npm - @hiveai/cli - Versions diffs - 0.24.0 → 0.26.0 - Mend

@hiveai/cli 0.24.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -2253,6 +2253,7 @@ import path11 from "path";
 import {
   buildFrontmatter,
   loadMemoriesFromDir as loadMemoriesFromDir5,
+  meetsSeedQualityFloor,
   memoryFilePath,
   serializeMemory as serializeMemory2,
   STACK_PACK_TAG
@@ -2293,7 +2294,12 @@ app.useGlobalPipes(new ValidationPipe({ whitelist: true, forbidNonWhitelisted: t
       body: `Controllers must never import Prisma/TypeORM directly \u2014 that belongs in Services.
 Controller \u2192 Service \u2192 Repository (or direct ORM) is the required layering.
-Direct ORM usage in controllers makes testing impossible and couples transport to persistence.`
+Direct ORM usage in controllers makes testing impossible and couples transport to persistence.`,
+      sensor: {
+        pattern: "@prisma/client|PrismaClient|getRepository\\(|createQueryBuilder\\(",
+        paths: ["**/*.controller.ts"],
+        message: "ORM/Prisma used directly in a controller \u2014 move persistence into a Service (Controller \u2192 Service \u2192 Repository)."
+      }
     },
     {
       slug: "nestjs-exception-filter-for-prisma",
@@ -2478,7 +2484,11 @@ Routes without schema accept any body and bypass Fastify's fast-json-stringify s
 Calling $disconnect() after each request wastes the warm connection pool.
 Create one PrismaClient per process (module-level singleton), not per request.
-Disconnecting is only needed when the process is shutting down.`
+Disconnecting is only needed when the process is shutting down.`,
+      sensor: {
+        pattern: "\\$disconnect\\(\\)",
+        message: "prisma.$disconnect() per request drains the warm connection pool in serverless \u2014 use a module-level PrismaClient singleton and only disconnect on shutdown."
+      }
     },
     {
       slug: "prisma-migrations-never-modify",
@@ -2534,7 +2544,11 @@ const store = useStore();
 const count = useStore((s) => s.count);
 \`\`\`
-Subscribing to the whole store is the single most common Zustand performance mistake.`
+Subscribing to the whole store is the single most common Zustand performance mistake.`,
+      sensor: {
+        pattern: "use[A-Z]\\w*Store\\(\\s*\\)",
+        message: "A Zustand store hook called with no selector subscribes to the WHOLE store (re-renders on any change) \u2014 pass a slice selector: useStore(s => s.field)."
+      }
     },
     {
       slug: "zustand-devtools-wrap-dev-only",
@@ -2755,7 +2769,8 @@ const users = await User.find({});
 const users = await User.find({}).lean();
 \`\`\`
-Never use .lean() when you need to call .save() or Mongoose instance methods.`
+\`.lean()\` skips hydration into a Mongoose \`Document\`, so getters, virtuals, \`toObject()\` and
+instance methods are gone. Never use \`.lean()\` when you then call \`.save()\` or instance methods.`
     },
     {
       slug: "mongoose-index-frequently-queried-fields",
@@ -2974,7 +2989,11 @@ A committed key lets anyone forge sessions and CSRF tokens.`
 db.execute(f"SELECT * FROM users WHERE id = {uid}")
 # \u2705
 db.execute("SELECT * FROM users WHERE id = %s", (uid,))
-\`\`\``
+\`\`\``,
+      sensor: {
+        pattern: `execute\\(\\s*f["']`,
+        message: 'SQL built with an f-string inside execute() \u2014 SQL injection risk; use a parameterized query: execute("\u2026 %s \u2026", (params,)).'
+      }
     }
   ],
   vue: [
@@ -3342,6 +3361,7 @@ async function seedStackPack(haivePaths, stack) {
   let memCount = 0;
   let sensorCount = 0;
   for (const mem of memories) {
+    if (!meetsSeedQualityFloor(mem.body, Boolean(mem.sensor))) continue;
     const sensor = mem.sensor ? {
       kind: "regex",
       pattern: mem.sensor.pattern,
@@ -3390,7 +3410,7 @@ ${SEED_FOOTER(stack)}` });
 // src/commands/init.ts
 var execFileAsync = promisify2(execFile2);
-var HAIVE_GITHUB_ACTION_REF = `v${"0.24.0"}`;
+var HAIVE_GITHUB_ACTION_REF = `v${"0.26.0"}`;
 var PROJECT_CONTEXT_TEMPLATE = `# Project context
 > Generated by \`haive init\`. Run \`haive init --bootstrap\` to auto-fill from your codebase,
@@ -5829,6 +5849,7 @@ var IngestFindingsInputSchema = {
   scope: z16.enum(["personal", "team", "module"]).default("team").describe("Visibility scope for the created memories"),
   module: z16.string().optional().describe("Module name (required when scope=module)"),
   min_severity: z16.enum(["info", "minor", "major", "critical", "blocker"]).optional().describe("Ignore findings below this severity"),
+  include_stylistic: z16.boolean().optional().describe("Also ingest auto-fixable stylistic rules (semi/quotes/prefer-const\u2026); off by default as low-value noise"),
   limit: z16.number().int().positive().optional().describe("Cap the number of memories created"),
   author: z16.string().optional().describe("Author handle or email"),
   dry_run: z16.boolean().default(false).describe("When true, return the drafts that WOULD be created without writing them")
@@ -5854,6 +5875,7 @@ async function ingestFindings(input, ctx) {
     module: input.module,
     author: input.author,
     ...input.min_severity ? { minSeverity: input.min_severity } : {},
+    ...input.include_stylistic ? { includeStylistic: true } : {},
     ...input.limit ? { limit: input.limit } : {}
   });
   const existing = existsSync16(ctx.paths.memoriesDir) ? await loadMemoriesFromDir13(ctx.paths.memoriesDir) : [];
@@ -8676,7 +8698,7 @@ When done, respond with: "Imported N memories: [list of IDs]" or "Nothing action
   };
 }
 var SERVER_NAME = "haive";
-var SERVER_VERSION = "0.24.0";
+var SERVER_VERSION = "0.26.0";
 function jsonResult(data) {
   return {
     content: [
@@ -14453,7 +14475,7 @@ function registerDoctor(program2) {
         fix: "Edit .ai/haive.config.json: set autoSessionEnd: true (or re-run `haive init` without --manual)."
       });
     }
-    findings.push(...await collectInstallFindings(root, "0.24.0"));
+    findings.push(...await collectInstallFindings(root, "0.26.0"));
     findings.push(...await collectToolchainFindings(root));
     try {
       const legacyRaw = execSync3("haive-mcp --version", {
@@ -14461,7 +14483,7 @@ function registerDoctor(program2) {
         timeout: 3e3,
         stdio: ["ignore", "pipe", "ignore"]
       }).trim();
-      const cliVersion = "0.24.0";
+      const cliVersion = "0.26.0";
       if (legacyRaw && legacyRaw !== cliVersion) {
         findings.push({
           severity: "warn",
@@ -16165,7 +16187,7 @@ async function buildEnforcementReport(dir, stage, sessionId) {
       findings: [{ severity: "info", code: "enforcement-off", message: "hAIve enforcement is disabled." }]
     });
   }
-  findings.push(...await inspectIntegrationVersions(root, "0.24.0"));
+  findings.push(...await inspectIntegrationVersions(root, "0.26.0"));
   if (config.enforcement?.requireBriefingFirst !== false && stage !== "ci") {
     const hasBriefing = await hasRecentBriefingMarker2(paths, sessionId);
     findings.push(hasBriefing ? { severity: "ok", code: "briefing-loaded", message: "A recent hAIve briefing marker exists." } : {
@@ -17534,7 +17556,7 @@ var SEVERITIES = ["info", "minor", "major", "critical", "blocker"];
 function registerIngest(program2) {
   program2.command("ingest").description(
     "Ingest scanner findings (SonarQube / SARIF) as proposed, anchored memories with sensors.\n\n  Closes the review\u2194memory loop: a real defect a scanner found becomes a `gotcha`/`convention`\n  memory anchored to the file, pre-filled with a conservative `warn` sensor, so the next agent\n  is steered away from it. Drafts are status=proposed; a human validates/promotes them.\n\n  `sonar-api` fetches issues live over plain HTTPS from any SonarQube/SonarCloud instance \u2014\n  no MCP or special setup required, just a URL + token you provide (or SONAR_HOST_URL /\n  SONAR_TOKEN env). If you don't use it, file-based ingest works exactly the same.\n\n  Example:\n    haive ingest --from eslint eslint-report.json --min-severity major\n    haive ingest --from npm-audit audit.json --scope team\n    haive ingest --from sarif report.sarif --dry-run\n    haive ingest --from sonar sonar-issues.json --scope team --min-severity major\n    haive ingest --from sonar-api --sonar-component my_project --min-severity major\n\n  Generate the input reports:\n    eslint -f json -o eslint-report.json .      # --from eslint\n    npm audit --json > audit.json               # --from npm-audit\n"
-  ).argument("[file]", "path to the findings report JSON (required for --from sarif|sonar|eslint|npm-audit)").requiredOption("--from <format>", "report format: sarif | sonar | sonar-api | eslint | npm-audit").option("--dry-run", "show what would be created without writing", false).option("--scope <scope>", "memory scope: personal | team | module", "team").option("--module <name>", "module name (required when scope=module)").option("--type <type>", "memory type: gotcha | convention", "gotcha").option("--min-severity <severity>", "ignore findings below this severity (info|minor|major|critical|blocker)").option("--limit <n>", "cap the number of memories created").option("--author <author>", "author email or handle").option("--json", "emit JSON", false).option("--sonar-url <url>", "SonarQube base URL for --from sonar-api (or env SONAR_HOST_URL)").option("--sonar-token <token>", "SonarQube token for --from sonar-api (or env SONAR_TOKEN)").option("--sonar-component <key>", "SonarQube project/component key for --from sonar-api").option("--sonar-branch <branch>", "optional SonarQube branch for --from sonar-api").option("-d, --dir <dir>", "project root").action(async (file, opts) => {
+  ).argument("[file]", "path to the findings report JSON (required for --from sarif|sonar|eslint|npm-audit)").requiredOption("--from <format>", "report format: sarif | sonar | sonar-api | eslint | npm-audit").option("--dry-run", "show what would be created without writing", false).option("--scope <scope>", "memory scope: personal | team | module", "team").option("--module <name>", "module name (required when scope=module)").option("--type <type>", "memory type: gotcha | convention", "gotcha").option("--min-severity <severity>", "ignore findings below this severity (info|minor|major|critical|blocker)").option("--include-stylistic", "also ingest auto-fixable stylistic rules (semi/quotes/prefer-const\u2026); off by default as low-value noise", false).option("--limit <n>", "cap the number of memories created").option("--author <author>", "author email or handle").option("--json", "emit JSON", false).option("--sonar-url <url>", "SonarQube base URL for --from sonar-api (or env SONAR_HOST_URL)").option("--sonar-token <token>", "SonarQube token for --from sonar-api (or env SONAR_TOKEN)").option("--sonar-component <key>", "SonarQube project/component key for --from sonar-api").option("--sonar-branch <branch>", "optional SonarQube branch for --from sonar-api").option("-d, --dir <dir>", "project root").action(async (file, opts) => {
     const format = opts.from;
     const VALID_FORMATS = ["sarif", "sonar", "sonar-api", "eslint", "npm-audit"];
     if (!format || !VALID_FORMATS.includes(format)) {
@@ -17590,14 +17612,17 @@ function registerIngest(program2) {
       }
     }
     let drafts;
+    let findingsCount = 0;
     try {
       const findings = parseFindings2(parseFormat, raw, { cwd: root });
+      findingsCount = findings.length;
       drafts = draftsFromFindings2(findings, {
         type: opts.type ?? "gotcha",
         scope: opts.scope ?? "team",
         module: opts.module,
         author: opts.author,
         ...opts.minSeverity ? { minSeverity: opts.minSeverity } : {},
+        ...opts.includeStylistic ? { includeStylistic: true } : {},
         ...opts.limit ? { limit: Math.max(0, Number.parseInt(opts.limit, 10) || 0) } : {}
       });
     } catch (err) {
@@ -17620,7 +17645,9 @@ function registerIngest(program2) {
         JSON.stringify(
           {
             format,
+            findings: findingsCount,
             parsed: drafts.length,
+            filtered_low_value: Math.max(0, findingsCount - drafts.length),
             new: fresh.length,
             skipped_existing: skipped,
             dry_run: Boolean(opts.dryRun),
@@ -17639,9 +17666,10 @@ function registerIngest(program2) {
       );
       return;
     }
+    const filteredLowValue = Math.max(0, findingsCount - drafts.length);
     console.log(
       ui.bold(
-        `hAIve ingest (${format}) \u2014 ${drafts.length} finding(s), ${fresh.length} new` + (skipped > 0 ? `, ${skipped} already ingested` : "")
+        `hAIve ingest (${format}) \u2014 ${findingsCount} finding(s), ${fresh.length} new` + (filteredLowValue > 0 ? `, ${filteredLowValue} low-value/stylistic filtered` : "") + (skipped > 0 ? `, ${skipped} already ingested` : "")
       )
     );
     if (fresh.length === 0) {
@@ -18324,7 +18352,7 @@ function registerBridges(program2) {
 // src/index.ts
 var program = new Command64();
-program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.24.0").option("--advanced", "show maintenance and experimental commands in help");
+program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.26.0").option("--advanced", "show maintenance and experimental commands in help");
 registerInit(program);
 registerWelcome(program);
 registerResolveProject(program);