ai-project-maintainer 0.3.0

package/ai-project-maintainer/scripts/lib/policy.mjs

@@ -0,0 +1,150 @@
+import fs from "node:fs";
+import path from "node:path";
+import YAML from "yaml";
+
+export const defaultPolicy = {
+  profile: "oss",
+  mode: "strict",
+  tool_groups: [],
+  checks: {
+    gitleaks: "block",
+    trivy: "block",
+    semgrep: "block",
+    "osv-scanner": "warn",
+    syft: "warn",
+    grype: "warn",
+    actionlint: "block",
+    zizmor: "warn",
+    checkov: "warn",
+    "trivy-config": "warn",
+    scorecard: "warn",
+    megalinter: "warn",
+    "pre-commit": "warn",
+  },
+  fail_on: {
+    tests: true,
+    secrets: true,
+    dependency_high_or_critical: true,
+    semgrep_blocking: true,
+    trivy_unavailable: true,
+    electron_dangerous_settings: true,
+    ci_security_high: true,
+  },
+  warn_on: {
+    dev_dependency_vulnerabilities: true,
+    missing_optional_tools: true,
+  },
+};
+
+function parseYamlFile(filePath, fallback) {
+  try {
+    const text = fs.readFileSync(filePath, "utf8").replace(/^\uFEFF/, "");
+    return YAML.parse(text) || fallback;
+  } catch {
+    return fallback;
+  }
+}
+
+function mergePolicy(customPolicy) {
+  return {
+    ...defaultPolicy,
+    ...customPolicy,
+    checks: { ...defaultPolicy.checks, ...(customPolicy.checks || {}) },
+    fail_on: { ...defaultPolicy.fail_on, ...(customPolicy.fail_on || {}) },
+    warn_on: { ...defaultPolicy.warn_on, ...(customPolicy.warn_on || {}) },
+  };
+}
+
+export function loadPolicyBundle(projectRoot) {
+  const root = path.resolve(projectRoot);
+  const policyPath = path.join(root, ".ai-maintainer", "policy.yml");
+  const exceptionsPath = path.join(root, ".ai-maintainer", "exceptions.yml");
+  const customPolicy = fs.existsSync(policyPath) ? parseYamlFile(policyPath, {}) : {};
+  const exceptionDocument = fs.existsSync(exceptionsPath) ? parseYamlFile(exceptionsPath, { exceptions: [] }) : { exceptions: [] };
+  const exceptions = fs.existsSync(exceptionsPath)
+    ? (Array.isArray(exceptionDocument.exceptions) ? exceptionDocument.exceptions : [])
+    : [];
+
+  return {
+    policy: mergePolicy(customPolicy),
+    exceptions,
+    paths: { policyPath, exceptionsPath },
+  };
+}
+
+export function validateExceptions(exceptions, now = new Date()) {
+  const valid = [];
+  const invalid = [];
+  const today = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate()));
+
+  for (const item of exceptions || []) {
+    const missing = ["id", "check", "reason", "expires", "owner"].filter((key) => !item[key]);
+    if (missing.length) {
+      invalid.push({ ...item, reason: `exception is missing required field(s): ${missing.join(", ")}` });
+      continue;
+    }
+
+    const expires = new Date(`${item.expires}T00:00:00Z`);
+    if (Number.isNaN(expires.getTime())) {
+      invalid.push({ ...item, reason: "exception expires date is invalid" });
+      continue;
+    }
+
+    if (expires < today) {
+      invalid.push({ ...item, reason: `exception expired on ${item.expires}` });
+      continue;
+    }
+
+    valid.push(item);
+  }
+
+  return { valid, invalid };
+}
+
+function matchesException(check, exception) {
+  const target = String(exception.check || "").toLowerCase();
+  return target === String(check.name || "").toLowerCase() || target === String(check.group || "").toLowerCase();
+}
+
+function policyKeyForCheck(check) {
+  if (check.group === "tests") return "tests";
+  if (check.group === "secrets") return "secrets";
+  if (check.group === "sast") return "semgrep_blocking";
+  if (check.group === "electron") return "electron_dangerous_settings";
+  if (check.group === "ci-security") return "ci_security_high";
+  if (check.group === "dependencies" && check.name?.includes("trivy") && ["error", "missing"].includes(check.status)) return "trivy_unavailable";
+  if (check.group === "dependencies" || check.group === "supply-chain") return "dependency_high_or_critical";
+  return null;
+}
+
+export function applyPolicy(checks, bundle, now = new Date()) {
+  const validation = validateExceptions(bundle.exceptions, now);
+  const applied = checks.map((check) => ({ ...check }));
+  const failOn = bundle.policy?.fail_on || {};
+  const checkLevels = bundle.policy?.checks || {};
+
+  for (const check of applied) {
+    if (!check.blocking) continue;
+    const checkLevel = checkLevels[check.checkId];
+    if (checkLevel === "warn" || checkLevel === "off") {
+      check.blocking = false;
+      check.policyLevel = checkLevel;
+      continue;
+    }
+    const policyKey = policyKeyForCheck(check);
+    if (policyKey && failOn[policyKey] === false) {
+      check.blocking = false;
+      check.policyDowngrade = `fail_on.${policyKey}=false`;
+      continue;
+    }
+    const exception = validation.valid.find((item) => matchesException(check, item));
+    if (!exception) continue;
+    check.blocking = false;
+    check.exception = exception;
+  }
+
+  return {
+    checks: applied,
+    invalidExceptions: validation.invalid,
+  };
+}

package/ai-project-maintainer/scripts/lib/project-detect.mjs

@@ -0,0 +1,111 @@
+import fs from "node:fs";
+import path from "node:path";
+
+const ignoredDirs = new Set([
+  ".git",
+  ".next",
+  ".turbo",
+  "build",
+  "coverage",
+  "dist",
+  "node_modules",
+  "target",
+  "vendor",
+]);
+
+export function readJson(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+export function listFiles(root, options = {}) {
+  const out = [];
+  const maxFiles = options.maxFiles || 7000;
+  const maxDepth = options.maxDepth || 8;
+
+  function walk(dir, depth) {
+    if (out.length >= maxFiles || depth > maxDepth) return;
+    let entries = [];
+    try {
+      entries = fs.readdirSync(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      if (ignoredDirs.has(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        walk(full, depth + 1);
+      } else if (entry.isFile()) {
+        out.push(path.relative(root, full).replaceAll(path.sep, "/"));
+      }
+    }
+  }
+
+  walk(root, 0);
+  return out;
+}
+
+function packageManagers(root, files) {
+  const managers = [];
+  if (files.includes("pnpm-lock.yaml")) managers.push("pnpm");
+  if (files.includes("yarn.lock")) managers.push("yarn");
+  if (files.includes("bun.lock") || files.includes("bun.lockb")) managers.push("bun");
+  if (files.includes("package-lock.json") || fs.existsSync(path.join(root, "package.json"))) managers.push("npm");
+  return managers;
+}
+
+function topExtensions(files) {
+  const counts = new Map();
+  for (const file of files) {
+    const ext = path.extname(file).toLowerCase() || "(none)";
+    counts.set(ext, (counts.get(ext) || 0) + 1);
+  }
+  return [...counts.entries()]
+    .sort((a, b) => b[1] - a[1])
+    .slice(0, 20)
+    .map(([extension, count]) => ({ extension, count }));
+}
+
+function riskSurfaces(files) {
+  return {
+    database: files.filter((file) => /(^|\/)(migrations?|db|database|prisma|drizzle|schema)\//i.test(file) || /\.(sql|prisma)$/i.test(file)),
+    infra: files.filter((file) => /\.(tf|ya?ml|jsonnet)$/i.test(file) && /(^|\/)(terraform|infra|k8s|kubernetes|helm|charts|\.github\/workflows)\//i.test(file)),
+    securitySensitive: files.filter((file) => /(^|\/)(auth|security|crypto|payments?|billing|permissions?|rbac|ipc|preload|main)\b/i.test(file)),
+    ci: files.filter((file) => /^\.github\/workflows\/.+\.ya?ml$/i.test(file)),
+  };
+}
+
+function detectElectron(root, files, packageJson) {
+  const deps = { ...(packageJson?.dependencies || {}), ...(packageJson?.devDependencies || {}) };
+  const detected =
+    Boolean(deps.electron) ||
+    files.some((file) => /(^|\/)(main|preload|electron)\.(js|jsx|ts|tsx|mjs|cjs)$/i.test(file));
+  return {
+    detected,
+    hasPreload: files.some((file) => /(^|\/)preload\.(js|ts|mjs|cjs)$/i.test(file)),
+    candidateFiles: files.filter((file) => /\.(js|jsx|ts|tsx|mjs|cjs)$/i.test(file)).slice(0, 1200),
+  };
+}
+
+export function detectProject(projectRoot, options = {}) {
+  const root = path.resolve(projectRoot);
+  const files = listFiles(root, options);
+  const packageJson = readJson(path.join(root, "package.json"));
+  const surfaces = riskSurfaces(files);
+
+  return {
+    root,
+    fileCount: files.length,
+    files,
+    packageJson,
+    packageManagers: packageManagers(root, files),
+    riskSurfaces: surfaces,
+    electron: detectElectron(root, files, packageJson),
+    topExtensions: topExtensions(files),
+  };
+}

package/ai-project-maintainer/scripts/lib/report.mjs

@@ -0,0 +1,227 @@
+import fs from "node:fs";
+import path from "node:path";
+
+function stableStatus(status) {
+  return status || "unknown";
+}
+
+function statusKey(status) {
+  return String(stableStatus(status)).toLowerCase();
+}
+
+function gradeForScore(score) {
+  if (score >= 90) return "A";
+  if (score >= 75) return "B";
+  if (score >= 60) return "C";
+  if (score >= 40) return "D";
+  return "F";
+}
+
+function buildMaintenanceSummary({ blockers, warnings, coverageGaps, invalidExceptions }) {
+  const score = Math.max(
+    0,
+    Math.min(100, 100 - blockers.length * 25 - warnings.length * 3 - coverageGaps.length * 2 - invalidExceptions.length * 20),
+  );
+  return {
+    score,
+    grade: gradeForScore(score),
+    basis: {
+      blockers: blockers.length,
+      warnings: warnings.length,
+      coverageGaps: coverageGaps.length,
+      invalidExceptions: invalidExceptions.length,
+    },
+  };
+}
+
+export function buildJsonReport({
+  root,
+  mode,
+  probe,
+  checks,
+  audit = null,
+  toolVersions = {},
+  invalidExceptions = [],
+  generatedAt = new Date().toISOString(),
+}) {
+  const blockers = checks.filter((check) => check.blocking);
+  const warnings = checks.filter((check) => !check.blocking && ["fail", "error", "missing", "skipped", "gap", "user_decision"].includes(statusKey(check.status)));
+  const coverageGaps = checks.filter((check) => check.coverageGap || ["missing", "skipped", "gap"].includes(statusKey(check.status)));
+  const exceptionUsage = checks.filter((check) => check.exception).map((check) => ({
+    check: check.name,
+    exception: check.exception,
+  }));
+
+  return {
+    schemaVersion: 1,
+    root,
+    mode,
+    passed: blockers.length === 0 && invalidExceptions.length === 0,
+    blockerCount: blockers.length + invalidExceptions.length,
+    warningCount: warnings.length,
+    coverageGapCount: coverageGaps.length,
+    maintenance: buildMaintenanceSummary({ blockers, warnings, coverageGaps, invalidExceptions }),
+    generatedAt,
+    probe,
+    audit,
+    blockers,
+    warnings,
+    coverageGaps,
+    toolVersions,
+    checks,
+    exceptions: {
+      used: exceptionUsage,
+      invalid: invalidExceptions,
+    },
+  };
+}
+
+export function toMarkdown(report) {
+  const lines = [];
+  lines.push(`# Local Security Gate: ${report.passed ? "PASS" : "FAIL"}`);
+  lines.push("");
+  lines.push(`Root: ${report.root}`);
+  lines.push(`Mode: strict=${Boolean(report.mode?.strict)}, release=${Boolean(report.mode?.release)}, production=${Boolean(report.mode?.production)}`);
+  lines.push(`Generated: ${report.generatedAt}`);
+  if (report.maintenance) {
+    lines.push(`Open Source Maintenance Score: ${report.maintenance.score}/100 (${report.maintenance.grade})`);
+  }
+  lines.push("");
+
+  lines.push("## Blocking Checks");
+  if (!report.blockers.length && !report.exceptions.invalid.length) lines.push("- None");
+  for (const check of report.blockers) {
+    lines.push(`- ${check.name}: ${check.status}. ${check.summary || ""}`.trim());
+  }
+  for (const exception of report.exceptions.invalid) {
+    lines.push(`- invalid exception ${exception.id || "(missing id)"}: ${exception.reason}`);
+  }
+  lines.push("");
+
+  lines.push("## Warnings");
+  if (!report.warnings.length) lines.push("- None");
+  for (const check of report.warnings) {
+    lines.push(`- ${check.name}: ${check.status}. ${check.summary || ""}`.trim());
+  }
+  lines.push("");
+
+  lines.push("## Coverage Gaps");
+  if (!report.coverageGaps.length) lines.push("- None");
+  for (const check of report.coverageGaps) {
+    lines.push(`- ${check.name}: ${check.summary || "tool unavailable"}`);
+  }
+  lines.push("");
+
+  if (report.audit) {
+    lines.push("## Production Audit");
+    lines.push(`Project Type: ${report.audit.profile?.projectType || "unknown"}`);
+    lines.push(`Database: ${Boolean(report.audit.profile?.hasDatabase)}`);
+    lines.push(`CI: ${Boolean(report.audit.profile?.hasCi)}`);
+    lines.push("");
+
+    lines.push("### Plan");
+    for (const item of report.audit.plan || []) {
+      lines.push(`- ${item.status} ${item.title}: ${item.summary}`);
+    }
+    if (!(report.audit.plan || []).length) lines.push("- None");
+    lines.push("");
+
+    lines.push("### Coverage Gaps");
+    if (!(report.audit.coverageGaps || []).length) lines.push("- None");
+    for (const gap of report.audit.coverageGaps || []) {
+      lines.push(`- ${gap.title}: ${gap.summary}${gap.recommendation ? ` Recommendation: ${gap.recommendation}` : ""}`);
+    }
+    lines.push("");
+
+    lines.push("### User Decisions");
+    if (!(report.audit.userDecisions || []).length) lines.push("- None");
+    for (const decision of report.audit.userDecisions || []) {
+      lines.push(`- ${decision.title}: ${decision.summary}${decision.recommendation ? ` Recommendation: ${decision.recommendation}` : ""}`);
+    }
+    lines.push("");
+  }
+
+  lines.push("## Tools");
+  for (const [tool, version] of Object.entries(report.toolVersions || {})) {
+    lines.push(`- ${tool}: ${version}`);
+  }
+  if (!Object.keys(report.toolVersions || {}).length) lines.push("- None recorded");
+  lines.push("");
+
+  lines.push("## Checks Run");
+  for (const check of report.checks) {
+    lines.push(`- ${check.name}: ${check.status}${check.command ? ` (${check.command})` : ""}`);
+  }
+  lines.push("");
+
+  lines.push("## Exceptions");
+  if (!report.exceptions.used.length && !report.exceptions.invalid.length) lines.push("- None");
+  for (const item of report.exceptions.used) {
+    lines.push(`- ${item.exception.id}: applied to ${item.check}, expires ${item.exception.expires}`);
+  }
+  for (const item of report.exceptions.invalid) {
+    lines.push(`- ${item.id || "(missing id)"}: invalid, ${item.reason}`);
+  }
+  lines.push("");
+
+  lines.push("## Next Step");
+  lines.push(report.passed ? "- Gate passed. Keep this command in CI before release." : "- Fix blocking checks or add narrow, owner-approved exceptions, then rerun the gate.");
+  return lines.join("\n");
+}
+
+export function toSarif(report) {
+  const rules = new Map();
+  const results = [];
+
+  for (const check of report.checks) {
+    if (["pass", "skipped", "missing", "n/a"].includes(statusKey(check.status))) continue;
+    const ruleId = check.name.replace(/\s+/g, "-").toLowerCase();
+    if (!rules.has(ruleId)) {
+      rules.set(ruleId, {
+        id: ruleId,
+        shortDescription: { text: check.name },
+        fullDescription: { text: check.summary || check.name },
+      });
+    }
+
+    results.push({
+      ruleId,
+      level: check.blocking ? "error" : "warning",
+      message: { text: check.summary || `${check.name} returned ${check.status}` },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: { uri: "." },
+          },
+        },
+      ],
+    });
+  }
+
+  return {
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "ai-project-maintainer",
+            informationUri: "https://github.com/xixifusi1213-gif/ai-project-maintainer",
+            rules: [...rules.values()],
+          },
+        },
+        results,
+      },
+    ],
+  };
+}
+
+export function writeReportFiles(report, outputPath) {
+  const jsonPath = path.resolve(outputPath);
+  const dir = path.dirname(jsonPath);
+  const base = jsonPath.replace(/\.json$/i, "");
+  fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(jsonPath, JSON.stringify(report, null, 2));
+  fs.writeFileSync(`${base}.md`, toMarkdown(report));
+  fs.writeFileSync(`${base}.sarif`, JSON.stringify(toSarif(report), null, 2));
+}

package/ai-project-maintainer/scripts/probe-project.mjs

@@ -0,0 +1,218 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+
+const root = path.resolve(process.argv[2] || process.cwd());
+const maxFiles = 8000;
+const skipDirs = new Set([
+  ".git",
+  ".hg",
+  ".svn",
+  "node_modules",
+  "vendor",
+  ".next",
+  ".nuxt",
+  "dist",
+  "build",
+  "target",
+  "coverage",
+  ".venv",
+  "venv",
+  "__pycache__",
+]);
+
+function safeStat(filePath) {
+  try {
+    return fs.statSync(filePath);
+  } catch {
+    return null;
+  }
+}
+
+function rel(filePath) {
+  return path.relative(root, filePath).replaceAll(path.sep, "/") || ".";
+}
+
+function walk(dir, depth = 0, files = []) {
+  if (files.length >= maxFiles || depth > 8) return files;
+  let entries = [];
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return files;
+  }
+
+  for (const entry of entries) {
+    if (files.length >= maxFiles) break;
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (!skipDirs.has(entry.name)) walk(full, depth + 1, files);
+    } else if (entry.isFile()) {
+      files.push(rel(full));
+    }
+  }
+  return files;
+}
+
+function hasAny(files, predicates) {
+  return files.filter((file) => predicates.some((predicate) => predicate(file)));
+}
+
+function commandExists(command) {
+  const pathValue = process.env.PATH || "";
+  const exts = process.platform === "win32"
+    ? (process.env.PATHEXT || ".EXE;.CMD;.BAT;.COM").split(";")
+    : [""];
+  for (const dir of pathValue.split(path.delimiter)) {
+    if (!dir) continue;
+    const base = path.join(dir, command);
+    for (const ext of exts) {
+      if (safeStat(base + ext)) return true;
+    }
+  }
+  return false;
+}
+
+function git(args) {
+  try {
+    return execFileSync("git", args, {
+      cwd: root,
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"],
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+
+function countExtensions(files) {
+  const counts = {};
+  for (const file of files) {
+    const ext = path.extname(file).toLowerCase() || "[none]";
+    counts[ext] = (counts[ext] || 0) + 1;
+  }
+  return Object.fromEntries(
+    Object.entries(counts).sort((a, b) => b[1] - a[1]).slice(0, 30),
+  );
+}
+
+const files = walk(root);
+const lower = files.map((file) => file.toLowerCase());
+
+const packageManagers = {
+  npm: lower.includes("package-lock.json"),
+  pnpm: lower.includes("pnpm-lock.yaml"),
+  yarn: lower.includes("yarn.lock"),
+  bun: lower.includes("bun.lockb") || lower.includes("bun.lock"),
+  pythonPip: lower.includes("requirements.txt"),
+  poetry: lower.includes("poetry.lock"),
+  pipenv: lower.includes("pipfile.lock"),
+  go: lower.includes("go.mod"),
+  rust: lower.includes("cargo.lock"),
+  maven: lower.includes("pom.xml"),
+  gradle: lower.some((file) => file.endsWith("build.gradle") || file.endsWith("build.gradle.kts")),
+  dotnet: lower.some((file) => file.endsWith(".csproj") || file.endsWith(".sln")),
+  ruby: lower.includes("gemfile.lock"),
+  php: lower.includes("composer.lock"),
+};
+
+const databaseFiles = hasAny(files, [
+  (file) => /(^|\/)(migrations?|db\/migrate|schema|alembic|flyway|liquibase)(\/|$)/i.test(file),
+  (file) => /\.(sql|prisma)$/i.test(file),
+  (file) => /drizzle|knexfile|sequelize|typeorm|schema\.rb|structure\.sql/i.test(file),
+]);
+
+const infraFiles = hasAny(files, [
+  (file) => /(^|\/)dockerfile$/i.test(file) || /docker-compose.*\.ya?ml$/i.test(file),
+  (file) => /\.(tf|tfvars)$/i.test(file),
+  (file) => /(^|\/)(charts?|helm|k8s|kubernetes|manifests)(\/|$)/i.test(file),
+  (file) => /(^|\/)(pulumi|cloudformation|serverless)\./i.test(file),
+  (file) => /(^|\/)\.github\/workflows\/.+\.ya?ml$/i.test(file),
+]);
+
+const securitySensitiveFiles = hasAny(files, [
+  (file) => /(^|\/)\.env(\.|$)/i.test(file),
+  (file) => /\.(pem|key|p12|pfx|crt)$/i.test(file),
+  (file) => /(^|\/)(auth|oauth|jwt|session|middleware|passport|security|iam|policy|cors)(\/|\.|-|_)/i.test(file),
+  (file) => /(^|\/)(api|routes|controllers|handlers)(\/|$)/i.test(file),
+]);
+
+const ciFiles = hasAny(files, [
+  (file) => /^\.github\/workflows\/.+\.ya?ml$/i.test(file),
+  (file) => /^\.gitlab-ci\.ya?ml$/i.test(file),
+  (file) => /^circle\.yml$/i.test(file),
+  (file) => /^\.circleci\/config\.ya?ml$/i.test(file),
+  (file) => /^azure-pipelines\.ya?ml$/i.test(file),
+  (file) => /^jenkinsfile$/i.test(file),
+]);
+
+const tools = [
+  "git",
+  "gh",
+  "semgrep",
+  "codeql",
+  "trivy",
+  "gitleaks",
+  "checkov",
+  "osv-scanner",
+  "actionlint",
+  "zizmor",
+  "syft",
+  "grype",
+  "nuclei",
+  "zap-baseline.py",
+  "docker",
+  "kubectl",
+  "helm",
+  "k8sgpt",
+  "holmes",
+  "kubescape",
+  "conftest",
+  "opa",
+  "atlas",
+  "bytebase",
+  "squawk",
+  "pgroll",
+  "gh-ost",
+  "pt-online-schema-change",
+  "cilium",
+  "tetragon",
+  "falcoctl",
+];
+
+const availableTools = Object.fromEntries(
+  tools.map((tool) => [tool, commandExists(tool)]),
+);
+
+const gitStatus = availableTools.git ? git(["status", "--short"]) : null;
+const gitBranch = availableTools.git ? git(["branch", "--show-current"]) : null;
+const changedFilesRaw = availableTools.git ? git(["diff", "--name-only", "HEAD"]) : null;
+
+const result = {
+  root,
+  fileCount: files.length,
+  truncated: files.length >= maxFiles,
+  git: {
+    branch: gitBranch,
+    dirty: Boolean(gitStatus),
+    statusShort: gitStatus,
+    changedFiles: changedFilesRaw ? changedFilesRaw.split(/\r?\n/).filter(Boolean) : [],
+  },
+  topExtensions: countExtensions(files),
+  packageManagers,
+  riskSurfaces: {
+    database: databaseFiles.slice(0, 80),
+    infra: infraFiles.slice(0, 80),
+    securitySensitive: securitySensitiveFiles.slice(0, 80),
+    ci: ciFiles.slice(0, 80),
+  },
+  availableTools,
+  recommendedReferences: [
+    databaseFiles.length ? "references/database.md" : null,
+    infraFiles.length || securitySensitiveFiles.length ? "references/security.md" : null,
+    ciFiles.length ? "references/ci-guardrails.md" : null,
+  ].filter(Boolean),
+};
+
+console.log(JSON.stringify(result, null, 2));