crucible-mcp 0.1.0__py3-none-any.whl

crucible/tools/delegation.py

@@ -0,0 +1,326 @@
+"""Tool delegation - shell out to static analysis tools."""
+
+import json
+import shutil
+import subprocess
+from dataclasses import dataclass
+from pathlib import Path
+
+from crucible.errors import Result, err, ok
+from crucible.models import Domain, Severity, ToolFinding
+
+# Semgrep configs by domain
+SEMGREP_CONFIGS: dict[Domain, list[str]] = {
+    Domain.SMART_CONTRACT: ["p/smart-contracts", "p/solidity"],
+    Domain.FRONTEND: ["p/javascript", "p/typescript", "p/react"],
+    Domain.BACKEND: ["p/python", "p/golang", "p/rust"],
+    Domain.INFRASTRUCTURE: ["p/terraform", "p/dockerfile", "p/kubernetes"],
+    Domain.UNKNOWN: ["auto"],
+}
+
+
+@dataclass(frozen=True)
+class ToolStatus:
+    """Status of an external tool."""
+
+    name: str
+    installed: bool
+    path: str | None
+    version: str | None
+
+
+def check_tool(name: str) -> ToolStatus:
+    """Check if a tool is installed and get its version."""
+    path = shutil.which(name)
+    if not path:
+        return ToolStatus(name=name, installed=False, path=None, version=None)
+
+    # Try to get version
+    version = None
+    try:
+        if name == "semgrep":
+            result = subprocess.run([name, "--version"], capture_output=True, text=True, timeout=5)
+            version = result.stdout.strip().split("\n")[0] if result.returncode == 0 else None
+        elif name == "ruff" or name == "slither":
+            result = subprocess.run([name, "--version"], capture_output=True, text=True, timeout=5)
+            version = result.stdout.strip() if result.returncode == 0 else None
+    except (subprocess.TimeoutExpired, FileNotFoundError):
+        pass
+
+    return ToolStatus(name=name, installed=True, path=path, version=version)
+
+
+def check_all_tools() -> dict[str, ToolStatus]:
+    """Check status of all supported tools."""
+    tools = ["semgrep", "ruff", "slither", "bandit"]
+    return {name: check_tool(name) for name in tools}
+
+
+def get_semgrep_config(domain: Domain) -> str:
+    """Get the appropriate semgrep config for a domain."""
+    configs = SEMGREP_CONFIGS.get(domain, SEMGREP_CONFIGS[Domain.UNKNOWN])
+    # Join multiple configs with --config flags handled by semgrep
+    return configs[0] if configs else "auto"
+
+
+def _severity_from_semgrep(level: str) -> Severity:
+    """Map semgrep severity to our Severity enum."""
+    mapping = {
+        "ERROR": Severity.HIGH,
+        "WARNING": Severity.MEDIUM,
+        "INFO": Severity.INFO,
+    }
+    return mapping.get(level.upper(), Severity.INFO)
+
+
+def delegate_semgrep(
+    path: str,
+    config: str = "auto",
+    timeout: int = 120,
+) -> Result[list[ToolFinding], str]:
+    """
+    Run semgrep on a file or directory.
+
+    Args:
+        path: File or directory to scan
+        config: Semgrep config (auto, p/python, p/javascript, etc.)
+        timeout: Timeout in seconds
+
+    Returns:
+        Result containing list of findings or error message
+    """
+    if not Path(path).exists():
+        return err(f"Path does not exist: {path}")
+
+    try:
+        result = subprocess.run(
+            ["semgrep", "--config", config, "--json", "--quiet", path],
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+        )
+    except FileNotFoundError:
+        return err("semgrep not found. Install with: pip install semgrep")
+    except subprocess.TimeoutExpired:
+        return err(f"semgrep timed out after {timeout}s")
+
+    if result.returncode not in (0, 1):  # 1 means findings found
+        return err(f"semgrep failed: {result.stderr}")
+
+    try:
+        output = json.loads(result.stdout) if result.stdout else {"results": []}
+    except json.JSONDecodeError as e:
+        return err(f"Failed to parse semgrep output: {e}")
+
+    findings: list[ToolFinding] = []
+    for r in output.get("results", []):
+        finding = ToolFinding(
+            tool="semgrep",
+            rule=r.get("check_id", "unknown"),
+            severity=_severity_from_semgrep(r.get("extra", {}).get("severity", "INFO")),
+            message=r.get("extra", {}).get("message", r.get("check_id", "")),
+            location=f"{r.get('path', '?')}:{r.get('start', {}).get('line', '?')}",
+            suggestion=r.get("extra", {}).get("fix", None),
+        )
+        findings.append(finding)
+
+    return ok(findings)
+
+
+def delegate_ruff(
+    path: str,
+    timeout: int = 60,
+) -> Result[list[ToolFinding], str]:
+    """
+    Run ruff on a Python file or directory.
+
+    Args:
+        path: File or directory to scan
+        timeout: Timeout in seconds
+
+    Returns:
+        Result containing list of findings or error message
+    """
+    if not Path(path).exists():
+        return err(f"Path does not exist: {path}")
+
+    try:
+        result = subprocess.run(
+            ["ruff", "check", "--output-format=json", path],
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+        )
+    except FileNotFoundError:
+        return err("ruff not found. Install with: pip install ruff")
+    except subprocess.TimeoutExpired:
+        return err(f"ruff timed out after {timeout}s")
+
+    try:
+        output = json.loads(result.stdout) if result.stdout else []
+    except json.JSONDecodeError as e:
+        return err(f"Failed to parse ruff output: {e}")
+
+    findings: list[ToolFinding] = []
+    for r in output:
+        finding = ToolFinding(
+            tool="ruff",
+            rule=r.get("code", "unknown"),
+            severity=_severity_from_ruff(r.get("code", "")),
+            message=r.get("message", ""),
+            location=f"{r.get('filename', '?')}:{r.get('location', {}).get('row', '?')}",
+            suggestion=r.get("fix", {}).get("message") if r.get("fix") else None,
+        )
+        findings.append(finding)
+
+    return ok(findings)
+
+
+def _severity_from_ruff(code: str) -> Severity:
+    """Map ruff rule codes to severity based on category."""
+    if not code:
+        return Severity.LOW
+
+    # Security-related rules are higher severity
+    # S = bandit (security), T = flake8-print (debug code)
+    if code.startswith("S"):
+        # S1xx = security issues
+        if code.startswith("S1"):
+            return Severity.HIGH
+        return Severity.MEDIUM
+
+    # Error-prone patterns
+    # B = bugbear, E9xx = syntax errors, F = pyflakes
+    if code.startswith("B") or code.startswith("E9") or code.startswith("F"):
+        return Severity.MEDIUM
+
+    # Everything else is low (style, formatting)
+    return Severity.LOW
+
+
+def delegate_bandit(
+    path: str,
+    timeout: int = 60,
+) -> Result[list[ToolFinding], str]:
+    """
+    Run bandit on a Python file or directory.
+
+    Bandit catches hardcoded secrets (B105, B106, B107) that semgrep's
+    p/bandit config doesn't include.
+
+    Args:
+        path: File or directory to scan
+        timeout: Timeout in seconds
+
+    Returns:
+        Result containing list of findings or error message
+    """
+    if not Path(path).exists():
+        return err(f"Path does not exist: {path}")
+
+    try:
+        result = subprocess.run(
+            ["bandit", "-f", "json", "-r", path],
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+        )
+    except FileNotFoundError:
+        return err("bandit not found. Install with: pip install bandit")
+    except subprocess.TimeoutExpired:
+        return err(f"bandit timed out after {timeout}s")
+
+    try:
+        output = json.loads(result.stdout) if result.stdout else {"results": []}
+    except json.JSONDecodeError as e:
+        return err(f"Failed to parse bandit output: {e}")
+
+    # Map bandit severity to our Severity
+    severity_map = {
+        "HIGH": Severity.HIGH,
+        "MEDIUM": Severity.MEDIUM,
+        "LOW": Severity.LOW,
+    }
+
+    findings: list[ToolFinding] = []
+    for r in output.get("results", []):
+        finding = ToolFinding(
+            tool="bandit",
+            rule=r.get("test_id", "unknown"),
+            severity=severity_map.get(r.get("issue_severity", ""), Severity.INFO),
+            message=r.get("issue_text", ""),
+            location=f"{r.get('filename', '?')}:{r.get('line_number', '?')}",
+            suggestion=None,
+        )
+        findings.append(finding)
+
+    return ok(findings)
+
+
+def delegate_slither(
+    path: str,
+    detectors: list[str] | None = None,
+    timeout: int = 300,
+) -> Result[list[ToolFinding], str]:
+    """
+    Run slither on a Solidity file or project.
+
+    Args:
+        path: File or directory to scan
+        detectors: Specific detectors to run (None = all)
+        timeout: Timeout in seconds
+
+    Returns:
+        Result containing list of findings or error message
+    """
+    if not Path(path).exists():
+        return err(f"Path does not exist: {path}")
+
+    cmd = ["slither", path, "--json", "-"]
+    if detectors:
+        cmd.extend(["--detect", ",".join(detectors)])
+
+    try:
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=timeout,
+        )
+    except FileNotFoundError:
+        return err("slither not found. Install with: pip install slither-analyzer")
+    except subprocess.TimeoutExpired:
+        return err(f"slither timed out after {timeout}s")
+
+    try:
+        output = json.loads(result.stdout) if result.stdout else {"results": {"detectors": []}}
+    except json.JSONDecodeError as e:
+        return err(f"Failed to parse slither output: {e}")
+
+    # Map slither impact to severity
+    impact_map = {
+        "High": Severity.HIGH,
+        "Medium": Severity.MEDIUM,
+        "Low": Severity.LOW,
+        "Informational": Severity.INFO,
+    }
+
+    findings: list[ToolFinding] = []
+    for d in output.get("results", {}).get("detectors", []):
+        elements = d.get("elements", [])
+        location = "unknown"
+        if elements:
+            first = elements[0]
+            location = f"{first.get('source_mapping', {}).get('filename_relative', '?')}"
+
+        finding = ToolFinding(
+            tool="slither",
+            rule=d.get("check", "unknown"),
+            severity=impact_map.get(d.get("impact", ""), Severity.INFO),
+            message=d.get("description", ""),
+            location=location,
+            suggestion=None,
+        )
+        findings.append(finding)
+
+    return ok(findings)

crucible_mcp-0.1.0.dist-info/METADATA

@@ -0,0 +1,158 @@
+Metadata-Version: 2.4
+Name: crucible-mcp
+Version: 0.1.0
+Summary: Code review MCP server for Claude. Not affiliated with Atlassian.
+Author: be.nvy
+License-Expression: MIT
+Keywords: mcp,code-review,static-analysis,claude
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: mcp>=1.0.0
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-asyncio>=0.23; extra == "dev"
+Requires-Dist: mypy>=1.8; extra == "dev"
+Requires-Dist: ruff>=0.3; extra == "dev"
+
+# Crucible
+
+Code review MCP server for Claude. Runs static analysis and loads review skills based on what kind of code you're looking at.
+
+> **Note:** This project is not affiliated with Atlassian or their Crucible code review tool. Just an unfortunate naming collision.
+
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│  Your Code  ──→  Crucible  ──→  Claude                                       │
+│                  (analysis)     (synthesis)                                  │
+│                                                                             │
+│  .sol file  ──→  slither, semgrep  ──→  web3-engineer skill loaded          │
+│  .py file   ──→  ruff, bandit      ──→  backend-engineer skill loaded       │
+└─────────────────────────────────────────────────────────────────────────────┘
+```
+
+**MCP provides data. Skills provide perspective. Claude orchestrates.**
+
+## Quick Start
+
+```bash
+# Install from PyPI
+pip install crucible-mcp
+
+# Or install from source
+pip install -e ".[dev]"
+
+# Install skills to ~/.claude/crucible/skills/
+crucible skills install
+
+# Install analysis tools for your stack
+pip install semgrep ruff              # Python
+pip install slither-analyzer          # Solidity
+pip install bandit                    # Python security
+```
+
+> **Tools are separate by design.** Different workflows need different analyzers. Install what you need, skip what you don't. Crucible gracefully handles missing tools.
+
+## MCP Setup
+
+Works with any MCP client (Claude Code, Cursor, etc.). Add to your `.mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "crucible": {
+      "command": "crucible-mcp"
+    }
+  }
+}
+```
+
+Then in Claude:
+
+```
+Review src/Vault.sol
+
+→ Crucible: domains_detected: [solidity, smart_contract, web3]
+→ Crucible: severity_summary: {critical: 1, high: 3}
+→ Claude loads: web3-engineer, security-engineer skills
+→ Claude synthesizes multi-perspective review
+```
+
+## MCP Tools
+
+| Tool | Purpose |
+|------|---------|
+| `quick_review(path)` | Run analysis, return findings + domains |
+| `get_principles(topic)` | Load engineering knowledge |
+| `delegate_*` | Direct tool access (semgrep, ruff, slither, bandit) |
+| `check_tools()` | Show installed analysis tools |
+
+## CLI
+
+```bash
+crucible skills list              # List all skills
+crucible skills show <skill>      # Show which version is active
+crucible skills init <skill>      # Copy to .crucible/ for customization
+
+crucible knowledge list           # List all knowledge files
+crucible knowledge init <file>    # Copy for customization
+```
+
+## How It Works
+
+Crucible detects what kind of code you're reviewing, runs the right analysis tools, and returns findings with domain metadata. Claude uses this to load appropriate review skills.
+
+```
+.sol file  →  slither + semgrep  →  web3-engineer, gas-optimizer skills
+.py file   →  ruff + bandit      →  backend-engineer, security-engineer skills
+```
+
+See [ARCHITECTURE.md](docs/ARCHITECTURE.md) for the full flow.
+
+## Customization
+
+Override skills and knowledge for your project or personal preferences:
+
+```bash
+# Customize a skill for your project
+crucible skills init security-engineer
+# Creates .crucible/skills/security-engineer/SKILL.md
+
+# Add project-specific concerns, team conventions, etc.
+```
+
+Resolution order (first found wins):
+1. `.crucible/` — Project overrides
+2. `~/.claude/crucible/` — User preferences
+3. Bundled — Package defaults
+
+See [CUSTOMIZATION.md](docs/CUSTOMIZATION.md) for the full guide.
+
+## What's Included
+
+**18 Review Skills** — Different review perspectives (security, performance, accessibility, web3, etc.)
+
+See [SKILLS.md](docs/SKILLS.md) for the full list with triggers and focus areas.
+
+**12 Knowledge Files** — Engineering principles for security, testing, APIs, databases, smart contracts, etc.
+
+See [KNOWLEDGE.md](docs/KNOWLEDGE.md) for topics covered and skill linkages.
+
+## Documentation
+
+| Doc | What's In It |
+|-----|--------------|
+| [FEATURES.md](docs/FEATURES.md) | Complete feature reference |
+| [ARCHITECTURE.md](docs/ARCHITECTURE.md) | How MCP, tools, skills, and knowledge fit together |
+| [CUSTOMIZATION.md](docs/CUSTOMIZATION.md) | Override skills and knowledge for your project |
+| [SKILLS.md](docs/SKILLS.md) | All 18 review personas with triggers and key questions |
+| [KNOWLEDGE.md](docs/KNOWLEDGE.md) | All 12 knowledge files with topics covered |
+| [CONTRIBUTING.md](docs/CONTRIBUTING.md) | Adding tools, skills, and knowledge |
+
+## Development
+
+```bash
+pip install -e ".[dev]"
+pytest                    # Run tests (263 tests)
+ruff check src/ --fix     # Lint
+```

crucible_mcp-0.1.0.dist-info/RECORD

@@ -0,0 +1,17 @@
+crucible/__init__.py,sha256=ZLZQWKmjTHaeeDijcOl3xmaEgoI2W3a8FCFwcieZGv0,77
+crucible/cli.py,sha256=2-aHRpNoSyLSsiDPBYGyg-16dsylHL-opTVUpshKgAE,17149
+crucible/errors.py,sha256=HrX_yvJEhXJoKodXGo_iY9wqx2J3ONYy0a_LbrVC5As,819
+crucible/models.py,sha256=9bEsNUvKcmq0r_-pCiZ8lv7RaelDQcPgiDia5eghxl4,1624
+crucible/server.py,sha256=9_rxelihpZEpYc4axoRNP5rh_PsuzJZpj6qwCdBtz4M,12857
+crucible/domain/__init__.py,sha256=2fsoB5wH2Pl3vtGRt4voYOSZ04-zLoW8pNq6nvzVMgU,118
+crucible/domain/detection.py,sha256=TNeLB_VQgS1AsT5BKDf_tIpGa47THrFoRXwU4u54VB0,1797
+crucible/knowledge/__init__.py,sha256=unb7kyO1MtB3Zt-TGx_O8LE79KyrGrNHoFFHgUWUvGU,40
+crucible/knowledge/loader.py,sha256=VuMSZCEkKTP0vTGkju9tHIzokXfq5RRWHYjSo54WDPs,4525
+crucible/synthesis/__init__.py,sha256=CYrkZG4bdAjp8XdOh1smfKscd3YU5lZlaDLGwLE9c-0,46
+crucible/tools/__init__.py,sha256=gFRThTk1E-fHzpe8bB5rtBG6Z6G-ysPzjVEHfKGbEYU,400
+crucible/tools/delegation.py,sha256=A5NM7snJOptwhuaqxfMfPmVoAvWjzpyx3vZoyvRIh_A,10183
+crucible_mcp-0.1.0.dist-info/METADATA,sha256=-wOJb1OYlrxQ3Z872Nc3EwIG0KwHkeImrsezKV1cZNM,5529
+crucible_mcp-0.1.0.dist-info/WHEEL,sha256=qELbo2s1Yzl39ZmrAibXA2jjPLUYfnVhUNTlyF1rq0Y,92
+crucible_mcp-0.1.0.dist-info/entry_points.txt,sha256=18BZaH1OlFSFYtKuHq0Z8yYX8Wmx7Ikfqay-P00ZX3Q,83
+crucible_mcp-0.1.0.dist-info/top_level.txt,sha256=4hzuFgqbFPOO-WiU_DYxTm8VYIxTXh7Wlp0gRcWR0Cs,9
+crucible_mcp-0.1.0.dist-info/RECORD,,

crucible_mcp-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

crucible_mcp-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+crucible = crucible.cli:main
+crucible-mcp = crucible.server:main

crucible_mcp-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+crucible