cto-ai-cli 3.1.0 → 4.0.0

package/dist/api/server.js

@@ -800,11 +800,13 @@ async function getCachedAnalysis(projectPath, config) {
 }
 
 // src/engine/selector.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 
 // src/govern/secrets.ts
 import { readFile as readFile3 } from "fs/promises";
-import { resolve as resolve4, relative as relative4 } from "path";
+import { readFileSync, existsSync as existsSync2, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve4, relative as relative4, join as join4, dirname as dirname2 } from "path";
+import { createHash as createHash3 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -829,15 +831,66 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -851,7 +904,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -863,6 +916,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -910,6 +964,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -923,8 +1007,8 @@ function deduplicateFindings(findings) {
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile4 } from "fs/promises";
-import { existsSync as existsSync2 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync3 } from "fs";
+import { join as join5 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file, level) {
   if (level === "excluded") {
@@ -1170,9 +1254,9 @@ function addJSDoc(node, parts) {
 function findTsConfig(filePath) {
   let dir = filePath;
   for (let i = 0; i < 10; i++) {
-    dir = join4(dir, "..");
-    const candidate = join4(dir, "tsconfig.json");
-    if (existsSync2(candidate)) return candidate;
+    dir = join5(dir, "..");
+    const candidate = join5(dir, "tsconfig.json");
+    if (existsSync3(candidate)) return candidate;
   }
   return void 0;
 }
@@ -1439,7 +1523,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash = createHash4("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -2836,20 +2920,20 @@ function formatCost(cost) {
 }
 
 // src/govern/audit.ts
-import { randomUUID, createHash as createHash4 } from "crypto";
+import { randomUUID, createHash as createHash5 } from "crypto";
 import { readdir as readdir3, chmod } from "fs/promises";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 import { userInfo } from "os";
 import { homedir } from "os";
 var CTO_DIR = ".cto-ai";
 var AUDIT_DIR = "audit";
 var MAX_ENTRIES_PER_FILE = 500;
 function getAuditDir() {
-  return join5(homedir(), CTO_DIR, AUDIT_DIR);
+  return join6(homedir(), CTO_DIR, AUDIT_DIR);
 }
 function getCurrentAuditFile() {
   const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0].replace(/-/g, "");
-  return join5(getAuditDir(), `audit_${date}.json`);
+  return join6(getAuditDir(), `audit_${date}.json`);
 }
 function computeIntegrityHash(entry) {
   const payload = JSON.stringify({
@@ -2860,7 +2944,7 @@ function computeIntegrityHash(entry) {
     projectPath: entry.projectPath,
     details: entry.details
   });
-  return createHash4("sha256").update(payload).digest("hex");
+  return createHash5("sha256").update(payload).digest("hex");
 }
 async function ensureDir(dirPath) {
   const { mkdir } = await import("fs/promises");
@@ -2876,9 +2960,9 @@ async function readJSON(filePath) {
   }
 }
 async function writeJSON(filePath, data) {
-  const { writeFile } = await import("fs/promises");
-  await ensureDir(join5(filePath, ".."));
-  await writeFile(filePath, JSON.stringify(data, null, 2), "utf-8");
+  const { writeFile: writeFile2 } = await import("fs/promises");
+  await ensureDir(join6(filePath, ".."));
+  await writeFile2(filePath, JSON.stringify(data, null, 2), "utf-8");
 }
 async function logAudit(action, projectPath, details = {}) {
   const auditDir = getAuditDir();