cto-ai-cli 3.1.0 → 4.0.0

package/dist/action/index.js

@@ -2053,9 +2053,9 @@ var require_dispatcher_base = __commonJS({
       }
       close(callback) {
         if (callback === void 0) {
-          return new Promise((resolve6, reject) => {
+          return new Promise((resolve7, reject) => {
             this.close((err, data) => {
-              return err ? reject(err) : resolve6(data);
+              return err ? reject(err) : resolve7(data);
             });
           });
         }
@@ -2093,12 +2093,12 @@ var require_dispatcher_base = __commonJS({
           err = null;
         }
         if (callback === void 0) {
-          return new Promise((resolve6, reject) => {
+          return new Promise((resolve7, reject) => {
             this.destroy(err, (err2, data) => {
               return err2 ? (
                 /* istanbul ignore next: should never error */
                 reject(err2)
-              ) : resolve6(data);
+              ) : resolve7(data);
             });
           });
         }
@@ -4365,8 +4365,8 @@ var require_util2 = __commonJS({
     function createDeferredPromise() {
       let res;
       let rej;
-      const promise = new Promise((resolve6, reject) => {
-        res = resolve6;
+      const promise = new Promise((resolve7, reject) => {
+        res = resolve7;
         rej = reject;
       });
       return { promise, resolve: res, reject: rej };
@@ -6507,12 +6507,12 @@ upgrade: ${upgrade}\r
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve6, reject) => {
+      const waitForDrain = () => new Promise((resolve7, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve6;
+          callback = resolve7;
         }
       });
       socket.on("close", onDrain).on("drain", onDrain);
@@ -7149,12 +7149,12 @@ var require_client_h2 = __commonJS({
           cb();
         }
       }
-      const waitForDrain = () => new Promise((resolve6, reject) => {
+      const waitForDrain = () => new Promise((resolve7, reject) => {
         assert(callback === null);
         if (socket[kError]) {
           reject(socket[kError]);
         } else {
-          callback = resolve6;
+          callback = resolve7;
         }
       });
       h2stream.on("close", onDrain).on("drain", onDrain);
@@ -7631,16 +7631,16 @@ var require_client = __commonJS({
         return this[kNeedDrain] < 2;
       }
       async [kClose]() {
-        return new Promise((resolve6) => {
+        return new Promise((resolve7) => {
           if (this[kSize]) {
-            this[kClosedResolve] = resolve6;
+            this[kClosedResolve] = resolve7;
           } else {
-            resolve6(null);
+            resolve7(null);
           }
         });
       }
       async [kDestroy](err) {
-        return new Promise((resolve6) => {
+        return new Promise((resolve7) => {
           const requests = this[kQueue].splice(this[kPendingIdx]);
           for (let i = 0; i < requests.length; i++) {
             const request2 = requests[i];
@@ -7651,7 +7651,7 @@ var require_client = __commonJS({
               this[kClosedResolve]();
               this[kClosedResolve] = null;
             }
-            resolve6(null);
+            resolve7(null);
           };
           if (this[kHTTPContext]) {
             this[kHTTPContext].destroy(err, callback);
@@ -7702,7 +7702,7 @@ var require_client = __commonJS({
         });
       }
       try {
-        const socket = await new Promise((resolve6, reject) => {
+        const socket = await new Promise((resolve7, reject) => {
           client[kConnector]({
             host,
             hostname,
@@ -7714,7 +7714,7 @@ var require_client = __commonJS({
             if (err) {
               reject(err);
             } else {
-              resolve6(socket2);
+              resolve7(socket2);
             }
           });
         });
@@ -8051,8 +8051,8 @@ var require_pool_base = __commonJS({
         if (this[kQueue].isEmpty()) {
           await Promise.all(this[kClients].map((c) => c.close()));
         } else {
-          await new Promise((resolve6) => {
-            this[kClosedResolve] = resolve6;
+          await new Promise((resolve7) => {
+            this[kClosedResolve] = resolve7;
           });
         }
       }
@@ -9267,7 +9267,7 @@ var require_readable = __commonJS({
         if (this._readableState.closeEmitted) {
           return null;
         }
-        return await new Promise((resolve6, reject) => {
+        return await new Promise((resolve7, reject) => {
           if (this[kContentLength] > limit) {
             this.destroy(new AbortError());
           }
@@ -9280,7 +9280,7 @@ var require_readable = __commonJS({
             if (signal?.aborted) {
               reject(signal.reason ?? new AbortError());
             } else {
-              resolve6(null);
+              resolve7(null);
             }
           }).on("error", noop3).on("data", function(chunk) {
             limit -= chunk.length;
@@ -9299,7 +9299,7 @@ var require_readable = __commonJS({
     }
     async function consume(stream, type) {
       assert(!stream[kConsume]);
-      return new Promise((resolve6, reject) => {
+      return new Promise((resolve7, reject) => {
         if (isUnusable(stream)) {
           const rState = stream._readableState;
           if (rState.destroyed && rState.closeEmitted === false) {
@@ -9316,7 +9316,7 @@ var require_readable = __commonJS({
             stream[kConsume] = {
               type,
               stream,
-              resolve: resolve6,
+              resolve: resolve7,
               reject,
               length: 0,
               body: []
@@ -9386,18 +9386,18 @@ var require_readable = __commonJS({
       return buffer;
     }
     function consumeEnd(consume2) {
-      const { type, body, resolve: resolve6, stream, length } = consume2;
+      const { type, body, resolve: resolve7, stream, length } = consume2;
       try {
         if (type === "text") {
-          resolve6(chunksDecode(body, length));
+          resolve7(chunksDecode(body, length));
         } else if (type === "json") {
-          resolve6(JSON.parse(chunksDecode(body, length)));
+          resolve7(JSON.parse(chunksDecode(body, length)));
         } else if (type === "arrayBuffer") {
-          resolve6(chunksConcat(body, length).buffer);
+          resolve7(chunksConcat(body, length).buffer);
         } else if (type === "blob") {
-          resolve6(new Blob(body, { type: stream[kContentType] }));
+          resolve7(new Blob(body, { type: stream[kContentType] }));
         } else if (type === "bytes") {
-          resolve6(chunksConcat(body, length));
+          resolve7(chunksConcat(body, length));
         }
         consumeFinish(consume2);
       } catch (err) {
@@ -9655,9 +9655,9 @@ var require_api_request = __commonJS({
     };
     function request2(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve7, reject) => {
           request2.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve6(data);
+            return err ? reject(err) : resolve7(data);
           });
         });
       }
@@ -9881,9 +9881,9 @@ var require_api_stream = __commonJS({
     };
     function stream(opts, factory, callback) {
       if (callback === void 0) {
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve7, reject) => {
           stream.call(this, opts, factory, (err, data) => {
-            return err ? reject(err) : resolve6(data);
+            return err ? reject(err) : resolve7(data);
           });
         });
       }
@@ -10168,9 +10168,9 @@ var require_api_upgrade = __commonJS({
     };
     function upgrade(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve7, reject) => {
           upgrade.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve6(data);
+            return err ? reject(err) : resolve7(data);
           });
         });
       }
@@ -10262,9 +10262,9 @@ var require_api_connect = __commonJS({
     };
     function connect(opts, callback) {
       if (callback === void 0) {
-        return new Promise((resolve6, reject) => {
+        return new Promise((resolve7, reject) => {
           connect.call(this, opts, (err, data) => {
-            return err ? reject(err) : resolve6(data);
+            return err ? reject(err) : resolve7(data);
           });
         });
       }
@@ -14126,7 +14126,7 @@ var require_fetch = __commonJS({
       function dispatch({ body }) {
         const url = requestCurrentURL(request2);
         const agent = fetchParams.controller.dispatcher;
-        return new Promise((resolve6, reject) => agent.dispatch(
+        return new Promise((resolve7, reject) => agent.dispatch(
           {
             path: url.pathname + url.search,
             origin: url.origin,
@@ -14202,7 +14202,7 @@ var require_fetch = __commonJS({
                 }
               }
               const onError = this.onError.bind(this);
-              resolve6({
+              resolve7({
                 status,
                 statusText,
                 headersList,
@@ -14248,7 +14248,7 @@ var require_fetch = __commonJS({
               for (let i = 0; i < rawHeaders.length; i += 2) {
                 headersList.append(bufferToLowerCasedHeaderName(rawHeaders[i]), rawHeaders[i + 1].toString("latin1"), true);
               }
-              resolve6({
+              resolve7({
                 status,
                 statusText: STATUS_CODES[status],
                 headersList,
@@ -17841,8 +17841,8 @@ var require_util8 = __commonJS({
       return true;
     }
     function delay(ms) {
-      return new Promise((resolve6) => {
-        setTimeout(resolve6, ms).unref();
+      return new Promise((resolve7) => {
+        setTimeout(resolve7, ms).unref();
       });
     }
     module.exports = {
@@ -18646,11 +18646,11 @@ var require_lib = __commonJS({
     })();
     var __awaiter3 = exports && exports.__awaiter || function(thisArg, _arguments, P, generator) {
       function adopt(value) {
-        return value instanceof P ? value : new P(function(resolve6) {
-          resolve6(value);
+        return value instanceof P ? value : new P(function(resolve7) {
+          resolve7(value);
         });
       }
-      return new (P || (P = Promise))(function(resolve6, reject) {
+      return new (P || (P = Promise))(function(resolve7, reject) {
         function fulfilled(value) {
           try {
             step(generator.next(value));
@@ -18666,7 +18666,7 @@ var require_lib = __commonJS({
           }
         }
         function step(result) {
-          result.done ? resolve6(result.value) : adopt(result.value).then(fulfilled, rejected);
+          result.done ? resolve7(result.value) : adopt(result.value).then(fulfilled, rejected);
         }
         step((generator = generator.apply(thisArg, _arguments || [])).next());
       });
@@ -18753,26 +18753,26 @@ var require_lib = __commonJS({
       }
       readBody() {
         return __awaiter3(this, void 0, void 0, function* () {
-          return new Promise((resolve6) => __awaiter3(this, void 0, void 0, function* () {
+          return new Promise((resolve7) => __awaiter3(this, void 0, void 0, function* () {
             let output = Buffer.alloc(0);
             this.message.on("data", (chunk) => {
               output = Buffer.concat([output, chunk]);
             });
             this.message.on("end", () => {
-              resolve6(output.toString());
+              resolve7(output.toString());
             });
           }));
         });
       }
       readBodyBuffer() {
         return __awaiter3(this, void 0, void 0, function* () {
-          return new Promise((resolve6) => __awaiter3(this, void 0, void 0, function* () {
+          return new Promise((resolve7) => __awaiter3(this, void 0, void 0, function* () {
             const chunks = [];
             this.message.on("data", (chunk) => {
               chunks.push(chunk);
             });
             this.message.on("end", () => {
-              resolve6(Buffer.concat(chunks));
+              resolve7(Buffer.concat(chunks));
             });
           }));
         });
@@ -18980,14 +18980,14 @@ var require_lib = __commonJS({
        */
       requestRaw(info2, data) {
         return __awaiter3(this, void 0, void 0, function* () {
-          return new Promise((resolve6, reject) => {
+          return new Promise((resolve7, reject) => {
             function callbackForResult(err, res) {
               if (err) {
                 reject(err);
               } else if (!res) {
                 reject(new Error("Unknown error"));
               } else {
-                resolve6(res);
+                resolve7(res);
               }
             }
             this.requestRawWithCallback(info2, data, callbackForResult);
@@ -19231,12 +19231,12 @@ var require_lib = __commonJS({
         return __awaiter3(this, void 0, void 0, function* () {
           retryNumber = Math.min(ExponentialBackoffCeiling, retryNumber);
           const ms = ExponentialBackoffTimeSlice * Math.pow(2, retryNumber);
-          return new Promise((resolve6) => setTimeout(() => resolve6(), ms));
+          return new Promise((resolve7) => setTimeout(() => resolve7(), ms));
         });
       }
       _processResponse(res, options) {
         return __awaiter3(this, void 0, void 0, function* () {
-          return new Promise((resolve6, reject) => __awaiter3(this, void 0, void 0, function* () {
+          return new Promise((resolve7, reject) => __awaiter3(this, void 0, void 0, function* () {
             const statusCode = res.message.statusCode || 0;
             const response = {
               statusCode,
@@ -19244,7 +19244,7 @@ var require_lib = __commonJS({
               headers: {}
             };
             if (statusCode === HttpCodes2.NotFound) {
-              resolve6(response);
+              resolve7(response);
             }
             function dateTimeDeserializer(key, value) {
               if (typeof value === "string") {
@@ -19283,7 +19283,7 @@ var require_lib = __commonJS({
               err.result = response.result;
               reject(err);
             } else {
-              resolve6(response);
+              resolve7(response);
             }
           }));
         });
@@ -19552,11 +19552,11 @@ import { EOL as EOL3 } from "os";
 import { constants, promises } from "fs";
 var __awaiter = function(thisArg, _arguments, P, generator) {
   function adopt(value) {
-    return value instanceof P ? value : new P(function(resolve6) {
-      resolve6(value);
+    return value instanceof P ? value : new P(function(resolve7) {
+      resolve7(value);
     });
   }
-  return new (P || (P = Promise))(function(resolve6, reject) {
+  return new (P || (P = Promise))(function(resolve7, reject) {
     function fulfilled(value) {
       try {
         step(generator.next(value));
@@ -19572,7 +19572,7 @@ var __awaiter = function(thisArg, _arguments, P, generator) {
       }
     }
     function step(result) {
-      result.done ? resolve6(result.value) : adopt(result.value).then(fulfilled, rejected);
+      result.done ? resolve7(result.value) : adopt(result.value).then(fulfilled, rejected);
     }
     step((generator = generator.apply(thisArg, _arguments || [])).next());
   });
@@ -19939,11 +19939,11 @@ var httpClient = __toESM(require_lib(), 1);
 var import_undici2 = __toESM(require_undici(), 1);
 var __awaiter2 = function(thisArg, _arguments, P, generator) {
   function adopt(value) {
-    return value instanceof P ? value : new P(function(resolve6) {
-      resolve6(value);
+    return value instanceof P ? value : new P(function(resolve7) {
+      resolve7(value);
     });
   }
-  return new (P || (P = Promise))(function(resolve6, reject) {
+  return new (P || (P = Promise))(function(resolve7, reject) {
     function fulfilled(value) {
       try {
         step(generator.next(value));
@@ -19959,7 +19959,7 @@ var __awaiter2 = function(thisArg, _arguments, P, generator) {
       }
     }
     function step(result) {
-      result.done ? resolve6(result.value) : adopt(result.value).then(fulfilled, rejected);
+      result.done ? resolve7(result.value) : adopt(result.value).then(fulfilled, rejected);
     }
     step((generator = generator.apply(thisArg, _arguments || [])).next());
   });
@@ -23589,7 +23589,7 @@ function getOctokit(token, options, ...additionalPlugins) {
 }
 
 // src/action/index.ts
-import { resolve as resolve5 } from "path";
+import { resolve as resolve6 } from "path";
 
 // src/engine/analyzer.ts
 import { readFile as readFile2, readdir as readdir2, stat as stat3 } from "fs/promises";
@@ -24295,11 +24295,13 @@ function mergeConfig(base, overrides) {
 }
 
 // src/engine/selector.ts
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 
 // src/govern/secrets.ts
 import { readFile as readFile3 } from "fs/promises";
-import { resolve as resolve3, relative as relative3 } from "path";
+import { readFileSync as readFileSync2, existsSync as existsSync4, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve3, relative as relative3, join as join3, dirname as dirname2 } from "path";
+import { createHash as createHash2 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -24324,15 +24326,66 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -24346,7 +24399,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -24358,6 +24411,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -24405,6 +24459,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -24414,12 +24498,281 @@ function deduplicateFindings(findings) {
     return true;
   });
 }
+function fingerprintFinding(f) {
+  return createHash2("sha256").update(`${f.file}:${f.type}:${f.match}`).digest("hex").slice(0, 32);
+}
+function getAllowlistPath(projectPath) {
+  return join3(projectPath, ".cto", "audit", "allowlist.json");
+}
+function loadAllowlist(projectPath) {
+  const filePath = getAllowlistPath(projectPath);
+  if (!existsSync4(filePath)) return [];
+  try {
+    return JSON.parse(readFileSync2(filePath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+function filterByAllowlist(findings, projectPath) {
+  const allowlist = loadAllowlist(projectPath);
+  if (allowlist.length === 0) return { filtered: findings, allowed: [] };
+  const allowedFingerprints = new Set(allowlist.map((e) => e.fingerprint));
+  const filtered = [];
+  const allowed = [];
+  for (const f of findings) {
+    if (allowedFingerprints.has(fingerprintFinding(f))) {
+      allowed.push(f);
+    } else {
+      filtered.push(f);
+    }
+  }
+  return { filtered, allowed };
+}
+function getHashCachePath(projectPath) {
+  return join3(projectPath, ".cto", "audit", ".hashcache.json");
+}
+function loadHashCache(projectPath) {
+  const filePath = getHashCachePath(projectPath);
+  if (!existsSync4(filePath)) return {};
+  try {
+    return JSON.parse(readFileSync2(filePath, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveHashCache(projectPath, cache) {
+  const filePath = getHashCachePath(projectPath);
+  mkdirSync(dirname2(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(cache));
+}
+function hashContent(content) {
+  return createHash2("sha256").update(content).digest("hex").slice(0, 16);
+}
+function getChangedFiles(projectPath, filePaths) {
+  const oldCache = loadHashCache(projectPath);
+  const newCache = {};
+  const changed = [];
+  const unchanged = [];
+  for (const fp of filePaths) {
+    try {
+      const content = readFileSync2(fp, "utf-8");
+      const relPath = relative3(resolve3(projectPath), resolve3(fp));
+      const hash = hashContent(content);
+      newCache[relPath] = hash;
+      if (oldCache[relPath] === hash) {
+        unchanged.push(fp);
+      } else {
+        changed.push(fp);
+      }
+    } catch {
+      changed.push(fp);
+    }
+  }
+  return { changed, unchanged, cache: newCache };
+}
+var DEFAULT_AUDIT_CONFIG = {
+  severityOverrides: {},
+  piiSafeDomains: [],
+  customPatterns: [],
+  entropyThreshold: 5,
+  includePII: true,
+  incrementalScan: true
+};
+function getAuditConfigPath(projectPath) {
+  return join3(projectPath, ".cto", "audit", "config.json");
+}
+function loadAuditConfig(projectPath) {
+  const filePath = getAuditConfigPath(projectPath);
+  if (!existsSync4(filePath)) return { ...DEFAULT_AUDIT_CONFIG };
+  try {
+    const loaded = JSON.parse(readFileSync2(filePath, "utf-8"));
+    return { ...DEFAULT_AUDIT_CONFIG, ...loaded };
+  } catch {
+    return { ...DEFAULT_AUDIT_CONFIG };
+  }
+}
+function applySeverityOverrides(findings, overrides) {
+  if (Object.keys(overrides).length === 0) return findings;
+  return findings.map((f) => {
+    const override = overrides[f.type];
+    if (override) return { ...f, severity: override };
+    return f;
+  });
+}
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / str.length;
+    if (p > 0) entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var HIGH_ENTROPY_RE = /['"]([a-zA-Z0-9+/=_\-]{30,})['"]|=\s*['"]?([a-zA-Z0-9+/=_\-]{30,})['"]?/g;
+var ENTROPY_SKIP = [
+  /^[a-f0-9]{32,}$/i,
+  // hex hashes
+  /^[A-Z_]{30,}$/,
+  // all-caps constants
+  /^[a-z_]{30,}$/,
+  // all-lowercase identifiers
+  /^[a-zA-Z0-9+/]+=+$/,
+  // base64 padding
+  /^[a-z]+[A-Z][a-zA-Z]+$/,
+  // camelCase identifiers
+  /sha\d+-/i
+  // integrity hashes (sha256-, sha512-)
+];
+function scanContentForHighEntropy(content, filePath, threshold = 5) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.trim().startsWith("//") || line.trim().startsWith("#") || line.trim().startsWith("*")) continue;
+    HIGH_ENTROPY_RE.lastIndex = 0;
+    let match;
+    while ((match = HIGH_ENTROPY_RE.exec(line)) !== null) {
+      const value = match[1] || match[2];
+      if (!value || value.length < 40) continue;
+      if (isTemplateOrPlaceholder(value)) continue;
+      if (ENTROPY_SKIP.some((p) => p.test(value))) continue;
+      const entropy = shannonEntropy(value);
+      if (entropy >= threshold) {
+        findings.push({
+          type: "high-entropy",
+          file: filePath,
+          line: i + 1,
+          match: value,
+          redacted: redactSecret(value),
+          severity: entropy >= 5 ? "high" : "medium"
+        });
+      }
+    }
+  }
+  return deduplicateFindings(findings);
+}
+async function auditProject(projectPath, filePaths, options = {}) {
+  const savedConfig = loadAuditConfig(projectPath);
+  const customPatterns = options.customPatterns ?? savedConfig.customPatterns;
+  const entropyThreshold = options.entropyThreshold ?? savedConfig.entropyThreshold;
+  const includePII = options.includePII ?? savedConfig.includePII;
+  const useAllowlist = options.useAllowlist ?? true;
+  const incrementalScan = options.incrementalScan ?? savedConfig.incrementalScan;
+  const severityOverrides = options.severityOverrides ?? savedConfig.severityOverrides;
+  let extraPiiDomains;
+  const allExtraDomains = [...options.piiSafeDomains || [], ...savedConfig.piiSafeDomains];
+  if (allExtraDomains.length > 0) {
+    extraPiiDomains = new Set(allExtraDomains.map((d) => d.toLowerCase()));
+  }
+  let filesToScan = filePaths;
+  let unchangedCount = 0;
+  let newCache = null;
+  if (incrementalScan) {
+    const { changed, unchanged, cache } = getChangedFiles(projectPath, filePaths);
+    newCache = cache;
+    if (changed.length < filePaths.length) {
+      filesToScan = changed;
+      unchangedCount = unchanged.length;
+    }
+  }
+  const allFindings = [];
+  const filesWithSecrets = /* @__PURE__ */ new Set();
+  for (const fp of filesToScan) {
+    try {
+      const content = await readFile3(fp, "utf-8");
+      const relPath = relative3(resolve3(projectPath), resolve3(fp));
+      const isTestFile = /\.(test|spec|mock)\.[jt]sx?$/.test(relPath) || relPath.includes("__tests__");
+      const isDtsFile = relPath.endsWith(".d.ts");
+      let findings = scanContentForSecrets(content, relPath, customPatterns, extraPiiDomains);
+      if (!includePII) {
+        findings = findings.filter((f) => f.type !== "pii");
+      }
+      const entropyFindings = isTestFile || isDtsFile ? [] : scanContentForHighEntropy(content, relPath, entropyThreshold);
+      const combined = [...findings, ...entropyFindings];
+      if (combined.length > 0) {
+        filesWithSecrets.add(relPath);
+        allFindings.push(...combined);
+      }
+    } catch {
+    }
+  }
+  let finalFindings = applySeverityOverrides(allFindings, severityOverrides);
+  let allowedCount = 0;
+  if (useAllowlist) {
+    const { filtered, allowed } = filterByAllowlist(finalFindings, projectPath);
+    finalFindings = filtered;
+    allowedCount = allowed.length;
+  }
+  finalFindings.sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  if (newCache) {
+    saveHashCache(projectPath, newCache);
+  }
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byType = {};
+  for (const f of finalFindings) {
+    bySeverity[f.severity]++;
+    byType[f.type] = (byType[f.type] || 0) + 1;
+  }
+  const recommendations = [];
+  if (bySeverity.critical > 0) {
+    recommendations.push("CRITICAL: Rotate all detected credentials immediately. They may already be compromised.");
+  }
+  if (byType["password"] > 0) {
+    recommendations.push("Move passwords to environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).");
+  }
+  if (byType["api-key"] > 0 || byType["aws-key"] > 0) {
+    recommendations.push("Use environment variables for API keys. Never commit them to source control.");
+  }
+  if (byType["connection-string"] > 0) {
+    recommendations.push("Database connection strings should use environment variables, not hardcoded values.");
+  }
+  if (byType["private-key"] > 0) {
+    recommendations.push("Private keys should NEVER be in source code. Use a key management service.");
+  }
+  if (byType["pii"] > 0) {
+    recommendations.push("PII detected. Review for GDPR/CCPA compliance. Consider data anonymization.");
+  }
+  if (byType["high-entropy"] > 0) {
+    recommendations.push("High-entropy strings detected that may be secrets. Review manually.");
+  }
+  if (finalFindings.length > 0) {
+    recommendations.push("Add a .gitignore entry for .env files if not already present.");
+    recommendations.push("Run `npx cto-ai-cli --audit` regularly or add to CI pipeline.");
+  }
+  if (finalFindings.length === 0) {
+    recommendations.push("No secrets detected. Great job keeping your codebase clean!");
+  }
+  if (allowedCount > 0) {
+    recommendations.push(`${allowedCount} finding(s) skipped via allowlist (.cto/audit/allowlist.json).`);
+  }
+  if (unchangedCount > 0) {
+    recommendations.push(`${unchangedCount} unchanged file(s) skipped (incremental scan).`);
+  }
+  return {
+    findings: finalFindings,
+    summary: {
+      totalFiles: filePaths.length,
+      filesScanned: filesToScan.length,
+      filesWithSecrets: filesWithSecrets.size,
+      totalFindings: finalFindings.length,
+      bySeverity,
+      byType
+    },
+    recommendations
+  };
+}
 
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile4 } from "fs/promises";
-import { existsSync as existsSync4 } from "fs";
-import { join as join3 } from "path";
+import { existsSync as existsSync5 } from "fs";
+import { join as join4 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file, level) {
   if (level === "excluded") {
@@ -24665,9 +25018,9 @@ function addJSDoc(node, parts) {
 function findTsConfig(filePath) {
   let dir = filePath;
   for (let i = 0; i < 10; i++) {
-    dir = join3(dir, "..");
-    const candidate = join3(dir, "tsconfig.json");
-    if (existsSync4(candidate)) return candidate;
+    dir = join4(dir, "..");
+    const candidate = join4(dir, "tsconfig.json");
+    if (existsSync5(candidate)) return candidate;
   }
   return void 0;
 }
@@ -24934,7 +25287,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash2("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -25578,10 +25931,182 @@ function emptyResult2(baseBranch) {
   };
 }
 
+// src/engine/quality-gate.ts
+import { readFile as readFile5, writeFile as writeFile3, mkdir as mkdir2 } from "fs/promises";
+import { resolve as resolve5 } from "path";
+import { existsSync as existsSync6 } from "fs";
+var DEFAULT_GATE_CONFIG = {
+  threshold: 70,
+  failOnSecrets: true,
+  failOnRegression: true,
+  regressionLimit: 5,
+  baselinePath: ".cto/baseline.json",
+  secretSeverities: ["critical", "high"]
+};
+async function loadBaseline(projectPath, baselinePath) {
+  const filePath = resolve5(projectPath, baselinePath || ".cto/baseline.json");
+  if (!existsSync6(filePath)) return null;
+  try {
+    const content = await readFile5(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function saveBaseline(projectPath, score, commit, branch, baselinePath) {
+  const dir = resolve5(projectPath, ".cto");
+  if (!existsSync6(dir)) await mkdir2(dir, { recursive: true });
+  const baseline = {
+    score: score.overall,
+    grade: score.grade,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    commit,
+    branch,
+    dimensions: {
+      efficiency: score.dimensions.efficiency.score,
+      coverage: score.dimensions.coverage.score,
+      riskControl: score.dimensions.riskControl.score,
+      structure: score.dimensions.structure.score,
+      governance: score.dimensions.governance.score
+    }
+  };
+  const filePath = resolve5(projectPath, baselinePath || ".cto/baseline.json");
+  await writeFile3(filePath, JSON.stringify(baseline, null, 2));
+}
+async function runQualityGate(score, analysis, secretFindings, config = {}) {
+  const cfg = { ...DEFAULT_GATE_CONFIG, ...config };
+  const checks = [];
+  const baseline = await loadBaseline(analysis.projectPath, cfg.baselinePath);
+  const previousScore = baseline?.score ?? null;
+  const delta = previousScore !== null ? score.overall - previousScore : null;
+  const thresholdPassed = score.overall >= cfg.threshold;
+  checks.push({
+    name: "Score threshold",
+    passed: thresholdPassed,
+    detail: thresholdPassed ? `Score ${score.overall} \u2265 threshold ${cfg.threshold}` : `Score ${score.overall} < threshold ${cfg.threshold}`,
+    severity: thresholdPassed ? "info" : "error"
+  });
+  const dangerousSecrets = secretFindings.filter(
+    (f) => cfg.secretSeverities.includes(f.severity)
+  );
+  const secretsPassed = !cfg.failOnSecrets || dangerousSecrets.length === 0;
+  checks.push({
+    name: "No secrets detected",
+    passed: secretsPassed,
+    detail: secretsPassed ? "No critical/high severity secrets found" : `${dangerousSecrets.length} secret(s) with ${cfg.secretSeverities.join("/")} severity`,
+    severity: secretsPassed ? "info" : "error"
+  });
+  let regressionPassed = true;
+  if (cfg.failOnRegression && delta !== null) {
+    regressionPassed = delta >= -cfg.regressionLimit;
+  }
+  checks.push({
+    name: "No score regression",
+    passed: regressionPassed,
+    detail: delta !== null ? regressionPassed ? `Score changed by ${delta >= 0 ? "+" : ""}${delta} (limit: -${cfg.regressionLimit})` : `Score dropped by ${Math.abs(delta)} points (limit: -${cfg.regressionLimit})` : "No baseline found (first run)",
+    severity: regressionPassed ? delta !== null && delta < 0 ? "warning" : "info" : "error"
+  });
+  const weakDimensions = Object.entries(score.dimensions).filter(([_, d]) => d.score < 50).map(([name]) => name);
+  const dimensionsPassed = weakDimensions.length === 0;
+  checks.push({
+    name: "Dimension health",
+    passed: dimensionsPassed,
+    detail: dimensionsPassed ? "All dimensions above 50%" : `Weak dimensions: ${weakDimensions.join(", ")}`,
+    severity: dimensionsPassed ? "info" : "warning"
+  });
+  const passed = checks.filter((c) => c.severity === "error").every((c) => c.passed);
+  const prComment = generatePRComment(score, analysis, checks, baseline, delta);
+  const summary2 = generateSummary(score, checks, passed);
+  return {
+    passed,
+    score: score.overall,
+    grade: score.grade,
+    previousScore,
+    delta,
+    checks,
+    baseline,
+    prComment,
+    summary: summary2
+  };
+}
+function generatePRComment(score, analysis, checks, baseline, delta) {
+  const gradeEmoji = score.grade.startsWith("A") ? "\u{1F7E2}" : score.grade.startsWith("B") ? "\u{1F535}" : score.grade.startsWith("C") ? "\u{1F7E1}" : "\u{1F534}";
+  const allPassed = checks.filter((c) => c.severity === "error").every((c) => c.passed);
+  const statusIcon = allPassed ? "\u2705" : "\u274C";
+  const deltaStr = delta !== null ? ` (${delta >= 0 ? "+" : ""}${delta})` : "";
+  const lines = [
+    `## ${statusIcon} CTO Quality Gate ${allPassed ? "Passed" : "Failed"}`,
+    "",
+    `### ${gradeEmoji} Context Score: ${score.overall}/100 (${score.grade})${deltaStr}`,
+    "",
+    `> **${analysis.projectName}** \xB7 ${analysis.totalFiles} files \xB7 ${Math.round(analysis.totalTokens / 1e3)}K tokens`,
+    "",
+    "### Checks",
+    "",
+    "| Check | Status | Detail |",
+    "|-------|--------|--------|"
+  ];
+  for (const check of checks) {
+    const icon = check.passed ? "\u2705" : check.severity === "warning" ? "\u26A0\uFE0F" : "\u274C";
+    lines.push(`| ${check.name} | ${icon} | ${check.detail} |`);
+  }
+  lines.push("");
+  lines.push("### Dimensions");
+  lines.push("");
+  lines.push("| Dimension | Score | vs Baseline |");
+  lines.push("|-----------|-------|-------------|");
+  for (const [name, dim] of Object.entries(score.dimensions)) {
+    const prev = baseline?.dimensions[name];
+    const diff = prev !== void 0 ? dim.score - prev : null;
+    const diffStr = diff !== null ? `${diff >= 0 ? "+" : ""}${diff}` : "\u2014";
+    const bar = renderBar(dim.score);
+    lines.push(`| ${name} | ${bar} ${dim.score}% | ${diffStr} |`);
+  }
+  lines.push("");
+  lines.push("### Savings");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| Tokens saved | ${score.comparison.savedTokens.toLocaleString()} (${score.comparison.savedPercent}%) |`);
+  lines.push(`| Monthly savings | $${score.comparison.monthlySavingsUSD.toFixed(2)} |`);
+  if (score.insights.length > 0) {
+    lines.push("");
+    lines.push("### Insights");
+    lines.push("");
+    for (const insight of score.insights.slice(0, 5)) {
+      const icon = insight.type === "strength" ? "\u2705" : insight.type === "weakness" ? "\u26A0\uFE0F" : "\u{1F4A1}";
+      lines.push(`- ${icon} **${insight.title}** \u2014 ${insight.detail}`);
+    }
+  }
+  lines.push("");
+  lines.push("---");
+  lines.push(`<sub>Generated by [CTO Quality Gate](https://npmjs.com/package/cto-ai-cli) \xB7 ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}</sub>`);
+  return lines.join("\n");
+}
+function renderBar(score) {
+  const filled = Math.round(score / 10);
+  return "\u2588".repeat(filled) + "\u2591".repeat(10 - filled);
+}
+function generateSummary(score, checks, passed) {
+  const status = passed ? "\u2705 PASSED" : "\u274C FAILED";
+  const failedChecks = checks.filter((c) => !c.passed && c.severity === "error");
+  const warnings = checks.filter((c) => !c.passed && c.severity === "warning");
+  let summary2 = `Quality Gate ${status} \u2014 Score: ${score.overall}/100 (${score.grade})`;
+  if (failedChecks.length > 0) {
+    summary2 += `
+Failed: ${failedChecks.map((c) => c.name).join(", ")}`;
+  }
+  if (warnings.length > 0) {
+    summary2 += `
+Warnings: ${warnings.map((c) => c.name).join(", ")}`;
+  }
+  return summary2;
+}
+
 // src/action/index.ts
 async function run() {
   try {
-    const projectPath = resolve5(getInput("path") || ".");
+    const projectPath = resolve6(getInput("path") || ".");
     const budget = parseInt(getInput("budget") || "50000", 10);
     const task = getInput("task") || "general code review and refactoring";
     const token = getInput("github-token") || process.env.GITHUB_TOKEN || "";
@@ -25658,11 +26183,30 @@ async function run() {
       `---`,
       `<sub>Generated by [CTO Context Score](https://github.com/cto-ai/cto-ai-cli) \xB7 ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}</sub>`
     ].join("\n");
+    const threshold = parseInt(getInput("threshold") || "70", 10);
+    const failOnSecrets = getInput("fail-on-secrets") !== "false";
+    const failOnRegression = getInput("fail-on-regression") !== "false";
+    const shouldSaveBaseline = getInput("save-baseline") !== "false";
+    const filePaths = analysis.files.map((f) => f.path);
+    const auditResult = await auditProject(projectPath, filePaths, { includePII: false });
+    info(`  Secrets scan: ${auditResult.summary.totalFindings} findings`);
+    const gateResult = await runQualityGate(score, analysis, auditResult.findings, {
+      threshold,
+      failOnSecrets,
+      failOnRegression
+    });
+    info(`  Quality Gate: ${gateResult.passed ? "PASSED" : "FAILED"}`);
+    if (shouldSaveBaseline) {
+      await saveBaseline(projectPath, score);
+      info("  Baseline saved");
+    }
     setOutput("score", score.overall.toString());
     setOutput("grade", score.grade);
+    setOutput("passed", gateResult.passed.toString());
     setOutput("saved-percent", score.comparison.savedPercent.toString());
     setOutput("monthly-savings", score.comparison.monthlySavingsUSD.toFixed(2));
-    setOutput("json", JSON.stringify({ score, benchmark }));
+    setOutput("gate-summary", gateResult.summary);
+    setOutput("json", JSON.stringify({ score, benchmark, gate: gateResult }));
     if (commentOnPR && isPR && token) {
       const octokit = getOctokit(token);
       const { owner, repo } = context2.repo;
@@ -25698,6 +26242,8 @@ async function run() {
     summary.addHeading(`${gradeEmoji} Context Score: ${score.overall}/100 (${score.grade})`).addRaw(body).write();
     if (failBelow > 0 && score.overall < failBelow) {
       setFailed(`Context Score ${score.overall} is below threshold ${failBelow}`);
+    } else if (!gateResult.passed) {
+      setFailed(gateResult.summary);
     }
   } catch (error2) {
     if (error2 instanceof Error) {