great-cto 2.4.0 → 2.5.1

package/dist/agentshield/scanner.js

@@ -54,21 +54,46 @@ function* walk(root, exclude) {
 function fileMatchesGlobs(file, globs) {
     if (!globs || globs.length === 0)
         return true;
-    // Tiny glob → regex. Convert globs in two passes:
-    //   1. Replace ** and * with sentinel placeholders.
-    //   2. Escape remaining regex metachars.
-    //   3. Replace placeholders with their regex equivalents.
+    // Normalize path separators for cross-platform matching
+    const normalized = file.replace(/\\/g, '/');
     return globs.some((g) => {
-        const pattern = g
-            .replace(/\*\*/g, '
') // ** → SOH
-            .replace(/\*/g, '') // *  → STX
-            .replace(/\?/g, '') // ?  → ETX
-            .replace(/[.+^${}()|[\]\\]/g, '\\$&')
-            .replace(/
/g, '.*')
-            .replace(//g, '[^/]*')
-            .replace(//g, '.');
+        // Token-based glob → regex conversion. Walks character-by-character to
+        // avoid the substitution-order pitfalls of multiple replace passes.
+        // Treats `**/` as "zero or more path segments" — so `**/*.ts` matches
+        // both `foo.ts` (root) and `src/lib/foo.ts` (nested).
+        let re = '';
+        for (let i = 0; i < g.length; i++) {
+            const c = g[i];
+            if (c === '*' && g[i + 1] === '*') {
+                // ** consumes the trailing /, so `**/x` becomes `(?:.*\/)?x` not `.*\/x`
+                if (g[i + 2] === '/') {
+                    re += '(?:.*\\/)?';
+                    i += 2;
+                }
+                else {
+                    re += '.*';
+                    i++;
+                }
+            }
+            else if (c === '*') {
+                re += '[^/]*';
+            }
+            else if (c === '?') {
+                re += '.';
+            }
+            else if ('.+^${}()|[]\\'.includes(c)) {
+                re += '\\' + c;
+            }
+            else if (c === '/') {
+                re += '/';
+            }
+            else {
+                re += c;
+            }
+        }
         try {
-            return new RegExp(pattern).test(file);
+            // Match suffix — `src/foo.ts` matches `**/*.ts` regardless of cwd
+            return new RegExp('(?:^|/)' + re + '$').test(normalized);
         }
         catch {
             return false;

package/dist/main.js

@@ -91,6 +91,10 @@ function parseArgs(argv) {
             args.command = "adapt";
         else if (a === "serve")
             args.command = "serve";
+        else if (a === "webhook")
+            args.command = "webhook";
+        else if (a === "report")
+            args.command = "report";
         else if (a.startsWith("--dir="))
             args.dir = a.slice("--dir=".length);
         else if (a === "--dir")
@@ -823,6 +827,7 @@ async function main() {
             const code = await runServe({
                 port: args.boardPort === 3141 ? 3142 : args.boardPort,
                 noLog: rawArgv.includes("--no-log"),
+                insecure: rawArgv.includes("--insecure"),
             });
             process.exit(code);
         }
@@ -831,6 +836,37 @@ async function main() {
             process.exit(2);
         }
     }
+    if (args.command === "webhook") {
+        try {
+            const { runWebhookCli, parseWebhookArgs } = await import("./webhook-cli.js");
+            const parsed = parseWebhookArgs(rawArgv);
+            if (!parsed) {
+                error("usage: great-cto webhook list | add-incoming <name> --secret <s> | add-outgoing <name> --url <u> --format <f> --triggers <t1,t2> | remove <name> | test <name>");
+                process.exit(2);
+            }
+            const code = await runWebhookCli(parsed);
+            process.exit(code);
+        }
+        catch (e) {
+            error(e.message);
+            process.exit(2);
+        }
+    }
+    if (args.command === "report") {
+        try {
+            const { runReport, parseReportArgs } = await import("./report.js");
+            const parsed = parseReportArgs(rawArgv, args.dir);
+            if (!parsed) {
+                process.exit(2);
+            }
+            const code = await runReport(parsed);
+            process.exit(code);
+        }
+        catch (e) {
+            error(e.message);
+            process.exit(2);
+        }
+    }
     if (args.command === "version") {
         // Version resolved in index.mjs or from package.json at runtime
         try {

package/dist/mcp.js

@@ -245,6 +245,75 @@ async function handle(req) {
         return fail(-32603, `Internal error: ${e.message}`);
     }
 }
+// ── SSE transport ──────────────────────────────────────────────────────────
+async function runSse(port, version) {
+    const { createServer } = await import("node:http");
+    // Each connection gets a unique session id and an open SSE stream.
+    // Inbound JSON-RPC arrives via POST /message?sessionId=<id>; responses are
+    // pushed back over the SSE stream. This matches the standard MCP SSE
+    // transport (https://spec.modelcontextprotocol.io/specification/transports).
+    const sessions = new Map();
+    const server = createServer(async (req, res) => {
+        const url = new URL(req.url ?? "/", `http://localhost:${port}`);
+        if (req.method === "GET" && url.pathname === "/sse") {
+            const sessionId = `s-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+            res.writeHead(200, {
+                "Content-Type": "text/event-stream",
+                "Cache-Control": "no-cache, no-transform",
+                Connection: "keep-alive",
+                "X-Accel-Buffering": "no",
+            });
+            // Initial endpoint event — tells client where to POST messages
+            res.write(`event: endpoint\ndata: /message?sessionId=${sessionId}\n\n`);
+            sessions.set(sessionId, res);
+            req.on("close", () => sessions.delete(sessionId));
+            return;
+        }
+        if (req.method === "POST" && url.pathname === "/message") {
+            const sessionId = url.searchParams.get("sessionId") ?? "";
+            const sse = sessions.get(sessionId);
+            if (!sse) {
+                res.writeHead(404, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "unknown sessionId" }));
+                return;
+            }
+            const chunks = [];
+            req.on("data", c => chunks.push(Buffer.from(c)));
+            req.on("end", async () => {
+                const body = Buffer.concat(chunks).toString("utf8");
+                try {
+                    const reqJson = JSON.parse(body);
+                    const reply = await handle(reqJson);
+                    if (reply) {
+                        sse.write(`event: message\ndata: ${JSON.stringify(reply)}\n\n`);
+                    }
+                    res.writeHead(202).end();
+                }
+                catch (e) {
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({ error: e.message }));
+                }
+            });
+            return;
+        }
+        if (req.method === "GET" && url.pathname === "/healthz") {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true, version, sessions: sessions.size, transport: "sse" }));
+            return;
+        }
+        res.writeHead(404).end();
+    });
+    return new Promise(resolve => {
+        server.listen(port, "127.0.0.1", () => {
+            process.stderr.write(`great-cto mcp v${version} (sse) → http://localhost:${port}/sse\n`);
+            process.stderr.write(`  GET  /sse                       open event stream\n`);
+            process.stderr.write(`  POST /message?sessionId=...     send JSON-RPC\n`);
+            process.stderr.write(`  GET  /healthz                   liveness\n`);
+        });
+        process.on("SIGINT", () => { server.close(); resolve(0); });
+        process.on("SIGTERM", () => { server.close(); resolve(0); });
+    });
+}
 // ── stdio transport ────────────────────────────────────────────────────────
 async function runStdio() {
     // Read newline-delimited JSON from stdin, write to stdout. This is the
@@ -278,8 +347,7 @@ async function runStdio() {
 export async function runMcp(args) {
     SERVER_INFO.version = args.version;
     if (args.mode === "sse") {
-        process.stderr.write("great-cto mcp: SSE mode not yet implemented (use --stdio)\n");
-        return 2;
+        return runSse(args.port, args.version);
     }
     // Notify clients we're ready (some hosts log this)
     process.stderr.write(`great-cto mcp v${args.version} (stdio) — ${TOOLS.length} tools\n`);

package/dist/report.js

@@ -0,0 +1,410 @@
+// great-cto report — shareable cost / agents / compliance reports.
+//
+// Three report types, two output formats (HTML self-contained, JSON):
+//
+//   great-cto report cost --period 30d --format html > cost.html
+//   great-cto report agents --since-last-release --format json
+//   great-cto report compliance --archetype fintech --format html
+//
+// HTML output is fully self-contained (no external CSS/JS) so it can be
+// emailed to a CFO, attached to a PR, or hosted as a GitHub Pages artifact.
+// JSON is for downstream automation.
+//
+// Data sources:
+//   cost          → ~/.great_cto/verdicts/*.log (LLM cost ledger) +
+//                   .great_cto/PROJECT.md (monthly-budget) +
+//                   bd tasks (closed_at-created_at timing)
+//   agents        → ~/.great_cto/verdicts/*.log + plugin agents/*.md
+//   compliance    → .great_cto/PROJECT.md (compliance gates) +
+//                   docs/security/CSO-*.md + docs/qa-reports/QA-*.md +
+//                   gates closed via bd
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+// ── Data collectors ────────────────────────────────────────────────────────
+function readAllVerdicts() {
+    const dir = join(homedir(), ".great_cto", "verdicts");
+    if (!existsSync(dir))
+        return [];
+    const out = [];
+    for (const f of readdirSync(dir)) {
+        if (!f.endsWith(".log"))
+            continue;
+        const agent = f.replace(/\.log$/, "");
+        const lines = readFileSync(join(dir, f), "utf8").split("\n").filter(Boolean);
+        for (const line of lines) {
+            const ts = line.split(/\s+/)[0] ?? "";
+            const verdict = line.split(/\s+/)[1] ?? "";
+            const costMatch = line.match(/\bcost(?:_usd)?[=:]?\s*\$?(\d+\.?\d*)/i);
+            out.push({
+                ts, agent, verdict,
+                cost_usd: costMatch ? parseFloat(costMatch[1]) : null,
+            });
+        }
+    }
+    return out.sort((a, b) => a.ts.localeCompare(b.ts));
+}
+function periodToCutoff(period) {
+    const m = period.match(/^(\d+)d$/);
+    if (!m)
+        return "";
+    const days = parseInt(m[1], 10);
+    return new Date(Date.now() - days * 86_400_000).toISOString();
+}
+// ── Cost report ────────────────────────────────────────────────────────────
+function buildCostReport(args) {
+    const cutoff = periodToCutoff(args.period);
+    const verdicts = readAllVerdicts().filter(v => v.ts >= cutoff);
+    const HUMAN_RATE_PER_HR = 150;
+    const LLM_RATE_PER_HR = 0.02;
+    const RATIO = HUMAN_RATE_PER_HR / LLM_RATE_PER_HR;
+    // Per-agent aggregation
+    const byAgent = new Map();
+    let totalLlm = 0;
+    for (const v of verdicts) {
+        const cost = v.cost_usd ?? 0;
+        totalLlm += cost;
+        const cur = byAgent.get(v.agent) ?? { llm: 0, runs: 0 };
+        cur.llm += cost;
+        cur.runs += 1;
+        byAgent.set(v.agent, cur);
+    }
+    // Day-level series for chart
+    const byDay = new Map();
+    for (const v of verdicts) {
+        const day = v.ts.slice(0, 10);
+        byDay.set(day, (byDay.get(day) ?? 0) + (v.cost_usd ?? 0));
+    }
+    const series = Array.from(byDay.entries())
+        .map(([date, llm]) => ({ date, llm }))
+        .sort((a, b) => a.date.localeCompare(b.date));
+    // Read budget
+    const projectMd = join(args.cwd, ".great_cto", "PROJECT.md");
+    const budgetMatch = existsSync(projectMd)
+        ? readFileSync(projectMd, "utf8").match(/monthly[-_]budget:\s*\$?(\d[\d,]+)/i)
+        : null;
+    const budget = budgetMatch ? parseFloat(budgetMatch[1].replace(/,/g, "")) : null;
+    const totalHuman = totalLlm * RATIO;
+    return {
+        type: "cost",
+        period: args.period,
+        generated_at: new Date().toISOString(),
+        summary: {
+            total_llm_usd: +totalLlm.toFixed(4),
+            total_human_equivalent_usd: +totalHuman.toFixed(2),
+            savings_x: Math.round(RATIO),
+            savings_usd: +(totalHuman - totalLlm).toFixed(2),
+            runs: verdicts.length,
+            monthly_budget: budget,
+            pct_of_budget: budget ? +((totalLlm / budget) * 100).toFixed(1) : null,
+        },
+        by_agent: Array.from(byAgent.entries())
+            .map(([agent, { llm, runs }]) => ({
+            agent,
+            llm_usd: +llm.toFixed(4),
+            human_equivalent_usd: +(llm * RATIO).toFixed(2),
+            runs,
+        }))
+            .sort((a, b) => b.llm_usd - a.llm_usd),
+        series,
+    };
+}
+// ── Agents report ──────────────────────────────────────────────────────────
+function buildAgentsReport(args) {
+    const cutoff = periodToCutoff(args.period);
+    const verdicts = readAllVerdicts().filter(v => v.ts >= cutoff);
+    const byAgent = new Map();
+    for (const v of verdicts) {
+        const cur = byAgent.get(v.agent) ?? { runs: 0, ok: 0, fail: 0, lastTs: "", cost: 0 };
+        cur.runs += 1;
+        const u = (v.verdict || "").toUpperCase();
+        if (["OK", "APPROVED", "DONE", "PASS", "PASSED"].includes(u))
+            cur.ok += 1;
+        else if (["FAIL", "FAILED", "BLOCKED", "REJECTED"].includes(u))
+            cur.fail += 1;
+        if (v.ts > cur.lastTs)
+            cur.lastTs = v.ts;
+        cur.cost += v.cost_usd ?? 0;
+        byAgent.set(v.agent, cur);
+    }
+    return {
+        type: "agents",
+        period: args.period,
+        generated_at: new Date().toISOString(),
+        summary: {
+            total_agents: byAgent.size,
+            total_runs: verdicts.length,
+            total_cost_usd: +Array.from(byAgent.values()).reduce((s, a) => s + a.cost, 0).toFixed(4),
+        },
+        agents: Array.from(byAgent.entries())
+            .map(([name, m]) => ({
+            agent: name,
+            runs: m.runs,
+            ok: m.ok,
+            fail: m.fail,
+            success_rate: m.runs ? +((m.ok / m.runs) * 100).toFixed(1) : null,
+            cost_usd: +m.cost.toFixed(4),
+            last_seen: m.lastTs,
+        }))
+            .sort((a, b) => b.runs - a.runs),
+    };
+}
+// ── Compliance report ──────────────────────────────────────────────────────
+function buildComplianceReport(args) {
+    const projectMd = join(args.cwd, ".great_cto", "PROJECT.md");
+    const meta = existsSync(projectMd) ? readFileSync(projectMd, "utf8") : "";
+    const declaredArchetype = (meta.match(/^primary:\s*(\S+)/m)?.[1] ?? "unknown").trim();
+    const archetype = args.archetype ?? declaredArchetype;
+    const compliance = (meta.match(/^compliance:\s*(.+)$/m)?.[1] ?? "")
+        .split(/[,\s]+/).map(s => s.trim()).filter(Boolean);
+    // Count gates from docs/security and docs/qa-reports
+    const securityDir = join(args.cwd, "docs", "security");
+    const qaDir = join(args.cwd, "docs", "qa-reports");
+    let secApproved = 0, secBlocked = 0, secTotal = 0;
+    if (existsSync(securityDir)) {
+        for (const f of readdirSync(securityDir).filter(x => x.endsWith(".md"))) {
+            secTotal += 1;
+            const text = readFileSync(join(securityDir, f), "utf8");
+            if (/APPROVED/i.test(text))
+                secApproved += 1;
+            if (/BLOCKED/i.test(text))
+                secBlocked += 1;
+        }
+    }
+    let qaPass = 0, qaFail = 0, qaTotal = 0;
+    if (existsSync(qaDir)) {
+        for (const f of readdirSync(qaDir).filter(x => x.endsWith(".md"))) {
+            qaTotal += 1;
+            const text = readFileSync(join(qaDir, f), "utf8");
+            if (/(?:verdict|status|result)\s*[:=]?\s*[*_`]*\s*(?:✅|✓|pass(?:ed)?)/i.test(text))
+                qaPass += 1;
+            else if (/(?:verdict|status|result)\s*[:=]?\s*[*_`]*\s*(?:❌|✗|fail|block)/i.test(text))
+                qaFail += 1;
+        }
+    }
+    return {
+        type: "compliance",
+        archetype,
+        generated_at: new Date().toISOString(),
+        declared_compliance: compliance,
+        security_gates: { total: secTotal, approved: secApproved, blocked: secBlocked },
+        qa_reports: { total: qaTotal, passed: qaPass, failed: qaFail,
+            pass_rate: qaTotal ? +((qaPass / qaTotal) * 100).toFixed(1) : null },
+    };
+}
+// ── HTML rendering ─────────────────────────────────────────────────────────
+const HTML_STYLE = `
+:root { color-scheme: light dark; }
+body { font: 14px/1.45 -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif; max-width: 960px; margin: 32px auto; padding: 0 24px; color: #111; background: #fafafa; }
+@media (prefers-color-scheme: dark) { body { background: #0d0e10; color: #d6d6d6; } }
+h1 { font-size: 22px; margin: 0 0 4px; }
+h2 { font-size: 14px; text-transform: uppercase; letter-spacing: 0.06em; color: #888; margin: 28px 0 8px; }
+.meta { color: #888; margin-bottom: 24px; font-size: 12px; }
+.tile-row { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 12px; margin-bottom: 24px; }
+.tile { background: #fff; border: 1px solid #eee; border-radius: 8px; padding: 14px 16px; }
+@media (prefers-color-scheme: dark) { .tile { background: #1a1c1f; border-color: #2a2c30; } }
+.tile-num { font-size: 26px; font-weight: 600; }
+.tile-lbl { font-size: 11px; color: #888; text-transform: uppercase; letter-spacing: 0.06em; margin-top: 4px; }
+.tile-sub { font-size: 12px; color: #666; margin-top: 4px; }
+table { width: 100%; border-collapse: collapse; margin-bottom: 16px; }
+th, td { text-align: left; padding: 8px 12px; border-bottom: 1px solid #eee; }
+@media (prefers-color-scheme: dark) { th, td { border-color: #2a2c30; } }
+th { font-size: 11px; text-transform: uppercase; letter-spacing: 0.06em; color: #888; font-weight: 500; }
+td.num { font-variant-numeric: tabular-nums; text-align: right; }
+.bar { height: 6px; background: #eee; border-radius: 99px; overflow: hidden; min-width: 60px; }
+@media (prefers-color-scheme: dark) { .bar { background: #2a2c30; } }
+.bar > span { display: block; height: 100%; background: #16a34a; min-width: 2px; }
+.footer { color: #999; font-size: 11px; margin-top: 40px; padding-top: 16px; border-top: 1px solid #eee; }
+@media (prefers-color-scheme: dark) { .footer { border-color: #2a2c30; } }
+.svg-chart { background: #fff; border: 1px solid #eee; border-radius: 8px; padding: 14px; margin: 8px 0 24px; }
+@media (prefers-color-scheme: dark) { .svg-chart { background: #1a1c1f; border-color: #2a2c30; } }
+`;
+function fmtMoney(n) {
+    return "$" + Math.round(n).toLocaleString().replace(/,/g, " ");
+}
+function renderCostHtml(report) {
+    const s = report.summary;
+    const series = report.series;
+    const maxLlm = Math.max(...series.map(p => p.llm), 0.001);
+    const chartH = 120;
+    const chartW = 800;
+    const padL = 40, padR = 12, padB = 24, padT = 8;
+    const usableW = chartW - padL - padR;
+    const usableH = chartH - padT - padB;
+    const bars = series.map((p, i) => {
+        const barW = Math.max(2, usableW / Math.max(series.length, 1) - 2);
+        const x = padL + i * (usableW / Math.max(series.length, 1));
+        const h = (p.llm / maxLlm) * usableH;
+        const y = padT + (usableH - h);
+        return `<rect x="${x.toFixed(1)}" y="${y.toFixed(1)}" width="${barW.toFixed(1)}" height="${h.toFixed(1)}" fill="#16a34a" />`;
+    }).join("");
+    const chartSvg = `
+<svg class="svg-chart" viewBox="0 0 ${chartW} ${chartH}" width="100%" preserveAspectRatio="none">
+  <line x1="${padL}" y1="${padT + usableH}" x2="${chartW - padR}" y2="${padT + usableH}" stroke="#999" stroke-width="0.5" />
+  ${bars}
+  <text x="${padL}" y="${chartH - 4}" font-family="ui-monospace" font-size="9" fill="#888">${series[0]?.date ?? ""}</text>
+  <text x="${chartW - padR}" y="${chartH - 4}" font-family="ui-monospace" font-size="9" fill="#888" text-anchor="end">${series[series.length - 1]?.date ?? ""}</text>
+  <text x="${padL - 6}" y="${padT + 8}" font-family="ui-monospace" font-size="9" fill="#888" text-anchor="end">${fmtMoney(maxLlm)}</text>
+  <text x="${padL - 6}" y="${chartH - padB + 4}" font-family="ui-monospace" font-size="9" fill="#888" text-anchor="end">$0</text>
+</svg>`;
+    const agentRows = report.by_agent.map(a => `
+    <tr>
+      <td>${escapeHtml(a.agent)}</td>
+      <td class="num">${a.runs}</td>
+      <td class="num">${fmtMoney(a.llm_usd)}</td>
+      <td class="num">${fmtMoney(a.human_equivalent_usd)}</td>
+      <td><span class="bar"><span style="width:${(a.llm_usd / Math.max(report.by_agent[0]?.llm_usd || 1, 0.0001) * 100).toFixed(1)}%"></span></span></td>
+    </tr>`).join("");
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>great-cto cost report — ${escapeHtml(report.period)}</title>
+<style>${HTML_STYLE}</style>
+</head>
+<body>
+<h1>Cost report — last ${escapeHtml(report.period)}</h1>
+<div class="meta">Generated ${escapeHtml(report.generated_at)} · ${s.runs} agent run(s) · period: ${escapeHtml(report.period)}</div>
+
+<div class="tile-row">
+  <div class="tile"><div class="tile-num">${fmtMoney(s.total_llm_usd)}</div><div class="tile-lbl">LLM spend</div></div>
+  <div class="tile"><div class="tile-num">${fmtMoney(s.total_human_equivalent_usd)}</div><div class="tile-lbl">vs human team</div></div>
+  <div class="tile"><div class="tile-num">${s.savings_x}×</div><div class="tile-lbl">cost ratio</div><div class="tile-sub">saved ${fmtMoney(s.savings_usd)}</div></div>
+  <div class="tile"><div class="tile-num">${s.pct_of_budget != null ? s.pct_of_budget + "%" : "—"}</div><div class="tile-lbl">of monthly budget</div><div class="tile-sub">${s.monthly_budget != null ? "budget: " + fmtMoney(s.monthly_budget) : "(no budget set)"}</div></div>
+</div>
+
+<h2>Daily LLM spend</h2>
+${chartSvg}
+
+<h2>Per-agent breakdown</h2>
+<table>
+<thead><tr><th>Agent</th><th class="num">Runs</th><th class="num">LLM cost</th><th class="num">Human equiv.</th><th>Share</th></tr></thead>
+<tbody>${agentRows}</tbody>
+</table>
+
+<div class="footer">
+  Report generated by great-cto. LLM cost ratio model: $0.02/AI-hour vs $150/human-hour (~7500×).
+  Source: ~/.great_cto/verdicts/*.log + .great_cto/PROJECT.md.
+</div>
+</body>
+</html>
+`;
+}
+function renderAgentsHtml(report) {
+    const s = report.summary;
+    const rows = report.agents.map(a => `
+    <tr>
+      <td>${escapeHtml(a.agent)}</td>
+      <td class="num">${a.runs}</td>
+      <td class="num">${a.success_rate != null ? a.success_rate + "%" : "—"}</td>
+      <td class="num">${a.ok}</td>
+      <td class="num">${a.fail}</td>
+      <td class="num">${fmtMoney(a.cost_usd)}</td>
+      <td>${a.last_seen ? escapeHtml(a.last_seen.slice(0, 10)) : "—"}</td>
+    </tr>`).join("");
+    return `<!doctype html>
+<html lang="en"><head><meta charset="utf-8">
+<title>great-cto agents report</title><style>${HTML_STYLE}</style></head>
+<body>
+<h1>Agents performance — last ${escapeHtml(report.period)}</h1>
+<div class="meta">Generated ${escapeHtml(report.generated_at)} · ${s.total_agents} agent(s) · ${s.total_runs} run(s)</div>
+<div class="tile-row">
+  <div class="tile"><div class="tile-num">${s.total_agents}</div><div class="tile-lbl">Active agents</div></div>
+  <div class="tile"><div class="tile-num">${s.total_runs}</div><div class="tile-lbl">Total runs</div></div>
+  <div class="tile"><div class="tile-num">${fmtMoney(s.total_cost_usd)}</div><div class="tile-lbl">Total cost</div></div>
+</div>
+<table>
+<thead><tr><th>Agent</th><th class="num">Runs</th><th class="num">Success rate</th><th class="num">OK</th><th class="num">Fail</th><th class="num">Cost</th><th>Last seen</th></tr></thead>
+<tbody>${rows}</tbody>
+</table>
+<div class="footer">Source: ~/.great_cto/verdicts/*.log</div>
+</body></html>`;
+}
+function renderComplianceHtml(report) {
+    const sg = report.security_gates;
+    const qa = report.qa_reports;
+    const compRows = report.declared_compliance
+        .map(c => `<li>${escapeHtml(c)}</li>`)
+        .join("");
+    return `<!doctype html>
+<html lang="en"><head><meta charset="utf-8">
+<title>great-cto compliance report</title><style>${HTML_STYLE}</style></head>
+<body>
+<h1>Compliance posture — ${escapeHtml(report.archetype)}</h1>
+<div class="meta">Generated ${escapeHtml(report.generated_at)}</div>
+
+<div class="tile-row">
+  <div class="tile"><div class="tile-num">${sg.total}</div><div class="tile-lbl">Security signoffs</div><div class="tile-sub">${sg.approved} approved · ${sg.blocked} blocked</div></div>
+  <div class="tile"><div class="tile-num">${qa.total}</div><div class="tile-lbl">QA reports</div><div class="tile-sub">${qa.pass_rate != null ? qa.pass_rate + "% pass rate" : "(no data)"}</div></div>
+</div>
+
+<h2>Declared compliance gates</h2>
+${compRows ? `<ul>${compRows}</ul>` : "<p>No compliance gates declared in PROJECT.md.</p>"}
+
+<h2>Audit trail</h2>
+<table>
+<tr><td>Security signoffs</td><td class="num">${sg.approved}/${sg.total} approved</td></tr>
+<tr><td>QA reports</td><td class="num">${qa.passed}/${qa.total} passed</td></tr>
+</table>
+
+<div class="footer">Source: docs/security/CSO-*.md, docs/qa-reports/QA-*.md, .great_cto/PROJECT.md</div>
+</body></html>`;
+}
+function escapeHtml(s) {
+    return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+// ── Main entry ─────────────────────────────────────────────────────────────
+export async function runReport(args) {
+    let report;
+    try {
+        if (args.type === "cost")
+            report = buildCostReport(args);
+        else if (args.type === "agents")
+            report = buildAgentsReport(args);
+        else if (args.type === "compliance")
+            report = buildComplianceReport(args);
+        else {
+            console.error(`unknown report type: ${args.type}`);
+            return 2;
+        }
+    }
+    catch (e) {
+        console.error(`report failed: ${e.message}`);
+        return 2;
+    }
+    if (args.format === "json") {
+        console.log(JSON.stringify(report, null, 2));
+    }
+    else {
+        let html;
+        if (args.type === "cost")
+            html = renderCostHtml(report);
+        else if (args.type === "agents")
+            html = renderAgentsHtml(report);
+        else
+            html = renderComplianceHtml(report);
+        console.log(html);
+    }
+    return 0;
+}
+export function parseReportArgs(rawArgv, cwd) {
+    const idx = rawArgv.indexOf("report");
+    if (idx === -1)
+        return null;
+    const type = rawArgv[idx + 1];
+    if (!["cost", "agents", "compliance"].includes(type)) {
+        console.error(`great-cto report: type must be cost|agents|compliance (got: ${type ?? "<missing>"})`);
+        return null;
+    }
+    const flag = (n, def) => {
+        const i = rawArgv.indexOf(`--${n}`);
+        return i >= 0 && i < rawArgv.length - 1 ? rawArgv[i + 1] : def;
+    };
+    return {
+        type,
+        format: flag("format", "html"),
+        period: flag("period", "30d"),
+        archetype: flag("archetype") ?? null,
+        cwd,
+    };
+}

package/dist/serve.js

@@ -1,26 +1,30 @@
-// great-cto serve — webhook receiver + outbound notifier (scaffolding).
+// great-cto serve — webhook receiver with HMAC verification, retry, DLQ.
+// v2.5.0 production-grade upgrade.
 //
-// v2.4.0 ships scaffolding + a single working endpoint (POST /webhook/github
-// → run scan, log event). Signature verification, retry/DLQ, and outbound
-// integrations land in v2.5.0.
+// Incoming endpoints:
+//   POST /webhook/github      GitHub events with X-Hub-Signature-256 verification
+//   POST /webhook/sentry      Sentry alerts (HMAC via X-Sentry-Signature-256)
+//   POST /webhook/generic     Generic JSON, optional shared-secret verification
+//   GET  /events              Recent event log (last 50)
+//   GET  /healthz             Liveness probe
+//   GET  /dlq                 Recent dead-lettered outbound deliveries
 //
-// Usage:
-//   great-cto serve [--port 3142] [--no-log]
+// HMAC verification is REQUIRED unless GREATCTO_WEBHOOK_INSECURE=1 is set
+// (intended only for local dev). Configure secrets via:
+//   great-cto webhook add-incoming github --secret <hmac-secret>
 //
-// Endpoints:
-//   POST /webhook/github    GitHub event receiver (pull_request.opened →
-//                           runs scan on PR head, persists summary)
-//   POST /webhook/generic   Catch-all for ad-hoc integrations. Body persisted
-//                           to ~/.great_cto/webhook-events.log (JSONL).
-//   GET  /healthz           Liveness probe
-//   GET  /events            Recent event log (last 50)
-//
-// All events are appended to ~/.great_cto/webhook-events.log as JSONL with
-// fields: ts, source, event_type, payload_summary, action_taken.
+// Outbound dispatch fires automatically on certain incoming events:
+//   github.pull_request.opened    → "pr.opened" event
+//   github.issues.opened          → "issue.opened" event
+//   sentry.event_alert            → "incident.p0" event (severity-mapped)
+// Each registered outgoing hook listens to a subset via its triggers list.
 import { appendFileSync, existsSync, mkdirSync, readFileSync } from "node:fs";
+import { createHmac, timingSafeEqual } from "node:crypto";
 import { createServer } from "node:http";
 import { homedir } from "node:os";
 import { join } from "node:path";
+import { dispatch, getDlqPath } from "./webhook-dispatch.js";
+import { getIncoming } from "./webhook-config.js";
 const EVENTS_LOG = join(homedir(), ".great_cto", "webhook-events.log");
 function logEvent(ev, noLog) {
     if (noLog)
@@ -37,9 +41,9 @@ function logEvent(ev, noLog) {
 }
 function readBody(req) {
     return new Promise((resolve, reject) => {
-        let data = "";
-        req.on("data", chunk => (data += chunk));
-        req.on("end", () => resolve(data));
+        const chunks = [];
+        req.on("data", chunk => chunks.push(Buffer.from(chunk)));
+        req.on("end", () => resolve(Buffer.concat(chunks)));
         req.on("error", reject);
     });
 }
@@ -47,40 +51,149 @@ function json(res, status, body) {
     res.writeHead(status, { "Content-Type": "application/json" });
     res.end(JSON.stringify(body));
 }
+// ── HMAC verification ──────────────────────────────────────────────────────
+/**
+ * Constant-time HMAC-SHA256 verification. Returns true if signatures match.
+ * GitHub format:    "sha256=<hex>"
+ * Sentry format:    "<hex>" (just the digest)
+ * Generic format:   either accepted
+ */
+function verifyHmac(secret, body, headerValue) {
+    if (!headerValue)
+        return false;
+    // Strip "sha256=" prefix if present
+    const expected = headerValue.startsWith("sha256=") ? headerValue.slice(7) : headerValue;
+    const computed = createHmac("sha256", secret).update(body).digest("hex");
+    if (expected.length !== computed.length)
+        return false;
+    try {
+        return timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(computed, "hex"));
+    }
+    catch {
+        return false;
+    }
+}
 // ── Endpoint handlers ──────────────────────────────────────────────────────
 async function handleGitHub(req, res, args) {
     const body = await readBody(req);
     const eventType = req.headers["x-github-event"] ?? "unknown";
     const deliveryId = req.headers["x-github-delivery"] ?? "no-id";
+    const signature = req.headers["x-hub-signature-256"];
+    // HMAC verification
+    if (!args.insecure) {
+        const cfg = getIncoming("github");
+        if (!cfg?.secret) {
+            json(res, 401, {
+                error: "github webhook not configured",
+                hint: "run: great-cto webhook add-incoming github --secret <hmac-secret>",
+            });
+            return;
+        }
+        if (!verifyHmac(cfg.secret, body, signature)) {
+            json(res, 401, { error: "invalid signature" });
+            return;
+        }
+    }
     let payload;
     try {
-        payload = JSON.parse(body);
+        payload = JSON.parse(body.toString("utf8"));
     }
     catch {
         json(res, 400, { error: "invalid JSON" });
         return;
     }
-    // Currently we just record the event. Scan-on-PR lands in v2.5.0 with
-    // proper signature verification and clone-and-scan flow.
+    const action = payload.action ?? "?";
     const summary = eventType === "pull_request"
-        ? `${payload.action ?? "?"} PR #${payload.number ?? "?"} in ${payload.repository?.full_name ?? "?"}`
-        : `${eventType} delivery=${deliveryId}`;
-    const ev = {
+        ? `${action} PR #${payload.number ?? "?"} in ${payload.repository?.full_name ?? "?"}`
+        : eventType === "issues"
+            ? `${action} issue #${payload.issue?.number ?? "?"} in ${payload.repository?.full_name ?? "?"}`
+            : `${eventType} delivery=${deliveryId}`;
+    // Outbound dispatch — map GitHub events to internal trigger names
+    let outboundFired = 0;
+    if (eventType === "pull_request" && action === "opened") {
+        outboundFired = dispatch({
+            name: "pr.opened",
+            level: "info",
+            title: `PR opened: #${payload.number} in ${payload.repository?.full_name}`,
+            body: payload.pull_request?.title ?? "",
+            meta: { url: payload.pull_request?.html_url, author: payload.sender?.login },
+        }).fired;
+    }
+    else if (eventType === "issues" && action === "opened") {
+        outboundFired = dispatch({
+            name: "issue.opened",
+            level: "info",
+            title: `Issue opened: #${payload.issue.number} in ${payload.repository?.full_name}`,
+            body: payload.issue?.title ?? "",
+            meta: { url: payload.issue?.html_url, author: payload.sender?.login },
+        }).fired;
+    }
+    logEvent({
         ts: new Date().toISOString(),
         source: "github",
         event_type: eventType,
         summary,
-        action_taken: "logged",
+        action_taken: outboundFired > 0 ? `dispatched to ${outboundFired} outbound hook(s)` : "logged",
         meta: { delivery_id: deliveryId, pr_number: payload.number, action: payload.action },
-    };
-    logEvent(ev, args.noLog);
-    json(res, 200, { ok: true, event_type: eventType, recorded: true });
+    }, args.noLog);
+    json(res, 200, { ok: true, event_type: eventType, dispatched_to: outboundFired });
+}
+async function handleSentry(req, res, args) {
+    const body = await readBody(req);
+    const signature = req.headers["x-sentry-signature-256"];
+    if (!args.insecure) {
+        const cfg = getIncoming("sentry");
+        if (!cfg?.secret) {
+            json(res, 401, { error: "sentry webhook not configured" });
+            return;
+        }
+        if (!verifyHmac(cfg.secret, body, signature)) {
+            json(res, 401, { error: "invalid signature" });
+            return;
+        }
+    }
+    let payload;
+    try {
+        payload = JSON.parse(body.toString("utf8"));
+    }
+    catch {
+        json(res, 400, { error: "invalid JSON" });
+        return;
+    }
+    // Sentry events typically include event.level: 'fatal' | 'error' | 'warning'
+    const level = payload?.event?.level ?? payload?.level ?? "warning";
+    const title = payload?.event?.title ?? payload?.title ?? "Sentry alert";
+    const isP0 = level === "fatal" || level === "critical";
+    const fired = dispatch({
+        name: isP0 ? "incident.p0" : "incident.alert",
+        level: isP0 ? "critical" : "error",
+        title,
+        body: payload?.event?.metadata?.value ?? "",
+        meta: { url: payload?.url, project: payload?.project_slug },
+    }).fired;
+    logEvent({
+        ts: new Date().toISOString(),
+        source: "sentry",
+        event_type: isP0 ? "p0" : "alert",
+        summary: title,
+        action_taken: `dispatched to ${fired} outbound hook(s)`,
+        meta: { level, url: payload?.url },
+    }, args.noLog);
+    json(res, 200, { ok: true, dispatched_to: fired });
 }
 async function handleGeneric(req, res, args) {
     const body = await readBody(req);
-    let payload = body;
+    const signature = req.headers["x-greatcto-signature-256"];
+    if (!args.insecure) {
+        const cfg = getIncoming("generic");
+        if (cfg?.secret && !verifyHmac(cfg.secret, body, signature)) {
+            json(res, 401, { error: "invalid signature" });
+            return;
+        }
+    }
+    let payload = body.toString("utf8");
     try {
-        payload = JSON.parse(body);
+        payload = JSON.parse(payload);
     }
     catch {
         /* keep as raw string */
@@ -91,7 +204,7 @@ async function handleGeneric(req, res, args) {
         event_type: "incoming",
         summary: `payload ${body.length} bytes`,
         action_taken: "logged",
-        meta: { payload_preview: String(body).slice(0, 200) },
+        meta: { payload_preview: String(body.toString("utf8")).slice(0, 200) },
     };
     logEvent(ev, args.noLog);
     json(res, 200, { ok: true, recorded: true });
@@ -106,53 +219,71 @@ function handleEvents(_req, res) {
         .filter(Boolean)
         .slice(-50);
     const events = lines
-        .map(l => {
-        try {
-            return JSON.parse(l);
-        }
-        catch {
-            return null;
-        }
-    })
+        .map(l => { try {
+        return JSON.parse(l);
+    }
+    catch {
+        return null;
+    } })
         .filter(Boolean);
     json(res, 200, { events });
 }
+function handleDlq(_req, res) {
+    const dlq = getDlqPath();
+    if (!existsSync(dlq)) {
+        json(res, 200, { dlq: [] });
+        return;
+    }
+    const lines = readFileSync(dlq, "utf8").split("\n").filter(Boolean).slice(-50);
+    const events = lines
+        .map(l => { try {
+        return JSON.parse(l);
+    }
+    catch {
+        return null;
+    } })
+        .filter(Boolean);
+    json(res, 200, { dlq: events });
+}
 // ── Main entry ─────────────────────────────────────────────────────────────
 export async function runServe(args) {
+    const insecure = args.insecure ?? process.env.GREATCTO_WEBHOOK_INSECURE === "1";
+    const finalArgs = { ...args, insecure };
     const server = createServer(async (req, res) => {
         const url = new URL(req.url ?? "/", `http://localhost:${args.port}`);
         const path = url.pathname;
-        // Healthz
         if (req.method === "GET" && path === "/healthz") {
-            return json(res, 200, { ok: true, service: "great-cto serve", events_log: EVENTS_LOG });
+            return json(res, 200, { ok: true, service: "great-cto serve", insecure });
         }
         if (req.method === "GET" && path === "/events") {
             return handleEvents(req, res);
         }
+        if (req.method === "GET" && path === "/dlq") {
+            return handleDlq(req, res);
+        }
         if (req.method === "POST" && path === "/webhook/github") {
-            return handleGitHub(req, res, args);
+            return handleGitHub(req, res, finalArgs);
+        }
+        if (req.method === "POST" && path === "/webhook/sentry") {
+            return handleSentry(req, res, finalArgs);
         }
         if (req.method === "POST" && path === "/webhook/generic") {
-            return handleGeneric(req, res, args);
+            return handleGeneric(req, res, finalArgs);
         }
         json(res, 404, { error: "not found", path });
     });
     return new Promise(resolve => {
         server.listen(args.port, "127.0.0.1", () => {
-            console.error(`great-cto serve → http://localhost:${args.port}`);
-            console.error(`  POST /webhook/github    GitHub event receiver`);
-            console.error(`  POST /webhook/generic   Catch-all`);
-            console.error(`  GET  /events            Recent event log`);
-            console.error(`  GET  /healthz           Liveness probe`);
+            console.error(`great-cto serve → http://localhost:${args.port}${insecure ? "  [INSECURE: HMAC OFF]" : ""}`);
+            console.error(`  POST /webhook/github   GitHub (HMAC SHA-256)`);
+            console.error(`  POST /webhook/sentry   Sentry (HMAC SHA-256)`);
+            console.error(`  POST /webhook/generic  Generic (optional HMAC)`);
+            console.error(`  GET  /events           Recent event log`);
+            console.error(`  GET  /dlq              Dead-letter queue`);
+            console.error(`  GET  /healthz          Liveness probe`);
             console.error(`  log: ${EVENTS_LOG}`);
         });
-        process.on("SIGINT", () => {
-            server.close();
-            resolve(0);
-        });
-        process.on("SIGTERM", () => {
-            server.close();
-            resolve(0);
-        });
+        process.on("SIGINT", () => { server.close(); resolve(0); });
+        process.on("SIGTERM", () => { server.close(); resolve(0); });
     });
 }

package/dist/webhook-cli.js

@@ -0,0 +1,150 @@
+// great-cto webhook — manage incoming/outgoing webhook configuration.
+//
+// Usage:
+//   great-cto webhook list
+//   great-cto webhook add-incoming <name> --secret <hmac> [--events e1,e2]
+//   great-cto webhook add-outgoing <name> --url <url> --format slack|discord|pagerduty|generic --triggers t1,t2
+//   great-cto webhook remove <name>
+//   great-cto webhook test <name>          (sends a test event through dispatcher)
+import { loadConfig, addIncoming, addOutgoing, removeHook, getConfigPath, } from "./webhook-config.js";
+import { dispatch } from "./webhook-dispatch.js";
+export async function runWebhookCli(args) {
+    switch (args.action) {
+        case "list": {
+            const cfg = loadConfig();
+            console.log(`config: ${getConfigPath()}\n`);
+            console.log(`Incoming hooks (${cfg.incoming.length}):`);
+            if (cfg.incoming.length === 0)
+                console.log("  (none)");
+            for (const h of cfg.incoming) {
+                const sec = h.secret ? `[secret: ${h.secret.slice(0, 4)}...${h.secret.slice(-2)}]` : "[NO SECRET — INSECURE]";
+                console.log(`  - ${h.name}  ${sec}  events=${h.events?.join(",") || "all"}`);
+            }
+            console.log(`\nOutgoing hooks (${cfg.outgoing.length}):`);
+            if (cfg.outgoing.length === 0)
+                console.log("  (none)");
+            for (const h of cfg.outgoing) {
+                const url = h.url.length > 60 ? h.url.slice(0, 57) + "..." : h.url;
+                console.log(`  - ${h.name}  [${h.format}]  triggers=${h.triggers.join(",")}\n      ${url}`);
+            }
+            return 0;
+        }
+        case "add-incoming": {
+            if (!args.name) {
+                console.error("FAIL: --name required");
+                return 2;
+            }
+            if (!args.secret) {
+                console.error("WARN: no --secret provided. Webhooks will only work in --insecure mode.");
+            }
+            addIncoming({
+                name: args.name,
+                secret: args.secret,
+                events: args.events,
+            });
+            console.log(`✓ added incoming hook "${args.name}"`);
+            return 0;
+        }
+        case "add-outgoing": {
+            if (!args.name) {
+                console.error("FAIL: --name required");
+                return 2;
+            }
+            if (!args.url) {
+                console.error("FAIL: --url required");
+                return 2;
+            }
+            if (!args.format) {
+                console.error("FAIL: --format required");
+                return 2;
+            }
+            if (!args.triggers || args.triggers.length === 0) {
+                console.error("FAIL: --triggers required (comma-separated event names)");
+                return 2;
+            }
+            const headers = {};
+            if (args.routingKey)
+                headers.routing_key = args.routingKey;
+            addOutgoing({
+                name: args.name,
+                url: args.url,
+                format: args.format,
+                triggers: args.triggers,
+                headers: Object.keys(headers).length ? headers : undefined,
+            });
+            console.log(`✓ added outgoing hook "${args.name}" (${args.format}) → ${args.triggers.join(", ")}`);
+            return 0;
+        }
+        case "remove": {
+            if (!args.name) {
+                console.error("FAIL: --name required");
+                return 2;
+            }
+            const removed = removeHook(args.name);
+            if (removed) {
+                console.log(`✓ removed hook "${args.name}"`);
+                return 0;
+            }
+            console.error(`hook not found: ${args.name}`);
+            return 1;
+        }
+        case "test": {
+            if (!args.name) {
+                console.error("FAIL: --name required");
+                return 2;
+            }
+            const cfg = loadConfig();
+            const hook = cfg.outgoing.find(h => h.name === args.name);
+            if (!hook) {
+                console.error(`outgoing hook not found: ${args.name}`);
+                return 1;
+            }
+            const result = dispatch({
+                name: hook.triggers[0] ?? "test.event",
+                level: "info",
+                title: "great-cto webhook test",
+                body: "If you see this, your webhook is correctly configured.",
+                meta: { test: true, timestamp: new Date().toISOString() },
+            });
+            console.log(`✓ test event dispatched to ${result.fired} hook(s)`);
+            console.log(`  (delivery is async — check destination shortly; check ~/.great_cto/webhook-dlq.log if it doesn't arrive)`);
+            // Give the in-flight request a moment before exit
+            await new Promise(r => setTimeout(r, 500));
+            return 0;
+        }
+    }
+    console.error(`unknown action: ${args.action}`);
+    return 2;
+}
+export function parseWebhookArgs(rawArgv) {
+    const idx = rawArgv.indexOf("webhook");
+    if (idx === -1)
+        return null;
+    const action = rawArgv[idx + 1];
+    if (!["list", "add-incoming", "add-outgoing", "remove", "test"].includes(action)) {
+        return null;
+    }
+    const flag = (n) => {
+        const i = rawArgv.indexOf(`--${n}`);
+        return i >= 0 && i < rawArgv.length - 1 ? rawArgv[i + 1] : undefined;
+    };
+    // First positional after action = name
+    let name;
+    for (let i = idx + 2; i < rawArgv.length; i++) {
+        const a = rawArgv[i];
+        if (!a.startsWith("--")) {
+            name = a;
+            break;
+        }
+    }
+    return {
+        action,
+        name,
+        secret: flag("secret"),
+        url: flag("url"),
+        format: flag("format"),
+        triggers: flag("triggers")?.split(",").map(s => s.trim()).filter(Boolean),
+        events: flag("events")?.split(",").map(s => s.trim()).filter(Boolean),
+        routingKey: flag("routing-key"),
+    };
+}

package/dist/webhook-config.js

@@ -0,0 +1,65 @@
+// Webhook configuration store — persisted to ~/.great_cto/webhooks.json.
+// Used by `serve` (incoming) and the dispatcher (outgoing).
+//
+// Schema:
+//   {
+//     "incoming": [
+//       { "name": "github", "secret": "<hmac-secret>", "events": ["pull_request"] }
+//     ],
+//     "outgoing": [
+//       { "name": "ops-slack", "url": "https://hooks.slack.com/services/...",
+//         "format": "slack", "triggers": ["gate.approved", "incident.p0"] }
+//     ]
+//   }
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+const CONFIG_PATH = join(homedir(), ".great_cto", "webhooks.json");
+const DEFAULT_CONFIG = { incoming: [], outgoing: [] };
+export function getConfigPath() {
+    return CONFIG_PATH;
+}
+export function loadConfig() {
+    if (!existsSync(CONFIG_PATH))
+        return { ...DEFAULT_CONFIG };
+    try {
+        const raw = readFileSync(CONFIG_PATH, "utf8");
+        const parsed = JSON.parse(raw);
+        return {
+            incoming: parsed.incoming ?? [],
+            outgoing: parsed.outgoing ?? [],
+        };
+    }
+    catch {
+        return { ...DEFAULT_CONFIG };
+    }
+}
+export function saveConfig(cfg) {
+    const dir = dirname(CONFIG_PATH);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+}
+export function addIncoming(hook) {
+    const cfg = loadConfig();
+    cfg.incoming = cfg.incoming.filter(h => h.name !== hook.name);
+    cfg.incoming.push({ enabled: true, ...hook });
+    saveConfig(cfg);
+}
+export function addOutgoing(hook) {
+    const cfg = loadConfig();
+    cfg.outgoing = cfg.outgoing.filter(h => h.name !== hook.name);
+    cfg.outgoing.push({ enabled: true, ...hook });
+    saveConfig(cfg);
+}
+export function removeHook(name) {
+    const cfg = loadConfig();
+    const before = cfg.incoming.length + cfg.outgoing.length;
+    cfg.incoming = cfg.incoming.filter(h => h.name !== name);
+    cfg.outgoing = cfg.outgoing.filter(h => h.name !== name);
+    saveConfig(cfg);
+    return cfg.incoming.length + cfg.outgoing.length < before;
+}
+export function getIncoming(name) {
+    return loadConfig().incoming.find(h => h.name === name) ?? null;
+}

package/dist/webhook-dispatch.js

@@ -0,0 +1,132 @@
+// Webhook dispatcher — outbound notifications with retry + DLQ.
+//
+// Reliability model:
+//   - In-memory retry queue with exponential backoff (1s, 4s, 16s, 64s)
+//   - Max 4 attempts per delivery
+//   - On final failure: append to dead-letter log (~/.great_cto/webhook-dlq.log)
+//   - Dispatcher is fire-and-forget for the caller — we never block the
+//     incoming-webhook handler on outbound success
+//
+// Format adapters:
+//   - slack: posts as Slack incoming-webhook JSON ({text, blocks?})
+//   - discord: Discord webhook JSON ({content, embeds?})
+//   - pagerduty: Events API v2 ({routing_key, event_action, payload})
+//   - generic: arbitrary JSON POST
+import { appendFileSync, existsSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import { loadConfig } from "./webhook-config.js";
+const DLQ_PATH = join(homedir(), ".great_cto", "webhook-dlq.log");
+const RETRY_DELAYS_MS = [1_000, 4_000, 16_000, 64_000]; // 4 attempts total
+// ── Format adapters ────────────────────────────────────────────────────────
+function formatSlack(ev) {
+    const emoji = ev.level === "critical" ? ":rotating_light:"
+        : ev.level === "error" ? ":x:"
+            : ev.level === "warning" ? ":warning:"
+                : ":information_source:";
+    return {
+        text: `${emoji} *${ev.title}*`,
+        attachments: ev.body ? [{ text: ev.body, color: ev.level === "critical" ? "danger" : "good" }] : undefined,
+    };
+}
+function formatDiscord(ev) {
+    const color = ev.level === "critical" ? 0xff0000
+        : ev.level === "error" ? 0xff6600
+            : ev.level === "warning" ? 0xffcc00
+                : 0x00aa66;
+    return {
+        content: ev.title,
+        embeds: ev.body ? [{ description: ev.body, color }] : undefined,
+    };
+}
+function formatPagerDuty(ev, routingKey) {
+    // PagerDuty Events API v2
+    const severity = ev.level === "critical" ? "critical"
+        : ev.level === "error" ? "error"
+            : ev.level === "warning" ? "warning"
+                : "info";
+    return {
+        routing_key: routingKey,
+        event_action: "trigger",
+        payload: {
+            summary: ev.title,
+            source: "great-cto",
+            severity,
+            custom_details: ev.body ? { details: ev.body, ...(ev.meta ?? {}) } : ev.meta,
+        },
+    };
+}
+function buildPayload(hook, ev) {
+    switch (hook.format) {
+        case "slack": return formatSlack(ev);
+        case "discord": return formatDiscord(ev);
+        case "pagerduty": {
+            // PagerDuty uses routing_key from headers config: headers.routing_key
+            const key = hook.headers?.routing_key ?? "";
+            return formatPagerDuty(ev, key);
+        }
+        case "generic":
+        default: return { event: ev.name, ...ev };
+    }
+}
+// ── Retry / DLQ ────────────────────────────────────────────────────────────
+async function deliver(hook, ev, attempt = 0) {
+    try {
+        const body = JSON.stringify(buildPayload(hook, ev));
+        const headers = {
+            "Content-Type": "application/json",
+            ...hook.headers,
+        };
+        // Don't leak routing_key as HTTP header — PagerDuty wants it in body
+        delete headers.routing_key;
+        const res = await fetch(hook.url, { method: "POST", headers, body });
+        if (!res.ok) {
+            throw new Error(`HTTP ${res.status} ${res.statusText}`);
+        }
+    }
+    catch (err) {
+        const next = attempt + 1;
+        if (next < RETRY_DELAYS_MS.length) {
+            setTimeout(() => { void deliver(hook, ev, next); }, RETRY_DELAYS_MS[next]);
+            return;
+        }
+        // Final failure — write to DLQ
+        writeToDlq(hook, ev, err);
+    }
+}
+function writeToDlq(hook, ev, err) {
+    try {
+        const dir = dirname(DLQ_PATH);
+        if (!existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        const entry = {
+            ts: new Date().toISOString(),
+            hook: hook.name,
+            url: hook.url,
+            event: ev,
+            error: err.message,
+        };
+        appendFileSync(DLQ_PATH, JSON.stringify(entry) + "\n");
+        process.stderr.write(`webhook-dispatch: ${hook.name} dead-lettered: ${err.message}\n`);
+    }
+    catch {
+        /* even DLQ failed — no recovery */
+    }
+}
+// ── Public API ─────────────────────────────────────────────────────────────
+/**
+ * Fire-and-forget dispatch to all outbound webhooks whose triggers include
+ * the event's name. The caller does not await delivery — we run all
+ * dispatchers in parallel with their own retry queues.
+ */
+export function dispatch(ev) {
+    const cfg = loadConfig();
+    const targets = cfg.outgoing.filter(h => (h.enabled !== false) && h.triggers.includes(ev.name));
+    for (const hook of targets) {
+        void deliver(hook, ev, 0);
+    }
+    return { fired: targets.length };
+}
+export function getDlqPath() {
+    return DLQ_PATH;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.4.0",
+  "version": "2.5.1",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",