cto-ai-cli 3.1.0 → 4.0.0

package/dist/engine/index.js

@@ -1360,11 +1360,13 @@ function emptyResult(baseBranch) {
 }
 
 // src/engine/selector.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 
 // src/govern/secrets.ts
 import { readFile as readFile4 } from "fs/promises";
-import { resolve as resolve6, relative as relative4 } from "path";
+import { readFileSync, existsSync as existsSync3, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve6, relative as relative4, join as join5, dirname as dirname2 } from "path";
+import { createHash as createHash3 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -1389,15 +1391,66 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -1411,7 +1464,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -1423,6 +1476,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -1470,6 +1524,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -1483,8 +1567,8 @@ function deduplicateFindings(findings) {
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile5 } from "fs/promises";
-import { existsSync as existsSync3 } from "fs";
-import { join as join5 } from "path";
+import { existsSync as existsSync4 } from "fs";
+import { join as join6 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file, level) {
   if (level === "excluded") {
@@ -1739,9 +1823,9 @@ function addJSDoc(node, parts) {
 function findTsConfig(filePath) {
   let dir = filePath;
   for (let i = 0; i < 10; i++) {
-    dir = join5(dir, "..");
-    const candidate = join5(dir, "tsconfig.json");
-    if (existsSync3(candidate)) return candidate;
+    dir = join6(dir, "..");
+    const candidate = join6(dir, "tsconfig.json");
+    if (existsSync4(candidate)) return candidate;
   }
   return void 0;
 }
@@ -2020,7 +2104,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash = createHash4("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -3168,8 +3252,8 @@ function fmt2(n) {
 }
 
 // src/engine/predictor.ts
-import { resolve as resolve8, join as join6 } from "path";
-import { readFile as readFile7, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { resolve as resolve8, join as join7 } from "path";
+import { readFile as readFile7, writeFile as writeFile3, mkdir as mkdir2 } from "fs/promises";
 var DEFAULT_PREDICTOR_CONFIG = {
   maxCoSelectionPairs: 500,
   decayFactor: 0.95,
@@ -3178,9 +3262,9 @@ var DEFAULT_PREDICTOR_CONFIG = {
   // need at least 2 observations before predicting
 };
 async function getModelPath(projectPath) {
-  const ctoDir = join6(resolve8(projectPath), ".cto");
+  const ctoDir = join7(resolve8(projectPath), ".cto");
   await mkdir2(ctoDir, { recursive: true });
-  return join6(ctoDir, "predictor.json");
+  return join7(ctoDir, "predictor.json");
 }
 async function loadModel(projectPath) {
   try {
@@ -3193,7 +3277,7 @@ async function loadModel(projectPath) {
 }
 async function saveModel(projectPath, model) {
   const path = await getModelPath(projectPath);
-  await writeFile2(path, JSON.stringify(model, null, 2));
+  await writeFile3(path, JSON.stringify(model, null, 2));
 }
 function createEmptyModel() {
   return {
@@ -3430,8 +3514,8 @@ function pruneCoSelection(model, maxPairs) {
 }
 
 // src/engine/cross-repo.ts
-import { join as join7, basename as basename3 } from "path";
-import { readFile as readFile8, writeFile as writeFile3, mkdir as mkdir3 } from "fs/promises";
+import { join as join8, basename as basename3 } from "path";
+import { readFile as readFile8, writeFile as writeFile4, mkdir as mkdir3 } from "fs/promises";
 function computeFingerprint2(analysis) {
   const totalFiles = analysis.totalFiles;
   const sizeClass = totalFiles < 20 ? "tiny" : totalFiles < 100 ? "small" : totalFiles < 500 ? "medium" : totalFiles < 2e3 ? "large" : "huge";
@@ -3463,7 +3547,7 @@ function fingerprintHash(fp) {
 }
 function getGlobalModelPath() {
   const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
-  return join7(home, ".cto", "global-intelligence.json");
+  return join8(home, ".cto", "global-intelligence.json");
 }
 async function loadGlobalModel() {
   try {
@@ -3474,9 +3558,9 @@ async function loadGlobalModel() {
   }
 }
 async function saveGlobalModel(model) {
-  const dir = join7(getGlobalModelPath(), "..");
+  const dir = join8(getGlobalModelPath(), "..");
   await mkdir3(dir, { recursive: true });
-  await writeFile3(getGlobalModelPath(), JSON.stringify(model, null, 2));
+  await writeFile4(getGlobalModelPath(), JSON.stringify(model, null, 2));
 }
 function createEmptyModel2() {
   return {
@@ -3695,17 +3779,17 @@ function getCrossRepoStats(model) {
 }
 
 // src/engine/feedback.ts
-import { resolve as resolve10, join as join8 } from "path";
-import { readFile as readFile9, writeFile as writeFile4, mkdir as mkdir4 } from "fs/promises";
+import { resolve as resolve10, join as join9 } from "path";
+import { readFile as readFile9, writeFile as writeFile5, mkdir as mkdir4 } from "fs/promises";
 async function getFeedbackPath(projectPath) {
-  const ctoDir = join8(resolve10(projectPath), ".cto");
+  const ctoDir = join9(resolve10(projectPath), ".cto");
   await mkdir4(ctoDir, { recursive: true });
-  return join8(ctoDir, "feedback.json");
+  return join9(ctoDir, "feedback.json");
 }
 async function getModelPath2(projectPath) {
-  const ctoDir = join8(resolve10(projectPath), ".cto");
+  const ctoDir = join9(resolve10(projectPath), ".cto");
   await mkdir4(ctoDir, { recursive: true });
-  return join8(ctoDir, "feedback-model.json");
+  return join9(ctoDir, "feedback-model.json");
 }
 async function loadFeedback(projectPath) {
   try {
@@ -3716,7 +3800,7 @@ async function loadFeedback(projectPath) {
   }
 }
 async function saveFeedback(projectPath, entries) {
-  await writeFile4(await getFeedbackPath(projectPath), JSON.stringify(entries, null, 2));
+  await writeFile5(await getFeedbackPath(projectPath), JSON.stringify(entries, null, 2));
 }
 async function loadFeedbackModel(projectPath) {
   try {
@@ -3727,7 +3811,7 @@ async function loadFeedbackModel(projectPath) {
   }
 }
 async function saveFeedbackModel(projectPath, model) {
-  await writeFile4(await getModelPath2(projectPath), JSON.stringify(model, null, 2));
+  await writeFile5(await getModelPath2(projectPath), JSON.stringify(model, null, 2));
 }
 function createEmptyModel3() {
   return {
@@ -4402,8 +4486,8 @@ function fmt3(n) {
 }
 
 // src/engine/compile-proof.ts
-import { resolve as resolve11, join as join9, dirname as dirname2, basename as basename4 } from "path";
-import { writeFile as writeFile5, mkdir as mkdir5, rm, cp } from "fs/promises";
+import { resolve as resolve11, join as join10, dirname as dirname3, basename as basename4 } from "path";
+import { writeFile as writeFile6, mkdir as mkdir5, rm, cp } from "fs/promises";
 import { execSync } from "child_process";
 async function runCompileProof(analysis, task, budget = 5e4) {
   const projectPath = resolve11(analysis.projectPath);
@@ -4604,21 +4688,21 @@ function extractKnownTypes(analysis, typePaths) {
   return types;
 }
 async function runTscWithContext(name, projectPath, selectedPaths, tokensUsed, typePaths, consumerCode) {
-  const tmpDir = join9(projectPath, ".cto", `compile-proof-${name.toLowerCase()}`);
+  const tmpDir = join10(projectPath, ".cto", `compile-proof-${name.toLowerCase()}`);
   try {
     await rm(tmpDir, { recursive: true, force: true });
     await mkdir5(tmpDir, { recursive: true });
     for (const filePath of selectedPaths) {
-      const src = join9(projectPath, filePath);
-      const dest = join9(tmpDir, filePath);
+      const src = join10(projectPath, filePath);
+      const dest = join10(tmpDir, filePath);
       try {
-        await mkdir5(dirname2(dest), { recursive: true });
+        await mkdir5(dirname3(dest), { recursive: true });
         await cp(src, dest);
       } catch {
       }
     }
-    await writeFile5(join9(tmpDir, "_compile_test.ts"), consumerCode);
-    await writeFile5(join9(tmpDir, "tsconfig.json"), JSON.stringify({
+    await writeFile6(join10(tmpDir, "_compile_test.ts"), consumerCode);
+    await writeFile6(join10(tmpDir, "tsconfig.json"), JSON.stringify({
       compilerOptions: {
         target: "ES2022",
         module: "nodenext",
@@ -4923,9 +5007,541 @@ function fmt5(n) {
   if (n >= 1e3) return `${(n / 1e3).toFixed(1)}K`;
   return n.toString();
 }
+
+// src/engine/monorepo.ts
+import { readFile as readFile11, readdir as readdir4 } from "fs/promises";
+import { join as join11, relative as relative6, basename as basename5 } from "path";
+import { existsSync as existsSync5 } from "fs";
+async function detectMonorepoTool(rootPath) {
+  const checks = [
+    { file: "nx.json", tool: "nx" },
+    { file: "turbo.json", tool: "turborepo" },
+    { file: "lerna.json", tool: "lerna" },
+    { file: "pnpm-workspace.yaml", tool: "pnpm-workspaces" },
+    {
+      file: "package.json",
+      tool: "npm-workspaces",
+      validate: (content) => {
+        try {
+          const pkg = JSON.parse(content);
+          return Array.isArray(pkg.workspaces) || typeof pkg.workspaces?.packages !== "undefined";
+        } catch {
+          return false;
+        }
+      }
+    }
+  ];
+  for (const check of checks) {
+    const filePath = join11(rootPath, check.file);
+    if (existsSync5(filePath)) {
+      if (!check.validate) return check.tool;
+      try {
+        const content = await readFile11(filePath, "utf-8");
+        if (check.validate(content)) {
+          if (check.tool === "npm-workspaces") {
+            if (existsSync5(join11(rootPath, "yarn.lock"))) return "yarn-workspaces";
+            return "npm-workspaces";
+          }
+          return check.tool;
+        }
+      } catch {
+      }
+    }
+  }
+  return "none";
+}
+async function resolveWorkspaceGlobs(rootPath, globs) {
+  const packagePaths = [];
+  for (const glob of globs) {
+    const cleanGlob = glob.replace(/\/?\*\*?$/, "");
+    const searchDir = join11(rootPath, cleanGlob);
+    if (!existsSync5(searchDir)) continue;
+    try {
+      const entries = await readdir4(searchDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        const pkgJsonPath = join11(searchDir, entry.name, "package.json");
+        if (existsSync5(pkgJsonPath)) {
+          packagePaths.push(join11(searchDir, entry.name));
+        }
+      }
+    } catch {
+    }
+  }
+  return packagePaths;
+}
+async function discoverPackages(rootPath, tool) {
+  switch (tool) {
+    case "npm-workspaces":
+    case "yarn-workspaces": {
+      const pkgJson = JSON.parse(await readFile11(join11(rootPath, "package.json"), "utf-8"));
+      const workspaces = Array.isArray(pkgJson.workspaces) ? pkgJson.workspaces : pkgJson.workspaces?.packages || [];
+      return resolveWorkspaceGlobs(rootPath, workspaces);
+    }
+    case "pnpm-workspaces": {
+      const content = await readFile11(join11(rootPath, "pnpm-workspace.yaml"), "utf-8");
+      const packages = [];
+      let inPackages = false;
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed === "packages:") {
+          inPackages = true;
+          continue;
+        }
+        if (inPackages && trimmed.startsWith("- ")) {
+          packages.push(trimmed.slice(2).replace(/['"]/g, ""));
+        } else if (inPackages && !trimmed.startsWith("-") && trimmed.length > 0) {
+          inPackages = false;
+        }
+      }
+      return resolveWorkspaceGlobs(rootPath, packages);
+    }
+    case "turborepo": {
+      const pkgJson = JSON.parse(await readFile11(join11(rootPath, "package.json"), "utf-8"));
+      const workspaces = Array.isArray(pkgJson.workspaces) ? pkgJson.workspaces : pkgJson.workspaces?.packages || [];
+      if (workspaces.length > 0) return resolveWorkspaceGlobs(rootPath, workspaces);
+      if (existsSync5(join11(rootPath, "pnpm-workspace.yaml"))) {
+        return discoverPackages(rootPath, "pnpm-workspaces");
+      }
+      return [];
+    }
+    case "nx": {
+      const standardDirs = ["packages", "apps", "libs"];
+      const globs = standardDirs.filter((d) => existsSync5(join11(rootPath, d)));
+      if (globs.length > 0) return resolveWorkspaceGlobs(rootPath, globs);
+      try {
+        const pkgJson = JSON.parse(await readFile11(join11(rootPath, "package.json"), "utf-8"));
+        const workspaces = Array.isArray(pkgJson.workspaces) ? pkgJson.workspaces : [];
+        if (workspaces.length > 0) return resolveWorkspaceGlobs(rootPath, workspaces);
+      } catch {
+      }
+      return [];
+    }
+    case "lerna": {
+      const lernaJson = JSON.parse(await readFile11(join11(rootPath, "lerna.json"), "utf-8"));
+      const packages = lernaJson.packages || ["packages/*"];
+      return resolveWorkspaceGlobs(rootPath, packages);
+    }
+    default:
+      return [];
+  }
+}
+function buildCrossPackageEdges(packages, allFiles, graphEdges, rootPath) {
+  const fileToPackage = /* @__PURE__ */ new Map();
+  for (const pkg of packages) {
+    const pkgRel = relative6(rootPath, pkg.path);
+    for (const f of allFiles) {
+      if (f.relativePath.startsWith(pkgRel + "/") || f.relativePath.startsWith(pkgRel + "\\")) {
+        fileToPackage.set(f.relativePath, pkg.name);
+      }
+    }
+  }
+  const edgeMap = /* @__PURE__ */ new Map();
+  for (const edge of graphEdges) {
+    const fromPkg = fileToPackage.get(edge.from);
+    const toPkg = fileToPackage.get(edge.to);
+    if (fromPkg && toPkg && fromPkg !== toPkg) {
+      const key = `${fromPkg}\u2192${toPkg}`;
+      if (!edgeMap.has(key)) {
+        edgeMap.set(key, { files: /* @__PURE__ */ new Set(), type: "dependency" });
+      }
+      edgeMap.get(key).files.add(edge.from);
+    }
+  }
+  return Array.from(edgeMap.entries()).map(([key, val]) => {
+    const [from, to] = key.split("\u2192");
+    return { from, to, files: val.files.size, type: val.type };
+  });
+}
+async function analyzeMonorepo(rootPath, analysis) {
+  const tool = await detectMonorepoTool(rootPath);
+  if (tool === "none") {
+    return {
+      detected: false,
+      tool: "none",
+      rootPath,
+      packages: [],
+      sharedPackages: [],
+      crossPackageEdges: [],
+      isolationScore: 100,
+      totalTokens: analysis?.totalTokens ?? 0,
+      packageTokenMap: {}
+    };
+  }
+  const packagePaths = await discoverPackages(rootPath, tool);
+  const packages = [];
+  const packageTokenMap = {};
+  for (const pkgPath of packagePaths) {
+    const pkgJsonPath = join11(pkgPath, "package.json");
+    let name = basename5(pkgPath);
+    let pkgDeps = [];
+    try {
+      const pkgJson = JSON.parse(await readFile11(pkgJsonPath, "utf-8"));
+      name = pkgJson.name || name;
+      const allDeps = {
+        ...pkgJson.dependencies || {},
+        ...pkgJson.devDependencies || {},
+        ...pkgJson.peerDependencies || {}
+      };
+      pkgDeps = Object.keys(allDeps);
+    } catch {
+    }
+    const relPath = relative6(rootPath, pkgPath);
+    let fileCount = 0;
+    let tokenCount = 0;
+    const entryPoints = [];
+    if (analysis) {
+      for (const f of analysis.files) {
+        if (f.relativePath.startsWith(relPath + "/") || f.relativePath.startsWith(relPath + "\\")) {
+          fileCount++;
+          tokenCount += f.tokens;
+          if (f.kind === "entry") entryPoints.push(f.relativePath);
+        }
+      }
+    }
+    packageTokenMap[name] = tokenCount;
+    packages.push({
+      name,
+      path: pkgPath,
+      relativePath: relPath,
+      files: fileCount,
+      tokens: tokenCount,
+      dependencies: [],
+      // Filled below after we know all package names
+      dependents: [],
+      isShared: false,
+      entryPoints
+    });
+  }
+  const pkgNames = new Set(packages.map((p) => p.name));
+  for (const pkg of packages) {
+    const pkgJsonPath = join11(pkg.path, "package.json");
+    try {
+      const pkgJson = JSON.parse(await readFile11(pkgJsonPath, "utf-8"));
+      const allDeps = {
+        ...pkgJson.dependencies || {},
+        ...pkgJson.devDependencies || {}
+      };
+      pkg.dependencies = Object.keys(allDeps).filter((d) => pkgNames.has(d));
+    } catch {
+    }
+  }
+  for (const pkg of packages) {
+    for (const depName of pkg.dependencies) {
+      const dep = packages.find((p) => p.name === depName);
+      if (dep) dep.dependents.push(pkg.name);
+    }
+  }
+  for (const pkg of packages) {
+    pkg.isShared = pkg.dependents.length >= 2;
+  }
+  const sharedPackages = packages.filter((p) => p.isShared);
+  const crossPackageEdges = analysis ? buildCrossPackageEdges(packages, analysis.files, analysis.graph.edges, rootPath) : [];
+  const maxPossibleEdges = packages.length * (packages.length - 1);
+  const actualEdges = crossPackageEdges.length;
+  const isolationScore = maxPossibleEdges > 0 ? Math.round(100 * (1 - actualEdges / maxPossibleEdges)) : 100;
+  return {
+    detected: true,
+    tool,
+    rootPath,
+    packages,
+    sharedPackages,
+    crossPackageEdges,
+    isolationScore,
+    totalTokens: analysis?.totalTokens ?? packages.reduce((s, p) => s + p.tokens, 0),
+    packageTokenMap
+  };
+}
+function selectPackageContext(monorepo, targetPackage) {
+  const target = monorepo.packages.find((p) => p.name === targetPackage || p.relativePath === targetPackage);
+  if (!target) {
+    return {
+      targetPackage,
+      includedPackages: [],
+      excludedPackages: monorepo.packages.map((p) => p.name),
+      originalTokens: monorepo.totalTokens,
+      optimizedTokens: 0,
+      savedTokens: monorepo.totalTokens,
+      savedPercent: 100
+    };
+  }
+  const includedNames = /* @__PURE__ */ new Set([target.name]);
+  for (const depName of target.dependencies) {
+    includedNames.add(depName);
+    const dep = monorepo.packages.find((p) => p.name === depName);
+    if (dep) {
+      for (const transDep of dep.dependencies) {
+        const transDepPkg = monorepo.packages.find((p) => p.name === transDep);
+        if (transDepPkg?.isShared) includedNames.add(transDep);
+      }
+    }
+  }
+  const includedPackages = Array.from(includedNames);
+  const excludedPackages = monorepo.packages.filter((p) => !includedNames.has(p.name)).map((p) => p.name);
+  const optimizedTokens = monorepo.packages.filter((p) => includedNames.has(p.name)).reduce((s, p) => s + p.tokens, 0);
+  const savedTokens = monorepo.totalTokens - optimizedTokens;
+  const savedPercent = monorepo.totalTokens > 0 ? Math.round(savedTokens / monorepo.totalTokens * 100) : 0;
+  return {
+    targetPackage: target.name,
+    includedPackages,
+    excludedPackages,
+    originalTokens: monorepo.totalTokens,
+    optimizedTokens,
+    savedTokens,
+    savedPercent
+  };
+}
+function renderMonorepoAnalysis(mono) {
+  if (!mono.detected) {
+    return "  \u2139\uFE0F  No monorepo detected (single-package project).\n";
+  }
+  const lines = [];
+  lines.push("");
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push(`  \u{1F4E6} Monorepo Analysis \u2014 ${mono.tool}`);
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push("");
+  lines.push(`  Packages:         ${mono.packages.length}`);
+  lines.push(`  Shared packages:  ${mono.sharedPackages.length}`);
+  lines.push(`  Isolation score:  ${mono.isolationScore}/100`);
+  lines.push(`  Total tokens:     ${mono.totalTokens.toLocaleString()}`);
+  lines.push("");
+  lines.push("  Package breakdown:");
+  lines.push("");
+  const sorted = [...mono.packages].sort((a, b) => b.tokens - a.tokens);
+  const maxNameLen = Math.max(...sorted.map((p) => p.name.length), 10);
+  for (const pkg of sorted) {
+    const name = pkg.name.padEnd(maxNameLen);
+    const tokens = `${(pkg.tokens / 1e3).toFixed(1)}K`.padStart(8);
+    const files = `${pkg.files} files`.padStart(10);
+    const deps = pkg.dependencies.length > 0 ? ` \u2192 ${pkg.dependencies.join(", ")}` : "";
+    const shared = pkg.isShared ? " [shared]" : "";
+    lines.push(`  ${name} ${tokens} ${files}${shared}${deps}`);
+  }
+  if (mono.crossPackageEdges.length > 0) {
+    lines.push("");
+    lines.push("  Cross-package dependencies:");
+    for (const edge of mono.crossPackageEdges.slice(0, 10)) {
+      lines.push(`    ${edge.from} \u2192 ${edge.to} (${edge.files} files)`);
+    }
+    if (mono.crossPackageEdges.length > 10) {
+      lines.push(`    ... and ${mono.crossPackageEdges.length - 10} more`);
+    }
+  }
+  lines.push("");
+  lines.push("  \u{1F4A1} Use --monorepo --package <name> to see context savings for a specific package.");
+  lines.push("");
+  return lines.join("\n");
+}
+function renderPackageContext(result) {
+  const lines = [];
+  lines.push("");
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push(`  \u{1F3AF} Package Context \u2014 ${result.targetPackage}`);
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push("");
+  lines.push(`  Included packages:  ${result.includedPackages.length}`);
+  lines.push(`  Excluded packages:  ${result.excludedPackages.length}`);
+  lines.push("");
+  lines.push(`  Original tokens:    ${result.originalTokens.toLocaleString()}`);
+  lines.push(`  Optimized tokens:   ${result.optimizedTokens.toLocaleString()}`);
+  lines.push(`  Token savings:      ${result.savedTokens.toLocaleString()} (${result.savedPercent}%)`);
+  lines.push("");
+  if (result.includedPackages.length > 0) {
+    lines.push("  \u2705 Included:");
+    for (const p of result.includedPackages) {
+      lines.push(`     ${p}`);
+    }
+  }
+  if (result.excludedPackages.length > 0) {
+    lines.push("  \u2B1C Excluded (not needed for this package):");
+    for (const p of result.excludedPackages.slice(0, 10)) {
+      lines.push(`     ${p}`);
+    }
+    if (result.excludedPackages.length > 10) {
+      lines.push(`     ... and ${result.excludedPackages.length - 10} more`);
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+
+// src/engine/quality-gate.ts
+import { readFile as readFile12, writeFile as writeFile7, mkdir as mkdir6 } from "fs/promises";
+import { resolve as resolve13 } from "path";
+import { existsSync as existsSync6 } from "fs";
+var DEFAULT_GATE_CONFIG = {
+  threshold: 70,
+  failOnSecrets: true,
+  failOnRegression: true,
+  regressionLimit: 5,
+  baselinePath: ".cto/baseline.json",
+  secretSeverities: ["critical", "high"]
+};
+async function loadBaseline(projectPath, baselinePath) {
+  const filePath = resolve13(projectPath, baselinePath || ".cto/baseline.json");
+  if (!existsSync6(filePath)) return null;
+  try {
+    const content = await readFile12(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function saveBaseline(projectPath, score, commit, branch, baselinePath) {
+  const dir = resolve13(projectPath, ".cto");
+  if (!existsSync6(dir)) await mkdir6(dir, { recursive: true });
+  const baseline = {
+    score: score.overall,
+    grade: score.grade,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    commit,
+    branch,
+    dimensions: {
+      efficiency: score.dimensions.efficiency.score,
+      coverage: score.dimensions.coverage.score,
+      riskControl: score.dimensions.riskControl.score,
+      structure: score.dimensions.structure.score,
+      governance: score.dimensions.governance.score
+    }
+  };
+  const filePath = resolve13(projectPath, baselinePath || ".cto/baseline.json");
+  await writeFile7(filePath, JSON.stringify(baseline, null, 2));
+}
+async function runQualityGate(score, analysis, secretFindings, config = {}) {
+  const cfg = { ...DEFAULT_GATE_CONFIG, ...config };
+  const checks = [];
+  const baseline = await loadBaseline(analysis.projectPath, cfg.baselinePath);
+  const previousScore = baseline?.score ?? null;
+  const delta = previousScore !== null ? score.overall - previousScore : null;
+  const thresholdPassed = score.overall >= cfg.threshold;
+  checks.push({
+    name: "Score threshold",
+    passed: thresholdPassed,
+    detail: thresholdPassed ? `Score ${score.overall} \u2265 threshold ${cfg.threshold}` : `Score ${score.overall} < threshold ${cfg.threshold}`,
+    severity: thresholdPassed ? "info" : "error"
+  });
+  const dangerousSecrets = secretFindings.filter(
+    (f) => cfg.secretSeverities.includes(f.severity)
+  );
+  const secretsPassed = !cfg.failOnSecrets || dangerousSecrets.length === 0;
+  checks.push({
+    name: "No secrets detected",
+    passed: secretsPassed,
+    detail: secretsPassed ? "No critical/high severity secrets found" : `${dangerousSecrets.length} secret(s) with ${cfg.secretSeverities.join("/")} severity`,
+    severity: secretsPassed ? "info" : "error"
+  });
+  let regressionPassed = true;
+  if (cfg.failOnRegression && delta !== null) {
+    regressionPassed = delta >= -cfg.regressionLimit;
+  }
+  checks.push({
+    name: "No score regression",
+    passed: regressionPassed,
+    detail: delta !== null ? regressionPassed ? `Score changed by ${delta >= 0 ? "+" : ""}${delta} (limit: -${cfg.regressionLimit})` : `Score dropped by ${Math.abs(delta)} points (limit: -${cfg.regressionLimit})` : "No baseline found (first run)",
+    severity: regressionPassed ? delta !== null && delta < 0 ? "warning" : "info" : "error"
+  });
+  const weakDimensions = Object.entries(score.dimensions).filter(([_, d]) => d.score < 50).map(([name]) => name);
+  const dimensionsPassed = weakDimensions.length === 0;
+  checks.push({
+    name: "Dimension health",
+    passed: dimensionsPassed,
+    detail: dimensionsPassed ? "All dimensions above 50%" : `Weak dimensions: ${weakDimensions.join(", ")}`,
+    severity: dimensionsPassed ? "info" : "warning"
+  });
+  const passed = checks.filter((c) => c.severity === "error").every((c) => c.passed);
+  const prComment = generatePRComment(score, analysis, checks, baseline, delta);
+  const summary = generateSummary(score, checks, passed);
+  return {
+    passed,
+    score: score.overall,
+    grade: score.grade,
+    previousScore,
+    delta,
+    checks,
+    baseline,
+    prComment,
+    summary
+  };
+}
+function generatePRComment(score, analysis, checks, baseline, delta) {
+  const gradeEmoji = score.grade.startsWith("A") ? "\u{1F7E2}" : score.grade.startsWith("B") ? "\u{1F535}" : score.grade.startsWith("C") ? "\u{1F7E1}" : "\u{1F534}";
+  const allPassed = checks.filter((c) => c.severity === "error").every((c) => c.passed);
+  const statusIcon = allPassed ? "\u2705" : "\u274C";
+  const deltaStr = delta !== null ? ` (${delta >= 0 ? "+" : ""}${delta})` : "";
+  const lines = [
+    `## ${statusIcon} CTO Quality Gate ${allPassed ? "Passed" : "Failed"}`,
+    "",
+    `### ${gradeEmoji} Context Score: ${score.overall}/100 (${score.grade})${deltaStr}`,
+    "",
+    `> **${analysis.projectName}** \xB7 ${analysis.totalFiles} files \xB7 ${Math.round(analysis.totalTokens / 1e3)}K tokens`,
+    "",
+    "### Checks",
+    "",
+    "| Check | Status | Detail |",
+    "|-------|--------|--------|"
+  ];
+  for (const check of checks) {
+    const icon = check.passed ? "\u2705" : check.severity === "warning" ? "\u26A0\uFE0F" : "\u274C";
+    lines.push(`| ${check.name} | ${icon} | ${check.detail} |`);
+  }
+  lines.push("");
+  lines.push("### Dimensions");
+  lines.push("");
+  lines.push("| Dimension | Score | vs Baseline |");
+  lines.push("|-----------|-------|-------------|");
+  for (const [name, dim] of Object.entries(score.dimensions)) {
+    const prev = baseline?.dimensions[name];
+    const diff = prev !== void 0 ? dim.score - prev : null;
+    const diffStr = diff !== null ? `${diff >= 0 ? "+" : ""}${diff}` : "\u2014";
+    const bar = renderBar2(dim.score);
+    lines.push(`| ${name} | ${bar} ${dim.score}% | ${diffStr} |`);
+  }
+  lines.push("");
+  lines.push("### Savings");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| Tokens saved | ${score.comparison.savedTokens.toLocaleString()} (${score.comparison.savedPercent}%) |`);
+  lines.push(`| Monthly savings | $${score.comparison.monthlySavingsUSD.toFixed(2)} |`);
+  if (score.insights.length > 0) {
+    lines.push("");
+    lines.push("### Insights");
+    lines.push("");
+    for (const insight of score.insights.slice(0, 5)) {
+      const icon = insight.type === "strength" ? "\u2705" : insight.type === "weakness" ? "\u26A0\uFE0F" : "\u{1F4A1}";
+      lines.push(`- ${icon} **${insight.title}** \u2014 ${insight.detail}`);
+    }
+  }
+  lines.push("");
+  lines.push("---");
+  lines.push(`<sub>Generated by [CTO Quality Gate](https://npmjs.com/package/cto-ai-cli) \xB7 ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}</sub>`);
+  return lines.join("\n");
+}
+function renderBar2(score) {
+  const filled = Math.round(score / 10);
+  return "\u2588".repeat(filled) + "\u2591".repeat(10 - filled);
+}
+function generateSummary(score, checks, passed) {
+  const status = passed ? "\u2705 PASSED" : "\u274C FAILED";
+  const failedChecks = checks.filter((c) => !c.passed && c.severity === "error");
+  const warnings = checks.filter((c) => !c.passed && c.severity === "warning");
+  let summary = `Quality Gate ${status} \u2014 Score: ${score.overall}/100 (${score.grade})`;
+  if (failedChecks.length > 0) {
+    summary += `
+Failed: ${failedChecks.map((c) => c.name).join(", ")}`;
+  }
+  if (warnings.length > 0) {
+    summary += `
+Warnings: ${warnings.map((c) => c.name).join(", ")}`;
+  }
+  return summary;
+}
 export {
+  DEFAULT_GATE_CONFIG,
   MODEL_REGISTRY2 as MODEL_REGISTRY,
   ProjectWatcher,
+  analyzeMonorepo,
   analyzeProject,
   analyzeSemantics,
   bfsBidirectional,
@@ -4939,6 +5555,7 @@ export {
   countTokensChars4,
   countTokensTiktoken,
   createProject,
+  detectMonorepoTool,
   detectStack,
   estimateFileTokens,
   estimateTokens,
@@ -4957,6 +5574,7 @@ export {
   getPruneLevelForRisk,
   initProjectConfig,
   invalidateCache,
+  loadBaseline,
   loadConfig,
   loadFeedbackModel,
   loadGlobalModel,
@@ -4977,17 +5595,22 @@ export {
   renderCompileProof,
   renderContextScore,
   renderFeedbackReport,
+  renderMonorepoAnalysis,
   renderMultiModelResult,
+  renderPackageContext,
   renderQualityBenchmark,
   renderSemanticAnalysis,
   runBenchmark,
   runCompilabilityBenchmark,
   runCompileProof,
   runQualityBenchmark,
+  runQualityGate,
+  saveBaseline,
   saveConfig,
   scoreAllFiles,
   scoreFile,
   selectContext,
+  selectPackageContext,
   semanticBoosts,
   unwatchAll,
   unwatchProject,