ghagga-core 2.3.0 → 2.4.1

package/dist/tools/plugins/markdownlint.js

@@ -0,0 +1,70 @@
+/**
+ * markdownlint-cli2 plugin — Markdown documentation linting (always-on).
+ *
+ * Lints Markdown files for style and formatting issues.
+ * Only runs on *.md files; returns empty findings if none found.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const MARKDOWNLINT_VERSION = '0.17.1';
+/**
+ * Parse markdownlint-cli2 JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseMarkdownlintOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const findings = JSON.parse(raw.stdout);
+        return findings.map((f) => {
+            const ruleName = f.ruleNames[0] ?? 'unknown';
+            const detail = f.errorDetail ? ` (${f.errorDetail})` : '';
+            return {
+                severity: 'info',
+                category: 'docs',
+                file: f.fileName.replace(`${repoDir}/`, ''),
+                line: f.lineNumber,
+                message: `${ruleName}: ${f.ruleDescription}${detail}`,
+                source: 'markdownlint',
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+export const markdownlintPlugin = {
+    name: 'markdownlint',
+    displayName: 'markdownlint-cli2',
+    category: 'docs',
+    tier: 'always-on',
+    version: MARKDOWNLINT_VERSION,
+    outputFormat: 'json',
+    async install(ctx) {
+        try {
+            await ctx.exec('markdownlint-cli2', ['--help'], { timeoutMs: 10_000 });
+            return;
+        }
+        catch {
+            ctx.log('info', 'markdownlint-cli2 not found, installing...');
+        }
+        await ctx.exec('npm', ['install', '-g', `markdownlint-cli2@${MARKDOWNLINT_VERSION}`], {
+            timeoutMs: 120_000,
+        });
+        await ctx.exec('markdownlint-cli2', ['--help'], { timeoutMs: 10_000 });
+    },
+    async run(ctx, _repoDir, files, timeout) {
+        // Filter to only Markdown files
+        const mdFiles = files.filter((f) => f.endsWith('.md'));
+        if (mdFiles.length === 0) {
+            // No Markdown files — return empty output
+            return { stdout: '[]', stderr: '', exitCode: 0, timedOut: false };
+        }
+        return ctx.exec('markdownlint-cli2', ['--config', '{}', ...mdFiles], {
+            timeoutMs: timeout,
+            allowExitCodes: [1], // markdownlint returns 1 when findings are present
+        });
+    },
+    parse: parseMarkdownlintOutput,
+};
+//# sourceMappingURL=markdownlint.js.map

package/dist/tools/plugins/markdownlint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"markdownlint.js","sourceRoot":"","sources":["../../../src/tools/plugins/markdownlint.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,oBAAoB,GAAG,QAAQ,CAAC;AAWtC;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAkB,EAAE,OAAe;IACzE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAA0B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE/D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACxB,MAAM,QAAQ,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;YAC7C,MAAM,MAAM,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAE1D,OAAO;gBACL,QAAQ,EAAE,MAAe;gBACzB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;gBAC3C,IAAI,EAAE,CAAC,CAAC,UAAU;gBAClB,OAAO,EAAE,GAAG,QAAQ,KAAK,CAAC,CAAC,eAAe,GAAG,MAAM,EAAE;gBACrD,MAAM,EAAE,cAAuB;aAChC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAmB;IAChD,IAAI,EAAE,cAAc;IACpB,WAAW,EAAE,mBAAmB;IAChC,QAAQ,EAAE,MAAM;IAChB,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,oBAAoB;IAC7B,YAAY,EAAE,MAAM;IAEpB,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YACvE,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,IAAI,EAAE,qBAAqB,oBAAoB,EAAE,CAAC,EAAE;YACpF,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,QAAgB,EAChB,KAAe,EACf,OAAe;QAEf,gCAAgC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QAEvD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,0CAA0C;YAC1C,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;QACpE,CAAC;QAED,OAAO,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,EAAE;YACnE,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,mDAAmD;SACzE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,uBAAuB;CAC/B,CAAC"}

package/dist/tools/plugins/pmd.d.ts

@@ -0,0 +1,23 @@
+/**
+ * PMD plugin — Java code quality analysis (auto-detect).
+ *
+ * Runs PMD static analysis with the quickstart ruleset.
+ * Shares installation with CPD (both use the PMD binary at /opt/pmd).
+ * Activates when Java or Kotlin files are detected.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map PMD violation priority to GHAGGA FindingSeverity.
+ * 1→critical, 2→high, 3→medium, 4→low, 5→info
+ */
+export declare function mapPmdPriority(priority: number): FindingSeverity;
+/**
+ * Parse PMD JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parsePmdOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const pmdPlugin: ToolDefinition;
+//# sourceMappingURL=pmd.d.ts.map

package/dist/tools/plugins/pmd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pmd.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/pmd.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAMnF;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,CAehE;AAgBD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAwBnF;AAED,eAAO,MAAM,SAAS,EAAE,cA+DvB,CAAC"}

package/dist/tools/plugins/pmd.js

@@ -0,0 +1,108 @@
+/**
+ * PMD plugin — Java code quality analysis (auto-detect).
+ *
+ * Runs PMD static analysis with the quickstart ruleset.
+ * Shares installation with CPD (both use the PMD binary at /opt/pmd).
+ * Activates when Java or Kotlin files are detected.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const PMD_VERSION = '7.8.0';
+const PMD_HOME = '/opt/pmd';
+const PMD_BIN = `${PMD_HOME}/bin/pmd`;
+/**
+ * Map PMD violation priority to GHAGGA FindingSeverity.
+ * 1→critical, 2→high, 3→medium, 4→low, 5→info
+ */
+export function mapPmdPriority(priority) {
+    switch (priority) {
+        case 1:
+            return 'critical';
+        case 2:
+            return 'high';
+        case 3:
+            return 'medium';
+        case 4:
+            return 'low';
+        case 5:
+            return 'info';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Parse PMD JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parsePmdOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const result = JSON.parse(raw.stdout);
+        const findings = [];
+        for (const file of result.files ?? []) {
+            for (const violation of file.violations) {
+                findings.push({
+                    severity: mapPmdPriority(violation.priority),
+                    category: 'quality',
+                    file: file.filename.replace(`${repoDir}/`, ''),
+                    line: violation.beginline,
+                    message: `[${violation.rule}] ${violation.description}`,
+                    source: 'pmd',
+                });
+            }
+        }
+        return findings;
+    }
+    catch {
+        return [];
+    }
+}
+export const pmdPlugin = {
+    name: 'pmd',
+    displayName: 'PMD',
+    category: 'quality',
+    tier: 'auto-detect',
+    version: PMD_VERSION,
+    outputFormat: 'json',
+    detect(files) {
+        return files.some((f) => /\.(java|kt)$/.test(f));
+    },
+    async install(ctx) {
+        // PMD may already be installed via CPD plugin (shared binary)
+        try {
+            await ctx.exec(PMD_BIN, ['--version'], { timeoutMs: 10_000 });
+            return;
+        }
+        catch {
+            ctx.log('info', 'PMD not found, installing (shared with CPD)...');
+        }
+        const cached = await ctx.cacheRestore('cpd', [PMD_HOME]);
+        if (cached) {
+            try {
+                await ctx.exec(PMD_BIN, ['--version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'PMD cache restored but binary not functional, reinstalling');
+            }
+        }
+        await ctx.exec('bash', [
+            '-c',
+            `curl -sL "https://github.com/pmd/pmd/releases/download/pmd_releases%2F${PMD_VERSION}/pmd-dist-${PMD_VERSION}-bin.zip" -o /tmp/pmd.zip && ` +
+                `unzip -q /tmp/pmd.zip -d /opt && ` +
+                `mv /opt/pmd-bin-${PMD_VERSION} ${PMD_HOME} && ` +
+                `rm -f /tmp/pmd.zip`,
+        ], { timeoutMs: 120_000 });
+        await ctx.exec(PMD_BIN, ['--version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('cpd', [PMD_HOME]);
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        return ctx.exec(PMD_BIN, ['check', '--format', 'json', '--dir', repoDir, '--rulesets', 'rulesets/java/quickstart.xml'], {
+            timeoutMs: timeout,
+            allowExitCodes: [4], // PMD returns 4 when violations are found
+        });
+    },
+    parse: parsePmdOutput,
+};
+//# sourceMappingURL=pmd.js.map

package/dist/tools/plugins/pmd.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pmd.js","sourceRoot":"","sources":["../../../src/tools/plugins/pmd.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,WAAW,GAAG,OAAO,CAAC;AAC5B,MAAM,QAAQ,GAAG,UAAU,CAAC;AAC5B,MAAM,OAAO,GAAG,GAAG,QAAQ,UAAU,CAAC;AAEtC;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,CAAC;YACJ,OAAO,UAAU,CAAC;QACpB,KAAK,CAAC;YACJ,OAAO,MAAM,CAAC;QAChB,KAAK,CAAC;YACJ,OAAO,QAAQ,CAAC;QAClB,KAAK,CAAC;YACJ,OAAO,KAAK,CAAC;QACf,KAAK,CAAC;YACJ,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAgBD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,GAAkB,EAAE,OAAe;IAChE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACjD,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACxC,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,cAAc,CAAC,SAAS,CAAC,QAAQ,CAAC;oBAC5C,QAAQ,EAAE,SAAS;oBACnB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;oBAC9C,IAAI,EAAE,SAAS,CAAC,SAAS;oBACzB,OAAO,EAAE,IAAI,SAAS,CAAC,IAAI,KAAK,SAAS,CAAC,WAAW,EAAE;oBACvD,MAAM,EAAE,KAAc;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC,IAAI,EAAE,KAAK;IACX,WAAW,EAAE,KAAK;IAClB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,WAAW;IACpB,YAAY,EAAE,MAAM;IAEpB,MAAM,CAAC,KAAe;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,8DAA8D;QAC9D,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;QACzD,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC9D,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,4DAA4D,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CACZ,MAAM,EACN;YACE,IAAI;YACJ,yEAAyE,WAAW,aAAa,WAAW,+BAA+B;gBACzI,mCAAmC;gBACnC,mBAAmB,WAAW,IAAI,QAAQ,MAAM;gBAChD,oBAAoB;SACvB,EACD,EAAE,SAAS,EAAE,OAAO,EAAE,CACvB,CAAC;QACF,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9D,MAAM,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,OAAO,GAAG,CAAC,IAAI,CACb,OAAO,EACP,CAAC,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,8BAA8B,CAAC,EAC7F;YACE,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,0CAA0C;SAChE,CACF,CAAC;IACJ,CAAC;IAED,KAAK,EAAE,cAAc;CACtB,CAAC"}

package/dist/tools/plugins/psalm.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Psalm plugin — PHP static analysis (auto-detect).
+ *
+ * Runs Psalm for type checking and security analysis on PHP codebases.
+ * Activates when PHP files or composer.json is detected.
+ * Maps taint-related findings to critical severity.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map Psalm finding to GHAGGA FindingSeverity.
+ * Taint findings (e.g., TaintedHtml, TaintedSql) → critical.
+ * error → high, info → low, default → medium
+ */
+export declare function mapPsalmSeverity(severity: string, type: string): FindingSeverity;
+/**
+ * Parse Psalm JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parsePsalmOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const psalmPlugin: ToolDefinition;
+//# sourceMappingURL=psalm.d.ts.map

package/dist/tools/plugins/psalm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"psalm.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/psalm.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,CAYhF;AAYD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAiBrF;AAED,eAAO,MAAM,WAAW,EAAE,cA0CzB,CAAC"}

package/dist/tools/plugins/psalm.js

@@ -0,0 +1,85 @@
+/**
+ * Psalm plugin — PHP static analysis (auto-detect).
+ *
+ * Runs Psalm for type checking and security analysis on PHP codebases.
+ * Activates when PHP files or composer.json is detected.
+ * Maps taint-related findings to critical severity.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const PSALM_VERSION = '6.5.1';
+/**
+ * Map Psalm finding to GHAGGA FindingSeverity.
+ * Taint findings (e.g., TaintedHtml, TaintedSql) → critical.
+ * error → high, info → low, default → medium
+ */
+export function mapPsalmSeverity(severity, type) {
+    // Taint findings are always critical regardless of severity
+    if (type.toLowerCase().startsWith('tainted'))
+        return 'critical';
+    switch (severity.toLowerCase()) {
+        case 'error':
+            return 'high';
+        case 'info':
+            return 'low';
+        default:
+            return 'medium';
+    }
+}
+/**
+ * Parse Psalm JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parsePsalmOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const findings = JSON.parse(raw.stdout);
+        return findings.map((f) => ({
+            severity: mapPsalmSeverity(f.severity, f.type),
+            category: 'quality',
+            file: f.file_path.replace(`${repoDir}/`, ''),
+            line: f.line_from,
+            message: `[${f.type}] ${f.message}`,
+            source: 'psalm',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const psalmPlugin = {
+    name: 'psalm',
+    displayName: 'Psalm',
+    category: 'quality',
+    tier: 'auto-detect',
+    version: PSALM_VERSION,
+    outputFormat: 'json',
+    detect(files) {
+        return files.some((f) => f.endsWith('.php') || f === 'composer.json');
+    },
+    async install(ctx) {
+        // Check if Psalm PHAR is already available
+        try {
+            await ctx.exec('psalm', ['--version'], { timeoutMs: 10_000 });
+            return;
+        }
+        catch {
+            ctx.log('info', 'Psalm not found, installing...');
+        }
+        // Install via Composer global
+        await ctx.exec('composer', ['global', 'require', `vimeo/psalm:${PSALM_VERSION}`], {
+            timeoutMs: 120_000,
+        });
+        await ctx.exec('psalm', ['--version'], { timeoutMs: 10_000 });
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        return ctx.exec('psalm', ['--output-format=json', '--no-cache'], {
+            timeoutMs: timeout,
+            cwd: repoDir,
+            allowExitCodes: [1, 2], // psalm returns 1 for info, 2 for errors
+        });
+    },
+    parse: parsePsalmOutput,
+};
+//# sourceMappingURL=psalm.js.map

package/dist/tools/plugins/psalm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"psalm.js","sourceRoot":"","sources":["../../../src/tools/plugins/psalm.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,aAAa,GAAG,OAAO,CAAC;AAE9B;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,IAAY;IAC7D,4DAA4D;IAC5D,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,UAAU,CAAC;IAEhE,QAAQ,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/B,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,KAAK,CAAC;QACf;YACE,OAAO,QAAQ,CAAC;IACpB,CAAC;AACH,CAAC;AAYD;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAkB,EAAE,OAAe;IAClE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAmB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAExD,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC;YAC9C,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YAC5C,IAAI,EAAE,CAAC,CAAC,SAAS;YACjB,OAAO,EAAE,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE;YACnC,MAAM,EAAE,OAAgB;SACzB,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,OAAO;IACpB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,MAAM;IAEpB,MAAM,CAAC,KAAe;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,eAAe,CAAC,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,2CAA2C;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,8BAA8B;QAC9B,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,eAAe,aAAa,EAAE,CAAC,EAAE;YAChF,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,sBAAsB,EAAE,YAAY,CAAC,EAAE;YAC/D,SAAS,EAAE,OAAO;YAClB,GAAG,EAAE,OAAO;YACZ,cAAc,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,yCAAyC;SAClE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,gBAAgB;CACxB,CAAC"}

package/dist/tools/plugins/ruff.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Ruff plugin — Python linting (auto-detect).
+ *
+ * Fast Python linter. Activates when Python files are detected.
+ * Maps ruff rule code prefixes to severity levels.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map Ruff code prefix to GHAGGA FindingSeverity.
+ * F (Pyflakes) → high, E (errors) → medium, W (warnings) → low, others → low
+ */
+export declare function mapRuffSeverity(code: string): FindingSeverity;
+/**
+ * Parse Ruff JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseRuffOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const ruffPlugin: ToolDefinition;
+//# sourceMappingURL=ruff.d.ts.map

package/dist/tools/plugins/ruff.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruff.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/ruff.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAY7D;AAWD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAiBpF;AAED,eAAO,MAAM,UAAU,EAAE,cAuCxB,CAAC"}

package/dist/tools/plugins/ruff.js

@@ -0,0 +1,80 @@
+/**
+ * Ruff plugin — Python linting (auto-detect).
+ *
+ * Fast Python linter. Activates when Python files are detected.
+ * Maps ruff rule code prefixes to severity levels.
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const RUFF_VERSION = '0.9.7';
+/**
+ * Map Ruff code prefix to GHAGGA FindingSeverity.
+ * F (Pyflakes) → high, E (errors) → medium, W (warnings) → low, others → low
+ */
+export function mapRuffSeverity(code) {
+    const prefix = code.charAt(0).toUpperCase();
+    switch (prefix) {
+        case 'F':
+            return 'high';
+        case 'E':
+            return 'medium';
+        case 'W':
+            return 'low';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Parse Ruff JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseRuffOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const findings = JSON.parse(raw.stdout);
+        return findings.map((f) => ({
+            severity: mapRuffSeverity(f.code),
+            category: 'quality',
+            file: f.filename.replace(`${repoDir}/`, ''),
+            line: f.location.row,
+            message: `${f.code}: ${f.message}`,
+            source: 'ruff',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const ruffPlugin = {
+    name: 'ruff',
+    displayName: 'Ruff',
+    category: 'quality',
+    tier: 'auto-detect',
+    version: RUFF_VERSION,
+    outputFormat: 'json',
+    detect(files) {
+        return files.some((f) => f.endsWith('.py') || f.endsWith('.pyi'));
+    },
+    async install(ctx) {
+        try {
+            await ctx.exec('ruff', ['--version'], { timeoutMs: 10_000 });
+            return;
+        }
+        catch {
+            ctx.log('info', 'Ruff not found, installing...');
+        }
+        await ctx.exec('pip', ['install', '--quiet', `ruff==${RUFF_VERSION}`], {
+            timeoutMs: 120_000,
+        });
+        await ctx.exec('ruff', ['--version'], { timeoutMs: 10_000 });
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        return ctx.exec('ruff', ['check', '--output-format', 'json', repoDir], {
+            timeoutMs: timeout,
+            allowExitCodes: [1], // ruff returns 1 when findings are present
+        });
+    },
+    parse: parseRuffOutput,
+};
+//# sourceMappingURL=ruff.js.map

package/dist/tools/plugins/ruff.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruff.js","sourceRoot":"","sources":["../../../src/tools/plugins/ruff.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,MAAM,YAAY,GAAG,OAAO,CAAC;AAE7B;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,GAAG;YACN,OAAO,MAAM,CAAC;QAChB,KAAK,GAAG;YACN,OAAO,QAAQ,CAAC;QAClB,KAAK,GAAG;YACN,OAAO,KAAK,CAAC;QACf;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAWD;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAkB,EAAE,OAAe;IACjE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAkB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEvD,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1B,QAAQ,EAAE,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC;YACjC,QAAQ,EAAE,SAAS;YACnB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YAC3C,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG;YACpB,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE;YAClC,MAAM,EAAE,MAAe;SACxB,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAmB;IACxC,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,MAAM;IACnB,QAAQ,EAAE,SAAS;IACnB,IAAI,EAAE,aAAa;IACnB,OAAO,EAAE,YAAY;IACrB,YAAY,EAAE,MAAM;IAEpB,MAAM,CAAC,KAAe;QACpB,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,YAAY,EAAE,CAAC,EAAE;YACrE,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,OAAO,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;YACrE,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,2CAA2C;SACjE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,eAAe;CACvB,CAAC"}

package/dist/tools/plugins/semgrep.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Semgrep plugin — security analysis (always-on).
+ *
+ * Adapted from:
+ * - packages/core/src/tools/semgrep.ts (parsing logic)
+ * - apps/action/src/tools/semgrep.ts (install/run flow)
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map Semgrep severity to GHAGGA FindingSeverity.
+ * ERROR -> high, WARNING -> medium, INFO -> info, default -> low
+ */
+export declare function mapSemgrepSeverity(semgrepSeverity: string): FindingSeverity;
+/**
+ * Parse Semgrep JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseSemgrepOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const semgrepPlugin: ToolDefinition;
+//# sourceMappingURL=semgrep.d.ts.map

package/dist/tools/plugins/semgrep.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,eAAe,EAAE,MAAM,GAAG,eAAe,CAW3E;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAuBvF;AAED,eAAO,MAAM,aAAa,EAAE,cAwC3B,CAAC"}

package/dist/tools/plugins/semgrep.js

@@ -0,0 +1,82 @@
+/**
+ * Semgrep plugin — security analysis (always-on).
+ *
+ * Adapted from:
+ * - packages/core/src/tools/semgrep.ts (parsing logic)
+ * - apps/action/src/tools/semgrep.ts (install/run flow)
+ *
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+const SEMGREP_VERSION = '1.90.0';
+/**
+ * Map Semgrep severity to GHAGGA FindingSeverity.
+ * ERROR -> high, WARNING -> medium, INFO -> info, default -> low
+ */
+export function mapSemgrepSeverity(semgrepSeverity) {
+    switch (semgrepSeverity.toUpperCase()) {
+        case 'ERROR':
+            return 'high';
+        case 'WARNING':
+            return 'medium';
+        case 'INFO':
+            return 'info';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Parse Semgrep JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export function parseSemgrepOutput(raw, repoDir) {
+    if (raw.timedOut)
+        return [];
+    try {
+        const result = JSON.parse(raw.stdout);
+        return (result.results ?? []).map((r) => ({
+            severity: mapSemgrepSeverity(r.extra.severity),
+            category: 'security',
+            file: r.path.replace(`${repoDir}/`, ''),
+            line: r.start.line,
+            message: r.extra.message,
+            source: 'semgrep',
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export const semgrepPlugin = {
+    name: 'semgrep',
+    displayName: 'Semgrep',
+    category: 'security',
+    tier: 'always-on',
+    version: SEMGREP_VERSION,
+    outputFormat: 'json',
+    cachePaths: ['/usr/local/bin/semgrep'],
+    async install(ctx) {
+        const cached = await ctx.cacheRestore('semgrep', ['/usr/local/bin/semgrep']);
+        if (cached) {
+            try {
+                await ctx.exec('semgrep', ['--version'], { timeoutMs: 10_000 });
+                return;
+            }
+            catch {
+                ctx.log('warn', 'Semgrep cache restored but binary not functional, reinstalling');
+            }
+        }
+        await ctx.exec('pip', ['install', '--quiet', `semgrep==${SEMGREP_VERSION}`], {
+            timeoutMs: 120_000,
+        });
+        await ctx.exec('semgrep', ['--version'], { timeoutMs: 10_000 });
+        await ctx.cacheSave('semgrep', ['/usr/local/bin/semgrep']);
+    },
+    async run(ctx, repoDir, _files, timeout) {
+        return ctx.exec('semgrep', ['--json', '--config', 'auto', '--quiet', repoDir], {
+            timeoutMs: timeout,
+            allowExitCodes: [1], // semgrep returns 1 when findings are present
+        });
+    },
+    parse: parseSemgrepOutput,
+};
+//# sourceMappingURL=semgrep.js.map

package/dist/tools/plugins/semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../../src/tools/plugins/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,eAAe,GAAG,QAAQ,CAAC;AAEjC;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,eAAuB;IACxD,QAAQ,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC;QACtC,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAkB,EAAE,OAAe;IACpE,IAAI,GAAG,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAMnC,CAAC;QAEF,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACxC,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC;YAC9C,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,EAAE,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO;YACxB,MAAM,EAAE,SAAkB;SAC3B,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,SAAS;IACtB,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,eAAe;IACxB,YAAY,EAAE,MAAM;IACpB,UAAU,EAAE,CAAC,wBAAwB,CAAC;IAEtC,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC,wBAAwB,CAAC,CAAC,CAAC;QAC7E,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC;gBACH,MAAM,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;gBAChE,OAAO;YACT,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,gEAAgE,CAAC,CAAC;YACpF,CAAC;QACH,CAAC;QAED,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,eAAe,EAAE,CAAC,EAAE;YAC3E,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAChE,MAAM,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,wBAAwB,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAqB,EACrB,OAAe,EACf,MAAgB,EAChB,OAAe;QAEf,OAAO,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;YAC7E,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,8CAA8C;SACpE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,EAAE,kBAAkB;CAC1B,CAAC"}

package/dist/tools/plugins/shellcheck.d.ts

@@ -0,0 +1,23 @@
+/**
+ * ShellCheck plugin — shell script linting (always-on).
+ *
+ * Lints shell scripts for common issues and portability problems.
+ * Only runs on *.sh and *.bash files; returns empty findings if none found.
+ *
+ * Pre-installed on GitHub Actions runners — install is a verification step.
+ * Uses ExecutionContext for DI instead of direct child_process.
+ */
+import type { FindingSeverity, ReviewFinding } from '../../types.js';
+import type { RawToolOutput, ToolDefinition } from '../types.js';
+/**
+ * Map ShellCheck level to GHAGGA FindingSeverity.
+ * error→high, warning→medium, info→info, style→low
+ */
+export declare function mapShellCheckSeverity(level: string): FindingSeverity;
+/**
+ * Parse ShellCheck JSON output into ReviewFinding[].
+ * Exported for direct testing with fixture data.
+ */
+export declare function parseShellCheckOutput(raw: RawToolOutput, repoDir: string): ReviewFinding[];
+export declare const shellcheckPlugin: ToolDefinition;
+//# sourceMappingURL=shellcheck.d.ts.map

package/dist/tools/plugins/shellcheck.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shellcheck.d.ts","sourceRoot":"","sources":["../../../src/tools/plugins/shellcheck.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,KAAK,EAAoB,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAInF;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,eAAe,CAapE;AAYD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa,EAAE,CAiB1F;AAED,eAAO,MAAM,gBAAgB,EAAE,cAiD9B,CAAC"}