feat: add altimate-code check CLI command for deterministic SQL checks (#453)

* feat: add `altimate-code check` CLI command for deterministic SQL checks

Add a new `check` subcommand that runs deterministic SQL analysis
(lint, validate, safety, policy, PII, semantic, grade) without
requiring an LLM. The command:

- Accepts SQL files as positional args or globs (defaults to `**/*.sql`)
- Calls `Dispatcher.call()` for each check category (no direct napi imports)
- Processes files in batches of 10 for concurrency
- Supports `--format json|text`, `--severity`, `--fail-on` flags
- Outputs diagnostics to stderr, structured JSON to stdout
- Does NOT call `bootstrap()` — no session/db/server needed
- Registered in `index.ts` with proper `altimate_change` markers

* docs: add comprehensive documentation and tests for `altimate-code check` command

- Add `docs/docs/usage/check.md` with full documentation covering all 7 check
  types, CLI options, JSON output schema, policy file format, schema file format,
  severity levels, CI/CD integration (GitHub Actions, pre-commit, GitLab CI),
  and real-world usage examples
- Update `docs/docs/usage/cli.md` to reference the `check` command in the
  subcommands table
- Add `check` page to `docs/mkdocs.yml` navigation under Interfaces
- Extract helper functions (`normalizeSeverity`, `filterBySeverity`,
  `toCategoryResult`, `formatText`, `buildCheckOutput`) into
  `check-helpers.ts` for testability
- Refactor `check.ts` to import from `check-helpers.ts` (no behavior change)
- Add 53 unit tests covering: severity normalization, severity filtering,
  category result building, text formatting, output assembly, constants
  validation, and edge cases

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: add comprehensive E2E + adversarial tests for `check` command

- 58 new tests covering full handler flow with mocked `Dispatcher.call()`
- E2E: all 7 check types, `--fail-on` exit codes, `--severity` filtering,
  `--policy` validation, unknown check names, schema resolution, batching,
  text/JSON output, mixed success/failure across checks
- Adversarial: null bytes, shell metacharacters, 100K-char lines, Unicode/emoji,
  CRLF, spaces in filenames, deeply nested paths, malformed policy JSON, 1MB
  policy files, undefined/null finding fields, 5000 findings, XSS-like content,
  non-string severity, `__proto__` pollution, binary `.sql` content, symlinks,
  directory with `.sql` extension, duplicate file args, empty checks string
- Fix: `normalizeSeverity()` now handles non-string inputs without crashing
  (previously threw on numeric/boolean/object severity from Dispatcher)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address 4 major review findings in `check` command

1. `--fail-on` now evaluates UNFILTERED findings before `--severity`
   filtering. Previously, `--severity error --fail-on warning` would
   false-pass because warnings were filtered out before exit logic.

2. Removed unused CLI options (`--dialect`, `--dbt-project`, `--manifest`)
   that were documented but had no effect — misleading for CI users.

3. `runPii` now checks `result.success` before processing data,
   consistent with all other check runners.

4. Dispatcher failures now emit error-severity findings instead of
   silently returning `[]`. A broken native bridge no longer reports
   PASS with zero findings.

Also:
- Use `buildCheckOutput()` helper instead of duplicated inline logic
- Remove dead `|| ("error" as const)` fallbacks after `normalizeSeverity`
- Add 4 new tests: severity/fail-on interaction, runPii failure,
  Dispatcher failure exit code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address CodeRabbit review comments

1. Replace `process.exit()` with `process.exitCode` + `return` so the
   outer `finally` block in `index.ts` can run `Telemetry.shutdown()`.

2. Preserve A-F grade value from `altimate_core.grade` response in
   `CheckCategoryResult` metadata (`grade`, `score` fields).

3. Skip DB migration for `check` command — it only needs `Dispatcher`
   and has zero database dependencies. Prevents startup failure on
   read-only CI environments and removes multi-minute overhead.

4. Remove unused `--dialect`, `--dbt-project`, `--manifest` from docs
   options table (code already removed in prior commit).

5. Add `text` language specifier to fenced code block in `check.md`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: remove unnecessary `undefined as any` casts for optional `schema_context`

`schema_context` is already optional (`?`) in the Dispatcher types.
The `undefined as any` casts were unnecessary type safety bypasses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: anandgupta42

docs/docs/usage/check.md

@@ -22,6 +22,7 @@ altimate --agent analyst
 | Command     | Description                    |
 | ----------- | ------------------------------ |
 | `run`       | Run a prompt non-interactively |
+| `check`     | Run deterministic SQL checks (no LLM required) -- see [SQL Check](check.md) |
 | `serve`     | Start the HTTP API server      |
 | `web`       | Start the web UI               |
 | `agent`     | Agent management               |

docs/docs/usage/cli.md

@@ -101,6 +101,7 @@ nav:
       - Interfaces:
           - TUI: usage/tui.md
           - CLI: usage/cli.md
+          - SQL Check: usage/check.md
           - Web UI: usage/web.md
           - CI: usage/ci-headless.md
           - IDE: usage/ide.md

docs/mkdocs.yml

@@ -0,0 +1,142 @@
+// altimate_change start — check-helpers: extracted helpers for deterministic SQL check command
+// These are exported separately so they can be unit-tested without importing
+// the full CLI command (which has side-effects via yargs).
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface Finding {
+  file: string
+  line?: number
+  column?: number
+  code?: string
+  rule?: string
+  severity: "error" | "warning" | "info"
+  message: string
+  suggestion?: string
+}
+
+export interface CheckCategoryResult {
+  findings: Finding[]
+  error_count: number
+  warning_count: number
+  [key: string]: unknown
+}
+
+export interface CheckOutput {
+  version: 1
+  files_checked: number
+  checks_run: string[]
+  schema_resolved: boolean
+  results: Record<string, CheckCategoryResult>
+  summary: {
+    total_findings: number
+    errors: number
+    warnings: number
+    info: number
+    pass: boolean
+  }
+}
+
+export type Severity = "error" | "warning" | "info"
+
+export const SEVERITY_RANK: Record<Severity, number> = { error: 2, warning: 1, info: 0 }
+
+export const VALID_CHECKS = new Set(["lint", "validate", "safety", "policy", "pii", "semantic", "grade"])
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+export function normalizeSeverity(s?: string | unknown): Severity {
+  if (!s || typeof s !== "string") return "warning"
+  const lower = s.toLowerCase()
+  if (lower === "error" || lower === "fatal" || lower === "critical") return "error"
+  if (lower === "warning" || lower === "warn") return "warning"
+  return "info"
+}
+
+export function filterBySeverity(findings: Finding[], minSeverity: Severity): Finding[] {
+  const minRank = SEVERITY_RANK[minSeverity]
+  return findings.filter((f) => SEVERITY_RANK[f.severity] >= minRank)
+}
+
+export function toCategoryResult(findings: Finding[]): CheckCategoryResult {
+  return {
+    findings,
+    error_count: findings.filter((f) => f.severity === "error").length,
+    warning_count: findings.filter((f) => f.severity === "warning").length,
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Text formatter
+// ---------------------------------------------------------------------------
+
+export function formatText(output: CheckOutput): string {
+  const lines: string[] = []
+
+  lines.push(`Checked ${output.files_checked} file(s) with [${output.checks_run.join(", ")}]`)
+  if (output.schema_resolved) {
+    lines.push("Schema: resolved")
+  }
+  lines.push("")
+
+  for (const [category, catResult] of Object.entries(output.results)) {
+    if (catResult.findings.length === 0) continue
+    lines.push(`--- ${category.toUpperCase()} ---`)
+    for (const f of catResult.findings) {
+      const loc = f.line ? `:${f.line}${f.column ? `:${f.column}` : ""}` : ""
+      const rule = f.rule ? ` [${f.rule}]` : ""
+      lines.push(`  ${f.severity.toUpperCase()} ${f.file}${loc}${rule}: ${f.message}`)
+      if (f.suggestion) {
+        lines.push(`    suggestion: ${f.suggestion}`)
+      }
+    }
+    lines.push("")
+  }
+
+  const s = output.summary
+  lines.push(`${s.total_findings} finding(s): ${s.errors} error(s), ${s.warnings} warning(s), ${s.info} info`)
+  lines.push(s.pass ? "PASS" : "FAIL")
+
+  return lines.join("\n")
+}
+
+// ---------------------------------------------------------------------------
+// Output builder
+// ---------------------------------------------------------------------------
+
+export function buildCheckOutput(opts: {
+  filesChecked: number
+  checksRun: string[]
+  schemaResolved: boolean
+  results: Record<string, CheckCategoryResult>
+  failOn: "none" | "warning" | "error"
+}): CheckOutput {
+  const allFindings = Object.values(opts.results).flatMap((r) => r.findings)
+  const errors = allFindings.filter((f) => f.severity === "error").length
+  const warnings = allFindings.filter((f) => f.severity === "warning").length
+  const info = allFindings.filter((f) => f.severity === "info").length
+
+  let pass = true
+  if (opts.failOn === "error" && errors > 0) pass = false
+  if (opts.failOn === "warning" && (errors > 0 || warnings > 0)) pass = false
+
+  return {
+    version: 1,
+    files_checked: opts.filesChecked,
+    checks_run: opts.checksRun,
+    schema_resolved: opts.schemaResolved,
+    results: opts.results,
+    summary: {
+      total_findings: allFindings.length,
+      errors,
+      warnings,
+      info,
+      pass,
+    },
+  }
+}
+// altimate_change end