@nerviq/cli 1.8.7 → 1.8.8

package/README.md

@@ -347,16 +347,3 @@ If Nerviq helped you, consider giving it a ⭐ on [GitHub](https://github.com/ne
 | `BETA` | Works but has limited real-world testing. API may change |
 | `EXPERIMENTAL` | Early stage, static rules, results may vary |
 
-## Previously nerviq-cli
-
-Nerviq was previously published as `nerviq-cli`. If you were using it:
-
-```bash
-# Old
-npx nerviq-cli
-
-# New
-npx @nerviq/cli audit
-```
-
-All features are preserved and expanded.

package/bin/cli.js

@@ -285,6 +285,53 @@ function printWorkspaceSummary(summary, options) {
   console.log('');
 }
 
+function printScanDetail(summary, options) {
+  if (options.json) {
+    console.log(JSON.stringify(summary, null, 2));
+    return;
+  }
+
+  console.log('');
+  console.log('\x1b[1m  nerviq scan — per-repo comparison\x1b[0m');
+  console.log('\x1b[2m  ═══════════════════════════════════════\x1b[0m');
+  console.log(`  Platform: ${summary.platform}  |  Repos: ${summary.repoCount}  |  Average: \x1b[1m${summary.averageScore}/100\x1b[0m`);
+  console.log('');
+
+  for (const item of summary.repos) {
+    if (item.error) {
+      console.log(`  \x1b[31m✗ ${item.name}\x1b[0m — ${item.error}`);
+      console.log('');
+      continue;
+    }
+    const scoreColor = item.score >= 80 ? '\x1b[32m' : item.score >= 50 ? '\x1b[33m' : '\x1b[31m';
+    console.log(`  \x1b[1m${item.name}\x1b[0m  ${scoreColor}${item.score}/100\x1b[0m  (${item.passed}/${item.total} checks passed)`);
+
+    // Show per-category breakdown if result is available
+    if (item.result && item.result.results) {
+      const categories = {};
+      for (const r of item.result.results) {
+        const cat = r.category || 'other';
+        if (!categories[cat]) categories[cat] = { passed: 0, total: 0 };
+        categories[cat].total++;
+        if (r.passed) categories[cat].passed++;
+      }
+      const catEntries = Object.entries(categories).sort((a, b) => (a[1].passed / a[1].total) - (b[1].passed / b[1].total));
+      const catLine = catEntries.map(([cat, v]) => `${cat}: ${v.passed}/${v.total}`).join('  ');
+      console.log(`    \x1b[2m${catLine}\x1b[0m`);
+    }
+
+    // Show top 3 gaps
+    if (item.result && item.result.topNextActions && item.result.topNextActions.length > 0) {
+      const gaps = item.result.topNextActions.slice(0, 3);
+      console.log('    Top gaps:');
+      for (const gap of gaps) {
+        console.log(`      \x1b[33m→\x1b[0m ${gap.name || gap.key}${gap.impact ? ` \x1b[2m(+${gap.impact})\x1b[0m` : ''}`);
+      }
+    }
+    console.log('');
+  }
+}
+
 function printOrgSummary(summary, options) {
   if (options.json) {
     console.log(JSON.stringify(summary, null, 2));
@@ -525,6 +572,21 @@ async function main() {
     }
   }
 
+  // Apply built-in governance profile (--profile flag) to audit options
+  if (parsed.profile && parsed.profile !== 'safe-write') {
+    const { getPermissionProfile } = require('../src/governance');
+    const govProfile = getPermissionProfile(parsed.profile);
+    if (govProfile) {
+      options.governanceProfile = govProfile;
+      if (govProfile.deny && govProfile.deny.length > 0) {
+        options.suppressedChecks = options.suppressedChecks || [];
+      }
+      if (!options.json) {
+        console.log(`  Using governance profile: ${govProfile.label} (${govProfile.risk} risk)`);
+      }
+    }
+  }
+
   const SUPPORTED_PLATFORMS = ['claude', 'codex', 'gemini', 'copilot', 'cursor', 'windsurf', 'aider', 'opencode'];
   if (!SUPPORTED_PLATFORMS.includes(options.platform)) {
     console.error(`\n  Error: Unsupported platform '${options.platform}'.`);
@@ -595,7 +657,7 @@ async function main() {
       // Harmony + Synergy (cross-platform)
       'harmony-audit', 'harmony-sync', 'harmony-drift', 'harmony-advise',
       'harmony-watch', 'harmony-governance', 'harmony-add', 'synergy-report', 'anti-patterns', 'rules-export',
-      'freshness', 'profile',
+      'freshness', 'profile', 'migrate',
     ]);
 
     if (options.platform === 'codex') {
@@ -648,7 +710,7 @@ async function main() {
         process.exit(1);
       }
       const summary = await scanOrg(scanDirs, options.platform);
-      printOrgSummary(summary, options);
+      printScanDetail(summary, options);
       if (options.threshold !== null && summary.averageScore < options.threshold) {
         process.exit(1);
       }
@@ -1341,11 +1403,39 @@ async function main() {
           process.exit(1);
         }
         const profile = loadProfile(options.dir, profileArg);
+
+        // Apply profile settings to .claude/settings.json
+        const fs = require('fs');
+        const settingsPath = require('path').join(options.dir, '.claude', 'settings.json');
+        let settings = {};
+        if (fs.existsSync(settingsPath)) {
+          try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); } catch {}
+        }
+        // Apply deny rules from governance profile if platforms include claude
+        if (profile.platforms && profile.platforms.includes('claude')) {
+          const { getPermissionProfile } = require('../src/governance');
+          const govProfile = getPermissionProfile(profileArg);
+          if (govProfile && govProfile.deny && govProfile.deny.length > 0) {
+            settings.deny = govProfile.deny;
+          }
+        }
+        // Apply threshold and suppressed checks
+        if (profile.threshold != null) {
+          settings.threshold = profile.threshold;
+        }
+        if (profile.suppressedChecks && profile.suppressedChecks.length > 0) {
+          settings.suppressedChecks = profile.suppressedChecks;
+        }
+        const settingsDir = require('path').dirname(settingsPath);
+        fs.mkdirSync(settingsDir, { recursive: true });
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf8');
+
         if (options.json) {
           console.log(JSON.stringify(profile, null, 2));
         } else {
           console.log('');
           console.log(formatProfile(profile));
+          console.log(`\n  Settings applied to ${settingsPath}`);
           console.log('');
         }
         process.exit(0);
@@ -1404,7 +1494,8 @@ async function main() {
       const fixKey = parsed.extraArgs[0] || null;
       const allCritical = flags.includes('--all-critical');
       const promptOnly = flags.includes('--prompt');
-      const autoApply = options.auto || options.dryRun;
+      const autoApply = options.auto;
+      const isDryRun = options.dryRun;
 
       // Step 1: Run silent audit to find failed checks (only actual failures, not skipped/null)
       const auditResult = await audit({ dir: options.dir, silent: true, platform: options.platform });
@@ -1447,6 +1538,13 @@ async function main() {
           for (const entry of denyEntries) {
             if (!settings.permissions.deny.includes(entry)) settings.permissions.deny.push(entry);
           }
+          // Remove overly broad allow:["*"] if present
+          if (Array.isArray(settings.permissions.allow) && settings.permissions.allow.includes('*')) {
+            settings.permissions.allow = settings.permissions.allow.filter(a => a !== '*');
+            if (settings.permissions.allow.length === 0) {
+              delete settings.permissions.allow;
+            }
+          }
           fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf8');
           return true;
         },
@@ -1558,7 +1656,7 @@ async function main() {
       const predictedScore = maxScore > 0 ? Math.round((simulatedEarned / maxScore) * 100) : 0;
       const predictedDelta = predictedScore - preScore;
 
-      if (!autoApply) {
+      if (!autoApply && !isDryRun) {
         console.log('');
         if (allCritical && fixableTargets.length > 1) {
           // Multi-fix summary
@@ -1607,9 +1705,9 @@ async function main() {
       const allCreatedFiles = [];
       const fixResults = []; // { key, name, status, delta }
 
-      if (!options.dryRun && targetKeys.length > 0) {
-        // Snapshot existing files for rollback
-        const snapshotFiles = {};
+      const snapshotFiles = {};
+      if (!isDryRun && targetKeys.length > 0) {
+        // Snapshot existing files for rollback (before applying fixes)
         for (const key of targetKeys) {
           const technique = TECHNIQUES[key];
           if (technique && technique.template && technique.template.path) {
@@ -1619,14 +1717,6 @@ async function main() {
             }
           }
         }
-        const rollbackArtifact = writeRollbackArtifact(options.dir, {
-          sourcePlan: 'fix-batch',
-          preSnapshot: snapshotFiles,
-          createdFiles: [],
-          patchedFiles: Object.keys(snapshotFiles),
-          rollbackInstructions: ['Use nerviq rollback to undo these fixes'],
-        });
-        rollbackId = rollbackArtifact.id;
       }
 
       // Step 3b: Apply fixes sequentially with progress
@@ -1641,7 +1731,7 @@ async function main() {
         const progress = isBatch ? `${i + 1}/${targetKeys.length}: ` : '';
 
         if (technique && technique.template) {
-          if (options.dryRun) {
+          if (isDryRun) {
             console.log(`  [dry-run] Would fix: ${progress}${failedCheck.name} (${key})`);
             fixResults.push({ key, name: failedCheck.name, status: 'dry-run', delta: 0 });
             fixed++;
@@ -1671,7 +1761,7 @@ async function main() {
             }
           }
         } else if (INLINE_FIXERS[key]) {
-          if (options.dryRun) {
+          if (isDryRun) {
             console.log(`  [dry-run] Would fix: ${progress}${failedCheck.name} (${key})`);
             fixResults.push({ key, name: failedCheck.name, status: 'dry-run', delta: 0 });
             fixed++;
@@ -1716,26 +1806,33 @@ async function main() {
       }
 
       // Record accepted patterns for successfully fixed checks
-      if (!options.dryRun) {
+      if (!isDryRun) {
         for (const key of targetKeys) {
           const fr = fixResults.find(r => r.key === key);
           recordPattern(options.dir, key, fr && fr.status === 'fixed' ? 'accepted' : 'rejected');
         }
       }
 
-      // Update rollback artifact with actual created files
-      if (!options.dryRun && rollbackId && allCreatedFiles.length > 0) {
-        const { ensureArtifactDirs } = require('../src/activity');
-        const { rollbackDir } = ensureArtifactDirs(options.dir);
-        const rbFiles = fs.readdirSync(rollbackDir).filter(f => f.includes(rollbackId));
-        if (rbFiles.length > 0) {
-          const rbPath = pathMod.join(rollbackDir, rbFiles[0]);
-          try {
-            const rbData = JSON.parse(fs.readFileSync(rbPath, 'utf8'));
-            rbData.createdFiles = allCreatedFiles;
-            fs.writeFileSync(rbPath, JSON.stringify(rbData, null, 2), 'utf8');
-          } catch { /* best effort */ }
+      // Write rollback artifact AFTER fixes are applied (with actual file lists)
+      if (!isDryRun && targetKeys.length > 0 && fixed > 0) {
+        const allPatchedFiles = Object.keys(snapshotFiles);
+        // Also track inline-fixer patched files
+        for (const fr of fixResults) {
+          if (fr.status === 'fixed' && INLINE_FIXERS[fr.key]) {
+            const inlinePath = fr.key === 'gitIgnoreEnv' ? '.gitignore' : fr.key === 'secretsProtection' ? '.claude/settings.json' : null;
+            if (inlinePath && !allPatchedFiles.includes(inlinePath)) {
+              allPatchedFiles.push(inlinePath);
+            }
+          }
         }
+        const rollbackArtifact = writeRollbackArtifact(options.dir, {
+          sourcePlan: 'fix-batch',
+          preSnapshot: snapshotFiles,
+          createdFiles: allCreatedFiles,
+          patchedFiles: allPatchedFiles,
+          rollbackInstructions: ['Use nerviq rollback to undo these fixes'],
+        });
+        rollbackId = rollbackArtifact.id;
       }
 
       // Step 4: Show batch summary or simple score impact
@@ -1751,10 +1848,10 @@ async function main() {
         const totalDelta = runningScore - preScore;
         console.log('');
         console.log(`  Score: ${preScore} → ${runningScore} (${totalDelta >= 0 ? '+' : ''}${totalDelta})`);
-        if (rollbackId && !options.dryRun) {
+        if (rollbackId && !isDryRun) {
           console.log(`  Rollback available: nerviq rollback --id ${rollbackId}`);
         }
-      } else if (fixed > 0 && !options.dryRun) {
+      } else if (fixed > 0 && !isDryRun) {
         const postResult = await audit({ dir: options.dir, silent: true, platform: options.platform });
         const delta = postResult.score - preScore;
         console.log('');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nerviq/cli",
-  "version": "1.8.7",
+  "version": "1.8.8",
   "description": "The intelligent nervous system for AI coding agents — 2,431 checks (8 platforms × ~300 governance rules), 10 languages, 62 domain packs. Audit, align, and amplify.",
   "main": "src/index.js",
   "bin": {

package/src/context.js

@@ -185,12 +185,38 @@ class ProjectContext {
     return deps;
   }
 
+  /**
+   * Recursively check if a file or directory name exists anywhere under a given base directory.
+   * Searches up to maxDepth levels deep.
+   */
+  _findInSubdirs(name, baseDir, maxDepth = 3) {
+    if (maxDepth <= 0) return false;
+    try {
+      const entries = fs.readdirSync(baseDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.name === 'node_modules' || entry.name === '__pycache__' || entry.name === '.git') continue;
+        if (entry.name === name || entry.name.endsWith(name)) return true;
+        if (entry.isDirectory()) {
+          if (this._findInSubdirs(name, path.join(baseDir, entry.name), maxDepth - 1)) return true;
+        }
+      }
+    } catch {
+      // directory not readable
+    }
+    return false;
+  }
+
   detectStacks(STACKS) {
     const detected = [];
     for (const [key, stack] of Object.entries(STACKS)) {
-      const hasFile = stack.files.some(f => {
+      // Check root-level files first (fast path)
+      let hasFile = stack.files.some(f => {
         return this.files.some(pf => pf.startsWith(f));
       });
+      // If not found at root, search subdirectories (up to 3 levels deep)
+      if (!hasFile) {
+        hasFile = stack.files.some(f => this._findInSubdirs(f, this.dir));
+      }
       if (!hasFile) continue;
 
       let contentMatch = true;

package/src/convert.js

@@ -98,7 +98,7 @@ function readSourceConfig(dir, from) {
           if (descMatch) desc = descMatch[1].trim();
         }
         canonical.rules.push({
-          name: file.replace('.mdc', ''),
+          name: file.replace(/\.(mdc|md|txt)$/i, ''),
           content,
           alwaysOn,
           glob,
@@ -165,7 +165,11 @@ function readSourceConfig(dir, from) {
 
 function buildTargetOutput(canonical, to, { dryRun = false } = {}) {
   const outputs = [];  // Array of { path, content }
-  const combinedContent = canonical.rules.map(r => r.content).join('\n\n');
+  // Strip MDC frontmatter from rule content for non-cursor targets to prevent leaking
+  const stripFrontmatter = (text) => text.replace(/^---[\s\S]*?---\n/m, '').trim();
+  const combinedContent = to === 'cursor'
+    ? canonical.rules.map(r => r.content).join('\n\n')
+    : canonical.rules.map(r => stripFrontmatter(r.content)).join('\n\n');
 
   if (to === 'claude') {
     // Extract or create CLAUDE.md from combined rules

package/src/setup.js

@@ -810,7 +810,7 @@ process.stdin.on('end', () => {
       console.log(JSON.stringify({ decision: 'allow' }));
     }
   } catch (e) {
-    console.log(JSON.stringify({ decision: 'allow' }));
+    console.log(JSON.stringify({ decision: 'block', reason: 'Hook error - blocking for safety' }));
   }
 });
 `,
@@ -1062,7 +1062,14 @@ Prepare a release candidate for: $ARGUMENTS
 - Mock external dependencies, not internal logic
 - Include both happy path and edge case tests
 `;
-    rules['repository.md'] = `When changing release, packaging, or workflow files:
+    rules['repository.md'] = hasPython
+      ? `When changing release, packaging, or workflow files:
+- Keep pyproject.toml (or requirements.txt), CHANGELOG.md, README.md, and docs in sync
+- Prefer tagged release references over floating branch references in public docs
+- Preserve backward compatibility in CLI flags where practical
+- Any automation that writes files must document rollback expectations
+`
+      : `When changing release, packaging, or workflow files:
 - Keep package.json, CHANGELOG.md, README.md, and docs in sync
 - Prefer tagged release references over floating branch references in public docs
 - Preserve backward compatibility in CLI flags where practical
@@ -1115,6 +1122,18 @@ async function setup(options) {
   if (options.platform === 'codex') {
     return setupCodex(options);
   }
+  if (options.platform === 'windsurf') {
+    const { setupWindsurf } = require('./windsurf/setup');
+    return setupWindsurf(options);
+  }
+  if (options.platform === 'aider') {
+    const { setupAider } = require('./aider/setup');
+    return setupAider(options);
+  }
+  if (options.platform === 'cursor') {
+    const { setupCursor } = require('./cursor/setup');
+    return setupCursor(options);
+  }
 
   const ctx = new ProjectContext(options.dir);
   const stacks = ctx.detectStacks(STACKS);
@@ -1218,21 +1237,40 @@ async function setup(options) {
     }
   }
 
-  // Auto-register hooks in settings if hooks were created but no settings exist
+  // Auto-register hooks in settings — always merge hooks into settings.json
   const hooksDir = path.join(options.dir, '.claude/hooks');
   const settingsPath = path.join(options.dir, '.claude/settings.json');
-  if (fs.existsSync(hooksDir) && !fs.existsSync(settingsPath)) {
+  if (fs.existsSync(hooksDir)) {
     const hookFiles = fs.readdirSync(hooksDir).filter(f => f.endsWith('.sh') || f.endsWith('.js'));
     if (hookFiles.length > 0) {
-      const settings = buildSettingsForProfile({
+      const newSettings = buildSettingsForProfile({
         profileKey: options.profile || 'safe-write',
         hookFiles,
         mcpPackKeys: options.mcpPacks || [],
       });
-      fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf8');
-      writtenFiles.push('.claude/settings.json');
-      log(`  \x1b[32m✅\x1b[0m Created .claude/settings.json (hooks registered)`);
-      created++;
+      // Merge new settings into existing settings.json, preserving all fields
+      let existingSettings = {};
+      if (fs.existsSync(settingsPath)) {
+        try {
+          existingSettings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+        } catch (_) {
+          // If settings.json is malformed, start fresh
+          existingSettings = {};
+        }
+      }
+      // Merge all fields from newSettings into existing, preserving existing values
+      if (newSettings.hooks) existingSettings.hooks = newSettings.hooks;
+      if (newSettings.permissions) existingSettings.permissions = { ...existingSettings.permissions, ...newSettings.permissions };
+      if (newSettings.mcpServers) existingSettings.mcpServers = { ...existingSettings.mcpServers, ...newSettings.mcpServers };
+      if (newSettings.nerviqSetup) existingSettings.nerviqSetup = { ...existingSettings.nerviqSetup, ...newSettings.nerviqSetup };
+      fs.writeFileSync(settingsPath, JSON.stringify(existingSettings, null, 2), 'utf8');
+      if (!writtenFiles.includes('.claude/settings.json') && !preservedFiles.includes('.claude/settings.json')) {
+        writtenFiles.push('.claude/settings.json');
+        log(`  \x1b[32m✅\x1b[0m Updated .claude/settings.json (hooks registered)`);
+        created++;
+      } else {
+        log(`  \x1b[32m✅\x1b[0m Merged hooks into existing .claude/settings.json`);
+      }
     }
   }
 

package/src/techniques.js

@@ -759,7 +759,11 @@ const TECHNIQUES = {
       const settings = ctx.jsonFile('.claude/settings.json') || ctx.jsonFile('.claude/settings.local.json');
       if (!settings || !settings.permissions) return false;
       const deny = JSON.stringify(settings.permissions.deny || []);
-      return deny.includes('.env') || deny.includes('secrets');
+      const hasDeny = deny.includes('.env') || deny.includes('secrets');
+      // Fail if allow includes "*" (overly broad — bypasses deny rules)
+      const allow = settings.permissions.allow || [];
+      if (Array.isArray(allow) && allow.includes('*')) return false;
+      return hasDeny;
     },
     impact: 'critical',
     rating: 5,
@@ -5474,7 +5478,7 @@ const STACKS = {
   ruby: { files: ['Gemfile'], content: {}, label: 'Ruby' },
   java: { files: ['pom.xml'], content: {}, label: 'Java' },
   kotlin: { files: ['build.gradle.kts'], content: {}, label: 'Kotlin' },
-  swift: { files: ['Package.swift'], content: {}, label: 'Swift' },
+  swift: { files: ['Package.swift', '.xcodeproj'], content: {}, label: 'Swift' },
   terraform: { files: ['main.tf', 'terraform'], content: {}, label: 'Terraform' },
   kubernetes: { files: ['k8s', 'kubernetes', 'helm'], content: {}, label: 'Kubernetes' },
   cpp: { files: ['CMakeLists.txt', 'Makefile', '.clang-format'], content: {}, label: 'C++' },