edsger 0.75.1 → 0.77.0

package/dist/phases/quality-benchmark/gate.js

@@ -0,0 +1,91 @@
+/**
+ * Quality gate evaluation for the CLI.
+ *
+ * Lets `edsger quality-benchmark --gate` enforce a per-scope pass/fail
+ * threshold against the report it just produced — the "fail the build" gate
+ * NDepend/DCM-style tools expose, usable directly in a user's own CI without
+ * any webhook. The gate (overall-score floor, critical-finding cap, per-
+ * dimension minimums) is stored in `quality_gates`, mirroring the desktop
+ * evaluator in desktop-app/.../services/db/quality-gate.ts.
+ *
+ * The evaluator is pure + exported for testing; the read is RLS-scoped via the
+ * user's supabase session and never throws (a missing gate = nothing to
+ * enforce).
+ */
+import { readScopedRow } from '../find-shared/scoped-read.js';
+/** Count critical-severity findings across every dimension's evidence. */
+export function countCriticalFindings(report) {
+    let count = 0;
+    for (const dim of Object.values(report.dimension_scores ?? {})) {
+        for (const ev of dim?.evidence ?? []) {
+            if (ev.severity === 'critical') {
+                count++;
+            }
+        }
+    }
+    return count;
+}
+/**
+ * Evaluate a report against a gate, returning every violated axis. A disabled
+ * gate passes vacuously. A report with no overall score is not failed on the
+ * overall-score axis (there is nothing to compare). Pure + exported for tests.
+ */
+export function evaluateGate(report, gate) {
+    const violations = [];
+    if (!gate.enabled) {
+        return { passed: true, violations };
+    }
+    if (gate.min_overall_score !== null &&
+        report.overall_score !== null &&
+        report.overall_score < gate.min_overall_score) {
+        violations.push({
+            label: 'Overall score',
+            required: `>= ${gate.min_overall_score}`,
+            actual: report.overall_score.toFixed(1),
+        });
+    }
+    if (gate.max_critical_findings !== null) {
+        const critical = countCriticalFindings(report);
+        if (critical > gate.max_critical_findings) {
+            violations.push({
+                label: 'Critical findings',
+                required: `<= ${gate.max_critical_findings}`,
+                actual: String(critical),
+            });
+        }
+    }
+    for (const [dim, min] of Object.entries(gate.min_dimension_scores)) {
+        if (min === null || min === undefined) {
+            continue;
+        }
+        const entry = report.dimension_scores?.[dim];
+        // A null/N-A dimension score isn't measurable against a floor — skip it.
+        if (entry?.score === null || entry?.score === undefined) {
+            continue;
+        }
+        if (entry.score < min) {
+            violations.push({
+                label: dim,
+                required: `>= ${min}`,
+                actual: entry.score.toFixed(0),
+            });
+        }
+    }
+    return { passed: violations.length === 0, violations };
+}
+/**
+ * Fetch the gate configured for a scope, or null if none is set / no session.
+ * Never throws — a read failure degrades to "no gate" (nothing enforced).
+ */
+export async function getQualityGate(scope) {
+    const row = await readScopedRow('quality_gates', 'enabled, min_overall_score, max_critical_findings, min_dimension_scores', scope);
+    if (!row) {
+        return null;
+    }
+    return {
+        enabled: row.enabled ?? true,
+        min_overall_score: row.min_overall_score ?? null,
+        max_critical_findings: row.max_critical_findings ?? null,
+        min_dimension_scores: row.min_dimension_scores ?? {},
+    };
+}

package/dist/phases/quality-benchmark/index.js

@@ -151,7 +151,7 @@ export async function runQualityBenchmark(opts) {
             ...state.unavailable_tools,
             ...(report.unavailable_tools ?? []),
         ]),
-        tool_outputs: { ...state.tool_outputs, ...(report.tool_outputs ?? {}) },
+        tool_outputs: enrichToolOutputsWithMetrics({ ...state.tool_outputs, ...(report.tool_outputs ?? {}) }, state.parsed_summaries),
         dropped_findings: Math.max(state.dropped_findings, report.dropped_findings ?? 0),
     };
     const completedAt = new Date().toISOString();
@@ -180,6 +180,20 @@ function readGitHead(repoRoot) {
     }
     return res.stdout.trim() || null;
 }
+/**
+ * Fold tier-3 (`metrics`) parser output into the persisted tool_outputs so
+ * trend charts can read numeric values (duplication %, complexity, …) without
+ * re-parsing oneliners. Count/finding tools carry no metrics and are untouched.
+ */
+function enrichToolOutputsWithMetrics(toolOutputs, parsedSummaries) {
+    const out = { ...toolOutputs };
+    for (const [id, parsed] of Object.entries(parsedSummaries)) {
+        if (parsed.summary.tier === 'metrics' && out[id]) {
+            out[id] = { ...out[id], metrics: parsed.summary.metrics };
+        }
+    }
+    return out;
+}
 function dedupUnavailable(list) {
     const seen = new Set();
     const out = [];

package/dist/phases/quality-benchmark/parsers.d.ts

@@ -17,6 +17,29 @@
  *   - Stable: same input → same output (no randomness, no clocks).
  */
 import type { ParsedToolOutput, ParserContext, ParserFn } from './types.js';
+interface DepGraphNode {
+    id: string;
+    label: string;
+    fan_in: number;
+    fan_out: number;
+    in_cycle: boolean;
+}
+interface DepGraph {
+    nodes: DepGraphNode[];
+    edges: {
+        from: string;
+        to: string;
+    }[];
+    total_modules: number;
+    truncated: boolean;
+}
+/**
+ * Build a bounded dependency graph from madge's adjacency map. Cycle nodes are
+ * always kept; the remaining slots go to the highest-degree modules. Edges are
+ * restricted to kept nodes.
+ */
+export declare function buildDependencyGraph(adjObj: Record<string, string[]>): DepGraph;
 export declare const PARSERS: Record<string, ParserFn>;
 /** Run the parser for a tool, defensively swallowing errors. */
 export declare function parseToolOutput(toolId: string, stdout: string, stderr: string, ctx: ParserContext): ParsedToolOutput;
+export {};

package/dist/phases/quality-benchmark/parsers.js

@@ -326,6 +326,55 @@ const dotnetListOutdatedParser = (stdout) => {
         oneliner: `${count} outdated NuGet packages`,
     };
 };
+const dartAnalyzeParser = (stdout) => {
+    // `dart analyze --format=machine` emits one finding per line, pipe-separated:
+    //   SEVERITY|TYPE|ERROR_CODE|FILE|LINE|COLUMN|LENGTH|MESSAGE
+    // SEVERITY is INFO | WARNING | ERROR. Message pipes are backslash-escaped, so
+    // reading the first field (the severity) is unambiguous.
+    let errors = 0;
+    let warnings = 0;
+    let info = 0;
+    for (const line of stdout.split(/\r?\n/)) {
+        const pipe = line.indexOf('|');
+        if (pipe === -1) {
+            continue; // not a machine-format finding line (banner / blank)
+        }
+        const sev = line.slice(0, pipe).trim().toUpperCase();
+        if (sev === 'ERROR') {
+            errors++;
+        }
+        else if (sev === 'WARNING') {
+            warnings++;
+        }
+        else if (sev === 'INFO') {
+            info++;
+        }
+    }
+    return {
+        tool_id: 'dart-analyze',
+        summary: { tier: 'counts', counts: { errors, warnings, info } },
+        oneliner: `${errors} errors, ${warnings} warnings`,
+    };
+};
+const dartPubOutdatedParser = (stdout) => {
+    // `dart pub outdated --json` →
+    //   { packages: [{ package, current: {version} | null, latest: {version} | null }] }
+    const data = safeJson(stdout);
+    const pkgs = data?.packages ?? [];
+    const count = pkgs.filter((p) => {
+        const cur = p.current?.version;
+        const latest = p.latest?.version;
+        return Boolean(cur) && Boolean(latest) && cur !== latest;
+    }).length;
+    return {
+        tool_id: 'dart-pub-outdated',
+        summary: {
+            tier: 'counts',
+            counts: { errors: 0, warnings: count, info: 0 },
+        },
+        oneliner: `${count} outdated packages`,
+    };
+};
 // ---------------------------------------------------------------------------
 // Tier 2 — counts + top-N findings (severity + file:line preserved)
 // ---------------------------------------------------------------------------
@@ -891,6 +940,164 @@ const gocycloParser = (stdout, _stderr, ctx) => {
     };
 };
 // ---------------------------------------------------------------------------
+// Dependency graph (madge --json) — a bounded module graph for visualization
+// ---------------------------------------------------------------------------
+/** Max nodes kept in the persisted graph (cycle nodes prioritised). */
+const MAX_GRAPH_NODES = 80;
+/** Last two path segments — enough to disambiguate without the full path. */
+function shortLabel(path) {
+    const parts = path.split('/');
+    return parts.slice(-2).join('/');
+}
+/**
+ * Nodes that participate in an import cycle, via iterative Tarjan SCC (any SCC
+ * of size > 1, plus self-loops). Iterative to stay safe on large repos.
+ */
+function findCycleNodes(adj) {
+    const index = new Map();
+    const low = new Map();
+    const onStack = new Set();
+    const stack = [];
+    const cycleNodes = new Set();
+    let idx = 0;
+    for (const start of adj.keys()) {
+        if (index.has(start)) {
+            continue;
+        }
+        const work = [{ node: start, i: 0 }];
+        while (work.length > 0) {
+            const frame = work[work.length - 1];
+            const node = frame.node;
+            if (frame.i === 0) {
+                index.set(node, idx);
+                low.set(node, idx);
+                idx++;
+                stack.push(node);
+                onStack.add(node);
+            }
+            const succs = adj.get(node) ?? [];
+            if (frame.i < succs.length) {
+                const w = succs[frame.i];
+                frame.i++;
+                if (!index.has(w)) {
+                    work.push({ node: w, i: 0 });
+                }
+                else if (onStack.has(w)) {
+                    low.set(node, Math.min(low.get(node) ?? 0, index.get(w) ?? 0));
+                }
+            }
+            else {
+                if (low.get(node) === index.get(node)) {
+                    const scc = [];
+                    let w = '';
+                    do {
+                        w = stack.pop();
+                        onStack.delete(w);
+                        scc.push(w);
+                    } while (w !== node);
+                    if (scc.length > 1) {
+                        for (const n of scc) {
+                            cycleNodes.add(n);
+                        }
+                    }
+                    else if ((adj.get(node) ?? []).includes(node)) {
+                        cycleNodes.add(node);
+                    }
+                }
+                work.pop();
+                const parent = work[work.length - 1]?.node;
+                if (parent !== undefined) {
+                    low.set(parent, Math.min(low.get(parent) ?? 0, low.get(node) ?? 0));
+                }
+            }
+        }
+    }
+    return cycleNodes;
+}
+/**
+ * Build a bounded dependency graph from madge's adjacency map. Cycle nodes are
+ * always kept; the remaining slots go to the highest-degree modules. Edges are
+ * restricted to kept nodes.
+ */
+export function buildDependencyGraph(adjObj) {
+    // Normalise: every referenced module is a node (targets may have no key).
+    const adj = new Map();
+    for (const [k, deps] of Object.entries(adjObj)) {
+        const list = Array.isArray(deps) ? deps : [];
+        if (!adj.has(k)) {
+            adj.set(k, []);
+        }
+        adj.get(k).push(...list);
+        for (const d of list) {
+            if (!adj.has(d)) {
+                adj.set(d, []);
+            }
+        }
+    }
+    const fanOut = new Map();
+    const fanIn = new Map();
+    for (const [k, deps] of adj) {
+        fanOut.set(k, deps.length);
+        for (const d of deps) {
+            fanIn.set(d, (fanIn.get(d) ?? 0) + 1);
+        }
+    }
+    const cycleNodes = findCycleNodes(adj);
+    const allIds = [...adj.keys()];
+    const degree = (id) => (fanIn.get(id) ?? 0) + (fanOut.get(id) ?? 0);
+    // Prioritise cycle nodes, then highest-degree modules, capped at the limit
+    // so even a large strongly-connected cluster can't blow past the bound.
+    const ranked = [...allIds].sort((a, b) => {
+        const ca = cycleNodes.has(a) ? 1 : 0;
+        const cb = cycleNodes.has(b) ? 1 : 0;
+        return ca !== cb ? cb - ca : degree(b) - degree(a);
+    });
+    const kept = new Set(ranked.slice(0, MAX_GRAPH_NODES));
+    const nodes = [...kept].map((id) => ({
+        id,
+        label: shortLabel(id),
+        fan_in: fanIn.get(id) ?? 0,
+        fan_out: fanOut.get(id) ?? 0,
+        in_cycle: cycleNodes.has(id),
+    }));
+    const edges = [];
+    const seen = new Set();
+    for (const [from, deps] of adj) {
+        if (!kept.has(from)) {
+            continue;
+        }
+        for (const to of deps) {
+            if (!kept.has(to) || from === to) {
+                continue;
+            }
+            const key = `${from}\n${to}`;
+            if (seen.has(key)) {
+                continue;
+            }
+            seen.add(key);
+            edges.push({ from, to });
+        }
+    }
+    return {
+        nodes,
+        edges,
+        total_modules: allIds.length,
+        truncated: allIds.length > kept.size,
+    };
+}
+const madgeGraphParser = (stdout) => {
+    const adjObj = safeJson(stdout);
+    const graph = adjObj
+        ? buildDependencyGraph(adjObj)
+        : { nodes: [], edges: [], total_modules: 0, truncated: false };
+    const cycleCount = graph.nodes.filter((n) => n.in_cycle).length;
+    return {
+        tool_id: 'madge-graph',
+        summary: { tier: 'metrics', metrics: { graph } },
+        oneliner: `${graph.total_modules} modules, ${cycleCount} in cycles`,
+    };
+};
+// ---------------------------------------------------------------------------
 // Tier 3 — structured metrics
 // ---------------------------------------------------------------------------
 const sccParser = (stdout) => {
@@ -1051,6 +1258,8 @@ export const PARSERS = {
     'go-mod-outdated': goModOutdatedParser,
     'cargo-outdated': cargoOutdatedParser,
     'dotnet-list-outdated': dotnetListOutdatedParser,
+    'dart-analyze': dartAnalyzeParser,
+    'dart-pub-outdated': dartPubOutdatedParser,
     // Tier 2
     semgrep: semgrepParser,
     bandit: banditParser,
@@ -1072,6 +1281,7 @@ export const PARSERS = {
     gocyclo: gocycloParser,
     // Mixed (T3 metrics + T2 sub-findings)
     jscpd: jscpdParser,
+    'madge-graph': madgeGraphParser,
     // Tier 3
     scc: sccParser,
     lizard: lizardParser,

package/dist/phases/quality-benchmark/rubric.md

@@ -352,6 +352,7 @@ For each dimension, the rubric specifies:
 | JS/TS | 60 | 100 |
 | Rust | 80 | 120 |
 | Ruby | 30 | 60 |
+| Dart | 60 | 100 |
 
 These are measurement calibration, not different standards.
 
@@ -575,6 +576,15 @@ madge:
   parser: madge
   subscores: [architecture.circular_deps]
 
+madge-graph:
+  applies_to: [js, ts]   # full module graph for visualization (bounded)
+  probe: command -v madge
+  install: null   # use npx
+  command: npx --yes madge --json --extensions js,jsx,ts,tsx %REPO_ROOT%
+  timeout_minutes: 5
+  parser: madge-graph
+  subscores: [architecture.circular_deps]
+
 depcheck:
   applies_to: [js, ts]
   probe: command -v depcheck
@@ -847,6 +857,33 @@ dotnet-list-outdated:
   subscores: [dependency_health.freshness]
 ```
 
+### Dart / Flutter
+
+Both tools ship with the Dart (and Flutter) SDK — no extra install. We never
+auto-install an SDK, so on a machine without `dart` they degrade to unmeasured.
+`dart analyze` is AST-based (same analyzer as the IDE plugins); duplication is
+covered by the polyglot `jscpd` entry (Dart is in its `applies_to`).
+
+```
+dart-analyze:
+  applies_to: [dart]
+  probe: command -v dart
+  install: null   # bundled with the Dart / Flutter SDK
+  command: dart analyze %REPO_ROOT% --format=machine
+  timeout_minutes: 5
+  parser: dart-analyze
+  subscores: [code_quality.lint]
+
+dart-pub-outdated:
+  applies_to: [dart]  # only when pubspec.yaml present
+  probe: command -v dart
+  install: null   # bundled with the Dart / Flutter SDK
+  command: dart pub outdated --json
+  timeout_minutes: 3
+  parser: dart-pub-outdated
+  subscores: [dependency_health.freshness]
+```
+
 ### Multi-language
 
 ```

package/dist/phases/quality-benchmark/tool-catalog.js

@@ -58,7 +58,7 @@ const jscpd = {
     id: 'jscpd',
     label: 'jscpd (duplication)',
     category: 'duplication',
-    applies_to: ['js', 'ts', 'py', 'java', 'go', 'cs', 'ruby'],
+    applies_to: ['js', 'ts', 'py', 'java', 'go', 'cs', 'ruby', 'dart'],
     probe: 'command -v jscpd',
     install: null, // always use npx
     install_prereq: 'npx',
@@ -82,6 +82,20 @@ const madge = {
     subscores: ['architecture.circular_deps'],
     tolerate_nonzero_exit: true,
 };
+const madgeGraph = {
+    id: 'madge-graph',
+    label: 'madge (dependency graph)',
+    category: 'cycles',
+    applies_to: ['js', 'ts'],
+    probe: 'command -v madge',
+    install: null,
+    install_prereq: 'npx',
+    command: 'npx --yes madge --json --extensions js,jsx,ts,tsx %REPO_ROOT%',
+    timeout_minutes: 5,
+    parser: 'madge-graph',
+    subscores: ['architecture.circular_deps'],
+    tolerate_nonzero_exit: true,
+};
 const depcheck = {
     id: 'depcheck',
     label: 'depcheck (unused deps)',
@@ -470,6 +484,45 @@ const dotnetListOutdated = {
     tolerate_nonzero_exit: true,
 };
 // ---------------------------------------------------------------------------
+// Dart / Flutter
+//
+// Both tools ship with the Dart (and Flutter) SDK itself — no extra install,
+// no pipx/go/cargo. We never auto-install an SDK (`install: null`), so on a
+// machine without Dart they degrade to unmeasured rather than triggering a
+// multi-hundred-MB toolchain download. `dart analyze` is AST-based (the same
+// analyzer the IDE plugins use); duplication is covered by the polyglot jscpd
+// entry above (Dart is in its `applies_to`).
+// ---------------------------------------------------------------------------
+const dartAnalyze = {
+    id: 'dart-analyze',
+    label: 'dart analyze',
+    category: 'lint',
+    applies_to: ['dart'],
+    probe: 'command -v dart',
+    install: null, // bundled with the Dart / Flutter SDK
+    install_prereq: null,
+    command: 'dart analyze %REPO_ROOT% --format=machine',
+    timeout_minutes: 5,
+    parser: 'dart-analyze',
+    subscores: ['code_quality.lint'],
+    tolerate_nonzero_exit: true, // exits 1/2/3 when analysis issues are found
+};
+const dartPubOutdated = {
+    id: 'dart-pub-outdated',
+    label: 'dart pub outdated',
+    category: 'dep-outdated',
+    applies_to: ['dart'],
+    probe: 'command -v dart',
+    install: null, // bundled with the Dart / Flutter SDK
+    install_prereq: null,
+    command: 'dart pub outdated --json',
+    timeout_minutes: 3,
+    parser: 'dart-pub-outdated',
+    subscores: ['dependency_health.freshness'],
+    tolerate_nonzero_exit: true,
+    requires: { file_present: ['pubspec.yaml'] },
+};
+// ---------------------------------------------------------------------------
 // Multi-language / polyglot
 // ---------------------------------------------------------------------------
 const semgrep = {
@@ -549,6 +602,7 @@ export const TOOL_CATALOG = [
     tscTypecheck,
     jscpd,
     madge,
+    madgeGraph,
     depcheck,
     npmAudit,
     pnpmAudit,
@@ -580,6 +634,9 @@ export const TOOL_CATALOG = [
     // C# / .NET
     dotnetListVulnerable,
     dotnetListOutdated,
+    // Dart / Flutter
+    dartAnalyze,
+    dartPubOutdated,
     // Polyglot
     semgrep,
     gitleaks,

package/dist/phases/quality-benchmark/types.d.ts

@@ -29,7 +29,7 @@ export interface DetectedContext {
     total_loc_approx: number;
 }
 /** Language tag used to gate tool applicability. `'all'` = polyglot tools. */
-export type LanguageTag = 'js' | 'ts' | 'py' | 'go' | 'rust' | 'java' | 'kotlin' | 'ruby' | 'c' | 'cpp' | 'cs' | 'swift' | 'all';
+export type LanguageTag = 'js' | 'ts' | 'py' | 'go' | 'rust' | 'java' | 'kotlin' | 'ruby' | 'c' | 'cpp' | 'cs' | 'swift' | 'dart' | 'all';
 export type ToolCategory = 'lint' | 'sast' | 'duplication' | 'complexity' | 'dead-code' | 'cycles' | 'coverage' | 'dep-vuln' | 'dep-outdated' | 'dep-unused' | 'dep-license' | 'secrets' | 'loc-stats' | 'typecheck';
 export type InstallerPrereq = 'pipx' | 'go' | 'cargo' | 'npx' | 'gem' | null;
 export interface ToolCatalogEntry {
@@ -102,6 +102,13 @@ export interface ToolRunOutput {
     stderr_tail?: string;
     /** Path on disk where the full tool output is saved for audit. */
     raw_output_path?: string;
+    /**
+     * Structured metrics from a tier-3 (`metrics`) parser, persisted so trend
+     * charts can read numeric values (e.g. jscpd `duplication_pct`, lizard
+     * `avg_cyclomatic_complexity`) without re-parsing the oneliner. Absent for
+     * count/finding tools.
+     */
+    metrics?: Record<string, unknown>;
 }
 /**
  * Tier 1 — counts only. Used for style/quality linters where individual

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "edsger",
-  "version": "0.75.1",
+  "version": "0.77.0",
   "type": "module",
   "bin": {
     "edsger": "dist/index.js"