karajan-code 1.2.0

package/src/session-store.js

@@ -0,0 +1,80 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { ensureDir, exists } from "./utils/fs.js";
+import { getSessionRoot } from "./utils/paths.js";
+
+const SESSION_ROOT = getSessionRoot();
+
+export function newSessionId() {
+  const now = new Date();
+  const stamp = now.toISOString().replace(/[:.]/g, "-");
+  return `s_${stamp}`;
+}
+
+export async function createSession(initial = {}) {
+  const id = initial.id || newSessionId();
+  const dir = path.join(SESSION_ROOT, id);
+  await ensureDir(dir);
+  const data = {
+    id,
+    created_at: new Date().toISOString(),
+    updated_at: new Date().toISOString(),
+    status: "running",
+    checkpoints: [],
+    ...initial
+  };
+  await saveSession(data);
+  return data;
+}
+
+export async function saveSession(session) {
+  const dir = path.join(SESSION_ROOT, session.id);
+  await ensureDir(dir);
+  session.updated_at = new Date().toISOString();
+  await fs.writeFile(path.join(dir, "session.json"), JSON.stringify(session, null, 2), "utf8");
+}
+
+export async function loadSession(sessionId) {
+  const file = path.join(SESSION_ROOT, sessionId, "session.json");
+  if (!(await exists(file))) {
+    throw new Error(`Session not found: ${sessionId}`);
+  }
+  const raw = await fs.readFile(file, "utf8");
+  return JSON.parse(raw);
+}
+
+export async function addCheckpoint(session, checkpoint) {
+  session.checkpoints.push({ at: new Date().toISOString(), ...checkpoint });
+  await saveSession(session);
+}
+
+export async function markSessionStatus(session, status) {
+  session.status = status;
+  await saveSession(session);
+}
+
+export async function pauseSession(session, { question, context: pauseContext }) {
+  session.status = "paused";
+  session.paused_state = {
+    question,
+    context: pauseContext,
+    paused_at: new Date().toISOString()
+  };
+  await saveSession(session);
+}
+
+export async function resumeSessionWithAnswer(sessionId, answer) {
+  const session = await loadSession(sessionId);
+  if (session.status !== "paused") {
+    throw new Error(`Session ${sessionId} is not paused (status: ${session.status})`);
+  }
+  const pausedState = session.paused_state;
+  if (!pausedState) {
+    throw new Error(`Session ${sessionId} has no paused state`);
+  }
+  session.paused_state.answer = answer;
+  session.paused_state.resumed_at = new Date().toISOString();
+  session.status = "running";
+  await saveSession(session);
+  return session;
+}

package/src/sonar/api.js

@@ -0,0 +1,78 @@
+import { runCommand } from "../utils/process.js";
+import { resolveSonarProjectKey } from "./project-key.js";
+
+export class SonarApiError extends Error {
+  constructor(message, { url, httpStatus, hint } = {}) {
+    super(message);
+    this.name = "SonarApiError";
+    this.url = url;
+    this.httpStatus = httpStatus;
+    this.hint = hint;
+  }
+}
+
+function tokenFromConfig(config) {
+  return process.env.KJ_SONAR_TOKEN || config.sonarqube.token || "";
+}
+
+function parseHttpResponse(stdout) {
+  const lines = stdout.split("\n");
+  const httpCode = parseInt(lines.pop(), 10) || 0;
+  const body = lines.join("\n");
+  return { httpCode, body };
+}
+
+async function sonarFetch(config, urlPath) {
+  const token = tokenFromConfig(config);
+  const url = `${config.sonarqube.host}${urlPath}`;
+  const res = await runCommand("curl", ["-s", "-w", "\n%{http_code}", "-u", `${token}:`, url]);
+
+  if (res.exitCode !== 0) {
+    throw new SonarApiError(
+      `SonarQube is not reachable at ${config.sonarqube.host}. Check that SonarQube is running ('kj sonar start').`,
+      { url, hint: "Run 'kj sonar start' or verify Docker is running." }
+    );
+  }
+
+  const { httpCode, body } = parseHttpResponse(res.stdout);
+
+  if (httpCode === 401) {
+    throw new SonarApiError(
+      `SonarQube authentication failed (HTTP 401). Token may be invalid or expired. Regenerate with 'kj init'.`,
+      { url, httpStatus: 401, hint: "Run 'kj init' to regenerate the SonarQube token." }
+    );
+  }
+
+  if (httpCode >= 400) {
+    throw new SonarApiError(
+      `SonarQube API returned HTTP ${httpCode} for ${url}.`,
+      { url, httpStatus: httpCode }
+    );
+  }
+
+  return body;
+}
+
+export async function getQualityGateStatus(config, projectKey = null) {
+  const effectiveProjectKey = await resolveSonarProjectKey(config, { projectKey });
+  const body = await sonarFetch(config, `/api/qualitygates/project_status?projectKey=${effectiveProjectKey}`);
+
+  try {
+    const parsed = JSON.parse(body);
+    return { ok: true, status: parsed.projectStatus?.status || "ERROR", raw: parsed };
+  } catch {
+    return { ok: false, status: "ERROR", raw: body };
+  }
+}
+
+export async function getOpenIssues(config, projectKey = null) {
+  const effectiveProjectKey = await resolveSonarProjectKey(config, { projectKey });
+  const body = await sonarFetch(config, `/api/issues/search?projectKeys=${effectiveProjectKey}&statuses=OPEN`);
+
+  try {
+    const parsed = JSON.parse(body);
+    return { total: parsed.total || 0, issues: parsed.issues || [], raw: parsed };
+  } catch {
+    return { total: 0, issues: [], raw: body };
+  }
+}

package/src/sonar/enforcer.js

@@ -0,0 +1,19 @@
+export function shouldBlockByProfile({ gateStatus, profile = "pragmatic" }) {
+  if (profile === "paranoid") {
+    return gateStatus !== "OK";
+  }
+
+  return gateStatus === "ERROR";
+}
+
+export function summarizeIssues(issues) {
+  const bySeverity = issues.reduce((acc, issue) => {
+    const severity = issue.severity || "UNKNOWN";
+    acc[severity] = (acc[severity] || 0) + 1;
+    return acc;
+  }, {});
+
+  return Object.entries(bySeverity)
+    .map(([severity, count]) => `${severity}: ${count}`)
+    .join(", ");
+}

package/src/sonar/manager.js

@@ -0,0 +1,163 @@
+import fs from "node:fs/promises";
+import { ensureDir } from "../utils/fs.js";
+import { runCommand } from "../utils/process.js";
+import { getKarajanHome, getSonarComposePath } from "../utils/paths.js";
+import { loadConfig } from "../config.js";
+
+const KARAJAN_HOME = getKarajanHome();
+const COMPOSE_PATH = getSonarComposePath();
+
+function normalizeSonarConfig(sonarqube = {}) {
+  const timeouts = sonarqube.timeouts || {};
+  return {
+    host: sonarqube.host || "http://localhost:9000",
+    external: sonarqube.external === true,
+    containerName: sonarqube.container_name || "karajan-sonarqube",
+    network: sonarqube.network || "karajan_sonar_net",
+    volumes: {
+      data: sonarqube?.volumes?.data || "karajan_sonar_data",
+      logs: sonarqube?.volumes?.logs || "karajan_sonar_logs",
+      extensions: sonarqube?.volumes?.extensions || "karajan_sonar_extensions"
+    },
+    timeouts: {
+      healthcheckSeconds: Number(timeouts.healthcheck_seconds) > 0 ? Number(timeouts.healthcheck_seconds) : 5,
+      composeUpMs: Number(timeouts.compose_up_ms) > 0 ? Number(timeouts.compose_up_ms) : 5 * 60 * 1000,
+      composeControlMs: Number(timeouts.compose_control_ms) > 0 ? Number(timeouts.compose_control_ms) : 2 * 60 * 1000,
+      logsMs: Number(timeouts.logs_ms) > 0 ? Number(timeouts.logs_ms) : 30 * 1000
+    }
+  };
+}
+
+function buildComposeTemplate(sonarConfig) {
+  return `services:
+  sonarqube:
+    image: sonarqube:community
+    container_name: ${sonarConfig.containerName}
+    ports:
+      - "9000:9000"
+    volumes:
+      - ${sonarConfig.volumes.data}:/opt/sonarqube/data
+      - ${sonarConfig.volumes.logs}:/opt/sonarqube/logs
+      - ${sonarConfig.volumes.extensions}:/opt/sonarqube/extensions
+    environment:
+      - SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true
+    networks:
+      - ${sonarConfig.network}
+    restart: unless-stopped
+
+volumes:
+  ${sonarConfig.volumes.data}:
+  ${sonarConfig.volumes.logs}:
+  ${sonarConfig.volumes.extensions}:
+
+networks:
+  ${sonarConfig.network}:
+    name: ${sonarConfig.network}
+`;
+}
+
+export async function ensureComposeFile(sonarqube = null) {
+  const sonarConfig = sonarqube ? normalizeSonarConfig(sonarqube) : normalizeSonarConfig((await loadConfig()).config.sonarqube);
+  const composeTemplate = buildComposeTemplate(sonarConfig);
+  await ensureDir(KARAJAN_HOME);
+  await fs.writeFile(COMPOSE_PATH, composeTemplate, "utf8");
+  return COMPOSE_PATH;
+}
+
+export async function isSonarReachable(host, healthcheckSeconds = 5) {
+  const timeout = Number(healthcheckSeconds) > 0 ? String(Number(healthcheckSeconds)) : "5";
+  const res = await runCommand("curl", ["-s", "-o", "/dev/null", "-w", "%{http_code}", "--max-time", timeout, `${host}/api/system/status`]);
+  return res.exitCode === 0 && res.stdout.trim().startsWith("2");
+}
+
+export async function sonarUp(hostOverride = null) {
+  const { config } = await loadConfig();
+  const sonarConfig = normalizeSonarConfig(config.sonarqube);
+  const host = hostOverride || sonarConfig.host;
+
+  if (await isSonarReachable(host, sonarConfig.timeouts.healthcheckSeconds)) {
+    return { exitCode: 0, stdout: `SonarQube already reachable at ${host}, skipping container start.`, stderr: "" };
+  }
+
+  if (sonarConfig.external) {
+    return {
+      exitCode: 1,
+      stdout: "",
+      stderr: `Configured external SonarQube is not reachable at ${host}.`
+    };
+  }
+
+  const compose = await ensureComposeFile(config.sonarqube);
+  return runCommand("docker", ["compose", "-f", compose, "up", "-d"], { timeout: sonarConfig.timeouts.composeUpMs });
+}
+
+export async function sonarDown() {
+  const { config } = await loadConfig();
+  const sonarConfig = normalizeSonarConfig(config.sonarqube);
+  if (sonarConfig.external) {
+    return { exitCode: 0, stdout: "sonarqube.external=true, skipping Docker stop.", stderr: "" };
+  }
+  const compose = await ensureComposeFile(config.sonarqube);
+  return runCommand("docker", ["compose", "-f", compose, "stop"], { timeout: sonarConfig.timeouts.composeControlMs });
+}
+
+export async function sonarStatus() {
+  const { config } = await loadConfig();
+  const sonarConfig = normalizeSonarConfig(config.sonarqube);
+  const host = sonarConfig.host;
+
+  if (sonarConfig.external) {
+    if (await isSonarReachable(host, sonarConfig.timeouts.healthcheckSeconds)) {
+      return { exitCode: 0, stdout: `external SonarQube running at ${host}`, stderr: "" };
+    }
+    return { exitCode: 1, stdout: "", stderr: `external SonarQube is not reachable at ${host}` };
+  }
+
+  const containerRes = await runCommand("docker", ["ps", "--filter", `name=${sonarConfig.containerName}`, "--format", "{{.Status}}"]);
+  if (containerRes.stdout?.trim()) return containerRes;
+
+  if (await isSonarReachable(host, sonarConfig.timeouts.healthcheckSeconds)) {
+    return { exitCode: 0, stdout: `external SonarQube running at ${host}`, stderr: "" };
+  }
+
+  return containerRes;
+}
+
+export async function sonarLogs() {
+  const { config } = await loadConfig();
+  const sonarConfig = normalizeSonarConfig(config.sonarqube);
+  if (sonarConfig.external) {
+    return { exitCode: 1, stdout: "", stderr: "sonarqube.external=true, Docker logs are not available." };
+  }
+  return runCommand("docker", ["logs", "--tail", "100", sonarConfig.containerName], { timeout: sonarConfig.timeouts.logsMs });
+}
+
+const MIN_MAP_COUNT = 262144;
+
+export async function checkVmMaxMapCount(platform) {
+  if (platform === "darwin" || platform === "win32") {
+    return { ok: true, reason: "vm.max_map_count check not required on this platform" };
+  }
+
+  const res = await runCommand("sysctl", ["vm.max_map_count"]);
+  if (res.exitCode !== 0) {
+    return {
+      ok: false,
+      reason: "Could not read vm.max_map_count",
+      fix: `sudo sysctl -w vm.max_map_count=${MIN_MAP_COUNT}`
+    };
+  }
+
+  const match = res.stdout.match(/=\s*(\d+)/);
+  const current = match ? Number(match[1]) : 0;
+
+  if (current >= MIN_MAP_COUNT) {
+    return { ok: true, reason: `vm.max_map_count = ${current}` };
+  }
+
+  return {
+    ok: false,
+    reason: `vm.max_map_count = ${current} (needs >= ${MIN_MAP_COUNT})`,
+    fix: `sudo sysctl -w vm.max_map_count=${MIN_MAP_COUNT} && echo "vm.max_map_count=${MIN_MAP_COUNT}" | sudo tee -a /etc/sysctl.conf`
+  };
+}

package/src/sonar/project-key.js

@@ -0,0 +1,83 @@
+import crypto from "node:crypto";
+import { runCommand } from "../utils/process.js";
+
+function slug(value) {
+  return String(value || "")
+    .toLowerCase()
+    .replace(/[^a-z0-9._:-]+/g, "-")
+    .replace(/-{2,}/g, "-")
+    .replace(/^-+|-+$/g, "");
+}
+
+export function normalizeProjectKey(value) {
+  const out = slug(value);
+  if (!out) return "kj-default";
+  return /[a-z]/.test(out) ? out : `kj-${out}`;
+}
+
+function digest(input) {
+  return crypto.createHash("sha1").update(String(input)).digest("hex").slice(0, 12);
+}
+
+function parseScpLikeRemote(remoteUrl) {
+  // Example: git@github.com:owner/repo.git
+  const match = String(remoteUrl || "").trim().match(/^(?:[^@]+@)?([^:]+):(.+)$/);
+  if (!match) return null;
+  return { host: match[1], path: match[2] };
+}
+
+function parseUrlLikeRemote(remoteUrl) {
+  try {
+    const parsed = new URL(String(remoteUrl || "").trim());
+    return { host: parsed.hostname, path: parsed.pathname.replace(/^\/+/, "") };
+  } catch {
+    return null;
+  }
+}
+
+function canonicalRepoId(remoteUrl) {
+  const raw = String(remoteUrl || "").trim();
+  if (!raw) return null;
+
+  const parsed = raw.includes("://") ? parseUrlLikeRemote(raw) : (parseScpLikeRemote(raw) || parseUrlLikeRemote(raw));
+  if (!parsed) return null;
+
+  const host = String(parsed.host || "").trim().toLowerCase();
+  const cleanPath = String(parsed.path || "")
+    .trim()
+    .replace(/^\/+|\/+$/g, "")
+    .replace(/\.git$/i, "")
+    .toLowerCase();
+  const segments = cleanPath.split("/").filter(Boolean);
+  if (!host || segments.length < 2) return null;
+
+  // Keep full repository path (owner/subgroups/repo) to avoid collisions in nested groups.
+  return `${host}/${segments.join("/")}`;
+}
+
+export async function resolveSonarProjectKey(config, options = {}) {
+  const explicit = String(
+    options.projectKey || process.env.KJ_SONAR_PROJECT_KEY || config?.sonarqube?.project_key || ""
+  ).trim();
+  if (explicit) {
+    return normalizeProjectKey(explicit);
+  }
+
+  const remote = await runCommand("git", ["config", "--get", "remote.origin.url"]);
+  const remoteUrl = String(remote.stdout || "").trim();
+  if (remote.exitCode !== 0 || !remoteUrl) {
+    throw new Error(
+      "Missing git remote.origin.url. Configure remote origin or set sonarqube.project_key explicitly."
+    );
+  }
+
+  const repoId = canonicalRepoId(remoteUrl);
+  if (!repoId) {
+    throw new Error(
+      "Unable to parse git remote.origin.url. Use a valid SSH/HTTPS remote or set sonarqube.project_key explicitly."
+    );
+  }
+
+  const repo = slug(repoId.split("/").pop());
+  return normalizeProjectKey(`kj-${repo}-${digest(repoId)}`);
+}

package/src/sonar/scanner.js

@@ -0,0 +1,267 @@
+import fs from "node:fs";
+import { runCommand } from "../utils/process.js";
+import { sonarUp } from "./manager.js";
+import { resolveSonarProjectKey } from "./project-key.js";
+
+export function buildScannerOpts(projectKey, scanner = {}) {
+  const opts = [`-Dsonar.projectKey=${projectKey}`];
+  if (scanner.sources) opts.push(`-Dsonar.sources=${scanner.sources}`);
+  if (scanner.exclusions) opts.push(`-Dsonar.exclusions=${scanner.exclusions}`);
+  if (scanner.test_inclusions) opts.push(`-Dsonar.test.inclusions=${scanner.test_inclusions}`);
+  if (scanner.coverage_exclusions) opts.push(`-Dsonar.coverage.exclusions=${scanner.coverage_exclusions}`);
+  if (scanner.javascript_lcov_report_paths) {
+    opts.push(`-Dsonar.javascript.lcov.reportPaths=${scanner.javascript_lcov_report_paths}`);
+  }
+  const rules = scanner.disabled_rules || [];
+  rules.forEach((rule, i) => {
+    opts.push(`-Dsonar.issue.ignore.multicriteria=e${i + 1}`);
+    opts.push(`-Dsonar.issue.ignore.multicriteria.e${i + 1}.ruleKey=${rule}`);
+    opts.push(`-Dsonar.issue.ignore.multicriteria.e${i + 1}.resourceKey=**/*`);
+  });
+  return opts.join(" ");
+}
+
+function normalizeScannerConfig(scanner = {}) {
+  const out = { ...scanner };
+  if (typeof out.sources === "string" && out.sources.trim()) {
+    const existing = out.sources
+      .split(",")
+      .map((s) => s.trim())
+      .filter(Boolean)
+      .filter((entry) => fs.existsSync(entry));
+
+    if (existing.length > 0) {
+      out.sources = existing.join(",");
+    }
+  }
+  return out;
+}
+
+function parseJsonSafe(text) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+
+function normalizeApiHost(rawHost) {
+  return String(rawHost || "http://localhost:9000").replace(/host\.docker\.internal/g, "localhost");
+}
+
+async function validateAdminCredentials(host, user, password) {
+  const res = await runCommand("curl", [
+    "-sS",
+    "-u",
+    `${user}:${password}`,
+    `${host}/api/authentication/validate`
+  ]);
+  if (res.exitCode !== 0) return false;
+  const parsed = parseJsonSafe(res.stdout);
+  return Boolean(parsed?.valid);
+}
+
+async function generateUserToken(host, user, password) {
+  const tokenName = `karajan-${Date.now()}`;
+  const res = await runCommand("curl", [
+    "-sS",
+    "-u",
+    `${user}:${password}`,
+    "-X",
+    "POST",
+    "--data-urlencode",
+    `name=${tokenName}`,
+    `${host}/api/user_tokens/generate`
+  ]);
+  if (res.exitCode !== 0) return null;
+  const parsed = parseJsonSafe(res.stdout);
+  return parsed?.token || null;
+}
+
+function coverageConfig(config) {
+  return config?.sonarqube?.coverage || {};
+}
+
+async function maybeRunCoverage(config) {
+  const coverage = coverageConfig(config);
+  if (!coverage.enabled) {
+    return { ok: true, scannerPatch: {} };
+  }
+
+  const lcovPath = String(coverage.lcov_report_path || "").trim();
+  const blockOnFailure = coverage.block_on_failure !== false;
+
+  // Allow "consume existing lcov only" mode without running any coverage command.
+  if (!String(coverage.command || "").trim()) {
+    if (!lcovPath) {
+      return {
+        ok: false,
+        exitCode: 1,
+        stdout: "",
+        stderr:
+          "Sonar coverage is enabled but neither coverage.command nor coverage.lcov_report_path is configured."
+      };
+    }
+    if (!fs.existsSync(lcovPath)) {
+      if (blockOnFailure) {
+        return {
+          ok: false,
+          exitCode: 1,
+          stdout: "",
+          stderr: `Configured lcov report path does not exist: ${lcovPath}`
+        };
+      }
+      return { ok: true, scannerPatch: {} };
+    }
+    return {
+      ok: true,
+      scannerPatch: {
+        javascript_lcov_report_paths: lcovPath
+      }
+    };
+  }
+
+  const command = String(coverage.command || "").trim();
+  const timeout = Number(coverage.timeout_ms) > 0 ? Number(coverage.timeout_ms) : 5 * 60 * 1000;
+  const run = await runCommand("bash", ["-lc", command], { timeout });
+
+  if (run.exitCode !== 0) {
+    if (blockOnFailure) {
+      return {
+        ok: false,
+        exitCode: run.exitCode,
+        stdout: run.stdout || "",
+        stderr: run.stderr || "Coverage command failed"
+      };
+    }
+    return { ok: true, scannerPatch: {} };
+  }
+
+  if (!lcovPath) {
+    return { ok: true, scannerPatch: {} };
+  }
+
+  if (!fs.existsSync(lcovPath)) {
+    if (blockOnFailure) {
+      return {
+        ok: false,
+        exitCode: 1,
+        stdout: run.stdout || "",
+        stderr: `Configured lcov report path does not exist: ${lcovPath}`
+      };
+    }
+    return { ok: true, scannerPatch: {} };
+  }
+
+  return {
+    ok: true,
+    scannerPatch: {
+      javascript_lcov_report_paths: lcovPath
+    }
+  };
+}
+
+async function resolveSonarToken(config, apiHost) {
+  const explicitToken = process.env.KJ_SONAR_TOKEN || process.env.SONAR_TOKEN || config.sonarqube.token;
+  if (explicitToken) return explicitToken;
+
+  const adminUser = process.env.KJ_SONAR_ADMIN_USER || config.sonarqube.admin_user || "admin";
+  const candidates = [
+    process.env.KJ_SONAR_ADMIN_PASSWORD,
+    config.sonarqube.admin_password,
+    "admin"
+  ].filter(Boolean);
+
+  for (const password of [...new Set(candidates)]) {
+    const valid = await validateAdminCredentials(apiHost, adminUser, password);
+    if (!valid) continue;
+    const token = await generateUserToken(apiHost, adminUser, password);
+    if (token) return token;
+  }
+
+  return null;
+}
+
+export async function runSonarScan(config, projectKey = null) {
+  let effectiveProjectKey;
+  try {
+    effectiveProjectKey = await resolveSonarProjectKey(config, { projectKey });
+  } catch (error) {
+    return {
+      ok: false,
+      projectKey: null,
+      stdout: "",
+      stderr: error?.message || String(error),
+      exitCode: 1
+    };
+  }
+  const sonarConfig = config?.sonarqube || {};
+  const rawHost = sonarConfig.host || "http://localhost:9000";
+  const isExternalSonar = sonarConfig.external === true;
+  const scannerTimeout = Number(sonarConfig?.timeouts?.scanner_ms) > 0
+    ? Number(sonarConfig.timeouts.scanner_ms)
+    : 15 * 60 * 1000;
+  const sonarNetwork = sonarConfig.network || "karajan_sonar_net";
+  const apiHost = normalizeApiHost(rawHost);
+  const isLocalHost = /localhost|127\.0\.0\.1/.test(rawHost);
+  const host = isLocalHost ? rawHost.replace(/localhost|127\.0\.0\.1/g, "host.docker.internal") : rawHost;
+
+  const start = await sonarUp(rawHost);
+  if (start.exitCode !== 0) {
+    return {
+      ok: false,
+      stdout: start.stdout || "",
+      stderr: start.stderr || "Failed to start SonarQube service",
+      exitCode: start.exitCode
+    };
+  }
+  const token = await resolveSonarToken(config, apiHost);
+  if (!token) {
+    return {
+      ok: false,
+      stdout: "",
+      stderr:
+        "Unable to resolve Sonar token. Tried configured token/password and fallback admin/admin.",
+      exitCode: 1
+    };
+  }
+  process.env.KJ_SONAR_TOKEN = token;
+  const coverage = await maybeRunCoverage(config);
+  if (!coverage.ok) {
+    return {
+      ok: false,
+      stdout: coverage.stdout || "",
+      stderr: coverage.stderr || "Failed to generate coverage report for SonarQube",
+      exitCode: coverage.exitCode || 1
+    };
+  }
+  const scannerConfig = normalizeScannerConfig({
+    ...sonarConfig.scanner,
+    ...coverage.scannerPatch
+  });
+
+  const args = [
+    "run",
+    "--rm",
+    "-v",
+    `${process.cwd()}:/usr/src`,
+    ...(isLocalHost ? ["--add-host", "host.docker.internal:host-gateway"] : []),
+    ...(!isLocalHost && !isExternalSonar ? ["--network", sonarNetwork] : []),
+    "-e",
+    `SONAR_HOST_URL=${host}`,
+    "-e",
+    `SONAR_TOKEN=${token || ""}`,
+    "-e",
+    `SONAR_SCANNER_OPTS=${buildScannerOpts(effectiveProjectKey, scannerConfig)}`,
+    "sonarsource/sonar-scanner-cli"
+  ];
+
+  const result = await runCommand("docker", args, { timeout: scannerTimeout });
+  return {
+    ok: result.exitCode === 0,
+    projectKey: effectiveProjectKey,
+    stdout: result.stdout,
+    stderr: result.stderr,
+    exitCode: result.exitCode
+  };
+}