cto-ai-cli 3.0.2 → 3.2.0

package/dist/govern/index.d.ts

@@ -0,0 +1,284 @@
+interface AuditEntry {
+    id: string;
+    timestamp: Date;
+    action: AuditAction;
+    user: string;
+    projectPath: string;
+    contextHash?: string;
+    filesIncluded?: number;
+    filesExcluded?: number;
+    tokensUsed?: number;
+    coverageScore?: number;
+    riskScore?: number;
+    model?: string;
+    estimatedCost?: number;
+    integrityHash: string;
+    details: Record<string, unknown>;
+}
+type AuditAction = 'init' | 'analyze' | 'interact' | 'snapshot-create' | 'snapshot-verify' | 'policy-change' | 'secret-detected' | 'integrity-check';
+interface PolicySet {
+    version: string;
+    name: string;
+    rules: PolicyRule[];
+}
+interface PolicyRule {
+    id: string;
+    type: PolicyRuleType;
+    pattern?: string;
+    threshold?: number;
+    category?: string;
+    reason: string;
+    enabled: boolean;
+}
+type PolicyRuleType = 'include-always' | 'exclude-always' | 'budget-limit' | 'coverage-minimum' | 'risk-maximum' | 'secret-block';
+interface PolicyValidation {
+    passed: boolean;
+    violations: PolicyViolation[];
+    warnings: PolicyWarning[];
+}
+interface PolicyViolation {
+    rule: PolicyRule;
+    message: string;
+    severity: 'error' | 'warning';
+}
+interface PolicyWarning {
+    rule: PolicyRule;
+    message: string;
+    currentValue: number;
+    threshold: number;
+}
+interface ContextSnapshot {
+    id: string;
+    name: string;
+    createdAt: Date;
+    hash: string;
+    projectHash: string;
+    analysisHash: string;
+    selectionHash: string;
+    files: SnapshotFile[];
+    totalTokens: number;
+    coverageScore: number;
+    riskScore: number;
+    metadata: Record<string, unknown>;
+}
+interface SnapshotFile {
+    relativePath: string;
+    hash: string;
+    tokens: number;
+    pruneLevel: string;
+}
+interface SnapshotVerification {
+    valid: boolean;
+    snapshotId: string;
+    filesChecked: number;
+    filesMatched: number;
+    filesMissing: string[];
+    filesChanged: string[];
+    integrityOk: boolean;
+}
+interface SecretFinding {
+    type: SecretType;
+    file: string;
+    line: number;
+    match: string;
+    redacted: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+}
+type SecretType = 'api-key' | 'aws-key' | 'private-key' | 'password' | 'token' | 'connection-string' | 'env-variable' | 'pii' | 'high-entropy' | 'custom';
+interface IntegrityManifest {
+    version: string;
+    createdAt: Date;
+    entries: IntegrityEntry[];
+}
+interface IntegrityEntry {
+    filePath: string;
+    hash: string;
+    size: number;
+    createdAt: Date;
+    type: 'snapshot' | 'audit' | 'config' | 'policy';
+}
+
+declare function logAudit(action: AuditAction, projectPath: string, details?: Record<string, unknown>): Promise<AuditEntry>;
+declare function getAuditEntries(options?: {
+    projectPath?: string;
+    action?: AuditAction;
+    since?: Date;
+    limit?: number;
+}): Promise<AuditEntry[]>;
+declare function verifyAuditEntry(entry: AuditEntry): boolean;
+declare function verifyAuditIntegrity(): Promise<{
+    totalEntries: number;
+    validEntries: number;
+    invalidEntries: AuditEntry[];
+}>;
+declare function purgeOldAuditEntries(retentionDays: number): Promise<number>;
+
+declare function scanContentForSecrets(content: string, filePath: string, customPatterns?: string[]): SecretFinding[];
+declare function scanFileForSecrets(filePath: string, projectPath: string, customPatterns?: string[]): Promise<SecretFinding[]>;
+declare function scanProjectForSecrets(projectPath: string, filePaths: string[], customPatterns?: string[]): Promise<SecretFinding[]>;
+declare function sanitizeContent(content: string, customPatterns?: string[]): string;
+declare function scanContentForHighEntropy(content: string, filePath: string, threshold?: number): SecretFinding[];
+interface AuditResult {
+    findings: SecretFinding[];
+    summary: {
+        totalFiles: number;
+        filesScanned: number;
+        filesWithSecrets: number;
+        totalFindings: number;
+        bySeverity: {
+            critical: number;
+            high: number;
+            medium: number;
+            low: number;
+        };
+        byType: Record<string, number>;
+    };
+    recommendations: string[];
+}
+declare function auditProject(projectPath: string, filePaths: string[], options?: {
+    customPatterns?: string[];
+    entropyThreshold?: number;
+    includePII?: boolean;
+}): Promise<AuditResult>;
+
+interface AnalyzedFile {
+    path: string;
+    relativePath: string;
+    extension: string;
+    size: number;
+    tokens: number;
+    lines: number;
+    lastModified: Date;
+    kind: FileKind;
+    imports: string[];
+    importedBy: string[];
+    isHub: boolean;
+    complexity: number;
+    riskScore: number;
+    riskFactors: RiskFactor[];
+    exclusionImpact: ExclusionImpact;
+}
+type FileKind = 'source' | 'type' | 'test' | 'config' | 'entry' | 'asset';
+type ExclusionImpact = 'critical' | 'high' | 'medium' | 'low' | 'none';
+interface ProjectAnalysis {
+    projectPath: string;
+    projectName: string;
+    analyzedAt: Date;
+    hash: string;
+    files: AnalyzedFile[];
+    totalFiles: number;
+    totalTokens: number;
+    graph: ProjectGraph;
+    riskProfile: RiskProfile;
+    stack: string[];
+    tokenMethod: 'chars4' | 'tiktoken';
+}
+interface ProjectGraph {
+    nodes: string[];
+    edges: GraphEdge[];
+    hubs: HubNode[];
+    leaves: string[];
+    orphans: string[];
+    clusters: FileCluster[];
+}
+interface GraphEdge {
+    from: string;
+    to: string;
+    type: 'import' | 'export' | 're-export';
+}
+interface HubNode {
+    relativePath: string;
+    dependents: number;
+    dependencies: number;
+    score: number;
+}
+interface FileCluster {
+    id: string;
+    name: string;
+    files: string[];
+    totalTokens: number;
+    internalEdges: number;
+    externalEdges: number;
+    cohesion: number;
+}
+interface RiskProfile {
+    distribution: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+    };
+    topRiskFiles: AnalyzedFile[];
+    overallComplexity: number;
+}
+interface RiskFactor {
+    type: RiskFactorType;
+    score: number;
+    weight: number;
+    detail: string;
+}
+type RiskFactorType = 'hub' | 'type-provider' | 'complexity' | 'recency' | 'config' | 'churn';
+interface CoverageResult {
+    score: number;
+    relevantFiles: string[];
+    includedRelevant: string[];
+    missingRelevant: string[];
+    missingCritical: string[];
+    explanation: string;
+}
+interface ContextSelection {
+    files: SelectedFile[];
+    totalTokens: number;
+    budget: number;
+    usedPercent: number;
+    coverage: CoverageResult;
+    riskScore: number;
+    deterministic: boolean;
+    hash: string;
+    decisions: SelectionDecision[];
+}
+interface SelectedFile {
+    relativePath: string;
+    tokens: number;
+    originalTokens: number;
+    pruneLevel: PruneLevel;
+    riskScore: number;
+    reason: string;
+}
+type PruneLevel = 'full' | 'signatures' | 'skeleton' | 'excluded';
+interface SelectionDecision {
+    file: string;
+    action: 'include-full' | 'include-signatures' | 'include-skeleton' | 'exclude';
+    reason: string;
+    alternatives?: string;
+}
+
+declare const DEFAULT_POLICY: PolicySet;
+declare function validateSelection(selection: ContextSelection, policies: PolicySet, allFiles?: AnalyzedFile[]): PolicyValidation;
+declare function addRule(policies: PolicySet, rule: PolicyRule): PolicySet;
+declare function removeRule(policies: PolicySet, ruleId: string): PolicySet;
+declare function toggleRule(policies: PolicySet, ruleId: string, enabled: boolean): PolicySet;
+
+declare function createSnapshot(name: string, analysis: ProjectAnalysis, selection: ContextSelection, metadata?: Record<string, unknown>): ContextSnapshot;
+declare function verifySnapshot(snapshot: ContextSnapshot, currentAnalysis: ProjectAnalysis, currentSelection: ContextSelection): Promise<SnapshotVerification>;
+declare function compareSnapshots(older: ContextSnapshot, newer: ContextSnapshot): {
+    added: string[];
+    removed: string[];
+    changed: string[];
+    tokenDelta: number;
+    coverageDelta: number;
+    riskDelta: number;
+};
+
+declare function hashContent(content: Buffer | string): string;
+declare function hashFile(filePath: string): Promise<string | null>;
+declare function buildManifest(projectDir: string): Promise<IntegrityManifest>;
+declare function verifyManifest(manifest: IntegrityManifest): Promise<{
+    totalFiles: number;
+    validFiles: number;
+    invalidFiles: string[];
+    missingFiles: string[];
+}>;
+declare function securePermissions(dirPath: string): Promise<number>;
+
+export { type AuditResult, DEFAULT_POLICY, addRule, auditProject, buildManifest, compareSnapshots, createSnapshot, getAuditEntries, hashContent, hashFile, logAudit, purgeOldAuditEntries, removeRule, sanitizeContent, scanContentForHighEntropy, scanContentForSecrets, scanFileForSecrets, scanProjectForSecrets, securePermissions, toggleRule, validateSelection, verifyAuditEntry, verifyAuditIntegrity, verifyManifest, verifySnapshot };

package/dist/govern/index.js

@@ -175,7 +175,29 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b\\d{3}[-.]?\\d{2}[-.]?\\d{4}\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
 function buildPatterns(customPatterns = []) {
   const patterns = BUILTIN_PATTERNS.map((def) => ({
@@ -287,6 +309,136 @@ function deduplicateFindings(findings) {
     return true;
   });
 }
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / str.length;
+    if (p > 0) entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var HIGH_ENTROPY_RE = /['"]([a-zA-Z0-9+/=_\-]{30,})['"]|=\s*['"]?([a-zA-Z0-9+/=_\-]{30,})['"]?/g;
+var ENTROPY_SKIP = [
+  /^[a-f0-9]{32,}$/i,
+  // hex hashes
+  /^[A-Z_]{30,}$/,
+  // all-caps constants
+  /^[a-z_]{30,}$/,
+  // all-lowercase identifiers
+  /^[a-zA-Z0-9+/]+=+$/,
+  // base64 padding
+  /^[a-z]+[A-Z][a-zA-Z]+$/,
+  // camelCase identifiers
+  /sha\d+-/i
+  // integrity hashes (sha256-, sha512-)
+];
+function scanContentForHighEntropy(content, filePath, threshold = 5) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.trim().startsWith("//") || line.trim().startsWith("#") || line.trim().startsWith("*")) continue;
+    HIGH_ENTROPY_RE.lastIndex = 0;
+    let match;
+    while ((match = HIGH_ENTROPY_RE.exec(line)) !== null) {
+      const value = match[1] || match[2];
+      if (!value || value.length < 40) continue;
+      if (isTemplateOrPlaceholder(value)) continue;
+      if (ENTROPY_SKIP.some((p) => p.test(value))) continue;
+      const entropy = shannonEntropy(value);
+      if (entropy >= threshold) {
+        findings.push({
+          type: "high-entropy",
+          file: filePath,
+          line: i + 1,
+          match: value,
+          redacted: redactSecret(value),
+          severity: entropy >= 5 ? "high" : "medium"
+        });
+      }
+    }
+  }
+  return deduplicateFindings(findings);
+}
+async function auditProject(projectPath, filePaths, options = {}) {
+  const { customPatterns = [], entropyThreshold = 4.5, includePII = true } = options;
+  const allFindings = [];
+  const filesWithSecrets = /* @__PURE__ */ new Set();
+  for (const fp of filePaths) {
+    try {
+      const content = await readFile(fp, "utf-8");
+      const relPath = relative(resolve(projectPath), resolve(fp));
+      const isTestFile = /\.(test|spec|mock)\.[jt]sx?$/.test(relPath) || relPath.includes("__tests__");
+      const isDtsFile = relPath.endsWith(".d.ts");
+      let findings = scanContentForSecrets(content, relPath, customPatterns);
+      if (!includePII) {
+        findings = findings.filter((f) => f.type !== "pii");
+      }
+      const entropyFindings = isTestFile || isDtsFile ? [] : scanContentForHighEntropy(content, relPath, entropyThreshold);
+      const combined = [...findings, ...entropyFindings];
+      if (combined.length > 0) {
+        filesWithSecrets.add(relPath);
+        allFindings.push(...combined);
+      }
+    } catch {
+    }
+  }
+  allFindings.sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byType = {};
+  for (const f of allFindings) {
+    bySeverity[f.severity]++;
+    byType[f.type] = (byType[f.type] || 0) + 1;
+  }
+  const recommendations = [];
+  if (bySeverity.critical > 0) {
+    recommendations.push("CRITICAL: Rotate all detected credentials immediately. They may already be compromised.");
+  }
+  if (byType["password"] > 0) {
+    recommendations.push("Move passwords to environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).");
+  }
+  if (byType["api-key"] > 0 || byType["aws-key"] > 0) {
+    recommendations.push("Use environment variables for API keys. Never commit them to source control.");
+  }
+  if (byType["connection-string"] > 0) {
+    recommendations.push("Database connection strings should use environment variables, not hardcoded values.");
+  }
+  if (byType["private-key"] > 0) {
+    recommendations.push("Private keys should NEVER be in source code. Use a key management service.");
+  }
+  if (byType["pii"] > 0) {
+    recommendations.push("PII detected. Review for GDPR/CCPA compliance. Consider data anonymization.");
+  }
+  if (byType["high-entropy"] > 0) {
+    recommendations.push("High-entropy strings detected that may be secrets. Review manually.");
+  }
+  if (allFindings.length > 0) {
+    recommendations.push("Add a .gitignore entry for .env files if not already present.");
+    recommendations.push("Run `npx cto-ai-cli --audit` regularly or add to CI pipeline.");
+  }
+  if (allFindings.length === 0) {
+    recommendations.push("No secrets detected. Great job keeping your codebase clean!");
+  }
+  return {
+    findings: allFindings,
+    summary: {
+      totalFiles: filePaths.length,
+      filesScanned: filePaths.length,
+      filesWithSecrets: filesWithSecrets.size,
+      totalFindings: allFindings.length,
+      bySeverity,
+      byType
+    },
+    recommendations
+  };
+}
 
 // src/engine/graph-utils.ts
 function matchGlob(path, pattern) {
@@ -638,6 +790,7 @@ async function securePermissions(dirPath) {
 export {
   DEFAULT_POLICY,
   addRule,
+  auditProject,
   buildManifest,
   compareSnapshots,
   createSnapshot,
@@ -648,6 +801,7 @@ export {
   purgeOldAuditEntries,
   removeRule,
   sanitizeContent,
+  scanContentForHighEntropy,
   scanContentForSecrets,
   scanFileForSecrets,
   scanProjectForSecrets,