@nerviq/cli 1.10.0 → 1.12.0

package/src/org.js

@@ -1,48 +1,119 @@
 const fs = require('fs');
 const path = require('path');
+const { resolvePolicyLayers, applyPolicyLayersToOptions } = require('./policy-layers');
 
-async function scanOrg(dirs, platform = 'claude') {
+function summarizePolicyCoverage(contract) {
+  const validLayers = (contract?.layers || []).filter((layer) => layer.valid);
+  return {
+    layerCount: validLayers.length,
+    layerKeys: validLayers.map((layer) => layer.layer),
+    org: validLayers.some((layer) => layer.layer === 'org'),
+    team: validLayers.some((layer) => layer.layer === 'team'),
+    repo: validLayers.some((layer) => layer.layer === 'repo'),
+  };
+}
+
+function buildScoreBands(repos) {
+  const bands = {
+    strong: 0,
+    developing: 0,
+    bootstrap: 0,
+    unknown: 0,
+  };
+
+  for (const repo of repos) {
+    if (typeof repo.score !== 'number') {
+      bands.unknown += 1;
+    } else if (repo.score >= 70) {
+      bands.strong += 1;
+    } else if (repo.score >= 40) {
+      bands.developing += 1;
+    } else {
+      bands.bootstrap += 1;
+    }
+  }
+
+  return bands;
+}
+
+function buildTopEvidence(repos) {
+  const counts = new Map();
+  for (const repo of repos) {
+    const key = repo.topActionKey;
+    if (!key) continue;
+    counts.set(key, (counts.get(key) || 0) + 1);
+  }
+
+  return [...counts.entries()]
+    .map(([key, repoCount]) => ({ key, repoCount }))
+    .sort((a, b) => b.repoCount - a.repoCount)
+    .slice(0, 5);
+}
+
+async function scanOrg(dirs, options = {}) {
   const { audit } = require('./audit');
   const targets = Array.isArray(dirs) ? dirs : [];
   const repos = [];
+  const fallbackPlatform = options.platform || 'claude';
 
   for (const dir of targets) {
-    const resolved = path.resolve(dir);
-    if (!fs.existsSync(resolved)) {
+    const resolvedDir = path.resolve(dir);
+    const policyContract = resolvePolicyLayers(resolvedDir);
+    const policyCoverage = summarizePolicyCoverage(policyContract);
+
+    if (!fs.existsSync(resolvedDir)) {
       repos.push({
         name: path.basename(dir),
-        dir: resolved,
-        platform,
+        dir: resolvedDir,
+        platform: fallbackPlatform,
+        scoreType: 'live-repo-audit-score',
         score: null,
         passed: 0,
         total: 0,
         topAction: null,
+        topActionKey: null,
+        policyCoverage,
+        policyLayers: policyContract,
         error: 'directory not found',
       });
       continue;
     }
 
+    const repoOptions = applyPolicyLayersToOptions(policyContract, {
+      ...options,
+      dir: resolvedDir,
+      silent: true,
+    });
+
     try {
-      const result = await audit({ dir: resolved, platform, silent: true });
+      const result = await audit(repoOptions);
       repos.push({
-        name: path.basename(resolved),
-        dir: resolved,
-        platform,
+        name: path.basename(resolvedDir),
+        dir: resolvedDir,
+        platform: repoOptions.platform || fallbackPlatform,
+        scoreType: 'live-repo-audit-score',
         score: result.score,
         passed: result.passed,
         total: result.checkCount,
         topAction: result.topNextActions?.[0]?.name || null,
+        topActionKey: result.topNextActions?.[0]?.key || null,
+        policyCoverage,
+        policyLayers: policyContract,
         result,
       });
     } catch (error) {
       repos.push({
-        name: path.basename(resolved),
-        dir: resolved,
-        platform,
+        name: path.basename(resolvedDir),
+        dir: resolvedDir,
+        platform: repoOptions.platform || fallbackPlatform,
+        scoreType: 'live-repo-audit-score',
         score: null,
         passed: 0,
         total: 0,
         topAction: null,
+        topActionKey: null,
+        policyCoverage,
+        policyLayers: policyContract,
         error: error.message,
       });
     }
@@ -54,11 +125,24 @@ async function scanOrg(dirs, platform = 'claude') {
     : 0;
 
   return {
-    platform,
+    platform: fallbackPlatform,
     repoCount: repos.length,
     averageScore,
+    scoreType: 'org-live-average-score',
+    scoreSemantics: {
+      repoScoreType: 'live-repo-audit-score',
+      rollupScoreType: 'org-live-average-score',
+      note: 'Repo rows are live per-repo audits. The org average is a rollup across those live repo scores, not a snapshot score or benchmark projection.',
+    },
     maxScore: validScores.length > 0 ? Math.max(...validScores) : 0,
     minScore: validScores.length > 0 ? Math.min(...validScores) : 0,
+    scoreBands: buildScoreBands(repos),
+    policyCoverage: {
+      orgPolicyRepos: repos.filter((repo) => repo.policyCoverage.org).length,
+      teamPolicyRepos: repos.filter((repo) => repo.policyCoverage.team).length,
+      repoPolicyRepos: repos.filter((repo) => repo.policyCoverage.repo).length,
+    },
+    topEvidence: buildTopEvidence(repos),
     repos,
   };
 }

package/src/permission-rules.js

@@ -0,0 +1,218 @@
+const fs = require('fs');
+const path = require('path');
+
+const PATH_ACTIONS = new Set(['read', 'write', 'edit', 'multiedit']);
+const SECRET_PATH_RE = /(^|\/)(\.env(?:[^/]*)?|secrets?)(\/|$)/i;
+
+function normalizeSlash(value) {
+  return String(value || '').replace(/\\/g, '/');
+}
+
+function stripWrappingQuotes(value) {
+  const trimmed = String(value || '').trim();
+  if (!trimmed) return '';
+  const first = trimmed[0];
+  const last = trimmed[trimmed.length - 1];
+  if ((first === '"' || first === "'") && first === last) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+
+function getProjectRoot(rootDir) {
+  try {
+    return fs.realpathSync.native(rootDir);
+  } catch {
+    return path.resolve(rootDir);
+  }
+}
+
+function splitPatternSegments(rawPattern, isAbsolute) {
+  const normalized = normalizeSlash(rawPattern);
+
+  if (/^[A-Za-z]:\//.test(normalized)) {
+    return normalized.slice(3).split('/').filter(Boolean);
+  }
+
+  if (isAbsolute && normalized.startsWith('/')) {
+    return normalized.slice(1).split('/').filter(Boolean);
+  }
+
+  return normalized.split('/').filter((segment) => segment && segment !== '.');
+}
+
+function hasGlob(segment) {
+  return /[*?[\]{}]/.test(segment);
+}
+
+function buildAbsolutePattern(rootDir, rawPattern) {
+  const normalized = stripWrappingQuotes(normalizeSlash(rawPattern).replace(/^file:\/\//i, ''));
+  if (!normalized) {
+    return {
+      absolutePattern: null,
+      normalizedInput: '',
+      isAbsolute: false,
+      traversalSegments: false,
+    };
+  }
+
+  const isAbsolute = /^[A-Za-z]:\//.test(normalized) || normalized.startsWith('/');
+  const traversalSegments = normalized.split('/').some((segment) => segment === '..');
+  const segments = splitPatternSegments(normalized, isAbsolute);
+  let current = isAbsolute ? path.parse(path.resolve(normalized)).root : getProjectRoot(rootDir);
+
+  for (const segment of segments) {
+    const candidate = path.join(current, segment);
+    if (hasGlob(segment)) {
+      current = candidate;
+      continue;
+    }
+
+    try {
+      current = fs.realpathSync.native(candidate);
+    } catch {
+      current = candidate;
+    }
+  }
+
+  return {
+    absolutePattern: current,
+    normalizedInput: normalized,
+    isAbsolute,
+    traversalSegments,
+  };
+}
+
+function normalizePathPayload(rawPayload, rootDir) {
+  const {
+    absolutePattern,
+    normalizedInput,
+    isAbsolute,
+    traversalSegments,
+  } = buildAbsolutePattern(rootDir, rawPayload);
+
+  if (!absolutePattern) {
+    return {
+      normalizedPath: '',
+      repoRelativePath: '',
+      outsideRepo: false,
+      invalid: true,
+      isAbsolute,
+      traversalSegments,
+    };
+  }
+
+  const projectRoot = getProjectRoot(rootDir);
+  const relativePath = normalizeSlash(path.relative(projectRoot, absolutePattern));
+  const outsideRepo = relativePath === '..' || relativePath.startsWith('../') || /^[A-Za-z]:\//.test(relativePath);
+  const repoRelativePath = outsideRepo ? null : relativePath || '.';
+  const normalizedPath = outsideRepo
+    ? normalizeSlash(absolutePattern)
+    : `./${repoRelativePath}`;
+
+  return {
+    normalizedPath,
+    repoRelativePath,
+    outsideRepo,
+    invalid: traversalSegments && outsideRepo && !isAbsolute,
+    isAbsolute,
+    traversalSegments,
+    normalizedInput,
+  };
+}
+
+function normalizeCommandPayload(rawPayload) {
+  return stripWrappingQuotes(rawPayload).replace(/\s+/g, ' ').trim();
+}
+
+function normalizePermissionRule(rule, rootDir) {
+  if (typeof rule !== 'string' || !rule.trim()) return null;
+  const trimmed = rule.trim();
+  const match = trimmed.match(/^([A-Za-z]+)\((.*)\)$/);
+  if (!match) {
+    return {
+      raw: trimmed,
+      action: null,
+      payload: trimmed,
+      normalized: trimmed,
+      dedupeKey: trimmed.toLowerCase(),
+      kind: 'raw',
+      invalid: false,
+      outsideRepo: false,
+      protectsSecrets: false,
+    };
+  }
+
+  const action = match[1];
+  const payload = match[2].trim();
+  const actionKey = action.toLowerCase();
+
+  if (PATH_ACTIONS.has(actionKey)) {
+    const details = normalizePathPayload(payload, rootDir);
+    const dedupeKey = `${actionKey}:${details.normalizedPath.toLowerCase()}`;
+    return {
+      raw: trimmed,
+      action,
+      payload,
+      normalized: `${action}(${details.normalizedPath})`,
+      normalizedPath: details.normalizedPath,
+      repoRelativePath: details.repoRelativePath,
+      dedupeKey,
+      kind: 'path',
+      invalid: details.invalid,
+      outsideRepo: details.outsideRepo,
+      traversalSegments: details.traversalSegments,
+      isAbsolute: details.isAbsolute,
+      protectsSecrets: !details.outsideRepo && SECRET_PATH_RE.test(details.repoRelativePath || ''),
+    };
+  }
+
+  const normalizedPayload = normalizeCommandPayload(payload);
+  return {
+    raw: trimmed,
+    action,
+    payload,
+    normalized: `${action}(${normalizedPayload})`,
+    dedupeKey: `${actionKey}:${normalizedPayload.toLowerCase()}`,
+    kind: 'command',
+    invalid: false,
+    outsideRepo: false,
+    protectsSecrets: false,
+  };
+}
+
+function normalizePermissionRules(rules, rootDir) {
+  const seen = new Set();
+  const normalized = [];
+
+  for (const rule of Array.isArray(rules) ? rules : []) {
+    const entry = normalizePermissionRule(rule, rootDir);
+    if (!entry || entry.invalid) continue;
+    if (seen.has(entry.dedupeKey)) continue;
+    seen.add(entry.dedupeKey);
+    normalized.push(entry);
+  }
+
+  return normalized;
+}
+
+function collectClaudeDenyRules(ctx) {
+  const shared = ctx.jsonFile('.claude/settings.json');
+  const local = ctx.jsonFile('.claude/settings.local.json');
+  const denyRules = []
+    .concat(shared?.permissions?.deny || [])
+    .concat(local?.permissions?.deny || []);
+
+  return normalizePermissionRules(denyRules, ctx.dir);
+}
+
+function hasSecretDenyRule(rules) {
+  return (Array.isArray(rules) ? rules : []).some((rule) => rule && rule.protectsSecrets);
+}
+
+module.exports = {
+  collectClaudeDenyRules,
+  hasSecretDenyRule,
+  normalizePermissionRule,
+  normalizePermissionRules,
+};

package/src/plans.js

@@ -59,6 +59,32 @@ const FALLBACK_TEMPLATE_BY_KEY = {
   agentsHaveMaxTurns: 'agents',
 };
 
+const VERIFICATION_TRIGGER_KEYS = new Set([
+  'verificationLoop',
+  'testCommand',
+  'lintCommand',
+  'buildCommand',
+]);
+
+const GOVERNANCE_TRIGGER_KEYS = new Set([
+  'permissionDeny',
+  'secretsProtection',
+  'preToolUseHook',
+  'postToolUseHook',
+  'sessionStartHook',
+  'hooksInSettings',
+  'settingsPermissions',
+  'securityReview',
+]);
+
+const AUTOMATION_TRIGGER_KEYS = new Set([
+  'customCommands',
+  'skills',
+  'agents',
+  'multipleAgents',
+  'multipleMcpServers',
+]);
+
 function previewContent(content) {
   return content.split('\n').slice(0, 12).join('\n');
 }
@@ -372,9 +398,140 @@ function toProposal(templateKey, triggers, templateFiles, ctx) {
   };
 }
 
+function proposalMatchesTriggerKeys(proposal, keySet) {
+  return (proposal.triggers || []).some((trigger) => keySet.has(trigger.key));
+}
+
+function collectCampaignProposals(proposals, predicate) {
+  return proposals.filter((proposal) => proposal.readyToApply && predicate(proposal));
+}
+
+function buildCampaigns(bundle) {
+  const proposals = Array.isArray(bundle?.proposals) ? bundle.proposals : [];
+  const campaigns = [];
+  const maturity = bundle?.projectSummary?.maturity || 'unknown';
+
+  const starterBaseline = collectCampaignProposals(
+    proposals,
+    (proposal) => ['claude-md', 'commands', 'rules', 'hooks', 'agents'].includes(proposal.id),
+  );
+  if (starterBaseline.length > 0) {
+    campaigns.push({
+      key: 'starter-baseline',
+      label: 'Starter baseline',
+      summary: 'Establish the managed baseline surfaces Nerviq expects before deeper upgrades.',
+      proposalIds: starterBaseline.map((proposal) => proposal.id),
+      milestone: maturity === 'mature' ? 'pre-upgrade' : 'baseline',
+      focusAreas: ['config-drift', 'maturity-opportunity'],
+    });
+  }
+
+  const verificationClosure = collectCampaignProposals(
+    proposals,
+    (proposal) => proposalMatchesTriggerKeys(proposal, VERIFICATION_TRIGGER_KEYS),
+  );
+  if (verificationClosure.length > 0) {
+    campaigns.push({
+      key: 'verification-closure',
+      label: 'Verification closure',
+      summary: 'Close missing test/lint/build loops so audits can be verified continuously.',
+      proposalIds: verificationClosure.map((proposal) => proposal.id),
+      milestone: 'post-fix',
+      focusAreas: ['config-drift', 'maturity-opportunity'],
+    });
+  }
+
+  const governanceHardening = collectCampaignProposals(
+    proposals,
+    (proposal) => proposal.id === 'hooks' || proposalMatchesTriggerKeys(proposal, GOVERNANCE_TRIGGER_KEYS),
+  );
+  if (governanceHardening.length > 0) {
+    campaigns.push({
+      key: 'governance-hardening',
+      label: 'Governance hardening',
+      summary: 'Tighten permissions, hooks, secret protection, and reviewable safety defaults.',
+      proposalIds: governanceHardening.map((proposal) => proposal.id),
+      milestone: 'pre-upgrade',
+      focusAreas: ['policy-drift', 'config-drift'],
+    });
+  }
+
+  const reviewableAutomation = collectCampaignProposals(
+    proposals,
+    (proposal) => proposal.id === 'agents' || proposal.id === 'commands' || proposalMatchesTriggerKeys(proposal, AUTOMATION_TRIGGER_KEYS),
+  );
+  if (reviewableAutomation.length > 0) {
+    campaigns.push({
+      key: 'reviewable-automation',
+      label: 'Reviewable automation',
+      summary: 'Add automation surfaces that keep upgrades inspectable instead of ad-hoc.',
+      proposalIds: reviewableAutomation.map((proposal) => proposal.id),
+      milestone: 'pre-upgrade',
+      focusAreas: ['maturity-opportunity', 'config-drift'],
+    });
+  }
+
+  return campaigns.filter((campaign, index, all) =>
+    all.findIndex((item) => item.key === campaign.key) === index,
+  );
+}
+
+function filterBundleByCampaigns(bundle, campaignKeys = []) {
+  if (!Array.isArray(campaignKeys) || campaignKeys.length === 0) {
+    return bundle;
+  }
+
+  const available = new Map((bundle.campaigns || []).map((campaign) => [campaign.key, campaign]));
+  const missing = campaignKeys.filter((key) => !available.has(key));
+  if (missing.length > 0) {
+    throw new Error(`unknown campaign(s): ${missing.join(', ')}`);
+  }
+
+  const selectedIds = new Set();
+  for (const key of campaignKeys) {
+    for (const proposalId of available.get(key).proposalIds || []) {
+      selectedIds.add(proposalId);
+    }
+  }
+
+  return {
+    ...bundle,
+    selectedCampaigns: campaignKeys,
+    proposals: bundle.proposals.filter((proposal) => selectedIds.has(proposal.id)),
+    campaigns: (bundle.campaigns || []).filter((campaign) => campaignKeys.includes(campaign.key)),
+  };
+}
+
+function resolveSelectionSet(bundle, options = {}) {
+  const proposalIds = new Set((bundle.proposals || []).map((proposal) => proposal.id));
+  const onlySet = options.only && options.only.length > 0 ? new Set(options.only) : null;
+  const campaignSet = options.campaigns && options.campaigns.length > 0
+    ? new Set((bundle.campaigns || []).flatMap((campaign) => {
+      if (!options.campaigns.includes(campaign.key)) return [];
+      return campaign.proposalIds || [];
+    }))
+    : null;
+
+  if (onlySet && campaignSet) {
+    return new Set([...onlySet].filter((proposalId) => campaignSet.has(proposalId) && proposalIds.has(proposalId)));
+  }
+  if (onlySet) {
+    return new Set([...onlySet].filter((proposalId) => proposalIds.has(proposalId)));
+  }
+  if (campaignSet) {
+    return new Set([...campaignSet].filter((proposalId) => proposalIds.has(proposalId)));
+  }
+
+  return null;
+}
+
 async function buildProposalBundle(options) {
   if (options.platform === 'codex') {
-    return buildCodexProposalBundle(options);
+    const bundle = await buildCodexProposalBundle(options);
+    return filterBundleByCampaigns({
+      ...bundle,
+      campaigns: buildCampaigns(bundle),
+    }, options.campaigns);
   }
 
   const ctx = new ProjectContext(options.dir);
@@ -405,7 +562,7 @@ async function buildProposalBundle(options) {
     return impactB - impactA;
   });
 
-  return {
+  return filterBundleByCampaigns({
     schemaVersion: 1,
     generatedBy: `nerviq@${version}`,
     createdAt: new Date().toISOString(),
@@ -416,7 +573,8 @@ async function buildProposalBundle(options) {
     riskNotes: report.riskNotes,
     mcpPreflightWarnings,
     proposals,
-  };
+    campaigns: buildCampaigns({ proposals, projectSummary: report.projectSummary }),
+  }, options.campaigns);
 }
 
 function printProposalBundle(bundle, options = {}) {
@@ -429,8 +587,19 @@ function printProposalBundle(bundle, options = {}) {
   console.log('  nerviq plan');
   console.log('  ═══════════════════════════════════════');
   console.log(`  ${bundle.projectSummary.name} | maturity=${bundle.projectSummary.maturity} | score=${bundle.projectSummary.score}/100`);
+  if (bundle.projectSummary.archetype) {
+    console.log(`  archetype=${bundle.projectSummary.archetype} | workflow=${bundle.projectSummary.workflow || 'unknown'} | risk=${bundle.projectSummary.riskLevel || 'unknown'}`);
+  }
+  if (bundle.projectSummary.operatingProfile) {
+    console.log(`  operating-profile=${bundle.projectSummary.operatingProfile}`);
+  }
   console.log('');
 
+  if (bundle.selectedCampaigns && bundle.selectedCampaigns.length > 0) {
+    console.log(`  Selected campaigns: ${bundle.selectedCampaigns.join(', ')}`);
+    console.log('');
+  }
+
   if (bundle.mcpPreflightWarnings && bundle.mcpPreflightWarnings.length > 0) {
     console.log('  MCP Preflight Warnings');
     for (const warning of bundle.mcpPreflightWarnings) {
@@ -445,6 +614,16 @@ function printProposalBundle(bundle, options = {}) {
     return;
   }
 
+  if (bundle.campaigns && bundle.campaigns.length > 0) {
+    console.log('  Upgrade campaigns');
+    for (const campaign of bundle.campaigns) {
+      console.log(`  - ${campaign.key} (${campaign.milestone})`);
+      console.log(`    ${campaign.label} — ${campaign.summary}`);
+      console.log(`    proposals: ${campaign.proposalIds.join(', ')}`);
+    }
+    console.log('');
+  }
+
   console.log('  Proposal Bundles');
   for (const proposal of bundle.proposals) {
     const applyState = proposal.readyToApply ? 'ready' : 'manual-review';
@@ -536,9 +715,12 @@ function applyRuntimeSettingsOverlays(bundle, options) {
 
 function resolvePlan(bundle, options) {
   if (options.planFile) {
-    return applyRuntimeSettingsOverlays(JSON.parse(fs.readFileSync(options.planFile, 'utf8')), options);
+    return filterBundleByCampaigns(
+      applyRuntimeSettingsOverlays(JSON.parse(fs.readFileSync(options.planFile, 'utf8')), options),
+      options.campaigns,
+    );
   }
-  return applyRuntimeSettingsOverlays(bundle, options);
+  return filterBundleByCampaigns(applyRuntimeSettingsOverlays(bundle, options), options.campaigns);
 }
 
 async function applyProposalBundle(options) {
@@ -546,9 +728,7 @@ async function applyProposalBundle(options) {
   const bundle = resolvePlan(liveBundle, options);
   const mcpPreflightWarnings = getMcpPackPreflight(options.mcpPacks || [])
     .filter(item => item.missingEnvVars.length > 0);
-  const selectedIds = options.only && options.only.length > 0
-    ? new Set(options.only)
-    : null;
+  const selectedIds = resolveSelectionSet(bundle, options);
   const selected = bundle.proposals.filter(proposal => {
     if (selectedIds && !selectedIds.has(proposal.id)) return false;
     return proposal.readyToApply;
@@ -606,6 +786,7 @@ async function applyProposalBundle(options) {
   return {
     proposalCount: bundle.proposals.length,
     appliedProposalIds: selected.map(item => item.id),
+    selectedCampaigns: bundle.selectedCampaigns || options.campaigns || [],
     createdFiles,
     patchedFiles: patchedFiles.map(file => file.path),
     skippedFiles,
@@ -629,6 +810,9 @@ function printApplyResult(result, options = {}) {
     console.log('  Dry-run only. No files were written.');
   }
   console.log(`  Applied proposal bundles: ${result.appliedProposalIds.join(', ') || 'none'}`);
+  if (result.selectedCampaigns && result.selectedCampaigns.length > 0) {
+    console.log(`  Campaigns: ${result.selectedCampaigns.join(', ')}`);
+  }
   console.log(`  Created files: ${result.createdFiles.join(', ') || 'none'}`);
   console.log(`  Patched files: ${result.patchedFiles.join(', ') || 'none'}`);
   if (result.mcpPreflightWarnings && result.mcpPreflightWarnings.length > 0) {