@nerviq/cli 1.11.0 → 1.12.0

package/src/analyze.js

@@ -12,6 +12,9 @@ const { detectDomainPacks } = require('./domain-packs');
 const { detectCodexDomainPacks } = require('./codex/domain-packs');
 const { recommendMcpPacks } = require('./mcp-packs');
 const { collectClaudeDenyRules } = require('./permission-rules');
+const { buildRepoArchetypeProfile } = require('./repo-archetype');
+const { buildOperatingProfile } = require('./operating-profile');
+const { buildAdoptionAdvisor } = require('./adoption-advisor');
 
 const COLORS = {
   reset: '\x1b[0m',
@@ -498,6 +501,30 @@ async function analyzeProject(options) {
     ? detectCodexDomainPacks(ctx, stacks, assets)
     : detectDomainPacks(ctx, stacks, assets);
   const recommendedMcpPacks = platform === 'claude' ? recommendMcpPacks(stacks, recommendedDomainPacks, { ctx, assets }) : [];
+  const repoArchetype = buildRepoArchetypeProfile({
+    ctx,
+    platform,
+    stacks,
+    assets,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+    maturity,
+  });
+  const recommendedOperatingProfile = buildOperatingProfile({
+    dir: options.dir,
+    platform,
+    repoArchetype,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+  });
+  const adoptionGuidance = buildAdoptionAdvisor({
+    platform,
+    repoArchetype,
+    recommendedOperatingProfile,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+    env: options.env || {},
+  });
 
   const report = {
     platform,
@@ -511,16 +538,28 @@ async function analyzeProject(options) {
       stacks: stacks.map(s => s.label),
       domains: recommendedDomainPacks.map(pack => pack.label),
       maturity,
+      archetype: repoArchetype.label,
+      workflow: repoArchetype.primaryWorkflow.label,
+      riskLevel: repoArchetype.riskProfile.label,
+      operatingProfile: recommendedOperatingProfile.label,
+      adoptionPlan: adoptionGuidance.summary.label,
       score: auditResult.score,
       organicScore: auditResult.organicScore,
       checkCount: auditResult.checkCount,
     },
     platformScopeNote: auditResult.platformScopeNote || null,
     platformCaveats: auditResult.platformCaveats || [],
+    repoArchetype,
+    recommendedOperatingProfile,
+    adoptionGuidance,
     detectedArchitecture: {
       repoType: stacks.length > 0 ? 'stack-detected repo' : 'generic repo',
       mainDirectories: mainDirs,
       stackSignals: stacks.map(s => s.key),
+      stackFamily: repoArchetype.stackFamily.label,
+      topology: repoArchetype.topology.label,
+      workflow: repoArchetype.primaryWorkflow.label,
+      riskLevel: repoArchetype.riskProfile.label,
     },
     existingPlatformAssets: assets,
     strengthsPreserved: toStrengths(auditResult.results),
@@ -585,11 +624,14 @@ function printAnalysis(report, options = {}) {
   } else {
     console.log(c(`  Platform: ${report.platformLabel}`, 'dim'));
   }
+  console.log(c(`  Archetype: ${report.repoArchetype.label} | Workflow: ${report.repoArchetype.primaryWorkflow.label} | Risk: ${report.repoArchetype.riskProfile.label}`, 'dim'));
   console.log(c(`  Maturity: ${report.projectSummary.maturity} | Score: ${report.projectSummary.score}/100 | Organic: ${report.projectSummary.organicScore}/100`, 'dim'));
   console.log('');
 
   console.log(c('  Detected Architecture', 'blue'));
+  console.log(c(`  Stack family: ${report.repoArchetype.stackFamily.label} | Topology: ${report.repoArchetype.topology.label} | Confidence: ${report.repoArchetype.confidence}`, 'dim'));
   console.log(c(`  Main directories: ${report.detectedArchitecture.mainDirectories.join(', ') || 'No strong structure detected yet'}`, 'dim'));
+  console.log(c(`  Signals: ${report.repoArchetype.signals.join(' | ') || 'No strong archetype signals yet'}`, 'dim'));
   console.log('');
 
   console.log(c(`  Existing ${report.existingPlatformAssets.label} Assets`, 'blue'));
@@ -683,6 +725,36 @@ function printAnalysis(report, options = {}) {
     console.log('');
   }
 
+  if (report.recommendedOperatingProfile) {
+    console.log(c('  Recommended Operating Profile', 'blue'));
+    console.log(`  ${report.recommendedOperatingProfile.label}`);
+    console.log(c(`  Permission: ${report.recommendedOperatingProfile.permissionProfile.label} | Governance pack: ${report.recommendedOperatingProfile.governancePack.label}`, 'dim'));
+    console.log(c(`  CI shape: ${report.recommendedOperatingProfile.ciShape.label} | Platforms: ${(report.recommendedOperatingProfile.platformSupport.recommended || []).join(', ') || report.platformLabel}`, 'dim'));
+    console.log(c(`  Hooks: ${report.recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`, 'dim'));
+    console.log(c(`  Verification: ${report.recommendedOperatingProfile.verification.required.join(', ')}`, 'dim'));
+    console.log('');
+  }
+
+  if (report.adoptionGuidance && Array.isArray(report.adoptionGuidance.items) && report.adoptionGuidance.items.length > 0) {
+    console.log(c('  Adopt / Defer / Ignore', 'blue'));
+    console.log(c(`  ${report.adoptionGuidance.summary.label}`, 'dim'));
+    const groups = [
+      ['adopt', 'Adopt now'],
+      ['defer', 'Defer until prerequisites are ready'],
+      ['ignore', 'Ignore for this repo shape'],
+    ];
+    for (const [decision, label] of groups) {
+      const items = report.adoptionGuidance.items.filter((item) => item.decision === decision).slice(0, 3);
+      if (items.length === 0) continue;
+      console.log(`  ${label}`);
+      for (const item of items) {
+        console.log(`    - ${item.label}`);
+        console.log(c(`      ${item.why}`, 'dim'));
+      }
+    }
+    console.log('');
+  }
+
   if (report.suggestedRolloutOrder.length > 0) {
     console.log(c('  Suggested Rollout Order', 'blue'));
     report.suggestedRolloutOrder.forEach((item, index) => {
@@ -710,6 +782,11 @@ function exportMarkdown(report) {
   if (report.platform === 'claude') {
     lines.push(`**Domain Packs:** ${report.projectSummary.domains.join(', ') || 'Baseline General'}`);
   }
+  lines.push(`**Archetype:** ${report.repoArchetype.label}`);
+  lines.push(`**Workflow:** ${report.repoArchetype.primaryWorkflow.label}`);
+  lines.push(`**Risk posture:** ${report.repoArchetype.riskProfile.label}`);
+  lines.push(`**Operating profile:** ${report.recommendedOperatingProfile.label}`);
+  lines.push(`**Adoption plan:** ${report.adoptionGuidance.summary.label}`);
   lines.push(`**Maturity:** ${report.projectSummary.maturity}`);
   lines.push('');
 
@@ -730,6 +807,57 @@ function exportMarkdown(report) {
   }
   lines.push('');
 
+  lines.push('## Repo Archetype');
+  lines.push('');
+  lines.push(`- **Label:** ${report.repoArchetype.label}`);
+  lines.push(`- **Summary:** ${report.repoArchetype.summary}`);
+  lines.push(`- **Stack family:** ${report.repoArchetype.stackFamily.label}`);
+  lines.push(`- **Topology:** ${report.repoArchetype.topology.label}`);
+  lines.push(`- **Primary workflow:** ${report.repoArchetype.primaryWorkflow.label}`);
+  lines.push(`- **Risk posture:** ${report.repoArchetype.riskProfile.label}`);
+  lines.push(`- **Confidence:** ${report.repoArchetype.confidence}`);
+  if (report.repoArchetype.signals.length > 0) {
+    lines.push(`- **Signals:** ${report.repoArchetype.signals.join(', ')}`);
+  }
+  lines.push('');
+
+  lines.push('## Recommended Operating Profile');
+  lines.push('');
+  lines.push(`- **Label:** ${report.recommendedOperatingProfile.label}`);
+  lines.push(`- **Summary:** ${report.recommendedOperatingProfile.summary}`);
+  lines.push(`- **Permission profile:** ${report.recommendedOperatingProfile.permissionProfile.label}`);
+  lines.push(`- **Governance pack:** ${report.recommendedOperatingProfile.governancePack.label}`);
+  lines.push(`- **Platform support:** ${(report.recommendedOperatingProfile.platformSupport.recommended || []).join(', ') || report.platformLabel}`);
+  if (report.recommendedOperatingProfile.platformSupport.optionalExpansion) {
+    lines.push(`- **Optional expansion:** ${report.recommendedOperatingProfile.platformSupport.optionalExpansion}`);
+  }
+  lines.push(`- **CI shape:** ${report.recommendedOperatingProfile.ciShape.label}`);
+  lines.push(`- **Verification:** ${report.recommendedOperatingProfile.verification.required.join(', ')}`);
+  lines.push(`- **Hooks:** ${report.recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`);
+  lines.push('');
+
+  lines.push('## Adopt / Defer / Ignore');
+  lines.push('');
+  const decisionGroups = [
+    ['adopt', 'Adopt now'],
+    ['defer', 'Defer'],
+    ['ignore', 'Ignore'],
+  ];
+  for (const [decision, label] of decisionGroups) {
+    const items = report.adoptionGuidance.items.filter((item) => item.decision === decision);
+    if (items.length === 0) continue;
+    lines.push(`### ${label}`);
+    lines.push('');
+    for (const item of items) {
+      lines.push(`- **${item.label}** — ${item.why}`);
+      lines.push(`  Evidence: ${item.evidence.join(' | ')}`);
+      lines.push(`  Prerequisites: ${item.prerequisites.length > 0 ? item.prerequisites.join(' | ') : 'None'}`);
+      lines.push(`  Expected benefit: ${item.expectedBenefit}`);
+      lines.push(`  Rollback safety: ${item.rollbackSafety}`);
+    }
+    lines.push('');
+  }
+
   if (report.strengthsPreserved.length > 0) {
     lines.push('## Strengths Preserved (don\'t change these)');
     lines.push('');

package/src/anti-patterns.js

@@ -10,6 +10,7 @@ const {
 } = require('./instruction-surfaces');
 const { collectClaudeDenyRules } = require('./permission-rules');
 const { containsEmbeddedSecret } = require('./secret-patterns');
+const { containsPromptInjectionPattern } = require('./prompt-injection');
 
 const ANTI_PATTERNS = [
   {
@@ -218,6 +219,18 @@ const ANTI_PATTERNS = [
       return !hasTestInMd && !hasTestScript;
     },
   },
+  {
+    id: 'AP023',
+    name: 'Suspicious prompt-injection phrases in repo instructions',
+    severity: 'high',
+    description: 'Instruction surfaces that say things like "ignore previous instructions", "bypass guardrails", or "score 100/100" create confusion and downstream trust problems, even when the static audit itself is not LLM-driven.',
+    platforms: ['claude', 'codex', 'cursor', 'windsurf', 'copilot', 'gemini', 'aider', 'opencode'],
+    fix: 'Remove adversarial phrases from repo instructions and replace them with an explicit trust-boundary note about treating repo/web/MCP content as untrusted data.',
+    detect: (ctx) => {
+      const content = getRepoInstructionBundle(ctx);
+      return containsPromptInjectionPattern(content);
+    },
+  },
   {
     id: 'AP015',
     name: 'All permissions allowed',

package/src/audit.js

@@ -64,8 +64,9 @@ function formatLocation(file, line) {
   return line ? `${file}:${line}` : file;
 }
 
-const IMPACT_ORDER = { critical: 3, high: 2, medium: 1, low: 0 };
-const WEIGHTS = { critical: 15, high: 10, medium: 5, low: 2 };
+const IMPACT_ORDER = { critical: 3, high: 2, medium: 1, low: 0 };
+const WEIGHTS = { critical: 15, high: 10, medium: 5, low: 2 };
+const SCORE_MILESTONES = [50, 70, 90, 100];
 const LARGE_INSTRUCTION_WARN_TOKENS = 12000;
 const LARGE_INSTRUCTION_SKIP_TOKENS = 240000;
 const CATEGORY_MODULES = {
@@ -659,7 +660,7 @@ function getRecommendationPriorityScore(item, outcomeSummaryByKey = {}, fpFeedba
   return raw * getFpFeedbackMultiplier(fpFeedbackByKey, item.key);
 }
 
-function buildTopNextActions(failed, limit = 5, outcomeSummaryByKey = {}, options = {}) {
+function buildTopNextActions(failed, limit = 5, outcomeSummaryByKey = {}, options = {}) {
   const pool = getPrioritizedFailed(failed);
   const fpByKey = options.fpFeedbackByKey || null;
 
@@ -724,11 +725,65 @@ function buildTopNextActions(failed, limit = 5, outcomeSummaryByKey = {}, option
         avgScoreDelta: feedback.avgScoreDelta,
       } : null,
     });
-    });
-}
-
-function computeCategoryScores(applicable, passed) {
-  const grouped = {};
+    });
+}
+
+function getNextScoreMilestone(score) {
+  return SCORE_MILESTONES.find((milestone) => score < milestone) || null;
+}
+
+function buildScoreCoaching({ score, earnedPoints, maxPoints, failed, outcomeSummaryByKey = {}, platform, fpFeedbackByKey = null }) {
+  if (!Array.isArray(failed) || failed.length === 0 || !Number.isFinite(maxPoints) || maxPoints <= 0) {
+    return null;
+  }
+
+  const nextMilestone = getNextScoreMilestone(score);
+  if (!nextMilestone) return null;
+
+  const targetEarnedPoints = Math.ceil((nextMilestone / 100) * maxPoints);
+  const pointsNeeded = Math.max(0, targetEarnedPoints - earnedPoints);
+  if (pointsNeeded <= 0) return null;
+
+  const rankedActions = buildTopNextActions(failed, failed.length, outcomeSummaryByKey, { platform, fpFeedbackByKey });
+  if (rankedActions.length === 0) return null;
+
+  const failedByKey = new Map(failed.map((item) => [item.key, item]));
+  const selected = [];
+  let recoveredPoints = 0;
+
+  for (const action of rankedActions) {
+    const source = failedByKey.get(action.key);
+    if (!source) continue;
+    selected.push({
+      key: source.key,
+      name: source.name,
+      impact: source.impact,
+      weight: WEIGHTS[source.impact] || 0,
+    });
+    recoveredPoints += WEIGHTS[source.impact] || 0;
+    if (recoveredPoints >= pointsNeeded) break;
+  }
+
+  if (selected.length === 0) return null;
+
+  const fixesNeeded = selected.length;
+  const projectedScore = Math.round(((earnedPoints + recoveredPoints) / maxPoints) * 100);
+  const summary = `You're ${fixesNeeded} ${fixesNeeded === 1 ? 'fix' : 'fixes'} away from ${nextMilestone}/100.`;
+
+  return {
+    currentScore: score,
+    nextMilestone,
+    pointsNeeded,
+    fixesNeeded,
+    projectedScore: Math.min(100, projectedScore),
+    summary,
+    recommendedKeys: selected.map((item) => item.key),
+    recommendedNames: selected.map((item) => item.name),
+  };
+}
+
+function computeCategoryScores(applicable, passed) {
+  const grouped = {};
 
   for (const item of applicable) {
     const category = item.category || 'unknown';
@@ -915,6 +970,9 @@ function printLiteAudit(result, dir) {
     scoreExplanation = t('audit.early');
   }
   console.log(colorize(`  ${scoreExplanation}`, 'dim'));
+  if (result.scoreCoaching) {
+    console.log(colorize(`  Milestone: ${result.scoreCoaching.summary}`, 'magenta'));
+  }
   console.log(colorize('  Score type: live repo audit (current files only, not snapshot history or benchmark projection).', 'dim'));
 
   if (result.platformScopeNote) {
@@ -1159,7 +1217,7 @@ async function audit(options) {
   const recommendedDomainPacks = spec.platform === 'codex'
     ? detectCodexDomainPacks(ctx, stacks, getCodexDomainPackSignals(ctx))
     : [];
-  const result = {
+  const result = {
     platform: spec.platform,
     platformLabel: spec.platformLabel,
     platformVersion: spec.platformVersion,
@@ -1182,9 +1240,18 @@ async function audit(options) {
       deprecatedReason: r.deprecatedReason || null,
       sunsetDate: r.sunsetDate || null,
     })),
-    categoryScores,
-    quickWins: quickWins.map(({ key, name, impact, fix, category, sourceUrl }) => ({ key, name, impact, category, fix, sourceUrl })),
-    topNextActions,
+    categoryScores,
+    scoreCoaching: buildScoreCoaching({
+      score,
+      earnedPoints: earnedScore,
+      maxPoints: maxScore,
+      failed,
+      outcomeSummaryByKey: outcomeSummary.byKey,
+      platform: spec.platform,
+      fpFeedbackByKey: fpFeedback.byKey,
+    }),
+    quickWins: quickWins.map(({ key, name, impact, fix, category, sourceUrl }) => ({ key, name, impact, category, fix, sourceUrl })),
+    topNextActions,
     recommendationOutcomes: {
       totalEntries: outcomeSummary.totalEntries,
       keysTracked: outcomeSummary.keys,
@@ -1214,11 +1281,12 @@ async function audit(options) {
   result.detectedConfigFiles = configFiles;
 
   result.suggestedNextCommand = inferSuggestedNextCommand(result);
-  result.liteSummary = {
-    topNextActions: topNextActions.slice(0, 3),
-    nextCommand: result.suggestedNextCommand,
-    platformCaveats: platformCaveats.slice(0, 2),
-  };
+  result.liteSummary = {
+    topNextActions: topNextActions.slice(0, 3),
+    nextCommand: result.suggestedNextCommand,
+    platformCaveats: platformCaveats.slice(0, 2),
+    scoreCoaching: result.scoreCoaching,
+  };
 
   // Silent mode: skip all output, just return result
   if (silent) {
@@ -1313,11 +1381,18 @@ async function audit(options) {
   console.log('');
 
   // Score
-  console.log(`  ${progressBar(score)} ${colorize(`${score}/100`, 'bold')}`);
-  if (isScaffolded && scaffoldedPassed.length > 0) {
-    console.log(colorize(`  Organic: ${organicScore}/100 (without nerviq generated files)`, 'dim'));
-  }
-  console.log('');
+  console.log(`  ${progressBar(score)} ${colorize(`${score}/100`, 'bold')}`);
+  if (isScaffolded && scaffoldedPassed.length > 0) {
+    console.log(colorize(`  Organic: ${organicScore}/100 (without nerviq generated files)`, 'dim'));
+  }
+  if (result.scoreCoaching) {
+    const fastestPath = result.scoreCoaching.recommendedNames.slice(0, 3).join(', ');
+    console.log(colorize(`  Milestone: ${result.scoreCoaching.summary}`, 'magenta'));
+    if (fastestPath) {
+      console.log(colorize(`  Fastest path: ${fastestPath}`, 'dim'));
+    }
+  }
+  console.log('');
 
   // Passed
   if (passed.length > 0) {