@nerviq/cli 1.11.0 → 1.13.0

package/bin/cli.js

@@ -14,8 +14,9 @@ const { auditWorkspaces } = require('../src/workspace');
 const { scanOrg } = require('../src/org');
 const { detectAntiPatterns, printAntiPatterns, printAntiPatternCatalog } = require('../src/anti-patterns');
 const { VERIFICATION_DATES, getVerificationDate, getVerificationStats } = require('../src/verification-metadata');
-const { init: initI18n, t } = require('../src/i18n');
-const { version } = require('../package.json');
+const { init: initI18n, t } = require('../src/i18n');
+const { version } = require('../package.json');
+const { SNAPSHOT_MILESTONES } = require('../src/activity');
 
 const args = process.argv.slice(2);
 const COMMAND_ALIASES = {
@@ -28,7 +29,7 @@ const COMMAND_ALIASES = {
   gov: 'governance',
   outcome: 'feedback',
 };
-const KNOWN_COMMANDS = ['audit', 'org', 'setup', 'init', 'augment', 'suggest-only', 'plan', 'apply', 'fix', 'rollback', 'governance', 'benchmark', 'deep-review', 'interactive', 'watch', 'badge', 'insights', 'history', 'compare', 'trend', 'scan', 'feedback', 'doctor', 'convert', 'migrate', 'catalog', 'certify', 'serve', 'check-health', 'dashboard', 'harmony-audit', 'harmony-sync', 'harmony-drift', 'harmony-advise', 'harmony-watch', 'harmony-governance', 'harmony-add', 'synergy-report', 'anti-patterns', 'rules-export', 'freshness', 'suggest-rules', 'profile', 'help', 'version'];
+const KNOWN_COMMANDS = ['audit', 'org', 'setup', 'init', 'augment', 'suggest-only', 'plan', 'apply', 'fix', 'rollback', 'governance', 'benchmark', 'deep-review', 'interactive', 'watch', 'badge', 'insights', 'history', 'compare', 'trend', 'scan', 'feedback', 'doctor', 'convert', 'migrate', 'catalog', 'certify', 'serve', 'check-health', 'dashboard', 'harmony-audit', 'harmony-sync', 'harmony-drift', 'harmony-advise', 'harmony-watch', 'harmony-governance', 'harmony-add', 'synergy-report', 'anti-patterns', 'rules-export', 'freshness', 'suggest-rules', 'profile', 'baseline', 'exception', 'help', 'version'];
 
 function levenshtein(a, b) {
   const matrix = Array.from({ length: a.length + 1 }, () => Array(b.length + 1).fill(0));
@@ -97,16 +98,27 @@ function parseArgs(rawArgs) {
   let feedbackEffect = null;
   let feedbackNotes = null;
   let feedbackSource = null;
-  let feedbackScoreDelta = null;
-  let platform = 'claude';
-  let format = null;
+  let feedbackScoreDelta = null;
+  let platform = 'claude';
+  let platformExplicit = false;
+  let format = null;
   let port = null;
   let workspace = null;
   let webhookUrl = null;
   let webhookHeaders = [];
   let webhookRetries = null;
   let snapshotTags = [];
-  let commandSet = false;
+  let snapshotMilestone = null;
+  let campaigns = [];
+  let diffBase = null;
+  let diffHead = null;
+  let driftMode = null;
+  let exceptionOwner = null;
+  let exceptionReason = null;
+  let exceptionExpires = null;
+  let exceptionScope = null;
+  let exceptionClass = null;
+  let commandSet = false;
   let extraArgs = [];
   let convertFrom = null;
   let convertTo = null;
@@ -122,7 +134,7 @@ function parseArgs(rawArgs) {
   for (let i = 0; i < rawArgs.length; i++) {
     const arg = rawArgs[i];
 
-    if (arg === '--threshold' || arg === '--out' || arg === '--plan' || arg === '--only' || arg === '--profile' || arg === '--mcp-pack' || arg === '--require' || arg === '--key' || arg === '--status' || arg === '--effect' || arg === '--notes' || arg === '--source' || arg === '--score-delta' || arg === '--platform' || arg === '--format' || arg === '--from' || arg === '--to' || arg === '--port' || arg === '--workspace' || arg === '--check-version' || arg === '--webhook' || arg === '--webhook-header' || arg === '--webhook-retries' || arg === '--external' || arg === '--team-profile' || arg === '--lang' || arg === '--tag') {
+    if (arg === '--threshold' || arg === '--out' || arg === '--plan' || arg === '--only' || arg === '--profile' || arg === '--mcp-pack' || arg === '--require' || arg === '--key' || arg === '--status' || arg === '--effect' || arg === '--notes' || arg === '--source' || arg === '--score-delta' || arg === '--platform' || arg === '--format' || arg === '--from' || arg === '--to' || arg === '--port' || arg === '--workspace' || arg === '--check-version' || arg === '--webhook' || arg === '--webhook-header' || arg === '--webhook-retries' || arg === '--external' || arg === '--team-profile' || arg === '--lang' || arg === '--tag' || arg === '--milestone' || arg === '--campaign' || arg === '--diff-base' || arg === '--diff-head' || arg === '--drift-mode' || arg === '--owner' || arg === '--reason' || arg === '--expires' || arg === '--scope' || arg === '--class') {
       const value = rawArgs[i + 1];
       if (!value || value.startsWith('--')) {
         throw new Error(`${arg} requires a value`);
@@ -140,7 +152,7 @@ function parseArgs(rawArgs) {
       if (arg === '--notes') feedbackNotes = value;
       if (arg === '--source') feedbackSource = value.trim();
       if (arg === '--score-delta') feedbackScoreDelta = value.trim();
-      if (arg === '--platform') platform = value.trim().toLowerCase();
+      if (arg === '--platform') { platform = value.trim().toLowerCase(); platformExplicit = true; }
       if (arg === '--format') format = value.trim().toLowerCase();
       if (arg === '--from') { convertFrom = value.trim(); migrateFrom = value.trim(); }
       if (arg === '--to') { convertTo = value.trim(); migrateTo = value.trim(); }
@@ -154,6 +166,16 @@ function parseArgs(rawArgs) {
       if (arg === '--team-profile') teamProfile = value.trim();
       if (arg === '--lang') lang = value.trim().toLowerCase();
       if (arg === '--tag') snapshotTags.push(value.trim());
+      if (arg === '--milestone') snapshotMilestone = value.trim().toLowerCase();
+      if (arg === '--campaign') campaigns = value.split(',').map(item => item.trim()).filter(Boolean);
+      if (arg === '--diff-base') diffBase = value.trim();
+      if (arg === '--diff-head') diffHead = value.trim();
+      if (arg === '--drift-mode') driftMode = value.trim().toLowerCase();
+      if (arg === '--owner') exceptionOwner = value.trim();
+      if (arg === '--reason') exceptionReason = value;
+      if (arg === '--expires') exceptionExpires = value.trim();
+      if (arg === '--scope') exceptionScope = value.trim().toLowerCase();
+      if (arg === '--class') exceptionClass = value.trim().toLowerCase();
       i++;
       continue;
     }
@@ -177,6 +199,56 @@ function parseArgs(rawArgs) {
       snapshotTags.push(arg.split('=').slice(1).join('=').trim());
       continue;
     }
+
+    if (arg.startsWith('--milestone=')) {
+      snapshotMilestone = arg.split('=').slice(1).join('=').trim().toLowerCase();
+      continue;
+    }
+
+    if (arg.startsWith('--campaign=')) {
+      campaigns = arg.split('=').slice(1).join('=').split(',').map(item => item.trim()).filter(Boolean);
+      continue;
+    }
+
+    if (arg.startsWith('--diff-base=')) {
+      diffBase = arg.split('=').slice(1).join('=').trim();
+      continue;
+    }
+
+    if (arg.startsWith('--diff-head=')) {
+      diffHead = arg.split('=').slice(1).join('=').trim();
+      continue;
+    }
+
+    if (arg.startsWith('--drift-mode=')) {
+      driftMode = arg.split('=').slice(1).join('=').trim().toLowerCase();
+      continue;
+    }
+
+    if (arg.startsWith('--owner=')) {
+      exceptionOwner = arg.split('=').slice(1).join('=').trim();
+      continue;
+    }
+
+    if (arg.startsWith('--reason=')) {
+      exceptionReason = arg.split('=').slice(1).join('=');
+      continue;
+    }
+
+    if (arg.startsWith('--expires=')) {
+      exceptionExpires = arg.split('=').slice(1).join('=').trim();
+      continue;
+    }
+
+    if (arg.startsWith('--scope=')) {
+      exceptionScope = arg.split('=').slice(1).join('=').trim().toLowerCase();
+      continue;
+    }
+
+    if (arg.startsWith('--class=')) {
+      exceptionClass = arg.split('=').slice(1).join('=').trim().toLowerCase();
+      continue;
+    }
 
     if (arg === '--repos') {
       // Collect all following non-flag args as repo paths (supports comma-separated too)
@@ -259,10 +331,11 @@ function parseArgs(rawArgs) {
       continue;
     }
 
-    if (arg.startsWith('--platform=')) {
-      platform = arg.split('=').slice(1).join('=').trim().toLowerCase();
-      continue;
-    }
+    if (arg.startsWith('--platform=')) {
+      platform = arg.split('=').slice(1).join('=').trim().toLowerCase();
+      platformExplicit = true;
+      continue;
+    }
 
     if (arg.startsWith('--format=')) {
       format = arg.split('=').slice(1).join('=').trim().toLowerCase();
@@ -315,7 +388,7 @@ function parseArgs(rawArgs) {
 
   const normalizedCommand = COMMAND_ALIASES[command] || command;
 
-  return { flags, command, commandExplicit, normalizedCommand, threshold, out, planFile, only, profile, mcpPacks, requireChecks, feedbackKey, feedbackStatus, feedbackEffect, feedbackNotes, feedbackSource, feedbackScoreDelta, platform, format, port, workspace, extraArgs, convertFrom, convertTo, migrateFrom, migrateTo, checkVersion, webhookUrl, webhookHeaders, webhookRetries, external, repos, teamProfile, lang, snapshotTags };
+  return { flags, command, commandExplicit, normalizedCommand, threshold, out, planFile, only, profile, mcpPacks, requireChecks, feedbackKey, feedbackStatus, feedbackEffect, feedbackNotes, feedbackSource, feedbackScoreDelta, platform, platformExplicit, format, port, workspace, extraArgs, convertFrom, convertTo, migrateFrom, migrateTo, checkVersion, webhookUrl, webhookHeaders, webhookRetries, external, repos, teamProfile, lang, snapshotTags, snapshotMilestone, campaigns, diffBase, diffHead, driftMode, exceptionOwner, exceptionReason, exceptionExpires, exceptionScope, exceptionClass };
 }
 
 function printWorkspaceSummary(summary, options) {
@@ -373,16 +446,19 @@ function printCompareCheckSection(title, items, prefix) {
 }
 
 function printScanDetail(summary, options) {
-  if (options.json) {
-    console.log(JSON.stringify(summary, null, 2));
-    return;
+  if (options.json) {
+    console.log(JSON.stringify(summary, null, 2));
+    return;
   }
 
-  console.log('');
-  console.log('\x1b[1m  nerviq scan — per-repo comparison\x1b[0m');
-  console.log('\x1b[2m  ═══════════════════════════════════════\x1b[0m');
-  console.log(`  Platform: ${summary.platform}  |  Repos: ${summary.repoCount}  |  Average: \x1b[1m${summary.averageScore}/100\x1b[0m`);
-  console.log('');
+  console.log('');
+  console.log('\x1b[1m  nerviq scan — per-repo comparison\x1b[0m');
+  console.log('\x1b[2m  ═══════════════════════════════════════\x1b[0m');
+  console.log(`  Platform: ${summary.platform}  |  Repos: ${summary.repoCount}  |  Average: \x1b[1m${summary.averageScore}/100\x1b[0m`);
+  if (summary.scoreSemantics?.note) {
+    console.log(`  Score semantics: ${summary.scoreSemantics.note}`);
+  }
+  console.log('');
 
   for (const item of summary.repos) {
     if (item.error) {
@@ -391,9 +467,12 @@ function printScanDetail(summary, options) {
       continue;
     }
     const scoreColor = item.score >= 80 ? '\x1b[32m' : item.score >= 50 ? '\x1b[33m' : '\x1b[31m';
-    console.log(`  \x1b[1m${item.name}\x1b[0m  ${scoreColor}${item.score}/100\x1b[0m  (${item.passed}/${item.total} checks passed)`);
-
-    // Show per-category breakdown if result is available
+    console.log(`  \x1b[1m${item.name}\x1b[0m  ${scoreColor}${item.score}/100\x1b[0m  (${item.passed}/${item.total} checks passed)`);
+    if (item.policyCoverage?.layerKeys?.length > 0) {
+      console.log(`    \x1b[2mPolicy layers: ${item.policyCoverage.layerKeys.join(' -> ')}\x1b[0m`);
+    }
+
+    // Show per-category breakdown if result is available
     if (item.result && item.result.results) {
       const STACK_LANGUAGES = new Set(['python', 'go', 'rust', 'java', 'ruby', 'dotnet', 'php', 'flutter', 'swift', 'kotlin']);
       const categories = {};
@@ -422,28 +501,57 @@ function printScanDetail(summary, options) {
   }
 }
 
-function printOrgSummary(summary, options) {
-  if (options.json) {
-    console.log(JSON.stringify(summary, null, 2));
-    return;
-  }
+function printOrgSummary(summary, options) {
+  if (options.json) {
+    console.log(JSON.stringify(summary, null, 2));
+    return;
+  }
 
   console.log('');
-  console.log('\x1b[1m  nerviq org scan\x1b[0m');
-  console.log('\x1b[2m  ═══════════════════════════════════════\x1b[0m');
-  console.log(`  Platform: ${summary.platform}`);
-  console.log(`  Repos: ${summary.repoCount}`);
-  console.log(`  Average score: \x1b[1m${summary.averageScore}/100\x1b[0m`);
-  console.log('');
-  console.log('\x1b[1m  Repo              Platform  Score  Top action\x1b[0m');
-  console.log('  ' + '─'.repeat(72));
-  for (const item of summary.repos) {
-    const score = item.score === null ? 'ERR' : String(item.score);
-    const topAction = item.error || item.topAction || '-';
-    console.log(`  ${item.name.padEnd(18)} ${item.platform.padEnd(8)} ${score.padStart(5)}  ${topAction}`);
-  }
-  console.log('');
-}
+  console.log('\x1b[1m  nerviq org scan\x1b[0m');
+  console.log('\x1b[2m  ═══════════════════════════════════════\x1b[0m');
+  console.log(`  Platform: ${summary.platform}`);
+  console.log(`  Repos: ${summary.repoCount}`);
+  console.log(`  Average score: \x1b[1m${summary.averageScore}/100\x1b[0m`);
+  if (summary.scoreSemantics?.note) {
+    console.log(`  Score semantics: ${summary.scoreSemantics.note}`);
+  }
+  if (summary.policyCoverage) {
+    console.log(`  Policy coverage: org=${summary.policyCoverage.orgPolicyRepos} team=${summary.policyCoverage.teamPolicyRepos} repo=${summary.policyCoverage.repoPolicyRepos}`);
+  }
+  if (summary.scoreBands) {
+    console.log(`  Bands: strong=${summary.scoreBands.strong} developing=${summary.scoreBands.developing} bootstrap=${summary.scoreBands.bootstrap} unknown=${summary.scoreBands.unknown}`);
+  }
+  console.log('');
+  console.log('\x1b[1m  Repo              Platform  Score  Policy        Top action\x1b[0m');
+  console.log('  ' + '─'.repeat(72));
+  for (const item of summary.repos) {
+    const score = item.score === null ? 'ERR' : String(item.score);
+    const topAction = item.error || item.topAction || '-';
+    const policy = item.policyCoverage?.layerKeys?.length > 0 ? item.policyCoverage.layerKeys.join('/') : '-';
+    console.log(`  ${item.name.padEnd(18)} ${item.platform.padEnd(8)} ${score.padStart(5)}  ${policy.padEnd(12)} ${topAction}`);
+  }
+  if (Array.isArray(summary.topEvidence) && summary.topEvidence.length > 0) {
+    console.log('');
+    console.log('  Common top evidence:');
+    for (const item of summary.topEvidence) {
+      console.log(`    - ${item.key} (${item.repoCount} repos)`);
+    }
+  }
+  console.log('');
+}
+
+function writeStdout(text) {
+  return new Promise((resolve, reject) => {
+    process.stdout.write(text, (error) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve();
+    });
+  });
+}
 
 const HELP = `
   nerviq v${version}
@@ -457,19 +565,22 @@ const HELP = `
     nerviq audit --platform X     Audit specific platform (claude|codex|cursor|copilot|gemini|windsurf|aider|opencode)
     nerviq audit --json           Machine-readable JSON output (for CI)
     nerviq audit --workspace packages/*     Audit monorepo workspaces with stack-specific package profiles
-    nerviq scan dir1 dir2         Compare multiple repos side-by-side
-    nerviq org scan dir1 dir2     Aggregate multiple repos into one score table
+    nerviq scan dir1 dir2         Compare multiple repos side-by-side
+    nerviq org scan dir1 dir2     Aggregate multiple repos into one score table
+    nerviq org policy [dir]       Inspect resolved org/team/repo policy layers
     nerviq catalog                Full check catalog (all 8 platforms)
     nerviq catalog --json         Export full check catalog as JSON
     nerviq anti-patterns          Detect anti-patterns in current project
     nerviq anti-patterns --all    Show full anti-pattern catalog
 
-  SETUP
-    nerviq setup                  Generate starter-safe baseline config files
-    nerviq setup --auto           Apply all generated files without prompts
-    nerviq interactive            Step-by-step guided wizard
-    nerviq check-health           Detect regressions + platform format changes between snapshots
-    nerviq doctor                 Self-diagnostics: Node, deps, freshness, platform detection
+  SETUP
+    nerviq setup                  Generate starter-safe baseline config files
+    nerviq setup --auto           Apply all generated files without prompts
+    nerviq interactive            Step-by-step guided wizard
+    nerviq baseline init          Lock the first managed Nerviq baseline for continuous ops
+    nerviq baseline status        Show the current managed baseline contract
+    nerviq check-health           Detect regressions + platform format changes between snapshots
+    nerviq doctor                 Self-diagnostics: Node, deps, freshness, MCP, hook runtime
 
   FIX
     nerviq fix                    Show fixable checks and manual-fix guidance
@@ -482,13 +593,15 @@ const HELP = `
     nerviq rollback --list        Show available rollback points
     nerviq rollback --dry-run     Preview what would be deleted
 
-  IMPROVE
-    nerviq augment                Improvement plan (no writes)
-    nerviq suggest-only           Structured report for sharing (no writes)
-    nerviq plan                   Export proposal bundles with diffs
-    nerviq plan --out plan.json   Save plan to file
-    nerviq apply                  Apply proposals selectively with rollback
-    nerviq apply --dry-run        Preview changes without writing
+  IMPROVE
+    nerviq augment                Improvement plan (no writes)
+    nerviq suggest-only           Structured report for sharing (no writes)
+    nerviq plan                   Export proposal bundles with diffs
+    nerviq plan --campaign X      Export a named upgrade campaign slice
+    nerviq plan --out plan.json   Save plan to file
+    nerviq apply                  Apply proposals selectively with rollback
+    nerviq apply --campaign X     Apply a named upgrade campaign
+    nerviq apply --dry-run        Preview changes without writing
 
   GOVERN
     nerviq governance             Permission profiles + hooks + policy packs (the rollout safety layer)
@@ -509,17 +622,24 @@ const HELP = `
     nerviq migrate --platform X   Platform version migration helper
     nerviq migrate --platform cursor --from v2 --to v3
 
-  MONITOR
+  MONITOR
     nerviq dashboard              Generate static dashboard from latest audit snapshot (or live audit if none)
-    nerviq dashboard --out F      Save dashboard to custom file
-    nerviq dashboard --open       Open dashboard in browser after generating
-    nerviq watch                  Live config monitoring (re-audits on file change)
+    nerviq dashboard --out F      Save dashboard to custom file
+    nerviq dashboard --open       Open dashboard in browser after generating
+    nerviq watch                  Live config monitoring (re-audits on file change)
+    nerviq audit --diff-only --drift-mode ci   PR / CI drift review against the managed baseline
     nerviq history                Audit snapshot history from saved snapshots
     nerviq compare                Detailed per-check diff between latest two audit snapshots
     nerviq trend                  Audit snapshot trend over time
     nerviq trend --out report.md  Export trend report as markdown
-    nerviq audit --snapshot --tag "pre-refactor"  Save a named audit snapshot
+    nerviq audit --snapshot --milestone baseline --tag "baseline"  Save a lifecycle checkpoint
     nerviq feedback               Record recommendation outcomes
+
+  EXCEPTIONS
+    nerviq exception add --key permissionDeny --owner team --reason "migration in progress" --expires 2026-05-01
+    nerviq exception add --class policy-drift --scope ci --owner team --reason "temporary rollout" --expires 2026-05-01
+    nerviq exception list         Show active and expired exceptions
+    nerviq exception prune        Remove expired exceptions
 
   TEAM PROFILES
     nerviq profile save <name>    Save current preferences as a named profile
@@ -528,8 +648,9 @@ const HELP = `
     nerviq profile export <name>  Export profile JSON for sharing
 
   ADVANCED
-    nerviq deep-review            AI-powered config review (opt-in, uses API key)
-    nerviq serve --port 3000      Start local Nerviq REST API server + OpenAPI contract
+    nerviq deep-review            AI-powered config review (opt-in, uses API key)
+    nerviq deep-review --behavioral  Local behavioral drift review (opt-in, no API)
+    nerviq serve --port 3000      Start local Nerviq HTTP API server + OpenAPI contract
     nerviq badge                  Generate shields.io badge markdown
     nerviq rules-export           Export recommendation rules as JSON
     nerviq rules-export --out F   Save rules to file
@@ -553,8 +674,14 @@ const HELP = `
     --external PATH   Benchmark an external repo instead of cwd
     --port N          Port for \`serve\` (default: 3000)
     --workspace GLOBS Audit workspaces separately with root/package score semantics and stack-specific profiles
+    --diff-only       Audit only changed files / linked config surfaces from git diff
+    --drift-mode M    Continuous posture mode: ci | pr | watch
+    --diff-base SHA   Base SHA for diff-only mode (defaults to PR env vars when present)
+    --diff-head SHA   Head SHA for diff-only mode (defaults to GITHUB_SHA or HEAD)
     --snapshot        Save snapshot artifact under .claude/nerviq/snapshots/
     --tag LABEL       Tag the saved snapshot (use with --snapshot; repeat or comma-separate for more)
+    --milestone NAME  Snapshot lifecycle milestone: baseline | post-fix | pre-upgrade | release
+    --campaign A,B    Limit plan/apply to named upgrade campaigns
     --full            Show full audit output (all checks, weakest areas, badge)
     --lite            Short top-3 scan (default behavior since v1.5.2)
     --dry-run         Preview changes without writing files
@@ -565,26 +692,38 @@ const HELP = `
     --auto            Apply all generated files without prompting
     --beginner        Show only the 5 starter commands for first-time users
     --key NAME        Feedback: recommendation key (e.g. permissionDeny)
-    --status VALUE    Feedback: accepted | rejected | deferred
-    --effect VALUE    Feedback: positive | neutral | negative
-    --score-delta N   Feedback: observed score delta
-    --help            Show this help
-    --version         Show version
+    --status VALUE    Feedback: accepted | rejected | deferred
+    --effect VALUE    Feedback: positive | neutral | negative
+    --score-delta N   Feedback: observed score delta
+    --owner NAME      Exception owner
+    --reason TEXT     Exception reason
+    --expires DATE    Exception expiry (ISO date or date-time)
+    --scope NAME      Exception scope: all | ci | watch | pr
+    --class NAME      Exception target class: policy-drift | config-drift | platform-drift | maturity-opportunity
+    --behavioral      Run the opt-in local behavioral drift / outcome-layer review
+    --history         With deep-review --behavioral, show behavioral snapshot history
+    --compare         With deep-review --behavioral, compare the latest two behavioral snapshots
+    --help            Show this help
+    --version         Show version
 
   EXAMPLES
     npx nerviq --beginner
     npx nerviq
     npx nerviq --lite
     npx nerviq --platform cursor
-    npx nerviq audit --workspace packages/*
-    npx nerviq --platform codex augment
-    npx nerviq org scan ./app ./api ./infra
+    npx nerviq audit --workspace packages/*
+    npx nerviq baseline init
+    npx nerviq audit --diff-only --drift-mode ci
+    npx nerviq --platform codex augment
+    npx nerviq org scan ./app ./api ./infra
+    npx nerviq org policy
     npx nerviq scan ./app ./api ./infra
     npx nerviq harmony-audit
     npx nerviq convert --from claude --to codex
     npx nerviq migrate --platform cursor --from v2 --to v3
-    npx nerviq setup --mcp-pack context7-docs
-    npx nerviq apply --plan plan.json --only hooks,commands
+    npx nerviq setup --mcp-pack context7-docs
+    npx nerviq plan --campaign governance-hardening
+    npx nerviq apply --plan plan.json --only hooks,commands
     npx nerviq serve --port 4000
     npx nerviq --json --threshold 70
     npx nerviq catalog --json --out catalog.json
@@ -606,7 +745,7 @@ const BEGINNER_HELP = `
     nerviq setup      Generate a starter-safe baseline
     nerviq fix        Fix what can be fixed or show manual fix guidance
     nerviq augment    Show an improvement plan without writing
-    nerviq doctor     Check install health, freshness, and platform detection
+    nerviq doctor     Check install health, freshness, platform detection, MCP, and hook runtime
 
   SIMPLE PATH
     1. nerviq audit
@@ -670,9 +809,10 @@ async function main() {
     only: parsed.only,
     profile: parsed.profile,
     mcpPacks: parsed.mcpPacks,
-    require: parsed.requireChecks,
-    platform: parsed.platform || 'claude',
-    format: parsed.format || null,
+    require: parsed.requireChecks,
+    platform: parsed.platform || 'claude',
+    platformExplicit: Boolean(parsed.platformExplicit),
+    format: parsed.format || null,
     port: parsed.port !== null ? Number(parsed.port) : null,
     workspace: parsed.workspace || null,
     webhookUrl: parsed.webhookUrl || null,
@@ -681,6 +821,20 @@ async function main() {
     lang: parsed.lang || null,
     external: parsed.external || null,
     snapshotTags: parsed.snapshotTags || [],
+    snapshotMilestone: parsed.snapshotMilestone || null,
+    campaigns: parsed.campaigns || [],
+    behavioral: flags.includes('--behavioral'),
+    historyView: flags.includes('--history'),
+    compareView: flags.includes('--compare'),
+    diffOnly: flags.includes('--diff-only'),
+    diffBase: parsed.diffBase || null,
+    diffHead: parsed.diffHead || null,
+    driftMode: parsed.driftMode || null,
+    exceptionOwner: parsed.exceptionOwner || null,
+    exceptionReason: parsed.exceptionReason || null,
+    exceptionExpires: parsed.exceptionExpires || null,
+    exceptionScope: parsed.exceptionScope || null,
+    exceptionClass: parsed.exceptionClass || null,
     dir: process.cwd()
   };
 
@@ -688,18 +842,49 @@ async function main() {
     console.error('\n  Error: --tag requires --snapshot.\n');
     process.exit(1);
   }
+
+  if (options.snapshotMilestone && !options.snapshot) {
+    console.error('\n  Error: --milestone requires --snapshot.\n');
+    process.exit(1);
+  }
+
+  if (options.snapshotMilestone && !SNAPSHOT_MILESTONES.includes(options.snapshotMilestone)) {
+    console.error(`\n  Error: Unsupported milestone '${options.snapshotMilestone}'. Use one of: ${SNAPSHOT_MILESTONES.join(', ')}.\n`);
+    process.exit(1);
+  }
+
+  if (options.diffOnly && options.snapshot) {
+    console.error('\n  Error: --diff-only cannot be combined with --snapshot because diff-only scores are not comparable to full audit snapshots.\n');
+    process.exit(1);
+  }
+
+  if (options.driftMode && !['ci', 'pr', 'watch'].includes(options.driftMode)) {
+    console.error(`\n  Error: Unsupported drift mode '${options.driftMode}'. Use ci, pr, or watch.\n`);
+    process.exit(1);
+  }
 
-  if (parsed.checkVersion) {
+  if (parsed.checkVersion) {
     if (parsed.checkVersion !== version) {
       console.error(`\n  Warning: --check-version ${parsed.checkVersion} does not match installed nerviq version ${version}.`);
       console.error(`  Check catalog may differ between versions. To align, run: npm install @nerviq/cli@${parsed.checkVersion}`);
       console.error('');
     }
-    options.checkVersion = parsed.checkVersion;
-  }
-
-  if (parsed.teamProfile) {
-    const { loadProfile, applyProfileToOptions } = require('../src/profiles');
+    options.checkVersion = parsed.checkVersion;
+  }
+
+  const {
+    resolvePolicyLayers,
+    applyPolicyLayersToOptions,
+    formatPolicyContract,
+  } = require('../src/policy-layers');
+  const inheritedPolicyContract = resolvePolicyLayers(options.dir);
+  if (inheritedPolicyContract.layers.some((layer) => layer.valid)) {
+    Object.assign(options, applyPolicyLayersToOptions(inheritedPolicyContract, options));
+    options.policyContract = inheritedPolicyContract;
+  }
+
+  if (parsed.teamProfile) {
+    const { loadProfile, applyProfileToOptions } = require('../src/profiles');
     try {
       const teamProf = loadProfile(options.dir, parsed.teamProfile);
       const merged = applyProfileToOptions(teamProf, options);
@@ -738,10 +923,15 @@ async function main() {
     process.exit(1);
   }
 
-  if (options.format !== null && !['json', 'sarif', 'otel'].includes(options.format)) {
-    console.error(`\n  Error: Unsupported format '${options.format}'. Use 'json', 'sarif', or 'otel'.\n`);
-    process.exit(1);
-  }
+  if (options.format !== null && !['json', 'sarif', 'otel'].includes(options.format)) {
+    console.error(`\n  Error: Unsupported format '${options.format}'. Use 'json', 'sarif', or 'otel'.\n`);
+    process.exit(1);
+  }
+
+  if (options.driftMode && options.format !== null) {
+    console.error('\n  Error: --drift-mode is only supported with normal text output or --json.\n');
+    process.exit(1);
+  }
 
   if (options.port !== null && (!Number.isInteger(options.port) || options.port < 0 || options.port > 65535)) {
     console.error('\n  Error: --port must be an integer between 0 and 65535.\n');
@@ -791,13 +981,13 @@ async function main() {
   }
 
   try {
-    const FULL_COMMAND_SET = new Set([
-      'audit', 'org', 'scan', 'badge', 'augment', 'suggest-only', 'setup', 'plan', 'apply',
-      'governance', 'benchmark', 'deep-review', 'interactive', 'watch', 'insights',
-      'history', 'compare', 'trend', 'feedback', 'catalog', 'certify', 'serve', 'help', 'version',
-      // Harmony + Synergy (cross-platform)
-      'harmony-audit', 'harmony-sync', 'harmony-drift', 'harmony-advise',
-      'harmony-watch', 'harmony-governance', 'harmony-add', 'synergy-report', 'anti-patterns', 'rules-export',
+    const FULL_COMMAND_SET = new Set([
+      'audit', 'org', 'scan', 'badge', 'augment', 'suggest-only', 'setup', 'plan', 'apply',
+      'governance', 'benchmark', 'deep-review', 'interactive', 'watch', 'insights',
+      'history', 'compare', 'trend', 'feedback', 'catalog', 'certify', 'serve', 'baseline', 'exception', 'help', 'version',
+      // Harmony + Synergy (cross-platform)
+      'harmony-audit', 'harmony-sync', 'harmony-drift', 'harmony-advise',
+      'harmony-watch', 'harmony-governance', 'harmony-add', 'synergy-report', 'anti-patterns', 'rules-export',
       'freshness', 'profile', 'migrate',
     ]);
 
@@ -843,33 +1033,51 @@ async function main() {
       }
     }
 
-    if (normalizedCommand === 'scan') {
-      const scanDirs = parsed.extraArgs;
-      if (scanDirs.length === 0) {
-        console.error('\n  Error: scan requires at least one directory argument.');
-        console.error('  Usage: npx nerviq scan dir1 dir2 dir3\n');
-        process.exit(1);
-      }
-      const summary = await scanOrg(scanDirs, options.platform);
-      printScanDetail(summary, options);
-      if (options.threshold !== null && summary.averageScore < options.threshold) {
-        process.exit(1);
-      }
-      process.exit(0);
-    } else if (normalizedCommand === 'org') {
-      const subcommand = parsed.extraArgs[0];
-      const scanDirs = parsed.extraArgs.slice(1);
-      if (subcommand !== 'scan' || scanDirs.length === 0) {
-        console.error('\n  Error: org requires the scan subcommand and at least one directory.');
-        console.error('  Usage: npx nerviq org scan dir1 dir2 dir3\n');
-        process.exit(1);
-      }
-      const summary = await scanOrg(scanDirs, options.platform);
-      printOrgSummary(summary, options);
-      if (options.threshold !== null && summary.averageScore < options.threshold) {
-        process.exit(1);
-      }
-      process.exit(0);
+    if (normalizedCommand === 'scan') {
+      const scanDirs = parsed.extraArgs;
+      if (scanDirs.length === 0) {
+        console.error('\n  Error: scan requires at least one directory argument.');
+        console.error('  Usage: npx nerviq scan dir1 dir2 dir3\n');
+        process.exit(1);
+      }
+      const summary = await scanOrg(scanDirs, options);
+      printScanDetail(summary, options);
+      if (options.threshold !== null && summary.averageScore < options.threshold) {
+        process.exit(1);
+      }
+      process.exit(0);
+    } else if (normalizedCommand === 'org') {
+      const subcommand = parsed.extraArgs[0];
+      if (subcommand === 'policy') {
+        const targetDir = parsed.extraArgs[1] ? require('path').resolve(parsed.extraArgs[1]) : options.dir;
+        const contract = resolvePolicyLayers(targetDir);
+        if (options.json) {
+          await writeStdout(JSON.stringify(contract, null, 2) + '\n');
+        } else {
+          console.log('');
+          console.log(formatPolicyContract(contract));
+          console.log('');
+        }
+        process.exit(0);
+      }
+
+      const scanDirs = parsed.extraArgs.slice(1);
+      if (subcommand !== 'scan' || scanDirs.length === 0) {
+        console.error('\n  Error: org requires `scan` or `policy`.');
+        console.error('  Usage: npx nerviq org scan dir1 dir2 dir3');
+        console.error('         npx nerviq org policy [dir]\n');
+        process.exit(1);
+      }
+      const summary = await scanOrg(scanDirs, options);
+      if (options.json) {
+        await writeStdout(JSON.stringify(summary, null, 2) + '\n');
+      } else {
+        printOrgSummary(summary, options);
+      }
+      if (options.threshold !== null && summary.averageScore < options.threshold) {
+        process.exit(1);
+      }
+      process.exit(0);
     } else if (normalizedCommand === 'history') {
       const { formatHistory, readSnapshotIndex } = require('../src/activity');
       // Handle --prune N
@@ -900,7 +1108,7 @@ async function main() {
       console.log('');
       process.exit(0);
     } else if (normalizedCommand === 'compare') {
-      const { compareLatest, formatSnapshotBootstrap, formatSnapshotTags } = require('../src/activity');
+      const { compareLatest, formatSnapshotBootstrap, formatSnapshotTags, formatSnapshotMilestone } = require('../src/activity');
       const result = compareLatest(options.dir);
       if (!result) {
         console.log('');
@@ -913,8 +1121,8 @@ async function main() {
       } else {
         const sign = result.delta.score >= 0 ? '+' : '';
         console.log('');
-        console.log(`  Previous snapshot: ${result.previous.score}/100 (${result.previous.date?.split('T')[0]})${formatSnapshotTags(result.previous.tags)}`);
-        console.log(`  Current snapshot:  ${result.current.score}/100 (${result.current.date?.split('T')[0]})${formatSnapshotTags(result.current.tags)}`);
+        console.log(`  Previous snapshot: ${result.previous.score}/100 (${result.previous.date?.split('T')[0]})${formatSnapshotMilestone(result.previous.milestone)}${formatSnapshotTags(result.previous.tags)}`);
+        console.log(`  Current snapshot:  ${result.current.score}/100 (${result.current.date?.split('T')[0]})${formatSnapshotMilestone(result.current.milestone)}${formatSnapshotTags(result.current.tags)}`);
         console.log(`  Snapshot delta:    ${sign}${result.delta.score} points`);
         console.log(`  Trend:    ${result.trend}`);
         if (result.detailedDiffAvailable) {
@@ -1066,6 +1274,7 @@ async function main() {
       const report = await analyzeProject({ ...options, mode: normalizedCommand });
       const snapshot = options.snapshot ? writeSnapshotArtifact(options.dir, normalizedCommand, report, {
         tags: options.snapshotTags,
+        milestone: options.snapshotMilestone,
         sourceCommand: normalizedCommand,
       }) : null;
       if (options.out && !options.json) {
@@ -1200,6 +1409,7 @@ async function main() {
       printGovernanceSummary(summary, options);
       const snapshot = options.snapshot ? writeSnapshotArtifact(options.dir, 'governance', summary, {
         tags: options.snapshotTags,
+        milestone: options.snapshotMilestone,
         sourceCommand: normalizedCommand,
       }) : null;
       if (options.out && !options.json) {
@@ -1215,6 +1425,7 @@ async function main() {
       const report = await runBenchmark(options);
       const snapshot = options.snapshot ? writeSnapshotArtifact(options.dir, 'benchmark', report, {
         tags: options.snapshotTags,
+        milestone: options.snapshotMilestone,
         sourceCommand: normalizedCommand,
       }) : null;
       if (options.out) {
@@ -1233,13 +1444,87 @@ async function main() {
     } else if (normalizedCommand === 'deep-review') {
       const { deepReview } = require('../src/deep-review');
       await deepReview(options);
-    } else if (normalizedCommand === 'interactive') {
-      const { interactive } = require('../src/interactive');
-      await interactive(options);
-    } else if (normalizedCommand === 'watch') {
-      const { watch } = require('../src/watch');
-      await watch(options);
-    } else if (normalizedCommand === 'catalog') {
+    } else if (normalizedCommand === 'interactive') {
+      const { interactive } = require('../src/interactive');
+      await interactive(options);
+    } else if (normalizedCommand === 'baseline') {
+      const {
+        readManagedBaseline,
+        writeManagedBaseline,
+        buildManagedBaselineRecord,
+        formatManagedBaselineStatus,
+      } = require('../src/continuous-ops');
+      const subcommand = parsed.extraArgs[0] || 'status';
+
+      if (subcommand === 'status') {
+        const baseline = readManagedBaseline(options.dir);
+        if (options.json) {
+          console.log(JSON.stringify(baseline, null, 2));
+        } else {
+          console.log('');
+          console.log(formatManagedBaselineStatus(options.dir, baseline));
+          console.log('');
+        }
+        process.exit(0);
+      }
+
+      if (subcommand === 'init') {
+        const existingBaseline = readManagedBaseline(options.dir);
+        if (existingBaseline && !flags.includes('--force')) {
+          console.error('\n  Error: Managed baseline already exists. Use `nerviq baseline status` to inspect it, or rerun with --force to replace it.\n');
+          process.exit(1);
+        }
+
+        const auditResult = await audit({ ...options, silent: true });
+        const analysisReport = await analyzeProject({ ...options, mode: 'augment' });
+        const detectedPlatforms = detectPlatforms(options.dir);
+        const snapshot = writeSnapshotArtifact(options.dir, 'audit', auditResult, {
+          tags: [...options.snapshotTags, 'baseline'],
+          milestone: 'baseline',
+          sourceCommand: 'baseline init',
+          managedBaseline: true,
+        });
+        const baselineRecord = buildManagedBaselineRecord({
+          dir: options.dir,
+          platform: options.platform,
+          auditResult,
+          analysisReport,
+          snapshotArtifact: snapshot,
+          currentPlatforms: detectedPlatforms,
+        });
+        const saved = writeManagedBaseline(options.dir, baselineRecord);
+
+        if (options.json) {
+          console.log(JSON.stringify({
+            ...baselineRecord,
+            baselinePath: saved.relativePath,
+          }, null, 2));
+        } else {
+          console.log('');
+          console.log('  nerviq baseline init');
+          console.log('  ═══════════════════════════════════════');
+          console.log(`  Managed baseline written: ${saved.relativePath}`);
+          console.log(`  Snapshot: ${snapshot.relativePath}`);
+          console.log(`  Score: ${baselineRecord.baselineAudit.score}/100`);
+          console.log(`  Operating profile: ${baselineRecord.operatingProfile.label || 'n/a'}`);
+          console.log(`  Adoption plan: ${baselineRecord.adoptionPlan || 'n/a'}`);
+          console.log(`  Active platforms: ${(baselineRecord.detectedPlatforms || []).join(', ') || 'none detected'}`);
+          console.log('');
+          console.log('  Next:');
+          console.log('    - nerviq audit --diff-only --drift-mode ci');
+          console.log('    - nerviq watch');
+          console.log('    - nerviq plan --campaign governance-hardening');
+          console.log('');
+        }
+        process.exit(0);
+      }
+
+      console.error('\n  Error: baseline supports `init` and `status`.\n');
+      process.exit(1);
+    } else if (normalizedCommand === 'watch') {
+      const { watch } = require('../src/watch');
+      await watch(options);
+    } else if (normalizedCommand === 'catalog') {
       const { generateCatalogWithVersion, writeCatalogJson } = require('../src/catalog');
       if (options.out) {
         const result = writeCatalogJson(options.out);
@@ -1313,6 +1598,7 @@ async function main() {
       console.log(`  nerviq API listening on http://127.0.0.1:${resolvedPort}`);
       console.log('  Endpoints: /api/openapi.json, /api/health, /api/catalog, /api/audit, /api/harmony');
       console.log(`  Contract: http://127.0.0.1:${resolvedPort}/api/openapi.json`);
+      console.log('  MCP hosts should use nerviq-mcp (stdio JSON-RPC 2.0), not this HTTP server.');
       console.log('');
 
       const closeServer = () => {
@@ -1538,18 +1824,74 @@ async function main() {
         }
       }
       process.exit(0);
-    } else if (normalizedCommand === 'suggest-rules') {
-      const { analyzeSuggestions, formatSuggestions } = require('../src/auto-suggest');
-      const suggestions = analyzeSuggestions(options.dir);
-      if (options.json) {
-        console.log(JSON.stringify(suggestions, null, 2));
-      } else {
-        console.log('');
-        console.log(formatSuggestions(suggestions));
-        console.log('');
-      }
-      process.exit(0);
-    } else if (normalizedCommand === 'profile') {
+    } else if (normalizedCommand === 'suggest-rules') {
+      const { analyzeSuggestions, formatSuggestions } = require('../src/auto-suggest');
+      const suggestions = analyzeSuggestions(options.dir);
+      if (options.json) {
+        console.log(JSON.stringify(suggestions, null, 2));
+      } else {
+        console.log('');
+        console.log(formatSuggestions(suggestions));
+        console.log('');
+      }
+      process.exit(0);
+    } else if (normalizedCommand === 'exception') {
+      const {
+        listExceptions,
+        addException,
+        pruneExpiredExceptions,
+        formatExceptionsList,
+      } = require('../src/continuous-ops');
+      const subcommand = parsed.extraArgs[0] || 'list';
+
+      if (subcommand === 'list') {
+        const records = listExceptions(options.dir);
+        if (options.json) {
+          console.log(JSON.stringify(records, null, 2));
+        } else {
+          console.log('');
+          console.log(formatExceptionsList(records));
+          console.log('');
+        }
+        process.exit(0);
+      }
+
+      if (subcommand === 'add') {
+        const result = addException(options.dir, {
+          key: parsed.feedbackKey || null,
+          watchClass: options.exceptionClass,
+          owner: options.exceptionOwner,
+          reason: options.exceptionReason,
+          expiresAt: options.exceptionExpires,
+          scope: options.exceptionScope || 'all',
+        });
+        if (options.json) {
+          console.log(JSON.stringify(result.record, null, 2));
+        } else {
+          console.log('');
+          console.log(`  Exception added: ${result.record.id}`);
+          console.log(`  Target: ${result.record.key || result.record.watchClass}`);
+          console.log(`  Owner: ${result.record.owner}`);
+          console.log(`  Scope: ${result.record.scope}`);
+          console.log(`  Expires: ${result.record.expiresAt}`);
+          console.log('');
+        }
+        process.exit(0);
+      }
+
+      if (subcommand === 'prune') {
+        const result = pruneExpiredExceptions(options.dir);
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          console.log(`\n  Pruned ${result.removedCount} expired exception(s). Kept ${result.keptCount} active record(s).\n`);
+        }
+        process.exit(0);
+      }
+
+      console.error('\n  Error: exception supports `add`, `list`, and `prune`.\n');
+      process.exit(1);
+    } else if (normalizedCommand === 'profile') {
       const { saveProfile, loadProfile, listProfiles, exportProfile, formatProfileList, formatProfile } = require('../src/profiles');
       const subcommand = parsed.extraArgs[0];
       const profileArg = parsed.extraArgs[1];
@@ -2095,27 +2437,113 @@ async function main() {
         const postSetupResult = await audit({ dir: options.dir, silent: true, platform: options.platform });
         const snapshot = writeSnapshotArtifact(options.dir, 'audit', postSetupResult, {
           tags: options.snapshotTags,
+          milestone: options.snapshotMilestone,
           sourceCommand: 'setup',
         });
         if (!options.json) {
           console.log(`  Snapshot saved: ${snapshot.relativePath}`);
         }
       }
-    } else {
-      if (options.workspace) {
-        const summary = await auditWorkspaces(options.dir, options.workspace, options.platform);
-        printWorkspaceSummary(summary, options);
-        if (options.threshold !== null && summary.averageScore < options.threshold) {
-          process.exit(1);
-        }
-        process.exit(0);
-      }
-      const result = await audit(options);
-      if (options.out) {
-        const fs = require('fs');
-        const path = require('path');
-        const outPath = path.resolve(options.out);
-        fs.mkdirSync(path.dirname(outPath), { recursive: true });
+    } else {
+      if (options.workspace) {
+        const summary = await auditWorkspaces(options.dir, options.workspace, options.platform);
+        printWorkspaceSummary(summary, options);
+        if (options.threshold !== null && summary.averageScore < options.threshold) {
+          process.exit(1);
+        }
+        process.exit(0);
+      }
+      let result;
+      const renderAuditJsonLocally = options.json && Boolean(options.driftMode);
+      if (options.diffOnly) {
+        const { getChangedFiles, buildDiffOnlyAuditView, printDiffOnlyAudit } = require('../src/diff-only');
+        const fullResult = await audit({ ...options, silent: true });
+        const diffInfo = getChangedFiles(options.dir, {
+          diffBase: options.diffBase,
+          diffHead: options.diffHead,
+        });
+        result = buildDiffOnlyAuditView(fullResult, diffInfo);
+      } else {
+        result = renderAuditJsonLocally
+          ? await audit({ ...options, silent: true })
+          : await audit(options);
+      }
+
+      if (options.driftMode) {
+        const { buildContinuousStatus, formatContinuousStatus } = require('../src/continuous-ops');
+        let campaigns = [];
+        try {
+          const planBundle = await buildProposalBundle({
+            dir: options.dir,
+            platform: options.platform,
+            profile: options.profile,
+            mcpPacks: options.mcpPacks,
+            campaigns: [],
+          });
+          campaigns = planBundle.campaigns || [];
+        } catch {
+          campaigns = [];
+        }
+
+        result = {
+          ...result,
+          continuousStatus: buildContinuousStatus({
+            dir: options.dir,
+            auditResult: result,
+            mode: options.driftMode,
+            currentPlatforms: detectPlatforms(options.dir),
+            campaigns,
+          }),
+        };
+      }
+
+      if (options.policyContract && options.policyContract.layers.some((layer) => layer.valid)) {
+        result = {
+          ...result,
+          policyLayers: options.policyContract,
+        };
+      }
+
+      if (options.diffOnly) {
+        const { printDiffOnlyAudit } = require('../src/diff-only');
+        if (options.json) {
+          console.log(JSON.stringify({
+            version,
+            timestamp: new Date().toISOString(),
+            ...result,
+          }, null, 2));
+        } else {
+          console.log(printDiffOnlyAudit(result));
+          if (result.continuousStatus) {
+            const { formatContinuousStatus } = require('../src/continuous-ops');
+            console.log(formatContinuousStatus(result.continuousStatus));
+            console.log('');
+          }
+        }
+      } else if (renderAuditJsonLocally) {
+        console.log(JSON.stringify({
+          version,
+          timestamp: new Date().toISOString(),
+          ...result,
+        }, null, 2));
+      } else {
+        if (!options.json && options.policyContract && options.policyContract.layers.some((layer) => layer.valid)) {
+          console.log('');
+          console.log(formatPolicyContract(options.policyContract));
+          console.log('');
+        }
+        if (!options.json && result.continuousStatus) {
+          const { formatContinuousStatus } = require('../src/continuous-ops');
+          console.log('');
+          console.log(formatContinuousStatus(result.continuousStatus));
+          console.log('');
+        }
+      }
+      if (options.out) {
+        const fs = require('fs');
+        const path = require('path');
+        const outPath = path.resolve(options.out);
+        fs.mkdirSync(path.dirname(outPath), { recursive: true });
         fs.writeFileSync(outPath, JSON.stringify(result, null, 2), 'utf8');
         if (!options.json) {
           console.log(`\n  Audit report written to ${options.out}\n`);
@@ -2123,20 +2551,19 @@ async function main() {
       }
       if (options.webhookUrl) {
         try {
-          const { sendWebhook, formatSlackMessage } = require('../src/integrations');
+          const { sendWebhook, formatSlackMessage, formatGenericAuditWebhookEvent } = require('../src/integrations');
           // Auto-detect Slack vs generic by URL pattern
           const isSlack = options.webhookUrl.includes('hooks.slack.com');
           const isDiscord = options.webhookUrl.includes('discord.com/api/webhooks');
           let payload;
-          if (isSlack) {
-            payload = formatSlackMessage(result);
-          } else if (isDiscord) {
-            const { formatDiscordMessage } = require('../src/integrations');
-            payload = formatDiscordMessage(result);
-          } else {
-            // Generic webhook: send full JSON audit result
-            payload = { platform: result.platform, score: result.score, passed: result.passed, failed: result.failed, results: result.results };
-          }
+          if (isSlack) {
+            payload = formatSlackMessage(result);
+          } else if (isDiscord) {
+            const { formatDiscordMessage } = require('../src/integrations');
+            payload = formatDiscordMessage(result);
+          } else {
+            payload = formatGenericAuditWebhookEvent(result);
+          }
           const webhookResp = await sendWebhook(options.webhookUrl, payload, {
             headers: options.webhookHeaders,
             retries: options.webhookRetries,
@@ -2178,6 +2605,7 @@ async function main() {
       }
       const snapshot = options.snapshot ? writeSnapshotArtifact(options.dir, 'audit', result, {
         tags: options.snapshotTags,
+        milestone: options.snapshotMilestone,
         sourceCommand: normalizedCommand,
       }) : null;
       if (snapshot && !options.json) {
@@ -2185,18 +2613,27 @@ async function main() {
         console.log(`  Snapshot index: ${snapshot.indexPath}`);
         console.log('');
       }
-      if (options.threshold !== null && result.score < options.threshold) {
-        if (!options.json) {
-          console.error(`\n  Error: Threshold not met — score ${result.score}/100 is below required ${options.threshold}/100.`);
-          console.error('  Why: Your project audit score is lower than the minimum threshold set via --threshold.');
-          console.error('  Fix: Run `npx nerviq augment` to see improvement suggestions, then re-audit.');
+      if (options.threshold !== null && result.score < options.threshold) {
+        if (!options.json) {
+          console.error(`\n  Error: Threshold not met — score ${result.score}/100 is below required ${options.threshold}/100.`);
+          console.error('  Why: Your project audit score is lower than the minimum threshold set via --threshold.');
+          console.error('  Fix: Run `npx nerviq augment` to see improvement suggestions, then re-audit.');
           console.error('  Docs: https://github.com/nerviq/nerviq#ci-integration\n');
-        }
-        process.exit(1);
-      }
-      if (options.require && options.require.length > 0) {
-        const failedRequired = options.require.filter(key => {
-          const check = result.results.find(r => r.key === key);
+        }
+        process.exit(1);
+      }
+      if (result.continuousStatus && result.continuousStatus.gate === 'fail') {
+        if (!options.json) {
+          console.error('\n  Error: Continuous drift gate failed.');
+          console.error(`  Why: ${result.continuousStatus.gateLabel}.`);
+          console.error('  Fix: review the blocking drift items or add a temporary exception with owner/reason/expiry.');
+          console.error('  Docs: https://github.com/nerviq/nerviq#readme\n');
+        }
+        process.exit(1);
+      }
+      if (options.require && options.require.length > 0) {
+        const failedRequired = options.require.filter(key => {
+          const check = result.results.find(r => r.key === key);
           return !check || check.passed !== true;
         });
         if (failedRequired.length > 0) {