cto-ai-cli 3.1.0 → 4.0.0

package/dist/cli/score.js

@@ -1,68 +1,78 @@
 #!/usr/bin/env node
-
-// src/cli/score.ts
-import { resolve as resolve4, join as join4 } from "path";
-import { mkdirSync, writeFileSync, readFileSync } from "fs";
-
-// src/engine/analyzer.ts
-import { readFile as readFile2, readdir, stat as stat2 } from "fs/promises";
-import { join as join2, extname, relative as relative2, resolve as resolve2, basename as basename2 } from "path";
-import { createHash } from "crypto";
-
-// src/types/engine.ts
-var DEFAULT_RISK_WEIGHTS = {
-  hub: 30,
-  typeProvider: 25,
-  complexity: 15,
-  recency: 15,
-  config: 10,
-  churn: 5
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
 };
 
-// src/types/config.ts
-var DEFAULT_CONFIG = {
-  version: "2.0",
-  analysis: {
-    extensions: {
-      code: ["ts", "tsx", "js", "jsx", "py", "go", "rs", "java", "kt", "rb", "php", "c", "cpp", "h", "hpp", "cs"],
-      config: ["json", "yml", "yaml", "toml"],
-      docs: ["md", "txt", "rst"]
-    },
-    ignore: {
-      dirs: ["node_modules", "dist", "build", ".git", "coverage", "__pycache__", ".next", "vendor", ".cto"],
-      patterns: ["*.min.js", "*.map", "*.lock", "*.generated.*"]
-    },
-    maxDepth: 20
-  },
-  risk: {
-    weights: {
+// src/types/engine.ts
+var DEFAULT_RISK_WEIGHTS;
+var init_engine = __esm({
+  "src/types/engine.ts"() {
+    "use strict";
+    DEFAULT_RISK_WEIGHTS = {
       hub: 30,
       typeProvider: 25,
       complexity: 15,
       recency: 15,
       config: 10,
       churn: 5
-    }
-  },
-  interaction: {
-    defaultBudget: 5e4,
-    defaultModel: "claude-sonnet-4"
-  },
-  tokens: {
-    method: "chars4"
-  },
-  governance: {
-    auditEnabled: true,
-    secretDetection: true,
-    retentionDays: 90
+    };
   }
-};
+});
+
+// src/types/config.ts
+var DEFAULT_CONFIG;
+var init_config = __esm({
+  "src/types/config.ts"() {
+    "use strict";
+    DEFAULT_CONFIG = {
+      version: "2.0",
+      analysis: {
+        extensions: {
+          code: ["ts", "tsx", "js", "jsx", "py", "go", "rs", "java", "kt", "rb", "php", "c", "cpp", "h", "hpp", "cs"],
+          config: ["json", "yml", "yaml", "toml"],
+          docs: ["md", "txt", "rst"]
+        },
+        ignore: {
+          dirs: ["node_modules", "dist", "build", ".git", "coverage", "__pycache__", ".next", "vendor", ".cto"],
+          patterns: ["*.min.js", "*.map", "*.lock", "*.generated.*"]
+        },
+        maxDepth: 20
+      },
+      risk: {
+        weights: {
+          hub: 30,
+          typeProvider: 25,
+          complexity: 15,
+          recency: 15,
+          config: 10,
+          churn: 5
+        }
+      },
+      interaction: {
+        defaultBudget: 5e4,
+        defaultModel: "claude-sonnet-4"
+      },
+      tokens: {
+        method: "chars4"
+      },
+      governance: {
+        auditEnabled: true,
+        secretDetection: true,
+        retentionDays: 90
+      }
+    };
+  }
+});
 
 // src/engine/tokenizer.ts
 import { encodingForModel } from "js-tiktoken";
 import { readFile, stat } from "fs/promises";
-var CHARS_PER_TOKEN = 4;
-var encoder = null;
 function getEncoder() {
   if (!encoder) {
     encoder = encodingForModel("claude-3-5-sonnet-20241022");
@@ -87,12 +97,19 @@ function estimateTokens(content, sizeInBytes, method = "chars4") {
   }
   return countTokensChars4(sizeInBytes);
 }
+var CHARS_PER_TOKEN, encoder;
+var init_tokenizer = __esm({
+  "src/engine/tokenizer.ts"() {
+    "use strict";
+    CHARS_PER_TOKEN = 4;
+    encoder = null;
+  }
+});
 
 // src/engine/graph.ts
 import { Project, SyntaxKind } from "ts-morph";
 import { resolve, relative, dirname, join } from "path";
 import { existsSync } from "fs";
-var TS_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs", "cts", "cjs"]);
 function createProject(projectPath, filePaths) {
   const tsConfigPath = join(projectPath, "tsconfig.json");
   const hasTsConfig = existsSync(tsConfigPath);
@@ -191,41 +208,6 @@ function buildProjectGraph(projectPath, files) {
   enrichComplexity(project, absPath, files);
   return { nodes, edges, hubs, leaves, orphans, clusters };
 }
-var UnionFind = class {
-  parent;
-  rank;
-  constructor(nodes) {
-    this.parent = /* @__PURE__ */ new Map();
-    this.rank = /* @__PURE__ */ new Map();
-    for (const n of nodes) {
-      this.parent.set(n, n);
-      this.rank.set(n, 0);
-    }
-  }
-  find(x) {
-    const p = this.parent.get(x);
-    if (p === void 0) return x;
-    if (p !== x) {
-      this.parent.set(x, this.find(p));
-    }
-    return this.parent.get(x);
-  }
-  union(a, b) {
-    const ra = this.find(a);
-    const rb = this.find(b);
-    if (ra === rb) return;
-    const rankA = this.rank.get(ra) ?? 0;
-    const rankB = this.rank.get(rb) ?? 0;
-    if (rankA < rankB) {
-      this.parent.set(ra, rb);
-    } else if (rankA > rankB) {
-      this.parent.set(rb, ra);
-    } else {
-      this.parent.set(rb, ra);
-      this.rank.set(ra, rankA + 1);
-    }
-  }
-};
 function detectClusters(nodes, edges, files) {
   const uf = new UnionFind(nodes);
   for (const edge of edges) {
@@ -363,6 +345,48 @@ function emptyGraph(files) {
     clusters: []
   };
 }
+var TS_EXTENSIONS, UnionFind;
+var init_graph = __esm({
+  "src/engine/graph.ts"() {
+    "use strict";
+    TS_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs", "cts", "cjs"]);
+    UnionFind = class {
+      parent;
+      rank;
+      constructor(nodes) {
+        this.parent = /* @__PURE__ */ new Map();
+        this.rank = /* @__PURE__ */ new Map();
+        for (const n of nodes) {
+          this.parent.set(n, n);
+          this.rank.set(n, 0);
+        }
+      }
+      find(x) {
+        const p = this.parent.get(x);
+        if (p === void 0) return x;
+        if (p !== x) {
+          this.parent.set(x, this.find(p));
+        }
+        return this.parent.get(x);
+      }
+      union(a, b) {
+        const ra = this.find(a);
+        const rb = this.find(b);
+        if (ra === rb) return;
+        const rankA = this.rank.get(ra) ?? 0;
+        const rankB = this.rank.get(rb) ?? 0;
+        if (rankA < rankB) {
+          this.parent.set(ra, rb);
+        } else if (rankA > rankB) {
+          this.parent.set(rb, ra);
+        } else {
+          this.parent.set(rb, ra);
+          this.rank.set(ra, rankA + 1);
+        }
+      }
+    };
+  }
+});
 
 // src/engine/risk.ts
 function scoreAllFiles(files, graph, weights = DEFAULT_RISK_WEIGHTS) {
@@ -480,8 +504,17 @@ function computeTypeProviderUsage(files, graph) {
   }
   return usage;
 }
+var init_risk = __esm({
+  "src/engine/risk.ts"() {
+    "use strict";
+    init_engine();
+  }
+});
 
 // src/engine/analyzer.ts
+import { readFile as readFile2, readdir, stat as stat2 } from "fs/promises";
+import { join as join2, extname, relative as relative2, resolve as resolve2, basename as basename2 } from "path";
+import { createHash } from "crypto";
 function matchesPattern(filename, patterns) {
   for (const pattern of patterns) {
     if (pattern.startsWith("*.")) {
@@ -544,10 +577,6 @@ async function walkProject(rootPath, options) {
   await walk(rootPath, 0);
   return results;
 }
-var TYPE_PATTERNS = [/types?\//i, /\.d\.ts$/, /interfaces?\//i];
-var TEST_PATTERNS = [/\.test\.[jt]sx?$/, /\.spec\.[jt]sx?$/, /\/__tests__\//, /\/tests?\//];
-var CONFIG_PATTERNS = [/\.config\.[jt]s$/, /rc\.[jt]s$/, /\.env/, /tsconfig/, /package\.json$/, /\.yml$/, /\.yaml$/, /\.toml$/];
-var ENTRY_PATTERNS = [/^index\.[jt]sx?$/, /^main\.[jt]sx?$/, /^app\.[jt]sx?$/, /^server\.[jt]sx?$/];
 function classifyFileKind(relativePath) {
   const filename = basename2(relativePath);
   if (TYPE_PATTERNS.some((p) => p.test(relativePath))) return "type";
@@ -706,46 +735,60 @@ function mergeConfig(base, overrides) {
     }
   };
 }
-
-// src/engine/selector.ts
-import { createHash as createHash2 } from "crypto";
+var TYPE_PATTERNS, TEST_PATTERNS, CONFIG_PATTERNS, ENTRY_PATTERNS;
+var init_analyzer = __esm({
+  "src/engine/analyzer.ts"() {
+    "use strict";
+    init_engine();
+    init_config();
+    init_tokenizer();
+    init_graph();
+    init_risk();
+    TYPE_PATTERNS = [/types?\//i, /\.d\.ts$/, /interfaces?\//i];
+    TEST_PATTERNS = [/\.test\.[jt]sx?$/, /\.spec\.[jt]sx?$/, /\/__tests__\//, /\/tests?\//];
+    CONFIG_PATTERNS = [/\.config\.[jt]s$/, /rc\.[jt]s$/, /\.env/, /tsconfig/, /package\.json$/, /\.yml$/, /\.yaml$/, /\.toml$/];
+    ENTRY_PATTERNS = [/^index\.[jt]sx?$/, /^main\.[jt]sx?$/, /^app\.[jt]sx?$/, /^server\.[jt]sx?$/];
+  }
+});
 
 // src/govern/secrets.ts
+var secrets_exports = {};
+__export(secrets_exports, {
+  DEFAULT_AUDIT_CONFIG: () => DEFAULT_AUDIT_CONFIG,
+  addToAllowlist: () => addToAllowlist,
+  auditProject: () => auditProject,
+  filterByAllowlist: () => filterByAllowlist,
+  generatePreCommitHook: () => generatePreCommitHook,
+  getChangedFiles: () => getChangedFiles,
+  loadAllowlist: () => loadAllowlist,
+  loadAuditConfig: () => loadAuditConfig,
+  sanitizeContent: () => sanitizeContent,
+  saveAllowlist: () => saveAllowlist,
+  saveAuditConfig: () => saveAuditConfig,
+  scanContentForHighEntropy: () => scanContentForHighEntropy,
+  scanContentForSecrets: () => scanContentForSecrets,
+  scanFileForSecrets: () => scanFileForSecrets,
+  scanProjectForSecrets: () => scanProjectForSecrets
+});
 import { readFile as readFile3 } from "fs/promises";
-import { resolve as resolve3, relative as relative3 } from "path";
-var BUILTIN_PATTERNS = [
-  // API Keys
-  { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
-  { type: "api-key", source: "sk-[a-zA-Z0-9]{20,}", flags: "g", severity: "critical", description: "OpenAI/Anthropic API Key" },
-  { type: "api-key", source: "sk-ant-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "Anthropic API Key" },
-  // AWS
-  { type: "aws-key", source: "AKIA[0-9A-Z]{16}", flags: "g", severity: "critical", description: "AWS Access Key ID" },
-  { type: "aws-key", source: `(?:aws_secret_access_key|aws_secret)\\s*[:=]\\s*['"]?([a-zA-Z0-9/+=]{40})['"]?`, flags: "gi", severity: "critical", description: "AWS Secret Key" },
-  // Private Keys
-  { type: "private-key", source: "-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", flags: "g", severity: "critical", description: "Private Key" },
-  { type: "private-key", source: "-----BEGIN OPENSSH PRIVATE KEY-----", flags: "g", severity: "critical", description: "SSH Private Key" },
-  // Passwords
-  { type: "password", source: `(?:password|passwd|pwd)\\s*[:=]\\s*['"]([^'"]{8,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Hardcoded Password" },
-  { type: "password", source: `(?:DB_PASSWORD|DATABASE_PASSWORD|MYSQL_PASSWORD|POSTGRES_PASSWORD)\\s*[:=]\\s*['"]?([^'"{}\\s]{4,})['"]?`, flags: "gi", severity: "high", description: "Database Password" },
-  // Tokens
-  { type: "token", source: `(?:bearer|token|auth_token|access_token|refresh_token)\\s*[:=]\\s*['"]([a-zA-Z0-9_\\-.]{20,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Auth Token" },
-  { type: "token", source: "ghp_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub Personal Access Token" },
-  { type: "token", source: "gho_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub OAuth Token" },
-  { type: "token", source: "glpat-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "GitLab Personal Access Token" },
-  { type: "token", source: "npm_[a-zA-Z0-9]{36}", flags: "g", severity: "high", description: "npm Token" },
-  // Connection strings
-  { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
-  { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
-  // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
-];
+import { readFileSync, existsSync as existsSync2, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve3, relative as relative3, join as join3, dirname as dirname2 } from "path";
+import { createHash as createHash2 } from "crypto";
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -759,7 +802,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -771,6 +814,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -793,6 +837,28 @@ async function scanFileForSecrets(filePath, projectPath, customPatterns = []) {
     return [];
   }
 }
+async function scanProjectForSecrets(projectPath, filePaths, customPatterns = []) {
+  const allFindings = [];
+  for (const fp of filePaths) {
+    const findings = await scanFileForSecrets(fp, projectPath, customPatterns);
+    allFindings.push(...findings);
+  }
+  return allFindings.sort((a, b) => {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    return severityOrder[a.severity] - severityOrder[b.severity];
+  });
+}
+function sanitizeContent(content, customPatterns = []) {
+  let sanitized = content;
+  const allPatterns = buildPatterns(customPatterns);
+  for (const secretPattern of allPatterns) {
+    sanitized = sanitized.replace(secretPattern.pattern, (match) => {
+      if (isTemplateOrPlaceholder(match)) return match;
+      return redactSecret(match);
+    });
+  }
+  return sanitized;
+}
 function redactSecret(value) {
   if (value.length <= 8) return "***REDACTED***";
   const prefix = value.substring(0, 4);
@@ -818,6 +884,14 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -827,13 +901,453 @@ function deduplicateFindings(findings) {
     return true;
   });
 }
+function fingerprintFinding(f) {
+  return createHash2("sha256").update(`${f.file}:${f.type}:${f.match}`).digest("hex").slice(0, 32);
+}
+function getAllowlistPath(projectPath) {
+  return join3(projectPath, ".cto", "audit", "allowlist.json");
+}
+function loadAllowlist(projectPath) {
+  const filePath = getAllowlistPath(projectPath);
+  if (!existsSync2(filePath)) return [];
+  try {
+    return JSON.parse(readFileSync(filePath, "utf-8"));
+  } catch {
+    return [];
+  }
+}
+function saveAllowlist(projectPath, entries) {
+  const filePath = getAllowlistPath(projectPath);
+  mkdirSync(dirname2(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(entries, null, 2) + "\n");
+}
+function addToAllowlist(projectPath, finding, reason, reviewedBy = "manual") {
+  const entries = loadAllowlist(projectPath);
+  const entry = {
+    fingerprint: fingerprintFinding(finding),
+    file: finding.file,
+    type: finding.type,
+    redacted: finding.redacted,
+    reason,
+    reviewedBy,
+    reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const existing = entries.findIndex((e) => e.fingerprint === entry.fingerprint);
+  if (existing >= 0) {
+    entries[existing] = entry;
+  } else {
+    entries.push(entry);
+  }
+  saveAllowlist(projectPath, entries);
+  return entry;
+}
+function filterByAllowlist(findings, projectPath) {
+  const allowlist = loadAllowlist(projectPath);
+  if (allowlist.length === 0) return { filtered: findings, allowed: [] };
+  const allowedFingerprints = new Set(allowlist.map((e) => e.fingerprint));
+  const filtered = [];
+  const allowed = [];
+  for (const f of findings) {
+    if (allowedFingerprints.has(fingerprintFinding(f))) {
+      allowed.push(f);
+    } else {
+      filtered.push(f);
+    }
+  }
+  return { filtered, allowed };
+}
+function getHashCachePath(projectPath) {
+  return join3(projectPath, ".cto", "audit", ".hashcache.json");
+}
+function loadHashCache(projectPath) {
+  const filePath = getHashCachePath(projectPath);
+  if (!existsSync2(filePath)) return {};
+  try {
+    return JSON.parse(readFileSync(filePath, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveHashCache(projectPath, cache) {
+  const filePath = getHashCachePath(projectPath);
+  mkdirSync(dirname2(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(cache));
+}
+function hashContent(content) {
+  return createHash2("sha256").update(content).digest("hex").slice(0, 16);
+}
+function getChangedFiles(projectPath, filePaths) {
+  const oldCache = loadHashCache(projectPath);
+  const newCache = {};
+  const changed = [];
+  const unchanged = [];
+  for (const fp of filePaths) {
+    try {
+      const content = readFileSync(fp, "utf-8");
+      const relPath = relative3(resolve3(projectPath), resolve3(fp));
+      const hash = hashContent(content);
+      newCache[relPath] = hash;
+      if (oldCache[relPath] === hash) {
+        unchanged.push(fp);
+      } else {
+        changed.push(fp);
+      }
+    } catch {
+      changed.push(fp);
+    }
+  }
+  return { changed, unchanged, cache: newCache };
+}
+function getAuditConfigPath(projectPath) {
+  return join3(projectPath, ".cto", "audit", "config.json");
+}
+function loadAuditConfig(projectPath) {
+  const filePath = getAuditConfigPath(projectPath);
+  if (!existsSync2(filePath)) return { ...DEFAULT_AUDIT_CONFIG };
+  try {
+    const loaded = JSON.parse(readFileSync(filePath, "utf-8"));
+    return { ...DEFAULT_AUDIT_CONFIG, ...loaded };
+  } catch {
+    return { ...DEFAULT_AUDIT_CONFIG };
+  }
+}
+function saveAuditConfig(projectPath, config) {
+  const filePath = getAuditConfigPath(projectPath);
+  mkdirSync(dirname2(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(config, null, 2) + "\n");
+}
+function applySeverityOverrides(findings, overrides) {
+  if (Object.keys(overrides).length === 0) return findings;
+  return findings.map((f) => {
+    const override = overrides[f.type];
+    if (override) return { ...f, severity: override };
+    return f;
+  });
+}
+function generatePreCommitHook(projectPath, hookType = "husky") {
+  const hookContent = `#!/bin/sh
+# CTO Secret Detection \u2014 Pre-commit hook
+# Auto-generated by: npx cto-ai-cli --audit --init-hook
+# Scans ONLY staged files for secrets before allowing commit.
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+  exit 0
+fi
+
+echo "\u{1F50D} CTO: Scanning $(echo "$STAGED_FILES" | wc -l | tr -d ' ') staged files for secrets..."
+
+# Write staged files to temp list
+TMPFILE=$(mktemp)
+echo "$STAGED_FILES" > "$TMPFILE"
+
+# Run audit in CI mode on staged files only
+CI=true npx cto-ai-cli --audit --files "$TMPFILE"
+RESULT=$?
+
+rm -f "$TMPFILE"
+
+if [ $RESULT -ne 0 ]; then
+  echo ""
+  echo "\u274C Commit blocked: secrets detected in staged files."
+  echo "   Run 'npx cto-ai-cli --audit' to see details."
+  echo "   Use allowlist to mark reviewed findings as safe."
+  echo ""
+  exit 1
+fi
+
+echo "\u2705 No secrets detected. Proceeding with commit."
+`;
+  let hookPath;
+  if (hookType === "husky") {
+    hookPath = join3(projectPath, ".husky", "pre-commit");
+  } else {
+    hookPath = join3(projectPath, ".git", "hooks", "pre-commit");
+  }
+  mkdirSync(dirname2(hookPath), { recursive: true });
+  writeFileSync(hookPath, hookContent, { mode: 493 });
+  return hookPath;
+}
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / str.length;
+    if (p > 0) entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+function scanContentForHighEntropy(content, filePath, threshold = 5) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.trim().startsWith("//") || line.trim().startsWith("#") || line.trim().startsWith("*")) continue;
+    HIGH_ENTROPY_RE.lastIndex = 0;
+    let match;
+    while ((match = HIGH_ENTROPY_RE.exec(line)) !== null) {
+      const value = match[1] || match[2];
+      if (!value || value.length < 40) continue;
+      if (isTemplateOrPlaceholder(value)) continue;
+      if (ENTROPY_SKIP.some((p) => p.test(value))) continue;
+      const entropy = shannonEntropy(value);
+      if (entropy >= threshold) {
+        findings.push({
+          type: "high-entropy",
+          file: filePath,
+          line: i + 1,
+          match: value,
+          redacted: redactSecret(value),
+          severity: entropy >= 5 ? "high" : "medium"
+        });
+      }
+    }
+  }
+  return deduplicateFindings(findings);
+}
+async function auditProject(projectPath, filePaths, options = {}) {
+  const savedConfig = loadAuditConfig(projectPath);
+  const customPatterns = options.customPatterns ?? savedConfig.customPatterns;
+  const entropyThreshold = options.entropyThreshold ?? savedConfig.entropyThreshold;
+  const includePII = options.includePII ?? savedConfig.includePII;
+  const useAllowlist = options.useAllowlist ?? true;
+  const incrementalScan = options.incrementalScan ?? savedConfig.incrementalScan;
+  const severityOverrides = options.severityOverrides ?? savedConfig.severityOverrides;
+  let extraPiiDomains;
+  const allExtraDomains = [...options.piiSafeDomains || [], ...savedConfig.piiSafeDomains];
+  if (allExtraDomains.length > 0) {
+    extraPiiDomains = new Set(allExtraDomains.map((d) => d.toLowerCase()));
+  }
+  let filesToScan = filePaths;
+  let unchangedCount = 0;
+  let newCache = null;
+  if (incrementalScan) {
+    const { changed, unchanged, cache } = getChangedFiles(projectPath, filePaths);
+    newCache = cache;
+    if (changed.length < filePaths.length) {
+      filesToScan = changed;
+      unchangedCount = unchanged.length;
+    }
+  }
+  const allFindings = [];
+  const filesWithSecrets = /* @__PURE__ */ new Set();
+  for (const fp of filesToScan) {
+    try {
+      const content = await readFile3(fp, "utf-8");
+      const relPath = relative3(resolve3(projectPath), resolve3(fp));
+      const isTestFile = /\.(test|spec|mock)\.[jt]sx?$/.test(relPath) || relPath.includes("__tests__");
+      const isDtsFile = relPath.endsWith(".d.ts");
+      let findings = scanContentForSecrets(content, relPath, customPatterns, extraPiiDomains);
+      if (!includePII) {
+        findings = findings.filter((f) => f.type !== "pii");
+      }
+      const entropyFindings = isTestFile || isDtsFile ? [] : scanContentForHighEntropy(content, relPath, entropyThreshold);
+      const combined = [...findings, ...entropyFindings];
+      if (combined.length > 0) {
+        filesWithSecrets.add(relPath);
+        allFindings.push(...combined);
+      }
+    } catch {
+    }
+  }
+  let finalFindings = applySeverityOverrides(allFindings, severityOverrides);
+  let allowedCount = 0;
+  if (useAllowlist) {
+    const { filtered, allowed } = filterByAllowlist(finalFindings, projectPath);
+    finalFindings = filtered;
+    allowedCount = allowed.length;
+  }
+  finalFindings.sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  if (newCache) {
+    saveHashCache(projectPath, newCache);
+  }
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byType = {};
+  for (const f of finalFindings) {
+    bySeverity[f.severity]++;
+    byType[f.type] = (byType[f.type] || 0) + 1;
+  }
+  const recommendations = [];
+  if (bySeverity.critical > 0) {
+    recommendations.push("CRITICAL: Rotate all detected credentials immediately. They may already be compromised.");
+  }
+  if (byType["password"] > 0) {
+    recommendations.push("Move passwords to environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).");
+  }
+  if (byType["api-key"] > 0 || byType["aws-key"] > 0) {
+    recommendations.push("Use environment variables for API keys. Never commit them to source control.");
+  }
+  if (byType["connection-string"] > 0) {
+    recommendations.push("Database connection strings should use environment variables, not hardcoded values.");
+  }
+  if (byType["private-key"] > 0) {
+    recommendations.push("Private keys should NEVER be in source code. Use a key management service.");
+  }
+  if (byType["pii"] > 0) {
+    recommendations.push("PII detected. Review for GDPR/CCPA compliance. Consider data anonymization.");
+  }
+  if (byType["high-entropy"] > 0) {
+    recommendations.push("High-entropy strings detected that may be secrets. Review manually.");
+  }
+  if (finalFindings.length > 0) {
+    recommendations.push("Add a .gitignore entry for .env files if not already present.");
+    recommendations.push("Run `npx cto-ai-cli --audit` regularly or add to CI pipeline.");
+  }
+  if (finalFindings.length === 0) {
+    recommendations.push("No secrets detected. Great job keeping your codebase clean!");
+  }
+  if (allowedCount > 0) {
+    recommendations.push(`${allowedCount} finding(s) skipped via allowlist (.cto/audit/allowlist.json).`);
+  }
+  if (unchangedCount > 0) {
+    recommendations.push(`${unchangedCount} unchanged file(s) skipped (incremental scan).`);
+  }
+  return {
+    findings: finalFindings,
+    summary: {
+      totalFiles: filePaths.length,
+      filesScanned: filesToScan.length,
+      filesWithSecrets: filesWithSecrets.size,
+      totalFindings: finalFindings.length,
+      bySeverity,
+      byType
+    },
+    recommendations
+  };
+}
+var BUILTIN_PATTERNS, _cachedBuiltinPatterns, PII_SAFE_EMAIL_DOMAINS, DEFAULT_AUDIT_CONFIG, HIGH_ENTROPY_RE, ENTROPY_SKIP;
+var init_secrets = __esm({
+  "src/govern/secrets.ts"() {
+    "use strict";
+    BUILTIN_PATTERNS = [
+      // API Keys
+      { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
+      { type: "api-key", source: "sk-[a-zA-Z0-9]{20,}", flags: "g", severity: "critical", description: "OpenAI/Anthropic API Key" },
+      { type: "api-key", source: "sk-ant-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "Anthropic API Key" },
+      // AWS
+      { type: "aws-key", source: "AKIA[0-9A-Z]{16}", flags: "g", severity: "critical", description: "AWS Access Key ID" },
+      { type: "aws-key", source: `(?:aws_secret_access_key|aws_secret)\\s*[:=]\\s*['"]?([a-zA-Z0-9/+=]{40})['"]?`, flags: "gi", severity: "critical", description: "AWS Secret Key" },
+      // Private Keys
+      { type: "private-key", source: "-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", flags: "g", severity: "critical", description: "Private Key" },
+      { type: "private-key", source: "-----BEGIN OPENSSH PRIVATE KEY-----", flags: "g", severity: "critical", description: "SSH Private Key" },
+      // Passwords
+      { type: "password", source: `(?:password|passwd|pwd)\\s*[:=]\\s*['"]([^'"]{8,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Hardcoded Password" },
+      { type: "password", source: `(?:DB_PASSWORD|DATABASE_PASSWORD|MYSQL_PASSWORD|POSTGRES_PASSWORD)\\s*[:=]\\s*['"]?([^'"{}\\s]{4,})['"]?`, flags: "gi", severity: "high", description: "Database Password" },
+      // Tokens
+      { type: "token", source: `(?:bearer|token|auth_token|access_token|refresh_token)\\s*[:=]\\s*['"]([a-zA-Z0-9_\\-.]{20,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Auth Token" },
+      { type: "token", source: "ghp_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub Personal Access Token" },
+      { type: "token", source: "gho_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub OAuth Token" },
+      { type: "token", source: "glpat-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "GitLab Personal Access Token" },
+      { type: "token", source: "npm_[a-zA-Z0-9]{36}", flags: "g", severity: "high", description: "npm Token" },
+      // Connection strings
+      { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
+      { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
+      // Environment variables with secrets
+      { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+      // Stripe
+      { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+      { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+      { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+      // Slack
+      { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+      { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+      { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+      // Google
+      { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+      { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+      // Azure
+      { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+      // Twilio
+      { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+      // SendGrid
+      { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+      // JWT
+      { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+      // Datadog
+      { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+      { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+      // Sentry
+      { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+      // Firebase
+      { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+      { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+      // Supabase
+      { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+      { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+      // Vercel
+      { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+      // Heroku
+      { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+      // DigitalOcean
+      { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+      { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+      // Mailgun
+      { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+      // PII
+      { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+      { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
+    ];
+    _cachedBuiltinPatterns = null;
+    PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+      "example.com",
+      "example.org",
+      "example.net",
+      "test.com",
+      "test.org",
+      "test.net",
+      "localhost",
+      "localhost.localdomain",
+      "email.com",
+      "mail.com",
+      "foo.com",
+      "bar.com",
+      "baz.com",
+      "acme.com",
+      "company.com",
+      "corp.com",
+      "noreply.com",
+      "no-reply.com",
+      "users.noreply.github.com",
+      "placeholder.com"
+    ]);
+    DEFAULT_AUDIT_CONFIG = {
+      severityOverrides: {},
+      piiSafeDomains: [],
+      customPatterns: [],
+      entropyThreshold: 5,
+      includePII: true,
+      incrementalScan: true
+    };
+    HIGH_ENTROPY_RE = /['"]([a-zA-Z0-9+/=_\-]{30,})['"]|=\s*['"]?([a-zA-Z0-9+/=_\-]{30,})['"]?/g;
+    ENTROPY_SKIP = [
+      /^[a-f0-9]{32,}$/i,
+      // hex hashes
+      /^[A-Z_]{30,}$/,
+      // all-caps constants
+      /^[a-z_]{30,}$/,
+      // all-lowercase identifiers
+      /^[a-zA-Z0-9+/]+=+$/,
+      // base64 padding
+      /^[a-z]+[A-Z][a-zA-Z]+$/,
+      // camelCase identifiers
+      /sha\d+-/i
+      // integrity hashes (sha256-, sha512-)
+    ];
+  }
+});
 
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile4 } from "fs/promises";
-import { existsSync as existsSync2 } from "fs";
-import { join as join3 } from "path";
-var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
+import { existsSync as existsSync3 } from "fs";
+import { join as join4 } from "path";
 async function pruneFile(file, level) {
   if (level === "excluded") {
     return emptyResult(file, "excluded");
@@ -1078,12 +1592,20 @@ function addJSDoc(node, parts) {
 function findTsConfig(filePath) {
   let dir = filePath;
   for (let i = 0; i < 10; i++) {
-    dir = join3(dir, "..");
-    const candidate = join3(dir, "tsconfig.json");
-    if (existsSync2(candidate)) return candidate;
+    dir = join4(dir, "..");
+    const candidate = join4(dir, "tsconfig.json");
+    if (existsSync3(candidate)) return candidate;
   }
   return void 0;
 }
+var TS_EXTENSIONS2;
+var init_pruner = __esm({
+  "src/engine/pruner.ts"() {
+    "use strict";
+    init_tokenizer();
+    TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
+  }
+});
 
 // src/engine/graph-utils.ts
 function buildAdjacencyList(edges) {
@@ -1137,6 +1659,11 @@ function matchGlob(path, pattern) {
     return false;
   }
 }
+var init_graph_utils = __esm({
+  "src/engine/graph-utils.ts"() {
+    "use strict";
+  }
+});
 
 // src/engine/coverage.ts
 function calculateCoverage(targetPaths, includedPaths, allFiles, graph, depth = 2) {
@@ -1197,6 +1724,12 @@ function calculateCoverage(targetPaths, includedPaths, allFiles, graph, depth =
     explanation
   };
 }
+var init_coverage = __esm({
+  "src/engine/coverage.ts"() {
+    "use strict";
+    init_graph_utils();
+  }
+});
 
 // src/engine/budget.ts
 function getPruneLevelForRisk(riskScore) {
@@ -1205,8 +1738,15 @@ function getPruneLevelForRisk(riskScore) {
   if (riskScore >= 30) return "signatures";
   return "skeleton";
 }
+var init_budget = __esm({
+  "src/engine/budget.ts"() {
+    "use strict";
+    init_pruner();
+  }
+});
 
 // src/engine/selector.ts
+import { createHash as createHash3 } from "crypto";
 async function selectContext(input) {
   const { task, analysis, budget, policies, depth = 2 } = input;
   const decisions = [];
@@ -1347,7 +1887,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash2("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -1413,94 +1953,1443 @@ function buildReason(file, level, isTarget, isMustInclude) {
   if (impact === "medium") return `Medium relevance (risk ${file.riskScore}) \u2014 ${levelStr}`;
   return `Low relevance (risk ${file.riskScore}) \u2014 ${levelStr}`;
 }
+var init_selector = __esm({
+  "src/engine/selector.ts"() {
+    "use strict";
+    init_secrets();
+    init_pruner();
+    init_coverage();
+    init_budget();
+    init_graph_utils();
+  }
+});
 
-// src/engine/score.ts
-async function computeContextScore(analysis, task = "general code review and refactoring", budget = 5e4) {
-  const selection = await selectContext({ task, analysis, budget });
-  const insights = [];
-  const efficiency = scoreEfficiency(analysis, selection, insights);
-  const coverage = scoreCoverage(analysis, selection, insights);
-  const riskControl = scoreRiskControl(analysis, selection, insights);
-  const structure = scoreStructure(analysis, insights);
-  const governance = scoreGovernance(analysis, insights);
-  const overall = Math.round(
-    efficiency.weighted + coverage.weighted + riskControl.weighted + structure.weighted + governance.weighted
-  );
-  const grade = scoreToGrade(overall);
-  const naiveTokens = analysis.totalTokens;
-  const optimizedTokens = selection.totalTokens;
-  const savedTokens = naiveTokens - optimizedTokens;
-  const savedPercent = naiveTokens > 0 ? Math.round(savedTokens / naiveTokens * 100) : 0;
-  const interactionsPerMonth = 40 * 20;
-  const costPerMToken = 3;
-  const naiveMonthlyCost = naiveTokens / 1e6 * costPerMToken * interactionsPerMonth;
-  const optimizedMonthlyCost = optimizedTokens / 1e6 * costPerMToken * interactionsPerMonth;
-  const monthlySavingsUSD = Math.round((naiveMonthlyCost - optimizedMonthlyCost) * 100) / 100;
+// src/gateway/types.ts
+var types_exports = {};
+__export(types_exports, {
+  DEFAULT_ALLOWED_DOMAINS: () => DEFAULT_ALLOWED_DOMAINS,
+  DEFAULT_GATEWAY_CONFIG: () => DEFAULT_GATEWAY_CONFIG,
+  isAllowedTarget: () => isAllowedTarget,
+  isPrivateIP: () => isPrivateIP
+});
+function isPrivateIP(ip) {
+  return PRIVATE_IP_PATTERNS.some((p) => p.test(ip));
+}
+function isAllowedTarget(hostname, config) {
+  if (config.allowedTargetDomains.length > 0) {
+    return config.allowedTargetDomains.some(
+      (d) => hostname === d || hostname.endsWith("." + d)
+    );
+  }
+  if (DEFAULT_ALLOWED_DOMAINS.has(hostname)) return true;
+  if (hostname.endsWith(".openai.azure.com")) return true;
+  return false;
+}
+var DEFAULT_GATEWAY_CONFIG, DEFAULT_ALLOWED_DOMAINS, PRIVATE_IP_PATTERNS;
+var init_types = __esm({
+  "src/gateway/types.ts"() {
+    "use strict";
+    DEFAULT_GATEWAY_CONFIG = {
+      port: 8787,
+      host: "127.0.0.1",
+      optimize: true,
+      projectPath: ".",
+      budget: 5e4,
+      redactSecrets: true,
+      blockOnSecrets: false,
+      apiKey: "",
+      allowedTargetDomains: [],
+      // Empty = default LLM provider allowlist
+      maxBodyBytes: 10 * 1024 * 1024,
+      // 10MB
+      upstreamTimeoutMs: 12e4,
+      // 2 minutes (streaming can be slow)
+      costTracking: true,
+      budgetDaily: 0,
+      budgetMonthly: 0,
+      alertThreshold: 0.8,
+      auditLog: true,
+      logDir: ".cto/gateway",
+      dashboard: true,
+      dashboardPath: "/__cto"
+    };
+    DEFAULT_ALLOWED_DOMAINS = /* @__PURE__ */ new Set([
+      "api.openai.com",
+      "api.anthropic.com",
+      "generativelanguage.googleapis.com",
+      "aiplatform.googleapis.com"
+      // Azure uses custom subdomains: *.openai.azure.com
+    ]);
+    PRIVATE_IP_PATTERNS = [
+      /^127\./,
+      // Loopback
+      /^10\./,
+      // Class A private
+      /^172\.(1[6-9]|2\d|3[01])\./,
+      // Class B private
+      /^192\.168\./,
+      // Class C private
+      /^169\.254\./,
+      // Link-local (AWS metadata!)
+      /^0\./,
+      // Current network
+      /^::1$/,
+      // IPv6 loopback
+      /^f[cd]/i,
+      // IPv6 private
+      /^fe80:/i
+      // IPv6 link-local
+    ];
+  }
+});
+
+// src/gateway/providers.ts
+function parseOpenAIRequest(body) {
+  const messages = (body.messages || []).map((m) => ({
+    role: m.role || "user",
+    content: typeof m.content === "string" ? m.content : JSON.stringify(m.content)
+  }));
   return {
-    overall,
-    grade,
-    dimensions: {
-      efficiency,
-      coverage,
-      riskControl,
-      structure,
-      governance
-    },
-    insights: insights.sort((a, b) => {
-      const order = { high: 0, medium: 1, low: 2 };
-      return order[a.impact] - order[b.impact];
-    }),
-    comparison: {
-      naiveTokens,
-      optimizedTokens,
-      savedTokens,
-      savedPercent,
-      monthlySavingsUSD
-    },
-    meta: {
-      projectName: analysis.projectName,
-      totalFiles: analysis.totalFiles,
-      totalTokens: analysis.totalTokens,
-      analyzedAt: analysis.analyzedAt
-    }
+    model: body.model || "unknown",
+    messages,
+    stream: body.stream === true,
+    maxTokens: body.max_tokens ?? body.max_completion_tokens,
+    temperature: body.temperature
   };
 }
-function scoreEfficiency(analysis, selection, insights) {
-  const weight = 30;
-  const ratio = analysis.totalTokens > 0 ? 1 - selection.totalTokens / analysis.totalTokens : 0;
-  const selectivity = analysis.totalFiles > 0 ? 1 - selection.files.length / analysis.totalFiles : 0;
-  const prunedFiles = selection.files.filter(
-    (f) => f.pruneLevel === "signatures" || f.pruneLevel === "skeleton"
-  ).length;
-  const pruneRatio = selection.files.length > 0 ? prunedFiles / selection.files.length : 0;
-  const raw = (ratio * 0.5 + selectivity * 0.3 + pruneRatio * 0.2) * 100;
-  const score = Math.min(100, Math.max(0, Math.round(raw)));
-  const weighted = score / 100 * weight;
-  if (ratio > 0.7) {
-    insights.push({
-      type: "strength",
-      title: "Excellent compression",
-      detail: `${Math.round(ratio * 100)}% token reduction while maintaining context quality`,
-      impact: "high"
-    });
+function parseOpenAIResponse(body, streaming) {
+  if (streaming) {
+    return {
+      model: body.model || "unknown",
+      inputTokens: body.usage?.prompt_tokens || 0,
+      outputTokens: body.usage?.completion_tokens || 0,
+      content: body.choices?.[0]?.message?.content || "",
+      finishReason: body.choices?.[0]?.finish_reason || "stop"
+    };
   }
-  if (ratio < 0.3 && analysis.totalTokens > 2e4) {
-    insights.push({
-      type: "weakness",
-      title: "Low compression opportunity",
-      detail: "Most files are needed. Consider splitting the project into smaller modules.",
-      impact: "medium"
+  return {
+    model: body.model || "unknown",
+    inputTokens: body.usage?.prompt_tokens || 0,
+    outputTokens: body.usage?.completion_tokens || 0,
+    content: body.choices?.[0]?.message?.content || "",
+    finishReason: body.choices?.[0]?.finish_reason || "stop"
+  };
+}
+function parseAnthropicRequest(body) {
+  const messages = [];
+  if (body.system) {
+    messages.push({ role: "system", content: body.system });
+  }
+  for (const m of body.messages || []) {
+    messages.push({
+      role: m.role || "user",
+      content: typeof m.content === "string" ? m.content : m.content?.map((b) => b.text || "").join("\n") || ""
     });
   }
   return {
-    score,
-    weight,
-    weighted,
-    detail: `${Math.round(ratio * 100)}% compression, ${prunedFiles}/${selection.files.length} files pruned`
+    model: body.model || "unknown",
+    messages,
+    stream: body.stream === true,
+    maxTokens: body.max_tokens,
+    temperature: body.temperature
   };
 }
-function scoreCoverage(analysis, selection, insights) {
-  const weight = 25;
+function parseAnthropicResponse(body, _streaming) {
+  return {
+    model: body.model || "unknown",
+    inputTokens: body.usage?.input_tokens || 0,
+    outputTokens: body.usage?.output_tokens || 0,
+    content: body.content?.map((b) => b.text || "").join("\n") || "",
+    finishReason: body.stop_reason || "end_turn"
+  };
+}
+function parseGoogleRequest(body) {
+  const messages = [];
+  if (body.systemInstruction?.parts) {
+    messages.push({
+      role: "system",
+      content: body.systemInstruction.parts.map((p) => p.text || "").join("\n")
+    });
+  }
+  for (const item of body.contents || []) {
+    const role = item.role === "model" ? "assistant" : "user";
+    const content = item.parts?.map((p) => p.text || "").join("\n") || "";
+    messages.push({ role, content });
+  }
+  const model = body.model || body.modelId || "gemini-2.0-flash";
+  return {
+    model,
+    messages,
+    stream: body.stream === true,
+    maxTokens: body.generationConfig?.maxOutputTokens,
+    temperature: body.generationConfig?.temperature
+  };
+}
+function parseGoogleResponse(body, _streaming) {
+  const candidate = body.candidates?.[0];
+  return {
+    model: body.modelVersion || body.model || "gemini-2.0-flash",
+    inputTokens: body.usageMetadata?.promptTokenCount || 0,
+    outputTokens: body.usageMetadata?.candidatesTokenCount || 0,
+    content: candidate?.content?.parts?.map((p) => p.text || "").join("\n") || "",
+    finishReason: candidate?.finishReason || "STOP"
+  };
+}
+function detectProvider(url, headers) {
+  for (const provider of Object.values(PROVIDERS)) {
+    if (provider.name === "custom") continue;
+    if (provider.detectProvider(url, headers)) return provider;
+  }
+  return PROVIDERS.custom;
+}
+function getModelConfig(provider, modelId) {
+  const exact = provider.models.find((m) => m.id === modelId);
+  if (exact) return exact;
+  return provider.models.find((m) => modelId.startsWith(m.id) || m.id.startsWith(modelId));
+}
+function estimateCost(provider, modelId, inputTokens, outputTokens) {
+  const model = getModelConfig(provider, modelId);
+  if (!model) return 0;
+  const inputCost = inputTokens / 1e6 * model.costPerMInput;
+  const outputCost = outputTokens / 1e6 * model.costPerMOutput;
+  return Math.round((inputCost + outputCost) * 1e6) / 1e6;
+}
+var OPENAI_MODELS, ANTHROPIC_MODELS, GOOGLE_MODELS, PROVIDERS;
+var init_providers = __esm({
+  "src/gateway/providers.ts"() {
+    "use strict";
+    OPENAI_MODELS = [
+      { id: "gpt-4o", contextWindow: 128e3, costPerMInput: 2.5, costPerMOutput: 10, maxOutput: 16384 },
+      { id: "gpt-4o-mini", contextWindow: 128e3, costPerMInput: 0.15, costPerMOutput: 0.6, maxOutput: 16384 },
+      { id: "gpt-4-turbo", contextWindow: 128e3, costPerMInput: 10, costPerMOutput: 30, maxOutput: 4096 },
+      { id: "gpt-3.5-turbo", contextWindow: 16385, costPerMInput: 0.5, costPerMOutput: 1.5, maxOutput: 4096 },
+      { id: "o1", contextWindow: 2e5, costPerMInput: 15, costPerMOutput: 60, maxOutput: 1e5 },
+      { id: "o1-mini", contextWindow: 128e3, costPerMInput: 3, costPerMOutput: 12, maxOutput: 65536 },
+      { id: "o3-mini", contextWindow: 2e5, costPerMInput: 1.1, costPerMOutput: 4.4, maxOutput: 1e5 }
+    ];
+    ANTHROPIC_MODELS = [
+      { id: "claude-sonnet-4-20250514", contextWindow: 2e5, costPerMInput: 3, costPerMOutput: 15, maxOutput: 64e3 },
+      { id: "claude-3-5-haiku-20241022", contextWindow: 2e5, costPerMInput: 0.8, costPerMOutput: 4, maxOutput: 8192 },
+      { id: "claude-3-opus-20240229", contextWindow: 2e5, costPerMInput: 15, costPerMOutput: 75, maxOutput: 4096 }
+    ];
+    GOOGLE_MODELS = [
+      { id: "gemini-2.5-pro", contextWindow: 1e6, costPerMInput: 1.25, costPerMOutput: 10, maxOutput: 65536 },
+      { id: "gemini-2.0-flash", contextWindow: 1e6, costPerMInput: 0.1, costPerMOutput: 0.4, maxOutput: 8192 },
+      { id: "gemini-1.5-pro", contextWindow: 2e6, costPerMInput: 1.25, costPerMOutput: 5, maxOutput: 8192 }
+    ];
+    PROVIDERS = {
+      openai: {
+        name: "openai",
+        displayName: "OpenAI",
+        baseUrl: "https://api.openai.com",
+        authHeader: "Authorization",
+        chatPath: "/v1/chat/completions",
+        models: OPENAI_MODELS,
+        parseRequest: parseOpenAIRequest,
+        parseResponse: parseOpenAIResponse,
+        detectProvider: (url, _headers) => url.includes("api.openai.com") || url.includes("/v1/chat/completions")
+      },
+      anthropic: {
+        name: "anthropic",
+        displayName: "Anthropic",
+        baseUrl: "https://api.anthropic.com",
+        authHeader: "x-api-key",
+        chatPath: "/v1/messages",
+        models: ANTHROPIC_MODELS,
+        parseRequest: parseAnthropicRequest,
+        parseResponse: parseAnthropicResponse,
+        detectProvider: (url, headers) => url.includes("api.anthropic.com") || url.includes("/v1/messages") || !!headers["x-api-key"] || !!headers["anthropic-version"]
+      },
+      google: {
+        name: "google",
+        displayName: "Google AI",
+        baseUrl: "https://generativelanguage.googleapis.com",
+        authHeader: "x-goog-api-key",
+        chatPath: "/v1beta/models",
+        models: GOOGLE_MODELS,
+        parseRequest: parseGoogleRequest,
+        parseResponse: parseGoogleResponse,
+        detectProvider: (url, _headers) => url.includes("generativelanguage.googleapis.com") || url.includes("aiplatform.googleapis.com")
+      },
+      "azure-openai": {
+        name: "azure-openai",
+        displayName: "Azure OpenAI",
+        baseUrl: "",
+        authHeader: "api-key",
+        chatPath: "/openai/deployments",
+        models: OPENAI_MODELS,
+        // Same models, different hosting
+        parseRequest: parseOpenAIRequest,
+        parseResponse: parseOpenAIResponse,
+        detectProvider: (url, headers) => url.includes(".openai.azure.com") || !!headers["api-key"]
+      },
+      custom: {
+        name: "custom",
+        displayName: "Custom (OpenAI-compatible)",
+        baseUrl: "",
+        authHeader: "Authorization",
+        chatPath: "/v1/chat/completions",
+        models: [],
+        parseRequest: parseOpenAIRequest,
+        parseResponse: parseOpenAIResponse,
+        detectProvider: () => false
+        // Fallback only
+      }
+    };
+  }
+});
+
+// src/gateway/interceptor.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve6 } from "path";
+function estimateTokensFromString(s) {
+  return Math.ceil(Buffer.byteLength(s, "utf-8") / 4);
+}
+async function interceptRequest(messages, config, analysis) {
+  const decisions = [];
+  let secretsRedacted = 0;
+  let secretsBlocked = false;
+  let contextInjected = false;
+  const originalTokens = messages.reduce((sum, m) => sum + estimateTokensFromString(m.content), 0);
+  let processedMessages = messages;
+  if (config.redactSecrets || config.blockOnSecrets) {
+    const { messages: scannedMessages, redactedCount, blocked, scanDecisions } = scanMessages(messages, config);
+    processedMessages = scannedMessages;
+    secretsRedacted = redactedCount;
+    secretsBlocked = blocked;
+    decisions.push(...scanDecisions);
+    if (blocked) {
+      return {
+        modified: true,
+        messages: processedMessages,
+        originalTokens,
+        optimizedTokens: 0,
+        secretsRedacted,
+        secretsBlocked: true,
+        contextInjected: false,
+        decisions
+      };
+    }
+  }
+  if (config.optimize && analysis) {
+    const { messages: optimizedMessages, injected, optimizeDecisions } = await optimizeContext(processedMessages, analysis, config);
+    processedMessages = optimizedMessages;
+    contextInjected = injected;
+    decisions.push(...optimizeDecisions);
+  }
+  const optimizedTokens = processedMessages.reduce((sum, m) => sum + estimateTokensFromString(m.content), 0);
+  return {
+    modified: secretsRedacted > 0 || contextInjected,
+    messages: processedMessages,
+    originalTokens,
+    optimizedTokens,
+    secretsRedacted,
+    secretsBlocked,
+    contextInjected,
+    decisions
+  };
+}
+function scanMessages(messages, config) {
+  const scanDecisions = [];
+  let redactedCount = 0;
+  let blocked = false;
+  const scannedMessages = messages.map((msg) => {
+    const findings = scanContentForSecrets(msg.content, `message:${msg.role}`);
+    if (findings.length === 0) return msg;
+    const criticalCount = findings.filter((f) => f.severity === "critical").length;
+    if (config.blockOnSecrets && criticalCount > 0) {
+      blocked = true;
+      scanDecisions.push(
+        `BLOCKED: ${criticalCount} critical secret(s) in ${msg.role} message. Types: ${[...new Set(findings.map((f) => f.type))].join(", ")}`
+      );
+      return msg;
+    }
+    const sanitized = sanitizeContent(msg.content);
+    redactedCount += findings.length;
+    scanDecisions.push(
+      `Redacted ${findings.length} secret(s) in ${msg.role} message: ${[...new Set(findings.map((f) => f.type))].join(", ")}`
+    );
+    return { ...msg, content: sanitized };
+  });
+  return { messages: scannedMessages, redactedCount, blocked, scanDecisions };
+}
+async function optimizeContext(messages, analysis, config) {
+  const optimizeDecisions = [];
+  const lastUserMsg = [...messages].reverse().find((m) => m.role === "user");
+  if (!lastUserMsg) {
+    optimizeDecisions.push("No user message found \u2014 skipping optimization");
+    return { messages, injected: false, optimizeDecisions };
+  }
+  const hasCtxContext = messages.some(
+    (m) => m.role === "system" && m.content.includes("[CTO Context]")
+  );
+  if (hasCtxContext) {
+    optimizeDecisions.push("CTO context already present \u2014 skipping injection");
+    return { messages, injected: false, optimizeDecisions };
+  }
+  try {
+    const selection = await selectContext({
+      task: lastUserMsg.content.slice(0, 500),
+      analysis,
+      budget: config.budget
+    });
+    if (selection.files.length === 0) {
+      optimizeDecisions.push("No relevant files found for task \u2014 skipping injection");
+      return { messages, injected: false, optimizeDecisions };
+    }
+    const contentBudget = Math.floor(config.budget * 0.6);
+    let usedTokens = 0;
+    const contextLines = [
+      "[CTO Context] Optimized project context (auto-injected by CTO Gateway)",
+      "",
+      `Project: ${analysis.projectName} (${analysis.totalFiles} files, ${Math.round(analysis.totalTokens / 1e3)}K tokens)`,
+      `Selected: ${selection.files.length} files, ${selection.totalTokens.toLocaleString()} tokens (${selection.coverage.score}% coverage)`,
+      ""
+    ];
+    const topFiles = selection.files.sort((a, b) => b.riskScore - a.riskScore);
+    const injectedFiles = [];
+    const skippedFiles = [];
+    for (const f of topFiles) {
+      if (usedTokens >= contentBudget) {
+        skippedFiles.push(f.relativePath);
+        continue;
+      }
+      try {
+        const fullPath = resolve6(config.projectPath, f.relativePath);
+        const content = readFileSync2(fullPath, "utf-8");
+        const fileTokens = estimateTokensFromString(content);
+        const remainingBudget = contentBudget - usedTokens;
+        let fileContent;
+        let truncated = false;
+        if (fileTokens > remainingBudget) {
+          const charLimit = remainingBudget * 4;
+          fileContent = content.slice(0, charLimit);
+          truncated = true;
+        } else {
+          fileContent = content;
+        }
+        const ext = f.relativePath.split(".").pop() || "";
+        contextLines.push(`### ${f.relativePath}${truncated ? " [truncated]" : ""}`);
+        contextLines.push("```" + ext);
+        contextLines.push(fileContent);
+        contextLines.push("```");
+        contextLines.push("");
+        usedTokens += estimateTokensFromString(fileContent);
+        injectedFiles.push(f.relativePath);
+      } catch {
+        skippedFiles.push(f.relativePath);
+      }
+    }
+    const typeFiles = analysis.files.filter((f) => f.kind === "type").map((f) => f.relativePath);
+    if (typeFiles.length > 0) {
+      contextLines.push("Type definitions (always import from these):");
+      for (const tf of typeFiles.slice(0, 10)) {
+        contextLines.push(`  - ${tf}`);
+      }
+      contextLines.push("");
+    }
+    if (analysis.graph.hubs.length > 0) {
+      contextLines.push("Hub files (central modules with many dependents):");
+      for (const hub of analysis.graph.hubs.slice(0, 5)) {
+        contextLines.push(`  - ${hub.relativePath} (${hub.dependents} dependents)`);
+      }
+      contextLines.push("");
+    }
+    if (skippedFiles.length > 0) {
+      contextLines.push(`Additional relevant files (not included due to token budget):`);
+      for (const sf of skippedFiles.slice(0, 15)) {
+        contextLines.push(`  - ${sf}`);
+      }
+      if (skippedFiles.length > 15) {
+        contextLines.push(`  ... and ${skippedFiles.length - 15} more`);
+      }
+    }
+    const contextBlock = contextLines.join("\n");
+    const systemMsg = {
+      role: "system",
+      content: contextBlock
+    };
+    const existingSystemIdx = messages.findIndex((m) => m.role === "system");
+    let optimizedMessages;
+    if (existingSystemIdx >= 0) {
+      optimizedMessages = [...messages];
+      optimizedMessages[existingSystemIdx] = {
+        ...optimizedMessages[existingSystemIdx],
+        content: optimizedMessages[existingSystemIdx].content + "\n\n" + contextBlock
+      };
+    } else {
+      optimizedMessages = [systemMsg, ...messages];
+    }
+    optimizeDecisions.push(
+      `Injected CTO context: ${injectedFiles.length} files with contents (${usedTokens.toLocaleString()} tokens), ${skippedFiles.length} listed without contents, ${selection.coverage.score}% coverage`
+    );
+    return { messages: optimizedMessages, injected: true, optimizeDecisions };
+  } catch (err) {
+    optimizeDecisions.push(`Context optimization failed: ${err.message}`);
+    return { messages, injected: false, optimizeDecisions };
+  }
+}
+var init_interceptor = __esm({
+  "src/gateway/interceptor.ts"() {
+    "use strict";
+    init_secrets();
+    init_selector();
+  }
+});
+
+// src/gateway/tracker.ts
+import { mkdirSync as mkdirSync2, appendFileSync, readFileSync as readFileSync3, readdirSync, existsSync as existsSync6 } from "fs";
+import { join as join7 } from "path";
+import { randomUUID } from "crypto";
+var UsageTracker;
+var init_tracker = __esm({
+  "src/gateway/tracker.ts"() {
+    "use strict";
+    UsageTracker = class {
+      logDir;
+      config;
+      eventHandlers = [];
+      cache = null;
+      cacheMonth = null;
+      // In-memory cost accumulators — survive async disk writes
+      memRecords = [];
+      constructor(config) {
+        this.config = config;
+        this.logDir = join7(config.logDir, "usage");
+        mkdirSync2(this.logDir, { recursive: true });
+      }
+      // ===== EVENT SYSTEM =====
+      onEvent(handler) {
+        this.eventHandlers.push(handler);
+      }
+      emit(event) {
+        for (const handler of this.eventHandlers) {
+          try {
+            handler(event);
+          } catch {
+          }
+        }
+      }
+      // ===== RECORD =====
+      record(params) {
+        const record = {
+          id: randomUUID().slice(0, 8),
+          timestamp: /* @__PURE__ */ new Date(),
+          ...params
+        };
+        const monthKey = this.getMonthKey(record.timestamp);
+        const logFile = join7(this.logDir, `${monthKey}.jsonl`);
+        const line = JSON.stringify({
+          ...record,
+          timestamp: record.timestamp.toISOString()
+        });
+        appendFileSync(logFile, line + "\n");
+        this.memRecords.push(record);
+        this.cache = null;
+        this.emit({ type: "request", record });
+        this.checkBudget(record.timestamp);
+        return record;
+      }
+      // ===== BUDGET CHECKS =====
+      checkBudget(now) {
+        if (this.config.budgetDaily > 0) {
+          const dailyCost = this.getDailyCost(now);
+          const threshold = this.config.budgetDaily * this.config.alertThreshold;
+          if (dailyCost >= this.config.budgetDaily) {
+            this.emit({
+              type: "budget-exceeded",
+              current: dailyCost,
+              limit: this.config.budgetDaily,
+              period: "daily"
+            });
+          } else if (dailyCost >= threshold) {
+            this.emit({
+              type: "budget-alert",
+              current: dailyCost,
+              limit: this.config.budgetDaily,
+              period: "daily"
+            });
+          }
+        }
+        if (this.config.budgetMonthly > 0) {
+          const monthlyCost = this.getMonthlyCost(now);
+          const threshold = this.config.budgetMonthly * this.config.alertThreshold;
+          if (monthlyCost >= this.config.budgetMonthly) {
+            this.emit({
+              type: "budget-exceeded",
+              current: monthlyCost,
+              limit: this.config.budgetMonthly,
+              period: "monthly"
+            });
+          } else if (monthlyCost >= threshold) {
+            this.emit({
+              type: "budget-alert",
+              current: monthlyCost,
+              limit: this.config.budgetMonthly,
+              period: "monthly"
+            });
+          }
+        }
+      }
+      isDailyBudgetExceeded(now = /* @__PURE__ */ new Date()) {
+        if (this.config.budgetDaily <= 0) return false;
+        return this.getDailyCost(now) >= this.config.budgetDaily;
+      }
+      isMonthlyBudgetExceeded(now = /* @__PURE__ */ new Date()) {
+        if (this.config.budgetMonthly <= 0) return false;
+        return this.getMonthlyCost(now) >= this.config.budgetMonthly;
+      }
+      // ===== QUERIES =====
+      getDailyCost(date = /* @__PURE__ */ new Date()) {
+        const dayStr = date.toISOString().split("T")[0];
+        const diskRecords = this.getMonthRecords(date);
+        const allRecords = this.mergeWithMemRecords(diskRecords);
+        return allRecords.filter((r) => r.timestamp.toISOString().startsWith(dayStr)).reduce((sum, r) => sum + r.costUSD, 0);
+      }
+      getMonthlyCost(date = /* @__PURE__ */ new Date()) {
+        const diskRecords = this.getMonthRecords(date);
+        const allRecords = this.mergeWithMemRecords(diskRecords);
+        return allRecords.reduce((sum, r) => sum + r.costUSD, 0);
+      }
+      mergeWithMemRecords(diskRecords) {
+        if (this.memRecords.length === 0) return diskRecords;
+        const diskIds = new Set(diskRecords.map((r) => r.id));
+        const newRecords = this.memRecords.filter((r) => !diskIds.has(r.id));
+        return [...diskRecords, ...newRecords];
+      }
+      getSummary(period = "month") {
+        const now = /* @__PURE__ */ new Date();
+        let records;
+        switch (period) {
+          case "day": {
+            const dayStr = now.toISOString().split("T")[0];
+            records = this.mergeWithMemRecords(this.getMonthRecords(now)).filter(
+              (r) => r.timestamp.toISOString().startsWith(dayStr)
+            );
+            break;
+          }
+          case "week": {
+            const weekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3);
+            const weekAgoKey = this.getMonthKey(weekAgo);
+            const nowKey = this.getMonthKey(now);
+            const baseRecs = weekAgoKey !== nowKey ? [...this.getMonthRecordsByKey(weekAgoKey), ...this.getMonthRecords(now)] : this.getMonthRecords(now);
+            records = this.mergeWithMemRecords(baseRecs).filter((r) => r.timestamp >= weekAgo);
+            break;
+          }
+          case "month":
+            records = this.mergeWithMemRecords(this.getMonthRecords(now));
+            break;
+          case "all":
+            records = this.mergeWithMemRecords(this.getAllRecords());
+            break;
+        }
+        const byModel = {};
+        const byProvider = {};
+        for (const r of records) {
+          if (!byModel[r.model]) byModel[r.model] = { requests: 0, costUSD: 0, tokens: 0 };
+          byModel[r.model].requests++;
+          byModel[r.model].costUSD += r.costUSD;
+          byModel[r.model].tokens += r.inputTokens + r.outputTokens;
+          if (!byProvider[r.provider]) byProvider[r.provider] = { requests: 0, costUSD: 0 };
+          byProvider[r.provider].requests++;
+          byProvider[r.provider].costUSD += r.costUSD;
+        }
+        return {
+          period,
+          totalRequests: records.length,
+          totalInputTokens: records.reduce((s, r) => s + r.inputTokens, 0),
+          totalOutputTokens: records.reduce((s, r) => s + r.outputTokens, 0),
+          totalCostUSD: records.reduce((s, r) => s + r.costUSD, 0),
+          totalSavedTokens: records.reduce((s, r) => s + r.savedTokens, 0),
+          totalSavedUSD: records.reduce((s, r) => s + r.savedUSD, 0),
+          totalSecretsRedacted: records.reduce((s, r) => s + r.secretsRedacted, 0),
+          byModel,
+          byProvider
+        };
+      }
+      // ===== STORAGE =====
+      getMonthKey(date) {
+        return date.toISOString().slice(0, 7);
+      }
+      getMonthRecordsByKey(monthKey) {
+        const filePath = join7(this.logDir, `${monthKey}.jsonl`);
+        if (!existsSync6(filePath)) return [];
+        return readFileSync3(filePath, "utf-8").split("\n").filter((line) => line.trim()).map((line) => {
+          try {
+            const parsed = JSON.parse(line);
+            parsed.timestamp = new Date(parsed.timestamp);
+            return parsed;
+          } catch {
+            return null;
+          }
+        }).filter((r) => r !== null);
+      }
+      getMonthRecords(date) {
+        const monthKey = this.getMonthKey(date);
+        if (this.cache && this.cacheMonth === monthKey) return this.cache;
+        const filePath = join7(this.logDir, `${monthKey}.jsonl`);
+        if (!existsSync6(filePath)) return [];
+        const records = readFileSync3(filePath, "utf-8").split("\n").filter((line) => line.trim()).map((line) => {
+          try {
+            const parsed = JSON.parse(line);
+            parsed.timestamp = new Date(parsed.timestamp);
+            return parsed;
+          } catch {
+            return null;
+          }
+        }).filter((r) => r !== null);
+        this.cache = records;
+        this.cacheMonth = monthKey;
+        return records;
+      }
+      getAllRecords() {
+        if (!existsSync6(this.logDir)) return [];
+        const files = readdirSync(this.logDir).filter((f) => f.endsWith(".jsonl")).sort();
+        const allRecords = [];
+        for (const file of files) {
+          const content = readFileSync3(join7(this.logDir, file), "utf-8");
+          const records = content.split("\n").filter((line) => line.trim()).map((line) => {
+            try {
+              const parsed = JSON.parse(line);
+              parsed.timestamp = new Date(parsed.timestamp);
+              return parsed;
+            } catch {
+              return null;
+            }
+          }).filter((r) => r !== null);
+          allRecords.push(...records);
+        }
+        return allRecords;
+      }
+    };
+  }
+});
+
+// src/gateway/server.ts
+var server_exports = {};
+__export(server_exports, {
+  ContextGateway: () => ContextGateway
+});
+import { createServer, Agent as HttpAgent } from "http";
+import { request as httpsRequest, Agent as HttpsAgent } from "https";
+import { request as httpRequest } from "http";
+import { URL } from "url";
+import { lookup } from "dns/promises";
+function readBody(req, maxBytes = 0) {
+  return new Promise((resolve8, reject) => {
+    const chunks = [];
+    let totalBytes = 0;
+    req.on("data", (chunk) => {
+      totalBytes += chunk.length;
+      if (maxBytes > 0 && totalBytes > maxBytes) {
+        req.destroy();
+        reject(new Error("body-too-large"));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => resolve8(Buffer.concat(chunks).toString()));
+    req.on("error", reject);
+  });
+}
+function flattenHeaders(headers) {
+  const flat = {};
+  for (const [key, value] of Object.entries(headers)) {
+    if (value) flat[key] = Array.isArray(value) ? value[0] : value;
+  }
+  return flat;
+}
+function rebuildRequestBody(original, messages, provider) {
+  const body = { ...original };
+  if (provider === "anthropic") {
+    const systemMsg = messages.find((m) => m.role === "system");
+    const otherMsgs = messages.filter((m) => m.role !== "system");
+    if (systemMsg) body.system = systemMsg.content;
+    body.messages = otherMsgs;
+  } else if (provider === "google") {
+    const systemMsg = messages.find((m) => m.role === "system");
+    const otherMsgs = messages.filter((m) => m.role !== "system");
+    if (systemMsg) {
+      body.systemInstruction = { parts: [{ text: systemMsg.content }] };
+    }
+    body.contents = otherMsgs.map((m) => ({
+      role: m.role === "assistant" ? "model" : "user",
+      parts: [{ text: m.content }]
+    }));
+  } else {
+    body.messages = messages;
+  }
+  return JSON.stringify(body);
+}
+function generateDashboardHTML(monthly, daily, config, analysis) {
+  const modelRows = Object.entries(monthly.byModel).sort(([, a], [, b]) => b.costUSD - a.costUSD).map(
+    ([model, data]) => `<tr><td>${model}</td><td>${data.requests}</td><td>${(data.tokens / 1e3).toFixed(1)}K</td><td>$${data.costUSD.toFixed(4)}</td></tr>`
+  ).join("");
+  const providerRows = Object.entries(monthly.byProvider).sort(([, a], [, b]) => b.costUSD - a.costUSD).map(
+    ([provider, data]) => `<tr><td>${provider}</td><td>${data.requests}</td><td>$${data.costUSD.toFixed(4)}</td></tr>`
+  ).join("");
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>CTO Gateway Dashboard</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #0a0a0f; color: #e0e0e0; padding: 2rem; }
+    h1 { font-size: 1.8rem; margin-bottom: 0.5rem; color: #fff; }
+    h2 { font-size: 1.2rem; margin: 2rem 0 1rem; color: #8b8bff; }
+    .subtitle { color: #666; margin-bottom: 2rem; }
+    .grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 1rem; margin-bottom: 2rem; }
+    .card { background: #14141f; border: 1px solid #2a2a3a; border-radius: 12px; padding: 1.5rem; }
+    .card .label { font-size: 0.75rem; text-transform: uppercase; color: #666; letter-spacing: 0.05em; }
+    .card .value { font-size: 2rem; font-weight: 700; color: #fff; margin-top: 0.25rem; }
+    .card .detail { font-size: 0.85rem; color: #888; margin-top: 0.25rem; }
+    .card.green .value { color: #4ade80; }
+    .card.red .value { color: #f87171; }
+    .card.blue .value { color: #60a5fa; }
+    .card.purple .value { color: #a78bfa; }
+    table { width: 100%; border-collapse: collapse; margin-top: 0.5rem; }
+    th { text-align: left; padding: 0.5rem; color: #666; font-size: 0.75rem; text-transform: uppercase; border-bottom: 1px solid #2a2a3a; }
+    td { padding: 0.5rem; border-bottom: 1px solid #1a1a2a; font-size: 0.9rem; }
+    .status { display: inline-block; width: 8px; height: 8px; border-radius: 50%; margin-right: 8px; }
+    .status.on { background: #4ade80; }
+    .status.off { background: #666; }
+    .footer { margin-top: 3rem; color: #444; font-size: 0.75rem; }
+    .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 0.7rem; font-weight: 600; }
+    .badge.critical { background: #7f1d1d; color: #fca5a5; }
+    .badge.ok { background: #14532d; color: #86efac; }
+  </style>
+</head>
+<body>
+  <h1>\u26A1 CTO Context Gateway</h1>
+  <p class="subtitle">Real-time AI proxy with context optimization, secret redaction, and cost tracking</p>
+
+  <h2>Today</h2>
+  <div class="grid">
+    <div class="card blue">
+      <div class="label">Requests</div>
+      <div class="value">${daily.totalRequests}</div>
+    </div>
+    <div class="card">
+      <div class="label">Cost</div>
+      <div class="value">$${daily.totalCostUSD.toFixed(2)}</div>
+      ${config.budgetDaily > 0 ? `<div class="detail">Budget: $${config.budgetDaily}/day</div>` : ""}
+    </div>
+    <div class="card green">
+      <div class="label">Tokens Saved</div>
+      <div class="value">${(daily.totalSavedTokens / 1e3).toFixed(1)}K</div>
+      <div class="detail">$${daily.totalSavedUSD.toFixed(2)} saved</div>
+    </div>
+    <div class="card ${daily.totalSecretsRedacted > 0 ? "red" : ""}">
+      <div class="label">Secrets Redacted</div>
+      <div class="value">${daily.totalSecretsRedacted}</div>
+    </div>
+  </div>
+
+  <h2>This Month</h2>
+  <div class="grid">
+    <div class="card blue">
+      <div class="label">Total Requests</div>
+      <div class="value">${monthly.totalRequests}</div>
+    </div>
+    <div class="card">
+      <div class="label">Total Cost</div>
+      <div class="value">$${monthly.totalCostUSD.toFixed(2)}</div>
+      ${config.budgetMonthly > 0 ? `<div class="detail">Budget: $${config.budgetMonthly}/month</div>` : ""}
+    </div>
+    <div class="card green">
+      <div class="label">Total Saved</div>
+      <div class="value">$${monthly.totalSavedUSD.toFixed(2)}</div>
+      <div class="detail">${(monthly.totalSavedTokens / 1e3).toFixed(0)}K tokens</div>
+    </div>
+    <div class="card purple">
+      <div class="label">Tokens Processed</div>
+      <div class="value">${((monthly.totalInputTokens + monthly.totalOutputTokens) / 1e3).toFixed(0)}K</div>
+      <div class="detail">${(monthly.totalInputTokens / 1e3).toFixed(0)}K in / ${(monthly.totalOutputTokens / 1e3).toFixed(0)}K out</div>
+    </div>
+  </div>
+
+  <h2>Features</h2>
+  <div class="grid">
+    <div class="card">
+      <div class="label">Context Optimization</div>
+      <div class="value"><span class="status ${config.optimize ? "on" : "off"}"></span>${config.optimize ? "ON" : "OFF"}</div>
+      ${analysis ? `<div class="detail">${analysis.totalFiles} files, ${(analysis.totalTokens / 1e3).toFixed(0)}K tokens</div>` : '<div class="detail">Loading analysis...</div>'}
+    </div>
+    <div class="card">
+      <div class="label">Secret Redaction</div>
+      <div class="value"><span class="status ${config.redactSecrets ? "on" : "off"}"></span>${config.redactSecrets ? "ON" : "OFF"}</div>
+      ${config.blockOnSecrets ? '<span class="badge critical">BLOCKING</span>' : ""}
+    </div>
+    <div class="card">
+      <div class="label">Cost Tracking</div>
+      <div class="value"><span class="status ${config.costTracking ? "on" : "off"}"></span>${config.costTracking ? "ON" : "OFF"}</div>
+    </div>
+    <div class="card">
+      <div class="label">Audit Log</div>
+      <div class="value"><span class="status ${config.auditLog ? "on" : "off"}"></span>${config.auditLog ? "ON" : "OFF"}</div>
+      <div class="detail">${config.logDir}</div>
+    </div>
+  </div>
+
+  ${modelRows ? `
+  <h2>By Model</h2>
+  <div class="card">
+    <table>
+      <thead><tr><th>Model</th><th>Requests</th><th>Tokens</th><th>Cost</th></tr></thead>
+      <tbody>${modelRows}</tbody>
+    </table>
+  </div>` : ""}
+
+  ${providerRows ? `
+  <h2>By Provider</h2>
+  <div class="card">
+    <table>
+      <thead><tr><th>Provider</th><th>Requests</th><th>Cost</th></tr></thead>
+      <tbody>${providerRows}</tbody>
+    </table>
+  </div>` : ""}
+
+  <div class="footer">
+    CTO Context Gateway v4.0.0 \xB7 Listening on ${config.host}:${config.port} \xB7 <a href="/health" style="color:#666">Health</a>
+  </div>
+
+  <script>setTimeout(() => location.reload(), 30000);</script>
+</body>
+</html>`;
+}
+var ContextGateway;
+var init_server = __esm({
+  "src/gateway/server.ts"() {
+    "use strict";
+    init_types();
+    init_providers();
+    init_interceptor();
+    init_tracker();
+    init_analyzer();
+    ContextGateway = class {
+      config;
+      tracker;
+      analysis = null;
+      analysisPromise = null;
+      eventHandlers = [];
+      server = null;
+      httpAgent;
+      httpsAgent;
+      budgetLock = false;
+      // Simple lock for budget reservation
+      constructor(config = {}) {
+        this.config = { ...DEFAULT_GATEWAY_CONFIG, ...config };
+        this.tracker = new UsageTracker(this.config);
+        this.httpAgent = new HttpAgent({ keepAlive: true, maxSockets: 50 });
+        this.httpsAgent = new HttpsAgent({ keepAlive: true, maxSockets: 50 });
+        this.tracker.onEvent((event) => this.emit(event));
+      }
+      // ===== EVENTS =====
+      onEvent(handler) {
+        this.eventHandlers.push(handler);
+      }
+      emit(event) {
+        for (const handler of this.eventHandlers) {
+          try {
+            handler(event);
+          } catch {
+          }
+        }
+      }
+      // ===== LIFECYCLE =====
+      async start() {
+        if (this.config.optimize) {
+          this.analysisPromise = this.refreshAnalysis();
+        }
+        this.server = createServer((req, res) => this.handleRequest(req, res));
+        return new Promise((resolve8) => {
+          this.server.listen(this.config.port, this.config.host, () => {
+            resolve8();
+          });
+        });
+      }
+      async stop() {
+        return new Promise((resolve8) => {
+          if (this.server) {
+            this.server.close(() => resolve8());
+          } else {
+            resolve8();
+          }
+        });
+      }
+      getTracker() {
+        return this.tracker;
+      }
+      // ===== ANALYSIS =====
+      async refreshAnalysis() {
+        try {
+          const analysis = await analyzeProject(this.config.projectPath);
+          this.analysis = analysis;
+          return analysis;
+        } catch (err) {
+          this.emit({ type: "error", message: `Analysis failed: ${err.message}`, error: err });
+          throw err;
+        }
+      }
+      // ===== REQUEST HANDLER =====
+      async handleRequest(req, res) {
+        const startTime = Date.now();
+        if (this.config.dashboard && req.url?.startsWith(this.config.dashboardPath)) {
+          return this.serveDashboard(req, res);
+        }
+        if (req.url === "/health" || req.url === "/__cto/health") {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            status: "ok",
+            version: "4.0.0",
+            uptime: process.uptime(),
+            analysis: this.analysis ? "ready" : "loading"
+          }));
+          return;
+        }
+        if (this.config.apiKey) {
+          const authHeader = req.headers["x-cto-key"] || req.headers["authorization"]?.replace(/^Bearer\s+/i, "") || "";
+          if (authHeader !== this.config.apiKey) {
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Unauthorized. Set x-cto-key header or Authorization: Bearer <key>" }));
+            return;
+          }
+        }
+        if (req.method !== "POST") {
+          res.writeHead(405, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Method not allowed. Gateway only proxies POST requests." }));
+          return;
+        }
+        let body;
+        try {
+          body = await readBody(req, this.config.maxBodyBytes);
+        } catch (err) {
+          const status = err.message === "body-too-large" ? 413 : 400;
+          res.writeHead(status, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: status === 413 ? `Request body too large. Max: ${Math.round(this.config.maxBodyBytes / 1024 / 1024)}MB` : "Failed to read request body" }));
+          return;
+        }
+        let parsedBody;
+        try {
+          parsedBody = JSON.parse(body);
+        } catch {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Invalid JSON in request body" }));
+          return;
+        }
+        const targetUrl = req.headers["x-cto-target"] || req.headers["x-target-url"] || "";
+        if (!targetUrl) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            error: "Missing target URL. Set x-cto-target header to the provider API URL.",
+            example: "x-cto-target: https://api.openai.com/v1/chat/completions"
+          }));
+          return;
+        }
+        let targetUrlParsed;
+        try {
+          targetUrlParsed = new URL(targetUrl);
+        } catch {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Invalid target URL" }));
+          return;
+        }
+        if (targetUrlParsed.protocol !== "https:" && targetUrlParsed.hostname !== "localhost") {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Only HTTPS targets allowed (SSRF protection)" }));
+          return;
+        }
+        if (!isAllowedTarget(targetUrlParsed.hostname, this.config)) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            error: `Target domain not allowed: ${targetUrlParsed.hostname}`,
+            allowed: this.config.allowedTargetDomains.length > 0 ? this.config.allowedTargetDomains : ["api.openai.com", "api.anthropic.com", "*.googleapis.com", "*.openai.azure.com"]
+          }));
+          return;
+        }
+        try {
+          const resolved = await lookup(targetUrlParsed.hostname);
+          if (isPrivateIP(resolved.address)) {
+            res.writeHead(403, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Target resolves to private IP (SSRF protection)" }));
+            return;
+          }
+        } catch {
+        }
+        const headers = flattenHeaders(req.headers);
+        const provider = detectProvider(targetUrl || req.url || "", headers);
+        const parsed = provider.parseRequest(parsedBody);
+        const now = /* @__PURE__ */ new Date();
+        if (this.tracker.isDailyBudgetExceeded(now)) {
+          res.writeHead(429, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            error: "Daily budget exceeded",
+            budget: this.config.budgetDaily,
+            current: this.tracker.getDailyCost(now)
+          }));
+          return;
+        }
+        if (this.tracker.isMonthlyBudgetExceeded(now)) {
+          res.writeHead(429, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            error: "Monthly budget exceeded",
+            budget: this.config.budgetMonthly,
+            current: this.tracker.getMonthlyCost(now)
+          }));
+          return;
+        }
+        if (this.analysisPromise && !this.analysis) {
+          try {
+            await this.analysisPromise;
+          } catch {
+          }
+        }
+        const interceptResult = await interceptRequest(parsed.messages, this.config, this.analysis);
+        if (interceptResult.secretsBlocked) {
+          res.writeHead(403, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({
+            error: "Request blocked: secrets detected in message content",
+            decisions: interceptResult.decisions,
+            secretsRedacted: interceptResult.secretsRedacted
+          }));
+          this.tracker.record({
+            provider: provider.name,
+            model: parsed.model,
+            inputTokens: 0,
+            outputTokens: 0,
+            costUSD: 0,
+            originalTokens: interceptResult.originalTokens,
+            optimizedTokens: 0,
+            savedTokens: 0,
+            savedUSD: 0,
+            secretsRedacted: interceptResult.secretsRedacted,
+            secretsBlocked: true,
+            projectPath: this.config.projectPath,
+            latencyMs: Date.now() - startTime,
+            stream: parsed.stream,
+            error: "blocked:secrets"
+          });
+          return;
+        }
+        const modifiedBody = rebuildRequestBody(parsedBody, interceptResult.messages, provider.name);
+        try {
+          await this.proxyRequest(targetUrl, req, res, modifiedBody, provider, parsed, interceptResult, startTime);
+        } catch (err) {
+          if (!res.headersSent) {
+            const status = err.message === "upstream-timeout" ? 504 : 502;
+            res.writeHead(status, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: status === 504 ? "Upstream provider timeout" : `Proxy error: ${err.message}` }));
+          }
+          this.emit({ type: "error", message: `Proxy error: ${err.message}`, error: err });
+        }
+      }
+      // ===== PROXY =====
+      async proxyRequest(targetUrl, clientReq, clientRes, body, provider, parsed, interceptResult, startTime) {
+        const url = new URL(targetUrl);
+        const isHttps = url.protocol === "https:";
+        const requester = isHttps ? httpsRequest : httpRequest;
+        const forwardHeaders = {};
+        const stripHeaders = /* @__PURE__ */ new Set(["host", "content-length", "x-cto-target", "x-target-url", "x-cto-key"]);
+        for (const [key, value] of Object.entries(clientReq.headers)) {
+          if (stripHeaders.has(key)) continue;
+          if (value) forwardHeaders[key] = Array.isArray(value) ? value[0] : value;
+        }
+        forwardHeaders["content-length"] = Buffer.byteLength(body).toString();
+        return new Promise((resolve8, reject) => {
+          const proxyReq = requester(
+            {
+              hostname: url.hostname,
+              port: url.port || (isHttps ? 443 : 80),
+              path: url.pathname + url.search,
+              method: "POST",
+              headers: forwardHeaders,
+              agent: isHttps ? this.httpsAgent : this.httpAgent,
+              // Connection pooling
+              timeout: this.config.upstreamTimeoutMs
+            },
+            (proxyRes) => {
+              if (parsed.stream && proxyRes.headers["content-type"]?.includes("text/event-stream")) {
+                this.handleStreamResponse(
+                  proxyRes,
+                  clientRes,
+                  provider,
+                  parsed,
+                  interceptResult,
+                  startTime
+                ).then(resolve8).catch(reject);
+              } else {
+                this.handleBufferedResponse(
+                  proxyRes,
+                  clientRes,
+                  provider,
+                  parsed,
+                  interceptResult,
+                  startTime
+                ).then(resolve8).catch(reject);
+              }
+            }
+          );
+          proxyReq.on("timeout", () => {
+            proxyReq.destroy();
+            reject(new Error("upstream-timeout"));
+          });
+          proxyReq.on("error", reject);
+          proxyReq.write(body);
+          proxyReq.end();
+        });
+      }
+      // ===== STREAM HANDLER =====
+      async handleStreamResponse(proxyRes, clientRes, provider, parsed, interceptResult, startTime) {
+        clientRes.writeHead(proxyRes.statusCode || 200, proxyRes.headers);
+        let fullContent2 = "";
+        let inputTokens = 0;
+        let outputTokens = 0;
+        let sseBuffer = "";
+        return new Promise((resolve8) => {
+          proxyRes.on("data", (chunk) => {
+            clientRes.write(chunk);
+            sseBuffer += chunk.toString();
+            const events = sseBuffer.split("\n\n");
+            sseBuffer = events.pop() || "";
+            for (const event of events) {
+              for (const line of event.split("\n")) {
+                if (!line.startsWith("data: ")) continue;
+                const data = line.slice(6).trim();
+                if (data === "[DONE]") continue;
+                try {
+                  const obj = JSON.parse(data);
+                  const delta = obj.choices?.[0]?.delta?.content || obj.delta?.text || "";
+                  if (delta) fullContent2 += delta;
+                  if (obj.usage) {
+                    inputTokens = obj.usage.prompt_tokens || obj.usage.input_tokens || 0;
+                    outputTokens = obj.usage.completion_tokens || obj.usage.output_tokens || 0;
+                  }
+                } catch {
+                }
+              }
+            }
+          });
+          proxyRes.on("end", () => {
+            if (sseBuffer.trim()) {
+              for (const line of sseBuffer.split("\n")) {
+                if (!line.startsWith("data: ")) continue;
+                const data = line.slice(6).trim();
+                if (data === "[DONE]") continue;
+                try {
+                  const obj = JSON.parse(data);
+                  if (obj.usage) {
+                    inputTokens = obj.usage.prompt_tokens || obj.usage.input_tokens || 0;
+                    outputTokens = obj.usage.completion_tokens || obj.usage.output_tokens || 0;
+                  }
+                } catch {
+                }
+              }
+            }
+            clientRes.end();
+            if (inputTokens === 0) inputTokens = interceptResult.optimizedTokens;
+            if (outputTokens === 0) outputTokens = Math.ceil(fullContent2.length / 4);
+            const costUSD = estimateCost(provider, parsed.model, inputTokens, outputTokens);
+            const originalCost = estimateCost(provider, parsed.model, interceptResult.originalTokens, outputTokens);
+            this.tracker.record({
+              provider: provider.name,
+              model: parsed.model,
+              inputTokens,
+              outputTokens,
+              costUSD,
+              originalTokens: interceptResult.originalTokens,
+              optimizedTokens: interceptResult.optimizedTokens,
+              savedTokens: interceptResult.originalTokens - interceptResult.optimizedTokens,
+              savedUSD: Math.max(0, originalCost - costUSD),
+              secretsRedacted: interceptResult.secretsRedacted,
+              secretsBlocked: false,
+              projectPath: this.config.projectPath,
+              latencyMs: Date.now() - startTime,
+              stream: true
+            });
+            resolve8();
+          });
+          proxyRes.on("error", () => {
+            clientRes.end();
+            resolve8();
+          });
+        });
+      }
+      // ===== BUFFERED HANDLER =====
+      async handleBufferedResponse(proxyRes, clientRes, provider, parsed, interceptResult, startTime) {
+        return new Promise((resolve8) => {
+          const chunks = [];
+          proxyRes.on("data", (chunk) => chunks.push(chunk));
+          proxyRes.on("end", () => {
+            const responseBody = Buffer.concat(chunks).toString();
+            clientRes.writeHead(proxyRes.statusCode || 200, proxyRes.headers);
+            clientRes.end(responseBody);
+            try {
+              const responseJson = JSON.parse(responseBody);
+              const parsedResponse = provider.parseResponse(responseJson, false);
+              const costUSD = estimateCost(
+                provider,
+                parsedResponse.model || parsed.model,
+                parsedResponse.inputTokens,
+                parsedResponse.outputTokens
+              );
+              const originalCost = estimateCost(
+                provider,
+                parsed.model,
+                interceptResult.originalTokens,
+                parsedResponse.outputTokens
+              );
+              this.tracker.record({
+                provider: provider.name,
+                model: parsedResponse.model || parsed.model,
+                inputTokens: parsedResponse.inputTokens,
+                outputTokens: parsedResponse.outputTokens,
+                costUSD,
+                originalTokens: interceptResult.originalTokens,
+                optimizedTokens: interceptResult.optimizedTokens,
+                savedTokens: interceptResult.originalTokens - interceptResult.optimizedTokens,
+                savedUSD: Math.max(0, originalCost - costUSD),
+                secretsRedacted: interceptResult.secretsRedacted,
+                secretsBlocked: false,
+                projectPath: this.config.projectPath,
+                latencyMs: Date.now() - startTime,
+                stream: false
+              });
+            } catch {
+              this.tracker.record({
+                provider: provider.name,
+                model: parsed.model,
+                inputTokens: interceptResult.optimizedTokens,
+                outputTokens: 0,
+                costUSD: 0,
+                originalTokens: interceptResult.originalTokens,
+                optimizedTokens: interceptResult.optimizedTokens,
+                savedTokens: interceptResult.originalTokens - interceptResult.optimizedTokens,
+                savedUSD: 0,
+                secretsRedacted: interceptResult.secretsRedacted,
+                secretsBlocked: false,
+                projectPath: this.config.projectPath,
+                latencyMs: Date.now() - startTime,
+                stream: false,
+                error: "response-parse-failed"
+              });
+            }
+            resolve8();
+          });
+          proxyRes.on("error", () => {
+            clientRes.end();
+            resolve8();
+          });
+        });
+      }
+      // ===== DASHBOARD =====
+      serveDashboard(_req, res) {
+        const summary = this.tracker.getSummary("month");
+        const dailySummary = this.tracker.getSummary("day");
+        const html = generateDashboardHTML(summary, dailySummary, this.config, this.analysis);
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(html);
+      }
+    };
+  }
+});
+
+// src/cli/score.ts
+init_analyzer();
+import { resolve as resolve7, join as join8 } from "path";
+import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync2, readFileSync as readFileSync4, appendFileSync as appendFileSync2 } from "fs";
+
+// src/engine/score.ts
+init_selector();
+init_coverage();
+init_graph_utils();
+async function computeContextScore(analysis, task = "general code review and refactoring", budget = 5e4) {
+  const selection = await selectContext({ task, analysis, budget });
+  const insights = [];
+  const efficiency = scoreEfficiency(analysis, selection, insights);
+  const coverage = scoreCoverage(analysis, selection, insights);
+  const riskControl = scoreRiskControl(analysis, selection, insights);
+  const structure = scoreStructure(analysis, insights);
+  const governance = scoreGovernance(analysis, insights);
+  const overall = Math.round(
+    efficiency.weighted + coverage.weighted + riskControl.weighted + structure.weighted + governance.weighted
+  );
+  const grade = scoreToGrade(overall);
+  const naiveTokens = analysis.totalTokens;
+  const optimizedTokens = selection.totalTokens;
+  const savedTokens = naiveTokens - optimizedTokens;
+  const savedPercent = naiveTokens > 0 ? Math.round(savedTokens / naiveTokens * 100) : 0;
+  const interactionsPerMonth = 40 * 20;
+  const costPerMToken = 3;
+  const naiveMonthlyCost = naiveTokens / 1e6 * costPerMToken * interactionsPerMonth;
+  const optimizedMonthlyCost = optimizedTokens / 1e6 * costPerMToken * interactionsPerMonth;
+  const monthlySavingsUSD = Math.round((naiveMonthlyCost - optimizedMonthlyCost) * 100) / 100;
+  return {
+    overall,
+    grade,
+    dimensions: {
+      efficiency,
+      coverage,
+      riskControl,
+      structure,
+      governance
+    },
+    insights: insights.sort((a, b) => {
+      const order = { high: 0, medium: 1, low: 2 };
+      return order[a.impact] - order[b.impact];
+    }),
+    comparison: {
+      naiveTokens,
+      optimizedTokens,
+      savedTokens,
+      savedPercent,
+      monthlySavingsUSD
+    },
+    meta: {
+      projectName: analysis.projectName,
+      totalFiles: analysis.totalFiles,
+      totalTokens: analysis.totalTokens,
+      analyzedAt: analysis.analyzedAt
+    }
+  };
+}
+function scoreEfficiency(analysis, selection, insights) {
+  const weight = 30;
+  const ratio = analysis.totalTokens > 0 ? 1 - selection.totalTokens / analysis.totalTokens : 0;
+  const selectivity = analysis.totalFiles > 0 ? 1 - selection.files.length / analysis.totalFiles : 0;
+  const prunedFiles = selection.files.filter(
+    (f) => f.pruneLevel === "signatures" || f.pruneLevel === "skeleton"
+  ).length;
+  const pruneRatio = selection.files.length > 0 ? prunedFiles / selection.files.length : 0;
+  const raw = (ratio * 0.5 + selectivity * 0.3 + pruneRatio * 0.2) * 100;
+  const score = Math.min(100, Math.max(0, Math.round(raw)));
+  const weighted = score / 100 * weight;
+  if (ratio > 0.7) {
+    insights.push({
+      type: "strength",
+      title: "Excellent compression",
+      detail: `${Math.round(ratio * 100)}% token reduction while maintaining context quality`,
+      impact: "high"
+    });
+  }
+  if (ratio < 0.3 && analysis.totalTokens > 2e4) {
+    insights.push({
+      type: "weakness",
+      title: "Low compression opportunity",
+      detail: "Most files are needed. Consider splitting the project into smaller modules.",
+      impact: "medium"
+    });
+  }
+  return {
+    score,
+    weight,
+    weighted,
+    detail: `${Math.round(ratio * 100)}% compression, ${prunedFiles}/${selection.files.length} files pruned`
+  };
+}
+function scoreCoverage(analysis, selection, insights) {
+  const weight = 25;
   const coverageScore = selection.coverage.score;
   const missingCritical = selection.coverage.missingCritical.length;
   let penalty = 0;
@@ -1727,6 +3616,7 @@ function formatNumber(n) {
 }
 
 // src/engine/benchmark.ts
+init_selector();
 async function runBenchmark(analysis, task = "general code review and refactoring", budget = 5e4) {
   const criticalFiles = analysis.files.filter((f) => f.riskScore >= 80);
   const highRiskFiles = analysis.files.filter((f) => f.riskScore >= 60 && f.riskScore < 80);
@@ -1879,6 +3769,540 @@ function fmt(n) {
   return n.toString();
 }
 
+// src/cli/score.ts
+init_selector();
+init_secrets();
+
+// src/engine/monorepo.ts
+import { readFile as readFile5, readdir as readdir2 } from "fs/promises";
+import { join as join5, relative as relative4, basename as basename3 } from "path";
+import { existsSync as existsSync4 } from "fs";
+async function detectMonorepoTool(rootPath) {
+  const checks = [
+    { file: "nx.json", tool: "nx" },
+    { file: "turbo.json", tool: "turborepo" },
+    { file: "lerna.json", tool: "lerna" },
+    { file: "pnpm-workspace.yaml", tool: "pnpm-workspaces" },
+    {
+      file: "package.json",
+      tool: "npm-workspaces",
+      validate: (content) => {
+        try {
+          const pkg = JSON.parse(content);
+          return Array.isArray(pkg.workspaces) || typeof pkg.workspaces?.packages !== "undefined";
+        } catch {
+          return false;
+        }
+      }
+    }
+  ];
+  for (const check of checks) {
+    const filePath = join5(rootPath, check.file);
+    if (existsSync4(filePath)) {
+      if (!check.validate) return check.tool;
+      try {
+        const content = await readFile5(filePath, "utf-8");
+        if (check.validate(content)) {
+          if (check.tool === "npm-workspaces") {
+            if (existsSync4(join5(rootPath, "yarn.lock"))) return "yarn-workspaces";
+            return "npm-workspaces";
+          }
+          return check.tool;
+        }
+      } catch {
+      }
+    }
+  }
+  return "none";
+}
+async function resolveWorkspaceGlobs(rootPath, globs) {
+  const packagePaths = [];
+  for (const glob of globs) {
+    const cleanGlob = glob.replace(/\/?\*\*?$/, "");
+    const searchDir = join5(rootPath, cleanGlob);
+    if (!existsSync4(searchDir)) continue;
+    try {
+      const entries = await readdir2(searchDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue;
+        const pkgJsonPath = join5(searchDir, entry.name, "package.json");
+        if (existsSync4(pkgJsonPath)) {
+          packagePaths.push(join5(searchDir, entry.name));
+        }
+      }
+    } catch {
+    }
+  }
+  return packagePaths;
+}
+async function discoverPackages(rootPath, tool) {
+  switch (tool) {
+    case "npm-workspaces":
+    case "yarn-workspaces": {
+      const pkgJson = JSON.parse(await readFile5(join5(rootPath, "package.json"), "utf-8"));
+      const workspaces = Array.isArray(pkgJson.workspaces) ? pkgJson.workspaces : pkgJson.workspaces?.packages || [];
+      return resolveWorkspaceGlobs(rootPath, workspaces);
+    }
+    case "pnpm-workspaces": {
+      const content = await readFile5(join5(rootPath, "pnpm-workspace.yaml"), "utf-8");
+      const packages = [];
+      let inPackages = false;
+      for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed === "packages:") {
+          inPackages = true;
+          continue;
+        }
+        if (inPackages && trimmed.startsWith("- ")) {
+          packages.push(trimmed.slice(2).replace(/['"]/g, ""));
+        } else if (inPackages && !trimmed.startsWith("-") && trimmed.length > 0) {
+          inPackages = false;
+        }
+      }
+      return resolveWorkspaceGlobs(rootPath, packages);
+    }
+    case "turborepo": {
+      const pkgJson = JSON.parse(await readFile5(join5(rootPath, "package.json"), "utf-8"));
+      const workspaces = Array.isArray(pkgJson.workspaces) ? pkgJson.workspaces : pkgJson.workspaces?.packages || [];
+      if (workspaces.length > 0) return resolveWorkspaceGlobs(rootPath, workspaces);
+      if (existsSync4(join5(rootPath, "pnpm-workspace.yaml"))) {
+        return discoverPackages(rootPath, "pnpm-workspaces");
+      }
+      return [];
+    }
+    case "nx": {
+      const standardDirs = ["packages", "apps", "libs"];
+      const globs = standardDirs.filter((d) => existsSync4(join5(rootPath, d)));
+      if (globs.length > 0) return resolveWorkspaceGlobs(rootPath, globs);
+      try {
+        const pkgJson = JSON.parse(await readFile5(join5(rootPath, "package.json"), "utf-8"));
+        const workspaces = Array.isArray(pkgJson.workspaces) ? pkgJson.workspaces : [];
+        if (workspaces.length > 0) return resolveWorkspaceGlobs(rootPath, workspaces);
+      } catch {
+      }
+      return [];
+    }
+    case "lerna": {
+      const lernaJson = JSON.parse(await readFile5(join5(rootPath, "lerna.json"), "utf-8"));
+      const packages = lernaJson.packages || ["packages/*"];
+      return resolveWorkspaceGlobs(rootPath, packages);
+    }
+    default:
+      return [];
+  }
+}
+function buildCrossPackageEdges(packages, allFiles, graphEdges, rootPath) {
+  const fileToPackage = /* @__PURE__ */ new Map();
+  for (const pkg of packages) {
+    const pkgRel = relative4(rootPath, pkg.path);
+    for (const f of allFiles) {
+      if (f.relativePath.startsWith(pkgRel + "/") || f.relativePath.startsWith(pkgRel + "\\")) {
+        fileToPackage.set(f.relativePath, pkg.name);
+      }
+    }
+  }
+  const edgeMap = /* @__PURE__ */ new Map();
+  for (const edge of graphEdges) {
+    const fromPkg = fileToPackage.get(edge.from);
+    const toPkg = fileToPackage.get(edge.to);
+    if (fromPkg && toPkg && fromPkg !== toPkg) {
+      const key = `${fromPkg}\u2192${toPkg}`;
+      if (!edgeMap.has(key)) {
+        edgeMap.set(key, { files: /* @__PURE__ */ new Set(), type: "dependency" });
+      }
+      edgeMap.get(key).files.add(edge.from);
+    }
+  }
+  return Array.from(edgeMap.entries()).map(([key, val]) => {
+    const [from, to] = key.split("\u2192");
+    return { from, to, files: val.files.size, type: val.type };
+  });
+}
+async function analyzeMonorepo(rootPath, analysis) {
+  const tool = await detectMonorepoTool(rootPath);
+  if (tool === "none") {
+    return {
+      detected: false,
+      tool: "none",
+      rootPath,
+      packages: [],
+      sharedPackages: [],
+      crossPackageEdges: [],
+      isolationScore: 100,
+      totalTokens: analysis?.totalTokens ?? 0,
+      packageTokenMap: {}
+    };
+  }
+  const packagePaths = await discoverPackages(rootPath, tool);
+  const packages = [];
+  const packageTokenMap = {};
+  for (const pkgPath of packagePaths) {
+    const pkgJsonPath = join5(pkgPath, "package.json");
+    let name = basename3(pkgPath);
+    let pkgDeps = [];
+    try {
+      const pkgJson = JSON.parse(await readFile5(pkgJsonPath, "utf-8"));
+      name = pkgJson.name || name;
+      const allDeps = {
+        ...pkgJson.dependencies || {},
+        ...pkgJson.devDependencies || {},
+        ...pkgJson.peerDependencies || {}
+      };
+      pkgDeps = Object.keys(allDeps);
+    } catch {
+    }
+    const relPath = relative4(rootPath, pkgPath);
+    let fileCount = 0;
+    let tokenCount = 0;
+    const entryPoints = [];
+    if (analysis) {
+      for (const f of analysis.files) {
+        if (f.relativePath.startsWith(relPath + "/") || f.relativePath.startsWith(relPath + "\\")) {
+          fileCount++;
+          tokenCount += f.tokens;
+          if (f.kind === "entry") entryPoints.push(f.relativePath);
+        }
+      }
+    }
+    packageTokenMap[name] = tokenCount;
+    packages.push({
+      name,
+      path: pkgPath,
+      relativePath: relPath,
+      files: fileCount,
+      tokens: tokenCount,
+      dependencies: [],
+      // Filled below after we know all package names
+      dependents: [],
+      isShared: false,
+      entryPoints
+    });
+  }
+  const pkgNames = new Set(packages.map((p) => p.name));
+  for (const pkg of packages) {
+    const pkgJsonPath = join5(pkg.path, "package.json");
+    try {
+      const pkgJson = JSON.parse(await readFile5(pkgJsonPath, "utf-8"));
+      const allDeps = {
+        ...pkgJson.dependencies || {},
+        ...pkgJson.devDependencies || {}
+      };
+      pkg.dependencies = Object.keys(allDeps).filter((d) => pkgNames.has(d));
+    } catch {
+    }
+  }
+  for (const pkg of packages) {
+    for (const depName of pkg.dependencies) {
+      const dep = packages.find((p) => p.name === depName);
+      if (dep) dep.dependents.push(pkg.name);
+    }
+  }
+  for (const pkg of packages) {
+    pkg.isShared = pkg.dependents.length >= 2;
+  }
+  const sharedPackages = packages.filter((p) => p.isShared);
+  const crossPackageEdges = analysis ? buildCrossPackageEdges(packages, analysis.files, analysis.graph.edges, rootPath) : [];
+  const maxPossibleEdges = packages.length * (packages.length - 1);
+  const actualEdges = crossPackageEdges.length;
+  const isolationScore = maxPossibleEdges > 0 ? Math.round(100 * (1 - actualEdges / maxPossibleEdges)) : 100;
+  return {
+    detected: true,
+    tool,
+    rootPath,
+    packages,
+    sharedPackages,
+    crossPackageEdges,
+    isolationScore,
+    totalTokens: analysis?.totalTokens ?? packages.reduce((s, p) => s + p.tokens, 0),
+    packageTokenMap
+  };
+}
+function selectPackageContext(monorepo, targetPackage) {
+  const target = monorepo.packages.find((p) => p.name === targetPackage || p.relativePath === targetPackage);
+  if (!target) {
+    return {
+      targetPackage,
+      includedPackages: [],
+      excludedPackages: monorepo.packages.map((p) => p.name),
+      originalTokens: monorepo.totalTokens,
+      optimizedTokens: 0,
+      savedTokens: monorepo.totalTokens,
+      savedPercent: 100
+    };
+  }
+  const includedNames = /* @__PURE__ */ new Set([target.name]);
+  for (const depName of target.dependencies) {
+    includedNames.add(depName);
+    const dep = monorepo.packages.find((p) => p.name === depName);
+    if (dep) {
+      for (const transDep of dep.dependencies) {
+        const transDepPkg = monorepo.packages.find((p) => p.name === transDep);
+        if (transDepPkg?.isShared) includedNames.add(transDep);
+      }
+    }
+  }
+  const includedPackages = Array.from(includedNames);
+  const excludedPackages = monorepo.packages.filter((p) => !includedNames.has(p.name)).map((p) => p.name);
+  const optimizedTokens = monorepo.packages.filter((p) => includedNames.has(p.name)).reduce((s, p) => s + p.tokens, 0);
+  const savedTokens = monorepo.totalTokens - optimizedTokens;
+  const savedPercent = monorepo.totalTokens > 0 ? Math.round(savedTokens / monorepo.totalTokens * 100) : 0;
+  return {
+    targetPackage: target.name,
+    includedPackages,
+    excludedPackages,
+    originalTokens: monorepo.totalTokens,
+    optimizedTokens,
+    savedTokens,
+    savedPercent
+  };
+}
+function renderMonorepoAnalysis(mono) {
+  if (!mono.detected) {
+    return "  \u2139\uFE0F  No monorepo detected (single-package project).\n";
+  }
+  const lines = [];
+  lines.push("");
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push(`  \u{1F4E6} Monorepo Analysis \u2014 ${mono.tool}`);
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push("");
+  lines.push(`  Packages:         ${mono.packages.length}`);
+  lines.push(`  Shared packages:  ${mono.sharedPackages.length}`);
+  lines.push(`  Isolation score:  ${mono.isolationScore}/100`);
+  lines.push(`  Total tokens:     ${mono.totalTokens.toLocaleString()}`);
+  lines.push("");
+  lines.push("  Package breakdown:");
+  lines.push("");
+  const sorted = [...mono.packages].sort((a, b) => b.tokens - a.tokens);
+  const maxNameLen = Math.max(...sorted.map((p) => p.name.length), 10);
+  for (const pkg of sorted) {
+    const name = pkg.name.padEnd(maxNameLen);
+    const tokens = `${(pkg.tokens / 1e3).toFixed(1)}K`.padStart(8);
+    const files = `${pkg.files} files`.padStart(10);
+    const deps = pkg.dependencies.length > 0 ? ` \u2192 ${pkg.dependencies.join(", ")}` : "";
+    const shared = pkg.isShared ? " [shared]" : "";
+    lines.push(`  ${name} ${tokens} ${files}${shared}${deps}`);
+  }
+  if (mono.crossPackageEdges.length > 0) {
+    lines.push("");
+    lines.push("  Cross-package dependencies:");
+    for (const edge of mono.crossPackageEdges.slice(0, 10)) {
+      lines.push(`    ${edge.from} \u2192 ${edge.to} (${edge.files} files)`);
+    }
+    if (mono.crossPackageEdges.length > 10) {
+      lines.push(`    ... and ${mono.crossPackageEdges.length - 10} more`);
+    }
+  }
+  lines.push("");
+  lines.push("  \u{1F4A1} Use --monorepo --package <name> to see context savings for a specific package.");
+  lines.push("");
+  return lines.join("\n");
+}
+function renderPackageContext(result) {
+  const lines = [];
+  lines.push("");
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push(`  \u{1F3AF} Package Context \u2014 ${result.targetPackage}`);
+  lines.push("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  lines.push("");
+  lines.push(`  Included packages:  ${result.includedPackages.length}`);
+  lines.push(`  Excluded packages:  ${result.excludedPackages.length}`);
+  lines.push("");
+  lines.push(`  Original tokens:    ${result.originalTokens.toLocaleString()}`);
+  lines.push(`  Optimized tokens:   ${result.optimizedTokens.toLocaleString()}`);
+  lines.push(`  Token savings:      ${result.savedTokens.toLocaleString()} (${result.savedPercent}%)`);
+  lines.push("");
+  if (result.includedPackages.length > 0) {
+    lines.push("  \u2705 Included:");
+    for (const p of result.includedPackages) {
+      lines.push(`     ${p}`);
+    }
+  }
+  if (result.excludedPackages.length > 0) {
+    lines.push("  \u2B1C Excluded (not needed for this package):");
+    for (const p of result.excludedPackages.slice(0, 10)) {
+      lines.push(`     ${p}`);
+    }
+    if (result.excludedPackages.length > 10) {
+      lines.push(`     ... and ${result.excludedPackages.length - 10} more`);
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+
+// src/engine/quality-gate.ts
+import { readFile as readFile6, writeFile as writeFile2, mkdir } from "fs/promises";
+import { resolve as resolve5 } from "path";
+import { existsSync as existsSync5 } from "fs";
+var DEFAULT_GATE_CONFIG = {
+  threshold: 70,
+  failOnSecrets: true,
+  failOnRegression: true,
+  regressionLimit: 5,
+  baselinePath: ".cto/baseline.json",
+  secretSeverities: ["critical", "high"]
+};
+async function loadBaseline(projectPath, baselinePath) {
+  const filePath = resolve5(projectPath, baselinePath || ".cto/baseline.json");
+  if (!existsSync5(filePath)) return null;
+  try {
+    const content = await readFile6(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
+async function saveBaseline(projectPath, score, commit, branch, baselinePath) {
+  const dir = resolve5(projectPath, ".cto");
+  if (!existsSync5(dir)) await mkdir(dir, { recursive: true });
+  const baseline = {
+    score: score.overall,
+    grade: score.grade,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    commit,
+    branch,
+    dimensions: {
+      efficiency: score.dimensions.efficiency.score,
+      coverage: score.dimensions.coverage.score,
+      riskControl: score.dimensions.riskControl.score,
+      structure: score.dimensions.structure.score,
+      governance: score.dimensions.governance.score
+    }
+  };
+  const filePath = resolve5(projectPath, baselinePath || ".cto/baseline.json");
+  await writeFile2(filePath, JSON.stringify(baseline, null, 2));
+}
+async function runQualityGate(score, analysis, secretFindings, config = {}) {
+  const cfg = { ...DEFAULT_GATE_CONFIG, ...config };
+  const checks = [];
+  const baseline = await loadBaseline(analysis.projectPath, cfg.baselinePath);
+  const previousScore = baseline?.score ?? null;
+  const delta = previousScore !== null ? score.overall - previousScore : null;
+  const thresholdPassed = score.overall >= cfg.threshold;
+  checks.push({
+    name: "Score threshold",
+    passed: thresholdPassed,
+    detail: thresholdPassed ? `Score ${score.overall} \u2265 threshold ${cfg.threshold}` : `Score ${score.overall} < threshold ${cfg.threshold}`,
+    severity: thresholdPassed ? "info" : "error"
+  });
+  const dangerousSecrets = secretFindings.filter(
+    (f) => cfg.secretSeverities.includes(f.severity)
+  );
+  const secretsPassed = !cfg.failOnSecrets || dangerousSecrets.length === 0;
+  checks.push({
+    name: "No secrets detected",
+    passed: secretsPassed,
+    detail: secretsPassed ? "No critical/high severity secrets found" : `${dangerousSecrets.length} secret(s) with ${cfg.secretSeverities.join("/")} severity`,
+    severity: secretsPassed ? "info" : "error"
+  });
+  let regressionPassed = true;
+  if (cfg.failOnRegression && delta !== null) {
+    regressionPassed = delta >= -cfg.regressionLimit;
+  }
+  checks.push({
+    name: "No score regression",
+    passed: regressionPassed,
+    detail: delta !== null ? regressionPassed ? `Score changed by ${delta >= 0 ? "+" : ""}${delta} (limit: -${cfg.regressionLimit})` : `Score dropped by ${Math.abs(delta)} points (limit: -${cfg.regressionLimit})` : "No baseline found (first run)",
+    severity: regressionPassed ? delta !== null && delta < 0 ? "warning" : "info" : "error"
+  });
+  const weakDimensions = Object.entries(score.dimensions).filter(([_, d]) => d.score < 50).map(([name]) => name);
+  const dimensionsPassed = weakDimensions.length === 0;
+  checks.push({
+    name: "Dimension health",
+    passed: dimensionsPassed,
+    detail: dimensionsPassed ? "All dimensions above 50%" : `Weak dimensions: ${weakDimensions.join(", ")}`,
+    severity: dimensionsPassed ? "info" : "warning"
+  });
+  const passed = checks.filter((c) => c.severity === "error").every((c) => c.passed);
+  const prComment = generatePRComment(score, analysis, checks, baseline, delta);
+  const summary = generateSummary(score, checks, passed);
+  return {
+    passed,
+    score: score.overall,
+    grade: score.grade,
+    previousScore,
+    delta,
+    checks,
+    baseline,
+    prComment,
+    summary
+  };
+}
+function generatePRComment(score, analysis, checks, baseline, delta) {
+  const gradeEmoji = score.grade.startsWith("A") ? "\u{1F7E2}" : score.grade.startsWith("B") ? "\u{1F535}" : score.grade.startsWith("C") ? "\u{1F7E1}" : "\u{1F534}";
+  const allPassed = checks.filter((c) => c.severity === "error").every((c) => c.passed);
+  const statusIcon = allPassed ? "\u2705" : "\u274C";
+  const deltaStr = delta !== null ? ` (${delta >= 0 ? "+" : ""}${delta})` : "";
+  const lines = [
+    `## ${statusIcon} CTO Quality Gate ${allPassed ? "Passed" : "Failed"}`,
+    "",
+    `### ${gradeEmoji} Context Score: ${score.overall}/100 (${score.grade})${deltaStr}`,
+    "",
+    `> **${analysis.projectName}** \xB7 ${analysis.totalFiles} files \xB7 ${Math.round(analysis.totalTokens / 1e3)}K tokens`,
+    "",
+    "### Checks",
+    "",
+    "| Check | Status | Detail |",
+    "|-------|--------|--------|"
+  ];
+  for (const check of checks) {
+    const icon = check.passed ? "\u2705" : check.severity === "warning" ? "\u26A0\uFE0F" : "\u274C";
+    lines.push(`| ${check.name} | ${icon} | ${check.detail} |`);
+  }
+  lines.push("");
+  lines.push("### Dimensions");
+  lines.push("");
+  lines.push("| Dimension | Score | vs Baseline |");
+  lines.push("|-----------|-------|-------------|");
+  for (const [name, dim] of Object.entries(score.dimensions)) {
+    const prev = baseline?.dimensions[name];
+    const diff = prev !== void 0 ? dim.score - prev : null;
+    const diffStr = diff !== null ? `${diff >= 0 ? "+" : ""}${diff}` : "\u2014";
+    const bar = renderBar2(dim.score);
+    lines.push(`| ${name} | ${bar} ${dim.score}% | ${diffStr} |`);
+  }
+  lines.push("");
+  lines.push("### Savings");
+  lines.push("");
+  lines.push(`| Metric | Value |`);
+  lines.push(`|--------|-------|`);
+  lines.push(`| Tokens saved | ${score.comparison.savedTokens.toLocaleString()} (${score.comparison.savedPercent}%) |`);
+  lines.push(`| Monthly savings | $${score.comparison.monthlySavingsUSD.toFixed(2)} |`);
+  if (score.insights.length > 0) {
+    lines.push("");
+    lines.push("### Insights");
+    lines.push("");
+    for (const insight of score.insights.slice(0, 5)) {
+      const icon = insight.type === "strength" ? "\u2705" : insight.type === "weakness" ? "\u26A0\uFE0F" : "\u{1F4A1}";
+      lines.push(`- ${icon} **${insight.title}** \u2014 ${insight.detail}`);
+    }
+  }
+  lines.push("");
+  lines.push("---");
+  lines.push(`<sub>Generated by [CTO Quality Gate](https://npmjs.com/package/cto-ai-cli) \xB7 ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}</sub>`);
+  return lines.join("\n");
+}
+function renderBar2(score) {
+  const filled = Math.round(score / 10);
+  return "\u2588".repeat(filled) + "\u2591".repeat(10 - filled);
+}
+function generateSummary(score, checks, passed) {
+  const status = passed ? "\u2705 PASSED" : "\u274C FAILED";
+  const failedChecks = checks.filter((c) => !c.passed && c.severity === "error");
+  const warnings = checks.filter((c) => !c.passed && c.severity === "warning");
+  let summary = `Quality Gate ${status} \u2014 Score: ${score.overall}/100 (${score.grade})`;
+  if (failedChecks.length > 0) {
+    summary += `
+Failed: ${failedChecks.map((c) => c.name).join(", ")}`;
+  }
+  if (warnings.length > 0) {
+    summary += `
+Warnings: ${warnings.map((c) => c.name).join(", ")}`;
+  }
+  return summary;
+}
+
 // src/cli/score.ts
 async function main() {
   const args = process.argv.slice(2);
@@ -1887,24 +4311,60 @@ async function main() {
   const fixMode = args.includes("--fix");
   const reportMode = args.includes("--report");
   const compareMode = args.includes("--compare");
+  const auditMode = args.includes("--audit");
+  const initHookMode = args.includes("--init-hook");
+  const fullScanMode = args.includes("--full-scan");
+  const noAllowlistMode = args.includes("--no-allowlist");
+  const monorepoMode = args.includes("--monorepo");
+  const gatewayMode = args.includes("--gateway");
+  const ciMode = args.includes("--ci");
   const helpMode = args.includes("--help") || args.includes("-h");
+  const pkgIdx = args.indexOf("--package");
+  const targetPackage = pkgIdx !== -1 && args[pkgIdx + 1] ? args[pkgIdx + 1] : null;
+  const threshIdx = args.indexOf("--threshold");
+  const thresholdArg = threshIdx !== -1 && args[threshIdx + 1] ? parseInt(args[threshIdx + 1], 10) : 70;
   const contextIdx = args.indexOf("--context");
   const contextTask = contextIdx !== -1 && args[contextIdx + 1] ? args[contextIdx + 1] : null;
-  const pathArg = args.find((a) => !a.startsWith("--") && !a.startsWith("-") && a !== contextTask);
-  const projectPath = resolve4(pathArg ?? ".");
+  const pathArg = args.find((a) => !a.startsWith("--") && !a.startsWith("-") && a !== contextTask && a !== targetPackage);
+  const projectPath = resolve7(pathArg ?? ".");
   if (helpMode) {
     console.log(`
   \u26A1 cto-score \u2014 How AI-ready is your codebase?
 
   Usage:
-    npx cto-ai-cli                           Scan current directory
-    npx cto-ai-cli ./path                    Scan a specific project
-    npx cto-ai-cli --benchmark               CTO vs naive vs random comparison
-    npx cto-ai-cli --fix                     Auto-generate optimized context files
-    npx cto-ai-cli --context "your task"     Generate task-specific context
-    npx cto-ai-cli --report                  Generate shareable markdown report
-    npx cto-ai-cli --compare                 Compare your score vs popular projects
-    npx cto-ai-cli --json                    Output as JSON (for CI/scripts)
+    npx cto-ai-cli                               Scan current directory
+    npx cto-ai-cli ./path                        Scan a specific project
+
+  Phase 1 \u2014 Marketing:
+    npx cto-ai-cli --benchmark                   CTO vs naive vs random comparison
+    npx cto-ai-cli --fix                         Auto-generate optimized context files
+    npx cto-ai-cli --context "your task"         Generate task-specific context
+    npx cto-ai-cli --report                      Generate shareable markdown report
+    npx cto-ai-cli --compare                     Compare your score vs popular projects
+
+  Phase 2 \u2014 Security:
+    npx cto-ai-cli --audit                       Security audit: detect secrets & PII
+    npx cto-ai-cli --audit --init-hook           Generate pre-commit hook
+    npx cto-ai-cli --audit --full-scan           Skip incremental cache
+    npx cto-ai-cli --audit --no-allowlist        Ignore allowlist
+
+  Phase 3 \u2014 Gateway:
+    npx cto-ai-cli --gateway                     Start Context Gateway (proxy)
+    npx cto-ai-cli --gateway --port 9000         Custom port
+    npx cto-ai-cli --gateway --block-secrets     Block requests with secrets
+    npx cto-ai-cli --gateway --budget-daily 10   Daily budget ($10/day)
+
+  Phase 4 \u2014 Monorepo:
+    npx cto-ai-cli --monorepo                    Analyze monorepo structure
+    npx cto-ai-cli --monorepo --package <name>   Context savings for a package
+
+  Phase 5 \u2014 CI/CD Quality Gate:
+    npx cto-ai-cli --ci                          Run quality gate (exits 1 on failure)
+    npx cto-ai-cli --ci --threshold 80           Set minimum score (default: 70)
+    npx cto-ai-cli --ci --json                   JSON output for CI pipelines
+
+  Options:
+    npx cto-ai-cli --json                        Output as JSON (for CI/scripts)
 
   What it does:
     Analyzes your project's structure, dependencies, and risk profile.
@@ -1916,6 +4376,65 @@ async function main() {
 `);
     process.exit(0);
   }
+  if (gatewayMode) {
+    const { ContextGateway: ContextGateway2 } = await Promise.resolve().then(() => (init_server(), server_exports));
+    const { DEFAULT_GATEWAY_CONFIG: DEFAULT_GATEWAY_CONFIG2 } = await Promise.resolve().then(() => (init_types(), types_exports));
+    const getArg = (flag) => {
+      const idx = args.indexOf(flag);
+      return idx !== -1 && args[idx + 1] ? args[idx + 1] : void 0;
+    };
+    const gwConfig = { projectPath };
+    const port = getArg("--port");
+    if (port) gwConfig.port = parseInt(port, 10);
+    const budgetDaily = getArg("--budget-daily");
+    if (budgetDaily) gwConfig.budgetDaily = parseFloat(budgetDaily);
+    const budgetMonthly = getArg("--budget-monthly");
+    if (budgetMonthly) gwConfig.budgetMonthly = parseFloat(budgetMonthly);
+    const apiKey = getArg("--api-key");
+    if (apiKey) gwConfig.apiKey = apiKey;
+    if (args.includes("--block-secrets")) gwConfig.blockOnSecrets = true;
+    if (args.includes("--no-optimize")) gwConfig.optimize = false;
+    if (args.includes("--no-redact")) gwConfig.redactSecrets = false;
+    if (args.includes("--no-dashboard")) gwConfig.dashboard = false;
+    const finalConfig = { ...DEFAULT_GATEWAY_CONFIG2, ...gwConfig };
+    const gateway = new ContextGateway2(finalConfig);
+    gateway.onEvent((event) => {
+      const ts = (/* @__PURE__ */ new Date()).toLocaleTimeString();
+      switch (event.type) {
+        case "request": {
+          const r = event.record;
+          const saved = r.savedTokens > 0 ? ` (saved ${(r.savedTokens / 1e3).toFixed(1)}K)` : "";
+          const secrets = r.secretsRedacted > 0 ? ` [${r.secretsRedacted} redacted]` : "";
+          console.log(`  ${ts}  ${r.provider}/${r.model}  $${r.costUSD.toFixed(4)}${saved}${secrets}  ${r.latencyMs}ms`);
+          break;
+        }
+        case "budget-alert":
+          console.log(`  \u26A0\uFE0F  ${ts}  Budget alert: $${event.current.toFixed(2)}/$${event.limit.toFixed(2)} (${event.period})`);
+          break;
+        case "budget-exceeded":
+          console.log(`  \u{1F534}  ${ts}  Budget EXCEEDED: $${event.current.toFixed(2)}/$${event.limit.toFixed(2)} (${event.period})`);
+          break;
+        case "error":
+          console.log(`  \u274C  ${ts}  ${event.message}`);
+          break;
+      }
+    });
+    console.log("");
+    console.log("  \u26A1 CTO Context Gateway v4.1.0");
+    console.log("");
+    await gateway.start();
+    console.log(`  \u{1F310} Proxy:      http://${finalConfig.host}:${finalConfig.port}`);
+    if (finalConfig.dashboard) {
+      console.log(`  \u{1F4CA} Dashboard:  http://${finalConfig.host}:${finalConfig.port}${finalConfig.dashboardPath}`);
+    }
+    console.log(`  \u{1F4C1} Project:    ${finalConfig.projectPath}`);
+    console.log("");
+    console.log("  Waiting for requests... (Ctrl+C to stop)");
+    console.log("");
+    await new Promise(() => {
+    });
+    return;
+  }
   console.log("");
   console.log("  \u26A1 cto-score \u2014 analyzing your project...");
   console.log("");
@@ -1964,6 +4483,15 @@ async function main() {
     if (compareMode) {
       runCompare(score);
     }
+    if (auditMode) {
+      await runAudit(projectPath, analysis, { initHookMode, fullScanMode, noAllowlistMode });
+    }
+    if (monorepoMode) {
+      await runMonorepo(projectPath, analysis, targetPackage, jsonMode);
+    }
+    if (ciMode) {
+      await runCIGate(projectPath, analysis, score, thresholdArg, jsonMode);
+    }
     console.log("");
     console.log(`  Scanned in ${elapsed}s \xB7 ${analysis.totalFiles} files \xB7 ${Math.round(analysis.totalTokens / 1e3)}K tokens`);
     console.log("");
@@ -1993,8 +4521,8 @@ async function main() {
   }
 }
 async function runFix(projectPath, analysis, score) {
-  const ctoDir = join4(projectPath, ".cto");
-  mkdirSync(ctoDir, { recursive: true });
+  const ctoDir = join8(projectPath, ".cto");
+  mkdirSync3(ctoDir, { recursive: true });
   const selection = await selectContext({
     task: "general code review and refactoring",
     analysis,
@@ -2052,7 +4580,7 @@ async function runFix(projectPath, analysis, score) {
 `;
   contextMd += `## Savings: ${score.comparison.savedPercent}% (${formatTokens(score.comparison.savedTokens)})
 `;
-  writeFileSync(join4(ctoDir, "context.md"), contextMd);
+  writeFileSync2(join8(ctoDir, "context.md"), contextMd);
   const config = {
     version: "3.0",
     project: analysis.projectName,
@@ -2080,7 +4608,7 @@ async function runFix(projectPath, analysis, score) {
       impact: i.impact
     }))
   };
-  writeFileSync(join4(ctoDir, "config.json"), JSON.stringify(config, null, 2));
+  writeFileSync2(join8(ctoDir, "config.json"), JSON.stringify(config, null, 2));
   const ignoreContent = [
     "# CTO AI-ignore \u2014 files that add noise to AI context",
     "# Generated by cto-ai-cli",
@@ -2106,7 +4634,7 @@ async function runFix(projectPath, analysis, score) {
     }).slice(0, 20).map((o) => `${o}  # orphan, low-risk`),
     ""
   ].join("\n");
-  writeFileSync(join4(ctoDir, ".cteignore"), ignoreContent);
+  writeFileSync2(join8(ctoDir, ".cteignore"), ignoreContent);
   console.log("");
   console.log("  \u2705 Auto-fix complete! Generated:");
   console.log("");
@@ -2119,8 +4647,8 @@ async function runFix(projectPath, analysis, score) {
   console.log("");
 }
 async function runContext(projectPath, analysis, task) {
-  const ctoDir = join4(projectPath, ".cto");
-  mkdirSync(ctoDir, { recursive: true });
+  const ctoDir = join8(projectPath, ".cto");
+  mkdirSync3(ctoDir, { recursive: true });
   const selection = await selectContext({
     task,
     analysis,
@@ -2200,12 +4728,14 @@ async function runContext(projectPath, analysis, task) {
     const fullFile = analysis.files.find((f) => f.relativePath === sf.relativePath);
     if (!fullFile) continue;
     try {
-      const content = readFileSync(fullFile.path, "utf-8");
+      const content = readFileSync4(fullFile.path, "utf-8");
       const ext = fullFile.extension.replace(".", "");
       contextMd += `### ${sf.relativePath}
 `;
+      const maxChars = 5e3;
+      const truncated = content.length > maxChars;
       contextMd += `\`\`\`${ext}
-${content.slice(0, 5e3)}
+${content.slice(0, maxChars)}${truncated ? "\n// ... [truncated \u2014 " + (content.length - maxChars) + " chars omitted]" : ""}
 \`\`\`
 
 `;
@@ -2214,7 +4744,7 @@ ${content.slice(0, 5e3)}
   }
   const safeName = task.replace(/[^a-zA-Z0-9]/g, "-").toLowerCase().slice(0, 40);
   const filename = `context-${safeName}.md`;
-  writeFileSync(join4(ctoDir, filename), contextMd);
+  writeFileSync2(join8(ctoDir, filename), contextMd);
   console.log("");
   console.log(`  \u2705 Task context generated!`);
   console.log("");
@@ -2232,9 +4762,10 @@ async function runReport(projectPath, analysis, score) {
   let report = `# CTO Context Score\u2122 Report
 
 `;
+  const safeGrade = encodeURIComponent(score.grade);
   report += `![CTO Score](https://img.shields.io/badge/CTO_Score-${score.overall}%2F100-${gradeColor}?style=for-the-badge)
 `;
-  report += `![Grade](https://img.shields.io/badge/Grade-${score.grade}-${gradeColor}?style=for-the-badge)
+  report += `![Grade](https://img.shields.io/badge/Grade-${safeGrade}-${gradeColor}?style=for-the-badge)
 
 `;
   report += `> Generated by [cto-ai-cli](https://npmjs.com/package/cto-ai-cli) on ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}
@@ -2306,9 +4837,9 @@ async function runReport(projectPath, analysis, score) {
 `;
   report += `*Run \`npx cto-ai-cli\` to generate your own report. [Learn more](https://npmjs.com/package/cto-ai-cli)*
 `;
-  const ctoDir = join4(projectPath, ".cto");
-  mkdirSync(ctoDir, { recursive: true });
-  writeFileSync(join4(ctoDir, "report.md"), report);
+  const ctoDir = join8(projectPath, ".cto");
+  mkdirSync3(ctoDir, { recursive: true });
+  writeFileSync2(join8(ctoDir, "report.md"), report);
   console.log("");
   console.log("  \u2705 Report generated!");
   console.log("");
@@ -2365,9 +4896,256 @@ function renderCompareBar(pct) {
   const empty = width - filled;
   return "\u2588".repeat(filled) + "\u2591".repeat(empty);
 }
+async function runAudit(projectPath, analysis, flags = {}) {
+  if (flags.initHookMode) {
+    const { generatePreCommitHook: generatePreCommitHook2 } = await Promise.resolve().then(() => (init_secrets(), secrets_exports));
+    const hookPath = generatePreCommitHook2(projectPath, "husky");
+    console.log("");
+    console.log("  \u2705 Pre-commit hook generated!");
+    console.log(`  \u{1F4CB} ${hookPath}`);
+    console.log("");
+    console.log("  Staged files will be scanned for secrets before every commit.");
+    console.log("  To remove: delete the hook file.");
+    console.log("");
+    return;
+  }
+  console.log("");
+  console.log("  \u{1F50D} Running security audit...");
+  console.log("");
+  const filePaths = analysis.files.map((f) => f.path);
+  const result = await auditProject(projectPath, filePaths, {
+    includePII: true,
+    incrementalScan: !flags.fullScanMode,
+    useAllowlist: !flags.noAllowlistMode
+  });
+  const { summary, findings, recommendations } = result;
+  const statusIcon = summary.bySeverity.critical > 0 ? "\u{1F534}" : summary.bySeverity.high > 0 ? "\u{1F7E0}" : summary.totalFindings > 0 ? "\u{1F7E1}" : "\u{1F7E2}";
+  const statusText = summary.bySeverity.critical > 0 ? "CRITICAL ISSUES FOUND" : summary.bySeverity.high > 0 ? "HIGH-SEVERITY ISSUES FOUND" : summary.totalFindings > 0 ? "MINOR ISSUES FOUND" : "ALL CLEAR";
+  console.log("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557");
+  console.log("  \u2551                                                  \u2551");
+  console.log(`  \u2551   ${statusIcon} Security Audit: ${statusText.padEnd(28)} \u2551`);
+  console.log("  \u2551                                                  \u2551");
+  console.log(`  \u2551   Files scanned:  ${summary.filesScanned.toString().padEnd(30)} \u2551`);
+  console.log(`  \u2551   Files affected: ${summary.filesWithSecrets.toString().padEnd(30)} \u2551`);
+  console.log(`  \u2551   Total findings: ${summary.totalFindings.toString().padEnd(30)} \u2551`);
+  console.log("  \u2551                                                  \u2551");
+  console.log("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+  console.log("  \u2551                                                  \u2551");
+  if (summary.bySeverity.critical > 0) {
+    console.log(`  \u2551   \u{1F534} Critical: ${summary.bySeverity.critical.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.bySeverity.high > 0) {
+    console.log(`  \u2551   \u{1F7E0} High:     ${summary.bySeverity.high.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.bySeverity.medium > 0) {
+    console.log(`  \u2551   \u{1F7E1} Medium:   ${summary.bySeverity.medium.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.bySeverity.low > 0) {
+    console.log(`  \u2551   \u{1F535} Low:      ${summary.bySeverity.low.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.totalFindings === 0) {
+    console.log("  \u2551   \u2705 No secrets or PII detected                  \u2551");
+  }
+  console.log("  \u2551                                                  \u2551");
+  if (Object.keys(summary.byType).length > 0) {
+    console.log("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+    console.log("  \u2551                                                  \u2551");
+    console.log("  \u2551   By type:                                       \u2551");
+    for (const [type, count] of Object.entries(summary.byType)) {
+      const label = type.padEnd(18);
+      console.log(`  \u2551     ${label} ${count.toString().padEnd(28)} \u2551`);
+    }
+    console.log("  \u2551                                                  \u2551");
+  }
+  console.log("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D");
+  if (findings.length > 0) {
+    console.log("");
+    console.log("  Findings:");
+    console.log("");
+    const shown = findings.slice(0, 15);
+    for (const f of shown) {
+      const icon = f.severity === "critical" ? "\u{1F534}" : f.severity === "high" ? "\u{1F7E0}" : f.severity === "medium" ? "\u{1F7E1}" : "\u{1F535}";
+      const sev = f.severity.toUpperCase().padEnd(8);
+      console.log(`  ${icon} ${sev} ${f.file}:${f.line}`);
+      console.log(`           ${f.type}: ${f.redacted}`);
+    }
+    if (findings.length > 15) {
+      console.log(`  ... and ${findings.length - 15} more (see .cto/audit/ for full report)`);
+    }
+  }
+  if (recommendations.length > 0) {
+    console.log("");
+    console.log("  Recommendations:");
+    console.log("");
+    for (const rec of recommendations) {
+      const icon = rec.startsWith("CRITICAL") ? "\u{1F6A8}" : "\u{1F4A1}";
+      console.log(`  ${icon} ${rec}`);
+    }
+  }
+  const ctoDir = join8(projectPath, ".cto");
+  const auditDir = join8(ctoDir, "audit");
+  mkdirSync3(auditDir, { recursive: true });
+  const now = /* @__PURE__ */ new Date();
+  const dateStr = now.toISOString().split("T")[0];
+  const logFile = join8(auditDir, `${dateStr}.jsonl`);
+  const logEntry = {
+    timestamp: now.toISOString(),
+    version: "3.2.0",
+    summary: {
+      filesScanned: summary.filesScanned,
+      filesWithSecrets: summary.filesWithSecrets,
+      totalFindings: summary.totalFindings,
+      bySeverity: summary.bySeverity,
+      byType: summary.byType
+    },
+    findings: findings.map((f) => ({
+      type: f.type,
+      file: f.file,
+      line: f.line,
+      severity: f.severity,
+      redacted: f.redacted
+    }))
+  };
+  appendFileSync2(logFile, JSON.stringify(logEntry) + "\n");
+  let report = `# Security Audit Report
+
+`;
+  report += `> Generated by cto-ai-cli on ${now.toISOString()}
+
+`;
+  report += `## Summary
+
+`;
+  report += `| Metric | Value |
+`;
+  report += `|--------|-------|
+`;
+  report += `| Files scanned | ${summary.filesScanned} |
+`;
+  report += `| Files with issues | ${summary.filesWithSecrets} |
+`;
+  report += `| Total findings | ${summary.totalFindings} |
+`;
+  report += `| Critical | ${summary.bySeverity.critical} |
+`;
+  report += `| High | ${summary.bySeverity.high} |
+`;
+  report += `| Medium | ${summary.bySeverity.medium} |
+
+`;
+  if (findings.length > 0) {
+    report += `## Findings
+
+`;
+    report += `| Severity | Type | File | Line | Redacted |
+`;
+    report += `|----------|------|------|------|----------|
+`;
+    for (const f of findings) {
+      report += `| ${f.severity} | ${f.type} | ${f.file} | ${f.line} | \`${f.redacted.slice(0, 30)}\` |
+`;
+    }
+    report += "\n";
+  }
+  if (recommendations.length > 0) {
+    report += `## Recommendations
+
+`;
+    for (const rec of recommendations) {
+      report += `- ${rec}
+`;
+    }
+  }
+  writeFileSync2(join8(auditDir, "report.md"), report);
+  const envSecrets = findings.filter(
+    (f) => f.type === "env-variable" || f.type === "password" || f.type === "api-key" || f.type === "aws-key" || f.type === "connection-string"
+  );
+  if (envSecrets.length > 0) {
+    const envVarNames = /* @__PURE__ */ new Set();
+    for (const f of envSecrets) {
+      const varMatch = f.match.match(/^([A-Z_][A-Z0-9_]*)\s*[:=]/i);
+      if (varMatch) {
+        envVarNames.add(varMatch[1].toUpperCase());
+      } else {
+        const name = f.type.toUpperCase().replace(/-/g, "_");
+        envVarNames.add(name);
+      }
+    }
+    if (envVarNames.size > 0) {
+      let envExample = "# Environment variables \u2014 NEVER commit real values\n";
+      envExample += "# Generated by cto-ai-cli --audit\n\n";
+      for (const name of envVarNames) {
+        envExample += `${name}=your_${name.toLowerCase()}_here
+`;
+      }
+      writeFileSync2(join8(ctoDir, ".env.example"), envExample);
+    }
+  }
+  console.log("");
+  console.log("  \u{1F4C1} Audit artifacts:");
+  console.log(`  \u{1F4CB} .cto/audit/${dateStr}.jsonl   Audit log (append-only)`);
+  console.log("  \u{1F4CA} .cto/audit/report.md         Full report");
+  if (envSecrets.length > 0) {
+    console.log("  \u{1F4DD} .cto/.env.example            Template for environment variables");
+  }
+  console.log("");
+  if (process.env.CI && (summary.bySeverity.critical > 0 || summary.bySeverity.high > 0)) {
+    console.log("  \u274C CI mode: Failing due to critical/high severity findings.");
+    process.exit(1);
+  }
+}
 function formatTokens(n) {
   if (n >= 1e6) return `${(n / 1e6).toFixed(1)}M`;
   if (n >= 1e3) return `${(n / 1e3).toFixed(1)}K`;
   return n.toString();
 }
+async function runMonorepo(projectPath, analysis, targetPackage, jsonMode) {
+  const mono = await analyzeMonorepo(projectPath, analysis);
+  if (jsonMode) {
+    if (targetPackage) {
+      const pkgCtx = selectPackageContext(mono, targetPackage);
+      console.log(JSON.stringify({ monorepo: mono, packageContext: pkgCtx }, null, 2));
+    } else {
+      console.log(JSON.stringify(mono, null, 2));
+    }
+    return;
+  }
+  console.log(renderMonorepoAnalysis(mono));
+  if (targetPackage && mono.detected) {
+    const pkgCtx = selectPackageContext(mono, targetPackage);
+    console.log(renderPackageContext(pkgCtx));
+  }
+}
+async function runCIGate(projectPath, analysis, score, threshold, jsonMode) {
+  const filePaths = analysis.files.map((f) => f.path);
+  const auditResult = await auditProject(projectPath, filePaths, { includePII: false });
+  const result = await runQualityGate(score, analysis, auditResult.findings, { threshold });
+  await saveBaseline(projectPath, score);
+  if (jsonMode) {
+    console.log(JSON.stringify(result, null, 2));
+    if (!result.passed) process.exit(1);
+    return;
+  }
+  console.log("");
+  console.log("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log(`  \u{1F6A6} Quality Gate: ${result.passed ? "\u2705 PASSED" : "\u274C FAILED"}`);
+  console.log("  \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550");
+  console.log("");
+  for (const check of result.checks) {
+    const icon = check.passed ? "\u2705" : check.severity === "warning" ? "\u26A0\uFE0F" : "\u274C";
+    console.log(`  ${icon} ${check.name}: ${check.detail}`);
+  }
+  if (result.delta !== null) {
+    const arrow = result.delta >= 0 ? "\u2191" : "\u2193";
+    console.log("");
+    console.log(`  \u{1F4CA} Score: ${result.score}/100 (${result.grade}) ${arrow} ${Math.abs(result.delta)} from baseline`);
+  }
+  console.log("");
+  console.log("  \u{1F4CB} Baseline saved to .cto/baseline.json");
+  console.log("");
+  if (!result.passed) {
+    console.log("  \u274C Quality gate failed. Fix the issues above and re-run.");
+    process.exit(1);
+  }
+}
 main();