edsger 0.76.0 → 0.77.0

package/dist/phases/find-shared/mcp.js

@@ -98,6 +98,7 @@ export async function createIssue(input) {
                     repository_id: repositoryId,
                     name: input.title,
                     description: input.description,
+                    ...(input.source ? { source: input.source } : {}),
                 })
                     .select('id')
                     .single();
@@ -115,6 +116,7 @@ export async function createIssue(input) {
             ...(repositoryId ? { repository_id: repositoryId } : {}),
             name: input.title,
             description: input.description,
+            ...(input.source ? { source: input.source } : {}),
         }));
         return result.issue?.id || result.id || null;
     }

package/dist/phases/find-shared/rule-config.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Per-scope rule-pack configuration, shared across the find-* phases.
+ *
+ * Lets a team tune which stack-aware rule packs the scanners apply via a preset
+ * plus explicit per-pack toggles — the configurable-rules capability DCM-style
+ * tools expose. Read here from the user's supabase session; edited from the
+ * desktop app (services/db/quality-rule-configs.ts). Stored in
+ * `quality_rule_configs`.
+ */
+import type { ScanScope } from './baseline.js';
+import { type RulePack } from './rule-packs.js';
+export type RulePreset = 'minimal' | 'recommended' | 'strict';
+export interface RuleConfig {
+    preset: RulePreset;
+    disabledPacks: string[];
+}
+/**
+ * Apply a rule config to the packs detection selected. Pure + exported for
+ * testing.
+ *
+ * - no config → unchanged (default is 'recommended' = all detected packs).
+ * - 'minimal' → no packs (generic categories only).
+ * - otherwise → detected packs minus the explicitly disabled ones.
+ */
+export declare function applyRuleConfig(packs: RulePack[], config: RuleConfig | null): RulePack[];
+/**
+ * Fetch the rule config for a scope, or null if none is set / no session is
+ * available. Never throws — a read failure must not abort a scan (it just
+ * degrades to the default 'recommended' behaviour).
+ */
+export declare function getRuleConfig(scope: ScanScope): Promise<RuleConfig | null>;
+/**
+ * Detect the repo's stack, apply the scope's rule config, and return the rule
+ * packs to inject — logging the detected stack and chosen packs. Shared by the
+ * pack-consuming phases (find-smells, find-architecture).
+ */
+export declare function resolveStackRulePacks(repoRoot: string, scope: ScanScope): Promise<RulePack[]>;

package/dist/phases/find-shared/rule-config.js

@@ -0,0 +1,67 @@
+/**
+ * Per-scope rule-pack configuration, shared across the find-* phases.
+ *
+ * Lets a team tune which stack-aware rule packs the scanners apply via a preset
+ * plus explicit per-pack toggles — the configurable-rules capability DCM-style
+ * tools expose. Read here from the user's supabase session; edited from the
+ * desktop app (services/db/quality-rule-configs.ts). Stored in
+ * `quality_rule_configs`.
+ */
+import { logInfo } from '../../utils/logger.js';
+import { detectProjectContext } from './detect-context.js';
+import { selectRulePacks } from './rule-packs.js';
+import { readScopedRow } from './scoped-read.js';
+/**
+ * Apply a rule config to the packs detection selected. Pure + exported for
+ * testing.
+ *
+ * - no config → unchanged (default is 'recommended' = all detected packs).
+ * - 'minimal' → no packs (generic categories only).
+ * - otherwise → detected packs minus the explicitly disabled ones.
+ */
+export function applyRuleConfig(packs, config) {
+    if (!config) {
+        return packs;
+    }
+    if (config.preset === 'minimal') {
+        return [];
+    }
+    return packs.filter((p) => !config.disabledPacks.includes(p.id));
+}
+/**
+ * Fetch the rule config for a scope, or null if none is set / no session is
+ * available. Never throws — a read failure must not abort a scan (it just
+ * degrades to the default 'recommended' behaviour).
+ */
+export async function getRuleConfig(scope) {
+    const row = await readScopedRow('quality_rule_configs', 'preset, disabled_packs', scope);
+    if (!row) {
+        return null;
+    }
+    return {
+        preset: row.preset ?? 'recommended',
+        disabledPacks: row.disabled_packs ?? [],
+    };
+}
+/**
+ * Detect the repo's stack, apply the scope's rule config, and return the rule
+ * packs to inject — logging the detected stack and chosen packs. Shared by the
+ * pack-consuming phases (find-smells, find-architecture).
+ */
+export async function resolveStackRulePacks(repoRoot, scope) {
+    const projectContext = detectProjectContext(repoRoot);
+    const ruleConfig = await getRuleConfig(scope);
+    const rulePacks = applyRuleConfig(selectRulePacks(projectContext), ruleConfig);
+    const detectedStack = [
+        ...projectContext.languages,
+        ...projectContext.frameworks,
+    ];
+    const stackLabel = detectedStack.length
+        ? detectedStack.join(', ')
+        : 'unknown';
+    const packLabel = rulePacks.length
+        ? `; applying rule packs: ${rulePacks.map((p) => p.id).join(', ')}`
+        : '; no stack-specific rule packs matched';
+    logInfo(`Detected stack: ${stackLabel}${packLabel}`);
+    return rulePacks;
+}

package/dist/phases/find-shared/rule-packs.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Stack-specific rule packs for the find-* phases.
+ *
+ * The generic smell/bug/architecture categories in the base system prompts are
+ * language-neutral and always apply. A *rule pack* adds targeted, stack-aware
+ * guidance — e.g. Flutter widget anti-patterns, TypeScript type-safety escapes
+ * — that should only fire when the relevant language/framework is actually
+ * present in the repository.
+ *
+ * The design intentionally mirrors the quality-benchmark tool catalog:
+ *   - tools gate on `applies_to: [<LanguageTag>]`, selected by
+ *     `selectToolsForContext(languages)`.
+ *   - rule packs gate on `applies_to: { languages?, frameworks?, files_present? }`,
+ *     selected by `selectRulePacks(context)`.
+ *
+ * Adding support for a new language/framework is therefore a pure data change:
+ * append one `RulePack` here (and, eventually, more of them) — no phase code
+ * branches on a specific language anywhere.
+ */
+import type { ProjectContext } from './detect-context.js';
+/**
+ * Which find-* phase a guidance block is written for. A pack only contributes
+ * to a phase it has guidance for, so the same pack can sharpen find-smells with
+ * local anti-patterns and find-architecture with structural ones without
+ * leaking smell guidance into the architecture audit (or vice versa).
+ */
+export type FindPhaseKind = 'smells' | 'architecture' | 'bugs';
+export interface RulePack {
+    /** Stable id, shown in logs and used in tests. */
+    id: string;
+    /** Human-readable label. */
+    label: string;
+    /**
+     * Gate conditions. A pack is selected when EVERY specified gate matches
+     * (AND across gates), where a gate matches if ANY of its values is present
+     * in the detected context (OR within a gate). At least one gate must be set.
+     */
+    applies_to: {
+        languages?: string[];
+        frameworks?: string[];
+        files_present?: string[];
+    };
+    /**
+     * Per-phase markdown guidance injected into the find-* system prompt when the
+     * pack is selected. Each block should enumerate concrete, file:line-citable
+     * anti-patterns that map onto that phase's existing categories (no new
+     * categories introduced). A pack may cover only some phases.
+     */
+    guidance: Partial<Record<FindPhaseKind, string>>;
+}
+export declare const RULE_PACKS: readonly RulePack[];
+/**
+ * Select the rule packs whose gates are satisfied by the detected context.
+ * Same AND-across-gates / OR-within-gate semantics as the quality-benchmark
+ * `selectToolsForContext`. Membership checks are case-insensitive.
+ */
+export declare function selectRulePacks(ctx: ProjectContext): RulePack[];
+/**
+ * Render the guidance the selected packs provide *for a given phase* into a
+ * single markdown block for appending to that phase's system prompt. Packs
+ * without guidance for `kind` are skipped, so e.g. the TypeScript pack (smells
+ * only) contributes nothing to the architecture audit. Returns '' when nothing
+ * applies, so callers can concatenate unconditionally.
+ */
+export declare function renderRulePacks(packs: RulePack[], kind: FindPhaseKind): string;

package/dist/phases/find-shared/rule-packs.js

@@ -0,0 +1,124 @@
+/**
+ * Stack-specific rule packs for the find-* phases.
+ *
+ * The generic smell/bug/architecture categories in the base system prompts are
+ * language-neutral and always apply. A *rule pack* adds targeted, stack-aware
+ * guidance — e.g. Flutter widget anti-patterns, TypeScript type-safety escapes
+ * — that should only fire when the relevant language/framework is actually
+ * present in the repository.
+ *
+ * The design intentionally mirrors the quality-benchmark tool catalog:
+ *   - tools gate on `applies_to: [<LanguageTag>]`, selected by
+ *     `selectToolsForContext(languages)`.
+ *   - rule packs gate on `applies_to: { languages?, frameworks?, files_present? }`,
+ *     selected by `selectRulePacks(context)`.
+ *
+ * Adding support for a new language/framework is therefore a pure data change:
+ * append one `RulePack` here (and, eventually, more of them) — no phase code
+ * branches on a specific language anywhere.
+ */
+// ---------------------------------------------------------------------------
+// Packs
+// ---------------------------------------------------------------------------
+const flutter = {
+    id: 'flutter',
+    label: 'Flutter / Dart',
+    applies_to: { frameworks: ['flutter'] },
+    guidance: {
+        smells: `Flutter/Dart widget and performance smells (in addition to the generic categories):
+- **Giant \`build()\` methods**: a build method spanning dozens of lines or many nested widgets — extract subtrees into named \`Widget\` classes or helper methods. (category: complexity)
+- **Missing \`const\`**: widgets with compile-time-constant configuration that are not \`const\`, forcing needless rebuilds. (category: performance)
+- **Deep widget nesting**: trees nested well beyond ~5 levels that should be decomposed into smaller widgets. (category: complexity)
+- **Unbounded list rendering**: \`Column\`/\`ListView(children: [...])\` over a growing or large collection instead of \`ListView.builder\`/\`SliverList\`. (category: performance)
+- **Work inside \`build()\`**: constructing controllers, futures, or expensive objects in \`build()\` instead of \`initState\`/memoization — they get recreated every rebuild. (category: performance)
+- **Over-broad \`setState\`**: calling \`setState\` on a large widget where a smaller \`StatefulWidget\`, \`ValueListenableBuilder\`, or \`Selector\` would localise the rebuild. (category: performance)
+- **Unkeyed dynamic lists**: reorderable/dynamic children without \`Key\`s, risking state mismatches. (category: readability)`,
+        architecture: `Flutter/Dart structural concerns (in addition to the generic categories):
+- **Business logic in widgets**: data fetching, persistence, or domain rules embedded directly in \`Widget\`/\`State\` classes instead of a dedicated layer (controller/bloc/cubit/service). (concern: layering)
+- **God widgets**: a single screen widget that builds UI, holds state, talks to the network, and formats data — split by responsibility. (concern: cohesion)
+- **Cross-feature \`BuildContext\` reach-through**: features reaching into each other's widget state instead of going through a shared layer. (concern: coupling)`,
+    },
+};
+const typescript = {
+    id: 'typescript',
+    label: 'TypeScript',
+    applies_to: { languages: ['ts'] },
+    guidance: {
+        smells: `TypeScript type-safety smells (in addition to the generic categories):
+- **Type escapes**: \`any\`/\`unknown\` casts that erase checking; prefer precise types or generics. (category: type_safety)
+- **Suppressed errors**: \`@ts-ignore\`/\`@ts-expect-error\` hiding real type errors rather than fixing them. (category: type_safety)
+- **Unsafe assertions**: \`as\` casts and non-null assertions (\`!\`) at trust boundaries instead of real narrowing/null checks. (category: type_safety)
+- **Loose contracts**: \`object\`, open index signatures, or wide unions where a tighter interface/literal type is intended. (category: type_safety)
+- **Derivable duplication**: enums/unions hand-maintained in parallel instead of derived (\`as const\` + \`keyof\`/\`typeof\`). (category: refactor)`,
+    },
+};
+const csharp = {
+    id: 'csharp',
+    label: 'C# / .NET',
+    applies_to: { languages: ['cs'] },
+    guidance: {
+        smells: `C#/.NET smells (in addition to the generic categories):
+- **Async anti-patterns**: \`.Result\`/\`.Wait()\`/\`.GetAwaiter().GetResult()\` on tasks (sync-over-async deadlock risk); \`async void\` outside event handlers. (category: performance)
+- **Multiple enumeration**: enumerating the same \`IEnumerable\` more than once (re-runs the query/LINQ); materialize with \`ToList()\`/\`ToArray()\` once. (category: performance)
+- **Disposal**: \`IDisposable\` created without \`using\`/\`await using\` or an explicit \`Dispose\`. (category: type_safety)
+- **Swallowed exceptions**: empty \`catch {}\` or \`catch (Exception)\` that hides failures. (category: refactor)
+- **Nullable ignored**: suppressing nullable warnings with \`!\` (null-forgiving) at trust boundaries instead of real checks. (category: type_safety)
+- **String building in loops**: \`+=\` string concatenation inside loops instead of \`StringBuilder\`. (category: performance)
+- **Public mutable fields**: public fields where a property is intended. (category: readability)`,
+        architecture: `C#/.NET structural concerns (in addition to the generic categories):
+- **Fat controllers**: business/data logic in ASP.NET controllers instead of a service/handler layer. (concern: layering)
+- **Leaky persistence**: \`DbContext\`/EF queries used directly across layers instead of behind a repository/service boundary. (concern: layering)
+- **Mutable static/singleton state**: static fields or singletons holding mutable shared state, complicating testing and concurrency. (concern: coupling)
+- **Project reference cycles**: circular references between projects/assemblies. (concern: cyclic dependencies)`,
+    },
+};
+// ---------------------------------------------------------------------------
+// Registry + selection
+// ---------------------------------------------------------------------------
+export const RULE_PACKS = [
+    flutter,
+    typescript,
+    csharp,
+];
+/**
+ * Select the rule packs whose gates are satisfied by the detected context.
+ * Same AND-across-gates / OR-within-gate semantics as the quality-benchmark
+ * `selectToolsForContext`. Membership checks are case-insensitive.
+ */
+export function selectRulePacks(ctx) {
+    const langSet = new Set(ctx.languages.map((l) => l.toLowerCase()));
+    const fwSet = new Set(ctx.frameworks.map((f) => f.toLowerCase()));
+    const fileSet = new Set(ctx.files_present);
+    return RULE_PACKS.filter((pack) => {
+        const { languages, frameworks, files_present } = pack.applies_to;
+        const gates = [];
+        if (languages?.length) {
+            gates.push(languages.some((l) => langSet.has(l.toLowerCase())));
+        }
+        if (frameworks?.length) {
+            gates.push(frameworks.some((f) => fwSet.has(f.toLowerCase())));
+        }
+        if (files_present?.length) {
+            gates.push(files_present.some((f) => fileSet.has(f)));
+        }
+        // A pack with no gates is a misconfiguration — never auto-select it.
+        return gates.length > 0 && gates.every(Boolean);
+    });
+}
+/**
+ * Render the guidance the selected packs provide *for a given phase* into a
+ * single markdown block for appending to that phase's system prompt. Packs
+ * without guidance for `kind` are skipped, so e.g. the TypeScript pack (smells
+ * only) contributes nothing to the architecture audit. Returns '' when nothing
+ * applies, so callers can concatenate unconditionally.
+ */
+export function renderRulePacks(packs, kind) {
+    const sections = packs
+        .map((p) => ({ label: p.label, text: p.guidance[kind] }))
+        .filter((s) => Boolean(s.text))
+        .map((s) => `### ${s.label}\n${s.text}`);
+    if (sections.length === 0) {
+        return '';
+    }
+    return `\n\n**Stack-specific checks** — the repository's detected stack triggers the following targeted checks. Apply them *in addition to* the generic categories above, using the same severity rubric and output format:\n\n${sections.join('\n\n')}`;
+}

package/dist/phases/find-shared/scoped-read.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Shared helper for reading a single scope-keyed row (product XOR repo) via the
+ * user's supabase session. Used by the find-* scan-config readers
+ * (getScanBaseline, getRuleConfig) so they don't each re-implement the
+ * session-guard + scoped query + never-throw error handling.
+ */
+import type { ScanScope } from './baseline.js';
+/**
+ * Fetch one scope-keyed row, or null when there's no session / no row / a read
+ * error. Never throws — a read failure must not abort a scan.
+ */
+export declare function readScopedRow<T>(table: string, columns: string, scope: ScanScope): Promise<T | null>;

package/dist/phases/find-shared/scoped-read.js

@@ -0,0 +1,33 @@
+/**
+ * Shared helper for reading a single scope-keyed row (product XOR repo) via the
+ * user's supabase session. Used by the find-* scan-config readers
+ * (getScanBaseline, getRuleConfig) so they don't each re-implement the
+ * session-guard + scoped query + never-throw error handling.
+ */
+import { getSupabase, hasSupabaseSession } from '../../supabase/client.js';
+import { logWarning } from '../../utils/logger.js';
+/**
+ * Fetch one scope-keyed row, or null when there's no session / no row / a read
+ * error. Never throws — a read failure must not abort a scan.
+ */
+export async function readScopedRow(table, columns, scope) {
+    if (!hasSupabaseSession()) {
+        return null;
+    }
+    try {
+        const query = getSupabase().from(table).select(columns);
+        const scoped = scope.productId
+            ? query.eq('product_id', scope.productId)
+            : query.eq('repository_id', scope.repoId);
+        const { data, error } = await scoped.maybeSingle();
+        if (error) {
+            logWarning(`Could not read ${table}: ${error.message}`);
+            return null;
+        }
+        return data ?? null;
+    }
+    catch (err) {
+        logWarning(`Could not read ${table}: ${err instanceof Error ? err.message : String(err)}`);
+        return null;
+    }
+}

package/dist/phases/find-smells/index.js

@@ -11,8 +11,11 @@ import { query } from '@anthropic-ai/claude-agent-sdk';
 import { DEFAULT_MODEL } from '../../constants.js';
 import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 import { cleanupIssueRepo, cloneIssueRepo, ensureWorkspaceDir, syncRepoToRef, } from '../../workspace/workspace-manager.js';
+import { resolveScanBase } from '../find-shared/baseline.js';
+import { resolveCustomRules } from '../find-shared/custom-rules.js';
 import { detectDefaultBranch, gitRevParse, isAncestor, listChangedPaths, } from '../find-shared/git.js';
 import { createIssue, fetchOpenIssues, fetchOpenIssuesByRepo, fetchProductBasics, fetchRepositoryBasics, } from '../find-shared/mcp.js';
+import { resolveStackRulePacks } from '../find-shared/rule-config.js';
 import { createPromptGenerator, extractTextFromContent, tryExtractResult, } from '../pr-shared/agent-utils.js';
 import { createFindSmellsSystemPrompt, createFindSmellsUserPrompt, } from './prompts.js';
 import { acquireFindSmellsLock, loadFindSmellsState, updateFindSmellsState, } from './state.js';
@@ -35,9 +38,7 @@ export async function scanForSmells(options) {
     // State/lock/workspace are keyed by an opaque scope id so product and repo
     // scans never collide; repo keys are prefixed to namespace them clearly.
     const scopeId = productId ?? `repo-${repoId}`;
-    const scopeLabel = productId
-        ? `product ${productId}`
-        : `repository ${repoId}`;
+    const scopeLabel = productId ? `product ${productId}` : `repository ${repoId}`;
     logInfo(`Starting smell scan for ${scopeLabel} (${owner}/${repo})`);
     const lock = acquireFindSmellsLock(scopeId);
     if (!lock) {
@@ -61,7 +62,7 @@ export async function scanForSmells(options) {
         syncRepoToRef(repoPath, { branch }, githubToken);
         const headSha = gitRevParse(repoPath, 'HEAD');
         const state = loadFindSmellsState(scopeId);
-        const baseSha = full ? undefined : state.lastScannedCommitSha;
+        const baseSha = await resolveScanBase({ productId, repoId }, { full, lastScannedSha: state.lastScannedCommitSha });
         let scope = 'full';
         let changedPaths;
         if (baseSha && baseSha !== headSha) {
@@ -116,7 +117,12 @@ export async function scanForSmells(options) {
             ? await fetchOpenIssues(productId)
             : await fetchOpenIssuesByRepo(repoId);
         logInfo(`Loaded ${existingIssues.length} existing issues for dedup context`);
-        const systemPrompt = createFindSmellsSystemPrompt();
+        const rulePacks = await resolveStackRulePacks(repoPath, {
+            productId,
+            repoId,
+        });
+        const customRules = await resolveCustomRules({ productId, repoId }, 'smells');
+        const systemPrompt = createFindSmellsSystemPrompt(rulePacks, customRules);
         const userPrompt = createFindSmellsUserPrompt({
             productName: product.name,
             productDescription: product.description,
@@ -250,6 +256,7 @@ async function createIssueForSmell(scope, smell) {
         repoId: scope.repoId,
         title: smell.title,
         description: formatIssueDescription(smell),
+        source: 'quality',
     });
 }
 /**

package/dist/phases/find-smells/prompts.d.ts

@@ -9,7 +9,8 @@
  *   - find-smells (this phase) handles "the code would be better if changed":
  *     refactor candidates, dead code, perf cliffs, type-safety gaps, etc.
  */
-export declare function createFindSmellsSystemPrompt(): string;
+import { type RulePack } from '../find-shared/rule-packs.js';
+export declare function createFindSmellsSystemPrompt(packs?: RulePack[], customRules?: string): string;
 export interface FindSmellsUserPromptParams {
     productName: string;
     productDescription?: string;

package/dist/phases/find-smells/prompts.js

@@ -9,7 +9,8 @@
  *   - find-smells (this phase) handles "the code would be better if changed":
  *     refactor candidates, dead code, perf cliffs, type-safety gaps, etc.
  */
-export function createFindSmellsSystemPrompt() {
+import { renderRulePacks } from '../find-shared/rule-packs.js';
+export function createFindSmellsSystemPrompt(packs = [], customRules = '') {
     return `You are a senior engineer auditing a codebase for **code smells** — concrete improvements the codebase would benefit from. You have read-only access via Read/Grep/Glob and may run shallow Bash queries (e.g. \`git log\`, \`wc -l\`) to navigate.
 
 **What counts as a smell worth filing**:
@@ -18,9 +19,9 @@ export function createFindSmellsSystemPrompt() {
 3. **Duplication**: copy-pasted blocks that should be a single helper
 4. **Complexity**: functions / files that are too long or too deeply nested to reason about, cyclomatic-complexity hotspots
 5. **Dead code**: unreferenced exports, unreachable branches, abandoned feature flags, commented-out blocks
-6. **Type safety**: \`any\` / \`unknown\` casts, \`@ts-ignore\` / \`@ts-expect-error\`, missing null checks at trust boundaries, loose interfaces that should be tightened
+6. **Type safety**: defeated or bypassed type checks — unsafe casts, suppressed type errors, missing null/undefined checks at trust boundaries, loose types that should be tightened (language-specific instances are listed under "Stack-specific checks" when applicable)
 7. **Readability**: misleading names, missing or wrong comments, magic numbers that should be named constants
-8. **Architecture**: cyclic deps, layering violations, modules that have grown into multiple responsibilities
+8. **Architecture**: cyclic deps, layering violations, modules that have grown into multiple responsibilities${renderRulePacks(packs, 'smells')}${customRules}
 
 **What does NOT count** (skip these — wrong tool):
 - Real bugs (security holes, logic errors, races, data corruption) — those belong in \`edsger find-bugs\`. **Don't drop them silently — list them in \`deferred_to_bugs\` so the user knows to run that command.**

package/dist/phases/quality-benchmark/gate.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Quality gate evaluation for the CLI.
+ *
+ * Lets `edsger quality-benchmark --gate` enforce a per-scope pass/fail
+ * threshold against the report it just produced — the "fail the build" gate
+ * NDepend/DCM-style tools expose, usable directly in a user's own CI without
+ * any webhook. The gate (overall-score floor, critical-finding cap, per-
+ * dimension minimums) is stored in `quality_gates`, mirroring the desktop
+ * evaluator in desktop-app/.../services/db/quality-gate.ts.
+ *
+ * The evaluator is pure + exported for testing; the read is RLS-scoped via the
+ * user's supabase session and never throws (a missing gate = nothing to
+ * enforce).
+ */
+import type { ScanScope } from '../find-shared/baseline.js';
+import type { Dimension, QualityReportPayload } from './types.js';
+export interface QualityGate {
+    enabled: boolean;
+    /** Minimum overall score (0–100); null = unconstrained. */
+    min_overall_score: number | null;
+    /** Maximum critical-severity findings allowed; null = unconstrained. */
+    max_critical_findings: number | null;
+    /** Per-dimension minimum scores; absent dimensions are unconstrained. */
+    min_dimension_scores: Partial<Record<Dimension, number>>;
+}
+export interface GateViolation {
+    /** Axis that failed, e.g. "Overall score" or "security". */
+    label: string;
+    /** The threshold that was required. */
+    required: string;
+    /** The actual value from the report. */
+    actual: string;
+}
+export interface GateResult {
+    passed: boolean;
+    violations: GateViolation[];
+}
+/** Count critical-severity findings across every dimension's evidence. */
+export declare function countCriticalFindings(report: QualityReportPayload): number;
+/**
+ * Evaluate a report against a gate, returning every violated axis. A disabled
+ * gate passes vacuously. A report with no overall score is not failed on the
+ * overall-score axis (there is nothing to compare). Pure + exported for tests.
+ */
+export declare function evaluateGate(report: QualityReportPayload, gate: QualityGate): GateResult;
+/**
+ * Fetch the gate configured for a scope, or null if none is set / no session.
+ * Never throws — a read failure degrades to "no gate" (nothing enforced).
+ */
+export declare function getQualityGate(scope: ScanScope): Promise<QualityGate | null>;

package/dist/phases/quality-benchmark/gate.js

@@ -0,0 +1,91 @@
+/**
+ * Quality gate evaluation for the CLI.
+ *
+ * Lets `edsger quality-benchmark --gate` enforce a per-scope pass/fail
+ * threshold against the report it just produced — the "fail the build" gate
+ * NDepend/DCM-style tools expose, usable directly in a user's own CI without
+ * any webhook. The gate (overall-score floor, critical-finding cap, per-
+ * dimension minimums) is stored in `quality_gates`, mirroring the desktop
+ * evaluator in desktop-app/.../services/db/quality-gate.ts.
+ *
+ * The evaluator is pure + exported for testing; the read is RLS-scoped via the
+ * user's supabase session and never throws (a missing gate = nothing to
+ * enforce).
+ */
+import { readScopedRow } from '../find-shared/scoped-read.js';
+/** Count critical-severity findings across every dimension's evidence. */
+export function countCriticalFindings(report) {
+    let count = 0;
+    for (const dim of Object.values(report.dimension_scores ?? {})) {
+        for (const ev of dim?.evidence ?? []) {
+            if (ev.severity === 'critical') {
+                count++;
+            }
+        }
+    }
+    return count;
+}
+/**
+ * Evaluate a report against a gate, returning every violated axis. A disabled
+ * gate passes vacuously. A report with no overall score is not failed on the
+ * overall-score axis (there is nothing to compare). Pure + exported for tests.
+ */
+export function evaluateGate(report, gate) {
+    const violations = [];
+    if (!gate.enabled) {
+        return { passed: true, violations };
+    }
+    if (gate.min_overall_score !== null &&
+        report.overall_score !== null &&
+        report.overall_score < gate.min_overall_score) {
+        violations.push({
+            label: 'Overall score',
+            required: `>= ${gate.min_overall_score}`,
+            actual: report.overall_score.toFixed(1),
+        });
+    }
+    if (gate.max_critical_findings !== null) {
+        const critical = countCriticalFindings(report);
+        if (critical > gate.max_critical_findings) {
+            violations.push({
+                label: 'Critical findings',
+                required: `<= ${gate.max_critical_findings}`,
+                actual: String(critical),
+            });
+        }
+    }
+    for (const [dim, min] of Object.entries(gate.min_dimension_scores)) {
+        if (min === null || min === undefined) {
+            continue;
+        }
+        const entry = report.dimension_scores?.[dim];
+        // A null/N-A dimension score isn't measurable against a floor — skip it.
+        if (entry?.score === null || entry?.score === undefined) {
+            continue;
+        }
+        if (entry.score < min) {
+            violations.push({
+                label: dim,
+                required: `>= ${min}`,
+                actual: entry.score.toFixed(0),
+            });
+        }
+    }
+    return { passed: violations.length === 0, violations };
+}
+/**
+ * Fetch the gate configured for a scope, or null if none is set / no session.
+ * Never throws — a read failure degrades to "no gate" (nothing enforced).
+ */
+export async function getQualityGate(scope) {
+    const row = await readScopedRow('quality_gates', 'enabled, min_overall_score, max_critical_findings, min_dimension_scores', scope);
+    if (!row) {
+        return null;
+    }
+    return {
+        enabled: row.enabled ?? true,
+        min_overall_score: row.min_overall_score ?? null,
+        max_critical_findings: row.max_critical_findings ?? null,
+        min_dimension_scores: row.min_dimension_scores ?? {},
+    };
+}

package/dist/phases/quality-benchmark/index.js

@@ -151,7 +151,7 @@ export async function runQualityBenchmark(opts) {
             ...state.unavailable_tools,
             ...(report.unavailable_tools ?? []),
         ]),
-        tool_outputs: { ...state.tool_outputs, ...(report.tool_outputs ?? {}) },
+        tool_outputs: enrichToolOutputsWithMetrics({ ...state.tool_outputs, ...(report.tool_outputs ?? {}) }, state.parsed_summaries),
         dropped_findings: Math.max(state.dropped_findings, report.dropped_findings ?? 0),
     };
     const completedAt = new Date().toISOString();
@@ -180,6 +180,20 @@ function readGitHead(repoRoot) {
     }
     return res.stdout.trim() || null;
 }
+/**
+ * Fold tier-3 (`metrics`) parser output into the persisted tool_outputs so
+ * trend charts can read numeric values (duplication %, complexity, …) without
+ * re-parsing oneliners. Count/finding tools carry no metrics and are untouched.
+ */
+function enrichToolOutputsWithMetrics(toolOutputs, parsedSummaries) {
+    const out = { ...toolOutputs };
+    for (const [id, parsed] of Object.entries(parsedSummaries)) {
+        if (parsed.summary.tier === 'metrics' && out[id]) {
+            out[id] = { ...out[id], metrics: parsed.summary.metrics };
+        }
+    }
+    return out;
+}
 function dedupUnavailable(list) {
     const seen = new Set();
     const out = [];

package/dist/phases/quality-benchmark/parsers.d.ts

@@ -17,6 +17,29 @@
  *   - Stable: same input → same output (no randomness, no clocks).
  */
 import type { ParsedToolOutput, ParserContext, ParserFn } from './types.js';
+interface DepGraphNode {
+    id: string;
+    label: string;
+    fan_in: number;
+    fan_out: number;
+    in_cycle: boolean;
+}
+interface DepGraph {
+    nodes: DepGraphNode[];
+    edges: {
+        from: string;
+        to: string;
+    }[];
+    total_modules: number;
+    truncated: boolean;
+}
+/**
+ * Build a bounded dependency graph from madge's adjacency map. Cycle nodes are
+ * always kept; the remaining slots go to the highest-degree modules. Edges are
+ * restricted to kept nodes.
+ */
+export declare function buildDependencyGraph(adjObj: Record<string, string[]>): DepGraph;
 export declare const PARSERS: Record<string, ParserFn>;
 /** Run the parser for a tool, defensively swallowing errors. */
 export declare function parseToolOutput(toolId: string, stdout: string, stderr: string, ctx: ParserContext): ParsedToolOutput;
+export {};