@nerviq/cli 1.10.0 → 1.11.0

package/src/permission-rules.js

@@ -0,0 +1,218 @@
+const fs = require('fs');
+const path = require('path');
+
+const PATH_ACTIONS = new Set(['read', 'write', 'edit', 'multiedit']);
+const SECRET_PATH_RE = /(^|\/)(\.env(?:[^/]*)?|secrets?)(\/|$)/i;
+
+function normalizeSlash(value) {
+  return String(value || '').replace(/\\/g, '/');
+}
+
+function stripWrappingQuotes(value) {
+  const trimmed = String(value || '').trim();
+  if (!trimmed) return '';
+  const first = trimmed[0];
+  const last = trimmed[trimmed.length - 1];
+  if ((first === '"' || first === "'") && first === last) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+
+function getProjectRoot(rootDir) {
+  try {
+    return fs.realpathSync.native(rootDir);
+  } catch {
+    return path.resolve(rootDir);
+  }
+}
+
+function splitPatternSegments(rawPattern, isAbsolute) {
+  const normalized = normalizeSlash(rawPattern);
+
+  if (/^[A-Za-z]:\//.test(normalized)) {
+    return normalized.slice(3).split('/').filter(Boolean);
+  }
+
+  if (isAbsolute && normalized.startsWith('/')) {
+    return normalized.slice(1).split('/').filter(Boolean);
+  }
+
+  return normalized.split('/').filter((segment) => segment && segment !== '.');
+}
+
+function hasGlob(segment) {
+  return /[*?[\]{}]/.test(segment);
+}
+
+function buildAbsolutePattern(rootDir, rawPattern) {
+  const normalized = stripWrappingQuotes(normalizeSlash(rawPattern).replace(/^file:\/\//i, ''));
+  if (!normalized) {
+    return {
+      absolutePattern: null,
+      normalizedInput: '',
+      isAbsolute: false,
+      traversalSegments: false,
+    };
+  }
+
+  const isAbsolute = /^[A-Za-z]:\//.test(normalized) || normalized.startsWith('/');
+  const traversalSegments = normalized.split('/').some((segment) => segment === '..');
+  const segments = splitPatternSegments(normalized, isAbsolute);
+  let current = isAbsolute ? path.parse(path.resolve(normalized)).root : getProjectRoot(rootDir);
+
+  for (const segment of segments) {
+    const candidate = path.join(current, segment);
+    if (hasGlob(segment)) {
+      current = candidate;
+      continue;
+    }
+
+    try {
+      current = fs.realpathSync.native(candidate);
+    } catch {
+      current = candidate;
+    }
+  }
+
+  return {
+    absolutePattern: current,
+    normalizedInput: normalized,
+    isAbsolute,
+    traversalSegments,
+  };
+}
+
+function normalizePathPayload(rawPayload, rootDir) {
+  const {
+    absolutePattern,
+    normalizedInput,
+    isAbsolute,
+    traversalSegments,
+  } = buildAbsolutePattern(rootDir, rawPayload);
+
+  if (!absolutePattern) {
+    return {
+      normalizedPath: '',
+      repoRelativePath: '',
+      outsideRepo: false,
+      invalid: true,
+      isAbsolute,
+      traversalSegments,
+    };
+  }
+
+  const projectRoot = getProjectRoot(rootDir);
+  const relativePath = normalizeSlash(path.relative(projectRoot, absolutePattern));
+  const outsideRepo = relativePath === '..' || relativePath.startsWith('../') || /^[A-Za-z]:\//.test(relativePath);
+  const repoRelativePath = outsideRepo ? null : relativePath || '.';
+  const normalizedPath = outsideRepo
+    ? normalizeSlash(absolutePattern)
+    : `./${repoRelativePath}`;
+
+  return {
+    normalizedPath,
+    repoRelativePath,
+    outsideRepo,
+    invalid: traversalSegments && outsideRepo && !isAbsolute,
+    isAbsolute,
+    traversalSegments,
+    normalizedInput,
+  };
+}
+
+function normalizeCommandPayload(rawPayload) {
+  return stripWrappingQuotes(rawPayload).replace(/\s+/g, ' ').trim();
+}
+
+function normalizePermissionRule(rule, rootDir) {
+  if (typeof rule !== 'string' || !rule.trim()) return null;
+  const trimmed = rule.trim();
+  const match = trimmed.match(/^([A-Za-z]+)\((.*)\)$/);
+  if (!match) {
+    return {
+      raw: trimmed,
+      action: null,
+      payload: trimmed,
+      normalized: trimmed,
+      dedupeKey: trimmed.toLowerCase(),
+      kind: 'raw',
+      invalid: false,
+      outsideRepo: false,
+      protectsSecrets: false,
+    };
+  }
+
+  const action = match[1];
+  const payload = match[2].trim();
+  const actionKey = action.toLowerCase();
+
+  if (PATH_ACTIONS.has(actionKey)) {
+    const details = normalizePathPayload(payload, rootDir);
+    const dedupeKey = `${actionKey}:${details.normalizedPath.toLowerCase()}`;
+    return {
+      raw: trimmed,
+      action,
+      payload,
+      normalized: `${action}(${details.normalizedPath})`,
+      normalizedPath: details.normalizedPath,
+      repoRelativePath: details.repoRelativePath,
+      dedupeKey,
+      kind: 'path',
+      invalid: details.invalid,
+      outsideRepo: details.outsideRepo,
+      traversalSegments: details.traversalSegments,
+      isAbsolute: details.isAbsolute,
+      protectsSecrets: !details.outsideRepo && SECRET_PATH_RE.test(details.repoRelativePath || ''),
+    };
+  }
+
+  const normalizedPayload = normalizeCommandPayload(payload);
+  return {
+    raw: trimmed,
+    action,
+    payload,
+    normalized: `${action}(${normalizedPayload})`,
+    dedupeKey: `${actionKey}:${normalizedPayload.toLowerCase()}`,
+    kind: 'command',
+    invalid: false,
+    outsideRepo: false,
+    protectsSecrets: false,
+  };
+}
+
+function normalizePermissionRules(rules, rootDir) {
+  const seen = new Set();
+  const normalized = [];
+
+  for (const rule of Array.isArray(rules) ? rules : []) {
+    const entry = normalizePermissionRule(rule, rootDir);
+    if (!entry || entry.invalid) continue;
+    if (seen.has(entry.dedupeKey)) continue;
+    seen.add(entry.dedupeKey);
+    normalized.push(entry);
+  }
+
+  return normalized;
+}
+
+function collectClaudeDenyRules(ctx) {
+  const shared = ctx.jsonFile('.claude/settings.json');
+  const local = ctx.jsonFile('.claude/settings.local.json');
+  const denyRules = []
+    .concat(shared?.permissions?.deny || [])
+    .concat(local?.permissions?.deny || []);
+
+  return normalizePermissionRules(denyRules, ctx.dir);
+}
+
+function hasSecretDenyRule(rules) {
+  return (Array.isArray(rules) ? rules : []).some((rule) => rule && rule.protectsSecrets);
+}
+
+module.exports = {
+  collectClaudeDenyRules,
+  hasSecretDenyRule,
+  normalizePermissionRule,
+  normalizePermissionRules,
+};

package/src/secret-patterns.js

@@ -5,6 +5,15 @@ const EMBEDDED_SECRET_PATTERNS = [
   /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
   /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g,
   /\bgh[pousr]_[A-Za-z0-9]{20,}\b/g,
+  /\bAZURE(?:_[A-Z0-9]+){0,4}_(?:API_)?KEY\s*[:=]\s*['"]?[A-Za-z0-9+/=_-]{20,}['"]?/g,
+  /\bDefaultEndpointsProtocol=https;AccountName=[^;\s]+;AccountKey=[A-Za-z0-9+/=]{20,};EndpointSuffix=core\.windows\.net\b/gi,
+  /\bEndpoint=sb:\/\/[^\s;]+;SharedAccessKeyName=[^;\s]+;SharedAccessKey=[A-Za-z0-9+/=]{20,}\b/gi,
+  /\b(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis|rediss|amqp):\/\/[^:\s/]+:[^@\s]{4,}@[^/\s]+(?:\/[^\s'"]*)?/gi,
+  /\b(?:Server|Host|Data Source)\s*=\s*[^;\n]+;[^\n]*(?:Password|Pwd)\s*=\s*[^;\n]{4,}/gi,
+  /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g,
+  /-----BEGIN (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----[\s\S]{40,}?-----END (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----/g,
+  /-----BEGIN PRIVATE KEY-----[\s\S]{40,}?-----END PRIVATE KEY-----/g,
+  /"type"\s*:\s*"service_account"[\s\S]{0,1200}?"client_email"\s*:\s*"[^\"]+@[^"]*gserviceaccount\.com"[\s\S]{0,1200}?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]{20,}?-----END PRIVATE KEY-----\\n?"/g,
 ];
 
 function containsEmbeddedSecret(text = '') {

package/src/server.js

@@ -7,7 +7,7 @@ const { audit } = require('./audit');
 const { harmonyAudit } = require('./harmony/audit');
 const { getCatalog } = require('./public-api');
 
-const SUPPORTED_PLATFORMS = new Set([
+const SUPPORTED_PLATFORMS = [
   'claude',
   'codex',
   'gemini',
@@ -16,7 +16,8 @@ const SUPPORTED_PLATFORMS = new Set([
   'windsurf',
   'aider',
   'opencode',
-]);
+];
+const SUPPORTED_PLATFORM_SET = new Set(SUPPORTED_PLATFORMS);
 
 function envelope(data) {
   return { data, meta: { version, timestamp: new Date().toISOString() } };
@@ -49,7 +50,7 @@ function resolveRequestDir(baseDir, rawDir) {
 
 function normalizePlatform(rawPlatform) {
   const platform = (rawPlatform || 'claude').toLowerCase();
-  if (!SUPPORTED_PLATFORMS.has(platform)) {
+  if (!SUPPORTED_PLATFORM_SET.has(platform)) {
     const error = new Error(`Unsupported platform '${rawPlatform}'.`);
     error.statusCode = 400;
     throw error;
@@ -57,6 +58,392 @@ function normalizePlatform(rawPlatform) {
   return platform;
 }
 
+function buildEnvelopeSchema(dataSchema) {
+  return {
+    type: 'object',
+    required: ['data', 'meta'],
+    properties: {
+      data: dataSchema,
+      meta: { $ref: '#/components/schemas/ResponseMeta' },
+    },
+  };
+}
+
+function buildServeOpenApiSpec(options = {}) {
+  const serverUrl = options.serverUrl || 'http://127.0.0.1:3000';
+  const catalogSize = options.catalogSize == null ? getCatalog().length : options.catalogSize;
+
+  return {
+    openapi: '3.1.0',
+    info: {
+      title: 'Nerviq Local API',
+      version,
+      summary: 'Zero-dependency local REST surface for audit, harmony, catalog, and health data.',
+      description: [
+        'Nerviq exposes a local-first HTTP API through `nerviq serve`.',
+        'Operational endpoints are GET-only, return JSON, and wrap successful payloads in `{ data, meta }` envelopes.',
+        'The OpenAPI document itself is available at `/api/openapi.json`.',
+      ].join(' '),
+    },
+    servers: [
+      {
+        url: serverUrl,
+        description: 'Current Nerviq serve instance',
+      },
+    ],
+    tags: [
+      { name: 'system', description: 'Server health and contract discovery.' },
+      { name: 'audit', description: 'Repository audit and governance scoring.' },
+      { name: 'harmony', description: 'Cross-platform alignment and drift analysis.' },
+      { name: 'catalog', description: 'Unified public check catalog.' },
+    ],
+    paths: {
+      '/api/openapi.json': {
+        get: {
+          tags: ['system'],
+          operationId: 'getOpenApiSpec',
+          summary: 'Return the live OpenAPI contract for this Nerviq serve instance.',
+          responses: {
+            200: {
+              description: 'OpenAPI 3.1 document for the active server surface.',
+              content: {
+                'application/json': {
+                  schema: {
+                    type: 'object',
+                    required: ['openapi', 'info', 'paths'],
+                    properties: {
+                      openapi: { type: 'string', example: '3.1.0' },
+                      info: { type: 'object' },
+                      servers: { type: 'array', items: { type: 'object' } },
+                      paths: { type: 'object' },
+                    },
+                  },
+                },
+              },
+            },
+            405: {
+              $ref: '#/components/responses/MethodNotAllowed',
+            },
+          },
+        },
+      },
+      '/api/health': {
+        get: {
+          tags: ['system'],
+          operationId: 'getHealth',
+          summary: 'Check local server readiness and catalog size.',
+          responses: {
+            200: {
+              description: 'Current server health envelope.',
+              content: {
+                'application/json': {
+                  schema: { $ref: '#/components/schemas/HealthEnvelope' },
+                },
+              },
+            },
+            405: {
+              $ref: '#/components/responses/MethodNotAllowed',
+            },
+            500: {
+              $ref: '#/components/responses/InternalError',
+            },
+          },
+        },
+      },
+      '/api/catalog': {
+        get: {
+          tags: ['catalog'],
+          operationId: 'getCatalog',
+          summary: 'Return the merged public check catalog.',
+          responses: {
+            200: {
+              description: 'Full catalog envelope.',
+              content: {
+                'application/json': {
+                  schema: { $ref: '#/components/schemas/CatalogEnvelope' },
+                },
+              },
+            },
+            405: {
+              $ref: '#/components/responses/MethodNotAllowed',
+            },
+            500: {
+              $ref: '#/components/responses/InternalError',
+            },
+          },
+        },
+      },
+      '/api/audit': {
+        get: {
+          tags: ['audit'],
+          operationId: 'runAudit',
+          summary: 'Run a Nerviq audit for one directory and one platform.',
+          parameters: [
+            { $ref: '#/components/parameters/DirParam' },
+            { $ref: '#/components/parameters/PlatformParam' },
+          ],
+          responses: {
+            200: {
+              description: 'Audit result envelope.',
+              content: {
+                'application/json': {
+                  schema: { $ref: '#/components/schemas/AuditEnvelope' },
+                },
+              },
+            },
+            400: {
+              $ref: '#/components/responses/BadRequest',
+            },
+            405: {
+              $ref: '#/components/responses/MethodNotAllowed',
+            },
+            500: {
+              $ref: '#/components/responses/InternalError',
+            },
+          },
+        },
+      },
+      '/api/harmony': {
+        get: {
+          tags: ['harmony'],
+          operationId: 'runHarmonyAudit',
+          summary: 'Run cross-platform harmony audit and drift analysis.',
+          parameters: [
+            { $ref: '#/components/parameters/DirParam' },
+          ],
+          responses: {
+            200: {
+              description: 'Harmony result envelope.',
+              content: {
+                'application/json': {
+                  schema: { $ref: '#/components/schemas/HarmonyEnvelope' },
+                },
+              },
+            },
+            400: {
+              $ref: '#/components/responses/BadRequest',
+            },
+            405: {
+              $ref: '#/components/responses/MethodNotAllowed',
+            },
+            500: {
+              $ref: '#/components/responses/InternalError',
+            },
+          },
+        },
+      },
+    },
+    components: {
+      parameters: {
+        DirParam: {
+          name: 'dir',
+          in: 'query',
+          required: false,
+          description: 'Directory to audit. Relative paths resolve from the server base directory. Defaults to `.`.',
+          schema: {
+            type: 'string',
+            default: '.',
+          },
+        },
+        PlatformParam: {
+          name: 'platform',
+          in: 'query',
+          required: false,
+          description: 'Target platform to audit. Defaults to `claude` when omitted.',
+          schema: {
+            type: 'string',
+            enum: SUPPORTED_PLATFORMS,
+            default: 'claude',
+          },
+        },
+      },
+      responses: {
+        BadRequest: {
+          description: 'Validation error such as unsupported platform or missing directory.',
+          content: {
+            'application/json': {
+              schema: { $ref: '#/components/schemas/ErrorResponse' },
+            },
+          },
+        },
+        MethodNotAllowed: {
+          description: 'Only GET and OPTIONS are supported on this local API.',
+          content: {
+            'application/json': {
+              schema: { $ref: '#/components/schemas/ErrorResponse' },
+            },
+          },
+        },
+        InternalError: {
+          description: 'Unexpected server-side failure while building the response.',
+          content: {
+            'application/json': {
+              schema: { $ref: '#/components/schemas/ErrorResponse' },
+            },
+          },
+        },
+      },
+      schemas: {
+        ErrorResponse: {
+          type: 'object',
+          required: ['error'],
+          properties: {
+            error: { type: 'string' },
+          },
+        },
+        ResponseMeta: {
+          type: 'object',
+          required: ['version', 'timestamp'],
+          properties: {
+            version: {
+              type: 'string',
+              example: version,
+            },
+            timestamp: {
+              type: 'string',
+              format: 'date-time',
+            },
+          },
+        },
+        HealthPayload: {
+          type: 'object',
+          required: ['status', 'version', 'checks'],
+          properties: {
+            status: { type: 'string', example: 'ok' },
+            version: { type: 'string', example: version },
+            checks: { type: 'integer', example: catalogSize },
+          },
+        },
+        CatalogEntry: {
+          type: 'object',
+          properties: {
+            platform: { type: 'string', example: 'claude' },
+            id: { type: 'string', example: 'CL-A01' },
+            key: { type: 'string', example: 'claudeMd' },
+            name: { type: 'string', example: 'CLAUDE.md project instructions' },
+            category: { type: 'string', example: 'memory' },
+            impact: { type: 'string', example: 'critical' },
+            fix: { type: 'string' },
+            sourceUrl: { type: 'string' },
+            confidence: { type: 'number', minimum: 0, maximum: 1 },
+          },
+          additionalProperties: true,
+        },
+        AuditStack: {
+          type: 'object',
+          properties: {
+            key: { type: 'string' },
+            label: { type: 'string' },
+          },
+          additionalProperties: true,
+        },
+        AuditAction: {
+          type: 'object',
+          properties: {
+            key: { type: 'string' },
+            name: { type: 'string' },
+            impact: { type: 'string' },
+            fix: { type: 'string' },
+          },
+          additionalProperties: true,
+        },
+        AuditCheck: {
+          type: 'object',
+          properties: {
+            key: { type: 'string' },
+            name: { type: 'string' },
+            impact: { type: 'string' },
+            category: { type: 'string' },
+            passed: {
+              oneOf: [
+                { type: 'boolean' },
+                { type: 'null' },
+              ],
+            },
+          },
+          additionalProperties: true,
+        },
+        AuditPayload: {
+          type: 'object',
+          properties: {
+            platform: { type: 'string', example: 'claude' },
+            platformLabel: { type: 'string', example: 'Claude Code' },
+            score: { type: 'integer', minimum: 0, maximum: 100 },
+            organicScore: { type: 'integer', minimum: 0, maximum: 100 },
+            earnedPoints: { type: 'integer' },
+            maxPoints: { type: 'integer' },
+            isScaffolded: { type: 'boolean' },
+            passed: { type: 'integer' },
+            failed: { type: 'integer' },
+            skipped: { type: 'integer' },
+            checkCount: { type: 'integer' },
+            stacks: {
+              type: 'array',
+              items: { $ref: '#/components/schemas/AuditStack' },
+            },
+            topNextActions: {
+              type: 'array',
+              items: { $ref: '#/components/schemas/AuditAction' },
+            },
+            results: {
+              type: 'array',
+              items: { $ref: '#/components/schemas/AuditCheck' },
+            },
+          },
+          additionalProperties: true,
+        },
+        HarmonyRecommendation: {
+          type: 'object',
+          properties: {
+            priority: { type: 'string' },
+            category: { type: 'string' },
+            message: { type: 'string' },
+          },
+          additionalProperties: true,
+        },
+        ActivePlatform: {
+          type: 'object',
+          properties: {
+            platform: { type: 'string' },
+            label: { type: 'string' },
+          },
+          additionalProperties: true,
+        },
+        HarmonyPayload: {
+          type: 'object',
+          properties: {
+            harmonyScore: { type: 'integer', minimum: 0, maximum: 100 },
+            platformScores: {
+              type: 'object',
+              additionalProperties: { type: 'integer' },
+            },
+            drift: {
+              type: 'object',
+              additionalProperties: true,
+            },
+            recommendations: {
+              type: 'array',
+              items: { $ref: '#/components/schemas/HarmonyRecommendation' },
+            },
+            activePlatforms: {
+              type: 'array',
+              items: { $ref: '#/components/schemas/ActivePlatform' },
+            },
+          },
+          additionalProperties: true,
+        },
+        HealthEnvelope: buildEnvelopeSchema({ $ref: '#/components/schemas/HealthPayload' }),
+        CatalogEnvelope: buildEnvelopeSchema({
+          type: 'array',
+          items: { $ref: '#/components/schemas/CatalogEntry' },
+        }),
+        AuditEnvelope: buildEnvelopeSchema({ $ref: '#/components/schemas/AuditPayload' }),
+        HarmonyEnvelope: buildEnvelopeSchema({ $ref: '#/components/schemas/HarmonyPayload' }),
+      },
+    },
+  };
+}
+
 function createServer(options = {}) {
   const baseDir = path.resolve(options.baseDir || process.cwd());
 
@@ -74,6 +461,13 @@ function createServer(options = {}) {
     }
 
     try {
+      if (requestUrl.pathname === '/api/openapi.json') {
+        sendJson(res, 200, buildServeOpenApiSpec({
+          serverUrl: `http://${req.headers.host || '127.0.0.1:3000'}`,
+        }));
+        return;
+      }
+
       if (requestUrl.pathname === '/api/health') {
         sendJson(res, 200, envelope({
           status: 'ok',
@@ -127,6 +521,7 @@ function startServer(options = {}) {
 }
 
 module.exports = {
+  buildServeOpenApiSpec,
   createServer,
   startServer,
 };

package/src/setup.js

@@ -809,8 +809,8 @@ process.stdin.on('end', () => {
     // Check command (for Bash)
     const cmd = (data.tool_input && data.tool_input.command) || '';
 
-    const secretPattern = /\\.env($|\\.)|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i;
-    const bashSecretPattern = /\\bcat\\s+\\.env|\\bless\\s+\\.env|\\bhead\\s+\\.env|\\btail\\s+\\.env|\\bgrep\\b.*\\.env|\\bcp\\s+\\.env|\\bmv\\s+\\.env|\\bbase64\\s+\\.env|\\bxxd\\s+\\.env|secrets\\/|credentials|\\.pem\\b|\\.key\\b/i;
+    const secretPattern = /\\.env($|\\.)|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$|\\.(?:p12|pfx)$|(?:^|[\\/\\\\])\\.ssh(?:[\\/\\\\]|$)|(?:^|[\\/\\\\])id_(?:rsa|dsa|ecdsa|ed25519)$|\\.tfvars(?:\\.json)?$|values[-_.]?secret\\.ya?ml$|service-?account[^\\/\\\\]*\\.json$|gcp[^\\/\\\\]*credentials?[^\\/\\\\]*\\.json$|sa-key[^\\/\\\\]*\\.json$/i;
+    const bashSecretPattern = /\\bcat\\s+\\.env|\\bless\\s+\\.env|\\bhead\\s+\\.env|\\btail\\s+\\.env|\\bgrep\\b.*\\.env|\\bcp\\s+\\.env|\\bmv\\s+\\.env|\\bbase64\\s+\\.env|\\bxxd\\s+\\.env|secrets[\\/\\\\]|credentials|\\.pem\\b|\\.key\\b|\\.(?:p12|pfx)\\b|\\.ssh[\\/\\\\]|id_(?:rsa|dsa|ecdsa|ed25519)\\b|\\.tfvars(?:\\.json)?\\b|values[-_.]?secret\\.ya?ml\\b|service-?account[^\\s]*\\.json\\b|gcp[^\\s]*credentials?[^\\s]*\\.json\\b|sa-key[^\\s]*\\.json\\b/i;
 
     if (secretPattern.test(fp) || bashSecretPattern.test(cmd)) {
       console.log(JSON.stringify({ decision: 'block', reason: 'Blocked: accessing secret/credential files is not allowed.' }));