great-cto 2.31.0 → 2.33.0

package/dist/bootstrap.js

@@ -2,7 +2,6 @@
 // Safe: will NOT overwrite an existing PROJECT.md.
 import { existsSync, mkdirSync, writeFileSync, readFileSync } from "node:fs";
 import { join } from "node:path";
-import { homedir } from "node:os";
 import { dim, success, warn } from "./ui.js";
 import { suggestJurisdictions } from "./jurisdictions.js";
 import { compileFlow, renderFlowMd } from "./flow.js";
@@ -146,55 +145,6 @@ when you actually start work:
 `;
     writeFileSync(projectMd, content, "utf-8");
     success(`created .great_cto/PROJECT.md ${dim(`(archetype: ${archetype})`)}`);
-    // Write ~/.great_cto/guardrails.yml example if it doesn't exist yet.
-    // This is the user-level agentshield config — applies across all projects.
-    const globalGreatCtoDir = join(homedir(), ".great_cto");
-    const guardrailsPath = join(globalGreatCtoDir, "guardrails.yml");
-    if (!existsSync(guardrailsPath)) {
-        mkdirSync(globalGreatCtoDir, { recursive: true });
-        const guardrailsContent = `# ~/.great_cto/guardrails.yml
-# User-defined agentshield rules. Loaded and merged with built-in rules on every scan.
-# Rules use the same YAML format as agentshield-rules/*.yaml.
-#
-# action field (user rules only):
-#   block  — scan fails (treated as critical finding; blocks gate:ship)
-#   audit  — finding reported but scan continues (warning only)
-#   redact — same as audit; marks pattern for future content redaction
-#
-# Example rule — customize with your org's patterns:
-#
-# - id: UG-001
-#   scanner: secrets-in-prompts
-#   title: Internal API token pattern
-#   severity: critical
-#   description: |
-#     Detects hardcoded internal API tokens matching the org pattern mytoken_*.
-#   remediation: |
-#     Move to environment variable. Reference via process.env.MY_TOKEN.
-#   patterns:
-#     - 'mytoken_[a-z0-9]{32}'
-#   action: block
-#
-# - id: UG-002
-#   scanner: prompt-injection
-#   title: Audit use of customer data in prompts
-#   severity: high
-#   description: |
-#     Flags when customer PII fields (email, phone, address) are embedded in prompts.
-#   remediation: |
-#     Replace PII with anonymized tokens before embedding in prompts.
-#   patterns:
-#     - 'customer\.(email|phone|address|ssn)'
-#   action: audit
-#   file_globs:
-#     - "**/*.ts"
-#     - "**/*.py"
-#
-# Add your own rules below:
-`;
-        writeFileSync(guardrailsPath, guardrailsContent, "utf-8");
-        success(`created ~/.great_cto/guardrails.yml ${dim("(user-level agentshield rules — edit to add org-specific patterns)")}`);
-    }
     // Write FLOW.md — compiled delivery flow for agents and user
     const confidence = detectionMeta?.confidence ?? "medium";
     const size = (detection.projectSize ?? "medium");

package/dist/ci.js

@@ -1,95 +1,22 @@
 // great-cto ci — single-command CI gate.
 //
-// Runs scan + budget-check + archetype-validate with output formats matching
-// CI conventions. Designed to be the only great_cto invocation in a CI step.
+// Runs archetype-validate + budget-check. Designed to be the only great_cto
+// invocation in a CI step.
 //
 // Outputs:
 //   - human-readable to stderr (always)
-//   - GitHub Actions annotations (auto when $GITHUB_ACTIONS is set, or --annotations)
-//   - SARIF 2.1.0 JSON (--sarif <path>) — uploadable to GitHub Security tab
-//   - JUnit XML (--junit <path>) — for test reporters / pipeline UIs
 //
 // Exit codes:
 //   0 = clean, all gates pass
-//   1 = findings at/above --fail-on threshold (CI should fail)
-//   2 = scan/setup error (not a finding — infrastructure problem)
+//   1 = archetype drift (CI should fail)
+//   2 = setup error (not a finding — infrastructure problem)
 //
 // Example workflow:
 //   - run: npx great-cto@latest ci ./
 //     env:
 //       GREAT_CTO_NO_TELEMETRY: "1"
-import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, readFileSync } from "node:fs";
 import { resolve } from "node:path";
-const SEVERITY_ORDER = {
-    info: 0,
-    low: 1,
-    medium: 2,
-    high: 3,
-    critical: 4,
-};
-function severityAtLeast(sev, threshold) {
-    return (SEVERITY_ORDER[sev] ?? 0) >= (SEVERITY_ORDER[threshold] ?? 0);
-}
-/**
- * Emit GitHub Actions annotation lines. These appear inline on PR diffs.
- * Format: ::error file=path,line=N,col=M,title=T::message
- *         ::warning file=...
- *         ::notice file=...
- */
-function emitGitHubAnnotation(finding) {
-    const sev = finding.rule.severity;
-    const level = sev === "critical" || sev === "high" ? "error"
-        : sev === "medium" ? "warning" : "notice";
-    const file = finding.location.file;
-    const line = finding.location.line;
-    const title = `${finding.rule.id}: ${finding.rule.title}`;
-    const message = finding.rule.owasp
-        ? `${finding.rule.title} (${finding.rule.owasp})`
-        : finding.rule.title;
-    // Escape GHA-special characters
-    const escape = (s) => s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
-    console.log(`::${level} file=${escape(file)},line=${line},title=${escape(title)}::${escape(message)}`);
-}
-/**
- * Emit JUnit XML report. One <testcase> per scanned file, fails recorded as
- * <failure> elements. Format compatible with most CI test reporters.
- */
-function buildJunitXml(report) {
-    const findingsByFile = new Map();
-    for (const f of report.findings) {
-        const arr = findingsByFile.get(f.location.file) || [];
-        arr.push(f);
-        findingsByFile.set(f.location.file, arr);
-    }
-    const totalTests = Math.max(report.filesScanned, findingsByFile.size);
-    const failures = report.findings.length;
-    const escape = (s) => String(s)
-        .replace(/&/g, "&amp;")
-        .replace(/</g, "&lt;")
-        .replace(/>/g, "&gt;")
-        .replace(/"/g, "&quot;")
-        .replace(/'/g, "&apos;");
-    const cases = Array.from(findingsByFile.entries())
-        .map(([file, findings]) => {
-        const failureBody = findings
-            .map(f => `      <failure type="${escape(f.rule.severity)}" message="${escape(f.rule.id + ': ' + f.rule.title)}">
-${escape(f.location.snippet || '')}
-${escape(f.rule.owasp || '')}
-      </failure>`)
-            .join("\n");
-        return `    <testcase classname="agentshield" name="${escape(file)}" time="0">
-${failureBody}
-    </testcase>`;
-    })
-        .join("\n");
-    return `<?xml version="1.0" encoding="UTF-8"?>
-<testsuites>
-  <testsuite name="great-cto ci" tests="${totalTests}" failures="${failures}" errors="0" time="${(report.durationMs / 1000).toFixed(3)}">
-${cases}
-  </testsuite>
-</testsuites>
-`;
-}
 /**
  * Quick archetype-detection sanity check. Fails CI if the archetype changed
  * from what's pinned in .great_cto/PROJECT.md (signals undeclared
@@ -147,66 +74,26 @@ function budgetCheck(cwd, quiet) {
 }
 export async function runCi(args) {
     const startTs = Date.now();
-    const inGitHubActions = process.env.GITHUB_ACTIONS === "true";
-    const wantAnnotations = args.annotations || inGitHubActions;
     if (!args.quiet) {
-        console.error(`\ngreat-cto ci — gate threshold: ${args.failOn}, scan: ${args.severity}+`);
+        console.error(`\ngreat-cto ci — archetype + budget gate`);
         console.error(`  path: ${resolve(args.path)}`);
-        if (inGitHubActions)
-            console.error(`  env: GitHub Actions detected — emitting annotations`);
         console.error("");
     }
-    // 1. Scan
-    let scan;
-    let toSarif;
-    try {
-        ({ scan } = await import("./agentshield/scanner.js"));
-        ({ toSarif } = await import("./agentshield/sarif.js"));
-    }
-    catch (e) {
-        console.error(`ci: failed to load scanner: ${e.message}`);
-        return 2;
-    }
-    const report = scan(resolve(args.path), {
-        minSeverity: args.severity,
-    });
-    // 2. Archetype check
+    // 1. Archetype check
     let archResult = { ok: true, msg: "skipped" };
     if (!args.noArchetype) {
         archResult = await archetypeCheck(args.path, args.quiet);
     }
-    // 3. Budget check (warn-only)
+    // 2. Budget check (warn-only)
     let budgetResult = { ok: true, msg: "skipped" };
     if (!args.noBudget) {
         budgetResult = budgetCheck(args.path, args.quiet);
     }
-    // 4. Emit annotations
-    if (wantAnnotations) {
-        for (const f of report.findings) {
-            if (severityAtLeast(f.rule.severity, args.failOn)) {
-                emitGitHubAnnotation(f);
-            }
-        }
-    }
-    // 5. Emit SARIF
-    if (args.sarifPath) {
-        writeFileSync(args.sarifPath, JSON.stringify(toSarif(report), null, 2));
-        if (!args.quiet)
-            console.error(`  ✓ SARIF → ${args.sarifPath}`);
-    }
-    // 6. Emit JUnit XML
-    if (args.junitPath) {
-        writeFileSync(args.junitPath, buildJunitXml(report));
-        if (!args.quiet)
-            console.error(`  ✓ JUnit XML → ${args.junitPath}`);
-    }
-    // 7. Summary
-    const blockingFindings = report.findings.filter((f) => severityAtLeast(f.rule.severity, args.failOn));
-    const passed = blockingFindings.length === 0 && archResult.ok;
+    // 3. Summary
+    const passed = archResult.ok;
     if (!args.quiet) {
         const dur = ((Date.now() - startTs) / 1000).toFixed(1);
         console.error("");
-        console.error(`  scan:       ${report.findings.length} finding(s) (${blockingFindings.length} at/above ${args.failOn})`);
         console.error(`  archetype:  ${archResult.ok ? "✓" : "✗"} ${archResult.msg}`);
         console.error(`  budget:     ${budgetResult.msg}`);
         console.error(`  duration:   ${dur}s`);
@@ -216,15 +103,6 @@ export async function runCi(args) {
         }
         else {
             console.error("\x1b[31m✗ great-cto ci: failed\x1b[0m");
-            if (blockingFindings.length) {
-                console.error(`  ${blockingFindings.length} finding(s) at/above ${args.failOn}:`);
-                for (const f of blockingFindings.slice(0, 10)) {
-                    console.error(`    [${f.rule.severity}] ${f.rule.id} — ${f.location.file}:${f.location.line}`);
-                }
-                if (blockingFindings.length > 10) {
-                    console.error(`    ... +${blockingFindings.length - 10} more`);
-                }
-            }
             if (!archResult.ok)
                 console.error(`  ${archResult.msg}`);
         }
@@ -236,10 +114,6 @@ export async function runCi(args) {
  */
 export function parseCiArgs(rawArgv) {
     const flag = (n) => rawArgv.includes(`--${n}`);
-    const value = (n, def) => {
-        const i = rawArgv.indexOf(`--${n}`);
-        return i >= 0 && i < rawArgv.length - 1 ? rawArgv[i + 1] : def;
-    };
     const ciIdx = rawArgv.indexOf("ci");
     let path = ".";
     for (let i = ciIdx + 1; i < rawArgv.length; i++) {
@@ -250,11 +124,6 @@ export function parseCiArgs(rawArgv) {
     }
     return {
         path,
-        severity: value("severity", "high"),
-        failOn: value("fail-on", "critical"),
-        sarifPath: value("sarif") ?? null,
-        junitPath: value("junit") ?? null,
-        annotations: flag("annotations"),
         noBudget: flag("no-budget"),
         noArchetype: flag("no-archetype"),
         quiet: flag("quiet"),

package/dist/companion.js

@@ -42,7 +42,11 @@ function isAlreadyInstalled(name) {
         return null;
     try {
         const versions = readdirSync(base).filter((v) => /\S/.test(v));
-        return versions.length > 0 ? versions[0] : null;
+        if (versions.length === 0)
+            return null;
+        // Return the highest version, not filesystem order — matches
+        // upgrade.ts/installer.ts which both sort before picking.
+        return versions.sort(semverDescending)[0];
     }
     catch {
         return null;

package/dist/detect.js

@@ -1118,7 +1118,7 @@ function mineReadmeKeywords(dir) {
         if (terms.some((t) => text.includes(t)))
             kws.add(bucket);
     }
-    // Wave 1-3 pack-trigger raw terms — emitted verbatim so packs.ts
+    // Wave 1-4 pack-trigger raw terms — emitted verbatim so packs.ts
     // can substring-match them. Keep in sync with packs.ts SIGNALS.keywords.
     // Single tokens + multi-word phrases supported.
     const packTerms = [
@@ -1163,6 +1163,19 @@ function mineReadmeKeywords(dir) {
         "glp", "gmp", "gxp", "preclinical", "lims", "eln", "annex 11", "alcoa",
         "lab automation", "robotic biology", "liquid handler", "hamilton", "tecan",
         "beckman", "opentrons", "plate reader", "sequencer", "hplc", "mass spec", "sila",
+        // digital-health-pack (Wave 4) — keep in sync with packs.ts SIGNALS.keywords
+        "wearable", "apple watch", "apple health", "healthkit", "health connect",
+        "garmin", "samsung health", "google fit", "fitbit", "heart rate", "hrv",
+        "heart rate variability", "spo2", "sleep tracking", "sleep stages",
+        "biometric sensor", "stress score", "activity tracking", "ecg wearable",
+        "mental health", "mental wellness", "wellbeing", "mindfulness ai",
+        "stress detection", "burnout detection", "mood tracking", "anxiety ai",
+        "depression ai", "phq-9", "gad-7", "digital therapeutics", "dtx",
+        "cbt app", "dbt app", "therapy ai", "personalised training",
+        "personalized training", "fitness ai", "nutrition ai",
+        "supplement recommendation", "supplement ai", "diet ai", "meal plan ai",
+        "macro ai", "physician review", "physician hitl", "doctor in the loop",
+        "clinical review workflow", "remote patient monitoring", "rpm", "teleconsultation",
     ];
     for (const term of packTerms) {
         if (text.includes(term))

package/dist/main.js

@@ -82,10 +82,6 @@ function parseArgs(argv) {
             args.command = "board";
         else if (a === "register")
             args.command = "register";
-        else if (a === "scan")
-            args.command = "scan";
-        else if (a === "list-rules")
-            args.command = "list-rules";
         else if (a === "ci")
             args.command = "ci";
         else if (a === "mcp")
@@ -140,136 +136,6 @@ function parseArgs(argv) {
     args.positional = rest;
     return args;
 }
-/**
- * `great-cto scan [path]` — AI-specific security scanner (formerly @great-cto/agentshield).
- *
- * Detects OWASP LLM Top 10 patterns: prompt injection vectors, secrets in
- * prompts, SSRF in tool definitions, RAG poisoning, cost-runaway loops.
- *
- * Flags (parsed from raw argv since they're scan-specific):
- *   --severity <lvl>   info|low|medium|high|critical (default: info)
- *   --scanner <name>   prompt-injection | secrets-in-prompts | ssrf-in-tools |
- *                      rag-poisoning | cost-runaway (repeatable)
- *   --sarif <file>     emit SARIF 2.1.0 to file
- *   --json             emit JSON to stdout
- *   --quiet            suppress human-readable output
- *   --max <n>          stop after N findings
- *   --exclude <regex>  add path exclude (repeatable)
- *
- * Exit codes:
- *   0 = no findings (or all below severity threshold)
- *   1 = findings at/above threshold (CI-friendly)
- *   2 = scan failed
- */
-async function runScan(args, rawArgv) {
-    const { writeFileSync } = await import("node:fs");
-    const { resolve: resolvePath } = await import("node:path");
-    // Lazy import compiled scanner — keeps cold start fast for `init` flow.
-    let scan;
-    let toSarif;
-    try {
-        ({ scan } = await import("./agentshield/scanner.js"));
-        ({ toSarif } = await import("./agentshield/sarif.js"));
-    }
-    catch (e) {
-        error(`scan: failed to load scanner: ${e.message}`);
-        return 2;
-    }
-    // Parse scan-specific flags from raw argv
-    const flag = (n) => rawArgv.includes(`--${n}`);
-    const value = (n, def) => {
-        const i = rawArgv.indexOf(`--${n}`);
-        return i >= 0 && i < rawArgv.length - 1 ? rawArgv[i + 1] : def;
-    };
-    const scanners = rawArgv
-        .map((a, i) => (a === "--scanner" ? rawArgv[i + 1] : null))
-        .filter(Boolean);
-    const exclude = rawArgv
-        .map((a, i) => (a === "--exclude" ? rawArgv[i + 1] : null))
-        .filter(Boolean);
-    // Path: first non-flag arg after `scan`, default cwd
-    const scanIdx = rawArgv.indexOf("scan");
-    let root = ".";
-    for (let i = scanIdx + 1; i < rawArgv.length; i++) {
-        if (rawArgv[i] && !rawArgv[i].startsWith("--")) {
-            root = rawArgv[i];
-            break;
-        }
-    }
-    const opts = {
-        scanners: scanners.length > 0 ? scanners : undefined,
-        minSeverity: value("severity", "info"),
-        exclude: exclude.length > 0 ? exclude : undefined,
-        maxFindings: value("max") ? parseInt(value("max"), 10) : undefined,
-    };
-    const sarifPath = value("sarif");
-    const wantsJson = flag("json");
-    const quiet = flag("quiet");
-    const report = scan(resolvePath(root), opts);
-    if (sarifPath) {
-        writeFileSync(sarifPath, JSON.stringify(toSarif(report), null, 2));
-        if (!quiet)
-            console.error(`✓ SARIF written → ${sarifPath}`);
-    }
-    if (wantsJson) {
-        console.log(JSON.stringify(report, null, 2));
-    }
-    else if (!quiet) {
-        const COLORS = {
-            critical: "\x1b[1;31m", high: "\x1b[31m", medium: "\x1b[33m",
-            low: "\x1b[36m", info: "\x1b[2m", reset: "\x1b[0m",
-        };
-        const useColor = process.stdout.isTTY;
-        const c = (sev, s) => (useColor ? `${COLORS[sev] || ""}${s}${COLORS.reset}` : s);
-        console.error(`\ngreat-cto scan ${getCliVersion()} — scanned ${report.filesScanned} file(s) in ${report.durationMs}ms\n`);
-        if (report.errors.length > 0) {
-            console.error(`\x1b[33m⚠ ${report.errors.length} error(s):\x1b[0m`);
-            for (const e of report.errors)
-                console.error(`    ${e}`);
-            console.error("");
-        }
-        if (report.findings.length === 0) {
-            console.error("\x1b[32m✓ No findings.\x1b[0m\n");
-        }
-        else {
-            for (const f of report.findings) {
-                const tag = c(f.rule.severity, `[${f.rule.severity.toUpperCase()}]`);
-                console.error(`${tag} ${f.rule.id}  ${f.location.file}:${f.location.line}`);
-                console.error(`        ${f.rule.title}`);
-                console.error(`        ${c("info", f.location.snippet)}`);
-                if (f.rule.owasp)
-                    console.error(`        ${c("info", f.rule.owasp)}`);
-                console.error("");
-            }
-            const counts = {};
-            for (const f of report.findings)
-                counts[f.rule.severity] = (counts[f.rule.severity] || 0) + 1;
-            const order = ["critical", "high", "medium", "low", "info"];
-            const parts = order.filter((s) => counts[s]).map((s) => c(s, `${counts[s]} ${s}`));
-            console.error(`\x1b[1m${report.findings.length} finding(s)\x1b[0m  —  ${parts.join(", ")}\n`);
-        }
-    }
-    return report.findings.length > 0 ? 1 : 0;
-}
-/**
- * `great-cto list-rules` — print the rule catalog.
- */
-async function runListRules() {
-    let loadRules;
-    try {
-        ({ loadRules } = await import("./agentshield/rules-loader.js"));
-    }
-    catch (e) {
-        error(`list-rules: failed: ${e.message}`);
-        return 2;
-    }
-    const rules = loadRules();
-    for (const r of rules) {
-        console.log(`${r.id.padEnd(8)} ${r.severity.padEnd(8)} ${r.scanner.padEnd(20)} ${r.title}`);
-    }
-    console.log(`\n${rules.length} rule(s) loaded.`);
-    return 0;
-}
 async function runRegister(args) {
     const { join } = await import("node:path");
     const { existsSync, readFileSync, writeFileSync, mkdirSync, statSync } = await import("node:fs");
@@ -464,9 +330,7 @@ ${bold("Usage:")}
   npx great-cto [init] [options]     Detect + bootstrap
   npx great-cto board [--port 3141] [--no-open]
   npx great-cto register [--dir PATH]
-  npx great-cto scan [path] [--severity LVL] [--scanner NAME] [--sarif FILE]
-  npx great-cto list-rules
-  npx great-cto ci [path] [--fail-on LVL] [--sarif F] [--junit F]
+  npx great-cto ci [path] [--no-archetype] [--no-budget]
   npx great-cto mcp [--sse --port N]
   npx great-cto adapt [--dry-run]
   npx great-cto serve [--port 3142]
@@ -490,27 +354,18 @@ ${bold("Upgrade:")}
   great-cto upgrade beads        Upgrade beads only
   ${dim("(Safe to run any time — idempotent if already on latest)")}
 
-${bold("Scan (AI-security):")}
-  great-cto scan                       AI-specific scan of cwd (OWASP LLM Top 10)
-  great-cto scan ./src --severity high Filter by minimum severity
-  great-cto scan --scanner ssrf-in-tools  Run only one scanner
-  great-cto scan --sarif out.sarif     Emit SARIF for GitHub Code Scanning
-  great-cto scan --json                JSON output for CI pipelines
-  great-cto list-rules                 Print rule catalog
-  ${dim("(exits 1 if findings ≥ severity threshold; CI-friendly)")}
-
 ${bold("CI gate:")}
-  great-cto ci                         Single-command CI gate (scan + archetype check)
-  great-cto ci --fail-on critical      Exit 1 only on critical findings (default)
-  great-cto ci --sarif out.sarif       Emit SARIF (uploadable to GitHub Security)
-  great-cto ci --junit out.xml         Emit JUnit XML for test reporters
-  ${dim("(auto-detects \$GITHUB_ACTIONS → emits ::error:: annotations)")}
+  great-cto ci                         Single-command CI gate (archetype + budget check)
+  great-cto ci --no-archetype          Skip the archetype-drift check
+  great-cto ci --no-budget             Skip the monthly-budget sanity check
+  ${dim("(exits 1 on archetype drift; budget is warn-only)")}
 
 ${bold("MCP server (cross-platform):")}
   great-cto mcp                        Stdio MCP server — works in Claude Code /
                                        Claude Desktop / any MCP host
   great-cto mcp --sse --port 8765      SSE mode for remote / multi-client (TODO v2.5)
-  ${dim("Tools exposed: scan, list_rules, detect_archetype, estimate_cost, query_decisions")}
+  ${dim("Tools exposed: detect_archetype, estimate_cost, query_decisions,")}
+  ${dim("               project_status, cost_summary, pipeline_stages, recent_verdicts")}
 
 ${bold("Claude Code adapter:")}
   great-cto adapt                      Generate AGENTS.md + CLAUDE.md
@@ -997,26 +852,6 @@ async function main() {
         log(`Run ${cyan("great-cto --help")} for usage.`);
         process.exit(2);
     }
-    if (args.command === "scan") {
-        try {
-            const code = await runScan(args, rawArgv);
-            process.exit(code);
-        }
-        catch (e) {
-            error(e.message);
-            process.exit(2);
-        }
-    }
-    if (args.command === "list-rules") {
-        try {
-            const code = await runListRules();
-            process.exit(code);
-        }
-        catch (e) {
-            error(e.message);
-            process.exit(2);
-        }
-    }
     if (args.command === "board") {
         try {
             const code = await runBoard(args);
@@ -1080,8 +915,11 @@ async function main() {
     if (args.command === "serve") {
         try {
             const { runServe } = await import("./serve.js");
+            const explicitPort = rawArgv.some((a) => a === "--port" || a.startsWith("--port="));
             const code = await runServe({
-                port: args.boardPort === 3141 ? 3142 : args.boardPort,
+                // serve defaults to 3142 (board uses 3141). Honor an explicit --port
+                // of any value, including 3141 — only fall back to 3142 when unset.
+                port: explicitPort ? args.boardPort : 3142,
                 noLog: rawArgv.includes("--no-log"),
                 insecure: rawArgv.includes("--insecure"),
             });
@@ -1128,8 +966,8 @@ async function main() {
         log(`    ${cyan("/" + tried)} ${dim("[args]")}`);
         log("");
         log(`The CLI surface (this command) only exposes:`);
-        log(`  ${cyan("init")} · ${cyan("scan")} · ${cyan("list-rules")} · ${cyan("ci")} · ${cyan("mcp")} ·`);
-        log(`  ${cyan("adapt")} · ${cyan("serve")} · ${cyan("webhook")} · ${cyan("report")} · ${cyan("board")} · ${cyan("register")}`);
+        log(`  ${cyan("init")} · ${cyan("ci")} · ${cyan("mcp")} · ${cyan("adapt")} ·`);
+        log(`  ${cyan("serve")} · ${cyan("webhook")} · ${cyan("report")} · ${cyan("board")} · ${cyan("register")} · ${cyan("upgrade")}`);
         log("");
         log(`Run ${cyan("npx great-cto --help")} for the full CLI reference.`);
         process.exit(2);

package/dist/mcp.js

@@ -10,11 +10,13 @@
 //   sse              — long-running HTTP/SSE for remote / multi-client access
 //
 // Tools exposed:
-//   scan              OWASP LLM Top 10 + 24 rules → findings
-//   list_rules        full rule catalogue
 //   detect_archetype  archetype + compliance for a path
 //   estimate_cost     LLM/human time for a task
 //   query_decisions   search ~/.great_cto/decisions.md
+//   project_status    board project state
+//   cost_summary      board cost rollup
+//   pipeline_stages   board pipeline stage breakdown
+//   recent_verdicts   board recent agent verdicts
 //
 // Protocol: minimal MCP 2024-11-05 implementation. We hand-roll because
 // adding @modelcontextprotocol/sdk would balloon install size for what is
@@ -28,41 +30,6 @@ const SERVER_INFO = {
     version: "", // populated at startup
 };
 // ── Tool implementations ────────────────────────────────────────────────────
-async function toolScan(args) {
-    const { scan } = await import("./agentshield/scanner.js");
-    const path = args.path ?? ".";
-    const report = scan(resolve(path), {
-        minSeverity: (args.severity ?? "info"),
-        scanners: args.scanner,
-    });
-    return {
-        files_scanned: report.filesScanned,
-        duration_ms: report.durationMs,
-        findings: report.findings.map((f) => ({
-            rule_id: f.rule.id,
-            severity: f.rule.severity,
-            title: f.rule.title,
-            owasp: f.rule.owasp,
-            file: f.location.file,
-            line: f.location.line,
-            snippet: f.location.snippet,
-        })),
-    };
-}
-async function toolListRules() {
-    const { loadRules } = await import("./agentshield/rules-loader.js");
-    const rules = loadRules();
-    return {
-        count: rules.length,
-        rules: rules.map((r) => ({
-            id: r.id,
-            severity: r.severity,
-            scanner: r.scanner,
-            title: r.title,
-            owasp: r.owasp ?? null,
-        })),
-    };
-}
 async function toolDetectArchetype(args) {
     const { detect } = await import("./detect.js");
     const { pickArchetype, suggestCompliance } = await import("./archetypes.js");
@@ -234,36 +201,6 @@ async function toolRecentVerdicts(args) {
 }
 // ── Tool dispatch table ────────────────────────────────────────────────────
 const TOOLS = [
-    {
-        name: "scan",
-        description: "Scan code for AI/LLM-specific security issues (OWASP LLM Top 10, 24 rules). Returns findings with severity, file, line, OWASP mapping.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                path: { type: "string", description: "File or directory to scan (default: cwd)" },
-                severity: {
-                    type: "string",
-                    enum: ["info", "low", "medium", "high", "critical"],
-                    description: "Minimum severity to report",
-                },
-                scanner: {
-                    type: "array",
-                    items: {
-                        type: "string",
-                        enum: ["prompt-injection", "secrets-in-prompts", "ssrf-in-tools", "rag-poisoning", "cost-runaway"],
-                    },
-                    description: "Limit to specific scanner categories",
-                },
-            },
-        },
-        handler: toolScan,
-    },
-    {
-        name: "list_rules",
-        description: "List all 24 AgentShield security rules with severity and OWASP LLM Top 10 mapping.",
-        inputSchema: { type: "object", properties: {} },
-        handler: toolListRules,
-    },
     {
         name: "detect_archetype",
         description: "Detect the project archetype (one of 25: fintech, healthcare, commerce, agent-product, mlops, edtech, gov-public, insurance, ...) and the compliance gates that apply.",

package/dist/report.js

@@ -45,10 +45,14 @@ function readAllVerdicts() {
     return out.sort((a, b) => a.ts.localeCompare(b.ts));
 }
 function periodToCutoff(period) {
-    const m = period.match(/^(\d+)d$/);
-    if (!m)
+    // "all" intentionally returns "" → every verdict passes the `ts >= cutoff`
+    // filter (no lower bound).
+    if (period === "all")
         return "";
-    const days = parseInt(m[1], 10);
+    // Malformed input (e.g. "30" without the "d", "1w") must NOT silently fall
+    // through to all-time — fall back to the documented 30d default instead.
+    const m = period.match(/^(\d+)d$/);
+    const days = m ? parseInt(m[1], 10) : 30;
     return new Date(Date.now() - days * 86_400_000).toISOString();
 }
 // ── Cost report ────────────────────────────────────────────────────────────