npm - @nerviq/cli - Versions diffs - 1.10.0 → 1.11.0 - Mend

@nerviq/cli 1.10.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/src/techniques.js CHANGED Viewed

@@ -6,6 +6,7 @@
 const fs = require('fs');
 const path = require('path');
+const { collectClaudeDenyRules } = require('./permission-rules');
 const {
   getClaudeInstructionBundle,
   hasDocumentedVerificationGuidance,
@@ -560,19 +561,19 @@ const TECHNIQUES = {
     template: null
   },
-  noSecretsInClaude: {
-    id: 1039,
-    name: 'CLAUDE.md has no embedded API keys',
-    check: (ctx) => {
-      const md = ctx.claudeMdContent() || '';
-      return !containsEmbeddedSecret(md);
-    },
-    impact: 'critical',
-    rating: 5,
-    category: 'git',
-    fix: 'Remove API keys from CLAUDE.md. Use environment variables or .env files instead.',
-    template: null
-  },
+  noSecretsInClaude: {
+    id: 1039,
+    name: 'CLAUDE.md has no embedded secrets',
+    check: (ctx) => {
+      const md = ctx.claudeMdContent() || '';
+      return !containsEmbeddedSecret(md);
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'git',
+    fix: 'Remove hardcoded secrets, tokens, private keys, and connection strings from CLAUDE.md. Use environment variables or external secret stores instead.',
+    template: null
+  },
   // ============================================================
   // === WORKFLOW (category: 'workflow') =========================
@@ -717,16 +718,13 @@ const TECHNIQUES = {
     template: null
   },
-  permissionDeny: {
-    id: 2401,
-    name: 'Deny rules configured in permissions',
-    check: (ctx) => {
-      const settings = ctx.jsonFile('.claude/settings.local.json') || ctx.jsonFile('.claude/settings.json');
-      if (!settings || !settings.permissions) return false;
-      const deny = settings.permissions.deny;
-      return Array.isArray(deny) && deny.length > 0;
-    },
-    impact: 'high',
+  permissionDeny: {
+    id: 2401,
+    name: 'Deny rules configured in permissions',
+    check: (ctx) => {
+      return collectClaudeDenyRules(ctx).length > 0;
+    },
+    impact: 'high',
     rating: 5,
     category: 'security',
     fix: 'Add permissions.deny rules to block dangerous operations (e.g. rm -rf, dropping databases).',
@@ -754,18 +752,19 @@ const TECHNIQUES = {
     template: null
   },
-  secretsProtection: {
-    id: 1096,
-    name: 'Secrets protection configured',
-    check: (ctx) => {
-      // Prefer shared settings.json (committed) over local override
-      const settings = ctx.jsonFile('.claude/settings.json') || ctx.jsonFile('.claude/settings.local.json');
-      if (!settings || !settings.permissions) return false;
-      const deny = JSON.stringify(settings.permissions.deny || []);
-      const hasDeny = deny.includes('.env') || deny.includes('secrets');
-      // Fail if allow includes "*" (overly broad — bypasses deny rules)
-      const allow = settings.permissions.allow || [];
-      if (Array.isArray(allow) && allow.includes('*')) return false;
+  secretsProtection: {
+    id: 1096,
+    name: 'Secrets protection configured',
+    check: (ctx) => {
+      const shared = ctx.jsonFile('.claude/settings.json');
+      const local = ctx.jsonFile('.claude/settings.local.json');
+      const settings = shared || local;
+      if (!settings || !settings.permissions) return false;
+      const denyRules = collectClaudeDenyRules(ctx);
+      const hasDeny = denyRules.some((rule) => rule.protectsSecrets);
+      // Fail if allow includes "*" (overly broad — bypasses deny rules)
+      const allow = settings.permissions.allow || [];
+      if (Array.isArray(allow) && allow.includes('*')) return false;
       return hasDeny;
     },
     impact: 'critical',
@@ -1527,16 +1526,13 @@ const TECHNIQUES = {
     template: null
   },
-  denyRulesDepth: {
-    id: 2014,
-    name: 'Deny rules cover 3+ patterns',
-    check: (ctx) => {
-      const shared = ctx.jsonFile('.claude/settings.json');
-      const local = ctx.jsonFile('.claude/settings.local.json');
-      const deny = (shared?.permissions?.deny || []).concat(local?.permissions?.deny || []);
-      return deny.length >= 3;
-    },
-    impact: 'high', rating: 4, category: 'security',
+  denyRulesDepth: {
+    id: 2014,
+    name: 'Deny rules cover 3+ patterns',
+    check: (ctx) => {
+      return collectClaudeDenyRules(ctx).length >= 3;
+    },
+    impact: 'high', rating: 4, category: 'security',
     fix: 'Add at least 3 deny rules: rm -rf, force-push, and .env reads. More patterns = safer Claude.',
     template: null
   },

package/src/terminology.js ADDED Viewed

@@ -0,0 +1,73 @@
+'use strict';
+const TERMINOLOGY = {
+  governance: {
+    label: 'governance',
+    description: 'the rollout safety layer: permissions, hooks, profiles, and policy packs',
+  },
+  hooks: {
+    label: 'hooks',
+    description: 'auto-run checks or scripts triggered before or after agent tool actions',
+  },
+  denyRules: {
+    label: 'deny rules',
+    description: 'explicit blocks for risky reads or commands like .env access or rm -rf',
+  },
+  mcp: {
+    label: 'MCP',
+    description: 'live external tool connectors for docs, APIs, databases, and other systems',
+  },
+};
+const TERM_ORDER = ['governance', 'hooks', 'denyRules', 'mcp'];
+function normalizeTermKeys(keys = []) {
+  const seen = new Set();
+  for (const key of keys) {
+    if (!TERMINOLOGY[key]) continue;
+    seen.add(key);
+  }
+  return TERM_ORDER.filter((key) => seen.has(key));
+}
+function collectAuditTerminology(result = {}) {
+  const terms = new Set();
+  const texts = [];
+  for (const item of result.topNextActions || []) {
+    texts.push(item.name || '', item.fix || '', item.why || '', item.module || '', ...(item.signals || []));
+  }
+  for (const item of result.results || []) {
+    if (item.passed === false) {
+      texts.push(item.key || '', item.name || '', item.fix || '', item.category || '');
+    }
+  }
+  const blob = texts.join('\n');
+  if (/\bhook/i.test(blob)) terms.add('hooks');
+  if (/\bdeny rules?\b|permissions?\.deny|bypasspermissions|\.env access|rm -rf/i.test(blob)) terms.add('denyRules');
+  if (/\bmcp\b|context7|external tool/i.test(blob)) terms.add('mcp');
+  if (/\bgovernance\b|policy pack|permission profile/i.test(blob) || terms.size > 0) terms.add('governance');
+  return normalizeTermKeys([...terms]);
+}
+function formatTerminologyLines(keys, options = {}) {
+  const normalized = normalizeTermKeys(keys);
+  if (normalized.length === 0) return [];
+  const title = options.title || '  Terms used here:';
+  const indent = options.indent || '  ';
+  const bullet = options.bullet || '-';
+  return [
+    title,
+    ...normalized.map((key) => `${indent}${bullet} ${TERMINOLOGY[key].label}: ${TERMINOLOGY[key].description}`),
+  ];
+}
+module.exports = {
+  TERMINOLOGY,
+  collectAuditTerminology,
+  formatTerminologyLines,
+};

package/src/token-estimate.js ADDED Viewed

@@ -0,0 +1,35 @@
+function splitIdentifierSegments(value) {
+  return String(value || '')
+    .replace(/([a-z0-9])([A-Z])/g, '$1 $2')
+    .replace(/[_./:-]+/g, ' ')
+    .split(/\s+/)
+    .filter(Boolean);
+}
+function estimateSegmentTokens(segment) {
+  const charCount = [...String(segment || '')].length;
+  return Math.max(1, Math.ceil(charCount / 4));
+}
+function estimateTokenCount(text) {
+  if (typeof text !== 'string' || !text) return 0;
+  const parts = text.match(/[\p{L}\p{N}_]+|[^\s]/gu) || [];
+  let total = 0;
+  for (const part of parts) {
+    if (/^[\p{L}\p{N}_]+$/u.test(part)) {
+      const segments = splitIdentifierSegments(part);
+      total += segments.reduce((sum, segment) => sum + estimateSegmentTokens(segment), 0);
+      continue;
+    }
+    total += 1;
+  }
+  return total;
+}
+module.exports = {
+  estimateTokenCount,
+};

package/src/workspace.js CHANGED Viewed

@@ -177,6 +177,104 @@ function summarizeAuditResult(result, scoreType, scope) {
   };
 }
+function summarizeWorkspaceEntry(result, workspacePath, absPath, platform) {
+  const stackKeys = (result.stacks || []).map((item) => item.key);
+  const stackLabels = (result.stacks || []).map((item) => item.label);
+  return {
+    name: path.basename(workspacePath),
+    workspace: workspacePath,
+    dir: absPath,
+    platform,
+    stackKeys,
+    stackLabels,
+    workspaceProfile: classifyWorkspaceProfile(stackKeys),
+    ...summarizeAuditResult(result, 'workspace-live-audit', 'workspace-package'),
+  };
+}
+function classifyWorkspaceProfile(stackKeys) {
+  const keys = new Set(Array.isArray(stackKeys) ? stackKeys : []);
+  const matchAny = (candidates) => candidates.some((candidate) => keys.has(candidate));
+  if (matchAny(['go'])) {
+    return { key: 'go-workspace', label: 'Go workspace' };
+  }
+  if (matchAny(['python', 'django', 'fastapi'])) {
+    return { key: 'python-workspace', label: 'Python workspace' };
+  }
+  if (matchAny(['dotnet'])) {
+    return { key: 'dotnet-workspace', label: '.NET workspace' };
+  }
+  if (matchAny(['java', 'spring'])) {
+    return { key: 'java-workspace', label: 'Java workspace' };
+  }
+  if (matchAny(['flutter', 'dart'])) {
+    return { key: 'flutter-workspace', label: 'Flutter workspace' };
+  }
+  if (matchAny(['swift'])) {
+    return { key: 'swift-workspace', label: 'Swift workspace' };
+  }
+  if (matchAny(['kotlin'])) {
+    return { key: 'kotlin-workspace', label: 'Kotlin workspace' };
+  }
+  if (matchAny(['react', 'nextjs', 'node', 'typescript', 'javascript', 'nestjs', 'vue', 'angular', 'svelte'])) {
+    return { key: 'node-workspace', label: 'Node / JS workspace' };
+  }
+  return { key: 'general-workspace', label: 'General workspace' };
+}
+function buildProfileBreakdown(results) {
+  const grouped = new Map();
+  for (const item of results) {
+    const profileKey = item.workspaceProfile?.key || 'general-workspace';
+    const profileLabel = item.workspaceProfile?.label || 'General workspace';
+    if (!grouped.has(profileKey)) {
+      grouped.set(profileKey, {
+        profileKey,
+        profileLabel,
+        scoreType: 'workspace-live-audit',
+        workspaceCount: 0,
+        workspaces: [],
+        stackLabels: new Set(),
+        scores: [],
+        totals: [],
+      });
+    }
+    const entry = grouped.get(profileKey);
+    entry.workspaceCount += 1;
+    entry.workspaces.push(item.workspace);
+    for (const label of item.stackLabels || []) {
+      entry.stackLabels.add(label);
+    }
+    if (typeof item.score === 'number') {
+      entry.scores.push(item.score);
+    }
+    if (typeof item.total === 'number') {
+      entry.totals.push(item.total);
+    }
+  }
+  return [...grouped.values()]
+    .map((entry) => ({
+      profileKey: entry.profileKey,
+      profileLabel: entry.profileLabel,
+      scoreType: 'workspace-live-audit',
+      workspaceCount: entry.workspaceCount,
+      averageScore: entry.scores.length > 0
+        ? Math.round(entry.scores.reduce((sum, value) => sum + value, 0) / entry.scores.length)
+        : 0,
+      averageTotal: entry.totals.length > 0
+        ? Math.round(entry.totals.reduce((sum, value) => sum + value, 0) / entry.totals.length)
+        : 0,
+      stackLabels: [...entry.stackLabels].sort(),
+      workspaces: entry.workspaces.sort(),
+    }))
+    .sort((left, right) => left.profileLabel.localeCompare(right.profileLabel));
+}
 async function auditWorkspaces(dir, workspaceGlobs, platform = 'claude') {
   const { audit } = require('./audit');
   const rootDir = path.resolve(dir);
@@ -207,14 +305,7 @@ async function auditWorkspaces(dir, workspaceGlobs, platform = 'claude') {
     const absPath = path.join(rootDir, workspacePath);
     try {
       const result = await audit({ dir: absPath, platform, silent: true });
-      results.push({
-        name: path.basename(workspacePath),
-        workspace: workspacePath,
-        dir: absPath,
-        platform,
-        ...summarizeAuditResult(result, 'workspace-live-audit', 'workspace-package'),
-        result,
-      });
+      results.push(summarizeWorkspaceEntry(result, workspacePath, absPath, platform));
     } catch (error) {
       results.push({
         name: path.basename(workspacePath),
@@ -227,6 +318,9 @@ async function auditWorkspaces(dir, workspaceGlobs, platform = 'claude') {
         passed: 0,
         total: 0,
         topAction: null,
+        stackKeys: [],
+        stackLabels: [],
+        workspaceProfile: { key: 'general-workspace', label: 'General workspace' },
         error: error.message,
       });
     }
@@ -238,6 +332,7 @@ async function auditWorkspaces(dir, workspaceGlobs, platform = 'claude') {
     : 0;
   const maxScore = validScores.length > 0 ? Math.max(...validScores) : 0;
   const minScore = validScores.length > 0 ? Math.min(...validScores) : 0;
+  const profileBreakdown = buildProfileBreakdown(results);
   return {
     summaryType: 'monorepo-workspace-audit',
@@ -254,10 +349,12 @@ async function auditWorkspaces(dir, workspaceGlobs, platform = 'claude') {
       maxScore,
       minScore,
     },
+    profileBreakdown,
     scoreSemantics: {
       rootGovernance: 'Root repo live audit for shared instructions, hooks, permissions, and top-level governance files.',
       workspaceAggregate: 'Average of the selected workspace live audit scores. This is a package coverage rollup, not the root repo score.',
       workspaceEntries: 'Each workspace row is a package-level live audit. Package scores can differ from the root governance score for legitimate reasons.',
+      workspaceProfiles: 'Workspace totals can differ because each package uses a stack-specific check profile based on detected languages and frameworks.',
     },
     workspaces: results,
     detectedWorkspaces: workspacePaths,