ghagga-core 2.3.0 → 2.4.1

package/dist/tools/plugins/gitleaks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/gitleaks.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAanF;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAiBxF;AAED,eAAO,MAAM,cAAc,EAAE,cAgE5B,CAAC"}

package/dist/tools/plugins/gitleaks.js

@@ -0,0 +1,81 @@
+/**
+ * Gitleaks plugin — secret detection (always-on).
+ *
+ * Scans the repository for hardcoded secrets, API keys, and credentials.
+ * All secret findings are reported as critical severity.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const GITLEAKS_VERSION = '8.21.2';
+const GITLEAKS_BIN = '/usr/local/bin/gitleaks';
+/**
+ * Parse Gitleaks JSON output into ReviewFinding[].
+ * Gitleaks writes results to a report file; we read from stdout or the report.
+ * Exported for direct testing with fixture data.
+ */
+export function parseGitleaksOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const findings = JSON.parse(raw.stdout);
+        return findings.map((f) => ({
+            severity: 'critical',
+            category: 'secrets',
+            file: f.File.replace(`${repoDir}/`, ''),
+            line: f.StartLine,
+            message: `${f.Description} (rule: ${f.RuleID})`,
+            source: 'gitleaks',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const gitleaksPlugin = {
+    name: 'gitleaks',
+    displayName: 'Gitleaks',
+    category: 'secrets',
+    tier: 'always-on',
+    version: GITLEAKS_VERSION,
+    outputFormat: 'json',
+    cachePaths: [GITLEAKS_BIN],
+    async install(ctx) {
+        const cached = await ctx.cacheRestore('gitleaks', [GITLEAKS_BIN]);
+        if (cached) {
+            try {
+                await ctx.exec('gitleaks', ['version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'Gitleaks cache restored but binary not functional, reinstalling');
+            }
+        }
+        // Download Gitleaks binary from GitHub Releases
+        await ctx.exec('bash', [
+            '-c',
+            `curl -sL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar xz -C /usr/local/bin gitleaks`,
+        ], { timeoutMs: 120_000 });
+        await ctx.exec('gitleaks', ['version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('gitleaks', [GITLEAKS_BIN]);
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        const reportPath = '/tmp/gitleaks-result.json';
+        await ctx.exec('gitleaks', [
+            'detect',
+            `--source=${repoDir}`,
+            '--report-format=json',
+            `--report-path=${reportPath}`,
+            '--no-git',
+            '--exit-code=0',
+        ], {
+            timeoutMs: timeout,
+        });
+        // Read the report file and return it as stdout
+        return ctx.exec('cat', [reportPath], {
+            timeoutMs: 10_000,
+            allowExitCodes: [1], // cat may fail if no findings file
+        });
+    },
+    parse: parseGitleaksOutput,
+};
+//# sourceMappingURL=gitleaks.js.map

package/dist/tools/plugins/gitleaks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitleaks.js","sourceRoot":"","sources":["../../../src/tools/plugins/gitleaks.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,gBAAgB,GAAG,QAAQ,CAAC;AAClC,MAAM,YAAY,GAAG,yBAAyB,CAAC;AAU/C;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAkB,EAAE,OAAe;IACrE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAsB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE3D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,QAAQ,EAAE,UAAmB;YAC7B,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,SAAS;YACjB,OAAO,EAAE,GAAG,CAAC,CAAC,WAAW,WAAW,CAAC,CAAC,MAAM,GAAG;YAC/C,MAAM,EAAE,UAAmB;SAC5B,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAmB;IAC5C,IAAI,EAAE,UAAU;IAChB,WAAW,EAAE,UAAU;IACvB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,gBAAgB;IACzB,YAAY,EAAE,MAAM;IACpB,UAAU,EAAE,CAAC,YAAY,CAAC;IAE1B,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;QAClE,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC/D,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,iEAAiE,CAAC,CAAC;YACrF,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,MAAM,GAAG,CAAC,IAAI,CACZ,MAAM,EACN;YACE,IAAI;YACJ,qEAAqE,gBAAgB,aAAa,gBAAgB,wDAAwD;SAC3K,EACD,EAAE,SAAS,EAAE,OAAO,EAAE,CACvB,CAAC;QACF,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/D,MAAM,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,MAAM,UAAU,GAAG,2BAA2B,CAAC;QAE/C,MAAM,GAAG,CAAC,IAAI,CACZ,UAAU,EACV;YACE,QAAQ;YACR,YAAY,OAAO,EAAE;YACrB,sBAAsB;YACtB,iBAAiB,UAAU,EAAE;YAC7B,UAAU;YACV,eAAe;SAChB,EACD;YACE,SAAS,EAAE,OAAO;SACnB,CACF,CAAC;QAEF,+CAA+C;QAC/C,OAAO,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,UAAU,CAAC,EAAE;YACnC,SAAS,EAAE,MAAM;YACjB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,mCAAmC;SACzD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,mBAAmB;CAC3B,CAAC"}

package/dist/tools/plugins/golangci-lint.d.ts

@@ -0,0 +1,27 @@
+/**
+ * golangci-lint plugin — Go code analysis (auto-detect).
+ *
+ * Runs multiple Go linters in a single pass.
+ * Activates when Go files or go.mod is detected.
+ * Maps gosec linter findings to security/high, others to quality/medium.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map golangci-lint issue to GHAGGA FindingSeverity and category.
+ * gosec linter → security category with high severity.
+ * Other linters → quality category with medium severity.
+ */
+export declare function mapGolangciLintFinding(fromLinter: string): {
+    severity: FindingSeverity;
+    category: string;
+};
+/**
+ * Parse golangci-lint JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseGolangciLintOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const golangciLintPlugin: ToolDefinition;
+//# sourceMappingURL=golangci-lint.d.ts.map

package/dist/tools/plugins/golangci-lint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"golangci-lint.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/golangci-lint.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKnF;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG;IAC1D,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;CAClB,CAKA;AAgBD;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAqB5F;AAED,eAAO,MAAM,kBAAkB,EAAE,cAwDhC,CAAC"}

package/dist/tools/plugins/golangci-lint.js

@@ -0,0 +1,87 @@
+/**
+ * golangci-lint plugin — Go code analysis (auto-detect).
+ *
+ * Runs multiple Go linters in a single pass.
+ * Activates when Go files or go.mod is detected.
+ * Maps gosec linter findings to security/high, others to quality/medium.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const GOLANGCI_LINT_VERSION = '1.63.4';
+const GOLANGCI_LINT_BIN = '/usr/local/bin/golangci-lint';
+/**
+ * Map golangci-lint issue to GHAGGA FindingSeverity and category.
+ * gosec linter → security category with high severity.
+ * Other linters → quality category with medium severity.
+ */
+export function mapGolangciLintFinding(fromLinter) {
+    if (fromLinter === 'gosec') {
+        return { severity: 'high', category: 'security' };
+    }
+    return { severity: 'medium', category: 'quality' };
+}
+/**
+ * Parse golangci-lint JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseGolangciLintOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const result = JSON.parse(raw.stdout);
+        return (result.Issues ?? []).map((issue) => {
+            const { severity, category } = mapGolangciLintFinding(issue.FromLinter);
+            return {
+                severity,
+                category,
+                file: issue.Pos.Filename.replace(`${repoDir}/`, ''),
+                line: issue.Pos.Line,
+                message: `[${issue.FromLinter}] ${issue.Text}`,
+                source: 'golangci-lint',
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+export const golangciLintPlugin = {
+    name: 'golangci-lint',
+    displayName: 'golangci-lint',
+    category: 'quality',
+    tier: 'auto-detect',
+    version: GOLANGCI_LINT_VERSION,
+    outputFormat: 'json',
+    cachePaths: [GOLANGCI_LINT_BIN],
+    detect(files) {
+        return files.some((f) => f === 'go.mod' || f.endsWith('.go'));
+    },
+    async install(ctx) {
+        const cached = await ctx.cacheRestore('golangci-lint', [GOLANGCI_LINT_BIN]);
+        if (cached) {
+            try {
+                await ctx.exec('golangci-lint', ['--version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'golangci-lint cache restored but binary not functional, reinstalling');
+            }
+        }
+        await ctx.exec('bash', [
+            '-c',
+            `curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin v${GOLANGCI_LINT_VERSION}`,
+        ], { timeoutMs: 120_000 });
+        await ctx.exec('golangci-lint', ['--version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('golangci-lint', [GOLANGCI_LINT_BIN]);
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        const timeoutSec = Math.max(60, Math.floor(timeout / 1000));
+        return ctx.exec('golangci-lint', ['run', '--out-format', 'json', '--timeout', `${timeoutSec}s`], {
+            timeoutMs: timeout,
+            cwd: repoDir,
+            allowExitCodes: [1], // returns 1 when findings are present
+        });
+    },
+    parse: parseGolangciLintOutput,
+};
+//# sourceMappingURL=golangci-lint.js.map

package/dist/tools/plugins/golangci-lint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"golangci-lint.js","sourceRoot":"","sources":["../../../src/tools/plugins/golangci-lint.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,qBAAqB,GAAG,QAAQ,CAAC;AACvC,MAAM,iBAAiB,GAAG,8BAA8B,CAAC;AAEzD;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,UAAkB;IAIvD,IAAI,UAAU,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IACpD,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACrD,CAAC;AAgBD;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAkB,EAAE,OAAe;IACzE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAuB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE1D,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACzC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,sBAAsB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAExE,OAAO;gBACL,QAAQ;gBACR,QAAQ;gBACR,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;gBACnD,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI;gBACpB,OAAO,EAAE,IAAI,KAAK,CAAC,UAAU,KAAK,KAAK,CAAC,IAAI,EAAE;gBAC9C,MAAM,EAAE,eAAwB;aACjC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAmB;IAChD,IAAI,EAAE,eAAe;IACrB,WAAW,EAAE,eAAe;IAC5B,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,qBAAqB;IAC9B,YAAY,EAAE,MAAM;IACpB,UAAU,EAAE,CAAC,iBAAiB,CAAC;IAE/B,MAAM,CAAC,KAAe;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAC5E,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,sEAAsE,CAAC,CAAC;YAC1F,CAAC;QACH,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CACZ,MAAM,EACN;YACE,IAAI;YACJ,uHAAuH,qBAAqB,EAAE;SAC/I,EACD,EAAE,SAAS,EAAE,OAAO,EAAE,CACvB,CAAC;QACF,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QACtE,MAAM,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;QAE5D,OAAO,GAAG,CAAC,IAAI,CACb,eAAe,EACf,CAAC,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,GAAG,CAAC,EAC9D;YACE,SAAS,EAAE,OAAO;YAClB,GAAG,EAAE,OAAO;YACZ,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,sCAAsC;SAC5D,CACF,CAAC;IACJ,CAAC;IAED,KAAK,EAAE,uBAAuB;CAC/B,CAAC"}

package/dist/tools/plugins/hadolint.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Hadolint plugin — Dockerfile linting (auto-detect).
+ *
+ * Lints Dockerfiles for best practices and common issues.
+ * Activates when Dockerfile-named files are detected.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map Hadolint level to GHAGGA FindingSeverity.
+ * error→high, warning→medium, info→info, style→low
+ */
+export declare function mapHadolintSeverity(level: string): FindingSeverity;
+/**
+ * Parse Hadolint JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseHadolintOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const hadolintPlugin: ToolDefinition;
+//# sourceMappingURL=hadolint.d.ts.map

package/dist/tools/plugins/hadolint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hadolint.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/hadolint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKnF;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,CAalE;AAYD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAiBxF;AAED,eAAO,MAAM,cAAc,EAAE,cA8D5B,CAAC"}

package/dist/tools/plugins/hadolint.js

@@ -0,0 +1,99 @@
+/**
+ * Hadolint plugin — Dockerfile linting (auto-detect).
+ *
+ * Lints Dockerfiles for best practices and common issues.
+ * Activates when Dockerfile-named files are detected.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const HADOLINT_VERSION = '2.12.0';
+const HADOLINT_BIN = '/usr/local/bin/hadolint';
+/**
+ * Map Hadolint level to GHAGGA FindingSeverity.
+ * error→high, warning→medium, info→info, style→low
+ */
+export function mapHadolintSeverity(level) {
+    switch (level.toLowerCase()) {
+        case 'error':
+            return 'high';
+        case 'warning':
+            return 'medium';
+        case 'info':
+            return 'info';
+        case 'style':
+            return 'low';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Parse Hadolint JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseHadolintOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const findings = JSON.parse(raw.stdout);
+        return findings.map((f) => ({
+            severity: mapHadolintSeverity(f.level),
+            category: 'quality',
+            file: f.file.replace(`${repoDir}/`, ''),
+            line: f.line,
+            message: `${f.code}: ${f.message}`,
+            source: 'hadolint',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const hadolintPlugin = {
+    name: 'hadolint',
+    displayName: 'Hadolint',
+    category: 'quality',
+    tier: 'auto-detect',
+    version: HADOLINT_VERSION,
+    outputFormat: 'json',
+    cachePaths: [HADOLINT_BIN],
+    detect(files) {
+        return files.some((f) => {
+            const basename = f.split('/').pop() ?? '';
+            return /Dockerfile/.test(basename);
+        });
+    },
+    async install(ctx) {
+        const cached = await ctx.cacheRestore('hadolint', [HADOLINT_BIN]);
+        if (cached) {
+            try {
+                await ctx.exec('hadolint', ['--version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'Hadolint cache restored but binary not functional, reinstalling');
+            }
+        }
+        await ctx.exec('bash', [
+            '-c',
+            `curl -sL "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" -o ${HADOLINT_BIN} && chmod +x ${HADOLINT_BIN}`,
+        ], { timeoutMs: 120_000 });
+        await ctx.exec('hadolint', ['--version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('hadolint', [HADOLINT_BIN]);
+    },
+    async run(ctx, _repoDir, files, timeout) {
+        // Filter to only Dockerfile-matching files
+        const dockerfiles = files.filter((f) => {
+            const basename = f.split('/').pop() ?? '';
+            return /Dockerfile/.test(basename);
+        });
+        if (dockerfiles.length === 0) {
+            return { stdout: '[]', stderr: '', exitCode: 0, timedOut: false };
+        }
+        return ctx.exec('hadolint', ['--format', 'json', ...dockerfiles], {
+            timeoutMs: timeout,
+            allowExitCodes: [1], // hadolint returns 1 when findings are present
+        });
+    },
+    parse: parseHadolintOutput,
+};
+//# sourceMappingURL=hadolint.js.map

package/dist/tools/plugins/hadolint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hadolint.js","sourceRoot":"","sources":["../../../src/tools/plugins/hadolint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,gBAAgB,GAAG,QAAQ,CAAC;AAClC,MAAM,YAAY,GAAG,yBAAyB,CAAC;AAE/C;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,QAAQ,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;QAC5B,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,OAAO;YACV,OAAO,KAAK,CAAC;QACf;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAYD;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAkB,EAAE,OAAe;IACrE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAsB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE3D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,QAAQ,EAAE,mBAAmB,CAAC,CAAC,CAAC,KAAK,CAAC;YACtC,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE;YAClC,MAAM,EAAE,UAAmB;SAC5B,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAmB;IAC5C,IAAI,EAAE,UAAU;IAChB,WAAW,EAAE,UAAU;IACvB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,gBAAgB;IACzB,YAAY,EAAE,MAAM;IACpB,UAAU,EAAE,CAAC,YAAY,CAAC;IAE1B,MAAM,CAAC,KAAe;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACtB,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAC1C,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;QAClE,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBACjE,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,iEAAiE,CAAC,CAAC;YACrF,CAAC;QACH,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CACZ,MAAM,EACN;YACE,IAAI;YACJ,qEAAqE,gBAAgB,8BAA8B,YAAY,gBAAgB,YAAY,EAAE;SAC9J,EACD,EAAE,SAAS,EAAE,OAAO,EAAE,CACvB,CAAC;QACF,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QACjE,MAAM,GAAG,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,QAAgB,EAChB,KAAe,EACf,OAAe;QAEf,2CAA2C;QAC3C,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACrC,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;YAC1C,OAAO,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QACpE,CAAC;QAED,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE;YAChE,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,+CAA+C;SACrE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,mBAAmB;CAC3B,CAAC"}

package/dist/tools/plugins/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Plugin registry initialization.
+ *
+ * Imports all tool plugins and registers them with the singleton toolRegistry.
+ * Call `initializeDefaultTools()` to populate the registry.
+ *
+ * Phase 2: semgrep, trivy, cpd (always-on)
+ * Phase 3: gitleaks, shellcheck, markdownlint, lizard (always-on)
+ * Phase 4: ruff, bandit, golangci-lint (auto-detect)
+ * Phase 5: biome, pmd, psalm, clippy, hadolint (auto-detect)
+ */
+/**
+ * Register all default tool plugins with the registry.
+ * Safe to call multiple times — only registers once.
+ */
+export declare function initializeDefaultTools(): void;
+/**
+ * Reset the initialization flag (for tests).
+ * @internal
+ */
+export declare function resetInitialization(): void;
+export { banditPlugin } from './bandit.js';
+export { biomePlugin } from './biome.js';
+export { clippyPlugin } from './clippy.js';
+export { cpdPlugin } from './cpd.js';
+export { gitleaksPlugin } from './gitleaks.js';
+export { golangciLintPlugin } from './golangci-lint.js';
+export { hadolintPlugin } from './hadolint.js';
+export { lizardPlugin } from './lizard.js';
+export { markdownlintPlugin } from './markdownlint.js';
+export { pmdPlugin } from './pmd.js';
+export { psalmPlugin } from './psalm.js';
+export { ruffPlugin } from './ruff.js';
+export { semgrepPlugin } from './semgrep.js';
+export { shellcheckPlugin } from './shellcheck.js';
+export { trivyPlugin } from './trivy.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/tools/plugins/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAgDH;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,IAAI,CAQ7C;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C;AAED,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAErC,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC"}

package/dist/tools/plugins/index.js

@@ -0,0 +1,93 @@
+/**
+ * Plugin registry initialization.
+ *
+ * Imports all tool plugins and registers them with the singleton toolRegistry.
+ * Call `initializeDefaultTools()` to populate the registry.
+ *
+ * Phase 2: semgrep, trivy, cpd (always-on)
+ * Phase 3: gitleaks, shellcheck, markdownlint, lizard (always-on)
+ * Phase 4: ruff, bandit, golangci-lint (auto-detect)
+ * Phase 5: biome, pmd, psalm, clippy, hadolint (auto-detect)
+ */
+import { toolRegistry } from '../registry.js';
+// Phase 4: auto-detect (Python + Go)
+import { banditPlugin } from './bandit.js';
+// Phase 5: auto-detect (remaining)
+import { biomePlugin } from './biome.js';
+import { clippyPlugin } from './clippy.js';
+// Phase 2: always-on (adapted)
+import { cpdPlugin } from './cpd.js';
+// Phase 3: always-on (new)
+import { gitleaksPlugin } from './gitleaks.js';
+import { golangciLintPlugin } from './golangci-lint.js';
+import { hadolintPlugin } from './hadolint.js';
+import { lizardPlugin } from './lizard.js';
+import { markdownlintPlugin } from './markdownlint.js';
+import { pmdPlugin } from './pmd.js';
+import { psalmPlugin } from './psalm.js';
+import { ruffPlugin } from './ruff.js';
+import { semgrepPlugin } from './semgrep.js';
+import { shellcheckPlugin } from './shellcheck.js';
+import { trivyPlugin } from './trivy.js';
+/** All built-in plugins. Grows as more phases are implemented. */
+const DEFAULT_PLUGINS = [
+    // Phase 2: always-on (adapted)
+    semgrepPlugin,
+    trivyPlugin,
+    cpdPlugin,
+    // Phase 3: always-on (new)
+    gitleaksPlugin,
+    shellcheckPlugin,
+    markdownlintPlugin,
+    lizardPlugin,
+    // Phase 4: auto-detect (Python + Go)
+    ruffPlugin,
+    banditPlugin,
+    golangciLintPlugin,
+    // Phase 5: auto-detect (remaining)
+    biomePlugin,
+    pmdPlugin,
+    psalmPlugin,
+    clippyPlugin,
+    hadolintPlugin,
+];
+let initialized = false;
+/**
+ * Register all default tool plugins with the registry.
+ * Safe to call multiple times — only registers once.
+ */
+export function initializeDefaultTools() {
+    if (initialized)
+        return;
+    for (const plugin of DEFAULT_PLUGINS) {
+        toolRegistry.register(plugin);
+    }
+    initialized = true;
+}
+/**
+ * Reset the initialization flag (for tests).
+ * @internal
+ */
+export function resetInitialization() {
+    initialized = false;
+}
+export { banditPlugin } from './bandit.js';
+// Phase 5
+export { biomePlugin } from './biome.js';
+export { clippyPlugin } from './clippy.js';
+// Re-export plugins for direct access
+export { cpdPlugin } from './cpd.js';
+// Phase 3
+export { gitleaksPlugin } from './gitleaks.js';
+export { golangciLintPlugin } from './golangci-lint.js';
+export { hadolintPlugin } from './hadolint.js';
+export { lizardPlugin } from './lizard.js';
+export { markdownlintPlugin } from './markdownlint.js';
+export { pmdPlugin } from './pmd.js';
+export { psalmPlugin } from './psalm.js';
+// Phase 4
+export { ruffPlugin } from './ruff.js';
+export { semgrepPlugin } from './semgrep.js';
+export { shellcheckPlugin } from './shellcheck.js';
+export { trivyPlugin } from './trivy.js';
+//# sourceMappingURL=index.js.map

package/dist/tools/plugins/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/tools/plugins/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,qCAAqC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,mCAAmC;AACnC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,+BAA+B;AAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,2BAA2B;AAC3B,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAEzC,kEAAkE;AAClE,MAAM,eAAe,GAAG;IACtB,+BAA+B;IAC/B,aAAa;IACb,WAAW;IACX,SAAS;IACT,2BAA2B;IAC3B,cAAc;IACd,gBAAgB;IAChB,kBAAkB;IAClB,YAAY;IACZ,qCAAqC;IACrC,UAAU;IACV,YAAY;IACZ,kBAAkB;IAClB,mCAAmC;IACnC,WAAW;IACX,SAAS;IACT,WAAW;IACX,YAAY;IACZ,cAAc;CACf,CAAC;AAEF,IAAI,WAAW,GAAG,KAAK,CAAC;AAExB;;;GAGG;AACH,MAAM,UAAU,sBAAsB;IACpC,IAAI,WAAW;QAAE,OAAO;IAExB,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;QACrC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,WAAW,GAAG,IAAI,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,WAAW,GAAG,KAAK,CAAC;AACtB,CAAC;AAED,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,UAAU;AACV,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,sCAAsC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,UAAU;AACV,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,UAAU;AACV,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC"}

package/dist/tools/plugins/lizard.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Lizard plugin — cyclomatic complexity analysis (always-on).
+ *
+ * Analyzes function-level cyclomatic complexity across all languages.
+ * Flags functions exceeding complexity thresholds:
+ *   CCN > 20 → high, CCN > 15 → medium, CCN > 10 → low, CCN ≤ 10 → skip
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map cyclomatic complexity to GHAGGA FindingSeverity.
+ * Returns null for functions below threshold (CCN ≤ 10).
+ */
+export declare function mapComplexitySeverity(ccn: number): FindingSeverity | null;
+/**
+ * Parse Lizard JSON output into ReviewFinding[].
+ * Only includes functions with CCN > 10.
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseLizardOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const lizardPlugin: ToolDefinition;
+//# sourceMappingURL=lizard.d.ts.map

package/dist/tools/plugins/lizard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lizard.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/lizard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAKzE;AAgBD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CA2BtF;AAED,eAAO,MAAM,YAAY,EAAE,cAkC1B,CAAC"}

package/dist/tools/plugins/lizard.js

@@ -0,0 +1,83 @@
+/**
+ * Lizard plugin — cyclomatic complexity analysis (always-on).
+ *
+ * Analyzes function-level cyclomatic complexity across all languages.
+ * Flags functions exceeding complexity thresholds:
+ *   CCN > 20 → high, CCN > 15 → medium, CCN > 10 → low, CCN ≤ 10 → skip
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const LIZARD_VERSION = '1.17.13';
+/**
+ * Map cyclomatic complexity to GHAGGA FindingSeverity.
+ * Returns null for functions below threshold (CCN ≤ 10).
+ */
+export function mapComplexitySeverity(ccn) {
+    if (ccn > 20)
+        return 'high';
+    if (ccn > 15)
+        return 'medium';
+    if (ccn > 10)
+        return 'low';
+    return null;
+}
+/**
+ * Parse Lizard JSON output into ReviewFinding[].
+ * Only includes functions with CCN > 10.
+ * Exported for direct testing with fixture data.
+ */
+export function parseLizardOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const files = JSON.parse(raw.stdout);
+        const findings = [];
+        for (const file of files) {
+            for (const func of file.function_list) {
+                const severity = mapComplexitySeverity(func.cyclomatic_complexity);
+                if (severity === null)
+                    continue;
+                findings.push({
+                    severity,
+                    category: 'complexity',
+                    file: file.filename.replace(`${repoDir}/`, ''),
+                    line: func.start_line,
+                    message: `Function '${func.name}' has cyclomatic complexity of ${func.cyclomatic_complexity} (threshold: 10)`,
+                    source: 'lizard',
+                });
+            }
+        }
+        return findings;
+    }
+    catch {
+        return [];
+    }
+}
+export const lizardPlugin = {
+    name: 'lizard',
+    displayName: 'Lizard',
+    category: 'complexity',
+    tier: 'always-on',
+    version: LIZARD_VERSION,
+    outputFormat: 'json',
+    async install(ctx) {
+        try {
+            await ctx.exec('lizard', ['--version'], { timeoutMs: 10_000 });
+            return;
+        }
+        catch {
+            ctx.log('info', 'Lizard not found, installing...');
+        }
+        await ctx.exec('pip', ['install', '--quiet', `lizard==${LIZARD_VERSION}`], {
+            timeoutMs: 120_000,
+        });
+        await ctx.exec('lizard', ['--version'], { timeoutMs: 10_000 });
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        return ctx.exec('lizard', ['--json', repoDir], {
+            timeoutMs: timeout,
+        });
+    },
+    parse: parseLizardOutput,
+};
+//# sourceMappingURL=lizard.js.map

package/dist/tools/plugins/lizard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lizard.js","sourceRoot":"","sources":["../../../src/tools/plugins/lizard.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,cAAc,GAAG,SAAS,CAAC;AAEjC;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAW;IAC/C,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,MAAM,CAAC;IAC5B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,QAAQ,CAAC;IAC9B,IAAI,GAAG,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3B,OAAO,IAAI,CAAC;AACd,CAAC;AAgBD;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAkB,EAAE,OAAe;IACnE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,KAAK,GAAiB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;gBACtC,MAAM,QAAQ,GAAG,qBAAqB,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;gBACnE,IAAI,QAAQ,KAAK,IAAI;oBAAE,SAAS;gBAEhC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ;oBACR,QAAQ,EAAE,YAAY;oBACtB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;oBAC9C,IAAI,EAAE,IAAI,CAAC,UAAU;oBACrB,OAAO,EAAE,aAAa,IAAI,CAAC,IAAI,kCAAkC,IAAI,CAAC,qBAAqB,kBAAkB;oBAC7G,MAAM,EAAE,QAAiB;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,QAAQ;IACrB,QAAQ,EAAE,YAAY;IACtB,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,cAAc;IACvB,YAAY,EAAE,MAAM;IAEpB,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YAC/D,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,cAAc,EAAE,CAAC,EAAE;YACzE,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,OAAO,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE;YAC7C,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,iBAAiB;CACzB,CAAC"}

package/dist/tools/plugins/markdownlint.d.ts

@@ -0,0 +1,17 @@
+/**
+ * markdownlint-cli2 plugin — Markdown documentation linting (always-on).
+ *
+ * Lints Markdown files for style and formatting issues.
+ * Only runs on *.md files; returns empty findings if none found.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Parse markdownlint-cli2 JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseMarkdownlintOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const markdownlintPlugin: ToolDefinition;
+//# sourceMappingURL=markdownlint.d.ts.map

package/dist/tools/plugins/markdownlint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdownlint.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/markdownlint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAanF;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAsB5F;AAED,eAAO,MAAM,kBAAkB,EAAE,cA2ChC,CAAC"}