xp-gate 0.5.1

package/adapter-common.sh

@@ -0,0 +1,192 @@
+#!/usr/bin/env bash
+
+# Common adapter functions for language detection and routing
+
+detect_project_lang() {
+  if [[ -f "tsconfig.json" ]]; then
+    echo "typescript"
+  elif [[ -f "pyproject.toml" ]] || [[ -f "requirements.txt" ]] || [[ -f "setup.py" ]]; then
+    echo "python"
+  elif [[ -f "go.mod" ]]; then
+    echo "go"
+  elif [[ -f "build.gradle" ]] || [[ -f "build.gradle.kts" ]]; then
+    if [[ -n "$(find . -name "*.kt" -type f | head -n 1)" ]]; then
+      echo "kotlin"
+    else
+      echo "java"
+    fi
+  elif [[ -f "pom.xml" ]]; then
+    echo "java"
+  elif [[ -f "pubspec.yaml" ]]; then
+    if grep -q "flutter:" "pubspec.yaml" 2>/dev/null || [[ -f ".metadata" ]]; then
+      echo "flutter"
+    else
+      echo "dart"
+    fi
+  elif [[ -n "$(find . -name "*.ps1" -type f | head -n 1)" ]]; then
+    echo "powershell"
+  elif [[ -f "Package.swift" ]]; then
+    echo "swift"
+  elif [[ -f "CMakeLists.txt" ]] || [[ -n "$(find . -name "*.cpp" -o -name "*.cc" -type f | head -n 1)" ]]; then
+    echo "cpp"
+  elif [[ -n "$(find . -name "*.m" -o -name "*.mm" -type f | head -n 1)" ]]; then
+    echo "objectivec"
+  elif [[ -n "$(find . -name "*.sh" -type f | head -n 1)" ]] || [[ -n "$(find . -name "Dockerfile" -o -name "*.dockerfile" -type f | head -n 1)" ]]; then
+    echo "shell"
+  elif [[ -n "$(find . -name "*.ps1" -type f -not -path "./.git/*" | head -n 1)" ]]; then
+    echo "powershell"
+  else
+    if [[ -n "$(find . -name "*.ts" -o -name "*.tsx" -type f | head -n 1)" ]]; then
+      echo "typescript"
+    elif [[ -n "$(find . -name "*.py" -type f | head -n 1)" ]]; then
+      echo "python"
+    elif [[ -n "$(find . -name "*.go" -type f | head -n 1)" ]]; then
+      echo "go"
+    elif [[ -n "$(find . -name "*.kt" -type f | head -n 1)" ]]; then
+      echo "kotlin"
+    elif [[ -n "$(find . -name "*.java" -type f | head -n 1)" ]]; then
+      echo "java"
+    elif [[ -n "$(find . -name "*.dart" -type f | head -n 1)" ]]; then
+      if grep -q "flutter:" "pubspec.yaml" 2>/dev/null || [[ -f ".flutter" ]]; then
+        echo "flutter"
+      else
+        echo "dart"
+      fi
+    elif [[ -n "$(find . -name "*.swift" -type f | head -n 1)" ]]; then
+      echo "swift"
+    elif [[ -n "$(find . -name "*.cpp" -o -name "*.cc" -o -name "*.c" -o -name "*.h" -type f | head -n 1)" ]]; then
+      echo "cpp"
+    elif [[ -n "$(find . -name "*.m" -o -name "*.mm" -type f | head -n 1)" ]]; then
+      echo "objectivec"
+    elif [[ -n "$(find . -name "*.sh" -type f | head -n 1)" ]]; then
+      echo "shell"
+    elif [[ -n "$(find . -name "*.ps1" -type f -not -path "./.git/*" | head -n 1)" ]]; then
+      echo "powershell"
+    else
+      echo "unknown"
+    fi
+  fi
+}
+
+route_to_adapter() {
+  local action="$1"
+  local lang
+  lang=$(detect_project_lang)
+  
+  # Source the appropriate adapter
+  if [[ -f "githooks/adapters/${lang}.sh" ]]; then
+    # shellcheck source=githooks/adapters/"${lang}".sh
+    source "githooks/adapters/${lang}.sh"
+    
+    # Execute the requested action
+    case "$action" in
+      "static_analysis") run_static_analysis ;;
+      "lint") run_lint ;;
+      "tests") run_tests ;;
+      "coverage") run_coverage ;;
+      *) return 1 ;;
+    esac
+  elif [[ -f "./githooks/adapters/${lang}.sh" ]]; then
+    # Alternative: source with ./ prefix
+    # shellcheck source=./githooks/adapters/"${lang}".sh
+    source "./githooks/adapters/${lang}.sh"
+    
+    # Execute the requested action
+    case "$action" in
+      "static_analysis") run_static_analysis ;;
+      "lint") run_lint ;;
+      "tests") run_tests ;;
+      "coverage") run_coverage ;;
+      *) return 1 ;;
+    esac
+  else
+    echo "No adapter found for language: $lang"
+    return 1
+  fi
+}
+
+check_if_tool_available() {
+  local tool_name="$1"
+  
+  # Check if command exists
+  if command -v "$tool_name" >/dev/null 2>&1; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+require_tool() {
+  local tool_name="$1"
+  local gate_name="${2:-Gate}"
+  local install_hint="${3:-}"
+  
+  if command -v "$tool_name" >/dev/null 2>&1; then
+    return 0
+  fi
+  
+  if command -v npx >/dev/null 2>&1 && npx --no-install "$tool_name" --version >/dev/null 2>&1; then
+    return 0
+  fi
+  
+  echo "❌ BLOCKED - Required tool '$tool_name' not available for $gate_name"
+  if [[ -n "$install_hint" ]]; then
+    echo "   Install: $install_hint"
+  fi
+  echo "   Per QUALITY-GATES-CODE-OF-CONDUCT.md: tool unavailable = BLOCK, not SKIP"
+  return 1
+}
+
+# Detect if project has IaC files (Terraform, Kubernetes, Docker)
+detect_iac_project() {
+  local has_iac=false
+  
+  # Check for Terraform files
+  if [[ -n "$(find . -maxdepth 2 -name "*.tf" -not -path "./.git/*" 2>/dev/null | head -1)" ]]; then
+    has_iac=true
+  fi
+  
+  # Check for Kubernetes manifests (YAML with apiVersion/kind)
+  if [[ -n "$(find . -maxdepth 2 \( -name "*.yaml" -o -name "*.yml" \) -not -path "./.git/*" 2>/dev/null | head -1)" ]]; then
+    local yaml_file=$(find . -maxdepth 2 \( -name "*.yaml" -o -name "*.yml" \) -not -path "./.git/*" 2>/dev/null | head -1)
+    if grep -qE "^(apiVersion|kind):" "$yaml_file" 2>/dev/null; then
+      has_iac=true
+    fi
+  fi
+  
+  # Check for Dockerfiles
+  if [[ -n "$(find . -maxdepth 2 -name "Dockerfile" -o -name "*.dockerfile" -not -path "./.git/*" 2>/dev/null | head -1)" ]]; then
+    has_iac=true
+  fi
+  
+  if [ "$has_iac" = true ]; then
+    echo "iac"
+  else
+    echo ""
+  fi
+}
+
+# Stryker 9.x config files (new format, takes priority)
+detect_mutation_testable() {
+  if [[ -f "stryker.config.mjs" ]] || [[ -f "stryker.config.js" ]] || \
+     [[ -f "stryker.config.cjs" ]] || [[ -f "stryker.config.json" ]]; then
+    if [[ -f "package.json" ]] && grep -qE '"@stryker-mutator[^"]*"' package.json 2>/dev/null; then
+      return 0
+    fi
+    if command -v npx >/dev/null 2>&1 && npx --no-install stryker --version >/dev/null 2>&1; then
+      return 0
+    fi
+  fi
+
+  # Legacy Stryker config files (backwards compatibility)
+  if [[ -f "stryker.conf.json" ]] || [[ -f "stryker.prepush.conf.json" ]]; then
+    if [[ -f "package.json" ]] && grep -qE '"@stryker-mutator[^"]*"' package.json 2>/dev/null; then
+      return 0
+    fi
+    if command -v npx >/dev/null 2>&1 && npx --no-install stryker --version >/dev/null 2>&1; then
+      return 0
+    fi
+  fi
+
+  return 1
+}

package/adapters/cpp.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+_detect_cpp_build() {
+  if command -v cmake &>/dev/null && [ -f "CMakeLists.txt" ]; then
+    echo "cmake"
+  elif [ -f "Makefile" ]; then
+    echo "make"
+  else
+    echo "none"
+  fi
+}
+
+run_static_analysis() {
+  if command -v clang-tidy &>/dev/null; then
+    local files
+    files=$(find . -name "*.cpp" -o -name "*.cc" -o -name "*.c" -o -name "*.h" 2>/dev/null | head -20)
+    if [ -n "$files" ]; then
+      echo "$files" | xargs clang-tidy 2>&1 | head -20
+    fi
+  elif command -v cppcheck &>/dev/null; then
+    cppcheck --enable=all --inline-suppr . 2>&1 | head -20
+  else
+    echo "No C++ analysis tools (clang-tidy/cppcheck)"
+    return 1
+  fi
+  return 0
+}
+
+run_lint() {
+  run_static_analysis
+}
+
+run_tests() {
+  local build_system
+  build_system=$(_detect_cpp_build)
+
+  if [ "$build_system" = "cmake" ]; then
+    if [ -d "build" ]; then
+      cmake --build build/ 2>&1 | tail -5
+      cd build && ctest --output-on-failure 2>&1 | tail -15
+      return ${PIPESTATUS[1]}
+    else
+      cmake -B build -G Ninja 2>/dev/null || cmake -B build 2>/dev/null
+      cmake --build build/ 2>&1 | tail -5
+      cd build && ctest --output-on-failure 2>&1 | tail -15
+      return ${PIPESTATUS[1]}
+    fi
+  elif [ "$build_system" = "make" ]; then
+    make 2>&1 | tail -5
+    make test 2>&1 | tail -15
+    return ${PIPESTATUS[1]}
+  else
+    echo "No C++ build system detected"
+    return 1
+  fi
+}
+
+run_coverage() {
+  local build_system
+  build_system=$(_detect_cpp_build)
+
+  if command -v gcovr &>/dev/null; then
+    if [ "$build_system" = "cmake" ] && [ -d "build" ]; then
+      cd build && gcovr --root .. 2>&1 | tail -10
+      return $?
+    fi
+    gcovr --root . 2>&1 | tail -10
+    return $?
+  elif command -v llvm-cov &>/dev/null; then
+    llvm-cov report 2>&1 | tail -10
+    return $?
+  else
+    echo "No C++ coverage tools (gcovr/llvm-cov)"
+    return 1
+  fi
+}

package/adapters/dart.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+run_static_analysis() {
+  if command -v dart &>/dev/null; then
+    dart analyze 2>&1 | head -30
+    return $?
+  else
+    echo "Dart SDK not available"
+    return 1
+  fi
+}
+
+run_lint() {
+  if command -v dart &>/dev/null; then
+    dart format --output=none --set-exit-if-changed . 2>&1 | head -30
+    return $?
+  else
+    echo "Dart SDK not available"
+    return 1
+  fi
+}
+
+run_tests() {
+  if command -v dart &>/dev/null; then
+    dart test 2>&1 | tail -20
+    return $?
+  else
+    echo "Dart SDK not available"
+    return 1
+  fi
+}
+
+run_coverage() {
+  if command -v dart &>/dev/null; then
+    dart test --coverage=coverage 2>&1 | tail -10
+    return $?
+  else
+    echo "Dart SDK not available"
+    return 1
+  fi
+}

package/adapters/flutter.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+run_static_analysis() {
+  if command -v flutter &>/dev/null; then
+    flutter analyze 2>&1 | head -30
+    return $?
+  else
+    echo "Flutter SDK not available"
+    return 1
+  fi
+}
+
+run_lint() {
+  if command -v flutter &>/dev/null; then
+    flutter format --output=none --set-exit-if-changed . 2>&1 | head -30
+    return $?
+  else
+    echo "Flutter SDK not available"
+    return 1
+  fi
+}
+
+run_tests() {
+  if command -v flutter &>/dev/null; then
+    flutter test 2>&1 | tail -20
+    return $?
+  else
+    echo "Flutter SDK not available"
+    return 1
+  fi
+}
+
+run_coverage() {
+  if command -v flutter &>/dev/null; then
+    flutter test --coverage 2>&1 | tail -10
+    return $?
+  else
+    echo "Flutter SDK not available"
+    return 1
+  fi
+}

package/adapters/go.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# Go adapter for quality gates
+# Tools: go vet, golangci-lint, arch-go (architecture), go test
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../adapter-common.sh" 2>/dev/null || true
+
+run_static_analysis() {
+  require_tool go "Go SDK" || return 1
+
+  echo "Running Go static analysis (go vet)..."
+  go vet ./...
+  return $?
+}
+
+run_lint() {
+  if ! require_tool golangci-lint "golangci-lint" 2>/dev/null; then
+    echo "⚠ golangci-lint not available, installing..."
+    go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest 2>/dev/null
+    require_tool golangci-lint "golangci-lint" || return 0
+  fi
+
+  echo "Running Go linting (golangci-lint)..."
+  golangci-lint run ./...
+  return $?
+}
+
+run_architecture() {
+  if ! require_tool arch-go "arch-go (Go architecture checker)" 2>/dev/null; then
+    echo "⚠ arch-go not available, installing..."
+    go install github.com/arch-go/arch-go@latest 2>/dev/null
+    require_tool arch-go "arch-go" || return 0
+  fi
+
+  echo "Running Go architecture checks (arch-go)..."
+  arch-go check
+  return $?
+}
+
+run_tests() {
+  require_tool go "Go SDK" || return 1
+
+  echo "Running Go tests..."
+  go test ./...
+  return $?
+}
+
+run_coverage() {
+  require_tool go "Go SDK" || return 1
+
+  echo "Running Go coverage..."
+  go test -coverprofile=coverage.out ./...
+  local rc=$?
+  if [ $rc -eq 0 ]; then
+    go tool cover -func=coverage.out 2>/dev/null | tail -1
+  fi
+  return $rc
+}

package/adapters/iac.sh

@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+
+# IaC (Infrastructure as Code) adapter for quality gates
+# Supports: Terraform (.tf), Kubernetes (K8s *.yaml), Docker, CloudFormation
+# Tools: checkov (primary), hadolint (Docker), kube-score (K8s)
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../adapter-common.sh" 2>/dev/null || true
+
+# Detect IaC files in changed files
+detect_iac_files() {
+  local files="$1"
+  local tf_files=""
+  local yaml_files=""
+  local dockerfile_files=""
+  
+  for file in $files; do
+    case "$file" in
+      *.tf)
+        tf_files="$tf_files $file"
+        ;;
+      *.yaml|*.yml)
+        # Check if it's a K8s manifest (has apiVersion and kind)
+        if grep -qE "^(apiVersion|kind):" "$file" 2>/dev/null; then
+          yaml_files="$yaml_files $file"
+        fi
+        ;;
+      Dockerfile|*.dockerfile|Dockerfile.*)
+        dockerfile_files="$dockerfile_files $file"
+        ;;
+    esac
+  done
+  
+  echo "TERRAFORM:$tf_files"
+  echo "KUBERNETES:$yaml_files"
+  echo "DOCKER:$dockerfile_files"
+}
+
+run_static_analysis() {
+  local changed_files="$1"
+  local iac_files=$(detect_iac_files "$changed_files")
+  
+  # Check if any IaC files are present
+  local has_iac=false
+  if echo "$iac_files" | grep -qE "TERRAFORM:.*[^\s]|KUBERNETES:.*[^\s]|DOCKER:.*[^\s]"; then
+    has_iac=true
+  fi
+  
+  if [ "$has_iac" = false ]; then
+    return 0  # No IaC files, skip
+  fi
+  
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  echo "   GATE: IaC Security Scan"
+  echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+  
+  local exit_code=0
+  
+  # Try checkov first (recommended - supports multiple platforms)
+  if command -v checkov >/dev/null 2>&1; then
+    echo "Running checkov IaC security scan..."
+    
+    # Run checkov on all detected IaC files
+    local tf_files=$(echo "$iac_files" | grep "TERRAFORM:" | sed 's/TERRAFORM://')
+    local k8s_files=$(echo "$iac_files" | grep "KUBERNETES:" | sed 's/KUBERNETES://')
+    local docker_files=$(echo "$iac_files" | grep "DOCKER:" | sed 's/DOCKER://')
+    
+    if [ -n "$tf_files" ]; then
+      echo "Scanning Terraform files..."
+      for file in $tf_files; do
+        if [ -f "$file" ]; then
+          checkov --file "$file" --compact 2>&1 | tail -20
+          local tf_exit=${PIPESTATUS[0]}
+          if [ $tf_exit -ne 0 ]; then
+            exit_code=$tf_exit
+          fi
+        fi
+      done
+    fi
+    
+    if [ -n "$k8s_files" ]; then
+      echo "Scanning Kubernetes manifests..."
+      for file in $k8s_files; do
+        if [ -f "$file" ]; then
+          checkov --file "$file" --compact 2>&1 | tail -20
+          local k8s_exit=${PIPESTATUS[0]}
+          if [ $k8s_exit -ne 0 ]; then
+            exit_code=$k8s_exit
+          fi
+        fi
+      done
+    fi
+    
+    if [ -n "$docker_files" ]; then
+      echo "Scanning Dockerfiles..."
+      for file in $docker_files; do
+        if [ -f "$file" ]; then
+          checkov --file "$file" --compact 2>&1 | tail -20
+          local docker_exit=${PIPESTATUS[0]}
+          if [ $docker_exit -ne 0 ]; then
+            exit_code=$docker_exit
+          fi
+        fi
+      done
+    fi
+    
+    echo "checkov scan completed with exit code: $exit_code"
+    return $exit_code
+  fi
+  
+  # Fallback to individual tools if checkov not available
+  
+  # Try hadolint for Docker
+  local docker_files=$(echo "$iac_files" | grep "DOCKER:" | sed 's/DOCKER://')
+  if [ -n "$docker_files" ] && command -v hadolint >/dev/null 2>&1; then
+    echo "Running hadolint for Dockerfiles..."
+    for file in $docker_files; do
+      if [ -f "$file" ]; then
+        hadolint "$file" 2>&1 | tail -20
+        local hadolint_exit=${PIPESTATUS[0]}
+        if [ $hadolint_exit -ne 0 ]; then
+          exit_code=$hadolint_exit
+        fi
+      fi
+    done
+  fi
+  
+  # Try kube-score for Kubernetes
+  local k8s_files=$(echo "$iac_files" | grep "KUBERNETES:" | sed 's/KUBERNETES://')
+  if [ -n "$k8s_files" ] && command -v kube-score >/dev/null 2>&1; then
+    echo "Running kube-score for Kubernetes..."
+    for file in $k8s_files; do
+      if [ -f "$file" ]; then
+        kube-score score "$file" 2>&1 | tail -20
+        local kube_exit=${PIPESTATUS[0]}
+        if [ $kube_exit -ne 0 ]; then
+          exit_code=$kube_exit
+        fi
+      fi
+    done
+  fi
+  
+  # Try tflint for Terraform
+  local tf_files=$(echo "$iac_files" | grep "TERRAFORM:" | sed 's/TERRAFORM://')
+  if [ -n "$tf_files" ] && command -v tflint >/dev/null 2>&1; then
+    echo "Running tflint for Terraform..."
+    for file in $tf_files; do
+      if [ -f "$file" ]; then
+        tflint --chdir "$(dirname "$file")" 2>&1 | tail -20
+        local tflint_exit=${PIPESTATUS[0]}
+        if [ $tflint_exit -ne 0 ]; then
+          exit_code=$tflint_exit
+        fi
+      fi
+    done
+  fi
+  
+  # If no tools available but IaC files detected, warn user
+  if [ $exit_code -eq 0 ]; then
+    echo "⚠ IaC files detected but no scanning tools available."
+    echo "  Install checkov (recommended) or individual tools:"
+    echo "  - checkov: pip install checkov"
+    echo "  - hadolint: https://github.com/hadolint/hadolint"
+    echo "  - kube-score: https://github.com/zegl/kube-score"
+    echo "  - tflint: https://github.com/terraform-linters/tflint"
+    echo ""
+    echo "  Per QUALITY-GATES-CODE-OF-CONDUCT.md: tool unavailable = BLOCK, not SKIP"
+    return 1
+  fi
+  
+  return $exit_code
+}
+
+run_lint() {
+  # IaC linting is handled by run_static_analysis
+  run_static_analysis "$1"
+}
+
+run_tests() {
+  # IaC typically doesn't have unit tests in the traditional sense
+  # Could add integration tests with terratest (Go) or pytest (Python)
+  echo "IaC tests not configured"
+  return 0
+}
+
+run_coverage() {
+  echo "IaC coverage not available"
+  return 0
+}