|
| 1 | +This is a great conversation — the UCM-lite concept is exactly the kind of abstraction that would let you expand beyond WordPress/PHP while keeping the detection engine language-agnostic. |
| 2 | + |
| 3 | +## Quick Wins: From JSON + AI Triage → Developer Action |
| 4 | + |
| 5 | +Here are practical, shippable ideas that leverage what you already have: |
| 6 | + |
| 7 | +### 1. **Inline Fix Suggestions in HTML Reports** |
| 8 | + |
| 9 | +You already have file + line number + rule ID. Add a `suggested_fix` field to the AI triage output: |
| 10 | + |
| 11 | +```json |
| 12 | +{ |
| 13 | + "rule_id": "unbounded-query", |
| 14 | + "file": "includes/query.php", |
| 15 | + "line": 45, |
| 16 | + "suggested_fix": "Add 'posts_per_page' => 100 or use pagination with 'paged' parameter", |
| 17 | + "fix_snippet": "'posts_per_page' => 100, // WP Code Check: bounded query" |
| 18 | +} |
| 19 | +``` |
| 20 | + |
| 21 | +The HTML report becomes actionable — developers see *what* to do, not just *what's wrong*. |
| 22 | + |
| 23 | +### 2. **Copy-Paste Fix Buttons** |
| 24 | + |
| 25 | +In the HTML report, add a button next to each finding that copies a ready-to-use code snippet: |
| 26 | + |
| 27 | +```html |
| 28 | +<button onclick="copyToClipboard(\"'posts_per_page' => 100,\")">📋 Copy Fix</button> |
| 29 | +``` |
| 30 | + |
| 31 | +Low effort, high developer happiness. |
| 32 | + |
| 33 | +### 3. **GitHub/GitLab PR Comments via CI** |
| 34 | + |
| 35 | +Export findings as **SARIF** or use the GitHub Checks API to post inline comments directly on the PR diff. Developers see issues exactly where they introduced them: |
| 36 | + |
| 37 | +```yaml |
| 38 | +# In your CI workflow |
| 39 | +- name: Post findings to PR |
| 40 | + run: | |
| 41 | + python3 dist/bin/sarif-export.py dist/logs/latest.json > results.sarif |
| 42 | + # GitHub automatically picks up SARIF files |
| 43 | +``` |
| 44 | +
|
| 45 | +### 4. **"Fix This" Deep Links to IDE** |
| 46 | +
|
| 47 | +Generate `vscode://` or `cursor://` links that open the exact file and line: |
| 48 | + |
| 49 | +``` |
| 50 | +vscode://file//path/to/plugin/includes/query.php:45 |
| 51 | +``` |
| 52 | +
|
| 53 | +One click from HTML report → cursor on the problematic line. |
| 54 | +
|
| 55 | +### 5. **Prioritized Fix Queue (JSON → Task List)** |
| 56 | +
|
| 57 | +Transform the AI triage output into a developer checklist: |
| 58 | +
|
| 59 | +```markdown |
| 60 | +## Fix Queue (3 confirmed issues) |
| 61 | +
|
| 62 | +- [ ] **P1** `includes/query.php:45` — Unbounded query (est. 5 min) |
| 63 | +- [ ] **P2** `admin/ajax.php:112` — Missing nonce check (est. 10 min) |
| 64 | +- [ ] **P3** `assets/js/admin.js:293` — Debug code in production (est. 2 min) |
| 65 | +
|
| 66 | +**Estimated total: 17 minutes** |
| 67 | +``` |
| 68 | + |
| 69 | +Export as GitHub Issue, Linear ticket, or just markdown. |
| 70 | + |
| 71 | +### 6. **Baseline Diff Reports** |
| 72 | + |
| 73 | +When running against a baseline, show *what changed*: |
| 74 | + |
| 75 | +``` |
| 76 | ++2 new issues introduced |
| 77 | +-1 issue fixed |
| 78 | + 3 issues unchanged (baselined) |
| 79 | +``` |
| 80 | + |
| 81 | +This makes the report useful for PR review — "did this PR make things better or worse?" |
| 82 | + |
| 83 | +--- |
| 84 | + |
| 85 | +## Slightly Bigger Win: AI-Generated Fix PRs |
| 86 | + |
| 87 | +If you're already doing AI triage, the next step is AI-generated patches: |
| 88 | + |
| 89 | +1. AI reads the finding + surrounding code context |
| 90 | +2. Generates a minimal diff |
| 91 | +3. Opens a draft PR or outputs a `.patch` file |
| 92 | + |
| 93 | +This is where the JSON structure really pays off — you have everything needed to prompt an LLM with precise context. |
| 94 | + |
| 95 | +--- |
| 96 | + |
| 97 | +Which of these feels most aligned with where you want to take the tool? I can help sketch out implementation details for any of them. |
| 98 | + |
| 99 | + |
| 100 | +==== |
| 101 | + |
| 102 | +Great question. Here's what I found: |
| 103 | + |
| 104 | +## Current State: No Universal "Send to Agent" Right-Click Action (Yet) |
| 105 | + |
| 106 | +There's **no standardized "right-click → send to AI agent" API** that works across all VS Code AI extensions. However, there are several paths forward: |
| 107 | + |
| 108 | +--- |
| 109 | + |
| 110 | +## What's Actually Available |
| 111 | + |
| 112 | +### 1. **MCP (Model Context Protocol)** — The Emerging Standard |
| 113 | + |
| 114 | +MCP is an open standard that lets AI models use external tools and services through a unified interface. In agent mode, these tools are automatically invoked based on the user's chat prompt. |
| 115 | + |
| 116 | +This is your best bet for "universal" integration: |
| 117 | +- You can create an MCP server that exposes WP Code Check findings as tools |
| 118 | +- You can explicitly reference MCP tools by typing `#` followed by the tool name in chat |
| 119 | +- Works with Copilot, Claude, Cline, and other MCP-compatible agents |
| 120 | + |
| 121 | +### 2. **VS Code Command URIs** — For Clickable Links |
| 122 | + |
| 123 | +Command URIs are links that execute a given command. They can be used as clickable links in hover text, completion item details, or inside of webviews. |
| 124 | + |
| 125 | +You could embed these in your HTML reports: |
| 126 | +``` |
| 127 | +command:workbench.action.chat.open?{"query":"Fix this unbounded query in file.php:45"} |
| 128 | +``` |
| 129 | + |
| 130 | +### 3. **Copilot Coding Agent Delegation** |
| 131 | + |
| 132 | +Now, you can delegate the task you're working on directly to the Coding Agent. All of the context that's part of your current chat session will be handed off to the Coding Agent. |
| 133 | + |
| 134 | +This requires the GitHub Pull Requests extension and this setting: |
| 135 | +```json |
| 136 | +"githubPullRequests.codingAgent.uiIntegration": true |
| 137 | +``` |
| 138 | + |
| 139 | +### 4. **Extension-to-Extension Commands** |
| 140 | + |
| 141 | +The `vscode.commands.executeCommand` API programmatically executes a command. This lets you use VS Code's built-in functionality, and build on extensions. |
| 142 | + |
| 143 | +If you build a VS Code extension, you could call Copilot/agent commands directly — though these APIs are often undocumented or unstable. |
| 144 | + |
| 145 | +--- |
| 146 | + |
| 147 | +## Practical Path for WP Code Check |
| 148 | + |
| 149 | +**Option A: Build an MCP Server** (recommended) |
| 150 | + |
| 151 | +Create a simple MCP server that exposes: |
| 152 | +- `wp_code_check_scan` — runs a scan |
| 153 | +- `wp_code_check_get_findings` — returns JSON findings |
| 154 | +- `wp_code_check_fix_suggestion` — returns fix for a specific finding |
| 155 | + |
| 156 | +Then any MCP-compatible agent (Copilot, Claude, Cline) can invoke these automatically. |
| 157 | + |
| 158 | +**Option B: Command URI Links in HTML Reports** |
| 159 | + |
| 160 | +Add links like: |
| 161 | +```html |
| 162 | +<a href="command:workbench.action.chat.open?%7B%22query%22%3A%22Fix%20unbounded%20query%22%7D"> |
| 163 | + 🤖 Ask Agent to Fix |
| 164 | +</a> |
| 165 | +``` |
| 166 | + |
| 167 | +**Option C: VS Code Extension with Context Menu** |
| 168 | + |
| 169 | +Build a small extension that adds a right-click menu item on findings, which then opens chat with a pre-filled prompt. |
| 170 | + |
| 171 | +--- |
| 172 | + |
| 173 | +## The "Universal Send-to-Agent" You're Imagining |
| 174 | + |
| 175 | +It doesn't exist yet as a first-class API, but **MCP is the closest thing to it** — it's being adopted by Microsoft, Anthropic, and the broader ecosystem as the standard way to connect tools to agents. |
| 176 | + |
| 177 | +Want me to sketch out what a WP Code Check MCP server would look like? |
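Review bot: the `<button onclick="copyToClipboard(\"'posts_per_page' => 100,\")">` example in the Copy-Paste Fix Buttons section is malformed HTML (a backslash does not escape a double quote inside an HTML attribute, so the attribute value ends at the first `\"` and the rest of the snippet is parsed as stray attributes), and the same pattern is a bigger problem than a typo: `fix_snippet`, `suggested_fix`, file paths and rule text all originate from the AI triage output and from the scanned plugin, so interpolating them straight into `onclick` handlers or into `command:workbench.action.chat.open?{"query":...}` links means a scanned codebase can inject markup or script into the report and, inside VS Code, shape the arguments handed to the command. Suggest putting the snippet in an HTML-escaped `data-fix` attribute and wiring the clipboard handler with `addEventListener`, and building the command URI from a fixed template with the finding fields JSON-encoded and then percent-encoded (as the Option B snippet already does) rather than from raw finding text; Option B should also state that `command:` URIs are only honoured in VS Code webviews and in markdown explicitly marked trusted, not in an HTML report opened in a browser. Two smaller points on the same hunk: in the Fix Queue example, "Missing nonce check" in `admin/ajax.php:112` is a CSRF/authorization gap and should not rank below the unbounded-query performance finding, so the priority ordering should weigh security severity and not only estimated effort; and in the AI-Generated Fix PRs section, "draft PR" should be a hard requirement rather than an option, since the patch comes from an LLM prompted with untrusted plugin source and its context.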