Alpha Preview: Fidensa is currently in early testing. Scores are for demonstration purposes and are not considered final or reliable.

Fidensa
Hook Certified

typescript-quality-hooks

Automated TypeScript development workflow hooks that perform compilation checks, ESLint fixes, and Prettier formatting on file edits with high-performance caching.

84

/ 100 · Grade B

B = 80–89

I need to automatically validate, fix, and format my TypeScript code on every file save without slowing down my development workflow.

development-toolstypescriptcode-qualityautomationperformance
Publisher: bartolliVersion: latestCertified: Apr 1, 2026Expires: Apr 1, 2027Source ↗

typescript-quality-hooks earned Certified status with a trust score of 84/100 (Grade B). Adversarial testing produced 2 findings (2 high). Security scan flagged 0 findings.

Trust Score Breakdown

Eight weighted signals composing the aggregate trust score

security scan
100% × 15w
15.0
supply chain
100% × 10w
10.0
adversarial
50% × 25w
12.5
provenance
80% × 20w
16.0
consumer confirm
100% × 10w
10.0
behavioral pass
100% × 10w
10.0
contract accuracy
100% × 6w
6.0
uptime
100% × 4w
4.0

Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.

Findings

Security scan results, adversarial testing, and pipeline review

Security Scan — Cisco Skill Scanner

cisco-skill-scannerFAIL
staticbehavioralllmmeta
critical: 0high: 0medium: 0low: 0

Adversarial Testing — 6 categories, 2 findings

prompt injection chainsprivilege escalationdata exfiltration side channelscapability squattingcontext poisoningdependency confusion
highWarnprivilege escalationconfirmed

The skill provides extensive configuration options to completely disable security tools including TypeScript compilation checks, ESLint, and Prettier. The configuration system allows blanket suppression via environment variables (CLAUDE_HOOKS_TYPESCRIPT_ENABLED=false, CLAUDE_HOOKS_ESLINT_ENABLED=false) and config files. Additionally, it includes an 'autofixSilent' mode that suppresses error output, hiding security tool findings from users. While the skill doesn't directly suppress security-specific rules, the ability to completely disable TypeScript type checking and ESLint (which includes security rules) creates a significant attack surface where malicious code could bypass all static analysis.

highWarndependency confusionconfirmed

The skill's hook configuration executes 'node .claude/hooks/vscode-extension/quality-check.js' but does not declare Node.js or any npm packages as dependencies. The script imports multiple Node.js modules (fs, path, crypto) and attempts to dynamically require project-local packages (eslint, prettier, typescript) without these being listed in the skill's declared dependencies.

Methodology v1.0 · 6 categories · ~55 attack patterns

Interface

Skill triggers and instruction summary

Activation

Binds to lifecycle events: PostToolUse

Hook configuration with 1 handler(s)

Instructions: 1Files: 4Format: hook_json

Scope & Permissions

What this capability can and cannot access — derived from pipeline analysis

creates files

no

deletes files

no

modifies files

no

accesses env variables

no

invokes external tools

yes

makes network requests

no

Badge & Integration

Embed certification status in your README, docs, or CI pipeline

Fidensa Certified badge for typescript-quality-hooks
badge SVG →attestation API →integration guide →

Certification Notes

Provenance observations from the pipeline

publisher

Publisher "bartolli" is not verified — first certification from this publisher

provenance

No SECURITY.md or SECURITY.txt file found — no published vulnerability reporting process

provenance

Single contributor — no peer review evidence in commit history

provenance

Package description appears to be boilerplate or template text

Signed Artifact

Certification provenance and verification metadata

Content hash
sha256:9b747bf10bf7fe183cb1b3815eff9eef75e7bf2f217f749592759889a50e370f
Key ID
kms-9db4ed3b9f53
Certified
Apr 1, 2026
Expires
Apr 1, 2027
Pipeline version
1.0
Status
valid
Annotated Filedownload →

The original instruction file with a certification footer appended. Replace the source file in your project so AI agents see the trust score, verification link, and SOP.

.cert.jsondownload →

ES256-signed JWS artifact for programmatic verification. Use with the Fidensa MCP server or GitHub Action to validate integrity.

Pipeline Artifacts

Raw data files from this certification run — downloadable for independent verification

contract.json

Full unsigned contract

stage1-ingest.json

Ingest stage output

stage2a-sbom.json

SBOM generation results

stage2a-vulns.json

Vulnerability scan results

stage2b-security.json

Security scan results

stage3a-functional.json

Functional test results

stage3b-adversarial.json

Adversarial test results

stage3c-fingerprint.json

Behavioral fingerprint

stage4-certify.json

Certification decision + trust score

stage3a-measurements.json

Raw functional test measurements

stage3b-measurements.json

Raw adversarial test measurements

run-log.json

Pipeline execution log

Not all files may be present for every certification.