@nerviq/cli 1.10.0 → 1.12.0

package/src/techniques/security.js

@@ -0,0 +1,237 @@
+/**
+ * Security technique fragments.
+ * Generated mechanically from the legacy techniques.js monolith during HR-09.
+ */
+
+const {
+  collectClaudeDenyRules,
+  hasPromptInjectionDefenseGuidance,
+  hasMcpPromptInjectionDefenseGuidance,
+  hasInjectionDefenseHookConfigured,
+  getRepoInstructionBundle,
+  getWorkflowContent,
+} = require('./shared');
+
+module.exports = {
+  settingsPermissions: {
+      id: 24,
+      name: 'Permission configuration',
+      check: (ctx) => {
+        // Prefer local (effective config) — any settings file with permissions passes
+        const settings = ctx.jsonFile('.claude/settings.local.json') || ctx.jsonFile('.claude/settings.json');
+        return !!(settings && settings.permissions);
+      },
+      impact: 'medium',
+      rating: 4,
+      category: 'security',
+      fix: 'Configure allow/deny permission lists for safe tool usage.',
+      template: null
+    },
+
+  permissionDeny: {
+      id: 2401,
+      name: 'Deny rules configured in permissions',
+      check: (ctx) => {
+        return collectClaudeDenyRules(ctx).length > 0;
+      },
+      impact: 'high',
+      rating: 5,
+      category: 'security',
+      fix: 'Add permissions.deny rules to block dangerous operations (e.g. rm -rf, dropping databases).',
+      template: null
+    },
+
+  noBypassPermissions: {
+      id: 2402,
+      name: 'Default mode is not bypassPermissions',
+      check: (ctx) => {
+        // Check shared settings first (committed to git) — if the shared baseline
+        // is safe, a personal settings.local.json override should not fail the audit.
+        const shared = ctx.jsonFile('.claude/settings.json');
+        if (shared && shared.permissions) {
+          return shared.permissions.defaultMode !== 'bypassPermissions';
+        }
+        const local = ctx.jsonFile('.claude/settings.local.json');
+        if (!local || !local.permissions) return null;
+        return local.permissions.defaultMode !== 'bypassPermissions';
+      },
+      impact: 'critical',
+      rating: 5,
+      category: 'security',
+      fix: 'Do not set defaultMode to bypassPermissions. Use explicit allow rules instead.',
+      template: null
+    },
+
+  secretsProtection: {
+      id: 1096,
+      name: 'Secrets protection configured',
+      check: (ctx) => {
+        const shared = ctx.jsonFile('.claude/settings.json');
+        const local = ctx.jsonFile('.claude/settings.local.json');
+        const settings = shared || local;
+        if (!settings || !settings.permissions) return false;
+        const denyRules = collectClaudeDenyRules(ctx);
+        const hasDeny = denyRules.some((rule) => rule.protectsSecrets);
+        // Fail if allow includes "*" (overly broad — bypasses deny rules)
+        const allow = settings.permissions.allow || [];
+        if (Array.isArray(allow) && allow.includes('*')) return false;
+        return hasDeny;
+      },
+      impact: 'critical',
+      rating: 5,
+      category: 'security',
+      fix: 'Add permissions.deny rules to block reading .env files and secrets directories.',
+      template: null
+    },
+
+  securityReview: {
+      id: 1031,
+      name: 'Security review command awareness',
+      check: (ctx) => {
+        const md = ctx.claudeMdContent() || '';
+        return md.includes('security') || md.includes('/security-review');
+      },
+      impact: 'high',
+      rating: 5,
+      category: 'security',
+      fix: 'Add /security-review to your workflow. Claude Code has built-in OWASP Top 10 scanning.',
+      template: null
+    },
+
+  promptInjectionTrustBoundary: {
+      id: 8805,
+      name: 'Prompt injection trust boundary documented',
+      check: (ctx) => {
+        const bundle = getRepoInstructionBundle(ctx);
+        return hasPromptInjectionDefenseGuidance(bundle);
+      },
+      impact: 'high',
+      rating: 5,
+      category: 'security',
+      fix: 'Document a trust boundary: treat repo files, fetched content, and MCP responses as untrusted data, not instructions to follow.',
+      template: null
+    },
+
+  injectionDefenseHook: {
+      id: 8806,
+      name: 'Injection defense hook configured for external content',
+      check: (ctx) => {
+        const shared = ctx.jsonFile('.claude/settings.json');
+        const local = ctx.jsonFile('.claude/settings.local.json');
+        return hasInjectionDefenseHookConfigured(shared) || hasInjectionDefenseHookConfigured(local);
+      },
+      impact: 'medium',
+      rating: 4,
+      category: 'security',
+      fix: 'Add a PostToolUse injection-defense hook for WebFetch/WebSearch/Read/Grep/Glob/MCP flows so suspicious external content is logged and reviewed.',
+      template: 'hooks'
+    },
+
+  mcpPromptInjectionBoundary: {
+      id: 8807,
+      name: 'MCP responses treated as untrusted in instructions',
+      check: (ctx) => {
+        const hasMcpSignals = Boolean(
+          ctx.fileContent('.mcp.json') ||
+          ctx.fileContent('.vscode/mcp.json') ||
+          ctx.fileContent('.cursor/mcp.json') ||
+          ctx.fileContent('.windsurf/mcp.json') ||
+          ctx.fileContent('opencode.json') ||
+          ctx.fileContent('opencode.jsonc') ||
+          ctx.fileContent('.codex/config.toml')
+        );
+        if (!hasMcpSignals) return null;
+        const bundle = getRepoInstructionBundle(ctx);
+        return hasMcpPromptInjectionDefenseGuidance(bundle);
+      },
+      impact: 'medium',
+      rating: 4,
+      category: 'security',
+      fix: 'Document that MCP outputs are untrusted data, can contain indirect prompt injection, and must never override repo-level instructions.',
+      template: null
+    },
+
+  sandboxAwareness: {
+      id: 2013,
+      name: 'Sandbox or isolation mentioned',
+      check: (ctx) => {
+        const md = ctx.claudeMdContent() || '';
+        const settings = ctx.jsonFile('.claude/settings.json') || {};
+        return /sandbox|isolat/i.test(md) || !!settings.sandbox;
+      },
+      impact: 'medium', rating: 3, category: 'security',
+      fix: 'Claude Code supports sandboxed command execution. Consider enabling it for untrusted operations.',
+      template: null
+    },
+
+  denyRulesDepth: {
+      id: 2014,
+      name: 'Deny rules cover 3+ patterns',
+      check: (ctx) => {
+        return collectClaudeDenyRules(ctx).length >= 3;
+      },
+      impact: 'high', rating: 4, category: 'security',
+      fix: 'Add at least 3 deny rules: rm -rf, force-push, and .env reads. More patterns = safer Claude.',
+      template: null
+    },
+
+  sbomExists: {
+      id: 130041,
+      name: 'SBOM file exists',
+      check: (ctx) => {
+        return ctx.files.some(f => /sbom\.(json|xml|cdx\.json)|bom\.xml|cyclonedx/i.test(f));
+      },
+      impact: 'medium',
+      category: 'supply-chain',
+      fix: 'Generate an SBOM (Software Bill of Materials) in CycloneDX or SPDX format for supply chain transparency.',
+    },
+
+  dependencyPinning: {
+      id: 130042,
+      name: 'Lock files committed',
+      check: (ctx) => {
+        return ctx.files.some(f => /^(package-lock\.json|yarn\.lock|pnpm-lock\.yaml|Cargo\.lock|poetry\.lock|Pipfile\.lock|bun\.lockb|composer\.lock|Gemfile\.lock|go\.sum)$/i.test(f));
+      },
+      impact: 'high',
+      category: 'supply-chain',
+      fix: 'Commit lock files (package-lock.json, yarn.lock, Cargo.lock, poetry.lock) for reproducible builds.',
+    },
+
+  provenanceAttestation: {
+      id: 130043,
+      name: 'Provenance or sigstore in CI',
+      check: (ctx) => {
+        const ci = getWorkflowContent(ctx);
+        return /provenance|sigstore|cosign|slsa|attestation/i.test(ci);
+      },
+      impact: 'medium',
+      category: 'supply-chain',
+      fix: 'Add npm provenance or sigstore attestation in CI to verify package integrity.',
+    },
+
+  lockfileIntegrity: {
+      id: 130044,
+      name: 'CI uses frozen lockfile install',
+      check: (ctx) => {
+        const ci = getWorkflowContent(ctx);
+        return /npm ci\b|--frozen-lockfile|--immutable|cargo.*--locked|pip install.*--require-hashes/i.test(ci);
+      },
+      impact: 'high',
+      category: 'supply-chain',
+      fix: 'Use `npm ci` or `--frozen-lockfile` in CI instead of `npm install` for deterministic builds.',
+    },
+
+  dependencyScanning: {
+      id: 130045,
+      name: 'Dependency scanning configured',
+      check: (ctx) => {
+        const hasConfig = ctx.files.some(f => /dependabot\.yml|renovate\.json|\.snyk/i.test(f));
+        if (hasConfig) return true;
+        const ci = getWorkflowContent(ctx);
+        return /dependabot|renovate|snyk|npm audit|cargo audit|pip-audit|safety check/i.test(ci);
+      },
+      impact: 'high',
+      category: 'supply-chain',
+      fix: 'Configure Dependabot, Renovate, or Snyk to automatically scan and update vulnerable dependencies.',
+    },
+};

package/src/techniques/shared.js

@@ -0,0 +1,443 @@
+/**
+ * Shared helpers for Claude technique modules.
+ * Generated mechanically from the legacy monolith during HR-09.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { collectClaudeDenyRules } = require('../permission-rules');
+const {
+  hasPromptInjectionDefenseGuidance,
+  hasMcpPromptInjectionDefenseGuidance,
+  hasInjectionDefenseHookConfigured,
+} = require('../prompt-injection');
+const {
+  getClaudeInstructionBundle,
+  getRepoInstructionBundle,
+  hasDocumentedVerificationGuidance,
+  hasDocumentedTestCommand,
+  hasDocumentedLintCommand,
+  hasDocumentedBuildCommand,
+} = require('../instruction-surfaces');
+
+function hasFrontendSignals(ctx) {
+  const pkg = ctx.fileContent('package.json') || '';
+  return /react|vue|angular|next|svelte|tailwind|vite|astro/i.test(pkg) ||
+    ctx.files.some(f => /tailwind\.config|vite\.config|next\.config|svelte\.config|nuxt\.config|pages\/|components\/|app\//i.test(f));
+}
+
+function getClaudeHookContents(ctx) {
+  const hookFiles = ctx.dirFiles('.claude/hooks').filter(f => /\.(js|cjs|mjs|ts|sh|py)$/.test(f));
+  return hookFiles.map(f => ctx.fileContent(`.claude/hooks/${f}`) || '');
+}
+
+function matchesPattern(value, pattern) {
+  if (pattern instanceof RegExp) {
+    pattern.lastIndex = 0;
+    return pattern.test(value);
+  }
+  return value === pattern;
+}
+
+function getProjectEntries(ctx) {
+  if (ctx.__nerviqProjectEntries) return ctx.__nerviqProjectEntries;
+
+  const entries = [];
+  const skippedDirs = new Set([
+    '.git',
+    '.hg',
+    '.svn',
+    'node_modules',
+    '__pycache__',
+    '.pytest_cache',
+    '.mypy_cache',
+    '.ruff_cache',
+    '.venv',
+    'venv',
+    'env',
+    '.tox',
+    '.nox',
+    'vendor',
+    'dist',
+    'build',
+    'coverage',
+  ]);
+
+  const walk = (relPath = '') => {
+    const fullPath = relPath
+      ? path.join(ctx.dir, ...relPath.split('/'))
+      : ctx.dir;
+
+    let dirents = [];
+    try {
+      dirents = fs.readdirSync(fullPath, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const dirent of dirents) {
+      if (dirent.name === '.DS_Store') continue;
+
+      const entryPath = relPath ? `${relPath}/${dirent.name}` : dirent.name;
+      if (dirent.isDirectory()) {
+        if (skippedDirs.has(dirent.name)) continue;
+        entries.push(`${entryPath}/`);
+        walk(entryPath);
+      } else {
+        entries.push(entryPath);
+      }
+    }
+  };
+
+  walk();
+  ctx.__nerviqProjectEntries = entries;
+  return entries;
+}
+
+function getProjectFiles(ctx) {
+  if (ctx.__nerviqProjectFiles) return ctx.__nerviqProjectFiles;
+  ctx.__nerviqProjectFiles = getProjectEntries(ctx).filter(entry => !entry.endsWith('/'));
+  return ctx.__nerviqProjectFiles;
+}
+
+function findProjectFiles(ctx, pattern) {
+  return getProjectFiles(ctx).filter(file => matchesPattern(file, pattern));
+}
+
+function hasProjectFile(ctx, pattern) {
+  return findProjectFiles(ctx, pattern).length > 0;
+}
+
+/**
+ * Check if a stack-indicator file exists at a "core" location (root, src/, lib/, app/, packages/)
+ * rather than inside examples/, docs/, test/, vendor/, or deeply nested paths.
+ * This prevents false stack detection from example/demo code.
+ */
+const EXCLUDED_STACK_DIRS = /^(examples?|docs?|test|tests|fixtures?|samples?|demo|vendor|third[_-]?party|\.github)\//i;
+
+function hasCoreProjectFile(ctx, pattern) {
+  return findProjectFiles(ctx, pattern).some(file => !EXCLUDED_STACK_DIRS.test(file));
+}
+
+function hasCoreRootFile(ctx, pattern) {
+  // Only match files at project root (no / in path) or one level deep (src/X, lib/X, app/X)
+  return findProjectFiles(ctx, pattern).some(file => {
+    if (EXCLUDED_STACK_DIRS.test(file)) return false;
+    const depth = (file.match(/\//g) || []).length;
+    return depth <= 1;
+  });
+}
+
+function readProjectFiles(ctx, pattern, limit = 60) {
+  return findProjectFiles(ctx, pattern)
+    .slice(0, limit)
+    .map(file => ctx.fileContent(file) || '')
+    .filter(Boolean)
+    .join('\n');
+}
+
+function isPythonProject(ctx) {
+  if (ctx.__nerviqIsPython !== undefined) return ctx.__nerviqIsPython;
+  // Require a Python config file (pyproject.toml, requirements.txt, setup.py) at a core location.
+  // Stray .py files in examples/ or docs/ don't make it a Python project.
+  ctx.__nerviqIsPython =
+    hasCoreRootFile(ctx, /(^|\/)(pyproject\.toml|setup\.py|Pipfile)$/i) ||
+    hasCoreRootFile(ctx, /(^|\/)requirements\.txt$/i);
+  return ctx.__nerviqIsPython;
+}
+
+function isGoProject(ctx) {
+  if (ctx.__nerviqIsGo !== undefined) return ctx.__nerviqIsGo;
+  ctx.__nerviqIsGo = hasCoreRootFile(ctx, /(^|\/)go\.mod$/i);
+  return ctx.__nerviqIsGo;
+}
+
+function isRustProject(ctx) {
+  if (ctx.__nerviqIsRust !== undefined) return ctx.__nerviqIsRust;
+  ctx.__nerviqIsRust = hasCoreRootFile(ctx, /(^|\/)Cargo\.toml$/i);
+  return ctx.__nerviqIsRust;
+}
+
+function isJavaProject(ctx) {
+  if (ctx.__nerviqIsJava !== undefined) return ctx.__nerviqIsJava;
+  ctx.__nerviqIsJava = hasCoreRootFile(ctx, /(^|\/)(pom\.xml|build\.gradle|build\.gradle\.kts)$/i);
+  return ctx.__nerviqIsJava;
+}
+
+function isFlutterProject(ctx) {
+  if (ctx.__nerviqIsFlutter !== undefined) return ctx.__nerviqIsFlutter;
+  ctx.__nerviqIsFlutter = hasCoreRootFile(ctx, /(^|\/)pubspec\.yaml$/i);
+  return ctx.__nerviqIsFlutter;
+}
+
+function isSwiftProject(ctx) {
+  if (ctx.__nerviqIsSwift !== undefined) return ctx.__nerviqIsSwift;
+  ctx.__nerviqIsSwift = hasCoreRootFile(ctx, /(^|\/)Package\.swift$/i) ||
+    hasCoreProjectFile(ctx, /\.xcodeproj/i);
+  return ctx.__nerviqIsSwift;
+}
+
+function isKotlinProject(ctx) {
+  if (ctx.__nerviqIsKotlin !== undefined) return ctx.__nerviqIsKotlin;
+  const gradle = (ctx.fileContent('build.gradle.kts') || '') + (ctx.fileContent('build.gradle') || '');
+  ctx.__nerviqIsKotlin = /kotlin/i.test(gradle);
+  return ctx.__nerviqIsKotlin;
+}
+
+function isRubyProject(ctx) {
+  if (ctx.__nerviqIsRuby !== undefined) return ctx.__nerviqIsRuby;
+  ctx.__nerviqIsRuby = hasCoreRootFile(ctx, /(^|\/)Gemfile$/i);
+  return ctx.__nerviqIsRuby;
+}
+
+function isPhpProject(ctx) {
+  if (ctx.__nerviqIsPhp !== undefined) return ctx.__nerviqIsPhp;
+  ctx.__nerviqIsPhp = hasCoreRootFile(ctx, /(^|\/)composer\.json$/i);
+  return ctx.__nerviqIsPhp;
+}
+
+function isDotnetProject(ctx) {
+  if (ctx.__nerviqIsDotnet !== undefined) return ctx.__nerviqIsDotnet;
+  ctx.__nerviqIsDotnet = hasCoreProjectFile(ctx, /(^|\/)(.*\.csproj|.*\.sln|global\.json)$/i);
+  return ctx.__nerviqIsDotnet;
+}
+
+/**
+ * Map category names to their project detection function.
+ * Used by the audit to skip entire categories when the stack isn't detected.
+ */
+const STACK_CATEGORY_DETECTORS = {
+  python: isPythonProject,
+  go: isGoProject,
+  rust: isRustProject,
+  java: isJavaProject,
+  flutter: isFlutterProject,
+  swift: isSwiftProject,
+  kotlin: isKotlinProject,
+  ruby: isRubyProject,
+  php: isPhpProject,
+  dotnet: isDotnetProject,
+};
+
+function getPythonFiles(ctx) {
+  if (ctx.__nerviqPythonFiles) return ctx.__nerviqPythonFiles;
+  ctx.__nerviqPythonFiles = findProjectFiles(ctx, /\.py$/i);
+  return ctx.__nerviqPythonFiles;
+}
+
+function getMainPythonFiles(ctx) {
+  if (ctx.__nerviqMainPythonFiles) return ctx.__nerviqMainPythonFiles;
+  ctx.__nerviqMainPythonFiles = getPythonFiles(ctx)
+    .filter(file => !/(^|\/)(tests?|__pycache__|migrations)\//i.test(file))
+    .filter(file => !/(^|\/)(test_[^/]+|conftest)\.py$/i.test(file))
+    .slice(0, 50);
+  return ctx.__nerviqMainPythonFiles;
+}
+
+function getPythonProjectText(ctx) {
+  if (ctx.__nerviqPythonProjectText) return ctx.__nerviqPythonProjectText;
+  ctx.__nerviqPythonProjectText = [
+    readProjectFiles(ctx, /(^|\/)pyproject\.toml$/i),
+    readProjectFiles(ctx, /(^|\/)requirements[^/]*\.txt$/i),
+    readProjectFiles(ctx, /(^|\/)setup\.py$/i),
+    readProjectFiles(ctx, /(^|\/)setup\.cfg$/i),
+    readProjectFiles(ctx, /(^|\/)Pipfile$/i),
+  ].filter(Boolean).join('\n');
+  return ctx.__nerviqPythonProjectText;
+}
+
+function getGoFiles(ctx) {
+  if (ctx.__nerviqGoFiles) return ctx.__nerviqGoFiles;
+  ctx.__nerviqGoFiles = findProjectFiles(ctx, /\.go$/i);
+  return ctx.__nerviqGoFiles;
+}
+
+function getRustFiles(ctx) {
+  if (ctx.__nerviqRustFiles) return ctx.__nerviqRustFiles;
+  ctx.__nerviqRustFiles = findProjectFiles(ctx, /\.rs$/i);
+  return ctx.__nerviqRustFiles;
+}
+
+function getMainRustFiles(ctx) {
+  if (ctx.__nerviqMainRustFiles) return ctx.__nerviqMainRustFiles;
+  ctx.__nerviqMainRustFiles = getRustFiles(ctx)
+    .filter(file => !/(^|\/)(tests|target)\//i.test(file))
+    .slice(0, 60);
+  return ctx.__nerviqMainRustFiles;
+}
+
+function getJavaFiles(ctx) {
+  if (ctx.__nerviqJavaFiles) return ctx.__nerviqJavaFiles;
+  ctx.__nerviqJavaFiles = findProjectFiles(ctx, /\.java$/i);
+  return ctx.__nerviqJavaFiles;
+}
+
+function getMainJavaFiles(ctx) {
+  if (ctx.__nerviqMainJavaFiles) return ctx.__nerviqMainJavaFiles;
+  ctx.__nerviqMainJavaFiles = getJavaFiles(ctx)
+    .filter(file => !/(^|\/)(test|tests|src\/test)\//i.test(file))
+    .slice(0, 60);
+  return ctx.__nerviqMainJavaFiles;
+}
+
+function getMainGoFiles(ctx) {
+  if (ctx.__nerviqMainGoFiles) return ctx.__nerviqMainGoFiles;
+  ctx.__nerviqMainGoFiles = getGoFiles(ctx).filter(file => !/_test\.go$/i.test(file)).slice(0, 60);
+  return ctx.__nerviqMainGoFiles;
+}
+
+function getWorkflowContent(ctx) {
+  if (ctx.__nerviqWorkflowContent !== undefined) return ctx.__nerviqWorkflowContent;
+  ctx.__nerviqWorkflowContent = readProjectFiles(ctx, /^\.github\/workflows\/.*\.ya?ml$/i);
+  return ctx.__nerviqWorkflowContent;
+}
+
+function getPreCommitContent(ctx) {
+  if (ctx.__nerviqPreCommitContent !== undefined) return ctx.__nerviqPreCommitContent;
+  ctx.__nerviqPreCommitContent = readProjectFiles(ctx, /(^|\/)\.pre-commit-config\.ya?ml$/i);
+  return ctx.__nerviqPreCommitContent;
+}
+
+function getGoProjectText(ctx) {
+  if (ctx.__nerviqGoProjectText) return ctx.__nerviqGoProjectText;
+  ctx.__nerviqGoProjectText = [
+    readProjectFiles(ctx, /(^|\/)go\.mod$/i),
+    getWorkflowContent(ctx),
+    readProjectFiles(ctx, /(^|\/)Makefile$/),
+    getPreCommitContent(ctx),
+    getMainGoFiles(ctx).slice(0, 25).map(file => ctx.fileContent(file) || '').filter(Boolean).join('\n'),
+  ].filter(Boolean).join('\n');
+  return ctx.__nerviqGoProjectText;
+}
+
+function getRustProjectText(ctx) {
+  if (ctx.__nerviqRustProjectText) return ctx.__nerviqRustProjectText;
+  ctx.__nerviqRustProjectText = [
+    readProjectFiles(ctx, /(^|\/)Cargo\.toml$/i),
+    readProjectFiles(ctx, /(^|\/)(clippy\.toml|\.clippy\.toml|rustfmt\.toml|\.rustfmt\.toml|build\.rs)$/i),
+    readProjectFiles(ctx, /(^|\/)\.cargo\/config\.toml$/i),
+    getWorkflowContent(ctx),
+    getMainRustFiles(ctx).slice(0, 30).map(file => ctx.fileContent(file) || '').filter(Boolean).join('\n'),
+  ].filter(Boolean).join('\n');
+  return ctx.__nerviqRustProjectText;
+}
+
+function getJavaBuildText(ctx) {
+  if (ctx.__nerviqJavaBuildText) return ctx.__nerviqJavaBuildText;
+  ctx.__nerviqJavaBuildText = [
+    readProjectFiles(ctx, /(^|\/)pom\.xml$/i),
+    readProjectFiles(ctx, /(^|\/)build\.gradle$/i),
+    readProjectFiles(ctx, /(^|\/)build\.gradle\.kts$/i),
+    readProjectFiles(ctx, /(^|\/)settings\.gradle$/i),
+    readProjectFiles(ctx, /(^|\/)settings\.gradle\.kts$/i),
+  ].filter(Boolean).join('\n');
+  return ctx.__nerviqJavaBuildText;
+}
+
+function getJavaProjectText(ctx) {
+  if (ctx.__nerviqJavaProjectText) return ctx.__nerviqJavaProjectText;
+  ctx.__nerviqJavaProjectText = [
+    getJavaBuildText(ctx),
+    getWorkflowContent(ctx),
+    readProjectFiles(ctx, /(^|\/)\.editorconfig$/i),
+    readProjectFiles(ctx, /(^|\/)(application\.properties|application\.ya?ml|logback.*\.xml|log4j2?.*\.xml)$/i),
+    getMainJavaFiles(ctx).slice(0, 30).map(file => ctx.fileContent(file) || '').filter(Boolean).join('\n'),
+  ].filter(Boolean).join('\n');
+  return ctx.__nerviqJavaProjectText;
+}
+
+function getGoInterfaceBlocks(ctx) {
+  if (ctx.__nerviqGoInterfaces) return ctx.__nerviqGoInterfaces;
+  const blocks = [];
+  for (const file of getMainGoFiles(ctx)) {
+    const content = ctx.fileContent(file) || '';
+    for (const match of content.matchAll(/type\s+\w+\s+interface\s*\{([\s\S]*?)\}/g)) {
+      blocks.push(match[1]);
+    }
+  }
+  ctx.__nerviqGoInterfaces = blocks;
+  return ctx.__nerviqGoInterfaces;
+}
+
+function countGoInterfaceMethods(block) {
+  return block
+    .split(/\r?\n/)
+    .map(line => line.trim())
+    .filter(line => line && !line.startsWith('//') && !line.startsWith('/*'))
+    .length;
+}
+
+const { containsEmbeddedSecret } = require('../secret-patterns');
+const { attachSourceUrls } = require('../source-urls');
+const { buildSupplementalChecks } = require('../supplemental-checks');
+const { resolveProjectStateReadPath } = require('../state-paths');
+
+const CLAUDE_SUPPLEMENTAL_SOURCE_URLS = {
+  'testing-strategy': 'https://code.claude.com/docs/en/common-workflows',
+  'code-quality': 'https://code.claude.com/docs/en/best-practices',
+  'api-design': 'https://code.claude.com/docs/en/best-practices',
+  database: 'https://code.claude.com/docs/en/common-workflows',
+  authentication: 'https://code.claude.com/docs/en/permissions',
+  monitoring: 'https://code.claude.com/docs/en/common-workflows',
+  'dependency-management': 'https://code.claude.com/docs/en/best-practices',
+  'cost-optimization': 'https://code.claude.com/docs/en/memory',
+};
+
+module.exports = {
+  fs,
+  path,
+  collectClaudeDenyRules,
+  hasPromptInjectionDefenseGuidance,
+  hasMcpPromptInjectionDefenseGuidance,
+  hasInjectionDefenseHookConfigured,
+  getClaudeInstructionBundle,
+  getRepoInstructionBundle,
+  hasDocumentedVerificationGuidance,
+  hasDocumentedTestCommand,
+  hasDocumentedLintCommand,
+  hasDocumentedBuildCommand,
+  hasFrontendSignals,
+  getClaudeHookContents,
+  matchesPattern,
+  getProjectEntries,
+  getProjectFiles,
+  findProjectFiles,
+  hasProjectFile,
+  EXCLUDED_STACK_DIRS,
+  hasCoreProjectFile,
+  hasCoreRootFile,
+  readProjectFiles,
+  isPythonProject,
+  isGoProject,
+  isRustProject,
+  isJavaProject,
+  isFlutterProject,
+  isSwiftProject,
+  isKotlinProject,
+  isRubyProject,
+  isPhpProject,
+  isDotnetProject,
+  STACK_CATEGORY_DETECTORS,
+  getPythonFiles,
+  getMainPythonFiles,
+  getPythonProjectText,
+  getGoFiles,
+  getRustFiles,
+  getMainRustFiles,
+  getJavaFiles,
+  getMainJavaFiles,
+  getMainGoFiles,
+  getWorkflowContent,
+  getPreCommitContent,
+  getGoProjectText,
+  getRustProjectText,
+  getJavaBuildText,
+  getJavaProjectText,
+  getGoInterfaceBlocks,
+  countGoInterfaceMethods,
+  containsEmbeddedSecret,
+  attachSourceUrls,
+  buildSupplementalChecks,
+  resolveProjectStateReadPath,
+  CLAUDE_SUPPLEMENTAL_SOURCE_URLS,
+};