@nerviq/cli 0.9.2 → 0.9.4

package/src/convert.js

@@ -0,0 +1,336 @@
+/**
+ * Nerviq Convert
+ *
+ * Converts configuration files between AI coding platforms.
+ * Reads the source platform's config and emits equivalent config
+ * for the target platform, preserving intent where possible.
+ *
+ * Supported conversions:
+ *   claude  → codex, cursor, copilot, gemini, windsurf, aider
+ *   codex   → claude, cursor, copilot, gemini, windsurf, aider
+ *   cursor  → claude, codex, copilot, gemini, windsurf, aider
+ *   (any)   → (any)  using canonical model as intermediary
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const COLORS = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[36m',
+};
+
+function c(text, color) {
+  return `${COLORS[color] || ''}${text}${COLORS.reset}`;
+}
+
+// ─── Platform config readers ─────────────────────────────────────────────────
+
+/**
+ * Read the canonical "intent" from a source platform.
+ * Returns a normalized object with: name, description, rules[], mcpServers{}, hooks[]
+ */
+function readSourceConfig(dir, from) {
+  const canonical = {
+    platform: from,
+    name: path.basename(dir),
+    description: null,
+    rules: [],         // Array of { name, content, alwaysOn, glob, description }
+    mcpServers: {},    // { serverName: { command, args, env, url, type } }
+    hooks: [],         // Array of { event, command, matcher }
+    techStack: [],     // Detected languages/frameworks
+    lintCmd: null,
+    testCmd: null,
+    buildCmd: null,
+  };
+
+  if (from === 'claude') {
+    const claudeMd = fs.existsSync(path.join(dir, 'CLAUDE.md'))
+      ? fs.readFileSync(path.join(dir, 'CLAUDE.md'), 'utf8')
+      : null;
+    if (claudeMd) {
+      canonical.description = claudeMd.slice(0, 500);
+      canonical.rules.push({ name: 'CLAUDE.md', content: claudeMd, alwaysOn: true });
+    }
+    // Read .claude/settings.json for MCP
+    const settingsPath = path.join(dir, '.claude', 'settings.json');
+    if (fs.existsSync(settingsPath)) {
+      try {
+        const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+        if (settings.mcpServers) canonical.mcpServers = settings.mcpServers;
+      } catch {}
+    }
+  }
+
+  if (from === 'codex') {
+    const agentsMd = fs.existsSync(path.join(dir, 'AGENTS.md'))
+      ? fs.readFileSync(path.join(dir, 'AGENTS.md'), 'utf8')
+      : null;
+    if (agentsMd) {
+      canonical.description = agentsMd.slice(0, 500);
+      canonical.rules.push({ name: 'AGENTS.md', content: agentsMd, alwaysOn: true });
+    }
+  }
+
+  if (from === 'cursor') {
+    const rulesDir = path.join(dir, '.cursor', 'rules');
+    if (fs.existsSync(rulesDir)) {
+      const files = fs.readdirSync(rulesDir).filter(f => f.endsWith('.mdc'));
+      for (const file of files) {
+        const content = fs.readFileSync(path.join(rulesDir, file), 'utf8');
+        // Parse frontmatter
+        const fmMatch = content.match(/^---\n([\s\S]*?)\n---\n([\s\S]*)$/);
+        let alwaysOn = false;
+        let glob = null;
+        let desc = null;
+        if (fmMatch) {
+          alwaysOn = /alwaysApply\s*:\s*true/i.test(fmMatch[1]);
+          const globMatch = fmMatch[1].match(/globs?\s*:\s*(.+)/i);
+          if (globMatch) glob = globMatch[1].trim();
+          const descMatch = fmMatch[1].match(/description\s*:\s*"?([^"\n]+)"?/i);
+          if (descMatch) desc = descMatch[1].trim();
+        }
+        canonical.rules.push({
+          name: file.replace('.mdc', ''),
+          content,
+          alwaysOn,
+          glob,
+          description: desc,
+        });
+      }
+    }
+    // Cursor MCP
+    const mcpPath = path.join(dir, '.cursor', 'mcp.json');
+    if (fs.existsSync(mcpPath)) {
+      try {
+        const mcp = JSON.parse(fs.readFileSync(mcpPath, 'utf8'));
+        if (mcp.mcpServers) canonical.mcpServers = mcp.mcpServers;
+      } catch {}
+    }
+  }
+
+  if (from === 'gemini') {
+    const geminiMd = fs.existsSync(path.join(dir, 'GEMINI.md'))
+      ? fs.readFileSync(path.join(dir, 'GEMINI.md'), 'utf8')
+      : null;
+    if (geminiMd) {
+      canonical.description = geminiMd.slice(0, 500);
+      canonical.rules.push({ name: 'GEMINI.md', content: geminiMd, alwaysOn: true });
+    }
+  }
+
+  if (from === 'windsurf') {
+    const windsurfRulesDir = path.join(dir, '.windsurf', 'rules');
+    if (fs.existsSync(windsurfRulesDir)) {
+      const files = fs.readdirSync(windsurfRulesDir).filter(f => f.endsWith('.md'));
+      for (const file of files) {
+        const content = fs.readFileSync(path.join(windsurfRulesDir, file), 'utf8');
+        canonical.rules.push({ name: file.replace('.md', ''), content, alwaysOn: true });
+      }
+    }
+  }
+
+  if (from === 'aider') {
+    const aiderConf = fs.existsSync(path.join(dir, '.aider.conf.yml'))
+      ? fs.readFileSync(path.join(dir, '.aider.conf.yml'), 'utf8')
+      : null;
+    if (aiderConf) {
+      canonical.rules.push({ name: '.aider.conf.yml', content: aiderConf, alwaysOn: false });
+      const lintMatch = aiderConf.match(/lint-cmd\s*:\s*(.+)/);
+      if (lintMatch) canonical.lintCmd = lintMatch[1].trim().replace(/^['"]|['"]$/g, '');
+      const testMatch = aiderConf.match(/test-cmd\s*:\s*(.+)/);
+      if (testMatch) canonical.testCmd = testMatch[1].trim().replace(/^['"]|['"]$/g, '');
+    }
+  }
+
+  if (from === 'copilot') {
+    const copilotPath = path.join(dir, '.github', 'copilot-instructions.md');
+    if (fs.existsSync(copilotPath)) {
+      const content = fs.readFileSync(copilotPath, 'utf8');
+      canonical.rules.push({ name: 'copilot-instructions', content, alwaysOn: true });
+    }
+  }
+
+  return canonical;
+}
+
+// ─── Platform config writers ─────────────────────────────────────────────────
+
+function buildTargetOutput(canonical, to, { dryRun = false } = {}) {
+  const outputs = [];  // Array of { path, content }
+  const combinedContent = canonical.rules.map(r => r.content).join('\n\n');
+
+  if (to === 'claude') {
+    // Extract or create CLAUDE.md from combined rules
+    const content = `# ${canonical.name}\n\n${combinedContent}\n`;
+    outputs.push({ file: 'CLAUDE.md', content });
+
+    if (Object.keys(canonical.mcpServers).length > 0) {
+      const settings = { mcpServers: canonical.mcpServers };
+      outputs.push({ file: '.claude/settings.json', content: JSON.stringify(settings, null, 2) + '\n' });
+    }
+  }
+
+  if (to === 'codex') {
+    const content = `# ${canonical.name}\n\n${combinedContent}\n`;
+    outputs.push({ file: 'AGENTS.md', content });
+  }
+
+  if (to === 'cursor') {
+    // Write each rule as an .mdc file
+    if (canonical.rules.length === 0) {
+      const content = `---\nalwaysApply: true\n---\n\n# ${canonical.name}\n\n${combinedContent}\n`;
+      outputs.push({ file: '.cursor/rules/core.mdc', content });
+    } else {
+      for (const rule of canonical.rules) {
+        const fm = rule.alwaysOn
+          ? `---\nalwaysApply: true\n---\n`
+          : rule.glob
+            ? `---\nglobs: ${rule.glob}\nalwaysApply: false\n---\n`
+            : `---\nalwaysApply: false\n---\n`;
+        outputs.push({ file: `.cursor/rules/${rule.name}.mdc`, content: `${fm}\n${rule.content}\n` });
+      }
+    }
+    if (Object.keys(canonical.mcpServers).length > 0) {
+      const mcp = { mcpServers: canonical.mcpServers };
+      outputs.push({ file: '.cursor/mcp.json', content: JSON.stringify(mcp, null, 2) + '\n' });
+    }
+  }
+
+  if (to === 'gemini') {
+    const content = `# ${canonical.name}\n\n${combinedContent}\n`;
+    outputs.push({ file: 'GEMINI.md', content });
+    if (Object.keys(canonical.mcpServers).length > 0) {
+      const settings = { mcpServers: canonical.mcpServers };
+      outputs.push({ file: '.gemini/settings.json', content: JSON.stringify(settings, null, 2) + '\n' });
+    }
+  }
+
+  if (to === 'windsurf') {
+    if (canonical.rules.length === 0) {
+      outputs.push({ file: '.windsurf/rules/core.md', content: `---\ntrigger: always_on\n---\n\n${combinedContent}\n` });
+    } else {
+      for (const rule of canonical.rules) {
+        const fm = `---\ntrigger: always_on\n---\n`;
+        const safeContent = rule.content.replace(/^---[\s\S]*?---\n/m, '').trim();
+        outputs.push({ file: `.windsurf/rules/${rule.name}.md`, content: `${fm}\n${safeContent}\n` });
+      }
+    }
+  }
+
+  if (to === 'aider') {
+    const confLines = ['# Generated by nerviq convert'];
+    if (canonical.lintCmd) confLines.push(`lint-cmd: '${canonical.lintCmd}'`);
+    if (canonical.testCmd) confLines.push(`test-cmd: '${canonical.testCmd}'`);
+    confLines.push('auto-commits: true');
+    confLines.push('auto-lint: true');
+    outputs.push({ file: '.aider.conf.yml', content: confLines.join('\n') + '\n' });
+    if (combinedContent.trim()) {
+      outputs.push({ file: 'CONVENTIONS.md', content: `# ${canonical.name} Conventions\n\n${combinedContent}\n` });
+    }
+  }
+
+  if (to === 'copilot') {
+    const content = `# ${canonical.name}\n\n${combinedContent}\n`;
+    outputs.push({ file: '.github/copilot-instructions.md', content });
+  }
+
+  return outputs;
+}
+
+// ─── Main convert function ────────────────────────────────────────────────────
+
+async function runConvert({ dir = process.cwd(), from, to, dryRun = false, json = false } = {}) {
+  if (!from || !to) {
+    throw new Error('Both --from and --to are required. Example: nerviq convert --from claude --to codex');
+  }
+
+  const SUPPORTED = ['claude', 'codex', 'cursor', 'copilot', 'gemini', 'windsurf', 'aider', 'opencode'];
+  if (!SUPPORTED.includes(from)) throw new Error(`Unsupported source platform '${from}'. Use: ${SUPPORTED.join(', ')}`);
+  if (!SUPPORTED.includes(to)) throw new Error(`Unsupported target platform '${to}'. Use: ${SUPPORTED.join(', ')}`);
+  if (from === to) throw new Error(`Source and target platform are the same: '${from}'`);
+
+  const canonical = readSourceConfig(dir, from);
+  const outputs = buildTargetOutput(canonical, to, { dryRun });
+
+  const written = [];
+  const skipped = [];
+
+  if (!dryRun) {
+    for (const out of outputs) {
+      const outPath = path.join(dir, out.file);
+      const outDir = path.dirname(outPath);
+      if (!fs.existsSync(outPath)) {
+        fs.mkdirSync(outDir, { recursive: true });
+        fs.writeFileSync(outPath, out.content, 'utf8');
+        written.push(out.file);
+      } else {
+        skipped.push(out.file);
+      }
+    }
+  }
+
+  const result = {
+    from,
+    to,
+    dir,
+    dryRun,
+    sourceRulesFound: canonical.rules.length,
+    mcpServersFound: Object.keys(canonical.mcpServers).length,
+    outputFiles: outputs.map(o => o.file),
+    written: dryRun ? [] : written,
+    skipped: dryRun ? [] : skipped,
+    wouldWrite: dryRun ? outputs.map(o => o.file) : [],
+  };
+
+  if (json) return JSON.stringify(result, null, 2);
+
+  const lines = [''];
+  lines.push(c(`  nerviq convert  ${from} → ${to}`, 'bold'));
+  lines.push(c('  ═══════════════════════════════════════', 'dim'));
+  lines.push('');
+  lines.push(`  Source platform:  ${c(from, 'blue')}   (${canonical.rules.length} rule(s) found)`);
+  lines.push(`  Target platform:  ${c(to, 'blue')}`);
+  lines.push(`  Directory:        ${dir}`);
+  lines.push(`  MCP servers:      ${Object.keys(canonical.mcpServers).length}`);
+  lines.push('');
+
+  if (dryRun) {
+    lines.push(c('  Dry run — no files written', 'yellow'));
+    lines.push('');
+    lines.push('  Would generate:');
+    for (const f of outputs) {
+      lines.push(`    ${c('→', 'dim')} ${f.file}`);
+    }
+  } else if (written.length > 0 || skipped.length > 0) {
+    if (written.length > 0) {
+      lines.push('  Written:');
+      for (const f of written) lines.push(`    ${c('✓', 'green')} ${f}`);
+    }
+    if (skipped.length > 0) {
+      lines.push('  Skipped (already exists):');
+      for (const f of skipped) lines.push(`    ${c('-', 'dim')} ${f}`);
+    }
+  }
+
+  lines.push('');
+  if (!dryRun && written.length > 0) {
+    lines.push(c(`  ✓ Conversion complete. Run \`nerviq audit --platform ${to}\` to verify.`, 'green'));
+  } else if (dryRun) {
+    lines.push(c(`  Run without --dry-run to write files.`, 'dim'));
+  } else {
+    lines.push(c(`  No new files written (all already exist).`, 'dim'));
+  }
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+module.exports = { runConvert };

package/src/copilot/techniques.js

@@ -1,11 +1,12 @@
 /**
  * Copilot techniques module — CHECK CATALOG
  *
- * 82 checks across 16 categories:
+ * 86 checks across 17 categories:
  *   v0.1 (38): A. Instructions(8), B. Config(6), C. Trust & Safety(9), D. MCP(5), E. Cloud Agent(5), F. Organization(5)
  *   v0.5 (54): G. Prompt Files(4), H. Agents & Skills(4), I. VS Code IDE(4), J. CLI(4)
  *   v1.0 (70): K. Cross-Surface(5), L. Enterprise(5), M. Quality Deep(6)
- *   CP-08 (82): N. Advisory(4), O. Pack(4), P. Repeat(3), Q. Freshness(3)
+ *   CP-08 (82): N. Advisory(4), O. Pack(4), P. Repeat(3)
+ *   v1.1 (87): Q. Experiment-Verified CLI Fixes (CLI ingests AGENTS.md/CLAUDE.md, mcpServers key, VS Code settings not CLI-relevant, org policy MCP blocks, BYOK MCP caveat)
  *
  * Each check: { id, name, check(ctx), impact, rating, category, fix, template, file(), line() }
  */
@@ -14,6 +15,7 @@ const os = require('os');
 const path = require('path');
 const { CopilotProjectContext } = require('./context');
 const { EMBEDDED_SECRET_PATTERNS, containsEmbeddedSecret } = require('../secret-patterns');
+const { attachSourceUrls } = require('../source-urls');
 const { extractFrontmatter, validateInstructionFrontmatter, validatePromptFrontmatter } = require('./config-parser');
 
 // ─── Shared helpers ─────────────────────────────────────────────────────────
@@ -313,18 +315,19 @@ const COPILOT_TECHNIQUES = {
 
   copilotVscodeSettingsExists: {
     id: 'CP-B01',
-    name: '.vscode/settings.json has Copilot agent settings',
+    name: '.vscode/settings.json has Copilot agent settings (VS Code-only)',
     check: (ctx) => {
       const data = vscodeSettingsData(ctx);
       if (!data) return false;
       // Check for any Copilot or chat-related key
+      // NOTE: These settings affect VS Code only. Copilot CLI ignores them.
       const raw = vscodeSettingsRaw(ctx);
       return /github\.copilot|chat\./.test(raw);
     },
     impact: 'medium',
     rating: 4,
     category: 'config',
-    fix: 'Add Copilot agent settings to .vscode/settings.json.',
+    fix: 'Add Copilot agent settings to .vscode/settings.json. NOTE: These are VS Code-only — Copilot CLI has its own configuration surface.',
     template: 'copilot-vscode-settings',
     file: () => '.vscode/settings.json',
     line: () => 1,
@@ -491,19 +494,20 @@ const COPILOT_TECHNIQUES = {
 
   copilotTerminalSandboxEnabled: {
     id: 'CP-C03',
-    name: 'Terminal sandbox enabled (VS Code agent)',
+    name: 'Terminal sandbox enabled (VS Code-only — does NOT affect CLI)',
     check: (ctx) => {
       const data = vscodeSettingsData(ctx);
       if (!data) return false;
       const raw = vscodeSettingsRaw(ctx);
       // Check for chat.tools.terminal.sandbox.enabled = true
+      // NOTE: This setting is VS Code-specific. Copilot CLI ignores it entirely.
       if (raw.includes('terminal.sandbox') && raw.includes('true')) return true;
       return getCopilotSetting(ctx, 'chat.tools.terminal.sandbox.enabled') === true;
     },
     impact: 'high',
     rating: 5,
     category: 'trust',
-    fix: 'Add "chat.tools.terminal.sandbox.enabled": true to .vscode/settings.json.',
+    fix: 'Add "chat.tools.terminal.sandbox.enabled": true to .vscode/settings.json. NOTE: This is VS Code-only — Copilot CLI uses its own permission flags, not VS Code settings.',
     template: 'copilot-vscode-settings',
     file: () => '.vscode/settings.json',
     line: (ctx) => {
@@ -533,12 +537,14 @@ const COPILOT_TECHNIQUES = {
 
   copilotAutoApprovalSpecific: {
     id: 'CP-C05',
-    name: 'Auto-approval rules are specific (not wildcard)',
+    name: 'Auto-approval rules are specific (VS Code-only — CLI uses permission flags)',
     check: (ctx) => {
       const data = vscodeSettingsData(ctx);
       if (!data) return null;
       const raw = vscodeSettingsRaw(ctx);
       // Check for auto-approval patterns
+      // NOTE: autoApproval.terminalCommands is VS Code-specific.
+      // Copilot CLI uses its own --permission flags, not this setting.
       const autoApproval = getCopilotSetting(ctx, 'chat.agent.autoApproval.terminalCommands');
       if (!autoApproval || !Array.isArray(autoApproval)) return null;
       // Fail if any wildcard patterns
@@ -547,7 +553,7 @@ const COPILOT_TECHNIQUES = {
     impact: 'high',
     rating: 5,
     category: 'trust',
-    fix: 'Replace wildcard auto-approval patterns with specific command patterns (e.g., "npm test", "npm run lint").',
+    fix: 'Replace wildcard auto-approval patterns with specific command patterns (e.g., "npm test", "npm run lint"). NOTE: This setting only affects VS Code — Copilot CLI approval is controlled by CLI permission flags.',
     template: null,
     file: () => '.vscode/settings.json',
     line: (ctx) => {
@@ -1051,11 +1057,13 @@ const COPILOT_TECHNIQUES = {
 
   copilotAgentsMdEnabled: {
     id: 'CP-H01',
-    name: 'If AGENTS.md exists, verify it is enabled in VS Code settings',
+    name: 'If AGENTS.md exists, verify it is enabled in VS Code (CLI reads it automatically)',
     check: (ctx) => {
       const agentsMd = ctx.fileContent('AGENTS.md');
       if (!agentsMd) return null; // N/A
-      // AGENTS.md support needs explicit enabling
+      // AGENTS.md support needs explicit enabling in VS Code
+      // WARNING: Copilot CLI reads AGENTS.md (and CLAUDE.md) automatically without any setting!
+      // Use --no-custom-instructions in CLI to prevent this
       const data = vscodeSettingsData(ctx);
       if (!data) return false;
       const raw = vscodeSettingsRaw(ctx);
@@ -1064,7 +1072,7 @@ const COPILOT_TECHNIQUES = {
     impact: 'critical',
     rating: 5,
     category: 'skills-agents',
-    fix: 'Enable AGENTS.md support in VS Code settings. It is off by default and silently ignored.',
+    fix: 'Enable AGENTS.md in VS Code settings (off by default). WARNING: Copilot CLI reads AGENTS.md and CLAUDE.md automatically — use --no-custom-instructions to prevent cross-platform instruction leakage.',
     template: 'copilot-vscode-settings',
     file: () => '.vscode/settings.json',
     line: (ctx) => {
@@ -1815,8 +1823,114 @@ const COPILOT_TECHNIQUES = {
     file: () => null,
     line: () => null,
   },
+
+  // =============================================
+  // Q. Experiment-Verified CLI Fixes (5 checks) — CP-Q01..CP-Q05
+  // Added from runtime experiment findings (2026-04-05)
+  // =============================================
+
+  copilotCliIngestsNonCopilotFiles: {
+    id: 'CP-Q01',
+    name: 'Aware that Copilot CLI ingests AGENTS.md and CLAUDE.md',
+    check: (ctx) => {
+      const agentsMd = ctx.fileContent('AGENTS.md');
+      const claudeMd = ctx.fileContent('CLAUDE.md');
+      if (!agentsMd && !claudeMd) return null; // No cross-platform files
+      const instr = copilotInstructions(ctx) || '';
+      // If non-Copilot instruction files exist, check that instructions acknowledge this
+      return /copilot cli|--no-custom-instructions|cross.platform|AGENTS\.md|CLAUDE\.md/i.test(instr);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'quality-deep',
+    fix: 'WARNING: Copilot CLI ingests AGENTS.md and CLAUDE.md alongside copilot-instructions.md. Document this or use --no-custom-instructions for clean runs.',
+    template: null,
+    file: () => '.github/copilot-instructions.md',
+    line: () => null,
+  },
+
+  copilotCliMcpUsesServerKey: {
+    id: 'CP-Q02',
+    name: 'CLI MCP config uses mcpServers key (not servers)',
+    check: (ctx) => {
+      const mcpData = mcpJsonData(ctx);
+      if (!mcpData) return null;
+      // CLI expects mcpServers, not servers
+      if (mcpData.servers && !mcpData.mcpServers) return false;
+      return true;
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'ci-automation',
+    fix: 'Copilot CLI MCP config expects the "mcpServers" key. "servers" alone may not work in CLI context.',
+    template: null,
+    file: () => '.vscode/mcp.json',
+    line: () => 1,
+  },
+
+  copilotVscodeSettingsNotCliRelevant: {
+    id: 'CP-Q03',
+    name: 'VS Code-specific settings not assumed to affect CLI',
+    check: (ctx) => {
+      const instr = copilotInstructions(ctx) || '';
+      if (!instr) return null;
+      // If instructions reference VS Code settings as if they affect CLI, flag it
+      const mentionsCli = /copilot cli|gh copilot/i.test(instr);
+      const mentionsVscodeForCli = /chat\.tools.*cli|terminal\.sandbox.*cli|autoApproval.*cli/i.test(instr);
+      if (mentionsCli && mentionsVscodeForCli) return false;
+      return true;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'quality-deep',
+    fix: 'VS Code settings (sandbox, autoApproval, instructionsFilesLocations) do not affect Copilot CLI. Document CLI-specific configuration separately.',
+    template: null,
+    file: () => '.github/copilot-instructions.md',
+    line: () => null,
+  },
+
+  copilotOrgPolicyBlocksMcp: {
+    id: 'CP-Q04',
+    name: 'Org policy MCP restrictions documented if applicable',
+    check: (ctx) => {
+      const instr = copilotInstructions(ctx) || '';
+      const mcpData = mcpJsonData(ctx);
+      if (!mcpData) return null;
+      const servers = mcpData.servers || mcpData.mcpServers || {};
+      if (Object.keys(servers).length === 0) return null;
+      // If MCP servers are configured, check that org policy restrictions are documented
+      return /org.policy|policy.block|third.party.*mcp|mcp.*restrict|Access denied/i.test(instr);
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'quality-deep',
+    fix: 'Document that org policies can block third-party MCP servers even in local CLI sessions. Error: "Access denied by policy settings".',
+    template: null,
+    file: () => '.github/copilot-instructions.md',
+    line: () => null,
+  },
+
+  copilotByokMcpCaveat: {
+    id: 'CP-Q05',
+    name: 'BYOK mode MCP limitations documented',
+    check: (ctx) => {
+      const instr = copilotInstructions(ctx) || '';
+      // Only relevant if BYOK is mentioned
+      if (!/byok|bring your own key|openai.*key|COPILOT_.*KEY/i.test(instr)) return null;
+      return /byok.*mcp|mcp.*byok|oauth.*broken|built.in.*github.*mcp/i.test(instr);
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'quality-deep',
+    fix: 'Document that BYOK mode breaks built-in GitHub MCP server (OAuth auth unavailable). Third-party MCP may also be restricted by org policy.',
+    template: null,
+    file: () => '.github/copilot-instructions.md',
+    line: () => null,
+  },
 };
 
+attachSourceUrls('copilot', COPILOT_TECHNIQUES);
+
 module.exports = {
   COPILOT_TECHNIQUES,
 };