Min Coverage + SonarQube Collector

Queries the SonarQube/SonarCloud Web API for code-quality metrics, scoped per-commit. On default-branch commits the query uses branch=<default>; on PR commits it uses pullRequest=$LUNAR_COMPONENT_PR — the only difference between the two paths is the query param, so they share one sub-collector. Because SonarQube's Compute Engine queues analyses asynchronously — typically publishing 10–60s after sonar-scanner exits, longer for large projects — this sub-collector polls api/project_analyses/search for up to api_poll_timeout_seconds (default 180s) waiting for an analysis whose revision matches the current head_sha. If the matching analysis never appears, writes .code_quality.source.analysis_status = "pending" and no metrics, so policies can distinguish "SonarQube hasn't finished yet" from "SonarQube isn't configured". Discovers the project key from the sonarqube/project-key meta annotation (typically set by a company-specific cataloger via lunar catalog component --meta sonarqube/project-key <key>), or falls back to the explicit project_key input. Writes a tool-agnostic passing signal, coverage and duplication percentages, and severity-bucketed issue counts at the .code_quality.* top level. SonarQube-specific structure (quality gate detail, the reliability/security/maintainability rating split, SQALE debt, native metric names) lands under .code_quality.native.sonarqube for SonarQube-specific policies that need it. Runs on both default-branch and PR commits by default — users who want only one can narrow runs_on on their import in lunar-config.yml.

Runs sonar-scanner on the checked-out source against the configured SonarQube/SonarCloud server, then polls the Web API for results — an all-in-one alternative to api for users who don't trigger SonarQube from their own CI. On default-branch commits the scanner is invoked with -Dsonar.branch.name=<default>; on PR commits with -Dsonar.pullrequest.key=$LUNAR_COMPONENT_PR, -Dsonar.pullrequest.branch=$LUNAR_COMPONENT_HEAD_BRANCH, and -Dsonar.pullrequest.base=$LUNAR_COMPONENT_BASE_BRANCH. Scanner invocation metadata (version, exit code, duration) is captured under .code_quality.native.sonarqube.auto. Once the scanner exits, the same polling path used by api reads the published analysis and writes the tool-agnostic .code_quality.* fields with "integration": "auto". If the scanner fails, writes .code_quality.native.sonarqube.auto.status = "scanner-failed" with the exit code and no downstream metrics. Requires SONARQUBE_TOKEN with Execute Analysis permission (read-only Browse is not sufficient). Mutually exclusive with api and with a user-run sonar-scanner in CI on the same commit — enabling both means the scanner runs twice. A future collector-dependency feature will let auto fire only when the cicd sub-collector did not capture a scan for the same head_sha. Runs on both default-branch and PR commits by default — narrow runs_on on the import to restrict the scope.

Detects SonarQube/SonarCloud configuration in the repository — the sonar-project.properties file, the sonar-maven-plugin in pom.xml, the org.sonarqube plugin in build.gradle/build.gradle.kts, or <SonarQubeEnabled> in a .csproj. Writes discovered config file paths under .code_quality.native.sonarqube.config. Presence of this data signals that SonarQube is wired up for the component even when the api sub-collector cannot reach the project or no analysis has been published yet.

Detects sonar-scanner invocations in CI pipelines via a ci-after-command hook. Captures the command string, exit code, and scanner version. Writes to .code_quality.native.sonarqube.cicd.cmds[], mirroring the snyk/cli pattern. Maven (mvn sonar:sonar) and Gradle (gradle sonarqube) launchers are not covered in V1 — those need separate binary-match rules and will be added in follow-up PRs.