cto-ai-cli 3.1.0 → 4.0.0

package/dist/cli/v2/index.js

@@ -935,8 +935,8 @@ var analyzeCommand = new Command2("analyze").description("Analyze project struct
 // src/cli/v2/interact.ts
 import { Command as Command3 } from "commander";
 import chalk3 from "chalk";
-import { resolve as resolve8, join as join8 } from "path";
-import { writeFile as writeFile3 } from "fs/promises";
+import { resolve as resolve8, join as join9 } from "path";
+import { writeFile as writeFile4 } from "fs/promises";
 
 // src/engine/cache.ts
 import { createHash as createHash2 } from "crypto";
@@ -1307,11 +1307,13 @@ function emptyResult(baseBranch) {
 import { randomUUID as randomUUID2 } from "crypto";
 
 // src/engine/selector.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 
 // src/govern/secrets.ts
 import { readFile as readFile4 } from "fs/promises";
-import { resolve as resolve7, relative as relative4 } from "path";
+import { readFileSync, existsSync as existsSync3, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve7, relative as relative4, join as join6, dirname as dirname2 } from "path";
+import { createHash as createHash3 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -1336,15 +1338,66 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -1358,7 +1411,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -1370,6 +1423,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -1417,6 +1471,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -1430,8 +1514,8 @@ function deduplicateFindings(findings) {
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile5 } from "fs/promises";
-import { existsSync as existsSync3 } from "fs";
-import { join as join6 } from "path";
+import { existsSync as existsSync4 } from "fs";
+import { join as join7 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file, level) {
   if (level === "excluded") {
@@ -1677,9 +1761,9 @@ function addJSDoc(node, parts) {
 function findTsConfig(filePath) {
   let dir = filePath;
   for (let i = 0; i < 10; i++) {
-    dir = join6(dir, "..");
-    const candidate = join6(dir, "tsconfig.json");
-    if (existsSync3(candidate)) return candidate;
+    dir = join7(dir, "..");
+    const candidate = join7(dir, "tsconfig.json");
+    if (existsSync4(candidate)) return candidate;
   }
   return void 0;
 }
@@ -1893,7 +1977,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash = createHash4("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -2386,20 +2470,20 @@ function makeSection(id, role, content) {
 }
 
 // src/govern/audit.ts
-import { randomUUID, createHash as createHash4 } from "crypto";
+import { randomUUID, createHash as createHash5 } from "crypto";
 import { readdir as readdir3, chmod } from "fs/promises";
-import { join as join7 } from "path";
+import { join as join8 } from "path";
 import { userInfo } from "os";
 import { homedir } from "os";
 var CTO_DIR = ".cto-ai";
 var AUDIT_DIR = "audit";
 var MAX_ENTRIES_PER_FILE = 500;
 function getAuditDir() {
-  return join7(homedir(), CTO_DIR, AUDIT_DIR);
+  return join8(homedir(), CTO_DIR, AUDIT_DIR);
 }
 function getCurrentAuditFile() {
   const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0].replace(/-/g, "");
-  return join7(getAuditDir(), `audit_${date}.json`);
+  return join8(getAuditDir(), `audit_${date}.json`);
 }
 function computeIntegrityHash(entry) {
   const payload = JSON.stringify({
@@ -2410,7 +2494,7 @@ function computeIntegrityHash(entry) {
     projectPath: entry.projectPath,
     details: entry.details
   });
-  return createHash4("sha256").update(payload).digest("hex");
+  return createHash5("sha256").update(payload).digest("hex");
 }
 async function ensureDir(dirPath) {
   const { mkdir: mkdir5 } = await import("fs/promises");
@@ -2426,9 +2510,9 @@ async function readJSON(filePath) {
   }
 }
 async function writeJSON(filePath, data) {
-  const { writeFile: writeFile6 } = await import("fs/promises");
-  await ensureDir(join7(filePath, ".."));
-  await writeFile6(filePath, JSON.stringify(data, null, 2), "utf-8");
+  const { writeFile: writeFile7 } = await import("fs/promises");
+  await ensureDir(join8(filePath, ".."));
+  await writeFile7(filePath, JSON.stringify(data, null, 2), "utf-8");
 }
 async function logAudit(action, projectPath, details = {}) {
   const auditDir = getAuditDir();
@@ -2477,7 +2561,7 @@ async function getAuditEntries(options = {}) {
   const limit = options.limit ?? 100;
   for (const file of auditFiles) {
     if (allEntries.length >= limit) break;
-    const entries = await readJSON(join7(auditDir, file));
+    const entries = await readJSON(join8(auditDir, file));
     if (!entries) continue;
     for (const entry of entries.reverse()) {
       if (allEntries.length >= limit) break;
@@ -2526,7 +2610,7 @@ async function purgeOldAuditEntries(retentionDays) {
     const dateStr = file.replace("audit_", "").replace(".json", "");
     if (dateStr < cutoffStr) {
       try {
-        await unlink(join7(auditDir, file));
+        await unlink(join8(auditDir, file));
         purged++;
       } catch {
       }
@@ -2753,8 +2837,8 @@ var interactCommand = new Command3("interact").description("Build optimized AI c
       console.log("");
     }
     if (opts.output === "file") {
-      const outPath = join8(resolve8(opts.path ?? "."), ".cto", `prompt-${plan.id}.md`);
-      await writeFile3(outPath, plan.prompt.rendered, "utf-8");
+      const outPath = join9(resolve8(opts.path ?? "."), ".cto", `prompt-${plan.id}.md`);
+      await writeFile4(outPath, plan.prompt.rendered, "utf-8");
       console.log(chalk3.green(`  \u{1F4BE} Prompt saved to ${outPath}`));
       console.log("");
     } else if (opts.output === "clipboard") {
@@ -2783,11 +2867,11 @@ var interactCommand = new Command3("interact").description("Build optimized AI c
 // src/cli/v2/snapshot.ts
 import { Command as Command4 } from "commander";
 import chalk4 from "chalk";
-import { resolve as resolve9, join as join9 } from "path";
-import { readFile as readFile7, writeFile as writeFile4, readdir as readdir4, mkdir as mkdir3 } from "fs/promises";
+import { resolve as resolve9, join as join10 } from "path";
+import { readFile as readFile7, writeFile as writeFile5, readdir as readdir4, mkdir as mkdir3 } from "fs/promises";
 
 // src/govern/snapshot.ts
-import { randomUUID as randomUUID3, createHash as createHash5 } from "crypto";
+import { randomUUID as randomUUID3, createHash as createHash6 } from "crypto";
 import "fs/promises";
 function createSnapshot(name, analysis, selection, metadata = {}) {
   const files = selection.files.map((f) => ({
@@ -2880,13 +2964,13 @@ function compareSnapshots(older, newer) {
   };
 }
 function hashString(input) {
-  return createHash5("sha256").update(input).digest("hex").substring(0, 16);
+  return createHash6("sha256").update(input).digest("hex").substring(0, 16);
 }
 
 // src/cli/v2/snapshot.ts
 var SNAPSHOTS_DIR = ".cto/snapshots";
 async function ensureSnapshotsDir(projectPath) {
-  const dir = join9(projectPath, SNAPSHOTS_DIR);
+  const dir = join10(projectPath, SNAPSHOTS_DIR);
   await mkdir3(dir, { recursive: true });
   return dir;
 }
@@ -2914,8 +2998,8 @@ var snapshotCommand = new Command4("snapshot").description("Create and manage re
         createdBy: process.env.USER ?? "unknown"
       });
       const dir = await ensureSnapshotsDir(projectPath);
-      const filePath = join9(dir, `${name}.json`);
-      await writeFile4(filePath, JSON.stringify(snap, null, 2), "utf-8");
+      const filePath = join10(dir, `${name}.json`);
+      await writeFile5(filePath, JSON.stringify(snap, null, 2), "utf-8");
       console.log("");
       console.log(chalk4.bold.cyan(`  \u{1F4F8} Snapshot "${name}" created`));
       console.log(`    Files: ${snap.files.length}`);
@@ -2937,7 +3021,7 @@ var snapshotCommand = new Command4("snapshot").description("Create and manage re
     try {
       const projectPath = resolve9(opts.path ?? ".");
       const budget = parseInt(opts.budget ?? "50000", 10);
-      const snapPath = join9(projectPath, SNAPSHOTS_DIR, `${name}.json`);
+      const snapPath = join10(projectPath, SNAPSHOTS_DIR, `${name}.json`);
       const snap = await loadSnapshot(snapPath);
       console.log(chalk4.dim(`
   Re-analyzing project...`));
@@ -2974,9 +3058,9 @@ var snapshotCommand = new Command4("snapshot").description("Create and manage re
   new Command4("compare").description("Compare two snapshots").argument("<older>", "Older snapshot name").argument("<newer>", "Newer snapshot name").option("-p, --path <path>", "Project path", ".").action(async (older, newer, opts) => {
     try {
       const projectPath = resolve9(opts.path ?? ".");
-      const dir = join9(projectPath, SNAPSHOTS_DIR);
-      const snap1 = await loadSnapshot(join9(dir, `${older}.json`));
-      const snap2 = await loadSnapshot(join9(dir, `${newer}.json`));
+      const dir = join10(projectPath, SNAPSHOTS_DIR);
+      const snap1 = await loadSnapshot(join10(dir, `${older}.json`));
+      const snap2 = await loadSnapshot(join10(dir, `${newer}.json`));
       const diff = compareSnapshots(snap1, snap2);
       console.log("");
       console.log(chalk4.bold.cyan(`  \u{1F4CA} Snapshot Comparison: ${older} \u2192 ${newer}`));
@@ -3009,7 +3093,7 @@ var snapshotCommand = new Command4("snapshot").description("Create and manage re
   new Command4("list").description("List saved snapshots").option("-p, --path <path>", "Project path", ".").action(async (opts) => {
     try {
       const projectPath = resolve9(opts.path ?? ".");
-      const dir = join9(projectPath, SNAPSHOTS_DIR);
+      const dir = join10(projectPath, SNAPSHOTS_DIR);
       let files;
       try {
         files = await readdir4(dir);
@@ -3027,7 +3111,7 @@ var snapshotCommand = new Command4("snapshot").description("Create and manage re
       console.log("");
       for (const file of snapFiles) {
         try {
-          const snap = await loadSnapshot(join9(dir, file));
+          const snap = await loadSnapshot(join10(dir, file));
           const date = new Date(snap.createdAt).toLocaleString();
           console.log(`  ${chalk4.bold(snap.name)} \u2014 ${snap.files.length} files, ~${Math.round(snap.totalTokens / 1e3)}K tokens, coverage ${snap.coverageScore}%`);
           console.log(`    ${chalk4.dim(`Created: ${date} | Hash: ${snap.hash}`)}`);
@@ -3138,8 +3222,8 @@ var auditCommand = new Command5("audit").description("View and manage the audit
 // src/cli/v2/policy.ts
 import { Command as Command6 } from "commander";
 import chalk6 from "chalk";
-import { resolve as resolve10, join as join10 } from "path";
-import { readFile as readFile8, writeFile as writeFile5, mkdir as mkdir4 } from "fs/promises";
+import { resolve as resolve10, join as join11 } from "path";
+import { readFile as readFile8, writeFile as writeFile6, mkdir as mkdir4 } from "fs/promises";
 
 // src/govern/policy.ts
 var DEFAULT_POLICY = {
@@ -3293,16 +3377,16 @@ function fileMatchesCategory(path, category) {
 var POLICY_FILE2 = ".cto/policy.json";
 async function loadPolicy(projectPath) {
   try {
-    const content = await readFile8(join10(projectPath, POLICY_FILE2), "utf-8");
+    const content = await readFile8(join11(projectPath, POLICY_FILE2), "utf-8");
     return JSON.parse(content);
   } catch {
     return DEFAULT_POLICY;
   }
 }
 async function savePolicy(projectPath, policy) {
-  const dir = join10(projectPath, ".cto");
+  const dir = join11(projectPath, ".cto");
   await mkdir4(dir, { recursive: true });
-  await writeFile5(join10(projectPath, POLICY_FILE2), JSON.stringify(policy, null, 2), "utf-8");
+  await writeFile6(join11(projectPath, POLICY_FILE2), JSON.stringify(policy, null, 2), "utf-8");
 }
 var policyCommand = new Command6("policy").description("Manage context selection policies").addCommand(
   new Command6("show").description("Show current policy rules").option("-p, --path <path>", "Project path", ".").option("--json", "Output as JSON").action(async (opts) => {
@@ -3446,7 +3530,7 @@ var policyCommand = new Command6("policy").description("Manage context selection
       const projectPath = resolve10(opts.path ?? ".");
       await savePolicy(projectPath, DEFAULT_POLICY);
       console.log(chalk6.green(`
-  \u2705 Default policy initialized at ${join10(projectPath, POLICY_FILE2)}
+  \u2705 Default policy initialized at ${join11(projectPath, POLICY_FILE2)}
 `));
     } catch (err) {
       console.error(chalk6.red(`