@nerviq/cli 1.20.0 → 1.21.0

package/src/codex/freshness.js

@@ -8,10 +8,10 @@
 const { version } = require('../../package.json');
 
 /**
- * P0 sources that must be fresh before any Codex release claim.
- * Each source has a staleness threshold in days.
- */
-const P0_SOURCES = [
+ * P0 sources that must be fresh before any Codex release claim.
+ * Each source has a staleness threshold in days.
+ */
+const P0_SOURCES = [
   {
     key: 'codex-cli-docs',
     label: 'Codex CLI Official Docs',
@@ -19,53 +19,53 @@ const P0_SOURCES = [
     stalenessThresholdDays: 30,
     verifiedAt: '2026-04-07',
   },
-  {
-    key: 'codex-config-reference',
-    label: 'Codex Config Reference',
-    url: 'https://developers.openai.com/codex/config-reference',
-    stalenessThresholdDays: 30,
-    verifiedAt: '2026-04-07',
-  },
-  {
-    key: 'codex-agent-approvals-security',
-    label: 'Codex Agent Approvals & Security',
-    url: 'https://developers.openai.com/codex/agent-approvals-security',
-    stalenessThresholdDays: 14,
-    verifiedAt: '2026-04-10',
-  },
-  {
-    key: 'codex-subagents',
-    label: 'Codex Subagents Documentation',
-    url: 'https://developers.openai.com/codex/subagents',
-    stalenessThresholdDays: 14,
-    verifiedAt: '2026-04-10',
-  },
-  {
-    key: 'codex-automations',
-    label: 'Codex Automations / App Workflows',
-    url: 'https://developers.openai.com/codex/app/automations',
-    stalenessThresholdDays: 14,
-    verifiedAt: '2026-04-10',
-  },
-  {
-    key: 'codex-local-environments',
-    label: 'Codex Local Environments / Worktrees',
-    url: 'https://developers.openai.com/codex/app/local-environments',
-    stalenessThresholdDays: 14,
-    verifiedAt: '2026-04-10',
-  },
-  {
-    key: 'codex-feature-maturity',
-    label: 'Codex Feature Maturity',
-    url: 'https://developers.openai.com/codex/feature-maturity',
-    stalenessThresholdDays: 14,
-    verifiedAt: '2026-04-10',
-  },
-  {
-    key: 'codex-github-action',
-    label: 'Codex GitHub Action',
-    url: 'https://github.com/openai/codex-action',
-    stalenessThresholdDays: 30,
+  {
+    key: 'codex-config-reference',
+    label: 'Codex Config Reference',
+    url: 'https://developers.openai.com/codex/config-reference',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'codex-agent-approvals-security',
+    label: 'Codex Agent Approvals & Security',
+    url: 'https://developers.openai.com/codex/agent-approvals-security',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-10',
+  },
+  {
+    key: 'codex-subagents',
+    label: 'Codex Subagents Documentation',
+    url: 'https://developers.openai.com/codex/subagents',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-10',
+  },
+  {
+    key: 'codex-automations',
+    label: 'Codex Automations / App Workflows',
+    url: 'https://developers.openai.com/codex/app/automations',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-10',
+  },
+  {
+    key: 'codex-local-environments',
+    label: 'Codex Local Environments / Worktrees',
+    url: 'https://developers.openai.com/codex/app/local-environments',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-10',
+  },
+  {
+    key: 'codex-feature-maturity',
+    label: 'Codex Feature Maturity',
+    url: 'https://developers.openai.com/codex/feature-maturity',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-10',
+  },
+  {
+    key: 'codex-github-action',
+    label: 'Codex GitHub Action',
+    url: 'https://github.com/openai/codex-action',
+    stalenessThresholdDays: 30,
     verifiedAt: '2026-04-07',
   },
   {
@@ -112,39 +112,39 @@ const PROPAGATION_CHECKLIST = [
       'src/codex/governance.js — governance export picks up changes',
     ],
   },
-  {
-    trigger: 'New check category added',
-    targets: [
-      'src/codex/techniques.js — add check implementations',
-      'test/codex-check-matrix.js — add pass/fail scenarios',
-      'test/codex-golden-matrix.js — update golden scores',
-    ],
-  },
-  {
-    trigger: 'Codex approvals/security model change (approval classes, sandboxing, unattended safety behavior)',
-    targets: [
-      'src/codex/governance.js — update permission profiles and caveats',
-      'src/codex/techniques.js — update trust/security checks tied to approval behavior',
-      'src/source-urls.js — refresh Codex trust/authentication source mappings if docs move',
-    ],
-  },
-  {
-    trigger: 'Codex subagent or local-environment change (subagents, worktrees, workspace lifecycle, handoff expectations)',
-    targets: [
-      'src/codex/setup.js — update subagent/worktree starter templates',
-      'src/codex/techniques.js — update subagent and worktree governance checks',
-      'src/codex/governance.js — update multi-agent policy guidance',
-    ],
-  },
-  {
-    trigger: 'Codex automation or feature-maturity change (automations, background workflows, capability maturity guidance)',
-    targets: [
-      'src/codex/techniques.js — update automation and maturity-sensitive checks',
-      'src/codex/interactive.js — update automation/setup wizard copy if platform behavior changes',
-      'src/source-urls.js — refresh Codex automation and maturity source mappings',
-    ],
-  },
-];
+  {
+    trigger: 'New check category added',
+    targets: [
+      'src/codex/techniques.js — add check implementations',
+      'test/codex-check-matrix.js — add pass/fail scenarios',
+      'test/codex-golden-matrix.js — update golden scores',
+    ],
+  },
+  {
+    trigger: 'Codex approvals/security model change (approval classes, sandboxing, unattended safety behavior)',
+    targets: [
+      'src/codex/governance.js — update permission profiles and caveats',
+      'src/codex/techniques.js — update trust/security checks tied to approval behavior',
+      'src/source-urls.js — refresh Codex trust/authentication source mappings if docs move',
+    ],
+  },
+  {
+    trigger: 'Codex subagent or local-environment change (subagents, worktrees, workspace lifecycle, handoff expectations)',
+    targets: [
+      'src/codex/setup.js — update subagent/worktree starter templates',
+      'src/codex/techniques.js — update subagent and worktree governance checks',
+      'src/codex/governance.js — update multi-agent policy guidance',
+    ],
+  },
+  {
+    trigger: 'Codex automation or feature-maturity change (automations, background workflows, capability maturity guidance)',
+    targets: [
+      'src/codex/techniques.js — update automation and maturity-sensitive checks',
+      'src/codex/interactive.js — update automation/setup wizard copy if platform behavior changes',
+      'src/source-urls.js — refresh Codex automation and maturity source mappings',
+    ],
+  },
+];
 
 /**
  * Release gate: check if all P0 sources are within staleness threshold.

package/src/codex/governance.js

@@ -1,192 +1,192 @@
-const { CODEX_DOMAIN_PACKS } = require('./domain-packs');
-const { CODEX_MCP_PACKS } = require('./mcp-packs');
-
-const CODEX_PERMISSION_PROFILES = [
-  {
-    key: 'locked-down',
-    label: 'Locked Down',
-    risk: 'low',
-    defaultSandbox: 'read-only',
-    approvalPolicy: 'untrusted',
-    useWhen: 'First contact with a repo, security review, or regulated environments.',
-    behavior: 'No writes, explicit escalation for anything outside trusted commands.',
-  },
-  {
-    key: 'standard',
-    label: 'Standard',
-    risk: 'medium',
-    defaultSandbox: 'workspace-write',
-    approvalPolicy: 'on-request',
-    useWhen: 'Default product work where Codex edits locally but risky commands still need review.',
-    behavior: 'Balanced baseline for normal repo work.',
-  },
-  {
-    key: 'full-auto',
-    label: 'Full Auto',
-    risk: 'high',
-    defaultSandbox: 'workspace-write',
-    approvalPolicy: 'never',
-    useWhen: 'Externally sandboxed automation only, with strong repo guardrails.',
-    behavior: 'No approval prompts. Suitable only when the outer environment is controlled.',
-  },
-  {
-    key: 'unrestricted',
-    label: 'Unrestricted',
-    risk: 'critical',
-    defaultSandbox: 'danger-full-access',
-    approvalPolicy: 'never',
-    useWhen: 'Exceptional internal debugging only.',
-    behavior: 'Bypasses core safety boundaries and should never be the product default.',
-  },
-  // CP-10: New profile for CI/automation
-  {
-    key: 'ci-automation',
-    label: 'CI Automation',
-    risk: 'high',
-    defaultSandbox: 'workspace-write',
-    approvalPolicy: 'never',
-    useWhen: 'GitHub Actions, `codex exec`, or scheduled automation where the outer CI environment provides containment.',
-    behavior: 'No prompts. Designed for `codex exec` and GitHub Action contexts. Requires CODEX_API_KEY, not user credentials.',
-  },
-];
-
-const CODEX_HOOK_REGISTRY = [
-  {
-    key: 'session-start',
-    file: '.codex/hooks.json',
-    triggerPoint: 'SessionStart',
-    matcher: null,
-    purpose: 'Bootstrap local context or guardrails at session start when hooks are supported.',
-    risk: 'low',
-  },
-  {
-    key: 'pre-tool-use',
-    file: '.codex/hooks.json',
-    triggerPoint: 'PreToolUse',
-    matcher: 'shell or tool events',
-    purpose: 'Pre-flight validation before risky work.',
-    risk: 'medium',
-  },
-  {
-    key: 'post-tool-use',
-    file: '.codex/hooks.json',
-    triggerPoint: 'PostToolUse',
-    matcher: 'shell or tool events',
-    purpose: 'Post-edit checks and guardrails after commands complete.',
-    risk: 'medium',
-  },
-  // CP-10: Expanded hook registry
-  {
-    key: 'user-prompt-submit',
-    file: '.codex/hooks.json',
-    triggerPoint: 'UserPromptSubmit',
-    matcher: null,
-    purpose: 'Validate or transform user prompts before they reach the model.',
-    risk: 'low',
-  },
-  {
-    key: 'stop',
-    file: '.codex/hooks.json',
-    triggerPoint: 'Stop',
-    matcher: null,
-    purpose: 'Clean up resources or log session outcomes when Codex exits.',
-    risk: 'low',
-  },
-  // Parity hooks to match Claude's 7
-  {
-    key: 'injection-defense',
-    file: '.codex/hooks.json',
-    triggerPoint: 'PreToolUse',
-    matcher: 'fetch or web events',
-    purpose: 'Validate external content for prompt injection before processing.',
-    risk: 'medium',
-  },
-  {
-    key: 'trust-drift-check',
-    file: '.codex/hooks.json',
-    triggerPoint: 'PostToolUse',
-    matcher: 'config or agents file changes',
-    purpose: 'Detect config/instruction drift after tool edits that touch trust surfaces.',
-    risk: 'medium',
-  },
-];
-
-const CODEX_POLICY_PACKS = [
-  {
-    key: 'baseline-safe',
-    label: 'Baseline Safe',
-    modules: ['AGENTS.md baseline', 'safe profile', 'network explicit', 'history explicit'],
-    useWhen: 'Default local Codex rollout.',
-  },
-  {
-    key: 'automation-reviewed',
-    label: 'Automation Reviewed',
-    modules: ['safe GitHub Action strategy', 'managed CODEX_API_KEY', 'manual test note'],
-    useWhen: 'Repos adding Codex workflows in CI or scheduled automation.',
-  },
-  {
-    key: 'skills-and-subagents',
-    label: 'Skills + Subagents',
-    modules: ['repo-local skills', 'custom agent field validation', 'fanout limits'],
-    useWhen: 'Teams that want structured Codex specialization without losing governance.',
-  },
-  // CP-10: New policy packs
-  {
-    key: 'cloud-automation',
-    label: 'Cloud Automation',
-    modules: ['ci-automation profile', 'CODEX_API_KEY auth', 'exec safety review', 'cloud trust boundary'],
-    useWhen: 'Repos deploying Codex in CI/CD, cloud tasks, or scheduled automation.',
-  },
-  {
-    key: 'enterprise-strict',
-    label: 'Enterprise Strict',
-    modules: ['locked-down profile', 'audit trail', 'explicit governance export', 'compliance-safe history settings'],
-    useWhen: 'Regulated or compliance-sensitive repos where every Codex action must be auditable.',
-  },
-];
-
-const CODEX_PILOT_ROLLOUT_KIT = {
-  recommendedScope: [
-    'Start with audit and setup on one trusted repo before enabling automation.',
-    'Keep AGENTS.md and config.toml in version control so Codex behavior is reviewable.',
-    'Use workflow_dispatch or manual dry runs before schedules or cloud tasks.',
-  ],
-  approvals: [
-    'Engineering owner approves approval_policy and sandbox_mode.',
-    'Security owner approves any CI, cloud, or full-auto posture.',
-    'Pilot owner records before/after audit deltas and rollback expectations.',
-  ],
-  successMetrics: [
-    'Audit score delta',
-    'Config explicitness delta',
-    'Time to first useful Codex task',
-    'No-overwrite rate on existing repo files',
-  ],
-  rollbackExpectations: [
-    'Every Codex setup/apply write path should emit a rollback artifact.',
-    'Treat hooks on Windows as unsupported and move enforcement to CI.',
-    'Re-run audit after rollback to confirm the repo returned to the expected state.',
-  ],
-};
-
-function getCodexGovernanceSummary() {
-  return {
-    platform: 'codex',
-    platformLabel: 'Codex',
-    permissionProfiles: CODEX_PERMISSION_PROFILES,
-    hookRegistry: CODEX_HOOK_REGISTRY,
-    policyPacks: CODEX_POLICY_PACKS,
-    domainPacks: CODEX_DOMAIN_PACKS,
-    mcpPacks: CODEX_MCP_PACKS,
-    pilotRolloutKit: CODEX_PILOT_ROLLOUT_KIT,
-    platformCaveats: [
-      'Hooks are not enforced on Windows today.',
-      'agents.max_threads defaults high enough to deserve an explicit cap.',
-      'Cloud tasks have a different trust class than local CLI work.',
-    ],
-  };
-}
-
-module.exports = {
-  getCodexGovernanceSummary,
-};
+const { CODEX_DOMAIN_PACKS } = require('./domain-packs');
+const { CODEX_MCP_PACKS } = require('./mcp-packs');
+
+const CODEX_PERMISSION_PROFILES = [
+  {
+    key: 'locked-down',
+    label: 'Locked Down',
+    risk: 'low',
+    defaultSandbox: 'read-only',
+    approvalPolicy: 'untrusted',
+    useWhen: 'First contact with a repo, security review, or regulated environments.',
+    behavior: 'No writes, explicit escalation for anything outside trusted commands.',
+  },
+  {
+    key: 'standard',
+    label: 'Standard',
+    risk: 'medium',
+    defaultSandbox: 'workspace-write',
+    approvalPolicy: 'on-request',
+    useWhen: 'Default product work where Codex edits locally but risky commands still need review.',
+    behavior: 'Balanced baseline for normal repo work.',
+  },
+  {
+    key: 'full-auto',
+    label: 'Full Auto',
+    risk: 'high',
+    defaultSandbox: 'workspace-write',
+    approvalPolicy: 'never',
+    useWhen: 'Externally sandboxed automation only, with strong repo guardrails.',
+    behavior: 'No approval prompts. Suitable only when the outer environment is controlled.',
+  },
+  {
+    key: 'unrestricted',
+    label: 'Unrestricted',
+    risk: 'critical',
+    defaultSandbox: 'danger-full-access',
+    approvalPolicy: 'never',
+    useWhen: 'Exceptional internal debugging only.',
+    behavior: 'Bypasses core safety boundaries and should never be the product default.',
+  },
+  // CP-10: New profile for CI/automation
+  {
+    key: 'ci-automation',
+    label: 'CI Automation',
+    risk: 'high',
+    defaultSandbox: 'workspace-write',
+    approvalPolicy: 'never',
+    useWhen: 'GitHub Actions, `codex exec`, or scheduled automation where the outer CI environment provides containment.',
+    behavior: 'No prompts. Designed for `codex exec` and GitHub Action contexts. Requires CODEX_API_KEY, not user credentials.',
+  },
+];
+
+const CODEX_HOOK_REGISTRY = [
+  {
+    key: 'session-start',
+    file: '.codex/hooks.json',
+    triggerPoint: 'SessionStart',
+    matcher: null,
+    purpose: 'Bootstrap local context or guardrails at session start when hooks are supported.',
+    risk: 'low',
+  },
+  {
+    key: 'pre-tool-use',
+    file: '.codex/hooks.json',
+    triggerPoint: 'PreToolUse',
+    matcher: 'shell or tool events',
+    purpose: 'Pre-flight validation before risky work.',
+    risk: 'medium',
+  },
+  {
+    key: 'post-tool-use',
+    file: '.codex/hooks.json',
+    triggerPoint: 'PostToolUse',
+    matcher: 'shell or tool events',
+    purpose: 'Post-edit checks and guardrails after commands complete.',
+    risk: 'medium',
+  },
+  // CP-10: Expanded hook registry
+  {
+    key: 'user-prompt-submit',
+    file: '.codex/hooks.json',
+    triggerPoint: 'UserPromptSubmit',
+    matcher: null,
+    purpose: 'Validate or transform user prompts before they reach the model.',
+    risk: 'low',
+  },
+  {
+    key: 'stop',
+    file: '.codex/hooks.json',
+    triggerPoint: 'Stop',
+    matcher: null,
+    purpose: 'Clean up resources or log session outcomes when Codex exits.',
+    risk: 'low',
+  },
+  // Parity hooks to match Claude's 7
+  {
+    key: 'injection-defense',
+    file: '.codex/hooks.json',
+    triggerPoint: 'PreToolUse',
+    matcher: 'fetch or web events',
+    purpose: 'Validate external content for prompt injection before processing.',
+    risk: 'medium',
+  },
+  {
+    key: 'trust-drift-check',
+    file: '.codex/hooks.json',
+    triggerPoint: 'PostToolUse',
+    matcher: 'config or agents file changes',
+    purpose: 'Detect config/instruction drift after tool edits that touch trust surfaces.',
+    risk: 'medium',
+  },
+];
+
+const CODEX_POLICY_PACKS = [
+  {
+    key: 'baseline-safe',
+    label: 'Baseline Safe',
+    modules: ['AGENTS.md baseline', 'safe profile', 'network explicit', 'history explicit'],
+    useWhen: 'Default local Codex rollout.',
+  },
+  {
+    key: 'automation-reviewed',
+    label: 'Automation Reviewed',
+    modules: ['safe GitHub Action strategy', 'managed CODEX_API_KEY', 'manual test note'],
+    useWhen: 'Repos adding Codex workflows in CI or scheduled automation.',
+  },
+  {
+    key: 'skills-and-subagents',
+    label: 'Skills + Subagents',
+    modules: ['repo-local skills', 'custom agent field validation', 'fanout limits'],
+    useWhen: 'Teams that want structured Codex specialization without losing governance.',
+  },
+  // CP-10: New policy packs
+  {
+    key: 'cloud-automation',
+    label: 'Cloud Automation',
+    modules: ['ci-automation profile', 'CODEX_API_KEY auth', 'exec safety review', 'cloud trust boundary'],
+    useWhen: 'Repos deploying Codex in CI/CD, cloud tasks, or scheduled automation.',
+  },
+  {
+    key: 'enterprise-strict',
+    label: 'Enterprise Strict',
+    modules: ['locked-down profile', 'audit trail', 'explicit governance export', 'compliance-safe history settings'],
+    useWhen: 'Regulated or compliance-sensitive repos where every Codex action must be auditable.',
+  },
+];
+
+const CODEX_PILOT_ROLLOUT_KIT = {
+  recommendedScope: [
+    'Start with audit and setup on one trusted repo before enabling automation.',
+    'Keep AGENTS.md and config.toml in version control so Codex behavior is reviewable.',
+    'Use workflow_dispatch or manual dry runs before schedules or cloud tasks.',
+  ],
+  approvals: [
+    'Engineering owner approves approval_policy and sandbox_mode.',
+    'Security owner approves any CI, cloud, or full-auto posture.',
+    'Pilot owner records before/after audit deltas and rollback expectations.',
+  ],
+  successMetrics: [
+    'Audit score delta',
+    'Config explicitness delta',
+    'Time to first useful Codex task',
+    'No-overwrite rate on existing repo files',
+  ],
+  rollbackExpectations: [
+    'Every Codex setup/apply write path should emit a rollback artifact.',
+    'Treat hooks on Windows as unsupported and move enforcement to CI.',
+    'Re-run audit after rollback to confirm the repo returned to the expected state.',
+  ],
+};
+
+function getCodexGovernanceSummary() {
+  return {
+    platform: 'codex',
+    platformLabel: 'Codex',
+    permissionProfiles: CODEX_PERMISSION_PROFILES,
+    hookRegistry: CODEX_HOOK_REGISTRY,
+    policyPacks: CODEX_POLICY_PACKS,
+    domainPacks: CODEX_DOMAIN_PACKS,
+    mcpPacks: CODEX_MCP_PACKS,
+    pilotRolloutKit: CODEX_PILOT_ROLLOUT_KIT,
+    platformCaveats: [
+      'Hooks are not enforced on Windows today.',
+      'agents.max_threads defaults high enough to deserve an explicit cap.',
+      'Cloud tasks have a different trust class than local CLI work.',
+    ],
+  };
+}
+
+module.exports = {
+  getCodexGovernanceSummary,
+};