@nerviq/cli 1.29.0 → 1.29.1

package/src/shallow-risk/patterns/agent-config-secret-literal.js

@@ -1,49 +1,49 @@
-'use strict';
-
-const { SHALLOW_RISK_DOC_URL, getAgentConfigEntries } = require('../shared');
-
-const SECRET_PATTERNS = [
-  { label: 'AWS access key', pattern: /\bAKIA[0-9A-Z]{16}\b/g },
-  { label: 'Stripe live key', pattern: /\bsk_live_[A-Za-z0-9]{24,}\b/g },
-  { label: 'GitHub personal access token', pattern: /\bghp_[A-Za-z0-9]{36}\b/g },
-  { label: 'SSH private key header', pattern: /-----BEGIN (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----/g },
-];
-
-function looksLikePlaceholder(line, matchText) {
-  return /\b(example|sample|placeholder|replace[-_ ]?me|your[_-]?key|fake|dummy)\b/i.test(line) ||
-    /\bEXAMPLE\b/.test(matchText);
-}
-
-module.exports = {
-  key: 'agent-config-secret-literal',
-  name: 'Agent config contains secret literal',
-  severity: 'critical',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const findings = [];
-
-    for (const entry of getAgentConfigEntries(ctx)) {
-      const lines = entry.content.split(/\r?\n/);
-      for (let index = 0; index < lines.length; index++) {
-        const line = lines[index];
-        for (const secret of SECRET_PATTERNS) {
-          secret.pattern.lastIndex = 0;
-          let match = secret.pattern.exec(line);
-          while (match) {
-            if (!looksLikePlaceholder(line, match[0])) {
-              findings.push({
-                file: entry.path,
-                line: index + 1,
-                fix: `${entry.path} contains a ${secret.label} shape. Rotate the secret, remove it from the agent config, and scrub it from git history if it was real.`,
-              });
-            }
-            match = secret.pattern.exec(line);
-          }
-        }
-      }
-    }
-
-    return findings;
-  },
-};
+'use strict';
+
+const { SHALLOW_RISK_DOC_URL, getAgentConfigEntries } = require('../shared');
+
+const SECRET_PATTERNS = [
+  { label: 'AWS access key', pattern: /\bAKIA[0-9A-Z]{16}\b/g },
+  { label: 'Stripe live key', pattern: /\bsk_live_[A-Za-z0-9]{24,}\b/g },
+  { label: 'GitHub personal access token', pattern: /\bghp_[A-Za-z0-9]{36}\b/g },
+  { label: 'SSH private key header', pattern: /-----BEGIN (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----/g },
+];
+
+function looksLikePlaceholder(line, matchText) {
+  return /\b(example|sample|placeholder|replace[-_ ]?me|your[_-]?key|fake|dummy)\b/i.test(line) ||
+    /\bEXAMPLE\b/.test(matchText);
+}
+
+module.exports = {
+  key: 'agent-config-secret-literal',
+  name: 'Agent config contains secret literal',
+  severity: 'critical',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const findings = [];
+
+    for (const entry of getAgentConfigEntries(ctx)) {
+      const lines = entry.content.split(/\r?\n/);
+      for (let index = 0; index < lines.length; index++) {
+        const line = lines[index];
+        for (const secret of SECRET_PATTERNS) {
+          secret.pattern.lastIndex = 0;
+          let match = secret.pattern.exec(line);
+          while (match) {
+            if (!looksLikePlaceholder(line, match[0])) {
+              findings.push({
+                file: entry.path,
+                line: index + 1,
+                fix: `${entry.path} contains a ${secret.label} shape. Rotate the secret, remove it from the agent config, and scrub it from git history if it was real.`,
+              });
+            }
+            match = secret.pattern.exec(line);
+          }
+        }
+      }
+    }
+
+    return findings;
+  },
+};

package/src/shallow-risk/patterns/agent-config-stack-contradiction.js

@@ -1,34 +1,34 @@
-'use strict';
-
-const {
-  SHALLOW_RISK_DOC_URL,
-  collectStackClaims,
-  findFirstStackEvidence,
-  getDetectedStackEvidence,
-} = require('../shared');
-
-module.exports = {
-  key: 'agent-config-stack-contradiction',
-  name: 'Agent config contradicts actual stack',
-  severity: 'high',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const claims = collectStackClaims(ctx);
-    const distinctClaims = [...new Set(claims.map((claim) => claim.key))];
-    if (distinctClaims.length !== 1) return [];
-
-    const declared = claims[0];
-    const hasDeclaredEvidence = declared.stackKeys.some((stackKey) => Boolean(findFirstStackEvidence(ctx, stackKey)));
-    if (hasDeclaredEvidence) return [];
-
-    const actual = getDetectedStackEvidence(ctx).find((item) => !declared.stackKeys.includes(item.key));
-    if (!actual) return [];
-
-    return [{
-      file: declared.file,
-      line: declared.line,
-      fix: `${declared.file} declares the primary stack as "${declared.label}", but the repo shows ${actual.label} signals (${actual.file}) and no ${declared.label} evidence. Align the agent guidance with the actual stack or document a real migration plan.`,
-    }];
-  },
-};
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  collectStackClaims,
+  findFirstStackEvidence,
+  getDetectedStackEvidence,
+} = require('../shared');
+
+module.exports = {
+  key: 'agent-config-stack-contradiction',
+  name: 'Agent config contradicts actual stack',
+  severity: 'high',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const claims = collectStackClaims(ctx);
+    const distinctClaims = [...new Set(claims.map((claim) => claim.key))];
+    if (distinctClaims.length !== 1) return [];
+
+    const declared = claims[0];
+    const hasDeclaredEvidence = declared.stackKeys.some((stackKey) => Boolean(findFirstStackEvidence(ctx, stackKey)));
+    if (hasDeclaredEvidence) return [];
+
+    const actual = getDetectedStackEvidence(ctx).find((item) => !declared.stackKeys.includes(item.key));
+    if (!actual) return [];
+
+    return [{
+      file: declared.file,
+      line: declared.line,
+      fix: `${declared.file} declares the primary stack as "${declared.label}", but the repo shows ${actual.label} signals (${actual.file}) and no ${declared.label} evidence. Align the agent guidance with the actual stack or document a real migration plan.`,
+    }];
+  },
+};

package/src/shallow-risk/patterns/hook-script-missing.js

@@ -1,70 +1,70 @@
-'use strict';
-
-const {
-  SHALLOW_RISK_DOC_URL,
-  escapeRegExp,
-  getHookCommandPath,
-  resolveRepoPath,
-} = require('../shared');
-
-const HOOK_EVENTS = new Set([
-  'PreToolUse',
-  'PostToolUse',
-  'Stop',
-  'UserPromptSubmit',
-  'SessionStart',
-]);
-
-function collectHookCommands(node, output = []) {
-  if (Array.isArray(node)) {
-    for (const item of node) collectHookCommands(item, output);
-    return output;
-  }
-
-  if (!node || typeof node !== 'object') {
-    return output;
-  }
-
-  if (node.type === 'command' && typeof node.command === 'string') {
-    output.push(node.command);
-  }
-
-  for (const value of Object.values(node)) {
-    collectHookCommands(value, output);
-  }
-
-  return output;
-}
-
-module.exports = {
-  key: 'hook-script-missing',
-  name: 'Configured hook script is missing',
-  severity: 'high',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const file = '.claude/settings.json';
-    const config = ctx.jsonFile(file);
-    if (!config || !config.hooks || typeof config.hooks !== 'object') {
-      return [];
-    }
-
-    const findings = [];
-    for (const [eventName, entries] of Object.entries(config.hooks)) {
-      if (!HOOK_EVENTS.has(eventName)) continue;
-      for (const command of collectHookCommands(entries)) {
-        const scriptPath = getHookCommandPath(command);
-        if (!scriptPath) continue;
-        const resolvedPath = resolveRepoPath(ctx, file, scriptPath, 'repo-root');
-        if (!resolvedPath || ctx.fileContent(resolvedPath) !== null) continue;
-        findings.push({
-          file,
-          line: ctx.lineNumber(file, new RegExp(escapeRegExp(command))) || ctx.lineNumber(file, new RegExp(`"${escapeRegExp(eventName)}"`)) || 1,
-          fix: `${file} declares a ${eventName} hook at \`${resolvedPath}\`, but the script is missing. Create the hook file or remove the dead hook reference.`,
-        });
-      }
-    }
-
-    return findings;
-  },
-};
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  escapeRegExp,
+  getHookCommandPath,
+  resolveRepoPath,
+} = require('../shared');
+
+const HOOK_EVENTS = new Set([
+  'PreToolUse',
+  'PostToolUse',
+  'Stop',
+  'UserPromptSubmit',
+  'SessionStart',
+]);
+
+function collectHookCommands(node, output = []) {
+  if (Array.isArray(node)) {
+    for (const item of node) collectHookCommands(item, output);
+    return output;
+  }
+
+  if (!node || typeof node !== 'object') {
+    return output;
+  }
+
+  if (node.type === 'command' && typeof node.command === 'string') {
+    output.push(node.command);
+  }
+
+  for (const value of Object.values(node)) {
+    collectHookCommands(value, output);
+  }
+
+  return output;
+}
+
+module.exports = {
+  key: 'hook-script-missing',
+  name: 'Configured hook script is missing',
+  severity: 'high',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const file = '.claude/settings.json';
+    const config = ctx.jsonFile(file);
+    if (!config || !config.hooks || typeof config.hooks !== 'object') {
+      return [];
+    }
+
+    const findings = [];
+    for (const [eventName, entries] of Object.entries(config.hooks)) {
+      if (!HOOK_EVENTS.has(eventName)) continue;
+      for (const command of collectHookCommands(entries)) {
+        const scriptPath = getHookCommandPath(command);
+        if (!scriptPath) continue;
+        const resolvedPath = resolveRepoPath(ctx, file, scriptPath, 'repo-root');
+        if (!resolvedPath || ctx.fileContent(resolvedPath) !== null) continue;
+        findings.push({
+          file,
+          line: ctx.lineNumber(file, new RegExp(escapeRegExp(command))) || ctx.lineNumber(file, new RegExp(`"${escapeRegExp(eventName)}"`)) || 1,
+          fix: `${file} declares a ${eventName} hook at \`${resolvedPath}\`, but the script is missing. Create the hook file or remove the dead hook reference.`,
+        });
+      }
+    }
+
+    return findings;
+  },
+};

package/src/shallow-risk/patterns/mcp-server-no-allowlist.js

@@ -1,52 +1,52 @@
-'use strict';
-
-const {
-  SHALLOW_RISK_DOC_URL,
-  escapeRegExp,
-  isClearlyLocalMcpBinary,
-} = require('../shared');
-
-function hasBroadOpenPermissions(server) {
-  if (!server || typeof server !== 'object') return false;
-  if (Array.isArray(server.permissions) && server.permissions.length === 0) return true;
-  if (server.allow === '*') return true;
-  if (Array.isArray(server.allow) && server.allow.includes('*')) return true;
-  if (server.permissions && typeof server.permissions === 'object') {
-    if (server.permissions.allow === '*') return true;
-    if (Array.isArray(server.permissions.allow) && server.permissions.allow.includes('*')) return true;
-  }
-  return false;
-}
-
-module.exports = {
-  key: 'mcp-server-no-allowlist',
-  name: 'MCP server has no allowlist',
-  severity: 'critical',
-  layer: 'shallow-risk',
-  sourceUrl: SHALLOW_RISK_DOC_URL,
-  run(ctx) {
-    const findings = [];
-    const candidates = ['.claude/settings.json', '.mcp.json'];
-
-    for (const file of candidates) {
-      const config = ctx.jsonFile(file);
-      const servers = config && config.mcpServers && typeof config.mcpServers === 'object'
-        ? config.mcpServers
-        : null;
-      if (!servers) continue;
-
-      for (const [serverName, server] of Object.entries(servers)) {
-        if (!hasBroadOpenPermissions(server)) continue;
-        const command = typeof server.command === 'string' ? server.command : '';
-        findings.push({
-          severity: isClearlyLocalMcpBinary(command) ? 'high' : 'critical',
-          file,
-          line: ctx.lineNumber(file, new RegExp(`"${escapeRegExp(serverName)}"`)) || 1,
-          fix: `MCP server "${serverName}" in ${file} has broad access without an allowlist. Add a narrow allow/permissions list before relying on it in CI or production repos.`,
-        });
-      }
-    }
-
-    return findings;
-  },
-};
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  escapeRegExp,
+  isClearlyLocalMcpBinary,
+} = require('../shared');
+
+function hasBroadOpenPermissions(server) {
+  if (!server || typeof server !== 'object') return false;
+  if (Array.isArray(server.permissions) && server.permissions.length === 0) return true;
+  if (server.allow === '*') return true;
+  if (Array.isArray(server.allow) && server.allow.includes('*')) return true;
+  if (server.permissions && typeof server.permissions === 'object') {
+    if (server.permissions.allow === '*') return true;
+    if (Array.isArray(server.permissions.allow) && server.permissions.allow.includes('*')) return true;
+  }
+  return false;
+}
+
+module.exports = {
+  key: 'mcp-server-no-allowlist',
+  name: 'MCP server has no allowlist',
+  severity: 'critical',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const findings = [];
+    const candidates = ['.claude/settings.json', '.mcp.json'];
+
+    for (const file of candidates) {
+      const config = ctx.jsonFile(file);
+      const servers = config && config.mcpServers && typeof config.mcpServers === 'object'
+        ? config.mcpServers
+        : null;
+      if (!servers) continue;
+
+      for (const [serverName, server] of Object.entries(servers)) {
+        if (!hasBroadOpenPermissions(server)) continue;
+        const command = typeof server.command === 'string' ? server.command : '';
+        findings.push({
+          severity: isClearlyLocalMcpBinary(command) ? 'high' : 'critical',
+          file,
+          line: ctx.lineNumber(file, new RegExp(`"${escapeRegExp(serverName)}"`)) || 1,
+          fix: `MCP server "${serverName}" in ${file} has broad access without an allowlist. Add a narrow allow/permissions list before relying on it in CI or production repos.`,
+        });
+      }
+    }
+
+    return findings;
+  },
+};