npm - @nerviq/cli - Versions diffs - 1.17.3 → 1.19.0 - Mend

@nerviq/cli 1.17.3 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (190) hide show

package/LICENSE +23 -23
package/README.md +4 -4
package/bin/cli.js +61 -274
package/package.json +60 -60
package/src/activity.js +1039 -1039
package/src/adoption-advisor.js +299 -299
package/src/aider/config-parser.js +166 -166
package/src/aider/context.js +158 -158
package/src/aider/deep-review.js +316 -316
package/src/aider/domain-packs.js +303 -303
package/src/aider/freshness.js +93 -93
package/src/aider/governance.js +253 -253
package/src/aider/interactive.js +334 -334
package/src/aider/mcp-packs.js +329 -329
package/src/aider/patch.js +214 -214
package/src/aider/plans.js +186 -186
package/src/aider/premium.js +360 -360
package/src/aider/setup.js +404 -404
package/src/aider/techniques.js +16 -16
package/src/analyze.js +951 -951
package/src/anti-patterns.js +485 -485
package/src/audit/instruction-files.js +180 -180
package/src/audit/recommendations.js +577 -577
package/src/auto-suggest.js +154 -154
package/src/badge.js +13 -13
package/src/behavioral-drift.js +801 -801
package/src/benchmark.js +67 -67
package/src/catalog.js +103 -103
package/src/certification.js +128 -128
package/src/codex/config-parser.js +183 -183
package/src/codex/context.js +223 -223
package/src/codex/deep-review.js +493 -493
package/src/codex/domain-packs.js +394 -394
package/src/codex/freshness.js +84 -84
package/src/codex/governance.js +192 -192
package/src/codex/interactive.js +618 -618
package/src/codex/mcp-packs.js +914 -914
package/src/codex/patch.js +209 -209
package/src/codex/plans.js +251 -251
package/src/codex/premium.js +614 -614
package/src/codex/setup.js +591 -591
package/src/context.js +320 -320
package/src/continuous-ops.js +681 -681
package/src/copilot/activity.js +309 -309
package/src/copilot/config-parser.js +280 -226
package/src/copilot/context.js +218 -197
package/src/copilot/deep-review.js +346 -346
package/src/copilot/domain-packs.js +372 -372
package/src/copilot/freshness.js +57 -57
package/src/copilot/governance.js +222 -222
package/src/copilot/interactive.js +406 -406
package/src/copilot/mcp-packs.js +826 -826
package/src/copilot/plans.js +253 -253
package/src/copilot/premium.js +451 -451
package/src/copilot/setup.js +488 -488
package/src/copilot/techniques.js +219 -78
package/src/cost-tracking.js +61 -61
package/src/cursor/activity.js +301 -301
package/src/cursor/config-parser.js +265 -265
package/src/cursor/context.js +256 -256
package/src/cursor/deep-review.js +334 -334
package/src/cursor/domain-packs.js +368 -368
package/src/cursor/freshness.js +65 -65
package/src/cursor/governance.js +229 -229
package/src/cursor/interactive.js +391 -391
package/src/cursor/mcp-packs.js +828 -828
package/src/cursor/plans.js +254 -254
package/src/cursor/premium.js +469 -469
package/src/cursor/setup.js +488 -488
package/src/dashboard.js +493 -493
package/src/deep-review.js +428 -428
package/src/deprecation.js +98 -98
package/src/diff-only.js +280 -280
package/src/doctor.js +119 -119
package/src/domain-pack-expansion.js +1033 -1033
package/src/domain-packs.js +387 -387
package/src/feedback.js +178 -178
package/src/fix-engine.js +783 -0
package/src/fix-prompts.js +122 -122
package/src/formatters/sarif.js +115 -115
package/src/freshness.js +74 -74
package/src/gemini/config-parser.js +275 -275
package/src/gemini/context.js +221 -221
package/src/gemini/deep-review.js +559 -559
package/src/gemini/domain-packs.js +393 -393
package/src/gemini/freshness.js +66 -66
package/src/gemini/governance.js +201 -201
package/src/gemini/interactive.js +860 -860
package/src/gemini/mcp-packs.js +915 -915
package/src/gemini/plans.js +269 -269
package/src/gemini/premium.js +760 -760
package/src/gemini/setup.js +692 -692
package/src/gemini/techniques.js +14 -14
package/src/governance.js +72 -72
package/src/harmony/add.js +68 -68
package/src/harmony/advisor.js +333 -333
package/src/harmony/canon.js +565 -565
package/src/harmony/cli.js +591 -591
package/src/harmony/drift.js +401 -401
package/src/harmony/governance.js +313 -313
package/src/harmony/memory.js +239 -239
package/src/harmony/sync.js +475 -475
package/src/harmony/watch.js +370 -370
package/src/hook-validation.js +342 -342
package/src/index.js +271 -271
package/src/init.js +184 -184
package/src/instruction-surfaces.js +185 -185
package/src/integrations.js +144 -144
package/src/interactive.js +118 -118
package/src/locales/en.json +1 -1
package/src/locales/es.json +1 -1
package/src/mcp-packs.js +830 -830
package/src/mcp-server.js +726 -726
package/src/mcp-validation.js +337 -337
package/src/nerviq-sync.json +7 -7
package/src/opencode/config-parser.js +109 -109
package/src/opencode/context.js +247 -247
package/src/opencode/deep-review.js +313 -313
package/src/opencode/domain-packs.js +262 -262
package/src/opencode/freshness.js +66 -66
package/src/opencode/governance.js +159 -159
package/src/opencode/interactive.js +392 -392
package/src/opencode/mcp-packs.js +705 -705
package/src/opencode/patch.js +184 -184
package/src/opencode/plans.js +231 -231
package/src/opencode/premium.js +413 -413
package/src/opencode/setup.js +449 -449
package/src/opencode/techniques.js +27 -27
package/src/operating-profile.js +574 -574
package/src/org.js +152 -152
package/src/permission-rules.js +218 -218
package/src/plans.js +839 -839
package/src/platform-change-manifest.js +86 -86
package/src/plugins.js +110 -110
package/src/policy-layers.js +210 -210
package/src/profiles.js +124 -124
package/src/prompt-injection.js +74 -74
package/src/public-api.js +173 -173
package/src/recommendation-rules.js +84 -84
package/src/repo-archetype.js +386 -386
package/src/secret-patterns.js +39 -39
package/src/server.js +527 -527
package/src/setup/analysis.js +607 -607
package/src/setup/runtime.js +172 -172
package/src/setup.js +677 -677
package/src/shared/capabilities.js +194 -194
package/src/source-urls.js +132 -132
package/src/stack-checks.js +565 -565
package/src/supplemental-checks.js +13 -13
package/src/synergy/adaptive.js +261 -261
package/src/synergy/compensation.js +137 -137
package/src/synergy/evidence.js +193 -193
package/src/synergy/learning.js +199 -199
package/src/synergy/patterns.js +227 -227
package/src/synergy/ranking.js +83 -83
package/src/synergy/report.js +165 -165
package/src/synergy/routing.js +146 -146
package/src/techniques/api.js +407 -407
package/src/techniques/automation.js +316 -316
package/src/techniques/compliance.js +257 -257
package/src/techniques/hygiene.js +294 -294
package/src/techniques/instructions.js +243 -243
package/src/techniques/observability.js +226 -226
package/src/techniques/optimization.js +142 -142
package/src/techniques/quality.js +318 -318
package/src/techniques/security.js +237 -237
package/src/techniques/shared.js +443 -443
package/src/techniques/stacks.js +2294 -2294
package/src/techniques/tools.js +106 -106
package/src/techniques/workflow.js +413 -413
package/src/techniques.js +81 -81
package/src/terminology.js +73 -73
package/src/token-estimate.js +35 -35
package/src/usage-patterns.js +99 -99
package/src/verification-metadata.js +145 -145
package/src/watch.js +247 -247
package/src/windsurf/activity.js +302 -302
package/src/windsurf/config-parser.js +267 -267
package/src/windsurf/context.js +249 -249
package/src/windsurf/deep-review.js +337 -337
package/src/windsurf/domain-packs.js +370 -370
package/src/windsurf/freshness.js +36 -36
package/src/windsurf/governance.js +231 -231
package/src/windsurf/interactive.js +388 -388
package/src/windsurf/mcp-packs.js +792 -792
package/src/windsurf/plans.js +247 -247
package/src/windsurf/premium.js +468 -468
package/src/windsurf/setup.js +471 -471
package/src/windsurf/techniques.js +17 -17
package/src/workspace.js +375 -375

package/src/windsurf/freshness.js CHANGED Viewed

@@ -41,25 +41,25 @@ const P0_SOURCES = [
     stalenessThresholdDays: 30,
     verifiedAt: '2026-04-07',
   },
-  {
-    key: 'windsurf-workflows-docs',
-    label: 'Workflows Documentation',
-    url: 'https://docs.windsurf.com/windsurf/cascade/workflows',
-    stalenessThresholdDays: 30,
-    verifiedAt: '2026-04-07',
-  },
-  {
-    key: 'windsurf-models-docs',
-    label: 'Windsurf Models & BYOK',
-    url: 'https://docs.windsurf.com/windsurf/models',
-    stalenessThresholdDays: 14,
-    verifiedAt: '2026-04-10',
-  },
-  {
-    key: 'windsurf-steps-docs',
-    label: 'Steps Documentation (via Workflows)',
-    url: 'https://docs.windsurf.com/windsurf/cascade/workflows',
-    stalenessThresholdDays: 30,
+  {
+    key: 'windsurf-workflows-docs',
+    label: 'Workflows Documentation',
+    url: 'https://docs.windsurf.com/windsurf/cascade/workflows',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'windsurf-models-docs',
+    label: 'Windsurf Models & BYOK',
+    url: 'https://docs.windsurf.com/windsurf/models',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-10',
+  },
+  {
+    key: 'windsurf-steps-docs',
+    label: 'Steps Documentation (via Workflows)',
+    url: 'https://docs.windsurf.com/windsurf/cascade/workflows',
+    stalenessThresholdDays: 30,
     verifiedAt: '2026-04-07',
   },
   {
@@ -147,23 +147,23 @@ const PROPAGATION_CHECKLIST = [
       'src/windsurf/patch.js — update patchCascadeignore',
     ],
   },
-  {
-    trigger: '10K char rule limit change',
-    targets: [
-      'src/windsurf/techniques.js — update WS-A05, WS-L05',
-      'src/windsurf/context.js — update overLimit calculation',
-      'src/windsurf/governance.js — update rule-char-limit caveat',
-    ],
-  },
-  {
-    trigger: 'Windsurf model catalog / BYOK / pricing behavior change',
-    targets: [
-      'src/windsurf/techniques.js — update model-awareness and cost/trust assumptions',
-      'src/windsurf/governance.js — update BYOK and model-selection caveats',
-      'src/source-urls.js — refresh Windsurf model source mappings',
-    ],
-  },
-];
+  {
+    trigger: '10K char rule limit change',
+    targets: [
+      'src/windsurf/techniques.js — update WS-A05, WS-L05',
+      'src/windsurf/context.js — update overLimit calculation',
+      'src/windsurf/governance.js — update rule-char-limit caveat',
+    ],
+  },
+  {
+    trigger: 'Windsurf model catalog / BYOK / pricing behavior change',
+    targets: [
+      'src/windsurf/techniques.js — update model-awareness and cost/trust assumptions',
+      'src/windsurf/governance.js — update BYOK and model-selection caveats',
+      'src/source-urls.js — refresh Windsurf model source mappings',
+    ],
+  },
+];
 /**
  * Release gate: check if all P0 sources are within staleness threshold.

package/src/windsurf/governance.js CHANGED Viewed

@@ -1,231 +1,231 @@
-/**
- * Windsurf Governance Module
- *
- * 6 permission profiles, 7 hook equivalents, 5 policy packs.
- *
- * Windsurf-specific differences from Cursor:
- * - NO background agents (Cascade runs in foreground only)
- * - Cascade: autonomous agent with multi-file editing
- * - Memories: team-syncable persistent context
- * - Workflows: slash commands
- * - Steps: automation sequences
- * - .cascadeignore: gitignore-like for Cascade
- * - MCP with team whitelist
- * - 10K char rule limit per file
- * - 4 activation modes: Always, Auto, Agent-Requested, Manual
- */
-const { WINDSURF_DOMAIN_PACKS } = require('./domain-packs');
-const { WINDSURF_MCP_PACKS } = require('./mcp-packs');
-const WINDSURF_PERMISSION_PROFILES = [
-  {
-    key: 'read-only',
-    label: 'Read Only',
-    risk: 'low',
-    defaultSandbox: 'no-writes',
-    approvalPolicy: 'always-confirm',
-    useWhen: 'First contact with a repo, security review, or auditing.',
-    behavior: 'Cascade can read and suggest, but all edits and terminal commands require explicit confirmation.',
-    surfaces: ['foreground'],
-  },
-  {
-    key: 'standard',
-    label: 'Standard',
-    risk: 'medium',
-    defaultSandbox: 'user-approval',
-    approvalPolicy: 'selective-approval',
-    useWhen: 'Default product work where Cascade edits locally but risky commands need review.',
-    behavior: 'Cascade proposes edits. Terminal commands require per-command approval.',
-    surfaces: ['foreground'],
-  },
-  {
-    key: 'cascade-agent',
-    label: 'Cascade Agent',
-    risk: 'medium',
-    defaultSandbox: 'auto-run-trusted',
-    approvalPolicy: 'auto-approve-safe',
-    useWhen: 'Trusted repos where full Cascade agent mode is the primary workflow.',
-    behavior: 'Full Cascade agent mode. Multi-file edits with auto-approval for safe operations.',
-    surfaces: ['foreground'],
-  },
-  {
-    key: 'steps-automation',
-    label: 'Steps Automation',
-    risk: 'medium',
-    defaultSandbox: 'step-scoped',
-    approvalPolicy: 'step-level-approval',
-    useWhen: 'Complex multi-step tasks using Steps automation.',
-    behavior: 'Cascade runs multi-step workflows. Each step can be reviewed before proceeding.',
-    surfaces: ['foreground'],
-  },
-  {
-    key: 'team-managed',
-    label: 'Team Managed',
-    risk: 'medium',
-    defaultSandbox: 'team-policy',
-    approvalPolicy: 'team-controlled',
-    useWhen: 'Team environments with shared memories and MCP whitelist.',
-    behavior: 'Team-level policies for MCP whitelist, memories sync, and workflow access.',
-    surfaces: ['foreground'],
-  },
-  {
-    key: 'enterprise',
-    label: 'Enterprise',
-    risk: 'low',
-    defaultSandbox: 'org-policy-enforced',
-    approvalPolicy: 'org-admin-controlled',
-    useWhen: 'Enterprise tier with team sync, MCP whitelist, audit logs.',
-    behavior: 'Admin-managed policies. MCP whitelist enforced. Audit logs and team sync policies.',
-    surfaces: ['foreground'],
-  },
-];
-const WINDSURF_HOOK_REGISTRY = [
-  {
-    key: 'always-rules',
-    file: '.windsurf/rules/*.md',
-    triggerPoint: 'trigger: always',
-    matcher: 'every Cascade interaction',
-    purpose: 'Inject core instructions into every Cascade interaction.',
-    risk: 'low',
-  },
-  {
-    key: 'auto-rules',
-    file: '.windsurf/rules/*.md',
-    triggerPoint: 'trigger: auto, globs match',
-    matcher: 'file glob patterns',
-    purpose: 'Inject context-specific rules when matching files are referenced.',
-    risk: 'low',
-  },
-  {
-    key: 'agent-requested-rules',
-    file: '.windsurf/rules/*.md',
-    triggerPoint: 'trigger: agent_requested',
-    matcher: 'Cascade agent decision',
-    purpose: 'Rules that Cascade can choose to apply based on description relevance.',
-    risk: 'low',
-  },
-  {
-    key: 'workflow-trigger',
-    file: '.windsurf/workflows/*.md',
-    triggerPoint: 'slash command invocation',
-    matcher: 'user-triggered slash command',
-    purpose: 'Execute predefined workflows via slash commands.',
-    risk: 'medium',
-  },
-  {
-    key: 'memory-load',
-    file: '.windsurf/memories/',
-    triggerPoint: 'session start',
-    matcher: 'persistent context',
-    purpose: 'Load team-syncable memories into Cascade context.',
-    risk: 'low',
-  },
-  {
-    key: 'cascadeignore-filter',
-    file: '.cascadeignore',
-    triggerPoint: 'file access',
-    matcher: 'gitignore-style patterns',
-    purpose: 'Prevent Cascade from accessing sensitive files.',
-    risk: 'low',
-  },
-  {
-    key: 'mcp-tool-access',
-    file: '.windsurf/mcp.json',
-    triggerPoint: 'MCP tool invocation',
-    matcher: 'tool name/server + team whitelist',
-    purpose: 'Control which MCP tools are available. Team whitelist for controlled environments.',
-    risk: 'medium',
-  },
-];
-const WINDSURF_POLICY_PACKS = [
-  {
-    key: 'baseline-safe',
-    label: 'Baseline Safe',
-    modules: ['.windsurf/rules/ with trigger: always', 'no .windsurfrules', '.cascadeignore configured', 'no secrets in rules'],
-    useWhen: 'Default local Windsurf rollout.',
-  },
-  {
-    key: 'cascade-safe',
-    label: 'Cascade Safe',
-    modules: ['cascadeignore for secrets', 'PR review gate', 'multi-file review before commit', 'Steps scoped'],
-    useWhen: 'Repos using Cascade for autonomous multi-file editing.',
-  },
-  {
-    key: 'team-safe',
-    label: 'Team Safe',
-    modules: ['MCP team whitelist', 'memories no secrets', 'shared workflows reviewed', 'sync policies documented'],
-    useWhen: 'Team environments with shared Windsurf configuration.',
-  },
-  {
-    key: 'enterprise-governed',
-    label: 'Enterprise Governed',
-    modules: ['MCP whitelist enforced', 'audit logs enabled', 'team sync policies', 'model access policy'],
-    useWhen: 'Enterprise tier repos with strict governance requirements.',
-  },
-  {
-    key: 'security-first',
-    label: 'Security First',
-    modules: ['.cascadeignore comprehensive', 'no secrets in any Windsurf config', 'MCP env vars secured', 'memories reviewed for PII'],
-    useWhen: 'Repos handling sensitive data where security is paramount.',
-  },
-];
-const WINDSURF_PILOT_ROLLOUT_KIT = {
-  recommendedScope: [
-    'Start with audit and setup on one trusted repo.',
-    'Keep .windsurf/rules/ and .windsurf/mcp.json in version control.',
-    'Configure .cascadeignore before enabling Cascade on sensitive repos.',
-    'Migrate .windsurfrules to .windsurf/rules/*.md before relying on Cascade.',
-    'Review team-synced memories for secrets or PII before sharing.',
-    'Test workflows on non-critical repos first.',
-  ],
-  approvals: [
-    'Engineering owner approves Cascade usage scope and MCP whitelist.',
-    'Security owner approves .cascadeignore and memory sync policies.',
-    'Pilot owner records before/after audit deltas and rollback expectations.',
-    'Team lead approves shared workflow definitions.',
-  ],
-  successMetrics: [
-    'Audit score delta',
-    'Surface coverage (rules + workflows + memories)',
-    'Time to first useful Cascade task',
-    'No-overwrite rate on existing repo files',
-    'Legacy .windsurfrules migration completion',
-    'MCP server whitelist compliance',
-  ],
-  rollbackExpectations: [
-    'Every Windsurf setup/apply write path should emit a rollback artifact.',
-    'Re-run audit after rollback to confirm the repo returned to expected state.',
-    'Cascade can be limited by removing .windsurf/rules/ or configuring .cascadeignore.',
-    'Team sync can be disabled by removing .windsurf/memories/.',
-  ],
-};
-function getWindsurfGovernanceSummary() {
-  return {
-    platform: 'windsurf',
-    platformLabel: 'Windsurf (Cascade)',
-    permissionProfiles: WINDSURF_PERMISSION_PROFILES,
-    hookRegistry: WINDSURF_HOOK_REGISTRY,
-    policyPacks: WINDSURF_POLICY_PACKS,
-    domainPacks: WINDSURF_DOMAIN_PACKS,
-    mcpPacks: WINDSURF_MCP_PACKS,
-    pilotRolloutKit: WINDSURF_PILOT_ROLLOUT_KIT,
-    platformCaveats: [
-      { id: 'windsurfrules-legacy', severity: 'high', message: '.windsurfrules is legacy format — migrate to .windsurf/rules/*.md with YAML frontmatter.' },
-      { id: 'no-background-agents', severity: 'info', message: 'Windsurf has NO background agents (unlike Cursor). All Cascade runs are foreground.' },
-      { id: 'rule-char-limit', severity: 'medium', message: 'Windsurf enforces a 10K character limit per rule file.' },
-      { id: 'memories-team-sync', severity: 'high', message: 'Memories sync across team members — never put secrets or PII in memory files.' },
-      { id: 'mcp-team-whitelist', severity: 'medium', message: 'MCP servers can be whitelisted at team level. Ensure only approved servers are listed.' },
-      { id: 'cascadeignore-important', severity: 'high', message: 'Use .cascadeignore to prevent Cascade from accessing sensitive files (similar to .gitignore).' },
-      { id: 'cascade-multi-file', severity: 'medium', message: 'Cascade performs multi-file edits. Review all changed files before committing.' },
-    ],
-  };
-}
-module.exports = {
-  getWindsurfGovernanceSummary,
-};
+/**
+ * Windsurf Governance Module
+ *
+ * 6 permission profiles, 7 hook equivalents, 5 policy packs.
+ *
+ * Windsurf-specific differences from Cursor:
+ * - NO background agents (Cascade runs in foreground only)
+ * - Cascade: autonomous agent with multi-file editing
+ * - Memories: team-syncable persistent context
+ * - Workflows: slash commands
+ * - Steps: automation sequences
+ * - .cascadeignore: gitignore-like for Cascade
+ * - MCP with team whitelist
+ * - 10K char rule limit per file
+ * - 4 activation modes: Always, Auto, Agent-Requested, Manual
+ */
+const { WINDSURF_DOMAIN_PACKS } = require('./domain-packs');
+const { WINDSURF_MCP_PACKS } = require('./mcp-packs');
+const WINDSURF_PERMISSION_PROFILES = [
+  {
+    key: 'read-only',
+    label: 'Read Only',
+    risk: 'low',
+    defaultSandbox: 'no-writes',
+    approvalPolicy: 'always-confirm',
+    useWhen: 'First contact with a repo, security review, or auditing.',
+    behavior: 'Cascade can read and suggest, but all edits and terminal commands require explicit confirmation.',
+    surfaces: ['foreground'],
+  },
+  {
+    key: 'standard',
+    label: 'Standard',
+    risk: 'medium',
+    defaultSandbox: 'user-approval',
+    approvalPolicy: 'selective-approval',
+    useWhen: 'Default product work where Cascade edits locally but risky commands need review.',
+    behavior: 'Cascade proposes edits. Terminal commands require per-command approval.',
+    surfaces: ['foreground'],
+  },
+  {
+    key: 'cascade-agent',
+    label: 'Cascade Agent',
+    risk: 'medium',
+    defaultSandbox: 'auto-run-trusted',
+    approvalPolicy: 'auto-approve-safe',
+    useWhen: 'Trusted repos where full Cascade agent mode is the primary workflow.',
+    behavior: 'Full Cascade agent mode. Multi-file edits with auto-approval for safe operations.',
+    surfaces: ['foreground'],
+  },
+  {
+    key: 'steps-automation',
+    label: 'Steps Automation',
+    risk: 'medium',
+    defaultSandbox: 'step-scoped',
+    approvalPolicy: 'step-level-approval',
+    useWhen: 'Complex multi-step tasks using Steps automation.',
+    behavior: 'Cascade runs multi-step workflows. Each step can be reviewed before proceeding.',
+    surfaces: ['foreground'],
+  },
+  {
+    key: 'team-managed',
+    label: 'Team Managed',
+    risk: 'medium',
+    defaultSandbox: 'team-policy',
+    approvalPolicy: 'team-controlled',
+    useWhen: 'Team environments with shared memories and MCP whitelist.',
+    behavior: 'Team-level policies for MCP whitelist, memories sync, and workflow access.',
+    surfaces: ['foreground'],
+  },
+  {
+    key: 'enterprise',
+    label: 'Enterprise',
+    risk: 'low',
+    defaultSandbox: 'org-policy-enforced',
+    approvalPolicy: 'org-admin-controlled',
+    useWhen: 'Enterprise tier with team sync, MCP whitelist, audit logs.',
+    behavior: 'Admin-managed policies. MCP whitelist enforced. Audit logs and team sync policies.',
+    surfaces: ['foreground'],
+  },
+];
+const WINDSURF_HOOK_REGISTRY = [
+  {
+    key: 'always-rules',
+    file: '.windsurf/rules/*.md',
+    triggerPoint: 'trigger: always',
+    matcher: 'every Cascade interaction',
+    purpose: 'Inject core instructions into every Cascade interaction.',
+    risk: 'low',
+  },
+  {
+    key: 'auto-rules',
+    file: '.windsurf/rules/*.md',
+    triggerPoint: 'trigger: auto, globs match',
+    matcher: 'file glob patterns',
+    purpose: 'Inject context-specific rules when matching files are referenced.',
+    risk: 'low',
+  },
+  {
+    key: 'agent-requested-rules',
+    file: '.windsurf/rules/*.md',
+    triggerPoint: 'trigger: agent_requested',
+    matcher: 'Cascade agent decision',
+    purpose: 'Rules that Cascade can choose to apply based on description relevance.',
+    risk: 'low',
+  },
+  {
+    key: 'workflow-trigger',
+    file: '.windsurf/workflows/*.md',
+    triggerPoint: 'slash command invocation',
+    matcher: 'user-triggered slash command',
+    purpose: 'Execute predefined workflows via slash commands.',
+    risk: 'medium',
+  },
+  {
+    key: 'memory-load',
+    file: '.windsurf/memories/',
+    triggerPoint: 'session start',
+    matcher: 'persistent context',
+    purpose: 'Load team-syncable memories into Cascade context.',
+    risk: 'low',
+  },
+  {
+    key: 'cascadeignore-filter',
+    file: '.cascadeignore',
+    triggerPoint: 'file access',
+    matcher: 'gitignore-style patterns',
+    purpose: 'Prevent Cascade from accessing sensitive files.',
+    risk: 'low',
+  },
+  {
+    key: 'mcp-tool-access',
+    file: '.windsurf/mcp.json',
+    triggerPoint: 'MCP tool invocation',
+    matcher: 'tool name/server + team whitelist',
+    purpose: 'Control which MCP tools are available. Team whitelist for controlled environments.',
+    risk: 'medium',
+  },
+];
+const WINDSURF_POLICY_PACKS = [
+  {
+    key: 'baseline-safe',
+    label: 'Baseline Safe',
+    modules: ['.windsurf/rules/ with trigger: always', 'no .windsurfrules', '.cascadeignore configured', 'no secrets in rules'],
+    useWhen: 'Default local Windsurf rollout.',
+  },
+  {
+    key: 'cascade-safe',
+    label: 'Cascade Safe',
+    modules: ['cascadeignore for secrets', 'PR review gate', 'multi-file review before commit', 'Steps scoped'],
+    useWhen: 'Repos using Cascade for autonomous multi-file editing.',
+  },
+  {
+    key: 'team-safe',
+    label: 'Team Safe',
+    modules: ['MCP team whitelist', 'memories no secrets', 'shared workflows reviewed', 'sync policies documented'],
+    useWhen: 'Team environments with shared Windsurf configuration.',
+  },
+  {
+    key: 'enterprise-governed',
+    label: 'Enterprise Governed',
+    modules: ['MCP whitelist enforced', 'audit logs enabled', 'team sync policies', 'model access policy'],
+    useWhen: 'Enterprise tier repos with strict governance requirements.',
+  },
+  {
+    key: 'security-first',
+    label: 'Security First',
+    modules: ['.cascadeignore comprehensive', 'no secrets in any Windsurf config', 'MCP env vars secured', 'memories reviewed for PII'],
+    useWhen: 'Repos handling sensitive data where security is paramount.',
+  },
+];
+const WINDSURF_PILOT_ROLLOUT_KIT = {
+  recommendedScope: [
+    'Start with audit and setup on one trusted repo.',
+    'Keep .windsurf/rules/ and .windsurf/mcp.json in version control.',
+    'Configure .cascadeignore before enabling Cascade on sensitive repos.',
+    'Migrate .windsurfrules to .windsurf/rules/*.md before relying on Cascade.',
+    'Review team-synced memories for secrets or PII before sharing.',
+    'Test workflows on non-critical repos first.',
+  ],
+  approvals: [
+    'Engineering owner approves Cascade usage scope and MCP whitelist.',
+    'Security owner approves .cascadeignore and memory sync policies.',
+    'Pilot owner records before/after audit deltas and rollback expectations.',
+    'Team lead approves shared workflow definitions.',
+  ],
+  successMetrics: [
+    'Audit score delta',
+    'Surface coverage (rules + workflows + memories)',
+    'Time to first useful Cascade task',
+    'No-overwrite rate on existing repo files',
+    'Legacy .windsurfrules migration completion',
+    'MCP server whitelist compliance',
+  ],
+  rollbackExpectations: [
+    'Every Windsurf setup/apply write path should emit a rollback artifact.',
+    'Re-run audit after rollback to confirm the repo returned to expected state.',
+    'Cascade can be limited by removing .windsurf/rules/ or configuring .cascadeignore.',
+    'Team sync can be disabled by removing .windsurf/memories/.',
+  ],
+};
+function getWindsurfGovernanceSummary() {
+  return {
+    platform: 'windsurf',
+    platformLabel: 'Windsurf (Cascade)',
+    permissionProfiles: WINDSURF_PERMISSION_PROFILES,
+    hookRegistry: WINDSURF_HOOK_REGISTRY,
+    policyPacks: WINDSURF_POLICY_PACKS,
+    domainPacks: WINDSURF_DOMAIN_PACKS,
+    mcpPacks: WINDSURF_MCP_PACKS,
+    pilotRolloutKit: WINDSURF_PILOT_ROLLOUT_KIT,
+    platformCaveats: [
+      { id: 'windsurfrules-legacy', severity: 'high', message: '.windsurfrules is legacy format — migrate to .windsurf/rules/*.md with YAML frontmatter.' },
+      { id: 'no-background-agents', severity: 'info', message: 'Windsurf has NO background agents (unlike Cursor). All Cascade runs are foreground.' },
+      { id: 'rule-char-limit', severity: 'medium', message: 'Windsurf enforces a 10K character limit per rule file.' },
+      { id: 'memories-team-sync', severity: 'high', message: 'Memories sync across team members — never put secrets or PII in memory files.' },
+      { id: 'mcp-team-whitelist', severity: 'medium', message: 'MCP servers can be whitelisted at team level. Ensure only approved servers are listed.' },
+      { id: 'cascadeignore-important', severity: 'high', message: 'Use .cascadeignore to prevent Cascade from accessing sensitive files (similar to .gitignore).' },
+      { id: 'cascade-multi-file', severity: 'medium', message: 'Cascade performs multi-file edits. Review all changed files before committing.' },
+    ],
+  };
+}
+module.exports = {
+  getWindsurfGovernanceSummary,
+};