@nerviq/cli 1.10.0 → 1.11.0

package/src/activity.js

@@ -136,6 +136,37 @@ function summarizeSnapshot(snapshotKind, payload) {
   return {};
 }
 
+function normalizeSnapshotTags(input) {
+  const values = Array.isArray(input) ? input : (input ? [input] : []);
+  const seen = new Set();
+  const tags = [];
+
+  for (const value of values) {
+    const parts = `${value || ''}`
+      .split(',')
+      .map((item) => item.replace(/\s+/g, ' ').trim())
+      .filter(Boolean);
+
+    for (const part of parts) {
+      const key = part.toLowerCase();
+      if (seen.has(key)) continue;
+      seen.add(key);
+      tags.push(part.slice(0, 48));
+      if (tags.length >= 8) {
+        return tags;
+      }
+    }
+  }
+
+  return tags;
+}
+
+function formatSnapshotTags(tags = []) {
+  const normalized = normalizeSnapshotTags(tags);
+  if (normalized.length === 0) return '';
+  return ` [${normalized.join(', ')}]`;
+}
+
 function updateSnapshotIndex(snapshotDir, record) {
   const indexPath = path.join(snapshotDir, 'index.json');
   let entries = [];
@@ -173,6 +204,11 @@ function writeSnapshotArtifact(dir, snapshotKind, payload, meta = {}) {
   const { snapshotDir } = ensureArtifactDirs(dir);
   const filePath = path.join(snapshotDir, `${id}-${snapshotKind}.json`);
   const summary = summarizeSnapshot(snapshotKind, payload);
+  const metaTags = normalizeSnapshotTags([
+    ...(Array.isArray(meta.tags) ? meta.tags : (meta.tags ? [meta.tags] : [])),
+    ...(meta.tag ? [meta.tag] : []),
+  ]);
+  const { tags: _ignoredTags, tag: _ignoredTag, ...restMeta } = meta;
   const envelope = {
     schemaVersion: 1,
     artifactType: 'snapshot',
@@ -183,7 +219,8 @@ function writeSnapshotArtifact(dir, snapshotKind, payload, meta = {}) {
     generatedBy: `nerviq@${version}`,
     directory: dir,
     summary,
-    ...meta,
+    tags: metaTags,
+    ...restMeta,
     payload,
   };
 
@@ -194,6 +231,7 @@ function writeSnapshotArtifact(dir, snapshotKind, payload, meta = {}) {
     snapshotKind,
     createdAt: envelope.createdAt,
     relativePath: path.relative(dir, filePath),
+    tags: metaTags,
     summary,
   };
   updateSnapshotIndex(snapshotDir, record);
@@ -236,6 +274,79 @@ function getHistory(dir, limit = 20) {
     .slice(0, limit);
 }
 
+function buildCheckDiffDetail(previousResult, currentResult) {
+  const source = currentResult || previousResult || {};
+  const previousState = previousResult ? previousResult.passed : undefined;
+  const currentState = currentResult ? currentResult.passed : undefined;
+  return {
+    key: source.key,
+    name: source.name || source.key,
+    impact: source.impact || null,
+    category: source.category || null,
+    previousState,
+    currentState,
+  };
+}
+
+function collectCheckDiff(previousResults = [], currentResults = []) {
+  const prevMap = new Map();
+  const currMap = new Map();
+
+  for (const result of previousResults) {
+    if (result && result.key) prevMap.set(result.key, result);
+  }
+  for (const result of currentResults) {
+    if (result && result.key) currMap.set(result.key, result);
+  }
+
+  const regressions = [];
+  const improvements = [];
+  const newlyApplicable = [];
+  const noLongerApplicable = [];
+  const newChecks = [];
+  const removedChecks = [];
+
+  const allKeys = [...new Set([...prevMap.keys(), ...currMap.keys()])].sort();
+  for (const key of allKeys) {
+    const previousResult = prevMap.get(key);
+    const currentResult = currMap.get(key);
+    const previousState = previousResult ? previousResult.passed : undefined;
+    const currentState = currentResult ? currentResult.passed : undefined;
+    const detail = buildCheckDiffDetail(previousResult, currentResult);
+
+    if (!previousResult) {
+      if (currentState !== undefined) {
+        newChecks.push(detail);
+      }
+      continue;
+    }
+
+    if (!currentResult) {
+      removedChecks.push(detail);
+      continue;
+    }
+
+    if (previousState === true && currentState === false) {
+      regressions.push(detail);
+    } else if (previousState === false && currentState === true) {
+      improvements.push(detail);
+    } else if ((previousState === null || previousState === undefined) && (currentState === true || currentState === false)) {
+      newlyApplicable.push(detail);
+    } else if ((currentState === null || currentState === undefined) && (previousState === true || previousState === false)) {
+      noLongerApplicable.push(detail);
+    }
+  }
+
+  return {
+    regressions,
+    improvements,
+    newlyApplicable,
+    noLongerApplicable,
+    newChecks,
+    removedChecks,
+  };
+}
+
 /**
  * Compare the two most recent audit snapshots and return the delta.
  * @param {string} dir - Project root directory.
@@ -247,6 +358,8 @@ function compareLatest(dir) {
 
   const current = audits[0];
   const previous = audits[1];
+  const currentPayload = loadSnapshotPayload(dir, current);
+  const previousPayload = loadSnapshotPayload(dir, previous);
 
   const delta = {
     score: (current.summary?.score || 0) - (previous.summary?.score || 0),
@@ -254,26 +367,64 @@ function compareLatest(dir) {
     passed: (current.summary?.passed || 0) - (previous.summary?.passed || 0),
   };
 
-  const regressions = [];
-  const improvements = [];
-
-  const prevKeys = new Set(previous.summary?.topActionKeys || []);
-  const currKeys = new Set(current.summary?.topActionKeys || []);
-
-  for (const key of currKeys) {
-    if (!prevKeys.has(key)) regressions.push(key);
-  }
-  for (const key of prevKeys) {
-    if (!currKeys.has(key)) improvements.push(key);
+  let regressionDetails = [];
+  let improvementDetails = [];
+  let newlyApplicableDetails = [];
+  let noLongerApplicableDetails = [];
+  let newChecks = [];
+  let removedChecks = [];
+  let regressions = [];
+  let improvements = [];
+  let detailedDiffAvailable = false;
+
+  if (currentPayload && previousPayload && Array.isArray(currentPayload.results) && Array.isArray(previousPayload.results)) {
+    const diff = collectCheckDiff(previousPayload.results, currentPayload.results);
+    regressionDetails = diff.regressions;
+    improvementDetails = diff.improvements;
+    newlyApplicableDetails = diff.newlyApplicable;
+    noLongerApplicableDetails = diff.noLongerApplicable;
+    newChecks = diff.newChecks;
+    removedChecks = diff.removedChecks;
+    regressions = regressionDetails.map((item) => item.key);
+    improvements = improvementDetails.map((item) => item.key);
+    detailedDiffAvailable = true;
+  } else {
+    const prevKeys = new Set(previous.summary?.topActionKeys || []);
+    const currKeys = new Set(current.summary?.topActionKeys || []);
+    for (const key of currKeys) {
+      if (!prevKeys.has(key)) regressions.push(key);
+    }
+    for (const key of prevKeys) {
+      if (!currKeys.has(key)) improvements.push(key);
+    }
   }
 
   return {
     scoreType: 'audit-snapshot-score',
-    current: { date: current.createdAt, score: current.summary?.score, passed: current.summary?.passed, scoreType: 'audit-snapshot-score' },
-    previous: { date: previous.createdAt, score: previous.summary?.score, passed: previous.summary?.passed, scoreType: 'audit-snapshot-score' },
+    current: {
+      date: current.createdAt,
+      score: current.summary?.score,
+      passed: current.summary?.passed,
+      tags: current.tags || [],
+      scoreType: 'audit-snapshot-score',
+    },
+    previous: {
+      date: previous.createdAt,
+      score: previous.summary?.score,
+      passed: previous.summary?.passed,
+      tags: previous.tags || [],
+      scoreType: 'audit-snapshot-score',
+    },
     delta,
     regressions,
     improvements,
+    regressionDetails,
+    improvementDetails,
+    newlyApplicableDetails,
+    noLongerApplicableDetails,
+    newChecks,
+    removedChecks,
+    detailedDiffAvailable,
     trend: delta.score > 0 ? 'improving' : delta.score < 0 ? 'regressing' : 'stable',
   };
 }
@@ -303,13 +454,13 @@ function formatSnapshotBootstrap(dir, goal = 'history') {
 
   if (snapshotCount === 0) {
     lines.push('  Bootstrap it with:');
-    lines.push('  1. Run `nerviq audit --snapshot` to save the baseline.');
+    lines.push('  1. Run `nerviq audit --snapshot --tag "baseline"` to save the baseline.');
     lines.push('  2. Make a meaningful repo change (`nerviq setup --auto` or `nerviq fix --all-critical --auto`).');
-    lines.push('  3. Run `nerviq audit --snapshot` again to capture the next state.');
+    lines.push('  3. Run `nerviq audit --snapshot --tag "after-change"` to capture the next state.');
   } else {
     lines.push('  Next:');
     lines.push('  1. Make a meaningful repo change (`nerviq setup --auto` or `nerviq fix --all-critical --auto`).');
-    lines.push('  2. Run `nerviq audit --snapshot` again.');
+    lines.push('  2. Run `nerviq audit --snapshot --tag "after-change"` again.');
   }
 
   if (goal === 'compare') {
@@ -340,7 +491,7 @@ function formatHistory(dir) {
     const score = entry.summary?.score ?? '?';
     const passed = entry.summary?.passed ?? '?';
     const total = entry.summary?.checkCount ?? '?';
-    lines.push(`  ${dateDisplay}  snapshot ${score}/100  (${passed}/${total} checks passing)`);
+    lines.push(`  ${dateDisplay}  snapshot${formatSnapshotTags(entry.tags)} ${score}/100  (${passed}/${total} checks passing)`);
   }
 
   const comparison = compareLatest(dir);
@@ -348,6 +499,9 @@ function formatHistory(dir) {
     lines.push('');
     const sign = comparison.delta.score >= 0 ? '+' : '';
     lines.push(`  Latest snapshot trend: ${comparison.trend} (${sign}${comparison.delta.score} since previous snapshot)`);
+    if ((comparison.previous.tags || []).length > 0 || (comparison.current.tags || []).length > 0) {
+      lines.push(`  Snapshot tags: previous${formatSnapshotTags(comparison.previous.tags)} -> current${formatSnapshotTags(comparison.current.tags)}`);
+    }
     if (comparison.improvements.length > 0) {
       lines.push(`  Fixed: ${comparison.improvements.join(', ')}`);
     }
@@ -378,21 +532,22 @@ function exportTrendReport(dir) {
     '',
     '## Audit Snapshot History',
     '',
-    '| Date | Score | Passed | Checks |',
-    '|------|-------|--------|--------|',
+    '| Date | Tags | Score | Passed | Checks |',
+    '|------|------|-------|--------|--------|',
   ];
 
   for (const entry of history) {
     const date = entry.createdAt?.split('T')[0] || '?';
-    lines.push(`| ${date} | ${entry.summary?.score ?? '?'}/100 | ${entry.summary?.passed ?? '?'} | ${entry.summary?.checkCount ?? '?'} |`);
+    const tags = (entry.tags || []).length > 0 ? entry.tags.join(', ') : '-';
+    lines.push(`| ${date} | ${tags} | ${entry.summary?.score ?? '?'}/100 | ${entry.summary?.passed ?? '?'} | ${entry.summary?.checkCount ?? '?'} |`);
   }
 
   if (comparison) {
     lines.push('');
     lines.push('## Latest Comparison');
     lines.push('');
-    lines.push(`- **Previous snapshot score:** ${comparison.previous.score}/100 (${comparison.previous.date?.split('T')[0]})`);
-    lines.push(`- **Current snapshot score:** ${comparison.current.score}/100 (${comparison.current.date?.split('T')[0]})`);
+    lines.push(`- **Previous snapshot score:** ${comparison.previous.score}/100 (${comparison.previous.date?.split('T')[0]})${formatSnapshotTags(comparison.previous.tags)}`);
+    lines.push(`- **Current snapshot score:** ${comparison.current.score}/100 (${comparison.current.date?.split('T')[0]})${formatSnapshotTags(comparison.current.tags)}`);
     lines.push(`- **Snapshot delta:** ${comparison.delta.score >= 0 ? '+' : ''}${comparison.delta.score} points`);
     lines.push(`- **Trend:** ${comparison.trend}`);
     if (comparison.improvements.length > 0) lines.push(`- **Fixed:** ${comparison.improvements.join(', ')}`);
@@ -627,42 +782,11 @@ function checkHealth(dir) {
 
   const currentResults = currentPayload.results || [];
   const previousResults = previousPayload.results || [];
-
-  // Build maps: key → passed (true/false/null)
-  const prevMap = {};
-  for (const r of previousResults) {
-    if (r.key) prevMap[r.key] = r.passed;
-  }
-  const currMap = {};
-  for (const r of currentResults) {
-    if (r.key) currMap[r.key] = r.passed;
-  }
-
-  const regressions = []; // was passing → now failing
-  const improvements = []; // was failing → now passing
-  const newChecks = []; // not in previous
-  const removedChecks = []; // not in current
-
-  for (const r of currentResults) {
-    if (!r.key) continue;
-    const prev = prevMap[r.key];
-    const curr = r.passed;
-    if (prev === undefined) {
-      if (curr !== null) newChecks.push({ key: r.key, name: r.name, impact: r.impact, passed: curr });
-      continue;
-    }
-    if (prev === true && curr === false) {
-      regressions.push({ key: r.key, name: r.name, impact: r.impact, category: r.category });
-    } else if (prev === false && curr === true) {
-      improvements.push({ key: r.key, name: r.name, impact: r.impact, category: r.category });
-    }
-  }
-
-  for (const r of previousResults) {
-    if (r.key && currMap[r.key] === undefined) {
-      removedChecks.push({ key: r.key, name: r.name });
-    }
-  }
+  const diff = collectCheckDiff(previousResults, currentResults);
+  const regressions = diff.regressions;
+  const improvements = diff.improvements;
+  const newChecks = diff.newChecks;
+  const removedChecks = diff.removedChecks;
 
   // Detect potential platform format changes:
   // If 3+ checks in the same category regressed, flag it
@@ -855,6 +979,8 @@ module.exports = {
   writeActivityArtifact,
   writeRollbackArtifact,
   writeSnapshotArtifact,
+  normalizeSnapshotTags,
+  formatSnapshotTags,
   readSnapshotIndex,
   getHistory,
   compareLatest,

package/src/aider/freshness.js

@@ -93,11 +93,11 @@ const PROPAGATION_CHECKLIST = [
 ];
 
 /**
- * Check release gate — are all P0 sources fresh?
- */
-function checkReleaseGate(overrides = {}) {
-  const now = new Date();
-  const results = P0_SOURCES.map(source => {
+ * Check release gate — are all P0 sources fresh?
+ */
+function checkReleaseGate(overrides = {}) {
+  const now = new Date();
+  const results = P0_SOURCES.map(source => {
     const verifiedAt = overrides[source.key] || source.verifiedAt;
     if (!verifiedAt) {
       return { ...source, status: 'unverified', daysStale: null };
@@ -114,26 +114,29 @@ function checkReleaseGate(overrides = {}) {
     };
   });
 
-  const allFresh = results.every(r => r.status === 'fresh');
-
-  return {
-    ready: allFresh,
-    results,
-    nerviqVersion: version,
-    checkedAt: now.toISOString(),
-  };
-}
-
-/**
- * Format release gate for display.
- */
-function formatReleaseGate(overrides = {}) {
-  const gateResult = checkReleaseGate(overrides);
-  const lines = [
-    `Aider Release Freshness Gate (nerviq v${version})`,
-    `Status: ${gateResult.ready ? 'READY' : 'NOT READY'}`,
-    '',
-  ];
+  const stale = results.filter((result) => result.status === 'stale' || result.status === 'unverified');
+  const fresh = results.filter((result) => result.status === 'fresh');
+  const allFresh = stale.length === 0;
+
+  return {
+    ready: allFresh,
+    stale,
+    fresh,
+    results,
+    nerviqVersion: version,
+    checkedAt: now.toISOString(),
+  };
+}
+
+/**
+ * Format release gate for display.
+ */
+function formatReleaseGate(gateResult) {
+  const lines = [
+    `Aider Release Freshness Gate (nerviq v${version})`,
+    `Status: ${gateResult.ready ? 'READY' : 'NOT READY'}`,
+    '',
+  ];
 
   for (const result of gateResult.results) {
     const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';

package/src/analyze.js

@@ -11,6 +11,7 @@ const { STACKS } = require('./techniques');
 const { detectDomainPacks } = require('./domain-packs');
 const { detectCodexDomainPacks } = require('./codex/domain-packs');
 const { recommendMcpPacks } = require('./mcp-packs');
+const { collectClaudeDenyRules } = require('./permission-rules');
 
 const COLORS = {
   reset: '\x1b[0m',
@@ -101,6 +102,7 @@ function collectClaudeAssets(ctx) {
   const sharedSettings = ctx.jsonFile('.claude/settings.json');
   const localSettings = ctx.jsonFile('.claude/settings.local.json');
   const settings = sharedSettings || localSettings || null;
+  const denyRules = collectClaudeDenyRules(ctx);
 
   const assetFiles = {
     claudeMd: ctx.fileContent('CLAUDE.md') ? 'CLAUDE.md' : (ctx.fileContent('.claude/CLAUDE.md') ? '.claude/CLAUDE.md' : null),
@@ -129,7 +131,7 @@ function collectClaudeAssets(ctx) {
     },
     permissions: settings && settings.permissions ? {
       defaultMode: settings.permissions.defaultMode || null,
-      hasDenyRules: Array.isArray(settings.permissions.deny) && settings.permissions.deny.length > 0,
+      hasDenyRules: denyRules.length > 0,
     } : null,
     settingsSource: assetFiles.settings,
     summaryLine: `Commands: ${assetFiles.commands.length} | Rules: ${assetFiles.rules.length} | Hooks: ${assetFiles.hooks.length} | Agents: ${assetFiles.agents.length} | Skills: ${assetFiles.skills.length} | MCP servers: ${settings && settings.mcpServers ? Object.keys(settings.mcpServers).length : 0}`,

package/src/anti-patterns.js

@@ -8,6 +8,8 @@ const {
   hasDocumentedVerificationGuidance,
   hasDocumentedTestCommand,
 } = require('./instruction-surfaces');
+const { collectClaudeDenyRules } = require('./permission-rules');
+const { containsEmbeddedSecret } = require('./secret-patterns');
 
 const ANTI_PATTERNS = [
   {
@@ -32,7 +34,7 @@ const ANTI_PATTERNS = [
     detect: (ctx) => {
       const settings = ctx.jsonFile('.claude/settings.json') || ctx.jsonFile('.claude/settings.local.json');
       if (!settings || !settings.permissions) return true;
-      return !Array.isArray(settings.permissions.deny) || settings.permissions.deny.length === 0;
+      return collectClaudeDenyRules(ctx).length === 0;
     },
   },
   {
@@ -322,7 +324,7 @@ const ANTI_PATTERNS = [
       ];
       for (const file of hookFiles) {
         const content = ctx.fileContent(`.claude/hooks/${file}`) || '';
-        if (secretPatterns.some(p => p.test(content))) {
+        if (secretPatterns.some(p => p.test(content)) || containsEmbeddedSecret(content)) {
           return true;
         }
       }