edsger 0.55.4 → 0.56.1

package/dist/phases/quality-benchmark/parsers.js

@@ -0,0 +1,1022 @@
+/**
+ * Tool output parsers. Each parser extracts the minimum information the
+ * LLM needs to score the dimension — either counts (Tier 1), counts plus
+ * top findings (Tier 2), or domain-specific metrics (Tier 3).
+ *
+ * Full raw outputs are saved to disk by the tool-runner and never enter
+ * the LLM context — these parsers operate on the stdout/stderr strings
+ * captured during execution.
+ *
+ * Severity mapping:
+ *   tool-specific → our 4-tier enum (critical | high | medium | low)
+ *
+ * All parsers must be:
+ *   - Defensive: never throw. Return `parsed: false` (via a counts-zero
+ *     summary) if the output is malformed.
+ *   - Cheap: simple JSON parse + small map. No regex over megabytes.
+ *   - Stable: same input → same output (no randomness, no clocks).
+ */
+import { TOOL_CATALOG_BY_ID } from './tool-catalog.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function safeJson(s) {
+    if (!s) {
+        return null;
+    }
+    try {
+        return JSON.parse(s);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Parse a newline-delimited JSON stream (one JSON value per line).
+ * Used by cargo clippy --message-format json and govulncheck -json.
+ */
+function safeJsonLines(s) {
+    if (!s) {
+        return [];
+    }
+    const out = [];
+    for (const line of s.split(/\r?\n/)) {
+        const trimmed = line.trim();
+        if (!trimmed || (trimmed[0] !== '{' && trimmed[0] !== '[')) {
+            continue;
+        }
+        try {
+            out.push(JSON.parse(trimmed));
+        }
+        catch {
+            // skip non-JSON lines (some tools mix banners with JSON)
+        }
+    }
+    return out;
+}
+/** First subscore from the catalog for a tool id (used as the finding tag). */
+function primarySubscore(toolId) {
+    const entry = TOOL_CATALOG_BY_ID.get(toolId);
+    if (!entry || entry.subscores.length === 0) {
+        return 'code_quality.lint';
+    }
+    return entry.subscores[0];
+}
+function clampSnippet(s) {
+    if (!s) {
+        return undefined;
+    }
+    return s.length > 200 ? `${s.slice(0, 197)}...` : s;
+}
+function severityRank(s) {
+    return s === 'critical' ? 4 : s === 'high' ? 3 : s === 'medium' ? 2 : 1;
+}
+function topBySeverity(findings, n = 10) {
+    return [...findings]
+        .sort((a, b) => severityRank(b.severity) - severityRank(a.severity))
+        .slice(0, n);
+}
+function countBySeverity(findings) {
+    const c = { critical: 0, high: 0, medium: 0, low: 0, total: findings.length };
+    for (const f of findings) {
+        c[f.severity]++;
+    }
+    return c;
+}
+function emptyCounts() {
+    return {
+        tool_id: 'unknown',
+        summary: { tier: 'counts', counts: { errors: 0, warnings: 0, info: 0 } },
+        oneliner: 'no output parsed',
+    };
+}
+function relPath(file, ctx) {
+    if (file.startsWith(ctx.repo_root)) {
+        return file.slice(ctx.repo_root.length).replace(/^[/\\]/, '');
+    }
+    return file;
+}
+// ---------------------------------------------------------------------------
+// Tier 1 — counts only
+// ---------------------------------------------------------------------------
+const eslintParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!Array.isArray(data)) {
+        return { ...emptyCounts(), tool_id: 'eslint' };
+    }
+    let errors = 0;
+    let warnings = 0;
+    for (const file of data) {
+        for (const m of file.messages ?? []) {
+            if (m.severity === 2) {
+                errors++;
+            }
+            else if (m.severity === 1) {
+                warnings++;
+            }
+        }
+    }
+    return {
+        tool_id: 'eslint',
+        summary: { tier: 'counts', counts: { errors, warnings, info: 0 } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const tscParser = (stdout, stderr) => {
+    const body = `${stdout}\n${stderr}`;
+    const errorLines = body.match(/^[^\n]*error TS\d+/gm) ?? [];
+    const errors = errorLines.length;
+    return {
+        tool_id: 'tsc-typecheck',
+        summary: { tier: 'counts', counts: { errors, warnings: 0, info: 0 } },
+        oneliner: `${errors} type errors`,
+    };
+};
+const ruffParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!Array.isArray(data)) {
+        return { ...emptyCounts(), tool_id: 'ruff' };
+    }
+    let errors = 0;
+    let warnings = 0;
+    for (const v of data) {
+        const code = v.code ?? '';
+        // E/F prefix in ruff (and most flake8-like tools) = error severity.
+        if (/^[EF]/.test(code)) {
+            errors++;
+        }
+        else {
+            warnings++;
+        }
+    }
+    return {
+        tool_id: 'ruff',
+        summary: { tier: 'counts', counts: { errors, warnings, info: 0 } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const mypyParser = (stdout) => {
+    const lines = stdout.split(/\r?\n/);
+    let errors = 0;
+    let warnings = 0;
+    let info = 0;
+    for (const line of lines) {
+        if (/:\s*error:/.test(line)) {
+            errors++;
+        }
+        else if (/:\s*warning:/.test(line)) {
+            warnings++;
+        }
+        else if (/:\s*note:/.test(line)) {
+            info++;
+        }
+    }
+    return {
+        tool_id: 'mypy',
+        summary: { tier: 'counts', counts: { errors, warnings, info } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const golangciLintParser = (stdout) => {
+    const data = safeJson(stdout);
+    const issues = data?.Issues ?? [];
+    let errors = 0;
+    let warnings = 0;
+    for (const i of issues) {
+        if ((i.Severity ?? '').toLowerCase() === 'error') {
+            errors++;
+        }
+        else {
+            warnings++;
+        }
+    }
+    return {
+        tool_id: 'golangci-lint',
+        summary: { tier: 'counts', counts: { errors, warnings, info: 0 } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const clippyParser = (stdout) => {
+    const events = safeJsonLines(stdout);
+    let errors = 0;
+    let warnings = 0;
+    for (const e of events) {
+        if (e.reason !== 'compiler-message') {
+            continue;
+        }
+        const lvl = e.message?.level;
+        if (lvl === 'error' || lvl === 'error: internal compiler error') {
+            errors++;
+        }
+        else if (lvl === 'warning') {
+            warnings++;
+        }
+    }
+    return {
+        tool_id: 'clippy',
+        summary: { tier: 'counts', counts: { errors, warnings, info: 0 } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const rubocopParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!data) {
+        return { ...emptyCounts(), tool_id: 'rubocop' };
+    }
+    let errors = 0;
+    let warnings = 0;
+    for (const f of data.files ?? []) {
+        for (const o of f.offenses ?? []) {
+            const sev = (o.severity ?? '').toLowerCase();
+            if (sev === 'error' || sev === 'fatal') {
+                errors++;
+            }
+            else {
+                warnings++;
+            }
+        }
+    }
+    return {
+        tool_id: 'rubocop',
+        summary: { tier: 'counts', counts: { errors, warnings, info: 0 } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const depcheckParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!data) {
+        return { ...emptyCounts(), tool_id: 'depcheck' };
+    }
+    const unused = (data.dependencies?.length ?? 0) + (data.devDependencies?.length ?? 0);
+    return {
+        tool_id: 'depcheck',
+        summary: {
+            tier: 'counts',
+            counts: { errors: unused, warnings: 0, info: 0 },
+        },
+        oneliner: `${unused} unused dependencies`,
+    };
+};
+const npmOutdatedParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!data) {
+        return {
+            tool_id: 'npm-outdated',
+            summary: { tier: 'counts', counts: { errors: 0, warnings: 0, info: 0 } },
+            oneliner: 'no outdated dependencies',
+        };
+    }
+    const count = Object.keys(data).length;
+    return {
+        tool_id: 'npm-outdated',
+        summary: {
+            tier: 'counts',
+            counts: { errors: 0, warnings: count, info: 0 },
+        },
+        oneliner: `${count} outdated dependencies`,
+    };
+};
+const goModOutdatedParser = (stdout) => {
+    const items = safeJsonLines(stdout);
+    const count = items.filter((i) => i.Update).length;
+    return {
+        tool_id: 'go-mod-outdated',
+        summary: {
+            tier: 'counts',
+            counts: { errors: 0, warnings: count, info: 0 },
+        },
+        oneliner: `${count} outdated modules`,
+    };
+};
+const cargoOutdatedParser = (stdout) => {
+    const data = safeJson(stdout);
+    const items = data?.dependencies ?? [];
+    const count = items.filter((d) => d.project && d.latest && d.project !== d.latest).length;
+    return {
+        tool_id: 'cargo-outdated',
+        summary: {
+            tier: 'counts',
+            counts: { errors: 0, warnings: count, info: 0 },
+        },
+        oneliner: `${count} outdated crates`,
+    };
+};
+// ---------------------------------------------------------------------------
+// Tier 2 — counts + top-N findings (severity + file:line preserved)
+// ---------------------------------------------------------------------------
+function mapSemgrepSeverity(s) {
+    switch ((s ?? '').toUpperCase()) {
+        case 'ERROR':
+            return 'high';
+        case 'WARNING':
+            return 'medium';
+        case 'INFO':
+            return 'low';
+        default:
+            return 'medium';
+    }
+}
+const semgrepParser = (stdout, _stderr, ctx) => {
+    const data = safeJson(stdout);
+    const results = data?.results ?? [];
+    const findings = results.map((r) => {
+        const cwe = r.extra?.metadata?.cwe;
+        const cweArr = Array.isArray(cwe) ? cwe : cwe ? [cwe] : undefined;
+        const sev = mapSemgrepSeverity(r.extra?.severity);
+        // Bump SAST findings of suspected high-severity rules to critical
+        const id = r.check_id ?? '';
+        const severity = sev === 'high' && /sqli|rce|deserialization|secret/.test(id)
+            ? 'critical'
+            : sev;
+        return {
+            file: relPath(r.path ?? '', ctx),
+            line: r.start?.line ?? 1,
+            issue: r.extra?.message ?? id,
+            severity,
+            snippet: clampSnippet(r.extra?.lines),
+            source: 'tool:semgrep',
+            rule_id: id || undefined,
+            cwe: cweArr,
+            subscore_key: primarySubscore('semgrep'),
+        };
+    });
+    return {
+        tool_id: 'semgrep',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} SAST findings`,
+    };
+};
+function mapBanditSeverity(s) {
+    switch ((s ?? '').toUpperCase()) {
+        case 'HIGH':
+            return 'high';
+        case 'MEDIUM':
+            return 'medium';
+        case 'LOW':
+            return 'low';
+        default:
+            return 'medium';
+    }
+}
+const banditParser = (stdout, _stderr, ctx) => {
+    const data = safeJson(stdout);
+    const results = data?.results ?? [];
+    const findings = results.map((r) => ({
+        file: relPath(r.filename ?? '', ctx),
+        line: r.line_number ?? 1,
+        issue: r.issue_text ?? r.test_id ?? 'bandit issue',
+        severity: mapBanditSeverity(r.issue_severity),
+        snippet: clampSnippet(r.code),
+        source: 'tool:bandit',
+        rule_id: r.test_id,
+        cwe: r.cwe?.id ? [`CWE-${r.cwe.id}`] : undefined,
+        subscore_key: primarySubscore('bandit'),
+    }));
+    return {
+        tool_id: 'bandit',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} security findings`,
+    };
+};
+const gosecParser = (stdout, _stderr, ctx) => {
+    const data = safeJson(stdout);
+    const issues = data?.Issues ?? [];
+    const findings = issues.map((i) => ({
+        file: relPath(i.file ?? '', ctx),
+        line: parseInt((i.line ?? '1').split('-')[0] ?? '1', 10) || 1,
+        issue: i.details ?? i.rule_id ?? 'gosec issue',
+        severity: mapBanditSeverity(i.severity), // same HIGH/MEDIUM/LOW scheme
+        snippet: clampSnippet(i.code),
+        source: 'tool:gosec',
+        rule_id: i.rule_id,
+        cwe: i.cwe?.ID ? [`CWE-${i.cwe.ID}`] : undefined,
+        subscore_key: primarySubscore('gosec'),
+    }));
+    return {
+        tool_id: 'gosec',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} security findings`,
+    };
+};
+const brakemanParser = (stdout, _stderr, ctx) => {
+    const data = safeJson(stdout);
+    const warnings = data?.warnings ?? [];
+    const findings = warnings.map((w) => {
+        const conf = (w.confidence ?? '').toLowerCase();
+        const severity = conf === 'high' ? 'high' : conf === 'medium' ? 'medium' : 'low';
+        return {
+            file: relPath(w.file ?? '', ctx),
+            line: w.line ?? 1,
+            issue: w.message ?? w.warning_type ?? 'brakeman warning',
+            severity,
+            snippet: clampSnippet(w.code),
+            source: 'tool:brakeman',
+            rule_id: w.warning_type,
+            subscore_key: primarySubscore('brakeman'),
+        };
+    });
+    return {
+        tool_id: 'brakeman',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} Rails security findings`,
+    };
+};
+const gitleaksParser = (stdout, _stderr, ctx) => {
+    // gitleaks emits a JSON array of leaks. With --redact the secret value is
+    // replaced; we still get file/line/rule.
+    const data = safeJson(stdout);
+    const leaks = Array.isArray(data) ? data : [];
+    const findings = leaks.map((l) => ({
+        file: relPath(l.File ?? '', ctx),
+        line: l.StartLine ?? 1,
+        issue: l.Description ?? l.RuleID ?? 'secret leak',
+        // Every gitleaks hit is treated as critical — secrets in source are a P0.
+        severity: 'critical',
+        snippet: clampSnippet(l.Match),
+        source: 'tool:gitleaks',
+        rule_id: l.RuleID,
+        subscore_key: primarySubscore('gitleaks'),
+    }));
+    return {
+        tool_id: 'gitleaks',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} secret leaks`,
+    };
+};
+function mapNpmSeverity(s) {
+    switch ((s ?? '').toLowerCase()) {
+        case 'critical':
+            return 'critical';
+        case 'high':
+            return 'high';
+        case 'moderate':
+            return 'medium';
+        case 'low':
+        case 'info':
+            return 'low';
+        default:
+            return 'medium';
+    }
+}
+function npmAuditCommon(toolId) {
+    return (stdout) => {
+        // npm/pnpm/yarn audit JSON has nested vulnerability map; we read just the
+        // metadata.vulnerabilities object which is { critical, high, moderate, low }
+        const data = safeJson(stdout);
+        const meta = data?.metadata?.vulnerabilities;
+        const critical = meta?.critical ?? 0;
+        const high = meta?.high ?? 0;
+        const medium = meta?.moderate ?? 0;
+        const low = meta?.low ?? 0;
+        const total = critical + high + medium + low;
+        // Build top findings from the vulnerabilities map. These are package-level
+        // (no file:line), so we synthesise file = "package.json" and line = 1.
+        const vulns = Object.entries(data?.vulnerabilities ?? {});
+        const findings = vulns.map(([pkg, v]) => {
+            const via = (v.via ?? []).find((x) => typeof x !== 'string');
+            return {
+                file: 'package.json',
+                line: 1,
+                issue: `${pkg}: ${via?.title ?? 'known vulnerability'}`,
+                severity: mapNpmSeverity(v.severity),
+                source: `tool:${toolId}`,
+                rule_id: pkg,
+                subscore_key: primarySubscore(toolId),
+            };
+        });
+        return {
+            tool_id: toolId,
+            summary: {
+                tier: 'findings',
+                counts: { critical, high, medium, low, total },
+                top_findings: topBySeverity(findings),
+            },
+            oneliner: `${total} vulnerable packages (${critical} critical, ${high} high)`,
+        };
+    };
+}
+const npmAuditParser = npmAuditCommon('npm-audit');
+const pnpmAuditParser = npmAuditCommon('pnpm-audit');
+const yarnAuditParser = npmAuditCommon('yarn-audit');
+function mapOsvSeverity(score) {
+    if (score === undefined) {
+        return 'medium';
+    }
+    if (score >= 9) {
+        return 'critical';
+    }
+    if (score >= 7) {
+        return 'high';
+    }
+    if (score >= 4) {
+        return 'medium';
+    }
+    return 'low';
+}
+const pipAuditParser = (stdout) => {
+    const data = safeJson(stdout);
+    const deps = data?.dependencies ?? [];
+    const findings = [];
+    for (const d of deps) {
+        for (const v of d.vulns ?? []) {
+            findings.push({
+                file: 'requirements.txt',
+                line: 1,
+                issue: `${d.name}: ${v.description ?? v.id ?? 'vulnerable'}`,
+                severity: 'high', // pip-audit doesn't surface CVSS in JSON; assume high
+                source: 'tool:pip-audit',
+                rule_id: v.id,
+                subscore_key: primarySubscore('pip-audit'),
+            });
+        }
+    }
+    return {
+        tool_id: 'pip-audit',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} vulnerable packages`,
+    };
+};
+const govulncheckParser = (stdout) => {
+    // govulncheck -json emits a stream; vulnerabilities are events with
+    // {finding: {osv, fixed_version, trace: [{module, package, function, position}]}}
+    const events = safeJsonLines(stdout);
+    const findings = [];
+    for (const e of events) {
+        const f = e.finding;
+        if (!f) {
+            continue;
+        }
+        const tr = f.trace?.[0];
+        findings.push({
+            file: tr?.position?.filename ?? tr?.module ?? 'go.mod',
+            line: tr?.position?.line ?? 1,
+            issue: `${tr?.package ?? tr?.module ?? 'module'}: ${f.osv ?? 'vulnerable'}`,
+            severity: 'high',
+            source: 'tool:govulncheck',
+            rule_id: f.osv,
+            subscore_key: primarySubscore('govulncheck'),
+        });
+    }
+    return {
+        tool_id: 'govulncheck',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} Go vulnerabilities`,
+    };
+};
+const cargoAuditParser = (stdout) => {
+    const data = safeJson(stdout);
+    const list = data?.vulnerabilities?.list ?? [];
+    const findings = list.map((v) => ({
+        file: 'Cargo.toml',
+        line: 1,
+        issue: `${v.package?.name ?? 'crate'}: ${v.advisory?.title ?? v.advisory?.id ?? 'vulnerable'}`,
+        severity: 'high',
+        source: 'tool:cargo-audit',
+        rule_id: v.advisory?.id,
+        subscore_key: primarySubscore('cargo-audit'),
+    }));
+    return {
+        tool_id: 'cargo-audit',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} Rust crate vulnerabilities`,
+    };
+};
+const cargoDenyParser = (stdout) => {
+    const events = safeJsonLines(stdout);
+    const findings = [];
+    for (const e of events) {
+        if (e.type !== 'diagnostic') {
+            continue;
+        }
+        const sev = (e.fields?.severity ?? '').toLowerCase();
+        if (sev !== 'error' && sev !== 'warning') {
+            continue;
+        }
+        findings.push({
+            file: 'Cargo.toml',
+            line: 1,
+            issue: e.fields?.message ?? 'cargo-deny violation',
+            severity: sev === 'error' ? 'high' : 'medium',
+            source: 'tool:cargo-deny',
+            rule_id: e.fields?.advisory,
+            subscore_key: primarySubscore('cargo-deny'),
+        });
+    }
+    return {
+        tool_id: 'cargo-deny',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} cargo-deny violations`,
+    };
+};
+const osvScannerParser = (stdout, _stderr, ctx) => {
+    const data = safeJson(stdout);
+    const results = data?.results ?? [];
+    const findings = [];
+    for (const r of results) {
+        const path = r.source?.path ?? 'manifest';
+        for (const p of r.packages ?? []) {
+            for (const v of p.vulnerabilities ?? []) {
+                // The CVSS score is encoded as a string; pull the first numeric.
+                const scoreStr = v.severity?.[0]?.score ?? '';
+                const m = scoreStr.match(/(\d+(\.\d+)?)/);
+                const score = m ? parseFloat(m[1]) : undefined;
+                findings.push({
+                    file: relPath(path, ctx),
+                    line: 1,
+                    issue: `${p.package?.name ?? 'package'}: ${v.summary ?? v.id ?? 'vulnerable'}`,
+                    severity: mapOsvSeverity(score),
+                    source: 'tool:osv-scanner',
+                    rule_id: v.id,
+                    subscore_key: primarySubscore('osv-scanner'),
+                });
+            }
+        }
+    }
+    return {
+        tool_id: 'osv-scanner',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} cross-language vulnerabilities`,
+    };
+};
+const bundlerAuditParser = (stdout) => {
+    // bundler-audit JSON format: { results: [{ gem, advisory: { id, title, ... } }] }
+    const data = safeJson(stdout);
+    const results = data?.results ?? [];
+    const findings = results.map((r) => ({
+        file: 'Gemfile.lock',
+        line: 1,
+        issue: `${r.gem?.name ?? 'gem'}: ${r.advisory?.title ?? r.advisory?.id ?? 'vulnerable'}`,
+        severity: 'high',
+        source: 'tool:bundler-audit',
+        rule_id: r.advisory?.id,
+        subscore_key: primarySubscore('bundler-audit'),
+    }));
+    return {
+        tool_id: 'bundler-audit',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} Ruby gem vulnerabilities`,
+    };
+};
+const vultureParser = (stdout, _stderr, ctx) => {
+    // vulture text output: `path:line: unused X 'name' (confidence%)`
+    const findings = [];
+    for (const line of stdout.split(/\r?\n/)) {
+        const m = line.match(/^(.+?):(\d+):\s*(.+?)\s*\((\d+)%\s*confidence\)/);
+        if (!m) {
+            continue;
+        }
+        findings.push({
+            file: relPath(m[1], ctx),
+            line: parseInt(m[2], 10),
+            issue: m[3],
+            severity: 'low',
+            source: 'tool:vulture',
+            subscore_key: primarySubscore('vulture'),
+        });
+    }
+    return {
+        tool_id: 'vulture',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings, 20),
+        },
+        oneliner: `${findings.length} dead-code candidates`,
+    };
+};
+const madgeParser = (stdout, _stderr, ctx) => {
+    const data = safeJson(stdout);
+    if (!data) {
+        return {
+            tool_id: 'madge',
+            summary: {
+                tier: 'findings',
+                counts: countBySeverity([]),
+                top_findings: [],
+            },
+            oneliner: 'no circular dependencies',
+        };
+    }
+    // Newer madge --circular --json returns array of cycles (each = array of files).
+    const cycles = Array.isArray(data) ? data : Object.values(data);
+    const findings = cycles.map((cycle) => ({
+        file: relPath(cycle[0] ?? '', ctx),
+        line: 1,
+        issue: `Circular import chain: ${cycle.map((f) => relPath(f, ctx)).join(' -> ')}`,
+        severity: 'medium',
+        source: 'tool:madge',
+        subscore_key: primarySubscore('madge'),
+    }));
+    return {
+        tool_id: 'madge',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} circular dependencies`,
+    };
+};
+const jscpdParser = (stdout, _stderr, ctx) => {
+    // jscpd writes JSON to a file, but its stdout (when --output specified) can
+    // also include the report. We accept either.
+    const data = safeJson(stdout);
+    const stats = data?.statistics?.total;
+    const dupPct = stats?.percentage ?? 0;
+    const cloneCount = stats?.clones ?? 0;
+    const dupes = data?.duplicates ?? [];
+    const findings = dupes.map((d) => ({
+        file: relPath(d.firstFile?.name ?? '', ctx),
+        line: d.firstFile?.start ?? 1,
+        issue: `Duplicated with ${relPath(d.secondFile?.name ?? '', ctx)}:${d.secondFile?.start ?? 1} (${d.lines ?? 0} lines)`,
+        severity: 'low',
+        source: 'tool:jscpd',
+        subscore_key: primarySubscore('jscpd'),
+    }));
+    return {
+        tool_id: 'jscpd',
+        summary: {
+            tier: 'metrics',
+            metrics: {
+                duplication_pct: dupPct,
+                clones: cloneCount,
+                top_clones: topBySeverity(findings, 10),
+            },
+        },
+        oneliner: `${dupPct.toFixed(1)}% duplicated (${cloneCount} clones)`,
+    };
+};
+const gocycloParser = (stdout, _stderr, ctx) => {
+    // -json returns [{ complexity, package, function, file, line }]
+    // -over 15 means only functions above 15 are reported.
+    const data = safeJson(stdout);
+    const items = data ?? [];
+    const findings = items.map((i) => ({
+        file: relPath(i.file ?? '', ctx),
+        line: i.line ?? 1,
+        issue: `${i.function ?? 'function'} has cyclomatic complexity ${i.complexity ?? '?'}`,
+        severity: (i.complexity ?? 0) >= 25 ? 'high' : 'medium',
+        source: 'tool:gocyclo',
+        subscore_key: primarySubscore('gocyclo'),
+    }));
+    return {
+        tool_id: 'gocyclo',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} high-complexity functions`,
+    };
+};
+// ---------------------------------------------------------------------------
+// Tier 3 — structured metrics
+// ---------------------------------------------------------------------------
+const sccParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!Array.isArray(data)) {
+        return {
+            tool_id: 'scc',
+            summary: { tier: 'metrics', metrics: {} },
+            oneliner: 'no LOC stats',
+        };
+    }
+    const totalLines = data.reduce((s, e) => s + (e.Lines ?? 0), 0);
+    const totalCode = data.reduce((s, e) => s + (e.Code ?? 0), 0);
+    const totalFiles = data.reduce((s, e) => s + (e.Files ?? 0), 0);
+    const byLang = data
+        .map((e) => ({
+        language: e.Name ?? 'unknown',
+        lines: e.Lines ?? 0,
+        code: e.Code ?? 0,
+        files: e.Files ?? 0,
+    }))
+        .sort((a, b) => b.code - a.code)
+        .slice(0, 10);
+    return {
+        tool_id: 'scc',
+        summary: {
+            tier: 'metrics',
+            metrics: {
+                total_lines: totalLines,
+                total_code_lines: totalCode,
+                total_files: totalFiles,
+                languages: byLang,
+            },
+        },
+        oneliner: `${totalCode.toLocaleString()} code lines across ${totalFiles} files`,
+    };
+};
+const lizardParser = (stdout) => {
+    // Lizard --xml output is structured XML; we use a minimal text extraction
+    // since we asked for thresholds (-C 15 -L 80). The summary line at the end
+    // has the format: "Total nloc Avg.NLOC AvgCCN Avg.token Fun Cnt ..."
+    // We do a defensive pass.
+    const lastLines = stdout.split(/\r?\n/).slice(-20).join('\n');
+    const m = lastLines.match(/Total\s+nloc[\s\S]+?(\d+)\s+(\d+\.?\d*)\s+(\d+\.?\d*)\s+(\d+\.?\d*)\s+(\d+)/);
+    let totalNloc = 0;
+    let avgNloc = 0;
+    let avgCcn = 0;
+    let funcCount = 0;
+    if (m) {
+        totalNloc = parseInt(m[1], 10);
+        avgNloc = parseFloat(m[2]);
+        avgCcn = parseFloat(m[3]);
+        funcCount = parseInt(m[5], 10);
+    }
+    // Count warnings (functions exceeding thresholds)
+    const warningCount = (stdout.match(/warnings? \(/g) || []).length;
+    return {
+        tool_id: 'lizard',
+        summary: {
+            tier: 'metrics',
+            metrics: {
+                total_nloc: totalNloc,
+                avg_nloc_per_function: avgNloc,
+                avg_cyclomatic_complexity: avgCcn,
+                function_count: funcCount,
+                flagged_functions: warningCount,
+            },
+        },
+        oneliner: `avg CCN ${avgCcn.toFixed(1)}, ${warningCount} flagged functions`,
+    };
+};
+const radonParser = (stdout) => {
+    // radon cc -j produces { "<file>": [ { complexity, rank, ... }, ... ] }
+    const data = safeJson(stdout);
+    const buckets = {
+        A: 0,
+        B: 0,
+        C: 0,
+        D: 0,
+        E: 0,
+        F: 0,
+    };
+    let total = 0;
+    let maxCcn = 0;
+    for (const entries of Object.values(data ?? {})) {
+        for (const e of entries) {
+            total++;
+            const r = (e.rank ?? '').toUpperCase();
+            if (r in buckets) {
+                buckets[r]++;
+            }
+            if ((e.complexity ?? 0) > maxCcn) {
+                maxCcn = e.complexity ?? 0;
+            }
+        }
+    }
+    return {
+        tool_id: 'radon',
+        summary: {
+            tier: 'metrics',
+            metrics: {
+                total_functions: total,
+                max_complexity: maxCcn,
+                rank_buckets: buckets,
+            },
+        },
+        oneliner: `${total} functions, ${buckets.D + buckets.E + buckets.F} above C-rank`,
+    };
+};
+const licenseCheckerParser = (stdout) => {
+    const data = safeJson(stdout);
+    if (!data) {
+        return {
+            tool_id: 'license-checker',
+            summary: { tier: 'metrics', metrics: {} },
+            oneliner: 'no license data',
+        };
+    }
+    const dist = {};
+    let total = 0;
+    for (const v of Object.values(data)) {
+        const l = v.licenses;
+        const lic = typeof l === 'string' ? l : Array.isArray(l) ? l.join('+') : 'UNKNOWN';
+        dist[lic] = (dist[lic] ?? 0) + 1;
+        total++;
+    }
+    // Pull suspicious license classes
+    const restricted = Object.entries(dist)
+        .filter(([k]) => /GPL|AGPL|SSPL/i.test(k))
+        .reduce((s, [, n]) => s + n, 0);
+    return {
+        tool_id: 'license-checker',
+        summary: {
+            tier: 'metrics',
+            metrics: {
+                total_packages: total,
+                license_distribution: dist,
+                restricted_licenses: restricted,
+            },
+        },
+        oneliner: `${total} packages, ${restricted} under restrictive licenses`,
+    };
+};
+// ---------------------------------------------------------------------------
+// Registry
+// ---------------------------------------------------------------------------
+export const PARSERS = {
+    // Tier 1
+    eslint: eslintParser,
+    'tsc-typecheck': tscParser,
+    ruff: ruffParser,
+    mypy: mypyParser,
+    'golangci-lint': golangciLintParser,
+    clippy: clippyParser,
+    rubocop: rubocopParser,
+    depcheck: depcheckParser,
+    'npm-outdated': npmOutdatedParser,
+    'go-mod-outdated': goModOutdatedParser,
+    'cargo-outdated': cargoOutdatedParser,
+    // Tier 2
+    semgrep: semgrepParser,
+    bandit: banditParser,
+    gosec: gosecParser,
+    brakeman: brakemanParser,
+    gitleaks: gitleaksParser,
+    'npm-audit': npmAuditParser,
+    'pnpm-audit': pnpmAuditParser,
+    'yarn-audit': yarnAuditParser,
+    'pip-audit': pipAuditParser,
+    govulncheck: govulncheckParser,
+    'cargo-audit': cargoAuditParser,
+    'cargo-deny': cargoDenyParser,
+    'osv-scanner': osvScannerParser,
+    'bundler-audit': bundlerAuditParser,
+    vulture: vultureParser,
+    madge: madgeParser,
+    gocyclo: gocycloParser,
+    // Mixed (T3 metrics + T2 sub-findings)
+    jscpd: jscpdParser,
+    // Tier 3
+    scc: sccParser,
+    lizard: lizardParser,
+    radon: radonParser,
+    'license-checker': licenseCheckerParser,
+};
+/** Run the parser for a tool, defensively swallowing errors. */
+export function parseToolOutput(toolId, stdout, stderr, ctx) {
+    const fn = PARSERS[toolId];
+    if (!fn) {
+        return {
+            tool_id: toolId,
+            summary: { tier: 'counts', counts: { errors: 0, warnings: 0, info: 0 } },
+            oneliner: `no parser for ${toolId}`,
+        };
+    }
+    try {
+        return fn(stdout, stderr, ctx);
+    }
+    catch (err) {
+        return {
+            tool_id: toolId,
+            summary: { tier: 'counts', counts: { errors: 0, warnings: 0, info: 0 } },
+            oneliner: `parser error: ${err instanceof Error ? err.message : String(err)}`,
+        };
+    }
+}