Next phase: plugin API (loader, versioning, types entry, example) + CLI quick wins #166
Merged
Selects eight open issues for the next development phase across two tracks: the v0.4 plugin API vertical (#68, #69, #70, #71, #72) and small CLI/config quick wins (#106, #145, #151), with sequencing, file-level touchpoints, PR breakdown, and validation strategy. https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
Adds a Levenshtein-based suggestClosest helper applied to unknown rule ids in --rules / config rules, inline suppression directives, and the new explain command, which prints rule metadata, default thresholds, and the matching docs/rules.md section. Closes #145, closes #151. https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
The config failOn field sets the CI exit-code severity policy alongside failOnConfidence; the --fail-on CLI flag takes precedence. Schema regenerated and covered by drift and CLI exit-code tests. Closes #106. https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
Adds the plugin API version constant (v1), config schema entries for pluginApiVersion and plugins, and fail-fast validation at config load: plugins require a pluginApiVersion, and mismatched versions throw with an upgrade message. The rules schema now also accepts plugin rule ids as plain strings per the plugin RFC. Closes #69. https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
Implements the plugin API RFC loading model: config plugins[] paths resolve relative to the config directory (traversal outside it is rejected), modules are imported as ESM, and exported detectors are validated against the Detector contract with fail-fast rule id collision errors. Plugin detectors merge into the scan registry, work with --rules selection, did-you-mean suggestions, and inline suppressions. DEBTLENS_DISABLE_PLUGINS=1 skips loading with a single stderr note for untrusted CI. RFC marked shipped; SECURITY.md updated. Closes #68, closes #71. https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
Adds examples/plugin/ with a runnable no-console rule, sample config, and CI integration tests, plus a published debtlens/plugin subpath export (dist/plugin.js + dist/plugin.d.ts) exposing Detector, DetectorContext, DebtIssue, Severity, and the plugin API version for plugin authors. README and plugin RFC document both. Closes #70, closes #72. https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
Summary
Implements the next-phase plan (docs/next-phase-plan.md): the v0.4 plugin API vertical from docs/plugin-api-rfc.md plus three CLI/config quick wins, landed as five sequential commits matching the plan's PR breakdown.
Closes #68, closes #69, closes #70, closes #71, closes #72, closes #106, closes #145, closes #151.
Track B — CLI/config quick wins
- debtlens explain <rule> (Add debtlens explain command for rule documentation #145): prints rule metadata, default thresholds, and the matching docs/rules.md section including false-positive guidance.
- --rules / config rules, inline suppression directives, and explain (e.g. todo-comments → did you mean "todo-comment"?).
- failOn config field (Add failOn severity to config file #106): sets the CI exit-code severity policy in debtlens.config.json; the --fail-on CLI flag overrides it.
Track A — Plugin API (RFC → shipped)
- pluginApiVersion + plugins config fields (Add pluginApiVersion to config schema and runtime validation #69): JSON schema entries and fail-fast validation at config load — plugins requires a version, mismatches throw an upgrade message. The rules schema also accepts plugin rule ids as plain strings per the RFC.
- Detector contract per export, and fails fast on rule-id collisions. Plugin detectors merge into the scan registry, so --rules selection, did-you-mean, and inline suppressions all work for plugin rules. Plugin vocabulary exports are accepted but ignored with a warning (merging is follow-on Allow plugins to export naming-drift vocabulary groups #74).
- DEBTLENS_DISABLE_PLUGINS=1 (Add DEBTLENS_DISABLE_PLUGINS CI escape hatch #71): CI escape hatch that skips plugin loading with a single stderr note; built-in rules still run. Documented in SECURITY.md and the RFC.
- examples/plugin/ (no-console rule + sample config + fixture) with CI integration tests.
- debtlens/plugin entry point (Export debtlens/plugin TypeScript types entry point #70): published subpath export (dist/plugin.js + .d.ts) exposing Detector, DetectorContext, DebtIssue, Severity, and DEBTLENS_PLUGIN_API_VERSION.
The plugin RFC status is updated to Shipped (v1) with follow-ons #73/#74 noted, and CHANGELOG has an Unreleased section covering all eight issues.
Test plan
- npm test: 202/202 passing (baseline before this branch: 160).
- npm run typecheck and npm run typecheck:tests: clean.
- npm run build: emits dist/plugin.js / dist/plugin.d.ts; schema regenerated via npm run schema:generate (guarded by the drift test).
- debtlens scan . --cwd examples/plugin --rules no-console: reports the plugin finding at src/app.ts:2.
- git commit in temp repos (pre-existing environment issue, verified at baseline); all suites pass with signing disabled via GIT_CONFIG_* env vars.
https://claude.ai/code/session_01GpFF5BDtey4sdyPkh7eD7v
Generated by Claude Code
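The plugin loading rules described in the commits and the Track A summary above (version check at config load, DEBTLENS_DISABLE_PLUGINS=1, and rejecting plugins[] paths that leave the config directory), as an added example that is not part of this pull request or the debtlens code base. The function name, return shape, error wording, and the representation of v1 as the number 1 are assumptions; only the config keys and the environment variable come from the page.

```javascript
// Added example, not debtlens source. Function name, return shape and error
// wording are hypothetical; only the config keys and env var come from the page.
const path = typeof require === "function"
  ? require("node:path")
  : process.getBuiltinModule("node:path"); // loads as CommonJS or ESM

const SUPPORTED_PLUGIN_API_VERSION = 1; // assumption: "v1" is stored as the number 1

function resolvePluginPaths(configFile, config, env = process.env) {
  const plugins = config.plugins ?? [];
  if (plugins.length === 0) return { skipped: false, paths: [] };

  // Fail fast at config load: plugins need a declared, matching API version.
  if (config.pluginApiVersion === undefined) {
    throw new Error("plugins requires pluginApiVersion");
  }
  if (config.pluginApiVersion !== SUPPORTED_PLUGIN_API_VERSION) {
    throw new Error(
      `pluginApiVersion ${config.pluginApiVersion} is not supported; ` +
      `this build supports ${SUPPORTED_PLUGIN_API_VERSION}`);
  }

  // Escape hatch for untrusted CI: nothing below is resolved or imported.
  if (env.DEBTLENS_DISABLE_PLUGINS === "1") return { skipped: true, paths: [] };

  const root = path.resolve(path.dirname(configFile));
  const paths = plugins.map((entry) => {
    const resolved = path.resolve(root, entry);
    const rel = path.relative(root, resolved);
    // Outside the root when the relative form climbs ("..", "../x"), is
    // absolute (another drive on Windows), or is empty (the directory itself).
    // Comparing against ".." + sep keeps a file named "..rules.js" valid.
    const escapes = rel === "" || rel === ".." ||
      rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
    if (escapes) {
      throw new Error(`plugin path escapes config directory: ${entry}`);
    }
    return resolved;
  });
  return { skipped: false, paths };
}

// Constructed sample config; the path is illustrative.
const sample = { pluginApiVersion: 1, plugins: ["./plugins/no-console.js"] };
console.log(resolvePluginPaths("/repo/debtlens.config.json", sample, {}));
```

The containment check here is lexical only: it does not follow symlinks, so a loader that must hold the boundary on disk would compare `fs.realpathSync` results for both the root and the plugin file before importing.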