CLI-244 CLI-245 callback infrastructure

[kirill-knize-sonarsource]

No description provided.

[hashicorp-vault-sonar-prod]

CLI-244
CLI-245

[sonar-review-alpha]

Summary

Summary

This PR implements a callback infrastructure for the SonarQube CLI that moves hook business logic from bash/PowerShell templates into TypeScript command handlers. Instead of embedding complex shell logic in hook scripts, scripts now delegate to centralized sonar hook <event> commands.

Five new hook handlers are introduced:

• claude-pre-tool-use — Scans files for secrets before Claude reads them, blocking reads if secrets detected
• claude-prompt-submit — Scans user prompts for secrets before sending, blocking submission if secrets found
• claude-post-tool-use — Runs SonarCloud analysis on files after Claude edits/writes them
• git-pre-commit — Scans staged files for secrets before commit
• git-pre-push — Scans files in commits about to be pushed for secrets

Supporting infrastructure:

• Refactored analyze/secrets.ts to export reusable secret scanning functions (runSecretsBinary, runSecretsBinaryOnText) with proper timeout handling
• New hook/ module with stdin readers (readGitPushRefs, readStdinJson) and shared auth/binary resolution logic
• Simplified hook templates that now just pipe stdin to TypeScript handlers
• All handlers gracefully exit if auth or binary path unavailable (non-blocking)

Architecture improvements:

• Centralized, testable business logic instead of scattered shell scripts
• Consistent error handling and timeout semantics across all hooks
• Better maintainability and debugging experience

What reviewers should know

Review Guide

Start with: src/cli/command-tree.ts to see how hooks are registered as a hidden command group, then review each handler in src/cli/commands/hook/ to understand the flow.

Key design decisions:

• Handlers read JSON payloads from stdin (piped by hook scripts) and validate presence of required fields before acting
• All handlers are non-blocking by design: if auth is missing, binary isn't installed, or stdin is unparseable, they exit silently (exit 0) rather than blocking user operations
• Secrets scanner is wrapped with timeout handling and child process cleanup to prevent hanging
• Git file enumeration in git-pre-push.ts handles three cases: new branches (no remote), existing branches (diff against remote), and fallback (diff against empty tree)

Testing coverage:

• Comprehensive unit tests for stdin parsing, timeout handling, git command execution
• Integration tests verify each hook end-to-end with realistic payloads
• CLAUDE.md policy reinforces preference for e2e tests (see line 54)

Things to watch:

• Timeout values are consistent: 30s for secrets scan, 5s for stdin read
• Exit code 51 signals secrets found (defined in original secrets command, now shared constant)
• Hook handlers inherit auth resolution logic from existing auth-resolver.ts
• Binary path resolution is non-downloading (no automatic installation in hooks)
• Windows and Unix hook templates now minimal; all logic is TypeScript-based

Integration points:

• Hooks integrate with existing SonarQubeClient for SQAA analysis (agent-post-tool-use)
• Uses existing spawnProcess utility for child process management
• Leverages existing error types (InvalidOptionError, CommandFailedError)

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sophio-japharidze-sonarsource]

I love the direction this is going 😍

I left a few comments & suggestions, mainly about duplication of secrets scanning logic. I will test it now.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
94.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

Two of the three previously flagged issues remain open — the stale README entries and the readRawStdin timeout duplication. The git-pre-commit auth guard duplication has been fixed.

🗣️ Give feedback