codegate-ai 0.1.0

package/dist/commands/scan-command.js

@@ -0,0 +1,403 @@
+import { mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join, resolve } from "node:path";
+import { applyConfigPolicy } from "../config.js";
+import { buildMetaAgentCommand, } from "../layer3-dynamic/command-builder.js";
+import { buildPromptEvidenceText, supportsToollessLocalTextAnalysis, } from "../layer3-dynamic/local-text-analysis.js";
+import { buildLocalTextAnalysisPrompt, buildSecurityAnalysisPrompt, } from "../layer3-dynamic/meta-agent.js";
+import { layer3OutcomesToFindings, mergeLayer3Findings, runDeepScanWithConsent, } from "../pipeline.js";
+import { mergeMetaAgentMetadata, metadataSummary, noEligibleDeepResourceNotes, parseLocalTextFindings, parseMetaAgentOutput, remediationSummaryLines, renderByFormat, withMetaAgentFinding, } from "./scan-command/helpers.js";
+function toMetaAgentPreference(value) {
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "claude" || normalized === "claude-code") {
+        return "claude";
+    }
+    if (normalized === "codex" || normalized === "codex-cli") {
+        return "codex";
+    }
+    if (normalized === "opencode") {
+        return "opencode";
+    }
+    return null;
+}
+function deepAgentOptions(report, config) {
+    const detected = new Set(report.tools_detected);
+    const skipTools = new Set(config.tool_discovery.skip_tools.map((tool) => tool.trim().toLowerCase()));
+    const preferred = toMetaAgentPreference(config.tool_discovery.preferred_agent);
+    const candidates = [];
+    if (detected.has("claude-code") && !skipTools.has("claude") && !skipTools.has("claude-code")) {
+        candidates.push({
+            id: "claude",
+            label: "Claude Code",
+            metaTool: "claude",
+            binary: config.tool_discovery.agent_paths.claude ??
+                config.tool_discovery.agent_paths["claude-code"] ??
+                "claude",
+            detectedTool: "claude-code",
+        });
+    }
+    if (detected.has("codex-cli") && !skipTools.has("codex") && !skipTools.has("codex-cli")) {
+        candidates.push({
+            id: "codex",
+            label: "Codex CLI",
+            metaTool: "codex",
+            binary: config.tool_discovery.agent_paths.codex ??
+                config.tool_discovery.agent_paths["codex-cli"] ??
+                "codex",
+            detectedTool: "codex-cli",
+        });
+    }
+    if (detected.has("opencode") && !skipTools.has("opencode")) {
+        candidates.push({
+            id: "opencode",
+            label: "OpenCode",
+            metaTool: "generic",
+            binary: config.tool_discovery.agent_paths.opencode ?? "opencode",
+            detectedTool: "opencode",
+        });
+    }
+    const order = ["claude", "codex", "opencode"];
+    return candidates.sort((left, right) => {
+        if (preferred && left.id === preferred && right.id !== preferred) {
+            return -1;
+        }
+        if (preferred && right.id === preferred && left.id !== preferred) {
+            return 1;
+        }
+        return order.indexOf(left.id) - order.indexOf(right.id);
+    });
+}
+export async function executeScanCommand(input, deps) {
+    try {
+        const interactivePromptsEnabled = deps.isTTY() && input.options.noTui !== true;
+        const discoveryContext = deps.prepareScanDiscovery
+            ? await deps.prepareScanDiscovery(input.scanTarget, input.config, {
+                explicitCandidates: input.explicitCandidates,
+            })
+            : undefined;
+        let report = await deps.runScan({
+            version: input.version,
+            scanTarget: input.scanTarget,
+            config: input.config,
+            flags: input.options,
+            discoveryContext,
+        });
+        if (input.displayTarget && input.displayTarget !== report.scan_target) {
+            report = {
+                ...report,
+                scan_target: input.displayTarget,
+            };
+        }
+        const deepScanNotes = [];
+        if (input.options.deep) {
+            const discoverResources = deps.discoverDeepResources ?? (async () => []);
+            const discoverLocalTextTargets = deps.discoverLocalTextTargets ?? (async () => []);
+            const resources = await discoverResources(input.scanTarget, input.config, discoveryContext);
+            const localTextTargets = await discoverLocalTextTargets(input.scanTarget, input.config, discoveryContext);
+            const optionsForAgent = deepAgentOptions(report, input.config);
+            let selectedAgent = null;
+            if ((resources.length > 0 || localTextTargets.length > 0) && optionsForAgent.length > 0) {
+                if (input.options.force || !interactivePromptsEnabled) {
+                    selectedAgent = optionsForAgent[0] ?? null;
+                }
+                else if (deps.requestDeepAgentSelection) {
+                    selectedAgent = await deps.requestDeepAgentSelection(optionsForAgent);
+                }
+            }
+            if (resources.length === 0 && localTextTargets.length === 0) {
+                deepScanNotes.push(...noEligibleDeepResourceNotes());
+            }
+            else {
+                if (selectedAgent) {
+                    deepScanNotes.push(`Deep scan meta-agent selected: ${selectedAgent.label} (${selectedAgent.binary})`);
+                }
+                else if (optionsForAgent.length > 0) {
+                    deepScanNotes.push("Deep scan meta-agent skipped. Running deterministic Layer 3 checks only.");
+                }
+                else {
+                    deepScanNotes.push("No supported deep-scan agent detected (Claude Code, Codex CLI, or OpenCode). Running deterministic Layer 3 checks only.");
+                }
+                if (resources.length > 0) {
+                    if (!deps.executeDeepResource) {
+                        throw new Error("Deep resource executor not configured");
+                    }
+                    let resourcesWithFetchedMetadata = 0;
+                    let executedMetaAgentCommands = 0;
+                    const outcomes = await runDeepScanWithConsent(resources, async (resource) => {
+                        if (input.options.force) {
+                            return true;
+                        }
+                        if (deps.requestDeepScanConsent) {
+                            return await deps.requestDeepScanConsent(resource);
+                        }
+                        return false;
+                    }, async (resource) => {
+                        const fetched = await deps.executeDeepResource(resource);
+                        if (fetched.status !== "ok" || !selectedAgent) {
+                            return fetched;
+                        }
+                        resourcesWithFetchedMetadata += 1;
+                        const prompt = buildSecurityAnalysisPrompt({
+                            resourceId: resource.id,
+                            resourceSummary: metadataSummary(fetched.metadata),
+                        });
+                        const command = buildMetaAgentCommand({
+                            tool: selectedAgent.metaTool,
+                            prompt,
+                            workingDirectory: input.scanTarget,
+                            binaryPath: selectedAgent.binary,
+                        });
+                        const commandContext = {
+                            resource,
+                            agent: selectedAgent,
+                            command,
+                        };
+                        const approvedCommand = input.options.force ||
+                            (deps.requestMetaAgentCommandConsent
+                                ? await deps.requestMetaAgentCommandConsent(commandContext)
+                                : false);
+                        if (!approvedCommand) {
+                            return {
+                                ...fetched,
+                                metadata: withMetaAgentFinding(fetched.metadata, {
+                                    id: `layer3-meta-agent-skipped-${resource.id}`,
+                                    severity: "INFO",
+                                    description: `Deep scan meta-agent command skipped for ${resource.id}`,
+                                }),
+                            };
+                        }
+                        if (!deps.runMetaAgentCommand) {
+                            throw new Error("Meta-agent command runner not configured");
+                        }
+                        executedMetaAgentCommands += 1;
+                        const commandResult = await deps.runMetaAgentCommand(commandContext);
+                        if (commandResult.code !== 0) {
+                            return {
+                                ...fetched,
+                                metadata: withMetaAgentFinding(fetched.metadata, {
+                                    id: `layer3-meta-agent-command-error-${resource.id}`,
+                                    severity: "LOW",
+                                    description: `Deep scan meta-agent command failed for ${resource.id}`,
+                                    evidence: commandResult.stderr || `exit code: ${commandResult.code}`,
+                                }),
+                            };
+                        }
+                        const parsedOutput = parseMetaAgentOutput(commandResult.stdout);
+                        if (parsedOutput === null) {
+                            return {
+                                ...fetched,
+                                metadata: withMetaAgentFinding(fetched.metadata, {
+                                    id: `layer3-meta-agent-parse-error-${resource.id}`,
+                                    severity: "LOW",
+                                    description: `Deep scan meta-agent output was not valid JSON for ${resource.id}`,
+                                    evidence: commandResult.stdout.slice(0, 400),
+                                }),
+                            };
+                        }
+                        const normalizedOutput = Array.isArray(parsedOutput)
+                            ? { findings: parsedOutput }
+                            : parsedOutput;
+                        return {
+                            ...fetched,
+                            metadata: mergeMetaAgentMetadata(fetched.metadata, normalizedOutput),
+                        };
+                    });
+                    const layer3Findings = layer3OutcomesToFindings(outcomes, {
+                        unicodeAnalysis: input.config.unicode_analysis,
+                    });
+                    report = mergeLayer3Findings(report, layer3Findings);
+                    if (selectedAgent) {
+                        if (resourcesWithFetchedMetadata === 0) {
+                            deepScanNotes.push("Selected meta-agent was not executed because no approved resources returned metadata successfully.");
+                        }
+                        else if (executedMetaAgentCommands === 0) {
+                            deepScanNotes.push("Selected meta-agent was not executed because meta-agent command execution was not approved.");
+                        }
+                        else {
+                            const suffix = executedMetaAgentCommands === 1 ? "" : "s";
+                            deepScanNotes.push(`Deep scan meta-agent executed for ${executedMetaAgentCommands} resource${suffix}.`);
+                        }
+                    }
+                }
+                if (localTextTargets.length > 0) {
+                    if (!selectedAgent) {
+                        deepScanNotes.push("Local instruction-file analysis skipped because no meta-agent was selected.");
+                    }
+                    else if (!supportsToollessLocalTextAnalysis(selectedAgent.metaTool)) {
+                        deepScanNotes.push("Local instruction-file analysis was skipped because the selected agent does not support tool-less analysis.");
+                    }
+                    else {
+                        // Local instruction files are analyzed as inert text only; referenced URLs stay as evidence, not inputs.
+                        if (!deps.runMetaAgentCommand) {
+                            throw new Error("Meta-agent command runner not configured");
+                        }
+                        const isolatedWorkingDirectory = mkdtempSync(join(tmpdir(), "codegate-local-analysis-"));
+                        let executedLocalAnalyses = 0;
+                        try {
+                            for (const target of localTextTargets) {
+                                const prompt = buildLocalTextAnalysisPrompt({
+                                    filePath: target.reportPath,
+                                    textContent: buildPromptEvidenceText(target.textContent),
+                                    referencedUrls: target.referencedUrls,
+                                });
+                                const command = buildMetaAgentCommand({
+                                    tool: selectedAgent.metaTool,
+                                    prompt,
+                                    workingDirectory: isolatedWorkingDirectory,
+                                    binaryPath: selectedAgent.binary,
+                                });
+                                command.timeoutMs = 60_000;
+                                const commandContext = {
+                                    localFile: target,
+                                    agent: selectedAgent,
+                                    command,
+                                };
+                                const approvedCommand = input.options.force ||
+                                    (deps.requestMetaAgentCommandConsent
+                                        ? await deps.requestMetaAgentCommandConsent(commandContext)
+                                        : false);
+                                if (!approvedCommand) {
+                                    continue;
+                                }
+                                executedLocalAnalyses += 1;
+                                const commandResult = await deps.runMetaAgentCommand(commandContext);
+                                if (commandResult.code !== 0) {
+                                    deepScanNotes.push(`Local instruction-file analysis failed for ${target.reportPath}: ${commandResult.stderr || `exit code: ${commandResult.code}`}`);
+                                    continue;
+                                }
+                                const parsedOutput = parseMetaAgentOutput(commandResult.stdout);
+                                if (parsedOutput === null) {
+                                    deepScanNotes.push(`Local instruction-file analysis returned invalid JSON for ${target.reportPath}.`);
+                                    continue;
+                                }
+                                const normalizedOutput = Array.isArray(parsedOutput)
+                                    ? { findings: parsedOutput }
+                                    : parsedOutput;
+                                const localFindings = parseLocalTextFindings(target.reportPath, normalizedOutput);
+                                report = mergeLayer3Findings(report, localFindings);
+                            }
+                        }
+                        finally {
+                            rmSync(isolatedWorkingDirectory, { recursive: true, force: true });
+                        }
+                        if (executedLocalAnalyses > 0) {
+                            const suffix = executedLocalAnalyses === 1 ? "" : "s";
+                            deepScanNotes.push(`Local instruction-file analysis executed for ${executedLocalAnalyses} file${suffix}.`);
+                        }
+                    }
+                }
+            }
+        }
+        report = applyConfigPolicy(report, input.config);
+        const remediationRequested = input.options.remediate ||
+            input.options.fixSafe ||
+            input.options.dryRun ||
+            input.options.patch;
+        let remediationResult = null;
+        const executeRemediation = async () => {
+            if (!deps.runRemediation) {
+                throw new Error("Remediation runner not configured");
+            }
+            const nextResult = await deps.runRemediation({
+                scanTarget: input.scanTarget,
+                report,
+                config: input.config,
+                flags: {
+                    remediate: input.options.remediate,
+                    fixSafe: input.options.fixSafe,
+                    dryRun: input.options.dryRun,
+                    patch: input.options.patch,
+                    output: input.options.output,
+                },
+                isTTY: deps.isTTY(),
+            });
+            remediationResult = nextResult;
+            report = nextResult.report;
+            if (nextResult.patchContent) {
+                deps.stdout(nextResult.patchContent);
+            }
+            if (nextResult.patchPath) {
+                deps.stdout(`Patch written: ${nextResult.patchPath}`);
+            }
+        };
+        if (remediationRequested) {
+            const beforeRemediation = report;
+            const hasFixableFindings = report.summary.fixable > 0;
+            if (!hasFixableFindings &&
+                input.options.remediate === true &&
+                input.options.fixSafe !== true &&
+                input.options.dryRun !== true &&
+                input.options.patch !== true) {
+                deps.stdout("No fixable findings available for remediation.");
+            }
+            else {
+                const needsConsent = input.options.remediate === true &&
+                    input.options.dryRun !== true &&
+                    input.options.force !== true &&
+                    interactivePromptsEnabled &&
+                    hasFixableFindings;
+                if (needsConsent) {
+                    const context = {
+                        scanTarget: input.scanTarget,
+                        totalFindings: report.summary.total,
+                        fixableFindings: report.summary.fixable,
+                        criticalFindings: report.summary.by_severity.CRITICAL ?? 0,
+                    };
+                    const approved = deps.requestRemediationConsent
+                        ? await deps.requestRemediationConsent(context)
+                        : false;
+                    if (approved) {
+                        await executeRemediation();
+                    }
+                    else {
+                        deps.stdout("Remediation skipped by user.");
+                    }
+                }
+                else {
+                    await executeRemediation();
+                }
+                if (remediationResult) {
+                    for (const line of remediationSummaryLines({
+                        scanTarget: input.scanTarget,
+                        options: input.options,
+                        before: beforeRemediation,
+                        result: remediationResult,
+                    })) {
+                        deps.stdout(line);
+                    }
+                }
+            }
+        }
+        const shouldUseTui = input.config.output_format === "terminal" &&
+            input.config.tui.enabled &&
+            !input.options.output &&
+            deps.isTTY() &&
+            deps.renderTui !== undefined;
+        if (shouldUseTui) {
+            deps.renderTui?.({ view: "dashboard", report, notices: deepScanNotes });
+            deps.renderTui?.({ view: "summary", report });
+        }
+        else {
+            if (deepScanNotes.length > 0) {
+                for (const note of deepScanNotes) {
+                    deps.stdout(note);
+                }
+            }
+            const rendered = renderByFormat(input.config.output_format, report, {
+                verbose: input.options.verbose,
+            });
+            if (input.options.output) {
+                deps.writeFile(resolve(input.cwd, input.options.output), rendered);
+            }
+            else {
+                deps.stdout(rendered);
+            }
+        }
+        deps.setExitCode(report.summary.exit_code);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        deps.stderr(`Scan failed: ${message}`);
+        deps.setExitCode(3);
+    }
+}

package/dist/commands/undo.d.ts

@@ -0,0 +1,5 @@
+import { type RestoreBackupSessionResult } from "../layer4-remediation/backup-manager.js";
+export interface UndoLatestSessionInput {
+    projectRoot: string;
+}
+export declare function undoLatestSession(input: UndoLatestSessionInput): RestoreBackupSessionResult;

package/dist/commands/undo.js

@@ -0,0 +1,14 @@
+import { resolve } from "node:path";
+import { listBackupSessions, restoreBackupSession, } from "../layer4-remediation/backup-manager.js";
+export function undoLatestSession(input) {
+    const projectRoot = resolve(input.projectRoot);
+    const sessions = listBackupSessions(projectRoot);
+    if (sessions.length === 0) {
+        throw new Error("No backup sessions found.");
+    }
+    const latestSession = sessions[0];
+    return restoreBackupSession({
+        projectRoot,
+        sessionId: latestSession,
+    });
+}

package/dist/config.d.ts

@@ -0,0 +1,50 @@
+import type { Finding } from "./types/finding.js";
+import type { CodeGateReport } from "./types/report.js";
+export declare const OUTPUT_FORMATS: readonly ["terminal", "json", "sarif", "markdown", "html"];
+export type OutputFormat = (typeof OUTPUT_FORMATS)[number];
+export declare const SEVERITY_THRESHOLDS: readonly ["critical", "high", "medium", "low", "info"];
+export type SeverityThreshold = (typeof SEVERITY_THRESHOLDS)[number];
+export interface TuiConfig {
+    enabled: boolean;
+    colour_scheme: string;
+    compact_mode: boolean;
+}
+export interface ToolDiscoveryConfig {
+    preferred_agent: string;
+    agent_paths: Record<string, string>;
+    skip_tools: string[];
+}
+export interface CodeGateConfig {
+    severity_threshold: SeverityThreshold;
+    auto_proceed_below_threshold: boolean;
+    output_format: OutputFormat;
+    scan_state_path?: string;
+    scan_user_scope?: boolean;
+    tui: TuiConfig;
+    tool_discovery: ToolDiscoveryConfig;
+    trusted_directories: string[];
+    blocked_commands: string[];
+    known_safe_mcp_servers: string[];
+    known_safe_formatters: string[];
+    known_safe_lsp_servers: string[];
+    known_safe_hooks: string[];
+    unicode_analysis: boolean;
+    check_ide_settings: boolean;
+    owasp_mapping: boolean;
+    trusted_api_domains: string[];
+    suppress_findings: string[];
+}
+export interface CliConfigOverrides {
+    format?: OutputFormat;
+    configPath?: string;
+    noTui?: boolean;
+}
+export interface ResolveConfigOptions {
+    scanTarget: string;
+    homeDir?: string;
+    cli?: CliConfigOverrides;
+}
+export declare const DEFAULT_CONFIG: CodeGateConfig;
+export declare function resolveEffectiveConfig(options: ResolveConfigOptions): CodeGateConfig;
+export declare function computeExitCode(findings: Finding[], threshold: SeverityThreshold): number;
+export declare function applyConfigPolicy(report: CodeGateReport, config: CodeGateConfig): CodeGateReport;

package/dist/config.js

@@ -0,0 +1,187 @@
+import { existsSync, readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, resolve } from "node:path";
+import { parse as parseJsonc } from "jsonc-parser";
+import { applyReportSummary, computeExitCode as computeReportExitCode } from "./report-summary.js";
+export const OUTPUT_FORMATS = ["terminal", "json", "sarif", "markdown", "html"];
+export const SEVERITY_THRESHOLDS = ["critical", "high", "medium", "low", "info"];
+export const DEFAULT_CONFIG = {
+    severity_threshold: "high",
+    auto_proceed_below_threshold: true,
+    output_format: "terminal",
+    scan_state_path: "~/.codegate/scan-state.json",
+    scan_user_scope: true,
+    tui: {
+        enabled: true,
+        colour_scheme: "default",
+        compact_mode: false,
+    },
+    tool_discovery: {
+        preferred_agent: "claude",
+        agent_paths: {},
+        skip_tools: [],
+    },
+    trusted_directories: [],
+    blocked_commands: ["bash", "sh", "curl", "wget", "nc", "python", "node"],
+    known_safe_mcp_servers: [
+        "@anthropic/mcp-server-filesystem",
+        "@modelcontextprotocol/server-github",
+    ],
+    known_safe_formatters: ["prettier", "black", "gofmt", "rustfmt", "clang-format"],
+    known_safe_lsp_servers: ["typescript-language-server", "pyright", "rust-analyzer", "gopls"],
+    known_safe_hooks: [],
+    unicode_analysis: true,
+    check_ide_settings: true,
+    owasp_mapping: true,
+    trusted_api_domains: [],
+    suppress_findings: [],
+};
+function normalizeOutputFormat(value) {
+    if (!value) {
+        return undefined;
+    }
+    return OUTPUT_FORMATS.find((format) => format === value) ?? undefined;
+}
+function normalizeSeverityThreshold(value) {
+    if (!value) {
+        return undefined;
+    }
+    return SEVERITY_THRESHOLDS.find((threshold) => threshold === value) ?? undefined;
+}
+function normalizeOptionalPath(value) {
+    if (!value) {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : undefined;
+}
+function unique(values) {
+    const merged = values.flatMap((entry) => entry ?? []);
+    const seen = new Set();
+    const ordered = [];
+    for (const value of merged) {
+        if (typeof value !== "string") {
+            continue;
+        }
+        const trimmed = value.trim();
+        if (trimmed.length === 0 || seen.has(trimmed)) {
+            continue;
+        }
+        seen.add(trimmed);
+        ordered.push(trimmed);
+    }
+    return ordered;
+}
+function readConfigFile(path) {
+    if (!existsSync(path)) {
+        return {};
+    }
+    const raw = readFileSync(path, "utf8");
+    const parsed = parseJsonc(raw);
+    if (!parsed || typeof parsed !== "object") {
+        throw new Error(`Invalid config file: ${path}`);
+    }
+    return parsed;
+}
+function pickFirst(...values) {
+    for (const value of values) {
+        if (value !== undefined) {
+            return value;
+        }
+    }
+    return undefined;
+}
+export function resolveEffectiveConfig(options) {
+    const home = options.homeDir ?? homedir();
+    const scanTarget = resolve(options.scanTarget);
+    const globalConfigPath = options.cli?.configPath ?? join(home, ".codegate", "config.json");
+    const globalConfig = readConfigFile(globalConfigPath);
+    const projectConfig = readConfigFile(join(scanTarget, ".codegate.json"));
+    const severity_threshold = pickFirst(normalizeSeverityThreshold(undefined), normalizeSeverityThreshold(projectConfig.severity_threshold), normalizeSeverityThreshold(globalConfig.severity_threshold), DEFAULT_CONFIG.severity_threshold) ?? DEFAULT_CONFIG.severity_threshold;
+    const output_format = pickFirst(options.cli?.format, normalizeOutputFormat(projectConfig.output_format), normalizeOutputFormat(globalConfig.output_format), DEFAULT_CONFIG.output_format) ?? DEFAULT_CONFIG.output_format;
+    return {
+        severity_threshold,
+        auto_proceed_below_threshold: pickFirst(projectConfig.auto_proceed_below_threshold, globalConfig.auto_proceed_below_threshold, DEFAULT_CONFIG.auto_proceed_below_threshold) ?? DEFAULT_CONFIG.auto_proceed_below_threshold,
+        output_format,
+        scan_state_path: pickFirst(normalizeOptionalPath(projectConfig.scan_state_path), normalizeOptionalPath(globalConfig.scan_state_path), normalizeOptionalPath(DEFAULT_CONFIG.scan_state_path)) ?? undefined,
+        scan_user_scope: pickFirst(projectConfig.scan_user_scope, globalConfig.scan_user_scope, DEFAULT_CONFIG.scan_user_scope) ?? DEFAULT_CONFIG.scan_user_scope,
+        tui: {
+            enabled: options.cli?.noTui
+                ? false
+                : (pickFirst(projectConfig.tui?.enabled, globalConfig.tui?.enabled, DEFAULT_CONFIG.tui.enabled) ?? DEFAULT_CONFIG.tui.enabled),
+            colour_scheme: pickFirst(projectConfig.tui?.colour_scheme, globalConfig.tui?.colour_scheme, DEFAULT_CONFIG.tui.colour_scheme) ?? DEFAULT_CONFIG.tui.colour_scheme,
+            compact_mode: pickFirst(projectConfig.tui?.compact_mode, globalConfig.tui?.compact_mode, DEFAULT_CONFIG.tui.compact_mode) ?? DEFAULT_CONFIG.tui.compact_mode,
+        },
+        tool_discovery: {
+            preferred_agent: pickFirst(projectConfig.tool_discovery?.preferred_agent, globalConfig.tool_discovery?.preferred_agent, DEFAULT_CONFIG.tool_discovery.preferred_agent) ?? DEFAULT_CONFIG.tool_discovery.preferred_agent,
+            agent_paths: {
+                ...DEFAULT_CONFIG.tool_discovery.agent_paths,
+                ...(globalConfig.tool_discovery?.agent_paths ?? {}),
+                ...(projectConfig.tool_discovery?.agent_paths ?? {}),
+            },
+            skip_tools: unique([
+                DEFAULT_CONFIG.tool_discovery.skip_tools,
+                globalConfig.tool_discovery?.skip_tools,
+                projectConfig.tool_discovery?.skip_tools,
+            ]),
+        },
+        trusted_directories: unique([
+            DEFAULT_CONFIG.trusted_directories,
+            globalConfig.trusted_directories,
+            // Project config cannot set trusted directories.
+        ]),
+        blocked_commands: unique([
+            DEFAULT_CONFIG.blocked_commands,
+            globalConfig.blocked_commands,
+            projectConfig.blocked_commands,
+        ]),
+        known_safe_mcp_servers: unique([
+            DEFAULT_CONFIG.known_safe_mcp_servers,
+            globalConfig.known_safe_mcp_servers,
+            projectConfig.known_safe_mcp_servers,
+        ]),
+        known_safe_formatters: unique([
+            DEFAULT_CONFIG.known_safe_formatters,
+            globalConfig.known_safe_formatters,
+            projectConfig.known_safe_formatters,
+        ]),
+        known_safe_lsp_servers: unique([
+            DEFAULT_CONFIG.known_safe_lsp_servers,
+            globalConfig.known_safe_lsp_servers,
+            projectConfig.known_safe_lsp_servers,
+        ]),
+        known_safe_hooks: unique([
+            DEFAULT_CONFIG.known_safe_hooks,
+            globalConfig.known_safe_hooks,
+            projectConfig.known_safe_hooks,
+        ]),
+        unicode_analysis: pickFirst(projectConfig.unicode_analysis, globalConfig.unicode_analysis, DEFAULT_CONFIG.unicode_analysis) ?? DEFAULT_CONFIG.unicode_analysis,
+        check_ide_settings: pickFirst(projectConfig.check_ide_settings, globalConfig.check_ide_settings, DEFAULT_CONFIG.check_ide_settings) ?? DEFAULT_CONFIG.check_ide_settings,
+        owasp_mapping: pickFirst(projectConfig.owasp_mapping, globalConfig.owasp_mapping, DEFAULT_CONFIG.owasp_mapping) ?? DEFAULT_CONFIG.owasp_mapping,
+        trusted_api_domains: unique([
+            DEFAULT_CONFIG.trusted_api_domains,
+            globalConfig.trusted_api_domains,
+            projectConfig.trusted_api_domains,
+        ]),
+        suppress_findings: unique([
+            DEFAULT_CONFIG.suppress_findings,
+            globalConfig.suppress_findings,
+            projectConfig.suppress_findings,
+        ]),
+    };
+}
+export function computeExitCode(findings, threshold) {
+    return computeReportExitCode(findings, threshold);
+}
+export function applyConfigPolicy(report, config) {
+    const suppressionSet = new Set(config.suppress_findings);
+    const findings = report.findings.map((finding) => ({
+        ...finding,
+        owasp: config.owasp_mapping ? finding.owasp : [],
+        suppressed: finding.suppressed || suppressionSet.has(finding.finding_id),
+    }));
+    return applyReportSummary({
+        ...report,
+        findings,
+    }, config.severity_threshold);
+}

package/dist/index.d.ts

@@ -0,0 +1 @@
+export declare const APP_NAME = "codegate";

package/dist/index.js

@@ -0,0 +1 @@
+export const APP_NAME = "codegate";