great-cto 2.8.6 → 2.9.2

package/dist/adapt.js

@@ -77,6 +77,44 @@ Configure Claude Code to launch:
 npx great-cto mcp
 \`\`\`
 
+## Subagent routing (do not default to general-purpose)
+
+When dispatching the **Agent** tool, pick the right \`subagent_type\` based on
+what's being changed. \`general-purpose\` is a fallback, **not** the default —
+using it for pattern-matched work silently skips specialist review.
+
+| Trigger (file pattern OR topic in prompt) | Use \`subagent_type:\` |
+|---|---|
+| \`migrations/\`, \`schema.sql\`, ORM migration files | \`db-migration-reviewer\` |
+| \`auth/\`, OAuth/SAML/JWT, login flow, password reset | \`security-officer\` |
+| Payment endpoints, \`stripe.\`, webhooks, refund flow | \`pci-reviewer\` |
+| Prompts in \`prompts/\`, RAG, tool definitions, LLM-facing strings | \`ai-security-reviewer\` |
+| Eval suites, golden citation tests, prompt regression | \`ai-eval-engineer\` |
+| Play Store, App Store, iOS/Android release | \`mobile-store-reviewer\` |
+| API contract: OpenAPI, GraphQL schema, webhook signatures | \`api-platform-reviewer\` |
+| Voice/IVR/telephony, Twilio, recording-consent, TCPA | \`voice-ai-reviewer\` |
+| Clinical / SaMD / FDA / FHIR / PHI | \`ai-clinical-reviewer\`, \`fda-reviewer\` |
+| Lending, ECOA, FCRA, NMLS, adverse action | \`lending-credit-reviewer\` |
+| HR-AI, hiring, AEDT, resume screening | \`hr-ai-reviewer\` |
+| Infra-as-code: Terraform / Helm / CDK / Pulumi | \`infra-reviewer\` |
+| Performance regression, hot path, p99 budgets | \`performance-engineer\` |
+| Browser extension manifest, MV3 permissions | \`web-store-reviewer\` |
+| New feature implementation (TDD) | \`senior-dev\` |
+| Architecture decisions, ADRs, scaling questions | \`architect\` |
+| Planning a feature into tasks (Beads), dependency graph | \`pm\` |
+| QA report after impl, coverage + acceptance | \`qa-engineer\` |
+| Deploy / canary / rollback / SLO | \`devops\` |
+| Production incident triage, P0 postmortem | \`l3-support\` |
+| Pattern extraction from session, retro to \`lessons.md\` | \`continuous-learner\` |
+
+Rule of thumb: if a file pattern or topic matches above, use that specialist
+**before** falling back to \`general-purpose\`. Specialist agents catch
+domain-specific bugs (race conditions in migrations, prompt-injection vectors,
+TCPA violations) that a generalist won't flag.
+
+When in doubt, run two agents in parallel: the specialist + general-purpose,
+and reconcile their outputs.
+
 ## Style + conventions
 
 - Tests **before** implementation (RED → GREEN → REFACTOR). Coverage 80%+ default.

package/dist/webhook-dispatch.js

@@ -11,6 +11,7 @@
 //   - slack: posts as Slack incoming-webhook JSON ({text, blocks?})
 //   - discord: Discord webhook JSON ({content, embeds?})
 //   - pagerduty: Events API v2 ({routing_key, event_action, payload})
+//   - resend: HTML email via Resend API ({from, to, subject, html})
 //   - generic: arbitrary JSON POST
 import { appendFileSync, existsSync, mkdirSync } from "node:fs";
 import { homedir } from "node:os";
@@ -39,6 +40,62 @@ function formatDiscord(ev) {
         embeds: ev.body ? [{ description: ev.body, color }] : undefined,
     };
 }
+function emojiForLevel(level) {
+    return level === "critical" ? "🚨"
+        : level === "error" ? "❌"
+            : level === "warning" ? "⏸️"
+                : "ℹ️";
+}
+function escapeHtml(s) {
+    return s.replace(/[&<>"']/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
+}
+/**
+ * Build the Resend API payload — POSTed to https://api.resend.com/emails
+ * with Authorization: Bearer <api_key>.
+ *
+ * Body fields from meta:
+ *   - project, link (CTA URL), action (CTA label)
+ *   - kv: Record<string,string> for the metric table
+ *   - severity (optional override for color)
+ */
+function formatResend(ev, hook) {
+    const accent = ev.level === "critical" ? "#dc2626"
+        : ev.level === "error" ? "#ea580c"
+            : ev.level === "warning" ? "#d97706"
+                : "#00d97e";
+    const emoji = emojiForLevel(ev.level);
+    const meta = (ev.meta ?? {});
+    const project = typeof meta.project === "string" ? meta.project : "great_cto";
+    const link = typeof meta.link === "string" ? meta.link : "";
+    const action = typeof meta.action === "string" ? meta.action : "View in board";
+    const kv = (meta.kv ?? {});
+    const tableRows = Object.entries(kv)
+        .map(([k, v]) => `<tr><td style="padding:6px 12px;color:#6b7280;font-size:12px;font-family:ui-monospace,monospace;text-transform:uppercase;letter-spacing:.05em">${escapeHtml(k)}</td><td style="padding:6px 12px;color:#111827;font-size:14px;font-weight:500">${escapeHtml(v)}</td></tr>`)
+        .join("");
+    const html = `<!doctype html><html><body style="margin:0;background:#f9fafb;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;color:#111827">
+<div style="max-width:560px;margin:32px auto;background:#ffffff;border:1px solid #e5e7eb;border-radius:12px;overflow:hidden">
+  <div style="padding:20px 24px;border-bottom:1px solid #e5e7eb;background:#0a0e0c;color:#ffffff">
+    <div style="font-size:11px;font-family:ui-monospace,monospace;letter-spacing:.1em;color:#9ca3af">${escapeHtml(project.toUpperCase())} · GREATCTO</div>
+    <div style="font-size:20px;font-weight:600;margin-top:6px;color:${accent}">${emoji} ${escapeHtml(ev.title)}</div>
+  </div>
+  ${ev.body ? `<div style="padding:20px 24px;font-size:14px;line-height:1.55;color:#374151">${escapeHtml(ev.body).replace(/\n/g, "<br>")}</div>` : ""}
+  ${tableRows ? `<table style="width:100%;border-top:1px solid #e5e7eb;border-collapse:collapse">${tableRows}</table>` : ""}
+  ${link ? `<div style="padding:24px;text-align:center;border-top:1px solid #e5e7eb">
+    <a href="${escapeHtml(link)}" style="display:inline-block;background:${accent};color:#ffffff;text-decoration:none;padding:10px 22px;border-radius:8px;font-weight:600;font-size:14px">${escapeHtml(action)}</a>
+  </div>` : ""}
+  <div style="padding:14px 24px;background:#f9fafb;font-size:11px;color:#9ca3af;font-family:ui-monospace,monospace">
+    Sent by great_cto · ${escapeHtml(ev.name)} · ${new Date().toISOString()}<br>
+    Unsubscribe: edit ~/.great_cto/webhooks.json or the Notifications tab in the board
+  </div>
+</div></body></html>`;
+    const to = (hook.to ?? "").split(",").map(s => s.trim()).filter(Boolean);
+    return {
+        from: hook.from ?? "GreatCTO <notifications@greatcto.systems>",
+        to,
+        subject: `${emoji} ${ev.title}`,
+        html,
+    };
+}
 function formatPagerDuty(ev, routingKey) {
     // PagerDuty Events API v2
     const severity = ev.level === "critical" ? "critical"
@@ -65,6 +122,7 @@ function buildPayload(hook, ev) {
             const key = hook.headers?.routing_key ?? "";
             return formatPagerDuty(ev, key);
         }
+        case "resend": return formatResend(ev, hook);
         case "generic":
         default: return { event: ev.name, ...ev };
     }
@@ -79,7 +137,18 @@ async function deliver(hook, ev, attempt = 0) {
         };
         // Don't leak routing_key as HTTP header — PagerDuty wants it in body
         delete headers.routing_key;
-        const res = await fetch(hook.url, { method: "POST", headers, body });
+        // Resend: Bearer auth + URL override (config can leave url blank).
+        let url = hook.url;
+        if (hook.format === "resend") {
+            if (!hook.apiKey)
+                throw new Error("resend: apiKey is required");
+            if (!hook.to)
+                throw new Error("resend: 'to' email is required");
+            headers["Authorization"] = `Bearer ${hook.apiKey}`;
+            if (!url)
+                url = "https://api.resend.com/emails";
+        }
+        const res = await fetch(url, { method: "POST", headers, body });
         if (!res.ok) {
             throw new Error(`HTTP ${res.status} ${res.statusText}`);
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "great-cto",
-  "version": "2.8.6",
+  "version": "2.9.2",
   "description": "One command install for the great_cto Claude Code plugin. Auto-detects your stack, picks the right archetype, bootstraps PROJECT.md.",
   "keywords": [
     "claude-code",
@@ -86,4 +86,4 @@
   "engines": {
     "node": ">=18.17.0"
   }
-}
+}

package/dist/telemetry.js

@@ -1,225 +0,0 @@
-// Anonymous opt-IN telemetry — default OFF.
-//
-// See docs/PRIVACY.md for the full policy. Short version:
-//   - Default: disabled (opt-in)
-//   - Honors DO_NOT_TRACK=1 (industry standard, https://consoledonottrack.com)
-//   - Skipped automatically in CI environments
-//   - No paths, no code, no PII — just {ts, version, command, archetype, node, os, exit, duration_ms, anon_id}
-//   - anon_id is sha256(user@hostname) truncated to 8 hex chars; not reversible
-//
-// Opt-in (any one):
-//   GREAT_CTO_TELEMETRY=on               (env var)
-//   ~/.great_cto/telemetry.json: { "enabled": true }
-//   npx great-cto telemetry on
-//
-// Opt-out (overrides everything):
-//   DO_NOT_TRACK=1                       (highest priority)
-//   GREAT_CTO_TELEMETRY=off
-//   GREAT_CTO_DISABLE_TELEMETRY=1        (legacy alias from v2.x)
-//   GREATCTO_NO_TELEMETRY=1              (legacy alias from v2.x)
-//   ~/.great_cto/telemetry.json: { "enabled": false }
-//
-// Endpoint:  https://telemetry.greatcto.systems/v1/event  (Cloudflare Worker → D1)
-// Worker:    workers/telemetry/index.ts
-// Schema v1: see docs/PRIVACY.md "What we collect"
-import * as fs from "node:fs";
-import * as path from "node:path";
-import * as os from "node:os";
-import * as crypto from "node:crypto";
-const TELEMETRY_ENDPOINT = process.env.GREAT_CTO_TELEMETRY_ENDPOINT
-    || "https://great-cto-telemetry.alexander-velikiy.workers.dev/v1/event";
-// Note: workers.dev URL is the temporary default until telemetry.greatcto.systems
-// custom domain is bound. Override anytime with GREAT_CTO_TELEMETRY_ENDPOINT.
-const TELEMETRY_TIMEOUT_MS = 1000;
-// Allowlist — anything else is dropped client-side and server-side.
-const ALLOWED_COMMANDS = new Set([
-    "init", "scan", "ci", "list-rules", "board", "register",
-    "adapt", "mcp", "report", "serve", "webhook",
-    "version", "help", "telemetry",
-]);
-// Allowlist for archetype field. Match the 25 documented + "none" + "unknown".
-const ALLOWED_ARCHETYPES = new Set([
-    "none", "unknown", "greenfield",
-    "enterprise-saas", "agent-product", "ai-system", "mlops",
-    "cli-tool", "cli", "library", "sdk", "devtools",
-    "fintech", "regulated", "compliance",
-    "iot-embedded", "web3", "marketplace", "cms", "edtech",
-    "gov-public", "insurance", "data-platform", "streaming",
-    "mobile-app", "infra", "web-service", "agent",
-]);
-function configPath() {
-    return path.join(os.homedir(), ".great_cto", "telemetry.json");
-}
-function legacyConfigPath() {
-    return path.join(os.homedir(), ".great_cto", "config.json");
-}
-function readConfig() {
-    // Try new file first.
-    try {
-        return JSON.parse(fs.readFileSync(configPath(), "utf8"));
-    }
-    catch { /* fall through */ }
-    // Fall back to legacy config.json (read-only — never write to it).
-    try {
-        const legacy = JSON.parse(fs.readFileSync(legacyConfigPath(), "utf8"));
-        return { enabled: legacy.telemetry, install_id: legacy.install_id };
-    }
-    catch {
-        return {};
-    }
-}
-function writeConfig(cfg) {
-    const file = configPath();
-    fs.mkdirSync(path.dirname(file), { recursive: true });
-    fs.writeFileSync(file, JSON.stringify(cfg, null, 2) + "\n");
-}
-/** Detect CI / automation environments — never send from these. */
-function isCI() {
-    const flags = ["CI", "GITHUB_ACTIONS", "GITLAB_CI", "CIRCLECI", "BUILDKITE",
-        "JENKINS_URL", "TF_BUILD", "DRONE", "TRAVIS", "APPVEYOR",
-        "BITBUCKET_BUILD_NUMBER", "TEAMCITY_VERSION", "CODEBUILD_BUILD_ID"];
-    return flags.some(f => process.env[f] != null && process.env[f] !== "");
-}
-/** Compute anon_id deterministically per machine, never reversible. */
-export function computeAnonId() {
-    const seed = `great_cto/${os.userInfo().username || "?"}/${os.hostname() || "?"}`;
-    return crypto.createHash("sha256").update(seed).digest("hex").slice(0, 8);
-}
-/** Resolve telemetry-enabled state. Pure function, no side effects. */
-export function isTelemetryEnabled(cliFlag = false) {
-    // Opt-out wins, in priority order:
-    if (process.env.DO_NOT_TRACK === "1" || process.env.DO_NOT_TRACK === "true")
-        return false;
-    if (process.env.GREAT_CTO_TELEMETRY === "off")
-        return false;
-    if (process.env.GREAT_CTO_DISABLE_TELEMETRY === "1")
-        return false;
-    if (process.env.GREATCTO_NO_TELEMETRY === "1")
-        return false;
-    if (cliFlag)
-        return false;
-    if (isCI())
-        return false;
-    // Opt-in checks:
-    if (process.env.GREAT_CTO_TELEMETRY === "on")
-        return true;
-    const cfg = readConfig();
-    if (cfg.enabled === true)
-        return true;
-    if (cfg.telemetry === true)
-        return true; // legacy
-    // Default: opt-out.
-    return false;
-}
-function sanitize(opts) {
-    const command = opts.command.toLowerCase();
-    if (!ALLOWED_COMMANDS.has(command))
-        return null;
-    const archetypeRaw = (opts.archetype || "none").toLowerCase().trim();
-    const archetype = ALLOWED_ARCHETYPES.has(archetypeRaw) ? archetypeRaw : "unknown";
-    return {
-        ts: new Date().toISOString(),
-        version: opts.cliVersion,
-        command,
-        archetype,
-        node: process.version.replace(/^v/, ""),
-        os: process.platform,
-        exit_code: typeof opts.exitCode === "number" ? opts.exitCode : 0,
-        duration_ms: typeof opts.durationMs === "number" ? Math.max(0, Math.round(opts.durationMs)) : 0,
-        anon_id: computeAnonId(),
-    };
-}
-/** Fire-and-forget POST. Never blocks. Never throws. Never logs unless DRYRUN. */
-async function send(evt) {
-    if (process.env.GREAT_CTO_TELEMETRY_DRYRUN === "1") {
-        process.stderr.write(`[telemetry] would-send: ${JSON.stringify(evt)}\n`);
-        return;
-    }
-    try {
-        const ctrl = new AbortController();
-        const timer = setTimeout(() => ctrl.abort(), TELEMETRY_TIMEOUT_MS);
-        await fetch(TELEMETRY_ENDPOINT, {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body: JSON.stringify(evt),
-            signal: ctrl.signal,
-        }).catch(() => { });
-        clearTimeout(timer);
-    }
-    catch { /* best-effort */ }
-}
-// --- Public API ------------------------------------------------------------
-/** First-run/install ping. Sent only when enabled. Idempotent across runs. */
-export async function sendInstallPing(opts) {
-    if (!opts.consent)
-        return;
-    if (!isTelemetryEnabled())
-        return;
-    const evt = sanitize({ cliVersion: opts.cliVersion, command: "init", archetype: opts.archetype });
-    if (!evt)
-        return;
-    await send(evt);
-}
-/** Per-command usage ping. Sent only when enabled. Fire-and-forget. */
-export async function sendUsagePing(opts) {
-    if (!isTelemetryEnabled())
-        return;
-    const evt = sanitize({
-        cliVersion: opts.cliVersion,
-        command: opts.subcommand,
-        archetype: opts.archetype,
-        exitCode: opts.exitCode,
-        durationMs: opts.durationMs,
-    });
-    if (!evt)
-        return;
-    await send(evt);
-}
-/**
- * Legacy shim — preserved for backwards compatibility with callers in main.ts
- * that pass `--no-telemetry`. With opt-IN default, consent resolution is
- * trivial: enabled iff isTelemetryEnabled() returns true.
- */
-export function resolveTelemetryConsent(cliFlag) {
-    return isTelemetryEnabled(cliFlag);
-}
-// --- `npx great-cto telemetry <on|off|status|whoami>` subcommand -----------
-export function telemetrySubcommand(arg) {
-    const action = (arg || "status").toLowerCase();
-    switch (action) {
-        case "on": {
-            const cfg = readConfig();
-            cfg.enabled = true;
-            writeConfig(cfg);
-            return { exitCode: 0, output: `✓ telemetry enabled (config: ${configPath()})\n` +
-                    `  Anonymous events go to ${TELEMETRY_ENDPOINT}\n` +
-                    `  See docs/PRIVACY.md for the full data schema.\n` };
-        }
-        case "off": {
-            const cfg = readConfig();
-            cfg.enabled = false;
-            writeConfig(cfg);
-            return { exitCode: 0, output: `✓ telemetry disabled (config: ${configPath()})\n` };
-        }
-        case "status": {
-            const enabled = isTelemetryEnabled();
-            const reason = enabled
-                ? "enabled (sending events to " + TELEMETRY_ENDPOINT + ")"
-                : isCI()
-                    ? "disabled (CI environment detected)"
-                    : process.env.DO_NOT_TRACK === "1"
-                        ? "disabled (DO_NOT_TRACK=1)"
-                        : "disabled (default; run 'great-cto telemetry on' to enable)";
-            return { exitCode: 0, output: `telemetry: ${reason}\n` +
-                    `anon_id  : ${computeAnonId()}\n` +
-                    `endpoint : ${TELEMETRY_ENDPOINT}\n` +
-                    `config   : ${configPath()}\n` };
-        }
-        case "whoami": {
-            return { exitCode: 0, output: computeAnonId() + "\n" };
-        }
-        default: {
-            return { exitCode: 2, output: `usage: great-cto telemetry <on|off|status|whoami>\n` };
-        }
-    }
-}