cto-ai-cli 4.0.0 → 5.1.0

package/dist/api/server.js

@@ -592,8 +592,8 @@ async function analyzeProject(projectPath, config) {
     maxDepth: mergedConfig.analysis.maxDepth
   });
   const tokenMethod = mergedConfig.tokens.method;
-  const files = [];
-  for (const entry of walkEntries) {
+  const BATCH_SIZE = 50;
+  async function estimateFileTokens(entry) {
     let tokens;
     if (tokenMethod === "tiktoken") {
       try {
@@ -605,7 +605,7 @@ async function analyzeProject(projectPath, config) {
     } else {
       tokens = countTokensChars4(entry.size);
     }
-    files.push({
+    return {
       path: entry.path,
       relativePath: entry.relativePath,
       extension: entry.extension,
@@ -614,16 +614,20 @@ async function analyzeProject(projectPath, config) {
       lines: entry.lines,
       lastModified: entry.lastModified,
       kind: classifyFileKind(entry.relativePath),
-      // Graph data — populated by graph analysis
       imports: [],
       importedBy: [],
       isHub: false,
       complexity: 0,
-      // Risk data — populated by risk analysis
       riskScore: 0,
       riskFactors: [],
       exclusionImpact: "none"
-    });
+    };
+  }
+  const files = [];
+  for (let i = 0; i < walkEntries.length; i += BATCH_SIZE) {
+    const batch = walkEntries.slice(i, i + BATCH_SIZE);
+    const results = await Promise.all(batch.map(estimateFileTokens));
+    files.push(...results);
   }
   const graph = buildProjectGraph(absPath, files);
   for (const file of files) {
@@ -1005,10 +1009,7 @@ function deduplicateFindings(findings) {
 }
 
 // src/engine/pruner.ts
-import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
 import { readFile as readFile4 } from "fs/promises";
-import { existsSync as existsSync3 } from "fs";
-import { join as join5 } from "path";
 var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
 async function pruneFile(file, level) {
   if (level === "excluded") {
@@ -1031,23 +1032,7 @@ async function pruneTypeScript(file, level) {
   } catch {
     return emptyResult(file, level);
   }
-  let project;
-  try {
-    const tsConfigPath = findTsConfig(file.path);
-    project = new Project2({
-      tsConfigFilePath: tsConfigPath,
-      skipAddingFilesFromTsConfig: true,
-      compilerOptions: tsConfigPath ? void 0 : { allowJs: true, esModuleInterop: true }
-    });
-    project.createSourceFile(file.path, content, { overwrite: true });
-  } catch {
-    return pruneGenericFromContent(file, content, level);
-  }
-  const sourceFile = project.getSourceFiles()[0];
-  if (!sourceFile) {
-    return pruneGenericFromContent(file, content, level);
-  }
-  const prunedContent = level === "signatures" ? extractSignaturesAST(sourceFile) : extractSkeletonAST(sourceFile);
+  const prunedContent = level === "signatures" ? extractSignaturesRegex(content) : extractSkeletonRegex(content);
   const prunedTokens = countTokensChars4(Buffer.byteLength(prunedContent, "utf-8"));
   const savingsPercent = file.tokens > 0 ? (file.tokens - prunedTokens) / file.tokens * 100 : 0;
   return {
@@ -1059,131 +1044,281 @@ async function pruneTypeScript(file, level) {
     savingsPercent: Math.max(0, savingsPercent)
   };
 }
-function extractSignaturesAST(sf) {
+function extractSignaturesRegex(content) {
+  const lines = content.split("\n");
   const parts = [];
-  for (const imp of sf.getImportDeclarations()) {
-    parts.push(imp.getText());
-  }
-  if (parts.length > 0) parts.push("");
-  for (const ta of sf.getTypeAliases()) {
-    addJSDoc(ta, parts);
-    parts.push(ta.getText());
-  }
-  for (const iface of sf.getInterfaces()) {
-    addJSDoc(iface, parts);
-    parts.push(iface.getText());
-  }
-  for (const en of sf.getEnums()) {
-    addJSDoc(en, parts);
-    parts.push(en.getText());
-  }
-  for (const fn of sf.getFunctions()) {
-    addJSDoc(fn, parts);
-    const isExported = fn.isExported();
-    const isAsync = fn.isAsync();
-    const name = fn.getName() ?? "<anonymous>";
-    const params = fn.getParameters().map((p) => p.getText()).join(", ");
-    const returnType = fn.getReturnTypeNode()?.getText();
-    const returnStr = returnType ? `: ${returnType}` : "";
-    const prefix = isExported ? "export " : "";
-    const asyncStr = isAsync ? "async " : "";
-    parts.push(`${prefix}${asyncStr}function ${name}(${params})${returnStr} { /* ... */ }`);
-  }
-  for (const stmt of sf.getVariableStatements()) {
-    for (const decl of stmt.getDeclarations()) {
-      const init = decl.getInitializer();
-      if (init && (init.getKind() === SyntaxKind2.ArrowFunction || init.getKind() === SyntaxKind2.FunctionExpression)) {
-        addJSDoc(stmt, parts);
-        const isExported = stmt.isExported();
-        const prefix = isExported ? "export " : "";
-        const kind = stmt.getDeclarationKind();
-        const name = decl.getName();
-        const typeNode = decl.getTypeNode()?.getText();
-        const typeStr = typeNode ? `: ${typeNode}` : "";
-        parts.push(`${prefix}${kind} ${name}${typeStr} = /* ... */;`);
-      } else {
-        addJSDoc(stmt, parts);
-        parts.push(stmt.getText());
+  let i = 0;
+  while (i < lines.length) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    if (trimmed === "") {
+      i++;
+      continue;
+    }
+    if (trimmed.startsWith("/**")) {
+      const docLines = [];
+      while (i < lines.length) {
+        docLines.push(lines[i]);
+        if (lines[i].includes("*/")) {
+          i++;
+          break;
+        }
+        i++;
+      }
+      parts.push(docLines.join("\n"));
+      continue;
+    }
+    if (trimmed.startsWith("//")) {
+      parts.push(line);
+      i++;
+      continue;
+    }
+    if (/^\s*(import|export)\s/.test(line) && (trimmed.includes(" from ") || trimmed.startsWith("import "))) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*export\s*(\{|\*)/.test(trimmed)) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?type\s+\w/.test(trimmed) && !trimmed.startsWith("typeof")) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?interface\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?(const\s+)?enum\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    const fnMatch = trimmed.match(/^(export\s+)?(async\s+)?function\s+(\w+)/);
+    if (fnMatch) {
+      const sig = extractFnSignature(lines, i);
+      parts.push(`${sig} { /* ... */ }`);
+      i = skipBlock(lines, i);
+      continue;
+    }
+    const arrowMatch = trimmed.match(/^(export\s+)?(const|let|var)\s+(\w+)/);
+    if (arrowMatch && looksLikeFunctionDecl(lines, i)) {
+      const prefix = trimmed.match(/^((?:export\s+)?(?:const|let|var)\s+\w+[^=]*=)/)?.[1];
+      if (prefix) {
+        parts.push(`${prefix} /* ... */;`);
       }
+      i = skipBlock(lines, i);
+      continue;
     }
-  }
-  for (const cls of sf.getClasses()) {
-    addJSDoc(cls, parts);
-    const isExported = cls.isExported();
-    const prefix = isExported ? "export " : "";
-    const name = cls.getName() ?? "<anonymous>";
-    const ext = cls.getExtends()?.getText();
-    const impl = cls.getImplements().map((i) => i.getText()).join(", ");
-    let header = `${prefix}class ${name}`;
-    if (ext) header += ` extends ${ext}`;
-    if (impl) header += ` implements ${impl}`;
-    header += " {";
-    parts.push(header);
-    for (const prop of cls.getProperties()) {
-      parts.push(`  ${prop.getText()}`);
-    }
-    const ctor = cls.getConstructors()[0];
-    if (ctor) {
-      const ctorParams = ctor.getParameters().map((p) => p.getText()).join(", ");
-      parts.push(`  constructor(${ctorParams}) { /* ... */ }`);
-    }
-    for (const method of cls.getMethods()) {
-      const isStatic = method.isStatic();
-      const isAsync = method.isAsync();
-      const methodName = method.getName();
-      const methodParams = method.getParameters().map((p) => p.getText()).join(", ");
-      const returnType = method.getReturnTypeNode()?.getText();
-      const returnStr = returnType ? `: ${returnType}` : "";
-      const staticStr = isStatic ? "static " : "";
-      const asyncStr = isAsync ? "async " : "";
-      parts.push(`  ${staticStr}${asyncStr}${methodName}(${methodParams})${returnStr} { /* ... */ }`);
-    }
-    parts.push("}");
-  }
-  for (const exp of sf.getExportDeclarations()) {
-    parts.push(exp.getText());
-  }
-  for (const exp of sf.getExportAssignments()) {
-    parts.push(exp.getText());
+    if (arrowMatch) {
+      const block = collectStatement(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^\s*(export\s+)?(abstract\s+)?class\s+\w/.test(trimmed)) {
+      const classOutline = extractClassOutline(lines, i);
+      parts.push(classOutline.text);
+      i = classOutline.nextIndex;
+      continue;
+    }
+    i++;
   }
   return parts.join("\n");
 }
-function extractSkeletonAST(sf) {
+function extractSkeletonRegex(content) {
+  const lines = content.split("\n");
   const parts = [];
-  for (const imp of sf.getImportDeclarations()) {
-    parts.push(imp.getText());
-  }
-  if (parts.length > 0) parts.push("");
-  for (const ta of sf.getTypeAliases()) {
-    if (ta.isExported()) parts.push(ta.getText());
-  }
-  for (const iface of sf.getInterfaces()) {
-    if (!iface.isExported()) continue;
-    const ext = iface.getExtends().map((e) => e.getText());
-    const extStr = ext.length > 0 ? ` extends ${ext.join(", ")}` : "";
-    parts.push(`export interface ${iface.getName()}${extStr} { /* ${iface.getProperties().length} props */ }`);
-  }
-  for (const en of sf.getEnums()) {
-    if (!en.isExported()) continue;
-    const members = en.getMembers().map((m) => m.getName());
-    parts.push(`export enum ${en.getName()} { ${members.join(", ")} }`);
-  }
-  for (const fn of sf.getFunctions()) {
-    if (!fn.isExported()) continue;
-    const name = fn.getName() ?? "<anonymous>";
-    const params = fn.getParameters().map((p) => p.getText()).join(", ");
-    parts.push(`export function ${name}(${params});`);
-  }
-  for (const cls of sf.getClasses()) {
-    if (!cls.isExported()) continue;
-    const methods = cls.getMethods().map((m) => m.getName());
-    parts.push(`export class ${cls.getName()} { /* methods: ${methods.join(", ")} */ }`);
-  }
-  for (const exp of sf.getExportDeclarations()) {
-    parts.push(exp.getText());
+  let i = 0;
+  while (i < lines.length) {
+    const trimmed = lines[i].trim();
+    if (/^import\s/.test(trimmed)) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^export\s+(type|interface)\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^export\s+(const\s+)?enum\s+\w/.test(trimmed)) {
+      const block = collectBalanced(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    if (/^export\s+(async\s+)?function\s+\w/.test(trimmed)) {
+      const sig = extractFnSignature(lines, i);
+      parts.push(`${sig};`);
+      i = skipBlock(lines, i);
+      continue;
+    }
+    if (/^export\s+(abstract\s+)?class\s+/.test(trimmed)) {
+      const nameMatch = trimmed.match(/class\s+(\w+)/);
+      const name = nameMatch?.[1] ?? "Unknown";
+      const end = skipBlock(lines, i);
+      const methods = [];
+      for (let j = i + 1; j < end; j++) {
+        const mt = lines[j].trim();
+        const mm = mt.match(/^(?:static\s+)?(?:async\s+)?(\w+)\s*\(/);
+        if (mm && mm[1] !== "constructor") methods.push(mm[1]);
+      }
+      parts.push(`export class ${name} { /* methods: ${methods.join(", ")} */ }`);
+      i = end;
+      continue;
+    }
+    if (/^export\s*(\{|\*)/.test(trimmed)) {
+      const block = collectBracedLine(lines, i);
+      parts.push(block.text);
+      i = block.nextIndex;
+      continue;
+    }
+    i++;
   }
   return parts.join("\n");
 }
+function collectBracedLine(lines, start) {
+  let text = lines[start];
+  let i = start + 1;
+  while (i < lines.length && !text.includes(";") && !text.trimEnd().endsWith("'") && !text.trimEnd().endsWith('"')) {
+    text += "\n" + lines[i];
+    i++;
+  }
+  return { text, nextIndex: i };
+}
+function collectBalanced(lines, start) {
+  let depth = 0;
+  let text = "";
+  let i = start;
+  let started = false;
+  while (i < lines.length) {
+    const line = lines[i];
+    text += (text ? "\n" : "") + line;
+    for (const ch of line) {
+      if (ch === "{" || ch === "(") {
+        depth++;
+        started = true;
+      }
+      if (ch === "}" || ch === ")") depth--;
+    }
+    i++;
+    if (started && depth <= 0) break;
+    if (!started && line.includes(";")) break;
+  }
+  return { text, nextIndex: i };
+}
+function collectStatement(lines, start) {
+  let text = lines[start];
+  let i = start + 1;
+  if (text.includes(";")) return { text, nextIndex: i };
+  let depth = 0;
+  for (const ch of text) {
+    if (ch === "{" || ch === "(" || ch === "[") depth++;
+    if (ch === "}" || ch === ")" || ch === "]") depth--;
+  }
+  while (i < lines.length && depth > 0) {
+    text += "\n" + lines[i];
+    for (const ch of lines[i]) {
+      if (ch === "{" || ch === "(" || ch === "[") depth++;
+      if (ch === "}" || ch === ")" || ch === "]") depth--;
+    }
+    i++;
+  }
+  return { text, nextIndex: i };
+}
+function extractFnSignature(lines, start) {
+  let sig = "";
+  let i = start;
+  while (i < lines.length) {
+    const line = lines[i].trim();
+    sig += (sig ? " " : "") + line;
+    if (line.includes("{")) {
+      sig = sig.replace(/\s*\{[^]*$/, "").trim();
+      break;
+    }
+    i++;
+  }
+  return sig;
+}
+function skipBlock(lines, start) {
+  let depth = 0;
+  let i = start;
+  let foundBrace = false;
+  while (i < lines.length) {
+    for (const ch of lines[i]) {
+      if (ch === "{") {
+        depth++;
+        foundBrace = true;
+      }
+      if (ch === "}") depth--;
+    }
+    i++;
+    if (foundBrace && depth <= 0) break;
+    if (!foundBrace && lines[i - 1].includes(";")) break;
+  }
+  return i;
+}
+function looksLikeFunctionDecl(lines, start) {
+  const chunk = lines.slice(start, Math.min(start + 5, lines.length)).join(" ");
+  return /=>/.test(chunk) || /=\s*function/.test(chunk);
+}
+function extractClassOutline(lines, start) {
+  const header = lines[start].trim();
+  let headerText = header;
+  let i = start + 1;
+  if (!header.includes("{")) {
+    while (i < lines.length) {
+      headerText += " " + lines[i].trim();
+      if (lines[i].includes("{")) {
+        i++;
+        break;
+      }
+      i++;
+    }
+  } else {
+    i = start + 1;
+  }
+  const bodyParts = [headerText.replace(/\{[^]*$/, "{").trim()];
+  let depth = 1;
+  while (i < lines.length && depth > 0) {
+    const line = lines[i];
+    const trimmed = line.trim();
+    for (const ch of line) {
+      if (ch === "{") depth++;
+      if (ch === "}") depth--;
+    }
+    if (depth <= 0) {
+      i++;
+      break;
+    }
+    if (depth === 1) {
+      if (/^(private|protected|public|readonly|static|#)/.test(trimmed) && !trimmed.includes("(")) {
+        bodyParts.push(`  ${trimmed}`);
+      } else if (/^constructor\s*\(/.test(trimmed)) {
+        const sig = extractFnSignature(lines, i);
+        bodyParts.push(`  ${sig} { /* ... */ }`);
+      } else if (/^(?:static\s+)?(?:async\s+)?(?:get\s+|set\s+)?\w+\s*[(<]/.test(trimmed) && !trimmed.startsWith("//")) {
+        const sig = extractFnSignature(lines, i);
+        bodyParts.push(`  ${sig} { /* ... */ }`);
+      }
+    }
+    i++;
+  }
+  bodyParts.push("}");
+  return { text: bodyParts.join("\n"), nextIndex: i };
+}
 async function pruneGeneric(file, level) {
   let content;
   try {
@@ -1244,22 +1379,6 @@ function emptyResult(file, level) {
     savingsPercent: 100
   };
 }
-function addJSDoc(node, parts) {
-  if (!node.getJsDocs) return;
-  const docs = node.getJsDocs();
-  if (docs.length > 0) {
-    parts.push(docs[0].getText());
-  }
-}
-function findTsConfig(filePath) {
-  let dir = filePath;
-  for (let i = 0; i < 10; i++) {
-    dir = join5(dir, "..");
-    const candidate = join5(dir, "tsconfig.json");
-    if (existsSync3(candidate)) return candidate;
-  }
-  return void 0;
-}
 
 // src/engine/graph-utils.ts
 function buildAdjacencyList(edges) {
@@ -2922,18 +3041,18 @@ function formatCost(cost) {
 // src/govern/audit.ts
 import { randomUUID, createHash as createHash5 } from "crypto";
 import { readdir as readdir3, chmod } from "fs/promises";
-import { join as join6 } from "path";
+import { join as join5 } from "path";
 import { userInfo } from "os";
 import { homedir } from "os";
 var CTO_DIR = ".cto-ai";
 var AUDIT_DIR = "audit";
 var MAX_ENTRIES_PER_FILE = 500;
 function getAuditDir() {
-  return join6(homedir(), CTO_DIR, AUDIT_DIR);
+  return join5(homedir(), CTO_DIR, AUDIT_DIR);
 }
 function getCurrentAuditFile() {
   const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0].replace(/-/g, "");
-  return join6(getAuditDir(), `audit_${date}.json`);
+  return join5(getAuditDir(), `audit_${date}.json`);
 }
 function computeIntegrityHash(entry) {
   const payload = JSON.stringify({
@@ -2961,7 +3080,7 @@ async function readJSON(filePath) {
 }
 async function writeJSON(filePath, data) {
   const { writeFile: writeFile2 } = await import("fs/promises");
-  await ensureDir(join6(filePath, ".."));
+  await ensureDir(join5(filePath, ".."));
   await writeFile2(filePath, JSON.stringify(data, null, 2), "utf-8");
 }
 async function logAudit(action, projectPath, details = {}) {
@@ -3111,6 +3230,52 @@ async function planInteraction(input) {
 // src/api/server.ts
 var API_VERSION = "1.0.0";
 var DEFAULT_PORT = 3141;
+var FORBIDDEN_PREFIXES = [
+  "/etc",
+  "/usr",
+  "/var",
+  "/sys",
+  "/proc",
+  "/dev",
+  "/boot",
+  "/sbin",
+  "/bin",
+  "/tmp",
+  "/root",
+  "/lib",
+  "/opt"
+];
+var FORBIDDEN_PATTERNS = [".ssh", ".gnupg", ".aws", ".env", "passwd", "shadow"];
+function getAllowedRoots() {
+  const raw = process.env.CTO_ALLOWED_ROOTS;
+  if (!raw) return null;
+  return raw.split(",").map((r) => resolve7(r.trim()));
+}
+function validateProjectPath(projectPath) {
+  if (typeof projectPath !== "string" || !projectPath.trim()) {
+    return { valid: false, reason: "Missing or invalid path field" };
+  }
+  const absPath = resolve7(projectPath);
+  const lower = absPath.toLowerCase();
+  for (const prefix of FORBIDDEN_PREFIXES) {
+    if (lower === prefix || lower.startsWith(prefix + "/")) {
+      return { valid: false, reason: `Access denied: system path ${prefix}` };
+    }
+  }
+  for (const pattern of FORBIDDEN_PATTERNS) {
+    if (lower.includes(pattern)) {
+      return { valid: false, reason: `Access denied: path contains forbidden segment '${pattern}'` };
+    }
+  }
+  const roots = getAllowedRoots();
+  if (roots && roots.length > 0) {
+    const allowed = roots.some((root) => absPath === root || absPath.startsWith(root + "/"));
+    if (!allowed) {
+      return { valid: false, reason: `Access denied: path not under allowed roots. Set CTO_ALLOWED_ROOTS to allow.` };
+    }
+  }
+  return { valid: true, absPath };
+}
 function validateApiKey(req) {
   const apiKey = process.env.CTO_API_KEY;
   if (!apiKey) return true;
@@ -3134,6 +3299,12 @@ function checkRateLimit(ip) {
   entry.count++;
   return true;
 }
+setInterval(() => {
+  const now = Date.now();
+  for (const [ip, entry] of requestCounts) {
+    if (now > entry.reset) requestCounts.delete(ip);
+  }
+}, 5 * 6e4).unref();
 function getIP(req) {
   return req.headers["x-forwarded-for"]?.split(",")[0]?.trim() ?? req.socket.remoteAddress ?? "unknown";
 }
@@ -3166,9 +3337,9 @@ function error(res, status, message) {
   json(res, status, { error: message, status });
 }
 async function handleAnalyze(body, res) {
-  const { path: projectPath } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
-  const absPath = resolve7(projectPath);
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   json(res, 200, {
     project: analysis.projectName,
@@ -3186,10 +3357,11 @@ async function handleAnalyze(body, res) {
   });
 }
 async function handleSelect(body, res) {
-  const { path: projectPath, task, budget } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
+  const { task, budget } = body;
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
   if (!task) return error(res, 400, "Missing required field: task");
-  const absPath = resolve7(projectPath);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   const selection = await selectContext({
     task,
@@ -3213,9 +3385,10 @@ async function handleSelect(body, res) {
   });
 }
 async function handleScore(body, res) {
-  const { path: projectPath, task, budget } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
-  const absPath = resolve7(projectPath);
+  const { task, budget } = body;
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   const score = await computeContextScore(
     analysis,
@@ -3238,9 +3411,10 @@ async function handleScore(body, res) {
   });
 }
 async function handleBenchmark(body, res) {
-  const { path: projectPath, task, budget } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
-  const absPath = resolve7(projectPath);
+  const { task, budget } = body;
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   const result = await runBenchmark(
     analysis,
@@ -3250,10 +3424,11 @@ async function handleBenchmark(body, res) {
   json(res, 200, result);
 }
 async function handleQuality(body, res) {
-  const { path: projectPath, task, budget } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
+  const { task, budget } = body;
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
   if (!task) return error(res, 400, "Missing required field: task");
-  const absPath = resolve7(projectPath);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   const result = await runQualityBenchmark(analysis, task, budget ?? 5e4);
   json(res, 200, {
@@ -3267,9 +3442,10 @@ async function handleQuality(body, res) {
   });
 }
 async function handlePRContext(body, res) {
-  const { path: projectPath, baseBranch, depth, includeTests } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
-  const absPath = resolve7(projectPath);
+  const { baseBranch, depth, includeTests } = body;
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   const pr = await generatePRContext(analysis, {
     baseBranch: baseBranch ?? "main",
@@ -3288,10 +3464,11 @@ async function handlePRContext(body, res) {
   });
 }
 async function handleInteract(body, res) {
-  const { path: projectPath, task, budget, model } = body;
-  if (!projectPath) return error(res, 400, "Missing required field: path");
+  const { task, budget, model } = body;
+  const check = validateProjectPath(body.path);
+  if (!check.valid) return error(res, 403, check.reason);
   if (!task) return error(res, 400, "Missing required field: task");
-  const absPath = resolve7(projectPath);
+  const absPath = check.absPath;
   const analysis = await getCachedAnalysis(absPath);
   const plan = await planInteraction({
     task,
@@ -3447,8 +3624,9 @@ function createAPIServer() {
       const body = req.method === "GET" ? {} : await readBody(req);
       await handler(body, res);
     } catch (err) {
-      console.error(`[CTO API] Error on ${routeKey}:`, err.message);
-      error(res, 500, err.message ?? "Internal server error");
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`[CTO API] Error on ${routeKey}:`, message);
+      error(res, 500, message || "Internal server error");
     }
   });
   return server2;