@nerviq/cli 1.10.0 → 1.12.0

package/src/platform-change-manifest.js

@@ -0,0 +1,86 @@
+'use strict';
+
+const claudeFreshness = require('./freshness');
+const codexFreshness = require('./codex/freshness');
+const cursorFreshness = require('./cursor/freshness');
+const copilotFreshness = require('./copilot/freshness');
+const geminiFreshness = require('./gemini/freshness');
+const windsurfFreshness = require('./windsurf/freshness');
+const aiderFreshness = require('./aider/freshness');
+const opencodeFreshness = require('./opencode/freshness');
+
+const DAILY_FRESHNESS_WORKFLOW = {
+  workflow: '.github/workflows/freshness-check.yml',
+  cadence: 'Daily at 06:00 UTC plus manual dispatch',
+  issuePolicy: 'Open or refresh GitHub issues for stale P0 sources without failing the main CI pipeline.',
+};
+
+const PLATFORM_CHANGE_MANIFEST = [
+  { key: 'claude', label: 'Claude Code', modulePath: 'src/freshness.js', freshness: claudeFreshness },
+  { key: 'codex', label: 'Codex', modulePath: 'src/codex/freshness.js', freshness: codexFreshness },
+  { key: 'cursor', label: 'Cursor', modulePath: 'src/cursor/freshness.js', freshness: cursorFreshness },
+  { key: 'copilot', label: 'Copilot', modulePath: 'src/copilot/freshness.js', freshness: copilotFreshness },
+  { key: 'gemini', label: 'Gemini CLI', modulePath: 'src/gemini/freshness.js', freshness: geminiFreshness },
+  { key: 'windsurf', label: 'Windsurf', modulePath: 'src/windsurf/freshness.js', freshness: windsurfFreshness },
+  { key: 'aider', label: 'Aider', modulePath: 'src/aider/freshness.js', freshness: aiderFreshness },
+  { key: 'opencode', label: 'OpenCode', modulePath: 'src/opencode/freshness.js', freshness: opencodeFreshness },
+].map((entry) => {
+  const sources = (entry.freshness.P0_SOURCES || []).map((source) => ({
+    key: source.key,
+    label: source.label,
+    url: source.url,
+    stalenessThresholdDays: source.stalenessThresholdDays,
+    verifiedAt: source.verifiedAt || null,
+  }));
+  const thresholds = [...new Set(sources.map((source) => source.stalenessThresholdDays))].sort((a, b) => a - b);
+
+  return {
+    key: entry.key,
+    label: entry.label,
+    modulePath: entry.modulePath,
+    trackedSources: sources,
+    trackedSourceCount: sources.length,
+    reviewCadence: {
+      automation: DAILY_FRESHNESS_WORKFLOW.cadence,
+      thresholdsDays: thresholds,
+      manualExpectation: thresholds.includes(14)
+        ? 'Review high-volatility sources weekly and verify any stale source immediately.'
+        : 'Review sources at least monthly and verify any stale source immediately.',
+    },
+    freshnessWorkflow: {
+      ...DAILY_FRESHNESS_WORKFLOW,
+      manualTrigger: true,
+    },
+    updateTriggers: (entry.freshness.PROPAGATION_CHECKLIST || []).map((item) => ({
+      trigger: item.trigger,
+      targets: item.targets || [],
+    })),
+  };
+});
+
+function getPlatformChangeManifest() {
+  return JSON.parse(JSON.stringify(PLATFORM_CHANGE_MANIFEST));
+}
+
+function summarizePlatformChangeManifest() {
+  const manifest = getPlatformChangeManifest();
+  return {
+    platformCount: manifest.length,
+    trackedSourceCount: manifest.reduce((sum, entry) => sum + entry.trackedSourceCount, 0),
+    workflow: DAILY_FRESHNESS_WORKFLOW,
+    platforms: manifest.map((entry) => ({
+      key: entry.key,
+      label: entry.label,
+      trackedSourceCount: entry.trackedSourceCount,
+      thresholdDays: entry.reviewCadence.thresholdsDays,
+      updateTriggerCount: entry.updateTriggers.length,
+    })),
+  };
+}
+
+module.exports = {
+  DAILY_FRESHNESS_WORKFLOW,
+  PLATFORM_CHANGE_MANIFEST,
+  getPlatformChangeManifest,
+  summarizePlatformChangeManifest,
+};

package/src/policy-layers.js

@@ -0,0 +1,210 @@
+const fs = require('fs');
+const path = require('path');
+const { applyProfileToOptions } = require('./profiles');
+
+const POLICY_FILES = {
+  org: path.join('.nerviq', 'org-policy.json'),
+  team: path.join('.nerviq', 'team-policy.json'),
+  repo: path.join('.nerviq', 'repo-policy.json'),
+};
+
+function normalizeArray(values) {
+  const seen = new Set();
+  const result = [];
+  for (const value of Array.isArray(values) ? values : []) {
+    const normalized = `${value || ''}`.trim();
+    if (!normalized || seen.has(normalized)) continue;
+    seen.add(normalized);
+    result.push(normalized);
+  }
+  return result;
+}
+
+function readPolicyFile(filePath, layer) {
+  if (!filePath || !fs.existsSync(filePath)) return null;
+
+  let raw;
+  try {
+    raw = fs.readFileSync(filePath, 'utf8');
+  } catch {
+    return {
+      layer,
+      path: filePath,
+      valid: false,
+      error: 'could not read policy file',
+    };
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return {
+      layer,
+      path: filePath,
+      valid: false,
+      error: 'invalid JSON',
+    };
+  }
+
+  return {
+    layer,
+    path: filePath,
+    valid: true,
+    policy: {
+      name: parsed.name || `${layer} policy`,
+      description: parsed.description || '',
+      platforms: normalizeArray(parsed.platforms || []),
+      threshold: parsed.threshold != null ? Number(parsed.threshold) : null,
+      requireChecks: normalizeArray(parsed.requireChecks || []),
+      suppressedChecks: normalizeArray(parsed.suppressedChecks || []),
+      priorityBoosts: normalizeArray(parsed.priorityBoosts || []),
+      customWeights: parsed.customWeights && typeof parsed.customWeights === 'object' ? parsed.customWeights : {},
+    },
+  };
+}
+
+function findAncestorOrgPolicy(dir) {
+  let current = path.resolve(dir);
+  let lastFound = null;
+
+  while (true) {
+    const candidate = path.join(current, POLICY_FILES.org);
+    if (fs.existsSync(candidate)) {
+      lastFound = candidate;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) break;
+    current = parent;
+  }
+
+  return lastFound;
+}
+
+function resolvePolicyLayers(dir) {
+  const absoluteDir = path.resolve(dir);
+  const layers = [];
+
+  const orgLayer = readPolicyFile(findAncestorOrgPolicy(absoluteDir), 'org');
+  if (orgLayer) layers.push(orgLayer);
+
+  const teamLayer = readPolicyFile(path.join(absoluteDir, POLICY_FILES.team), 'team');
+  if (teamLayer) layers.push(teamLayer);
+
+  const repoLayer = readPolicyFile(path.join(absoluteDir, POLICY_FILES.repo), 'repo');
+  if (repoLayer) layers.push(repoLayer);
+
+  const resolved = {
+    platforms: [],
+    threshold: null,
+    requireChecks: [],
+    suppressedChecks: [],
+    priorityBoosts: [],
+    customWeights: {},
+    description: '',
+  };
+
+  const fieldSources = {
+    platforms: [],
+    threshold: null,
+    requireChecks: [],
+    suppressedChecks: [],
+    priorityBoosts: [],
+    customWeights: [],
+    description: null,
+  };
+
+  for (const layer of layers) {
+    if (!layer.valid || !layer.policy) continue;
+    const { policy } = layer;
+
+    if (policy.platforms.length > 0) {
+      resolved.platforms = [...policy.platforms];
+      fieldSources.platforms = [layer.layer];
+    }
+
+    if (policy.threshold != null && Number.isFinite(policy.threshold)) {
+      resolved.threshold = policy.threshold;
+      fieldSources.threshold = layer.layer;
+    }
+
+    if (policy.requireChecks.length > 0) {
+      resolved.requireChecks = normalizeArray([...resolved.requireChecks, ...policy.requireChecks]);
+      fieldSources.requireChecks = normalizeArray([...fieldSources.requireChecks, layer.layer]);
+    }
+
+    if (policy.suppressedChecks.length > 0) {
+      resolved.suppressedChecks = normalizeArray([...resolved.suppressedChecks, ...policy.suppressedChecks]);
+      fieldSources.suppressedChecks = normalizeArray([...fieldSources.suppressedChecks, layer.layer]);
+    }
+
+    if (policy.priorityBoosts.length > 0) {
+      resolved.priorityBoosts = normalizeArray([...resolved.priorityBoosts, ...policy.priorityBoosts]);
+      fieldSources.priorityBoosts = normalizeArray([...fieldSources.priorityBoosts, layer.layer]);
+    }
+
+    if (Object.keys(policy.customWeights).length > 0) {
+      resolved.customWeights = { ...resolved.customWeights, ...policy.customWeights };
+      fieldSources.customWeights = normalizeArray([...fieldSources.customWeights, layer.layer]);
+    }
+
+    if (policy.description) {
+      resolved.description = policy.description;
+      fieldSources.description = layer.layer;
+    }
+  }
+
+  return {
+    dir: absoluteDir,
+    overrideOrder: ['org', 'team', 'repo', 'explicit-cli'],
+    layers,
+    resolved,
+    fieldSources,
+  };
+}
+
+function applyPolicyLayersToOptions(contract, options) {
+  if (!contract || !contract.resolved) {
+    return { ...options };
+  }
+
+  return applyProfileToOptions(contract.resolved, options);
+}
+
+function formatPolicyContract(contract) {
+  if (!contract || !Array.isArray(contract.layers) || contract.layers.length === 0) {
+    return '  No org/team/repo policy layers found.';
+  }
+
+  const lines = [
+    '  Policy layers (override order: org -> team -> repo -> explicit CLI):',
+  ];
+
+  for (const layer of contract.layers) {
+    if (!layer.valid) {
+      lines.push(`  - ${layer.layer}: ${layer.path} [invalid: ${layer.error}]`);
+      continue;
+    }
+
+    const policy = layer.policy || {};
+    const details = [];
+    if (policy.platforms?.length > 0) details.push(`platforms=${policy.platforms.join(', ')}`);
+    if (policy.threshold != null) details.push(`threshold=${policy.threshold}`);
+    if (policy.requireChecks?.length > 0) details.push(`require=${policy.requireChecks.join(', ')}`);
+    lines.push(`  - ${layer.layer}: ${path.relative(contract.dir, layer.path) || layer.path}${details.length > 0 ? ` (${details.join('; ')})` : ''}`);
+  }
+
+  const resolved = contract.resolved || {};
+  lines.push('  Resolved policy:');
+  lines.push(`  - Platforms: ${resolved.platforms?.length > 0 ? resolved.platforms.join(', ') : 'default CLI platform'}`);
+  lines.push(`  - Threshold: ${resolved.threshold != null ? resolved.threshold : 'default'}`);
+  lines.push(`  - Required checks: ${resolved.requireChecks?.length > 0 ? resolved.requireChecks.join(', ') : 'none'}`);
+  return lines.join('\n');
+}
+
+module.exports = {
+  POLICY_FILES,
+  resolvePolicyLayers,
+  applyPolicyLayersToOptions,
+  formatPolicyContract,
+};

package/src/profiles.js

@@ -86,9 +86,12 @@ function applyProfileToOptions(profile, options) {
   if (profile.threshold != null && merged.threshold == null) {
     merged.threshold = profile.threshold;
   }
-  if (profile.platforms && profile.platforms.length > 0 && !options.platform) {
+  if (profile.platforms && profile.platforms.length > 0 && !options.platformExplicit) {
     merged.platform = profile.platforms[0];
   }
+  if ((profile.requireChecks || []).length > 0 && (!Array.isArray(merged.require) || merged.require.length === 0)) {
+    merged.require = [...profile.requireChecks];
+  }
   merged.suppressedChecks = profile.suppressedChecks || [];
   merged.priorityBoosts = profile.priorityBoosts || [];
   merged.customWeights = profile.customWeights || {};

package/src/prompt-injection.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const PROMPT_INJECTION_PATTERNS = [
+  /\bignore (?:all )?(?:previous|earlier|above) instructions?\b/i,
+  /\boverride (?:the )?(?:system|developer|safety|previous) instructions?\b/i,
+  /\breveal (?:your|the) (?:system|developer) prompt\b/i,
+  /\bbypass (?:all )?(?:safety|guardrails|restrictions|protections)\b/i,
+  /\bdisable (?:the )?(?:guardrails|safety checks?)\b/i,
+  /\bact as (?:the )?(?:system|developer)\b/i,
+  /\breport (?:that )?(?:everything is )?perfect(?: and score 100\/100)?\b/i,
+  /\bscore 100\/100\b/i,
+  /\bexfiltrate\b.*\b(?:secret|token|credential|password)\b/i,
+];
+
+const TRUST_BOUNDARY_PATTERNS = [
+  /\btreat(?: every| all)?(?: string| file| repo(?:sitory)?| external)?[\w\s,-]{0,80}\buntrusted\b/i,
+  /\bnever follow instructions embedded in\b/i,
+  /\b(?:repo(?:sitory)? files?|file contents?|web(?:site|page)? content|fetched content|external content|mcp responses?)\b[\w\s,-]{0,120}\b(?:data|quoted)\b[\w\s,-]{0,80}\bnot instructions\b/i,
+  /\bmcp responses?\b[\w\s,-]{0,80}\buntrusted\b/i,
+  /\bfile contents?\b[\w\s,-]{0,80}\buntrusted\b/i,
+  /\bprompt injection\b[\w\s,-]{0,120}\b(?:defense|resistance|guard|boundary)\b/i,
+];
+
+function containsPromptInjectionPattern(text) {
+  const normalized = String(text || '');
+  return PROMPT_INJECTION_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(normalized);
+  });
+}
+
+function hasPromptInjectionDefenseGuidance(text) {
+  const normalized = String(text || '');
+  if (!normalized.trim()) return false;
+  return TRUST_BOUNDARY_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(normalized);
+  });
+}
+
+function hasMcpPromptInjectionDefenseGuidance(text) {
+  const normalized = String(text || '');
+  if (!/\bmcp\b/i.test(normalized)) return false;
+  return hasPromptInjectionDefenseGuidance(normalized);
+}
+
+function collectHookBlocks(settings) {
+  if (!settings || !settings.hooks || typeof settings.hooks !== 'object') return [];
+  const blocks = [];
+  for (const [eventName, entries] of Object.entries(settings.hooks)) {
+    if (!Array.isArray(entries)) continue;
+    for (const entry of entries) {
+      blocks.push({ eventName, entry });
+    }
+  }
+  return blocks;
+}
+
+function hasInjectionDefenseHookConfigured(settings) {
+  return collectHookBlocks(settings).some(({ eventName, entry }) => {
+    if (eventName !== 'PostToolUse') return false;
+    const matcher = `${entry && entry.matcher ? entry.matcher : ''}`;
+    if (!/WebFetch|WebSearch|Read|Grep|Glob|mcp__/i.test(matcher)) return false;
+    const hooks = Array.isArray(entry && entry.hooks) ? entry.hooks : [];
+    return hooks.some((hook) => /injection|prompt|sanitize|untrusted/i.test(`${hook && hook.command ? hook.command : ''}`));
+  });
+}
+
+module.exports = {
+  containsPromptInjectionPattern,
+  hasPromptInjectionDefenseGuidance,
+  hasMcpPromptInjectionDefenseGuidance,
+  hasInjectionDefenseHookConfigured,
+};