npm - @nerviq/cli - Versions diffs - 1.11.0 → 1.12.0 - Mend

@nerviq/cli 1.11.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/README.md +97 -19
package/bin/cli.js +618 -182
package/package.json +2 -2
package/src/activity.js +49 -9
package/src/adoption-advisor.js +299 -0
package/src/aider/techniques.js +16 -11
package/src/analyze.js +128 -0
package/src/anti-patterns.js +13 -0
package/src/audit.js +97 -22
package/src/behavioral-drift.js +801 -0
package/src/continuous-ops.js +681 -0
package/src/cost-tracking.js +61 -0
package/src/cursor/techniques.js +17 -12
package/src/deep-review.js +83 -0
package/src/diff-only.js +280 -0
package/src/doctor.js +118 -55
package/src/governance.js +59 -43
package/src/hook-validation.js +342 -0
package/src/index.js +5 -0
package/src/integrations.js +42 -5
package/src/mcp-validation.js +337 -0
package/src/opencode/techniques.js +12 -7
package/src/operating-profile.js +574 -0
package/src/org.js +97 -13
package/src/plans.js +192 -8
package/src/platform-change-manifest.js +86 -0
package/src/policy-layers.js +210 -0
package/src/profiles.js +4 -1
package/src/prompt-injection.js +74 -0
package/src/repo-archetype.js +386 -0
package/src/setup.js +34 -0
package/src/source-urls.js +132 -132
package/src/supplemental-checks.js +13 -12
package/src/techniques/api.js +407 -0
package/src/techniques/automation.js +316 -0
package/src/techniques/compliance.js +257 -0
package/src/techniques/hygiene.js +294 -0
package/src/techniques/instructions.js +243 -0
package/src/techniques/observability.js +226 -0
package/src/techniques/optimization.js +142 -0
package/src/techniques/quality.js +317 -0
package/src/techniques/security.js +237 -0
package/src/techniques/shared.js +443 -0
package/src/techniques/stacks.js +2294 -0
package/src/techniques/tools.js +106 -0
package/src/techniques/workflow.js +413 -0
package/src/techniques.js +78 -5607
package/src/watch.js +18 -0
package/src/windsurf/techniques.js +17 -12

package/src/operating-profile.js ADDED Viewed

@@ -0,0 +1,574 @@
+'use strict';
+const { detectPlatforms } = require('./public-api');
+const { PERMISSION_PROFILES, HOOK_REGISTRY, POLICY_PACKS } = require('./governance');
+function unique(values) {
+  return [...new Set((values || []).filter(Boolean))];
+}
+function getProfile(key) {
+  return PERMISSION_PROFILES.find((profile) => profile.key === key) || PERMISSION_PROFILES[0];
+}
+function getPolicyPack(key) {
+  return POLICY_PACKS.find((pack) => pack.key === key) || POLICY_PACKS[0];
+}
+function getHook(key) {
+  return HOOK_REGISTRY.find((hook) => hook.key === key);
+}
+function buildEvidence(repoArchetype, recommendedDomainPacks = [], extras = []) {
+  const packLabels = (recommendedDomainPacks || []).map((pack) => pack.label).slice(0, 2);
+  return unique([
+    `Archetype: ${repoArchetype.label}`,
+    `Workflow: ${repoArchetype.primaryWorkflow.label}`,
+    `Risk: ${repoArchetype.riskProfile.label}`,
+    packLabels.length > 0 ? `Domain packs: ${packLabels.join(', ')}` : null,
+    ...(repoArchetype.signals || []).slice(0, 2),
+    ...extras,
+  ]).slice(0, 5);
+}
+function withExplainability(base, repoArchetype, recommendedDomainPacks, options = {}) {
+  const {
+    evidence = [],
+    prerequisites = [],
+    expectedBenefit = '',
+    rollbackSafety = '',
+  } = options;
+  return {
+    ...base,
+    why: base.rationale,
+    evidence: buildEvidence(repoArchetype, recommendedDomainPacks, evidence),
+    prerequisites: unique(prerequisites),
+    expectedBenefit,
+    rollbackSafety,
+  };
+}
+function buildDomainInfluence(repoArchetype, recommendedDomainPacks = [], recommendedMcpPacks = []) {
+  const keys = new Set((recommendedDomainPacks || []).map((pack) => pack.key));
+  const reasons = [];
+  const extraHooks = [];
+  let permissionOverride = null;
+  let governancePackOverride = null;
+  let verificationBias = null;
+  let ciShapeOverride = null;
+  if (keys.has('security-focused') || keys.has('regulated-lite')) {
+    permissionOverride = 'suggest-only';
+    governancePackOverride = 'regulated-lite';
+    reasons.push('Security-focused or regulated domain signals push the repo toward review-first posture.');
+  }
+  if (keys.has('enterprise-governed')) {
+    permissionOverride = 'suggest-only';
+    governancePackOverride = governancePackOverride || 'security-sensitive';
+    ciShapeOverride = 'governed-pr-gate';
+    extraHooks.push('trust-drift-check');
+    reasons.push('Enterprise-governed domain signals favor approvals, traceability, and trust-drift checks.');
+  }
+  if (keys.has('infra-platform') || keys.has('devops-cicd')) {
+    governancePackOverride = governancePackOverride || 'security-sensitive';
+    verificationBias = 'infra';
+    ciShapeOverride = ciShapeOverride || 'governed-pr-gate';
+    extraHooks.push('trust-drift-check');
+    reasons.push('Infra / CI domain signals increase the value of plan-first rollout and trust-drift validation.');
+  }
+  if (keys.has('ai-ml') || keys.has('data-pipeline')) {
+    verificationBias = 'pipeline';
+    reasons.push('Pipeline-oriented domains need repeatable verification and state-aware review loops.');
+  }
+  if (keys.has('mobile')) {
+    verificationBias = 'mobile';
+    reasons.push('Mobile domain signals shift the recommended loop toward analyze + build verification.');
+  }
+  if (keys.has('oss-library') || keys.has('docs-content')) {
+    permissionOverride = permissionOverride || 'suggest-only';
+    governancePackOverride = governancePackOverride || 'oss-friendly';
+    reasons.push('Contributor-sensitive or docs-heavy repos benefit from lighter review-first governance.');
+  }
+  if (keys.has('monorepo')) {
+    ciShapeOverride = 'workspace-pr-gate';
+    extraHooks.push('trust-drift-check');
+    reasons.push('Monorepo domain signals reinforce workspace-aware CI and drift checks.');
+  }
+  if (keys.has('ecommerce')) {
+    extraHooks.push('protect-secrets');
+    reasons.push('Commerce and payment surfaces justify extra secret-handling discipline.');
+  }
+  if ((recommendedMcpPacks || []).length >= 3) {
+    extraHooks.push('injection-defense');
+    reasons.push('Multi-MCP posture increases the value of trust-boundary hooks.');
+  }
+  if (repoArchetype.repoClass.key === 'mobile-app' && !verificationBias) {
+    verificationBias = 'mobile';
+  }
+  return {
+    keys,
+    reasons,
+    extraHooks: unique(extraHooks),
+    permissionOverride,
+    governancePackOverride,
+    verificationBias,
+    ciShapeOverride,
+  };
+}
+function recommendPlatformSupport(dir, platform, repoArchetype, recommendedDomainPacks = []) {
+  const current = detectPlatforms(dir);
+  const primary = current.length > 0 ? current[0] : platform;
+  const recommended = current.length > 0 ? current : [platform];
+  let strategy = 'single-platform-baseline';
+  let rationale = 'Start from one governed primary platform before widening the surface area.';
+  let optionalExpansion = null;
+  if (recommended.length >= 2) {
+    strategy = 'harmonize-current-platforms';
+    rationale = 'Multiple AI platforms are already active, so the main priority is keeping them aligned instead of adding more.';
+  } else if (repoArchetype.topology.key === 'monorepo' || repoArchetype.primaryWorkflow.key === 'governed-rollout' || repoArchetype.riskProfile.key === 'regulated') {
+    strategy = 'primary-plus-review-surface';
+    rationale = 'This repo benefits from one primary surface plus one secondary advisory/review surface once the baseline is stable.';
+    optionalExpansion = primary === 'codex' ? 'claude' : 'codex';
+  }
+  const base = {
+    current,
+    primary,
+    recommended,
+    strategy,
+    rationale,
+    optionalExpansion,
+  };
+  return withExplainability(base, repoArchetype, recommendedDomainPacks, {
+    evidence: [
+      current.length > 0 ? `Detected platforms: ${current.join(', ')}` : `No existing platform config found; defaulting to ${platform}`,
+    ],
+    prerequisites: current.length >= 2
+      ? ['Keep Harmony aligned before adding another platform surface.']
+      : ['Stabilize the primary platform baseline before widening the tool surface.'],
+    expectedBenefit: current.length >= 2
+      ? 'Keeps active AI surfaces aligned so governance and review flows do not drift apart.'
+      : 'Reduces setup sprawl by making one platform posture explicit before adding more.',
+    rollbackSafety: 'Platform strategy is advisory only. You can stay on the current primary surface or revert secondary additions without touching source code.',
+  });
+}
+function recommendPermissionProfile(repoArchetype, recommendedDomainPacks, domainInfluence) {
+  if (repoArchetype.riskProfile.key === 'elevated') {
+    return withExplainability({
+      profile: getProfile('read-only'),
+      rationale: 'Permissive runtime posture should be brought back under review before Nerviq writes into the repo.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Elevated-risk posture detected from repo signals.'].concat(domainInfluence.reasons),
+      prerequisites: ['Confirm discovery-only mode is acceptable for the next improvement pass.'],
+      expectedBenefit: 'Prevents Nerviq from modifying the repo while the trust boundary is still unclear.',
+      rollbackSafety: 'Switching back to a writable profile is a config-only change once the repo posture is explicit.',
+    });
+  }
+  if (domainInfluence.permissionOverride) {
+    const profile = getProfile(domainInfluence.permissionOverride);
+    return withExplainability({
+      profile,
+      rationale: `Domain signals make ${profile.label.toLowerCase()} the safest recommended baseline for this repo.`,
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: domainInfluence.reasons,
+      prerequisites: ['Keep proposal/export flows reviewable while adopting the recommended posture.'],
+      expectedBenefit: 'Aligns repo writes and review expectations to the domain risk and contributor model.',
+      rollbackSafety: 'Permission profiles are declarative. Move back to another profile once the repo proves it can support faster writes safely.',
+    });
+  }
+  if (repoArchetype.riskProfile.key === 'regulated' || repoArchetype.primaryWorkflow.key === 'governed-rollout') {
+    return withExplainability({
+      profile: getProfile('suggest-only'),
+      rationale: 'Governed or security-sensitive repos should begin from proposal/export flows instead of direct writes.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Governed rollout or regulated posture detected.'],
+      prerequisites: ['Use plan/export artifacts for any write-bearing rollout.'],
+      expectedBenefit: 'Creates a reviewable path to adoption without blocking analysis and planning.',
+      rollbackSafety: 'Profiles can be relaxed later without changing repo files.',
+    });
+  }
+  if (repoArchetype.maturity.key === 'none' || repoArchetype.maturity.key === 'starter') {
+    return withExplainability({
+      profile: getProfile('safe-write'),
+      rationale: 'Bootstrap repos need a writable baseline, but still with visible rollback and no overwrites.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Repo maturity is starter-level or missing governed assets.'],
+      prerequisites: ['Keep rollback artifacts enabled before broader apply flows.'],
+      expectedBenefit: 'Lets Nerviq establish a baseline quickly without flattening existing work.',
+      rollbackSafety: 'Safe-write preserves existing files and keeps rollback artifacts for removals.',
+    });
+  }
+  if (repoArchetype.repoClass.key === 'library-sdk' || repoArchetype.stackFamily.key === 'docs') {
+    return withExplainability({
+      profile: getProfile('suggest-only'),
+      rationale: 'Contributor-sensitive or docs-heavy repos benefit from review-first proposal flows.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Library or docs-oriented repo class detected.'],
+      prerequisites: ['Use human review as the merge gate for generated changes.'],
+      expectedBenefit: 'Protects external contributors from unexpected automation while keeping Nerviq useful.',
+      rollbackSafety: 'No direct writes are implied, so there is nothing operational to roll back.',
+    });
+  }
+  if (repoArchetype.repoClass.key === 'developer-tool' && repoArchetype.maturity.key === 'mature') {
+    return withExplainability({
+      profile: getProfile('power-user'),
+      rationale: 'Mature developer tooling repos can tolerate faster iteration once the baseline is already explicit.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Mature developer-tool repo detected.'],
+      prerequisites: ['Keep trust settings, hooks, and rollback flows explicit before widening autonomy.'],
+      expectedBenefit: 'Speeds iteration for maintainers who already have a stable governed baseline.',
+      rollbackSafety: 'Move back to safe-write or suggest-only if the broader autonomy level proves noisy.',
+    });
+  }
+  return withExplainability({
+    profile: getProfile('safe-write'),
+    rationale: 'A safe writable baseline is the default operating posture for product repos after first contact.',
+  }, repoArchetype, recommendedDomainPacks, {
+    evidence: domainInfluence.reasons,
+    prerequisites: ['Keep visible rollback and plan export available for non-trivial changes.'],
+    expectedBenefit: 'Lets the repo move from advisory mode into real guided setup work without bypassing guardrails.',
+    rollbackSafety: 'Safe-write avoids overwriting existing assets and keeps rollback visible.',
+  });
+}
+function recommendGovernancePack(repoArchetype, recommendedDomainPacks, domainInfluence) {
+  if (domainInfluence.governancePackOverride) {
+    const pack = getPolicyPack(domainInfluence.governancePackOverride);
+    return withExplainability({
+      pack,
+      rationale: `Domain signals make ${pack.label.toLowerCase()} the best governance baseline for this repo.`,
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: domainInfluence.reasons,
+      prerequisites: ['Apply the pack after confirming the repo owner agrees with the rollout style.'],
+      expectedBenefit: 'Narrows Nerviq to the modules and rollout posture that fit this repo instead of generic defaults.',
+      rollbackSafety: 'Policy packs are compositional. You can step back to a lighter pack without rewriting application code.',
+    });
+  }
+  if (repoArchetype.riskProfile.key === 'regulated') {
+    return withExplainability({
+      pack: getPolicyPack('regulated-lite'),
+      rationale: 'This repo needs auditable rollout defaults more than raw automation breadth.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Regulated risk posture detected.'],
+      prerequisites: ['Keep activity artifacts and rollback manifests in the rollout path.'],
+      expectedBenefit: 'Adds auditability without requiring a full enterprise control plane from day one.',
+      rollbackSafety: 'The pack changes the recommended rollout modules, not the application architecture.',
+    });
+  }
+  if (repoArchetype.repoClass.key === 'library-sdk' || repoArchetype.stackFamily.key === 'docs') {
+    return withExplainability({
+      pack: getPolicyPack('oss-friendly'),
+      rationale: 'Lower-footprint governance keeps contributor workflows reviewable without overfitting the repo.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Contributor-sensitive or docs-oriented repo detected.'],
+      prerequisites: ['Keep merge review human-owned for external-facing changes.'],
+      expectedBenefit: 'Preserves contributor friendliness while still making AI posture explicit.',
+      rollbackSafety: 'Reverting to baseline-engineering is a pack-level config change.',
+    });
+  }
+  if (repoArchetype.primaryWorkflow.key === 'governed-rollout') {
+    return withExplainability({
+      pack: getPolicyPack('security-sensitive'),
+      rationale: 'The workflow already points toward approvals, hooks, and reviewable rollout discipline.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Governed rollout workflow detected.'],
+      prerequisites: ['Confirm approvals and pre-merge review are real team behaviors, not just intent.'],
+      expectedBenefit: 'Matches governance modules to the way the repo is already being operated.',
+      rollbackSafety: 'You can drop back to baseline-engineering if the workflow proves lighter in practice.',
+    });
+  }
+  return withExplainability({
+    pack: getPolicyPack('baseline-engineering'),
+    rationale: 'A pragmatic engineering baseline is the best starting point for this repo shape.',
+  }, repoArchetype, recommendedDomainPacks, {
+    evidence: domainInfluence.reasons,
+    prerequisites: ['Confirm the repo wants a practical default before enabling domain-specific packs.'],
+    expectedBenefit: 'Provides a stable baseline without forcing heavier governance where it is not justified.',
+    rollbackSafety: 'Baseline packs are additive and can be swapped without touching product code.',
+  });
+}
+function recommendHooks(repoArchetype, recommendedDomainPacks, domainInfluence) {
+  const keys = ['protect-secrets', 'log-changes', 'session-init'];
+  if (repoArchetype.stackFamily.key !== 'docs') {
+    keys.push('on-edit-lint');
+  }
+  if (repoArchetype.workflowTraits.some((trait) => trait.key === 'tool-enriched')) {
+    keys.push('injection-defense');
+  }
+  if (repoArchetype.primaryWorkflow.key === 'governed-rollout' || repoArchetype.topology.key === 'monorepo') {
+    keys.push('trust-drift-check');
+  }
+  keys.push(...domainInfluence.extraHooks);
+  return unique(keys)
+    .map((key) => getHook(key))
+    .filter(Boolean)
+    .map((hook) => ({
+      key: hook.key,
+      label: hook.file,
+      triggerPoint: hook.triggerPoint,
+      matcher: hook.matcher || null,
+      risk: hook.risk,
+      rationale: hook.purpose,
+      why: hook.purpose,
+      evidence: buildEvidence(repoArchetype, recommendedDomainPacks, [
+        hook.matcher ? `Trigger matcher: ${hook.matcher}` : `Trigger point: ${hook.triggerPoint}`,
+      ].concat(domainInfluence.reasons)),
+      prerequisites: unique([
+        hook.triggerPoint === 'PostToolUse' ? 'Confirm the repo has the runtime/tooling needed for the hook script.' : null,
+        hook.triggerPoint === 'PreToolUse' ? 'Review the block rules before enabling the hook in a shared repo.' : null,
+        'Validate hook runtime health with `nerviq doctor` after registration.',
+      ]),
+      expectedBenefit: hook.purpose,
+      rollbackSafety: hook.rollbackPath,
+    }));
+}
+function recommendVerificationProfile(repoArchetype, recommendedDomainPacks, domainInfluence) {
+  const bias = domainInfluence.verificationBias || repoArchetype.stackFamily.key;
+  if (bias === 'mobile') {
+    return withExplainability({
+      key: 'mobile-release-loop',
+      label: 'Mobile release loop',
+      required: ['test', 'lint/analyze', 'build'],
+      optional: ['security-review'],
+      rationale: 'Mobile repos need correctness, platform analysis, and build verification before rollout.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: domainInfluence.reasons,
+      prerequisites: ['Document the concrete mobile test/analyze/build commands in repo instructions.'],
+      expectedBenefit: 'Catches platform-specific regressions before they turn into emulator or release surprises.',
+      rollbackSafety: 'Verification guidance is advisory and can be narrowed if the repo later proves lighter-weight.',
+    });
+  }
+  if (bias === 'infra') {
+    return withExplainability({
+      key: 'infra-change-loop',
+      label: 'Infra change loop',
+      required: ['lint', 'validate/plan', 'build'],
+      optional: ['security-review'],
+      rationale: 'Infrastructure repos need validation and dry-run style checks before operational changes land.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: domainInfluence.reasons,
+      prerequisites: ['Document validate/plan commands before enabling wider apply flows.'],
+      expectedBenefit: 'Shifts repo changes toward plan-first rollout and catches operational blast radius earlier.',
+      rollbackSafety: 'Verification loops can be narrowed later without undoing generated config.',
+    });
+  }
+  if (repoArchetype.stackFamily.key === 'docs') {
+    return withExplainability({
+      key: 'content-publish-loop',
+      label: 'Content publish loop',
+      required: ['build', 'link/content checks'],
+      optional: ['lint'],
+      rationale: 'Docs/content repos need publish safety more than heavy runtime verification.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Docs / content stack family detected.'],
+      prerequisites: ['Make the publish/build command explicit in repo instructions.'],
+      expectedBenefit: 'Keeps content repos fast while still protecting against broken docs deploys.',
+      rollbackSafety: 'This is guidance only; adding or removing checks does not mutate the repo automatically.',
+    });
+  }
+  if (bias === 'pipeline' || repoArchetype.stackFamily.key === 'data-ml') {
+    return withExplainability({
+      key: 'pipeline-verification-loop',
+      label: 'Pipeline verification loop',
+      required: ['test', 'lint', 'build'],
+      optional: ['security-review', 'data/pipeline smoke check'],
+      rationale: 'Data and ML repos still need code verification, but often also benefit from pipeline sanity checks.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: domainInfluence.reasons,
+      prerequisites: ['Define at least one lightweight pipeline smoke check if the repo owns jobs or model flows.'],
+      expectedBenefit: 'Protects repo correctness and catches broken pipeline assumptions before rollout.',
+      rollbackSafety: 'Pipeline smoke checks are additive and can be disabled without impacting baseline code generation.',
+    });
+  }
+  return withExplainability({
+    key: 'application-verification-loop',
+    label: 'Application verification loop',
+    required: ['test', 'lint', 'build'],
+    optional: repoArchetype.riskProfile.key === 'regulated' ? ['security-review'] : [],
+    rationale: 'Product repos should default to explicit test, lint, and build loops before completion.',
+  }, repoArchetype, recommendedDomainPacks, {
+    evidence: domainInfluence.reasons,
+    prerequisites: ['Document repo-specific test/lint/build commands if they are not already explicit.'],
+    expectedBenefit: 'Creates a predictable verification floor for day-to-day AI-assisted edits.',
+    rollbackSafety: 'Verification recommendations can be tuned over time without reworking repo structure.',
+  });
+}
+function recommendCiShape(repoArchetype, recommendedDomainPacks, domainInfluence) {
+  const ciBias = domainInfluence.ciShapeOverride;
+  if (repoArchetype.topology.key === 'monorepo' || ciBias === 'workspace-pr-gate') {
+    return withExplainability({
+      key: 'workspace-pr-gate',
+      label: 'Workspace-aware PR gate',
+      steps: [
+        'Run `nerviq audit --diff-only` in PRs for changed-file governance feedback',
+        'Run workspace-aware audits for touched packages before merge',
+        'Save tagged full snapshots on baseline and release checkpoints',
+      ],
+      rationale: 'Monorepos need scoped PR checks plus periodic full-root evidence.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Monorepo or workspace-oriented domain signals detected.'].concat(domainInfluence.reasons),
+      prerequisites: ['Adopt workspace-aware audit coverage before relying on per-package score semantics.'],
+      expectedBenefit: 'Keeps package-local drift visible without losing root governance posture.',
+      rollbackSafety: 'CI shape is an operating recommendation; you can revert to a simpler gate without touching product code.',
+    });
+  }
+  if (repoArchetype.primaryWorkflow.key === 'governed-rollout' || repoArchetype.riskProfile.key === 'regulated' || ciBias === 'governed-pr-gate') {
+    return withExplainability({
+      key: 'governed-pr-gate',
+      label: 'Governed PR gate',
+      steps: [
+        'Run `nerviq audit --diff-only` on PRs',
+        'Run a full `nerviq audit --threshold` check before merge or release',
+        'Use tagged snapshots (`baseline`, `post-fix`, `pre-release`) for traceable history',
+      ],
+      rationale: 'Governed repos need PR feedback plus full-posture evidence before risky changes are accepted.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: domainInfluence.reasons,
+      prerequisites: ['Make baseline and release snapshot milestones part of the merge process.'],
+      expectedBenefit: 'Turns Nerviq into a repeatable part of repo governance instead of a one-off setup step.',
+      rollbackSafety: 'CI shape is policy-level guidance and can be dialed back if the repo does not need full governed gates.',
+    });
+  }
+  if (repoArchetype.maturity.key === 'none' || repoArchetype.maturity.key === 'starter') {
+    return withExplainability({
+      key: 'bootstrap-ci',
+      label: 'Bootstrap CI baseline',
+      steps: [
+        'Start with a full `nerviq audit` on the default branch',
+        'Introduce `--diff-only` PR checks once the repo has a stable baseline',
+        'Capture a named baseline snapshot before broad apply flows',
+      ],
+      rationale: 'Early-stage repos need one stable baseline before diff-aware automation becomes meaningful.',
+    }, repoArchetype, recommendedDomainPacks, {
+      evidence: ['Starter or missing managed baseline detected.'],
+      prerequisites: ['Capture the first clean baseline snapshot before diff-only enforcement.'],
+      expectedBenefit: 'Avoids noisy CI by introducing governance incrementally instead of all at once.',
+      rollbackSafety: 'Bootstrap CI is intentionally minimal and can graduate into stronger gates later.',
+    });
+  }
+  return withExplainability({
+    key: 'standard-pr-gate',
+    label: 'Standard PR gate',
+    steps: [
+      'Use `nerviq audit --diff-only` for PR-level feedback',
+      'Run periodic full audits to keep score semantics grounded in live repo state',
+      'Capture tagged snapshots around major fixes or releases',
+    ],
+    rationale: 'The repo is ready for regular diff-aware checks plus scheduled full-posture verification.',
+  }, repoArchetype, recommendedDomainPacks, {
+    evidence: domainInfluence.reasons,
+    prerequisites: ['Keep periodic full audits scheduled so diff-only checks stay grounded.'],
+    expectedBenefit: 'Makes Nerviq part of the normal PR loop without requiring heavy governed rollout overhead.',
+    rollbackSafety: 'This operating mode can be tightened or relaxed as team habits change.',
+  });
+}
+function buildOperatingProfile(options) {
+  const {
+    dir,
+    platform,
+    repoArchetype,
+    recommendedDomainPacks = [],
+    recommendedMcpPacks = [],
+  } = options || {};
+  const domainInfluence = buildDomainInfluence(repoArchetype, recommendedDomainPacks, recommendedMcpPacks);
+  const platformSupport = recommendPlatformSupport(dir, platform, repoArchetype, recommendedDomainPacks);
+  const permission = recommendPermissionProfile(repoArchetype, recommendedDomainPacks, domainInfluence);
+  const governancePack = recommendGovernancePack(repoArchetype, recommendedDomainPacks, domainInfluence);
+  const hooks = recommendHooks(repoArchetype, recommendedDomainPacks, domainInfluence);
+  const verification = recommendVerificationProfile(repoArchetype, recommendedDomainPacks, domainInfluence);
+  const ciShape = recommendCiShape(repoArchetype, recommendedDomainPacks, domainInfluence);
+  const snapshotTags = repoArchetype.primaryWorkflow.key === 'governed-rollout'
+    ? ['baseline', 'post-fix', 'pre-release']
+    : ['baseline', 'post-fix'];
+  return {
+    key: `${repoArchetype.key}:${permission.profile.key}`,
+    label: `${repoArchetype.label} operating profile`,
+    summary: `Recommended posture: ${permission.profile.label}, ${ciShape.label.toLowerCase()}, and ${hooks.length} starter hooks for a ${repoArchetype.label.toLowerCase()}.`,
+    platformSupport,
+    permissionProfile: {
+      key: permission.profile.key,
+      label: permission.profile.label,
+      risk: permission.profile.risk,
+      rationale: permission.rationale,
+      why: permission.why,
+      evidence: permission.evidence,
+      prerequisites: permission.prerequisites,
+      expectedBenefit: permission.expectedBenefit,
+      rollbackSafety: permission.rollbackSafety,
+    },
+    governancePack: {
+      key: governancePack.pack.key,
+      label: governancePack.pack.label,
+      modules: governancePack.pack.modules,
+      rationale: governancePack.rationale,
+      why: governancePack.why,
+      evidence: governancePack.evidence,
+      prerequisites: governancePack.prerequisites,
+      expectedBenefit: governancePack.expectedBenefit,
+      rollbackSafety: governancePack.rollbackSafety,
+    },
+    hooks,
+    verification,
+    ciShape,
+    governanceDefaults: {
+      benchmarkBeforeApply: repoArchetype.riskProfile.key === 'regulated' || repoArchetype.maturity.key === 'mature',
+      exportPlanBeforeWrites: permission.profile.key !== 'safe-write' || repoArchetype.maturity.key !== 'none',
+      useDiffOnlyInPrs: ciShape.key !== 'bootstrap-ci',
+      harmonizePlatforms: platformSupport.current.length >= 2,
+      snapshotTags,
+      recommendedDomainPacks: recommendedDomainPacks.map((pack) => pack.key),
+      recommendedMcpPacks: recommendedMcpPacks.map((pack) => pack.key),
+    },
+    domainInfluence: {
+      keys: [...domainInfluence.keys],
+      reasons: domainInfluence.reasons,
+    },
+  };
+}
+module.exports = {
+  buildOperatingProfile,
+};