cto-ai-cli 3.1.0 → 4.0.0

package/dist/govern/index.d.ts

@@ -84,7 +84,7 @@ interface SecretFinding {
     redacted: string;
     severity: 'critical' | 'high' | 'medium' | 'low';
 }
-type SecretType = 'api-key' | 'aws-key' | 'private-key' | 'password' | 'token' | 'connection-string' | 'env-variable' | 'custom';
+type SecretType = 'api-key' | 'aws-key' | 'private-key' | 'password' | 'token' | 'connection-string' | 'env-variable' | 'pii' | 'high-entropy' | 'custom';
 interface IntegrityManifest {
     version: string;
     createdAt: Date;
@@ -113,10 +113,74 @@ declare function verifyAuditIntegrity(): Promise<{
 }>;
 declare function purgeOldAuditEntries(retentionDays: number): Promise<number>;
 
-declare function scanContentForSecrets(content: string, filePath: string, customPatterns?: string[]): SecretFinding[];
+declare function scanContentForSecrets(content: string, filePath: string, customPatterns?: string[], extraPiiSafeDomains?: Set<string>): SecretFinding[];
 declare function scanFileForSecrets(filePath: string, projectPath: string, customPatterns?: string[]): Promise<SecretFinding[]>;
 declare function scanProjectForSecrets(projectPath: string, filePaths: string[], customPatterns?: string[]): Promise<SecretFinding[]>;
 declare function sanitizeContent(content: string, customPatterns?: string[]): string;
+interface AllowlistEntry {
+    fingerprint: string;
+    file: string;
+    type: string;
+    redacted: string;
+    reason: string;
+    reviewedBy: string;
+    reviewedAt: string;
+}
+declare function loadAllowlist(projectPath: string): AllowlistEntry[];
+declare function saveAllowlist(projectPath: string, entries: AllowlistEntry[]): void;
+declare function addToAllowlist(projectPath: string, finding: SecretFinding, reason: string, reviewedBy?: string): AllowlistEntry;
+declare function filterByAllowlist(findings: SecretFinding[], projectPath: string): {
+    filtered: SecretFinding[];
+    allowed: SecretFinding[];
+};
+interface FileHashMap {
+    [relativePath: string]: string;
+}
+declare function getChangedFiles(projectPath: string, filePaths: string[]): {
+    changed: string[];
+    unchanged: string[];
+    cache: FileHashMap;
+};
+interface AuditConfig {
+    severityOverrides: Partial<Record<SecretType, SecretFinding['severity']>>;
+    piiSafeDomains: string[];
+    customPatterns: string[];
+    entropyThreshold: number;
+    includePII: boolean;
+    incrementalScan: boolean;
+}
+declare const DEFAULT_AUDIT_CONFIG: AuditConfig;
+declare function loadAuditConfig(projectPath: string): AuditConfig;
+declare function saveAuditConfig(projectPath: string, config: AuditConfig): void;
+declare function generatePreCommitHook(projectPath: string, hookType?: 'husky' | 'githooks'): string;
+declare function scanContentForHighEntropy(content: string, filePath: string, threshold?: number): SecretFinding[];
+interface AuditResult {
+    findings: SecretFinding[];
+    summary: {
+        totalFiles: number;
+        filesScanned: number;
+        filesWithSecrets: number;
+        totalFindings: number;
+        bySeverity: {
+            critical: number;
+            high: number;
+            medium: number;
+            low: number;
+        };
+        byType: Record<string, number>;
+    };
+    recommendations: string[];
+}
+interface AuditOptions {
+    customPatterns?: string[];
+    entropyThreshold?: number;
+    includePII?: boolean;
+    useAllowlist?: boolean;
+    incrementalScan?: boolean;
+    severityOverrides?: Partial<Record<SecretType, SecretFinding['severity']>>;
+    piiSafeDomains?: string[];
+}
+declare function auditProject(projectPath: string, filePaths: string[], options?: AuditOptions): Promise<AuditResult>;
 
 interface AnalyzedFile {
     path: string;
@@ -258,4 +322,4 @@ declare function verifyManifest(manifest: IntegrityManifest): Promise<{
 }>;
 declare function securePermissions(dirPath: string): Promise<number>;
 
-export { DEFAULT_POLICY, addRule, buildManifest, compareSnapshots, createSnapshot, getAuditEntries, hashContent, hashFile, logAudit, purgeOldAuditEntries, removeRule, sanitizeContent, scanContentForSecrets, scanFileForSecrets, scanProjectForSecrets, securePermissions, toggleRule, validateSelection, verifyAuditEntry, verifyAuditIntegrity, verifyManifest, verifySnapshot };
+export { type AllowlistEntry, type AuditConfig, type AuditOptions, type AuditResult, DEFAULT_AUDIT_CONFIG, DEFAULT_POLICY, addRule, addToAllowlist, auditProject, buildManifest, compareSnapshots, createSnapshot, filterByAllowlist, generatePreCommitHook, getAuditEntries, getChangedFiles, hashContent, hashFile, loadAllowlist, loadAuditConfig, logAudit, purgeOldAuditEntries, removeRule, sanitizeContent, saveAllowlist, saveAuditConfig, scanContentForHighEntropy, scanContentForSecrets, scanFileForSecrets, scanProjectForSecrets, securePermissions, toggleRule, validateSelection, verifyAuditEntry, verifyAuditIntegrity, verifyManifest, verifySnapshot };

package/dist/govern/index.js

@@ -39,9 +39,9 @@ async function readJSON(filePath) {
   }
 }
 async function writeJSON(filePath, data) {
-  const { writeFile } = await import("fs/promises");
+  const { writeFile: writeFile2 } = await import("fs/promises");
   await ensureDir(join(filePath, ".."));
-  await writeFile(filePath, JSON.stringify(data, null, 2), "utf-8");
+  await writeFile2(filePath, JSON.stringify(data, null, 2), "utf-8");
 }
 async function logAudit(action, projectPath, details = {}) {
   const auditDir = getAuditDir();
@@ -150,7 +150,9 @@ async function purgeOldAuditEntries(retentionDays) {
 
 // src/govern/secrets.ts
 import { readFile } from "fs/promises";
-import { resolve, relative } from "path";
+import { readFileSync, existsSync, mkdirSync, writeFileSync } from "fs";
+import { resolve, relative, join as join2, dirname } from "path";
+import { createHash as createHash2 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -175,15 +177,66 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -197,7 +250,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -209,6 +262,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -278,6 +332,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -287,6 +371,350 @@ function deduplicateFindings(findings) {
     return true;
   });
 }
+function fingerprintFinding(f) {
+  return createHash2("sha256").update(`${f.file}:${f.type}:${f.match}`).digest("hex").slice(0, 32);
+}
+function getAllowlistPath(projectPath) {
+  return join2(projectPath, ".cto", "audit", "allowlist.json");
+}
+function loadAllowlist(projectPath) {
+  const filePath = getAllowlistPath(projectPath);
+  if (!existsSync(filePath)) return [];
+  try {
+    return JSON.parse(readFileSync(filePath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+function saveAllowlist(projectPath, entries) {
+  const filePath = getAllowlistPath(projectPath);
+  mkdirSync(dirname(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(entries, null, 2) + "\n");
+}
+function addToAllowlist(projectPath, finding, reason, reviewedBy = "manual") {
+  const entries = loadAllowlist(projectPath);
+  const entry = {
+    fingerprint: fingerprintFinding(finding),
+    file: finding.file,
+    type: finding.type,
+    redacted: finding.redacted,
+    reason,
+    reviewedBy,
+    reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const existing = entries.findIndex((e) => e.fingerprint === entry.fingerprint);
+  if (existing >= 0) {
+    entries[existing] = entry;
+  } else {
+    entries.push(entry);
+  }
+  saveAllowlist(projectPath, entries);
+  return entry;
+}
+function filterByAllowlist(findings, projectPath) {
+  const allowlist = loadAllowlist(projectPath);
+  if (allowlist.length === 0) return { filtered: findings, allowed: [] };
+  const allowedFingerprints = new Set(allowlist.map((e) => e.fingerprint));
+  const filtered = [];
+  const allowed = [];
+  for (const f of findings) {
+    if (allowedFingerprints.has(fingerprintFinding(f))) {
+      allowed.push(f);
+    } else {
+      filtered.push(f);
+    }
+  }
+  return { filtered, allowed };
+}
+function getHashCachePath(projectPath) {
+  return join2(projectPath, ".cto", "audit", ".hashcache.json");
+}
+function loadHashCache(projectPath) {
+  const filePath = getHashCachePath(projectPath);
+  if (!existsSync(filePath)) return {};
+  try {
+    return JSON.parse(readFileSync(filePath, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveHashCache(projectPath, cache) {
+  const filePath = getHashCachePath(projectPath);
+  mkdirSync(dirname(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(cache));
+}
+function hashContent(content) {
+  return createHash2("sha256").update(content).digest("hex").slice(0, 16);
+}
+function getChangedFiles(projectPath, filePaths) {
+  const oldCache = loadHashCache(projectPath);
+  const newCache = {};
+  const changed = [];
+  const unchanged = [];
+  for (const fp of filePaths) {
+    try {
+      const content = readFileSync(fp, "utf-8");
+      const relPath = relative(resolve(projectPath), resolve(fp));
+      const hash = hashContent(content);
+      newCache[relPath] = hash;
+      if (oldCache[relPath] === hash) {
+        unchanged.push(fp);
+      } else {
+        changed.push(fp);
+      }
+    } catch {
+      changed.push(fp);
+    }
+  }
+  return { changed, unchanged, cache: newCache };
+}
+var DEFAULT_AUDIT_CONFIG = {
+  severityOverrides: {},
+  piiSafeDomains: [],
+  customPatterns: [],
+  entropyThreshold: 5,
+  includePII: true,
+  incrementalScan: true
+};
+function getAuditConfigPath(projectPath) {
+  return join2(projectPath, ".cto", "audit", "config.json");
+}
+function loadAuditConfig(projectPath) {
+  const filePath = getAuditConfigPath(projectPath);
+  if (!existsSync(filePath)) return { ...DEFAULT_AUDIT_CONFIG };
+  try {
+    const loaded = JSON.parse(readFileSync(filePath, "utf-8"));
+    return { ...DEFAULT_AUDIT_CONFIG, ...loaded };
+  } catch {
+    return { ...DEFAULT_AUDIT_CONFIG };
+  }
+}
+function saveAuditConfig(projectPath, config) {
+  const filePath = getAuditConfigPath(projectPath);
+  mkdirSync(dirname(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(config, null, 2) + "\n");
+}
+function applySeverityOverrides(findings, overrides) {
+  if (Object.keys(overrides).length === 0) return findings;
+  return findings.map((f) => {
+    const override = overrides[f.type];
+    if (override) return { ...f, severity: override };
+    return f;
+  });
+}
+function generatePreCommitHook(projectPath, hookType = "husky") {
+  const hookContent = `#!/bin/sh
+# CTO Secret Detection \u2014 Pre-commit hook
+# Auto-generated by: npx cto-ai-cli --audit --init-hook
+# Scans ONLY staged files for secrets before allowing commit.
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+  exit 0
+fi
+
+echo "\u{1F50D} CTO: Scanning $(echo "$STAGED_FILES" | wc -l | tr -d ' ') staged files for secrets..."
+
+# Write staged files to temp list
+TMPFILE=$(mktemp)
+echo "$STAGED_FILES" > "$TMPFILE"
+
+# Run audit in CI mode on staged files only
+CI=true npx cto-ai-cli --audit --files "$TMPFILE"
+RESULT=$?
+
+rm -f "$TMPFILE"
+
+if [ $RESULT -ne 0 ]; then
+  echo ""
+  echo "\u274C Commit blocked: secrets detected in staged files."
+  echo "   Run 'npx cto-ai-cli --audit' to see details."
+  echo "   Use allowlist to mark reviewed findings as safe."
+  echo ""
+  exit 1
+fi
+
+echo "\u2705 No secrets detected. Proceeding with commit."
+`;
+  let hookPath;
+  if (hookType === "husky") {
+    hookPath = join2(projectPath, ".husky", "pre-commit");
+  } else {
+    hookPath = join2(projectPath, ".git", "hooks", "pre-commit");
+  }
+  mkdirSync(dirname(hookPath), { recursive: true });
+  writeFileSync(hookPath, hookContent, { mode: 493 });
+  return hookPath;
+}
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / str.length;
+    if (p > 0) entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var HIGH_ENTROPY_RE = /['"]([a-zA-Z0-9+/=_\-]{30,})['"]|=\s*['"]?([a-zA-Z0-9+/=_\-]{30,})['"]?/g;
+var ENTROPY_SKIP = [
+  /^[a-f0-9]{32,}$/i,
+  // hex hashes
+  /^[A-Z_]{30,}$/,
+  // all-caps constants
+  /^[a-z_]{30,}$/,
+  // all-lowercase identifiers
+  /^[a-zA-Z0-9+/]+=+$/,
+  // base64 padding
+  /^[a-z]+[A-Z][a-zA-Z]+$/,
+  // camelCase identifiers
+  /sha\d+-/i
+  // integrity hashes (sha256-, sha512-)
+];
+function scanContentForHighEntropy(content, filePath, threshold = 5) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.trim().startsWith("//") || line.trim().startsWith("#") || line.trim().startsWith("*")) continue;
+    HIGH_ENTROPY_RE.lastIndex = 0;
+    let match;
+    while ((match = HIGH_ENTROPY_RE.exec(line)) !== null) {
+      const value = match[1] || match[2];
+      if (!value || value.length < 40) continue;
+      if (isTemplateOrPlaceholder(value)) continue;
+      if (ENTROPY_SKIP.some((p) => p.test(value))) continue;
+      const entropy = shannonEntropy(value);
+      if (entropy >= threshold) {
+        findings.push({
+          type: "high-entropy",
+          file: filePath,
+          line: i + 1,
+          match: value,
+          redacted: redactSecret(value),
+          severity: entropy >= 5 ? "high" : "medium"
+        });
+      }
+    }
+  }
+  return deduplicateFindings(findings);
+}
+async function auditProject(projectPath, filePaths, options = {}) {
+  const savedConfig = loadAuditConfig(projectPath);
+  const customPatterns = options.customPatterns ?? savedConfig.customPatterns;
+  const entropyThreshold = options.entropyThreshold ?? savedConfig.entropyThreshold;
+  const includePII = options.includePII ?? savedConfig.includePII;
+  const useAllowlist = options.useAllowlist ?? true;
+  const incrementalScan = options.incrementalScan ?? savedConfig.incrementalScan;
+  const severityOverrides = options.severityOverrides ?? savedConfig.severityOverrides;
+  let extraPiiDomains;
+  const allExtraDomains = [...options.piiSafeDomains || [], ...savedConfig.piiSafeDomains];
+  if (allExtraDomains.length > 0) {
+    extraPiiDomains = new Set(allExtraDomains.map((d) => d.toLowerCase()));
+  }
+  let filesToScan = filePaths;
+  let unchangedCount = 0;
+  let newCache = null;
+  if (incrementalScan) {
+    const { changed, unchanged, cache } = getChangedFiles(projectPath, filePaths);
+    newCache = cache;
+    if (changed.length < filePaths.length) {
+      filesToScan = changed;
+      unchangedCount = unchanged.length;
+    }
+  }
+  const allFindings = [];
+  const filesWithSecrets = /* @__PURE__ */ new Set();
+  for (const fp of filesToScan) {
+    try {
+      const content = await readFile(fp, "utf-8");
+      const relPath = relative(resolve(projectPath), resolve(fp));
+      const isTestFile = /\.(test|spec|mock)\.[jt]sx?$/.test(relPath) || relPath.includes("__tests__");
+      const isDtsFile = relPath.endsWith(".d.ts");
+      let findings = scanContentForSecrets(content, relPath, customPatterns, extraPiiDomains);
+      if (!includePII) {
+        findings = findings.filter((f) => f.type !== "pii");
+      }
+      const entropyFindings = isTestFile || isDtsFile ? [] : scanContentForHighEntropy(content, relPath, entropyThreshold);
+      const combined = [...findings, ...entropyFindings];
+      if (combined.length > 0) {
+        filesWithSecrets.add(relPath);
+        allFindings.push(...combined);
+      }
+    } catch {
+    }
+  }
+  let finalFindings = applySeverityOverrides(allFindings, severityOverrides);
+  let allowedCount = 0;
+  if (useAllowlist) {
+    const { filtered, allowed } = filterByAllowlist(finalFindings, projectPath);
+    finalFindings = filtered;
+    allowedCount = allowed.length;
+  }
+  finalFindings.sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  if (newCache) {
+    saveHashCache(projectPath, newCache);
+  }
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byType = {};
+  for (const f of finalFindings) {
+    bySeverity[f.severity]++;
+    byType[f.type] = (byType[f.type] || 0) + 1;
+  }
+  const recommendations = [];
+  if (bySeverity.critical > 0) {
+    recommendations.push("CRITICAL: Rotate all detected credentials immediately. They may already be compromised.");
+  }
+  if (byType["password"] > 0) {
+    recommendations.push("Move passwords to environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).");
+  }
+  if (byType["api-key"] > 0 || byType["aws-key"] > 0) {
+    recommendations.push("Use environment variables for API keys. Never commit them to source control.");
+  }
+  if (byType["connection-string"] > 0) {
+    recommendations.push("Database connection strings should use environment variables, not hardcoded values.");
+  }
+  if (byType["private-key"] > 0) {
+    recommendations.push("Private keys should NEVER be in source code. Use a key management service.");
+  }
+  if (byType["pii"] > 0) {
+    recommendations.push("PII detected. Review for GDPR/CCPA compliance. Consider data anonymization.");
+  }
+  if (byType["high-entropy"] > 0) {
+    recommendations.push("High-entropy strings detected that may be secrets. Review manually.");
+  }
+  if (finalFindings.length > 0) {
+    recommendations.push("Add a .gitignore entry for .env files if not already present.");
+    recommendations.push("Run `npx cto-ai-cli --audit` regularly or add to CI pipeline.");
+  }
+  if (finalFindings.length === 0) {
+    recommendations.push("No secrets detected. Great job keeping your codebase clean!");
+  }
+  if (allowedCount > 0) {
+    recommendations.push(`${allowedCount} finding(s) skipped via allowlist (.cto/audit/allowlist.json).`);
+  }
+  if (unchangedCount > 0) {
+    recommendations.push(`${unchangedCount} unchanged file(s) skipped (incremental scan).`);
+  }
+  return {
+    findings: finalFindings,
+    summary: {
+      totalFiles: filePaths.length,
+      filesScanned: filesToScan.length,
+      filesWithSecrets: filesWithSecrets.size,
+      totalFindings: finalFindings.length,
+      bySeverity,
+      byType
+    },
+    recommendations
+  };
+}
 
 // src/engine/graph-utils.ts
 function matchGlob(path, pattern) {
@@ -447,7 +875,7 @@ function fileMatchesCategory(path, category) {
 }
 
 // src/govern/snapshot.ts
-import { randomUUID as randomUUID2, createHash as createHash2 } from "crypto";
+import { randomUUID as randomUUID2, createHash as createHash3 } from "crypto";
 import "fs/promises";
 function createSnapshot(name, analysis, selection, metadata = {}) {
   const files = selection.files.map((f) => ({
@@ -540,20 +968,20 @@ function compareSnapshots(older, newer) {
   };
 }
 function hashString(input) {
-  return createHash2("sha256").update(input).digest("hex").substring(0, 16);
+  return createHash3("sha256").update(input).digest("hex").substring(0, 16);
 }
 
 // src/govern/integrity.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 import { readFile as readFile3, chmod as chmod2, readdir as readdir2, stat } from "fs/promises";
-import { join as join2 } from "path";
-function hashContent(content) {
-  return createHash3("sha256").update(content).digest("hex");
+import { join as join3 } from "path";
+function hashContent2(content) {
+  return createHash4("sha256").update(content).digest("hex");
 }
 async function hashFile(filePath) {
   try {
     const content = await readFile3(filePath);
-    return hashContent(content);
+    return hashContent2(content);
   } catch {
     return null;
   }
@@ -568,7 +996,7 @@ async function buildManifest(projectDir) {
       return;
     }
     for (const file of files) {
-      const fullPath = join2(dir, file);
+      const fullPath = join3(dir, file);
       try {
         const fileStat = await stat(fullPath);
         if (fileStat.isFile()) {
@@ -587,8 +1015,8 @@ async function buildManifest(projectDir) {
       }
     }
   }
-  await scanDir(join2(projectDir, "snapshots"), "snapshot");
-  await scanDir(join2(projectDir, "audit"), "audit");
+  await scanDir(join3(projectDir, "snapshots"), "snapshot");
+  await scanDir(join3(projectDir, "audit"), "audit");
   await scanDir(projectDir, "config");
   return {
     version: "2.0",
@@ -622,7 +1050,7 @@ async function securePermissions(dirPath) {
     const files = await readdir2(dirPath);
     for (const file of files) {
       try {
-        const fullPath = join2(dirPath, file);
+        const fullPath = join3(dirPath, file);
         const fileStat = await stat(fullPath);
         if (fileStat.isFile()) {
           await chmod2(fullPath, 384);
@@ -636,18 +1064,29 @@ async function securePermissions(dirPath) {
   return count;
 }
 export {
+  DEFAULT_AUDIT_CONFIG,
   DEFAULT_POLICY,
   addRule,
+  addToAllowlist,
+  auditProject,
   buildManifest,
   compareSnapshots,
   createSnapshot,
+  filterByAllowlist,
+  generatePreCommitHook,
   getAuditEntries,
-  hashContent,
+  getChangedFiles,
+  hashContent2 as hashContent,
   hashFile,
+  loadAllowlist,
+  loadAuditConfig,
   logAudit,
   purgeOldAuditEntries,
   removeRule,
   sanitizeContent,
+  saveAllowlist,
+  saveAuditConfig,
+  scanContentForHighEntropy,
   scanContentForSecrets,
   scanFileForSecrets,
   scanProjectForSecrets,