cto-ai-cli 3.1.0 → 4.0.0

package/dist/mcp/v2.js

@@ -13778,8 +13778,8 @@ function date4(params) {
 config(en_default());
 
 // src/mcp/v2.ts
-import { resolve as resolve8, join as join7 } from "path";
-import { readFile as readFile8, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
+import { resolve as resolve8, join as join8 } from "path";
+import { readFile as readFile8, writeFile as writeFile3, mkdir as mkdir2 } from "fs/promises";
 
 // src/engine/analyzer.ts
 import { readFile as readFile2, readdir, stat as stat2 } from "fs/promises";
@@ -14716,11 +14716,13 @@ function getActiveWatchers() {
 }
 
 // src/engine/selector.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 
 // src/govern/secrets.ts
 import { readFile as readFile3 } from "fs/promises";
-import { resolve as resolve5, relative as relative4 } from "path";
+import { readFileSync, existsSync as existsSync2, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve5, relative as relative4, join as join4, dirname as dirname2 } from "path";
+import { createHash as createHash3 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -14745,15 +14747,66 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom2 of customPatterns) {
     try {
       patterns.push({
@@ -14767,7 +14820,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -14779,6 +14832,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -14837,6 +14891,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain2 = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain2)) return true;
+  if (extraDomains && extraDomains.has(domain2)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -14850,8 +14934,8 @@ function deduplicateFindings(findings) {
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile4 } from "fs/promises";
-import { existsSync as existsSync2 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync3 } from "fs";
+import { join as join5 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file2, level) {
   if (level === "excluded") {
@@ -15097,9 +15181,9 @@ function addJSDoc(node, parts) {
 function findTsConfig(filePath) {
   let dir = filePath;
   for (let i = 0; i < 10; i++) {
-    dir = join4(dir, "..");
-    const candidate = join4(dir, "tsconfig.json");
-    if (existsSync2(candidate)) return candidate;
+    dir = join5(dir, "..");
+    const candidate = join5(dir, "tsconfig.json");
+    if (existsSync3(candidate)) return candidate;
   }
   return void 0;
 }
@@ -15366,7 +15450,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash2 = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash2 = createHash4("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -16866,25 +16950,25 @@ function fmt2(n) {
 }
 
 // src/engine/config.ts
-import { readFile as readFile6, writeFile, mkdir } from "fs/promises";
-import { join as join5 } from "path";
-import { existsSync as existsSync3 } from "fs";
+import { readFile as readFile6, writeFile as writeFile2, mkdir } from "fs/promises";
+import { join as join6 } from "path";
+import { existsSync as existsSync4 } from "fs";
 import { parse as parseYAML, stringify as stringifyYAML } from "yaml";
 var CONFIG_DIR = ".cto";
 var CONFIG_FILE = "config.yml";
 var POLICY_FILE = "policy.yml";
 function getConfigPath(projectPath) {
-  return join5(projectPath, CONFIG_DIR, CONFIG_FILE);
+  return join6(projectPath, CONFIG_DIR, CONFIG_FILE);
 }
 function getPolicyPath(projectPath) {
-  return join5(projectPath, CONFIG_DIR, POLICY_FILE);
+  return join6(projectPath, CONFIG_DIR, POLICY_FILE);
 }
 function getCTODir(projectPath) {
-  return join5(projectPath, CONFIG_DIR);
+  return join6(projectPath, CONFIG_DIR);
 }
 async function loadConfig(projectPath) {
   const configPath = getConfigPath(projectPath);
-  if (!existsSync3(configPath)) {
+  if (!existsSync4(configPath)) {
     return { ...DEFAULT_CONFIG };
   }
   try {
@@ -16900,20 +16984,20 @@ async function saveConfig(projectPath, config2) {
   await mkdir(ctoDir, { recursive: true });
   const configPath = getConfigPath(projectPath);
   const yamlContent = stringifyYAML(config2, { indent: 2 });
-  await writeFile(configPath, yamlContent, "utf-8");
+  await writeFile2(configPath, yamlContent, "utf-8");
   return configPath;
 }
 async function initProjectConfig(projectPath) {
   const ctoDir = getCTODir(projectPath);
-  await mkdir(join5(ctoDir, "snapshots"), { recursive: true });
+  await mkdir(join6(ctoDir, "snapshots"), { recursive: true });
   const created = [];
   const configPath = getConfigPath(projectPath);
-  if (!existsSync3(configPath)) {
+  if (!existsSync4(configPath)) {
     await saveConfig(projectPath, DEFAULT_CONFIG);
     created.push(configPath);
   }
   const policyPath = getPolicyPath(projectPath);
-  if (!existsSync3(policyPath)) {
+  if (!existsSync4(policyPath)) {
     const defaultPolicy = {
       version: "1.0",
       name: "default",
@@ -16956,14 +17040,14 @@ async function initProjectConfig(projectPath) {
       ]
     };
     const yamlContent = stringifyYAML(defaultPolicy, { indent: 2 });
-    await writeFile(policyPath, yamlContent, "utf-8");
+    await writeFile2(policyPath, yamlContent, "utf-8");
     created.push(policyPath);
   }
   return { configPath, policyPath, created };
 }
 async function loadPolicyFromYAML(projectPath) {
   const policyPath = getPolicyPath(projectPath);
-  if (!existsSync3(policyPath)) return null;
+  if (!existsSync4(policyPath)) return null;
   try {
     const raw = await readFile6(policyPath, "utf-8");
     return parseYAML(raw);
@@ -17031,20 +17115,20 @@ function formatCost(cost) {
 }
 
 // src/govern/audit.ts
-import { randomUUID, createHash as createHash4 } from "crypto";
+import { randomUUID, createHash as createHash5 } from "crypto";
 import { readdir as readdir3, chmod } from "fs/promises";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 import { userInfo } from "os";
 import { homedir } from "os";
 var CTO_DIR = ".cto-ai";
 var AUDIT_DIR = "audit";
 var MAX_ENTRIES_PER_FILE = 500;
 function getAuditDir() {
-  return join6(homedir(), CTO_DIR, AUDIT_DIR);
+  return join7(homedir(), CTO_DIR, AUDIT_DIR);
 }
 function getCurrentAuditFile() {
   const date5 = (/* @__PURE__ */ new Date()).toISOString().split("T")[0].replace(/-/g, "");
-  return join6(getAuditDir(), `audit_${date5}.json`);
+  return join7(getAuditDir(), `audit_${date5}.json`);
 }
 function computeIntegrityHash(entry) {
   const payload = JSON.stringify({
@@ -17055,7 +17139,7 @@ function computeIntegrityHash(entry) {
     projectPath: entry.projectPath,
     details: entry.details
   });
-  return createHash4("sha256").update(payload).digest("hex");
+  return createHash5("sha256").update(payload).digest("hex");
 }
 async function ensureDir(dirPath) {
   const { mkdir: mkdir3 } = await import("fs/promises");
@@ -17071,9 +17155,9 @@ async function readJSON(filePath) {
   }
 }
 async function writeJSON(filePath, data) {
-  const { writeFile: writeFile3 } = await import("fs/promises");
-  await ensureDir(join6(filePath, ".."));
-  await writeFile3(filePath, JSON.stringify(data, null, 2), "utf-8");
+  const { writeFile: writeFile4 } = await import("fs/promises");
+  await ensureDir(join7(filePath, ".."));
+  await writeFile4(filePath, JSON.stringify(data, null, 2), "utf-8");
 }
 async function logAudit(action, projectPath, details = {}) {
   const auditDir = getAuditDir();
@@ -17122,7 +17206,7 @@ async function getAuditEntries(options = {}) {
   const limit = options.limit ?? 100;
   for (const file2 of auditFiles) {
     if (allEntries.length >= limit) break;
-    const entries = await readJSON(join6(auditDir, file2));
+    const entries = await readJSON(join7(auditDir, file2));
     if (!entries) continue;
     for (const entry of entries.reverse()) {
       if (allEntries.length >= limit) break;
@@ -17373,7 +17457,7 @@ function fileMatchesCategory(path, category) {
 }
 
 // src/govern/snapshot.ts
-import { randomUUID as randomUUID3, createHash as createHash5 } from "crypto";
+import { randomUUID as randomUUID3, createHash as createHash6 } from "crypto";
 import "fs/promises";
 function createSnapshot(name, analysis, selection, metadata = {}) {
   const files = selection.files.map((f) => ({
@@ -17466,13 +17550,13 @@ function compareSnapshots(older, newer) {
   };
 }
 function hashString(input) {
-  return createHash5("sha256").update(input).digest("hex").substring(0, 16);
+  return createHash6("sha256").update(input).digest("hex").substring(0, 16);
 }
 
 // src/mcp/v2.ts
 var SNAPSHOTS_DIR = ".cto/snapshots";
 async function loadSnapshotFile(projectPath, name) {
-  const filePath = join7(projectPath, SNAPSHOTS_DIR, `${name}.json`);
+  const filePath = join8(projectPath, SNAPSHOTS_DIR, `${name}.json`);
   const content = await readFile8(filePath, "utf-8");
   return JSON.parse(content);
 }
@@ -17876,10 +17960,10 @@ server.tool(
         budget: budget ?? config2.interaction.defaultBudget,
         createdBy: process.env.USER ?? "unknown"
       });
-      const dir = join7(absPath, SNAPSHOTS_DIR);
+      const dir = join8(absPath, SNAPSHOTS_DIR);
       await mkdir2(dir, { recursive: true });
-      const filePath = join7(dir, `${name}.json`);
-      await writeFile2(filePath, JSON.stringify(snapshot, null, 2), "utf-8");
+      const filePath = join8(dir, `${name}.json`);
+      await writeFile3(filePath, JSON.stringify(snapshot, null, 2), "utf-8");
       return {
         content: [{
           type: "text",