chapterhouse 0.5.1 → 0.6.0

package/dist/copilot/orchestrator.test.js

@@ -158,6 +158,117 @@ async function loadOrchestratorModule(t, overrides = {}) {
             DEFAULT_MODEL: "fallback-model",
         },
     });
+    t.mock.module("./memory-coordinator.js", {
+        namedExports: {
+            MemoryCoordinator: class {
+                checkpointTrackers = new Map();
+                checkpointTurnsBySession = new Map();
+                housekeepingTurnsBySession = new Map();
+                constructor(_options) { }
+                getCheckpointTracker(sessionKey) {
+                    let tracker = this.checkpointTrackers.get(sessionKey);
+                    if (!tracker) {
+                        tracker = { turns: 0 };
+                        this.checkpointTrackers.set(sessionKey, tracker);
+                    }
+                    return tracker;
+                }
+                async onTurnComplete(sessionKey, prompt, response, source) {
+                    if (source === "background") {
+                        return;
+                    }
+                    const tracker = this.getCheckpointTracker(sessionKey);
+                    state.checkpointTickCalls++;
+                    tracker.turns++;
+                    const turns = this.checkpointTurnsBySession.get(sessionKey) ?? [];
+                    turns.push({ user: prompt.trim(), assistant: response.trim() });
+                    this.checkpointTurnsBySession.set(sessionKey, turns);
+                    if (state.config.memoryCheckpointEnabled !== false && tracker.turns >= state.checkpointShouldFireAfter && !state.checkpointInFlight) {
+                        state.checkpointMarkFiredCalls++;
+                        tracker.turns = 0;
+                        state.checkpointRuns.push({
+                            sessionKey,
+                            turns: turns.slice(-5),
+                            activeScope: state.activeScope ?? null,
+                            trigger: "cadence",
+                        });
+                    }
+                    if (state.config.memoryHousekeepingEnabled === false) {
+                        return;
+                    }
+                    const count = (this.housekeepingTurnsBySession.get(sessionKey) ?? 0) + 1;
+                    const cadence = state.config.memoryHousekeepingTurns ?? 50;
+                    if (count < cadence) {
+                        this.housekeepingTurnsBySession.set(sessionKey, count);
+                        return;
+                    }
+                    this.housekeepingTurnsBySession.set(sessionKey, 0);
+                    if (!state.activeScope || state.housekeepingInFlight) {
+                        return;
+                    }
+                    state.housekeepingRuns.push({ scopeIds: [state.activeScope.id] });
+                }
+                async onScopeChange(sessionKey, prev, next) {
+                    if (!prev || state.config.memoryCheckpointOnScopeChange === false || state.checkpointInFlight) {
+                        return;
+                    }
+                    const tracker = this.getCheckpointTracker(sessionKey);
+                    if (tracker.turns < (state.config.memoryCheckpointMinTurnsForScopeFire ?? 2)) {
+                        return;
+                    }
+                    const turns = this.checkpointTurnsBySession.get(sessionKey) ?? [];
+                    if (turns.length === 0) {
+                        return;
+                    }
+                    state.checkpointMarkScopeChangeFireCalls++;
+                    tracker.turns = 0;
+                    state.checkpointRuns.push({
+                        sessionKey,
+                        turns: turns.slice(-5),
+                        activeScope: { slug: prev },
+                        trigger: "scope_change",
+                        scopeChangeContext: { from: prev, to: next || "no active scope" },
+                    });
+                }
+                async buildHotTierContext(sessionKey) {
+                    if (state.config.memoryInjectEnabled === false) {
+                        return "";
+                    }
+                    if (sessionKey.startsWith("agent:")) {
+                        const agent = state.registry.find((entry) => `agent:${entry.slug}` === sessionKey);
+                        if (agent?.scope) {
+                            return (state.hotTierByScope?.get(agent.scope) ?? "").trimEnd();
+                        }
+                    }
+                    const xml = state.hotTierXml ?? state.hotTierByScope?.get(state.activeScope?.slug ?? "") ?? "";
+                    return xml.trimEnd();
+                }
+                buildPerTurnHooks(sessionKey) {
+                    if (state.config.memoryInjectEnabled === false) {
+                        return undefined;
+                    }
+                    return {
+                        onUserPromptSubmitted: async () => {
+                            const additionalContext = await this.buildHotTierContext(sessionKey);
+                            return additionalContext ? { additionalContext } : undefined;
+                        },
+                    };
+                }
+                async onAgentTaskComplete(_taskId, _result) { }
+                reset(sessionKey) {
+                    state.checkpointResetCalls++;
+                    this.getCheckpointTracker(sessionKey).turns = 0;
+                    this.checkpointTurnsBySession.delete(sessionKey);
+                    this.housekeepingTurnsBySession.delete(sessionKey);
+                }
+                shutdown() {
+                    this.checkpointTrackers.clear();
+                    this.checkpointTurnsBySession.clear();
+                    this.housekeepingTurnsBySession.clear();
+                }
+            },
+        },
+    });
     t.mock.module("../memory/hot-tier.js", {
         namedExports: {
             renderHotTierForActiveScope: () => state.hotTierXml ?? "",

package/dist/copilot/pr-title.js

@@ -0,0 +1,92 @@
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PR_TYPES_CONFIG_PATH = join(__dirname, "..", "..", ".pr-types.json");
+function loadPrTitleTypes() {
+    const parsed = JSON.parse(readFileSync(PR_TYPES_CONFIG_PATH, "utf-8"));
+    if (!Array.isArray(parsed) || parsed.some((value) => typeof value !== "string" || value.trim().length === 0)) {
+        throw new Error(`Invalid PR title types config at ${PR_TYPES_CONFIG_PATH}`);
+    }
+    return parsed;
+}
+const VALID_PR_TITLE_TYPES = loadPrTitleTypes();
+const PR_TITLE_PATTERN = new RegExp(`^(?<type>${VALID_PR_TITLE_TYPES.join("|")})(?:\\((?<scope>[^()\\r\\n]+)\\))?: (?<description>.+)$`);
+function examplesBlock() {
+    return [
+        "Examples:",
+        "  Valid: feat: add user search",
+        "  Valid: fix(auth): handle token expiry",
+        "  Valid: test: memory tiering edge cases",
+        "  Invalid: adding new thing",
+        "  Invalid: WIP",
+        "  Invalid: HOTFIX",
+    ].join("\n");
+}
+function allowedTypesLine() {
+    return `Allowed types: ${VALID_PR_TITLE_TYPES.join(", ")}.`;
+}
+function isAllCapsDescription(description) {
+    const lettersOnly = description.replace(/[^A-Za-z]/g, "");
+    return lettersOnly.length > 0 && lettersOnly === lettersOnly.toUpperCase();
+}
+export function explainPrTitleValidation(title) {
+    const normalizedTitle = title.trim();
+    if (!normalizedTitle) {
+        return {
+            valid: false,
+            message: [
+                "PR title is required.",
+                "Use conventional commit format: type(optional-scope): description",
+                allowedTypesLine(),
+                examplesBlock(),
+            ].join("\n"),
+        };
+    }
+    const match = PR_TITLE_PATTERN.exec(normalizedTitle);
+    if (!match?.groups) {
+        return {
+            valid: false,
+            message: [
+                `PR title \"${normalizedTitle}\" must match conventional commit format: type(optional-scope): description`,
+                allowedTypesLine(),
+                examplesBlock(),
+            ].join("\n"),
+        };
+    }
+    const description = match.groups.description.trim();
+    if (!description) {
+        return {
+            valid: false,
+            message: [
+                "PR title description must be non-empty.",
+                examplesBlock(),
+            ].join("\n"),
+        };
+    }
+    if (isAllCapsDescription(description)) {
+        return {
+            valid: false,
+            message: [
+                `PR title description must not be ALL CAPS: \"${description}\".`,
+                "Use a short, sentence-style description after the conventional type prefix.",
+                examplesBlock(),
+            ].join("\n"),
+        };
+    }
+    return {
+        valid: true,
+        message: `PR title is valid: ${normalizedTitle}`,
+    };
+}
+export function isValidPrTitle(title) {
+    return explainPrTitleValidation(title).valid;
+}
+export function assertValidPrTitle(title) {
+    const result = explainPrTitleValidation(title);
+    if (!result.valid) {
+        throw new Error(result.message);
+    }
+}
+export { VALID_PR_TITLE_TYPES };
+//# sourceMappingURL=pr-title.js.map

package/dist/copilot/pr-title.test.js

@@ -0,0 +1,54 @@
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import test from "node:test";
+import { fileURLToPath } from "node:url";
+import { explainPrTitleValidation, isValidPrTitle } from "./pr-title.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PR_TYPES_CONFIG_PATH = join(__dirname, "..", "..", ".pr-types.json");
+test("accepts conventional PR titles with and without scopes", () => {
+    assert.equal(isValidPrTitle("feat: add user search"), true);
+    assert.equal(isValidPrTitle("fix(auth): handle token expiry"), true);
+    assert.equal(isValidPrTitle("test: memory tiering edge cases"), true);
+    assert.equal(isValidPrTitle("release: v1.2.3"), true);
+});
+test("rejects blank or malformed PR titles with clear guidance", () => {
+    const blank = explainPrTitleValidation("   ");
+    assert.equal(blank.valid, false);
+    assert.match(blank.message, /PR title is required/i);
+    assert.match(blank.message, /feat: add user search/);
+    const malformed = explainPrTitleValidation("adding new thing");
+    assert.equal(malformed.valid, false);
+    assert.match(malformed.message, /must match conventional commit format/i);
+    assert.match(malformed.message, /type\(optional-scope\): description/i);
+});
+test("rejects all-caps descriptions even when the prefix is valid", () => {
+    const result = explainPrTitleValidation("fix: HOTFIX");
+    assert.equal(result.valid, false);
+    assert.match(result.message, /description must not be all caps/i);
+});
+test("rejects unsupported types", () => {
+    const result = explainPrTitleValidation("hotfix: patch prod issue");
+    assert.equal(result.valid, false);
+    assert.match(result.message, /allowed types/i);
+    assert.match(result.message, /feat, fix, docs, style, refactor, perf, test, chore, build, ci, revert, release/);
+});
+test("loads PR title types from the shared config file", () => {
+    const raw = readFileSync(PR_TYPES_CONFIG_PATH, "utf-8");
+    const types = JSON.parse(raw);
+    assert.deepEqual(types, [
+        "feat",
+        "fix",
+        "docs",
+        "style",
+        "refactor",
+        "perf",
+        "test",
+        "chore",
+        "build",
+        "ci",
+        "revert",
+        "release",
+    ]);
+});
+//# sourceMappingURL=pr-title.test.js.map

package/dist/copilot/router.js

@@ -1,16 +1,19 @@
 import { getState, setState } from "../store/db.js";
+import { config } from "../config.js";
 import { classifyWithLLM } from "./classifier.js";
 import { childLogger } from "../util/logger.js";
 const log = childLogger("router");
 // ---------------------------------------------------------------------------
 // Default configuration
 // ---------------------------------------------------------------------------
+const STANDARD_MODEL = "claude-sonnet-4.6";
+const PREMIUM_MODEL = "claude-opus-4.6";
 const DEFAULT_CONFIG = {
-    enabled: false,
+    enabled: config.chapterhouseMode === "personal",
     tierModels: {
         fast: "gpt-4.1",
-        standard: "claude-sonnet-4.6",
-        premium: "claude-opus-4.6",
+        standard: STANDARD_MODEL,
+        premium: PREMIUM_MODEL,
     },
     overrides: [
         {
@@ -19,11 +22,32 @@ const DEFAULT_CONFIG = {
                 "design", "ui", "ux", "css", "layout", "styling", "visual",
                 "mockup", "wireframe", "frontend design", "tailwind", "responsive",
             ],
-            model: "claude-opus-4.6",
+            model: PREMIUM_MODEL,
         },
     ],
     cooldownMessages: 2,
 };
+function cloneRouterConfig(routerConfig) {
+    return {
+        ...routerConfig,
+        tierModels: { ...routerConfig.tierModels },
+        overrides: routerConfig.overrides.map((rule) => ({
+            ...rule,
+            keywords: [...rule.keywords],
+        })),
+    };
+}
+function getDefaultRouterConfig(hasStoredConfig) {
+    const defaults = cloneRouterConfig(DEFAULT_CONFIG);
+    if (config.chapterhouseMode === "personal" && !hasStoredConfig) {
+        defaults.tierModels.premium = defaults.tierModels.standard;
+        defaults.overrides = defaults.overrides.map((rule) => ({
+            ...rule,
+            model: rule.model === PREMIUM_MODEL ? defaults.tierModels.standard : rule.model,
+        }));
+    }
+    return defaults;
+}
 // ---------------------------------------------------------------------------
 // Module-level state
 // ---------------------------------------------------------------------------
@@ -51,18 +75,29 @@ function wordMatch(text, keyword) {
 // ---------------------------------------------------------------------------
 export function getRouterConfig() {
     const stored = getState("router_config");
+    const defaults = getDefaultRouterConfig(stored !== undefined);
     if (stored) {
         try {
-            return { ...DEFAULT_CONFIG, ...JSON.parse(stored) };
+            const parsed = JSON.parse(stored);
+            return {
+                ...defaults,
+                ...parsed,
+                tierModels: {
+                    ...defaults.tierModels,
+                    ...(parsed.tierModels ?? {}),
+                },
+                overrides: parsed.overrides ?? defaults.overrides,
+            };
         }
         catch {
-            return { ...DEFAULT_CONFIG };
+            return defaults;
         }
     }
-    return { ...DEFAULT_CONFIG };
+    return defaults;
 }
 export function updateRouterConfig(partial) {
-    const current = getRouterConfig();
+    const hasStoredConfig = getState("router_config") !== undefined;
+    const current = hasStoredConfig ? getRouterConfig() : cloneRouterConfig(DEFAULT_CONFIG);
     const merged = {
         ...current,
         ...partial,

package/dist/copilot/router.test.js

@@ -13,6 +13,13 @@ async function loadRouterModule(t, options = {}) {
             },
         },
     });
+    t.mock.module("../config.js", {
+        namedExports: {
+            config: {
+                chapterhouseMode: options.mode ?? "personal",
+            },
+        },
+    });
     t.mock.module("./classifier.js", {
         namedExports: {
             classifyWithLLM: async (_client, prompt) => await (options.classify?.(prompt) ?? null),
@@ -21,16 +28,15 @@ async function loadRouterModule(t, options = {}) {
     const router = await import(new URL(`./router.js?case=${Date.now()}-${Math.random()}`, import.meta.url).href);
     return { router, state };
 }
-test("router config falls back safely and deep-merges tier model updates", async (t) => {
-    const { router, state } = await loadRouterModule(t, {
-        storedConfig: "{not-json}",
-    });
+test("router config defaults personal-mode auto-routing to standard-cost routes before opt-in", async (t) => {
+    // Security/Billing: personal mode must not silently spend premium quota until the user explicitly opts in.
+    const { router } = await loadRouterModule(t, { mode: "personal" });
     assert.deepEqual(router.getRouterConfig(), {
-        enabled: false,
+        enabled: true,
         tierModels: {
             fast: "gpt-4.1",
             standard: "claude-sonnet-4.6",
-            premium: "claude-opus-4.6",
+            premium: "claude-sonnet-4.6",
         },
         overrides: [
             {
@@ -39,19 +45,29 @@ test("router config falls back safely and deep-merges tier model updates", async
                     "design", "ui", "ux", "css", "layout", "styling", "visual",
                     "mockup", "wireframe", "frontend design", "tailwind", "responsive",
                 ],
-                model: "claude-opus-4.6",
+                model: "claude-sonnet-4.6",
             },
         ],
         cooldownMessages: 2,
     });
+});
+test("router config keeps auto-routing off by default in team mode", async (t) => {
+    const { router } = await loadRouterModule(t, { mode: "team" });
+    assert.equal(router.getRouterConfig().enabled, false);
+});
+test("saving router config in personal mode opts into premium defaults and deep-merges tier model updates", async (t) => {
+    // Security/Billing: persisted router_config is the explicit consent boundary for premium model usage.
+    const { router, state } = await loadRouterModule(t, { mode: "personal" });
+    const saved = router.updateRouterConfig({ enabled: true });
+    assert.equal(saved.enabled, true);
+    assert.equal(saved.tierModels.premium, "claude-opus-4.6");
+    assert.equal(saved.overrides[0]?.model, "claude-opus-4.6");
     const updated = router.updateRouterConfig({
-        enabled: true,
         tierModels: {
-            ...router.getRouterConfig().tierModels,
+            ...saved.tierModels,
             premium: "gpt-5.5",
         },
     });
-    assert.equal(updated.enabled, true);
     assert.deepEqual(updated.tierModels, {
         fast: "gpt-4.1",
         standard: "claude-sonnet-4.6",
@@ -60,7 +76,7 @@ test("router config falls back safely and deep-merges tier model updates", async
     assert.equal(JSON.parse(state.get("router_config") || "{}").tierModels.premium, "gpt-5.5");
 });
 test("resolveModel stays in manual mode when the router is disabled", async (t) => {
-    const { router } = await loadRouterModule(t);
+    const { router } = await loadRouterModule(t, { mode: "team" });
     const result = await router.resolveModel("Ship it", "claude-sonnet-4.6", []);
     assert.deepEqual(result, {
         model: "claude-sonnet-4.6",
@@ -69,28 +85,54 @@ test("resolveModel stays in manual mode when the router is disabled", async (t)
         routerMode: "manual",
     });
 });
-test("resolveModel applies overrides by whole word and ignores partial-word matches", async (t) => {
+test("resolveModel applies safe design overrides before personal-mode opt-in and ignores partial-word matches", async (t) => {
+    // Security/Billing: premium-looking prompts like design work must still stay on standard-cost models until opt-in is stored.
     const { router } = await loadRouterModule(t, {
         classify: async () => "fast",
     });
-    router.updateRouterConfig({ enabled: true });
     const override = await router.resolveModel("Need a UI refresh", "gpt-4.1", [], {});
     const noOverride = await router.resolveModel("Fruit salad", "gpt-4.1", [], {});
     assert.equal(override.overrideName, "design");
-    assert.equal(override.model, "claude-opus-4.6");
+    assert.equal(override.model, "claude-sonnet-4.6");
     assert.equal(override.switched, true);
     assert.equal(noOverride.overrideName, undefined);
     assert.equal(noOverride.model, "gpt-4.1");
     assert.equal(noOverride.tier, "fast");
 });
-test("short follow-ups inherit the previous tier", async (t) => {
+test("stored router opt-in re-enables premium design overrides in personal mode", async (t) => {
+    // Security/Billing: once the user explicitly opts in, premium routing should activate so future regressions do not strand consented users on downgraded routing.
+    const { router } = await loadRouterModule(t, {
+        mode: "personal",
+        storedConfig: JSON.stringify({
+            enabled: true,
+            tierModels: {
+                fast: "gpt-4.1",
+                standard: "claude-sonnet-4.6",
+                premium: "claude-opus-4.6",
+            },
+            overrides: [
+                {
+                    name: "design",
+                    keywords: ["design", "ui"],
+                    model: "claude-opus-4.6",
+                },
+            ],
+            cooldownMessages: 2,
+        }),
+    });
+    const result = await router.resolveModel("Need a UI refresh", "claude-sonnet-4.6", [], {});
+    assert.equal(result.overrideName, "design");
+    assert.equal(result.model, "claude-opus-4.6");
+    assert.equal(result.switched, true);
+});
+test("short follow-ups inherit the previous tier without forcing premium before opt-in", async (t) => {
+    // Security/Billing: follow-up replies must not become a backdoor that silently upgrades personal-mode users to premium routing.
     const { router } = await loadRouterModule(t);
-    router.updateRouterConfig({ enabled: true });
     const result = await router.resolveModel("yes", "claude-sonnet-4.6", ["premium"]);
     assert.deepEqual(result, {
-        model: "claude-opus-4.6",
+        model: "claude-sonnet-4.6",
         tier: "premium",
-        switched: true,
+        switched: false,
         routerMode: "auto",
     });
 });

package/dist/copilot/threat-model.js

@@ -0,0 +1,50 @@
+const THREAT_MODEL_PATTERNS = [
+    /(^|[\/._-])auth([\/._-]|$)/i,
+    /credential/i,
+    /(auth|access|bearer|refresh|session|payment|api)[-_.]?token|token[-_.]?(auth|key|secret|refresh|access|session|payment)/i,
+    /billing/i,
+    /subscription/i,
+    /api[-_]?key/i,
+    /(^|[\/._-])tiers?([\/._-]|$)/i,
+];
+function normalizeChangedFiles(changedFiles) {
+    return changedFiles.map((file) => file.trim()).filter(Boolean);
+}
+export function findThreatModelMatches(changedFiles) {
+    return normalizeChangedFiles(changedFiles).filter((file) => THREAT_MODEL_PATTERNS.some((pattern) => pattern.test(file)));
+}
+export function hasThreatModelSection(prBody) {
+    const stripped = (prBody ?? "").replace(/<!--[\s\S]*?-->/g, "");
+    return /^##+\s+Threat Model\b/im.test(stripped);
+}
+export function evaluateThreatModelCheck(input) {
+    const matchedFiles = findThreatModelMatches(input.changedFiles);
+    if (matchedFiles.length === 0) {
+        return {
+            required: false,
+            valid: true,
+            matchedFiles: [],
+            message: "✅ No auth/credentials/billing file changes detected — a threat model section is not required.",
+        };
+    }
+    if (hasThreatModelSection(input.prBody)) {
+        return {
+            required: true,
+            valid: true,
+            matchedFiles,
+            message: "✅ Threat model section present for auth/credentials/billing changes.",
+        };
+    }
+    return {
+        required: true,
+        valid: false,
+        matchedFiles,
+        message: [
+            "⚠️ This PR modifies auth/credentials/billing files. Add a '## Threat Model' section to the PR description explaining the security implications.",
+            "",
+            "Matched files:",
+            ...matchedFiles.map((file) => `- ${file}`),
+        ].join("\n"),
+    };
+}
+//# sourceMappingURL=threat-model.js.map

package/dist/copilot/threat-model.test.js

@@ -0,0 +1,129 @@
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import test from "node:test";
+async function loadThreatModelModule() {
+    const nonce = `${Date.now()}-${Math.random()}`;
+    const moduleUrl = new URL(`./threat-model.js?case=${nonce}`, import.meta.url);
+    const module = await import(moduleUrl.href).catch(() => null);
+    assert.ok(module, "expected threat-model module to exist");
+    return module;
+}
+test("requires a threat model section when auth, credential, token, or billing files change", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: [
+            "src/api/auth.ts",
+            "src/auth/session-token.ts",
+            "docs/architecture.md",
+            "src/billing/subscription-plan.ts",
+        ],
+        prBody: "## Summary\nAdds validation for token refresh.\n",
+    });
+    assert.equal(result.required, true);
+    assert.equal(result.valid, false);
+    assert.deepEqual(result.matchedFiles, [
+        "src/api/auth.ts",
+        "src/auth/session-token.ts",
+        "src/billing/subscription-plan.ts",
+    ]);
+    assert.match(result.message, /This PR modifies auth\/credentials\/billing files/i);
+    assert.match(result.message, /## Threat Model/);
+});
+test("accepts PRs with matching files once the threat model section is present", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: ["src/copilot/auth.ts", "src/config.ts"],
+        prBody: [
+            "## Summary",
+            "Hardens auth bootstrap behavior.",
+            "",
+            "## Threat Model",
+            "Tokens stay in-memory only; no new credentials are persisted.",
+        ].join("\n"),
+    });
+    assert.equal(result.required, true);
+    assert.equal(result.valid, true);
+    assert.deepEqual(result.matchedFiles, ["src/copilot/auth.ts"]);
+});
+test("skips the requirement when changed files are outside auth, credentials, and billing", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: ["src/wiki/index.ts", "web/src/routes/Chat.tsx"],
+        prBody: "## Summary\nUI cleanup only.\n",
+    });
+    assert.equal(result.required, false);
+    assert.equal(result.valid, true);
+    assert.deepEqual(result.matchedFiles, []);
+    assert.match(result.message, /not required/i);
+});
+test("does NOT flag lexer or NLP files with 'token' in the name (false-positive guard)", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const result = evaluateThreatModelCheck({
+        changedFiles: [
+            "src/parser/tokenizer.ts",
+            "src/nlp/token-embeddings.ts",
+            "src/utils/tokenize.ts",
+            "src/copilot/token-cache.ts",
+            "web/src/components/TokenDisplay.tsx",
+        ],
+        prBody: "## Summary\nRefactors NLP pipeline.\n",
+    });
+    assert.equal(result.required, false);
+    assert.equal(result.valid, true);
+    assert.deepEqual(result.matchedFiles, []);
+    assert.match(result.message, /not required/i);
+});
+test("correctly flags security-relevant token files (auth-token, session-token, payment-token)", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    const securityFiles = [
+        "src/auth/session-token.ts",
+        "src/billing/payment-token.ts",
+        "src/credentials/access-token-store.ts",
+        "src/api/bearer-token-middleware.ts",
+        "src/copilot/refresh-token.ts",
+        "src/auth/token-secret.ts",
+    ];
+    for (const file of securityFiles) {
+        const result = evaluateThreatModelCheck({
+            changedFiles: [file],
+            prBody: "## Summary\nNo threat model section.\n",
+        });
+        assert.equal(result.required, true, `Expected ${file} to trigger threat-model gate`);
+        assert.deepEqual(result.matchedFiles, [file]);
+    }
+});
+test("hasThreatModelSection returns false when the section exists only inside an HTML comment (template placeholder)", async () => {
+    const { evaluateThreatModelCheck } = await loadThreatModelModule();
+    // Simulates a PR body where the author left the default template untouched —
+    // the Threat Model heading is present only inside an HTML comment block.
+    const templatePlaceholderBody = [
+        "## Summary",
+        "Adds a new auth flow.",
+        "",
+        "<!--",
+        "## Threat Model",
+        "",
+        "If this PR touches auth, credentials, API keys, billing tiers, or subscription logic — fill in the Threat Model section.",
+        "Otherwise delete it.",
+        "",
+        "- Risk:",
+        "- Mitigations:",
+        "- Reviewer focus:",
+        "-->",
+    ].join("\n");
+    const result = evaluateThreatModelCheck({
+        changedFiles: ["src/auth/session-token.ts"],
+        prBody: templatePlaceholderBody,
+    });
+    assert.equal(result.required, true);
+    assert.equal(result.valid, false, "A Threat Model section inside an HTML comment must NOT satisfy the gate");
+    assert.match(result.message, /## Threat Model/);
+});
+test("PR template reminds authors about the threat model section", () => {
+    const template = readFileSync(join(process.cwd(), ".github", "PULL_REQUEST_TEMPLATE.md"), "utf8");
+    assert.match(template, /Threat Model/);
+    assert.match(template, /If this PR touches auth, credentials, API keys, billing tiers, or subscription logic/i);
+    assert.match(template, /Otherwise delete it/i);
+});
+//# sourceMappingURL=threat-model.test.js.map