@nerviq/cli 1.29.0 → 1.29.1

package/src/setup/analysis.js

@@ -1,5 +1,5 @@
-const path = require('path');
-
+const path = require('path');
+
 // ============================================================
 // Helper: detect project scripts from package.json
 // ============================================================
@@ -607,13 +607,13 @@ function getFrameworkInstructions(stacks) {
   return sections.join('\n\n');
 }
 
-
-module.exports = {
-  detectDependencies,
-  detectMainDirs,
-  detectProjectMetadata,
-  detectScripts,
-  generateMermaid,
-  getFrameworkInstructions,
-};
-
+
+module.exports = {
+  detectDependencies,
+  detectMainDirs,
+  detectProjectMetadata,
+  detectScripts,
+  generateMermaid,
+  getFrameworkInstructions,
+};
+

package/src/setup.js

@@ -577,7 +577,7 @@ async function setup(options) {
   const mcpPreflightWarnings = getMcpPackPreflight(options.mcpPacks || [])
     .filter(item => item.missingEnvVars.length > 0);
 
-  const settingsSnapshotBefore = snapshotSettingsBeforeSetup(options.dir);
+  const settingsSnapshotBefore = snapshotSettingsBeforeSetup(options.dir);
 
 
   function log(message = '') {
@@ -617,12 +617,13 @@ async function setup(options) {
   writtenFiles = settingsMerge.writtenFiles;
   preservedFiles = settingsMerge.preservedFiles;
   log('');
-  if (created === 0 && skipped > 0) {
+  const totalWritten = writtenFiles.length;
+  if (totalWritten === 0 && skipped > 0) {
     log(`  \x1b[32m${icon('ok')}\x1b[0m Your project is already well configured!`);
     log(`  \x1b[2m  ${skipped} files already exist and were preserved.\x1b[0m`);
     log('  \x1b[2m  We never overwrite your existing config — your setup is kept.\x1b[0m');
-  } else if (created > 0) {
-    log(`  \x1b[1m${created} files created:\x1b[0m`);
+  } else if (totalWritten > 0) {
+    log(`  \x1b[1m${totalWritten} files written:\x1b[0m`);
     for (const f of writtenFiles) {
       log(`  \x1b[32m  + ${f}\x1b[0m`);
     }
@@ -679,5 +680,5 @@ async function setup(options) {
 }
 
 module.exports = { setup, TEMPLATES };
-
-
+
+

package/src/shallow-risk/index.js

@@ -1,56 +1,56 @@
-'use strict';
-
-const { buildFinding, SHALLOW_RISK_BANNER, SHALLOW_RISK_BANNER_LINES } = require('./shared');
-
-const patterns = [
-  require('./patterns/agent-config-missing-file'),
-  require('./patterns/agent-config-stack-contradiction'),
-  require('./patterns/agent-config-cross-platform-drift'),
-  require('./patterns/mcp-server-no-allowlist'),
-  require('./patterns/hook-script-missing'),
-  require('./patterns/agent-config-secret-literal'),
-  require('./patterns/agent-config-deprecated-keys'),
-  require('./patterns/agent-config-dangerous-autoapprove'),
-];
-
-function runShallowRisk(ctx) {
-  if (!ctx || process.env.NERVIQ_SHALLOW_RISK === 'off') {
-    return [];
-  }
-
-  const findings = [];
-  const seen = new Set();
-
-  for (const pattern of patterns) {
-    let emitted = [];
-    try {
-      const next = pattern.run(ctx);
-      emitted = Array.isArray(next) ? next : [];
-    } catch {
-      emitted = [];
-    }
-
-    for (const finding of emitted) {
-      const normalized = buildFinding(pattern, ctx, finding || {});
-      const dedupeKey = [
-        normalized.key,
-        normalized.file || '',
-        normalized.line || '',
-        normalized.fix || '',
-      ].join('|');
-
-      if (seen.has(dedupeKey)) continue;
-      seen.add(dedupeKey);
-      findings.push(normalized);
-    }
-  }
-
-  return findings;
-}
-
-module.exports = {
-  patterns,
-  runShallowRisk,
-  SHALLOW_RISK_BANNER,
-  SHALLOW_RISK_BANNER_LINES,
-};
+'use strict';
+
+const { buildFinding, SHALLOW_RISK_BANNER, SHALLOW_RISK_BANNER_LINES } = require('./shared');
+
+const patterns = [
+  require('./patterns/agent-config-missing-file'),
+  require('./patterns/agent-config-stack-contradiction'),
+  require('./patterns/agent-config-cross-platform-drift'),
+  require('./patterns/mcp-server-no-allowlist'),
+  require('./patterns/hook-script-missing'),
+  require('./patterns/agent-config-secret-literal'),
+  require('./patterns/agent-config-deprecated-keys'),
+  require('./patterns/agent-config-dangerous-autoapprove'),
+];
+
+function runShallowRisk(ctx) {
+  if (!ctx || process.env.NERVIQ_SHALLOW_RISK === 'off') {
+    return [];
+  }
+
+  const findings = [];
+  const seen = new Set();
+
+  for (const pattern of patterns) {
+    let emitted = [];
+    try {
+      const next = pattern.run(ctx);
+      emitted = Array.isArray(next) ? next : [];
+    } catch {
+      emitted = [];
+    }
+
+    for (const finding of emitted) {
+      const normalized = buildFinding(pattern, ctx, finding || {});
+      const dedupeKey = [
+        normalized.key,
+        normalized.file || '',
+        normalized.line || '',
+        normalized.fix || '',
+      ].join('|');
+
+      if (seen.has(dedupeKey)) continue;
+      seen.add(dedupeKey);
+      findings.push(normalized);
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  patterns,
+  runShallowRisk,
+  SHALLOW_RISK_BANNER,
+  SHALLOW_RISK_BANNER_LINES,
+};

package/src/shallow-risk/patterns/agent-config-cross-platform-drift.js

@@ -1,50 +1,50 @@
-'use strict';
-
-const {
-  SHALLOW_RISK_DOC_URL,
-  collectStackClaims,
-} = require('../shared');
-
-module.exports = {
-  key: 'agent-config-cross-platform-drift',
-  name: 'Cross-platform stack drift detected',
-  severity: 'high',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const claims = collectStackClaims(ctx).filter((claim) => claim.platform !== 'agent');
-    if (claims.length < 2) return [];
-
-    const byPlatform = new Map();
-    for (const claim of claims) {
-      const bucket = byPlatform.get(claim.platform) || [];
-      bucket.push(claim);
-      byPlatform.set(claim.platform, bucket);
-    }
-
-    const representatives = [];
-    for (const bucket of byPlatform.values()) {
-      const uniqueKeys = [...new Set(bucket.map((claim) => claim.key))];
-      if (uniqueKeys.length !== 1) continue;
-      representatives.push(bucket[0]);
-    }
-
-    representatives.sort((left, right) => left.file.localeCompare(right.file));
-
-    for (let index = 0; index < representatives.length; index++) {
-      for (let inner = index + 1; inner < representatives.length; inner++) {
-        const first = representatives[index];
-        const second = representatives[inner];
-        if (first.key === second.key) continue;
-
-        return [{
-          file: first.file,
-          line: first.line,
-          fix: `Drift detected: ${first.file} declares "${first.label}" while ${second.file} declares "${second.label}". Align the shared primary-language guidance or document an intentional platform-specific override.`,
-        }];
-      }
-    }
-
-    return [];
-  },
-};
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  collectStackClaims,
+} = require('../shared');
+
+module.exports = {
+  key: 'agent-config-cross-platform-drift',
+  name: 'Cross-platform stack drift detected',
+  severity: 'high',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const claims = collectStackClaims(ctx).filter((claim) => claim.platform !== 'agent');
+    if (claims.length < 2) return [];
+
+    const byPlatform = new Map();
+    for (const claim of claims) {
+      const bucket = byPlatform.get(claim.platform) || [];
+      bucket.push(claim);
+      byPlatform.set(claim.platform, bucket);
+    }
+
+    const representatives = [];
+    for (const bucket of byPlatform.values()) {
+      const uniqueKeys = [...new Set(bucket.map((claim) => claim.key))];
+      if (uniqueKeys.length !== 1) continue;
+      representatives.push(bucket[0]);
+    }
+
+    representatives.sort((left, right) => left.file.localeCompare(right.file));
+
+    for (let index = 0; index < representatives.length; index++) {
+      for (let inner = index + 1; inner < representatives.length; inner++) {
+        const first = representatives[index];
+        const second = representatives[inner];
+        if (first.key === second.key) continue;
+
+        return [{
+          file: first.file,
+          line: first.line,
+          fix: `Drift detected: ${first.file} declares "${first.label}" while ${second.file} declares "${second.label}". Align the shared primary-language guidance or document an intentional platform-specific override.`,
+        }];
+      }
+    }
+
+    return [];
+  },
+};

package/src/shallow-risk/patterns/agent-config-dangerous-autoapprove.js

@@ -1,46 +1,46 @@
-'use strict';
-
-const { SHALLOW_RISK_DOC_URL, escapeRegExp } = require('../shared');
-
-const DANGEROUS_ALLOW_PATTERNS = [
-  /\brm\b[\s\S]{0,40}-r/i,
-  /\bgit\s+push\s+--force\b/i,
-  /\bdrop\s+(?:database|table)\b/i,
-  /\btruncate\s+table\b/i,
-  /\bdelete\s+from\b/i,
-];
-
-function isDangerousAllowRule(rule) {
-  if (typeof rule !== 'string') return false;
-  if (/\bdelete\s+from\b/i.test(rule)) {
-    return !/\bwhere\b/i.test(rule) || /\bwhere\s*1\s*=\s*1\b/i.test(rule);
-  }
-  return DANGEROUS_ALLOW_PATTERNS.some((pattern) => {
-    pattern.lastIndex = 0;
-    return pattern.test(rule);
-  });
-}
-
-module.exports = {
-  key: 'agent-config-dangerous-autoapprove',
-  name: 'Agent config auto-approves destructive commands',
-  severity: 'critical',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const file = '.claude/settings.json';
-    const config = ctx.jsonFile(file);
-    const allowRules = config && config.permissions && Array.isArray(config.permissions.allow)
-      ? config.permissions.allow
-      : [];
-    if (allowRules.length === 0) return [];
-
-    return allowRules
-      .filter(isDangerousAllowRule)
-      .map((rule) => ({
-        file,
-        line: ctx.lineNumber(file, new RegExp(escapeRegExp(rule))) || 1,
-        fix: `${file} pre-approves the destructive rule \`${rule}\`. Remove it from the allow-list so destructive commands always require explicit review.`,
-      }));
-  },
-};
+'use strict';
+
+const { SHALLOW_RISK_DOC_URL, escapeRegExp } = require('../shared');
+
+const DANGEROUS_ALLOW_PATTERNS = [
+  /\brm\b[\s\S]{0,40}-r/i,
+  /\bgit\s+push\s+--force\b/i,
+  /\bdrop\s+(?:database|table)\b/i,
+  /\btruncate\s+table\b/i,
+  /\bdelete\s+from\b/i,
+];
+
+function isDangerousAllowRule(rule) {
+  if (typeof rule !== 'string') return false;
+  if (/\bdelete\s+from\b/i.test(rule)) {
+    return !/\bwhere\b/i.test(rule) || /\bwhere\s*1\s*=\s*1\b/i.test(rule);
+  }
+  return DANGEROUS_ALLOW_PATTERNS.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(rule);
+  });
+}
+
+module.exports = {
+  key: 'agent-config-dangerous-autoapprove',
+  name: 'Agent config auto-approves destructive commands',
+  severity: 'critical',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const file = '.claude/settings.json';
+    const config = ctx.jsonFile(file);
+    const allowRules = config && config.permissions && Array.isArray(config.permissions.allow)
+      ? config.permissions.allow
+      : [];
+    if (allowRules.length === 0) return [];
+
+    return allowRules
+      .filter(isDangerousAllowRule)
+      .map((rule) => ({
+        file,
+        line: ctx.lineNumber(file, new RegExp(escapeRegExp(rule))) || 1,
+        fix: `${file} pre-approves the destructive rule \`${rule}\`. Remove it from the allow-list so destructive commands always require explicit review.`,
+      }));
+  },
+};

package/src/shallow-risk/patterns/agent-config-deprecated-keys.js

@@ -1,46 +1,46 @@
-'use strict';
-
-const { AIDER_P0_SOURCES, SHALLOW_RISK_DOC_URL, hasLegacyAiderPin } = require('../shared');
-
-const DEPRECATED_AIDER_KEYS = [
-  {
-    key: 'auto-commit',
-    replacement: 'auto-commits',
-    pattern: /^\s*auto-commit\s*:/i,
-    note: 'removed in Aider 0.60+',
-  },
-];
-
-module.exports = {
-  key: 'agent-config-deprecated-keys',
-  name: 'Agent config uses deprecated keys',
-  severity: 'medium',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    if (!Array.isArray(AIDER_P0_SOURCES) || AIDER_P0_SOURCES.length < 2) {
-      return [];
-    }
-
-    const file = ctx.fileContent('.aider.conf.yml') !== null ? '.aider.conf.yml'
-      : (ctx.fileContent('.aider.conf.yaml') !== null ? '.aider.conf.yaml' : null);
-    if (!file || hasLegacyAiderPin(ctx)) return [];
-
-    const findings = [];
-    const content = ctx.fileContent(file) || '';
-    const lines = content.split(/\r?\n/);
-
-    for (const keyDef of DEPRECATED_AIDER_KEYS) {
-      const lineIndex = lines.findIndex((line) => keyDef.pattern.test(line));
-      if (lineIndex === -1) continue;
-      findings.push({
-        file,
-        line: lineIndex + 1,
-        fix: `${file} uses deprecated Aider key \`${keyDef.key}\` (${keyDef.note}). Replace it with \`${keyDef.replacement}\` or remove it if the repo intentionally stays on an older Aider release.`,
-        sourceUrl: AIDER_P0_SOURCES.find((source) => source.key === 'aider-config-reference')?.url || SHALLOW_RISK_DOC_URL,
-      });
-    }
-
-    return findings;
-  },
-};
+'use strict';
+
+const { AIDER_P0_SOURCES, SHALLOW_RISK_DOC_URL, hasLegacyAiderPin } = require('../shared');
+
+const DEPRECATED_AIDER_KEYS = [
+  {
+    key: 'auto-commit',
+    replacement: 'auto-commits',
+    pattern: /^\s*auto-commit\s*:/i,
+    note: 'removed in Aider 0.60+',
+  },
+];
+
+module.exports = {
+  key: 'agent-config-deprecated-keys',
+  name: 'Agent config uses deprecated keys',
+  severity: 'medium',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    if (!Array.isArray(AIDER_P0_SOURCES) || AIDER_P0_SOURCES.length < 2) {
+      return [];
+    }
+
+    const file = ctx.fileContent('.aider.conf.yml') !== null ? '.aider.conf.yml'
+      : (ctx.fileContent('.aider.conf.yaml') !== null ? '.aider.conf.yaml' : null);
+    if (!file || hasLegacyAiderPin(ctx)) return [];
+
+    const findings = [];
+    const content = ctx.fileContent(file) || '';
+    const lines = content.split(/\r?\n/);
+
+    for (const keyDef of DEPRECATED_AIDER_KEYS) {
+      const lineIndex = lines.findIndex((line) => keyDef.pattern.test(line));
+      if (lineIndex === -1) continue;
+      findings.push({
+        file,
+        line: lineIndex + 1,
+        fix: `${file} uses deprecated Aider key \`${keyDef.key}\` (${keyDef.note}). Replace it with \`${keyDef.replacement}\` or remove it if the repo intentionally stays on an older Aider release.`,
+        sourceUrl: AIDER_P0_SOURCES.find((source) => source.key === 'aider-config-reference')?.url || SHALLOW_RISK_DOC_URL,
+      });
+    }
+
+    return findings;
+  },
+};