@mmnto/cli 1.5.3 → 1.5.5

package/dist/commands/add-lesson.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"add-lesson.d.ts","sourceRoot":"","sources":["../../src/commands/add-lesson.ts"],"names":[],"mappings":"AAAA,wBAAsB,gBAAgB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqGxE"}
+{"version":3,"file":"add-lesson.d.ts","sourceRoot":"","sources":["../../src/commands/add-lesson.ts"],"names":[],"mappings":"AAEA,wBAAsB,gBAAgB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAsHxE"}

package/dist/commands/add-lesson.js

@@ -1,3 +1,4 @@
+const TAG = 'AddLesson';
 export async function addLessonCommand(lessonArg) {
     const { spawn } = await import('node:child_process');
     const fs = await import('node:fs');
@@ -19,10 +20,13 @@ export async function addLessonCommand(lessonArg) {
         }
         return { cmd: IS_WIN ? 'npx.cmd' : 'npx', args: ['totem', 'sync', '--incremental'] };
     }
+    const { loadCustomSecrets, maskSecrets } = await import('@mmnto/totem'); // totem-ignore
     const cwd = process.cwd();
     const configPath = resolveConfigPath(cwd);
     loadEnv(cwd);
     const config = await loadConfig(configPath);
+    // Load user-defined custom secrets for DLP (#921)
+    const customSecrets = loadCustomSecrets(cwd, config.totemDir, (msg) => log.warn(TAG, msg));
     const totemDir = path.join(cwd, config.totemDir);
     if (!fs.existsSync(totemDir)) {
         fs.mkdirSync(totemDir, { recursive: true });
@@ -61,6 +65,14 @@ export async function addLessonCommand(lessonArg) {
         log.error('Totem Error', 'Lesson text cannot be empty.');
         return;
     }
+    // Warn and redact if lesson text contains custom secret patterns (#921)
+    if (customSecrets.length > 0) {
+        const redacted = maskSecrets(lessonText, customSecrets);
+        if (redacted !== lessonText) {
+            log.warn(TAG, 'Custom secret pattern detected in lesson text. The text will be automatically redacted.');
+            lessonText = redacted;
+        }
+    }
     const safeLesson = sanitize(lessonText);
     const safeTagString = tags.length > 0 ? tags.map((t) => sanitize(t).replace(/\n/g, ' ')).join(', ') : 'manual';
     const heading = generateLessonHeading(safeLesson);

package/dist/commands/add-lesson.js.map

@@ -1 +1 @@
-{"version":3,"file":"add-lesson.js","sourceRoot":"","sources":["../../src/commands/add-lesson.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAkB;IACvD,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACrD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;IACtE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACxD,MAAM,EAAE,qBAAqB,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,eAAe;IAChG,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAEjG,SAAS,iBAAiB,CAAC,GAAW;QACpC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO;gBACL,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;gBACjC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC;aACjD,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,CAAC;QACzF,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,CAAC;IACvF,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,CAAC;IACb,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;IAE5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,IAAI,UAAU,GAAG,SAAS,CAAC;IAC3B,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,oDAAoD,CAAC,CAAC;YACxF,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC,CAAC;YAClF,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,0DAA0D,CAAC,CAAC;YAC1F,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;YAE/D,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,IAAI,CAAC,IAAI,CACP,GAAG,MAAM;qBACN,KAAK,CAAC,GAAG,CAAC;qBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;qBACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACjE,IAAI,GAAG,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAE1D,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC;IAED,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;QACtC,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,8BAA8B,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,aAAa,GACjB,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC3F,MAAM,OAAO,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAElD,MAAM,KAAK,GAAG,eAAe,OAAO,iBAAiB,aAAa,OAAO,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC;IAE/F,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5C,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,mBAAmB,MAAM,CAAC,QAAQ,YAAY,QAAQ,EAAE,CAAC,CAAC,CAAC,eAAe;IAE/F,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,mCAAmC,CAAC,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;YAC7B,GAAG;YACH,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC;YAC/B,KAAK,EAAE,MAAM;YACb,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,sCAAsC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC"}
+{"version":3,"file":"add-lesson.js","sourceRoot":"","sources":["../../src/commands/add-lesson.ts"],"names":[],"mappings":"AAAA,MAAM,GAAG,GAAG,WAAW,CAAC;AAExB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAkB;IACvD,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACrD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC;IACtE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IACxD,MAAM,EAAE,qBAAqB,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,eAAe;IAChG,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAEjG,SAAS,iBAAiB,CAAC,GAAW;QACpC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO;gBACL,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;gBACjC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC;aACjD,CAAC;QACJ,CAAC;QACD,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,CAAC;QACzF,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE,CAAC;IACvF,CAAC;IAED,MAAM,EAAE,iBAAiB,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,eAAe;IAExF,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,CAAC;IACb,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;IAE5C,kDAAkD;IAClD,MAAM,aAAa,GAAG,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAE3F,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,IAAI,UAAU,GAAG,SAAS,CAAC;IAC3B,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACvD,IAAI,CAAC;YACH,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,oDAAoD,CAAC,CAAC;YACxF,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC,CAAC;YAClF,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,0DAA0D,CAAC,CAAC;YAC1F,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;YAE/D,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClB,IAAI,CAAC,IAAI,CACP,GAAG,MAAM;qBACN,KAAK,CAAC,GAAG,CAAC;qBACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;qBACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACjE,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACjE,IAAI,GAAG,CAAC,IAAI,EAAE;gBAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAE1D,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;IACH,CAAC;IAED,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC;QACtC,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,8BAA8B,CAAC,CAAC;QACzD,OAAO;IACT,CAAC;IAED,wEAAwE;IACxE,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACxD,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC5B,GAAG,CAAC,IAAI,CACN,GAAG,EACH,yFAAyF,CAC1F,CAAC;YACF,UAAU,GAAG,QAAQ,CAAC;QACxB,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,aAAa,GACjB,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC3F,MAAM,OAAO,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAElD,MAAM,KAAK,GAAG,eAAe,OAAO,iBAAiB,aAAa,OAAO,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC;IAE/F,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5C,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,mBAAmB,MAAM,CAAC,QAAQ,YAAY,QAAQ,EAAE,CAAC,CAAC,CAAC,eAAe;IAE/F,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IACpD,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,mCAAmC,CAAC,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;YAC7B,GAAG;YACH,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC;YAC/B,KAAK,EAAE,MAAM;YACb,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,sCAAsC,OAAO,EAAE,CAAC,CAAC;IACrE,CAAC;AACH,CAAC"}

package/dist/commands/add-lesson.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=add-lesson.test.d.ts.map

package/dist/commands/add-lesson.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-lesson.test.d.ts","sourceRoot":"","sources":["../../src/commands/add-lesson.test.ts"],"names":[],"mappings":""}

package/dist/commands/add-lesson.test.js

@@ -0,0 +1,63 @@
+import { describe, expect, it } from 'vitest';
+import { compileCustomSecrets, maskSecrets } from '@mmnto/totem';
+// ─── Custom secrets DLP in add-lesson pipeline (#921) ──
+describe('add-lesson custom secrets detection and redaction', () => {
+    const customSecrets = [
+        { type: 'literal', value: 'MY_INTERNAL_TOKEN_XYZ' },
+        { type: 'pattern', value: 'corp-secret-[0-9a-f]{8}' },
+    ];
+    it('detects custom secret in lesson text', () => {
+        const lessonText = 'When authenticating, use MY_INTERNAL_TOKEN_XYZ in the header.';
+        const compiled = compileCustomSecrets(customSecrets);
+        const hasMatch = compiled.some((re) => {
+            re.lastIndex = 0;
+            return re.test(lessonText);
+        });
+        expect(hasMatch).toBe(true);
+    });
+    it('detects pattern-based custom secret in lesson text', () => {
+        const lessonText = 'The service uses corp-secret-abcd1234 for internal auth.';
+        const compiled = compileCustomSecrets(customSecrets);
+        const hasMatch = compiled.some((re) => {
+            re.lastIndex = 0;
+            return re.test(lessonText);
+        });
+        expect(hasMatch).toBe(true);
+    });
+    it('does not flag text without custom secrets', () => {
+        const lessonText = 'Always validate input before writing to disk.';
+        const compiled = compileCustomSecrets(customSecrets);
+        const hasMatch = compiled.some((re) => {
+            re.lastIndex = 0;
+            return re.test(lessonText);
+        });
+        expect(hasMatch).toBe(false);
+    });
+    it('redacts literal custom secrets before saving', () => {
+        const lessonText = 'Auth token is MY_INTERNAL_TOKEN_XYZ in the config.';
+        const redacted = maskSecrets(lessonText, customSecrets);
+        expect(redacted).not.toContain('MY_INTERNAL_TOKEN_XYZ');
+        expect(redacted).toContain('[REDACTED_CUSTOM]');
+    });
+    it('redacts pattern-based custom secrets before saving', () => {
+        const lessonText = 'Found corp-secret-deadbeef in the environment.';
+        const redacted = maskSecrets(lessonText, customSecrets);
+        expect(redacted).not.toContain('corp-secret-deadbeef');
+        expect(redacted).toContain('[REDACTED_CUSTOM]');
+    });
+    it('preserves lesson text when no custom secrets match', () => {
+        const lessonText = 'Use structured error handling in async functions.';
+        const redacted = maskSecrets(lessonText, customSecrets);
+        expect(redacted).toBe(lessonText);
+        expect(redacted).not.toContain('[REDACTED_CUSTOM]');
+    });
+    it('redacts multiple occurrences of the same secret', () => {
+        const lessonText = 'First use MY_INTERNAL_TOKEN_XYZ, then verify MY_INTERNAL_TOKEN_XYZ again.';
+        const redacted = maskSecrets(lessonText, customSecrets);
+        expect(redacted).not.toContain('MY_INTERNAL_TOKEN_XYZ');
+        // Should have two [REDACTED_CUSTOM] replacements
+        const matches = redacted.match(/\[REDACTED_CUSTOM\]/g);
+        expect(matches).toHaveLength(2);
+    });
+});
+//# sourceMappingURL=add-lesson.test.js.map

package/dist/commands/add-lesson.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-lesson.test.js","sourceRoot":"","sources":["../../src/commands/add-lesson.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAG9C,OAAO,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEjE,0DAA0D;AAE1D,QAAQ,CAAC,mDAAmD,EAAE,GAAG,EAAE;IACjE,MAAM,aAAa,GAAmB;QACpC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE;QACnD,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,yBAAyB,EAAE;KACtD,CAAC;IAEF,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,UAAU,GAAG,+DAA+D,CAAC;QACnF,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE;YACpC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;YACjB,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,UAAU,GAAG,0DAA0D,CAAC;QAC9E,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE;YACpC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;YACjB,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,UAAU,GAAG,+CAA+C,CAAC;QACnE,MAAM,QAAQ,GAAG,oBAAoB,CAAC,aAAa,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE;YACpC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;YACjB,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,UAAU,GAAG,oDAAoD,CAAC;QACxE,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,UAAU,GAAG,gDAAgD,CAAC;QACpE,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,UAAU,GAAG,mDAAmD,CAAC;QACvE,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,MAAM,UAAU,GAAG,2EAA2E,CAAC;QAC/F,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QACxD,iDAAiD;QACjD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACvD,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/commands/add-secret.d.ts

@@ -0,0 +1,5 @@
+export interface AddSecretOptions {
+    pattern?: boolean;
+}
+export declare function addSecretCommand(value: string, opts: AddSecretOptions, cwd?: string): Promise<void>;
+//# sourceMappingURL=add-secret.d.ts.map

package/dist/commands/add-secret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-secret.d.ts","sourceRoot":"","sources":["../../src/commands/add-secret.ts"],"names":[],"mappings":"AAkCA,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,gBAAgB,EACtB,GAAG,SAAgB,GAClB,OAAO,CAAC,IAAI,CAAC,CAsEf"}

package/dist/commands/add-secret.js

@@ -0,0 +1,85 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { SecretsFileSchema } from '@mmnto/totem';
+// ─── Constants ──────────────────────────────────────────
+const TAG = 'AddSecret';
+const MIN_LENGTH = 4;
+const SECRETS_REL_PATH = '.totem/secrets.json';
+const GITIGNORE_ENTRY = '.totem/secrets.json';
+// ─── Helpers ────────────────────────────────────────────
+function ensureGitignore(cwd) {
+    const gitignorePath = path.join(cwd, '.gitignore');
+    if (fs.existsSync(gitignorePath)) {
+        const content = fs.readFileSync(gitignorePath, 'utf-8');
+        const lines = content.split(/\r?\n/);
+        if (lines.some((line) => line.trim() === GITIGNORE_ENTRY)) {
+            return; // Already present
+        }
+        // Append with a preceding newline if file doesn't end with one
+        const separator = content.endsWith('\n') ? '' : '\n';
+        fs.writeFileSync(gitignorePath, `${content}${separator}${GITIGNORE_ENTRY}\n`, 'utf-8');
+    }
+    else {
+        fs.writeFileSync(gitignorePath, `${GITIGNORE_ENTRY}\n`, 'utf-8');
+    }
+}
+export async function addSecretCommand(value, opts, cwd = process.cwd()) {
+    const { log } = await import('../ui.js');
+    // 1. Validate length
+    if (value.length < MIN_LENGTH) {
+        log.error('Totem Error', `Secret must be at least ${MIN_LENGTH} characters to prevent over-redaction.`);
+        return;
+    }
+    // 2. Validate regex if --pattern
+    const type = opts.pattern ? 'pattern' : 'literal';
+    if (type === 'pattern') {
+        try {
+            new RegExp(value);
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            log.error('Totem Error', `Invalid regex pattern: ${msg}`);
+            return;
+        }
+    }
+    // 3. Read existing secrets.json
+    const secretsPath = path.join(cwd, SECRETS_REL_PATH);
+    const totemDir = path.join(cwd, '.totem');
+    let data = { secrets: [] };
+    if (fs.existsSync(secretsPath)) {
+        try {
+            const content = fs.readFileSync(secretsPath, 'utf-8');
+            const parsed = JSON.parse(content);
+            const result = SecretsFileSchema.safeParse(parsed);
+            if (result.success) {
+                data = result.data;
+            }
+            else {
+                log.warn(TAG, 'secrets.json has invalid structure; starting fresh.');
+                data = { secrets: [] };
+            }
+        }
+        catch (err) {
+            log.warn(TAG, `Existing secrets.json was corrupted; starting fresh. ${err instanceof Error ? err.message : String(err)}`);
+            data = { secrets: [] };
+        }
+    }
+    // 4. Check for duplicates
+    const isDuplicate = data.secrets.some((entry) => entry.type === type && entry.value === value);
+    if (isDuplicate) {
+        log.warn(TAG, `Duplicate: a ${type} secret with this value already exists.`);
+        return;
+    }
+    // 5. Append new secret
+    data.secrets.push({ type, value });
+    // 6. Write back
+    if (!fs.existsSync(totemDir)) {
+        fs.mkdirSync(totemDir, { recursive: true });
+    }
+    fs.writeFileSync(secretsPath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+    // 7. Ensure .gitignore contains secrets.json path
+    ensureGitignore(cwd);
+    // 8. Success message
+    log.success(TAG, `Added ${type} secret (${value.length} chars) → ${SECRETS_REL_PATH}`);
+}
+//# sourceMappingURL=add-secret.js.map

package/dist/commands/add-secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-secret.js","sourceRoot":"","sources":["../../src/commands/add-secret.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEjD,2DAA2D;AAE3D,MAAM,GAAG,GAAG,WAAW,CAAC;AACxB,MAAM,UAAU,GAAG,CAAC,CAAC;AACrB,MAAM,gBAAgB,GAAG,qBAAqB,CAAC;AAC/C,MAAM,eAAe,GAAG,qBAAqB,CAAC;AAE9C,2DAA2D;AAE3D,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAEnD,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,eAAe,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,kBAAkB;QAC5B,CAAC;QACD,+DAA+D;QAC/D,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QACrD,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,GAAG,OAAO,GAAG,SAAS,GAAG,eAAe,IAAI,EAAE,OAAO,CAAC,CAAC;IACzF,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,GAAG,eAAe,IAAI,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;AACH,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAa,EACb,IAAsB,EACtB,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IAEnB,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;IAEzC,qBAAqB;IACrB,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;QAC9B,GAAG,CAAC,KAAK,CACP,aAAa,EACb,2BAA2B,UAAU,wCAAwC,CAC9E,CAAC;QACF,OAAO;IACT,CAAC;IAED,iCAAiC;IACjC,MAAM,IAAI,GAA0B,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IACzE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,0BAA0B,GAAG,EAAE,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAE1C,IAAI,IAAI,GAAgB,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACxC,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAY,CAAC;YAC9C,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;YACrB,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,qDAAqD,CAAC,CAAC;gBACrE,IAAI,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YACzB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,IAAI,CACN,GAAG,EACH,wDAAwD,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC3G,CAAC;YACF,IAAI,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzB,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;IAC/F,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,IAAI,yCAAyC,CAAC,CAAC;QAC7E,OAAO;IACT,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEnC,gBAAgB;IAChB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IAE7E,kDAAkD;IAClD,eAAe,CAAC,GAAG,CAAC,CAAC;IAErB,qBAAqB;IACrB,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,IAAI,YAAY,KAAK,CAAC,MAAM,aAAa,gBAAgB,EAAE,CAAC,CAAC;AACzF,CAAC"}

package/dist/commands/add-secret.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=add-secret.test.d.ts.map

package/dist/commands/add-secret.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-secret.test.d.ts","sourceRoot":"","sources":["../../src/commands/add-secret.test.ts"],"names":[],"mappings":""}

package/dist/commands/add-secret.test.js

@@ -0,0 +1,97 @@
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { addSecretCommand } from './add-secret.js';
+// ─── Helpers ────────────────────────────────────────────
+function makeTmpDir() {
+    return fs.mkdtempSync(path.join(os.tmpdir(), 'totem-add-secret-'));
+}
+function readSecrets(cwd) {
+    const content = fs.readFileSync(path.join(cwd, '.totem', 'secrets.json'), 'utf-8');
+    return JSON.parse(content);
+}
+// ─── Tests ──────────────────────────────────────────────
+describe('addSecretCommand', () => {
+    let tmpDir;
+    let stderrSpy;
+    beforeEach(() => {
+        tmpDir = makeTmpDir();
+        stderrSpy = vi.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    afterEach(() => {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+        stderrSpy.mockRestore();
+    });
+    it('creates secrets.json with new literal secret', async () => {
+        await addSecretCommand('my-secret-value', {}, tmpDir);
+        const data = readSecrets(tmpDir);
+        expect(data.secrets).toHaveLength(1);
+        expect(data.secrets[0]).toEqual({ type: 'literal', value: 'my-secret-value' });
+    });
+    it('appends to existing secrets.json', async () => {
+        const totemDir = path.join(tmpDir, '.totem');
+        fs.mkdirSync(totemDir, { recursive: true });
+        const existing = { secrets: [{ type: 'literal', value: 'existing-secret' }] };
+        fs.writeFileSync(path.join(totemDir, 'secrets.json'), JSON.stringify(existing, null, 2));
+        await addSecretCommand('second-secret', {}, tmpDir);
+        const data = readSecrets(tmpDir);
+        expect(data.secrets).toHaveLength(2);
+        expect(data.secrets[0]).toEqual({ type: 'literal', value: 'existing-secret' });
+        expect(data.secrets[1]).toEqual({ type: 'literal', value: 'second-secret' });
+    });
+    it('rejects values shorter than 4 characters', async () => {
+        await addSecretCommand('abc', {}, tmpDir);
+        const output = stderrSpy.mock.calls.map((args) => String(args[0])).join('\n');
+        expect(output).toContain('at least 4 characters');
+        expect(fs.existsSync(path.join(tmpDir, '.totem', 'secrets.json'))).toBe(false);
+    });
+    it('rejects invalid regex with --pattern', async () => {
+        await addSecretCommand('[invalid(', { pattern: true }, tmpDir);
+        const output = stderrSpy.mock.calls.map((args) => String(args[0])).join('\n');
+        expect(output).toContain('Invalid regex');
+        expect(fs.existsSync(path.join(tmpDir, '.totem', 'secrets.json'))).toBe(false);
+    });
+    it('stores pattern type with --pattern flag', async () => {
+        await addSecretCommand('ACME_[A-Z0-9]{8}', { pattern: true }, tmpDir);
+        const data = readSecrets(tmpDir);
+        expect(data.secrets).toHaveLength(1);
+        expect(data.secrets[0]).toEqual({ type: 'pattern', value: 'ACME_[A-Z0-9]{8}' });
+    });
+    it('ensures .gitignore contains secrets.json path', async () => {
+        // Create a .gitignore without the secrets entry
+        fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\n.env\n');
+        await addSecretCommand('test-secret', {}, tmpDir);
+        const gitignore = fs.readFileSync(path.join(tmpDir, '.gitignore'), 'utf-8');
+        expect(gitignore).toContain('.totem/secrets.json');
+        // Should not duplicate existing lines
+        expect(gitignore).toContain('node_modules');
+        expect(gitignore).toContain('.env');
+    });
+    it('creates .gitignore if it does not exist', async () => {
+        expect(fs.existsSync(path.join(tmpDir, '.gitignore'))).toBe(false);
+        await addSecretCommand('test-secret', {}, tmpDir);
+        expect(fs.existsSync(path.join(tmpDir, '.gitignore'))).toBe(true);
+        const gitignore = fs.readFileSync(path.join(tmpDir, '.gitignore'), 'utf-8');
+        expect(gitignore.trim()).toBe('.totem/secrets.json');
+    });
+    it('rejects duplicate entries', async () => {
+        // First add
+        await addSecretCommand('duplicate-val', {}, tmpDir);
+        // Second add — same type + value
+        await addSecretCommand('duplicate-val', {}, tmpDir);
+        const output = stderrSpy.mock.calls.map((args) => String(args[0])).join('\n');
+        expect(output).toContain('Duplicate');
+        // Should still only have one entry
+        const data = readSecrets(tmpDir);
+        expect(data.secrets).toHaveLength(1);
+    });
+    it('does not duplicate .gitignore entry when already present', async () => {
+        fs.writeFileSync(path.join(tmpDir, '.gitignore'), '.totem/secrets.json\n');
+        await addSecretCommand('test-secret', {}, tmpDir);
+        const gitignore = fs.readFileSync(path.join(tmpDir, '.gitignore'), 'utf-8');
+        const matches = gitignore.split('\n').filter((line) => line.trim() === '.totem/secrets.json');
+        expect(matches).toHaveLength(1);
+    });
+});
+//# sourceMappingURL=add-secret.test.js.map

package/dist/commands/add-secret.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"add-secret.test.js","sourceRoot":"","sources":["../../src/commands/add-secret.test.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAIzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEnD,2DAA2D;AAE3D,SAAS,UAAU;IACjB,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;IACnF,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAgB,CAAC;AAC5C,CAAC;AAED,2DAA2D;AAE3D,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,IAAI,MAAc,CAAC;IACnB,IAAI,SAAsC,CAAC;IAE3C,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,UAAU,EAAE,CAAC;QACtB,SAAS,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,SAAS,CAAC,WAAW,EAAE,CAAC;IAC1B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,gBAAgB,CAAC,iBAAiB,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAEtD,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC7C,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAgB,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,EAAE,CAAC;QAC3F,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAEzF,MAAM,gBAAgB,CAAC,eAAe,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAEpD,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC/E,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,gBAAgB,CAAC,KAAK,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAe,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzF,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QAClD,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,gBAAgB,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;QAE/D,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAe,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzF,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,gBAAgB,CAAC,kBAAkB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;QAEtE,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,gDAAgD;QAChD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAE1E,MAAM,gBAAgB,CAAC,aAAa,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAElD,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5E,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QACnD,sCAAsC;QACtC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC5C,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEnE,MAAM,gBAAgB,CAAC,aAAa,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAElD,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClE,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5E,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;QACzC,YAAY;QACZ,MAAM,gBAAgB,CAAC,eAAe,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAEpD,iCAAiC;QACjC,MAAM,gBAAgB,CAAC,eAAe,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAe,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzF,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAEtC,mCAAmC;QACnC,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,uBAAuB,CAAC,CAAC;QAE3E,MAAM,gBAAgB,CAAC,aAAa,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;QAElD,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;QAC5E,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,qBAAqB,CAAC,CAAC;QAC9F,MAAM,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/commands/doctor.d.ts

@@ -11,5 +11,14 @@ export declare function checkGitHooks(cwd: string): DiagnosticResult;
 export declare function checkEmbeddingConfig(cwd: string): DiagnosticResult;
 export declare function checkIndex(cwd: string, lanceDir?: string): DiagnosticResult;
 export declare function checkSecretLeaks(cwd: string, totemDir?: string): DiagnosticResult;
-export declare function doctorCommand(): Promise<DiagnosticResult[]>;
+export declare function checkSecretsFileTracked(cwd: string, totemDir?: string): DiagnosticResult;
+/** Bypass rate above which a rule is considered "struggling" and eligible for downgrade. */
+export declare const BYPASS_THRESHOLD = 0.3;
+/** Minimum total events (triggers + bypasses) required before acting on a rule. */
+export declare const MIN_EVENTS = 5;
+export interface DoctorOptions {
+    pr?: boolean;
+}
+export declare function runSelfHealing(cwd: string): Promise<void>;
+export declare function doctorCommand(options?: DoctorOptions): Promise<DiagnosticResult[]>;
 //# sourceMappingURL=doctor.d.ts.map

package/dist/commands/doctor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5D,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAyBD,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAiBzD;AAED,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAW,GAAG,gBAAgB,CAiCrF;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAmD3D;AAsBD,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CA2FlE;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAa,GAAG,gBAAgB,CA4C/E;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAW,GAAG,gBAAgB,CAwEnF;AA2CD,wBAAsB,aAAa,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAmCjE"}
+{"version":3,"file":"doctor.d.ts","sourceRoot":"","sources":["../../src/commands/doctor.ts"],"names":[],"mappings":"AAaA,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE5D,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAyBD,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAiBzD;AAED,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAW,GAAG,gBAAgB,CAiCrF;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAmD3D;AAsBD,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CA2FlE;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAa,GAAG,gBAAgB,CA4C/E;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAW,GAAG,gBAAgB,CA6EnF;AAED,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,SAAW,GAAG,gBAAgB,CAyB1F;AA2CD,4FAA4F;AAC5F,eAAO,MAAM,gBAAgB,MAAM,CAAC;AAEpC,mFAAmF;AACnF,eAAO,MAAM,UAAU,IAAI,CAAC;AAI5B,MAAM,WAAW,aAAa;IAC5B,EAAE,CAAC,EAAE,OAAO,CAAC;CACd;AAID,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA+J/D;AAID,wBAAsB,aAAa,CAAC,OAAO,GAAE,aAAkB,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAyC5F"}

package/dist/commands/doctor.js

@@ -1,6 +1,8 @@
+import { spawnSync } from 'node:child_process';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import pc from 'picocolors';
+import { compileCustomSecrets, loadCustomSecrets } from '@mmnto/totem';
 import { resolveGitRoot } from '../git.js';
 import { CONFIG_FILES } from '../utils.js';
 // ─── Secret leak patterns ───────────────────────────────
@@ -301,11 +303,15 @@ export function checkSecretLeaks(cwd, totemDir = '.totem') {
             message: 'No files to scan',
         };
     }
+    // Load user-defined custom secrets
+    const customSecrets = loadCustomSecrets(cwd, totemDir);
+    const customPatterns = compileCustomSecrets(customSecrets);
+    const allPatterns = [...SECRET_PATTERNS, ...customPatterns];
     const leaks = [];
     for (const filePath of filesToScan) {
         try {
             const content = fs.readFileSync(filePath, 'utf-8');
-            for (const pattern of SECRET_PATTERNS) {
+            for (const pattern of allPatterns) {
                 const matches = content.match(new RegExp(pattern.source, 'g'));
                 if (matches) {
                     for (const match of matches) {
@@ -337,6 +343,34 @@ export function checkSecretLeaks(cwd, totemDir = '.totem') {
         message: 'No leaked keys detected',
     };
 }
+export function checkSecretsFileTracked(cwd, totemDir = '.totem') {
+    const secretsPath = path.join(totemDir, 'secrets.json');
+    try {
+        const result = spawnSync('git', ['ls-files', '--recurse-submodules', secretsPath], {
+            cwd,
+            encoding: 'utf-8',
+        });
+        if (result.error)
+            throw result.error;
+        const output = (result.stdout ?? '').trim();
+        if (output.length > 0) {
+            return {
+                name: 'Secrets File Security',
+                status: 'fail',
+                message: `${secretsPath} is tracked by git — secrets may be exposed`,
+                remediation: `Run: git rm --cached ${secretsPath}`,
+            };
+        }
+    }
+    catch {
+        // git not available or not a repo — skip
+    }
+    return {
+        name: 'Secrets File Security',
+        status: 'pass',
+        message: 'secrets.json is not tracked by git',
+    };
+}
 // ─── Output formatting ──────────────────────────────────
 function statusIcon(status) {
     switch (status) {
@@ -372,8 +406,144 @@ function formatResult(result) {
     }
     return line;
 }
+// ─── Self-healing constants ─────────────────────────────
+/** Bypass rate above which a rule is considered "struggling" and eligible for downgrade. */
+export const BYPASS_THRESHOLD = 0.3;
+/** Minimum total events (triggers + bypasses) required before acting on a rule. */
+export const MIN_EVENTS = 5;
+// ─── Self-healing flow ──────────────────────────────────
+export async function runSelfHealing(cwd) {
+    // Load config to get totemDir
+    const { loadConfig, resolveConfigPath } = await import('../utils.js');
+    const configPath = resolveConfigPath(cwd);
+    const config = await loadConfig(configPath);
+    const totemDir = path.join(cwd, config.totemDir);
+    const rulesPath = path.join(totemDir, 'compiled-rules.json');
+    console.error(`\n${pc.cyan('[Auto-Healing]')} Analyzing Trap Ledger...`);
+    const { analyzeLedger } = await import('./ledger-analyzer.js');
+    const stats = await analyzeLedger(totemDir, (msg) => console.error(pc.dim(`  ${msg}`)));
+    if (stats.size === 0) {
+        console.error(pc.dim('  No ledger data. Run totem lint with some // totem-context: overrides first.'));
+        return;
+    }
+    // Find struggling rules
+    const struggling = [...stats.entries()]
+        .filter(([, s]) => s.bypassRate > BYPASS_THRESHOLD && s.totalEvents >= MIN_EVENTS)
+        .sort((a, b) => b[1].bypassRate - a[1].bypassRate);
+    if (struggling.length === 0) {
+        console.error(pc.green('  No rules exceed the 30% bypass threshold. All healthy.'));
+        return;
+    }
+    console.error(`  Found ${struggling.length} rule(s) exceeding ${BYPASS_THRESHOLD * 100}% bypass rate:\n`);
+    // Check git status before modifying files
+    try {
+        const gitResult = spawnSync('git', ['status', '--porcelain', rulesPath], {
+            cwd,
+            encoding: 'utf-8',
+        });
+        const gitStatus = (gitResult.stdout ?? '').trim();
+        if (gitStatus) {
+            console.error(pc.red('  ERROR: compiled-rules.json has uncommitted changes. Commit or stash first.'));
+            return;
+        }
+    }
+    catch {
+        // Not a git repo or git not available — proceed anyway
+    }
+    // Downgrade each struggling rule
+    const { downgradeRuleToWarning } = await import('./rule-mutator.js');
+    const downgraded = [];
+    for (const [ruleId, ruleStats] of struggling) {
+        const result = downgradeRuleToWarning(rulesPath, ruleId);
+        if (result.downgraded) {
+            const pct = (ruleStats.bypassRate * 100).toFixed(0);
+            console.error(`  ${pc.yellow('↓')} ${result.ruleHeading ?? ruleId} — ${pct}% bypass rate (${ruleStats.bypassCount}/${ruleStats.totalEvents} events)`);
+            downgraded.push({
+                ruleId,
+                heading: result.ruleHeading ?? ruleId,
+                rate: ruleStats.bypassRate,
+            });
+        }
+        else {
+            console.error(pc.dim(`  - ${result.ruleHeading ?? ruleId} — already at warning, skipping`));
+        }
+    }
+    if (downgraded.length === 0) {
+        console.error(pc.green('\n  All struggling rules already downgraded. Nothing to do.'));
+        return;
+    }
+    console.error(`\n  ${pc.green(`Downgraded ${downgraded.length} rule(s) from error → warning.`)}`);
+    // Create branch and PR
+    const branchName = `totem/auto-downgrade-${Date.now()}`;
+    // Capture current branch so we can restore on failure
+    const currentBranchRes = spawnSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
+        cwd,
+        stdio: 'pipe',
+        encoding: 'utf-8',
+    });
+    const originalBranch = currentBranchRes.error ? null : (currentBranchRes.stdout ?? '').trim();
+    let branchCreated = false;
+    /** Run a shell command via spawnSync, throw on failure */
+    function run(cmd, args) {
+        const res = spawnSync(cmd, args, { cwd, stdio: 'pipe', encoding: 'utf-8' });
+        if (res.error)
+            throw res.error;
+        if (res.status !== 0) {
+            const stderr = (res.stderr ?? '').trim();
+            throw new Error(`${cmd} ${args[0]} failed (exit ${res.status})${stderr ? ': ' + stderr : ''}`);
+        }
+    }
+    try {
+        run('git', ['checkout', '-b', branchName]);
+        branchCreated = true;
+        run('git', ['add', rulesPath]);
+        // Build commit message
+        const ruleList = downgraded
+            .map((d) => `- ${d.heading} (${(d.rate * 100).toFixed(0)}% bypass)`)
+            .join('\n');
+        const commitMsg = `fix: auto-downgrade ${downgraded.length} noisy rule(s)\n\n${ruleList}\n\nGenerated by totem doctor --pr`;
+        run('git', ['commit', '-m', commitMsg]);
+        run('git', ['push', '-u', 'origin', branchName]);
+        // Build PR body
+        const prBody = [
+            '## Auto-Healing: Rule Downgrade',
+            '',
+            `${downgraded.length} compiled rule(s) exceeded the 30% bypass rate threshold and have been downgraded from \`error\` to \`warning\`.`,
+            '',
+            '| Rule | Bypass Rate | Events |',
+            '|---|---|---|',
+            ...downgraded.map((d) => {
+                const ruleStats = struggling.find(([id]) => id === d.ruleId)?.[1];
+                return `| ${d.heading} | ${(d.rate * 100).toFixed(0)}% | ${ruleStats?.totalEvents ?? '?'} |`;
+            }),
+            '',
+            'These rules are not deleted (ADR-027). They continue to fire as warnings, feeding into local telemetry. If the underlying issue is fixed, the rule can be re-promoted to error.',
+            '',
+            'Generated by `totem doctor --pr`',
+        ].join('\n');
+        const prTitle = `fix: auto-downgrade ${downgraded.length} noisy rule(s)`;
+        run('gh', ['pr', 'create', '--title', prTitle, '--body', prBody]);
+        console.error(pc.green(`\n  PR created on branch ${branchName}`));
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(pc.red(`\n  Failed to create PR: ${msg}`));
+        if (branchCreated) {
+            console.error(pc.dim(`  Changes are committed on branch ${branchName}. Push manually with: git push -u origin ${branchName}`));
+        }
+        else {
+            console.error(pc.dim('  The compiled-rules.json changes are in your working tree. Commit manually.'));
+        }
+    }
+    finally {
+        // Only switch back if we created the branch (otherwise we'd change the user's branch)
+        if (branchCreated && originalBranch) {
+            spawnSync('git', ['checkout', originalBranch], { cwd, stdio: 'pipe' });
+        }
+    }
+}
 // ─── Main command ───────────────────────────────────────
-export async function doctorCommand() {
+export async function doctorCommand(options = {}) {
     const cwd = process.cwd();
     console.error(`${pc.cyan('[Totem]')} Running diagnostics...\n`);
     const results = [
@@ -383,6 +553,7 @@ export async function doctorCommand() {
         checkEmbeddingConfig(cwd),
         checkIndex(cwd),
         checkSecretLeaks(cwd),
+        checkSecretsFileTracked(cwd),
     ];
     for (const result of results) {
         console.error(formatResult(result));
@@ -404,6 +575,10 @@ export async function doctorCommand() {
     else
         parts.push(`${counts.fail} failures`);
     console.error(`\n${pc.cyan('[Totem]')} ${parts.join(', ')}`);
+    // After diagnostics, if --pr is passed, run self-healing
+    if (options.pr) {
+        await runSelfHealing(cwd);
+    }
     return results;
 }
 //# sourceMappingURL=doctor.js.map