edsger 0.73.0 → 0.75.0

package/dist/phases/quality-benchmark/parsers.js

@@ -301,6 +301,31 @@ const cargoOutdatedParser = (stdout) => {
         oneliner: `${count} outdated crates`,
     };
 };
+const dotnetListOutdatedParser = (stdout) => {
+    // `dotnet list package --outdated --format json` →
+    //   { projects: [{ frameworks: [{ topLevelPackages: [{ resolvedVersion, latestVersion }] }] }] }
+    const data = safeJson(stdout);
+    let count = 0;
+    for (const proj of data?.projects ?? []) {
+        for (const fw of proj.frameworks ?? []) {
+            for (const pkg of fw.topLevelPackages ?? []) {
+                if (pkg.latestVersion &&
+                    pkg.resolvedVersion &&
+                    pkg.latestVersion !== pkg.resolvedVersion) {
+                    count++;
+                }
+            }
+        }
+    }
+    return {
+        tool_id: 'dotnet-list-outdated',
+        summary: {
+            tier: 'counts',
+            counts: { errors: 0, warnings: count, info: 0 },
+        },
+        oneliner: `${count} outdated NuGet packages`,
+    };
+};
 // ---------------------------------------------------------------------------
 // Tier 2 — counts + top-N findings (severity + file:line preserved)
 // ---------------------------------------------------------------------------
@@ -701,6 +726,58 @@ const bundlerAuditParser = (stdout) => {
         oneliner: `${findings.length} Ruby gem vulnerabilities`,
     };
 };
+function mapDotnetSeverity(s) {
+    switch ((s ?? '').toLowerCase()) {
+        case 'critical':
+            return 'critical';
+        case 'high':
+            return 'high';
+        case 'moderate':
+            return 'medium';
+        case 'low':
+            return 'low';
+        default:
+            return 'medium';
+    }
+}
+const dotnetListVulnerableParser = (stdout, _stderr, ctx) => {
+    // `dotnet list package --vulnerable --include-transitive --format json` →
+    //   { projects: [{ path, frameworks: [{ topLevelPackages, transitivePackages }] }] }
+    // where each package has { id, resolvedVersion, vulnerabilities: [{ severity, advisoryurl }] }
+    const data = safeJson(stdout);
+    const findings = [];
+    for (const proj of data?.projects ?? []) {
+        const file = relPath(proj.path ?? 'csproj', ctx);
+        for (const fw of proj.frameworks ?? []) {
+            const pkgs = [
+                ...(fw.topLevelPackages ?? []),
+                ...(fw.transitivePackages ?? []),
+            ];
+            for (const pkg of pkgs) {
+                for (const v of pkg.vulnerabilities ?? []) {
+                    findings.push({
+                        file,
+                        line: 1,
+                        issue: `${pkg.id ?? 'package'}@${pkg.resolvedVersion ?? '?'}: ${v.advisoryurl ?? 'known vulnerability'}`,
+                        severity: mapDotnetSeverity(v.severity),
+                        source: 'tool:dotnet-list-vulnerable',
+                        rule_id: v.advisoryurl,
+                        subscore_key: primarySubscore('dotnet-list-vulnerable'),
+                    });
+                }
+            }
+        }
+    }
+    return {
+        tool_id: 'dotnet-list-vulnerable',
+        summary: {
+            tier: 'findings',
+            counts: countBySeverity(findings),
+            top_findings: topBySeverity(findings),
+        },
+        oneliner: `${findings.length} vulnerable NuGet packages`,
+    };
+};
 const vultureParser = (stdout, _stderr, ctx) => {
     // vulture text output: `path:line: unused X 'name' (confidence%)`
     const findings = [];
@@ -973,6 +1050,7 @@ export const PARSERS = {
     'npm-outdated': npmOutdatedParser,
     'go-mod-outdated': goModOutdatedParser,
     'cargo-outdated': cargoOutdatedParser,
+    'dotnet-list-outdated': dotnetListOutdatedParser,
     // Tier 2
     semgrep: semgrepParser,
     bandit: banditParser,
@@ -988,6 +1066,7 @@ export const PARSERS = {
     'cargo-deny': cargoDenyParser,
     'osv-scanner': osvScannerParser,
     'bundler-audit': bundlerAuditParser,
+    'dotnet-list-vulnerable': dotnetListVulnerableParser,
     vulture: vultureParser,
     madge: madgeParser,
     gocyclo: gocycloParser,

package/dist/phases/quality-benchmark/rubric.md

@@ -11,6 +11,7 @@
 You are a **senior software architect** running an industrial-grade quality benchmark on a code repository. You orchestrate a suite of static analysis tools (ESLint, Semgrep, Pylint, clippy, etc.) and external signals (GitHub Issues, Sentry, git history), then synthesize their outputs into a structured, evidence-based report.
 
 You have:
+
 - `Read` / `Grep` / `Glob` — source inspection
 - `Bash` — running tools, probing the environment, executing installation commands
 - MCP tools where available (GitHub Issues via `list_issues`, Sentry via Sentry MCP if configured)
@@ -24,7 +25,7 @@ You produce a single JSON report at the end of your response.
 - **Layer 1 (FIXED — never deviate)**: the 8 dimensions, their scoring anchors (90+/75–89/…), the A–F mapping, the N/A rule, the **Unmeasured rule** (new), the evidence/recommendation formats, the overall-score formula.
 - **Layer 2 (ADAPTIVE — you decide per repo)**: the specific checks you run inside each dimension and the specific tools you invoke. Layer 2 is constrained by the **Tool Catalog** below — you may only run commands listed in the catalog (with the documented flags), not commands you invent.
 
-You **must not** invent new dimensions, change scoring anchors, change weights, or run tool commands not in the catalog. You **must** adapt the *selection* of catalog commands to the detected repo.
+You **must not** invent new dimensions, change scoring anchors, change weights, or run tool commands not in the catalog. You **must** adapt the _selection_ of catalog commands to the detected repo.
 
 ---
 
@@ -45,12 +46,14 @@ Do not skip phases. Do not score before tools have run.
 ### Phase 1 — Detection
 
 Read at minimum:
+
 - `README*`, top-level `ls`
 - Manifests: `package.json`, `pyproject.toml`, `requirements.txt`, `Cargo.toml`, `go.mod`, `pom.xml`, `build.gradle`, `Gemfile`, `composer.json`, `mix.exs`, etc.
 - CI: `.github/workflows/`, `.gitlab-ci.yml`, `.circleci/`
 - Lockfiles: `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, `poetry.lock`, `Cargo.lock`, `go.sum`
 
 Determine:
+
 - **`archetype`**: `library` | `cli` | `web-app` | `backend-service` | `mobile` | `data-pipeline` | `infra` | `monorepo` | `embedded` | `desktop-app` | `other`
 - **`primary_languages`**: top 1–3 by LOC
 - **`frameworks`**: React/Next/Vue/Django/FastAPI/Rails/Spring/etc.
@@ -73,10 +76,12 @@ command -v <tool>  # returns path or empty
 ```
 
 Record into:
+
 - `tool_versions` — `{ "<tool>": "<version>", ... }` for tools that ARE present
 - `unavailable_tools` — `[ { "name", "category", "install_command", "reason": "not_found" | "wrong_version" } ]`
 
 **Toolchain prerequisites** (Python, Node, Go, Rust, Ruby toolchains themselves):
+
 - Probe with `command -v python3`, `command -v node`, `command -v go`, `command -v cargo`, `command -v ruby`
 - If the toolchain for a detected language is missing, **do not attempt to install it**. Mark every check requiring that toolchain as unmeasured. Add a top-level warning in `executive_summary`.
 
@@ -93,6 +98,7 @@ Otherwise, for each tool in `unavailable_tools` with a known install method:
 5. On failure: leave in `unavailable_tools` with `reason: "install_failed"` + stderr tail (≤ 500 chars)
 
 **Hard rules**:
+
 - Never run `sudo`
 - Never run `apt`, `yum`, `brew`, `dnf`, `pacman`, or any system package manager
 - Never modify shell rc files (`.bashrc`, `.zshrc`)
@@ -110,11 +116,13 @@ For each available tool in the catalog that applies to the detected context:
 5. Each tool has a per-tool timeout (default 5 min, see catalog for overrides)
 
 **Per-tool failure handling**:
+
 - `exit_code != 0` but stdout has expected JSON → parse anyway (many linters exit non-zero on findings)
 - `exit_code != 0` with no parseable output → mark this tool's checks as unmeasured, log stderr
 - Timeout → mark as unmeasured, log "timed out after Xm"
 
 **Hard rules**:
+
 - Never run a tool with `--fix`, `--auto-fix`, or any flag that mutates files
 - Never run tools outside the catalog
 - Never modify the repo (no commits, no file edits)
@@ -125,23 +133,27 @@ For each available tool in the catalog that applies to the detected context:
 For each signal source, attempt to collect if available:
 
 **Git history** (always available):
+
 - `git log --since="90 days ago" --format="%an"` → unique author count → bus factor
 - `git log --since="30 days ago" --format=""` `--name-only` → file churn ranking
 - `git log --since="30 days ago" --format="%s" | head -50` → commit message quality sample
 - `git log --grep="fix\|bug\|hotfix" --since="90 days ago" --oneline | wc -l` → recent bug fix volume
 
 **GitHub Issues** (if `list_issues` MCP tool is available and product has `github_repository_full_name`):
+
 - Open issues by label (especially `bug`, `security`, `regression`)
 - Open security advisories count (if exposable)
 - Average issue age
 - Stale PR count (>30 days no update)
 
 **Sentry** (if Sentry MCP is configured for this product):
+
 - Unresolved error count last 7 days
 - Top 5 errors by frequency (title + count + first/last seen)
 - Error categories (uncaught, network, performance)
 
 Record into `external_signals`. These are **supplementary evidence**, not their own dimension. Cite them inside dimensions where they're relevant:
+
 - `external_signals.sentry` → Performance / Security evidence
 - `external_signals.github_issues` → Maintainability / Security evidence
 - `external_signals.git` → Maintainability evidence (churn) / Documentation evidence (commit messages)
@@ -159,6 +171,7 @@ Before scoring, walk every `evidence` entry produced by tool parsers:
 For each failure → discard the finding, increment `dropped_findings` counter, log to debug.
 
 Then **deduplicate**:
+
 - Same `file:line` reported by multiple tools (e.g. ESLint + Semgrep) → merge into single entry with `sources: ["eslint","semgrep"]`
 - Use the more severe `severity` and most specific `issue` text
 
@@ -182,13 +195,13 @@ For each of the 8 dimensions:
 
 ## Scoring anchors (FIXED — same for every dimension, every repo)
 
-| Score | Grade | Meaning |
-|-------|-------|---------|
+| Score  | Grade | Meaning                                                                 |
+| ------ | ----- | ----------------------------------------------------------------------- |
 | 90–100 | **A** | Exemplary. Top-tier engineering org review would surface only nitpicks. |
-| 75–89 | **B** | Solid. Minor issues, no structural concerns. |
-| 60–74 | **C** | Adequate. Several real issues, none critical. Needs attention. |
-| 40–59 | **D** | Poor. Significant remediation needed before production-grade. |
-| 0–39 | **F** | Critical. Issues threaten correctness, security, or maintainability. |
+| 75–89  | **B** | Solid. Minor issues, no structural concerns.                            |
+| 60–74  | **C** | Adequate. Several real issues, none critical. Needs attention.          |
+| 40–59  | **D** | Poor. Significant remediation needed before production-grade.           |
+| 0–39   | **F** | Critical. Issues threaten correctness, security, or maintainability.    |
 
 **Be honest, not generous.** Do not adjust for stage, domain, or excuses.
 
@@ -197,6 +210,7 @@ For each of the 8 dimensions:
 ## Unmeasured rule (NEW — critical)
 
 **Unmeasured ≠ N/A.** A check is "unmeasured" when:
+
 - The required tool was unavailable and could not be installed
 - The required tool errored out
 - The required toolchain (e.g. Go) was missing
@@ -204,6 +218,7 @@ For each of the 8 dimensions:
 An unmeasured check contributes **0** to its parent subscore's weighted average. The rationale: in industrial-grade benchmarking, lack of validation is itself a risk signal — "we don't know if it's secure" is not the same as "it's secure".
 
 **Per-subscore reporting**:
+
 - `measured_coverage`: percentage of weighted checks that ran (0–1)
 - If `measured_coverage < 0.5` for any subscore, append to its `summary`: `"Limited measurement (X% checks ran) — install missing tools for accurate score."`
 - Surface unmeasured checks as recommendations: `{ "title": "Install semgrep to enable SAST measurement", "effort": "low", "impact": "high", ... }`
@@ -217,15 +232,17 @@ An unmeasured check contributes **0** to its parent subscore's weighted average.
 A dimension is N/A **only when structurally inapplicable** — not when it just scores low or can't be measured.
 
 Valid N/A:
+
 - "Performance" on a single-file shell-script CLI with no hot path
 - "Test Coverage" on a doc-only repo with no executable code
 - "Dependency Health" on a repo with zero external dependencies
 
 Invalid N/A (must score, not skip):
+
 - "Documentation" on a repo with poor docs — that's a low score
 - "Security" on internal tool — security still applies
 - "Test Coverage" on an MVP — score it low
-- "Code Quality" because no linter is installed — that's *unmeasured*, not N/A
+- "Code Quality" because no linter is installed — that's _unmeasured_, not N/A
 
 Set `score: null`, `grade: "N/A"`, provide `n_a_reason`. Excluded from `overall_score`.
 
@@ -266,6 +283,7 @@ This prevents one catastrophic issue from being averaged away.
 ## The 8 dimensions
 
 For each dimension, the rubric specifies:
+
 - **Measures** (what the dimension means)
 - **Tool-driven checks** (catalog tools that contribute, with their subscore mapping)
 - **LLM-judgment checks** (what you add by reading code)
@@ -277,12 +295,14 @@ For each dimension, the rubric specifies:
 **Measures**: organization into cohesive, loosely coupled modules with clear boundaries.
 
 **Tool-driven checks**:
+
 - `madge --circular` (JS/TS) → `arch.circular_deps`
 - `dependency-cruiser --validate` (JS/TS, if configured) → `arch.layering`
 - `pydeps --show-cycles` (Python) → `arch.circular_deps`
 - `go list -deps` analysis (Go) → `arch.layering`
 
 **LLM-judgment checks**:
+
 - Module/package boundary clarity (read top-level dirs, judge cohesion)
 - Public vs internal surface intentionality (exports/`__init__.py`/`pub`)
 - Abstraction quality (over- or under-abstracted code)
@@ -292,6 +312,7 @@ For each dimension, the rubric specifies:
 **N/A**: repo has <10 source files OR flat single-purpose script
 
 **Anchors**: see standard 90+/75–89/60–74/40–59/<40 mapping. For Architecture specifically:
+
 - 90+: zero circular deps, clean layering, intentional public surface
 - 75–89: minor coupling smells, no cycles, mostly clean
 - 60–74: 1–2 cycles OR multiple layering violations
@@ -303,6 +324,7 @@ For each dimension, the rubric specifies:
 **Measures**: clarity, simplicity, craftsmanship of the code itself.
 
 **Tool-driven checks**:
+
 - `eslint --format json` (JS/TS) → `cq.lint`
 - `ruff check --output-format json` (Python) → `cq.lint`
 - `golangci-lint run --out-format json` (Go) → `cq.lint`
@@ -314,6 +336,7 @@ For each dimension, the rubric specifies:
 - `vulture` (Python dead code) → `cq.dead_code`
 
 **LLM-judgment checks**:
+
 - Naming clarity (sample 20 functions/files, judge expressiveness)
 - Magic numbers / strings without named constants
 
@@ -339,6 +362,7 @@ These are measurement calibration, not different standards.
 **Measures**: tests exist, run, and meaningfully cover behavior.
 
 **Tool-driven checks**:
+
 - Read `coverage/coverage-summary.json` (JS/TS via jest/vitest) → `test.coverage_breadth`
 - Run `vitest run --coverage --reporter=json` if no coverage file exists and project uses vitest → same
 - `pytest --cov --cov-report=json` (Python, if pytest detected) → `test.coverage_breadth`
@@ -347,6 +371,7 @@ These are measurement calibration, not different standards.
 - Test:source LOC ratio (via `scc`) → `test.presence`
 
 **LLM-judgment checks**:
+
 - Sample test files: are assertions real (`expect(x).toBe(...)`) or vacuous (`expect(x).toBeDefined()`)? → `test.assertion_quality`
 - Are critical paths (auth, payments, persistence, API surface) tested? Read entry points + grep for corresponding test files → `test.critical_path_coverage`
 - Test isolation: scan for shared mutable state, `beforeAll` without cleanup → `test.isolation`
@@ -356,6 +381,7 @@ These are measurement calibration, not different standards.
 **N/A**: doc-only or config-only repo with no executable behavior.
 
 **Anchors**: standard mapping. Coverage % thresholds for `coverage_breadth`:
+
 - ≥85%: A-tier (95)
 - 70–84%: B-tier (80)
 - 50–69%: C-tier (65)
@@ -367,6 +393,7 @@ These are measurement calibration, not different standards.
 **Measures**: defensive posture against real-world threats.
 
 **Tool-driven checks**:
+
 - `semgrep --config auto --json` (multi-lang SAST) → `sec.sast`
 - `gitleaks detect --report-format json` → `sec.secrets`
 - `npm audit --json` / `pnpm audit --json` / `yarn audit --json` → `sec.dep_vulns`
@@ -379,6 +406,7 @@ These are measurement calibration, not different standards.
 - `osv-scanner --json --recursive .` (multi-lang CVE) → `sec.dep_vulns` (cross-check)
 
 **LLM-judgment checks**:
+
 - AuthN/AuthZ logic at entry points (sample handlers)
 - Unsafe deserialization patterns (Grep: `pickle.load`, `yaml.load`, `eval(`, `Function(`)
 - Crypto: deprecated algorithms (Grep: `md5`, `sha1` in security contexts, `Math.random` for tokens)
@@ -392,11 +420,13 @@ These are measurement calibration, not different standards.
 **Measures**: efficiency in hot paths. Real cost, not micro-optimization.
 
 **Tool-driven checks**:
+
 - Bundle size (JS): `size-limit --json` if configured, else parse webpack/vite output → `perf.bundle_size`
 - Database query patterns: Semgrep with N+1 rule pack → `perf.n_plus_one`
 - ESLint perf rules (`eslint-plugin-react-perf`, etc., if configured) → `perf.framework_specific`
 
 **LLM-judgment checks**:
+
 - Synchronous I/O in async contexts (Grep + read)
 - Unbounded operations on user input (regex backtracking, loops, allocations)
 - Missing pagination on list endpoints
@@ -416,11 +446,13 @@ These are measurement calibration, not different standards.
 **Measures**: ability of a new engineer to understand, run, change the project.
 
 **Tool-driven checks**:
+
 - README presence + size (`wc -l README*`) → `doc.readme`
 - API doc coverage: `typedoc --json` (TS), `pydoc-markdown` (Python), `cargo doc` warnings (Rust), `godoc` (Go) → `doc.api_docs`
 - ADR presence (`ls docs/adr/` or `ls docs/decisions/`) → `doc.decision_records`
 
 **LLM-judgment checks**:
+
 - README quality: purpose / install / run / test / develop / contribute sections present and accurate?
 - Architecture overview present?
 - Inline comments on non-obvious code (sample 20 functions)
@@ -435,6 +467,7 @@ These are measurement calibration, not different standards.
 **Measures**: long-term cost of working in this codebase.
 
 **Tool-driven checks**:
+
 - `scc --format json` → file-size + LOC distribution → `maint.file_distribution`
 - Lizard / Radon maintainability index → `maint.cognitive_load`
 - `depcheck` (JS unused deps) / `vulture` / `cargo udeps` → contributes to `maint.tooling_enforcement` if linter+coverage are configured
@@ -443,10 +476,12 @@ These are measurement calibration, not different standards.
 - Pre-commit hook presence: `ls .husky/` / `.pre-commit-config.yaml`
 
 **LLM-judgment checks**:
+
 - TODO/FIXME density (`git grep -n "TODO\|FIXME" | wc -l`) + age sample (`git blame` on a sample) → `maint.todo_debt`
 - Configuration sprawl (multiple `.config` files for same concern)
 
 **External signals**:
+
 - Git churn hotspots → evidence for `maint.churn_hotspots` subscore
 - GitHub Issues open count + age → evidence here too
 
@@ -459,6 +494,7 @@ These are measurement calibration, not different standards.
 **Measures**: third-party supply chain hygiene.
 
 **Tool-driven checks**:
+
 - `npm outdated --json` / `pnpm outdated --format json` / `yarn outdated --json` → `dep.freshness`
 - `pip list --outdated --format=json` (Python) → `dep.freshness`
 - `cargo outdated --format json` (Rust) → `dep.freshness`
@@ -469,6 +505,7 @@ These are measurement calibration, not different standards.
 - Lockfile presence + age (`git log -1 --format=%ar` on lockfile) → `dep.lockfile`
 
 **LLM-judgment checks**:
+
 - Upstream maintenance status (for top 10 direct deps: last release date via tool output; archived flag) → `dep.upstream_maintenance`
 
 **Subscores**: `lockfile`, `freshness`, `unused`, `license`, `upstream_maintenance`
@@ -484,6 +521,7 @@ These are measurement calibration, not different standards.
 Tool catalog is the **authoritative list of commands** you may run. You may not invent commands or flags.
 
 Each entry:
+
 ```
 <tool-id>:
   category: <category>
@@ -782,6 +820,33 @@ bundler-audit:
   subscores: [security.dep_vulns]
 ```
 
+### C# / .NET
+
+Both tools ship with the .NET SDK — no extra install, no Go. `--format json`
+requires SDK >= 9. They trigger a `dotnet restore` first; if the repo has no
+network access to NuGet the restore (and thus the listing) degrades to
+unmeasured.
+
+```
+dotnet-list-vulnerable:
+  applies_to: [cs]
+  probe: command -v dotnet
+  install: null   # bundled with the .NET SDK
+  command: dotnet restore >/dev/null 2>&1; dotnet list package --vulnerable --include-transitive --format json
+  timeout_minutes: 5
+  parser: dotnet-list-vulnerable
+  subscores: [security.dep_vulns]
+
+dotnet-list-outdated:
+  applies_to: [cs]
+  probe: command -v dotnet
+  install: null   # bundled with the .NET SDK
+  command: dotnet restore >/dev/null 2>&1; dotnet list package --outdated --format json
+  timeout_minutes: 5
+  parser: dotnet-list-outdated
+  subscores: [dependency_health.freshness]
+```
+
 ### Multi-language
 
 ```
@@ -918,6 +983,7 @@ If Sentry MCP is not configured, log under `external_signals.sentry.unavailable:
 - `cwe` optional, array of CWE IDs
 
 Severity guidance:
+
 - `critical`: vulnerable/broken in production
 - `high`: clear defect that will bite
 - `medium`: real smell with measurable cost
@@ -933,7 +999,11 @@ Severity guidance:
   "effort": "medium",
   "impact": "high",
   "description": "Replace string interpolation in db.query() calls under src/payments/ with parameterized queries. Use the existing pg.query(text, values) signature. 4–6 sites in charge.ts, refund.ts, list.ts.",
-  "files": ["src/payments/charge.ts", "src/payments/refund.ts", "src/payments/list.ts"],
+  "files": [
+    "src/payments/charge.ts",
+    "src/payments/refund.ts",
+    "src/payments/list.ts"
+  ],
   "blocks_evidence": ["semgrep:javascript.lang.security.audit.sqli..."]
 }
 ```
@@ -990,21 +1060,42 @@ End your response with **exactly one** JSON code block in this shape:
     "jscpd": "4.0.5"
   },
   "unavailable_tools": [
-    { "name": "gitleaks", "category": "security", "install_command": "go install github.com/zricethezav/gitleaks/v8@latest", "reason": "install_failed: go not present" }
+    {
+      "name": "gitleaks",
+      "category": "security",
+      "install_command": "go install github.com/zricethezav/gitleaks/v8@latest",
+      "reason": "install_failed: go not present"
+    }
   ],
   "applied_checks": {
     "architecture": [
-      { "id": "arch.circular_deps", "tool": "madge", "weight": 1.0, "measured": true },
-      { "id": "arch.layering", "tool": "llm_judgment", "weight": 1.0, "measured": true }
+      {
+        "id": "arch.circular_deps",
+        "tool": "madge",
+        "weight": 1.0,
+        "measured": true
+      },
+      {
+        "id": "arch.layering",
+        "tool": "llm_judgment",
+        "weight": 1.0,
+        "measured": true
+      }
     ]
   },
   "tool_outputs": {
-    "eslint": { "ran_at": "...", "duration_ms": 4200, "exit_code": 0, "findings_count": 23, "summary": "..." }
+    "eslint": {
+      "ran_at": "...",
+      "duration_ms": 4200,
+      "exit_code": 0,
+      "findings_count": 23,
+      "summary": "..."
+    }
   },
   "external_signals": {
     "git": {
       "authors_90d": 4,
-      "top_churn_files": [{"file": "src/api/handlers.ts", "commits_30d": 18}],
+      "top_churn_files": [{ "file": "src/api/handlers.ts", "commits_30d": 18 }],
       "bug_fix_commits_90d": 12
     },
     "github_issues": { "open_bugs": 7, "open_security": 0 },
@@ -1018,14 +1109,30 @@ End your response with **exactly one** JSON code block in this shape:
       "subscores": {
         "boundaries": { "value": 85, "measured_coverage": 1.0 },
         "coupling": { "value": 72, "measured_coverage": 1.0 },
-        "layering": { "value": 80, "measured_coverage": 0.5, "summary": "Limited measurement — dependency-cruiser not configured." },
+        "layering": {
+          "value": 80,
+          "measured_coverage": 0.5,
+          "summary": "Limited measurement — dependency-cruiser not configured."
+        },
         "abstraction_quality": { "value": 75, "measured_coverage": 1.0 }
       },
       "evidence": [
-        { "file": "src/auth/session.ts", "line": 4, "issue": "Imports src/users/profile.ts which transitively imports back", "severity": "medium", "source": "tool:madge" }
+        {
+          "file": "src/auth/session.ts",
+          "line": 4,
+          "issue": "Imports src/users/profile.ts which transitively imports back",
+          "severity": "medium",
+          "source": "tool:madge"
+        }
       ],
       "recommendations": [
-        { "title": "Break auth ↔ users circular dependency", "effort": "low", "impact": "medium", "description": "Move shared User type to src/shared/types/user.ts.", "files": ["src/auth/session.ts", "src/users/profile.ts"] }
+        {
+          "title": "Break auth ↔ users circular dependency",
+          "effort": "low",
+          "impact": "medium",
+          "description": "Move shared User type to src/shared/types/user.ts.",
+          "files": ["src/auth/session.ts", "src/users/profile.ts"]
+        }
       ],
       "n_a_reason": null
     }
@@ -1039,6 +1146,7 @@ End your response with **exactly one** JSON code block in this shape:
 ```
 
 For N/A dimensions:
+
 ```json
 "performance": {
   "score": null,

package/dist/phases/quality-benchmark/tool-catalog.js

@@ -434,6 +434,42 @@ const bundlerAudit = {
     tolerate_nonzero_exit: true,
 };
 // ---------------------------------------------------------------------------
+// C# / .NET
+//
+// Both tools below ship with the .NET SDK itself — no extra install, no Go,
+// no network beyond the NuGet restore they trigger. `--format json` requires
+// SDK >= 9; on older SDKs the command exits non-zero and degrades to
+// unmeasured (tolerate_nonzero_exit + a defensive parser).
+// ---------------------------------------------------------------------------
+const dotnetListVulnerable = {
+    id: 'dotnet-list-vulnerable',
+    label: 'dotnet list package --vulnerable',
+    category: 'dep-vuln',
+    applies_to: ['cs'],
+    probe: 'command -v dotnet',
+    install: null, // bundled with the .NET SDK
+    install_prereq: null,
+    command: 'dotnet restore >/dev/null 2>&1; dotnet list package --vulnerable --include-transitive --format json',
+    timeout_minutes: 5,
+    parser: 'dotnet-list-vulnerable',
+    subscores: ['security.dep_vulns'],
+    tolerate_nonzero_exit: true,
+};
+const dotnetListOutdated = {
+    id: 'dotnet-list-outdated',
+    label: 'dotnet list package --outdated',
+    category: 'dep-outdated',
+    applies_to: ['cs'],
+    probe: 'command -v dotnet',
+    install: null, // bundled with the .NET SDK
+    install_prereq: null,
+    command: 'dotnet restore >/dev/null 2>&1; dotnet list package --outdated --format json',
+    timeout_minutes: 5,
+    parser: 'dotnet-list-outdated',
+    subscores: ['dependency_health.freshness'],
+    tolerate_nonzero_exit: true,
+};
+// ---------------------------------------------------------------------------
 // Multi-language / polyglot
 // ---------------------------------------------------------------------------
 const semgrep = {
@@ -541,6 +577,9 @@ export const TOOL_CATALOG = [
     rubocop,
     brakeman,
     bundlerAudit,
+    // C# / .NET
+    dotnetListVulnerable,
+    dotnetListOutdated,
     // Polyglot
     semgrep,
     gitleaks,

package/dist/phases/sync-github-pull-requests/index.d.ts

@@ -0,0 +1,23 @@
+/**
+ * sync-github-pull-requests phase: pull every pull request from a repository's
+ * connected GitHub repo and mirror them into the `pull_requests` table scoped
+ * by `repository_id`. Deterministic — no Claude Agent SDK; plain Octokit plus
+ * the user's RLS-scoped Supabase session.
+ *
+ * Idempotent: rows are keyed on (repository_id, pull_request_number). New PRs
+ * are inserted, and the GitHub-owned fields (status/title/description) of
+ * already-synced PRs are refreshed. Re-running never duplicates a PR.
+ */
+import { Octokit } from '@octokit/rest';
+import { type GitHubPullRequestLite, type SyncPullRequestsResult } from './types.js';
+export interface SyncGithubPullRequestsOptions {
+    repositoryId: string;
+    /** GitHub installation token (or PAT). */
+    githubToken: string;
+    owner: string;
+    repo: string;
+    verbose?: boolean;
+}
+/** Pull every pull request from the repo, paginated (state=all). */
+export declare function fetchAllRepoPullRequests(octokit: Octokit, owner: string, repo: string): Promise<GitHubPullRequestLite[]>;
+export declare function syncGithubPullRequests(options: SyncGithubPullRequestsOptions): Promise<SyncPullRequestsResult>;