great-cto 2.22.3 → 2.24.0

package/dist/adapt.js

@@ -1,16 +1,25 @@
-// great-cto adapt — Claude Code config generator.
+// great-cto adapt — AI config generator.
 //
 // Writes CLAUDE.md + AGENTS.md from .great_cto/PROJECT.md context.
+// Also generates cross-AI configs for Cursor, Copilot, Windsurf, Aider
+// when ai_tools is set in PROJECT.md.
 //
 // Usage:
-//   great-cto adapt            Generate CLAUDE.md + AGENTS.md
+//   great-cto adapt            Generate all configs (reads ai_tools from PROJECT.md)
 //   great-cto adapt --dry-run  Show what would be written
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
+const VALID_AI_TOOLS = ["claude-code", "cursor", "copilot", "windsurf", "aider"];
+function parseAiTools(text) {
+    const line = text.match(/^ai_tools:\s*(.+)$/m)?.[1] ?? "";
+    // Support: [claude-code, cursor] or claude-code, cursor or claude-code
+    const raw = line.replace(/[\[\]]/g, "").split(/[,\s]+/).map(s => s.trim()).filter(Boolean);
+    return raw.filter((t) => VALID_AI_TOOLS.includes(t));
+}
 function readProjectMeta(cwd) {
     const projectMd = join(cwd, ".great_cto", "PROJECT.md");
     if (!existsSync(projectMd)) {
-        return { archetype: "unknown", compliance: [], owners: "", hasGreatCto: false };
+        return { archetype: "unknown", compliance: [], owners: "", hasGreatCto: false, aiTools: ["claude-code"], projectName: "project" };
     }
     const text = readFileSync(projectMd, "utf8");
     const archetype = (text.match(/^primary:\s*(\S+)/m)?.[1] ?? "unknown").trim();
@@ -20,7 +29,63 @@ function readProjectMeta(cwd) {
         .map(s => s.trim())
         .filter(Boolean);
     const owners = (text.match(/^owners?:\s*(.+)$/m)?.[1] ?? "").trim();
-    return { archetype, compliance, owners, hasGreatCto: true };
+    const aiTools = parseAiTools(text);
+    // Infer project name from first H1 heading
+    const projectName = (text.match(/^#\s+(.+)$/m)?.[1] ?? "project").trim();
+    return { archetype, compliance, owners, hasGreatCto: true, aiTools: aiTools.length > 0 ? aiTools : ["claude-code"], projectName };
+}
+/**
+ * Project Constitution — universal hard constraints injected into every AI config.
+ * Inspired by Spec Driven Development (FredAntB/Spec-Driven-Development).
+ */
+function getConstitutionBlock(meta) {
+    const hasSpec = existsSync(join(process.cwd(), "requirements.md"));
+    const specSection = hasSpec ? `
+## Spec files (source of truth)
+
+  requirements.md  — What the system must do
+  design.md        — How the system is structured
+  tasks.md         — Ordered implementation plan
+
+MANDATORY BEFORE ANY ACTION:
+  0. If CONTEXT.md exists, read it first — it has session state
+  1. Read requirements.md — understand what is in scope
+  2. Read design.md — understand how it is structured
+  3. Read tasks.md — find the next incomplete [ ] task
+` : `
+## Session context
+
+  0. If CONTEXT.md exists, read it first — it has the active task and session state
+  1. Read .great_cto/PROJECT.md — archetype, compliance gates, team mode
+  2. Read .great_cto/lessons.md if present — past mistakes and patterns
+`;
+    return `
+═══════════════════════════════════════════════════════════
+PROJECT CONSTITUTION — ${meta.projectName.toUpperCase()}
+Generated by great-cto adapt · ${new Date().toISOString().slice(0, 10)}
+═══════════════════════════════════════════════════════════
+${specSection}
+HARD CONSTRAINTS (no exceptions):
+  ✗ Never implement requirements not explicitly defined in requirements.md
+  ✗ Never alter the data model without updating design.md first
+  ✗ Never mark a task [x] without verifying its acceptance criterion
+  ✗ Never create files not listed or implied in design.md
+  ✗ Never guess when a requirement is ambiguous — ask instead
+  ✗ Never skip gates (security-officer, qa-engineer) — use /waiver with reason
+
+AFTER COMPLETING A TASK:
+  1. Run the verification step listed in tasks.md (or acceptance criterion)
+  2. Mark the task [x] in tasks.md
+  3. Update CONTEXT.md resume block with the next active task
+  4. Record any divergences from design.md in CONTEXT.md
+
+IF IMPLEMENTATION MUST DEVIATE FROM DESIGN:
+  1. Stop immediately
+  2. Describe the conflict clearly
+  3. Wait for explicit approval
+  4. Update design.md FIRST, then implement
+═══════════════════════════════════════════════════════════
+`;
 }
 /**
  * AGENTS.md — Claude Code reads this as the cross-tool agent contract.
@@ -29,7 +94,9 @@ function getAgentsCore(meta) {
     const compliance = meta.compliance.length > 0
         ? meta.compliance.map(c => `- ${c}`).join("\n")
         : "_(none auto-detected — set in .great_cto/PROJECT.md)_";
+    const constitution = getConstitutionBlock(meta);
     return `# AGENTS.md
+${constitution}
 
 > Project agent contract for Claude Code. Generated by \`great-cto adapt\` —
 > re-run after editing \`.great_cto/PROJECT.md\`.
@@ -133,6 +200,117 @@ gates "because it's just a small change" — that's the path to incidents.
 _Generated by \`great-cto@${getCliVersion()}\` adapt at ${new Date().toISOString().slice(0, 10)}_
 `;
 }
+// ── Cross-AI config generators ─────────────────────────────────────────────
+function getCursorrules(meta) {
+    const constitution = getConstitutionBlock(meta);
+    return `${constitution}
+
+# .cursorrules — Cursor AI configuration for ${meta.projectName}
+# Generated by great-cto adapt · ${new Date().toISOString().slice(0, 10)}
+
+## Project context
+
+- **Archetype:** ${meta.archetype}
+- **Compliance:** ${meta.compliance.join(", ") || "none"}
+- **Stack:** See .great_cto/PROJECT.md
+
+## Coding conventions
+
+- TypeScript strict mode — no \`any\` without explanatory comment
+- ESM modules only (.mjs / "type":"module")
+- Conventional commits: feat / fix / docs / refactor / test / chore
+- Tests before implementation (RED → GREEN → REFACTOR), 80%+ coverage
+- One concern per PR — refactors and behaviour changes are separate PRs
+
+## Agent routing
+
+For complex tasks, prefer the great_cto agent pipeline (via Claude Code):
+- Architecture decisions → \`architect\` agent
+- Feature planning → \`pm\` agent
+- Implementation → \`senior-dev\` agent
+- Security review → \`security-officer\` agent
+
+See AGENTS.md for the full routing table.
+`;
+}
+function getCopilotInstructions(meta) {
+    const constitution = getConstitutionBlock(meta);
+    return `${constitution}
+
+# GitHub Copilot Instructions for ${meta.projectName}
+# Generated by great-cto adapt · ${new Date().toISOString().slice(0, 10)}
+
+## Project context
+
+- **Archetype:** ${meta.archetype}
+- **Compliance gates:** ${meta.compliance.join(", ") || "none"}
+- **Read first:** CONTEXT.md (session state), requirements.md (scope)
+
+## Code style
+
+- TypeScript strict mode, ESM-only
+- Conventional commits
+- Test-first development — write tests before implementation
+- No secrets in code — great-cto scan blocks ~13 patterns
+
+## What NOT to do
+
+- Do not implement features not in requirements.md
+- Do not alter data models without updating design.md
+- Do not generate placeholder files with TODO tokens
+- Do not guess ambiguous requirements — surface them for human decision
+`;
+}
+function getWindsurfrules(meta) {
+    const constitution = getConstitutionBlock(meta);
+    return `${constitution}
+
+# .windsurfrules — Windsurf AI configuration for ${meta.projectName}
+# Generated by great-cto adapt · ${new Date().toISOString().slice(0, 10)}
+
+## Session startup
+
+1. Read CONTEXT.md — resume active task from resume block
+2. Read requirements.md — understand scope
+3. Read design.md — understand structure
+4. Find next incomplete [ ] task in tasks.md
+
+## Project context
+
+- Archetype: ${meta.archetype}
+- Compliance: ${meta.compliance.join(", ") || "none"}
+- Spec files: requirements.md / design.md / tasks.md
+
+## Hard rules
+
+- Never implement beyond requirements.md scope
+- Never skip the CONTEXT.md update at session end
+- Run verification step before marking any task complete
+`;
+}
+function getAiderConf(meta) {
+    return `# .aider.conf.yml — Aider configuration for ${meta.projectName}
+# Generated by great-cto adapt · ${new Date().toISOString().slice(0, 10)}
+
+# Read these files as context at startup
+read:
+  - CONTEXT.md
+  - requirements.md
+  - design.md
+  - tasks.md
+  - .great_cto/PROJECT.md
+
+# Commit message format
+commit-prompt: |
+  Write a conventional commit message (feat/fix/docs/refactor/test/chore).
+  Be specific about what changed and why.
+  Never mention private project names — use <private-project> placeholder.
+
+# Conventions
+auto-commits: false
+dirty-commits: false
+`;
+}
 function getCliVersion() {
     try {
         const here = dirname(new URL(import.meta.url).pathname);
@@ -171,8 +349,8 @@ conventions. Generated by \`great-cto adapt\`.
 
 ## Claude Code specifics
 
-- The great_cto plugin orchestrates 34 specialist agents — pipeline runs
-  through \`/start\`, \`/inbox\`, \`/save\`, etc.
+- The great_cto plugin orchestrates specialist agents — pipeline runs
+  through \`/start\`, \`/inbox\`, \`/save\`, \`/spec\`, etc.
 - Memory is layered: \`.great_cto/PROJECT.md\` (L1) → \`lessons.md\` (L3) →
   \`~/.great_cto/decisions.md\` (L4 cross-project ADR log).
 - Run \`great-cto board\` (\`http://localhost:3141\`) for the kanban + metrics
@@ -180,6 +358,7 @@ conventions. Generated by \`great-cto adapt\`.
 
 ## Quick links
 
+- \`/spec\` — interview → requirements.md + design.md + tasks.md
 - \`/start "..."\` — kick off a feature pipeline
 - \`/inbox\` — see what needs your decision
 - \`/agent-review\` — performance scorecard for agents
@@ -189,6 +368,38 @@ conventions. Generated by \`great-cto adapt\`.
         out.push("AGENTS.md");
     if (writeFile(join(cwd, "CLAUDE.md"), claudeBody, dryRun))
         out.push("CLAUDE.md");
+    // Cross-AI config files based on ai_tools in PROJECT.md
+    for (const tool of meta.aiTools) {
+        switch (tool) {
+            case "cursor": {
+                const path = join(cwd, ".cursorrules");
+                if (writeFile(path, getCursorrules(meta), dryRun))
+                    out.push(".cursorrules");
+                break;
+            }
+            case "copilot": {
+                const path = join(cwd, ".github", "copilot-instructions.md");
+                if (writeFile(path, getCopilotInstructions(meta), dryRun))
+                    out.push(".github/copilot-instructions.md");
+                break;
+            }
+            case "windsurf": {
+                const path = join(cwd, ".windsurfrules");
+                if (writeFile(path, getWindsurfrules(meta), dryRun))
+                    out.push(".windsurfrules");
+                break;
+            }
+            case "aider": {
+                const path = join(cwd, ".aider.conf.yml");
+                if (writeFile(path, getAiderConf(meta), dryRun))
+                    out.push(".aider.conf.yml");
+                break;
+            }
+            case "claude-code":
+                // Already handled above (CLAUDE.md + AGENTS.md)
+                break;
+        }
+    }
     return out;
 }
 // ── Main entry ─────────────────────────────────────────────────────────────
@@ -199,14 +410,19 @@ export async function runAdapt(args) {
         console.error("Run `npx great-cto init` first to bootstrap the project.");
         return 1;
     }
-    console.log(`great-cto adapt → claude${args.dryRun ? " (dry-run)" : ""}`);
+    const toolsList = meta.aiTools.join(", ");
+    console.log(`great-cto adapt → ${toolsList}${args.dryRun ? " (dry-run)" : ""}`);
     console.log(`  archetype: ${meta.archetype}  compliance: ${meta.compliance.join(", ") || "none"}`);
+    console.log(`  ai_tools:  ${toolsList}`);
     console.log("");
     const written = adaptClaude(args.cwd, meta, args.dryRun);
     if (!args.dryRun) {
         console.log("");
-        console.log(`✓ generated ${written.length} file(s).`);
-        console.log(`  Re-run after editing .great_cto/PROJECT.md to refresh.`);
+        console.log(`✓ generated ${written.length} file(s): ${written.join(", ")}`);
+        console.log(`  Re-run after editing .great_cto/PROJECT.md or adding tools to ai_tools: [] to refresh.`);
+        if (!meta.aiTools.includes("cursor") && !meta.aiTools.includes("copilot") && !meta.aiTools.includes("windsurf")) {
+            console.log(`  Tip: add other AI tools to ai_tools: [] in PROJECT.md to generate .cursorrules, copilot-instructions.md, etc.`);
+        }
     }
     return 0;
 }

package/dist/agentshield/index.js

@@ -11,5 +11,5 @@
  *   writeFileSync('agentshield.sarif', JSON.stringify(toSarif(report)));
  */
 export { scan, scanFile } from './scanner.js';
-export { loadRules, parseRulesFile } from './rules-loader.js';
+export { loadRules, parseRulesFile, loadUserRules, userGuardrailsPath } from './rules-loader.js';
 export { SEVERITY_ORDER, severityRank } from './types.js';

package/dist/agentshield/rules-loader.js

@@ -5,9 +5,14 @@
  * each rule file is a list of dash-prefixed entries with key/value lines.
  * If we ever need real YAML (anchors, complex nesting), we'll add `yaml` as
  * a dep then.
+ *
+ * User-defined rules are loaded from ~/.great_cto/guardrails.yml and merged
+ * with the built-in rules. User rules use the same YAML format but include
+ * an optional `action: block | audit | redact` field.
  */
 import { readdirSync, readFileSync, existsSync } from 'node:fs';
 import { join, dirname } from 'node:path';
+import { homedir } from 'node:os';
 import { fileURLToPath } from 'node:url';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 /**
@@ -40,8 +45,39 @@ export function loadRules(rulesDir = defaultRulesDir()) {
         const text = readFileSync(join(rulesDir, f), 'utf8');
         rules.push(...parseRulesFile(text, f));
     }
+    // Merge user-defined rules from ~/.great_cto/guardrails.yml
+    const userRules = loadUserRules();
+    rules.push(...userRules);
     return rules;
 }
+/**
+ * Default path for user-defined guardrail rules.
+ * Falls back to legacy .great_cto/guardrails.yml in the current project.
+ */
+export function userGuardrailsPath() {
+    return join(homedir(), '.great_cto', 'guardrails.yml');
+}
+/**
+ * Load user-defined rules from ~/.great_cto/guardrails.yml.
+ * Returns [] silently if the file does not exist.
+ * Errors in user rules are surfaced as warnings (console.warn) but do not
+ * abort the scan — broken user rules should not block CI.
+ */
+export function loadUserRules(path) {
+    const guardrailsPath = path ?? userGuardrailsPath();
+    if (!existsSync(guardrailsPath))
+        return [];
+    try {
+        const text = readFileSync(guardrailsPath, 'utf8');
+        const parsed = parseRulesFile(text, guardrailsPath);
+        // Mark all user rules as userDefined so scanners can handle action correctly
+        return parsed.map(r => ({ ...r, userDefined: true }));
+    }
+    catch (e) {
+        console.warn(`agentshield: warning — failed to load user guardrails from ${guardrailsPath}: ${e.message}`);
+        return [];
+    }
+}
 /**
  * Parse a minimal YAML format:
  *
@@ -160,6 +196,7 @@ function parseBlock(block, filename) {
             throw new Error(`missing required field "${required}" in rule (block from ${filename})\nparsed: ${JSON.stringify(out)}`);
         }
     }
+    const action = out.action;
     return {
         id: out.id,
         scanner: out.scanner,
@@ -171,5 +208,6 @@ function parseBlock(block, filename) {
         patterns: out.patterns,
         file_globs: out.file_globs,
         negate: out.negate,
+        action: (action === 'block' || action === 'audit' || action === 'redact') ? action : undefined,
     };
 }

package/dist/bootstrap.js

@@ -2,6 +2,7 @@
 // Safe: will NOT overwrite an existing PROJECT.md.
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from "node:fs";
 import { join } from "node:path";
+import { homedir } from "node:os";
 import { dim, success, warn } from "./ui.js";
 import { suggestJurisdictions } from "./jurisdictions.js";
 import { compileFlow, renderFlowMd } from "./flow.js";
@@ -22,6 +23,38 @@ export function bootstrap(dir, detection, archetype, compliance, detectionMeta)
         : "unknown";
     const teamSize = 1; // MVP default — user edits later
     const approvalLevel = "gates-only"; // default per README
+    // Write CONTEXT.md in the project root (resume-block for all AI agents).
+    const contextMdPath = join(dir, "CONTEXT.md");
+    if (!existsSync(contextMdPath)) {
+        const contextContent = `# CONTEXT.md
+
+> AI session state for all agents. Updated at the end of each session.
+> All AI coding tools (Claude Code, Cursor, Copilot, Windsurf, Aider) read this
+> before starting work.
+
+## Resume block
+
+**Current task:** _(none — project just initialized)_
+**Last session:** ${new Date().toISOString().slice(0, 10)}
+**Status:** 🟢 ready to start
+
+## Session log
+
+| Session | Date | Summary | Files changed |
+|---------|------|---------|---------------|
+| 1 | ${new Date().toISOString().slice(0, 10)} | Project initialized | CONTEXT.md, .great_cto/PROJECT.md |
+
+## Open questions
+
+_(none yet — add questions that need founder/team input before implementation can proceed)_
+
+## Divergences from spec
+
+_(none — record any deviations from design.md here with rationale)_
+`;
+        writeFileSync(contextMdPath, contextContent, "utf-8");
+        success(`created CONTEXT.md ${dim("(session resume block for all AI tools)")}`);
+    }
     const content = `# ${title}
 
 > Auto-generated by \`great-cto init\` on ${new Date().toISOString().slice(0, 10)}.
@@ -55,8 +88,12 @@ phase: implementation
 team-size: ${teamSize}
 mode: solo
 approval-level: ${approvalLevel}
+ai_tools: [claude-code]
 
 > \`team-size:\` is read at root level (not nested) by /rfc and other commands.
+> \`ai_tools:\` controls which config files \`great-cto adapt\` generates.
+> Supported values: claude-code, cursor, copilot, windsurf, aider
+> Example: ai_tools: [claude-code, cursor, copilot]
 
 ## Compliance
 
@@ -109,6 +146,55 @@ when you actually start work:
 `;
     writeFileSync(projectMd, content, "utf-8");
     success(`created .great_cto/PROJECT.md ${dim(`(archetype: ${archetype})`)}`);
+    // Write ~/.great_cto/guardrails.yml example if it doesn't exist yet.
+    // This is the user-level agentshield config — applies across all projects.
+    const globalGreatCtoDir = join(homedir(), ".great_cto");
+    const guardrailsPath = join(globalGreatCtoDir, "guardrails.yml");
+    if (!existsSync(guardrailsPath)) {
+        mkdirSync(globalGreatCtoDir, { recursive: true });
+        const guardrailsContent = `# ~/.great_cto/guardrails.yml
+# User-defined agentshield rules. Loaded and merged with built-in rules on every scan.
+# Rules use the same YAML format as agentshield-rules/*.yaml.
+#
+# action field (user rules only):
+#   block  — scan fails (treated as critical finding; blocks gate:ship)
+#   audit  — finding reported but scan continues (warning only)
+#   redact — same as audit; marks pattern for future content redaction
+#
+# Example rule — customize with your org's patterns:
+#
+# - id: UG-001
+#   scanner: secrets-in-prompts
+#   title: Internal API token pattern
+#   severity: critical
+#   description: |
+#     Detects hardcoded internal API tokens matching the org pattern mytoken_*.
+#   remediation: |
+#     Move to environment variable. Reference via process.env.MY_TOKEN.
+#   patterns:
+#     - 'mytoken_[a-z0-9]{32}'
+#   action: block
+#
+# - id: UG-002
+#   scanner: prompt-injection
+#   title: Audit use of customer data in prompts
+#   severity: high
+#   description: |
+#     Flags when customer PII fields (email, phone, address) are embedded in prompts.
+#   remediation: |
+#     Replace PII with anonymized tokens before embedding in prompts.
+#   patterns:
+#     - 'customer\.(email|phone|address|ssn)'
+#   action: audit
+#   file_globs:
+#     - "**/*.ts"
+#     - "**/*.py"
+#
+# Add your own rules below:
+`;
+        writeFileSync(guardrailsPath, guardrailsContent, "utf-8");
+        success(`created ~/.great_cto/guardrails.yml ${dim("(user-level agentshield rules — edit to add org-specific patterns)")}`);
+    }
     // Write FLOW.md — compiled delivery flow for agents and user
     const confidence = detectionMeta?.confidence ?? "medium";
     const size = (detection.projectSize ?? "medium");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.22.3",
+  "version": "2.24.0",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",