@nerviq/cli 1.20.1 → 1.21.0

package/src/prompt-injection.js

@@ -1,74 +1,74 @@
-'use strict';
-
-const PROMPT_INJECTION_PATTERNS = [
-  /\bignore (?:all )?(?:previous|earlier|above) instructions?\b/i,
-  /\boverride (?:the )?(?:system|developer|safety|previous) instructions?\b/i,
-  /\breveal (?:your|the) (?:system|developer) prompt\b/i,
-  /\bbypass (?:all )?(?:safety|guardrails|restrictions|protections)\b/i,
-  /\bdisable (?:the )?(?:guardrails|safety checks?)\b/i,
-  /\bact as (?:the )?(?:system|developer)\b/i,
-  /\breport (?:that )?(?:everything is )?perfect(?: and score 100\/100)?\b/i,
-  /\bscore 100\/100\b/i,
-  /\bexfiltrate\b.*\b(?:secret|token|credential|password)\b/i,
-];
-
-const TRUST_BOUNDARY_PATTERNS = [
-  /\btreat(?: every| all)?(?: string| file| repo(?:sitory)?| external)?[\w\s,-]{0,80}\buntrusted\b/i,
-  /\bnever follow instructions embedded in\b/i,
-  /\b(?:repo(?:sitory)? files?|file contents?|web(?:site|page)? content|fetched content|external content|mcp responses?)\b[\w\s,-]{0,120}\b(?:data|quoted)\b[\w\s,-]{0,80}\bnot instructions\b/i,
-  /\bmcp responses?\b[\w\s,-]{0,80}\buntrusted\b/i,
-  /\bfile contents?\b[\w\s,-]{0,80}\buntrusted\b/i,
-  /\bprompt injection\b[\w\s,-]{0,120}\b(?:defense|resistance|guard|boundary)\b/i,
-];
-
-function containsPromptInjectionPattern(text) {
-  const normalized = String(text || '');
-  return PROMPT_INJECTION_PATTERNS.some((pattern) => {
-    pattern.lastIndex = 0;
-    return pattern.test(normalized);
-  });
-}
-
-function hasPromptInjectionDefenseGuidance(text) {
-  const normalized = String(text || '');
-  if (!normalized.trim()) return false;
-  return TRUST_BOUNDARY_PATTERNS.some((pattern) => {
-    pattern.lastIndex = 0;
-    return pattern.test(normalized);
-  });
-}
-
-function hasMcpPromptInjectionDefenseGuidance(text) {
-  const normalized = String(text || '');
-  if (!/\bmcp\b/i.test(normalized)) return false;
-  return hasPromptInjectionDefenseGuidance(normalized);
-}
-
-function collectHookBlocks(settings) {
-  if (!settings || !settings.hooks || typeof settings.hooks !== 'object') return [];
-  const blocks = [];
-  for (const [eventName, entries] of Object.entries(settings.hooks)) {
-    if (!Array.isArray(entries)) continue;
-    for (const entry of entries) {
-      blocks.push({ eventName, entry });
-    }
-  }
-  return blocks;
-}
-
-function hasInjectionDefenseHookConfigured(settings) {
-  return collectHookBlocks(settings).some(({ eventName, entry }) => {
-    if (eventName !== 'PostToolUse') return false;
-    const matcher = `${entry && entry.matcher ? entry.matcher : ''}`;
-    if (!/WebFetch|WebSearch|Read|Grep|Glob|mcp__/i.test(matcher)) return false;
-    const hooks = Array.isArray(entry && entry.hooks) ? entry.hooks : [];
-    return hooks.some((hook) => /injection|prompt|sanitize|untrusted/i.test(`${hook && hook.command ? hook.command : ''}`));
-  });
-}
-
-module.exports = {
-  containsPromptInjectionPattern,
-  hasPromptInjectionDefenseGuidance,
-  hasMcpPromptInjectionDefenseGuidance,
-  hasInjectionDefenseHookConfigured,
-};
+'use strict';
+
+const PROMPT_INJECTION_PATTERNS = [
+  /\bignore (?:all )?(?:previous|earlier|above) instructions?\b/i,
+  /\boverride (?:the )?(?:system|developer|safety|previous) instructions?\b/i,
+  /\breveal (?:your|the) (?:system|developer) prompt\b/i,
+  /\bbypass (?:all )?(?:safety|guardrails|restrictions|protections)\b/i,
+  /\bdisable (?:the )?(?:guardrails|safety checks?)\b/i,
+  /\bact as (?:the )?(?:system|developer)\b/i,
+  /\breport (?:that )?(?:everything is )?perfect(?: and score 100\/100)?\b/i,
+  /\bscore 100\/100\b/i,
+  /\bexfiltrate\b.*\b(?:secret|token|credential|password)\b/i,
+];
+
+const TRUST_BOUNDARY_PATTERNS = [
+  /\btreat(?: every| all)?(?: string| file| repo(?:sitory)?| external)?[\w\s,-]{0,80}\buntrusted\b/i,
+  /\bnever follow instructions embedded in\b/i,
+  /\b(?:repo(?:sitory)? files?|file contents?|web(?:site|page)? content|fetched content|external content|mcp responses?)\b[\w\s,-]{0,120}\b(?:data|quoted)\b[\w\s,-]{0,80}\bnot instructions\b/i,
+  /\bmcp responses?\b[\w\s,-]{0,80}\buntrusted\b/i,
+  /\bfile contents?\b[\w\s,-]{0,80}\buntrusted\b/i,
+  /\bprompt injection\b[\w\s,-]{0,120}\b(?:defense|resistance|guard|boundary)\b/i,
+];
+
+function containsPromptInjectionPattern(text) {
+  const normalized = String(text || '');
+  return PROMPT_INJECTION_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(normalized);
+  });
+}
+
+function hasPromptInjectionDefenseGuidance(text) {
+  const normalized = String(text || '');
+  if (!normalized.trim()) return false;
+  return TRUST_BOUNDARY_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(normalized);
+  });
+}
+
+function hasMcpPromptInjectionDefenseGuidance(text) {
+  const normalized = String(text || '');
+  if (!/\bmcp\b/i.test(normalized)) return false;
+  return hasPromptInjectionDefenseGuidance(normalized);
+}
+
+function collectHookBlocks(settings) {
+  if (!settings || !settings.hooks || typeof settings.hooks !== 'object') return [];
+  const blocks = [];
+  for (const [eventName, entries] of Object.entries(settings.hooks)) {
+    if (!Array.isArray(entries)) continue;
+    for (const entry of entries) {
+      blocks.push({ eventName, entry });
+    }
+  }
+  return blocks;
+}
+
+function hasInjectionDefenseHookConfigured(settings) {
+  return collectHookBlocks(settings).some(({ eventName, entry }) => {
+    if (eventName !== 'PostToolUse') return false;
+    const matcher = `${entry && entry.matcher ? entry.matcher : ''}`;
+    if (!/WebFetch|WebSearch|Read|Grep|Glob|mcp__/i.test(matcher)) return false;
+    const hooks = Array.isArray(entry && entry.hooks) ? entry.hooks : [];
+    return hooks.some((hook) => /injection|prompt|sanitize|untrusted/i.test(`${hook && hook.command ? hook.command : ''}`));
+  });
+}
+
+module.exports = {
+  containsPromptInjectionPattern,
+  hasPromptInjectionDefenseGuidance,
+  hasMcpPromptInjectionDefenseGuidance,
+  hasInjectionDefenseHookConfigured,
+};

package/src/public-api.js

@@ -1,173 +1,173 @@
-const fs = require('fs');
-const path = require('path');
-const { audit } = require('./audit');
-const { harmonyAudit } = require('./harmony/audit');
-const { generateCatalog } = require('./catalog');
-const { compoundAudit, calculateAmplification } = require('./synergy/evidence');
-const { analyzeCompensation } = require('./synergy/compensation');
-const { discoverPatterns } = require('./synergy/patterns');
-const { rankRecommendations } = require('./synergy/ranking');
-const { generateSynergyReport } = require('./synergy/report');
-const { routeTask } = require('./synergy/routing');
-const { CodexProjectContext } = require('./codex/context');
-const { GeminiProjectContext } = require('./gemini/context');
-const { CopilotProjectContext } = require('./copilot/context');
-const { CursorProjectContext } = require('./cursor/context');
-const { WindsurfProjectContext } = require('./windsurf/context');
-const { AiderProjectContext } = require('./aider/context');
-const { OpenCodeProjectContext } = require('./opencode/context');
-
-const PLATFORM_ORDER = [
-  'claude',
-  'codex',
-  'gemini',
-  'copilot',
-  'cursor',
-  'windsurf',
-  'aider',
-  'opencode',
-];
-
-const PLATFORM_DETECTORS = {
-  claude: (dir) => exists(path.join(dir, 'CLAUDE.md')) || exists(path.join(dir, '.claude')),
-  codex: (dir) => CodexProjectContext.isCodexRepo(dir),
-  gemini: (dir) => GeminiProjectContext.isGeminiRepo(dir),
-  copilot: (dir) => CopilotProjectContext.isCopilotRepo(dir),
-  cursor: (dir) => CursorProjectContext.isCursorRepo(dir),
-  windsurf: (dir) => WindsurfProjectContext.isWindsurfRepo(dir),
-  aider: (dir) => AiderProjectContext.isAiderRepo(dir),
-  opencode: (dir) => OpenCodeProjectContext.isOpenCodeRepo(dir),
-};
-
-const IMPACT_SCORES = {
-  critical: 5,
-  high: 4,
-  medium: 3,
-  low: 2,
-};
-
-function exists(targetPath) {
-  try {
-    return fs.existsSync(targetPath);
-  } catch {
-    return false;
-  }
-}
-
-function resolveDir(dir) {
-  return path.resolve(dir || '.');
-}
-
-function detectPlatforms(dir) {
-  const resolvedDir = resolveDir(dir);
-  return PLATFORM_ORDER.filter((platform) => {
-    const detect = PLATFORM_DETECTORS[platform];
-    return typeof detect === 'function' ? detect(resolvedDir) : false;
-  });
-}
-
-function getCatalog() {
-  return generateCatalog();
-}
-
-function buildPatternHistory(dir, platformAudits) {
-  const timestamp = new Date().toISOString();
-  return Object.entries(platformAudits).map(([platform, result]) => ({
-    dir,
-    platform,
-    score: result.score,
-    findings: result.results || [],
-    timestamp,
-  }));
-}
-
-function buildRecommendationPool(platformAudits, compensation) {
-  const recommendations = [];
-
-  for (const [platform, result] of Object.entries(platformAudits)) {
-    const topActions = Array.isArray(result.topNextActions) ? result.topNextActions : [];
-    for (const action of topActions) {
-      recommendations.push({
-        key: action.key,
-        name: action.name,
-        description: action.fix,
-        impact: action.impact,
-        sourcePlatform: platform,
-        applicablePlatforms: [platform],
-        validatedOn: [platform],
-        baseScore: IMPACT_SCORES[action.impact] || 1,
-      });
-    }
-  }
-
-  for (const addition of compensation.recommendedAdditions || []) {
-    recommendations.push({
-      key: `add-${addition.platform}`,
-      name: `Add ${addition.platform}`,
-      description: `Covers ${addition.wouldCover.map((item) => item.label).join(', ')}`,
-      impact: addition.wouldCover.length >= 2 ? 'high' : 'medium',
-      sourcePlatform: addition.platform,
-      applicablePlatforms: [addition.platform],
-      validatedOn: [],
-      fillsGap: true,
-      baseScore: Math.max(2, Math.min(5, Math.round(addition.estimatedBenefit / Math.max(1, addition.wouldCover.length)))),
-    });
-  }
-
-  return recommendations;
-}
-
-async function synergyReport(dir) {
-  const resolvedDir = resolveDir(dir);
-  const activePlatforms = detectPlatforms(resolvedDir);
-  const platformAudits = {};
-  const errors = [];
-
-  for (const platform of activePlatforms) {
-    try {
-      platformAudits[platform] = await audit({
-        dir: resolvedDir,
-        platform,
-        silent: true,
-      });
-    } catch (error) {
-      errors.push({ platform, message: error.message });
-    }
-  }
-
-  const compound = compoundAudit(platformAudits);
-  const amplification = calculateAmplification(platformAudits);
-  const compensation = analyzeCompensation(activePlatforms, platformAudits);
-  const patterns = discoverPatterns(buildPatternHistory(resolvedDir, platformAudits)).patterns;
-  const recommendations = rankRecommendations(
-    buildRecommendationPool(platformAudits, compensation),
-    activePlatforms
-  );
-  const report = generateSynergyReport({
-    platformAudits,
-    activePlatforms,
-    recommendations,
-  });
-
-  return {
-    dir: resolvedDir,
-    activePlatforms,
-    platformAudits,
-    compound,
-    amplification,
-    compensation,
-    patterns,
-    recommendations,
-    errors,
-    report,
-  };
-}
-
-module.exports = {
-  audit,
-  harmonyAudit,
-  detectPlatforms,
-  getCatalog,
-  routeTask,
-  synergyReport,
-};
+const fs = require('fs');
+const path = require('path');
+const { audit } = require('./audit');
+const { harmonyAudit } = require('./harmony/audit');
+const { generateCatalog } = require('./catalog');
+const { compoundAudit, calculateAmplification } = require('./synergy/evidence');
+const { analyzeCompensation } = require('./synergy/compensation');
+const { discoverPatterns } = require('./synergy/patterns');
+const { rankRecommendations } = require('./synergy/ranking');
+const { generateSynergyReport } = require('./synergy/report');
+const { routeTask } = require('./synergy/routing');
+const { CodexProjectContext } = require('./codex/context');
+const { GeminiProjectContext } = require('./gemini/context');
+const { CopilotProjectContext } = require('./copilot/context');
+const { CursorProjectContext } = require('./cursor/context');
+const { WindsurfProjectContext } = require('./windsurf/context');
+const { AiderProjectContext } = require('./aider/context');
+const { OpenCodeProjectContext } = require('./opencode/context');
+
+const PLATFORM_ORDER = [
+  'claude',
+  'codex',
+  'gemini',
+  'copilot',
+  'cursor',
+  'windsurf',
+  'aider',
+  'opencode',
+];
+
+const PLATFORM_DETECTORS = {
+  claude: (dir) => exists(path.join(dir, 'CLAUDE.md')) || exists(path.join(dir, '.claude')),
+  codex: (dir) => CodexProjectContext.isCodexRepo(dir),
+  gemini: (dir) => GeminiProjectContext.isGeminiRepo(dir),
+  copilot: (dir) => CopilotProjectContext.isCopilotRepo(dir),
+  cursor: (dir) => CursorProjectContext.isCursorRepo(dir),
+  windsurf: (dir) => WindsurfProjectContext.isWindsurfRepo(dir),
+  aider: (dir) => AiderProjectContext.isAiderRepo(dir),
+  opencode: (dir) => OpenCodeProjectContext.isOpenCodeRepo(dir),
+};
+
+const IMPACT_SCORES = {
+  critical: 5,
+  high: 4,
+  medium: 3,
+  low: 2,
+};
+
+function exists(targetPath) {
+  try {
+    return fs.existsSync(targetPath);
+  } catch {
+    return false;
+  }
+}
+
+function resolveDir(dir) {
+  return path.resolve(dir || '.');
+}
+
+function detectPlatforms(dir) {
+  const resolvedDir = resolveDir(dir);
+  return PLATFORM_ORDER.filter((platform) => {
+    const detect = PLATFORM_DETECTORS[platform];
+    return typeof detect === 'function' ? detect(resolvedDir) : false;
+  });
+}
+
+function getCatalog() {
+  return generateCatalog();
+}
+
+function buildPatternHistory(dir, platformAudits) {
+  const timestamp = new Date().toISOString();
+  return Object.entries(platformAudits).map(([platform, result]) => ({
+    dir,
+    platform,
+    score: result.score,
+    findings: result.results || [],
+    timestamp,
+  }));
+}
+
+function buildRecommendationPool(platformAudits, compensation) {
+  const recommendations = [];
+
+  for (const [platform, result] of Object.entries(platformAudits)) {
+    const topActions = Array.isArray(result.topNextActions) ? result.topNextActions : [];
+    for (const action of topActions) {
+      recommendations.push({
+        key: action.key,
+        name: action.name,
+        description: action.fix,
+        impact: action.impact,
+        sourcePlatform: platform,
+        applicablePlatforms: [platform],
+        validatedOn: [platform],
+        baseScore: IMPACT_SCORES[action.impact] || 1,
+      });
+    }
+  }
+
+  for (const addition of compensation.recommendedAdditions || []) {
+    recommendations.push({
+      key: `add-${addition.platform}`,
+      name: `Add ${addition.platform}`,
+      description: `Covers ${addition.wouldCover.map((item) => item.label).join(', ')}`,
+      impact: addition.wouldCover.length >= 2 ? 'high' : 'medium',
+      sourcePlatform: addition.platform,
+      applicablePlatforms: [addition.platform],
+      validatedOn: [],
+      fillsGap: true,
+      baseScore: Math.max(2, Math.min(5, Math.round(addition.estimatedBenefit / Math.max(1, addition.wouldCover.length)))),
+    });
+  }
+
+  return recommendations;
+}
+
+async function synergyReport(dir) {
+  const resolvedDir = resolveDir(dir);
+  const activePlatforms = detectPlatforms(resolvedDir);
+  const platformAudits = {};
+  const errors = [];
+
+  for (const platform of activePlatforms) {
+    try {
+      platformAudits[platform] = await audit({
+        dir: resolvedDir,
+        platform,
+        silent: true,
+      });
+    } catch (error) {
+      errors.push({ platform, message: error.message });
+    }
+  }
+
+  const compound = compoundAudit(platformAudits);
+  const amplification = calculateAmplification(platformAudits);
+  const compensation = analyzeCompensation(activePlatforms, platformAudits);
+  const patterns = discoverPatterns(buildPatternHistory(resolvedDir, platformAudits)).patterns;
+  const recommendations = rankRecommendations(
+    buildRecommendationPool(platformAudits, compensation),
+    activePlatforms
+  );
+  const report = generateSynergyReport({
+    platformAudits,
+    activePlatforms,
+    recommendations,
+  });
+
+  return {
+    dir: resolvedDir,
+    activePlatforms,
+    platformAudits,
+    compound,
+    amplification,
+    compensation,
+    patterns,
+    recommendations,
+    errors,
+    report,
+  };
+}
+
+module.exports = {
+  audit,
+  harmonyAudit,
+  detectPlatforms,
+  getCatalog,
+  routeTask,
+  synergyReport,
+};

package/src/recommendation-rules.js

@@ -1,84 +1,84 @@
-/**
- * Recommendation Rules Export
- *
- * Reads all TECHNIQUES, groups by category, and generates
- * a structured JSON-serializable recommendation rules object.
- */
-
-const { TECHNIQUES } = require('./techniques');
-const { version } = require('../package.json');
-
-const IMPACT_ORDER = { critical: 4, high: 3, medium: 2, low: 1 };
-
-function impactLabel(avg) {
-  if (avg >= 3.5) return 'critical';
-  if (avg >= 2.5) return 'high';
-  if (avg >= 1.5) return 'medium';
-  return 'low';
-}
-
-function generateRecommendationRules(options) {
-  const opts = options || {};
-  const entries = Object.entries(TECHNIQUES);
-
-  // Group by category
-  const grouped = {};
-  for (const [key, t] of entries) {
-    const cat = t.category;
-    if (!grouped[cat]) grouped[cat] = [];
-    grouped[cat].push({ key, ...t });
-  }
-
-  // Build categories summary
-  const categories = {};
-  for (const [cat, checks] of Object.entries(grouped)) {
-    const weights = checks.map(c => IMPACT_ORDER[c.impact] || 0);
-    const avgWeight = weights.reduce((a, b) => a + b, 0) / weights.length;
-
-    // Top 5 by impact weight (descending), then by rating (descending)
-    const sorted = [...checks].sort((a, b) => {
-      const impactDiff = (IMPACT_ORDER[b.impact] || 0) - (IMPACT_ORDER[a.impact] || 0);
-      if (impactDiff !== 0) return impactDiff;
-      return (b.rating || 0) - (a.rating || 0);
-    });
-
-    const topChecks = sorted.slice(0, 5).map(c => ({
-      key: c.key,
-      name: c.name,
-      impact: c.impact,
-      fix: c.fix,
-    }));
-
-    categories[cat] = {
-      checkCount: checks.length,
-      averageImpact: impactLabel(avgWeight),
-      topChecks,
-    };
-  }
-
-  const byRepoType = {
-    frontend: ['security', 'design', 'performance-budget', 'accessibility'],
-    backend: ['security', 'api-versioning', 'caching', 'rate-limiting', 'observability'],
-    fullstack: ['security', 'quality', 'automation', 'observability'],
-    mobile: ['flutter', 'swift', 'kotlin', 'security'],
-    infrastructure: ['devops', 'supply-chain', 'monitoring'],
-    library: ['docs-quality', 'quality', 'git'],
-  };
-
-  const byMaturity = {
-    'new-project': { focus: ['hygiene', 'security', 'quality'], skipCategories: ['quality-deep', 'enterprise'] },
-    growing: { focus: ['automation', 'workflow', 'observability'], skipCategories: [] },
-    mature: { focus: ['quality-deep', 'performance-budget', 'governance'], skipCategories: [] },
-  };
-
-  return {
-    generatedAt: new Date().toISOString(),
-    version,
-    totalRules: entries.length,
-    categories,
-    byRepoType,
-    byMaturity,
-  };
-}
-
-module.exports = { generateRecommendationRules };
+/**
+ * Recommendation Rules Export
+ *
+ * Reads all TECHNIQUES, groups by category, and generates
+ * a structured JSON-serializable recommendation rules object.
+ */
+
+const { TECHNIQUES } = require('./techniques');
+const { version } = require('../package.json');
+
+const IMPACT_ORDER = { critical: 4, high: 3, medium: 2, low: 1 };
+
+function impactLabel(avg) {
+  if (avg >= 3.5) return 'critical';
+  if (avg >= 2.5) return 'high';
+  if (avg >= 1.5) return 'medium';
+  return 'low';
+}
+
+function generateRecommendationRules(options) {
+  const opts = options || {};
+  const entries = Object.entries(TECHNIQUES);
+
+  // Group by category
+  const grouped = {};
+  for (const [key, t] of entries) {
+    const cat = t.category;
+    if (!grouped[cat]) grouped[cat] = [];
+    grouped[cat].push({ key, ...t });
+  }
+
+  // Build categories summary
+  const categories = {};
+  for (const [cat, checks] of Object.entries(grouped)) {
+    const weights = checks.map(c => IMPACT_ORDER[c.impact] || 0);
+    const avgWeight = weights.reduce((a, b) => a + b, 0) / weights.length;
+
+    // Top 5 by impact weight (descending), then by rating (descending)
+    const sorted = [...checks].sort((a, b) => {
+      const impactDiff = (IMPACT_ORDER[b.impact] || 0) - (IMPACT_ORDER[a.impact] || 0);
+      if (impactDiff !== 0) return impactDiff;
+      return (b.rating || 0) - (a.rating || 0);
+    });
+
+    const topChecks = sorted.slice(0, 5).map(c => ({
+      key: c.key,
+      name: c.name,
+      impact: c.impact,
+      fix: c.fix,
+    }));
+
+    categories[cat] = {
+      checkCount: checks.length,
+      averageImpact: impactLabel(avgWeight),
+      topChecks,
+    };
+  }
+
+  const byRepoType = {
+    frontend: ['security', 'design', 'performance-budget', 'accessibility'],
+    backend: ['security', 'api-versioning', 'caching', 'rate-limiting', 'observability'],
+    fullstack: ['security', 'quality', 'automation', 'observability'],
+    mobile: ['flutter', 'swift', 'kotlin', 'security'],
+    infrastructure: ['devops', 'supply-chain', 'monitoring'],
+    library: ['docs-quality', 'quality', 'git'],
+  };
+
+  const byMaturity = {
+    'new-project': { focus: ['hygiene', 'security', 'quality'], skipCategories: ['quality-deep', 'enterprise'] },
+    growing: { focus: ['automation', 'workflow', 'observability'], skipCategories: [] },
+    mature: { focus: ['quality-deep', 'performance-budget', 'governance'], skipCategories: [] },
+  };
+
+  return {
+    generatedAt: new Date().toISOString(),
+    version,
+    totalRules: entries.length,
+    categories,
+    byRepoType,
+    byMaturity,
+  };
+}
+
+module.exports = { generateRecommendationRules };