@nerviq/cli 1.11.0 → 1.13.0

package/src/analyze.js

@@ -12,6 +12,9 @@ const { detectDomainPacks } = require('./domain-packs');
 const { detectCodexDomainPacks } = require('./codex/domain-packs');
 const { recommendMcpPacks } = require('./mcp-packs');
 const { collectClaudeDenyRules } = require('./permission-rules');
+const { buildRepoArchetypeProfile } = require('./repo-archetype');
+const { buildOperatingProfile } = require('./operating-profile');
+const { buildAdoptionAdvisor } = require('./adoption-advisor');
 
 const COLORS = {
   reset: '\x1b[0m',
@@ -498,6 +501,30 @@ async function analyzeProject(options) {
     ? detectCodexDomainPacks(ctx, stacks, assets)
     : detectDomainPacks(ctx, stacks, assets);
   const recommendedMcpPacks = platform === 'claude' ? recommendMcpPacks(stacks, recommendedDomainPacks, { ctx, assets }) : [];
+  const repoArchetype = buildRepoArchetypeProfile({
+    ctx,
+    platform,
+    stacks,
+    assets,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+    maturity,
+  });
+  const recommendedOperatingProfile = buildOperatingProfile({
+    dir: options.dir,
+    platform,
+    repoArchetype,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+  });
+  const adoptionGuidance = buildAdoptionAdvisor({
+    platform,
+    repoArchetype,
+    recommendedOperatingProfile,
+    recommendedDomainPacks,
+    recommendedMcpPacks,
+    env: options.env || {},
+  });
 
   const report = {
     platform,
@@ -511,16 +538,28 @@ async function analyzeProject(options) {
       stacks: stacks.map(s => s.label),
       domains: recommendedDomainPacks.map(pack => pack.label),
       maturity,
+      archetype: repoArchetype.label,
+      workflow: repoArchetype.primaryWorkflow.label,
+      riskLevel: repoArchetype.riskProfile.label,
+      operatingProfile: recommendedOperatingProfile.label,
+      adoptionPlan: adoptionGuidance.summary.label,
       score: auditResult.score,
       organicScore: auditResult.organicScore,
       checkCount: auditResult.checkCount,
     },
     platformScopeNote: auditResult.platformScopeNote || null,
     platformCaveats: auditResult.platformCaveats || [],
+    repoArchetype,
+    recommendedOperatingProfile,
+    adoptionGuidance,
     detectedArchitecture: {
       repoType: stacks.length > 0 ? 'stack-detected repo' : 'generic repo',
       mainDirectories: mainDirs,
       stackSignals: stacks.map(s => s.key),
+      stackFamily: repoArchetype.stackFamily.label,
+      topology: repoArchetype.topology.label,
+      workflow: repoArchetype.primaryWorkflow.label,
+      riskLevel: repoArchetype.riskProfile.label,
     },
     existingPlatformAssets: assets,
     strengthsPreserved: toStrengths(auditResult.results),
@@ -585,11 +624,14 @@ function printAnalysis(report, options = {}) {
   } else {
     console.log(c(`  Platform: ${report.platformLabel}`, 'dim'));
   }
+  console.log(c(`  Archetype: ${report.repoArchetype.label} | Workflow: ${report.repoArchetype.primaryWorkflow.label} | Risk: ${report.repoArchetype.riskProfile.label}`, 'dim'));
   console.log(c(`  Maturity: ${report.projectSummary.maturity} | Score: ${report.projectSummary.score}/100 | Organic: ${report.projectSummary.organicScore}/100`, 'dim'));
   console.log('');
 
   console.log(c('  Detected Architecture', 'blue'));
+  console.log(c(`  Stack family: ${report.repoArchetype.stackFamily.label} | Topology: ${report.repoArchetype.topology.label} | Confidence: ${report.repoArchetype.confidence}`, 'dim'));
   console.log(c(`  Main directories: ${report.detectedArchitecture.mainDirectories.join(', ') || 'No strong structure detected yet'}`, 'dim'));
+  console.log(c(`  Signals: ${report.repoArchetype.signals.join(' | ') || 'No strong archetype signals yet'}`, 'dim'));
   console.log('');
 
   console.log(c(`  Existing ${report.existingPlatformAssets.label} Assets`, 'blue'));
@@ -683,6 +725,36 @@ function printAnalysis(report, options = {}) {
     console.log('');
   }
 
+  if (report.recommendedOperatingProfile) {
+    console.log(c('  Recommended Operating Profile', 'blue'));
+    console.log(`  ${report.recommendedOperatingProfile.label}`);
+    console.log(c(`  Permission: ${report.recommendedOperatingProfile.permissionProfile.label} | Governance pack: ${report.recommendedOperatingProfile.governancePack.label}`, 'dim'));
+    console.log(c(`  CI shape: ${report.recommendedOperatingProfile.ciShape.label} | Platforms: ${(report.recommendedOperatingProfile.platformSupport.recommended || []).join(', ') || report.platformLabel}`, 'dim'));
+    console.log(c(`  Hooks: ${report.recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`, 'dim'));
+    console.log(c(`  Verification: ${report.recommendedOperatingProfile.verification.required.join(', ')}`, 'dim'));
+    console.log('');
+  }
+
+  if (report.adoptionGuidance && Array.isArray(report.adoptionGuidance.items) && report.adoptionGuidance.items.length > 0) {
+    console.log(c('  Adopt / Defer / Ignore', 'blue'));
+    console.log(c(`  ${report.adoptionGuidance.summary.label}`, 'dim'));
+    const groups = [
+      ['adopt', 'Adopt now'],
+      ['defer', 'Defer until prerequisites are ready'],
+      ['ignore', 'Ignore for this repo shape'],
+    ];
+    for (const [decision, label] of groups) {
+      const items = report.adoptionGuidance.items.filter((item) => item.decision === decision).slice(0, 3);
+      if (items.length === 0) continue;
+      console.log(`  ${label}`);
+      for (const item of items) {
+        console.log(`    - ${item.label}`);
+        console.log(c(`      ${item.why}`, 'dim'));
+      }
+    }
+    console.log('');
+  }
+
   if (report.suggestedRolloutOrder.length > 0) {
     console.log(c('  Suggested Rollout Order', 'blue'));
     report.suggestedRolloutOrder.forEach((item, index) => {
@@ -710,6 +782,11 @@ function exportMarkdown(report) {
   if (report.platform === 'claude') {
     lines.push(`**Domain Packs:** ${report.projectSummary.domains.join(', ') || 'Baseline General'}`);
   }
+  lines.push(`**Archetype:** ${report.repoArchetype.label}`);
+  lines.push(`**Workflow:** ${report.repoArchetype.primaryWorkflow.label}`);
+  lines.push(`**Risk posture:** ${report.repoArchetype.riskProfile.label}`);
+  lines.push(`**Operating profile:** ${report.recommendedOperatingProfile.label}`);
+  lines.push(`**Adoption plan:** ${report.adoptionGuidance.summary.label}`);
   lines.push(`**Maturity:** ${report.projectSummary.maturity}`);
   lines.push('');
 
@@ -730,6 +807,57 @@ function exportMarkdown(report) {
   }
   lines.push('');
 
+  lines.push('## Repo Archetype');
+  lines.push('');
+  lines.push(`- **Label:** ${report.repoArchetype.label}`);
+  lines.push(`- **Summary:** ${report.repoArchetype.summary}`);
+  lines.push(`- **Stack family:** ${report.repoArchetype.stackFamily.label}`);
+  lines.push(`- **Topology:** ${report.repoArchetype.topology.label}`);
+  lines.push(`- **Primary workflow:** ${report.repoArchetype.primaryWorkflow.label}`);
+  lines.push(`- **Risk posture:** ${report.repoArchetype.riskProfile.label}`);
+  lines.push(`- **Confidence:** ${report.repoArchetype.confidence}`);
+  if (report.repoArchetype.signals.length > 0) {
+    lines.push(`- **Signals:** ${report.repoArchetype.signals.join(', ')}`);
+  }
+  lines.push('');
+
+  lines.push('## Recommended Operating Profile');
+  lines.push('');
+  lines.push(`- **Label:** ${report.recommendedOperatingProfile.label}`);
+  lines.push(`- **Summary:** ${report.recommendedOperatingProfile.summary}`);
+  lines.push(`- **Permission profile:** ${report.recommendedOperatingProfile.permissionProfile.label}`);
+  lines.push(`- **Governance pack:** ${report.recommendedOperatingProfile.governancePack.label}`);
+  lines.push(`- **Platform support:** ${(report.recommendedOperatingProfile.platformSupport.recommended || []).join(', ') || report.platformLabel}`);
+  if (report.recommendedOperatingProfile.platformSupport.optionalExpansion) {
+    lines.push(`- **Optional expansion:** ${report.recommendedOperatingProfile.platformSupport.optionalExpansion}`);
+  }
+  lines.push(`- **CI shape:** ${report.recommendedOperatingProfile.ciShape.label}`);
+  lines.push(`- **Verification:** ${report.recommendedOperatingProfile.verification.required.join(', ')}`);
+  lines.push(`- **Hooks:** ${report.recommendedOperatingProfile.hooks.map((hook) => hook.key).join(', ')}`);
+  lines.push('');
+
+  lines.push('## Adopt / Defer / Ignore');
+  lines.push('');
+  const decisionGroups = [
+    ['adopt', 'Adopt now'],
+    ['defer', 'Defer'],
+    ['ignore', 'Ignore'],
+  ];
+  for (const [decision, label] of decisionGroups) {
+    const items = report.adoptionGuidance.items.filter((item) => item.decision === decision);
+    if (items.length === 0) continue;
+    lines.push(`### ${label}`);
+    lines.push('');
+    for (const item of items) {
+      lines.push(`- **${item.label}** — ${item.why}`);
+      lines.push(`  Evidence: ${item.evidence.join(' | ')}`);
+      lines.push(`  Prerequisites: ${item.prerequisites.length > 0 ? item.prerequisites.join(' | ') : 'None'}`);
+      lines.push(`  Expected benefit: ${item.expectedBenefit}`);
+      lines.push(`  Rollback safety: ${item.rollbackSafety}`);
+    }
+    lines.push('');
+  }
+
   if (report.strengthsPreserved.length > 0) {
     lines.push('## Strengths Preserved (don\'t change these)');
     lines.push('');

package/src/anti-patterns.js

@@ -10,6 +10,7 @@ const {
 } = require('./instruction-surfaces');
 const { collectClaudeDenyRules } = require('./permission-rules');
 const { containsEmbeddedSecret } = require('./secret-patterns');
+const { containsPromptInjectionPattern } = require('./prompt-injection');
 
 const ANTI_PATTERNS = [
   {
@@ -218,6 +219,18 @@ const ANTI_PATTERNS = [
       return !hasTestInMd && !hasTestScript;
     },
   },
+  {
+    id: 'AP023',
+    name: 'Suspicious prompt-injection phrases in repo instructions',
+    severity: 'high',
+    description: 'Instruction surfaces that say things like "ignore previous instructions", "bypass guardrails", or "score 100/100" create confusion and downstream trust problems, even when the static audit itself is not LLM-driven.',
+    platforms: ['claude', 'codex', 'cursor', 'windsurf', 'copilot', 'gemini', 'aider', 'opencode'],
+    fix: 'Remove adversarial phrases from repo instructions and replace them with an explicit trust-boundary note about treating repo/web/MCP content as untrusted data.',
+    detect: (ctx) => {
+      const content = getRepoInstructionBundle(ctx);
+      return containsPromptInjectionPattern(content);
+    },
+  },
   {
     id: 'AP015',
     name: 'All permissions allowed',

package/src/audit/instruction-files.js

@@ -0,0 +1,180 @@
+const path = require('path');
+
+const { hasWorkspaceConfig, detectWorkspaceGlobs, detectWorkspaces } = require('../workspace');
+const { estimateTokenCount } = require('../token-estimate');
+
+const LARGE_INSTRUCTION_WARN_TOKENS = 12000;
+const LARGE_INSTRUCTION_SKIP_TOKENS = 240000;
+
+function normalizeRelativePath(filePath) {
+  return String(filePath || '').replace(/\\/g, '/').replace(/^\.\//, '');
+}
+
+function formatCount(value) {
+  return Number(value || 0).toLocaleString('en-US');
+}
+
+function addPath(target, filePath) {
+  if (!filePath || typeof filePath !== 'string') return;
+  target.add(normalizeRelativePath(filePath));
+}
+
+function addDirFiles(ctx, target, dirPath, filter) {
+  if (typeof ctx.dirFiles !== 'function') return;
+  for (const file of ctx.dirFiles(dirPath)) {
+    if (filter && !filter.test(file)) continue;
+    addPath(target, path.join(dirPath, file));
+  }
+}
+
+function instructionFileCandidates(spec, ctx) {
+  const candidates = new Set();
+
+  if (spec.platform === 'claude') {
+    addPath(candidates, 'CLAUDE.md');
+    addPath(candidates, '.claude/CLAUDE.md');
+    addDirFiles(ctx, candidates, '.claude/rules', /\.md$/i);
+    addDirFiles(ctx, candidates, '.claude/commands', /\.md$/i);
+    addDirFiles(ctx, candidates, '.claude/agents', /\.md$/i);
+    if (typeof ctx.dirFiles === 'function') {
+      for (const skillDir of ctx.dirFiles('.claude/skills')) {
+        addPath(candidates, path.join('.claude', 'skills', skillDir, 'SKILL.md'));
+      }
+    }
+  }
+
+  if (spec.platform === 'codex') {
+    addPath(candidates, 'AGENTS.md');
+    addPath(candidates, 'AGENTS.override.md');
+    addPath(candidates, typeof ctx.agentsMdPath === 'function' ? ctx.agentsMdPath() : null);
+    addDirFiles(ctx, candidates, 'codex/rules');
+    addDirFiles(ctx, candidates, '.codex/rules');
+    if (typeof ctx.skillDirs === 'function') {
+      for (const skillDir of ctx.skillDirs()) {
+        addPath(candidates, path.join('.agents', 'skills', skillDir, 'SKILL.md'));
+      }
+    }
+  }
+
+  if (spec.platform === 'gemini') {
+    addPath(candidates, 'GEMINI.md');
+    addPath(candidates, '.gemini/GEMINI.md');
+    addDirFiles(ctx, candidates, '.gemini/agents', /\.md$/i);
+    if (typeof ctx.skillDirs === 'function') {
+      for (const skillDir of ctx.skillDirs()) {
+        addPath(candidates, path.join('.gemini', 'skills', skillDir, 'SKILL.md'));
+      }
+    }
+  }
+
+  if (spec.platform === 'copilot') {
+    addPath(candidates, '.github/copilot-instructions.md');
+    addDirFiles(ctx, candidates, '.github/instructions', /\.instructions\.md$/i);
+    addDirFiles(ctx, candidates, '.github/prompts', /\.prompt\.md$/i);
+  }
+
+  if (spec.platform === 'cursor') {
+    addPath(candidates, '.cursorrules');
+    addDirFiles(ctx, candidates, '.cursor/rules', /\.mdc$/i);
+    addDirFiles(ctx, candidates, '.cursor/commands', /\.md$/i);
+  }
+
+  if (spec.platform === 'windsurf') {
+    addPath(candidates, '.windsurfrules');
+    addDirFiles(ctx, candidates, '.windsurf/rules', /\.md$/i);
+    addDirFiles(ctx, candidates, '.windsurf/workflows', /\.md$/i);
+    addDirFiles(ctx, candidates, '.windsurf/memories', /\.(md|json)$/i);
+  }
+
+  if (spec.platform === 'aider' && typeof ctx.conventionFiles === 'function') {
+    for (const file of ctx.conventionFiles()) {
+      addPath(candidates, file);
+    }
+  }
+
+  if (spec.platform === 'opencode') {
+    addPath(candidates, 'AGENTS.md');
+    addPath(candidates, 'CLAUDE.md');
+    addDirFiles(ctx, candidates, '.opencode/commands', /\.(md|markdown|ya?ml)$/i);
+    if (typeof ctx.skillDirs === 'function') {
+      for (const skillDir of ctx.skillDirs()) {
+        addPath(candidates, path.join('.opencode', 'commands', skillDir, 'SKILL.md'));
+      }
+    }
+  }
+
+  return [...candidates];
+}
+
+function inspectInstructionFiles(spec, ctx) {
+  const warnings = [];
+
+  for (const filePath of instructionFileCandidates(spec, ctx)) {
+    const content = typeof ctx.fileContent === 'function' ? ctx.fileContent(filePath) : null;
+    const byteCount = typeof ctx.fileSizeBytes === 'function' ? ctx.fileSizeBytes(filePath) : null;
+    const tokenCount = typeof content === 'string' ? estimateTokenCount(content) : null;
+    if (!Number.isFinite(tokenCount) || tokenCount <= LARGE_INSTRUCTION_WARN_TOKENS) continue;
+
+    warnings.push({
+      file: normalizeRelativePath(filePath),
+      byteCount,
+      tokenCount,
+      lineCount: typeof content === 'string' ? content.split(/\r?\n/).length : null,
+      skipped: tokenCount > LARGE_INSTRUCTION_SKIP_TOKENS,
+      severity: tokenCount > LARGE_INSTRUCTION_SKIP_TOKENS ? 'critical' : 'warning',
+      message: tokenCount > LARGE_INSTRUCTION_SKIP_TOKENS
+        ? 'Instruction file exceeds ~240,000 tokens and will be skipped during audit.'
+        : 'Instruction file exceeds ~12,000 tokens. Audit will continue, but this file may reduce runtime clarity.',
+    });
+  }
+
+  return warnings;
+}
+
+function guardSkippedInstructionFiles(ctx, warnings) {
+  const skippedFiles = new Set(
+    warnings.filter((item) => item.skipped).map((item) => normalizeRelativePath(item.file))
+  );
+  if (skippedFiles.size === 0) return;
+
+  const originalFileContent = typeof ctx.fileContent === 'function' ? ctx.fileContent.bind(ctx) : null;
+  const originalLineNumber = typeof ctx.lineNumber === 'function' ? ctx.lineNumber.bind(ctx) : null;
+
+  if (originalFileContent) {
+    ctx.fileContent = (filePath) => {
+      if (skippedFiles.has(normalizeRelativePath(filePath))) return null;
+      return originalFileContent(filePath);
+    };
+  }
+
+  if (originalLineNumber) {
+    ctx.lineNumber = (filePath, matcher) => {
+      if (skippedFiles.has(normalizeRelativePath(filePath))) return null;
+      return originalLineNumber(filePath, matcher);
+    };
+  }
+}
+
+function buildWorkspaceHint(dir) {
+  if (!hasWorkspaceConfig(dir)) return null;
+
+  const patterns = detectWorkspaceGlobs(dir);
+  const workspaces = detectWorkspaces(dir);
+  if (patterns.length === 0 && workspaces.length === 0) return null;
+
+  return {
+    detected: true,
+    patterns,
+    workspaces,
+    suggestedCommand: patterns.length > 0
+      ? `npx nerviq audit --workspace ${patterns.join(',')}`
+      : `npx nerviq audit --workspace ${workspaces.join(',')}`,
+  };
+}
+
+module.exports = {
+  buildWorkspaceHint,
+  formatCount,
+  guardSkippedInstructionFiles,
+  inspectInstructionFiles,
+};