CLI-247 PostToolUse SQAA analysis callback

kirill-knize-sonarsource · kirill-knize-sonarsource · commit bbd8e20e2e98 · 2026-04-08T20:00:31.000+02:00
diff --git a/src/cli/command-tree.ts b/src/cli/command-tree.ts
@@ -41,6 +41,10 @@ import { apiCommand, apiExtraHelpText, type ApiCommandOptions } from './commands
 import { GENERIC_HTTP_METHODS } from '../sonarqube/client';
 import { claudePreToolUse } from './commands/callback/claude-pre-tool-use';
 import { agentPromptSubmit } from './commands/callback/agent-prompt-submit';
+import {
+  agentPostToolUse,
+  type AgentPostToolUseOptions,
+} from './commands/callback/agent-post-tool-use';
 
 const DEFAULT_PAGE_SIZE = MAX_PAGE_SIZE;
 
@@ -255,6 +259,12 @@ callbackCommand
   .description('UserPromptSubmit handler: scan prompt for secrets before sending')
   .anonymousAction(() => agentPromptSubmit());
 
+callbackCommand
+  .command('agent-post-tool-use')
+  .description('PostToolUse handler: run SQAA analysis after agent edits or writes a file')
+  .requiredOption('--project <key>', 'SonarQube Cloud project key')
+  .anonymousAction((options: AgentPostToolUseOptions) => agentPostToolUse(options));
+
 // Hidden flush command — only registered when running as a telemetry worker.
 if (process.env[TELEMETRY_FLUSH_MODE_ENV]) {
   COMMAND_TREE.command('flush-telemetry', { hidden: true }).anonymousAction(flushTelemetry);
diff --git a/src/cli/commands/callback/agent-post-tool-use.ts b/src/cli/commands/callback/agent-post-tool-use.ts
@@ -0,0 +1,106 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) 2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// PostToolUse callback handler — runs SQAA analysis after the agent edits or writes a file.
+// Replaces the bash/PowerShell logic that was previously embedded in the hook script.
+
+import { existsSync, readFileSync } from 'node:fs';
+import { relative } from 'node:path';
+import { resolveAuth } from '../../../lib/auth-resolver';
+import logger from '../../../lib/logger';
+import { SonarQubeClient } from '../../../sonarqube/client';
+import type { SqaaIssue } from '../../../sonarqube/client';
+import { readStdinJson } from './stdin';
+
+interface PostToolUsePayload {
+  tool_name?: string;
+  tool_input?: { file_path?: string };
+}
+
+export interface AgentPostToolUseOptions {
+  project?: string;
+}
+
+export async function agentPostToolUse(options: AgentPostToolUseOptions): Promise<void> {
+  let payload: PostToolUsePayload;
+  try {
+    payload = await readStdinJson<PostToolUsePayload>();
+  } catch {
+    return; // unparseable stdin — non-blocking
+  }
+
+  const toolName = payload.tool_name;
+  if (toolName !== 'Edit' && toolName !== 'Write') return;
+
+  const filePath = payload.tool_input?.file_path;
+  if (!filePath || !existsSync(filePath)) return;
+
+  const auth = await resolveAuth().catch(() => null);
+  if (auth?.connectionType !== 'cloud' || !auth.orgKey) return;
+
+  const projectKey = options.project;
+  if (!projectKey) return;
+
+  try {
+    const fileContent = readFileSync(filePath, 'utf-8');
+    const filePath_ = relative(process.cwd(), filePath);
+    const client = new SonarQubeClient(auth.serverUrl, auth.token);
+
+    const response = await client.analyzeFile({
+      organizationKey: auth.orgKey,
+      projectKey,
+      filePath: filePath_,
+      fileContent,
+    });
+
+    const text = formatSqaaResult(response.issues, response.errors);
+    process.stdout.write(
+      JSON.stringify({
+        hookSpecificOutput: { hookEventName: 'PostToolUse', additionalContext: text },
+      }) + '\n',
+    );
+  } catch (err) {
+    logger.debug(`PostToolUse SQAA analysis failed: ${(err as Error).message}`);
+  }
+}
+
+function formatSqaaResult(
+  issues: SqaaIssue[],
+  errors?: Array<{ code: string; message: string }> | null,
+): string {
+  const lines: string[] = [];
+
+  if (issues.length === 0) {
+    lines.push('SQAA analysis completed — no issues found.');
+  } else {
+    lines.push(`SQAA analysis found ${issues.length} issue${issues.length === 1 ? '' : 's'}:`);
+    issues.forEach((issue, idx) => {
+      const location = issue.textRange ? ` (line ${issue.textRange.startLine})` : '';
+      lines.push(`  [${idx + 1}] ${issue.message}${location} [${issue.rule}]`);
+    });
+  }
+
+  if (errors && errors.length > 0) {
+    lines.push('SQAA errors:');
+    errors.forEach((e) => lines.push(`  [${e.code}] ${e.message}`));
+  }
+
+  return lines.join('\n');
+}
diff --git a/tests/integration/specs/analyze/analyze-sqaa.test.ts b/tests/integration/specs/analyze/analyze-sqaa.test.ts
@@ -137,6 +137,32 @@ describe('analyze sqaa', () => {
     { timeout: 15000 },
   );
 
+  it(
+    'exits with code 0 and silently skips SQAA when --branch is provided but no project is registered',
+    async () => {
+      const server = await harness
+        .newFakeServer()
+        .withAuthToken(VALID_TOKEN)
+        .withSqaaResponse({ issues: [] })
+        .start();
+
+      // Cloud connection with orgKey but no extension registered → no projectKey → skip
+      harness.withAuth(server.baseUrl(), VALID_TOKEN, TEST_ORG);
+
+      harness.cwd.writeFile('src/index.ts', 'const x = 1;');
+
+      const result = await harness.run('analyze sqaa --file src/index.ts --branch main');
+
+      expect(result.exitCode).toBe(0);
+      // --branch is ignored, no API call is made
+      const sqaaCalls = server
+        .getRecordedRequests()
+        .filter((r) => r.path === '/a3s-analysis/analyses');
+      expect(sqaaCalls).toHaveLength(0);
+    },
+    { timeout: 15000 },
+  );
+
   it(
     'calls SQAA API and reports no issues found for clean file',
     async () => {
diff --git a/tests/unit/callback-post-tool-use.test.ts b/tests/unit/callback-post-tool-use.test.ts
@@ -0,0 +1,131 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) 2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+import { describe, it, expect, beforeEach, afterEach, spyOn } from 'bun:test';
+import * as fs from 'node:fs';
+import * as authResolver from '../../src/lib/auth-resolver';
+import * as stdinModule from '../../src/cli/commands/callback/stdin';
+import * as clientModule from '../../src/sonarqube/client';
+import { agentPostToolUse } from '../../src/cli/commands/callback/agent-post-tool-use';
+
+const TEST_FILE = '/sonar-test/src/main.ts';
+
+describe('agentPostToolUse', () => {
+  let stdoutSpy: ReturnType<typeof spyOn>;
+  let resolveAuthSpy: ReturnType<typeof spyOn>;
+  let readStdinJsonSpy: ReturnType<typeof spyOn>;
+  let existsSyncSpy: ReturnType<typeof spyOn>;
+  let readFileSyncSpy: ReturnType<typeof spyOn>;
+  let analyzeFileSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    stdoutSpy = spyOn(process.stdout, 'write').mockImplementation(() => true);
+    resolveAuthSpy = spyOn(authResolver, 'resolveAuth').mockResolvedValue({
+      token: 'tok',
+      serverUrl: 'https://sonarcloud.io',
+      connectionType: 'cloud',
+      orgKey: 'myorg',
+    });
+    readStdinJsonSpy = spyOn(stdinModule, 'readStdinJson').mockResolvedValue({
+      tool_name: 'Edit',
+      tool_input: { file_path: TEST_FILE },
+    });
+    existsSyncSpy = spyOn(fs, 'existsSync').mockReturnValue(true);
+    readFileSyncSpy = spyOn(fs, 'readFileSync').mockReturnValue('const x = 1;');
+    analyzeFileSpy = spyOn(clientModule.SonarQubeClient.prototype, 'analyzeFile').mockResolvedValue(
+      { id: 'analysis-id', issues: [], errors: null },
+    );
+  });
+
+  afterEach(() => {
+    stdoutSpy.mockRestore();
+    resolveAuthSpy.mockRestore();
+    readStdinJsonSpy.mockRestore();
+    existsSyncSpy.mockRestore();
+    readFileSyncSpy.mockRestore();
+    analyzeFileSpy.mockRestore();
+  });
+
+  it('writes additionalContext JSON when analysis returns no issues', async () => {
+    await agentPostToolUse({ project: 'my-project' });
+
+    expect(stdoutSpy).toHaveBeenCalledTimes(1);
+    const output = JSON.parse((stdoutSpy.mock.calls[0][0] as string).trim());
+    expect(output.hookSpecificOutput.hookEventName).toBe('PostToolUse');
+    expect(output.hookSpecificOutput.additionalContext).toContain('no issues');
+  });
+
+  it('includes issue details in additionalContext when issues are found', async () => {
+    analyzeFileSpy.mockResolvedValue({
+      id: 'analysis-id',
+      issues: [
+        {
+          rule: 'java:S1234',
+          message: 'Fix this',
+          textRange: { startLine: 10, endLine: 10, startOffset: 0, endOffset: 5 },
+        },
+      ],
+      errors: null,
+    });
+
+    await agentPostToolUse({ project: 'my-project' });
+
+    const output = JSON.parse((stdoutSpy.mock.calls[0][0] as string).trim());
+    expect(output.hookSpecificOutput.additionalContext).toContain('Fix this');
+    expect(output.hookSpecificOutput.additionalContext).toContain('java:S1234');
+  });
+
+  it('returns without output when tool_name is not Edit or Write', async () => {
+    readStdinJsonSpy.mockResolvedValue({ tool_name: 'Read', tool_input: { file_path: TEST_FILE } });
+
+    await agentPostToolUse({ project: 'my-project' });
+
+    expect(analyzeFileSpy).not.toHaveBeenCalled();
+    expect(stdoutSpy).not.toHaveBeenCalled();
+  });
+
+  it('returns without output when connection is not cloud', async () => {
+    resolveAuthSpy.mockResolvedValue({
+      token: 'tok',
+      serverUrl: 'https://sonar.example.com',
+      connectionType: 'on-premise',
+    });
+
+    await agentPostToolUse({ project: 'my-project' });
+
+    expect(analyzeFileSpy).not.toHaveBeenCalled();
+    expect(stdoutSpy).not.toHaveBeenCalled();
+  });
+
+  it('returns without output when project key is not provided', async () => {
+    await agentPostToolUse({});
+
+    expect(analyzeFileSpy).not.toHaveBeenCalled();
+    expect(stdoutSpy).not.toHaveBeenCalled();
+  });
+
+  it('returns without output when auth is unavailable', async () => {
+    resolveAuthSpy.mockResolvedValue(null);
+
+    await agentPostToolUse({ project: 'my-project' });
+
+    expect(analyzeFileSpy).not.toHaveBeenCalled();
+  });
+});
