test(config-audit): add marketplace-small/medium/large scanner fixtures

plugins/config-audit/tests/fixtures/marketplace-large/.claude/settings.json

@@ -0,0 +1,14 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "permissions": {
+    "allow": [
+      "Bash(npm run *)",
+      "Read(src/**)",
+      "Read(packages/**)",
+      "Read(plugins/**)",
+      "Write(dist/**)"
+    ],
+    "deny": ["Read(./.env)", "Read(**/secrets/**)"]
+  },
+  "effortLevel": "high"
+}

plugins/config-audit/tests/fixtures/marketplace-large/.claude/shared-errors.md

@@ -0,0 +1,9 @@
+# Shared Error-Handling Patterns
+
+- Subclass `Error` with typed messages
+- Never swallow errors silently
+- Prefer `Result<T, E>` return types in business logic
+- Log only at boundaries, never inside pure functions
+- Validate inputs only at the system edge
+- Treat all third-party API responses as untrusted input
+- Bail early on contract violations rather than degrading silently

plugins/config-audit/tests/fixtures/marketplace-large/.claude/shared-naming.md

@@ -0,0 +1,7 @@
+# Shared Naming Conventions
+
+- `camelCase` for variables, function parameters, function names
+- `PascalCase` for classes, interfaces, type aliases
+- `UPPER_SNAKE_CASE` for module-level constants
+- kebab-case for filenames and directory names
+- `_leading_underscore` for unused parameters explicitly retained

plugins/config-audit/tests/fixtures/marketplace-large/.claude/shared-tests.md

@@ -0,0 +1,9 @@
+# Shared Test Patterns
+
+- One fixture per scenario under `tests/fixtures/{name}/`
+- `describe(...)` + `it(...)` from `node:test`
+- Co-locate tests with their implementation as `*.test.mjs`
+- Prefer table-driven tests for permutations
+- Reset module-level state in `beforeEach` to keep tests isolated
+- Use `execFile` for CLI subprocess tests
+- Avoid mocks for I/O at fixture boundaries — read real files instead

plugins/config-audit/tests/fixtures/marketplace-large/.mcp.json

@@ -0,0 +1,22 @@
+{
+  "mcpServers": {
+    "memory": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-memory"],
+      "trust": "workspace"
+    },
+    "filesystem": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-filesystem", "./docs"],
+      "trust": "trusted"
+    },
+    "github": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "trust": "trusted"
+    }
+  }
+}

plugins/config-audit/tests/fixtures/marketplace-large/CLAUDE.md

@@ -0,0 +1,68 @@
+# Marketplace Large
+
+A large marketplace fixture with 6+ plugins, deep CLAUDE.md content,
+multiple hook event types, multiple MCP servers, and extensive shared
+configuration. Intended to produce a strictly larger total-estimated-tokens
+count than the small or medium fixtures.
+
+## Plugins
+
+- plugin-alpha — linting and static analysis
+- plugin-beta — code formatting
+- plugin-gamma — test runner and coverage
+- plugin-delta — release automation and tagging
+- plugin-epsilon — configuration auditing
+- plugin-zeta — security scanning
+- plugin-eta — documentation generation
+- plugin-theta — dependency management
+
+## Commands
+
+- `npm run build` — Build all workspace packages
+- `npm test` — Run the entire test suite
+- `npm run lint` — Run all linters
+- `npm run format` — Auto-format all source files
+- `npm run release` — Cut a new release
+- `npm run audit` — Security audit of dependencies
+- `npm run docs:build` — Build documentation site
+- `npm run docs:serve` — Serve documentation locally
+- `npm run typecheck` — Type-check without emitting
+- `npm run clean` — Remove build artifacts
+
+## Architecture
+
+The marketplace hosts multiple plugins, each self-contained. Inter-plugin
+communication happens via well-defined contracts; no plugin imports from
+another directly. Shared primitives live in a workspace package consumed
+by every plugin.
+
+## Conventions
+
+- Conventional Commits with plugin scope: `feat(plugin-name): description`
+- Semantic versioning per plugin, coordinated via a release-please-style flow
+- Tests live alongside implementation files as `*.test.mjs`
+- Zero runtime npm dependencies in hooks and scanners where possible
+
+## Tooling
+
+- Node.js ≥ 18 (ES Modules, node:test)
+- TypeScript strict mode
+- ESLint + Prettier
+- Shared git hooks via `hooks/hooks.json`
+
+## Release Process
+
+Each plugin version-bumps independently. The marketplace root README and
+per-plugin README are updated in the same commit as the version bump. A
+tag of the form `{plugin}-v{semver}` is pushed to Forgejo alongside the
+main branch commit.
+
+## Shared Patterns
+
+Shared conventions and helper patterns are defined in the imported files
+below. Each import is a logical slice: one for naming conventions, one
+for error-handling patterns, one for test patterns.
+
+@.claude/shared-naming.md
+@.claude/shared-errors.md
+@.claude/shared-tests.md

plugins/config-audit/tests/fixtures/marketplace-large/hooks/hooks.json

@@ -0,0 +1,17 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      { "matcher": "Bash", "hooks": [{ "type": "command", "command": "echo pre-bash", "timeout": 5000 }] }
+    ],
+    "PostToolUse": [
+      { "matcher": "Write", "hooks": [{ "type": "command", "command": "echo post-write", "timeout": 5000 }] },
+      { "matcher": "Edit", "hooks": [{ "type": "command", "command": "echo post-edit", "timeout": 5000 }] }
+    ],
+    "SessionStart": [
+      { "hooks": [{ "type": "command", "command": "echo session-start", "timeout": 5000 }] }
+    ],
+    "Stop": [
+      { "hooks": [{ "type": "command", "command": "echo stop", "timeout": 5000 }] }
+    ]
+  }
+}

plugins/config-audit/tests/fixtures/marketplace-medium/.claude/settings.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "permissions": {
+    "allow": ["Bash(npm run *)", "Read(src/**)"],
+    "deny": ["Read(./.env)"]
+  },
+  "effortLevel": "medium"
+}

plugins/config-audit/tests/fixtures/marketplace-medium/.claude/shared.md

@@ -0,0 +1,13 @@
+# Shared Medium Patterns
+
+Naming conventions and common helpers shared across the four plugins.
+
+## Naming
+
+- `camelCase` for variables and functions
+- `PascalCase` for classes and types
+
+## Error Handling
+
+- Early returns over nested conditionals
+- Typed error subclasses

plugins/config-audit/tests/fixtures/marketplace-medium/.mcp.json

@@ -0,0 +1,10 @@
+{
+  "mcpServers": {
+    "memory": {
+      "type": "stdio",
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-memory"],
+      "trust": "workspace"
+    }
+  }
+}

plugins/config-audit/tests/fixtures/marketplace-medium/CLAUDE.md

@@ -0,0 +1,24 @@
+# Marketplace Medium
+
+Marketplace with 3–4 plugins, modest hooks.json, single MCP server, and
+one @import to a shared configuration file.
+
+## Plugins
+
+- plugin-alpha — linting
+- plugin-beta — formatting
+- plugin-gamma — test runner
+- plugin-delta — release automation
+
+## Commands
+
+- `npm run build`
+- `npm test`
+- `npm run lint`
+- `npm run format`
+
+## Conventions
+
+Standard TypeScript project layout. Shared patterns imported below.
+
+@.claude/shared.md

plugins/config-audit/tests/fixtures/marketplace-medium/hooks/hooks.json

@@ -0,0 +1,10 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      { "matcher": "Bash", "hooks": [{ "type": "command", "command": "echo pre", "timeout": 5000 }] }
+    ],
+    "PostToolUse": [
+      { "matcher": "Write", "hooks": [{ "type": "command", "command": "echo post", "timeout": 5000 }] }
+    ]
+  }
+}

plugins/config-audit/tests/fixtures/marketplace-small/.claude/settings.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-settings.json",
+  "permissions": { "allow": ["Bash(npm test)"], "deny": [] }
+}

plugins/config-audit/tests/fixtures/marketplace-small/CLAUDE.md

@@ -0,0 +1,7 @@
+# Marketplace Small
+
+Single-plugin marketplace with minimal CLAUDE.md content.
+
+## Commands
+
+- `npm test`