opencode-sonarqube 2.0.3 → 2.1.1

package/README.md

@@ -4,16 +4,17 @@ OpenCode Plugin for SonarQube integration - Enterprise-level code quality from t
 
 [![Coverage](https://img.shields.io/badge/coverage-100%25-brightgreen)](https://sonarqube.example.com)
 [![Quality Gate](https://img.shields.io/badge/quality%20gate-passed-brightgreen)](https://sonarqube.example.com)
-[![Tests](https://img.shields.io/badge/tests-612%20passing-brightgreen)](https://sonarqube.example.com)
+[![Tests](https://img.shields.io/badge/tests-722%20passing-brightgreen)](https://sonarqube.example.com)
 [![License](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+[![npm version](https://img.shields.io/npm/v/opencode-sonarqube)](https://www.npmjs.com/package/opencode-sonarqube)
 
 ## Features
 
 - **Automatic Analysis**: Triggers SonarQube analysis when the AI agent becomes idle
-- **15 Tool Actions**: Comprehensive SonarQube integration for AI agents
+- **16 Tool Actions**: Comprehensive SonarQube integration for AI agents
 - **Clean as You Code**: Focus on new code issues with `newissues` action
 - **Custom Command**: Use `/sonarqube` command for quick analysis
-- **Security Hotspots**: Review and track security hotspots requiring manual review
+- **Security Hotspots**: Review, resolve, and bulk-dismiss security hotspots directly via API
 - **Quality Gate Integration**: Shows pass/fail status with detailed metrics
 - **Git Integration**: Detects git operations and suggests quality checks
 - **System Prompt Injection**: AI always knows current quality status
@@ -100,6 +101,44 @@ Add these to your `~/.zshrc` or `~/.bashrc` to make them permanent.
    - Tell the AI: "Setup SonarQube for this project"
    - Or use: `sonarqube({ action: "setup" })`
 
+## Updating
+
+The plugin is installed per project via `package.json`. To update to the latest version:
+
+```bash
+# Update in the current project
+bun add opencode-sonarqube@latest
+
+# Or with npm
+npm install opencode-sonarqube@latest
+```
+
+Then restart OpenCode to load the new version.
+
+**Tip — Always get the latest version automatically:**
+
+By default, `bun add` pins a specific version (e.g., `"^2.1.0"`). To always pull the newest release on every OpenCode restart, change your `package.json` dependency to:
+
+```json
+{
+  "dependencies": {
+    "opencode-sonarqube": "latest"
+  }
+}
+```
+
+This ensures you always run the most recent version without manual updates.
+
+**Update all projects at once:**
+
+```bash
+# Run this from any directory to update all projects that use the plugin
+for dir in $(grep -rl '"opencode-sonarqube"' ~/Projekte/*/package.json 2>/dev/null | xargs -I{} dirname {}); do
+  echo "Updating: $dir"
+  (cd "$dir" && bun add opencode-sonarqube@latest)
+done
+```
+
 ## Configuration
 
 ### Environment Variables (Required)
@@ -192,6 +231,7 @@ The plugin adds a `sonarqube` tool with these actions:
 | `newissues` | Get only issues in NEW code (Clean as You Code) |
 | `worstfiles` | Show files with most issues (prioritize refactoring) |
 | `hotspots` | Get security hotspots that need manual review |
+| `reviewhotspot` | Review/resolve hotspots as SAFE, FIXED, or ACKNOWLEDGED |
 | `duplications` | Find code duplications across the project |
 
 ### Status & Validation
@@ -216,15 +256,18 @@ The plugin adds a `sonarqube` tool with these actions:
 ```typescript
 sonarqube({
   action: "analyze" | "issues" | "newissues" | "worstfiles" | "status" | 
-          "validate" | "hotspots" | "duplications" | "rule" | "history" |
-          "profile" | "branches" | "metrics" | "setup",
+          "validate" | "hotspots" | "reviewhotspot" | "duplications" | "rule" |
+          "history" | "profile" | "branches" | "metrics" | "setup",
   scope: "all" | "new" | "changed",     // What to analyze
   severity: "blocker" | "critical" | "major" | "minor" | "info" | "all",
   fix: true | false,                     // Include fix suggestions
   projectKey: "override-key",            // Optional override
   force: true | false,                   // Force re-initialization
   ruleKey: "typescript:S1234",           // For "rule" action
-  branch: "feature-branch"               // For multi-branch analysis
+  branch: "feature-branch",             // For multi-branch analysis
+  hotspotKey: "uuid-of-hotspot",        // For "reviewhotspot" action (omit for bulk review)
+  resolution: "SAFE" | "FIXED" | "ACKNOWLEDGED",  // Hotspot review resolution
+  comment: "Reason for the decision"     // Optional review comment
 })
 ```
 
@@ -316,6 +359,15 @@ sonarqube({ action: "rule", ruleKey: "typescript:S3776" })
 
 // Enterprise validation before release
 sonarqube({ action: "validate" })
+
+// List security hotspots
+sonarqube({ action: "hotspots" })
+
+// Review a single hotspot as safe
+sonarqube({ action: "reviewhotspot", hotspotKey: "abc-123", resolution: "SAFE", comment: "Form field name, not a password" })
+
+// Bulk-review ALL pending hotspots as safe
+sonarqube({ action: "reviewhotspot", resolution: "SAFE" })
 ```
 
 ## CLI Usage
@@ -477,7 +529,7 @@ This project maintains enterprise-level quality:
 | Metric | Value |
 |--------|-------|
 | Test Coverage | 96% |
-| Tests | 612 |
+| Tests | 722 |
 | Bugs | 0 |
 | Vulnerabilities | 0 |
 | Code Smells | 0 |

package/dist/index.js

@@ -17808,6 +17808,36 @@ class IssuesAPI extends BaseAPI {
     const hotspots = await this.getSecurityHotspots(projectKey);
     return hotspots.filter((h) => h.status === "TO_REVIEW");
   }
+  async reviewHotspot(hotspotKey, status, resolution, comment) {
+    this.logger.info(`Reviewing hotspot ${hotspotKey}: status=${status}, resolution=${resolution}`);
+    const body = {
+      hotspot: hotspotKey,
+      status
+    };
+    if (resolution && status === "REVIEWED") {
+      body.resolution = resolution;
+    }
+    if (comment) {
+      body.comment = comment;
+    }
+    await this.client.post("/api/hotspots/change_status", body);
+    this.logger.info(`Hotspot ${hotspotKey} reviewed successfully`);
+  }
+  async bulkReviewHotspots(hotspotKeys, resolution, comment) {
+    let success2 = 0;
+    let failed = 0;
+    const errors4 = [];
+    for (const key of hotspotKeys) {
+      try {
+        await this.reviewHotspot(key, "REVIEWED", resolution, comment);
+        success2++;
+      } catch (error45) {
+        failed++;
+        errors4.push(`${key}: ${error45 instanceof Error ? error45.message : String(error45)}`);
+      }
+    }
+    return { success: success2, failed, errors: errors4 };
+  }
 }
 // src/api/quality-gate/api.ts
 init_types2();
@@ -19349,6 +19379,20 @@ function groupIssuesBySeverity(issues) {
 }
 function formatIssuesForAgent(issues, qualityGateStatus) {
   if (issues.length === 0) {
+    if (qualityGateStatus !== "OK") {
+      return `## SonarQube Analysis Results
+
+**Quality Gate: ${qualityGateStatus}**
+
+No code issues found, but the Quality Gate is not passing.
+This is typically caused by **unreviewed security hotspots** or **code duplication thresholds**.
+
+**To fix:**
+- \`sonarqube({ action: "hotspots" })\` — List security hotspots
+- \`sonarqube({ action: "reviewhotspot", resolution: "SAFE" })\` — Bulk-review all hotspots as safe
+- \`sonarqube({ action: "status" })\` — See which conditions are failing
+- \`sonarqube({ action: "duplications" })\` — Check code duplication`;
+    }
     return `## SonarQube Analysis Results
 
 **Quality Gate: ${qualityGateStatus}**
@@ -20288,8 +20332,20 @@ async function handleStatus(ctx) {
     output += `
 ### Failed Conditions
 `;
+    const hasHotspotCondition = failedConditions.some((c) => c.metricKey.includes("security_hotspots") || c.metricKey.includes("hotspot"));
     for (const condition of failedConditions) {
       output += `- **${condition.metricKey}**: ${condition.actualValue} (threshold: ${condition.errorThreshold})
+`;
+    }
+    if (hasHotspotCondition) {
+      output += `
+### How to Fix Security Hotspot Condition
+The Quality Gate is failing because unreviewed security hotspots exist.
+You can review them directly:
+
+1. **List hotspots:** \`sonarqube({ action: "hotspots" })\`
+2. **Bulk-review all as safe:** \`sonarqube({ action: "reviewhotspot", resolution: "SAFE" })\`
+3. **Review individually:** \`sonarqube({ action: "reviewhotspot", hotspotKey: "<key>", resolution: "SAFE", comment: "reason" })\`
 `;
     }
   }
@@ -20338,38 +20394,103 @@ async function handleHotspots(ctx) {
     output += `### Hotspots Requiring Review
 
 `;
-    output += `| Risk | File | Line | Issue |
+    output += `| # | Risk | Key | File | Line | Issue |
 `;
-    output += `|------|------|------|-------|
+    output += `|---|------|-----|------|------|-------|
 `;
-    for (const hotspot of toReview.slice(0, 20)) {
+    for (let i = 0;i < Math.min(toReview.length, 50); i++) {
+      const hotspot = toReview[i];
       const risk = hotspot.vulnerabilityProbability;
       const file2 = hotspot.component.split(":").pop() ?? hotspot.component;
       const line = hotspot.line ?? "?";
-      const msg = hotspot.message.length > 60 ? hotspot.message.substring(0, 57) + "..." : hotspot.message;
-      output += `| ${risk} | ${file2} | ${line} | ${msg} |
+      const msg = hotspot.message.length > 50 ? hotspot.message.substring(0, 47) + "..." : hotspot.message;
+      output += `| ${i + 1} | ${risk} | \`${hotspot.key.substring(0, 8)}\` | ${file2} | ${line} | ${msg} |
 `;
     }
-    if (toReview.length > 20) {
+    if (toReview.length > 50) {
       output += `
-*... and ${toReview.length - 20} more hotspots*
+*... and ${toReview.length - 50} more hotspots*
 `;
     }
     output += `
-### Review Guidelines
+### How to Review Hotspots
+
+You can review hotspots directly using this tool:
 
-1. **HIGH risk**: Review immediately - potential security vulnerability
-2. **MEDIUM risk**: Review soon - possible security concern
-3. **LOW risk**: Review when convenient - minor security consideration
+**Review a single hotspot:**
+\`\`\`
+sonarqube({ action: "reviewhotspot", hotspotKey: "<key>", resolution: "SAFE", comment: "Reviewed: no security risk because..." })
+\`\`\`
 
-For each hotspot, determine if it's:
-- **Safe**: The code is secure despite the warning
-- **Fixed**: The vulnerability has been remediated
-- **At Risk**: Requires code changes to fix
+**Review ALL pending hotspots as SAFE:**
+\`\`\`
+sonarqube({ action: "reviewhotspot", resolution: "SAFE", comment: "Bulk review: all hotspots verified safe" })
+\`\`\`
+
+**Resolutions:**
+- \`SAFE\` — The code is secure despite the warning (most common)
+- \`FIXED\` — The vulnerability has been remediated
+- \`ACKNOWLEDGED\` — Known risk, accepted
+
+### Review Guidelines
+
+1. **HIGH risk**: Review the code carefully — potential security vulnerability
+2. **MEDIUM risk**: Check regex patterns, randomness, protocol usage
+3. **LOW risk**: Usually informational — hardcoded IPs, HTTP URLs in non-production code
 `;
   }
   return output;
 }
+async function handleReviewHotspot(ctx, hotspotKey, resolution, comment) {
+  const { api: api2, projectKey } = ctx;
+  const validResolutions = ["SAFE", "FIXED", "ACKNOWLEDGED"];
+  const res = resolution?.toUpperCase() ?? "SAFE";
+  if (!validResolutions.includes(res)) {
+    return `**Error:** Invalid resolution "${resolution}". Must be one of: SAFE, FIXED, ACKNOWLEDGED`;
+  }
+  if (!hotspotKey) {
+    const toReview = await api2.issues.getSecurityHotspotsToReview(projectKey);
+    if (toReview.length === 0) {
+      return formatSuccess("Review Hotspots", "No pending hotspots to review. All hotspots have already been reviewed.");
+    }
+    const result = await api2.issues.bulkReviewHotspots(toReview.map((h) => h.key), res, comment ?? `Bulk reviewed as ${res} via opencode-sonarqube plugin`);
+    let output = `## Hotspot Bulk Review Complete
+
+**Project:** \`${projectKey}\`
+**Resolution:** ${res}
+**Reviewed:** ${result.success} hotspots
+**Failed:** ${result.failed} hotspots
+`;
+    if (result.errors.length > 0) {
+      output += `
+### Errors
+`;
+      for (const err of result.errors.slice(0, 10)) {
+        output += `- ${err}
+`;
+      }
+    }
+    output += `
+> Run \`sonarqube({ action: "status" })\` to check the updated Quality Gate.`;
+    return output;
+  }
+  try {
+    await api2.issues.reviewHotspot(hotspotKey, "REVIEWED", res, comment ?? `Reviewed as ${res} via opencode-sonarqube plugin`);
+    return `## Hotspot Reviewed
+
+**Hotspot:** \`${hotspotKey}\`
+**Status:** REVIEWED
+**Resolution:** ${res}
+${comment ? `**Comment:** ${comment}` : ""}
+
+> Run \`sonarqube({ action: "hotspots" })\` to see remaining hotspots.`;
+  } catch (error45) {
+    const msg = error45 instanceof Error ? error45.message : String(error45);
+    return `**Error reviewing hotspot:** ${msg}
+
+Make sure the hotspot key is correct. Use \`sonarqube({ action: "hotspots" })\` to list hotspot keys.`;
+  }
+}
 // src/tools/handlers/duplications.ts
 async function handleDuplications(ctx) {
   const { api: api2, projectKey } = ctx;
@@ -20496,14 +20617,17 @@ Run \`sonarqube({ action: "analyze" })\` to generate metrics.`));
 // src/tools/sonarqube.ts
 var logger10 = new Logger("sonarqube-tool");
 var SonarQubeToolArgsSchema = exports_external2.object({
-  action: exports_external2.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform: analyze (run scanner), issues (all issues), newissues (only new code issues), status (quality gate), init/setup (initialize), validate (enterprise check), hotspots (security review), duplications (code duplicates), rule (explain rule), history (past analyses), profile (quality profile), branches (branch status), metrics (detailed metrics), worstfiles (files with most issues)"),
+  action: exports_external2.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "reviewhotspot", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform: analyze (run scanner), issues (all issues), newissues (only new code issues), status (quality gate), init/setup (initialize), validate (enterprise check), hotspots (security review), duplications (code duplicates), rule (explain rule), history (past analyses), profile (quality profile), branches (branch status), metrics (detailed metrics), worstfiles (files with most issues)"),
   scope: exports_external2.enum(["all", "new", "changed"]).optional().default("all").describe("Scope of analysis: all files, only new code, or changed files"),
   severity: exports_external2.enum(["blocker", "critical", "major", "minor", "info", "all"]).optional().default("all").describe("Filter issues by minimum severity level"),
   fix: exports_external2.boolean().optional().default(false).describe("If true, include fix suggestions in the response"),
   projectKey: exports_external2.string().optional().describe("Override the project key (usually auto-detected)"),
   force: exports_external2.boolean().optional().default(false).describe("Force re-initialization even if already set up"),
   ruleKey: exports_external2.string().optional().describe("Rule key to explain (e.g., 'typescript:S1234') - required for 'rule' action"),
-  branch: exports_external2.string().optional().describe("Branch name for multi-branch analysis (default: main branch)")
+  branch: exports_external2.string().optional().describe("Branch name for multi-branch analysis (default: main branch)"),
+  hotspotKey: exports_external2.string().optional().describe("Hotspot key to review (UUID). If omitted with 'reviewhotspot' action, all TO_REVIEW hotspots are bulk-reviewed."),
+  resolution: exports_external2.enum(["SAFE", "FIXED", "ACKNOWLEDGED"]).optional().describe("Hotspot review resolution: SAFE (no risk), FIXED (remediated), ACKNOWLEDGED (accepted risk)"),
+  comment: exports_external2.string().optional().describe("Review comment explaining the decision")
 });
 async function executeSonarQubeTool(args, context) {
   const directory = context.directory ?? process.cwd();
@@ -20556,6 +20680,8 @@ ${setupResult.message}`);
         return await handleValidate(ctx);
       case "hotspots":
         return await handleHotspots(ctx);
+      case "reviewhotspot":
+        return await handleReviewHotspot(ctx, args.hotspotKey, args.resolution, args.comment);
       case "duplications":
         return await handleDuplications(ctx);
       case "rule":
@@ -21148,6 +21274,90 @@ Git operation completed with changes. Consider running:
       }
     };
   };
+  const buildSystemTransformContext = async (_input) => {
+    safeLog(`=== system.transform ENTERED ===`);
+    const inputAny = _input;
+    const sessionID = inputAny?.sessionID;
+    const sessionDir = sessionID ? getDirectoryForSession(sessionID) : undefined;
+    const dir = sessionDir || effectiveDirectory;
+    safeLog(`  dir used: "${dir}"`);
+    const now = Date.now();
+    const cachedEntry = transformCacheMap.get(dir);
+    if (cachedEntry && now - cachedEntry.timestamp < TRANSFORM_CACHE_TTL_MS) {
+      return cachedEntry.data;
+    }
+    await loadPluginConfig();
+    const sonarConfig = pluginConfig?.["sonarqube"];
+    const config3 = loadConfig(sonarConfig);
+    if (!config3 || config3.level === "off") {
+      transformCacheMap.set(dir, { data: undefined, timestamp: now });
+      return;
+    }
+    const state = await getProjectState(dir);
+    if (!state?.projectKey) {
+      transformCacheMap.set(dir, { data: undefined, timestamp: now });
+      return;
+    }
+    const api2 = createSonarQubeAPI(config3, state);
+    const [qgStatus, counts, newCodeResponse] = await Promise.all([
+      api2.qualityGate.getStatus(state.projectKey),
+      api2.issues.getCounts(state.projectKey),
+      api2.issues.search({
+        projectKey: state.projectKey,
+        inNewCode: true,
+        resolved: false,
+        pageSize: 1
+      }).catch(() => ({ paging: { total: 0 } }))
+    ]);
+    const qgFailed = qgStatus.projectStatus.status !== "OK";
+    const newCodeIssues = newCodeResponse.paging.total;
+    const hasIssues = counts.blocker > 0 || counts.critical > 0;
+    if (!hasIssues && !qgFailed && newCodeIssues === 0) {
+      transformCacheMap.set(dir, { data: undefined, timestamp: now });
+      return;
+    }
+    const hotspotInfo = await buildHotspotInfo(api2, state.projectKey);
+    const systemContext = formatSystemContext(qgStatus.projectStatus.status, qgFailed, counts, newCodeIssues, hotspotInfo, config3.level);
+    transformCacheMap.set(dir, { data: systemContext, timestamp: now });
+    return systemContext;
+  };
+  const buildHotspotInfo = async (api2, projectKey) => {
+    try {
+      const hotspotsToReview = await api2.issues.getSecurityHotspotsToReview(projectKey);
+      if (hotspotsToReview.length > 0) {
+        return `**Security Hotspots:** ${hotspotsToReview.length} unreviewed hotspots (may cause Quality Gate to fail)
+**To fix:** \`sonarqube({ action: "hotspots" })\` to list, then \`sonarqube({ action: "reviewhotspot", resolution: "SAFE" })\` to bulk-review
+`;
+      }
+    } catch {}
+    return "";
+  };
+  const formatSystemContext = (qgStatusText, qgFailed, counts, newCodeIssues, hotspotInfo, level) => {
+    const lines = [
+      "## SonarQube Code Quality Status",
+      "",
+      `**Quality Gate:** ${qgStatusText}${qgFailed ? " (FAILED)" : ""}`,
+      `**Outstanding Issues:** ${counts.blocker} blockers, ${counts.critical} critical, ${counts.major} major`
+    ];
+    if (newCodeIssues > 0) {
+      lines.push(`**New Code Issues:** ${newCodeIssues} issues in recent changes`);
+    }
+    if (hotspotInfo) {
+      lines.push(hotspotInfo);
+    }
+    if (counts.blocker > 0) {
+      lines.push("**IMPORTANT:** There are BLOCKER issues that must be fixed before shipping code.");
+    }
+    if (level === "enterprise") {
+      lines.push("This project follows enterprise-level quality standards (zero tolerance for issues).");
+    }
+    lines.push("", "**Recommended Actions:**", '- `sonarqube({ action: "newissues" })` - See issues in your recent changes (Clean as You Code)', '- `sonarqube({ action: "worstfiles" })` - Find files needing most attention', '- `sonarqube({ action: "issues" })` - See all issues');
+    if (hotspotInfo) {
+      lines.push('- `sonarqube({ action: "reviewhotspot", resolution: "SAFE" })` - Bulk-review all security hotspots as safe');
+    }
+    return lines.join(`
+`);
+  };
   safeLog(`=== PLUGIN INIT COMPLETE, returning hooks ===`);
   safeLog(`  This instance's pluginImportUrl: "${pluginImportUrl}"`);
   safeLog(`  This instance's effectiveDirectory: "${effectiveDirectory}"`);
@@ -21182,73 +21392,10 @@ Git operation completed with changes. Consider running:
       }
     }, "experimental.session.compacting"),
     "experimental.chat.system.transform": safeAsync(async (_input, output) => {
-      safeLog(`=== system.transform ENTERED ===`);
-      const inputAny = _input;
-      const sessionID = inputAny?.sessionID;
-      safeLog(`  sessionID: "${sessionID}"`);
-      const sharedState = readSharedState();
-      safeLog(`  sharedState sessions: ${JSON.stringify(sharedState.sessionToDirectory)}`);
-      safeLog(`  sharedState directories: ${JSON.stringify(sharedState.registeredDirectories)}`);
-      const sessionDir = sessionID ? getDirectoryForSession(sessionID) : undefined;
-      safeLog(`  sessionDir from shared state: "${sessionDir}"`);
-      safeLog(`  effectiveDirectory (fallback): "${effectiveDirectory}"`);
-      const dir = sessionDir || effectiveDirectory;
-      safeLog(`  FINAL dir used: "${dir}"`);
-      const now = Date.now();
-      const cachedEntry = transformCacheMap.get(dir);
-      if (cachedEntry && now - cachedEntry.timestamp < TRANSFORM_CACHE_TTL_MS) {
-        if (cachedEntry.data) {
-          output.system.push(cachedEntry.data);
-        }
-        return;
-      }
-      await loadPluginConfig();
-      const sonarConfig = pluginConfig?.["sonarqube"];
-      const config3 = loadConfig(sonarConfig);
-      if (!config3 || config3.level === "off") {
-        safeLog(`  config level is off or null, returning early`);
-        transformCacheMap.set(dir, { data: undefined, timestamp: now });
-        return;
+      const systemContext = await buildSystemTransformContext(_input);
+      if (systemContext) {
+        output.system.push(systemContext);
       }
-      const state = await getProjectState(dir);
-      if (!state?.projectKey) {
-        transformCacheMap.set(dir, { data: undefined, timestamp: now });
-        return;
-      }
-      const api2 = createSonarQubeAPI(config3, state);
-      const [qgStatus, counts, newCodeResponse] = await Promise.all([
-        api2.qualityGate.getStatus(state.projectKey),
-        api2.issues.getCounts(state.projectKey),
-        api2.issues.search({
-          projectKey: state.projectKey,
-          inNewCode: true,
-          resolved: false,
-          pageSize: 1
-        }).catch(() => ({ paging: { total: 0 } }))
-      ]);
-      const hasIssues = counts.blocker > 0 || counts.critical > 0;
-      const qgFailed = qgStatus.projectStatus.status !== "OK";
-      const newCodeIssues = newCodeResponse.paging.total;
-      if (!hasIssues && !qgFailed && newCodeIssues === 0) {
-        transformCacheMap.set(dir, { data: undefined, timestamp: now });
-        return;
-      }
-      const systemContext = `## SonarQube Code Quality Status
-
-**Quality Gate:** ${qgStatus.projectStatus.status}${qgFailed ? " (FAILED)" : ""}
-**Outstanding Issues:** ${counts.blocker} blockers, ${counts.critical} critical, ${counts.major} major
-${newCodeIssues > 0 ? `**New Code Issues:** ${newCodeIssues} issues in recent changes
-` : ""}
-${counts.blocker > 0 ? `**IMPORTANT:** There are BLOCKER issues that must be fixed before shipping code.
-` : ""}
-${config3.level === "enterprise" ? `This project follows enterprise-level quality standards (zero tolerance for issues).
-` : ""}
-**Recommended Actions:**
-- \`sonarqube({ action: "newissues" })\` - See issues in your recent changes (Clean as You Code)
-- \`sonarqube({ action: "worstfiles" })\` - Find files needing most attention
-- \`sonarqube({ action: "issues" })\` - See all issues`;
-      transformCacheMap.set(dir, { data: systemContext, timestamp: now });
-      output.system.push(systemContext);
     }, "experimental.chat.system.transform"),
     tool: {
       sonarqube: tool({
@@ -21263,6 +21410,7 @@ Actions:
 - status: Get quality gate status and metrics
 - validate: Check if project meets enterprise quality standards
 - hotspots: Get security hotspots that need review
+- reviewhotspot: Review/resolve security hotspots (mark as SAFE, FIXED, or ACKNOWLEDGED)
 - duplications: Find code duplications across the project
 - rule: Explain a specific SonarQube rule
 - history: Show past analysis history
@@ -21276,16 +21424,22 @@ Example usage:
 - sonarqube({ action: "newissues" }) - Issues only in your recent changes
 - sonarqube({ action: "worstfiles" }) - Files needing most attention
 - sonarqube({ action: "issues", severity: "critical" }) - Get critical+ issues
-- sonarqube({ action: "status" }) - Check quality gate status`,
+- sonarqube({ action: "status" }) - Check quality gate status
+- sonarqube({ action: "hotspots" }) - List security hotspots
+- sonarqube({ action: "reviewhotspot", resolution: "SAFE" }) - Bulk-review all hotspots as SAFE
+- sonarqube({ action: "reviewhotspot", hotspotKey: "abc123", resolution: "SAFE", comment: "No risk" }) - Review single hotspot`,
         args: {
-          action: tool.schema.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform"),
+          action: tool.schema.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "reviewhotspot", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform"),
           scope: tool.schema.enum(["all", "new", "changed"]).optional().describe("Scope of analysis"),
           severity: tool.schema.enum(["blocker", "critical", "major", "minor", "info", "all"]).optional().describe("Filter issues by minimum severity"),
           fix: tool.schema.boolean().optional().describe("Include fix suggestions in response"),
           projectKey: tool.schema.string().optional().describe("Override project key"),
           force: tool.schema.boolean().optional().describe("Force re-initialization"),
           ruleKey: tool.schema.string().optional().describe("Rule key to explain (e.g., 'typescript:S1234')"),
-          branch: tool.schema.string().optional().describe("Branch name for multi-branch projects")
+          branch: tool.schema.string().optional().describe("Branch name for multi-branch projects"),
+          hotspotKey: tool.schema.string().optional().describe("Hotspot key (UUID) to review. If omitted with reviewhotspot action, all pending hotspots are bulk-reviewed."),
+          resolution: tool.schema.string().optional().describe("Hotspot review resolution: SAFE, FIXED, or ACKNOWLEDGED"),
+          comment: tool.schema.string().optional().describe("Review comment explaining the decision")
         },
         async execute(args, _ctx) {
           const result = await executeSonarQubeTool({
@@ -21296,7 +21450,10 @@ Example usage:
             projectKey: args.projectKey,
             force: args.force ?? false,
             ruleKey: args.ruleKey,
-            branch: args.branch
+            branch: args.branch,
+            hotspotKey: args.hotspotKey,
+            resolution: args.resolution,
+            comment: args.comment
           }, {
             directory: getDirectory(),
             config: pluginConfig

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sonarqube",
-  "version": "2.0.3",
+  "version": "2.1.1",
   "description": "OpenCode Plugin for SonarQube integration - Enterprise-level code quality from the start",
   "type": "module",
   "main": "dist/index.js",
@@ -38,7 +38,7 @@
   "homepage": "https://github.com/mguttmann/opencode-sonarqube#readme",
   "dependencies": {
     "@opencode-ai/plugin": "^1.1.34",
-    "opencode-sonarqube": "^1.2.45",
+    "opencode-sonarqube": "latest",
     "zod": "^3.24.0"
   },
   "devDependencies": {