
CODEFIX-1426 Interactively list and assign issues to Remediation Agent#239

Open
vnaskos-sonar wants to merge 6 commits intomasterfrom
vn/remediate-command

Conversation

@vnaskos-sonar (Contributor)

No description provided.

@hashicorp-vault-sonar-prod Bot commented May 1, 2026

CODEFIX-1426

@vnaskos-sonar vnaskos-sonar force-pushed the vn/remediate-command branch 2 times, most recently from c146db0 to 0a5902b Compare May 5, 2026 14:13
@vnaskos-sonar vnaskos-sonar marked this pull request as ready for review May 5, 2026 14:52
@sonar-review-alpha Bot left a comment

Solid implementation overall with good test coverage, but there are two bugs that need fixing before merge.

Comment thread src/sonarqube/client.ts (Outdated)
Comment on lines +166 to +179
async function fetchEligibleIssues(
issuesClient: IssuesClient,
orgKey: string | undefined,
projectKey: string,
): Promise<SonarQubeIssue[]> {
const result = await issuesClient.searchIssues({
projects: projectKey,
organization: orgKey,
issueStatuses: 'OPEN,CONFIRMED',
fixableByAgent: true,
ps: MAX_PAGE_SIZE,
p: 1,
});
return result.issues;
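
Review bot: returning only `result.issues` discards everything else the search response reports, so with `p: 1` hard-coded and `ps: MAX_PAGE_SIZE` a caller cannot tell a project with exactly MAX_PAGE_SIZE agent-fixable issues from one with many more. Either loop over `p` until a page comes back shorter than `ps`, or widen the return type to carry the server-reported total alongside the issues so the command can warn when the list it shows is incomplete.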

Missing test coverage: fetchEligibleIssues fetches only page 1 (p: 1, ps: MAX_PAGE_SIZE = 500). For a project with more than 500 agent-fixable issues the remaining issues are silently omitted — the user sees "500 eligible issues found" with no indication that the list is truncated. No test covers this truncation scenario.

Either add pagination or document the cap and emit a warning when issues.length === MAX_PAGE_SIZE.


@vnaskos-sonar vnaskos-sonar force-pushed the vn/remediate-command branch from 0a5902b to a77a508 Compare May 6, 2026 11:58
@sonar-review-alpha Bot commented May 6, 2026

Summary

This PR adds a new sonar remediate command that enables users to interactively select and submit eligible issues to the SonarQube Cloud Remediation Agent for AI-powered fixes.

What's new:

  • Interactive multi-select UI for choosing issues to remediate (sorted by severity, with color-coded display)
  • Validation that the organization has AI remediation entitlements enabled
  • Automatic project key discovery with --project override option
  • Clear error messages guiding users to documentation when feature is unavailable
  • Real-time feedback on job submission with a link to track progress in SonarQube Cloud

Implementation details:

  • Only works on SonarQube Cloud (rejects on-premise connections)
  • Fetches eligible issues in one page to avoid overwhelming users
  • Supports both project ID and key formats
  • Comprehensive error handling for entitlement and API failures

What reviewers should know

Start with the command implementation:

  • src/cli/commands/remediate/index.ts (215 lines) — the core logic. Key functions: remediate() (main flow), fetchEligibleIssues() (API call), formatIssueLabel() (UI formatting), mapErrorMessage() (error handling)

Review the tests next:

  • tests/integration/specs/remediate/remediate.test.ts (508 lines) — comprehensive coverage of happy path, entitlement checks, auth validation, error scenarios

Quick checklist for reviewers:

  • The command correctly validates Cloud-only usage (line 52)
  • Entitlement statuses (not_eligible, not_enabled, unknown) map to appropriate error messages
  • Issue sorting by severity (BLOCKER → CRITICAL → MAJOR → MINOR → INFO) makes high-priority issues easy to find
  • The job submission payload includes triggerSource: 'CLI' for tracking
  • Project key discovery (lines 84–93) handles both explicit --project and auto-detection cases
  • Error messages include the docs URL for user guidance
  • One-page fetch (line 183 comment) is intentional to avoid UX overload

Watch for:

  • The SonarQube API client's getComponentId() method (line 136) — returns component ID if available, falls back to key. Verify this behavior matches the agent API expectations.


@sonarqubecloud Bot commented May 6, 2026

@sonar-review-alpha Bot left a comment

Two of the three previously flagged issues are resolved. The truncation concern at index.ts:185 is still open — fetchEligibleIssues caps silently at 500 issues with no user-facing warning, and no test covers that boundary.

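The truncation point raised in the inline comment on fetchEligibleIssues and repeated in the follow-up review (a silent cap at MAX_PAGE_SIZE = 500 with no warning and no boundary test) is straightforward to close. The block below is an added example written for this page, not code from the PR or from the sonar CLI: it pages through the search results instead of stopping at page 1, keeps the server-reported total, flags truncation explicitly when a local ceiling is hit, and includes the severity ordering the review summary describes. The `IssuesClient`, `IssueSearchParams` and `IssueSearchResult` shapes are assumptions modelled on the parameters visible in the PR snippet (the real client types may differ), `MAX_TOTAL_ISSUES` is an assumed ceiling, and `makeFakeClient` is a constructed in-memory stand-in so the example runs offline.

```typescript
// Added example (not the sonar CLI's code): paginate agent-fixable issues instead of
// fetching page 1 only, and make truncation visible to the caller.
// The client/result types below are assumed shapes, not the PR's real IssuesClient.

export interface SonarQubeIssue { key: string; severity: string; }

export interface IssueSearchParams {
  projects: string;
  organization?: string;
  issueStatuses: string;
  fixableByAgent: boolean;
  ps: number;
  p: number;
}

export interface IssueSearchResult {
  issues: SonarQubeIssue[];
  paging: { pageIndex: number; pageSize: number; total: number }; // assumed field
}

export interface IssuesClient {
  searchIssues(params: IssueSearchParams): Promise<IssueSearchResult>;
}

export const MAX_PAGE_SIZE = 500;
// Assumed local ceiling: beyond this the interactive picker stops loading and reports truncation.
export const MAX_TOTAL_ISSUES = 10000;

export interface EligibleIssues {
  issues: SonarQubeIssue[];
  total: number;      // total reported by the server; may exceed issues.length
  truncated: boolean; // true when loading stopped before reaching total
}

export async function fetchAllEligibleIssues(
  issuesClient: IssuesClient,
  orgKey: string | undefined,
  projectKey: string,
  maxTotal: number = MAX_TOTAL_ISSUES,
): Promise<EligibleIssues> {
  const issues: SonarQubeIssue[] = [];
  let total = 0;
  for (let page = 1; ; page++) {
    const result = await issuesClient.searchIssues({
      projects: projectKey,
      organization: orgKey,
      issueStatuses: 'OPEN,CONFIRMED',
      fixableByAgent: true,
      ps: MAX_PAGE_SIZE,
      p: page,
    });
    total = result.paging.total;
    for (const issue of result.issues) {
      if (issues.length >= maxTotal) break;
      issues.push(issue);
    }
    // Stop on a short (last) page, when the server total is reached, or at the local ceiling.
    if (result.issues.length < MAX_PAGE_SIZE || issues.length >= total || issues.length >= maxTotal) break;
  }
  return { issues, total, truncated: issues.length < total };
}

// Message the command would print; the truncated form replaces a bare "N eligible issues found".
export function describeEligible(result: EligibleIssues): string {
  if (result.truncated) {
    return `${result.issues.length} of ${result.total} eligible issues loaded (list truncated)`;
  }
  return `${result.issues.length} eligible issues found`;
}

export const SEVERITY_ORDER = ['BLOCKER', 'CRITICAL', 'MAJOR', 'MINOR', 'INFO'];

// Stable sort, highest severity first; unknown severities sink to the end.
export function sortBySeverity<T extends { severity: string }>(issues: T[]): T[] {
  const rank = (s: string): number => {
    const i = SEVERITY_ORDER.indexOf(s);
    return i === -1 ? SEVERITY_ORDER.length : i;
  };
  return issues.slice().sort((a, b) => rank(a.severity) - rank(b.severity));
}

// Constructed fake client: serves `totalIssues` synthetic issues in pages and counts requests.
export function makeFakeClient(totalIssues: number): IssuesClient & { calls: number } {
  const all: SonarQubeIssue[] = [];
  for (let i = 0; i < totalIssues; i++) {
    all.push({ key: `ISSUE-${i + 1}`, severity: SEVERITY_ORDER[i % SEVERITY_ORDER.length] });
  }
  const client = {
    calls: 0,
    async searchIssues(params: IssueSearchParams): Promise<IssueSearchResult> {
      client.calls += 1;
      const start = (params.p - 1) * params.ps;
      return {
        issues: all.slice(start, start + params.ps),
        paging: { pageIndex: params.p, pageSize: params.ps, total: all.length },
      };
    },
  };
  return client;
}

// Walks the boundary cases: short page, exactly one full page, three pages, and a hit ceiling.
export async function demo(): Promise<string[]> {
  const lines: string[] = [];
  for (const n of [120, 500, 1203]) {
    const client = makeFakeClient(n);
    const result = await fetchAllEligibleIssues(client, 'my-org', 'my-project');
    lines.push(`${n} issues -> ${client.calls} request(s): ${describeEligible(result)}`);
  }
  const capped = makeFakeClient(1203);
  const r = await fetchAllEligibleIssues(capped, 'my-org', 'my-project', 1000);
  lines.push(`1203 issues, ceiling 1000 -> ${capped.calls} request(s): ${describeEligible(r)}`);
  return lines;
}
```

The case the review asked for is the exact boundary: a project with precisely 500 agent-fixable issues needs one request and is reported as complete, while 1203 issues take three requests, and a ceiling below the server total is what turns `truncated` on. A test for the PR would only need the fake client and those three counts.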
