@nerviq/cli 1.26.0 → 1.27.1

package/src/opencode/techniques.js

@@ -163,15 +163,69 @@ function hasCommandMention(content, category) {
   return false;
 }
 
-function docsBundle(ctx) {
-  return `${agentsContent(ctx)}\n${ctx.fileContent('README.md') || ''}`;
-}
-
-function repoLooksRegulated(ctx) {
-  const filenames = ctx.files.join('\n');
-  const packageJson = ctx.fileContent('package.json') || '';
-  const readme = ctx.fileContent('README.md') || '';
-  const combined = `${filenames}\n${packageJson}\n${readme}`;
+function docsBundle(ctx) {
+  return `${agentsContent(ctx)}\n${ctx.fileContent('README.md') || ''}`;
+}
+
+function hasExplicitModelSetting(value) {
+  if (!value || typeof value !== 'object') return false;
+  if (Array.isArray(value)) return value.some((item) => hasExplicitModelSetting(item));
+  if (typeof value.model === 'string' && value.model.trim()) return true;
+  return Object.values(value).some((item) => hasExplicitModelSetting(item));
+}
+
+function configuredPluginRefs(ctx) {
+  const config = ctx.configJson();
+  if (!config.ok || !config.data) return [];
+  const refs = config.data.plugin || config.data.plugins || [];
+  return Array.isArray(refs) ? refs.filter(Boolean) : [];
+}
+
+function extractSkillDescription(content) {
+  if (!content) return null;
+  const frontmatter = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!frontmatter) return null;
+
+  const lines = frontmatter[1].split(/\r?\n/);
+  for (let index = 0; index < lines.length; index++) {
+    const line = lines[index];
+    const match = line.match(/^description:\s*(.*)$/);
+    if (!match) continue;
+
+    const rawValue = match[1].trim();
+    if (rawValue === '|' || rawValue === '>') {
+      const block = [];
+      for (let next = index + 1; next < lines.length; next++) {
+        const candidate = lines[next];
+        if (candidate.trim() && !/^\s/.test(candidate)) break;
+        block.push(candidate.replace(/^\s{2}/, ''));
+      }
+      return block.join('\n').trim();
+    }
+
+    return rawValue.replace(/^['"]|['"]$/g, '').trim();
+  }
+
+  return null;
+}
+
+function preferredSkillRoot(ctx) {
+  const candidates = [
+    '.opencode/skills',
+    '.opencode/skill',
+    '.claude/skills',
+    '.agents/skills',
+    '.opencode/commands',
+  ];
+  const found = candidates.find((candidate) => ctx.hasDir(candidate));
+  return `${(found || '.opencode/skills').replace(/\\/g, '/')}/`;
+}
+
+function repoLooksRegulated(ctx) {
+  const filenames = ctx.files.join('\n');
+  const packageJson = ctx.fileContent('package.json') || '';
+  const readme = ctx.fileContent('README.md') || '';
+  const combined = `${filenames}\n${packageJson}\n${readme}`;
 
   const strongSignals = /\bhipaa\b|\bphi\b|\bpci\b|\bsoc2\b|\biso[- ]?27001\b|\bcompliance\b|\bhealth(?:care)?\b|\bmedical\b|\bbank(?:ing)?\b|\bpayments?\b|\bfintech\b/i;
   if (strongSignals.test(combined)) return true;
@@ -364,35 +418,35 @@ const OPENCODE_TECHNIQUES = {
     line: () => 1,
   },
 
-  opencodeModelExplicit: {
-    id: 'OC-B04',
-    name: 'model is set explicitly (not relying on silent default)',
-    check: (ctx) => {
-      const config = ctx.configJson();
-      if (!config.ok || !config.data) return null;
-      return Boolean(config.data.model);
-    },
-    impact: 'medium',
-    rating: 3,
-    category: 'config',
-    fix: 'Set "model" explicitly in opencode.json to avoid relying on silent provider defaults.',
+  opencodeModelExplicit: {
+    id: 'OC-B04',
+    name: 'model is set explicitly (not relying on silent default)',
+    check: (ctx) => {
+      const config = ctx.configJson();
+      if (!config.ok || !config.data) return null;
+      return hasExplicitModelSetting(config.data) ? true : null;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'config',
+    fix: 'Set "model" explicitly in opencode.json to avoid relying on silent provider defaults.',
     template: 'opencode-config',
     file: (ctx) => configFileName(ctx),
     line: () => null,
   },
 
-  opencodeSmallModelSet: {
-    id: 'OC-B05',
-    name: 'small_model is set for task delegation',
-    check: (ctx) => {
-      const config = ctx.configJson();
-      if (!config.ok || !config.data) return null;
-      return Boolean(config.data.small_model);
-    },
-    impact: 'medium',
-    rating: 3,
-    category: 'config',
-    fix: 'Set "small_model" in opencode.json for efficient task delegation and cost control.',
+  opencodeSmallModelSet: {
+    id: 'OC-B05',
+    name: 'small_model is set for task delegation',
+    check: (ctx) => {
+      const config = ctx.configJson();
+      if (!config.ok || !config.data) return null;
+      return config.data.small_model ? true : null;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'config',
+    fix: 'Set "small_model" in opencode.json for efficient task delegation and cost control.',
     template: 'opencode-config',
     file: (ctx) => configFileName(ctx),
     line: () => null,
@@ -1104,22 +1158,22 @@ const OPENCODE_TECHNIQUES = {
   // I. Skills (5 checks)
   // ==============================
 
-  opencodeSkillDirsExist: {
-    id: 'OC-I01',
-    name: 'Skill directories exist (.opencode/commands/ subdirs with SKILL.md)',
-    check: (ctx) => {
-      const skillDirs = ctx.skillDirs();
-      if (skillDirs.length === 0) return null;
-      return skillDirs.length > 0;
-    },
-    impact: 'medium',
-    rating: 3,
-    category: 'skills',
-    fix: 'Create skill directories under .opencode/commands/ with SKILL.md files.',
-    template: 'opencode-skills',
-    file: () => '.opencode/commands/',
-    line: () => null,
-  },
+  opencodeSkillDirsExist: {
+    id: 'OC-I01',
+    name: 'Skill directories exist in supported OpenCode paths',
+    check: (ctx) => {
+      const skillDirs = ctx.skillDirs();
+      if (skillDirs.length === 0) return null;
+      return skillDirs.length > 0;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'skills',
+    fix: 'Create skill directories under `.opencode/skills/` with `SKILL.md` files. `.claude/skills/` and `.agents/skills/` remain compatible, and older `.opencode/commands/<name>/SKILL.md` layouts are still tolerated for backwards compatibility.',
+    template: 'opencode-skills',
+    file: (ctx) => preferredSkillRoot(ctx),
+    line: () => null,
+  },
 
   opencodeSkillFrontmatter: {
     id: 'OC-I02',
@@ -1133,15 +1187,15 @@ const OPENCODE_TECHNIQUES = {
         if (!/^#\s+/m.test(content)) return false;
       }
       return true;
-    },
-    impact: 'high',
-    rating: 4,
-    category: 'skills',
-    fix: 'Each SKILL.md needs a title (# heading) and description for skill invocation.',
-    template: 'opencode-skills',
-    file: () => '.opencode/commands/',
-    line: () => null,
-  },
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'skills',
+    fix: 'Each SKILL.md needs a title (# heading) and description for skill invocation.',
+    template: 'opencode-skills',
+    file: (ctx) => preferredSkillRoot(ctx),
+    line: () => null,
+  },
 
   opencodeSkillKebabCase: {
     id: 'OC-I03',
@@ -1151,54 +1205,56 @@ const OPENCODE_TECHNIQUES = {
       if (skillDirs.length === 0) return null;
       return skillDirs.every(name => /^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(name));
     },
-    impact: 'medium',
-    rating: 2,
-    category: 'skills',
-    fix: 'Prefer kebab-case for skill names, but treat it as a style recommendation rather than a hard runtime requirement. Current runtime still discovered underscore-based names.',
-    template: 'opencode-skills',
-    file: () => '.opencode/commands/',
-    line: () => null,
-  },
-
-  opencodeSkillDescriptionBounded: {
-    id: 'OC-I04',
-    name: 'Skill descriptions are bounded for implicit invocation context cost',
-    check: (ctx) => {
-      const skillDirs = ctx.skillDirs();
-      if (skillDirs.length === 0) return null;
-      for (const name of skillDirs) {
-        const content = ctx.skillMetadata(name);
-        if (!content) continue;
-        if (content.length > 3000) return false;
-      }
-      return true;
-    },
-    impact: 'medium',
-    rating: 3,
-    category: 'skills',
-    fix: 'Keep SKILL.md descriptions under 3000 characters to manage implicit invocation context cost.',
-    template: 'opencode-skills',
-    file: () => '.opencode/commands/',
-    line: () => null,
-  },
-
-  opencodeSkillCompatPaths: {
-    id: 'OC-I05',
-    name: 'OpenCode skill discovery accepts either .opencode/commands or .claude/skills',
-    check: (ctx) => {
-      const hasClaudeSkills = ctx.hasDir('.claude/skills');
-      const hasOpencodeCommands = ctx.hasDir('.opencode/commands');
-      if (!hasClaudeSkills && !hasOpencodeCommands) return null;
-      return hasClaudeSkills || hasOpencodeCommands;
-    },
-    impact: 'medium',
-    rating: 3,
-    category: 'skills',
-    fix: 'Use `.opencode/commands/` for native OpenCode skills when you need them, but do not require a duplicate tree just to mirror `.claude/skills/`. Current runtime discovered `.claude/skills/` compatibility successfully.',
-    template: 'opencode-skills',
-    file: () => '.opencode/commands/',
-    line: () => null,
-  },
+    impact: 'medium',
+    rating: 2,
+    category: 'skills',
+    fix: 'Prefer kebab-case for skill names, but treat it as a style recommendation rather than a hard runtime requirement. Current runtime still discovered underscore-based names.',
+    template: 'opencode-skills',
+    file: (ctx) => preferredSkillRoot(ctx),
+    line: () => null,
+  },
+
+  opencodeSkillDescriptionBounded: {
+    id: 'OC-I04',
+    name: 'Skill descriptions are bounded for implicit invocation context cost',
+    check: (ctx) => {
+      const skillDirs = ctx.skillDirs();
+      if (skillDirs.length === 0) return null;
+      for (const name of skillDirs) {
+        const content = ctx.skillMetadata(name);
+        if (!content) continue;
+        const description = extractSkillDescription(content);
+        if (description && description.length > 3000) return false;
+      }
+      return true;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'skills',
+    fix: 'Keep SKILL.md descriptions under 3000 characters to manage implicit invocation context cost.',
+    template: 'opencode-skills',
+    file: (ctx) => preferredSkillRoot(ctx),
+    line: () => null,
+  },
+
+  opencodeSkillCompatPaths: {
+    id: 'OC-I05',
+    name: 'OpenCode skill discovery accepts native and compatible skill trees',
+    check: (ctx) => {
+      const hasNativeSkillTree = ctx.hasDir('.opencode/skills') || ctx.hasDir('.opencode/skill');
+      const hasCompatibleSkillTree = ctx.hasDir('.claude/skills') || ctx.hasDir('.agents/skills');
+      const hasLegacyCommandsSkills = ctx.hasDir('.opencode/commands') && ctx.skillDirs().length > 0;
+      if (!hasNativeSkillTree && !hasCompatibleSkillTree && !hasLegacyCommandsSkills) return null;
+      return hasNativeSkillTree || hasCompatibleSkillTree || hasLegacyCommandsSkills;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'skills',
+    fix: 'Use `.opencode/skills/` for native OpenCode skills. `.claude/skills/` and `.agents/skills/` remain compatible, and older `.opencode/commands/<name>/SKILL.md` layouts are kept as legacy compatibility only.',
+    template: 'opencode-skills',
+    file: (ctx) => preferredSkillRoot(ctx),
+    line: () => null,
+  },
 
   // ==============================
   // J. Agents & Subagents (4 checks)
@@ -1498,42 +1554,42 @@ const OPENCODE_TECHNIQUES = {
     line: () => null,
   },
 
-  opencodeConfigKeysFresh: {
-    id: 'OC-N02',
-    name: 'Config references current OpenCode features (no removed or renamed keys)',
-    check: (ctx) => {
-      const docs = docsBundle(ctx);
-      const config = ctx.configContent();
-      if (!docs.trim() && !config) return null;
-      const combined = `${docs}\n${config || ''}`;
-      return !/\bconfig\.json\b|\.well-known\/opencode|mode\s*->\s*agent|CLAUDE\.md fallback/i.test(combined);
-    },
-    impact: 'medium',
-    rating: 3,
-    category: 'release-freshness',
-    fix: 'Update stale OpenCode references. Use `opencode.json`/`opencode.jsonc`, keep `mode` guidance version-scoped, and treat `.well-known/opencode` plus `CLAUDE.md` fallback claims as unvalidated until you have fresh runtime proof.',
-    template: 'opencode-config',
-    file: (ctx) => configFileName(ctx),
-    line: () => null,
-  },
-
-  opencodePropagationCompleteness: {
-    id: 'OC-N03',
-    name: 'No dangling surface references (plugins, skills, MCP mentioned but not defined)',
-    check: (ctx) => {
-      const agents = agentsContent(ctx);
-      if (!agents) return null;
-      const issues = [];
-      if (/\bplugins?\b/i.test(agents) && ctx.pluginFiles().length === 0) {
-        issues.push('plugins referenced but .opencode/plugins/ empty');
-      }
-      if (/\bskills?\b/i.test(agents) && !ctx.hasDir('.opencode/commands')) {
-        issues.push('skills referenced but .opencode/commands/ missing');
-      }
-      const config = ctx.configJson();
-      if (config.ok && config.data && /\bmcp\b/i.test(agents)) {
-        const mcp = config.data.mcp || {};
-        if (Object.keys(mcp).length === 0) {
+  opencodeConfigKeysFresh: {
+    id: 'OC-N02',
+    name: 'Config references current OpenCode features (no removed or renamed keys)',
+    check: (ctx) => {
+      const docs = docsBundle(ctx);
+      const config = ctx.configContent();
+      if (!docs.trim() && !config) return null;
+      const combined = `${docs}\n${config || ''}`;
+      return !/(?:^|[\s`"'(])~\/\.opencode\.json\b|(?:^|[\s`"'(])\.opencode\/config\.json\b|mode\s*->\s*agent|CLAUDE\.md fallback/i.test(combined);
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'release-freshness',
+    fix: 'Update stale OpenCode references. Use `opencode.json`/`opencode.jsonc` plus the current `.opencode/{agents,commands,plugins,skills}/` directory layout. Treat legacy `~/.opencode.json`, `.opencode/config.json`, and `CLAUDE.md` fallback claims as stale unless you have fresh runtime proof.',
+    template: 'opencode-config',
+    file: (ctx) => configFileName(ctx),
+    line: () => null,
+  },
+
+  opencodePropagationCompleteness: {
+    id: 'OC-N03',
+    name: 'No dangling surface references (plugins, skills, MCP mentioned but not defined)',
+    check: (ctx) => {
+      const agents = agentsContent(ctx);
+      if (!agents) return null;
+      const issues = [];
+      if (/\bplugins?\b/i.test(agents) && ctx.pluginFiles().length === 0 && configuredPluginRefs(ctx).length === 0) {
+        issues.push('plugins referenced but .opencode/plugins/ empty');
+      }
+      if (/\bskills?\b/i.test(agents) && ctx.skillDirs().length === 0) {
+        issues.push('skills referenced but no supported skill tree found (.opencode/skills, .claude/skills, .agents/skills, or legacy .opencode/commands/<name>/SKILL.md)');
+      }
+      const config = ctx.configJson();
+      if (config.ok && config.data && /\bmcp\b/i.test(agents)) {
+        const mcp = config.data.mcp || {};
+        if (Object.keys(mcp).length === 0) {
           issues.push('MCP referenced in AGENTS.md but no MCP servers in config');
         }
       }

package/src/output-icons.js

@@ -0,0 +1,44 @@
+const ASCII_ENV = 'NERVIQ_ASCII_OUTPUT';
+
+const ASCII_TRUE = new Set(['1', 'true', 'yes', 'on']);
+const ASCII_FALSE = new Set(['0', 'false', 'no', 'off']);
+
+const ICONS = {
+  ok: { emoji: '✅', ascii: '[OK]' },
+  fail: { emoji: '❌', ascii: '[FAIL]' },
+  warn: { emoji: '⚠', ascii: '[WARN]' },
+  skip: { emoji: '⏭️', ascii: '[SKIP]' },
+  delete: { emoji: '🗑️', ascii: '[DEL]' },
+};
+
+function parseAsciiOverride(env = process.env) {
+  const raw = env && env[ASCII_ENV];
+  if (typeof raw !== 'string') return null;
+  const normalized = raw.trim().toLowerCase();
+  if (ASCII_TRUE.has(normalized)) return true;
+  if (ASCII_FALSE.has(normalized)) return false;
+  return null;
+}
+
+function shouldUseAsciiOutput(options = {}) {
+  const env = options.env || process.env;
+  const platform = options.platform || process.platform;
+  const stream = options.stream || process.stdout;
+  const override = parseAsciiOverride(env);
+  if (override !== null) return override;
+  if (!stream || stream.isTTY === false) return true;
+  return platform === 'win32';
+}
+
+function icon(name, options = {}) {
+  const token = ICONS[name];
+  if (!token) {
+    throw new Error(`Unknown icon token: ${name}`);
+  }
+  return shouldUseAsciiOutput(options) ? token.ascii : token.emoji;
+}
+
+module.exports = {
+  icon,
+  shouldUseAsciiOutput,
+};

package/src/setup/runtime.js

@@ -1,6 +1,7 @@
 const fs = require('fs');
 const path = require('path');
 const { buildSettingsForProfile } = require('../governance');
+const { icon } = require('../output-icons');
 
 function snapshotSettingsBeforeSetup(dir) {
   const settingsPath = path.join(dir, '.claude/settings.json');
@@ -53,11 +54,11 @@ function applyTemplateResults({ dir, failedWithTemplates, stacks, ctx, templates
       if (!fs.existsSync(fullPath)) {
         fs.writeFileSync(fullPath, result, 'utf8');
         writtenFiles.push(filePath);
-        log(`  \x1b[32mגœ…\x1b[0m Created ${filePath}`);
+        log(`  \x1b[32m${icon('ok')}\x1b[0m Created ${filePath}`);
         created++;
       } else {
         preservedFiles.push(filePath);
-        log(`  \x1b[2mג­ן¸  Skipped ${filePath} (already exists ג€” your version is kept)\x1b[0m`);
+        log(`  \x1b[2m${icon('skip')} Skipped ${filePath} (already exists - your version is kept)\x1b[0m`);
         skipped++;
       }
     } else if (typeof result === 'object') {
@@ -84,7 +85,7 @@ function applyTemplateResults({ dir, failedWithTemplates, stacks, ctx, templates
         if (!fs.existsSync(filePath)) {
           fs.writeFileSync(filePath, content, 'utf8');
           writtenFiles.push(path.relative(dir, filePath));
-          log(`  \x1b[32mגœ…\x1b[0m Created ${path.relative(dir, filePath)}`);
+          log(`  \x1b[32m${icon('ok')}\x1b[0m Created ${path.relative(dir, filePath)}`);
           created++;
         } else {
           preservedFiles.push(path.relative(dir, filePath));
@@ -151,10 +152,10 @@ function mergeGeneratedHookSettings({ dir, profile, mcpPacks, writtenFiles, pres
   fs.writeFileSync(settingsPath, JSON.stringify(existingSettings, null, 2), 'utf8');
   if (!writtenFiles.includes('.claude/settings.json') && !preservedFiles.includes('.claude/settings.json')) {
     writtenFiles.push('.claude/settings.json');
-    log(`  \x1b[32mגœ…\x1b[0m Updated .claude/settings.json (hooks registered)`);
+    log(`  \x1b[32m${icon('ok')}\x1b[0m Updated .claude/settings.json (hooks registered)`);
     created++;
   } else {
-    log(`  \x1b[32mגœ…\x1b[0m Merged hooks into existing .claude/settings.json`);
+    log(`  \x1b[32m${icon('ok')}\x1b[0m Merged hooks into existing .claude/settings.json`);
   }
 
   return {

package/src/setup.js

@@ -9,8 +9,9 @@ const { TECHNIQUES, STACKS } = require('./techniques');
 const { ProjectContext } = require('./context');
 const { getMcpPackPreflight } = require('./mcp-packs');
 const { writeRollbackArtifact } = require('./activity');
-const { setupCodex } = require('./codex/setup');
-const { detectDependencies, detectMainDirs, detectProjectMetadata, detectScripts, generateMermaid, getFrameworkInstructions } = require('./setup/analysis');
+const { setupCodex } = require('./codex/setup');
+const { icon } = require('./output-icons');
+const { detectDependencies, detectMainDirs, detectProjectMetadata, detectScripts, generateMermaid, getFrameworkInstructions } = require('./setup/analysis');
 const { applyTemplateResults, collectFailedSetupTemplates, mergeGeneratedHookSettings, snapshotSettingsBeforeSetup } = require('./setup/runtime');
 
 // ============================================================
@@ -617,7 +618,7 @@ async function setup(options) {
   preservedFiles = settingsMerge.preservedFiles;
   log('');
   if (created === 0 && skipped > 0) {
-    log('  \x1b[32m✅\x1b[0m Your project is already well configured!');
+    log(`  \x1b[32m${icon('ok')}\x1b[0m Your project is already well configured!`);
     log(`  \x1b[2m  ${skipped} files already exist and were preserved.\x1b[0m`);
     log('  \x1b[2m  We never overwrite your existing config — your setup is kept.\x1b[0m');
   } else if (created > 0) {

package/src/shallow-risk/index.js

@@ -0,0 +1,56 @@
+'use strict';
+
+const { buildFinding, SHALLOW_RISK_BANNER, SHALLOW_RISK_BANNER_LINES } = require('./shared');
+
+const patterns = [
+  require('./patterns/agent-config-missing-file'),
+  require('./patterns/agent-config-stack-contradiction'),
+  require('./patterns/agent-config-cross-platform-drift'),
+  require('./patterns/mcp-server-no-allowlist'),
+  require('./patterns/hook-script-missing'),
+  require('./patterns/agent-config-secret-literal'),
+  require('./patterns/agent-config-deprecated-keys'),
+  require('./patterns/agent-config-dangerous-autoapprove'),
+];
+
+function runShallowRisk(ctx) {
+  if (!ctx || process.env.NERVIQ_SHALLOW_RISK === 'off') {
+    return [];
+  }
+
+  const findings = [];
+  const seen = new Set();
+
+  for (const pattern of patterns) {
+    let emitted = [];
+    try {
+      const next = pattern.run(ctx);
+      emitted = Array.isArray(next) ? next : [];
+    } catch {
+      emitted = [];
+    }
+
+    for (const finding of emitted) {
+      const normalized = buildFinding(pattern, ctx, finding || {});
+      const dedupeKey = [
+        normalized.key,
+        normalized.file || '',
+        normalized.line || '',
+        normalized.fix || '',
+      ].join('|');
+
+      if (seen.has(dedupeKey)) continue;
+      seen.add(dedupeKey);
+      findings.push(normalized);
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  patterns,
+  runShallowRisk,
+  SHALLOW_RISK_BANNER,
+  SHALLOW_RISK_BANNER_LINES,
+};

package/src/shallow-risk/patterns/agent-config-cross-platform-drift.js

@@ -0,0 +1,50 @@
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  collectStackClaims,
+} = require('../shared');
+
+module.exports = {
+  key: 'agent-config-cross-platform-drift',
+  name: 'Cross-platform stack drift detected',
+  severity: 'high',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const claims = collectStackClaims(ctx).filter((claim) => claim.platform !== 'agent');
+    if (claims.length < 2) return [];
+
+    const byPlatform = new Map();
+    for (const claim of claims) {
+      const bucket = byPlatform.get(claim.platform) || [];
+      bucket.push(claim);
+      byPlatform.set(claim.platform, bucket);
+    }
+
+    const representatives = [];
+    for (const bucket of byPlatform.values()) {
+      const uniqueKeys = [...new Set(bucket.map((claim) => claim.key))];
+      if (uniqueKeys.length !== 1) continue;
+      representatives.push(bucket[0]);
+    }
+
+    representatives.sort((left, right) => left.file.localeCompare(right.file));
+
+    for (let index = 0; index < representatives.length; index++) {
+      for (let inner = index + 1; inner < representatives.length; inner++) {
+        const first = representatives[index];
+        const second = representatives[inner];
+        if (first.key === second.key) continue;
+
+        return [{
+          file: first.file,
+          line: first.line,
+          fix: `Drift detected: ${first.file} declares "${first.label}" while ${second.file} declares "${second.label}". Align the shared primary-language guidance or document an intentional platform-specific override.`,
+        }];
+      }
+    }
+
+    return [];
+  },
+};

package/src/shallow-risk/patterns/agent-config-dangerous-autoapprove.js

@@ -0,0 +1,46 @@
+'use strict';
+
+const { SHALLOW_RISK_DOC_URL, escapeRegExp } = require('../shared');
+
+const DANGEROUS_ALLOW_PATTERNS = [
+  /\brm\b[\s\S]{0,40}-r/i,
+  /\bgit\s+push\s+--force\b/i,
+  /\bdrop\s+(?:database|table)\b/i,
+  /\btruncate\s+table\b/i,
+  /\bdelete\s+from\b/i,
+];
+
+function isDangerousAllowRule(rule) {
+  if (typeof rule !== 'string') return false;
+  if (/\bdelete\s+from\b/i.test(rule)) {
+    return !/\bwhere\b/i.test(rule) || /\bwhere\s*1\s*=\s*1\b/i.test(rule);
+  }
+  return DANGEROUS_ALLOW_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(rule);
+  });
+}
+
+module.exports = {
+  key: 'agent-config-dangerous-autoapprove',
+  name: 'Agent config auto-approves destructive commands',
+  severity: 'critical',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const file = '.claude/settings.json';
+    const config = ctx.jsonFile(file);
+    const allowRules = config && config.permissions && Array.isArray(config.permissions.allow)
+      ? config.permissions.allow
+      : [];
+    if (allowRules.length === 0) return [];
+
+    return allowRules
+      .filter(isDangerousAllowRule)
+      .map((rule) => ({
+        file,
+        line: ctx.lineNumber(file, new RegExp(escapeRegExp(rule))) || 1,
+        fix: `${file} pre-approves the destructive rule \`${rule}\`. Remove it from the allow-list so destructive commands always require explicit review.`,
+      }));
+  },
+};