ghagga-core 2.2.0 → 2.4.0

package/dist/tools/plugins/semgrep.js

@@ -0,0 +1,82 @@
+/**
+ * Semgrep plugin — security analysis (always-on).
+ *
+ * Adapted from:
+ * - packages/core/src/tools/semgrep.ts (parsing logic)
+ * - apps/action/src/tools/semgrep.ts (install/run flow)
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const SEMGREP_VERSION = '1.90.0';
+/**
+ * Map Semgrep severity to GHAGGA FindingSeverity.
+ * ERROR -> high, WARNING -> medium, INFO -> info, default -> low
+ */
+export function mapSemgrepSeverity(semgrepSeverity) {
+    switch (semgrepSeverity.toUpperCase()) {
+        case 'ERROR':
+            return 'high';
+        case 'WARNING':
+            return 'medium';
+        case 'INFO':
+            return 'info';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Parse Semgrep JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseSemgrepOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const result = JSON.parse(raw.stdout);
+        return (result.results ?? []).map((r) => ({
+            severity: mapSemgrepSeverity(r.extra.severity),
+            category: 'security',
+            file: r.path.replace(`${repoDir}/`, ''),
+            line: r.start.line,
+            message: r.extra.message,
+            source: 'semgrep',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const semgrepPlugin = {
+    name: 'semgrep',
+    displayName: 'Semgrep',
+    category: 'security',
+    tier: 'always-on',
+    version: SEMGREP_VERSION,
+    outputFormat: 'json',
+    cachePaths: ['/usr/local/bin/semgrep'],
+    async install(ctx) {
+        const cached = await ctx.cacheRestore('semgrep', ['/usr/local/bin/semgrep']);
+        if (cached) {
+            try {
+                await ctx.exec('semgrep', ['--version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'Semgrep cache restored but binary not functional, reinstalling');
+            }
+        }
+        await ctx.exec('pip', ['install', '--quiet', `semgrep==${SEMGREP_VERSION}`], {
+            timeoutMs: 120_000,
+        });
+        await ctx.exec('semgrep', ['--version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('semgrep', ['/usr/local/bin/semgrep']);
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        return ctx.exec('semgrep', ['--json', '--config', 'auto', '--quiet', repoDir], {
+            timeoutMs: timeout,
+            allowExitCodes: [1], // semgrep returns 1 when findings are present
+        });
+    },
+    parse: parseSemgrepOutput,
+};
+//# sourceMappingURL=semgrep.js.map

package/dist/tools/plugins/semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../../src/tools/plugins/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,eAAe,GAAG,QAAQ,CAAC;AAEjC;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,eAAuB;IACxD,QAAQ,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC;QACtC,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAkB,EAAE,OAAe;IACpE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAMnC,CAAC;QAEF,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC;YAC9C,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO;YACxB,MAAM,EAAE,SAAkB;SAC3B,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,SAAS;IACtB,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,eAAe;IACxB,YAAY,EAAE,MAAM;IACpB,UAAU,EAAE,CAAC,wBAAwB,CAAC;IAEtC,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC,wBAAwB,CAAC,CAAC,CAAC;QAC7E,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAChE,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,gEAAgE,CAAC,CAAC;YACpF,CAAC;QACH,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,eAAe,EAAE,CAAC,EAAE;YAC3E,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAChE,MAAM,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,wBAAwB,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,OAAO,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;YAC7E,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,8CAA8C;SACpE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,kBAAkB;CAC1B,CAAC"}

package/dist/tools/plugins/shellcheck.d.ts

@@ -0,0 +1,23 @@
+/**
+ * ShellCheck plugin — shell script linting (always-on).
+ *
+ * Lints shell scripts for common issues and portability problems.
+ * Only runs on *.sh and *.bash files; returns empty findings if none found.
+ *
+ * Pre-installed on GitHub Actions runners — install is a verification step.
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map ShellCheck level to GHAGGA FindingSeverity.
+ * error→high, warning→medium, info→info, style→low
+ */
+export declare function mapShellCheckSeverity(level: string): FindingSeverity;
+/**
+ * Parse ShellCheck JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseShellCheckOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const shellcheckPlugin: ToolDefinition;
+//# sourceMappingURL=shellcheck.d.ts.map

package/dist/tools/plugins/shellcheck.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shellcheck.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/shellcheck.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,CAapE;AAYD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAiB1F;AAED,eAAO,MAAM,gBAAgB,EAAE,cAiD9B,CAAC"}

package/dist/tools/plugins/shellcheck.js

@@ -0,0 +1,87 @@
+/**
+ * ShellCheck plugin — shell script linting (always-on).
+ *
+ * Lints shell scripts for common issues and portability problems.
+ * Only runs on *.sh and *.bash files; returns empty findings if none found.
+ *
+ * Pre-installed on GitHub Actions runners — install is a verification step.
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const SHELLCHECK_VERSION = '0.10.0';
+/**
+ * Map ShellCheck level to GHAGGA FindingSeverity.
+ * error→high, warning→medium, info→info, style→low
+ */
+export function mapShellCheckSeverity(level) {
+    switch (level.toLowerCase()) {
+        case 'error':
+            return 'high';
+        case 'warning':
+            return 'medium';
+        case 'info':
+            return 'info';
+        case 'style':
+            return 'low';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Parse ShellCheck JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseShellCheckOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const findings = JSON.parse(raw.stdout);
+        return findings.map((f) => ({
+            severity: mapShellCheckSeverity(f.level),
+            category: 'quality',
+            file: f.file.replace(`${repoDir}/`, ''),
+            line: f.line,
+            message: `SC${f.code}: ${f.message}`,
+            source: 'shellcheck',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const shellcheckPlugin = {
+    name: 'shellcheck',
+    displayName: 'ShellCheck',
+    category: 'quality',
+    tier: 'always-on',
+    version: SHELLCHECK_VERSION,
+    outputFormat: 'json',
+    async install(ctx) {
+        // ShellCheck is typically pre-installed on GitHub Actions runners
+        try {
+            await ctx.exec('shellcheck', ['--version'], { timeoutMs: 10_000 });
+            return;
+        }
+        catch {
+            ctx.log('info', 'ShellCheck not found, installing...');
+        }
+        await ctx.exec('bash', [
+            '-c',
+            `curl -sL "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | tar xJ --strip-components=1 -C /usr/local/bin shellcheck-v${SHELLCHECK_VERSION}/shellcheck`,
+        ], { timeoutMs: 120_000 });
+        await ctx.exec('shellcheck', ['--version'], { timeoutMs: 10_000 });
+    },
+    async run(ctx, _repoDir, files, timeout) {
+        // Filter to only shell script files
+        const shellFiles = files.filter((f) => /\.(sh|bash)$/.test(f));
+        if (shellFiles.length === 0) {
+            // No shell files — return empty output (will parse to empty findings)
+            return { stdout: '[]', stderr: '', exitCode: 0, timedOut: false };
+        }
+        return ctx.exec('shellcheck', ['--format=json', ...shellFiles], {
+            timeoutMs: timeout,
+            allowExitCodes: [1], // shellcheck returns 1 when findings are present
+        });
+    },
+    parse: parseShellCheckOutput,
+};
+//# sourceMappingURL=shellcheck.js.map

package/dist/tools/plugins/shellcheck.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shellcheck.js","sourceRoot":"","sources":["../../../src/tools/plugins/shellcheck.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,kBAAkB,GAAG,QAAQ,CAAC;AAEpC;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAa;IACjD,QAAQ,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;QAC5B,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,OAAO;YACV,OAAO,KAAK,CAAC;QACf;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAYD;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAkB,EAAE,OAAe;IACvE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAwB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE7D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,QAAQ,EAAE,qBAAqB,CAAC,CAAC,CAAC,KAAK,CAAC;YACxC,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE;YACpC,MAAM,EAAE,YAAqB;SAC9B,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,IAAI,EAAE,YAAY;IAClB,WAAW,EAAE,YAAY;IACzB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,kBAAkB;IAC3B,YAAY,EAAE,MAAM;IAEpB,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,kEAAkE;QAClE,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YACnE,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CACZ,MAAM,EACN;YACE,IAAI;YACJ,uEAAuE,kBAAkB,gBAAgB,kBAAkB,qFAAqF,kBAAkB,aAAa;SAChP,EACD,EAAE,SAAS,EAAE,OAAO,EAAE,CACvB,CAAC;QACF,MAAM,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,QAAgB,EAChB,KAAe,EACf,OAAe;QAEf,oCAAoC;QACpC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAE/D,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,sEAAsE;YACtE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QACpE,CAAC;QAED,OAAO,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,eAAe,EAAE,GAAG,UAAU,CAAC,EAAE;YAC9D,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,iDAAiD;SACvE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,qBAAqB;CAC7B,CAAC"}

package/dist/tools/plugins/trivy.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Trivy plugin — SCA vulnerability + license scanning (always-on).
+ *
+ * Adapted from:
+ * - packages/core/src/tools/trivy.ts (parsing logic)
+ * - apps/action/src/tools/trivy.ts (install/run flow)
+ *
+ * Enhanced: adds --scanners license to existing vuln scanner.
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map Trivy severity to GHAGGA FindingSeverity.
+ * CRITICAL -> critical, HIGH -> high, MEDIUM -> medium, LOW -> low, default -> info
+ */
+export declare function mapTrivySeverity(trivySeverity: string): FindingSeverity;
+/**
+ * Parse Trivy JSON output into ReviewFinding[].
+ * Handles both vulnerability and license findings.
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseTrivyOutput(raw: RawToolOutput, _repoDir: string): ReviewFinding[];
+export declare const trivyPlugin: ToolDefinition;
+//# sourceMappingURL=trivy.d.ts.map

package/dist/tools/plugins/trivy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,aAAa,EAAE,MAAM,GAAG,eAAe,CAavE;AA0BD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAuCtF;AAED,eAAO,MAAM,WAAW,EAAE,cAmDzB,CAAC"}

package/dist/tools/plugins/trivy.js

@@ -0,0 +1,108 @@
+/**
+ * Trivy plugin — SCA vulnerability + license scanning (always-on).
+ *
+ * Adapted from:
+ * - packages/core/src/tools/trivy.ts (parsing logic)
+ * - apps/action/src/tools/trivy.ts (install/run flow)
+ *
+ * Enhanced: adds --scanners license to existing vuln scanner.
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const TRIVY_VERSION = '0.69.3';
+/**
+ * Map Trivy severity to GHAGGA FindingSeverity.
+ * CRITICAL -> critical, HIGH -> high, MEDIUM -> medium, LOW -> low, default -> info
+ */
+export function mapTrivySeverity(trivySeverity) {
+    switch (trivySeverity.toUpperCase()) {
+        case 'CRITICAL':
+            return 'critical';
+        case 'HIGH':
+            return 'high';
+        case 'MEDIUM':
+            return 'medium';
+        case 'LOW':
+            return 'low';
+        default:
+            return 'info';
+    }
+}
+/**
+ * Parse Trivy JSON output into ReviewFinding[].
+ * Handles both vulnerability and license findings.
+ * Exported for direct testing with fixture data.
+ */
+export function parseTrivyOutput(raw, _repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const result = JSON.parse(raw.stdout);
+        const findings = [];
+        for (const target of result.Results ?? []) {
+            // Parse vulnerability findings (existing behavior)
+            for (const vuln of target.Vulnerabilities ?? []) {
+                const fixInfo = vuln.FixedVersion
+                    ? ` (fix: upgrade to ${vuln.FixedVersion})`
+                    : ' (no fix available)';
+                findings.push({
+                    severity: mapTrivySeverity(vuln.Severity),
+                    category: 'dependency-vulnerability',
+                    file: target.Target,
+                    message: `${vuln.VulnerabilityID}: ${vuln.PkgName}@${vuln.InstalledVersion} - ${vuln.Title ?? vuln.Description ?? 'Known vulnerability'}${fixInfo}`,
+                    source: 'trivy',
+                });
+            }
+            // Parse license findings (new enhancement)
+            for (const license of target.Licenses ?? []) {
+                findings.push({
+                    severity: 'info',
+                    category: 'license',
+                    file: target.Target,
+                    message: `${license.PkgName}: ${license.Name} (${license.Category})`,
+                    source: 'trivy',
+                });
+            }
+        }
+        return findings;
+    }
+    catch {
+        return [];
+    }
+}
+export const trivyPlugin = {
+    name: 'trivy',
+    displayName: 'Trivy',
+    category: 'sca',
+    tier: 'always-on',
+    version: TRIVY_VERSION,
+    outputFormat: 'json',
+    cachePaths: ['/usr/local/bin/trivy'],
+    async install(ctx) {
+        const cached = await ctx.cacheRestore('trivy', ['/usr/local/bin/trivy']);
+        if (cached) {
+            try {
+                await ctx.exec('trivy', ['--version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'Trivy cache restored but binary not functional, reinstalling');
+            }
+        }
+        // Install Trivy via official install script
+        await ctx.exec('bash', [
+            '-c',
+            `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${TRIVY_VERSION}`,
+        ], { timeoutMs: 120_000 });
+        await ctx.exec('trivy', ['--version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('trivy', ['/usr/local/bin/trivy']);
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        // Enhanced: adds 'license' scanner alongside 'vuln'
+        return ctx.exec('trivy', ['fs', '--format', 'json', '--scanners', 'vuln,license', '--quiet', repoDir], {
+            timeoutMs: timeout,
+            allowExitCodes: [1],
+        });
+    },
+    parse: parseTrivyOutput,
+};
+//# sourceMappingURL=trivy.js.map

package/dist/tools/plugins/trivy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.js","sourceRoot":"","sources":["../../../src/tools/plugins/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,MAAM,aAAa,GAAG,QAAQ,CAAC;AAE/B;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,aAAqB;IACpD,QAAQ,aAAa,CAAC,WAAW,EAAE,EAAE,CAAC;QACpC,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf;YACE,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AA0BD;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAkB,EAAE,QAAgB;IACnE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YAC1C,mDAAmD;YACnD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAChD,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY;oBAC/B,CAAC,CAAC,qBAAqB,IAAI,CAAC,YAAY,GAAG;oBAC3C,CAAC,CAAC,qBAAqB,CAAC;gBAE1B,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC;oBACzC,QAAQ,EAAE,0BAA0B;oBACpC,IAAI,EAAE,MAAM,CAAC,MAAM;oBACnB,OAAO,EAAE,GAAG,IAAI,CAAC,eAAe,KAAK,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,MAAM,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,IAAI,qBAAqB,GAAG,OAAO,EAAE;oBACnJ,MAAM,EAAE,OAAgB;iBACzB,CAAC,CAAC;YACL,CAAC;YAED,2CAA2C;YAC3C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;gBAC5C,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,SAAS;oBACnB,IAAI,EAAE,MAAM,CAAC,MAAM;oBACnB,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,QAAQ,GAAG;oBACpE,MAAM,EAAE,OAAgB;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,OAAO;IACpB,QAAQ,EAAE,KAAK;IACf,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,MAAM;IACpB,UAAU,EAAE,CAAC,sBAAsB,CAAC;IAEpC,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,sBAAsB,CAAC,CAAC,CAAC;QACzE,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC9D,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,8DAA8D,CAAC,CAAC;YAClF,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,GAAG,CAAC,IAAI,CACZ,MAAM,EACN;YACE,IAAI;YACJ,wHAAwH,aAAa,EAAE;SACxI,EACD,EAAE,SAAS,EAAE,OAAO,EAAE,CACvB,CAAC;QACF,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9D,MAAM,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,sBAAsB,CAAC,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,oDAAoD;QACpD,OAAO,GAAG,CAAC,IAAI,CACb,OAAO,EACP,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,SAAS,EAAE,OAAO,CAAC,EAC5E;YACE,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC;SACpB,CACF,CAAC;IACJ,CAAC;IAED,KAAK,EAAE,gBAAgB;CACxB,CAAC"}

package/dist/tools/registry.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Tool Registry — central registration point for all static analysis tools.
+ *
+ * Plugins register themselves via `toolRegistry.register()`.
+ * The orchestrator discovers tools through `toolRegistry.getAll()`.
+ *
+ * Singleton pattern: one registry per process, populated at import time
+ * by `plugins/index.ts`.
+ */
+import type { ToolDefinition, ToolTier } from './types.js';
+export declare class ToolRegistry {
+    private tools;
+    /**
+     * Register a tool definition.
+     * Validates that auto-detect tools have a detect function.
+     * Throws on duplicate name registration.
+     */
+    register(tool: ToolDefinition): void;
+    /** Get all registered tools */
+    getAll(): ToolDefinition[];
+    /** Get tool by name, or undefined */
+    getByName(name: string): ToolDefinition | undefined;
+    /** Get tools by tier */
+    getByTier(tier: ToolTier): ToolDefinition[];
+    /** Get registered tool count */
+    get size(): number;
+    /** Validate all registrations (called once at startup) */
+    validateAll(): void;
+    /**
+     * Clear all registrations (useful for tests).
+     * @internal
+     */
+    clear(): void;
+}
+/** Singleton registry instance — populated by plugins/index.ts */
+export declare const toolRegistry: ToolRegistry;
+//# sourceMappingURL=registry.d.ts.map

package/dist/tools/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/tools/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE3D,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAAqC;IAElD;;;;OAIG;IACH,QAAQ,CAAC,IAAI,EAAE,cAAc,GAAG,IAAI;IAepC,+BAA+B;IAC/B,MAAM,IAAI,cAAc,EAAE;IAI1B,qCAAqC;IACrC,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAInD,wBAAwB;IACxB,SAAS,CAAC,IAAI,EAAE,QAAQ,GAAG,cAAc,EAAE;IAI3C,gCAAgC;IAChC,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED,0DAA0D;IAC1D,WAAW,IAAI,IAAI;IAUnB;;;OAGG;IACH,KAAK,IAAI,IAAI;CAGd;AAED,kEAAkE;AAClE,eAAO,MAAM,YAAY,cAAqB,CAAC"}

package/dist/tools/registry.js

@@ -0,0 +1,61 @@
+/**
+ * Tool Registry — central registration point for all static analysis tools.
+ *
+ * Plugins register themselves via `toolRegistry.register()`.
+ * The orchestrator discovers tools through `toolRegistry.getAll()`.
+ *
+ * Singleton pattern: one registry per process, populated at import time
+ * by `plugins/index.ts`.
+ */
+export class ToolRegistry {
+    tools = new Map();
+    /**
+     * Register a tool definition.
+     * Validates that auto-detect tools have a detect function.
+     * Throws on duplicate name registration.
+     */
+    register(tool) {
+        if (this.tools.has(tool.name)) {
+            throw new Error(`Tool "${tool.name}" is already registered`);
+        }
+        if (tool.tier === 'auto-detect' && typeof tool.detect !== 'function') {
+            throw new Error(`Tool "${tool.name}" has tier "auto-detect" but no detect function. ` +
+                'Auto-detect tools must provide a detect(files) function.');
+        }
+        this.tools.set(tool.name, tool);
+    }
+    /** Get all registered tools */
+    getAll() {
+        return Array.from(this.tools.values());
+    }
+    /** Get tool by name, or undefined */
+    getByName(name) {
+        return this.tools.get(name);
+    }
+    /** Get tools by tier */
+    getByTier(tier) {
+        return this.getAll().filter((t) => t.tier === tier);
+    }
+    /** Get registered tool count */
+    get size() {
+        return this.tools.size;
+    }
+    /** Validate all registrations (called once at startup) */
+    validateAll() {
+        for (const tool of this.tools.values()) {
+            if (tool.tier === 'auto-detect' && typeof tool.detect !== 'function') {
+                throw new Error(`Validation failed: tool "${tool.name}" is auto-detect but has no detect function`);
+            }
+        }
+    }
+    /**
+     * Clear all registrations (useful for tests).
+     * @internal
+     */
+    clear() {
+        this.tools.clear();
+    }
+}
+/** Singleton registry instance — populated by plugins/index.ts */
+export const toolRegistry = new ToolRegistry();
+//# sourceMappingURL=registry.js.map

package/dist/tools/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/tools/registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,MAAM,OAAO,YAAY;IACf,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAElD;;;;OAIG;IACH,QAAQ,CAAC,IAAoB;QAC3B,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,CAAC,IAAI,yBAAyB,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CACb,SAAS,IAAI,CAAC,IAAI,mDAAmD;gBACnE,0DAA0D,CAC7D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,+BAA+B;IAC/B,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,qCAAqC;IACrC,SAAS,CAAC,IAAY;QACpB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,wBAAwB;IACxB,SAAS,CAAC,IAAc;QACtB,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACtD,CAAC;IAED,gCAAgC;IAChC,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED,0DAA0D;IAC1D,WAAW;QACT,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBACrE,MAAM,IAAI,KAAK,CACb,4BAA4B,IAAI,CAAC,IAAI,6CAA6C,CACnF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAED,kEAAkE;AAClE,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC"}

package/dist/tools/resolve.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Tool Activation Resolver — determines which tools should run.
+ *
+ * Resolution order (per spec):
+ * 1. Start with all always-on tools
+ * 2. Run detect(files) for each auto-detect tool; add matches
+ * 3. Add tools from enabledTools (force-enable override)
+ * 4. Remove tools from disabledTools (force-disable override)
+ * 5. Remove tools disabled by deprecated boolean flags (fallback only)
+ *
+ * disabledTools takes precedence over everything.
+ * New fields take precedence over deprecated boolean flags.
+ */
+import type { ToolRegistry } from './registry.js';
+import type { ToolDefinition } from './types.js';
+export interface ToolActivationInput {
+    registry: ToolRegistry;
+    files: string[];
+    enabledTools?: string[];
+    disabledTools?: string[];
+    /** Deprecated boolean flags (backward compat) */
+    enableSemgrep?: boolean;
+    enableTrivy?: boolean;
+    enableCpd?: boolean;
+}
+export interface ActivatedTool {
+    definition: ToolDefinition;
+    reason: 'always-on' | 'auto-detect' | 'force-enabled';
+}
+/**
+ * Resolve which tools should run for this review.
+ *
+ * Returns activated tools in execution order: always-on first, then auto-detect,
+ * then force-enabled.
+ */
+export declare function resolveActivatedTools(input: ToolActivationInput): ActivatedTool[];
+//# sourceMappingURL=resolve.d.ts.map

package/dist/tools/resolve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/tools/resolve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,YAAY,CAAC;IACvB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,iDAAiD;IACjD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,cAAc,CAAC;IAC3B,MAAM,EAAE,WAAW,GAAG,aAAa,GAAG,eAAe,CAAC;CACvD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,mBAAmB,GAAG,aAAa,EAAE,CAsDjF"}

package/dist/tools/resolve.js

@@ -0,0 +1,67 @@
+/**
+ * Tool Activation Resolver — determines which tools should run.
+ *
+ * Resolution order (per spec):
+ * 1. Start with all always-on tools
+ * 2. Run detect(files) for each auto-detect tool; add matches
+ * 3. Add tools from enabledTools (force-enable override)
+ * 4. Remove tools from disabledTools (force-disable override)
+ * 5. Remove tools disabled by deprecated boolean flags (fallback only)
+ *
+ * disabledTools takes precedence over everything.
+ * New fields take precedence over deprecated boolean flags.
+ */
+/**
+ * Resolve which tools should run for this review.
+ *
+ * Returns activated tools in execution order: always-on first, then auto-detect,
+ * then force-enabled.
+ */
+export function resolveActivatedTools(input) {
+    const { registry, files, enabledTools, disabledTools } = input;
+    const activated = new Map();
+    // Step 1: Start with all always-on tools
+    for (const tool of registry.getByTier('always-on')) {
+        activated.set(tool.name, { definition: tool, reason: 'always-on' });
+    }
+    // Step 2: Run detect(files) for each auto-detect tool
+    for (const tool of registry.getByTier('auto-detect')) {
+        if (tool.detect && tool.detect(files)) {
+            activated.set(tool.name, { definition: tool, reason: 'auto-detect' });
+        }
+    }
+    // Step 3: Add tools from enabledTools (force-enable)
+    if (enabledTools && enabledTools.length > 0) {
+        for (const name of enabledTools) {
+            if (!activated.has(name)) {
+                const tool = registry.getByName(name);
+                if (tool) {
+                    activated.set(name, { definition: tool, reason: 'force-enabled' });
+                }
+            }
+        }
+    }
+    // Step 4: Remove tools from disabledTools (force-disable) — takes precedence over everything
+    if (disabledTools && disabledTools.length > 0) {
+        for (const name of disabledTools) {
+            activated.delete(name);
+        }
+    }
+    // Step 5: Apply deprecated boolean flags as fallback
+    // Only apply when the new disabledTools field does NOT already handle the tool
+    const hasNewDisabledField = disabledTools !== undefined && disabledTools.length > 0;
+    if (!hasNewDisabledField) {
+        const deprecatedFlags = [
+            { flag: input.enableSemgrep, tool: 'semgrep' },
+            { flag: input.enableTrivy, tool: 'trivy' },
+            { flag: input.enableCpd, tool: 'cpd' },
+        ];
+        for (const { flag, tool } of deprecatedFlags) {
+            if (flag === false) {
+                activated.delete(tool);
+            }
+        }
+    }
+    return Array.from(activated.values());
+}
+//# sourceMappingURL=resolve.js.map

package/dist/tools/resolve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.js","sourceRoot":"","sources":["../../src/tools/resolve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAqBH;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAA0B;IAC9D,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,KAAK,CAAC;IAE/D,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAC;IAEnD,yCAAyC;IACzC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;QACrD,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YACtC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzB,MAAM,IAAI,GAAG,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,IAAI,EAAE,CAAC;oBACT,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;gBACrE,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,6FAA6F;IAC7F,IAAI,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9C,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;YACjC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,+EAA+E;IAC/E,MAAM,mBAAmB,GAAG,aAAa,KAAK,SAAS,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;IACpF,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,MAAM,eAAe,GAAuD;YAC1E,EAAE,IAAI,EAAE,KAAK,CAAC,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE;YAC9C,EAAE,IAAI,EAAE,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE;YAC1C,EAAE,IAAI,EAAE,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE;SACvC,CAAC;QAEF,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,eAAe,EAAE,CAAC;YAC7C,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACnB,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC"}

package/dist/tools/runner.d.ts

@@ -4,19 +4,33 @@
  *
  * These tools are run one at a time because running them in parallel
  * (Python + JVM + Go) can exceed container memory limits (2GB on Cloud Run).
+ *
+ * Feature flag `GHAGGA_TOOL_REGISTRY`:
+ * - When true: uses the new registry-driven orchestrator (Phase 2+)
+ * - When false/unset: uses the existing hardcoded 3-tool path
+ */
+import type { ReviewSettings, StaticAnalysisResult } from '../types.js';
+/**
+ * Check if the tool registry feature flag is enabled.
  */
-import type { StaticAnalysisResult, ReviewSettings } from '../types.js';
+export declare function isToolRegistryEnabled(): boolean;
 /**
  * Run all enabled static analysis tools sequentially.
  *
+ * When GHAGGA_TOOL_REGISTRY=true, uses the registry-driven orchestrator.
+ * Otherwise, falls back to the hardcoded 3-tool path.
+ *
  * @param files - Map of file paths to file contents (for Semgrep)
  * @param scanPath - Directory path on disk (for Trivy and CPD)
  * @param settings - Which tools are enabled
  */
-export declare function runStaticAnalysis(files: Map<string, string>, scanPath: string, settings: Pick<ReviewSettings, 'enableSemgrep' | 'enableTrivy' | 'enableCpd' | 'customRules'>): Promise<StaticAnalysisResult>;
+export declare function runStaticAnalysis(files: Map<string, string>, scanPath: string, settings: Pick<ReviewSettings, 'enableSemgrep' | 'enableTrivy' | 'enableCpd' | 'customRules' | 'enabledTools' | 'disabledTools'>): Promise<StaticAnalysisResult>;
 /**
  * Format static analysis findings into a prompt context block.
  * This is injected into LLM prompts so agents don't repeat findings.
+ *
+ * Iterates all tool results dynamically (not hardcoded to semgrep/trivy/cpd).
+ * Applies a finding cap of 200 with severity-priority sorting.
  */
 export declare function formatStaticAnalysisContext(result: StaticAnalysisResult): string;
 //# sourceMappingURL=runner.d.ts.map

package/dist/tools/runner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/tools/runner.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,oBAAoB,EAAE,cAAc,EAAc,MAAM,aAAa,CAAC;AAyBpF;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC1B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,IAAI,CAAC,cAAc,EAAE,eAAe,GAAG,aAAa,GAAG,WAAW,GAAG,aAAa,CAAC,GAC5F,OAAO,CAAC,oBAAoB,CAAC,CAqB/B;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAqBhF"}
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/tools/runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAiB,cAAc,EAAE,oBAAoB,EAAc,MAAM,aAAa,CAAC;AAoBnG;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAE/C;AAkBD;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC1B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,IAAI,CACZ,cAAc,EACd,eAAe,GAAG,aAAa,GAAG,WAAW,GAAG,aAAa,GAAG,cAAc,GAAG,eAAe,CACjG,GACA,OAAO,CAAC,oBAAoB,CAAC,CA6B/B;AA8CD;;;;;;GAMG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAqChF"}