cto-ai-cli 3.2.0 → 5.0.0

package/dist/api/server.js

@@ -800,11 +800,13 @@ async function getCachedAnalysis(projectPath, config) {
 }
 
 // src/engine/selector.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 
 // src/govern/secrets.ts
 import { readFile as readFile3 } from "fs/promises";
-import { resolve as resolve4, relative as relative4 } from "path";
+import { readFileSync, existsSync as existsSync2, mkdirSync, writeFileSync } from "fs";
+import { resolve as resolve4, relative as relative4, join as join4, dirname as dirname2 } from "path";
+import { createHash as createHash3 } from "crypto";
 var BUILTIN_PATTERNS = [
   // API Keys
   { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
@@ -849,17 +851,46 @@ var BUILTIN_PATTERNS = [
   { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
   // JWT
   { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // Datadog
+  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
+  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
+  // Sentry
+  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
+  // Firebase
+  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
+  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
+  // Supabase
+  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
+  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
+  // Vercel
+  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
+  // Heroku
+  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
+  // DigitalOcean
+  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
+  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
+  // Mailgun
+  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
   // PII
   { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
-  { type: "pii", source: "\\b\\d{3}[-.]?\\d{2}[-.]?\\d{4}\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
+  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
+var _cachedBuiltinPatterns = null;
+function getBuiltinPatterns() {
+  if (!_cachedBuiltinPatterns) {
+    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
+      type: def.type,
+      pattern: new RegExp(def.source, def.flags),
+      severity: def.severity,
+      description: def.description
+    }));
+  }
+  return _cachedBuiltinPatterns;
+}
 function buildPatterns(customPatterns = []) {
-  const patterns = BUILTIN_PATTERNS.map((def) => ({
-    type: def.type,
-    pattern: new RegExp(def.source, def.flags),
-    severity: def.severity,
-    description: def.description
-  }));
+  const builtins = getBuiltinPatterns();
+  if (customPatterns.length === 0) return builtins;
+  const patterns = [...builtins];
   for (const custom of customPatterns) {
     try {
       patterns.push({
@@ -873,7 +904,7 @@ function buildPatterns(customPatterns = []) {
   }
   return patterns;
 }
-function scanContentForSecrets(content, filePath, customPatterns = []) {
+function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
   const findings = [];
   const lines = content.split("\n");
   const allPatterns = buildPatterns(customPatterns);
@@ -885,6 +916,7 @@ function scanContentForSecrets(content, filePath, customPatterns = []) {
       while ((match = secretPattern.pattern.exec(line)) !== null) {
         const matchText = match[0];
         if (isTemplateOrPlaceholder(matchText)) continue;
+        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
         findings.push({
           type: secretPattern.type,
           file: filePath,
@@ -932,6 +964,36 @@ function isTemplateOrPlaceholder(value) {
   ];
   return placeholders.some((p) => p.test(value));
 }
+var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "test.org",
+  "test.net",
+  "localhost",
+  "localhost.localdomain",
+  "email.com",
+  "mail.com",
+  "foo.com",
+  "bar.com",
+  "baz.com",
+  "acme.com",
+  "company.com",
+  "corp.com",
+  "noreply.com",
+  "no-reply.com",
+  "users.noreply.github.com",
+  "placeholder.com"
+]);
+function isSafeEmail(value, extraDomains) {
+  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
+  if (!match) return false;
+  const domain = match[1].toLowerCase();
+  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
+  if (extraDomains && extraDomains.has(domain)) return true;
+  return false;
+}
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Set();
   return findings.filter((f) => {
@@ -943,10 +1005,7 @@ function deduplicateFindings(findings) {
 }
 
 // src/engine/pruner.ts
-import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile4 } from "fs/promises";
-import { existsSync as existsSync2 } from "fs";
-import { join as join4 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file, level) {
   if (level === "excluded") {
@@ -969,23 +1028,7 @@ async function pruneTypeScript(file, level) {
   } catch {
     return emptyResult(file, level);
   }
-  let project;
-  try {
-    const tsConfigPath = findTsConfig(file.path);
-    project = new Project2({
-      tsConfigFilePath: tsConfigPath,
-      skipAddingFilesFromTsConfig: true,
-      compilerOptions: tsConfigPath ? void 0 : { allowJs: true, esModuleInterop: true }
-    });
-    project.createSourceFile(file.path, content, { overwrite: true });
-  } catch {
-    return pruneGenericFromContent(file, content, level);
-  }
-  const sourceFile = project.getSourceFiles()[0];
-  if (!sourceFile) {
-    return pruneGenericFromContent(file, content, level);
-  }
-  const prunedContent = level === "signatures" ? extractSignaturesAST(sourceFile) : extractSkeletonAST(sourceFile);
+  const prunedContent = level === "signatures" ? extractSignaturesRegex(content) : extractSkeletonRegex(content);
   const prunedTokens = countTokensChars4(Buffer.byteLength(prunedContent, "utf-8"));
   const savingsPercent = file.tokens > 0 ? (file.tokens - prunedTokens) / file.tokens * 100 : 0;
   return {
@@ -997,131 +1040,281 @@ async function pruneTypeScript(file, level) {
     savingsPercent: Math.max(0, savingsPercent)
   };
 }
-function extractSignaturesAST(sf) {
+function extractSignaturesRegex(content) {
+  const lines = content.split("\n");
   const parts = [];
-  for (const imp of sf.getImportDeclarations()) {
-    parts.push(imp.getText());
-  }
-  if (parts.length > 0) parts.push("");
-  for (const ta of sf.getTypeAliases()) {
-    addJSDoc(ta, parts);
-    parts.push(ta.getText());
-  }
-  for (const iface of sf.getInterfaces()) {
-    addJSDoc(iface, parts);
-    parts.push(iface.getText());
-  }
-  for (const en of sf.getEnums()) {
-    addJSDoc(en, parts);
-    parts.push(en.getText());
-  }
-  for (const fn of sf.getFunctions()) {
-    addJSDoc(fn, parts);
-    const isExported = fn.isExported();
-    const isAsync = fn.isAsync();
-    const name = fn.getName() ?? "<anonymous>";
-    const params = fn.getParameters().map((p) => p.getText()).join(", ");
-    const returnType = fn.getReturnTypeNode()?.getText();
-    const returnStr = returnType ? `: ${returnType}` : "";
-    const prefix = isExported ? "export " : "";
-    const asyncStr = isAsync ? "async " : "";
-    parts.push(`${prefix}${asyncStr}function ${name}(${params})${returnStr} { /* ... */ }`);
-  }
-  for (const stmt of sf.getVariableStatements()) {
-    for (const decl of stmt.getDeclarations()) {
-      const init = decl.getInitializer();
-      if (init && (init.getKind() === SyntaxKind2.ArrowFunction || init.getKind() === SyntaxKind2.FunctionExpression)) {
-        addJSDoc(stmt, parts);
-        const isExported = stmt.isExported();
-        const prefix = isExported ? "export " : "";
-        const kind = stmt.getDeclarationKind();
-        const name = decl.getName();
-        const typeNode = decl.getTypeNode()?.getText();
-        const typeStr = typeNode ? `: ${typeNode}` : "";
-        parts.push(`${prefix}${kind} ${name}${typeStr} = /* ... */;`);
-      } else {
-        addJSDoc(stmt, parts);
-        parts.push(stmt.getText());
+  let i = 0;
+  while (i < lines.length) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed === "") {
+      i++;
+      continue;
+    }
+    if (trimmed.startsWith("/**")) {
+      const docLines = [];
+      while (i < lines.length) {
+        docLines.push(lines[i]);
+        if (lines[i].includes("*/")) {
+          i++;
+          break;
+        }
+        i++;
+      }
+      parts.push(docLines.join("\n"));
+      continue;
+    }
+    if (trimmed.startsWith("//")) {
+      parts.push(line);
+      i++;
+      continue;
+    }
+    if (/^\s*(import|export)\s/.test(line) && (trimmed.includes(" from ") || trimmed.startsWith("import "))) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*export\s*(\{|\*)/.test(trimmed)) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?type\s+\w/.test(trimmed) && !trimmed.startsWith("typeof")) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?interface\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?(const\s+)?enum\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    const fnMatch = trimmed.match(/^(export\s+)?(async\s+)?function\s+(\w+)/);
+    if (fnMatch) {
+      const sig = extractFnSignature(lines, i);
+      parts.push(`${sig} { /* ... */ }`);
+      i = skipBlock(lines, i);
+      continue;
+    }
+    const arrowMatch = trimmed.match(/^(export\s+)?(const|let|var)\s+(\w+)/);
+    if (arrowMatch && looksLikeFunctionDecl(lines, i)) {
+      const prefix = trimmed.match(/^((?:export\s+)?(?:const|let|var)\s+\w+[^=]*=)/)?.[1];
+      if (prefix) {
+        parts.push(`${prefix} /* ... */;`);
       }
+      i = skipBlock(lines, i);
+      continue;
     }
-  }
-  for (const cls of sf.getClasses()) {
-    addJSDoc(cls, parts);
-    const isExported = cls.isExported();
-    const prefix = isExported ? "export " : "";
-    const name = cls.getName() ?? "<anonymous>";
-    const ext = cls.getExtends()?.getText();
-    const impl = cls.getImplements().map((i) => i.getText()).join(", ");
-    let header = `${prefix}class ${name}`;
-    if (ext) header += ` extends ${ext}`;
-    if (impl) header += ` implements ${impl}`;
-    header += " {";
-    parts.push(header);
-    for (const prop of cls.getProperties()) {
-      parts.push(`  ${prop.getText()}`);
-    }
-    const ctor = cls.getConstructors()[0];
-    if (ctor) {
-      const ctorParams = ctor.getParameters().map((p) => p.getText()).join(", ");
-      parts.push(`  constructor(${ctorParams}) { /* ... */ }`);
-    }
-    for (const method of cls.getMethods()) {
-      const isStatic = method.isStatic();
-      const isAsync = method.isAsync();
-      const methodName = method.getName();
-      const methodParams = method.getParameters().map((p) => p.getText()).join(", ");
-      const returnType = method.getReturnTypeNode()?.getText();
-      const returnStr = returnType ? `: ${returnType}` : "";
-      const staticStr = isStatic ? "static " : "";
-      const asyncStr = isAsync ? "async " : "";
-      parts.push(`  ${staticStr}${asyncStr}${methodName}(${methodParams})${returnStr} { /* ... */ }`);
-    }
-    parts.push("}");
-  }
-  for (const exp of sf.getExportDeclarations()) {
-    parts.push(exp.getText());
-  }
-  for (const exp of sf.getExportAssignments()) {
-    parts.push(exp.getText());
+    if (arrowMatch) {
+      const block = collectStatement(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?(abstract\s+)?class\s+\w/.test(trimmed)) {
+      const classOutline = extractClassOutline(lines, i);
+      parts.push(classOutline.text);
+      i = classOutline.nextIndex;
+      continue;
+    }
+    i++;
   }
   return parts.join("\n");
 }
-function extractSkeletonAST(sf) {
+function extractSkeletonRegex(content) {
+  const lines = content.split("\n");
   const parts = [];
-  for (const imp of sf.getImportDeclarations()) {
-    parts.push(imp.getText());
-  }
-  if (parts.length > 0) parts.push("");
-  for (const ta of sf.getTypeAliases()) {
-    if (ta.isExported()) parts.push(ta.getText());
-  }
-  for (const iface of sf.getInterfaces()) {
-    if (!iface.isExported()) continue;
-    const ext = iface.getExtends().map((e) => e.getText());
-    const extStr = ext.length > 0 ? ` extends ${ext.join(", ")}` : "";
-    parts.push(`export interface ${iface.getName()}${extStr} { /* ${iface.getProperties().length} props */ }`);
-  }
-  for (const en of sf.getEnums()) {
-    if (!en.isExported()) continue;
-    const members = en.getMembers().map((m) => m.getName());
-    parts.push(`export enum ${en.getName()} { ${members.join(", ")} }`);
-  }
-  for (const fn of sf.getFunctions()) {
-    if (!fn.isExported()) continue;
-    const name = fn.getName() ?? "<anonymous>";
-    const params = fn.getParameters().map((p) => p.getText()).join(", ");
-    parts.push(`export function ${name}(${params});`);
-  }
-  for (const cls of sf.getClasses()) {
-    if (!cls.isExported()) continue;
-    const methods = cls.getMethods().map((m) => m.getName());
-    parts.push(`export class ${cls.getName()} { /* methods: ${methods.join(", ")} */ }`);
-  }
-  for (const exp of sf.getExportDeclarations()) {
-    parts.push(exp.getText());
+  let i = 0;
+  while (i < lines.length) {
+    const trimmed = lines[i].trim();
+    if (/^import\s/.test(trimmed)) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^export\s+(type|interface)\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^export\s+(const\s+)?enum\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^export\s+(async\s+)?function\s+\w/.test(trimmed)) {
+      const sig = extractFnSignature(lines, i);
+      parts.push(`${sig};`);
+      i = skipBlock(lines, i);
+      continue;
+    }
+    if (/^export\s+(abstract\s+)?class\s+/.test(trimmed)) {
+      const nameMatch = trimmed.match(/class\s+(\w+)/);
+      const name = nameMatch?.[1] ?? "Unknown";
+      const end = skipBlock(lines, i);
+      const methods = [];
+      for (let j = i + 1; j < end; j++) {
+        const mt = lines[j].trim();
+        const mm = mt.match(/^(?:static\s+)?(?:async\s+)?(\w+)\s*\(/);
+        if (mm && mm[1] !== "constructor") methods.push(mm[1]);
+      }
+      parts.push(`export class ${name} { /* methods: ${methods.join(", ")} */ }`);
+      i = end;
+      continue;
+    }
+    if (/^export\s*(\{|\*)/.test(trimmed)) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    i++;
   }
   return parts.join("\n");
 }
+function collectBracedLine(lines, start) {
+  let text = lines[start];
+  let i = start + 1;
+  while (i < lines.length && !text.includes(";") && !text.trimEnd().endsWith("'") && !text.trimEnd().endsWith('"')) {
+    text += "\n" + lines[i];
+    i++;
+  }
+  return { text, nextIndex: i };
+}
+function collectBalanced(lines, start) {
+  let depth = 0;
+  let text = "";
+  let i = start;
+  let started = false;
+  while (i < lines.length) {
+    const line = lines[i];
+    text += (text ? "\n" : "") + line;
+    for (const ch of line) {
+      if (ch === "{" || ch === "(") {
+        depth++;
+        started = true;
+      }
+      if (ch === "}" || ch === ")") depth--;
+    }
+    i++;
+    if (started && depth <= 0) break;
+    if (!started && line.includes(";")) break;
+  }
+  return { text, nextIndex: i };
+}
+function collectStatement(lines, start) {
+  let text = lines[start];
+  let i = start + 1;
+  if (text.includes(";")) return { text, nextIndex: i };
+  let depth = 0;
+  for (const ch of text) {
+    if (ch === "{" || ch === "(" || ch === "[") depth++;
+    if (ch === "}" || ch === ")" || ch === "]") depth--;
+  }
+  while (i < lines.length && depth > 0) {
+    text += "\n" + lines[i];
+    for (const ch of lines[i]) {
+      if (ch === "{" || ch === "(" || ch === "[") depth++;
+      if (ch === "}" || ch === ")" || ch === "]") depth--;
+    }
+    i++;
+  }
+  return { text, nextIndex: i };
+}
+function extractFnSignature(lines, start) {
+  let sig = "";
+  let i = start;
+  while (i < lines.length) {
+    const line = lines[i].trim();
+    sig += (sig ? " " : "") + line;
+    if (line.includes("{")) {
+      sig = sig.replace(/\s*\{[^]*$/, "").trim();
+      break;
+    }
+    i++;
+  }
+  return sig;
+}
+function skipBlock(lines, start) {
+  let depth = 0;
+  let i = start;
+  let foundBrace = false;
+  while (i < lines.length) {
+    for (const ch of lines[i]) {
+      if (ch === "{") {
+        depth++;
+        foundBrace = true;
+      }
+      if (ch === "}") depth--;
+    }
+    i++;
+    if (foundBrace && depth <= 0) break;
+    if (!foundBrace && lines[i - 1].includes(";")) break;
+  }
+  return i;
+}
+function looksLikeFunctionDecl(lines, start) {
+  const chunk = lines.slice(start, Math.min(start + 5, lines.length)).join(" ");
+  return /=>/.test(chunk) || /=\s*function/.test(chunk);
+}
+function extractClassOutline(lines, start) {
+  const header = lines[start].trim();
+  let headerText = header;
+  let i = start + 1;
+  if (!header.includes("{")) {
+    while (i < lines.length) {
+      headerText += " " + lines[i].trim();
+      if (lines[i].includes("{")) {
+        i++;
+        break;
+      }
+      i++;
+    }
+  } else {
+    i = start + 1;
+  }
+  const bodyParts = [headerText.replace(/\{[^]*$/, "{").trim()];
+  let depth = 1;
+  while (i < lines.length && depth > 0) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    for (const ch of line) {
+      if (ch === "{") depth++;
+      if (ch === "}") depth--;
+    }
+    if (depth <= 0) {
+      i++;
+      break;
+    }
+    if (depth === 1) {
+      if (/^(private|protected|public|readonly|static|#)/.test(trimmed) && !trimmed.includes("(")) {
+        bodyParts.push(`  ${trimmed}`);
+      } else if (/^constructor\s*\(/.test(trimmed)) {
+        const sig = extractFnSignature(lines, i);
+        bodyParts.push(`  ${sig} { /* ... */ }`);
+      } else if (/^(?:static\s+)?(?:async\s+)?(?:get\s+|set\s+)?\w+\s*[(<]/.test(trimmed) && !trimmed.startsWith("//")) {
+        const sig = extractFnSignature(lines, i);
+        bodyParts.push(`  ${sig} { /* ... */ }`);
+      }
+    }
+    i++;
+  }
+  bodyParts.push("}");
+  return { text: bodyParts.join("\n"), nextIndex: i };
+}
 async function pruneGeneric(file, level) {
   let content;
   try {
@@ -1182,22 +1375,6 @@ function emptyResult(file, level) {
     savingsPercent: 100
   };
 }
-function addJSDoc(node, parts) {
-  if (!node.getJsDocs) return;
-  const docs = node.getJsDocs();
-  if (docs.length > 0) {
-    parts.push(docs[0].getText());
-  }
-}
-function findTsConfig(filePath) {
-  let dir = filePath;
-  for (let i = 0; i < 10; i++) {
-    dir = join4(dir, "..");
-    const candidate = join4(dir, "tsconfig.json");
-    if (existsSync2(candidate)) return candidate;
-  }
-  return void 0;
-}
 
 // src/engine/graph-utils.ts
 function buildAdjacencyList(edges) {
@@ -1461,7 +1638,7 @@ async function selectContext(input) {
   );
   const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
   const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
+  const hash = createHash4("sha256").update(hashInput).digest("hex").substring(0, 16);
   return {
     files: selectedFiles,
     totalTokens: usedTokens,
@@ -2858,7 +3035,7 @@ function formatCost(cost) {
 }
 
 // src/govern/audit.ts
-import { randomUUID, createHash as createHash4 } from "crypto";
+import { randomUUID, createHash as createHash5 } from "crypto";
 import { readdir as readdir3, chmod } from "fs/promises";
 import { join as join5 } from "path";
 import { userInfo } from "os";
@@ -2882,7 +3059,7 @@ function computeIntegrityHash(entry) {
     projectPath: entry.projectPath,
     details: entry.details
   });
-  return createHash4("sha256").update(payload).digest("hex");
+  return createHash5("sha256").update(payload).digest("hex");
 }
 async function ensureDir(dirPath) {
   const { mkdir } = await import("fs/promises");
@@ -2898,9 +3075,9 @@ async function readJSON(filePath) {
   }
 }
 async function writeJSON(filePath, data) {
-  const { writeFile } = await import("fs/promises");
+  const { writeFile: writeFile2 } = await import("fs/promises");
   await ensureDir(join5(filePath, ".."));
-  await writeFile(filePath, JSON.stringify(data, null, 2), "utf-8");
+  await writeFile2(filePath, JSON.stringify(data, null, 2), "utf-8");
 }
 async function logAudit(action, projectPath, details = {}) {
   const auditDir = getAuditDir();
@@ -3072,6 +3249,12 @@ function checkRateLimit(ip) {
   entry.count++;
   return true;
 }
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, entry] of requestCounts) {
+    if (now > entry.reset) requestCounts.delete(ip);
+  }
+}, 5 * 6e4).unref();
 function getIP(req) {
   return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() ?? req.socket.remoteAddress ?? "unknown";
 }