cto-ai-cli 1.3.0 → 3.0.1

package/dist/govern/index.js

@@ -0,0 +1,662 @@
+// src/govern/audit.ts
+import { randomUUID, createHash } from "crypto";
+import { readdir, chmod } from "fs/promises";
+import { join } from "path";
+import { userInfo } from "os";
+import { homedir } from "os";
+var CTO_DIR = ".cto-ai";
+var AUDIT_DIR = "audit";
+var MAX_ENTRIES_PER_FILE = 500;
+function getAuditDir() {
+  return join(homedir(), CTO_DIR, AUDIT_DIR);
+}
+function getCurrentAuditFile() {
+  const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0].replace(/-/g, "");
+  return join(getAuditDir(), `audit_${date}.json`);
+}
+function computeIntegrityHash(entry) {
+  const payload = JSON.stringify({
+    id: entry.id,
+    timestamp: entry.timestamp,
+    action: entry.action,
+    user: entry.user,
+    projectPath: entry.projectPath,
+    details: entry.details
+  });
+  return createHash("sha256").update(payload).digest("hex");
+}
+async function ensureDir(dirPath) {
+  const { mkdir } = await import("fs/promises");
+  await mkdir(dirPath, { recursive: true });
+}
+async function readJSON(filePath) {
+  const { readFile: readFile4 } = await import("fs/promises");
+  try {
+    const content = await readFile4(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function writeJSON(filePath, data) {
+  const { writeFile } = await import("fs/promises");
+  await ensureDir(join(filePath, ".."));
+  await writeFile(filePath, JSON.stringify(data, null, 2), "utf-8");
+}
+async function logAudit(action, projectPath, details = {}) {
+  const auditDir = getAuditDir();
+  await ensureDir(auditDir);
+  let currentUser;
+  try {
+    currentUser = userInfo().username;
+  } catch {
+    currentUser = process.env.USER ?? process.env.USERNAME ?? "unknown";
+  }
+  const partialEntry = {
+    id: randomUUID().substring(0, 12),
+    timestamp: /* @__PURE__ */ new Date(),
+    action,
+    user: currentUser,
+    projectPath,
+    details
+  };
+  const entry = {
+    ...partialEntry,
+    integrityHash: computeIntegrityHash(partialEntry)
+  };
+  const auditFile = getCurrentAuditFile();
+  let entries = await readJSON(auditFile) ?? [];
+  entries.push(entry);
+  if (entries.length > MAX_ENTRIES_PER_FILE) {
+    entries = entries.slice(-MAX_ENTRIES_PER_FILE);
+  }
+  await writeJSON(auditFile, entries);
+  try {
+    await chmod(auditFile, 384);
+  } catch {
+  }
+  return entry;
+}
+async function getAuditEntries(options = {}) {
+  const auditDir = getAuditDir();
+  let files;
+  try {
+    files = await readdir(auditDir);
+  } catch {
+    return [];
+  }
+  const auditFiles = files.filter((f) => f.startsWith("audit_") && f.endsWith(".json")).sort().reverse();
+  const allEntries = [];
+  const limit = options.limit ?? 100;
+  for (const file of auditFiles) {
+    if (allEntries.length >= limit) break;
+    const entries = await readJSON(join(auditDir, file));
+    if (!entries) continue;
+    for (const entry of entries.reverse()) {
+      if (allEntries.length >= limit) break;
+      if (options.projectPath && entry.projectPath !== options.projectPath) continue;
+      if (options.action && entry.action !== options.action) continue;
+      if (options.since && new Date(entry.timestamp) < options.since) continue;
+      allEntries.push(entry);
+    }
+  }
+  return allEntries;
+}
+function verifyAuditEntry(entry) {
+  const { integrityHash, ...rest } = entry;
+  const expected = computeIntegrityHash(rest);
+  return expected === integrityHash;
+}
+async function verifyAuditIntegrity() {
+  const entries = await getAuditEntries({ limit: 1e4 });
+  const invalidEntries = [];
+  for (const entry of entries) {
+    if (!verifyAuditEntry(entry)) {
+      invalidEntries.push(entry);
+    }
+  }
+  return {
+    totalEntries: entries.length,
+    validEntries: entries.length - invalidEntries.length,
+    invalidEntries
+  };
+}
+async function purgeOldAuditEntries(retentionDays) {
+  const auditDir = getAuditDir();
+  let files;
+  try {
+    files = await readdir(auditDir);
+  } catch {
+    return 0;
+  }
+  const cutoff = /* @__PURE__ */ new Date();
+  cutoff.setDate(cutoff.getDate() - retentionDays);
+  const cutoffStr = cutoff.toISOString().split("T")[0].replace(/-/g, "");
+  let purged = 0;
+  const { unlink } = await import("fs/promises");
+  for (const file of files) {
+    if (!file.startsWith("audit_") || !file.endsWith(".json")) continue;
+    const dateStr = file.replace("audit_", "").replace(".json", "");
+    if (dateStr < cutoffStr) {
+      try {
+        await unlink(join(auditDir, file));
+        purged++;
+      } catch {
+      }
+    }
+  }
+  return purged;
+}
+
+// src/govern/secrets.ts
+import { readFile } from "fs/promises";
+import { resolve, relative } from "path";
+var BUILTIN_PATTERNS = [
+  // API Keys
+  { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
+  { type: "api-key", source: "sk-[a-zA-Z0-9]{20,}", flags: "g", severity: "critical", description: "OpenAI/Anthropic API Key" },
+  { type: "api-key", source: "sk-ant-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "Anthropic API Key" },
+  // AWS
+  { type: "aws-key", source: "AKIA[0-9A-Z]{16}", flags: "g", severity: "critical", description: "AWS Access Key ID" },
+  { type: "aws-key", source: `(?:aws_secret_access_key|aws_secret)\\s*[:=]\\s*['"]?([a-zA-Z0-9/+=]{40})['"]?`, flags: "gi", severity: "critical", description: "AWS Secret Key" },
+  // Private Keys
+  { type: "private-key", source: "-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", flags: "g", severity: "critical", description: "Private Key" },
+  { type: "private-key", source: "-----BEGIN OPENSSH PRIVATE KEY-----", flags: "g", severity: "critical", description: "SSH Private Key" },
+  // Passwords
+  { type: "password", source: `(?:password|passwd|pwd)\\s*[:=]\\s*['"]([^'"]{8,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Hardcoded Password" },
+  { type: "password", source: `(?:DB_PASSWORD|DATABASE_PASSWORD|MYSQL_PASSWORD|POSTGRES_PASSWORD)\\s*[:=]\\s*['"]?([^'"{}\\s]{4,})['"]?`, flags: "gi", severity: "high", description: "Database Password" },
+  // Tokens
+  { type: "token", source: `(?:bearer|token|auth_token|access_token|refresh_token)\\s*[:=]\\s*['"]([a-zA-Z0-9_\\-.]{20,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Auth Token" },
+  { type: "token", source: "ghp_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub Personal Access Token" },
+  { type: "token", source: "gho_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub OAuth Token" },
+  { type: "token", source: "glpat-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "GitLab Personal Access Token" },
+  { type: "token", source: "npm_[a-zA-Z0-9]{36}", flags: "g", severity: "high", description: "npm Token" },
+  // Connection strings
+  { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
+  { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
+  // Environment variables with secrets
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+];
+function buildPatterns(customPatterns = []) {
+  const patterns = BUILTIN_PATTERNS.map((def) => ({
+    type: def.type,
+    pattern: new RegExp(def.source, def.flags),
+    severity: def.severity,
+    description: def.description
+  }));
+  for (const custom of customPatterns) {
+    try {
+      patterns.push({
+        type: "custom",
+        pattern: new RegExp(custom, "gi"),
+        severity: "medium",
+        description: `Custom pattern: ${custom}`
+      });
+    } catch {
+    }
+  }
+  return patterns;
+}
+function scanContentForSecrets(content, filePath, customPatterns = []) {
+  const findings = [];
+  const lines = content.split("\n");
+  const allPatterns = buildPatterns(customPatterns);
+  for (const secretPattern of allPatterns) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      secretPattern.pattern.lastIndex = 0;
+      let match;
+      while ((match = secretPattern.pattern.exec(line)) !== null) {
+        const matchText = match[0];
+        if (isTemplateOrPlaceholder(matchText)) continue;
+        findings.push({
+          type: secretPattern.type,
+          file: filePath,
+          line: i + 1,
+          match: matchText,
+          redacted: redactSecret(matchText),
+          severity: secretPattern.severity
+        });
+      }
+    }
+  }
+  return deduplicateFindings(findings);
+}
+async function scanFileForSecrets(filePath, projectPath, customPatterns = []) {
+  try {
+    const content = await readFile(filePath, "utf-8");
+    const relPath = relative(resolve(projectPath), resolve(filePath));
+    return scanContentForSecrets(content, relPath, customPatterns);
+  } catch {
+    return [];
+  }
+}
+async function scanProjectForSecrets(projectPath, filePaths, customPatterns = []) {
+  const allFindings = [];
+  for (const fp of filePaths) {
+    const findings = await scanFileForSecrets(fp, projectPath, customPatterns);
+    allFindings.push(...findings);
+  }
+  return allFindings.sort((a, b) => {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    return severityOrder[a.severity] - severityOrder[b.severity];
+  });
+}
+function sanitizeContent(content, customPatterns = []) {
+  let sanitized = content;
+  const allPatterns = buildPatterns(customPatterns);
+  for (const secretPattern of allPatterns) {
+    sanitized = sanitized.replace(secretPattern.pattern, (match) => {
+      if (isTemplateOrPlaceholder(match)) return match;
+      return redactSecret(match);
+    });
+  }
+  return sanitized;
+}
+function redactSecret(value) {
+  if (value.length <= 8) return "***REDACTED***";
+  const prefix = value.substring(0, 4);
+  const suffix = value.substring(value.length - 2);
+  return `${prefix}${"*".repeat(Math.min(value.length - 6, 20))}${suffix}`;
+}
+function isTemplateOrPlaceholder(value) {
+  const placeholders = [
+    /\$\{.*\}/,
+    /\{\{.*\}\}/,
+    /%[sd]/,
+    /<[A-Z_]+>/,
+    /YOUR_.*_HERE/i,
+    /\bCHANGE_ME\b/i,
+    /\bPLACEHOLDER\b/i,
+    /\bexample\b/i,
+    /\bTODO\b/i,
+    /xxx+/i,
+    /\breplace.?me\b/i,
+    /\bdummy\b/i,
+    /\btest_?key\b/i,
+    /\bsample\b/i
+  ];
+  return placeholders.some((p) => p.test(value));
+}
+function deduplicateFindings(findings) {
+  const seen = /* @__PURE__ */ new Set();
+  return findings.filter((f) => {
+    const key = `${f.file}:${f.line}:${f.type}:${f.match}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+// src/engine/graph-utils.ts
+function matchGlob(path, pattern) {
+  const regexStr = pattern.replace(/\./g, "\\.").replace(/\*\*/g, "\xA7\xA7").replace(/\*/g, "[^/]*").replace(/§§/g, ".*").replace(/\?/g, ".");
+  try {
+    return new RegExp(`^${regexStr}$`).test(path);
+  } catch {
+    return false;
+  }
+}
+
+// src/govern/policy.ts
+var DEFAULT_POLICY = {
+  version: "1.0",
+  name: "default",
+  rules: [
+    {
+      id: "no-env",
+      type: "exclude-always",
+      pattern: "**/*.env*",
+      reason: "Environment files must never be sent to AI",
+      enabled: true
+    },
+    {
+      id: "no-secrets",
+      type: "secret-block",
+      reason: "Files with detected secrets are blocked",
+      enabled: true
+    },
+    {
+      id: "min-coverage",
+      type: "coverage-minimum",
+      threshold: 70,
+      reason: "Warn if context coverage drops below 70%",
+      enabled: true
+    }
+  ]
+};
+function validateSelection(selection, policies, allFiles) {
+  const violations = [];
+  const warnings = [];
+  const includedPaths = new Set(selection.files.map((f) => f.relativePath));
+  for (const rule of policies.rules) {
+    if (!rule.enabled) continue;
+    switch (rule.type) {
+      case "exclude-always": {
+        if (!rule.pattern) break;
+        const violatingFiles = selection.files.filter(
+          (f) => matchGlob(f.relativePath, rule.pattern)
+        );
+        for (const f of violatingFiles) {
+          violations.push({
+            rule,
+            message: `File "${f.relativePath}" is included but matches exclude-always pattern "${rule.pattern}"`,
+            severity: "error"
+          });
+        }
+        break;
+      }
+      case "include-always": {
+        if (!rule.pattern || !allFiles) break;
+        const requiredFiles = allFiles.filter(
+          (f) => matchGlob(f.relativePath, rule.pattern)
+        );
+        for (const f of requiredFiles) {
+          if (!includedPaths.has(f.relativePath)) {
+            violations.push({
+              rule,
+              message: `File "${f.relativePath}" matches include-always pattern "${rule.pattern}" but is not included`,
+              severity: "warning"
+            });
+          }
+        }
+        break;
+      }
+      case "coverage-minimum": {
+        const threshold = rule.threshold ?? 70;
+        if (selection.coverage.score < threshold) {
+          warnings.push({
+            rule,
+            message: `Coverage ${selection.coverage.score}% is below minimum ${threshold}%`,
+            currentValue: selection.coverage.score,
+            threshold
+          });
+        }
+        break;
+      }
+      case "risk-maximum": {
+        const threshold = rule.threshold ?? 50;
+        if (selection.riskScore > threshold) {
+          warnings.push({
+            rule,
+            message: `Exclusion risk ${selection.riskScore}/100 exceeds maximum ${threshold}`,
+            currentValue: selection.riskScore,
+            threshold
+          });
+        }
+        break;
+      }
+      case "budget-limit": {
+        if (!rule.category || !rule.threshold) break;
+        const categoryFiles = selection.files.filter(
+          (f) => fileMatchesCategory(f.relativePath, rule.category)
+        );
+        const categoryTokens = categoryFiles.reduce((s, f) => s + f.tokens, 0);
+        const categoryPercent = selection.totalTokens > 0 ? categoryTokens / selection.totalTokens * 100 : 0;
+        if (categoryPercent > rule.threshold) {
+          warnings.push({
+            rule,
+            message: `Category "${rule.category}" uses ${Math.round(categoryPercent)}% of budget (max: ${rule.threshold}%)`,
+            currentValue: Math.round(categoryPercent),
+            threshold: rule.threshold
+          });
+        }
+        break;
+      }
+    }
+  }
+  return {
+    passed: violations.filter((v) => v.severity === "error").length === 0,
+    violations,
+    warnings
+  };
+}
+function addRule(policies, rule) {
+  return {
+    ...policies,
+    rules: [...policies.rules, rule]
+  };
+}
+function removeRule(policies, ruleId) {
+  return {
+    ...policies,
+    rules: policies.rules.filter((r) => r.id !== ruleId)
+  };
+}
+function toggleRule(policies, ruleId, enabled) {
+  return {
+    ...policies,
+    rules: policies.rules.map(
+      (r) => r.id === ruleId ? { ...r, enabled } : r
+    )
+  };
+}
+function fileMatchesCategory(path, category) {
+  switch (category) {
+    case "test":
+      return /\.(test|spec)\.[jt]sx?$/.test(path) || /\/__tests__\//.test(path) || /\/tests?\//.test(path);
+    case "config":
+      return /\.(config|rc)\.[jt]s$/.test(path) || /\.json$/.test(path) || /\.ya?ml$/.test(path);
+    case "docs":
+      return /\.(md|txt|rst)$/.test(path);
+    case "types":
+      return /types?\//i.test(path) || /\.d\.ts$/.test(path);
+    default:
+      return path.includes(category);
+  }
+}
+
+// src/govern/snapshot.ts
+import { randomUUID as randomUUID2, createHash as createHash2 } from "crypto";
+import "fs/promises";
+function createSnapshot(name, analysis, selection, metadata = {}) {
+  const files = selection.files.map((f) => ({
+    relativePath: f.relativePath,
+    hash: hashString(`${f.relativePath}:${f.tokens}:${f.pruneLevel}`),
+    tokens: f.tokens,
+    pruneLevel: f.pruneLevel
+  }));
+  const snapshotData = files.map((f) => `${f.relativePath}:${f.hash}:${f.pruneLevel}`).sort().join("|");
+  return {
+    id: randomUUID2().substring(0, 8),
+    name,
+    createdAt: /* @__PURE__ */ new Date(),
+    hash: hashString(snapshotData),
+    projectHash: analysis.hash,
+    analysisHash: analysis.hash,
+    selectionHash: selection.hash,
+    files,
+    totalTokens: selection.totalTokens,
+    coverageScore: selection.coverage.score,
+    riskScore: selection.riskScore,
+    metadata
+  };
+}
+async function verifySnapshot(snapshot, currentAnalysis, currentSelection) {
+  const currentFiles = new Map(
+    currentSelection.files.map((f) => [f.relativePath, f])
+  );
+  let filesMatched = 0;
+  const filesMissing = [];
+  const filesChanged = [];
+  for (const snapFile of snapshot.files) {
+    const current = currentFiles.get(snapFile.relativePath);
+    if (!current) {
+      filesMissing.push(snapFile.relativePath);
+      continue;
+    }
+    const currentHash2 = hashString(
+      `${current.relativePath}:${current.tokens}:${current.pruneLevel}`
+    );
+    if (currentHash2 === snapFile.hash) {
+      filesMatched++;
+    } else {
+      filesChanged.push(snapFile.relativePath);
+    }
+  }
+  const currentSnapshotData = snapshot.files.map((f) => {
+    const current = currentFiles.get(f.relativePath);
+    if (!current) return `${f.relativePath}:MISSING:MISSING`;
+    return `${current.relativePath}:${hashString(`${current.relativePath}:${current.tokens}:${current.pruneLevel}`)}:${current.pruneLevel}`;
+  }).sort().join("|");
+  const currentHash = hashString(currentSnapshotData);
+  const integrityOk = currentHash === snapshot.hash && filesMissing.length === 0 && filesChanged.length === 0;
+  return {
+    valid: integrityOk,
+    snapshotId: snapshot.id,
+    filesChecked: snapshot.files.length,
+    filesMatched,
+    filesMissing,
+    filesChanged,
+    integrityOk
+  };
+}
+function compareSnapshots(older, newer) {
+  const olderFiles = new Map(older.files.map((f) => [f.relativePath, f]));
+  const newerFiles = new Map(newer.files.map((f) => [f.relativePath, f]));
+  const added = [];
+  const removed = [];
+  const changed = [];
+  for (const [path, file] of newerFiles) {
+    const old = olderFiles.get(path);
+    if (!old) {
+      added.push(path);
+    } else if (old.hash !== file.hash) {
+      changed.push(path);
+    }
+  }
+  for (const path of olderFiles.keys()) {
+    if (!newerFiles.has(path)) {
+      removed.push(path);
+    }
+  }
+  return {
+    added,
+    removed,
+    changed,
+    tokenDelta: newer.totalTokens - older.totalTokens,
+    coverageDelta: newer.coverageScore - older.coverageScore,
+    riskDelta: newer.riskScore - older.riskScore
+  };
+}
+function hashString(input) {
+  return createHash2("sha256").update(input).digest("hex").substring(0, 16);
+}
+
+// src/govern/integrity.ts
+import { createHash as createHash3 } from "crypto";
+import { readFile as readFile3, chmod as chmod2, readdir as readdir2, stat } from "fs/promises";
+import { join as join2 } from "path";
+function hashContent(content) {
+  return createHash3("sha256").update(content).digest("hex");
+}
+async function hashFile(filePath) {
+  try {
+    const content = await readFile3(filePath);
+    return hashContent(content);
+  } catch {
+    return null;
+  }
+}
+async function buildManifest(projectDir) {
+  const entries = [];
+  async function scanDir(dir, type) {
+    let files;
+    try {
+      files = await readdir2(dir);
+    } catch {
+      return;
+    }
+    for (const file of files) {
+      const fullPath = join2(dir, file);
+      try {
+        const fileStat = await stat(fullPath);
+        if (fileStat.isFile()) {
+          const hash = await hashFile(fullPath);
+          if (hash) {
+            entries.push({
+              filePath: fullPath,
+              hash,
+              size: fileStat.size,
+              createdAt: fileStat.mtime,
+              type
+            });
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  await scanDir(join2(projectDir, "snapshots"), "snapshot");
+  await scanDir(join2(projectDir, "audit"), "audit");
+  await scanDir(projectDir, "config");
+  return {
+    version: "2.0",
+    createdAt: /* @__PURE__ */ new Date(),
+    entries
+  };
+}
+async function verifyManifest(manifest) {
+  const invalidFiles = [];
+  const missingFiles = [];
+  for (const entry of manifest.entries) {
+    const currentHash = await hashFile(entry.filePath);
+    if (currentHash === null) {
+      missingFiles.push(entry.filePath);
+    } else if (currentHash !== entry.hash) {
+      invalidFiles.push(entry.filePath);
+    }
+  }
+  return {
+    totalFiles: manifest.entries.length,
+    validFiles: manifest.entries.length - invalidFiles.length - missingFiles.length,
+    invalidFiles,
+    missingFiles
+  };
+}
+async function securePermissions(dirPath) {
+  let count = 0;
+  try {
+    await chmod2(dirPath, 448);
+    count++;
+    const files = await readdir2(dirPath);
+    for (const file of files) {
+      try {
+        const fullPath = join2(dirPath, file);
+        const fileStat = await stat(fullPath);
+        if (fileStat.isFile()) {
+          await chmod2(fullPath, 384);
+          count++;
+        }
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return count;
+}
+export {
+  DEFAULT_POLICY,
+  addRule,
+  buildManifest,
+  compareSnapshots,
+  createSnapshot,
+  getAuditEntries,
+  hashContent,
+  hashFile,
+  logAudit,
+  purgeOldAuditEntries,
+  removeRule,
+  sanitizeContent,
+  scanContentForSecrets,
+  scanFileForSecrets,
+  scanProjectForSecrets,
+  securePermissions,
+  toggleRule,
+  validateSelection,
+  verifyAuditEntry,
+  verifyAuditIntegrity,
+  verifyManifest,
+  verifySnapshot
+};
+//# sourceMappingURL=index.js.map