@nerviq/cli 1.10.0 → 1.12.0

package/src/adoption-advisor.js

@@ -0,0 +1,299 @@
+'use strict';
+
+const { getMcpPackPreflight } = require('./mcp-packs');
+
+const DECISION_ORDER = { adopt: 0, defer: 1, ignore: 2 };
+
+function unique(values) {
+  return [...new Set((values || []).filter(Boolean))];
+}
+
+function makeItem(item) {
+  return {
+    decision: item.decision,
+    kind: item.kind,
+    key: item.key,
+    label: item.label,
+    why: item.why,
+    evidence: unique(item.evidence),
+    prerequisites: unique(item.prerequisites),
+    expectedBenefit: item.expectedBenefit,
+    rollbackSafety: item.rollbackSafety,
+  };
+}
+
+function summarize(items = []) {
+  const counts = items.reduce((acc, item) => {
+    acc[item.decision] = (acc[item.decision] || 0) + 1;
+    return acc;
+  }, { adopt: 0, defer: 0, ignore: 0 });
+
+  return {
+    adopt: counts.adopt || 0,
+    defer: counts.defer || 0,
+    ignore: counts.ignore || 0,
+    label: `${counts.adopt || 0} adopt now / ${counts.defer || 0} defer / ${counts.ignore || 0} ignore`,
+  };
+}
+
+function inferMcpPackPrerequisites(pack, preflightEntry) {
+  const prerequisites = [];
+  if (preflightEntry && Array.isArray(preflightEntry.missingEnvVars) && preflightEntry.missingEnvVars.length > 0) {
+    prerequisites.push(`Provide required env vars: ${preflightEntry.missingEnvVars.join(', ')}`);
+  }
+
+  if (/Pass connection string as CLI argument/i.test(pack.adoption || '')) {
+    prerequisites.push('Provide a live connection string or DATABASE_URL before enabling this MCP pack.');
+  }
+
+  if (/Docker running locally/i.test(pack.adoption || '')) {
+    prerequisites.push('Docker must be running locally before this MCP pack is useful.');
+  }
+
+  if (/OAuth/i.test(pack.adoption || '')) {
+    prerequisites.push('Complete the OAuth or external auth setup before enabling this MCP pack in shared flows.');
+  }
+
+  if (/community-maintained/i.test(pack.adoption || '')) {
+    prerequisites.push('Review the package trust/update posture before enabling it in a wider team baseline.');
+  }
+
+  return unique(prerequisites);
+}
+
+function buildIgnoreItems(repoArchetype, operatingProfile, recommendedDomainPacks = []) {
+  const items = [];
+  const domainKeys = new Set((recommendedDomainPacks || []).map((pack) => pack.key));
+
+  if (operatingProfile.platformSupport.strategy === 'single-platform-baseline') {
+    items.push(makeItem({
+      decision: 'ignore',
+      kind: 'platform-expansion',
+      key: 'broad-platform-expansion',
+      label: 'Broad multi-platform expansion',
+      why: 'This repo should stabilize one governed primary platform before adding more AI surfaces.',
+      evidence: [
+        `Platform strategy: ${operatingProfile.platformSupport.strategy}`,
+        `Archetype: ${repoArchetype.label}`,
+      ],
+      prerequisites: [],
+      expectedBenefit: 'Prevents governance drift caused by widening the tool surface too early.',
+      rollbackSafety: 'Nothing is applied here; this is an intentional skip until the baseline matures.',
+    }));
+  }
+
+  if (repoArchetype.topology.key !== 'monorepo') {
+    items.push(makeItem({
+      decision: 'ignore',
+      kind: 'ci-shape',
+      key: 'workspace-pr-gate',
+      label: 'Workspace-aware PR gate',
+      why: 'Workspace-specific CI complexity does not match a non-monorepo repo shape.',
+      evidence: [
+        `Topology: ${repoArchetype.topology.label}`,
+        'No monorepo-specific governance surface is required.',
+      ],
+      prerequisites: [],
+      expectedBenefit: 'Keeps the operating model lean and aligned to the real repo topology.',
+      rollbackSafety: 'This is a deliberate skip; no cleanup is required.',
+    }));
+  }
+
+  if (repoArchetype.riskProfile.key !== 'regulated' && !domainKeys.has('regulated-lite') && !domainKeys.has('security-focused')) {
+    items.push(makeItem({
+      decision: 'ignore',
+      kind: 'governance-pack',
+      key: 'regulated-lite',
+      label: 'Regulated-lite governance overhead',
+      why: 'The repo does not show regulated or security-heavy signals strong enough to justify this heavier rollout pack.',
+      evidence: [
+        `Risk posture: ${repoArchetype.riskProfile.label}`,
+      ],
+      prerequisites: [],
+      expectedBenefit: 'Preserves a lighter rollout model and avoids over-governing normal product repos.',
+      rollbackSafety: 'This is a no-op skip; the repo can adopt a heavier pack later if evidence changes.',
+    }));
+  }
+
+  if (repoArchetype.stackFamily.key !== 'mobile' && !domainKeys.has('mobile')) {
+    items.push(makeItem({
+      decision: 'ignore',
+      kind: 'verification',
+      key: 'mobile-release-loop',
+      label: 'Mobile release workflow extras',
+      why: 'Mobile-only analyze/build workflow overhead should not be forced onto a non-mobile repo.',
+      evidence: [
+        `Stack family: ${repoArchetype.stackFamily.label}`,
+      ],
+      prerequisites: [],
+      expectedBenefit: 'Avoids irrelevant workflow ceremony and keeps verification recommendations credible.',
+      rollbackSafety: 'No rollback is needed because the capability is being intentionally skipped.',
+    }));
+  }
+
+  return items.slice(0, 3);
+}
+
+function buildAdoptionAdvisor(options) {
+  const {
+    platform,
+    repoArchetype,
+    recommendedOperatingProfile,
+    recommendedDomainPacks = [],
+    recommendedMcpPacks = [],
+    env = {},
+  } = options || {};
+
+  const items = [];
+  const mcpPreflightByKey = new Map(
+    getMcpPackPreflight((recommendedMcpPacks || []).map((pack) => pack.key), env).map((entry) => [entry.key, entry])
+  );
+
+  items.push(makeItem({
+    decision: 'adopt',
+    kind: 'platform-strategy',
+    key: recommendedOperatingProfile.platformSupport.strategy,
+    label: `Platform strategy: ${recommendedOperatingProfile.platformSupport.strategy}`,
+    why: recommendedOperatingProfile.platformSupport.why,
+    evidence: recommendedOperatingProfile.platformSupport.evidence,
+    prerequisites: recommendedOperatingProfile.platformSupport.prerequisites,
+    expectedBenefit: recommendedOperatingProfile.platformSupport.expectedBenefit,
+    rollbackSafety: recommendedOperatingProfile.platformSupport.rollbackSafety,
+  }));
+
+  if (recommendedOperatingProfile.platformSupport.optionalExpansion) {
+    items.push(makeItem({
+      decision: 'defer',
+      kind: 'platform-expansion',
+      key: `secondary-${recommendedOperatingProfile.platformSupport.optionalExpansion}`,
+      label: `Add ${recommendedOperatingProfile.platformSupport.optionalExpansion} as a secondary review surface`,
+      why: 'A secondary platform could help later, but the repo should stabilize its primary governed posture first.',
+      evidence: recommendedOperatingProfile.platformSupport.evidence,
+      prerequisites: [
+        'Capture tagged baseline and post-fix snapshots first.',
+        'Keep Harmony stable across the currently active platform surface.',
+      ],
+      expectedBenefit: 'Adds a complementary advisory surface only after the core posture is already reliable.',
+      rollbackSafety: 'Secondary platform expansion is optional and can be removed without changing the app codebase.',
+    }));
+  }
+
+  items.push(makeItem({
+    decision: 'adopt',
+    kind: 'permission-profile',
+    key: recommendedOperatingProfile.permissionProfile.key,
+    label: `Permission profile: ${recommendedOperatingProfile.permissionProfile.label}`,
+    why: recommendedOperatingProfile.permissionProfile.why,
+    evidence: recommendedOperatingProfile.permissionProfile.evidence,
+    prerequisites: recommendedOperatingProfile.permissionProfile.prerequisites,
+    expectedBenefit: recommendedOperatingProfile.permissionProfile.expectedBenefit,
+    rollbackSafety: recommendedOperatingProfile.permissionProfile.rollbackSafety,
+  }));
+
+  items.push(makeItem({
+    decision: 'adopt',
+    kind: 'governance-pack',
+    key: recommendedOperatingProfile.governancePack.key,
+    label: `Governance pack: ${recommendedOperatingProfile.governancePack.label}`,
+    why: recommendedOperatingProfile.governancePack.why,
+    evidence: recommendedOperatingProfile.governancePack.evidence,
+    prerequisites: recommendedOperatingProfile.governancePack.prerequisites,
+    expectedBenefit: recommendedOperatingProfile.governancePack.expectedBenefit,
+    rollbackSafety: recommendedOperatingProfile.governancePack.rollbackSafety,
+  }));
+
+  items.push(makeItem({
+    decision: 'adopt',
+    kind: 'hook-set',
+    key: 'starter-hooks',
+    label: `Starter hook set: ${recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`,
+    why: 'These hooks are the lowest-friction set that matches the repo trust boundary, logging needs, and review posture.',
+    evidence: unique(recommendedOperatingProfile.hooks.flatMap((hook) => hook.evidence || []).slice(0, 5)),
+    prerequisites: unique(recommendedOperatingProfile.hooks.flatMap((hook) => hook.prerequisites || [])),
+    expectedBenefit: 'Adds secret protection, trust-boundary checks, and durable change evidence without widening the product surface.',
+    rollbackSafety: 'Each hook can be removed independently from repo settings if it proves noisy.',
+  }));
+
+  items.push(makeItem({
+    decision: 'adopt',
+    kind: 'verification-loop',
+    key: recommendedOperatingProfile.verification.key,
+    label: `Verification loop: ${recommendedOperatingProfile.verification.label}`,
+    why: recommendedOperatingProfile.verification.why,
+    evidence: recommendedOperatingProfile.verification.evidence,
+    prerequisites: recommendedOperatingProfile.verification.prerequisites,
+    expectedBenefit: recommendedOperatingProfile.verification.expectedBenefit,
+    rollbackSafety: recommendedOperatingProfile.verification.rollbackSafety,
+  }));
+
+  items.push(makeItem({
+    decision: 'adopt',
+    kind: 'ci-shape',
+    key: recommendedOperatingProfile.ciShape.key,
+    label: `CI shape: ${recommendedOperatingProfile.ciShape.label}`,
+    why: recommendedOperatingProfile.ciShape.why,
+    evidence: recommendedOperatingProfile.ciShape.evidence,
+    prerequisites: recommendedOperatingProfile.ciShape.prerequisites,
+    expectedBenefit: recommendedOperatingProfile.ciShape.expectedBenefit,
+    rollbackSafety: recommendedOperatingProfile.ciShape.rollbackSafety,
+  }));
+
+  for (const pack of recommendedDomainPacks) {
+    items.push(makeItem({
+      decision: 'adopt',
+      kind: 'domain-pack',
+      key: pack.key,
+      label: `Domain pack: ${pack.label}`,
+      why: pack.useWhen,
+      evidence: unique([...(pack.matchReasons || []), `Archetype: ${repoArchetype.label}`]).slice(0, 5),
+      prerequisites: [
+        `Review the pack modules before applying them: ${(pack.recommendedModules || []).slice(0, 4).join(', ') || 'no starter modules listed'}`,
+      ],
+      expectedBenefit: (pack.benchmarkFocus || []).length > 0
+        ? `Improves Nerviq's relevance around ${pack.benchmarkFocus.slice(0, 3).join(', ')}.`
+        : 'Makes Nerviq recommendations more domain-aware for this repo.',
+      rollbackSafety: 'Domain packs are additive guidance. You can remove a pack from the recommended stack without rewriting the repo.',
+    }));
+  }
+
+  if (platform === 'claude') {
+    for (const pack of recommendedMcpPacks) {
+      const preflight = mcpPreflightByKey.get(pack.key);
+      const prerequisites = inferMcpPackPrerequisites(pack, preflight);
+      const decision = prerequisites.length > 0 ? 'defer' : 'adopt';
+      items.push(makeItem({
+        decision,
+        kind: 'mcp-pack',
+        key: pack.key,
+        label: `MCP pack: ${pack.label}`,
+        why: pack.useWhen,
+        evidence: unique([pack.adoption, `Repo archetype: ${repoArchetype.label}`]).slice(0, 4),
+        prerequisites,
+        expectedBenefit: pack.adoption,
+        rollbackSafety: 'MCP packs are optional integrations; they can be added or removed from settings without changing application source code.',
+      }));
+    }
+  }
+
+  items.push(...buildIgnoreItems(repoArchetype, recommendedOperatingProfile, recommendedDomainPacks));
+
+  const sorted = items
+    .sort((a, b) => {
+      const decisionDiff = (DECISION_ORDER[a.decision] || 99) - (DECISION_ORDER[b.decision] || 99);
+      if (decisionDiff !== 0) return decisionDiff;
+      return a.label.localeCompare(b.label);
+    })
+    .map((item, index) => ({
+      priority: index + 1,
+      ...item,
+    }));
+
+  return {
+    summary: summarize(sorted),
+    items: sorted,
+  };
+}
+
+module.exports = {
+  buildAdoptionAdvisor,
+};

package/src/aider/freshness.js

@@ -93,11 +93,11 @@ const PROPAGATION_CHECKLIST = [
 ];
 
 /**
- * Check release gate — are all P0 sources fresh?
- */
-function checkReleaseGate(overrides = {}) {
-  const now = new Date();
-  const results = P0_SOURCES.map(source => {
+ * Check release gate — are all P0 sources fresh?
+ */
+function checkReleaseGate(overrides = {}) {
+  const now = new Date();
+  const results = P0_SOURCES.map(source => {
     const verifiedAt = overrides[source.key] || source.verifiedAt;
     if (!verifiedAt) {
       return { ...source, status: 'unverified', daysStale: null };
@@ -114,26 +114,29 @@ function checkReleaseGate(overrides = {}) {
     };
   });
 
-  const allFresh = results.every(r => r.status === 'fresh');
-
-  return {
-    ready: allFresh,
-    results,
-    nerviqVersion: version,
-    checkedAt: now.toISOString(),
-  };
-}
-
-/**
- * Format release gate for display.
- */
-function formatReleaseGate(overrides = {}) {
-  const gateResult = checkReleaseGate(overrides);
-  const lines = [
-    `Aider Release Freshness Gate (nerviq v${version})`,
-    `Status: ${gateResult.ready ? 'READY' : 'NOT READY'}`,
-    '',
-  ];
+  const stale = results.filter((result) => result.status === 'stale' || result.status === 'unverified');
+  const fresh = results.filter((result) => result.status === 'fresh');
+  const allFresh = stale.length === 0;
+
+  return {
+    ready: allFresh,
+    stale,
+    fresh,
+    results,
+    nerviqVersion: version,
+    checkedAt: now.toISOString(),
+  };
+}
+
+/**
+ * Format release gate for display.
+ */
+function formatReleaseGate(gateResult) {
+  const lines = [
+    `Aider Release Freshness Gate (nerviq v${version})`,
+    `Status: ${gateResult.ready ? 'READY' : 'NOT READY'}`,
+    '',
+  ];
 
   for (const result of gateResult.results) {
     const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';

package/src/aider/techniques.js

@@ -19,10 +19,11 @@
  * Check ID prefix: AD-
  */
 
-const { containsEmbeddedSecret } = require('../secret-patterns');
-const { attachSourceUrls } = require('../source-urls');
-const { buildStackChecks } = require('../stack-checks');
-const { isApiProject, isDatabaseProject, isAuthProject, isMonitoringRelevant } = require('../supplemental-checks');
+const { containsEmbeddedSecret } = require('../secret-patterns');
+const { attachSourceUrls } = require('../source-urls');
+const { buildStackChecks } = require('../stack-checks');
+const { isApiProject, isDatabaseProject, isAuthProject, isMonitoringRelevant } = require('../supplemental-checks');
+const { hasCostBudgetOrUsageTracking } = require('../cost-tracking');
 
 const FILLER_PATTERNS = [
   /\bbe helpful\b/i,
@@ -1724,13 +1725,17 @@ const AIDER_TECHNIQUES = {
     fix: 'Set `cache-prompts: true` in .aider.conf.yml to reduce API costs.',
     template: 'aider-conf-yml', file: () => '.aider.conf.yml', line: () => null,
   },
-  aiderCostBudgetDefined: {
-    id: 'AD-T48', name: 'AI cost budget or usage limits documented',
-    check: (ctx) => { const docs = conventionContent(ctx) + (ctx.fileContent('README.md') || ''); if (!docs.trim()) return null; return /cost.{0,15}budget|spending.{0,15}limit|usage.{0,15}limit/i.test(docs); },
-    impact: 'low', rating: 2, category: 'cost-optimization',
-    fix: 'Document AI cost budget in README.md.',
-    template: null, file: () => 'README.md', line: () => null,
-  },
+  aiderCostBudgetDefined: {
+    id: 'AD-T48', name: 'AI cost budget or per-run usage tracking documented',
+    check: (ctx) => {
+      const docs = conventionContent(ctx) + (ctx.fileContent('README.md') || '');
+      if (!docs.trim() && !hasCostBudgetOrUsageTracking('', ctx)) return null;
+      return hasCostBudgetOrUsageTracking(docs, ctx);
+    },
+    impact: 'low', rating: 2, category: 'cost-optimization',
+    fix: 'Document AI cost guardrails or per-run usage tracking so Aider usage is visible run by run.',
+    template: null, file: () => 'README.md', line: () => null,
+  },
 
   // ============================================================
   // === PYTHON STACK CHECKS (category: 'python') ===============

package/src/analyze.js

@@ -11,6 +11,10 @@ const { STACKS } = require('./techniques');
 const { detectDomainPacks } = require('./domain-packs');
 const { detectCodexDomainPacks } = require('./codex/domain-packs');
 const { recommendMcpPacks } = require('./mcp-packs');
+const { collectClaudeDenyRules } = require('./permission-rules');
+const { buildRepoArchetypeProfile } = require('./repo-archetype');
+const { buildOperatingProfile } = require('./operating-profile');
+const { buildAdoptionAdvisor } = require('./adoption-advisor');
 
 const COLORS = {
   reset: '\x1b[0m',
@@ -101,6 +105,7 @@ function collectClaudeAssets(ctx) {
   const sharedSettings = ctx.jsonFile('.claude/settings.json');
   const localSettings = ctx.jsonFile('.claude/settings.local.json');
   const settings = sharedSettings || localSettings || null;
+  const denyRules = collectClaudeDenyRules(ctx);
 
   const assetFiles = {
     claudeMd: ctx.fileContent('CLAUDE.md') ? 'CLAUDE.md' : (ctx.fileContent('.claude/CLAUDE.md') ? '.claude/CLAUDE.md' : null),
@@ -129,7 +134,7 @@ function collectClaudeAssets(ctx) {
     },
     permissions: settings && settings.permissions ? {
       defaultMode: settings.permissions.defaultMode || null,
-      hasDenyRules: Array.isArray(settings.permissions.deny) && settings.permissions.deny.length > 0,
+      hasDenyRules: denyRules.length > 0,
     } : null,
     settingsSource: assetFiles.settings,
     summaryLine: `Commands: ${assetFiles.commands.length} | Rules: ${assetFiles.rules.length} | Hooks: ${assetFiles.hooks.length} | Agents: ${assetFiles.agents.length} | Skills: ${assetFiles.skills.length} | MCP servers: ${settings && settings.mcpServers ? Object.keys(settings.mcpServers).length : 0}`,
@@ -496,6 +501,30 @@ async function analyzeProject(options) {
     ? detectCodexDomainPacks(ctx, stacks, assets)
     : detectDomainPacks(ctx, stacks, assets);
   const recommendedMcpPacks = platform === 'claude' ? recommendMcpPacks(stacks, recommendedDomainPacks, { ctx, assets }) : [];
+  const repoArchetype = buildRepoArchetypeProfile({
+    ctx,
+    platform,
+    stacks,
+    assets,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+    maturity,
+  });
+  const recommendedOperatingProfile = buildOperatingProfile({
+    dir: options.dir,
+    platform,
+    repoArchetype,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+  });
+  const adoptionGuidance = buildAdoptionAdvisor({
+    platform,
+    repoArchetype,
+    recommendedOperatingProfile,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+    env: options.env || {},
+  });
 
   const report = {
     platform,
@@ -509,16 +538,28 @@ async function analyzeProject(options) {
       stacks: stacks.map(s => s.label),
       domains: recommendedDomainPacks.map(pack => pack.label),
       maturity,
+      archetype: repoArchetype.label,
+      workflow: repoArchetype.primaryWorkflow.label,
+      riskLevel: repoArchetype.riskProfile.label,
+      operatingProfile: recommendedOperatingProfile.label,
+      adoptionPlan: adoptionGuidance.summary.label,
       score: auditResult.score,
       organicScore: auditResult.organicScore,
       checkCount: auditResult.checkCount,
     },
     platformScopeNote: auditResult.platformScopeNote || null,
     platformCaveats: auditResult.platformCaveats || [],
+    repoArchetype,
+    recommendedOperatingProfile,
+    adoptionGuidance,
     detectedArchitecture: {
       repoType: stacks.length > 0 ? 'stack-detected repo' : 'generic repo',
       mainDirectories: mainDirs,
       stackSignals: stacks.map(s => s.key),
+      stackFamily: repoArchetype.stackFamily.label,
+      topology: repoArchetype.topology.label,
+      workflow: repoArchetype.primaryWorkflow.label,
+      riskLevel: repoArchetype.riskProfile.label,
     },
     existingPlatformAssets: assets,
     strengthsPreserved: toStrengths(auditResult.results),
@@ -583,11 +624,14 @@ function printAnalysis(report, options = {}) {
   } else {
     console.log(c(`  Platform: ${report.platformLabel}`, 'dim'));
   }
+  console.log(c(`  Archetype: ${report.repoArchetype.label} | Workflow: ${report.repoArchetype.primaryWorkflow.label} | Risk: ${report.repoArchetype.riskProfile.label}`, 'dim'));
   console.log(c(`  Maturity: ${report.projectSummary.maturity} | Score: ${report.projectSummary.score}/100 | Organic: ${report.projectSummary.organicScore}/100`, 'dim'));
   console.log('');
 
   console.log(c('  Detected Architecture', 'blue'));
+  console.log(c(`  Stack family: ${report.repoArchetype.stackFamily.label} | Topology: ${report.repoArchetype.topology.label} | Confidence: ${report.repoArchetype.confidence}`, 'dim'));
   console.log(c(`  Main directories: ${report.detectedArchitecture.mainDirectories.join(', ') || 'No strong structure detected yet'}`, 'dim'));
+  console.log(c(`  Signals: ${report.repoArchetype.signals.join(' | ') || 'No strong archetype signals yet'}`, 'dim'));
   console.log('');
 
   console.log(c(`  Existing ${report.existingPlatformAssets.label} Assets`, 'blue'));
@@ -681,6 +725,36 @@ function printAnalysis(report, options = {}) {
     console.log('');
   }
 
+  if (report.recommendedOperatingProfile) {
+    console.log(c('  Recommended Operating Profile', 'blue'));
+    console.log(`  ${report.recommendedOperatingProfile.label}`);
+    console.log(c(`  Permission: ${report.recommendedOperatingProfile.permissionProfile.label} | Governance pack: ${report.recommendedOperatingProfile.governancePack.label}`, 'dim'));
+    console.log(c(`  CI shape: ${report.recommendedOperatingProfile.ciShape.label} | Platforms: ${(report.recommendedOperatingProfile.platformSupport.recommended || []).join(', ') || report.platformLabel}`, 'dim'));
+    console.log(c(`  Hooks: ${report.recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`, 'dim'));
+    console.log(c(`  Verification: ${report.recommendedOperatingProfile.verification.required.join(', ')}`, 'dim'));
+    console.log('');
+  }
+
+  if (report.adoptionGuidance && Array.isArray(report.adoptionGuidance.items) && report.adoptionGuidance.items.length > 0) {
+    console.log(c('  Adopt / Defer / Ignore', 'blue'));
+    console.log(c(`  ${report.adoptionGuidance.summary.label}`, 'dim'));
+    const groups = [
+      ['adopt', 'Adopt now'],
+      ['defer', 'Defer until prerequisites are ready'],
+      ['ignore', 'Ignore for this repo shape'],
+    ];
+    for (const [decision, label] of groups) {
+      const items = report.adoptionGuidance.items.filter((item) => item.decision === decision).slice(0, 3);
+      if (items.length === 0) continue;
+      console.log(`  ${label}`);
+      for (const item of items) {
+        console.log(`    - ${item.label}`);
+        console.log(c(`      ${item.why}`, 'dim'));
+      }
+    }
+    console.log('');
+  }
+
   if (report.suggestedRolloutOrder.length > 0) {
     console.log(c('  Suggested Rollout Order', 'blue'));
     report.suggestedRolloutOrder.forEach((item, index) => {
@@ -708,6 +782,11 @@ function exportMarkdown(report) {
   if (report.platform === 'claude') {
     lines.push(`**Domain Packs:** ${report.projectSummary.domains.join(', ') || 'Baseline General'}`);
   }
+  lines.push(`**Archetype:** ${report.repoArchetype.label}`);
+  lines.push(`**Workflow:** ${report.repoArchetype.primaryWorkflow.label}`);
+  lines.push(`**Risk posture:** ${report.repoArchetype.riskProfile.label}`);
+  lines.push(`**Operating profile:** ${report.recommendedOperatingProfile.label}`);
+  lines.push(`**Adoption plan:** ${report.adoptionGuidance.summary.label}`);
   lines.push(`**Maturity:** ${report.projectSummary.maturity}`);
   lines.push('');
 
@@ -728,6 +807,57 @@ function exportMarkdown(report) {
   }
   lines.push('');
 
+  lines.push('## Repo Archetype');
+  lines.push('');
+  lines.push(`- **Label:** ${report.repoArchetype.label}`);
+  lines.push(`- **Summary:** ${report.repoArchetype.summary}`);
+  lines.push(`- **Stack family:** ${report.repoArchetype.stackFamily.label}`);
+  lines.push(`- **Topology:** ${report.repoArchetype.topology.label}`);
+  lines.push(`- **Primary workflow:** ${report.repoArchetype.primaryWorkflow.label}`);
+  lines.push(`- **Risk posture:** ${report.repoArchetype.riskProfile.label}`);
+  lines.push(`- **Confidence:** ${report.repoArchetype.confidence}`);
+  if (report.repoArchetype.signals.length > 0) {
+    lines.push(`- **Signals:** ${report.repoArchetype.signals.join(', ')}`);
+  }
+  lines.push('');
+
+  lines.push('## Recommended Operating Profile');
+  lines.push('');
+  lines.push(`- **Label:** ${report.recommendedOperatingProfile.label}`);
+  lines.push(`- **Summary:** ${report.recommendedOperatingProfile.summary}`);
+  lines.push(`- **Permission profile:** ${report.recommendedOperatingProfile.permissionProfile.label}`);
+  lines.push(`- **Governance pack:** ${report.recommendedOperatingProfile.governancePack.label}`);
+  lines.push(`- **Platform support:** ${(report.recommendedOperatingProfile.platformSupport.recommended || []).join(', ') || report.platformLabel}`);
+  if (report.recommendedOperatingProfile.platformSupport.optionalExpansion) {
+    lines.push(`- **Optional expansion:** ${report.recommendedOperatingProfile.platformSupport.optionalExpansion}`);
+  }
+  lines.push(`- **CI shape:** ${report.recommendedOperatingProfile.ciShape.label}`);
+  lines.push(`- **Verification:** ${report.recommendedOperatingProfile.verification.required.join(', ')}`);
+  lines.push(`- **Hooks:** ${report.recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`);
+  lines.push('');
+
+  lines.push('## Adopt / Defer / Ignore');
+  lines.push('');
+  const decisionGroups = [
+    ['adopt', 'Adopt now'],
+    ['defer', 'Defer'],
+    ['ignore', 'Ignore'],
+  ];
+  for (const [decision, label] of decisionGroups) {
+    const items = report.adoptionGuidance.items.filter((item) => item.decision === decision);
+    if (items.length === 0) continue;
+    lines.push(`### ${label}`);
+    lines.push('');
+    for (const item of items) {
+      lines.push(`- **${item.label}** — ${item.why}`);
+      lines.push(`  Evidence: ${item.evidence.join(' | ')}`);
+      lines.push(`  Prerequisites: ${item.prerequisites.length > 0 ? item.prerequisites.join(' | ') : 'None'}`);
+      lines.push(`  Expected benefit: ${item.expectedBenefit}`);
+      lines.push(`  Rollback safety: ${item.rollbackSafety}`);
+    }
+    lines.push('');
+  }
+
   if (report.strengthsPreserved.length > 0) {
     lines.push('## Strengths Preserved (don\'t change these)');
     lines.push('');

package/src/anti-patterns.js

@@ -8,6 +8,9 @@ const {
   hasDocumentedVerificationGuidance,
   hasDocumentedTestCommand,
 } = require('./instruction-surfaces');
+const { collectClaudeDenyRules } = require('./permission-rules');
+const { containsEmbeddedSecret } = require('./secret-patterns');
+const { containsPromptInjectionPattern } = require('./prompt-injection');
 
 const ANTI_PATTERNS = [
   {
@@ -32,7 +35,7 @@ const ANTI_PATTERNS = [
     detect: (ctx) => {
       const settings = ctx.jsonFile('.claude/settings.json') || ctx.jsonFile('.claude/settings.local.json');
       if (!settings || !settings.permissions) return true;
-      return !Array.isArray(settings.permissions.deny) || settings.permissions.deny.length === 0;
+      return collectClaudeDenyRules(ctx).length === 0;
     },
   },
   {
@@ -216,6 +219,18 @@ const ANTI_PATTERNS = [
       return !hasTestInMd && !hasTestScript;
     },
   },
+  {
+    id: 'AP023',
+    name: 'Suspicious prompt-injection phrases in repo instructions',
+    severity: 'high',
+    description: 'Instruction surfaces that say things like "ignore previous instructions", "bypass guardrails", or "score 100/100" create confusion and downstream trust problems, even when the static audit itself is not LLM-driven.',
+    platforms: ['claude', 'codex', 'cursor', 'windsurf', 'copilot', 'gemini', 'aider', 'opencode'],
+    fix: 'Remove adversarial phrases from repo instructions and replace them with an explicit trust-boundary note about treating repo/web/MCP content as untrusted data.',
+    detect: (ctx) => {
+      const content = getRepoInstructionBundle(ctx);
+      return containsPromptInjectionPattern(content);
+    },
+  },
   {
     id: 'AP015',
     name: 'All permissions allowed',
@@ -322,7 +337,7 @@ const ANTI_PATTERNS = [
       ];
       for (const file of hookFiles) {
         const content = ctx.fileContent(`.claude/hooks/${file}`) || '';
-        if (secretPatterns.some(p => p.test(content))) {
+        if (secretPatterns.some(p => p.test(content)) || containsEmbeddedSecret(content)) {
           return true;
         }
       }