cto-ai-cli 5.2.0 → 7.1.0

package/dist/gateway/index.js

@@ -1,2932 +0,0 @@
-// src/gateway/server.ts
-import { createServer, Agent as HttpAgent } from "http";
-import { request as httpsRequest, Agent as HttpsAgent } from "https";
-import { request as httpRequest } from "http";
-import { URL } from "url";
-import { lookup } from "dns/promises";
-
-// src/gateway/types.ts
-var DEFAULT_GATEWAY_CONFIG = {
-  port: 8787,
-  host: "127.0.0.1",
-  optimize: true,
-  projectPath: ".",
-  budget: 5e4,
-  redactSecrets: true,
-  blockOnSecrets: false,
-  apiKey: "",
-  allowedTargetDomains: [],
-  // Empty = default LLM provider allowlist
-  maxBodyBytes: 10 * 1024 * 1024,
-  // 10MB
-  upstreamTimeoutMs: 12e4,
-  // 2 minutes (streaming can be slow)
-  costTracking: true,
-  budgetDaily: 0,
-  budgetMonthly: 0,
-  alertThreshold: 0.8,
-  auditLog: true,
-  logDir: ".cto/gateway",
-  dashboard: true,
-  dashboardPath: "/__cto"
-};
-var DEFAULT_ALLOWED_DOMAINS = /* @__PURE__ */ new Set([
-  "api.openai.com",
-  "api.anthropic.com",
-  "generativelanguage.googleapis.com",
-  "aiplatform.googleapis.com"
-  // Azure uses custom subdomains: *.openai.azure.com
-]);
-var PRIVATE_IP_PATTERNS = [
-  /^127\./,
-  // Loopback
-  /^10\./,
-  // Class A private
-  /^172\.(1[6-9]|2\d|3[01])\./,
-  // Class B private
-  /^192\.168\./,
-  // Class C private
-  /^169\.254\./,
-  // Link-local (AWS metadata!)
-  /^0\./,
-  // Current network
-  /^::1$/,
-  // IPv6 loopback
-  /^f[cd]/i,
-  // IPv6 private
-  /^fe80:/i
-  // IPv6 link-local
-];
-function isPrivateIP(ip) {
-  return PRIVATE_IP_PATTERNS.some((p) => p.test(ip));
-}
-function isAllowedTarget(hostname, config) {
-  if (config.allowedTargetDomains.length > 0) {
-    return config.allowedTargetDomains.some(
-      (d) => hostname === d || hostname.endsWith("." + d)
-    );
-  }
-  if (DEFAULT_ALLOWED_DOMAINS.has(hostname)) return true;
-  if (hostname.endsWith(".openai.azure.com")) return true;
-  return false;
-}
-
-// src/gateway/providers.ts
-var OPENAI_MODELS = [
-  { id: "gpt-4o", contextWindow: 128e3, costPerMInput: 2.5, costPerMOutput: 10, maxOutput: 16384 },
-  { id: "gpt-4o-mini", contextWindow: 128e3, costPerMInput: 0.15, costPerMOutput: 0.6, maxOutput: 16384 },
-  { id: "gpt-4-turbo", contextWindow: 128e3, costPerMInput: 10, costPerMOutput: 30, maxOutput: 4096 },
-  { id: "gpt-3.5-turbo", contextWindow: 16385, costPerMInput: 0.5, costPerMOutput: 1.5, maxOutput: 4096 },
-  { id: "o1", contextWindow: 2e5, costPerMInput: 15, costPerMOutput: 60, maxOutput: 1e5 },
-  { id: "o1-mini", contextWindow: 128e3, costPerMInput: 3, costPerMOutput: 12, maxOutput: 65536 },
-  { id: "o3-mini", contextWindow: 2e5, costPerMInput: 1.1, costPerMOutput: 4.4, maxOutput: 1e5 }
-];
-var ANTHROPIC_MODELS = [
-  { id: "claude-sonnet-4-20250514", contextWindow: 2e5, costPerMInput: 3, costPerMOutput: 15, maxOutput: 64e3 },
-  { id: "claude-3-5-haiku-20241022", contextWindow: 2e5, costPerMInput: 0.8, costPerMOutput: 4, maxOutput: 8192 },
-  { id: "claude-3-opus-20240229", contextWindow: 2e5, costPerMInput: 15, costPerMOutput: 75, maxOutput: 4096 }
-];
-var GOOGLE_MODELS = [
-  { id: "gemini-2.5-pro", contextWindow: 1e6, costPerMInput: 1.25, costPerMOutput: 10, maxOutput: 65536 },
-  { id: "gemini-2.0-flash", contextWindow: 1e6, costPerMInput: 0.1, costPerMOutput: 0.4, maxOutput: 8192 },
-  { id: "gemini-1.5-pro", contextWindow: 2e6, costPerMInput: 1.25, costPerMOutput: 5, maxOutput: 8192 }
-];
-function parseOpenAIRequest(body) {
-  const rawMessages = Array.isArray(body.messages) ? body.messages : [];
-  const messages = rawMessages.map((m) => ({
-    role: m.role || "user",
-    content: typeof m.content === "string" ? m.content : JSON.stringify(m.content)
-  }));
-  return {
-    model: body.model || "unknown",
-    messages,
-    stream: body.stream === true,
-    maxTokens: body.max_tokens ?? body.max_completion_tokens,
-    temperature: body.temperature
-  };
-}
-function parseOpenAIResponse(body, _streaming) {
-  const usage = body.usage;
-  const choices = Array.isArray(body.choices) ? body.choices : [];
-  const first = choices[0];
-  const msg = first?.message;
-  return {
-    model: body.model || "unknown",
-    inputTokens: usage?.prompt_tokens || 0,
-    outputTokens: usage?.completion_tokens || 0,
-    content: msg?.content || "",
-    finishReason: first?.finish_reason || "stop"
-  };
-}
-function parseAnthropicRequest(body) {
-  const messages = [];
-  if (body.system) {
-    messages.push({ role: "system", content: String(body.system) });
-  }
-  const rawMessages = Array.isArray(body.messages) ? body.messages : [];
-  for (const m of rawMessages) {
-    const content = typeof m.content === "string" ? m.content : Array.isArray(m.content) ? m.content.map((b) => String(b.text ?? "")).join("\n") : "";
-    const role = m.role || "user";
-    messages.push({ role, content });
-  }
-  return {
-    model: body.model || "unknown",
-    messages,
-    stream: body.stream === true,
-    maxTokens: body.max_tokens,
-    temperature: body.temperature
-  };
-}
-function parseAnthropicResponse(body, _streaming) {
-  const usage = body.usage;
-  const contentBlocks = Array.isArray(body.content) ? body.content : [];
-  return {
-    model: body.model || "unknown",
-    inputTokens: usage?.input_tokens || 0,
-    outputTokens: usage?.output_tokens || 0,
-    content: contentBlocks.map((b) => String(b.text ?? "")).join("\n"),
-    finishReason: body.stop_reason || "end_turn"
-  };
-}
-function parseGoogleRequest(body) {
-  const messages = [];
-  const sysInst = body.systemInstruction;
-  if (sysInst && Array.isArray(sysInst.parts)) {
-    messages.push({
-      role: "system",
-      content: sysInst.parts.map((p) => String(p.text ?? "")).join("\n")
-    });
-  }
-  const contents = Array.isArray(body.contents) ? body.contents : [];
-  for (const item of contents) {
-    const role = item.role === "model" ? "assistant" : "user";
-    const parts = Array.isArray(item.parts) ? item.parts : [];
-    const content = parts.map((p) => String(p.text ?? "")).join("\n");
-    messages.push({ role, content });
-  }
-  const model = body.model || body.modelId || "gemini-2.0-flash";
-  const genConfig = body.generationConfig;
-  return {
-    model,
-    messages,
-    stream: body.stream === true,
-    maxTokens: genConfig?.maxOutputTokens,
-    temperature: genConfig?.temperature
-  };
-}
-function parseGoogleResponse(body, _streaming) {
-  const candidates = Array.isArray(body.candidates) ? body.candidates : [];
-  const candidate = candidates[0];
-  const usage = body.usageMetadata;
-  const candidateContent = candidate?.content;
-  const parts = Array.isArray(candidateContent?.parts) ? candidateContent.parts : [];
-  return {
-    model: body.modelVersion || body.model || "gemini-2.0-flash",
-    inputTokens: usage?.promptTokenCount || 0,
-    outputTokens: usage?.candidatesTokenCount || 0,
-    content: parts.map((p) => String(p.text ?? "")).join("\n"),
-    finishReason: candidate?.finishReason || "STOP"
-  };
-}
-var PROVIDERS = {
-  openai: {
-    name: "openai",
-    displayName: "OpenAI",
-    baseUrl: "https://api.openai.com",
-    authHeader: "Authorization",
-    chatPath: "/v1/chat/completions",
-    models: OPENAI_MODELS,
-    parseRequest: parseOpenAIRequest,
-    parseResponse: parseOpenAIResponse,
-    detectProvider: (url, _headers) => url.includes("api.openai.com") || url.includes("/v1/chat/completions")
-  },
-  anthropic: {
-    name: "anthropic",
-    displayName: "Anthropic",
-    baseUrl: "https://api.anthropic.com",
-    authHeader: "x-api-key",
-    chatPath: "/v1/messages",
-    models: ANTHROPIC_MODELS,
-    parseRequest: parseAnthropicRequest,
-    parseResponse: parseAnthropicResponse,
-    detectProvider: (url, headers) => url.includes("api.anthropic.com") || url.includes("/v1/messages") || !!headers["x-api-key"] || !!headers["anthropic-version"]
-  },
-  google: {
-    name: "google",
-    displayName: "Google AI",
-    baseUrl: "https://generativelanguage.googleapis.com",
-    authHeader: "x-goog-api-key",
-    chatPath: "/v1beta/models",
-    models: GOOGLE_MODELS,
-    parseRequest: parseGoogleRequest,
-    parseResponse: parseGoogleResponse,
-    detectProvider: (url, _headers) => url.includes("generativelanguage.googleapis.com") || url.includes("aiplatform.googleapis.com")
-  },
-  "azure-openai": {
-    name: "azure-openai",
-    displayName: "Azure OpenAI",
-    baseUrl: "",
-    authHeader: "api-key",
-    chatPath: "/openai/deployments",
-    models: OPENAI_MODELS,
-    // Same models, different hosting
-    parseRequest: parseOpenAIRequest,
-    parseResponse: parseOpenAIResponse,
-    detectProvider: (url, headers) => url.includes(".openai.azure.com") || !!headers["api-key"]
-  },
-  custom: {
-    name: "custom",
-    displayName: "Custom (OpenAI-compatible)",
-    baseUrl: "",
-    authHeader: "Authorization",
-    chatPath: "/v1/chat/completions",
-    models: [],
-    parseRequest: parseOpenAIRequest,
-    parseResponse: parseOpenAIResponse,
-    detectProvider: () => false
-    // Fallback only
-  }
-};
-function detectProvider(url, headers) {
-  for (const provider of Object.values(PROVIDERS)) {
-    if (provider.name === "custom") continue;
-    if (provider.detectProvider(url, headers)) return provider;
-  }
-  return PROVIDERS.custom;
-}
-function getModelConfig(provider, modelId) {
-  const exact = provider.models.find((m) => m.id === modelId);
-  if (exact) return exact;
-  return provider.models.find((m) => modelId.startsWith(m.id) || m.id.startsWith(modelId));
-}
-function estimateCost(provider, modelId, inputTokens, outputTokens) {
-  const model = getModelConfig(provider, modelId);
-  if (!model) return 0;
-  const inputCost = inputTokens / 1e6 * model.costPerMInput;
-  const outputCost = outputTokens / 1e6 * model.costPerMOutput;
-  return Math.round((inputCost + outputCost) * 1e6) / 1e6;
-}
-
-// src/govern/secrets.ts
-import { readFile } from "fs/promises";
-import { readFileSync, existsSync, mkdirSync, writeFileSync } from "fs";
-import { resolve, relative, join, dirname } from "path";
-import { createHash } from "crypto";
-var BUILTIN_PATTERNS = [
-  // API Keys
-  { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
-  { type: "api-key", source: "sk-[a-zA-Z0-9]{20,}", flags: "g", severity: "critical", description: "OpenAI/Anthropic API Key" },
-  { type: "api-key", source: "sk-ant-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "Anthropic API Key" },
-  // AWS
-  { type: "aws-key", source: "AKIA[0-9A-Z]{16}", flags: "g", severity: "critical", description: "AWS Access Key ID" },
-  { type: "aws-key", source: `(?:aws_secret_access_key|aws_secret)\\s*[:=]\\s*['"]?([a-zA-Z0-9/+=]{40})['"]?`, flags: "gi", severity: "critical", description: "AWS Secret Key" },
-  // Private Keys
-  { type: "private-key", source: "-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", flags: "g", severity: "critical", description: "Private Key" },
-  { type: "private-key", source: "-----BEGIN OPENSSH PRIVATE KEY-----", flags: "g", severity: "critical", description: "SSH Private Key" },
-  // Passwords
-  { type: "password", source: `(?:password|passwd|pwd)\\s*[:=]\\s*['"]([^'"]{8,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Hardcoded Password" },
-  { type: "password", source: `(?:DB_PASSWORD|DATABASE_PASSWORD|MYSQL_PASSWORD|POSTGRES_PASSWORD)\\s*[:=]\\s*['"]?([^'"{}\\s]{4,})['"]?`, flags: "gi", severity: "high", description: "Database Password" },
-  // Tokens
-  { type: "token", source: `(?:bearer|token|auth_token|access_token|refresh_token)\\s*[:=]\\s*['"]([a-zA-Z0-9_\\-.]{20,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Auth Token" },
-  { type: "token", source: "ghp_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub Personal Access Token" },
-  { type: "token", source: "gho_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub OAuth Token" },
-  { type: "token", source: "glpat-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "GitLab Personal Access Token" },
-  { type: "token", source: "npm_[a-zA-Z0-9]{36}", flags: "g", severity: "high", description: "npm Token" },
-  // Connection strings
-  { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
-  { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
-  // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
-  // Stripe
-  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
-  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
-  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
-  // Slack
-  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
-  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
-  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
-  // Google
-  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
-  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
-  // Azure
-  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
-  // Twilio
-  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
-  // SendGrid
-  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
-  // JWT
-  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
-  // Datadog
-  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
-  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
-  // Sentry
-  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
-  // Firebase
-  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
-  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
-  // Supabase
-  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
-  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
-  // Vercel
-  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
-  // Heroku
-  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
-  // DigitalOcean
-  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
-  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
-  // Mailgun
-  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
-  // PII
-  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
-  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
-];
-var _cachedBuiltinPatterns = null;
-function getBuiltinPatterns() {
-  if (!_cachedBuiltinPatterns) {
-    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
-      type: def.type,
-      pattern: new RegExp(def.source, def.flags),
-      severity: def.severity,
-      description: def.description
-    }));
-  }
-  return _cachedBuiltinPatterns;
-}
-function buildPatterns(customPatterns = []) {
-  const builtins = getBuiltinPatterns();
-  if (customPatterns.length === 0) return builtins;
-  const patterns = [...builtins];
-  for (const custom of customPatterns) {
-    try {
-      patterns.push({
-        type: "custom",
-        pattern: new RegExp(custom, "gi"),
-        severity: "medium",
-        description: `Custom pattern: ${custom}`
-      });
-    } catch {
-    }
-  }
-  return patterns;
-}
-function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
-  const findings = [];
-  const lines = content.split("\n");
-  const allPatterns = buildPatterns(customPatterns);
-  for (const secretPattern of allPatterns) {
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      secretPattern.pattern.lastIndex = 0;
-      let match;
-      while ((match = secretPattern.pattern.exec(line)) !== null) {
-        const matchText = match[0];
-        if (isTemplateOrPlaceholder(matchText)) continue;
-        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
-        findings.push({
-          type: secretPattern.type,
-          file: filePath,
-          line: i + 1,
-          match: matchText,
-          redacted: redactSecret(matchText),
-          severity: secretPattern.severity
-        });
-      }
-    }
-  }
-  return deduplicateFindings(findings);
-}
-async function scanFileForSecrets(filePath, projectPath, customPatterns = []) {
-  try {
-    const content = await readFile(filePath, "utf-8");
-    const relPath = relative(resolve(projectPath), resolve(filePath));
-    return scanContentForSecrets(content, relPath, customPatterns);
-  } catch {
-    return [];
-  }
-}
-function sanitizeContent(content, customPatterns = []) {
-  let sanitized = content;
-  const allPatterns = buildPatterns(customPatterns);
-  for (const secretPattern of allPatterns) {
-    sanitized = sanitized.replace(secretPattern.pattern, (match) => {
-      if (isTemplateOrPlaceholder(match)) return match;
-      return redactSecret(match);
-    });
-  }
-  return sanitized;
-}
-function redactSecret(value) {
-  if (value.length <= 8) return "***REDACTED***";
-  const prefix = value.substring(0, 4);
-  const suffix = value.substring(value.length - 2);
-  return `${prefix}${"*".repeat(Math.min(value.length - 6, 20))}${suffix}`;
-}
-function isTemplateOrPlaceholder(value) {
-  const placeholders = [
-    /\$\{.*\}/,
-    /\{\{.*\}\}/,
-    /%[sd]/,
-    /<[A-Z_]+>/,
-    /YOUR_.*_HERE/i,
-    /\bCHANGE_ME\b/i,
-    /\bPLACEHOLDER\b/i,
-    /\bexample\b/i,
-    /\bTODO\b/i,
-    /xxx+/i,
-    /\breplace.?me\b/i,
-    /\bdummy\b/i,
-    /\btest_?key\b/i,
-    /\bsample\b/i
-  ];
-  return placeholders.some((p) => p.test(value));
-}
-var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
-  "example.com",
-  "example.org",
-  "example.net",
-  "test.com",
-  "test.org",
-  "test.net",
-  "localhost",
-  "localhost.localdomain",
-  "email.com",
-  "mail.com",
-  "foo.com",
-  "bar.com",
-  "baz.com",
-  "acme.com",
-  "company.com",
-  "corp.com",
-  "noreply.com",
-  "no-reply.com",
-  "users.noreply.github.com",
-  "placeholder.com"
-]);
-function isSafeEmail(value, extraDomains) {
-  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
-  if (!match) return false;
-  const domain = match[1].toLowerCase();
-  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
-  if (extraDomains && extraDomains.has(domain)) return true;
-  return false;
-}
-function deduplicateFindings(findings) {
-  const seen = /* @__PURE__ */ new Set();
-  return findings.filter((f) => {
-    const key = `${f.file}:${f.line}:${f.type}:${f.match}`;
-    if (seen.has(key)) return false;
-    seen.add(key);
-    return true;
-  });
-}
-
-// src/engine/selector.ts
-import { createHash as createHash2 } from "crypto";
-
-// src/engine/pruner.ts
-import { readFile as readFile3 } from "fs/promises";
-
-// src/engine/tokenizer.ts
-import { encodingForModel } from "js-tiktoken";
-import { readFile as readFile2, stat } from "fs/promises";
-var CHARS_PER_TOKEN = 4;
-var encoder = null;
-function getEncoder() {
-  if (!encoder) {
-    encoder = encodingForModel("claude-3-5-sonnet-20241022");
-  }
-  return encoder;
-}
-function countTokensTiktoken(text) {
-  try {
-    const enc = getEncoder();
-    const tokens = enc.encode(text);
-    return tokens.length;
-  } catch {
-    return Math.ceil(text.length / CHARS_PER_TOKEN);
-  }
-}
-function countTokensChars4(sizeInBytes) {
-  return Math.ceil(sizeInBytes / CHARS_PER_TOKEN);
-}
-function estimateTokens(content, sizeInBytes, method = "chars4") {
-  if (method === "tiktoken") {
-    return countTokensTiktoken(content);
-  }
-  return countTokensChars4(sizeInBytes);
-}
-
-// src/engine/pruner.ts
-var TS_EXTENSIONS = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs"]);
-async function pruneFile(file, level) {
-  if (level === "excluded") {
-    return emptyResult(file, "excluded");
-  }
-  if (level === "full") {
-    return fullContent(file);
-  }
-  const ext = file.extension.toLowerCase();
-  const isTS = TS_EXTENSIONS.has(ext);
-  if (isTS) {
-    return pruneTypeScript(file, level);
-  }
-  return pruneGeneric(file, level);
-}
-async function pruneTypeScript(file, level) {
-  let content;
-  try {
-    content = await readFile3(file.path, "utf-8");
-  } catch {
-    return emptyResult(file, level);
-  }
-  const prunedContent = level === "signatures" ? extractSignaturesRegex(content) : extractSkeletonRegex(content);
-  const prunedTokens = countTokensChars4(Buffer.byteLength(prunedContent, "utf-8"));
-  const savingsPercent = file.tokens > 0 ? (file.tokens - prunedTokens) / file.tokens * 100 : 0;
-  return {
-    relativePath: file.relativePath,
-    originalTokens: file.tokens,
-    prunedTokens,
-    pruneLevel: level,
-    content: prunedContent,
-    savingsPercent: Math.max(0, savingsPercent)
-  };
-}
-function extractSignaturesRegex(content) {
-  const lines = content.split("\n");
-  const parts = [];
-  let i = 0;
-  while (i < lines.length) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    if (trimmed === "") {
-      i++;
-      continue;
-    }
-    if (trimmed.startsWith("/**")) {
-      const docLines = [];
-      while (i < lines.length) {
-        docLines.push(lines[i]);
-        if (lines[i].includes("*/")) {
-          i++;
-          break;
-        }
-        i++;
-      }
-      parts.push(docLines.join("\n"));
-      continue;
-    }
-    if (trimmed.startsWith("//")) {
-      parts.push(line);
-      i++;
-      continue;
-    }
-    if (/^\s*(import|export)\s/.test(line) && (trimmed.includes(" from ") || trimmed.startsWith("import "))) {
-      const block = collectBracedLine(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^\s*export\s*(\{|\*)/.test(trimmed)) {
-      const block = collectBracedLine(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^\s*(export\s+)?type\s+\w/.test(trimmed) && !trimmed.startsWith("typeof")) {
-      const block = collectBalanced(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^\s*(export\s+)?interface\s+\w/.test(trimmed)) {
-      const block = collectBalanced(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^\s*(export\s+)?(const\s+)?enum\s+\w/.test(trimmed)) {
-      const block = collectBalanced(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    const fnMatch = trimmed.match(/^(export\s+)?(async\s+)?function\s+(\w+)/);
-    if (fnMatch) {
-      const sig = extractFnSignature(lines, i);
-      parts.push(`${sig} { /* ... */ }`);
-      i = skipBlock(lines, i);
-      continue;
-    }
-    const arrowMatch = trimmed.match(/^(export\s+)?(const|let|var)\s+(\w+)/);
-    if (arrowMatch && looksLikeFunctionDecl(lines, i)) {
-      const prefix = trimmed.match(/^((?:export\s+)?(?:const|let|var)\s+\w+[^=]*=)/)?.[1];
-      if (prefix) {
-        parts.push(`${prefix} /* ... */;`);
-      }
-      i = skipBlock(lines, i);
-      continue;
-    }
-    if (arrowMatch) {
-      const block = collectStatement(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^\s*(export\s+)?(abstract\s+)?class\s+\w/.test(trimmed)) {
-      const classOutline = extractClassOutline(lines, i);
-      parts.push(classOutline.text);
-      i = classOutline.nextIndex;
-      continue;
-    }
-    i++;
-  }
-  return parts.join("\n");
-}
-function extractSkeletonRegex(content) {
-  const lines = content.split("\n");
-  const parts = [];
-  let i = 0;
-  while (i < lines.length) {
-    const trimmed = lines[i].trim();
-    if (/^import\s/.test(trimmed)) {
-      const block = collectBracedLine(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^export\s+(type|interface)\s+\w/.test(trimmed)) {
-      const block = collectBalanced(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^export\s+(const\s+)?enum\s+\w/.test(trimmed)) {
-      const block = collectBalanced(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    if (/^export\s+(async\s+)?function\s+\w/.test(trimmed)) {
-      const sig = extractFnSignature(lines, i);
-      parts.push(`${sig};`);
-      i = skipBlock(lines, i);
-      continue;
-    }
-    if (/^export\s+(abstract\s+)?class\s+/.test(trimmed)) {
-      const nameMatch = trimmed.match(/class\s+(\w+)/);
-      const name = nameMatch?.[1] ?? "Unknown";
-      const end = skipBlock(lines, i);
-      const methods = [];
-      for (let j = i + 1; j < end; j++) {
-        const mt = lines[j].trim();
-        const mm = mt.match(/^(?:static\s+)?(?:async\s+)?(\w+)\s*\(/);
-        if (mm && mm[1] !== "constructor") methods.push(mm[1]);
-      }
-      parts.push(`export class ${name} { /* methods: ${methods.join(", ")} */ }`);
-      i = end;
-      continue;
-    }
-    if (/^export\s*(\{|\*)/.test(trimmed)) {
-      const block = collectBracedLine(lines, i);
-      parts.push(block.text);
-      i = block.nextIndex;
-      continue;
-    }
-    i++;
-  }
-  return parts.join("\n");
-}
-function collectBracedLine(lines, start) {
-  let text = lines[start];
-  let i = start + 1;
-  while (i < lines.length && !text.includes(";") && !text.trimEnd().endsWith("'") && !text.trimEnd().endsWith('"')) {
-    text += "\n" + lines[i];
-    i++;
-  }
-  return { text, nextIndex: i };
-}
-function collectBalanced(lines, start) {
-  let depth = 0;
-  let text = "";
-  let i = start;
-  let started = false;
-  while (i < lines.length) {
-    const line = lines[i];
-    text += (text ? "\n" : "") + line;
-    for (const ch of line) {
-      if (ch === "{" || ch === "(") {
-        depth++;
-        started = true;
-      }
-      if (ch === "}" || ch === ")") depth--;
-    }
-    i++;
-    if (started && depth <= 0) break;
-    if (!started && line.includes(";")) break;
-  }
-  return { text, nextIndex: i };
-}
-function collectStatement(lines, start) {
-  let text = lines[start];
-  let i = start + 1;
-  if (text.includes(";")) return { text, nextIndex: i };
-  let depth = 0;
-  for (const ch of text) {
-    if (ch === "{" || ch === "(" || ch === "[") depth++;
-    if (ch === "}" || ch === ")" || ch === "]") depth--;
-  }
-  while (i < lines.length && depth > 0) {
-    text += "\n" + lines[i];
-    for (const ch of lines[i]) {
-      if (ch === "{" || ch === "(" || ch === "[") depth++;
-      if (ch === "}" || ch === ")" || ch === "]") depth--;
-    }
-    i++;
-  }
-  return { text, nextIndex: i };
-}
-function extractFnSignature(lines, start) {
-  let sig = "";
-  let i = start;
-  while (i < lines.length) {
-    const line = lines[i].trim();
-    sig += (sig ? " " : "") + line;
-    if (line.includes("{")) {
-      sig = sig.replace(/\s*\{[^]*$/, "").trim();
-      break;
-    }
-    i++;
-  }
-  return sig;
-}
-function skipBlock(lines, start) {
-  let depth = 0;
-  let i = start;
-  let foundBrace = false;
-  while (i < lines.length) {
-    for (const ch of lines[i]) {
-      if (ch === "{") {
-        depth++;
-        foundBrace = true;
-      }
-      if (ch === "}") depth--;
-    }
-    i++;
-    if (foundBrace && depth <= 0) break;
-    if (!foundBrace && lines[i - 1].includes(";")) break;
-  }
-  return i;
-}
-function looksLikeFunctionDecl(lines, start) {
-  const chunk = lines.slice(start, Math.min(start + 5, lines.length)).join(" ");
-  return /=>/.test(chunk) || /=\s*function/.test(chunk);
-}
-function extractClassOutline(lines, start) {
-  const header = lines[start].trim();
-  let headerText = header;
-  let i = start + 1;
-  if (!header.includes("{")) {
-    while (i < lines.length) {
-      headerText += " " + lines[i].trim();
-      if (lines[i].includes("{")) {
-        i++;
-        break;
-      }
-      i++;
-    }
-  } else {
-    i = start + 1;
-  }
-  const bodyParts = [headerText.replace(/\{[^]*$/, "{").trim()];
-  let depth = 1;
-  while (i < lines.length && depth > 0) {
-    const line = lines[i];
-    const trimmed = line.trim();
-    for (const ch of line) {
-      if (ch === "{") depth++;
-      if (ch === "}") depth--;
-    }
-    if (depth <= 0) {
-      i++;
-      break;
-    }
-    if (depth === 1) {
-      if (/^(private|protected|public|readonly|static|#)/.test(trimmed) && !trimmed.includes("(")) {
-        bodyParts.push(`  ${trimmed}`);
-      } else if (/^constructor\s*\(/.test(trimmed)) {
-        const sig = extractFnSignature(lines, i);
-        bodyParts.push(`  ${sig} { /* ... */ }`);
-      } else if (/^(?:static\s+)?(?:async\s+)?(?:get\s+|set\s+)?\w+\s*[(<]/.test(trimmed) && !trimmed.startsWith("//")) {
-        const sig = extractFnSignature(lines, i);
-        bodyParts.push(`  ${sig} { /* ... */ }`);
-      }
-    }
-    i++;
-  }
-  bodyParts.push("}");
-  return { text: bodyParts.join("\n"), nextIndex: i };
-}
-async function pruneGeneric(file, level) {
-  let content;
-  try {
-    content = await readFile3(file.path, "utf-8");
-  } catch {
-    return emptyResult(file, level);
-  }
-  return pruneGenericFromContent(file, content, level);
-}
-function pruneGenericFromContent(file, content, level) {
-  const lines = content.split("\n");
-  let result;
-  if (level === "signatures") {
-    result = lines.filter((line) => {
-      const t = line.trim();
-      return t === "" || t.startsWith("#") || t.startsWith("//") || t.startsWith("import ") || t.startsWith("from ") || t.startsWith("export ") || t.startsWith("def ") || t.startsWith("async def ") || t.startsWith("class ") || t.startsWith("function ") || t.startsWith("const ") || t.startsWith("let ") || t.startsWith("var ") || /^(pub |fn |struct |enum |impl |mod |use )/.test(t);
-    });
-  } else {
-    result = lines.filter((line) => {
-      const t = line.trim();
-      return t.startsWith("import ") || t.startsWith("from ") || t.startsWith("export ") || t.startsWith("def ") || t.startsWith("class ") || t.startsWith("function ") || /^(pub |fn |struct |enum |mod |use )/.test(t);
-    });
-  }
-  const prunedContent = result.join("\n");
-  const prunedTokens = countTokensChars4(Buffer.byteLength(prunedContent, "utf-8"));
-  const savingsPercent = file.tokens > 0 ? (file.tokens - prunedTokens) / file.tokens * 100 : 0;
-  return {
-    relativePath: file.relativePath,
-    originalTokens: file.tokens,
-    prunedTokens,
-    pruneLevel: level,
-    content: prunedContent,
-    savingsPercent: Math.max(0, savingsPercent)
-  };
-}
-async function fullContent(file) {
-  let content = "";
-  try {
-    content = await readFile3(file.path, "utf-8");
-  } catch {
-  }
-  return {
-    relativePath: file.relativePath,
-    originalTokens: file.tokens,
-    prunedTokens: file.tokens,
-    pruneLevel: "full",
-    content,
-    savingsPercent: 0
-  };
-}
-function emptyResult(file, level) {
-  return {
-    relativePath: file.relativePath,
-    originalTokens: file.tokens,
-    prunedTokens: 0,
-    pruneLevel: level,
-    content: "",
-    savingsPercent: 100
-  };
-}
-
-// src/engine/graph-utils.ts
-function buildAdjacencyList(edges) {
-  const forward = /* @__PURE__ */ new Map();
-  const reverse = /* @__PURE__ */ new Map();
-  for (const edge of edges) {
-    if (!forward.has(edge.from)) forward.set(edge.from, []);
-    forward.get(edge.from).push(edge.to);
-    if (!reverse.has(edge.to)) reverse.set(edge.to, []);
-    reverse.get(edge.to).push(edge.from);
-  }
-  return { forward, reverse };
-}
-function bfsBidirectional(seeds, adj, depth) {
-  const result = new Set(seeds);
-  let frontier = [...seeds];
-  const visited = /* @__PURE__ */ new Set();
-  for (let d = 0; d < depth; d++) {
-    const nextFrontier = [];
-    for (const node of frontier) {
-      if (visited.has(node)) continue;
-      visited.add(node);
-      const fwd = adj.forward.get(node);
-      if (fwd) {
-        for (const neighbor of fwd) {
-          if (!visited.has(neighbor)) {
-            result.add(neighbor);
-            nextFrontier.push(neighbor);
-          }
-        }
-      }
-      const rev = adj.reverse.get(node);
-      if (rev) {
-        for (const neighbor of rev) {
-          if (!visited.has(neighbor)) {
-            result.add(neighbor);
-            nextFrontier.push(neighbor);
-          }
-        }
-      }
-    }
-    frontier = nextFrontier;
-  }
-  return result;
-}
-function matchGlob(path, pattern) {
-  const regexStr = pattern.replace(/\./g, "\\.").replace(/\*\*/g, "\xA7\xA7").replace(/\*/g, "[^/]*").replace(/§§/g, ".*").replace(/\?/g, ".");
-  try {
-    return new RegExp(`^${regexStr}$`).test(path);
-  } catch {
-    return false;
-  }
-}
-
-// src/engine/coverage.ts
-function calculateCoverage(targetPaths, includedPaths, allFiles, graph, depth = 2) {
-  const adj = buildAdjacencyList(graph.edges);
-  const relevantSet = targetPaths.length > 0 ? bfsBidirectional(targetPaths, adj, depth) : /* @__PURE__ */ new Set();
-  const includedSet = new Set(includedPaths);
-  const tempFileMap = new Map(allFiles.map((f) => [f.relativePath, f]));
-  for (const path of includedPaths) {
-    const file = tempFileMap.get(path);
-    if (!file) continue;
-    for (const imp of file.imports) {
-      const impFile = tempFileMap.get(imp);
-      if (impFile && impFile.kind === "type") {
-        relevantSet.add(imp);
-      }
-    }
-  }
-  const relevantFiles = Array.from(relevantSet);
-  const includedRelevant = relevantFiles.filter((f) => includedSet.has(f));
-  const missingRelevant = relevantFiles.filter((f) => !includedSet.has(f));
-  const missingCritical = missingRelevant.filter((f) => {
-    const file = tempFileMap.get(f);
-    return file && (file.exclusionImpact === "critical" || file.exclusionImpact === "high");
-  });
-  const fileMap = new Map(allFiles.map((f) => [f.relativePath, f]));
-  let totalRelevantRisk = 0;
-  let includedRelevantRisk = 0;
-  for (const f of relevantFiles) {
-    const risk = fileMap.get(f)?.riskScore ?? 1;
-    totalRelevantRisk += risk;
-    if (includedSet.has(f)) {
-      includedRelevantRisk += risk;
-    }
-  }
-  const score = totalRelevantRisk > 0 ? Math.round(includedRelevantRisk / totalRelevantRisk * 100) : relevantFiles.length > 0 ? Math.round(includedRelevant.length / relevantFiles.length * 100) : 100;
-  let explanation;
-  if (score >= 90) {
-    explanation = `Excellent coverage (${score}%): AI has nearly all relevant context.`;
-  } else if (score >= 70) {
-    explanation = `Good coverage (${score}%): Most relevant files included.`;
-    if (missingCritical.length > 0) {
-      explanation += ` Warning: ${missingCritical.length} critical file(s) missing.`;
-    }
-  } else if (score >= 50) {
-    explanation = `Partial coverage (${score}%): Significant context is missing.`;
-    if (missingCritical.length > 0) {
-      explanation += ` ${missingCritical.length} critical file(s) not included \u2014 AI quality will degrade.`;
-    }
-  } else {
-    explanation = `Low coverage (${score}%): Most relevant files are excluded. AI response quality will be poor.`;
-  }
-  return {
-    score,
-    relevantFiles,
-    includedRelevant,
-    missingRelevant,
-    missingCritical,
-    explanation
-  };
-}
-
-// src/engine/budget.ts
-function getPruneLevelForRisk(riskScore) {
-  if (riskScore >= 80) return "full";
-  if (riskScore >= 60) return "full";
-  if (riskScore >= 30) return "signatures";
-  return "skeleton";
-}
-
-// src/engine/selector.ts
-async function selectContext(input) {
-  const { task, analysis, budget, policies, depth = 2 } = input;
-  const decisions = [];
-  const targetPaths = identifyTargetFiles(task, analysis.files);
-  if (targetPaths.length > 0) {
-    decisions.push({
-      file: targetPaths.join(", "),
-      action: "include-full",
-      reason: `Target file(s) identified from task description`
-    });
-  }
-  const adj = buildAdjacencyList(analysis.graph.edges);
-  const expandedPaths = targetPaths.length > 0 ? Array.from(bfsBidirectional(targetPaths, adj, depth)) : [];
-  const expansionCount = expandedPaths.length - targetPaths.length;
-  if (expansionCount > 0) {
-    decisions.push({
-      file: `${expansionCount} dependencies`,
-      action: "include-full",
-      reason: `Expanded ${targetPaths.length} target(s) to ${expandedPaths.length} files via dependency graph (depth ${depth})`
-    });
-  }
-  const allFileMap = new Map(analysis.files.map((f) => [f.relativePath, f]));
-  if (targetPaths.length > 0) {
-    for (const path of expandedPaths) {
-      const file = allFileMap.get(path);
-      if (!file) continue;
-      for (const imp of file.imports) {
-        const impFile = allFileMap.get(imp);
-        if (impFile && impFile.kind === "type") {
-          expandedPaths.push(imp);
-        }
-      }
-    }
-  }
-  const { mustInclude, mustExclude } = applyPolicies(analysis.files, policies);
-  const candidateSet = /* @__PURE__ */ new Set([...expandedPaths, ...mustInclude]);
-  if (targetPaths.length === 0) {
-    for (const f of analysis.files) {
-      candidateSet.add(f.relativePath);
-    }
-  }
-  for (const ex of mustExclude) {
-    candidateSet.delete(ex);
-    decisions.push({
-      file: ex,
-      action: "exclude",
-      reason: "Excluded by policy"
-    });
-  }
-  const hasSecretBlock = policies?.rules.some(
-    (r) => r.type === "secret-block" && r.enabled
-  );
-  if (hasSecretBlock) {
-    for (const path of Array.from(candidateSet)) {
-      const file = allFileMap.get(path);
-      if (!file) continue;
-      const findings = await scanFileForSecrets(
-        file.path,
-        analysis.projectPath
-      );
-      if (findings.length > 0) {
-        candidateSet.delete(path);
-        decisions.push({
-          file: path,
-          action: "exclude",
-          reason: `Blocked: ${findings.length} secret(s) detected (${findings.map((f) => f.type).join(", ")})`
-        });
-      }
-    }
-  }
-  const candidates = Array.from(candidateSet).map((p) => allFileMap.get(p)).filter((f) => f !== void 0).sort((a, b) => {
-    const aIsTarget = targetPaths.includes(a.relativePath) ? 0 : 1;
-    const bIsTarget = targetPaths.includes(b.relativePath) ? 0 : 1;
-    if (aIsTarget !== bIsTarget) return aIsTarget - bIsTarget;
-    const aIsMust = mustInclude.has(a.relativePath) ? 0 : 1;
-    const bIsMust = mustInclude.has(b.relativePath) ? 0 : 1;
-    if (aIsMust !== bIsMust) return aIsMust - bIsMust;
-    return b.riskScore - a.riskScore;
-  });
-  const selectedFiles = [];
-  let usedTokens = 0;
-  for (const file of candidates) {
-    const isTarget = targetPaths.includes(file.relativePath);
-    const isMustInclude = mustInclude.has(file.relativePath);
-    const defaultLevel = isTarget ? "full" : getPruneLevelForRisk(file.riskScore);
-    const levels = getCascadeLevels(defaultLevel);
-    let included = false;
-    for (const level of levels) {
-      if (level === "excluded") break;
-      let tokens;
-      if (level === "full") {
-        tokens = file.tokens;
-      } else {
-        const pruned = await pruneFile(file, level);
-        tokens = pruned.prunedTokens;
-      }
-      if (usedTokens + tokens <= budget) {
-        usedTokens += tokens;
-        selectedFiles.push({
-          relativePath: file.relativePath,
-          tokens,
-          originalTokens: file.tokens,
-          pruneLevel: level,
-          riskScore: file.riskScore,
-          reason: buildReason(file, level, isTarget, isMustInclude)
-        });
-        if (level !== defaultLevel) {
-          decisions.push({
-            file: file.relativePath,
-            action: `include-${level}`,
-            reason: `Downgraded from ${defaultLevel} to ${level} due to budget constraint`,
-            alternatives: `Would need ${file.tokens - tokens} more tokens for ${defaultLevel}`
-          });
-        }
-        included = true;
-        break;
-      }
-    }
-    if (!included) {
-      decisions.push({
-        file: file.relativePath,
-        action: "exclude",
-        reason: `Budget exhausted (risk: ${file.riskScore}, needs ${file.tokens} tokens)`
-      });
-    }
-  }
-  const includedPaths = selectedFiles.map((f) => f.relativePath);
-  const coverage = calculateCoverage(
-    targetPaths,
-    includedPaths,
-    analysis.files,
-    analysis.graph,
-    depth
-  );
-  const includedSet = new Set(includedPaths);
-  const excludedFiles = analysis.files.filter(
-    (f) => !includedSet.has(f.relativePath)
-  );
-  const excludedRisk = excludedFiles.length > 0 ? Math.round(excludedFiles.reduce((s, f) => s + f.riskScore, 0) / excludedFiles.length) : 0;
-  const hashInput = selectedFiles.map((f) => `${f.relativePath}:${f.pruneLevel}`).sort().join("|") + `|budget:${budget}`;
-  const hash = createHash2("sha256").update(hashInput).digest("hex").substring(0, 16);
-  return {
-    files: selectedFiles,
-    totalTokens: usedTokens,
-    budget,
-    usedPercent: budget > 0 ? Math.round(usedTokens / budget * 100 * 10) / 10 : 0,
-    coverage,
-    riskScore: excludedRisk,
-    deterministic: true,
-    hash,
-    decisions
-  };
-}
-function identifyTargetFiles(task, files) {
-  const targets = [];
-  const pathPattern = /(?:^|\s|["'`])([.\w/-]+\.[a-zA-Z]{1,4})(?:\s|$|["'`]|,|:)/g;
-  let match;
-  while ((match = pathPattern.exec(task)) !== null) {
-    const candidate = match[1];
-    const found = files.find(
-      (f) => f.relativePath === candidate || f.relativePath.endsWith(candidate)
-    );
-    if (found && !targets.includes(found.relativePath)) {
-      targets.push(found.relativePath);
-    }
-  }
-  return targets;
-}
-function applyPolicies(files, policies) {
-  const mustInclude = /* @__PURE__ */ new Set();
-  const mustExclude = /* @__PURE__ */ new Set();
-  if (!policies) return { mustInclude, mustExclude };
-  for (const rule of policies.rules) {
-    if (!rule.enabled) continue;
-    if (rule.type === "include-always" && rule.pattern) {
-      for (const file of files) {
-        if (matchGlob(file.relativePath, rule.pattern)) {
-          mustInclude.add(file.relativePath);
-        }
-      }
-    }
-    if (rule.type === "exclude-always" && rule.pattern) {
-      for (const file of files) {
-        if (matchGlob(file.relativePath, rule.pattern)) {
-          mustExclude.add(file.relativePath);
-        }
-      }
-    }
-  }
-  return { mustInclude, mustExclude };
-}
-function getCascadeLevels(startLevel) {
-  const all = ["full", "signatures", "skeleton", "excluded"];
-  const startIdx = all.indexOf(startLevel);
-  return all.slice(startIdx);
-}
-function buildReason(file, level, isTarget, isMustInclude) {
-  if (isTarget) return "Target file";
-  if (isMustInclude) return "Required by policy";
-  const impact = file.exclusionImpact;
-  const levelStr = level === "full" ? "full content" : level;
-  if (impact === "critical") return `Critical dependency (risk ${file.riskScore}) \u2014 ${levelStr}`;
-  if (impact === "high") return `High-risk dependency (risk ${file.riskScore}) \u2014 ${levelStr}`;
-  if (impact === "medium") return `Medium relevance (risk ${file.riskScore}) \u2014 ${levelStr}`;
-  return `Low relevance (risk ${file.riskScore}) \u2014 ${levelStr}`;
-}
-
-// src/gateway/interceptor.ts
-import { readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
-function estimateTokensFromString(s) {
-  return Math.ceil(Buffer.byteLength(s, "utf-8") / 4);
-}
-async function interceptRequest(messages, config, analysis) {
-  const decisions = [];
-  let secretsRedacted = 0;
-  let secretsBlocked = false;
-  let contextInjected = false;
-  const originalTokens = messages.reduce((sum, m) => sum + estimateTokensFromString(m.content), 0);
-  let processedMessages = messages;
-  if (config.redactSecrets || config.blockOnSecrets) {
-    const { messages: scannedMessages, redactedCount, blocked, scanDecisions } = scanMessages(messages, config);
-    processedMessages = scannedMessages;
-    secretsRedacted = redactedCount;
-    secretsBlocked = blocked;
-    decisions.push(...scanDecisions);
-    if (blocked) {
-      return {
-        modified: true,
-        messages: processedMessages,
-        originalTokens,
-        optimizedTokens: 0,
-        secretsRedacted,
-        secretsBlocked: true,
-        contextInjected: false,
-        decisions
-      };
-    }
-  }
-  if (config.optimize && analysis) {
-    const { messages: optimizedMessages, injected, optimizeDecisions } = await optimizeContext(processedMessages, analysis, config);
-    processedMessages = optimizedMessages;
-    contextInjected = injected;
-    decisions.push(...optimizeDecisions);
-  }
-  const optimizedTokens = processedMessages.reduce((sum, m) => sum + estimateTokensFromString(m.content), 0);
-  return {
-    modified: secretsRedacted > 0 || contextInjected,
-    messages: processedMessages,
-    originalTokens,
-    optimizedTokens,
-    secretsRedacted,
-    secretsBlocked,
-    contextInjected,
-    decisions
-  };
-}
-function scanMessages(messages, config) {
-  const scanDecisions = [];
-  let redactedCount = 0;
-  let blocked = false;
-  const scannedMessages = messages.map((msg) => {
-    const findings = scanContentForSecrets(msg.content, `message:${msg.role}`);
-    if (findings.length === 0) return msg;
-    const criticalCount = findings.filter((f) => f.severity === "critical").length;
-    if (config.blockOnSecrets && criticalCount > 0) {
-      blocked = true;
-      scanDecisions.push(
-        `BLOCKED: ${criticalCount} critical secret(s) in ${msg.role} message. Types: ${[...new Set(findings.map((f) => f.type))].join(", ")}`
-      );
-      return msg;
-    }
-    const sanitized = sanitizeContent(msg.content);
-    redactedCount += findings.length;
-    scanDecisions.push(
-      `Redacted ${findings.length} secret(s) in ${msg.role} message: ${[...new Set(findings.map((f) => f.type))].join(", ")}`
-    );
-    return { ...msg, content: sanitized };
-  });
-  return { messages: scannedMessages, redactedCount, blocked, scanDecisions };
-}
-async function optimizeContext(messages, analysis, config) {
-  const optimizeDecisions = [];
-  const lastUserMsg = [...messages].reverse().find((m) => m.role === "user");
-  if (!lastUserMsg) {
-    optimizeDecisions.push("No user message found \u2014 skipping optimization");
-    return { messages, injected: false, optimizeDecisions };
-  }
-  const hasCtxContext = messages.some(
-    (m) => m.role === "system" && m.content.includes("[CTO Context]")
-  );
-  if (hasCtxContext) {
-    optimizeDecisions.push("CTO context already present \u2014 skipping injection");
-    return { messages, injected: false, optimizeDecisions };
-  }
-  try {
-    const selection = await selectContext({
-      task: lastUserMsg.content.slice(0, 500),
-      analysis,
-      budget: config.budget
-    });
-    if (selection.files.length === 0) {
-      optimizeDecisions.push("No relevant files found for task \u2014 skipping injection");
-      return { messages, injected: false, optimizeDecisions };
-    }
-    const contentBudget = Math.floor(config.budget * 0.6);
-    let usedTokens = 0;
-    const contextLines = [
-      "[CTO Context] Optimized project context (auto-injected by CTO Gateway)",
-      "",
-      `Project: ${analysis.projectName} (${analysis.totalFiles} files, ${Math.round(analysis.totalTokens / 1e3)}K tokens)`,
-      `Selected: ${selection.files.length} files, ${selection.totalTokens.toLocaleString()} tokens (${selection.coverage.score}% coverage)`,
-      ""
-    ];
-    const topFiles = selection.files.sort((a, b) => b.riskScore - a.riskScore);
-    const injectedFiles = [];
-    const skippedFiles = [];
-    for (const f of topFiles) {
-      if (usedTokens >= contentBudget) {
-        skippedFiles.push(f.relativePath);
-        continue;
-      }
-      try {
-        const fullPath = resolve2(config.projectPath, f.relativePath);
-        const content = readFileSync2(fullPath, "utf-8");
-        const fileTokens = estimateTokensFromString(content);
-        const remainingBudget = contentBudget - usedTokens;
-        let fileContent;
-        let truncated = false;
-        if (fileTokens > remainingBudget) {
-          const charLimit = remainingBudget * 4;
-          fileContent = content.slice(0, charLimit);
-          truncated = true;
-        } else {
-          fileContent = content;
-        }
-        const ext = f.relativePath.split(".").pop() || "";
-        contextLines.push(`### ${f.relativePath}${truncated ? " [truncated]" : ""}`);
-        contextLines.push("```" + ext);
-        contextLines.push(fileContent);
-        contextLines.push("```");
-        contextLines.push("");
-        usedTokens += estimateTokensFromString(fileContent);
-        injectedFiles.push(f.relativePath);
-      } catch {
-        skippedFiles.push(f.relativePath);
-      }
-    }
-    const typeFiles = analysis.files.filter((f) => f.kind === "type").map((f) => f.relativePath);
-    if (typeFiles.length > 0) {
-      contextLines.push("Type definitions (always import from these):");
-      for (const tf of typeFiles.slice(0, 10)) {
-        contextLines.push(`  - ${tf}`);
-      }
-      contextLines.push("");
-    }
-    if (analysis.graph.hubs.length > 0) {
-      contextLines.push("Hub files (central modules with many dependents):");
-      for (const hub of analysis.graph.hubs.slice(0, 5)) {
-        contextLines.push(`  - ${hub.relativePath} (${hub.dependents} dependents)`);
-      }
-      contextLines.push("");
-    }
-    if (skippedFiles.length > 0) {
-      contextLines.push(`Additional relevant files (not included due to token budget):`);
-      for (const sf of skippedFiles.slice(0, 15)) {
-        contextLines.push(`  - ${sf}`);
-      }
-      if (skippedFiles.length > 15) {
-        contextLines.push(`  ... and ${skippedFiles.length - 15} more`);
-      }
-    }
-    const contextBlock = contextLines.join("\n");
-    const systemMsg = {
-      role: "system",
-      content: contextBlock
-    };
-    const existingSystemIdx = messages.findIndex((m) => m.role === "system");
-    let optimizedMessages;
-    if (existingSystemIdx >= 0) {
-      optimizedMessages = [...messages];
-      optimizedMessages[existingSystemIdx] = {
-        ...optimizedMessages[existingSystemIdx],
-        content: optimizedMessages[existingSystemIdx].content + "\n\n" + contextBlock
-      };
-    } else {
-      optimizedMessages = [systemMsg, ...messages];
-    }
-    optimizeDecisions.push(
-      `Injected CTO context: ${injectedFiles.length} files with contents (${usedTokens.toLocaleString()} tokens), ${skippedFiles.length} listed without contents, ${selection.coverage.score}% coverage`
-    );
-    return { messages: optimizedMessages, injected: true, optimizeDecisions };
-  } catch (err) {
-    const errMsg = err instanceof Error ? err.message : String(err);
-    optimizeDecisions.push(`Context optimization failed: ${errMsg}`);
-    return { messages, injected: false, optimizeDecisions };
-  }
-}
-
-// src/gateway/tracker.ts
-import { mkdirSync as mkdirSync2, appendFileSync, readFileSync as readFileSync3, readdirSync, existsSync as existsSync2 } from "fs";
-import { join as join2 } from "path";
-import { randomUUID } from "crypto";
-var UsageTracker = class {
-  logDir;
-  config;
-  eventHandlers = [];
-  cache = null;
-  cacheMonth = null;
-  // In-memory cost accumulators — survive async disk writes
-  memRecords = [];
-  constructor(config) {
-    this.config = config;
-    this.logDir = join2(config.logDir, "usage");
-    mkdirSync2(this.logDir, { recursive: true });
-  }
-  // ===== EVENT SYSTEM =====
-  onEvent(handler) {
-    this.eventHandlers.push(handler);
-  }
-  emit(event) {
-    for (const handler of this.eventHandlers) {
-      try {
-        handler(event);
-      } catch {
-      }
-    }
-  }
-  // ===== RECORD =====
-  record(params) {
-    const record = {
-      id: randomUUID().slice(0, 8),
-      timestamp: /* @__PURE__ */ new Date(),
-      ...params
-    };
-    const monthKey = this.getMonthKey(record.timestamp);
-    const logFile = join2(this.logDir, `${monthKey}.jsonl`);
-    const line = JSON.stringify({
-      ...record,
-      timestamp: record.timestamp.toISOString()
-    });
-    appendFileSync(logFile, line + "\n");
-    this.memRecords.push(record);
-    this.cache = null;
-    this.emit({ type: "request", record });
-    this.checkBudget(record.timestamp);
-    return record;
-  }
-  // ===== BUDGET CHECKS =====
-  checkBudget(now) {
-    if (this.config.budgetDaily > 0) {
-      const dailyCost = this.getDailyCost(now);
-      const threshold = this.config.budgetDaily * this.config.alertThreshold;
-      if (dailyCost >= this.config.budgetDaily) {
-        this.emit({
-          type: "budget-exceeded",
-          current: dailyCost,
-          limit: this.config.budgetDaily,
-          period: "daily"
-        });
-      } else if (dailyCost >= threshold) {
-        this.emit({
-          type: "budget-alert",
-          current: dailyCost,
-          limit: this.config.budgetDaily,
-          period: "daily"
-        });
-      }
-    }
-    if (this.config.budgetMonthly > 0) {
-      const monthlyCost = this.getMonthlyCost(now);
-      const threshold = this.config.budgetMonthly * this.config.alertThreshold;
-      if (monthlyCost >= this.config.budgetMonthly) {
-        this.emit({
-          type: "budget-exceeded",
-          current: monthlyCost,
-          limit: this.config.budgetMonthly,
-          period: "monthly"
-        });
-      } else if (monthlyCost >= threshold) {
-        this.emit({
-          type: "budget-alert",
-          current: monthlyCost,
-          limit: this.config.budgetMonthly,
-          period: "monthly"
-        });
-      }
-    }
-  }
-  isDailyBudgetExceeded(now = /* @__PURE__ */ new Date()) {
-    if (this.config.budgetDaily <= 0) return false;
-    return this.getDailyCost(now) >= this.config.budgetDaily;
-  }
-  isMonthlyBudgetExceeded(now = /* @__PURE__ */ new Date()) {
-    if (this.config.budgetMonthly <= 0) return false;
-    return this.getMonthlyCost(now) >= this.config.budgetMonthly;
-  }
-  // ===== QUERIES =====
-  getDailyCost(date = /* @__PURE__ */ new Date()) {
-    const dayStr = date.toISOString().split("T")[0];
-    const diskRecords = this.getMonthRecords(date);
-    const allRecords = this.mergeWithMemRecords(diskRecords);
-    return allRecords.filter((r) => r.timestamp.toISOString().startsWith(dayStr)).reduce((sum, r) => sum + r.costUSD, 0);
-  }
-  getMonthlyCost(date = /* @__PURE__ */ new Date()) {
-    const diskRecords = this.getMonthRecords(date);
-    const allRecords = this.mergeWithMemRecords(diskRecords);
-    return allRecords.reduce((sum, r) => sum + r.costUSD, 0);
-  }
-  mergeWithMemRecords(diskRecords) {
-    if (this.memRecords.length === 0) return diskRecords;
-    const diskIds = new Set(diskRecords.map((r) => r.id));
-    const newRecords = this.memRecords.filter((r) => !diskIds.has(r.id));
-    return [...diskRecords, ...newRecords];
-  }
-  getSummary(period = "month") {
-    const now = /* @__PURE__ */ new Date();
-    let records;
-    switch (period) {
-      case "day": {
-        const dayStr = now.toISOString().split("T")[0];
-        records = this.mergeWithMemRecords(this.getMonthRecords(now)).filter(
-          (r) => r.timestamp.toISOString().startsWith(dayStr)
-        );
-        break;
-      }
-      case "week": {
-        const weekAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1e3);
-        const weekAgoKey = this.getMonthKey(weekAgo);
-        const nowKey = this.getMonthKey(now);
-        const baseRecs = weekAgoKey !== nowKey ? [...this.getMonthRecordsByKey(weekAgoKey), ...this.getMonthRecords(now)] : this.getMonthRecords(now);
-        records = this.mergeWithMemRecords(baseRecs).filter((r) => r.timestamp >= weekAgo);
-        break;
-      }
-      case "month":
-        records = this.mergeWithMemRecords(this.getMonthRecords(now));
-        break;
-      case "all":
-        records = this.mergeWithMemRecords(this.getAllRecords());
-        break;
-    }
-    const byModel = {};
-    const byProvider = {};
-    for (const r of records) {
-      if (!byModel[r.model]) byModel[r.model] = { requests: 0, costUSD: 0, tokens: 0 };
-      byModel[r.model].requests++;
-      byModel[r.model].costUSD += r.costUSD;
-      byModel[r.model].tokens += r.inputTokens + r.outputTokens;
-      if (!byProvider[r.provider]) byProvider[r.provider] = { requests: 0, costUSD: 0 };
-      byProvider[r.provider].requests++;
-      byProvider[r.provider].costUSD += r.costUSD;
-    }
-    return {
-      period,
-      totalRequests: records.length,
-      totalInputTokens: records.reduce((s, r) => s + r.inputTokens, 0),
-      totalOutputTokens: records.reduce((s, r) => s + r.outputTokens, 0),
-      totalCostUSD: records.reduce((s, r) => s + r.costUSD, 0),
-      totalSavedTokens: records.reduce((s, r) => s + r.savedTokens, 0),
-      totalSavedUSD: records.reduce((s, r) => s + r.savedUSD, 0),
-      totalSecretsRedacted: records.reduce((s, r) => s + r.secretsRedacted, 0),
-      byModel,
-      byProvider
-    };
-  }
-  // ===== STORAGE =====
-  getMonthKey(date) {
-    return date.toISOString().slice(0, 7);
-  }
-  getMonthRecordsByKey(monthKey) {
-    const filePath = join2(this.logDir, `${monthKey}.jsonl`);
-    if (!existsSync2(filePath)) return [];
-    return readFileSync3(filePath, "utf-8").split("\n").filter((line) => line.trim()).map((line) => {
-      try {
-        const parsed = JSON.parse(line);
-        parsed.timestamp = new Date(parsed.timestamp);
-        return parsed;
-      } catch {
-        return null;
-      }
-    }).filter((r) => r !== null);
-  }
-  getMonthRecords(date) {
-    const monthKey = this.getMonthKey(date);
-    if (this.cache && this.cacheMonth === monthKey) return this.cache;
-    const filePath = join2(this.logDir, `${monthKey}.jsonl`);
-    if (!existsSync2(filePath)) return [];
-    const records = readFileSync3(filePath, "utf-8").split("\n").filter((line) => line.trim()).map((line) => {
-      try {
-        const parsed = JSON.parse(line);
-        parsed.timestamp = new Date(parsed.timestamp);
-        return parsed;
-      } catch {
-        return null;
-      }
-    }).filter((r) => r !== null);
-    this.cache = records;
-    this.cacheMonth = monthKey;
-    return records;
-  }
-  getAllRecords() {
-    if (!existsSync2(this.logDir)) return [];
-    const files = readdirSync(this.logDir).filter((f) => f.endsWith(".jsonl")).sort();
-    const allRecords = [];
-    for (const file of files) {
-      const content = readFileSync3(join2(this.logDir, file), "utf-8");
-      const records = content.split("\n").filter((line) => line.trim()).map((line) => {
-        try {
-          const parsed = JSON.parse(line);
-          parsed.timestamp = new Date(parsed.timestamp);
-          return parsed;
-        } catch {
-          return null;
-        }
-      }).filter((r) => r !== null);
-      allRecords.push(...records);
-    }
-    return allRecords;
-  }
-};
-
-// src/engine/analyzer.ts
-import { readFile as readFile4, readdir, stat as stat2 } from "fs/promises";
-import { join as join4, extname, relative as relative3, resolve as resolve4, basename as basename2 } from "path";
-import { createHash as createHash3 } from "crypto";
-
-// src/types/engine.ts
-var DEFAULT_RISK_WEIGHTS = {
-  hub: 30,
-  typeProvider: 25,
-  complexity: 15,
-  recency: 15,
-  config: 10,
-  churn: 5
-};
-
-// src/types/config.ts
-var DEFAULT_CONFIG = {
-  version: "2.0",
-  analysis: {
-    extensions: {
-      code: ["ts", "tsx", "js", "jsx", "py", "go", "rs", "java", "kt", "rb", "php", "c", "cpp", "h", "hpp", "cs"],
-      config: ["json", "yml", "yaml", "toml"],
-      docs: ["md", "txt", "rst"]
-    },
-    ignore: {
-      dirs: ["node_modules", "dist", "build", ".git", "coverage", "__pycache__", ".next", "vendor", ".cto"],
-      patterns: ["*.min.js", "*.map", "*.lock", "*.generated.*"]
-    },
-    maxDepth: 20
-  },
-  risk: {
-    weights: {
-      hub: 30,
-      typeProvider: 25,
-      complexity: 15,
-      recency: 15,
-      config: 10,
-      churn: 5
-    }
-  },
-  interaction: {
-    defaultBudget: 5e4,
-    defaultModel: "claude-sonnet-4"
-  },
-  tokens: {
-    method: "chars4"
-  },
-  governance: {
-    auditEnabled: true,
-    secretDetection: true,
-    retentionDays: 90
-  }
-};
-
-// src/engine/graph.ts
-import { Project, SyntaxKind } from "ts-morph";
-import { resolve as resolve3, relative as relative2, dirname as dirname2, join as join3 } from "path";
-import { existsSync as existsSync3 } from "fs";
-var TS_EXTENSIONS2 = /* @__PURE__ */ new Set(["ts", "tsx", "js", "jsx", "mts", "mjs", "cts", "cjs"]);
-function createProject(projectPath, filePaths) {
-  const tsConfigPath = join3(projectPath, "tsconfig.json");
-  const hasTsConfig = existsSync3(tsConfigPath);
-  const project = new Project({
-    tsConfigFilePath: hasTsConfig ? tsConfigPath : void 0,
-    skipAddingFilesFromTsConfig: true,
-    compilerOptions: hasTsConfig ? void 0 : {
-      allowJs: true,
-      jsx: 4,
-      // JsxEmit.ReactJSX
-      esModuleInterop: true,
-      moduleResolution: 100
-      // Bundler
-    }
-  });
-  const tsFiles = filePaths.filter((f) => {
-    const ext = f.split(".").pop()?.toLowerCase() ?? "";
-    return TS_EXTENSIONS2.has(ext);
-  });
-  for (const filePath of tsFiles) {
-    try {
-      project.addSourceFileAtPath(filePath);
-    } catch {
-    }
-  }
-  return project;
-}
-function buildProjectGraph(projectPath, files) {
-  const absPath = resolve3(projectPath);
-  const tsFiles = files.filter((f) => TS_EXTENSIONS2.has(f.extension)).map((f) => f.path);
-  if (tsFiles.length === 0) {
-    return emptyGraph(files);
-  }
-  let project;
-  try {
-    project = createProject(projectPath, tsFiles);
-  } catch {
-    return emptyGraph(files);
-  }
-  const edges = [];
-  const nodeSet = /* @__PURE__ */ new Set();
-  for (const sourceFile of project.getSourceFiles()) {
-    const fromRel = relative2(absPath, sourceFile.getFilePath());
-    if (fromRel.startsWith("..") || fromRel.includes("node_modules")) continue;
-    nodeSet.add(fromRel);
-    for (const imp of sourceFile.getImportDeclarations()) {
-      const moduleSpecifier = imp.getModuleSpecifierValue();
-      const resolved = resolveImport(sourceFile, moduleSpecifier, absPath);
-      if (resolved) {
-        nodeSet.add(resolved);
-        edges.push({ from: fromRel, to: resolved, type: "import" });
-      }
-    }
-    for (const exp of sourceFile.getExportDeclarations()) {
-      const moduleSpecifier = exp.getModuleSpecifierValue();
-      if (moduleSpecifier) {
-        const resolved = resolveImport(sourceFile, moduleSpecifier, absPath);
-        if (resolved) {
-          nodeSet.add(resolved);
-          edges.push({ from: fromRel, to: resolved, type: "re-export" });
-        }
-      }
-    }
-  }
-  const nodes = Array.from(nodeSet);
-  const importedByCount = /* @__PURE__ */ new Map();
-  const importCount = /* @__PURE__ */ new Map();
-  for (const edge of edges) {
-    importedByCount.set(edge.to, (importedByCount.get(edge.to) ?? 0) + 1);
-    importCount.set(edge.from, (importCount.get(edge.from) ?? 0) + 1);
-  }
-  const N = Math.max(nodes.length, 1);
-  const hubs = nodes.map((node) => {
-    const inDeg = importedByCount.get(node) ?? 0;
-    const outDeg = importCount.get(node) ?? 0;
-    const centrality = N > 1 ? inDeg / (N - 1) * 100 : 0;
-    const score = Math.round(centrality + outDeg * (100 / (2 * N)));
-    return {
-      relativePath: node,
-      dependents: inDeg,
-      dependencies: outDeg,
-      score: Math.min(100, score)
-    };
-  }).filter((h) => h.dependents >= 3 || h.score >= 15).sort((a, b) => b.score - a.score);
-  const leaves = nodes.filter(
-    (node) => (importedByCount.get(node) ?? 0) === 0 && (importCount.get(node) ?? 0) > 0
-  );
-  const connectedNodes = /* @__PURE__ */ new Set();
-  for (const edge of edges) {
-    connectedNodes.add(edge.from);
-    connectedNodes.add(edge.to);
-  }
-  const allFileNodes = new Set(files.map((f) => f.relativePath));
-  const orphans = Array.from(allFileNodes).filter((n) => !connectedNodes.has(n));
-  const clusters = detectClusters(nodes, edges, files);
-  enrichComplexity(project, absPath, files);
-  return { nodes, edges, hubs, leaves, orphans, clusters };
-}
-var UnionFind = class {
-  parent;
-  rank;
-  constructor(nodes) {
-    this.parent = /* @__PURE__ */ new Map();
-    this.rank = /* @__PURE__ */ new Map();
-    for (const n of nodes) {
-      this.parent.set(n, n);
-      this.rank.set(n, 0);
-    }
-  }
-  find(x) {
-    const p = this.parent.get(x);
-    if (p === void 0) return x;
-    if (p !== x) {
-      this.parent.set(x, this.find(p));
-    }
-    return this.parent.get(x);
-  }
-  union(a, b) {
-    const ra = this.find(a);
-    const rb = this.find(b);
-    if (ra === rb) return;
-    const rankA = this.rank.get(ra) ?? 0;
-    const rankB = this.rank.get(rb) ?? 0;
-    if (rankA < rankB) {
-      this.parent.set(ra, rb);
-    } else if (rankA > rankB) {
-      this.parent.set(rb, ra);
-    } else {
-      this.parent.set(rb, ra);
-      this.rank.set(ra, rankA + 1);
-    }
-  }
-};
-function detectClusters(nodes, edges, files) {
-  const uf = new UnionFind(nodes);
-  for (const edge of edges) {
-    uf.union(edge.from, edge.to);
-  }
-  const components = /* @__PURE__ */ new Map();
-  for (const node of nodes) {
-    const root = uf.find(node);
-    if (!components.has(root)) components.set(root, []);
-    components.get(root).push(node);
-  }
-  const tokenMap = new Map(files.map((f) => [f.relativePath, f.tokens]));
-  const clusters = [];
-  for (const [, groupFiles] of components) {
-    if (groupFiles.length < 2) continue;
-    const name = commonPrefix(groupFiles);
-    const fileSet = new Set(groupFiles);
-    let internalEdges = 0;
-    let externalEdges = 0;
-    for (const edge of edges) {
-      const fromIn = fileSet.has(edge.from);
-      const toIn = fileSet.has(edge.to);
-      if (fromIn && toIn) internalEdges++;
-      else if (fromIn || toIn) externalEdges++;
-    }
-    const totalEdges = internalEdges + externalEdges;
-    const cohesion = totalEdges > 0 ? internalEdges / totalEdges : 0;
-    const totalTokens = groupFiles.reduce((s, f) => s + (tokenMap.get(f) ?? 0), 0);
-    clusters.push({
-      id: name.replace(/[^a-zA-Z0-9]/g, "-") || `cluster-${clusters.length}`,
-      name: name || `cluster-${clusters.length}`,
-      files: groupFiles,
-      totalTokens,
-      internalEdges,
-      externalEdges,
-      cohesion: Math.round(cohesion * 100) / 100
-    });
-  }
-  return clusters.sort((a, b) => b.files.length - a.files.length);
-}
-function commonPrefix(paths) {
-  if (paths.length === 0) return "";
-  const parts = paths.map((p) => p.split("/"));
-  const prefix = [];
-  for (let i = 0; i < parts[0].length - 1; i++) {
-    const segment = parts[0][i];
-    if (parts.every((p) => p[i] === segment)) {
-      prefix.push(segment);
-    } else break;
-  }
-  return prefix.join("/") || parts[0][0];
-}
-function enrichComplexity(project, absPath, files) {
-  const fileMap = new Map(files.map((f) => [f.relativePath, f]));
-  for (const sourceFile of project.getSourceFiles()) {
-    const relPath = relative2(absPath, sourceFile.getFilePath());
-    if (relPath.startsWith("..") || relPath.includes("node_modules")) continue;
-    const file = fileMap.get(relPath);
-    if (!file) continue;
-    let totalComplexity = 0;
-    for (const func of sourceFile.getFunctions()) {
-      totalComplexity += calculateCyclomaticComplexity(func);
-    }
-    for (const cls of sourceFile.getClasses()) {
-      for (const method of cls.getMethods()) {
-        totalComplexity += calculateCyclomaticComplexity(method);
-      }
-    }
-    for (const varDecl of sourceFile.getVariableDeclarations()) {
-      const init = varDecl.getInitializer();
-      if (init && (init.getKind() === SyntaxKind.ArrowFunction || init.getKind() === SyntaxKind.FunctionExpression)) {
-        totalComplexity += calculateCyclomaticComplexity(init);
-      }
-    }
-    file.complexity = Math.max(1, totalComplexity);
-  }
-}
-function calculateCyclomaticComplexity(node) {
-  let complexity = 1;
-  node.forEachDescendant((descendant) => {
-    switch (descendant.getKind()) {
-      case SyntaxKind.IfStatement:
-      case SyntaxKind.ConditionalExpression:
-      case SyntaxKind.ForStatement:
-      case SyntaxKind.ForInStatement:
-      case SyntaxKind.ForOfStatement:
-      case SyntaxKind.WhileStatement:
-      case SyntaxKind.DoStatement:
-      case SyntaxKind.CaseClause:
-      case SyntaxKind.CatchClause:
-        complexity++;
-        break;
-      case SyntaxKind.BinaryExpression: {
-        const opToken = descendant.getOperatorToken?.();
-        if (opToken) {
-          const kind = opToken.getKind();
-          if (kind === SyntaxKind.AmpersandAmpersandToken || kind === SyntaxKind.BarBarToken || kind === SyntaxKind.QuestionQuestionToken) {
-            complexity++;
-          }
-        }
-        break;
-      }
-    }
-  });
-  return complexity;
-}
-function resolveImport(sourceFile, moduleSpecifier, projectRoot) {
-  if (!moduleSpecifier.startsWith(".")) return null;
-  const sourceDir = dirname2(sourceFile.getFilePath());
-  const basePath = resolve3(sourceDir, moduleSpecifier);
-  const extensions = [".ts", ".tsx", ".js", ".jsx", "/index.ts", "/index.tsx", "/index.js", "/index.jsx"];
-  for (const ext of extensions) {
-    const candidate = basePath.endsWith(ext) ? basePath : basePath + ext;
-    if (existsSync3(candidate)) {
-      const rel = relative2(projectRoot, candidate);
-      if (!rel.startsWith("..")) return rel;
-    }
-  }
-  if (moduleSpecifier.endsWith(".js")) {
-    const tsPath = basePath.replace(/\.js$/, ".ts");
-    if (existsSync3(tsPath)) {
-      const rel = relative2(projectRoot, tsPath);
-      if (!rel.startsWith("..")) return rel;
-    }
-  }
-  return null;
-}
-function emptyGraph(files) {
-  return {
-    nodes: files.map((f) => f.relativePath),
-    edges: [],
-    hubs: [],
-    leaves: [],
-    orphans: files.map((f) => f.relativePath),
-    clusters: []
-  };
-}
-
-// src/engine/risk.ts
-function scoreAllFiles(files, graph, weights = DEFAULT_RISK_WEIGHTS) {
-  const typeProviderUsage = computeTypeProviderUsage(files, graph);
-  for (const file of files) {
-    const factors = computeRiskFactors(file, graph, typeProviderUsage, weights);
-    file.riskFactors = factors;
-    file.riskScore = computeWeightedScore(factors);
-    file.exclusionImpact = scoreToImpact(file.riskScore);
-  }
-}
-function computeRiskFactors(file, graph, typeProviderUsage, weights) {
-  const factors = [];
-  factors.push(computeHubFactor(file, weights.hub));
-  factors.push(computeTypeProviderFactor(file, typeProviderUsage, weights.typeProvider));
-  factors.push(computeComplexityFactor(file, weights.complexity));
-  factors.push(computeRecencyFactor(file, weights.recency));
-  factors.push(computeConfigFactor(file, weights.config));
-  factors.push(computeChurnFactor(file, weights.churn));
-  return factors;
-}
-function computeHubFactor(file, weight) {
-  const dependents = file.importedBy.length;
-  const K = 12;
-  const score = dependents === 0 ? 0 : Math.min(100, Math.round(100 * Math.log2(1 + dependents) / Math.log2(1 + K)));
-  const detail = dependents === 0 ? "No dependents" : `Hub: ${dependents} file(s) depend on this (score ${score}/100)`;
-  return { type: "hub", score, weight, detail };
-}
-function computeTypeProviderFactor(file, usage, weight) {
-  const isTypeFile = file.kind === "type";
-  const consumers = usage.get(file.relativePath) ?? 0;
-  let score;
-  let detail;
-  if (isTypeFile && consumers >= 4) {
-    score = 100;
-    detail = `Type provider: used by ${consumers} files (critical type source)`;
-  } else if (isTypeFile && consumers >= 1) {
-    score = 50;
-    detail = `Type provider: used by ${consumers} files`;
-  } else if (isTypeFile) {
-    score = 30;
-    detail = "Type file (no detected consumers)";
-  } else {
-    score = 0;
-    detail = "Not a type provider";
-  }
-  return { type: "type-provider", score, weight, detail };
-}
-function computeComplexityFactor(file, weight) {
-  const c = file.complexity;
-  const K = 30;
-  const score = Math.min(100, Math.round(100 * Math.log(1 + c) / Math.log(1 + K)));
-  const detail = c >= 30 ? `Very high complexity: ${c} (AI needs full context)` : c >= 10 ? `High complexity: ${c}` : `Complexity: ${c}`;
-  return { type: "complexity", score, weight, detail };
-}
-function computeRecencyFactor(file, weight) {
-  const now = Date.now();
-  const modified = new Date(file.lastModified).getTime();
-  const daysAgo = (now - modified) / (1e3 * 60 * 60 * 24);
-  const HALF_LIFE = 7;
-  const score = Math.round(100 * Math.pow(2, -daysAgo / HALF_LIFE));
-  const detail = daysAgo <= 1 ? "Modified today" : `Modified ${Math.round(daysAgo)} days ago (decay score ${score})`;
-  return { type: "recency", score, weight, detail };
-}
-function computeConfigFactor(file, weight) {
-  let score;
-  let detail;
-  if (file.kind === "entry") {
-    score = 90;
-    detail = "Entry point \u2014 critical for understanding app structure";
-  } else if (file.kind === "config") {
-    score = 80;
-    detail = "Configuration file \u2014 affects runtime behavior";
-  } else {
-    score = 0;
-    detail = "Regular source file";
-  }
-  return { type: "config", score, weight, detail };
-}
-function computeChurnFactor(file, weight) {
-  const complexitySignal = Math.min(file.complexity / 20, 1);
-  const now = Date.now();
-  const daysAgo = (now - new Date(file.lastModified).getTime()) / (1e3 * 60 * 60 * 24);
-  const recencySignal = Math.pow(2, -daysAgo / 7);
-  const score = Math.round(Math.sqrt(complexitySignal * recencySignal) * 100);
-  const detail = score >= 50 ? "Likely under active development (complex + recent)" : score >= 20 ? "Some recent activity" : "Stable \u2014 low churn (proxy estimate)";
-  return { type: "churn", score, weight, detail };
-}
-function computeWeightedScore(factors) {
-  let totalWeightedScore = 0;
-  let totalWeight = 0;
-  for (const factor of factors) {
-    totalWeightedScore += factor.score * factor.weight;
-    totalWeight += factor.weight;
-  }
-  if (totalWeight === 0) return 0;
-  return Math.round(totalWeightedScore / totalWeight);
-}
-function scoreToImpact(score) {
-  if (score >= 80) return "critical";
-  if (score >= 60) return "high";
-  if (score >= 30) return "medium";
-  if (score > 0) return "low";
-  return "none";
-}
-function computeTypeProviderUsage(files, graph) {
-  const usage = /* @__PURE__ */ new Map();
-  const typeFiles = new Set(
-    files.filter((f) => f.kind === "type").map((f) => f.relativePath)
-  );
-  for (const edge of graph.edges) {
-    if (typeFiles.has(edge.to)) {
-      usage.set(edge.to, (usage.get(edge.to) ?? 0) + 1);
-    }
-  }
-  return usage;
-}
-
-// src/engine/analyzer.ts
-function matchesPattern(filename, patterns) {
-  for (const pattern of patterns) {
-    if (pattern.startsWith("*.")) {
-      const ext = pattern.slice(1);
-      if (filename.endsWith(ext)) return true;
-    } else if (filename === pattern) {
-      return true;
-    }
-  }
-  return false;
-}
-async function walkProject(rootPath, options) {
-  const results = [];
-  const { ignoreDirs, ignorePatterns, extensions, maxDepth = 20 } = options;
-  const ignoreDirSet = new Set(ignoreDirs);
-  async function walk(dir, depth) {
-    if (depth > maxDepth) return;
-    let entries;
-    try {
-      entries = await readdir(dir, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    const promises = [];
-    for (const entry of entries) {
-      const fullPath = join4(dir, entry.name);
-      if (entry.isDirectory()) {
-        if (!ignoreDirSet.has(entry.name) && !entry.name.startsWith(".")) {
-          promises.push(walk(fullPath, depth + 1));
-        }
-      } else if (entry.isFile()) {
-        const ext = extname(entry.name).slice(1).toLowerCase();
-        if (ext && extensions.includes(ext) && !matchesPattern(entry.name, ignorePatterns)) {
-          promises.push(
-            (async () => {
-              const fileStat = await stat2(fullPath).catch(() => null);
-              if (!fileStat) return;
-              let lines = 0;
-              try {
-                const content = await readFile4(fullPath, "utf-8");
-                lines = content.split("\n").length;
-              } catch {
-                lines = 0;
-              }
-              results.push({
-                path: fullPath,
-                relativePath: relative3(rootPath, fullPath),
-                extension: ext,
-                size: fileStat.size,
-                lastModified: fileStat.mtime,
-                lines
-              });
-            })()
-          );
-        }
-      }
-    }
-    await Promise.all(promises);
-  }
-  await walk(rootPath, 0);
-  return results;
-}
-var TYPE_PATTERNS = [/types?\//i, /\.d\.ts$/, /interfaces?\//i];
-var TEST_PATTERNS = [/\.test\.[jt]sx?$/, /\.spec\.[jt]sx?$/, /\/__tests__\//, /\/tests?\//];
-var CONFIG_PATTERNS = [/\.config\.[jt]s$/, /rc\.[jt]s$/, /\.env/, /tsconfig/, /package\.json$/, /\.yml$/, /\.yaml$/, /\.toml$/];
-var ENTRY_PATTERNS = [/^index\.[jt]sx?$/, /^main\.[jt]sx?$/, /^app\.[jt]sx?$/, /^server\.[jt]sx?$/];
-function classifyFileKind(relativePath) {
-  const filename = basename2(relativePath);
-  if (TYPE_PATTERNS.some((p) => p.test(relativePath))) return "type";
-  if (TEST_PATTERNS.some((p) => p.test(relativePath))) return "test";
-  if (CONFIG_PATTERNS.some((p) => p.test(relativePath) || p.test(filename))) return "config";
-  if (ENTRY_PATTERNS.some((p) => p.test(filename))) return "entry";
-  return "source";
-}
-function detectStack(files) {
-  const stack = [];
-  const extensions = new Set(files.map((f) => f.extension));
-  const paths = files.map((f) => f.relativePath.toLowerCase());
-  if (extensions.has("ts") || extensions.has("tsx")) stack.push("TypeScript");
-  else if (extensions.has("js") || extensions.has("jsx")) stack.push("JavaScript");
-  if (extensions.has("py")) stack.push("Python");
-  if (extensions.has("go")) stack.push("Go");
-  if (extensions.has("rs")) stack.push("Rust");
-  if (extensions.has("java")) stack.push("Java");
-  if (extensions.has("kt")) stack.push("Kotlin");
-  if (extensions.has("rb")) stack.push("Ruby");
-  if (extensions.has("php")) stack.push("PHP");
-  if (extensions.has("cs")) stack.push("C#");
-  if (extensions.has("c") || extensions.has("cpp")) stack.push("C/C++");
-  if (paths.some((p) => p.includes("next.config"))) stack.push("Next.js");
-  if (paths.some((p) => p.includes("nuxt.config"))) stack.push("Nuxt");
-  if (paths.some((p) => p.includes("angular.json"))) stack.push("Angular");
-  return stack;
-}
-async function analyzeProject(projectPath, config) {
-  const absPath = resolve4(projectPath);
-  const projectName = basename2(absPath);
-  const mergedConfig = mergeConfig(DEFAULT_CONFIG, config);
-  const allExtensions = [
-    ...mergedConfig.analysis.extensions.code,
-    ...mergedConfig.analysis.extensions.config,
-    ...mergedConfig.analysis.extensions.docs
-  ];
-  const walkEntries = await walkProject(absPath, {
-    ignoreDirs: mergedConfig.analysis.ignore.dirs,
-    ignorePatterns: mergedConfig.analysis.ignore.patterns,
-    extensions: allExtensions,
-    maxDepth: mergedConfig.analysis.maxDepth
-  });
-  const tokenMethod = mergedConfig.tokens.method;
-  const BATCH_SIZE = 50;
-  async function estimateFileTokens(entry) {
-    let tokens;
-    if (tokenMethod === "tiktoken") {
-      try {
-        const content = await readFile4(entry.path, "utf-8");
-        tokens = estimateTokens(content, entry.size, "tiktoken");
-      } catch {
-        tokens = countTokensChars4(entry.size);
-      }
-    } else {
-      tokens = countTokensChars4(entry.size);
-    }
-    return {
-      path: entry.path,
-      relativePath: entry.relativePath,
-      extension: entry.extension,
-      size: entry.size,
-      tokens,
-      lines: entry.lines,
-      lastModified: entry.lastModified,
-      kind: classifyFileKind(entry.relativePath),
-      imports: [],
-      importedBy: [],
-      isHub: false,
-      complexity: 0,
-      riskScore: 0,
-      riskFactors: [],
-      exclusionImpact: "none"
-    };
-  }
-  const files = [];
-  for (let i = 0; i < walkEntries.length; i += BATCH_SIZE) {
-    const batch = walkEntries.slice(i, i + BATCH_SIZE);
-    const results = await Promise.all(batch.map(estimateFileTokens));
-    files.push(...results);
-  }
-  const graph = buildProjectGraph(absPath, files);
-  for (const file of files) {
-    const nodeImports = [];
-    const nodeImportedBy = [];
-    for (const edge of graph.edges) {
-      if (edge.from === file.relativePath) nodeImports.push(edge.to);
-      if (edge.to === file.relativePath) nodeImportedBy.push(edge.from);
-    }
-    file.imports = nodeImports;
-    file.importedBy = nodeImportedBy;
-    file.isHub = graph.hubs.some((h) => h.relativePath === file.relativePath);
-  }
-  const riskWeights = mergedConfig.risk.weights;
-  scoreAllFiles(files, graph, riskWeights);
-  const riskProfile = {
-    distribution: {
-      critical: files.filter((f) => f.riskScore >= 80).length,
-      high: files.filter((f) => f.riskScore >= 60 && f.riskScore < 80).length,
-      medium: files.filter((f) => f.riskScore >= 30 && f.riskScore < 60).length,
-      low: files.filter((f) => f.riskScore < 30).length
-    },
-    topRiskFiles: [...files].sort((a, b) => b.riskScore - a.riskScore).slice(0, 10),
-    overallComplexity: files.length > 0 ? files.reduce((s, f) => s + f.complexity, 0) / files.length : 0
-  };
-  const totalTokens = files.reduce((s, f) => s + f.tokens, 0);
-  const hashInput = files.map((f) => `${f.relativePath}:${f.tokens}:${f.riskScore}`).sort().join("|");
-  const hash = createHash3("sha256").update(hashInput).digest("hex").substring(0, 16);
-  const stack = detectStack(walkEntries);
-  return {
-    projectPath: absPath,
-    projectName,
-    analyzedAt: /* @__PURE__ */ new Date(),
-    hash,
-    files,
-    totalFiles: files.length,
-    totalTokens,
-    graph,
-    riskProfile,
-    stack,
-    tokenMethod
-  };
-}
-function mergeConfig(base, overrides) {
-  if (!overrides) return base;
-  return {
-    ...base,
-    ...overrides,
-    analysis: {
-      ...base.analysis,
-      ...overrides.analysis,
-      extensions: {
-        ...base.analysis.extensions,
-        ...overrides.analysis?.extensions
-      },
-      ignore: {
-        ...base.analysis.ignore,
-        ...overrides.analysis?.ignore
-      }
-    },
-    risk: {
-      ...base.risk,
-      ...overrides.risk,
-      weights: {
-        ...base.risk.weights,
-        ...overrides.risk?.weights
-      }
-    },
-    interaction: {
-      ...base.interaction,
-      ...overrides.interaction
-    },
-    tokens: {
-      ...base.tokens,
-      ...overrides.tokens
-    },
-    governance: {
-      ...base.governance,
-      ...overrides.governance
-    }
-  };
-}
-
-// src/gateway/server.ts
-var ContextGateway = class {
-  config;
-  tracker;
-  analysis = null;
-  analysisPromise = null;
-  eventHandlers = [];
-  server = null;
-  httpAgent;
-  httpsAgent;
-  budgetLock = false;
-  // Simple lock for budget reservation
-  constructor(config = {}) {
-    this.config = { ...DEFAULT_GATEWAY_CONFIG, ...config };
-    this.tracker = new UsageTracker(this.config);
-    this.httpAgent = new HttpAgent({ keepAlive: true, maxSockets: 50 });
-    this.httpsAgent = new HttpsAgent({ keepAlive: true, maxSockets: 50 });
-    this.tracker.onEvent((event) => this.emit(event));
-  }
-  // ===== EVENTS =====
-  onEvent(handler) {
-    this.eventHandlers.push(handler);
-  }
-  emit(event) {
-    for (const handler of this.eventHandlers) {
-      try {
-        handler(event);
-      } catch {
-      }
-    }
-  }
-  // ===== LIFECYCLE =====
-  async start() {
-    if (this.config.optimize) {
-      this.analysisPromise = this.refreshAnalysis();
-    }
-    this.server = createServer((req, res) => this.handleRequest(req, res));
-    return new Promise((resolve5) => {
-      this.server.listen(this.config.port, this.config.host, () => {
-        resolve5();
-      });
-    });
-  }
-  async stop() {
-    return new Promise((resolve5) => {
-      if (this.server) {
-        this.server.close(() => resolve5());
-      } else {
-        resolve5();
-      }
-    });
-  }
-  getTracker() {
-    return this.tracker;
-  }
-  // ===== ANALYSIS =====
-  async refreshAnalysis() {
-    try {
-      const analysis = await analyzeProject(this.config.projectPath);
-      this.analysis = analysis;
-      return analysis;
-    } catch (err) {
-      const message = err instanceof Error ? err.message : String(err);
-      this.emit({ type: "error", message: `Analysis failed: ${message}`, error: err instanceof Error ? err : void 0 });
-      throw err;
-    }
-  }
-  // ===== REQUEST HANDLER =====
-  async handleRequest(req, res) {
-    const startTime = Date.now();
-    if (this.config.dashboard && req.url?.startsWith(this.config.dashboardPath)) {
-      return this.serveDashboard(req, res);
-    }
-    if (req.url === "/health" || req.url === "/__cto/health") {
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        status: "ok",
-        version: "4.0.0",
-        uptime: process.uptime(),
-        analysis: this.analysis ? "ready" : "loading"
-      }));
-      return;
-    }
-    if (this.config.apiKey) {
-      const authHeader = req.headers["x-cto-key"] || req.headers["authorization"]?.replace(/^Bearer\s+/i, "") || "";
-      if (authHeader !== this.config.apiKey) {
-        res.writeHead(401, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Unauthorized. Set x-cto-key header or Authorization: Bearer <key>" }));
-        return;
-      }
-    }
-    if (req.method !== "POST") {
-      res.writeHead(405, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Method not allowed. Gateway only proxies POST requests." }));
-      return;
-    }
-    let body;
-    try {
-      body = await readBody(req, this.config.maxBodyBytes);
-    } catch (err) {
-      const errMsg = err instanceof Error ? err.message : String(err);
-      const status = errMsg === "body-too-large" ? 413 : 400;
-      res.writeHead(status, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: status === 413 ? `Request body too large. Max: ${Math.round(this.config.maxBodyBytes / 1024 / 1024)}MB` : "Failed to read request body" }));
-      return;
-    }
-    let parsedBody;
-    try {
-      parsedBody = JSON.parse(body);
-    } catch {
-      res.writeHead(400, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Invalid JSON in request body" }));
-      return;
-    }
-    const targetUrl = req.headers["x-cto-target"] || req.headers["x-target-url"] || "";
-    if (!targetUrl) {
-      res.writeHead(400, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        error: "Missing target URL. Set x-cto-target header to the provider API URL.",
-        example: "x-cto-target: https://api.openai.com/v1/chat/completions"
-      }));
-      return;
-    }
-    let targetUrlParsed;
-    try {
-      targetUrlParsed = new URL(targetUrl);
-    } catch {
-      res.writeHead(400, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Invalid target URL" }));
-      return;
-    }
-    if (targetUrlParsed.protocol !== "https:" && targetUrlParsed.hostname !== "localhost") {
-      res.writeHead(403, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Only HTTPS targets allowed (SSRF protection)" }));
-      return;
-    }
-    if (!isAllowedTarget(targetUrlParsed.hostname, this.config)) {
-      res.writeHead(403, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        error: `Target domain not allowed: ${targetUrlParsed.hostname}`,
-        allowed: this.config.allowedTargetDomains.length > 0 ? this.config.allowedTargetDomains : ["api.openai.com", "api.anthropic.com", "*.googleapis.com", "*.openai.azure.com"]
-      }));
-      return;
-    }
-    try {
-      const resolved = await lookup(targetUrlParsed.hostname);
-      if (isPrivateIP(resolved.address)) {
-        res.writeHead(403, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Target resolves to private IP (SSRF protection)" }));
-        return;
-      }
-    } catch {
-    }
-    const headers = flattenHeaders(req.headers);
-    const provider = detectProvider(targetUrl || req.url || "", headers);
-    const parsed = provider.parseRequest(parsedBody);
-    const now = /* @__PURE__ */ new Date();
-    if (this.tracker.isDailyBudgetExceeded(now)) {
-      res.writeHead(429, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        error: "Daily budget exceeded",
-        budget: this.config.budgetDaily,
-        current: this.tracker.getDailyCost(now)
-      }));
-      return;
-    }
-    if (this.tracker.isMonthlyBudgetExceeded(now)) {
-      res.writeHead(429, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        error: "Monthly budget exceeded",
-        budget: this.config.budgetMonthly,
-        current: this.tracker.getMonthlyCost(now)
-      }));
-      return;
-    }
-    if (this.analysisPromise && !this.analysis) {
-      try {
-        await this.analysisPromise;
-      } catch {
-      }
-    }
-    const interceptResult = await interceptRequest(parsed.messages, this.config, this.analysis);
-    if (interceptResult.secretsBlocked) {
-      res.writeHead(403, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({
-        error: "Request blocked: secrets detected in message content",
-        decisions: interceptResult.decisions,
-        secretsRedacted: interceptResult.secretsRedacted
-      }));
-      this.tracker.record({
-        provider: provider.name,
-        model: parsed.model,
-        inputTokens: 0,
-        outputTokens: 0,
-        costUSD: 0,
-        originalTokens: interceptResult.originalTokens,
-        optimizedTokens: 0,
-        savedTokens: 0,
-        savedUSD: 0,
-        secretsRedacted: interceptResult.secretsRedacted,
-        secretsBlocked: true,
-        projectPath: this.config.projectPath,
-        latencyMs: Date.now() - startTime,
-        stream: parsed.stream,
-        error: "blocked:secrets"
-      });
-      return;
-    }
-    const modifiedBody = rebuildRequestBody(parsedBody, interceptResult.messages, provider.name);
-    try {
-      await this.proxyRequest(targetUrl, req, res, modifiedBody, provider, parsed, interceptResult, startTime);
-    } catch (err) {
-      const errMsg = err instanceof Error ? err.message : String(err);
-      if (!res.headersSent) {
-        const status = errMsg === "upstream-timeout" ? 504 : 502;
-        res.writeHead(status, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: status === 504 ? "Upstream provider timeout" : `Proxy error: ${errMsg}` }));
-      }
-      this.emit({ type: "error", message: `Proxy error: ${errMsg}`, error: err instanceof Error ? err : void 0 });
-    }
-  }
-  // ===== PROXY =====
-  async proxyRequest(targetUrl, clientReq, clientRes, body, provider, parsed, interceptResult, startTime) {
-    const url = new URL(targetUrl);
-    const isHttps = url.protocol === "https:";
-    const requester = isHttps ? httpsRequest : httpRequest;
-    const forwardHeaders = {};
-    const stripHeaders = /* @__PURE__ */ new Set(["host", "content-length", "x-cto-target", "x-target-url", "x-cto-key"]);
-    for (const [key, value] of Object.entries(clientReq.headers)) {
-      if (stripHeaders.has(key)) continue;
-      if (value) forwardHeaders[key] = Array.isArray(value) ? value[0] : value;
-    }
-    forwardHeaders["content-length"] = Buffer.byteLength(body).toString();
-    return new Promise((resolve5, reject) => {
-      const proxyReq = requester(
-        {
-          hostname: url.hostname,
-          port: url.port || (isHttps ? 443 : 80),
-          path: url.pathname + url.search,
-          method: "POST",
-          headers: forwardHeaders,
-          agent: isHttps ? this.httpsAgent : this.httpAgent,
-          // Connection pooling
-          timeout: this.config.upstreamTimeoutMs
-        },
-        (proxyRes) => {
-          if (parsed.stream && proxyRes.headers["content-type"]?.includes("text/event-stream")) {
-            this.handleStreamResponse(
-              proxyRes,
-              clientRes,
-              provider,
-              parsed,
-              interceptResult,
-              startTime
-            ).then(resolve5).catch(reject);
-          } else {
-            this.handleBufferedResponse(
-              proxyRes,
-              clientRes,
-              provider,
-              parsed,
-              interceptResult,
-              startTime
-            ).then(resolve5).catch(reject);
-          }
-        }
-      );
-      proxyReq.on("timeout", () => {
-        proxyReq.destroy();
-        reject(new Error("upstream-timeout"));
-      });
-      proxyReq.on("error", reject);
-      proxyReq.write(body);
-      proxyReq.end();
-    });
-  }
-  // ===== STREAM HANDLER =====
-  async handleStreamResponse(proxyRes, clientRes, provider, parsed, interceptResult, startTime) {
-    clientRes.writeHead(proxyRes.statusCode || 200, proxyRes.headers);
-    let fullContent2 = "";
-    let inputTokens = 0;
-    let outputTokens = 0;
-    let sseBuffer = "";
-    return new Promise((resolve5) => {
-      proxyRes.on("data", (chunk) => {
-        clientRes.write(chunk);
-        sseBuffer += chunk.toString();
-        const events = sseBuffer.split("\n\n");
-        sseBuffer = events.pop() || "";
-        for (const event of events) {
-          for (const line of event.split("\n")) {
-            if (!line.startsWith("data: ")) continue;
-            const data = line.slice(6).trim();
-            if (data === "[DONE]") continue;
-            try {
-              const obj = JSON.parse(data);
-              const delta = obj.choices?.[0]?.delta?.content || obj.delta?.text || "";
-              if (delta) fullContent2 += delta;
-              if (obj.usage) {
-                inputTokens = obj.usage.prompt_tokens || obj.usage.input_tokens || 0;
-                outputTokens = obj.usage.completion_tokens || obj.usage.output_tokens || 0;
-              }
-            } catch {
-            }
-          }
-        }
-      });
-      proxyRes.on("end", () => {
-        if (sseBuffer.trim()) {
-          for (const line of sseBuffer.split("\n")) {
-            if (!line.startsWith("data: ")) continue;
-            const data = line.slice(6).trim();
-            if (data === "[DONE]") continue;
-            try {
-              const obj = JSON.parse(data);
-              if (obj.usage) {
-                inputTokens = obj.usage.prompt_tokens || obj.usage.input_tokens || 0;
-                outputTokens = obj.usage.completion_tokens || obj.usage.output_tokens || 0;
-              }
-            } catch {
-            }
-          }
-        }
-        clientRes.end();
-        if (inputTokens === 0) inputTokens = interceptResult.optimizedTokens;
-        if (outputTokens === 0) outputTokens = Math.ceil(fullContent2.length / 4);
-        const costUSD = estimateCost(provider, parsed.model, inputTokens, outputTokens);
-        const originalCost = estimateCost(provider, parsed.model, interceptResult.originalTokens, outputTokens);
-        this.tracker.record({
-          provider: provider.name,
-          model: parsed.model,
-          inputTokens,
-          outputTokens,
-          costUSD,
-          originalTokens: interceptResult.originalTokens,
-          optimizedTokens: interceptResult.optimizedTokens,
-          savedTokens: interceptResult.originalTokens - interceptResult.optimizedTokens,
-          savedUSD: Math.max(0, originalCost - costUSD),
-          secretsRedacted: interceptResult.secretsRedacted,
-          secretsBlocked: false,
-          projectPath: this.config.projectPath,
-          latencyMs: Date.now() - startTime,
-          stream: true
-        });
-        resolve5();
-      });
-      proxyRes.on("error", () => {
-        clientRes.end();
-        resolve5();
-      });
-    });
-  }
-  // ===== BUFFERED HANDLER =====
-  async handleBufferedResponse(proxyRes, clientRes, provider, parsed, interceptResult, startTime) {
-    return new Promise((resolve5) => {
-      const chunks = [];
-      proxyRes.on("data", (chunk) => chunks.push(chunk));
-      proxyRes.on("end", () => {
-        const responseBody = Buffer.concat(chunks).toString();
-        clientRes.writeHead(proxyRes.statusCode || 200, proxyRes.headers);
-        clientRes.end(responseBody);
-        try {
-          const responseJson = JSON.parse(responseBody);
-          const parsedResponse = provider.parseResponse(responseJson, false);
-          const costUSD = estimateCost(
-            provider,
-            parsedResponse.model || parsed.model,
-            parsedResponse.inputTokens,
-            parsedResponse.outputTokens
-          );
-          const originalCost = estimateCost(
-            provider,
-            parsed.model,
-            interceptResult.originalTokens,
-            parsedResponse.outputTokens
-          );
-          this.tracker.record({
-            provider: provider.name,
-            model: parsedResponse.model || parsed.model,
-            inputTokens: parsedResponse.inputTokens,
-            outputTokens: parsedResponse.outputTokens,
-            costUSD,
-            originalTokens: interceptResult.originalTokens,
-            optimizedTokens: interceptResult.optimizedTokens,
-            savedTokens: interceptResult.originalTokens - interceptResult.optimizedTokens,
-            savedUSD: Math.max(0, originalCost - costUSD),
-            secretsRedacted: interceptResult.secretsRedacted,
-            secretsBlocked: false,
-            projectPath: this.config.projectPath,
-            latencyMs: Date.now() - startTime,
-            stream: false
-          });
-        } catch {
-          this.tracker.record({
-            provider: provider.name,
-            model: parsed.model,
-            inputTokens: interceptResult.optimizedTokens,
-            outputTokens: 0,
-            costUSD: 0,
-            originalTokens: interceptResult.originalTokens,
-            optimizedTokens: interceptResult.optimizedTokens,
-            savedTokens: interceptResult.originalTokens - interceptResult.optimizedTokens,
-            savedUSD: 0,
-            secretsRedacted: interceptResult.secretsRedacted,
-            secretsBlocked: false,
-            projectPath: this.config.projectPath,
-            latencyMs: Date.now() - startTime,
-            stream: false,
-            error: "response-parse-failed"
-          });
-        }
-        resolve5();
-      });
-      proxyRes.on("error", () => {
-        clientRes.end();
-        resolve5();
-      });
-    });
-  }
-  // ===== DASHBOARD =====
-  serveDashboard(_req, res) {
-    const summary = this.tracker.getSummary("month");
-    const dailySummary = this.tracker.getSummary("day");
-    const html = generateDashboardHTML(summary, dailySummary, this.config, this.analysis);
-    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-    res.end(html);
-  }
-};
-function readBody(req, maxBytes = 0) {
-  return new Promise((resolve5, reject) => {
-    const chunks = [];
-    let totalBytes = 0;
-    req.on("data", (chunk) => {
-      totalBytes += chunk.length;
-      if (maxBytes > 0 && totalBytes > maxBytes) {
-        req.destroy();
-        reject(new Error("body-too-large"));
-        return;
-      }
-      chunks.push(chunk);
-    });
-    req.on("end", () => resolve5(Buffer.concat(chunks).toString()));
-    req.on("error", reject);
-  });
-}
-function flattenHeaders(headers) {
-  const flat = {};
-  for (const [key, value] of Object.entries(headers)) {
-    if (value) flat[key] = Array.isArray(value) ? value[0] : value;
-  }
-  return flat;
-}
-function rebuildRequestBody(original, messages, provider) {
-  const body = { ...original };
-  if (provider === "anthropic") {
-    const systemMsg = messages.find((m) => m.role === "system");
-    const otherMsgs = messages.filter((m) => m.role !== "system");
-    if (systemMsg) body.system = systemMsg.content;
-    body.messages = otherMsgs;
-  } else if (provider === "google") {
-    const systemMsg = messages.find((m) => m.role === "system");
-    const otherMsgs = messages.filter((m) => m.role !== "system");
-    if (systemMsg) {
-      body.systemInstruction = { parts: [{ text: systemMsg.content }] };
-    }
-    body.contents = otherMsgs.map((m) => ({
-      role: m.role === "assistant" ? "model" : "user",
-      parts: [{ text: m.content }]
-    }));
-  } else {
-    body.messages = messages;
-  }
-  return JSON.stringify(body);
-}
-function generateDashboardHTML(monthly, daily, config, analysis) {
-  const modelRows = Object.entries(monthly.byModel).sort(([, a], [, b]) => b.costUSD - a.costUSD).map(
-    ([model, data]) => `<tr><td>${model}</td><td>${data.requests}</td><td>${(data.tokens / 1e3).toFixed(1)}K</td><td>$${data.costUSD.toFixed(4)}</td></tr>`
-  ).join("");
-  const providerRows = Object.entries(monthly.byProvider).sort(([, a], [, b]) => b.costUSD - a.costUSD).map(
-    ([provider, data]) => `<tr><td>${provider}</td><td>${data.requests}</td><td>$${data.costUSD.toFixed(4)}</td></tr>`
-  ).join("");
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>CTO Gateway Dashboard</title>
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #0a0a0f; color: #e0e0e0; padding: 2rem; }
-    h1 { font-size: 1.8rem; margin-bottom: 0.5rem; color: #fff; }
-    h2 { font-size: 1.2rem; margin: 2rem 0 1rem; color: #8b8bff; }
-    .subtitle { color: #666; margin-bottom: 2rem; }
-    .grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 1rem; margin-bottom: 2rem; }
-    .card { background: #14141f; border: 1px solid #2a2a3a; border-radius: 12px; padding: 1.5rem; }
-    .card .label { font-size: 0.75rem; text-transform: uppercase; color: #666; letter-spacing: 0.05em; }
-    .card .value { font-size: 2rem; font-weight: 700; color: #fff; margin-top: 0.25rem; }
-    .card .detail { font-size: 0.85rem; color: #888; margin-top: 0.25rem; }
-    .card.green .value { color: #4ade80; }
-    .card.red .value { color: #f87171; }
-    .card.blue .value { color: #60a5fa; }
-    .card.purple .value { color: #a78bfa; }
-    table { width: 100%; border-collapse: collapse; margin-top: 0.5rem; }
-    th { text-align: left; padding: 0.5rem; color: #666; font-size: 0.75rem; text-transform: uppercase; border-bottom: 1px solid #2a2a3a; }
-    td { padding: 0.5rem; border-bottom: 1px solid #1a1a2a; font-size: 0.9rem; }
-    .status { display: inline-block; width: 8px; height: 8px; border-radius: 50%; margin-right: 8px; }
-    .status.on { background: #4ade80; }
-    .status.off { background: #666; }
-    .footer { margin-top: 3rem; color: #444; font-size: 0.75rem; }
-    .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 0.7rem; font-weight: 600; }
-    .badge.critical { background: #7f1d1d; color: #fca5a5; }
-    .badge.ok { background: #14532d; color: #86efac; }
-  </style>
-</head>
-<body>
-  <h1>\u26A1 CTO Context Gateway</h1>
-  <p class="subtitle">Real-time AI proxy with context optimization, secret redaction, and cost tracking</p>
-
-  <h2>Today</h2>
-  <div class="grid">
-    <div class="card blue">
-      <div class="label">Requests</div>
-      <div class="value">${daily.totalRequests}</div>
-    </div>
-    <div class="card">
-      <div class="label">Cost</div>
-      <div class="value">$${daily.totalCostUSD.toFixed(2)}</div>
-      ${config.budgetDaily > 0 ? `<div class="detail">Budget: $${config.budgetDaily}/day</div>` : ""}
-    </div>
-    <div class="card green">
-      <div class="label">Tokens Saved</div>
-      <div class="value">${(daily.totalSavedTokens / 1e3).toFixed(1)}K</div>
-      <div class="detail">$${daily.totalSavedUSD.toFixed(2)} saved</div>
-    </div>
-    <div class="card ${daily.totalSecretsRedacted > 0 ? "red" : ""}">
-      <div class="label">Secrets Redacted</div>
-      <div class="value">${daily.totalSecretsRedacted}</div>
-    </div>
-  </div>
-
-  <h2>This Month</h2>
-  <div class="grid">
-    <div class="card blue">
-      <div class="label">Total Requests</div>
-      <div class="value">${monthly.totalRequests}</div>
-    </div>
-    <div class="card">
-      <div class="label">Total Cost</div>
-      <div class="value">$${monthly.totalCostUSD.toFixed(2)}</div>
-      ${config.budgetMonthly > 0 ? `<div class="detail">Budget: $${config.budgetMonthly}/month</div>` : ""}
-    </div>
-    <div class="card green">
-      <div class="label">Total Saved</div>
-      <div class="value">$${monthly.totalSavedUSD.toFixed(2)}</div>
-      <div class="detail">${(monthly.totalSavedTokens / 1e3).toFixed(0)}K tokens</div>
-    </div>
-    <div class="card purple">
-      <div class="label">Tokens Processed</div>
-      <div class="value">${((monthly.totalInputTokens + monthly.totalOutputTokens) / 1e3).toFixed(0)}K</div>
-      <div class="detail">${(monthly.totalInputTokens / 1e3).toFixed(0)}K in / ${(monthly.totalOutputTokens / 1e3).toFixed(0)}K out</div>
-    </div>
-  </div>
-
-  <h2>Features</h2>
-  <div class="grid">
-    <div class="card">
-      <div class="label">Context Optimization</div>
-      <div class="value"><span class="status ${config.optimize ? "on" : "off"}"></span>${config.optimize ? "ON" : "OFF"}</div>
-      ${analysis ? `<div class="detail">${analysis.totalFiles} files, ${(analysis.totalTokens / 1e3).toFixed(0)}K tokens</div>` : '<div class="detail">Loading analysis...</div>'}
-    </div>
-    <div class="card">
-      <div class="label">Secret Redaction</div>
-      <div class="value"><span class="status ${config.redactSecrets ? "on" : "off"}"></span>${config.redactSecrets ? "ON" : "OFF"}</div>
-      ${config.blockOnSecrets ? '<span class="badge critical">BLOCKING</span>' : ""}
-    </div>
-    <div class="card">
-      <div class="label">Cost Tracking</div>
-      <div class="value"><span class="status ${config.costTracking ? "on" : "off"}"></span>${config.costTracking ? "ON" : "OFF"}</div>
-    </div>
-    <div class="card">
-      <div class="label">Audit Log</div>
-      <div class="value"><span class="status ${config.auditLog ? "on" : "off"}"></span>${config.auditLog ? "ON" : "OFF"}</div>
-      <div class="detail">${config.logDir}</div>
-    </div>
-  </div>
-
-  ${modelRows ? `
-  <h2>By Model</h2>
-  <div class="card">
-    <table>
-      <thead><tr><th>Model</th><th>Requests</th><th>Tokens</th><th>Cost</th></tr></thead>
-      <tbody>${modelRows}</tbody>
-    </table>
-  </div>` : ""}
-
-  ${providerRows ? `
-  <h2>By Provider</h2>
-  <div class="card">
-    <table>
-      <thead><tr><th>Provider</th><th>Requests</th><th>Cost</th></tr></thead>
-      <tbody>${providerRows}</tbody>
-    </table>
-  </div>` : ""}
-
-  <div class="footer">
-    CTO Context Gateway v4.0.0 \xB7 Listening on ${config.host}:${config.port} \xB7 <a href="/health" style="color:#666">Health</a>
-  </div>
-
-  <script>setTimeout(() => location.reload(), 30000);</script>
-</body>
-</html>`;
-}
-export {
-  ContextGateway,
-  DEFAULT_GATEWAY_CONFIG,
-  PROVIDERS,
-  UsageTracker,
-  detectProvider,
-  estimateCost,
-  getModelConfig,
-  interceptRequest
-};
-//# sourceMappingURL=index.js.map