@sanctix/client 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ruvoni Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,25 @@
+# Sanctix Client
+
+Governed edge client for Claude Code, Codex and Cursor.
+
+## Install
+
+  npm install -g @sanctix/client
+
+## Quick start
+
+  sanctix init --hosted --invite <code>
+
+## What this package contains
+
+- sanctix CLI (init, check, status, uninstall)
+- Hook shims for Claude Code, Codex and Cursor
+- Runtime templates
+
+## What this package does NOT contain
+
+Scoring engine, failure memory, trust capability profiles,
+audit chain internals, governance policy logic or commercial
+adapter code. All governance runs server-side.
+
+Docs: https://sanctix.ai

package/bin/sanctix.js

@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+import { program } from 'commander';
+import { init } from '../cli/init.js';
+import { uninstall } from '../cli/uninstall.js';
+import { status } from '../cli/status.js';
+import { start } from '../cli/start.js';
+import { stop } from '../cli/stop.js';
+
+program
+  .name('sanctix')
+  .description('Sanctix governed edge client')
+  .version('0.1.0');
+
+program
+  .command('init')
+  .description('Activate Sanctix governance in this repo')
+  .option('--hosted', 'Connect to hosted Sanctix endpoint')
+  .option('--invite <code>', 'Invite code for hosted mode')
+  .option('--audit-url <url>', 'Custom audit service URL')
+  .option('-y, --yes', 'Skip confirmations')
+  .action(init);
+
+program
+  .command('uninstall')
+  .description('Remove Sanctix from this repo')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(uninstall);
+
+program
+  .command('status')
+  .description('Check Sanctix governance health')
+  .action(status);
+
+program
+  .command('start <task>')
+  .description('Start a governed session and get export commands')
+  .option('--risk <level>', 'Risk level: low, medium, high')
+  .option('--runtime <runtime>', 'Runtime: claude_code, codex, cursor')
+  .option('-y, --yes', 'Skip confirmation for high-risk tasks')
+  .action(start);
+
+program
+  .command('stop')
+  .description('Complete the active governed session')
+  .option('-y, --yes', 'Skip confirmation')
+  .action(stop);
+
+program.parse();

package/cli/init.js

@@ -0,0 +1,278 @@
+import fs from 'fs-extra';
+import path from 'path';
+import url from 'url';
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import {
+  HOOK_FILES,
+  CLAUDE_HOOK_LAYOUT,
+  CLAUDE_MANAGED_FILES,
+  detectRuntime,
+  httpRequestJson,
+} from './runtime.js';
+
+const __filename = url.fileURLToPath(import.meta.url);
+const __dirname  = path.dirname(__filename);
+const HOOKS_SOURCE_DIR = path.resolve(__dirname, '../hooks');
+
+const HOSTED_AUDIT_URL = 'https://awf.ruvoni.com';
+
+const SANCTIX_HOOK_COMMANDS = {
+  PreToolUse: [
+    { matcher: 'Bash',  command: 'node .claude/hooks/pre-tool-use/check-bash.cjs' },
+    { matcher: '.*',    command: 'node .claude/hooks/pre-tool-use/check-file-edit.cjs' },
+    { matcher: 'Agent', command: 'node .claude/hooks/pre-tool-use/check-agent-spawn.cjs' },
+  ],
+  PostToolUse: [
+    { matcher: 'Agent', command: 'node .claude/hooks/post-tool-use/check-agent-spawn-result.cjs' },
+    { matcher: '.*',    command: 'node .claude/hooks/post-tool-use/check-file-edit-result.cjs' },
+  ],
+  SubagentStart: [
+    { matcher: null,    command: 'node .claude/hooks/sub-agent-start/check-subagent-start.cjs' },
+  ],
+};
+
+export async function init(options) {
+  const cwd = process.cwd();
+
+  // Step 1: Resolve audit URL and API key.
+  let auditUrl;
+  let apiKey;
+  let hosted = false;
+
+  if (options.hosted) {
+    if (!options.invite) {
+      console.error(chalk.red('Hosted mode requires --invite <code>'));
+      console.error('Get an invite code at https://sanctix.ai');
+      process.exit(1);
+    }
+    auditUrl = HOSTED_AUDIT_URL;
+    apiKey = 'sanctix-' + String(options.invite).trim().toLowerCase();
+    hosted = true;
+    console.log('Hosted mode: connecting to ' + HOSTED_AUDIT_URL);
+    console.log('API key generated from invite code.');
+  } else if (options.auditUrl) {
+    auditUrl = options.auditUrl;
+    apiKey = null;
+    console.log('Self-hosted mode: connecting to ' + auditUrl);
+  } else {
+    console.error(chalk.red('Specify --hosted --invite <code> or --audit-url <url>'));
+    process.exit(1);
+  }
+
+  // Step 2: Detect runtime.
+  let runtime = await detectRuntime(cwd);
+  if (!runtime) {
+    const answer = await inquirer.prompt([{
+      type: 'list',
+      name: 'runtime',
+      message: 'Which runtime are you using?',
+      choices: ['claude_code', 'codex', 'cursor'],
+    }]);
+    runtime = answer.runtime;
+  }
+  console.log('Runtime detected: ' + runtime);
+
+  // Step 3: Connectivity check.
+  const health = await httpRequestJson('GET', auditUrl.replace(/\/$/, '') + '/health', { timeoutMs: 3000, apiKey });
+  if (health.status !== 200) {
+    console.log(chalk.yellow(
+      'Warning: audit service at ' + auditUrl + ' is not reachable. ' +
+      'Hooks will be installed but events will not land until the service is available.'));
+    if (!options.yes) {
+      const answer = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'cont',
+        message: 'Continue anyway?',
+        default: false,
+      }]);
+      if (!answer.cont) {
+        console.log('Aborted.');
+        process.exit(0);
+      }
+    }
+  } else {
+    console.log('Audit service: connected');
+  }
+
+  // Step 4: Install hook files.
+  await installHooks(runtime, cwd, HOOKS_SOURCE_DIR, { auditUrl });
+
+  // Step 5: Write .env entries.
+  await writeEnv(cwd, { auditUrl, apiKey });
+
+  // Step 6: Write manifest.
+  // Note: .sanctix/session.env is a managed path created by `sanctix start`
+  // and removed by `sanctix stop` / `sanctix uninstall`. It is not created
+  // here and is not added to managedFiles (its presence is opportunistic, so
+  // including it would corrupt the status hook missing-count check).
+  const manifest = {
+    version: '0.1.0',
+    runtime,
+    auditUrl,
+    hosted,
+    installedAt: new Date().toISOString(),
+    managedFiles: managedFilesFor(runtime),
+    managedEnvKeys: [
+      'SANCTIX_AUDIT_URL',
+      'SANCTIX_API_KEY',
+      'SANCTIX_HOOK_MODE',
+    ],
+    managedSettingsEntries: managedSettingsEntriesFor(runtime),
+  };
+  await fs.ensureDir(path.join(cwd, '.sanctix'));
+  await fs.writeJSON(path.join(cwd, '.sanctix/sanctix.config.json'), manifest, { spaces: 2 });
+
+  // Step 7: Print confirmation.
+  console.log('');
+  console.log(chalk.green('[ok] Sanctix is now governing your ' + runtime + ' sessions.'));
+  console.log('');
+  console.log('  Audit endpoint: ' + auditUrl);
+  console.log('  Hook mode:      enforce');
+  console.log('  Runtime:        ' + runtime);
+  console.log('');
+  console.log('  Run sanctix status anytime to check governance health.');
+  console.log('  Run sanctix uninstall to remove Sanctix from this repo.');
+  console.log('');
+  console.log('  Docs: https://sanctix.ai');
+}
+
+function managedFilesFor(runtime) {
+  if (runtime === 'claude_code') return CLAUDE_MANAGED_FILES;
+  if (runtime === 'cursor')      return ['.cursor/rules/sanctix-governance.mdc'];
+  return [];
+}
+
+function managedSettingsEntriesFor(runtime) {
+  if (runtime === 'claude_code') return { '.claude/settings.json': true };
+  if (runtime === 'cursor')      return { '.cursor/hooks.json': true };
+  if (runtime === 'codex')       return { 'AGENTS.md': true };
+  return {};
+}
+
+async function installHooks(runtime, cwd, sourceDir, opts) {
+  if (runtime === 'claude_code') return installClaudeHooks(cwd, sourceDir);
+  if (runtime === 'cursor')      return installCursorHooks(cwd, sourceDir, opts);
+  if (runtime === 'codex')       return installCodexHooks(cwd, opts);
+  throw new Error('Unsupported runtime: ' + runtime);
+}
+
+async function installClaudeHooks(cwd, sourceDir) {
+  for (const [dir, files] of Object.entries(CLAUDE_HOOK_LAYOUT)) {
+    const target = path.join(cwd, '.claude/hooks', dir);
+    await fs.ensureDir(target);
+    for (const f of files) {
+      await fs.copy(path.join(sourceDir, f), path.join(target, f), { overwrite: true });
+    }
+  }
+  // Always copy shared helpers so hooks can require them.
+  for (const dir of Object.keys(CLAUDE_HOOK_LAYOUT)) {
+    const target = path.join(cwd, '.claude/hooks', dir);
+    await fs.copy(path.join(sourceDir, 'tool-capture.cjs'),     path.join(target, 'tool-capture.cjs'),     { overwrite: true });
+    await fs.copy(path.join(sourceDir, 'post-audit-event.cjs'), path.join(target, 'post-audit-event.cjs'), { overwrite: true });
+  }
+
+  const settingsPath = path.join(cwd, '.claude/settings.json');
+  const existing = (await fs.pathExists(settingsPath)) ? await fs.readJSON(settingsPath) : {};
+  existing.hooks = existing.hooks || {};
+
+  for (const [event, entries] of Object.entries(SANCTIX_HOOK_COMMANDS)) {
+    existing.hooks[event] = existing.hooks[event] || [];
+    for (const entry of entries) {
+      if (hasHookEntry(existing.hooks[event], entry)) continue;
+      const block = { hooks: [{ type: 'command', command: entry.command }] };
+      if (entry.matcher !== null) block.matcher = entry.matcher;
+      existing.hooks[event].push(block);
+    }
+  }
+
+  await fs.writeJSON(settingsPath, existing, { spaces: 2 });
+}
+
+function hasHookEntry(eventArray, entry) {
+  return eventArray.some((block) => {
+    const matcherMatches = entry.matcher === null
+      ? block.matcher === undefined
+      : block.matcher === entry.matcher;
+    if (!matcherMatches) return false;
+    const hooks = block.hooks || [];
+    return hooks.some((h) => h && h.type === 'command' && h.command === entry.command);
+  });
+}
+
+async function installCursorHooks(cwd, _sourceDir, { auditUrl }) {
+  const rulesDir = path.join(cwd, '.cursor/rules');
+  await fs.ensureDir(rulesDir);
+  const mdcPath = path.join(rulesDir, 'sanctix-governance.mdc');
+  const mdc = '---\nalwaysApply: true\n---\n# Sanctix Governance\nThis repository is governed by Sanctix.\nAudit endpoint: ' + auditUrl + '\nDo not bypass governance checks.\n';
+  await fs.writeFile(mdcPath, mdc);
+
+  const hooksJsonPath = path.join(cwd, '.cursor/hooks.json');
+  const existing = (await fs.pathExists(hooksJsonPath)) ? await fs.readJSON(hooksJsonPath) : {};
+  existing.sanctix = existing.sanctix || { managed: true };
+  await fs.writeJSON(hooksJsonPath, existing, { spaces: 2 });
+}
+
+async function installCodexHooks(cwd, { auditUrl }) {
+  const agentsPath = path.join(cwd, 'AGENTS.md');
+  let current = '';
+  if (await fs.pathExists(agentsPath)) current = await fs.readFile(agentsPath, 'utf8');
+  if (current.includes('## Sanctix Governance')) return;
+  const section =
+    (current.endsWith('\n') || current === '' ? '' : '\n') +
+    '\n## Sanctix Governance\n' +
+    'This repository is governed by Sanctix.\n' +
+    'Audit endpoint: ' + auditUrl + '\n' +
+    'Hook mode: enforce\n' +
+    'Do not bypass governance hooks.\n';
+  await fs.writeFile(agentsPath, current + section);
+}
+
+async function writeEnv(cwd, { auditUrl, apiKey }) {
+  const envPath = path.join(cwd, '.env');
+  const desired = {
+    SANCTIX_AUDIT_URL: auditUrl,
+    SANCTIX_API_KEY:   apiKey || '',
+    SANCTIX_HOOK_MODE: 'enforce',
+    AWF_TENANT_ID:     '',
+    AWF_CORRELATION_ID: '',
+  };
+
+  let lines = [];
+  if (await fs.pathExists(envPath)) {
+    const text = await fs.readFile(envPath, 'utf8');
+    lines = text.split('\n');
+  }
+
+  const seen = new Set();
+  const result = [];
+  for (const line of lines) {
+    const m = line.match(/^([A-Z0-9_]+)=(.*)$/);
+    if (!m) { result.push(line); continue; }
+    const key = m[1];
+    const value = m[2];
+    if (!(key in desired)) {
+      result.push(line);
+      continue;
+    }
+    seen.add(key);
+    // Sanctix-managed: overwrite only if empty or differs from desired non-empty value.
+    if (['SANCTIX_AUDIT_URL', 'SANCTIX_API_KEY', 'SANCTIX_HOOK_MODE'].includes(key)) {
+      result.push(`${key}=${desired[key]}`);
+    } else {
+      // AWF_TENANT_ID, AWF_CORRELATION_ID — never overwrite a user value.
+      result.push(value === '' ? `${key}=${desired[key]}` : line);
+    }
+  }
+  for (const [key, value] of Object.entries(desired)) {
+    if (seen.has(key)) continue;
+    result.push(`${key}=${value}`);
+  }
+
+  let out = result.join('\n');
+  if (!out.endsWith('\n')) out += '\n';
+  await fs.writeFile(envPath, out);
+}
+
+// Re-export for sibling commands (uninstall/status).
+export { HOOK_FILES, CLAUDE_MANAGED_FILES, SANCTIX_HOOK_COMMANDS };

package/cli/runtime.js

@@ -0,0 +1,85 @@
+import fs from 'fs-extra';
+import path from 'path';
+import http from 'http';
+import https from 'https';
+
+export const HOOK_FILES = [
+  'check-bash.cjs',
+  'check-file-edit.cjs',
+  'check-agent-spawn.cjs',
+  'check-agent-spawn-result.cjs',
+  'check-file-edit-result.cjs',
+  'check-subagent-start.cjs',
+];
+
+export const CLAUDE_HOOK_LAYOUT = {
+  'pre-tool-use': [
+    'check-bash.cjs',
+    'check-file-edit.cjs',
+    'check-agent-spawn.cjs',
+  ],
+  'post-tool-use': [
+    'check-agent-spawn-result.cjs',
+    'check-file-edit-result.cjs',
+  ],
+  'sub-agent-start': [
+    'check-subagent-start.cjs',
+  ],
+};
+
+export const CLAUDE_MANAGED_FILES = Object.entries(CLAUDE_HOOK_LAYOUT)
+  .flatMap(([dir, files]) => files.map((f) => `.claude/hooks/${dir}/${f}`));
+
+export async function detectRuntime(cwd) {
+  const checks = [
+    { runtime: 'claude_code', exists: await fs.pathExists(path.join(cwd, '.claude'))
+                                    || await fs.pathExists(path.join(cwd, 'CLAUDE.md')) },
+    { runtime: 'cursor',      exists: await fs.pathExists(path.join(cwd, '.cursor')) },
+    { runtime: 'codex',       exists: await fs.pathExists(path.join(cwd, 'AGENTS.md')) },
+  ];
+  for (const c of checks) {
+    if (c.exists) return c.runtime;
+  }
+  return null;
+}
+
+export function httpRequestJson(method, urlString, { timeoutMs = 3000, apiKey = null, body = null } = {}) {
+  return new Promise((resolve) => {
+    try {
+      const parsed = new URL(urlString);
+      const lib = parsed.protocol === 'https:' ? https : http;
+      const headers = {};
+      let data = null;
+      if (body) {
+        data = Buffer.from(JSON.stringify(body));
+        headers['content-type'] = 'application/json';
+        headers['content-length'] = data.length;
+      }
+      if (apiKey) headers['X-Sanctix-API-Key'] = apiKey;
+      const req = lib.request({
+        host: parsed.hostname,
+        port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+        path: parsed.pathname + (parsed.search || ''),
+        method,
+        headers,
+      }, (res) => {
+        let chunks = '';
+        res.on('data', (d) => { chunks += d.toString(); });
+        res.on('end', () => {
+          let parsedBody = null;
+          try { parsedBody = chunks ? JSON.parse(chunks) : null; } catch (_e) { parsedBody = chunks; }
+          resolve({ status: res.statusCode, body: parsedBody });
+        });
+      });
+      req.on('error', (err) => resolve({ status: 0, error: err.message }));
+      req.setTimeout(timeoutMs, () => {
+        try { req.destroy(); } catch (_e) {}
+        resolve({ status: 0, error: 'timeout' });
+      });
+      if (data) req.write(data);
+      req.end();
+    } catch (e) {
+      resolve({ status: 0, error: e.message });
+    }
+  });
+}

package/cli/start.js

@@ -0,0 +1,165 @@
+import fs from 'fs-extra';
+import path from 'path';
+import crypto from 'crypto';
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import { httpRequestJson } from './runtime.js';
+
+const HIGH_RISK_KEYWORDS = [
+  'auth', 'payment', 'stripe', 'database', 'migration', 'deploy',
+  'secret', 'credential', 'production', 'billing', 'webhook',
+];
+const LOW_RISK_KEYWORDS = [
+  'read', 'list', 'show', 'view', 'check', 'status', 'docs', 'documentation',
+];
+
+export async function start(taskDescription, options = {}) {
+  const cwd = process.cwd();
+
+  // Step 1: Read manifest.
+  const manifestPath = path.join(cwd, '.sanctix/sanctix.config.json');
+  if (!(await fs.pathExists(manifestPath))) {
+    console.error(chalk.red('Sanctix is not initialized. Run sanctix init first.'));
+    process.exit(1);
+  }
+  const manifest = await fs.readJSON(manifestPath);
+
+  // Step 2: Generate session identifiers.
+  const correlationId = crypto.randomUUID();
+  const sessionId     = crypto.randomUUID();
+  const startedAt     = new Date().toISOString();
+  const userId        = process.env.USER || process.env.USERNAME || 'user';
+
+  // Step 3: Infer risk if not provided.
+  let risk;
+  const riskInferred = !options.risk;
+  if (options.risk) {
+    risk = String(options.risk).toLowerCase();
+  } else {
+    risk = inferRisk(taskDescription);
+    console.log('Risk level: ' + risk + ' (inferred from task description)');
+  }
+
+  // Step 4: Post SANCTIX_SESSION_STARTED event.
+  const approvalType = risk === 'high' ? 'pending' : 'self';
+  const apiKey = process.env.SANCTIX_API_KEY || readEnvKey(cwd, 'SANCTIX_API_KEY');
+  const postRes = await httpRequestJson('POST', manifest.auditUrl.replace(/\/$/, '') + '/events', {
+    apiKey: apiKey || null,
+    timeoutMs: 3000,
+    body: {
+      actor_type:       'agent',
+      event_type:       'sanctix.session.started',
+      timestamp_utc:    startedAt,
+      correlation_id:   correlationId,
+      user_id:          userId,
+      runtime_provider: manifest.runtime,
+      event_data: {
+        session_id:       sessionId,
+        task_description: taskDescription,
+        risk_level:       risk,
+        risk_inferred:    riskInferred,
+        declared_by:      userId,
+        declared_at:      startedAt,
+        approved_by:      userId,
+        approved_at:      startedAt,
+        approval_type:    approvalType,
+      },
+    },
+  });
+  if (postRes.status !== 201 && postRes.status !== 200) {
+    console.warn(chalk.yellow(
+      'Warning: failed to post session.started event to ' + manifest.auditUrl +
+      (postRes.error ? ' (' + postRes.error + ')' : ' (HTTP ' + postRes.status + ')')
+    ));
+  }
+
+  // Step 5: For high risk, require explicit confirmation.
+  if (risk === 'high' && !options.yes) {
+    console.log('');
+    console.log(chalk.yellow('Risk level HIGH requires acknowledgment.'));
+    console.log('Task: ' + taskDescription);
+    console.log('This session will be fully audited.');
+    const answer = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'cont',
+      message: 'Acknowledge and proceed?',
+      default: false,
+    }]);
+    if (!answer.cont) {
+      console.log('Aborted.');
+      process.exit(0);
+    }
+  }
+
+  // Step 6: Write session env file.
+  const truncatedTask = String(taskDescription).slice(0, 200);
+  const sessionEnvLines = [
+    'AWF_CORRELATION_ID=' + correlationId,
+    'AWF_SESSION_ID=' + sessionId,
+    'AWF_USER_ID=' + userId,
+    'SANCTIX_SESSION_STARTED=' + startedAt,
+    'SANCTIX_TASK=' + truncatedTask,
+    'SANCTIX_RISK=' + risk,
+    '',
+  ];
+  await fs.ensureDir(path.join(cwd, '.sanctix'));
+  await fs.writeFile(path.join(cwd, '.sanctix/session.env'), sessionEnvLines.join('\n'));
+
+  // Step 7: Print activation instructions.
+  console.log('');
+  console.log(chalk.bold('=== Sanctix Session Started ==='));
+  console.log('Session:     ' + correlationId);
+  console.log('Task:        ' + taskDescription);
+  console.log('Risk:        ' + risk);
+  console.log('Started:     ' + startedAt);
+  console.log('');
+  console.log('Activate this session by running ONE of the following');
+  console.log('before launching your runtime:');
+  console.log('');
+  console.log('For bash/zsh (copy and run):');
+  console.log('  export AWF_CORRELATION_ID=' + correlationId);
+  console.log('  export AWF_USER_ID=' + userId);
+  if (apiKey) {
+    console.log('  export SANCTIX_API_KEY=' + apiKey);
+  }
+  console.log('  export SANCTIX_AUDIT_URL=' + manifest.auditUrl);
+  console.log('');
+  console.log('Or source the session file:');
+  console.log('  source .sanctix/session.env && export $(cat .sanctix/session.env | cut -d= -f1)');
+  console.log('');
+  console.log('Then launch your runtime normally:');
+  console.log('  claude --dangerously-skip-permissions   (Claude Code)');
+  console.log('  cursor .                                (Cursor)');
+  console.log('  codex                                   (Codex)');
+  console.log('');
+  console.log('When done, run: sanctix stop');
+  console.log('');
+  console.log(chalk.bold('================================'));
+
+  // Step 8: Exit 0.
+  process.exit(0);
+}
+
+function inferRisk(taskDescription) {
+  const text = String(taskDescription || '').toLowerCase();
+  for (const kw of HIGH_RISK_KEYWORDS) {
+    if (text.includes(kw)) return 'high';
+  }
+  for (const kw of LOW_RISK_KEYWORDS) {
+    if (text.includes(kw)) return 'low';
+  }
+  return 'medium';
+}
+
+function readEnvKey(cwd, key) {
+  try {
+    const envPath = path.join(cwd, '.env');
+    if (!fs.pathExistsSync(envPath)) return null;
+    const text = fs.readFileSync(envPath, 'utf8');
+    for (const line of text.split('\n')) {
+      const m = line.match(/^([A-Z0-9_]+)=(.*)$/);
+      if (m && m[1] === key && m[2]) return m[2];
+    }
+  } catch (_e) {}
+  return null;
+}