projscan 2.8.0 → 3.0.0

package/docs/PLUGIN-GALLERY.md

@@ -0,0 +1,61 @@
+# Plugin Gallery
+
+These examples are packaged with projscan under `docs/examples/plugins/`. Copy
+the manifest and module into `.projscan-plugins/`, then run:
+
+```bash
+projscan plugin validate .projscan-plugins/<name>.projscan-plugin.json
+projscan plugin test .projscan-plugins/<name>.projscan-plugin.json
+PROJSCAN_PLUGINS_PREVIEW=1 projscan doctor
+```
+
+Local plugins are code execution. Only enable plugins you trust.
+
+## Analyzer Plugins
+
+### `policy`
+
+Flags TypeScript files under a `legacy` path so teams can keep local migration
+rules close to the repo.
+
+Files:
+- `docs/examples/plugins/policy.projscan-plugin.json`
+- `docs/examples/plugins/policy.mjs`
+
+### `security-radar`
+
+Flags common local security review triggers:
+- committed `.env` style files
+- package scripts that pipe `curl` or `wget` output into a shell
+
+Files:
+- `docs/examples/plugins/security-radar.projscan-plugin.json`
+- `docs/examples/plugins/security-radar.mjs`
+
+## Reporter Plugins
+
+### `team-radar`
+
+Renders `doctor`, `analyze`, and `ci` output in a compact team health voice.
+
+Files:
+- `docs/examples/plugins/team-radar.projscan-plugin.json`
+- `docs/examples/plugins/team-radar.mjs`
+
+### `release-readiness`
+
+Renders `doctor`, `analyze`, and `ci` output as a release approval summary with
+score, blocking issue count, warnings, and a continue/hold decision.
+
+Files:
+- `docs/examples/plugins/release-readiness.projscan-plugin.json`
+- `docs/examples/plugins/release-readiness.mjs`
+
+## Suggested Adoption Path
+
+1. Start with `projscan init mcp --client all` to wire projscan into your MCP
+   client.
+2. Run `projscan recipes` to pick an agent workflow.
+3. Copy one gallery plugin into `.projscan-plugins/` only when you need local
+   policy or team-specific reporting.
+4. Keep MCP tools structured; use reporter plugins for human presentation.

package/docs/examples/plugins/release-readiness.mjs

@@ -0,0 +1,26 @@
+export default {
+  render: async ({ command, payload }) => {
+    if (command === 'ci') {
+      const ci = payload.ci;
+      return [
+        `release-readiness: ${ci.pass ? 'ready' : 'not ready'}`,
+        `score: ${ci.score}/100 (${ci.grade})`,
+        `issues: ${ci.totalIssues}`,
+        `threshold: ${ci.threshold}`,
+      ].join('\n');
+    }
+
+    const issues = Array.isArray(payload.issues) ? payload.issues : [];
+    const health = payload.health;
+    const errors = issues.filter((issue) => issue.severity === 'error').length;
+    const warnings = issues.filter((issue) => issue.severity === 'warning').length;
+
+    return [
+      `release-readiness ${command}`,
+      `score: ${health?.score ?? 'n/a'}/100 (${health?.grade ?? 'n/a'})`,
+      `blocking: ${errors}`,
+      `warnings: ${warnings}`,
+      errors > 0 ? 'decision: hold release' : 'decision: continue release checks',
+    ].join('\n');
+  },
+};

package/docs/examples/plugins/release-readiness.projscan-plugin.json

@@ -0,0 +1,8 @@
+{
+  "schemaVersion": 1,
+  "name": "release-readiness",
+  "kind": "reporter",
+  "module": "./release-readiness.mjs",
+  "commands": ["doctor", "analyze", "ci"],
+  "description": "Renders doctor, analyze, and ci output as a release approval summary"
+}

package/docs/examples/plugins/security-radar.mjs

@@ -0,0 +1,50 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+export default {
+  check: async (rootPath, files) => {
+    const issues = [];
+
+    for (const file of files) {
+      if (/^\.env(\.|$)/.test(path.basename(file.relativePath))) {
+        issues.push({
+          id: 'committed-env-file',
+          title: 'Committed environment file',
+          description: `${file.relativePath} looks like a committed environment file. Confirm it contains no secrets before release.`,
+          severity: 'warning',
+          category: 'security',
+          fixAvailable: false,
+          locations: [{ file: file.relativePath, line: 1 }],
+        });
+      }
+    }
+
+    const packageJson = files.find((file) => file.relativePath === 'package.json');
+    if (!packageJson) return issues;
+
+    try {
+      const parsed = JSON.parse(await fs.readFile(path.join(rootPath, 'package.json'), 'utf-8'));
+      const scripts = parsed && typeof parsed === 'object' ? parsed.scripts : undefined;
+      if (!scripts || typeof scripts !== 'object') return issues;
+
+      for (const [name, command] of Object.entries(scripts)) {
+        if (typeof command !== 'string') continue;
+        if (/\bcurl\b.*\|\s*(?:sh|bash)|\bwget\b.*\|\s*(?:sh|bash)/.test(command)) {
+          issues.push({
+            id: `script-fetch-pipe-${name}`,
+            title: 'Install script pipes network content to a shell',
+            description: `package.json script "${name}" fetches remote content and pipes it into a shell.`,
+            severity: 'warning',
+            category: 'security',
+            fixAvailable: false,
+            locations: [{ file: 'package.json', line: 1 }],
+          });
+        }
+      }
+    } catch {
+      return issues;
+    }
+
+    return issues;
+  },
+};

package/docs/examples/plugins/security-radar.projscan-plugin.json

@@ -0,0 +1,8 @@
+{
+  "schemaVersion": 1,
+  "name": "security-radar",
+  "kind": "analyzer",
+  "module": "./security-radar.mjs",
+  "category": "security",
+  "description": "Flags common local security review triggers such as committed env files and shell-fetch install scripts"
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "projscan",
   "mcpName": "io.github.abhiyoheswaran1/projscan",
-  "version": "2.8.0",
-  "description": "Agent-first code intelligence. MCP server (2025-03-26) with AST parsing for JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
+  "version": "3.0.0",
+  "description": "Agent-first code intelligence. MCP server (2025-03-26) with AST parsing for JavaScript, TypeScript, Python, Go, Java, Ruby, Rust, PHP, C#, Kotlin, Swift, and C++; stable v3 semantic graph (projscan_semantic_graph), dataflow risk engine with bridge-helper detection (projscan_dataflow), code graph, file + per-function AST cyclomatic complexity, per-function fan-in + fan-out, coupling + cycle detection, structural PR diff with HTML reporter, coverage report with HTML reporter, intent-grounded one-call PR review (projscan_review with optional `intent` arg, new taint flows, contract changes, and newDataflowRisks) and long-running PR-watch mode with structured per-bucket deltas (projscan_review_watch), agent workplans (projscan_workplan), bug-hunt queues (projscan_bug_hunt), product-line planning (projscan_release_train), evidence packs (projscan_evidence_pack), regression planning (projscan_regression_plan), agent briefs (projscan_agent_brief), quality scorecards (projscan_quality_scorecard), and preflight with supply-chain IOC evidence, rule-driven fix suggestions + mechanical apply layer with rollback (projscan_apply_fix, projscan_fix_suggest, projscan_explain_issue), source-to-sink taint analysis (projscan_taint) with truncation reporting, transitive blast-radius analysis with cross-repo mode (projscan_impact for files and symbols), cross-repo workspace registration + intelligence (projscan_workspace_graph), per-function semantic search chunks (sub-file embeddings), per-rule confidence + severity drift + cost-summary analytics with live streaming (projscan_cost_summary), stable local analyzer + reporter plugin API (projscan_plugin, CLI --reporter, opt-in via PROJSCAN_PLUGINS_PREVIEW=1), monorepo workspace awareness with cross-package import policy + per-package dependencies / outdated / audit, BM25 + optional semantic search, cursor pagination, progress notifications, context-budgeted output, and a stable-surface CI guard. CLI on the side.",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -14,6 +14,7 @@
     "README.md",
     "docs/2.0-MIGRATION.md",
     "docs/PLUGIN-AUTHORING.md",
+    "docs/PLUGIN-GALLERY.md",
     "docs/plugin.schema.json",
     "docs/examples/plugins"
   ],