@hiveai/cli 0.12.9 → 0.13.1

package/dist/index.js

@@ -2789,6 +2789,111 @@ Use \`select_related\` (FK / one-to-one, SQL JOIN) and \`prefetch_related\` (M2M
 \`\`\`py
 for order in Order.objects.select_related("customer").all():
     order.customer.name  # no extra query
+\`\`\``
+    }
+  ],
+  flask: [
+    {
+      slug: "flask-no-debug-in-prod",
+      type: "gotcha",
+      tags: ["flask", "python", "security", "deployment"],
+      body: `\`app.run(debug=True)\` enables the Werkzeug debugger \u2014 remote code execution if exposed.
+
+Never ship debug mode. Run behind a real WSGI server (gunicorn/uwsgi) in production and
+drive debug from the environment for local dev only.`,
+      sensor: {
+        pattern: "app\\.run\\([^)]*debug\\s*=\\s*True",
+        message: "Flask debug=True exposes the Werkzeug console (RCE) \u2014 never run it in production."
+      }
+    },
+    {
+      slug: "flask-secret-key-from-env",
+      type: "convention",
+      tags: ["flask", "python", "security"],
+      body: `Load \`SECRET_KEY\` from the environment \u2014 never commit a literal.
+
+\`\`\`py
+app.config["SECRET_KEY"] = os.environ["SECRET_KEY"]
+\`\`\`
+A committed key lets anyone forge sessions and CSRF tokens.`
+    },
+    {
+      slug: "flask-no-sql-string-interpolation",
+      type: "gotcha",
+      tags: ["flask", "python", "security", "sql-injection"],
+      body: `Never build SQL with f-strings/%-formatting \u2014 use parameterized queries.
+
+\`\`\`py
+# \u274C SQL injection
+db.execute(f"SELECT * FROM users WHERE id = {uid}")
+# \u2705
+db.execute("SELECT * FROM users WHERE id = %s", (uid,))
+\`\`\``
+    }
+  ],
+  vue: [
+    {
+      slug: "vue-v-html-xss",
+      type: "gotcha",
+      tags: ["vue", "security", "xss"],
+      body: `\`v-html\` renders raw HTML and bypasses Vue's escaping \u2014 an XSS sink for user content.
+
+Only use it on trusted/sanitized content. Prefer text interpolation ({{ }}) or sanitize
+with DOMPurify before binding.`,
+      sensor: {
+        pattern: "v-html",
+        message: "v-html renders unescaped HTML (XSS risk) \u2014 sanitize the value or use text interpolation."
+      }
+    },
+    {
+      slug: "vue-key-in-v-for",
+      type: "convention",
+      tags: ["vue", "performance"],
+      body: `Always bind a stable \`:key\` on \`v-for\` \u2014 and never the loop index.
+
+Index keys corrupt component state on reorder/insert, exactly like React. Use a stable id.`
+    },
+    {
+      slug: "vue-props-are-readonly",
+      type: "gotcha",
+      tags: ["vue", "reactivity"],
+      body: `Never mutate a prop inside a child component \u2014 props are one-way (parent \u2192 child).
+
+Mutating a prop breaks the data flow and warns in dev. Emit an event (\`update:modelValue\`)
+or copy the prop into local state, depending on intent.`
+    }
+  ],
+  spring: [
+    {
+      slug: "spring-constructor-injection",
+      type: "convention",
+      tags: ["spring", "java", "di", "testing"],
+      body: `Prefer constructor injection over \`@Autowired\` field injection.
+
+Constructor injection makes dependencies explicit, allows \`final\` fields, and lets you
+instantiate the class in tests without a Spring context. Field injection hides dependencies
+and forces reflection-based test setup.`
+    },
+    {
+      slug: "spring-no-cors-wildcard",
+      type: "gotcha",
+      tags: ["spring", "java", "security", "cors"],
+      body: `\`@CrossOrigin(origins = "*")\` (or wildcard CORS config) allows any site to call your API.
+
+Combined with credentials it leaks authenticated data cross-origin. Whitelist explicit origins.`,
+      sensor: {
+        pattern: "@CrossOrigin\\([^)]*\\*",
+        message: 'Wildcard CORS (@CrossOrigin origins="*") lets any site call your API \u2014 whitelist explicit origins.'
+      }
+    },
+    {
+      slug: "spring-no-field-secrets",
+      type: "convention",
+      tags: ["spring", "java", "security", "config"],
+      body: `Keep secrets in externalized config (env / vault / application.yml placeholders), not in source.
+
+\`\`\`java
+@Value("\${app.api-key}") private String apiKey; // resolved from env, not hardcoded
 \`\`\``
     }
   ],
@@ -2907,7 +3012,7 @@ ${SEED_FOOTER(stack)}` });
 }
 
 // src/commands/init.ts
-var HAIVE_GITHUB_ACTION_REF = `v${"0.12.9"}`;
+var HAIVE_GITHUB_ACTION_REF = `v${"0.13.1"}`;
 var PROJECT_CONTEXT_TEMPLATE = `# Project context
 
 > Generated by \`haive init\`. Run \`haive init --bootstrap\` to auto-fill from your codebase,
@@ -3071,6 +3176,27 @@ jobs:
           # post-if-empty: 'true'   # uncomment to always post (even when no memories found)
           # max-memories: '5'       # limit memories per file in the comment
 
+  # On pull request: fail if the harness quality score regressed vs the committed baseline.
+  # Measures whether the right memories still surface and the right sensors still fire.
+  # No-op (passes) when no .ai/eval/baseline.json exists \u2014 safe to keep enabled before you
+  # ever create one. To turn the gate on: run \`haive eval --baseline\` locally and commit
+  # .ai/eval/baseline.json. Needs nothing external \u2014 no secrets, no services.
+  pr-eval-gate:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: install haive
+        run: npm install -g @hiveai/cli
+
+      - name: harness quality regression gate
+        run: haive eval --regression-gate
+
   # On push to main: push shared memories to the hub (if hubPath is configured)
   # Uncomment and configure hubPath in .ai/haive.config.json to enable.
   # hub-push:
@@ -7786,7 +7912,7 @@ When done, respond with: "Imported N memories: [list of IDs]" or "Nothing action
   };
 }
 var SERVER_NAME = "haive";
-var SERVER_VERSION = "0.12.9";
+var SERVER_VERSION = "0.13.1";
 function jsonResult(data) {
   return {
     content: [
@@ -12546,7 +12672,7 @@ import {
 function registerEval(program2) {
   program2.command("eval").description(
     "Rigorous, repeatable quality eval: do the right memories surface (retrieval) and do the right sensors fire (catch-rate)? Emits a chiffr\xE9 0\u2013100 score. Uses .ai/eval cases via --spec, or auto-synthesizes cases from anchored memories."
-  ).option("--spec <file>", "JSON eval spec ({ retrieval: [...], sensors: [...] })").option("--semantic-only", "self-eval probes by title alone (no anchor files) \u2014 harder retrieval", false).option("-k, --top <n>", "briefing top-k considered a hit", "8").option("--json", "emit JSON", false).option("--out <file>", "write a Markdown report").option("--fail-under <score>", "exit non-zero if the overall score is below this (0\u2013100) \u2014 for CI gates").option("--baseline", "save this run as the baseline (.ai/eval/baseline.json) for future --compare", false).option("--compare", "diff this run against the saved baseline and print the delta", false).option("--baseline-file <path>", "baseline file to read/write (default: .ai/eval/baseline.json)").option("--fail-on-regression", "with --compare, exit non-zero if the score dropped vs the baseline", false).option("-d, --dir <dir>", "project root").action(async (opts) => {
+  ).option("--spec <file>", "JSON eval spec ({ retrieval: [...], sensors: [...] })").option("--semantic-only", "self-eval probes by title alone (no anchor files) \u2014 harder retrieval", false).option("-k, --top <n>", "briefing top-k considered a hit", "8").option("--json", "emit JSON", false).option("--out <file>", "write a Markdown report").option("--fail-under <score>", "exit non-zero if the overall score is below this (0\u2013100) \u2014 for CI gates").option("--baseline", "save this run as the baseline (.ai/eval/baseline.json) for future --compare", false).option("--compare", "diff this run against the saved baseline and print the delta", false).option("--baseline-file <path>", "baseline file to read/write (default: .ai/eval/baseline.json)").option("--fail-on-regression", "with --compare, exit non-zero if the score dropped vs the baseline", false).option("--regression-gate", "CI-safe gate: compare against the baseline IF one exists (fail on regression), else no-op", false).option("-d, --dir <dir>", "project root").action(async (opts) => {
     const root = findProjectRoot42(opts.dir);
     const paths = resolveHaivePaths38(root);
     if (!existsSync65(paths.memoriesDir)) {
@@ -12594,14 +12720,19 @@ function registerEval(program2) {
       if (!opts.json) ui.success(`Saved baseline (score ${report.score}/100) \u2192 ${path43.relative(root, baselineFile)}`);
     }
     let delta = null;
-    if (opts.compare) {
+    if (opts.compare || opts.regressionGate) {
       if (!existsSync65(baselineFile)) {
-        ui.error(`No baseline at ${path43.relative(root, baselineFile)}. Run \`haive eval --baseline\` first.`);
-        process.exitCode = 1;
-        return;
+        if (opts.regressionGate) {
+          if (!opts.json) ui.info(`No baseline at ${path43.relative(root, baselineFile)} \u2014 regression gate skipped. Run \`haive eval --baseline\` to enable it.`);
+        } else {
+          ui.error(`No baseline at ${path43.relative(root, baselineFile)}. Run \`haive eval --baseline\` first.`);
+          process.exitCode = 1;
+          return;
+        }
+      } else {
+        const snapshot = JSON.parse(await readFile20(baselineFile, "utf8"));
+        delta = compareEvalReports(snapshot.report, report);
       }
-      const snapshot = JSON.parse(await readFile20(baselineFile, "utf8"));
-      delta = compareEvalReports(snapshot.report, report);
     }
     if (opts.json) {
       console.log(JSON.stringify({ root, k, spec_source: resolvedSpec.source, report, ...delta ? { delta } : {} }, null, 2));
@@ -12633,7 +12764,7 @@ function applyExitGates(opts, report, delta) {
       process.exitCode = 1;
     }
   }
-  if (opts.failOnRegression && delta?.regressed) {
+  if ((opts.failOnRegression || opts.regressionGate) && delta?.regressed) {
     ui.error(`eval score regressed ${delta.score.baseline} \u2192 ${delta.score.current} (\u0394 ${delta.score.delta}) vs baseline`);
     process.exitCode = 1;
   }
@@ -13350,7 +13481,7 @@ function registerDoctor(program2) {
         fix: "Edit .ai/haive.config.json: set autoSessionEnd: true (or re-run `haive init` without --manual)."
       });
     }
-    findings.push(...await collectInstallFindings(root, "0.12.9"));
+    findings.push(...await collectInstallFindings(root, "0.13.1"));
     findings.push(...await collectToolchainFindings(root));
     try {
       const legacyRaw = execSync3("haive-mcp --version", {
@@ -13358,7 +13489,7 @@ function registerDoctor(program2) {
         timeout: 3e3,
         stdio: ["ignore", "pipe", "ignore"]
       }).trim();
-      const cliVersion = "0.12.9";
+      const cliVersion = "0.13.1";
       if (legacyRaw && legacyRaw !== cliVersion) {
         findings.push({
           severity: "warn",
@@ -14951,7 +15082,7 @@ async function buildEnforcementReport(dir, stage, sessionId) {
       findings: [{ severity: "info", code: "enforcement-off", message: "hAIve enforcement is disabled." }]
     });
   }
-  findings.push(...await inspectIntegrationVersions(root, "0.12.9"));
+  findings.push(...await inspectIntegrationVersions(root, "0.13.1"));
   if (config.enforcement?.requireBriefingFirst !== false && stage !== "ci") {
     const hasBriefing = await hasRecentBriefingMarker2(paths, sessionId);
     findings.push(hasBriefing ? { severity: "ok", code: "briefing-loaded", message: "A recent hAIve briefing marker exists." } : {
@@ -16077,11 +16208,11 @@ import {
 var SEVERITIES = ["info", "minor", "major", "critical", "blocker"];
 function registerIngest(program2) {
   program2.command("ingest").description(
-    "Ingest scanner findings (SonarQube / SARIF) as proposed, anchored memories with sensors.\n\n  Closes the review\u2194memory loop: a real defect a scanner found becomes a `gotcha`/`convention`\n  memory anchored to the file, pre-filled with a conservative `warn` sensor, so the next agent\n  is steered away from it. Drafts are status=proposed; a human validates/promotes them.\n\n  Example:\n    haive ingest --from sarif eslint.sarif --dry-run\n    haive ingest --from sonar sonar-issues.json --scope team --min-severity major\n"
-  ).argument("<file>", "path to the findings report (JSON)").requiredOption("--from <format>", "report format: sarif | sonar").option("--dry-run", "show what would be created without writing", false).option("--scope <scope>", "memory scope: personal | team | module", "team").option("--module <name>", "module name (required when scope=module)").option("--type <type>", "memory type: gotcha | convention", "gotcha").option("--min-severity <severity>", "ignore findings below this severity (info|minor|major|critical|blocker)").option("--limit <n>", "cap the number of memories created").option("--author <author>", "author email or handle").option("--json", "emit JSON", false).option("-d, --dir <dir>", "project root").action(async (file, opts) => {
+    "Ingest scanner findings (SonarQube / SARIF) as proposed, anchored memories with sensors.\n\n  Closes the review\u2194memory loop: a real defect a scanner found becomes a `gotcha`/`convention`\n  memory anchored to the file, pre-filled with a conservative `warn` sensor, so the next agent\n  is steered away from it. Drafts are status=proposed; a human validates/promotes them.\n\n  `sonar-api` fetches issues live over plain HTTPS from any SonarQube/SonarCloud instance \u2014\n  no MCP or special setup required, just a URL + token you provide (or SONAR_HOST_URL /\n  SONAR_TOKEN env). If you don't use it, file-based ingest works exactly the same.\n\n  Example:\n    haive ingest --from sarif eslint.sarif --dry-run\n    haive ingest --from sonar sonar-issues.json --scope team --min-severity major\n    haive ingest --from sonar-api --sonar-component my_project --min-severity major\n"
+  ).argument("[file]", "path to the findings report JSON (required for --from sarif|sonar)").requiredOption("--from <format>", "report format: sarif | sonar | sonar-api").option("--dry-run", "show what would be created without writing", false).option("--scope <scope>", "memory scope: personal | team | module", "team").option("--module <name>", "module name (required when scope=module)").option("--type <type>", "memory type: gotcha | convention", "gotcha").option("--min-severity <severity>", "ignore findings below this severity (info|minor|major|critical|blocker)").option("--limit <n>", "cap the number of memories created").option("--author <author>", "author email or handle").option("--json", "emit JSON", false).option("--sonar-url <url>", "SonarQube base URL for --from sonar-api (or env SONAR_HOST_URL)").option("--sonar-token <token>", "SonarQube token for --from sonar-api (or env SONAR_TOKEN)").option("--sonar-component <key>", "SonarQube project/component key for --from sonar-api").option("--sonar-branch <branch>", "optional SonarQube branch for --from sonar-api").option("-d, --dir <dir>", "project root").action(async (file, opts) => {
     const format = opts.from;
-    if (format !== "sarif" && format !== "sonar") {
-      ui.error("--from must be sarif or sonar");
+    if (format !== "sarif" && format !== "sonar" && format !== "sonar-api") {
+      ui.error("--from must be sarif, sonar, or sonar-api");
       process.exitCode = 1;
       return;
     }
@@ -16102,23 +16233,39 @@ function registerIngest(program2) {
       process.exitCode = 1;
       return;
     }
-    const reportPath = path54.resolve(root, file);
-    if (!existsSync77(reportPath)) {
-      ui.error(`Report file not found: ${reportPath}`);
-      process.exitCode = 1;
-      return;
-    }
+    const parseFormat = format === "sarif" ? "sarif" : "sonar";
     let raw;
-    try {
-      raw = await readFile25(reportPath, "utf8");
-    } catch (err) {
-      ui.error(`Could not read ${reportPath}: ${err instanceof Error ? err.message : String(err)}`);
-      process.exitCode = 1;
-      return;
+    if (format === "sonar-api") {
+      const fetched = await fetchSonarIssues(opts);
+      if (!fetched.ok) {
+        ui.error(fetched.error);
+        process.exitCode = 1;
+        return;
+      }
+      raw = fetched.json;
+    } else {
+      if (!file) {
+        ui.error(`--from ${format} needs a report file argument, e.g. \`haive ingest --from ${format} report.json\`.`);
+        process.exitCode = 1;
+        return;
+      }
+      const reportPath = path54.resolve(root, file);
+      if (!existsSync77(reportPath)) {
+        ui.error(`Report file not found: ${reportPath}`);
+        process.exitCode = 1;
+        return;
+      }
+      try {
+        raw = await readFile25(reportPath, "utf8");
+      } catch (err) {
+        ui.error(`Could not read ${reportPath}: ${err instanceof Error ? err.message : String(err)}`);
+        process.exitCode = 1;
+        return;
+      }
     }
     let drafts;
     try {
-      const findings = parseFindings2(format, raw);
+      const findings = parseFindings2(parseFormat, raw);
       drafts = draftsFromFindings2(findings, {
         type: opts.type ?? "gotcha",
         scope: opts.scope ?? "team",
@@ -16201,6 +16348,42 @@ async function writeDraft2(paths, draft) {
   await writeFile37(file, serializeMemory28({ frontmatter: draft.frontmatter, body: draft.body }), "utf8");
   return file;
 }
+async function fetchSonarIssues(opts) {
+  const baseUrl = (opts.sonarUrl ?? process.env.SONAR_HOST_URL ?? "").trim().replace(/\/+$/, "");
+  const token = (opts.sonarToken ?? process.env.SONAR_TOKEN ?? "").trim();
+  const component = (opts.sonarComponent ?? "").trim();
+  if (!baseUrl) {
+    return { ok: false, error: "--from sonar-api needs --sonar-url (or env SONAR_HOST_URL)." };
+  }
+  if (!token) {
+    return { ok: false, error: "--from sonar-api needs --sonar-token (or env SONAR_TOKEN)." };
+  }
+  if (!component) {
+    return { ok: false, error: "--from sonar-api needs --sonar-component <projectKey>." };
+  }
+  if (typeof fetch !== "function") {
+    return { ok: false, error: "global fetch is unavailable \u2014 Node 18+ is required for --from sonar-api." };
+  }
+  const params = new URLSearchParams({ componentKeys: component, resolved: "false", ps: "500" });
+  if (opts.sonarBranch) params.set("branch", opts.sonarBranch);
+  const url = `${baseUrl}/api/issues/search?${params.toString()}`;
+  try {
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${token}`, Accept: "application/json" }
+    });
+    if (!res.ok) {
+      const hint = res.status === 401 || res.status === 403 ? " (check the token and its permissions)" : "";
+      return { ok: false, error: `SonarQube API returned ${res.status} ${res.statusText}${hint}.` };
+    }
+    const json = await res.text();
+    return { ok: true, json };
+  } catch (err) {
+    return {
+      ok: false,
+      error: `Could not reach SonarQube at ${baseUrl}: ${err instanceof Error ? err.message : String(err)}. File-based ingest (--from sonar) still works.`
+    };
+  }
+}
 
 // src/commands/dashboard.ts
 import { existsSync as existsSync78 } from "fs";
@@ -16305,7 +16488,7 @@ function warnNum(n) {
 
 // src/index.ts
 var program = new Command58();
-program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.12.9").option("--advanced", "show maintenance and experimental commands in help");
+program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.13.1").option("--advanced", "show maintenance and experimental commands in help");
 registerInit(program);
 registerWelcome(program);
 registerResolveProject(program);