@nerviq/cli 1.11.0 → 1.13.0

package/src/org.js

@@ -1,48 +1,119 @@
 const fs = require('fs');
 const path = require('path');
+const { resolvePolicyLayers, applyPolicyLayersToOptions } = require('./policy-layers');
 
-async function scanOrg(dirs, platform = 'claude') {
+function summarizePolicyCoverage(contract) {
+  const validLayers = (contract?.layers || []).filter((layer) => layer.valid);
+  return {
+    layerCount: validLayers.length,
+    layerKeys: validLayers.map((layer) => layer.layer),
+    org: validLayers.some((layer) => layer.layer === 'org'),
+    team: validLayers.some((layer) => layer.layer === 'team'),
+    repo: validLayers.some((layer) => layer.layer === 'repo'),
+  };
+}
+
+function buildScoreBands(repos) {
+  const bands = {
+    strong: 0,
+    developing: 0,
+    bootstrap: 0,
+    unknown: 0,
+  };
+
+  for (const repo of repos) {
+    if (typeof repo.score !== 'number') {
+      bands.unknown += 1;
+    } else if (repo.score >= 70) {
+      bands.strong += 1;
+    } else if (repo.score >= 40) {
+      bands.developing += 1;
+    } else {
+      bands.bootstrap += 1;
+    }
+  }
+
+  return bands;
+}
+
+function buildTopEvidence(repos) {
+  const counts = new Map();
+  for (const repo of repos) {
+    const key = repo.topActionKey;
+    if (!key) continue;
+    counts.set(key, (counts.get(key) || 0) + 1);
+  }
+
+  return [...counts.entries()]
+    .map(([key, repoCount]) => ({ key, repoCount }))
+    .sort((a, b) => b.repoCount - a.repoCount)
+    .slice(0, 5);
+}
+
+async function scanOrg(dirs, options = {}) {
   const { audit } = require('./audit');
   const targets = Array.isArray(dirs) ? dirs : [];
   const repos = [];
+  const fallbackPlatform = options.platform || 'claude';
 
   for (const dir of targets) {
-    const resolved = path.resolve(dir);
-    if (!fs.existsSync(resolved)) {
+    const resolvedDir = path.resolve(dir);
+    const policyContract = resolvePolicyLayers(resolvedDir);
+    const policyCoverage = summarizePolicyCoverage(policyContract);
+
+    if (!fs.existsSync(resolvedDir)) {
       repos.push({
         name: path.basename(dir),
-        dir: resolved,
-        platform,
+        dir: resolvedDir,
+        platform: fallbackPlatform,
+        scoreType: 'live-repo-audit-score',
         score: null,
         passed: 0,
         total: 0,
         topAction: null,
+        topActionKey: null,
+        policyCoverage,
+        policyLayers: policyContract,
         error: 'directory not found',
       });
       continue;
     }
 
+    const repoOptions = applyPolicyLayersToOptions(policyContract, {
+      ...options,
+      dir: resolvedDir,
+      silent: true,
+    });
+
     try {
-      const result = await audit({ dir: resolved, platform, silent: true });
+      const result = await audit(repoOptions);
       repos.push({
-        name: path.basename(resolved),
-        dir: resolved,
-        platform,
+        name: path.basename(resolvedDir),
+        dir: resolvedDir,
+        platform: repoOptions.platform || fallbackPlatform,
+        scoreType: 'live-repo-audit-score',
         score: result.score,
         passed: result.passed,
         total: result.checkCount,
         topAction: result.topNextActions?.[0]?.name || null,
+        topActionKey: result.topNextActions?.[0]?.key || null,
+        policyCoverage,
+        policyLayers: policyContract,
         result,
       });
     } catch (error) {
       repos.push({
-        name: path.basename(resolved),
-        dir: resolved,
-        platform,
+        name: path.basename(resolvedDir),
+        dir: resolvedDir,
+        platform: repoOptions.platform || fallbackPlatform,
+        scoreType: 'live-repo-audit-score',
         score: null,
         passed: 0,
         total: 0,
         topAction: null,
+        topActionKey: null,
+        policyCoverage,
+        policyLayers: policyContract,
         error: error.message,
       });
     }
@@ -54,11 +125,24 @@ async function scanOrg(dirs, platform = 'claude') {
     : 0;
 
   return {
-    platform,
+    platform: fallbackPlatform,
     repoCount: repos.length,
     averageScore,
+    scoreType: 'org-live-average-score',
+    scoreSemantics: {
+      repoScoreType: 'live-repo-audit-score',
+      rollupScoreType: 'org-live-average-score',
+      note: 'Repo rows are live per-repo audits. The org average is a rollup across those live repo scores, not a snapshot score or benchmark projection.',
+    },
     maxScore: validScores.length > 0 ? Math.max(...validScores) : 0,
     minScore: validScores.length > 0 ? Math.min(...validScores) : 0,
+    scoreBands: buildScoreBands(repos),
+    policyCoverage: {
+      orgPolicyRepos: repos.filter((repo) => repo.policyCoverage.org).length,
+      teamPolicyRepos: repos.filter((repo) => repo.policyCoverage.team).length,
+      repoPolicyRepos: repos.filter((repo) => repo.policyCoverage.repo).length,
+    },
+    topEvidence: buildTopEvidence(repos),
     repos,
   };
 }

package/src/plans.js

@@ -59,6 +59,32 @@ const FALLBACK_TEMPLATE_BY_KEY = {
   agentsHaveMaxTurns: 'agents',
 };
 
+const VERIFICATION_TRIGGER_KEYS = new Set([
+  'verificationLoop',
+  'testCommand',
+  'lintCommand',
+  'buildCommand',
+]);
+
+const GOVERNANCE_TRIGGER_KEYS = new Set([
+  'permissionDeny',
+  'secretsProtection',
+  'preToolUseHook',
+  'postToolUseHook',
+  'sessionStartHook',
+  'hooksInSettings',
+  'settingsPermissions',
+  'securityReview',
+]);
+
+const AUTOMATION_TRIGGER_KEYS = new Set([
+  'customCommands',
+  'skills',
+  'agents',
+  'multipleAgents',
+  'multipleMcpServers',
+]);
+
 function previewContent(content) {
   return content.split('\n').slice(0, 12).join('\n');
 }
@@ -372,9 +398,140 @@ function toProposal(templateKey, triggers, templateFiles, ctx) {
   };
 }
 
+function proposalMatchesTriggerKeys(proposal, keySet) {
+  return (proposal.triggers || []).some((trigger) => keySet.has(trigger.key));
+}
+
+function collectCampaignProposals(proposals, predicate) {
+  return proposals.filter((proposal) => proposal.readyToApply && predicate(proposal));
+}
+
+function buildCampaigns(bundle) {
+  const proposals = Array.isArray(bundle?.proposals) ? bundle.proposals : [];
+  const campaigns = [];
+  const maturity = bundle?.projectSummary?.maturity || 'unknown';
+
+  const starterBaseline = collectCampaignProposals(
+    proposals,
+    (proposal) => ['claude-md', 'commands', 'rules', 'hooks', 'agents'].includes(proposal.id),
+  );
+  if (starterBaseline.length > 0) {
+    campaigns.push({
+      key: 'starter-baseline',
+      label: 'Starter baseline',
+      summary: 'Establish the managed baseline surfaces Nerviq expects before deeper upgrades.',
+      proposalIds: starterBaseline.map((proposal) => proposal.id),
+      milestone: maturity === 'mature' ? 'pre-upgrade' : 'baseline',
+      focusAreas: ['config-drift', 'maturity-opportunity'],
+    });
+  }
+
+  const verificationClosure = collectCampaignProposals(
+    proposals,
+    (proposal) => proposalMatchesTriggerKeys(proposal, VERIFICATION_TRIGGER_KEYS),
+  );
+  if (verificationClosure.length > 0) {
+    campaigns.push({
+      key: 'verification-closure',
+      label: 'Verification closure',
+      summary: 'Close missing test/lint/build loops so audits can be verified continuously.',
+      proposalIds: verificationClosure.map((proposal) => proposal.id),
+      milestone: 'post-fix',
+      focusAreas: ['config-drift', 'maturity-opportunity'],
+    });
+  }
+
+  const governanceHardening = collectCampaignProposals(
+    proposals,
+    (proposal) => proposal.id === 'hooks' || proposalMatchesTriggerKeys(proposal, GOVERNANCE_TRIGGER_KEYS),
+  );
+  if (governanceHardening.length > 0) {
+    campaigns.push({
+      key: 'governance-hardening',
+      label: 'Governance hardening',
+      summary: 'Tighten permissions, hooks, secret protection, and reviewable safety defaults.',
+      proposalIds: governanceHardening.map((proposal) => proposal.id),
+      milestone: 'pre-upgrade',
+      focusAreas: ['policy-drift', 'config-drift'],
+    });
+  }
+
+  const reviewableAutomation = collectCampaignProposals(
+    proposals,
+    (proposal) => proposal.id === 'agents' || proposal.id === 'commands' || proposalMatchesTriggerKeys(proposal, AUTOMATION_TRIGGER_KEYS),
+  );
+  if (reviewableAutomation.length > 0) {
+    campaigns.push({
+      key: 'reviewable-automation',
+      label: 'Reviewable automation',
+      summary: 'Add automation surfaces that keep upgrades inspectable instead of ad-hoc.',
+      proposalIds: reviewableAutomation.map((proposal) => proposal.id),
+      milestone: 'pre-upgrade',
+      focusAreas: ['maturity-opportunity', 'config-drift'],
+    });
+  }
+
+  return campaigns.filter((campaign, index, all) =>
+    all.findIndex((item) => item.key === campaign.key) === index,
+  );
+}
+
+function filterBundleByCampaigns(bundle, campaignKeys = []) {
+  if (!Array.isArray(campaignKeys) || campaignKeys.length === 0) {
+    return bundle;
+  }
+
+  const available = new Map((bundle.campaigns || []).map((campaign) => [campaign.key, campaign]));
+  const missing = campaignKeys.filter((key) => !available.has(key));
+  if (missing.length > 0) {
+    throw new Error(`unknown campaign(s): ${missing.join(', ')}`);
+  }
+
+  const selectedIds = new Set();
+  for (const key of campaignKeys) {
+    for (const proposalId of available.get(key).proposalIds || []) {
+      selectedIds.add(proposalId);
+    }
+  }
+
+  return {
+    ...bundle,
+    selectedCampaigns: campaignKeys,
+    proposals: bundle.proposals.filter((proposal) => selectedIds.has(proposal.id)),
+    campaigns: (bundle.campaigns || []).filter((campaign) => campaignKeys.includes(campaign.key)),
+  };
+}
+
+function resolveSelectionSet(bundle, options = {}) {
+  const proposalIds = new Set((bundle.proposals || []).map((proposal) => proposal.id));
+  const onlySet = options.only && options.only.length > 0 ? new Set(options.only) : null;
+  const campaignSet = options.campaigns && options.campaigns.length > 0
+    ? new Set((bundle.campaigns || []).flatMap((campaign) => {
+      if (!options.campaigns.includes(campaign.key)) return [];
+      return campaign.proposalIds || [];
+    }))
+    : null;
+
+  if (onlySet && campaignSet) {
+    return new Set([...onlySet].filter((proposalId) => campaignSet.has(proposalId) && proposalIds.has(proposalId)));
+  }
+  if (onlySet) {
+    return new Set([...onlySet].filter((proposalId) => proposalIds.has(proposalId)));
+  }
+  if (campaignSet) {
+    return new Set([...campaignSet].filter((proposalId) => proposalIds.has(proposalId)));
+  }
+
+  return null;
+}
+
 async function buildProposalBundle(options) {
   if (options.platform === 'codex') {
-    return buildCodexProposalBundle(options);
+    const bundle = await buildCodexProposalBundle(options);
+    return filterBundleByCampaigns({
+      ...bundle,
+      campaigns: buildCampaigns(bundle),
+    }, options.campaigns);
   }
 
   const ctx = new ProjectContext(options.dir);
@@ -405,7 +562,7 @@ async function buildProposalBundle(options) {
     return impactB - impactA;
   });
 
-  return {
+  return filterBundleByCampaigns({
     schemaVersion: 1,
     generatedBy: `nerviq@${version}`,
     createdAt: new Date().toISOString(),
@@ -416,7 +573,8 @@ async function buildProposalBundle(options) {
     riskNotes: report.riskNotes,
     mcpPreflightWarnings,
     proposals,
-  };
+    campaigns: buildCampaigns({ proposals, projectSummary: report.projectSummary }),
+  }, options.campaigns);
 }
 
 function printProposalBundle(bundle, options = {}) {
@@ -429,8 +587,19 @@ function printProposalBundle(bundle, options = {}) {
   console.log('  nerviq plan');
   console.log('  ═══════════════════════════════════════');
   console.log(`  ${bundle.projectSummary.name} | maturity=${bundle.projectSummary.maturity} | score=${bundle.projectSummary.score}/100`);
+  if (bundle.projectSummary.archetype) {
+    console.log(`  archetype=${bundle.projectSummary.archetype} | workflow=${bundle.projectSummary.workflow || 'unknown'} | risk=${bundle.projectSummary.riskLevel || 'unknown'}`);
+  }
+  if (bundle.projectSummary.operatingProfile) {
+    console.log(`  operating-profile=${bundle.projectSummary.operatingProfile}`);
+  }
   console.log('');
 
+  if (bundle.selectedCampaigns && bundle.selectedCampaigns.length > 0) {
+    console.log(`  Selected campaigns: ${bundle.selectedCampaigns.join(', ')}`);
+    console.log('');
+  }
+
   if (bundle.mcpPreflightWarnings && bundle.mcpPreflightWarnings.length > 0) {
     console.log('  MCP Preflight Warnings');
     for (const warning of bundle.mcpPreflightWarnings) {
@@ -445,6 +614,16 @@ function printProposalBundle(bundle, options = {}) {
     return;
   }
 
+  if (bundle.campaigns && bundle.campaigns.length > 0) {
+    console.log('  Upgrade campaigns');
+    for (const campaign of bundle.campaigns) {
+      console.log(`  - ${campaign.key} (${campaign.milestone})`);
+      console.log(`    ${campaign.label} — ${campaign.summary}`);
+      console.log(`    proposals: ${campaign.proposalIds.join(', ')}`);
+    }
+    console.log('');
+  }
+
   console.log('  Proposal Bundles');
   for (const proposal of bundle.proposals) {
     const applyState = proposal.readyToApply ? 'ready' : 'manual-review';
@@ -536,9 +715,12 @@ function applyRuntimeSettingsOverlays(bundle, options) {
 
 function resolvePlan(bundle, options) {
   if (options.planFile) {
-    return applyRuntimeSettingsOverlays(JSON.parse(fs.readFileSync(options.planFile, 'utf8')), options);
+    return filterBundleByCampaigns(
+      applyRuntimeSettingsOverlays(JSON.parse(fs.readFileSync(options.planFile, 'utf8')), options),
+      options.campaigns,
+    );
   }
-  return applyRuntimeSettingsOverlays(bundle, options);
+  return filterBundleByCampaigns(applyRuntimeSettingsOverlays(bundle, options), options.campaigns);
 }
 
 async function applyProposalBundle(options) {
@@ -546,9 +728,7 @@ async function applyProposalBundle(options) {
   const bundle = resolvePlan(liveBundle, options);
   const mcpPreflightWarnings = getMcpPackPreflight(options.mcpPacks || [])
     .filter(item => item.missingEnvVars.length > 0);
-  const selectedIds = options.only && options.only.length > 0
-    ? new Set(options.only)
-    : null;
+  const selectedIds = resolveSelectionSet(bundle, options);
   const selected = bundle.proposals.filter(proposal => {
     if (selectedIds && !selectedIds.has(proposal.id)) return false;
     return proposal.readyToApply;
@@ -606,6 +786,7 @@ async function applyProposalBundle(options) {
   return {
     proposalCount: bundle.proposals.length,
     appliedProposalIds: selected.map(item => item.id),
+    selectedCampaigns: bundle.selectedCampaigns || options.campaigns || [],
     createdFiles,
     patchedFiles: patchedFiles.map(file => file.path),
     skippedFiles,
@@ -629,6 +810,9 @@ function printApplyResult(result, options = {}) {
     console.log('  Dry-run only. No files were written.');
   }
   console.log(`  Applied proposal bundles: ${result.appliedProposalIds.join(', ') || 'none'}`);
+  if (result.selectedCampaigns && result.selectedCampaigns.length > 0) {
+    console.log(`  Campaigns: ${result.selectedCampaigns.join(', ')}`);
+  }
   console.log(`  Created files: ${result.createdFiles.join(', ') || 'none'}`);
   console.log(`  Patched files: ${result.patchedFiles.join(', ') || 'none'}`);
   if (result.mcpPreflightWarnings && result.mcpPreflightWarnings.length > 0) {

package/src/platform-change-manifest.js

@@ -0,0 +1,86 @@
+'use strict';
+
+const claudeFreshness = require('./freshness');
+const codexFreshness = require('./codex/freshness');
+const cursorFreshness = require('./cursor/freshness');
+const copilotFreshness = require('./copilot/freshness');
+const geminiFreshness = require('./gemini/freshness');
+const windsurfFreshness = require('./windsurf/freshness');
+const aiderFreshness = require('./aider/freshness');
+const opencodeFreshness = require('./opencode/freshness');
+
+const DAILY_FRESHNESS_WORKFLOW = {
+  workflow: '.github/workflows/freshness-check.yml',
+  cadence: 'Daily at 06:00 UTC plus manual dispatch',
+  issuePolicy: 'Open or refresh GitHub issues for stale P0 sources without failing the main CI pipeline.',
+};
+
+const PLATFORM_CHANGE_MANIFEST = [
+  { key: 'claude', label: 'Claude Code', modulePath: 'src/freshness.js', freshness: claudeFreshness },
+  { key: 'codex', label: 'Codex', modulePath: 'src/codex/freshness.js', freshness: codexFreshness },
+  { key: 'cursor', label: 'Cursor', modulePath: 'src/cursor/freshness.js', freshness: cursorFreshness },
+  { key: 'copilot', label: 'Copilot', modulePath: 'src/copilot/freshness.js', freshness: copilotFreshness },
+  { key: 'gemini', label: 'Gemini CLI', modulePath: 'src/gemini/freshness.js', freshness: geminiFreshness },
+  { key: 'windsurf', label: 'Windsurf', modulePath: 'src/windsurf/freshness.js', freshness: windsurfFreshness },
+  { key: 'aider', label: 'Aider', modulePath: 'src/aider/freshness.js', freshness: aiderFreshness },
+  { key: 'opencode', label: 'OpenCode', modulePath: 'src/opencode/freshness.js', freshness: opencodeFreshness },
+].map((entry) => {
+  const sources = (entry.freshness.P0_SOURCES || []).map((source) => ({
+    key: source.key,
+    label: source.label,
+    url: source.url,
+    stalenessThresholdDays: source.stalenessThresholdDays,
+    verifiedAt: source.verifiedAt || null,
+  }));
+  const thresholds = [...new Set(sources.map((source) => source.stalenessThresholdDays))].sort((a, b) => a - b);
+
+  return {
+    key: entry.key,
+    label: entry.label,
+    modulePath: entry.modulePath,
+    trackedSources: sources,
+    trackedSourceCount: sources.length,
+    reviewCadence: {
+      automation: DAILY_FRESHNESS_WORKFLOW.cadence,
+      thresholdsDays: thresholds,
+      manualExpectation: thresholds.includes(14)
+        ? 'Review high-volatility sources weekly and verify any stale source immediately.'
+        : 'Review sources at least monthly and verify any stale source immediately.',
+    },
+    freshnessWorkflow: {
+      ...DAILY_FRESHNESS_WORKFLOW,
+      manualTrigger: true,
+    },
+    updateTriggers: (entry.freshness.PROPAGATION_CHECKLIST || []).map((item) => ({
+      trigger: item.trigger,
+      targets: item.targets || [],
+    })),
+  };
+});
+
+function getPlatformChangeManifest() {
+  return JSON.parse(JSON.stringify(PLATFORM_CHANGE_MANIFEST));
+}
+
+function summarizePlatformChangeManifest() {
+  const manifest = getPlatformChangeManifest();
+  return {
+    platformCount: manifest.length,
+    trackedSourceCount: manifest.reduce((sum, entry) => sum + entry.trackedSourceCount, 0),
+    workflow: DAILY_FRESHNESS_WORKFLOW,
+    platforms: manifest.map((entry) => ({
+      key: entry.key,
+      label: entry.label,
+      trackedSourceCount: entry.trackedSourceCount,
+      thresholdDays: entry.reviewCadence.thresholdsDays,
+      updateTriggerCount: entry.updateTriggers.length,
+    })),
+  };
+}
+
+module.exports = {
+  DAILY_FRESHNESS_WORKFLOW,
+  PLATFORM_CHANGE_MANIFEST,
+  getPlatformChangeManifest,
+  summarizePlatformChangeManifest,
+};