cto-ai-cli 5.2.0 → 7.1.0

package/dist/govern/index.js

@@ -1,1101 +0,0 @@
-// src/govern/audit.ts
-import { randomUUID, createHash } from "crypto";
-import { readdir, chmod } from "fs/promises";
-import { join } from "path";
-import { userInfo } from "os";
-import { homedir } from "os";
-var CTO_DIR = ".cto-ai";
-var AUDIT_DIR = "audit";
-var MAX_ENTRIES_PER_FILE = 500;
-function getAuditDir() {
-  return join(homedir(), CTO_DIR, AUDIT_DIR);
-}
-function getCurrentAuditFile() {
-  const date = (/* @__PURE__ */ new Date()).toISOString().split("T")[0].replace(/-/g, "");
-  return join(getAuditDir(), `audit_${date}.json`);
-}
-function computeIntegrityHash(entry) {
-  const payload = JSON.stringify({
-    id: entry.id,
-    timestamp: entry.timestamp,
-    action: entry.action,
-    user: entry.user,
-    projectPath: entry.projectPath,
-    details: entry.details
-  });
-  return createHash("sha256").update(payload).digest("hex");
-}
-async function ensureDir(dirPath) {
-  const { mkdir } = await import("fs/promises");
-  await mkdir(dirPath, { recursive: true });
-}
-async function readJSON(filePath) {
-  const { readFile: readFile4 } = await import("fs/promises");
-  try {
-    const content = await readFile4(filePath, "utf-8");
-    return JSON.parse(content);
-  } catch {
-    return null;
-  }
-}
-async function writeJSON(filePath, data) {
-  const { writeFile: writeFile2 } = await import("fs/promises");
-  await ensureDir(join(filePath, ".."));
-  await writeFile2(filePath, JSON.stringify(data, null, 2), "utf-8");
-}
-async function logAudit(action, projectPath, details = {}) {
-  const auditDir = getAuditDir();
-  await ensureDir(auditDir);
-  let currentUser;
-  try {
-    currentUser = userInfo().username;
-  } catch {
-    currentUser = process.env.USER ?? process.env.USERNAME ?? "unknown";
-  }
-  const partialEntry = {
-    id: randomUUID().substring(0, 12),
-    timestamp: /* @__PURE__ */ new Date(),
-    action,
-    user: currentUser,
-    projectPath,
-    details
-  };
-  const entry = {
-    ...partialEntry,
-    integrityHash: computeIntegrityHash(partialEntry)
-  };
-  const auditFile = getCurrentAuditFile();
-  let entries = await readJSON(auditFile) ?? [];
-  entries.push(entry);
-  if (entries.length > MAX_ENTRIES_PER_FILE) {
-    entries = entries.slice(-MAX_ENTRIES_PER_FILE);
-  }
-  await writeJSON(auditFile, entries);
-  try {
-    await chmod(auditFile, 384);
-  } catch {
-  }
-  return entry;
-}
-async function getAuditEntries(options = {}) {
-  const auditDir = getAuditDir();
-  let files;
-  try {
-    files = await readdir(auditDir);
-  } catch {
-    return [];
-  }
-  const auditFiles = files.filter((f) => f.startsWith("audit_") && f.endsWith(".json")).sort().reverse();
-  const allEntries = [];
-  const limit = options.limit ?? 100;
-  for (const file of auditFiles) {
-    if (allEntries.length >= limit) break;
-    const entries = await readJSON(join(auditDir, file));
-    if (!entries) continue;
-    for (const entry of entries.reverse()) {
-      if (allEntries.length >= limit) break;
-      if (options.projectPath && entry.projectPath !== options.projectPath) continue;
-      if (options.action && entry.action !== options.action) continue;
-      if (options.since && new Date(entry.timestamp) < options.since) continue;
-      allEntries.push(entry);
-    }
-  }
-  return allEntries;
-}
-function verifyAuditEntry(entry) {
-  const { integrityHash, ...rest } = entry;
-  const expected = computeIntegrityHash(rest);
-  return expected === integrityHash;
-}
-async function verifyAuditIntegrity() {
-  const entries = await getAuditEntries({ limit: 1e4 });
-  const invalidEntries = [];
-  for (const entry of entries) {
-    if (!verifyAuditEntry(entry)) {
-      invalidEntries.push(entry);
-    }
-  }
-  return {
-    totalEntries: entries.length,
-    validEntries: entries.length - invalidEntries.length,
-    invalidEntries
-  };
-}
-async function purgeOldAuditEntries(retentionDays) {
-  const auditDir = getAuditDir();
-  let files;
-  try {
-    files = await readdir(auditDir);
-  } catch {
-    return 0;
-  }
-  const cutoff = /* @__PURE__ */ new Date();
-  cutoff.setDate(cutoff.getDate() - retentionDays);
-  const cutoffStr = cutoff.toISOString().split("T")[0].replace(/-/g, "");
-  let purged = 0;
-  const { unlink } = await import("fs/promises");
-  for (const file of files) {
-    if (!file.startsWith("audit_") || !file.endsWith(".json")) continue;
-    const dateStr = file.replace("audit_", "").replace(".json", "");
-    if (dateStr < cutoffStr) {
-      try {
-        await unlink(join(auditDir, file));
-        purged++;
-      } catch {
-      }
-    }
-  }
-  return purged;
-}
-
-// src/govern/secrets.ts
-import { readFile } from "fs/promises";
-import { readFileSync, existsSync, mkdirSync, writeFileSync } from "fs";
-import { resolve, relative, join as join2, dirname } from "path";
-import { createHash as createHash2 } from "crypto";
-var BUILTIN_PATTERNS = [
-  // API Keys
-  { type: "api-key", source: `(?:api[_-]?key|apikey)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{20,})['"]?`, flags: "gi", severity: "critical", description: "API Key" },
-  { type: "api-key", source: "sk-[a-zA-Z0-9]{20,}", flags: "g", severity: "critical", description: "OpenAI/Anthropic API Key" },
-  { type: "api-key", source: "sk-ant-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "Anthropic API Key" },
-  // AWS
-  { type: "aws-key", source: "AKIA[0-9A-Z]{16}", flags: "g", severity: "critical", description: "AWS Access Key ID" },
-  { type: "aws-key", source: `(?:aws_secret_access_key|aws_secret)\\s*[:=]\\s*['"]?([a-zA-Z0-9/+=]{40})['"]?`, flags: "gi", severity: "critical", description: "AWS Secret Key" },
-  // Private Keys
-  { type: "private-key", source: "-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", flags: "g", severity: "critical", description: "Private Key" },
-  { type: "private-key", source: "-----BEGIN OPENSSH PRIVATE KEY-----", flags: "g", severity: "critical", description: "SSH Private Key" },
-  // Passwords
-  { type: "password", source: `(?:password|passwd|pwd)\\s*[:=]\\s*['"]([^'"]{8,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Hardcoded Password" },
-  { type: "password", source: `(?:DB_PASSWORD|DATABASE_PASSWORD|MYSQL_PASSWORD|POSTGRES_PASSWORD)\\s*[:=]\\s*['"]?([^'"{}\\s]{4,})['"]?`, flags: "gi", severity: "high", description: "Database Password" },
-  // Tokens
-  { type: "token", source: `(?:bearer|token|auth_token|access_token|refresh_token)\\s*[:=]\\s*['"]([a-zA-Z0-9_\\-.]{20,})['"](?!\\s*\\{)`, flags: "gi", severity: "high", description: "Auth Token" },
-  { type: "token", source: "ghp_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub Personal Access Token" },
-  { type: "token", source: "gho_[a-zA-Z0-9]{36}", flags: "g", severity: "critical", description: "GitHub OAuth Token" },
-  { type: "token", source: "glpat-[a-zA-Z0-9\\-]{20,}", flags: "g", severity: "critical", description: "GitLab Personal Access Token" },
-  { type: "token", source: "npm_[a-zA-Z0-9]{36}", flags: "g", severity: "high", description: "npm Token" },
-  // Connection strings
-  { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
-  { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
-  // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
-  // Stripe
-  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
-  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
-  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
-  // Slack
-  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
-  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
-  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
-  // Google
-  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
-  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
-  // Azure
-  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
-  // Twilio
-  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
-  // SendGrid
-  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
-  // JWT
-  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
-  // Datadog
-  { type: "api-key", source: `(?:DD_API_KEY|DATADOG_API_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{32})['"]?`, flags: "gi", severity: "critical", description: "Datadog API Key" },
-  { type: "api-key", source: `(?:DD_APP_KEY|DATADOG_APP_KEY)\\s*[:=]\\s*['"]?([a-f0-9]{40})['"]?`, flags: "gi", severity: "critical", description: "Datadog App Key" },
-  // Sentry
-  { type: "connection-string", source: "https://[a-f0-9]{32}@[a-z0-9]+\\.ingest\\.sentry\\.io/[0-9]+", flags: "g", severity: "high", description: "Sentry DSN" },
-  // Firebase
-  { type: "api-key", source: `(?:FIREBASE_API_KEY|FIREBASE_KEY)\\s*[:=]\\s*['"]?([a-zA-Z0-9_\\-]{30,})['"]?`, flags: "gi", severity: "high", description: "Firebase API Key" },
-  { type: "connection-string", source: `firebase[a-z]*:\\/\\/[^\\s'"]+`, flags: "gi", severity: "high", description: "Firebase URL" },
-  // Supabase
-  { type: "api-key", source: "sbp_[a-f0-9]{40}", flags: "g", severity: "critical", description: "Supabase Service Key" },
-  { type: "token", source: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\\.[a-zA-Z0-9_-]{20,}\\.[a-zA-Z0-9_-]{20,}", flags: "g", severity: "high", description: "Supabase Anon/Service JWT" },
-  // Vercel
-  { type: "token", source: `(?:VERCEL_TOKEN|VERCEL_API_TOKEN)\\s*[:=]\\s*['"]?([a-zA-Z0-9]{24,})['"]?`, flags: "gi", severity: "critical", description: "Vercel Token" },
-  // Heroku
-  { type: "api-key", source: `(?:HEROKU_API_KEY|HEROKU_TOKEN)\\s*[:=]\\s*['"]?([a-f0-9\\-]{36,})['"]?`, flags: "gi", severity: "critical", description: "Heroku API Key" },
-  // DigitalOcean
-  { type: "token", source: "dop_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean Personal Access Token" },
-  { type: "token", source: "doo_v1_[a-f0-9]{64}", flags: "g", severity: "critical", description: "DigitalOcean OAuth Token" },
-  // Mailgun
-  { type: "api-key", source: "key-[a-zA-Z0-9]{32}", flags: "g", severity: "high", description: "Mailgun API Key" },
-  // PII
-  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
-  { type: "pii", source: "\\b(?!000|666|9\\d{2})(\\d{3})[-.]?(?!00)(\\d{2})[-.]?(?!0000)(\\d{4})\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
-];
-var _cachedBuiltinPatterns = null;
-function getBuiltinPatterns() {
-  if (!_cachedBuiltinPatterns) {
-    _cachedBuiltinPatterns = BUILTIN_PATTERNS.map((def) => ({
-      type: def.type,
-      pattern: new RegExp(def.source, def.flags),
-      severity: def.severity,
-      description: def.description
-    }));
-  }
-  return _cachedBuiltinPatterns;
-}
-function buildPatterns(customPatterns = []) {
-  const builtins = getBuiltinPatterns();
-  if (customPatterns.length === 0) return builtins;
-  const patterns = [...builtins];
-  for (const custom of customPatterns) {
-    try {
-      patterns.push({
-        type: "custom",
-        pattern: new RegExp(custom, "gi"),
-        severity: "medium",
-        description: `Custom pattern: ${custom}`
-      });
-    } catch {
-    }
-  }
-  return patterns;
-}
-function scanContentForSecrets(content, filePath, customPatterns = [], extraPiiSafeDomains) {
-  const findings = [];
-  const lines = content.split("\n");
-  const allPatterns = buildPatterns(customPatterns);
-  for (const secretPattern of allPatterns) {
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      secretPattern.pattern.lastIndex = 0;
-      let match;
-      while ((match = secretPattern.pattern.exec(line)) !== null) {
-        const matchText = match[0];
-        if (isTemplateOrPlaceholder(matchText)) continue;
-        if (secretPattern.type === "pii" && isSafeEmail(matchText, extraPiiSafeDomains)) continue;
-        findings.push({
-          type: secretPattern.type,
-          file: filePath,
-          line: i + 1,
-          match: matchText,
-          redacted: redactSecret(matchText),
-          severity: secretPattern.severity
-        });
-      }
-    }
-  }
-  return deduplicateFindings(findings);
-}
-async function scanFileForSecrets(filePath, projectPath, customPatterns = []) {
-  try {
-    const content = await readFile(filePath, "utf-8");
-    const relPath = relative(resolve(projectPath), resolve(filePath));
-    return scanContentForSecrets(content, relPath, customPatterns);
-  } catch {
-    return [];
-  }
-}
-async function scanProjectForSecrets(projectPath, filePaths, customPatterns = []) {
-  const allFindings = [];
-  for (const fp of filePaths) {
-    const findings = await scanFileForSecrets(fp, projectPath, customPatterns);
-    allFindings.push(...findings);
-  }
-  return allFindings.sort((a, b) => {
-    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
-    return severityOrder[a.severity] - severityOrder[b.severity];
-  });
-}
-function sanitizeContent(content, customPatterns = []) {
-  let sanitized = content;
-  const allPatterns = buildPatterns(customPatterns);
-  for (const secretPattern of allPatterns) {
-    sanitized = sanitized.replace(secretPattern.pattern, (match) => {
-      if (isTemplateOrPlaceholder(match)) return match;
-      return redactSecret(match);
-    });
-  }
-  return sanitized;
-}
-function redactSecret(value) {
-  if (value.length <= 8) return "***REDACTED***";
-  const prefix = value.substring(0, 4);
-  const suffix = value.substring(value.length - 2);
-  return `${prefix}${"*".repeat(Math.min(value.length - 6, 20))}${suffix}`;
-}
-function isTemplateOrPlaceholder(value) {
-  const placeholders = [
-    /\$\{.*\}/,
-    /\{\{.*\}\}/,
-    /%[sd]/,
-    /<[A-Z_]+>/,
-    /YOUR_.*_HERE/i,
-    /\bCHANGE_ME\b/i,
-    /\bPLACEHOLDER\b/i,
-    /\bexample\b/i,
-    /\bTODO\b/i,
-    /xxx+/i,
-    /\breplace.?me\b/i,
-    /\bdummy\b/i,
-    /\btest_?key\b/i,
-    /\bsample\b/i
-  ];
-  return placeholders.some((p) => p.test(value));
-}
-var PII_SAFE_EMAIL_DOMAINS = /* @__PURE__ */ new Set([
-  "example.com",
-  "example.org",
-  "example.net",
-  "test.com",
-  "test.org",
-  "test.net",
-  "localhost",
-  "localhost.localdomain",
-  "email.com",
-  "mail.com",
-  "foo.com",
-  "bar.com",
-  "baz.com",
-  "acme.com",
-  "company.com",
-  "corp.com",
-  "noreply.com",
-  "no-reply.com",
-  "users.noreply.github.com",
-  "placeholder.com"
-]);
-function isSafeEmail(value, extraDomains) {
-  const match = value.match(/@([a-zA-Z0-9.-]+)$/);
-  if (!match) return false;
-  const domain = match[1].toLowerCase();
-  if (PII_SAFE_EMAIL_DOMAINS.has(domain)) return true;
-  if (extraDomains && extraDomains.has(domain)) return true;
-  return false;
-}
-function deduplicateFindings(findings) {
-  const seen = /* @__PURE__ */ new Set();
-  return findings.filter((f) => {
-    const key = `${f.file}:${f.line}:${f.type}:${f.match}`;
-    if (seen.has(key)) return false;
-    seen.add(key);
-    return true;
-  });
-}
-function fingerprintFinding(f) {
-  return createHash2("sha256").update(`${f.file}:${f.type}:${f.match}`).digest("hex").slice(0, 32);
-}
-function getAllowlistPath(projectPath) {
-  return join2(projectPath, ".cto", "audit", "allowlist.json");
-}
-function loadAllowlist(projectPath) {
-  const filePath = getAllowlistPath(projectPath);
-  if (!existsSync(filePath)) return [];
-  try {
-    return JSON.parse(readFileSync(filePath, "utf-8"));
-  } catch {
-    return [];
-  }
-}
-function saveAllowlist(projectPath, entries) {
-  const filePath = getAllowlistPath(projectPath);
-  mkdirSync(dirname(filePath), { recursive: true });
-  writeFileSync(filePath, JSON.stringify(entries, null, 2) + "\n");
-}
-function addToAllowlist(projectPath, finding, reason, reviewedBy = "manual") {
-  const entries = loadAllowlist(projectPath);
-  const entry = {
-    fingerprint: fingerprintFinding(finding),
-    file: finding.file,
-    type: finding.type,
-    redacted: finding.redacted,
-    reason,
-    reviewedBy,
-    reviewedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  const existing = entries.findIndex((e) => e.fingerprint === entry.fingerprint);
-  if (existing >= 0) {
-    entries[existing] = entry;
-  } else {
-    entries.push(entry);
-  }
-  saveAllowlist(projectPath, entries);
-  return entry;
-}
-function filterByAllowlist(findings, projectPath) {
-  const allowlist = loadAllowlist(projectPath);
-  if (allowlist.length === 0) return { filtered: findings, allowed: [] };
-  const allowedFingerprints = new Set(allowlist.map((e) => e.fingerprint));
-  const filtered = [];
-  const allowed = [];
-  for (const f of findings) {
-    if (allowedFingerprints.has(fingerprintFinding(f))) {
-      allowed.push(f);
-    } else {
-      filtered.push(f);
-    }
-  }
-  return { filtered, allowed };
-}
-function getHashCachePath(projectPath) {
-  return join2(projectPath, ".cto", "audit", ".hashcache.json");
-}
-function loadHashCache(projectPath) {
-  const filePath = getHashCachePath(projectPath);
-  if (!existsSync(filePath)) return {};
-  try {
-    return JSON.parse(readFileSync(filePath, "utf-8"));
-  } catch {
-    return {};
-  }
-}
-function saveHashCache(projectPath, cache) {
-  const filePath = getHashCachePath(projectPath);
-  mkdirSync(dirname(filePath), { recursive: true });
-  writeFileSync(filePath, JSON.stringify(cache));
-}
-function hashContent(content) {
-  return createHash2("sha256").update(content).digest("hex").slice(0, 16);
-}
-function getChangedFiles(projectPath, filePaths) {
-  const oldCache = loadHashCache(projectPath);
-  const newCache = {};
-  const changed = [];
-  const unchanged = [];
-  for (const fp of filePaths) {
-    try {
-      const content = readFileSync(fp, "utf-8");
-      const relPath = relative(resolve(projectPath), resolve(fp));
-      const hash = hashContent(content);
-      newCache[relPath] = hash;
-      if (oldCache[relPath] === hash) {
-        unchanged.push(fp);
-      } else {
-        changed.push(fp);
-      }
-    } catch {
-      changed.push(fp);
-    }
-  }
-  return { changed, unchanged, cache: newCache };
-}
-var DEFAULT_AUDIT_CONFIG = {
-  severityOverrides: {},
-  piiSafeDomains: [],
-  customPatterns: [],
-  entropyThreshold: 5,
-  includePII: true,
-  incrementalScan: true
-};
-function getAuditConfigPath(projectPath) {
-  return join2(projectPath, ".cto", "audit", "config.json");
-}
-function loadAuditConfig(projectPath) {
-  const filePath = getAuditConfigPath(projectPath);
-  if (!existsSync(filePath)) return { ...DEFAULT_AUDIT_CONFIG };
-  try {
-    const loaded = JSON.parse(readFileSync(filePath, "utf-8"));
-    return { ...DEFAULT_AUDIT_CONFIG, ...loaded };
-  } catch {
-    return { ...DEFAULT_AUDIT_CONFIG };
-  }
-}
-function saveAuditConfig(projectPath, config) {
-  const filePath = getAuditConfigPath(projectPath);
-  mkdirSync(dirname(filePath), { recursive: true });
-  writeFileSync(filePath, JSON.stringify(config, null, 2) + "\n");
-}
-function applySeverityOverrides(findings, overrides) {
-  if (Object.keys(overrides).length === 0) return findings;
-  return findings.map((f) => {
-    const override = overrides[f.type];
-    if (override) return { ...f, severity: override };
-    return f;
-  });
-}
-function generatePreCommitHook(projectPath, hookType = "husky") {
-  const hookContent = `#!/bin/sh
-# CTO Secret Detection \u2014 Pre-commit hook
-# Auto-generated by: npx cto-ai-cli --audit --init-hook
-# Scans ONLY staged files for secrets before allowing commit.
-
-STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
-
-if [ -z "$STAGED_FILES" ]; then
-  exit 0
-fi
-
-echo "\u{1F50D} CTO: Scanning $(echo "$STAGED_FILES" | wc -l | tr -d ' ') staged files for secrets..."
-
-# Write staged files to temp list
-TMPFILE=$(mktemp)
-echo "$STAGED_FILES" > "$TMPFILE"
-
-# Run audit in CI mode on staged files only
-CI=true npx cto-ai-cli --audit --files "$TMPFILE"
-RESULT=$?
-
-rm -f "$TMPFILE"
-
-if [ $RESULT -ne 0 ]; then
-  echo ""
-  echo "\u274C Commit blocked: secrets detected in staged files."
-  echo "   Run 'npx cto-ai-cli --audit' to see details."
-  echo "   Use allowlist to mark reviewed findings as safe."
-  echo ""
-  exit 1
-fi
-
-echo "\u2705 No secrets detected. Proceeding with commit."
-`;
-  let hookPath;
-  if (hookType === "husky") {
-    hookPath = join2(projectPath, ".husky", "pre-commit");
-  } else {
-    hookPath = join2(projectPath, ".git", "hooks", "pre-commit");
-  }
-  mkdirSync(dirname(hookPath), { recursive: true });
-  writeFileSync(hookPath, hookContent, { mode: 493 });
-  return hookPath;
-}
-function shannonEntropy(str) {
-  const freq = /* @__PURE__ */ new Map();
-  for (const ch of str) {
-    freq.set(ch, (freq.get(ch) || 0) + 1);
-  }
-  let entropy = 0;
-  for (const count of freq.values()) {
-    const p = count / str.length;
-    if (p > 0) entropy -= p * Math.log2(p);
-  }
-  return entropy;
-}
-var HIGH_ENTROPY_RE = /['"]([a-zA-Z0-9+/=_\-]{30,})['"]|=\s*['"]?([a-zA-Z0-9+/=_\-]{30,})['"]?/g;
-var ENTROPY_SKIP = [
-  /^[a-f0-9]{32,}$/i,
-  // hex hashes
-  /^[A-Z_]{30,}$/,
-  // all-caps constants
-  /^[a-z_]{30,}$/,
-  // all-lowercase identifiers
-  /^[a-zA-Z0-9+/]+=+$/,
-  // base64 padding
-  /^[a-z]+[A-Z][a-zA-Z]+$/,
-  // camelCase identifiers
-  /sha\d+-/i
-  // integrity hashes (sha256-, sha512-)
-];
-function scanContentForHighEntropy(content, filePath, threshold = 5) {
-  const findings = [];
-  const lines = content.split("\n");
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    if (line.trim().startsWith("//") || line.trim().startsWith("#") || line.trim().startsWith("*")) continue;
-    HIGH_ENTROPY_RE.lastIndex = 0;
-    let match;
-    while ((match = HIGH_ENTROPY_RE.exec(line)) !== null) {
-      const value = match[1] || match[2];
-      if (!value || value.length < 40) continue;
-      if (isTemplateOrPlaceholder(value)) continue;
-      if (ENTROPY_SKIP.some((p) => p.test(value))) continue;
-      const entropy = shannonEntropy(value);
-      if (entropy >= threshold) {
-        findings.push({
-          type: "high-entropy",
-          file: filePath,
-          line: i + 1,
-          match: value,
-          redacted: redactSecret(value),
-          severity: entropy >= 5 ? "high" : "medium"
-        });
-      }
-    }
-  }
-  return deduplicateFindings(findings);
-}
-async function auditProject(projectPath, filePaths, options = {}) {
-  const savedConfig = loadAuditConfig(projectPath);
-  const customPatterns = options.customPatterns ?? savedConfig.customPatterns;
-  const entropyThreshold = options.entropyThreshold ?? savedConfig.entropyThreshold;
-  const includePII = options.includePII ?? savedConfig.includePII;
-  const useAllowlist = options.useAllowlist ?? true;
-  const incrementalScan = options.incrementalScan ?? savedConfig.incrementalScan;
-  const severityOverrides = options.severityOverrides ?? savedConfig.severityOverrides;
-  let extraPiiDomains;
-  const allExtraDomains = [...options.piiSafeDomains || [], ...savedConfig.piiSafeDomains];
-  if (allExtraDomains.length > 0) {
-    extraPiiDomains = new Set(allExtraDomains.map((d) => d.toLowerCase()));
-  }
-  let filesToScan = filePaths;
-  let unchangedCount = 0;
-  let newCache = null;
-  if (incrementalScan) {
-    const { changed, unchanged, cache } = getChangedFiles(projectPath, filePaths);
-    newCache = cache;
-    if (changed.length < filePaths.length) {
-      filesToScan = changed;
-      unchangedCount = unchanged.length;
-    }
-  }
-  const allFindings = [];
-  const filesWithSecrets = /* @__PURE__ */ new Set();
-  for (const fp of filesToScan) {
-    try {
-      const content = await readFile(fp, "utf-8");
-      const relPath = relative(resolve(projectPath), resolve(fp));
-      const isTestFile = /\.(test|spec|mock)\.[jt]sx?$/.test(relPath) || relPath.includes("__tests__");
-      const isDtsFile = relPath.endsWith(".d.ts");
-      let findings = scanContentForSecrets(content, relPath, customPatterns, extraPiiDomains);
-      if (!includePII) {
-        findings = findings.filter((f) => f.type !== "pii");
-      }
-      const entropyFindings = isTestFile || isDtsFile ? [] : scanContentForHighEntropy(content, relPath, entropyThreshold);
-      const combined = [...findings, ...entropyFindings];
-      if (combined.length > 0) {
-        filesWithSecrets.add(relPath);
-        allFindings.push(...combined);
-      }
-    } catch {
-    }
-  }
-  let finalFindings = applySeverityOverrides(allFindings, severityOverrides);
-  let allowedCount = 0;
-  if (useAllowlist) {
-    const { filtered, allowed } = filterByAllowlist(finalFindings, projectPath);
-    finalFindings = filtered;
-    allowedCount = allowed.length;
-  }
-  finalFindings.sort((a, b) => {
-    const order = { critical: 0, high: 1, medium: 2, low: 3 };
-    return order[a.severity] - order[b.severity];
-  });
-  if (newCache) {
-    saveHashCache(projectPath, newCache);
-  }
-  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
-  const byType = {};
-  for (const f of finalFindings) {
-    bySeverity[f.severity]++;
-    byType[f.type] = (byType[f.type] || 0) + 1;
-  }
-  const recommendations = [];
-  if (bySeverity.critical > 0) {
-    recommendations.push("CRITICAL: Rotate all detected credentials immediately. They may already be compromised.");
-  }
-  if (byType["password"] > 0) {
-    recommendations.push("Move passwords to environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).");
-  }
-  if (byType["api-key"] > 0 || byType["aws-key"] > 0) {
-    recommendations.push("Use environment variables for API keys. Never commit them to source control.");
-  }
-  if (byType["connection-string"] > 0) {
-    recommendations.push("Database connection strings should use environment variables, not hardcoded values.");
-  }
-  if (byType["private-key"] > 0) {
-    recommendations.push("Private keys should NEVER be in source code. Use a key management service.");
-  }
-  if (byType["pii"] > 0) {
-    recommendations.push("PII detected. Review for GDPR/CCPA compliance. Consider data anonymization.");
-  }
-  if (byType["high-entropy"] > 0) {
-    recommendations.push("High-entropy strings detected that may be secrets. Review manually.");
-  }
-  if (finalFindings.length > 0) {
-    recommendations.push("Add a .gitignore entry for .env files if not already present.");
-    recommendations.push("Run `npx cto-ai-cli --audit` regularly or add to CI pipeline.");
-  }
-  if (finalFindings.length === 0) {
-    recommendations.push("No secrets detected. Great job keeping your codebase clean!");
-  }
-  if (allowedCount > 0) {
-    recommendations.push(`${allowedCount} finding(s) skipped via allowlist (.cto/audit/allowlist.json).`);
-  }
-  if (unchangedCount > 0) {
-    recommendations.push(`${unchangedCount} unchanged file(s) skipped (incremental scan).`);
-  }
-  return {
-    findings: finalFindings,
-    summary: {
-      totalFiles: filePaths.length,
-      filesScanned: filesToScan.length,
-      filesWithSecrets: filesWithSecrets.size,
-      totalFindings: finalFindings.length,
-      bySeverity,
-      byType
-    },
-    recommendations
-  };
-}
-
-// src/engine/graph-utils.ts
-function matchGlob(path, pattern) {
-  const regexStr = pattern.replace(/\./g, "\\.").replace(/\*\*/g, "\xA7\xA7").replace(/\*/g, "[^/]*").replace(/§§/g, ".*").replace(/\?/g, ".");
-  try {
-    return new RegExp(`^${regexStr}$`).test(path);
-  } catch {
-    return false;
-  }
-}
-
-// src/govern/policy.ts
-var DEFAULT_POLICY = {
-  version: "1.0",
-  name: "default",
-  rules: [
-    {
-      id: "no-env",
-      type: "exclude-always",
-      pattern: "**/*.env*",
-      reason: "Environment files must never be sent to AI",
-      enabled: true
-    },
-    {
-      id: "no-secrets",
-      type: "secret-block",
-      reason: "Files with detected secrets are blocked",
-      enabled: true
-    },
-    {
-      id: "min-coverage",
-      type: "coverage-minimum",
-      threshold: 70,
-      reason: "Warn if context coverage drops below 70%",
-      enabled: true
-    }
-  ]
-};
-function validateSelection(selection, policies, allFiles) {
-  const violations = [];
-  const warnings = [];
-  const includedPaths = new Set(selection.files.map((f) => f.relativePath));
-  for (const rule of policies.rules) {
-    if (!rule.enabled) continue;
-    switch (rule.type) {
-      case "exclude-always": {
-        if (!rule.pattern) break;
-        const violatingFiles = selection.files.filter(
-          (f) => matchGlob(f.relativePath, rule.pattern)
-        );
-        for (const f of violatingFiles) {
-          violations.push({
-            rule,
-            message: `File "${f.relativePath}" is included but matches exclude-always pattern "${rule.pattern}"`,
-            severity: "error"
-          });
-        }
-        break;
-      }
-      case "include-always": {
-        if (!rule.pattern || !allFiles) break;
-        const requiredFiles = allFiles.filter(
-          (f) => matchGlob(f.relativePath, rule.pattern)
-        );
-        for (const f of requiredFiles) {
-          if (!includedPaths.has(f.relativePath)) {
-            violations.push({
-              rule,
-              message: `File "${f.relativePath}" matches include-always pattern "${rule.pattern}" but is not included`,
-              severity: "warning"
-            });
-          }
-        }
-        break;
-      }
-      case "coverage-minimum": {
-        const threshold = rule.threshold ?? 70;
-        if (selection.coverage.score < threshold) {
-          warnings.push({
-            rule,
-            message: `Coverage ${selection.coverage.score}% is below minimum ${threshold}%`,
-            currentValue: selection.coverage.score,
-            threshold
-          });
-        }
-        break;
-      }
-      case "risk-maximum": {
-        const threshold = rule.threshold ?? 50;
-        if (selection.riskScore > threshold) {
-          warnings.push({
-            rule,
-            message: `Exclusion risk ${selection.riskScore}/100 exceeds maximum ${threshold}`,
-            currentValue: selection.riskScore,
-            threshold
-          });
-        }
-        break;
-      }
-      case "budget-limit": {
-        if (!rule.category || !rule.threshold) break;
-        const categoryFiles = selection.files.filter(
-          (f) => fileMatchesCategory(f.relativePath, rule.category)
-        );
-        const categoryTokens = categoryFiles.reduce((s, f) => s + f.tokens, 0);
-        const categoryPercent = selection.totalTokens > 0 ? categoryTokens / selection.totalTokens * 100 : 0;
-        if (categoryPercent > rule.threshold) {
-          warnings.push({
-            rule,
-            message: `Category "${rule.category}" uses ${Math.round(categoryPercent)}% of budget (max: ${rule.threshold}%)`,
-            currentValue: Math.round(categoryPercent),
-            threshold: rule.threshold
-          });
-        }
-        break;
-      }
-    }
-  }
-  return {
-    passed: violations.filter((v) => v.severity === "error").length === 0,
-    violations,
-    warnings
-  };
-}
-function addRule(policies, rule) {
-  return {
-    ...policies,
-    rules: [...policies.rules, rule]
-  };
-}
-function removeRule(policies, ruleId) {
-  return {
-    ...policies,
-    rules: policies.rules.filter((r) => r.id !== ruleId)
-  };
-}
-function toggleRule(policies, ruleId, enabled) {
-  return {
-    ...policies,
-    rules: policies.rules.map(
-      (r) => r.id === ruleId ? { ...r, enabled } : r
-    )
-  };
-}
-function fileMatchesCategory(path, category) {
-  switch (category) {
-    case "test":
-      return /\.(test|spec)\.[jt]sx?$/.test(path) || /\/__tests__\//.test(path) || /\/tests?\//.test(path);
-    case "config":
-      return /\.(config|rc)\.[jt]s$/.test(path) || /\.json$/.test(path) || /\.ya?ml$/.test(path);
-    case "docs":
-      return /\.(md|txt|rst)$/.test(path);
-    case "types":
-      return /types?\//i.test(path) || /\.d\.ts$/.test(path);
-    default:
-      return path.includes(category);
-  }
-}
-
-// src/govern/snapshot.ts
-import { randomUUID as randomUUID2, createHash as createHash3 } from "crypto";
-import "fs/promises";
-function createSnapshot(name, analysis, selection, metadata = {}) {
-  const files = selection.files.map((f) => ({
-    relativePath: f.relativePath,
-    hash: hashString(`${f.relativePath}:${f.tokens}:${f.pruneLevel}`),
-    tokens: f.tokens,
-    pruneLevel: f.pruneLevel
-  }));
-  const snapshotData = files.map((f) => `${f.relativePath}:${f.hash}:${f.pruneLevel}`).sort().join("|");
-  return {
-    id: randomUUID2().substring(0, 8),
-    name,
-    createdAt: /* @__PURE__ */ new Date(),
-    hash: hashString(snapshotData),
-    projectHash: analysis.hash,
-    analysisHash: analysis.hash,
-    selectionHash: selection.hash,
-    files,
-    totalTokens: selection.totalTokens,
-    coverageScore: selection.coverage.score,
-    riskScore: selection.riskScore,
-    metadata
-  };
-}
-async function verifySnapshot(snapshot, currentAnalysis, currentSelection) {
-  const currentFiles = new Map(
-    currentSelection.files.map((f) => [f.relativePath, f])
-  );
-  let filesMatched = 0;
-  const filesMissing = [];
-  const filesChanged = [];
-  for (const snapFile of snapshot.files) {
-    const current = currentFiles.get(snapFile.relativePath);
-    if (!current) {
-      filesMissing.push(snapFile.relativePath);
-      continue;
-    }
-    const currentHash2 = hashString(
-      `${current.relativePath}:${current.tokens}:${current.pruneLevel}`
-    );
-    if (currentHash2 === snapFile.hash) {
-      filesMatched++;
-    } else {
-      filesChanged.push(snapFile.relativePath);
-    }
-  }
-  const currentSnapshotData = snapshot.files.map((f) => {
-    const current = currentFiles.get(f.relativePath);
-    if (!current) return `${f.relativePath}:MISSING:MISSING`;
-    return `${current.relativePath}:${hashString(`${current.relativePath}:${current.tokens}:${current.pruneLevel}`)}:${current.pruneLevel}`;
-  }).sort().join("|");
-  const currentHash = hashString(currentSnapshotData);
-  const integrityOk = currentHash === snapshot.hash && filesMissing.length === 0 && filesChanged.length === 0;
-  return {
-    valid: integrityOk,
-    snapshotId: snapshot.id,
-    filesChecked: snapshot.files.length,
-    filesMatched,
-    filesMissing,
-    filesChanged,
-    integrityOk
-  };
-}
-function compareSnapshots(older, newer) {
-  const olderFiles = new Map(older.files.map((f) => [f.relativePath, f]));
-  const newerFiles = new Map(newer.files.map((f) => [f.relativePath, f]));
-  const added = [];
-  const removed = [];
-  const changed = [];
-  for (const [path, file] of newerFiles) {
-    const old = olderFiles.get(path);
-    if (!old) {
-      added.push(path);
-    } else if (old.hash !== file.hash) {
-      changed.push(path);
-    }
-  }
-  for (const path of olderFiles.keys()) {
-    if (!newerFiles.has(path)) {
-      removed.push(path);
-    }
-  }
-  return {
-    added,
-    removed,
-    changed,
-    tokenDelta: newer.totalTokens - older.totalTokens,
-    coverageDelta: newer.coverageScore - older.coverageScore,
-    riskDelta: newer.riskScore - older.riskScore
-  };
-}
-function hashString(input) {
-  return createHash3("sha256").update(input).digest("hex").substring(0, 16);
-}
-
-// src/govern/integrity.ts
-import { createHash as createHash4 } from "crypto";
-import { readFile as readFile3, chmod as chmod2, readdir as readdir2, stat } from "fs/promises";
-import { join as join3 } from "path";
-function hashContent2(content) {
-  return createHash4("sha256").update(content).digest("hex");
-}
-async function hashFile(filePath) {
-  try {
-    const content = await readFile3(filePath);
-    return hashContent2(content);
-  } catch {
-    return null;
-  }
-}
-async function buildManifest(projectDir) {
-  const entries = [];
-  async function scanDir(dir, type) {
-    let files;
-    try {
-      files = await readdir2(dir);
-    } catch {
-      return;
-    }
-    for (const file of files) {
-      const fullPath = join3(dir, file);
-      try {
-        const fileStat = await stat(fullPath);
-        if (fileStat.isFile()) {
-          const hash = await hashFile(fullPath);
-          if (hash) {
-            entries.push({
-              filePath: fullPath,
-              hash,
-              size: fileStat.size,
-              createdAt: fileStat.mtime,
-              type
-            });
-          }
-        }
-      } catch {
-      }
-    }
-  }
-  await scanDir(join3(projectDir, "snapshots"), "snapshot");
-  await scanDir(join3(projectDir, "audit"), "audit");
-  await scanDir(projectDir, "config");
-  return {
-    version: "2.0",
-    createdAt: /* @__PURE__ */ new Date(),
-    entries
-  };
-}
-async function verifyManifest(manifest) {
-  const invalidFiles = [];
-  const missingFiles = [];
-  for (const entry of manifest.entries) {
-    const currentHash = await hashFile(entry.filePath);
-    if (currentHash === null) {
-      missingFiles.push(entry.filePath);
-    } else if (currentHash !== entry.hash) {
-      invalidFiles.push(entry.filePath);
-    }
-  }
-  return {
-    totalFiles: manifest.entries.length,
-    validFiles: manifest.entries.length - invalidFiles.length - missingFiles.length,
-    invalidFiles,
-    missingFiles
-  };
-}
-async function securePermissions(dirPath) {
-  let count = 0;
-  try {
-    await chmod2(dirPath, 448);
-    count++;
-    const files = await readdir2(dirPath);
-    for (const file of files) {
-      try {
-        const fullPath = join3(dirPath, file);
-        const fileStat = await stat(fullPath);
-        if (fileStat.isFile()) {
-          await chmod2(fullPath, 384);
-          count++;
-        }
-      } catch {
-      }
-    }
-  } catch {
-  }
-  return count;
-}
-export {
-  DEFAULT_AUDIT_CONFIG,
-  DEFAULT_POLICY,
-  addRule,
-  addToAllowlist,
-  auditProject,
-  buildManifest,
-  compareSnapshots,
-  createSnapshot,
-  filterByAllowlist,
-  generatePreCommitHook,
-  getAuditEntries,
-  getChangedFiles,
-  hashContent2 as hashContent,
-  hashFile,
-  loadAllowlist,
-  loadAuditConfig,
-  logAudit,
-  purgeOldAuditEntries,
-  removeRule,
-  sanitizeContent,
-  saveAllowlist,
-  saveAuditConfig,
-  scanContentForHighEntropy,
-  scanContentForSecrets,
-  scanFileForSecrets,
-  scanProjectForSecrets,
-  securePermissions,
-  toggleRule,
-  validateSelection,
-  verifyAuditEntry,
-  verifyAuditIntegrity,
-  verifyManifest,
-  verifySnapshot
-};
-//# sourceMappingURL=index.js.map