
     }
-    function resolve6(baseURI, relativeURI, options) {
+    function resolve7(baseURI, relativeURI, options) {
       const schemelessOptions = options ? Object.assign({ scheme: "null" }, options) : { scheme: "null" };
       const resolved = resolveComponent(parse(baseURI, schemelessOptions), parse(relativeURI, schemelessOptions), schemelessOptions, true);
       schemelessOptions.skipEscape = true;
       return serialize(resolved, schemelessOptions);
     }
-    function resolveComponent(base, relative2, options, skipNormalization) {
+    function resolveComponent(base, relative4, options, skipNormalization) {
       const target = {};
       if (!skipNormalization) {
         base = parse(serialize(base, options), options);
-        relative2 = parse(serialize(relative2, options), options);
+        relative4 = parse(serialize(relative4, options), options);
       }
       options = options || {};
-      if (!options.tolerant && relative2.scheme) {
-        target.scheme = relative2.scheme;
-        target.userinfo = relative2.userinfo;
-        target.host = relative2.host;
-        target.port = relative2.port;
-        target.path = removeDotSegments(relative2.path || "");
-        target.query = relative2.query;
+      if (!options.tolerant && relative4.scheme) {
+        target.scheme = relative4.scheme;
+        target.userinfo = relative4.userinfo;
+        target.host = relative4.host;
+        target.port = relative4.port;
+        target.path = removeDotSegments(relative4.path || "");
+        target.query = relative4.query;
       } else {
-        if (relative2.userinfo !== void 0 || relative2.host !== void 0 || relative2.port !== void 0) {
-          target.userinfo = relative2.userinfo;
-          target.host = relative2.host;
-          target.port = relative2.port;
-          target.path = removeDotSegments(relative2.path || "");
-          target.query = relative2.query;
+        if (relative4.userinfo !== void 0 || relative4.host !== void 0 || relative4.port !== void 0) {
+          target.userinfo = relative4.userinfo;
+          target.host = relative4.host;
+          target.port = relative4.port;
+          target.path = removeDotSegments(relative4.path || "");
+          target.query = relative4.query;
         } else {
-          if (!relative2.path) {
+          if (!relative4.path) {
             target.path = base.path;
-            if (relative2.query !== void 0) {
-              target.query = relative2.query;
+            if (relative4.query !== void 0) {
+              target.query = relative4.query;
             } else {
               target.query = base.query;
             }
           } else {
-            if (relative2.path[0] === "/") {
-              target.path = removeDotSegments(relative2.path);
+            if (relative4.path[0] === "/") {
+              target.path = removeDotSegments(relative4.path);
             } else {
               if ((base.userinfo !== void 0 || base.host !== void 0 || base.port !== void 0) && !base.path) {
-                target.path = "/" + relative2.path;
+                target.path = "/" + relative4.path;
               } else if (!base.path) {
-                target.path = relative2.path;
+                target.path = relative4.path;
               } else {
-                target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative2.path;
+                target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative4.path;
               }
               target.path = removeDotSegments(target.path);
             }
-            target.query = relative2.query;
+            target.query = relative4.query;
           }
           target.userinfo = base.userinfo;
           target.host = base.host;
@@ -3635,7 +3635,7 @@ var require_fast_uri = __commonJS({
         }
         target.scheme = base.scheme;
       }
-      target.fragment = relative2.fragment;
+      target.fragment = relative4.fragment;
       return target;
     }
     function equal(uriA, uriB, options) {
@@ -3806,7 +3806,7 @@ var require_fast_uri = __commonJS({
     var fastUri = {
       SCHEMES,
       normalize,
-      resolve: resolve6,
+      resolve: resolve7,
       resolveComponent,
       equal,
       serialize,
@@ -6853,6 +6853,84 @@ function buildSarifResult3(opts) {
   };
 }
 
+// src/adapters/dart-analyzer.ts
+function mapSeverity3(dartSeverity) {
+  switch (dartSeverity.toUpperCase()) {
+    case "ERROR":
+      return "error";
+    case "WARNING":
+      return "warning";
+    case "INFO":
+      return "note";
+    default:
+      return "warning";
+  }
+}
+var EFFORT_BY_SEVERITY = {
+  error: 30,
+  warning: 15,
+  note: 5,
+  none: 0
+};
+function adaptDartAnalyzer(rawOutput) {
+  let parsed;
+  if (typeof rawOutput === "string") {
+    try {
+      parsed = JSON.parse(rawOutput);
+    } catch {
+      throw new Error("[dart-analyzer adapter] rawOutput is not valid JSON");
+    }
+  } else if (rawOutput && typeof rawOutput === "object" && "diagnostics" in rawOutput) {
+    parsed = rawOutput;
+  } else {
+    throw new Error(
+      "[dart-analyzer adapter] rawOutput must be a JSON string or an object with a 'diagnostics' array"
+    );
+  }
+  if (!Array.isArray(parsed.diagnostics)) {
+    throw new Error("[dart-analyzer adapter] 'diagnostics' must be an array");
+  }
+  const results = [];
+  let totalEffortMinutes = 0;
+  for (const diag of parsed.diagnostics) {
+    const level = mapSeverity3(diag.severity);
+    const effort = EFFORT_BY_SEVERITY[level] ?? estimateEffortMinutes(level);
+    totalEffortMinutes += effort;
+    results.push({
+      ruleId: diag.code,
+      level,
+      message: {
+        text: diag.problemMessage + (diag.correctionMessage ? ` ${diag.correctionMessage}` : "")
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: diag.location.file
+            },
+            region: {
+              startLine: diag.location.range.start.line,
+              startColumn: diag.location.range.start.column,
+              endLine: diag.location.range.end.line,
+              endColumn: diag.location.range.end.column
+            }
+          }
+        }
+      ],
+      properties: {
+        effortMinutes: effort,
+        ...diag.documentation ? { helpUri: diag.documentation } : {}
+      }
+    });
+  }
+  return {
+    document: wrapResultsInSarif("dart_analyze", "1.0.0", results),
+    sourceTool: "dart_analyze",
+    findingCount: parsed.diagnostics.length,
+    totalEffortMinutes
+  };
+}
+
 // src/adapters/index.ts
 function adaptScannerOutput(scanner, rawOutput) {
   switch (scanner) {
@@ -6864,6 +6942,8 @@ function adaptScannerOutput(scanner, rawOutput) {
       return adaptBandit(rawOutput);
     case "stryker":
       return adaptStryker(rawOutput);
+    case "dart_analyze":
+      return adaptDartAnalyzer(rawOutput);
     default: {
       const exhaustive = scanner;
       throw new Error(`[adapters] Unknown scanner: ${String(exhaustive)}`);
@@ -7041,6 +7121,15 @@ var LANGUAGE_TABLE = {
   python: PYTHON,
   java: JAVA
 };
+function detectLanguageFromPath(filePath) {
+  const lower = filePath.toLowerCase();
+  for (const config of Object.values(LANGUAGE_TABLE)) {
+    for (const ext of config.extensions) {
+      if (lower.endsWith(ext)) return config.id;
+    }
+  }
+  return null;
+}
 
 // src/ast/tree-sitter-engine.ts
 var TreeSitterEngine = class {
@@ -7235,12 +7324,106 @@ function loadConfig() {
 }
 
 // src/dashboard/server.ts
-import { promises as fs2, existsSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
-import { dirname as dirname2, join as join2, resolve as resolve2 } from "node:path";
+import { promises as fs3, existsSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
+import { dirname as dirname2, join as join2, resolve as resolve3 } from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 import Fastify from "fastify";
 import fastifyStatic from "@fastify/static";
 
+// src/shared/exclusions.ts
+import picomatch from "picomatch";
+var DEFAULT_SKIP_DIRS = /* @__PURE__ */ new Set([
+  // Package managers / vendored deps
+  "node_modules",
+  "vendor",
+  // Version control
+  ".git",
+  // Build outputs (general)
+  "dist",
+  "build",
+  "bundle",
+  "out",
+  "target",
+  "coverage",
+  // Framework build outputs
+  ".next",
+  // Next.js
+  ".nuxt",
+  // Nuxt 2
+  ".output",
+  // Nuxt 3
+  ".vercel",
+  // Vercel
+  ".svelte-kit",
+  // SvelteKit
+  ".astro",
+  // Astro
+  ".angular",
+  // Angular
+  ".turbo",
+  // Turborepo
+  ".parcel-cache",
+  // Parcel
+  ".expo",
+  // Expo / React Native
+  // Language-specific caches
+  ".venv",
+  "venv",
+  "__pycache__",
+  ".cache",
+  ".dart_tool",
+  // Dart / Flutter
+  ".gradle",
+  // Gradle
+  // IDE state
+  ".idea",
+  // Plugin state
+  ".claude-crap",
+  ".codesight"
+]);
+var DEFAULT_SKIP_PATTERNS = [
+  "*.min.js",
+  "*.min.css",
+  "*.min.mjs",
+  "*.min.cjs",
+  "*.bundle.js",
+  "*.chunk.js"
+];
+function createExclusionFilter(userExclusions) {
+  const extraDirs = /* @__PURE__ */ new Set();
+  const fileGlobs = [];
+  for (const pattern of userExclusions ?? []) {
+    if (pattern.endsWith("/")) {
+      extraDirs.add(pattern.slice(0, -1));
+    } else {
+      fileGlobs.push(pattern);
+    }
+  }
+  const defaultFileMatchers = DEFAULT_SKIP_PATTERNS.map(
+    (p) => picomatch(p, { dot: true })
+  );
+  const userFileMatchers = fileGlobs.map(
+    (p) => picomatch(p, { dot: true })
+  );
+  return {
+    shouldSkipDir(dirName) {
+      if (dirName.startsWith(".") && dirName !== ".claude-plugin") {
+        return DEFAULT_SKIP_DIRS.has(dirName) || true;
+      }
+      return DEFAULT_SKIP_DIRS.has(dirName) || extraDirs.has(dirName);
+    },
+    shouldSkipFile(relativePath, fileName) {
+      for (const matcher of defaultFileMatchers) {
+        if (matcher(fileName)) return true;
+      }
+      for (const matcher of userFileMatchers) {
+        if (matcher(relativePath) || matcher(fileName)) return true;
+      }
+      return false;
+    }
+  };
+}
+
 // src/metrics/tdr.ts
 var RATING_ORDER = ["A", "B", "C", "D", "E"];
 function ratingToRank(rating) {
@@ -7403,6 +7586,105 @@ function renderProjectScoreMarkdown(score) {
   ].join("\n");
 }
 
+// src/dashboard/file-detail.ts
+import { promises as fs2 } from "node:fs";
+
+// src/workspace-guard.ts
+import { isAbsolute, resolve as resolve2, sep } from "node:path";
+function resolveWithinWorkspace(workspaceRoot, filePath) {
+  const workspace = resolve2(workspaceRoot);
+  const candidate = isAbsolute(filePath) ? resolve2(filePath) : resolve2(workspace, filePath);
+  if (candidate !== workspace && !candidate.startsWith(workspace + sep)) {
+    throw new Error(
+      `[claude-crap] Refusing to access '${filePath}' \u2014 path escapes the workspace root`
+    );
+  }
+  return candidate;
+}
+
+// src/dashboard/file-detail.ts
+async function buildFileDetail(input) {
+  const { relativePath, workspaceRoot, astEngine, sarifStore, cyclomaticMax } = input;
+  const absolutePath = resolveWithinWorkspace(workspaceRoot, relativePath);
+  const source = await fs2.readFile(absolutePath, "utf8");
+  const sourceLines = source.split(/\r?\n/);
+  if (sourceLines.length > 0 && sourceLines[sourceLines.length - 1] === "") {
+    sourceLines.pop();
+  }
+  const physicalLoc = sourceLines.length;
+  let logicalLoc = 0;
+  for (const line of sourceLines) {
+    if (line.trim().length > 0) logicalLoc += 1;
+  }
+  const language = detectLanguageFromPath(relativePath);
+  let functions = [];
+  if (language && astEngine) {
+    try {
+      const metrics = await astEngine.analyzeFile({
+        filePath: absolutePath,
+        language
+      });
+      functions = metrics.functions.map((fn) => ({
+        name: fn.name,
+        startLine: fn.startLine,
+        endLine: fn.endLine,
+        cyclomaticComplexity: fn.cyclomaticComplexity,
+        lineCount: fn.lineCount
+      }));
+    } catch {
+    }
+  }
+  const allFindings = sarifStore.list();
+  const fileFindings = allFindings.filter(
+    (f) => f.location.uri === relativePath
+  );
+  const findings = fileFindings.map((f) => ({
+    ruleId: f.ruleId,
+    level: f.level,
+    message: f.message,
+    sourceTool: f.sourceTool,
+    startLine: f.location.startLine,
+    startColumn: f.location.startColumn,
+    endLine: f.location.endLine ?? f.location.startLine,
+    endColumn: f.location.endColumn ?? 0,
+    effortMinutes: typeof f.properties?.effortMinutes === "number" ? f.properties.effortMinutes : 0
+  }));
+  let errorCount = 0;
+  let warningCount = 0;
+  let noteCount = 0;
+  let totalEffortMinutes = 0;
+  for (const f of findings) {
+    if (f.level === "error") errorCount += 1;
+    else if (f.level === "warning") warningCount += 1;
+    else if (f.level === "note") noteCount += 1;
+    totalEffortMinutes += f.effortMinutes;
+  }
+  const complexities = functions.map((f) => f.cyclomaticComplexity);
+  const maxComplexity = complexities.length > 0 ? Math.max(...complexities) : 0;
+  const avgComplexity = complexities.length > 0 ? Math.round(
+    complexities.reduce((a, b) => a + b, 0) / complexities.length * 100
+  ) / 100 : 0;
+  return {
+    filePath: relativePath,
+    language,
+    physicalLoc,
+    logicalLoc,
+    cyclomaticMax,
+    sourceLines,
+    functions,
+    findings,
+    summary: {
+      totalFindings: findings.length,
+      errorCount,
+      warningCount,
+      noteCount,
+      totalEffortMinutes,
+      avgComplexity,
+      maxComplexity
+    }
+  };
+}
+
 // src/dashboard/server.ts
 async function startDashboard(options) {
   const { config, sarifStore, workspaceStatsProvider, logger: logger2 } = options;
@@ -7416,13 +7698,45 @@ async function startDashboard(options) {
     root: publicRoot,
     prefix: "/"
   });
-  fastify.get("/api/health", async () => ({ status: "ok", server: "claude-crap", version: "0.3.6" }));
+  fastify.get("/api/health", async () => ({ status: "ok", server: "claude-crap", version: "0.3.8" }));
   fastify.get("/api/score", async () => {
     const stats = await workspaceStatsProvider();
     const score = await buildScore(config, sarifStore, stats, urlOf(fastify, config));
     return score;
   });
   fastify.get("/api/sarif", async () => sarifStore.toSarifDocument());
+  fastify.get("/api/complexity", async () => {
+    if (!options.astEngine) {
+      return { threshold: config.cyclomaticMax, totalFunctions: 0, violationCount: 0, topFunctions: [] };
+    }
+    return buildComplexityReport(config, options.astEngine, logger2, options.exclude);
+  });
+  fastify.get("/api/file-detail", async (request, reply) => {
+    const { path: filePath } = request.query;
+    if (!filePath) {
+      return reply.status(400).send({ error: "Missing required query parameter: path" });
+    }
+    try {
+      const detail = await buildFileDetail({
+        relativePath: filePath,
+        workspaceRoot: config.pluginRoot,
+        astEngine: options.astEngine,
+        sarifStore,
+        cyclomaticMax: config.cyclomaticMax
+      });
+      return detail;
+    } catch (err) {
+      const msg = err.message;
+      if (msg.includes("ENOENT") || msg.includes("not found")) {
+        return reply.status(404).send({ error: `File not found: ${filePath}` });
+      }
+      if (msg.includes("escapes the workspace")) {
+        return reply.status(400).send({ error: msg });
+      }
+      logger2.error({ err: msg, filePath }, "file-detail endpoint error");
+      return reply.status(500).send({ error: "Internal server error" });
+    }
+  });
   fastify.get("/", async (_request, reply) => {
     return reply.sendFile("index.html");
   });
@@ -7444,19 +7758,19 @@ async function resolvePublicRoot(logger2) {
   const here = dirname2(fileURLToPath2(import.meta.url));
   const candidates = [
     // 0. Bundled layout: plugin/bundle/mcp-server.mjs → ./dashboard/public
-    resolve2(here, "dashboard", "public"),
+    resolve3(here, "dashboard", "public"),
     // 1. Compiled layout: dist/dashboard/server.js → ./public next to it
     //    (only present if a build step copies the assets — not used
     //    today, but accepted so a future copy step does not break us).
-    resolve2(here, "public"),
+    resolve3(here, "public"),
     // 2. Source-relative layout: dist/dashboard/server.js → ../../src/dashboard/public
     //    This is the default — no copy step required because we resolve
     //    upward from `dist/` into `src/` at runtime.
-    resolve2(here, "..", "..", "src", "dashboard", "public")
+    resolve3(here, "..", "..", "src", "dashboard", "public")
   ];
   for (const candidate of candidates) {
     try {
-      await fs2.access(resolve2(candidate, "index.html"));
+      await fs3.access(resolve3(candidate, "index.html"));
       return candidate;
     } catch {
     }
@@ -7541,6 +7855,57 @@ async function killStaleDashboard(pidFilePath, port, logger2) {
   removePidFile(pidFilePath);
   await new Promise((r) => setTimeout(r, 300));
 }
+async function buildComplexityReport(config, engine, logger2, exclude) {
+  const threshold = config.cyclomaticMax;
+  const filter = createExclusionFilter(exclude);
+  const allFunctions = [];
+  let totalFunctions = 0;
+  async function walk2(dir) {
+    let entries;
+    try {
+      entries = await fs3.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const full = join2(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (filter.shouldSkipDir(entry.name)) continue;
+        await walk2(full);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      const language = detectLanguageFromPath(entry.name);
+      if (!language) continue;
+      try {
+        const metrics = await engine.analyzeFile({ filePath: full, language });
+        for (const fn of metrics.functions) {
+          totalFunctions += 1;
+          allFunctions.push({
+            filePath: full.startsWith(config.pluginRoot) ? full.substring(config.pluginRoot.length + 1) : full,
+            name: fn.name,
+            cyclomaticComplexity: fn.cyclomaticComplexity,
+            startLine: fn.startLine,
+            endLine: fn.endLine,
+            lineCount: fn.lineCount
+          });
+        }
+      } catch (err) {
+        logger2.warn(
+          { filePath: full, err: err.message },
+          "complexity-report: failed to analyze file"
+        );
+      }
+    }
+  }
+  await walk2(config.pluginRoot);
+  allFunctions.sort((a, b) => b.cyclomaticComplexity - a.cyclomaticComplexity);
+  const topFunctions = allFunctions.slice(0, 20);
+  const violationCount = allFunctions.filter(
+    (f) => f.cyclomaticComplexity > threshold
+  ).length;
+  return { threshold, totalFunctions, violationCount, topFunctions };
+}
 async function buildScore(config, sarifStore, workspace, dashboardUrl) {
   return computeProjectScore({
     workspaceRoot: config.pluginRoot,
@@ -7583,24 +7948,8 @@ function computeCrap(input, threshold) {
 }
 
 // src/metrics/workspace-walker.ts
-import { promises as fs3 } from "node:fs";
-import { join as join3 } from "node:path";
-var SKIP_DIRS = /* @__PURE__ */ new Set([
-  "node_modules",
-  ".git",
-  "dist",
-  "build",
-  "out",
-  "target",
-  ".venv",
-  "venv",
-  "__pycache__",
-  ".cache",
-  ".next",
-  ".nuxt",
-  ".claude-crap",
-  ".codesight"
-]);
+import { promises as fs4 } from "node:fs";
+import { join as join3, relative } from "node:path";
 var CODE_EXTENSIONS = /* @__PURE__ */ new Set([
   ".ts",
   ".tsx",
@@ -7624,7 +7973,8 @@ var CODE_EXTENSIONS = /* @__PURE__ */ new Set([
   ".vue"
 ]);
 var MAX_FILES_WALKED = 2e4;
-async function estimateWorkspaceLoc(workspaceRoot) {
+async function estimateWorkspaceLoc(workspaceRoot, options) {
+  const filter = createExclusionFilter(options?.exclude);
   let physicalLoc = 0;
   let fileCount = 0;
   let truncated = false;
@@ -7632,16 +7982,15 @@ async function estimateWorkspaceLoc(workspaceRoot) {
     if (truncated) return;
     let entries;
     try {
-      entries = await fs3.readdir(dir, { withFileTypes: true });
+      entries = await fs4.readdir(dir, { withFileTypes: true });
     } catch {
       return;
     }
     for (const entry of entries) {
       if (truncated) return;
-      if (entry.name.startsWith(".") && entry.name !== ".claude-plugin") continue;
       const full = join3(dir, entry.name);
       if (entry.isDirectory()) {
-        if (SKIP_DIRS.has(entry.name)) continue;
+        if (filter.shouldSkipDir(entry.name)) continue;
         await walk2(full);
         continue;
       }
@@ -7651,13 +8000,15 @@ async function estimateWorkspaceLoc(workspaceRoot) {
       if (dot < 0) continue;
       const ext = lower.substring(dot);
       if (!CODE_EXTENSIONS.has(ext)) continue;
+      const relPath = relative(workspaceRoot, full);
+      if (filter.shouldSkipFile(relPath, entry.name)) continue;
       fileCount += 1;
       if (fileCount > MAX_FILES_WALKED) {
         truncated = true;
         return;
       }
       try {
-        const content = await fs3.readFile(full, "utf8");
+        const content = await fs4.readFile(full, "utf8");
         if (content.length > 0) {
           const lines = content.split(/\r?\n/).length;
           physicalLoc += content.endsWith("\n") ? lines - 1 : lines;
@@ -7671,8 +8022,8 @@ async function estimateWorkspaceLoc(workspaceRoot) {
 }
 
 // src/sarif/sarif-store.ts
-import { promises as fs4 } from "node:fs";
-import { dirname as dirname3, isAbsolute, join as join4, resolve as resolve3 } from "node:path";
+import { promises as fs5 } from "node:fs";
+import { dirname as dirname3, isAbsolute as isAbsolute2, join as join4, resolve as resolve4 } from "node:path";
 
 // src/sarif/sarif-builder.ts
 function buildSarifDocument(tool, findings) {
@@ -7734,7 +8085,7 @@ var SarifStore = class {
   /** Tool invocations we have already ingested, for telemetry. */
   toolInvocations = 0;
   constructor(options) {
-    const dir = isAbsolute(options.outputDir) ? options.outputDir : resolve3(options.workspaceRoot, options.outputDir);
+    const dir = isAbsolute2(options.outputDir) ? options.outputDir : resolve4(options.workspaceRoot, options.outputDir);
     this.filePath = join4(dir, options.fileName ?? "latest.sarif");
   }
   /**
@@ -7759,7 +8110,7 @@ var SarifStore = class {
    */
   async loadLatest() {
     try {
-      const raw = await fs4.readFile(this.filePath, "utf8");
+      const raw = await fs5.readFile(this.filePath, "utf8");
       const parsed = JSON.parse(raw);
       if (parsed.version !== "2.1.0") {
         throw new Error(`Expected SARIF 2.1.0, got ${parsed.version}`);
@@ -7861,10 +8212,10 @@ var SarifStore = class {
    */
   async persist() {
     const doc = this.toSarifDocument();
-    await fs4.mkdir(dirname3(this.filePath), { recursive: true });
+    await fs5.mkdir(dirname3(this.filePath), { recursive: true });
     const tmp = `${this.filePath}.${process.pid}.tmp`;
-    await fs4.writeFile(tmp, JSON.stringify(doc, null, 2), "utf8");
-    await fs4.rename(tmp, this.filePath);
+    await fs5.writeFile(tmp, JSON.stringify(doc, null, 2), "utf8");
+    await fs5.rename(tmp, this.filePath);
   }
   /**
    * Build the current consolidated SARIF document from the in-memory
@@ -8020,6 +8371,8 @@ var CrapConfigError = class extends Error {
   }
 };
 function loadCrapConfig(options) {
+  const fileResult = readFromFile(options.workspaceRoot);
+  const exclude = fileResult?.exclude ?? [];
   const envRaw = process.env["CLAUDE_CRAP_STRICTNESS"];
   if (typeof envRaw === "string" && envRaw.trim() !== "") {
     const normalized = envRaw.trim().toLowerCase();
@@ -8028,11 +8381,12 @@ function loadCrapConfig(options) {
         `[crap-config] CLAUDE_CRAP_STRICTNESS="${envRaw}" is not a valid strictness. Expected one of: ${STRICTNESS_VALUES.join(", ")}.`
       );
     }
-    return { strictness: normalized, strictnessSource: "env" };
+    return { strictness: normalized, strictnessSource: "env", exclude };
+  }
+  if (fileResult?.strictness) {
+    return { strictness: fileResult.strictness, strictnessSource: "file", exclude };
   }
-  const fromFile = readFromFile(options.workspaceRoot);
-  if (fromFile) return { strictness: fromFile, strictnessSource: "file" };
-  return { strictness: DEFAULT_STRICTNESS, strictnessSource: "default" };
+  return { strictness: DEFAULT_STRICTNESS, strictnessSource: "default", exclude };
 }
 function readFromFile(workspaceRoot) {
   const filePath = join5(workspaceRoot, ".claude-crap.json");
@@ -8060,43 +8414,63 @@ function readFromFile(workspaceRoot) {
     );
   }
   const doc = parsed;
-  if (!("strictness" in doc)) return null;
-  const value = doc["strictness"];
-  if (typeof value !== "string") {
-    throw new CrapConfigError(
-      `[crap-config] ${filePath}: 'strictness' must be a string, got ${typeof value}`
-    );
+  let strictness = null;
+  if ("strictness" in doc) {
+    const value = doc["strictness"];
+    if (typeof value !== "string") {
+      throw new CrapConfigError(
+        `[crap-config] ${filePath}: 'strictness' must be a string, got ${typeof value}`
+      );
+    }
+    const normalized = value.trim().toLowerCase();
+    if (!isStrictness(normalized)) {
+      throw new CrapConfigError(
+        `[crap-config] ${filePath}: 'strictness' is "${value}"; expected one of ${STRICTNESS_VALUES.join(", ")}.`
+      );
+    }
+    strictness = normalized;
   }
-  const normalized = value.trim().toLowerCase();
-  if (!isStrictness(normalized)) {
-    throw new CrapConfigError(
-      `[crap-config] ${filePath}: 'strictness' is "${value}"; expected one of ${STRICTNESS_VALUES.join(", ")}.`
-    );
+  let exclude = [];
+  if ("exclude" in doc) {
+    const raw2 = doc["exclude"];
+    if (!Array.isArray(raw2)) {
+      throw new CrapConfigError(
+        `[crap-config] ${filePath}: 'exclude' must be an array of strings`
+      );
+    }
+    for (const item of raw2) {
+      if (typeof item !== "string") {
+        throw new CrapConfigError(
+          `[crap-config] ${filePath}: every entry in 'exclude' must be a string, got ${typeof item}`
+        );
+      }
+    }
+    exclude = raw2;
   }
-  return normalized;
+  return { strictness, exclude };
 }
 function isStrictness(value) {
   return STRICTNESS_VALUES.includes(value);
 }
 
 // src/tools/test-harness.ts
-import { promises as fs5 } from "node:fs";
-import { basename, dirname as dirname4, extname, isAbsolute as isAbsolute2, join as join6, relative, resolve as resolve4, sep } from "node:path";
+import { promises as fs6 } from "node:fs";
+import { basename, dirname as dirname4, extname, isAbsolute as isAbsolute3, join as join6, relative as relative2, resolve as resolve5, sep as sep2 } from "node:path";
 var TEST_SUFFIX_PATTERN = /\.(test|spec)\./;
 function isTestFile(filePath) {
   const base = basename(filePath);
   if (TEST_SUFFIX_PATTERN.test(base)) return true;
   if (base.startsWith("test_") && base.endsWith(".py")) return true;
-  const parts = filePath.split(sep);
+  const parts = filePath.split(sep2);
   return parts.includes("__tests__") || parts.includes("tests") || parts.includes("test");
 }
 function candidatePaths(workspaceRoot, filePath) {
-  const absSource = resolve4(filePath);
+  const absSource = resolve5(filePath);
   const ext = extname(absSource);
   const base = basename(absSource, ext);
   const dir = dirname4(absSource);
-  const absWorkspace = resolve4(workspaceRoot);
-  const relFromRoot = relative(absWorkspace, absSource);
+  const absWorkspace = resolve5(workspaceRoot);
+  const relFromRoot = relative2(absWorkspace, absSource);
   const relDir = dirname4(relFromRoot);
   const candidates = /* @__PURE__ */ new Set();
   candidates.add(join6(dir, `${base}.test${ext}`));
@@ -8128,14 +8502,14 @@ function candidatePaths(workspaceRoot, filePath) {
   return Array.from(candidates);
 }
 async function findTestFile(workspaceRoot, filePath) {
-  const absolute = isAbsolute2(filePath) ? filePath : resolve4(workspaceRoot, filePath);
+  const absolute = isAbsolute3(filePath) ? filePath : resolve5(workspaceRoot, filePath);
   if (isTestFile(absolute)) {
     return { testFile: absolute, candidates: [absolute], isTestFile: true };
   }
   const candidates = candidatePaths(workspaceRoot, absolute);
   for (const candidate of candidates) {
     try {
-      await fs5.access(candidate);
+      await fs6.access(candidate);
       return { testFile: candidate, candidates, isTestFile: false };
     } catch {
     }
@@ -8143,26 +8517,13 @@ async function findTestFile(workspaceRoot, filePath) {
   return { testFile: null, candidates, isTestFile: false };
 }
 
-// src/workspace-guard.ts
-import { isAbsolute as isAbsolute3, resolve as resolve5, sep as sep2 } from "node:path";
-function resolveWithinWorkspace(workspaceRoot, filePath) {
-  const workspace = resolve5(workspaceRoot);
-  const candidate = isAbsolute3(filePath) ? resolve5(filePath) : resolve5(workspace, filePath);
-  if (candidate !== workspace && !candidate.startsWith(workspace + sep2)) {
-    throw new Error(
-      `[claude-crap] Refusing to access '${filePath}' \u2014 path escapes the workspace root`
-    );
-  }
-  return candidate;
-}
-
 // src/scanner/auto-scan.ts
 import { existsSync as existsSync5 } from "node:fs";
-import { join as join10 } from "node:path";
+import { join as join11 } from "node:path";
 
 // src/scanner/detector.ts
-import { existsSync as existsSync2, readFileSync as readFileSync3 } from "node:fs";
-import { join as join7 } from "node:path";
+import { existsSync as existsSync2, readFileSync as readFileSync3, readdirSync } from "node:fs";
+import { join as join7, resolve as resolve6 } from "node:path";
 import { execFile } from "node:child_process";
 var SCANNER_SIGNALS = {
   eslint: {
@@ -8211,6 +8572,14 @@ var SCANNER_SIGNALS = {
     ],
     packageJsonKeys: ["@stryker-mutator/core"],
     binaryNames: ["stryker"]
+  },
+  dart_analyze: {
+    configFiles: [
+      "analysis_options.yaml",
+      "pubspec.yaml"
+    ],
+    packageJsonKeys: [],
+    binaryNames: ["dart"]
   }
 };
 function probeConfigFiles(workspaceRoot, scanner) {
@@ -8241,14 +8610,14 @@ function probePackageJson(workspaceRoot, scanner) {
   }
 }
 function probeBinary(binaryName) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     execFile("which", [binaryName], { timeout: 5e3 }, (err) => {
-      resolve6(err === null);
+      resolve7(err === null);
     });
   });
 }
 async function detectScanners(workspaceRoot) {
-  const scanners = ["eslint", "semgrep", "bandit", "stryker"];
+  const scanners = ["eslint", "semgrep", "bandit", "stryker", "dart_analyze"];
   const results = await Promise.all(
     scanners.map(async (scanner) => {
       const configProbe = probeConfigFiles(workspaceRoot, scanner);
@@ -8261,10 +8630,13 @@ async function detectScanners(workspaceRoot) {
         };
       }
       if (probePackageJson(workspaceRoot, scanner)) {
+        const binName = SCANNER_SIGNALS[scanner].binaryNames[0];
+        const binPath = binName ? join7(workspaceRoot, "node_modules", ".bin", binName) : null;
+        const installed = binPath !== null && existsSync2(binPath);
         return {
           scanner,
-          available: true,
-          reason: `found in package.json dependencies`
+          available: installed,
+          reason: installed ? "found in package.json and installed" : `found in package.json but not installed (run \`npm install\`)`
         };
       }
       const signals = SCANNER_SIGNALS[scanner];
@@ -8286,6 +8658,58 @@ async function detectScanners(workspaceRoot) {
   );
   return results;
 }
+var MONOREPO_DIRS = ["apps", "packages", "libs", "modules", "services"];
+async function detectMonorepoScanners(workspaceRoot) {
+  const subdirs = /* @__PURE__ */ new Set();
+  try {
+    const pkgPath = join7(workspaceRoot, "package.json");
+    const raw = readFileSync3(pkgPath, "utf-8");
+    const pkg = JSON.parse(raw);
+    if (Array.isArray(pkg.workspaces)) {
+      for (const ws of pkg.workspaces) {
+        if (typeof ws === "string" && !ws.includes("*")) {
+          const full = resolve6(workspaceRoot, ws);
+          if (existsSync2(full)) subdirs.add(full);
+        }
+      }
+    }
+  } catch {
+  }
+  for (const dir of MONOREPO_DIRS) {
+    const full = join7(workspaceRoot, dir);
+    try {
+      const entries = readdirSync(full, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory() && !entry.name.startsWith(".")) {
+          subdirs.add(join7(full, entry.name));
+        }
+      }
+    } catch {
+    }
+  }
+  if (subdirs.size === 0) return [];
+  const detections = [];
+  const scanners = ["eslint", "semgrep", "bandit", "stryker", "dart_analyze"];
+  for (const subdir of subdirs) {
+    for (const scanner of scanners) {
+      const configProbe = probeConfigFiles(subdir, scanner);
+      if (!configProbe.found) continue;
+      if (scanner === "dart_analyze") {
+        const hasBinary = await probeBinary("dart");
+        if (!hasBinary) continue;
+      }
+      const relDir = subdir.replace(workspaceRoot + "/", "");
+      detections.push({
+        scanner,
+        available: true,
+        reason: `config file found in ${relDir}/`,
+        ...configProbe.path ? { configPath: configProbe.path } : {},
+        workingDir: subdir
+      });
+    }
+  }
+  return detections;
+}
 
 // src/scanner/runner.ts
 import { execFile as execFile2 } from "node:child_process";
@@ -8322,17 +8746,26 @@ function getScannerCommand(scanner, workspaceRoot) {
         nonZeroIsNormal: false,
         outputFile: join8(workspaceRoot, "reports", "mutation", "mutation.json")
       };
+    case "dart_analyze":
+      return {
+        command: "dart",
+        args: ["analyze", "--format=json", "."],
+        timeoutMs: 12e4,
+        nonZeroIsNormal: true
+        // exits 3 when findings exist
+      };
   }
 }
-function runScanner(scanner, workspaceRoot) {
+function runScanner(scanner, workspaceRoot, options) {
   const start = Date.now();
-  const cmd = getScannerCommand(scanner, workspaceRoot);
-  return new Promise((resolve6) => {
+  const cwd = options?.workingDir ?? workspaceRoot;
+  const cmd = getScannerCommand(scanner, cwd);
+  return new Promise((resolve7) => {
     execFile2(
       cmd.command,
       cmd.args,
       {
-        cwd: workspaceRoot,
+        cwd,
         timeout: cmd.timeoutMs,
         maxBuffer: 50 * 1024 * 1024,
         // 50 MB — large codebases produce verbose output
@@ -8346,7 +8779,7 @@ function runScanner(scanner, workspaceRoot) {
           if (cmd.outputFile && existsSync3(cmd.outputFile)) {
             try {
               const fileOutput = readFileSync4(cmd.outputFile, "utf-8");
-              resolve6({
+              resolve7({
                 scanner,
                 success: true,
                 rawOutput: fileOutput,
@@ -8356,7 +8789,7 @@ function runScanner(scanner, workspaceRoot) {
             } catch {
             }
           }
-          resolve6({
+          resolve7({
             scanner,
             success: false,
             rawOutput: "",
@@ -8369,7 +8802,7 @@ function runScanner(scanner, workspaceRoot) {
           if (existsSync3(cmd.outputFile)) {
             try {
               const fileOutput = readFileSync4(cmd.outputFile, "utf-8");
-              resolve6({
+              resolve7({
                 scanner,
                 success: true,
                 rawOutput: fileOutput,
@@ -8377,7 +8810,7 @@ function runScanner(scanner, workspaceRoot) {
               });
               return;
             } catch (readErr) {
-              resolve6({
+              resolve7({
                 scanner,
                 success: false,
                 rawOutput: "",
@@ -8387,7 +8820,7 @@ function runScanner(scanner, workspaceRoot) {
               return;
             }
           }
-          resolve6({
+          resolve7({
             scanner,
             success: false,
             rawOutput: "",
@@ -8398,7 +8831,7 @@ function runScanner(scanner, workspaceRoot) {
         }
         const output = stdout.trim();
         if (!output) {
-          resolve6({
+          resolve7({
             scanner,
             success: true,
             rawOutput: "[]",
@@ -8407,7 +8840,7 @@ function runScanner(scanner, workspaceRoot) {
           });
           return;
         }
-        resolve6({
+        resolve7({
           scanner,
           success: true,
           rawOutput: output,
@@ -8419,7 +8852,7 @@ function runScanner(scanner, workspaceRoot) {
 }
 
 // src/scanner/bootstrap.ts
-import { existsSync as existsSync4, writeFileSync as writeFileSync2, readdirSync } from "node:fs";
+import { existsSync as existsSync4, writeFileSync as writeFileSync2, readdirSync as readdirSync2 } from "node:fs";
 import { join as join9 } from "node:path";
 import { execFile as execFile3 } from "node:child_process";
 function detectProjectType(workspaceRoot) {
@@ -8436,12 +8869,13 @@ function detectProjectType(workspaceRoot) {
   }
   if (has("Directory.Build.props")) return "csharp";
   try {
-    const entries = readdirSync(workspaceRoot);
+    const entries = readdirSync2(workspaceRoot);
     if (entries.some((e) => e.endsWith(".csproj") || e.endsWith(".sln"))) {
       return "csharp";
     }
   } catch {
   }
+  if (has("pubspec.yaml")) return "dart";
   return "unknown";
 }
 function generateEslintConfig(isTypeScript) {
@@ -8483,7 +8917,7 @@ export default [
 `;
 }
 function npmInstall(workspaceRoot, packages) {
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     execFile3(
       "npm",
       ["install", "--save-dev", ...packages],
@@ -8494,14 +8928,14 @@ function npmInstall(workspaceRoot, packages) {
       },
       (err, stdout, stderr) => {
         if (err) {
-          resolve6({
+          resolve7({
             action: `npm install --save-dev ${packages.join(" ")}`,
             success: false,
             detail: stderr || err.message
           });
           return;
         }
-        resolve6({
+        resolve7({
           action: `npm install --save-dev ${packages.join(" ")}`,
           success: true,
           detail: `installed ${packages.join(", ")}`
@@ -8556,6 +8990,12 @@ function getRecommendation(projectType) {
         canAutoInstall: false,
         installInstructions: "brew install semgrep  (or: pip install semgrep, pipx install semgrep)"
       };
+    case "dart":
+      return {
+        scanner: "dart_analyze",
+        canAutoInstall: false,
+        installInstructions: "Install the Dart SDK: https://dart.dev/get-dart  (or Flutter SDK which includes Dart)"
+      };
     case "unknown":
       return {
         scanner: "semgrep",
@@ -8700,6 +9140,121 @@ function buildResult(projectType, steps, autoScanResult, recommendation) {
   };
 }
 
+// src/scanner/complexity-scanner.ts
+import { promises as fs7 } from "node:fs";
+import { join as join10, relative as relative3 } from "node:path";
+var MAX_FILES = 2e4;
+var RULE_ID = "complexity/cyclomatic-max";
+var SOURCE_TOOL = "complexity";
+async function scanComplexity(workspaceRoot, engine, sarifStore, config, logger2) {
+  const start = Date.now();
+  const threshold = config.cyclomaticMax;
+  const errorThreshold = threshold * 2;
+  const filter = createExclusionFilter(config.exclude);
+  const files = await collectSourceFiles(workspaceRoot, filter);
+  logger2.info(
+    { fileCount: files.length, threshold },
+    "complexity-scanner: starting analysis"
+  );
+  const sarifResults = [];
+  let filesScanned = 0;
+  let functionsAnalyzed = 0;
+  let violations = 0;
+  for (const filePath of files) {
+    const language = detectLanguageFromPath(filePath);
+    if (!language) continue;
+    try {
+      const metrics = await engine.analyzeFile({ filePath, language });
+      filesScanned += 1;
+      functionsAnalyzed += metrics.functions.length;
+      for (const fn of metrics.functions) {
+        if (fn.cyclomaticComplexity <= threshold) continue;
+        const level = fn.cyclomaticComplexity >= errorThreshold ? "error" : "warning";
+        const relPath = relative3(workspaceRoot, filePath);
+        sarifResults.push({
+          ruleId: RULE_ID,
+          level,
+          message: {
+            text: `Function '${fn.name}' has cyclomatic complexity ${fn.cyclomaticComplexity} (threshold: ${threshold})`
+          },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: relPath },
+                region: {
+                  startLine: fn.startLine,
+                  startColumn: 1,
+                  endLine: fn.endLine,
+                  endColumn: 1
+                }
+              }
+            }
+          ],
+          properties: {
+            sourceTool: SOURCE_TOOL,
+            effortMinutes: estimateEffortMinutes(level),
+            cyclomaticComplexity: fn.cyclomaticComplexity
+          }
+        });
+        violations += 1;
+      }
+    } catch (err) {
+      logger2.warn(
+        { filePath, err: err.message },
+        "complexity-scanner: failed to analyze file, skipping"
+      );
+    }
+  }
+  if (sarifResults.length > 0) {
+    const document = wrapResultsInSarif(
+      SOURCE_TOOL,
+      "0.1.0",
+      sarifResults
+    );
+    sarifStore.ingestRun(document, SOURCE_TOOL);
+    await sarifStore.persist();
+  }
+  const durationMs = Date.now() - start;
+  logger2.info(
+    { filesScanned, functionsAnalyzed, violations, durationMs },
+    "complexity-scanner: analysis complete"
+  );
+  return { filesScanned, functionsAnalyzed, violations, durationMs };
+}
+async function collectSourceFiles(workspaceRoot, filter) {
+  const files = [];
+  let truncated = false;
+  async function walk2(dir) {
+    if (truncated) return;
+    let entries;
+    try {
+      entries = await fs7.readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (truncated) return;
+      const full = join10(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (filter.shouldSkipDir(entry.name)) continue;
+        await walk2(full);
+        continue;
+      }
+      if (!entry.isFile()) continue;
+      if (!detectLanguageFromPath(entry.name)) continue;
+      const relPath = relative3(workspaceRoot, full);
+      if (filter.shouldSkipFile(relPath, entry.name)) continue;
+      files.push(full);
+      if (files.length >= MAX_FILES) {
+        truncated = true;
+        return;
+      }
+    }
+  }
+  await walk2(workspaceRoot);
+  return files;
+}
+
 // src/scanner/auto-scan.ts
 function ingestScannerRun(scanner, rawOutput, sarifStore) {
   let parsed;
@@ -8712,13 +9267,21 @@ function ingestScannerRun(scanner, rawOutput, sarifStore) {
   const stats = sarifStore.ingestRun(adapted.document, adapted.sourceTool);
   return { accepted: stats.accepted };
 }
-async function autoScan(workspaceRoot, sarifStore, logger2) {
+async function autoScan(workspaceRoot, sarifStore, logger2, options) {
   const start = Date.now();
   const detected = await detectScanners(workspaceRoot);
+  const monorepoDetected = await detectMonorepoScanners(workspaceRoot);
+  const rootScannerSet = new Set(detected.filter((d) => d.available).map((d) => d.scanner));
+  for (const md of monorepoDetected) {
+    if (!rootScannerSet.has(md.scanner)) {
+      detected.push(md);
+    }
+  }
   const available = detected.filter((d) => d.available);
   logger2.info(
     {
       detected: detected.map((d) => `${d.scanner}:${d.available}`),
+      monorepo: monorepoDetected.length,
       available: available.length
     },
     "auto-scan: detection complete"
@@ -8737,7 +9300,7 @@ async function autoScan(workspaceRoot, sarifStore, logger2) {
     ".eslintrc.json"
   ];
   const eslintDetected = available.some((d) => d.scanner === "eslint");
-  const hasEslintConfig = eslintConfigFiles.some((f) => existsSync5(join10(workspaceRoot, f)));
+  const hasEslintConfig = eslintConfigFiles.some((f) => existsSync5(join11(workspaceRoot, f)));
   if (eslintDetected && !hasEslintConfig) {
     logger2.info("auto-scan: ESLint detected but no config \u2014 running bootstrap");
     try {
@@ -8773,7 +9336,7 @@ async function autoScan(workspaceRoot, sarifStore, logger2) {
     };
   }
   const runResults = await Promise.allSettled(
-    available.map((d) => runScanner(d.scanner, workspaceRoot))
+    available.map((d) => runScanner(d.scanner, workspaceRoot, d.workingDir ? { workingDir: d.workingDir } : void 0))
   );
   const results = [];
   let totalFindings = 0;
@@ -8847,11 +9410,30 @@ async function autoScan(workspaceRoot, sarifStore, logger2) {
   if (persistNeeded) {
     await sarifStore.persist();
   }
+  let complexityScan;
+  if (options?.engine) {
+    try {
+      complexityScan = await scanComplexity(
+        workspaceRoot,
+        options.engine,
+        sarifStore,
+        { cyclomaticMax: options.cyclomaticMax ?? 15, ...options.exclude ? { exclude: options.exclude } : {} },
+        logger2
+      );
+      totalFindings += complexityScan.violations;
+    } catch (err) {
+      logger2.warn(
+        { err: err.message },
+        "auto-scan: complexity scanner failed \u2014 continuing without it"
+      );
+    }
+  }
   return {
     detected,
     results,
     totalFindings,
-    totalDurationMs: Date.now() - start
+    totalDurationMs: Date.now() - start,
+    ...complexityScan ? { complexityScan } : {}
   };
 }
 
@@ -8971,7 +9553,7 @@ var ingestScannerOutputSchema = {
   properties: {
     scanner: {
       type: "string",
-      enum: ["semgrep", "eslint", "bandit", "stryker"],
+      enum: ["semgrep", "eslint", "bandit", "stryker", "dart_analyze"],
       description: "Identifier of the producing scanner."
     },
     rawOutput: {
@@ -9031,6 +9613,15 @@ async function main() {
     { config: { ...config, pluginRoot: "<redacted>" } },
     "claude-crap MCP server starting"
   );
+  let userExclusions = [];
+  try {
+    const crapConfig = loadCrapConfig({ workspaceRoot: config.pluginRoot });
+    userExclusions = crapConfig.exclude;
+    if (userExclusions.length > 0) {
+      logger.info({ exclude: userExclusions }, "user exclusions loaded from .claude-crap.json");
+    }
+  } catch {
+  }
   const astEngine = new TreeSitterEngine();
   const sarifStore = new SarifStore({
     workspaceRoot: config.pluginRoot,
@@ -9046,8 +9637,10 @@ async function main() {
     dashboard = await startDashboard({
       config,
       sarifStore,
-      workspaceStatsProvider: () => estimateWorkspaceLoc(config.pluginRoot),
-      logger
+      workspaceStatsProvider: () => estimateWorkspaceLoc(config.pluginRoot, { exclude: userExclusions }),
+      logger,
+      astEngine,
+      exclude: userExclusions
     });
   } catch (err) {
     logger.warn(
@@ -9217,7 +9810,7 @@ async function main() {
         const typed = args ?? {};
         const format = typed.format ?? "both";
         try {
-          const workspace = await estimateWorkspaceLoc(config.pluginRoot);
+          const workspace = await estimateWorkspaceLoc(config.pluginRoot, { exclude: userExclusions });
           const score = computeProjectScore({
             workspaceRoot: config.pluginRoot,
             minutesPerLoc: config.minutesPerLoc,
@@ -9438,7 +10031,11 @@ async function main() {
       case "auto_scan": {
         logger.info({ tool: "auto_scan" }, "Tool call received");
         try {
-          const result = await autoScan(config.pluginRoot, sarifStore, logger);
+          const result = await autoScan(config.pluginRoot, sarifStore, logger, {
+            engine: astEngine,
+            cyclomaticMax: config.cyclomaticMax,
+            exclude: userExclusions
+          });
           const markdown = renderAutoScanMarkdown(result);
           return {
             content: [
@@ -9514,7 +10111,11 @@ async function main() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
   logger.info("claude-crap MCP server ready (stdio)");
-  autoScan(config.pluginRoot, sarifStore, logger).then((result) => {
+  autoScan(config.pluginRoot, sarifStore, logger, {
+    engine: astEngine,
+    cyclomaticMax: config.cyclomaticMax,
+    exclude: userExclusions
+  }).then((result) => {
     const scanners = result.results.filter((r) => r.success).map((r) => r.scanner);
     logger.info(
       {
@@ -9581,6 +10182,15 @@ function renderAutoScanMarkdown(result) {
     }
     lines.push("");
   }
+  if (result.complexityScan) {
+    const cs = result.complexityScan;
+    lines.push("### Cyclomatic complexity scan\n");
+    lines.push(`- Files scanned: **${cs.filesScanned}**`);
+    lines.push(`- Functions analyzed: **${cs.functionsAnalyzed}**`);
+    lines.push(`- Violations: **${cs.violations}**`);
+    lines.push(`- Duration: ${(cs.durationMs / 1e3).toFixed(1)}s`);
+    lines.push("");
+  }
   lines.push(
     `**Total findings ingested:** ${result.totalFindings} in ${(result.totalDurationMs / 1e3).toFixed(1)}s`
   );