CLI-77 Auto-install sonar-secrets during sonar integrate claude

kirill-knize-sonarsource · kirill-knize-sonarsource · commit 15425448e15c · 2026-03-17T15:01:12.000+01:00
diff --git a/README.md b/README.md
@@ -119,40 +119,6 @@ sonar auth status
 
 ---
 
-### `sonar install`
-
-Install Sonar tools
-
-#### `sonar install secrets`
-
-Install sonar-secrets binary from https://binaries.sonarsource.com
-
-**Options:**
-
-| Option     | Type    | Required | Description                                     | Default |
-| ---------- | ------- | -------- | ----------------------------------------------- | ------- |
-| `--force`  | boolean | No       | Force reinstall even if already installed       | -       |
-| `--status` | boolean | No       | Check installation status instead of installing | -       |
-
-**Examples:**
-
-Install latest sonar-secrets binary
-```bash
-sonar install secrets
-```
-
-Reinstall sonar-secrets (overwrite existing)
-```bash
-sonar install secrets --force
-```
-
-Check if sonar-secrets is installed and up to date
-```bash
-sonar install secrets --status
-```
-
----
-
 ### `sonar integrate`
 
 Setup SonarQube integration for AI coding agents, git and others.
diff --git a/src/cli/command-tree.ts b/src/cli/command-tree.ts
@@ -28,7 +28,6 @@ import { authLogin, type AuthLoginOptions } from './commands/auth/login';
 import { authLogout, type AuthLogoutOptions } from './commands/auth/logout';
 import { authPurge } from './commands/auth/purge';
 import { authStatus } from './commands/auth/status';
-import { installSecrets, type InstallSecretsOptions } from './commands/install/secrets';
 import { integrateClaude, type IntegrateClaudeOptions } from './commands/integrate/claude';
 import { analyzeSecrets, type AnalyzeSecretsOptions } from './commands/analyze/secrets';
 import { analyzeSqaa, type AnalyzeSqaaOptions } from './commands/analyze/sqaa';
@@ -65,16 +64,6 @@ COMMAND_TREE.name('sonar')
   .addHelpText('beforeAll', getHelpBanner())
   .enablePositionalOptions();
 
-// Install Sonar tools
-const install = COMMAND_TREE.command('install').description('Install Sonar tools');
-
-install
-  .command('secrets')
-  .description('Install sonar-secrets binary from https://binaries.sonarsource.com')
-  .option('--force', 'Force reinstall even if already installed')
-  .option('--status', 'Check installation status instead of installing')
-  .action((options: InstallSecretsOptions) => runCommand(() => installSecrets(options)));
-
 // Setup SonarQube integration for AI coding agent
 const integrateCommand = COMMAND_TREE.command('integrate').description(
   'Setup SonarQube integration for AI coding agents, git and others.',
diff --git a/src/cli/commands/integrate/claude/index.ts b/src/cli/commands/integrate/claude/index.ts
@@ -29,6 +29,7 @@ import { blank, info, intro, note, outro, success, text, warn } from '../../../.
 import type { DiscoveredProject } from '../../_common/discovery';
 import { discoverProject } from '../../_common/discovery';
 import { CommandFailedError } from '../../_common/error';
+import { performSecretInstall } from '../../install/secrets';
 import { runHealthChecks } from './health';
 import { installHooks } from './hooks';
 import { repairToken } from './repair';
@@ -74,6 +75,10 @@ export async function integrateClaude(options: IntegrateClaudeOptions): Promise<
   text('Phase 2/3: Health Check & Repair');
   blank();
 
+  text('Installing sonar-secrets...');
+  await performSecretInstall({ force: false });
+  blank();
+
   const healthResult = await runHealthChecks(
     config.serverURL,
     token || 'INVALID',
diff --git a/tests/integration/specs/install/install-secrets.test.ts b/tests/integration/specs/install/install-secrets.test.ts
diff --git a/tests/integration/specs/integrate/integrate.test.ts b/tests/integration/specs/integrate/integrate.test.ts
@@ -32,6 +32,7 @@ describe('integrate claude', () => {
 
   beforeEach(async () => {
     harness = await TestHarness.create();
+    harness.state().withSecretsBinaryInstalled();
   });
 
   afterEach(async () => {
@@ -436,6 +437,7 @@ describe('integrate claude — A3S entitlement guard', () => {
 
   beforeEach(async () => {
     harness = await TestHarness.create();
+    harness.state().withSecretsBinaryInstalled();
   });
 
   afterEach(async () => {
@@ -552,6 +554,7 @@ describe('integrate claude — file placement (local vs global)', () => {
 
   beforeEach(async () => {
     harness = await TestHarness.create();
+    harness.state().withSecretsBinaryInstalled();
   });
 
   afterEach(async () => {
@@ -848,6 +851,7 @@ describe('integrate claude — legacy state without agentExtensions', () => {
 
   beforeEach(async () => {
     harness = await TestHarness.create();
+    harness.state().withSecretsBinaryInstalled();
   });
 
   afterEach(async () => {
@@ -1092,3 +1096,62 @@ describe('integrate — argument validation', () => {
     { timeout: 15000 },
   );
 });
+
+// ─── sonar-secrets auto-install ───────────────────────────────────────────────
+
+describe('integrate claude — sonar-secrets auto-install', () => {
+  let harness: TestHarness;
+
+  beforeEach(async () => {
+    harness = await TestHarness.create();
+  });
+
+  afterEach(async () => {
+    await harness.dispose();
+  });
+
+  it(
+    'downloads and installs sonar-secrets when binary is not present',
+    async () => {
+      const server = await harness
+        .newFakeServer()
+        .withAuthToken('test-token')
+        .withProject('my-project')
+        .start();
+      await harness.newFakeBinariesServer().start();
+      harness.cwd.writeFile(
+        'sonar-project.properties',
+        [`sonar.host.url=${server.baseUrl()}`, 'sonar.projectKey=my-project'].join('\n'),
+      );
+
+      const result = await harness.run('integrate claude --token test-token --non-interactive');
+
+      expect(result.exitCode).toBe(0);
+      expect(harness.cliHome.file('bin', 'sonar-secrets').exists()).toBe(true);
+    },
+    { timeout: 30000 },
+  );
+
+  it(
+    'skips download when sonar-secrets is already installed at the correct version',
+    async () => {
+      const server = await harness
+        .newFakeServer()
+        .withAuthToken('test-token')
+        .withProject('my-project')
+        .start();
+      const fakeBinariesServer = await harness.newFakeBinariesServer().start();
+      harness.state().withSecretsBinaryInstalled();
+      harness.cwd.writeFile(
+        'sonar-project.properties',
+        [`sonar.host.url=${server.baseUrl()}`, 'sonar.projectKey=my-project'].join('\n'),
+      );
+
+      const result = await harness.run('integrate claude --token test-token --non-interactive');
+
+      expect(result.exitCode).toBe(0);
+      expect(fakeBinariesServer.getRecordedRequests()).toHaveLength(0);
+    },
+    { timeout: 30000 },
+  );
+});
diff --git a/tests/unit/integrate.test.ts b/tests/unit/integrate.test.ts
@@ -31,6 +31,7 @@ import * as repair from '../../src/cli/commands/integrate/claude/repair';
 import * as state from '../../src/cli/commands/integrate/claude/state';
 import * as authResolver from '../../src/lib/auth-resolver';
 import { ResolvedAuth } from '../../src/lib/auth-resolver';
+import * as installSecrets from '../../src/cli/commands/install/secrets';
 import * as migration from '../../src/lib/migration';
 import { getDefaultState } from '../../src/lib/state';
 import * as stateManager from '../../src/lib/state-manager';
@@ -80,6 +81,9 @@ describe('integrateCommand', () => {
   let updateStateAfterConfigurationSpy: Mock<
     Extract<(typeof state)['updateStateAfterConfiguration'], (...args: any[]) => any>
   >;
+  let performSecretInstallSpy: Mock<
+    Extract<(typeof installSecrets)['performSecretInstall'], (...args: any[]) => any>
+  >;
 
   beforeEach(() => {
     setMockUi(true);
@@ -99,6 +103,10 @@ describe('integrateCommand', () => {
     runMigrationsSpy = spyOn(migration, 'runMigrations');
     updateStateAfterConfigurationSpy = spyOn(state, 'updateStateAfterConfiguration');
 
+    performSecretInstallSpy = spyOn(installSecrets, 'performSecretInstall').mockResolvedValue(
+      '/fake/path/sonar-secrets',
+    );
+
     mockDiscoveredProject({}); // Default mock to prevent tests from reading the real filesystem. Individual tests are overriding this with specific project data as needed.
     mockHealthCheck(); // Default mock to healthy checks. Individual tests are overriding this with specific health data as needed.
   });
@@ -117,6 +125,7 @@ describe('integrateCommand', () => {
     installHooksSpy.mockRestore();
     runMigrationsSpy.mockRestore();
     updateStateAfterConfigurationSpy.mockRestore();
+    performSecretInstallSpy.mockRestore();
   });
 
   it('shows intro message', async () => {
