ghagga-core 2.0.0

package/dist/providers/index.d.ts

@@ -0,0 +1,40 @@
+/**
+ * LLM Provider factory using the Vercel AI SDK.
+ *
+ * Wraps @ai-sdk/anthropic, @ai-sdk/openai, @ai-sdk/google,
+ * GitHub Models, and Ollama behind a unified factory so the rest
+ * of the codebase doesn't need to know which provider is being used.
+ *
+ * GitHub Models uses the OpenAI-compatible endpoint at
+ * https://models.inference.ai.azure.com and authenticates with a
+ * GitHub Personal Access Token (PAT) with `models:read` scope.
+ *
+ * Ollama runs locally and exposes an OpenAI-compatible endpoint at
+ * http://localhost:11434/v1. No API key required.
+ */
+import type { LanguageModel } from 'ai';
+import type { LLMProvider } from '../types.js';
+/**
+ * Create a provider instance configured with the given API key.
+ *
+ * Returns the provider's model creator function, which can be called
+ * with a model ID to get a LanguageModel instance.
+ *
+ * @param provider - Provider name ('anthropic' | 'openai' | 'google' | 'github' | 'ollama')
+ * @param apiKey - Decrypted API key for the provider
+ * @returns The provider's model creator function
+ */
+export declare function createProvider(provider: LLMProvider, apiKey: string): import("@ai-sdk/anthropic").AnthropicProvider | import("@ai-sdk/openai").OpenAIProvider | import("@ai-sdk/google").GoogleGenerativeAIProvider;
+/**
+ * Create a LanguageModel instance for the given provider + model combo.
+ *
+ * This is the primary entry point for the rest of the codebase.
+ * It handles provider initialization and model creation in one step.
+ *
+ * @param provider - Provider name
+ * @param model - Model identifier (e.g., "claude-sonnet-4-20250514")
+ * @param apiKey - Decrypted API key
+ * @returns A LanguageModel ready for use with AI SDK's generateText/streamText
+ */
+export declare function createModel(provider: LLMProvider, model: string, apiKey: string): LanguageModel;
+//# sourceMappingURL=index.d.ts.map

package/dist/providers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAKH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACxC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAU/C;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,WAAW,EACrB,MAAM,EAAE,MAAM,iJA2Bf;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CACzB,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,aAAa,CAGf"}

package/dist/providers/index.js

@@ -0,0 +1,76 @@
+/**
+ * LLM Provider factory using the Vercel AI SDK.
+ *
+ * Wraps @ai-sdk/anthropic, @ai-sdk/openai, @ai-sdk/google,
+ * GitHub Models, and Ollama behind a unified factory so the rest
+ * of the codebase doesn't need to know which provider is being used.
+ *
+ * GitHub Models uses the OpenAI-compatible endpoint at
+ * https://models.inference.ai.azure.com and authenticates with a
+ * GitHub Personal Access Token (PAT) with `models:read` scope.
+ *
+ * Ollama runs locally and exposes an OpenAI-compatible endpoint at
+ * http://localhost:11434/v1. No API key required.
+ */
+import { createAnthropic } from '@ai-sdk/anthropic';
+import { createOpenAI } from '@ai-sdk/openai';
+import { createGoogleGenerativeAI } from '@ai-sdk/google';
+/** GitHub Models inference endpoint (OpenAI-compatible) */
+const GITHUB_MODELS_BASE_URL = 'https://models.inference.ai.azure.com';
+/** Ollama local inference endpoint (OpenAI-compatible) */
+const OLLAMA_BASE_URL = 'http://localhost:11434/v1';
+// ─── Provider Factory ───────────────────────────────────────────
+/**
+ * Create a provider instance configured with the given API key.
+ *
+ * Returns the provider's model creator function, which can be called
+ * with a model ID to get a LanguageModel instance.
+ *
+ * @param provider - Provider name ('anthropic' | 'openai' | 'google' | 'github' | 'ollama')
+ * @param apiKey - Decrypted API key for the provider
+ * @returns The provider's model creator function
+ */
+export function createProvider(provider, apiKey) {
+    switch (provider) {
+        case 'anthropic':
+            return createAnthropic({ apiKey });
+        case 'openai':
+            return createOpenAI({ apiKey });
+        case 'google':
+            return createGoogleGenerativeAI({ apiKey });
+        case 'github':
+            return createOpenAI({
+                apiKey,
+                baseURL: GITHUB_MODELS_BASE_URL,
+                name: 'github-models',
+            });
+        case 'ollama':
+            return createOpenAI({
+                apiKey: apiKey || 'ollama',
+                baseURL: OLLAMA_BASE_URL,
+                name: 'ollama',
+            });
+        default: {
+            // Exhaustive check — TypeScript will error if a provider is missing
+            const _exhaustive = provider;
+            throw new Error(`Unknown provider: ${_exhaustive}`);
+        }
+    }
+}
+// ─── Model Factory ──────────────────────────────────────────────
+/**
+ * Create a LanguageModel instance for the given provider + model combo.
+ *
+ * This is the primary entry point for the rest of the codebase.
+ * It handles provider initialization and model creation in one step.
+ *
+ * @param provider - Provider name
+ * @param model - Model identifier (e.g., "claude-sonnet-4-20250514")
+ * @param apiKey - Decrypted API key
+ * @returns A LanguageModel ready for use with AI SDK's generateText/streamText
+ */
+export function createModel(provider, model, apiKey) {
+    const providerInstance = createProvider(provider, apiKey);
+    return providerInstance(model);
+}
+//# sourceMappingURL=index.js.map

package/dist/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/providers/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAI1D,2DAA2D;AAC3D,MAAM,sBAAsB,GAAG,uCAAuC,CAAC;AAEvE,0DAA0D;AAC1D,MAAM,eAAe,GAAG,2BAA2B,CAAC;AAEpD,mEAAmE;AAEnE;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAqB,EACrB,MAAc;IAEd,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,WAAW;YACd,OAAO,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACrC,KAAK,QAAQ;YACX,OAAO,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAClC,KAAK,QAAQ;YACX,OAAO,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9C,KAAK,QAAQ;YACX,OAAO,YAAY,CAAC;gBAClB,MAAM;gBACN,OAAO,EAAE,sBAAsB;gBAC/B,IAAI,EAAE,eAAe;aACtB,CAAC,CAAC;QACL,KAAK,QAAQ;YACX,OAAO,YAAY,CAAC;gBAClB,MAAM,EAAE,MAAM,IAAI,QAAQ;gBAC1B,OAAO,EAAE,eAAe;gBACxB,IAAI,EAAE,QAAQ;aACf,CAAC,CAAC;QACL,OAAO,CAAC,CAAC,CAAC;YACR,oEAAoE;YACpE,MAAM,WAAW,GAAU,QAAQ,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,qBAAqB,WAAW,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;AACH,CAAC;AAED,mEAAmE;AAEnE;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CACzB,QAAqB,EACrB,KAAa,EACb,MAAc;IAEd,MAAM,gBAAgB,GAAG,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,gBAAgB,CAAC,KAAK,CAAkB,CAAC;AAClD,CAAC"}

package/dist/tools/cpd.d.ts

@@ -0,0 +1,24 @@
+/**
+ * PMD/CPD (Copy-Paste Detector) for duplicate code detection.
+ * Executes cpd as a child process and parses XML output.
+ */
+import type { ToolResult, ReviewFinding } from '../types.js';
+/**
+ * Simple XML parser for CPD output.
+ * CPD XML format:
+ * <pmd-cpd>
+ *   <duplication lines="N" tokens="N">
+ *     <file path="..." line="N" endline="N" />
+ *     <file path="..." line="N" endline="N" />
+ *     <codefragment>...</codefragment>
+ *   </duplication>
+ * </pmd-cpd>
+ */
+export declare function parseCpdXml(xml: string, basePath: string): ReviewFinding[];
+/**
+ * Run CPD against a directory to find duplicated code.
+ */
+export declare function runCpd(scanPath: string, options?: {
+    minimumTokens?: number;
+}): Promise<ToolResult>;
+//# sourceMappingURL=cpd.d.ts.map

package/dist/tools/cpd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cpd.d.ts","sourceRoot":"","sources":["../../src/tools/cpd.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAM7D;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAoC1E;AAsBD;;GAEG;AACH,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE;IAAE,aAAa,CAAC,EAAE,MAAM,CAAA;CAAO,GACvC,OAAO,CAAC,UAAU,CAAC,CAwDrB"}

package/dist/tools/cpd.js

@@ -0,0 +1,130 @@
+/**
+ * PMD/CPD (Copy-Paste Detector) for duplicate code detection.
+ * Executes cpd as a child process and parses XML output.
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+const TIMEOUT_MS = 60_000;
+const DEFAULT_MIN_TOKENS = 100;
+/**
+ * Simple XML parser for CPD output.
+ * CPD XML format:
+ * <pmd-cpd>
+ *   <duplication lines="N" tokens="N">
+ *     <file path="..." line="N" endline="N" />
+ *     <file path="..." line="N" endline="N" />
+ *     <codefragment>...</codefragment>
+ *   </duplication>
+ * </pmd-cpd>
+ */
+export function parseCpdXml(xml, basePath) {
+    const findings = [];
+    const dupRegex = /<duplication lines="(\d+)" tokens="(\d+)">([\s\S]*?)<\/duplication>/g;
+    const fileRegex = /<file\s+path="([^"]+)"\s+line="(\d+)"/g;
+    let dupMatch;
+    while ((dupMatch = dupRegex.exec(xml)) !== null) {
+        const lines = parseInt(dupMatch[1], 10);
+        const tokens = parseInt(dupMatch[2], 10);
+        const inner = dupMatch[3];
+        const files = [];
+        let fileMatch;
+        fileRegex.lastIndex = 0;
+        while ((fileMatch = fileRegex.exec(inner)) !== null) {
+            files.push({
+                path: fileMatch[1].replace(basePath + '/', ''),
+                line: parseInt(fileMatch[2], 10),
+            });
+        }
+        if (files.length >= 2) {
+            const locations = files.map((f) => `${f.path}:${f.line}`).join(', ');
+            findings.push({
+                severity: 'medium',
+                category: 'duplication',
+                file: files[0].path,
+                line: files[0].line,
+                message: `Duplicated code block (${lines} lines, ${tokens} tokens) found in: ${locations}`,
+                suggestion: 'Extract the duplicated code into a shared function or module.',
+                source: 'cpd',
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Detect the CPD binary name. Supports both `cpd` (standalone)
+ * and `pmd cpd` (PMD 7+ CLI).
+ */
+async function findCpdBinary() {
+    // Try standalone cpd first
+    try {
+        await execFileAsync('cpd', ['--help'], { timeout: 5_000 });
+        return { cmd: 'cpd', args: [] };
+    }
+    catch {
+        // Try pmd CLI (PMD 7+)
+        try {
+            await execFileAsync('pmd', ['cpd', '--help'], { timeout: 5_000 });
+            return { cmd: 'pmd', args: ['cpd'] };
+        }
+        catch {
+            return null;
+        }
+    }
+}
+/**
+ * Run CPD against a directory to find duplicated code.
+ */
+export async function runCpd(scanPath, options = {}) {
+    const start = Date.now();
+    const minimumTokens = options.minimumTokens ?? DEFAULT_MIN_TOKENS;
+    const binary = await findCpdBinary();
+    if (!binary) {
+        return {
+            status: 'skipped',
+            findings: [],
+            error: 'CPD/PMD not available. Install from: https://pmd.github.io',
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    try {
+        const args = [
+            ...binary.args,
+            '--format', 'xml',
+            '--minimum-tokens', String(minimumTokens),
+            '--dir', scanPath,
+            '--skip-lexical-errors',
+        ];
+        const { stdout } = await execFileAsync(binary.cmd, args, {
+            timeout: TIMEOUT_MS,
+            maxBuffer: 10 * 1024 * 1024,
+        });
+        const findings = parseCpdXml(stdout, scanPath);
+        return {
+            status: 'success',
+            findings,
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    catch (error) {
+        // CPD exits with code 4 when duplications are found (not an error)
+        if (error && typeof error === 'object' && 'stdout' in error) {
+            const stdout = error.stdout;
+            if (stdout && stdout.includes('<pmd-cpd')) {
+                const findings = parseCpdXml(stdout, scanPath);
+                return {
+                    status: 'success',
+                    findings,
+                    executionTimeMs: Date.now() - start,
+                };
+            }
+        }
+        return {
+            status: 'error',
+            findings: [],
+            error: `CPD failed: ${error instanceof Error ? error.message : String(error)}`,
+            executionTimeMs: Date.now() - start,
+        };
+    }
+}
+//# sourceMappingURL=cpd.js.map

package/dist/tools/cpd.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cpd.js","sourceRoot":"","sources":["../../src/tools/cpd.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC1C,MAAM,UAAU,GAAG,MAAM,CAAC;AAC1B,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAE/B;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,QAAgB;IACvD,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAG,sEAAsE,CAAC;IACxF,MAAM,SAAS,GAAG,wCAAwC,CAAC;IAE3D,IAAI,QAAgC,CAAC;IACrC,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAE,CAAC;QAE3B,MAAM,KAAK,GAA0C,EAAE,CAAC;QACxD,IAAI,SAAiC,CAAC;QACtC,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC;QACxB,OAAO,CAAC,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACpD,KAAK,CAAC,IAAI,CAAC;gBACT,IAAI,EAAE,SAAS,CAAC,CAAC,CAAE,CAAC,OAAO,CAAC,QAAQ,GAAG,GAAG,EAAE,EAAE,CAAC;gBAC/C,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC;aAClC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrE,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,aAAa;gBACvB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI;gBACpB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI;gBACpB,OAAO,EAAE,0BAA0B,KAAK,WAAW,MAAM,sBAAsB,SAAS,EAAE;gBAC1F,UAAU,EAAE,+DAA+D;gBAC3E,MAAM,EAAE,KAAc;aACvB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,aAAa;IAC1B,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;QACvB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,QAAgB,EAChB,UAAsC,EAAE;IAExC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,kBAAkB,CAAC;IAElE,MAAM,MAAM,GAAG,MAAM,aAAa,EAAE,CAAC;IACrC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,4DAA4D;YACnE,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG;YACX,GAAG,MAAM,CAAC,IAAI;YACd,UAAU,EAAE,KAAK;YACjB,kBAAkB,EAAE,MAAM,CAAC,aAAa,CAAC;YACzC,OAAO,EAAE,QAAQ;YACjB,uBAAuB;SACxB,CAAC;QAEF,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE;YACvD,OAAO,EAAE,UAAU;YACnB,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAE/C,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ;YACR,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mEAAmE;QACnE,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC5D,MAAM,MAAM,GAAI,KAA4B,CAAC,MAAM,CAAC;YACpD,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC1C,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC/C,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,QAAQ;oBACR,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,eAAe,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;YAC9E,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/tools/runner.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Static analysis tool runner.
+ * Runs Semgrep, Trivy, and CPD in parallel and merges results.
+ */
+import type { StaticAnalysisResult, ReviewSettings } from '../types.js';
+/**
+ * Run all enabled static analysis tools in parallel.
+ *
+ * @param files - Map of file paths to file contents (for Semgrep)
+ * @param scanPath - Directory path on disk (for Trivy and CPD)
+ * @param settings - Which tools are enabled
+ */
+export declare function runStaticAnalysis(files: Map<string, string>, scanPath: string, settings: Pick<ReviewSettings, 'enableSemgrep' | 'enableTrivy' | 'enableCpd' | 'customRules'>): Promise<StaticAnalysisResult>;
+/**
+ * Format static analysis findings into a prompt context block.
+ * This is injected into LLM prompts so agents don't repeat findings.
+ */
+export declare function formatStaticAnalysisContext(result: StaticAnalysisResult): string;
+//# sourceMappingURL=runner.d.ts.map

package/dist/tools/runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/tools/runner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,oBAAoB,EAAE,cAAc,EAAc,MAAM,aAAa,CAAC;AASpF;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC1B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,IAAI,CAAC,cAAc,EAAE,eAAe,GAAG,aAAa,GAAG,WAAW,GAAG,aAAa,CAAC,GAC5F,OAAO,CAAC,oBAAoB,CAAC,CAkB/B;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAqBhF"}

package/dist/tools/runner.js

@@ -0,0 +1,61 @@
+/**
+ * Static analysis tool runner.
+ * Runs Semgrep, Trivy, and CPD in parallel and merges results.
+ */
+import { runSemgrep } from './semgrep.js';
+import { runTrivy } from './trivy.js';
+import { runCpd } from './cpd.js';
+const SKIPPED_RESULT = {
+    status: 'skipped',
+    findings: [],
+    error: 'Disabled in settings',
+    executionTimeMs: 0,
+};
+/**
+ * Run all enabled static analysis tools in parallel.
+ *
+ * @param files - Map of file paths to file contents (for Semgrep)
+ * @param scanPath - Directory path on disk (for Trivy and CPD)
+ * @param settings - Which tools are enabled
+ */
+export async function runStaticAnalysis(files, scanPath, settings) {
+    const [semgrepResult, trivyResult, cpdResult] = await Promise.allSettled([
+        settings.enableSemgrep ? runSemgrep(files) : Promise.resolve(SKIPPED_RESULT),
+        settings.enableTrivy ? runTrivy(scanPath) : Promise.resolve(SKIPPED_RESULT),
+        settings.enableCpd ? runCpd(scanPath) : Promise.resolve(SKIPPED_RESULT),
+    ]);
+    return {
+        semgrep: semgrepResult.status === 'fulfilled'
+            ? semgrepResult.value
+            : { status: 'error', findings: [], error: String(semgrepResult.reason), executionTimeMs: 0 },
+        trivy: trivyResult.status === 'fulfilled'
+            ? trivyResult.value
+            : { status: 'error', findings: [], error: String(trivyResult.reason), executionTimeMs: 0 },
+        cpd: cpdResult.status === 'fulfilled'
+            ? cpdResult.value
+            : { status: 'error', findings: [], error: String(cpdResult.reason), executionTimeMs: 0 },
+    };
+}
+/**
+ * Format static analysis findings into a prompt context block.
+ * This is injected into LLM prompts so agents don't repeat findings.
+ */
+export function formatStaticAnalysisContext(result) {
+    const allFindings = [
+        ...result.semgrep.findings,
+        ...result.trivy.findings,
+        ...result.cpd.findings,
+    ];
+    if (allFindings.length === 0)
+        return '';
+    const lines = ['## Pre-Review Static Analysis (confirmed issues - do NOT repeat these)', ''];
+    for (const finding of allFindings) {
+        const location = finding.line ? `${finding.file}:${finding.line}` : finding.file;
+        lines.push(`- **[${finding.source.toUpperCase()}]** [${finding.severity}] ${location}: ${finding.message}`);
+    }
+    lines.push('');
+    lines.push('> These issues were detected by automated tools. Do NOT repeat them in your review.');
+    lines.push('> Focus on logic, architecture, and issues that static analysis cannot detect.');
+    return lines.join('\n');
+}
+//# sourceMappingURL=runner.js.map

package/dist/tools/runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../src/tools/runner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAGlC,MAAM,cAAc,GAAe;IACjC,MAAM,EAAE,SAAS;IACjB,QAAQ,EAAE,EAAE;IACZ,KAAK,EAAE,sBAAsB;IAC7B,eAAe,EAAE,CAAC;CACnB,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAA0B,EAC1B,QAAgB,EAChB,QAA6F;IAE7F,MAAM,CAAC,aAAa,EAAE,WAAW,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC;QACvE,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC;QAC5E,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC;QAC3E,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC;KACxE,CAAC,CAAC;IAEH,OAAO;QACL,OAAO,EAAE,aAAa,CAAC,MAAM,KAAK,WAAW;YAC3C,CAAC,CAAC,aAAa,CAAC,KAAK;YACrB,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE;QAC9F,KAAK,EAAE,WAAW,CAAC,MAAM,KAAK,WAAW;YACvC,CAAC,CAAC,WAAW,CAAC,KAAK;YACnB,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE;QAC5F,GAAG,EAAE,SAAS,CAAC,MAAM,KAAK,WAAW;YACnC,CAAC,CAAC,SAAS,CAAC,KAAK;YACjB,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,CAAC,EAAE;KAC3F,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAA4B;IACtE,MAAM,WAAW,GAAG;QAClB,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ;QAC1B,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ;QACxB,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ;KACvB,CAAC;IAEF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAExC,MAAM,KAAK,GAAG,CAAC,wEAAwE,EAAE,EAAE,CAAC,CAAC;IAE7F,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;QACjF,KAAK,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,OAAO,CAAC,QAAQ,KAAK,QAAQ,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC9G,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,qFAAqF,CAAC,CAAC;IAClG,KAAK,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAE7F,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/tools/semgrep.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Semgrep static analysis tool runner.
+ * Executes semgrep as a child process and parses JSON output.
+ */
+import type { ToolResult, FindingSeverity } from '../types.js';
+export declare function mapSeverity(semgrepSeverity: string): FindingSeverity;
+/**
+ * Run Semgrep against file contents.
+ * Files are written to a temp directory, scanned, then cleaned up.
+ */
+export declare function runSemgrep(files: Map<string, string>, customRulesPath?: string): Promise<ToolResult>;
+//# sourceMappingURL=semgrep.d.ts.map

package/dist/tools/semgrep.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../src/tools/semgrep.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,OAAO,KAAK,EAAE,UAAU,EAAiB,eAAe,EAAE,MAAM,aAAa,CAAC;AAsB9E,wBAAgB,WAAW,CAAC,eAAe,EAAE,MAAM,GAAG,eAAe,CAWpE;AAED;;;GAGG;AACH,wBAAsB,UAAU,CAC9B,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC1B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,UAAU,CAAC,CAwErB"}

package/dist/tools/semgrep.js

@@ -0,0 +1,97 @@
+/**
+ * Semgrep static analysis tool runner.
+ * Executes semgrep as a child process and parses JSON output.
+ */
+import { execFile } from 'node:child_process';
+import { writeFile, mkdtemp, rm } from 'node:fs/promises';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { promisify } from 'node:util';
+import { fileURLToPath } from 'node:url';
+import { dirname } from 'node:path';
+const execFileAsync = promisify(execFile);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const RULES_PATH = join(__dirname, 'semgrep-rules.yml');
+const TIMEOUT_MS = 60_000;
+export function mapSeverity(semgrepSeverity) {
+    switch (semgrepSeverity.toUpperCase()) {
+        case 'ERROR':
+            return 'high';
+        case 'WARNING':
+            return 'medium';
+        case 'INFO':
+            return 'info';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Run Semgrep against file contents.
+ * Files are written to a temp directory, scanned, then cleaned up.
+ */
+export async function runSemgrep(files, customRulesPath) {
+    const start = Date.now();
+    try {
+        // Check if semgrep is available
+        await execFileAsync('semgrep', ['--version'], { timeout: 5_000 });
+    }
+    catch {
+        return {
+            status: 'skipped',
+            findings: [],
+            error: 'Semgrep not available. Install with: pip install semgrep',
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    let tempDir;
+    try {
+        // Write files to temp directory
+        tempDir = await mkdtemp(join(tmpdir(), 'ghagga-semgrep-'));
+        for (const [filePath, content] of files) {
+            const fullPath = join(tempDir, filePath);
+            const dir = dirname(fullPath);
+            await mkdtemp(dir).catch(() => { }); // ignore if exists
+            await writeFile(fullPath, content, 'utf8').catch(async () => {
+                // Create parent dirs recursively
+                const { mkdir } = await import('node:fs/promises');
+                await mkdir(dirname(fullPath), { recursive: true });
+                await writeFile(fullPath, content, 'utf8');
+            });
+        }
+        // Run semgrep
+        const configArgs = ['--config', RULES_PATH];
+        if (customRulesPath) {
+            configArgs.push('--config', customRulesPath);
+        }
+        const { stdout } = await execFileAsync('semgrep', ['--json', ...configArgs, tempDir], { timeout: TIMEOUT_MS, maxBuffer: 10 * 1024 * 1024 });
+        const result = JSON.parse(stdout);
+        const findings = result.results.map((r) => ({
+            severity: mapSeverity(r.extra.severity),
+            category: 'security',
+            file: r.path.replace(tempDir + '/', ''),
+            line: r.start.line,
+            message: r.extra.message,
+            suggestion: undefined,
+            source: 'semgrep',
+        }));
+        return {
+            status: 'success',
+            findings,
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    catch (error) {
+        return {
+            status: 'error',
+            findings: [],
+            error: `Semgrep failed: ${error instanceof Error ? error.message : String(error)}`,
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    finally {
+        if (tempDir) {
+            await rm(tempDir, { recursive: true, force: true }).catch(() => { });
+        }
+    }
+}
+//# sourceMappingURL=semgrep.js.map

package/dist/tools/semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../src/tools/semgrep.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;AACxD,MAAM,UAAU,GAAG,MAAM,CAAC;AAiB1B,MAAM,UAAU,WAAW,CAAC,eAAuB;IACjD,QAAQ,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC;QACtC,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,KAA0B,EAC1B,eAAwB;IAExB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,IAAI,CAAC;QACH,gCAAgC;QAChC,MAAM,aAAa,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,0DAA0D;YACjE,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAED,IAAI,OAA2B,CAAC;IAChC,IAAI,CAAC;QACH,gCAAgC;QAChC,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC3D,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC9B,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC,CAAC,mBAAmB;YACvD,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE;gBAC1D,iCAAiC;gBACjC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBACnD,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;gBACpD,MAAM,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7C,CAAC,CAAC,CAAC;QACL,CAAC;QAED,cAAc;QACd,MAAM,UAAU,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAC5C,IAAI,eAAe,EAAE,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,SAAS,EACT,CAAC,QAAQ,EAAE,GAAG,UAAU,EAAE,OAAO,CAAC,EAClC,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACrD,CAAC;QAEF,MAAM,MAAM,GAAkB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEjD,MAAM,QAAQ,GAAoB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC3D,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC;YACvC,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO;YACxB,UAAU,EAAE,SAAS;YACrB,MAAM,EAAE,SAAkB;SAC3B,CAAC,CAAC,CAAC;QAEJ,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ;YACR,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,mBAAmB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;YAClF,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/tools/trivy.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Trivy dependency vulnerability scanner.
+ * Executes trivy as a child process and parses JSON output.
+ */
+import type { ToolResult, FindingSeverity } from '../types.js';
+export declare function mapSeverity(trivySeverity: string): FindingSeverity;
+/**
+ * Run Trivy against a directory to scan for dependency vulnerabilities.
+ */
+export declare function runTrivy(scanPath: string): Promise<ToolResult>;
+//# sourceMappingURL=trivy.d.ts.map

package/dist/tools/trivy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../src/tools/trivy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAiB,eAAe,EAAE,MAAM,aAAa,CAAC;AAqB9E,wBAAgB,WAAW,CAAC,aAAa,EAAE,MAAM,GAAG,eAAe,CAalE;AAED;;GAEG;AACH,wBAAsB,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAuDpE"}

package/dist/tools/trivy.js

@@ -0,0 +1,74 @@
+/**
+ * Trivy dependency vulnerability scanner.
+ * Executes trivy as a child process and parses JSON output.
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+const TIMEOUT_MS = 120_000; // Trivy can be slow on first run (downloading DB)
+export function mapSeverity(trivySeverity) {
+    switch (trivySeverity.toUpperCase()) {
+        case 'CRITICAL':
+            return 'critical';
+        case 'HIGH':
+            return 'high';
+        case 'MEDIUM':
+            return 'medium';
+        case 'LOW':
+            return 'low';
+        default:
+            return 'info';
+    }
+}
+/**
+ * Run Trivy against a directory to scan for dependency vulnerabilities.
+ */
+export async function runTrivy(scanPath) {
+    const start = Date.now();
+    try {
+        // Check if trivy is available
+        await execFileAsync('trivy', ['--version'], { timeout: 5_000 });
+    }
+    catch {
+        return {
+            status: 'skipped',
+            findings: [],
+            error: 'Trivy not available. Install from: https://trivy.dev',
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    try {
+        const { stdout } = await execFileAsync('trivy', ['fs', '--format', 'json', '--scanners', 'vuln', '--quiet', scanPath], { timeout: TIMEOUT_MS, maxBuffer: 10 * 1024 * 1024 });
+        const result = JSON.parse(stdout);
+        const findings = [];
+        for (const target of result.Results ?? []) {
+            for (const vuln of target.Vulnerabilities ?? []) {
+                const fixInfo = vuln.FixedVersion ? ` (fix: upgrade to ${vuln.FixedVersion})` : ' (no fix available)';
+                findings.push({
+                    severity: mapSeverity(vuln.Severity),
+                    category: 'dependency-vulnerability',
+                    file: target.Target,
+                    message: `${vuln.VulnerabilityID}: ${vuln.PkgName}@${vuln.InstalledVersion} - ${vuln.Title ?? vuln.Description ?? 'Known vulnerability'}${fixInfo}`,
+                    suggestion: vuln.FixedVersion
+                        ? `Upgrade ${vuln.PkgName} to ${vuln.FixedVersion}`
+                        : undefined,
+                    source: 'trivy',
+                });
+            }
+        }
+        return {
+            status: 'success',
+            findings,
+            executionTimeMs: Date.now() - start,
+        };
+    }
+    catch (error) {
+        return {
+            status: 'error',
+            findings: [],
+            error: `Trivy failed: ${error instanceof Error ? error.message : String(error)}`,
+            executionTimeMs: Date.now() - start,
+        };
+    }
+}
+//# sourceMappingURL=trivy.js.map

package/dist/tools/trivy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.js","sourceRoot":"","sources":["../../src/tools/trivy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,kDAAkD;AAkB9E,MAAM,UAAU,WAAW,CAAC,aAAqB;IAC/C,QAAQ,aAAa,CAAC,WAAW,EAAE,EAAE,CAAC;QACpC,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf;YACE,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,QAAgB;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,aAAa,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,sDAAsD;YAC7D,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,OAAO,EACP,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,EACrE,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACrD,CAAC;QAEF,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAChD,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,qBAAqB,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,qBAAqB,CAAC;gBAEtG,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;oBACpC,QAAQ,EAAE,0BAA0B;oBACpC,IAAI,EAAE,MAAM,CAAC,MAAM;oBACnB,OAAO,EAAE,GAAG,IAAI,CAAC,eAAe,KAAK,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,MAAM,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,IAAI,qBAAqB,GAAG,OAAO,EAAE;oBACnJ,UAAU,EAAE,IAAI,CAAC,YAAY;wBAC3B,CAAC,CAAC,WAAW,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,YAAY,EAAE;wBACnD,CAAC,CAAC,SAAS;oBACb,MAAM,EAAE,OAAgB;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ;YACR,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,MAAM,EAAE,OAAO;YACf,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,iBAAiB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;YAChF,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;AACH,CAAC"}