@nerviq/cli 1.27.1 → 1.29.1

package/src/shallow-risk/patterns/hook-script-missing.js

@@ -1,70 +1,70 @@
-'use strict';
-
-const {
-  SHALLOW_RISK_DOC_URL,
-  escapeRegExp,
-  getHookCommandPath,
-  resolveRepoPath,
-} = require('../shared');
-
-const HOOK_EVENTS = new Set([
-  'PreToolUse',
-  'PostToolUse',
-  'Stop',
-  'UserPromptSubmit',
-  'SessionStart',
-]);
-
-function collectHookCommands(node, output = []) {
-  if (Array.isArray(node)) {
-    for (const item of node) collectHookCommands(item, output);
-    return output;
-  }
-
-  if (!node || typeof node !== 'object') {
-    return output;
-  }
-
-  if (node.type === 'command' && typeof node.command === 'string') {
-    output.push(node.command);
-  }
-
-  for (const value of Object.values(node)) {
-    collectHookCommands(value, output);
-  }
-
-  return output;
-}
-
-module.exports = {
-  key: 'hook-script-missing',
-  name: 'Configured hook script is missing',
-  severity: 'high',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const file = '.claude/settings.json';
-    const config = ctx.jsonFile(file);
-    if (!config || !config.hooks || typeof config.hooks !== 'object') {
-      return [];
-    }
-
-    const findings = [];
-    for (const [eventName, entries] of Object.entries(config.hooks)) {
-      if (!HOOK_EVENTS.has(eventName)) continue;
-      for (const command of collectHookCommands(entries)) {
-        const scriptPath = getHookCommandPath(command);
-        if (!scriptPath) continue;
-        const resolvedPath = resolveRepoPath(ctx, file, scriptPath, 'repo-root');
-        if (!resolvedPath || ctx.fileContent(resolvedPath) !== null) continue;
-        findings.push({
-          file,
-          line: ctx.lineNumber(file, new RegExp(escapeRegExp(command))) || ctx.lineNumber(file, new RegExp(`"${escapeRegExp(eventName)}"`)) || 1,
-          fix: `${file} declares a ${eventName} hook at \`${resolvedPath}\`, but the script is missing. Create the hook file or remove the dead hook reference.`,
-        });
-      }
-    }
-
-    return findings;
-  },
-};
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  escapeRegExp,
+  getHookCommandPath,
+  resolveRepoPath,
+} = require('../shared');
+
+const HOOK_EVENTS = new Set([
+  'PreToolUse',
+  'PostToolUse',
+  'Stop',
+  'UserPromptSubmit',
+  'SessionStart',
+]);
+
+function collectHookCommands(node, output = []) {
+  if (Array.isArray(node)) {
+    for (const item of node) collectHookCommands(item, output);
+    return output;
+  }
+
+  if (!node || typeof node !== 'object') {
+    return output;
+  }
+
+  if (node.type === 'command' && typeof node.command === 'string') {
+    output.push(node.command);
+  }
+
+  for (const value of Object.values(node)) {
+    collectHookCommands(value, output);
+  }
+
+  return output;
+}
+
+module.exports = {
+  key: 'hook-script-missing',
+  name: 'Configured hook script is missing',
+  severity: 'high',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const file = '.claude/settings.json';
+    const config = ctx.jsonFile(file);
+    if (!config || !config.hooks || typeof config.hooks !== 'object') {
+      return [];
+    }
+
+    const findings = [];
+    for (const [eventName, entries] of Object.entries(config.hooks)) {
+      if (!HOOK_EVENTS.has(eventName)) continue;
+      for (const command of collectHookCommands(entries)) {
+        const scriptPath = getHookCommandPath(command);
+        if (!scriptPath) continue;
+        const resolvedPath = resolveRepoPath(ctx, file, scriptPath, 'repo-root');
+        if (!resolvedPath || ctx.fileContent(resolvedPath) !== null) continue;
+        findings.push({
+          file,
+          line: ctx.lineNumber(file, new RegExp(escapeRegExp(command))) || ctx.lineNumber(file, new RegExp(`"${escapeRegExp(eventName)}"`)) || 1,
+          fix: `${file} declares a ${eventName} hook at \`${resolvedPath}\`, but the script is missing. Create the hook file or remove the dead hook reference.`,
+        });
+      }
+    }
+
+    return findings;
+  },
+};

package/src/shallow-risk/patterns/mcp-server-no-allowlist.js

@@ -1,52 +1,52 @@
-'use strict';
-
-const {
-  SHALLOW_RISK_DOC_URL,
-  escapeRegExp,
-  isClearlyLocalMcpBinary,
-} = require('../shared');
-
-function hasBroadOpenPermissions(server) {
-  if (!server || typeof server !== 'object') return false;
-  if (Array.isArray(server.permissions) && server.permissions.length === 0) return true;
-  if (server.allow === '*') return true;
-  if (Array.isArray(server.allow) && server.allow.includes('*')) return true;
-  if (server.permissions && typeof server.permissions === 'object') {
-    if (server.permissions.allow === '*') return true;
-    if (Array.isArray(server.permissions.allow) && server.permissions.allow.includes('*')) return true;
-  }
-  return false;
-}
-
-module.exports = {
-  key: 'mcp-server-no-allowlist',
-  name: 'MCP server has no allowlist',
-  severity: 'critical',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const findings = [];
-    const candidates = ['.claude/settings.json', '.mcp.json'];
-
-    for (const file of candidates) {
-      const config = ctx.jsonFile(file);
-      const servers = config && config.mcpServers && typeof config.mcpServers === 'object'
-        ? config.mcpServers
-        : null;
-      if (!servers) continue;
-
-      for (const [serverName, server] of Object.entries(servers)) {
-        if (!hasBroadOpenPermissions(server)) continue;
-        const command = typeof server.command === 'string' ? server.command : '';
-        findings.push({
-          severity: isClearlyLocalMcpBinary(command) ? 'high' : 'critical',
-          file,
-          line: ctx.lineNumber(file, new RegExp(`"${escapeRegExp(serverName)}"`)) || 1,
-          fix: `MCP server "${serverName}" in ${file} has broad access without an allowlist. Add a narrow allow/permissions list before relying on it in CI or production repos.`,
-        });
-      }
-    }
-
-    return findings;
-  },
-};
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  escapeRegExp,
+  isClearlyLocalMcpBinary,
+} = require('../shared');
+
+function hasBroadOpenPermissions(server) {
+  if (!server || typeof server !== 'object') return false;
+  if (Array.isArray(server.permissions) && server.permissions.length === 0) return true;
+  if (server.allow === '*') return true;
+  if (Array.isArray(server.allow) && server.allow.includes('*')) return true;
+  if (server.permissions && typeof server.permissions === 'object') {
+    if (server.permissions.allow === '*') return true;
+    if (Array.isArray(server.permissions.allow) && server.permissions.allow.includes('*')) return true;
+  }
+  return false;
+}
+
+module.exports = {
+  key: 'mcp-server-no-allowlist',
+  name: 'MCP server has no allowlist',
+  severity: 'critical',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const findings = [];
+    const candidates = ['.claude/settings.json', '.mcp.json'];
+
+    for (const file of candidates) {
+      const config = ctx.jsonFile(file);
+      const servers = config && config.mcpServers && typeof config.mcpServers === 'object'
+        ? config.mcpServers
+        : null;
+      if (!servers) continue;
+
+      for (const [serverName, server] of Object.entries(servers)) {
+        if (!hasBroadOpenPermissions(server)) continue;
+        const command = typeof server.command === 'string' ? server.command : '';
+        findings.push({
+          severity: isClearlyLocalMcpBinary(command) ? 'high' : 'critical',
+          file,
+          line: ctx.lineNumber(file, new RegExp(`"${escapeRegExp(serverName)}"`)) || 1,
+          fix: `MCP server "${serverName}" in ${file} has broad access without an allowlist. Add a narrow allow/permissions list before relying on it in CI or production repos.`,
+        });
+      }
+    }
+
+    return findings;
+  },
+};