great-cto 2.3.4 → 2.5.0

package/dist/adapt.js

@@ -0,0 +1,342 @@
+// great-cto adapt — platform config generator.
+//
+// Writes platform-native config files derived from a shared core. Lets a
+// single great_cto installation work transparently with Claude Code, OpenAI
+// Codex CLI, Cursor, Aider, and Continue. AGENTS.md is the de-facto cross-
+// platform standard (used verbatim by Codex; consumed as fallback by most
+// others) so it forms the shared core.
+//
+// Usage:
+//   great-cto adapt --platform claude     CLAUDE.md
+//   great-cto adapt --platform codex      AGENTS.md
+//   great-cto adapt --platform cursor     .cursorrules + .cursor/rules/*.mdc
+//   great-cto adapt --platform aider      .aider.conf.yml + CONVENTIONS.md
+//   great-cto adapt --platform continue   .continue/rules.md
+//   great-cto adapt --platform all        all of the above
+//   great-cto adapt --dry-run             show what would be written
+//
+// Each adapter writes ONLY platform-native files. All share the AGENTS.md
+// core text via getAgentsCore(). To customize per-project, edit
+// .great_cto/PROJECT.md (archetype, owners, compliance) — adapt re-derives.
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+function readProjectMeta(cwd) {
+    const projectMd = join(cwd, ".great_cto", "PROJECT.md");
+    if (!existsSync(projectMd)) {
+        return { archetype: "unknown", compliance: [], owners: "", hasGreatCto: false };
+    }
+    const text = readFileSync(projectMd, "utf8");
+    const archetype = (text.match(/^primary:\s*(\S+)/m)?.[1] ?? "unknown").trim();
+    const complianceLine = text.match(/^compliance:\s*(.+)$/m)?.[1] ?? "";
+    const compliance = complianceLine
+        .split(/[,\s]+/)
+        .map(s => s.trim())
+        .filter(Boolean);
+    const owners = (text.match(/^owners?:\s*(.+)$/m)?.[1] ?? "").trim();
+    return { archetype, compliance, owners, hasGreatCto: true };
+}
+/**
+ * Common AGENTS.md content used across platforms.
+ * Codex CLI reads this verbatim. Cursor / Aider / Claude Code embed it.
+ */
+function getAgentsCore(meta) {
+    const compliance = meta.compliance.length > 0
+        ? meta.compliance.map(c => `- ${c}`).join("\n")
+        : "_(none auto-detected — set in .great_cto/PROJECT.md)_";
+    return `# AGENTS.md
+
+> This file is the cross-tool agent contract. It is consumed by OpenAI Codex
+> CLI, Claude Code, Cursor, Aider, Continue, and any other AGENTS.md-aware
+> tooling. Generated by \`great-cto adapt\` — re-run after editing
+> \`.great_cto/PROJECT.md\`.
+
+## Project context
+
+- **Archetype:** ${meta.archetype}
+- **Compliance gates:**
+${compliance.split("\n").map(l => "  " + l).join("\n")}
+- **Owners:** ${meta.owners || "_(unset)_"}
+
+## How agents should work in this repo
+
+1. **Before touching code** — read \`.great_cto/PROJECT.md\` (archetype +
+   constraints) and \`.great_cto/lessons.md\` if present (past mistakes).
+2. **Before proposing a fix** — query \`~/.great_cto/decisions.md\` for ADRs
+   on related topics. Solved problems should stay solved.
+3. **Before merging** — run \`npx great-cto ci\` locally. Same gate as CI.
+4. **On failure / incident** — append to \`.great_cto/lessons.md\`. After 3
+   occurrences across projects, \`/crystallize\` promotes to global pattern.
+
+## Required gates (do not bypass)
+
+| Gate | When | Owner |
+|---|---|---|
+| security-officer | Any change touching auth, payments, PII | @security |
+| qa-engineer | Any feature merge | @qa |
+| performance-engineer | Any change to hot path | @perf |
+| db-migration-reviewer | Any \`migrations/\` change | @data |
+
+Override with \`/waiver\` and a written reason. Auto-expires in 14 days.
+
+## Available tools (via MCP)
+
+When this repo is opened in any MCP-capable tool, \`great-cto mcp\` exposes:
+
+- \`scan\` — OWASP LLM Top 10 + 24 rules · returns findings
+- \`list_rules\` — full rule catalogue
+- \`detect_archetype\` — archetype + compliance for any path
+- \`estimate_cost\` — LLM vs human time estimate for a task
+- \`query_decisions\` — search ADR log
+
+Configure your client to launch:
+\`\`\`bash
+npx great-cto mcp
+\`\`\`
+
+## Style + conventions
+
+- Tests **before** implementation (RED → GREEN → REFACTOR). Coverage 80%+ default.
+- Conventional commits: \`feat\` / \`fix\` / \`docs\` / \`refactor\` / \`test\` / \`chore\`.
+- One concern per PR. Refactors and behaviour changes are separate PRs.
+- No secrets in code. \`great-cto scan\` blocks ~13 patterns by default.
+
+## Out of scope
+
+Do not invent business decisions. If the spec is ambiguous, ask. Do not skip
+gates "because it's just a small change" — that's the path to incidents.
+
+---
+
+_Generated by \`great-cto@${getCliVersion()}\` adapt at ${new Date().toISOString().slice(0, 10)}_
+`;
+}
+function getCliVersion() {
+    try {
+        const here = dirname(new URL(import.meta.url).pathname);
+        const pkg = JSON.parse(readFileSync(join(here, "..", "package.json"), "utf8"));
+        return pkg.version ?? "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+function writeFile(path, content, dryRun) {
+    if (dryRun) {
+        console.log(`would write: ${path} (${content.length} bytes)`);
+        return false;
+    }
+    mkdirSync(dirname(path), { recursive: true });
+    const existed = existsSync(path);
+    writeFileSync(path, content);
+    console.log(`  ${existed ? "✎ updated" : "✓ wrote"}  ${path}`);
+    return true;
+}
+// ── Per-platform adapters ──────────────────────────────────────────────────
+function adaptClaude(cwd, meta, dryRun) {
+    // Claude Code reads CLAUDE.md (or AGENTS.md as fallback). We write both
+    // for maximum compat — projects with CLAUDE.md already get a top-level
+    // reference, and AGENTS.md unlocks any AGENTS.md-aware tool simultaneously.
+    const out = [];
+    const agentsBody = getAgentsCore(meta);
+    const claudeBody = `# CLAUDE.md
+
+> Project guidance for Claude Code. The full agent contract lives in
+> \`AGENTS.md\` — please read that first. This file adds Claude-Code-specific
+> overrides only.
+
+## Cross-tool contract
+
+See [AGENTS.md](./AGENTS.md) for the full project context, gates, and
+conventions. Generated by \`great-cto adapt\`.
+
+## Claude Code specifics
+
+- The great_cto plugin orchestrates 34 specialist agents — pipeline runs
+  through \`/start\`, \`/inbox\`, \`/save\`, etc.
+- Memory is layered: \`.great_cto/PROJECT.md\` (L1) → \`lessons.md\` (L3) →
+  \`~/.great_cto/decisions.md\` (L4 cross-project ADR log).
+- Run \`great-cto board\` (\`http://localhost:3141\`) for the kanban + metrics
+  + memory + agents view.
+
+## Quick links
+
+- ${"`"}/start "..."${"`"} — kick off a feature pipeline
+- ${"`"}/inbox${"`"} — see what needs your decision
+- ${"`"}/agent-review${"`"} — performance scorecard for agents
+
+`;
+    if (writeFile(join(cwd, "AGENTS.md"), agentsBody, dryRun))
+        out.push("AGENTS.md");
+    if (writeFile(join(cwd, "CLAUDE.md"), claudeBody, dryRun))
+        out.push("CLAUDE.md");
+    return out;
+}
+function adaptCodex(cwd, meta, dryRun) {
+    // OpenAI Codex CLI reads AGENTS.md. We write only that — Codex doesn't
+    // currently consume CLAUDE.md / .cursorrules.
+    const out = [];
+    if (writeFile(join(cwd, "AGENTS.md"), getAgentsCore(meta), dryRun))
+        out.push("AGENTS.md");
+    return out;
+}
+function adaptCursor(cwd, meta, dryRun) {
+    // Cursor reads .cursorrules (legacy single file) and .cursor/rules/*.mdc
+    // (modern modular). Write both for compat.
+    const out = [];
+    const rulesContent = `# Cursor rules — auto-generated by great-cto adapt
+# See AGENTS.md for the full agent contract; this file is the Cursor-native
+# subset focusing on inline-completion and chat behaviour.
+
+archetype: ${meta.archetype}
+compliance:
+${meta.compliance.map(c => `  - ${c}`).join("\n") || "  - none"}
+
+## Behaviour
+
+Before suggesting code changes:
+- Read \`AGENTS.md\` for repo-wide conventions
+- Read \`.great_cto/PROJECT.md\` for archetype constraints
+- Check \`~/.great_cto/decisions.md\` for prior ADRs on the topic
+
+## Gates that block merges (do not bypass)
+
+- security-officer: auth/payments/PII changes
+- qa-engineer: feature merges
+- db-migration-reviewer: any migrations/ change
+
+## Style
+
+- TDD: tests RED → implementation GREEN → refactor
+- Conventional commits
+- One concern per PR
+`;
+    const mdcContent = `---
+description: great_cto archetype + compliance contract
+globs: ["**/*"]
+alwaysApply: true
+---
+
+This repo is a **${meta.archetype}** project. Compliance gates:
+${meta.compliance.map(c => `- ${c}`).join("\n") || "- none"}
+
+Read \`AGENTS.md\` and \`.great_cto/PROJECT.md\` before proposing changes.
+Run \`npx great-cto ci\` before pushing.
+`;
+    if (writeFile(join(cwd, ".cursorrules"), rulesContent, dryRun))
+        out.push(".cursorrules");
+    if (writeFile(join(cwd, ".cursor", "rules", "great-cto.mdc"), mdcContent, dryRun))
+        out.push(".cursor/rules/great-cto.mdc");
+    if (writeFile(join(cwd, "AGENTS.md"), getAgentsCore(meta), dryRun))
+        out.push("AGENTS.md");
+    return out;
+}
+function adaptAider(cwd, meta, dryRun) {
+    // Aider reads .aider.conf.yml for settings and CONVENTIONS.md (or files
+    // listed in read: arrays) for context.
+    const out = [];
+    const conf = `# .aider.conf.yml — auto-generated by great-cto adapt
+# Aider config. Run aider in this dir and these settings apply.
+
+# Always include AGENTS.md and PROJECT.md as context
+read:
+  - AGENTS.md
+  - .great_cto/PROJECT.md
+
+# Auto-test after edits
+auto-test: true
+test-cmd: "npx great-cto ci --severity high"
+
+# Pretty output
+pretty: true
+
+# Conventional commits
+commit-prompt: "Use conventional commit format: feat/fix/docs/refactor/test/chore"
+
+# Archetype: ${meta.archetype}
+# Compliance: ${meta.compliance.join(", ") || "none"}
+`;
+    const conventions = `# CONVENTIONS.md
+
+> This is the Aider-native conventions file. The cross-tool agent contract
+> lives in \`AGENTS.md\` — please read that for full context.
+
+## Quick rules
+
+- **Archetype:** ${meta.archetype}
+- **Compliance gates:** ${meta.compliance.join(", ") || "_(none)_"}
+
+### Process
+1. Tests first (TDD)
+2. One concern per PR
+3. Conventional commits
+4. Run \`npx great-cto ci\` before push
+
+### Style
+- No secrets in code (\`great-cto scan\` enforces this)
+- Read \`.great_cto/PROJECT.md\` before suggesting architectural changes
+- Read \`~/.great_cto/decisions.md\` for prior ADRs
+`;
+    if (writeFile(join(cwd, ".aider.conf.yml"), conf, dryRun))
+        out.push(".aider.conf.yml");
+    if (writeFile(join(cwd, "CONVENTIONS.md"), conventions, dryRun))
+        out.push("CONVENTIONS.md");
+    if (writeFile(join(cwd, "AGENTS.md"), getAgentsCore(meta), dryRun))
+        out.push("AGENTS.md");
+    return out;
+}
+function adaptContinue(cwd, meta, dryRun) {
+    const out = [];
+    const rulesContent = `# Continue rules — generated by great-cto adapt
+
+## Project context
+
+Archetype: **${meta.archetype}**.
+Compliance: ${meta.compliance.join(", ") || "none"}.
+Read \`AGENTS.md\` for the full contract.
+
+## Behaviour
+
+- Run \`npx great-cto ci\` before pushing
+- Don't bypass gates (security / qa / db-migration)
+- Append lessons to \`.great_cto/lessons.md\` after incidents
+`;
+    if (writeFile(join(cwd, ".continue", "rules.md"), rulesContent, dryRun))
+        out.push(".continue/rules.md");
+    if (writeFile(join(cwd, "AGENTS.md"), getAgentsCore(meta), dryRun))
+        out.push("AGENTS.md");
+    return out;
+}
+// ── Main entry ─────────────────────────────────────────────────────────────
+export async function runAdapt(args) {
+    const meta = readProjectMeta(args.cwd);
+    if (!meta.hasGreatCto) {
+        console.error("FAIL: no .great_cto/PROJECT.md found.");
+        console.error("Run `npx great-cto init` first to bootstrap the project.");
+        return 1;
+    }
+    const platforms = args.platform === "all"
+        ? ["claude", "codex", "cursor", "aider", "continue"]
+        : [args.platform];
+    console.log(`great-cto adapt → ${platforms.join(", ")}${args.dryRun ? " (dry-run)" : ""}`);
+    console.log(`  archetype: ${meta.archetype}  compliance: ${meta.compliance.join(", ") || "none"}`);
+    console.log("");
+    const written = [];
+    for (const p of platforms) {
+        console.log(`▸ ${p}`);
+        const adapter = {
+            claude: adaptClaude,
+            codex: adaptCodex,
+            cursor: adaptCursor,
+            aider: adaptAider,
+            continue: adaptContinue,
+        }[p];
+        const out = adapter(args.cwd, meta, args.dryRun);
+        written.push(...out);
+    }
+    if (!args.dryRun) {
+        console.log("");
+        console.log(`✓ generated ${written.length} file(s) for ${platforms.length} platform(s).`);
+        console.log(`  Re-run after editing .great_cto/PROJECT.md to refresh.`);
+    }
+    return 0;
+}

package/dist/ci.js

@@ -0,0 +1,258 @@
+// great-cto ci — single-command CI gate.
+//
+// Runs scan + budget-check + archetype-validate with output formats matching
+// CI conventions. Designed to be the only great_cto invocation in a CI step.
+//
+// Outputs:
+//   - human-readable to stderr (always)
+//   - GitHub Actions annotations (auto when $GITHUB_ACTIONS is set, or --annotations)
+//   - SARIF 2.1.0 JSON (--sarif <path>) — uploadable to GitHub Security tab
+//   - JUnit XML (--junit <path>) — for test reporters / pipeline UIs
+//
+// Exit codes:
+//   0 = clean, all gates pass
+//   1 = findings at/above --fail-on threshold (CI should fail)
+//   2 = scan/setup error (not a finding — infrastructure problem)
+//
+// Example workflow:
+//   - run: npx great-cto@latest ci ./
+//     env:
+//       GREAT_CTO_NO_TELEMETRY: "1"
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+const SEVERITY_ORDER = {
+    info: 0,
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+function severityAtLeast(sev, threshold) {
+    return (SEVERITY_ORDER[sev] ?? 0) >= (SEVERITY_ORDER[threshold] ?? 0);
+}
+/**
+ * Emit GitHub Actions annotation lines. These appear inline on PR diffs.
+ * Format: ::error file=path,line=N,col=M,title=T::message
+ *         ::warning file=...
+ *         ::notice file=...
+ */
+function emitGitHubAnnotation(finding) {
+    const sev = finding.rule.severity;
+    const level = sev === "critical" || sev === "high" ? "error"
+        : sev === "medium" ? "warning" : "notice";
+    const file = finding.location.file;
+    const line = finding.location.line;
+    const title = `${finding.rule.id}: ${finding.rule.title}`;
+    const message = finding.rule.owasp
+        ? `${finding.rule.title} (${finding.rule.owasp})`
+        : finding.rule.title;
+    // Escape GHA-special characters
+    const escape = (s) => s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
+    console.log(`::${level} file=${escape(file)},line=${line},title=${escape(title)}::${escape(message)}`);
+}
+/**
+ * Emit JUnit XML report. One <testcase> per scanned file, fails recorded as
+ * <failure> elements. Format compatible with most CI test reporters.
+ */
+function buildJunitXml(report) {
+    const findingsByFile = new Map();
+    for (const f of report.findings) {
+        const arr = findingsByFile.get(f.location.file) || [];
+        arr.push(f);
+        findingsByFile.set(f.location.file, arr);
+    }
+    const totalTests = Math.max(report.filesScanned, findingsByFile.size);
+    const failures = report.findings.length;
+    const escape = (s) => String(s)
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&apos;");
+    const cases = Array.from(findingsByFile.entries())
+        .map(([file, findings]) => {
+        const failureBody = findings
+            .map(f => `      <failure type="${escape(f.rule.severity)}" message="${escape(f.rule.id + ': ' + f.rule.title)}">
+${escape(f.location.snippet || '')}
+${escape(f.rule.owasp || '')}
+      </failure>`)
+            .join("\n");
+        return `    <testcase classname="agentshield" name="${escape(file)}" time="0">
+${failureBody}
+    </testcase>`;
+    })
+        .join("\n");
+    return `<?xml version="1.0" encoding="UTF-8"?>
+<testsuites>
+  <testsuite name="great-cto ci" tests="${totalTests}" failures="${failures}" errors="0" time="${(report.durationMs / 1000).toFixed(3)}">
+${cases}
+  </testsuite>
+</testsuites>
+`;
+}
+/**
+ * Quick archetype-detection sanity check. Fails CI if the archetype changed
+ * from what's pinned in .great_cto/PROJECT.md (signals undeclared
+ * architectural drift).
+ */
+async function archetypeCheck(cwd, quiet) {
+    const projectMd = resolve(cwd, ".great_cto", "PROJECT.md");
+    if (!existsSync(projectMd)) {
+        if (!quiet)
+            console.error("  ⊘ archetype check skipped (no .great_cto/PROJECT.md)");
+        return { ok: true, msg: "skipped" };
+    }
+    const declared = (readFileSync(projectMd, "utf8").match(/^primary:\s*(\S+)/m)?.[1] ?? "").trim();
+    if (!declared) {
+        return { ok: true, msg: "no archetype declared in PROJECT.md" };
+    }
+    try {
+        const { detect } = await import("./detect.js");
+        const { pickArchetype } = await import("./archetypes.js");
+        const detected = await detect(cwd);
+        const result = pickArchetype(detected);
+        if (result.primary !== declared) {
+            return {
+                ok: false,
+                msg: `archetype drift: declared=${declared}, detected=${result.primary} (${result.confidence})`,
+            };
+        }
+        return { ok: true, msg: `archetype confirmed: ${declared}` };
+    }
+    catch (e) {
+        return { ok: true, msg: `archetype check failed (non-fatal): ${e.message}` };
+    }
+}
+/**
+ * Quick budget sanity check. Reads monthly-budget from PROJECT.md and warns
+ * if recent burn (last 30 days) exceeds it. Non-fatal — never blocks CI.
+ * Pure observability — for fatal budget enforcement use cost-guard hook.
+ */
+function budgetCheck(cwd, quiet) {
+    const projectMd = resolve(cwd, ".great_cto", "PROJECT.md");
+    if (!existsSync(projectMd))
+        return { ok: true, msg: "no PROJECT.md" };
+    const text = readFileSync(projectMd, "utf8");
+    const budget = text.match(/monthly[-_]budget:\s*\$?(\d[\d,]+)/i)?.[1]?.replace(/,/g, "");
+    if (!budget)
+        return { ok: true, msg: "no budget set" };
+    // Very simple: just confirm budget is well-formed. Real burn calc lives in board.
+    if (!quiet)
+        console.error(`  ✓ monthly-budget: $${budget}`);
+    return { ok: true, msg: `budget configured: $${budget}` };
+}
+export async function runCi(args) {
+    const startTs = Date.now();
+    const inGitHubActions = process.env.GITHUB_ACTIONS === "true";
+    const wantAnnotations = args.annotations || inGitHubActions;
+    if (!args.quiet) {
+        console.error(`\ngreat-cto ci — gate threshold: ${args.failOn}, scan: ${args.severity}+`);
+        console.error(`  path: ${resolve(args.path)}`);
+        if (inGitHubActions)
+            console.error(`  env: GitHub Actions detected — emitting annotations`);
+        console.error("");
+    }
+    // 1. Scan
+    let scan;
+    let toSarif;
+    try {
+        ({ scan } = await import("./agentshield/scanner.js"));
+        ({ toSarif } = await import("./agentshield/sarif.js"));
+    }
+    catch (e) {
+        console.error(`ci: failed to load scanner: ${e.message}`);
+        return 2;
+    }
+    const report = scan(resolve(args.path), {
+        minSeverity: args.severity,
+    });
+    // 2. Archetype check
+    let archResult = { ok: true, msg: "skipped" };
+    if (!args.noArchetype) {
+        archResult = await archetypeCheck(args.path, args.quiet);
+    }
+    // 3. Budget check (warn-only)
+    let budgetResult = { ok: true, msg: "skipped" };
+    if (!args.noBudget) {
+        budgetResult = budgetCheck(args.path, args.quiet);
+    }
+    // 4. Emit annotations
+    if (wantAnnotations) {
+        for (const f of report.findings) {
+            if (severityAtLeast(f.rule.severity, args.failOn)) {
+                emitGitHubAnnotation(f);
+            }
+        }
+    }
+    // 5. Emit SARIF
+    if (args.sarifPath) {
+        writeFileSync(args.sarifPath, JSON.stringify(toSarif(report), null, 2));
+        if (!args.quiet)
+            console.error(`  ✓ SARIF → ${args.sarifPath}`);
+    }
+    // 6. Emit JUnit XML
+    if (args.junitPath) {
+        writeFileSync(args.junitPath, buildJunitXml(report));
+        if (!args.quiet)
+            console.error(`  ✓ JUnit XML → ${args.junitPath}`);
+    }
+    // 7. Summary
+    const blockingFindings = report.findings.filter((f) => severityAtLeast(f.rule.severity, args.failOn));
+    const passed = blockingFindings.length === 0 && archResult.ok;
+    if (!args.quiet) {
+        const dur = ((Date.now() - startTs) / 1000).toFixed(1);
+        console.error("");
+        console.error(`  scan:       ${report.findings.length} finding(s) (${blockingFindings.length} at/above ${args.failOn})`);
+        console.error(`  archetype:  ${archResult.ok ? "✓" : "✗"} ${archResult.msg}`);
+        console.error(`  budget:     ${budgetResult.msg}`);
+        console.error(`  duration:   ${dur}s`);
+        console.error("");
+        if (passed) {
+            console.error("\x1b[32m✓ great-cto ci: passed\x1b[0m");
+        }
+        else {
+            console.error("\x1b[31m✗ great-cto ci: failed\x1b[0m");
+            if (blockingFindings.length) {
+                console.error(`  ${blockingFindings.length} finding(s) at/above ${args.failOn}:`);
+                for (const f of blockingFindings.slice(0, 10)) {
+                    console.error(`    [${f.rule.severity}] ${f.rule.id} — ${f.location.file}:${f.location.line}`);
+                }
+                if (blockingFindings.length > 10) {
+                    console.error(`    ... +${blockingFindings.length - 10} more`);
+                }
+            }
+            if (!archResult.ok)
+                console.error(`  ${archResult.msg}`);
+        }
+    }
+    return passed ? 0 : 1;
+}
+/**
+ * Parse `great-cto ci` flags from raw argv.
+ */
+export function parseCiArgs(rawArgv) {
+    const flag = (n) => rawArgv.includes(`--${n}`);
+    const value = (n, def) => {
+        const i = rawArgv.indexOf(`--${n}`);
+        return i >= 0 && i < rawArgv.length - 1 ? rawArgv[i + 1] : def;
+    };
+    const ciIdx = rawArgv.indexOf("ci");
+    let path = ".";
+    for (let i = ciIdx + 1; i < rawArgv.length; i++) {
+        if (rawArgv[i] && !rawArgv[i].startsWith("--")) {
+            path = rawArgv[i];
+            break;
+        }
+    }
+    return {
+        path,
+        severity: value("severity", "high"),
+        failOn: value("fail-on", "critical"),
+        sarifPath: value("sarif") ?? null,
+        junitPath: value("junit") ?? null,
+        annotations: flag("annotations"),
+        noBudget: flag("no-budget"),
+        noArchetype: flag("no-archetype"),
+        quiet: flag("quiet"),
+    };
+}