@nerviq/cli 1.8.7 → 1.8.9

package/README.md

@@ -347,16 +347,3 @@ If Nerviq helped you, consider giving it a ⭐ on [GitHub](https://github.com/ne
 | `BETA` | Works but has limited real-world testing. API may change |
 | `EXPERIMENTAL` | Early stage, static rules, results may vary |
 
-## Previously nerviq-cli
-
-Nerviq was previously published as `nerviq-cli`. If you were using it:
-
-```bash
-# Old
-npx nerviq-cli
-
-# New
-npx @nerviq/cli audit
-```
-
-All features are preserved and expanded.

package/bin/cli.js

@@ -285,6 +285,56 @@ function printWorkspaceSummary(summary, options) {
   console.log('');
 }
 
+function printScanDetail(summary, options) {
+  if (options.json) {
+    console.log(JSON.stringify(summary, null, 2));
+    return;
+  }
+
+  console.log('');
+  console.log('\x1b[1m  nerviq scan — per-repo comparison\x1b[0m');
+  console.log('\x1b[2m  ═══════════════════════════════════════\x1b[0m');
+  console.log(`  Platform: ${summary.platform}  |  Repos: ${summary.repoCount}  |  Average: \x1b[1m${summary.averageScore}/100\x1b[0m`);
+  console.log('');
+
+  for (const item of summary.repos) {
+    if (item.error) {
+      console.log(`  \x1b[31m✗ ${item.name}\x1b[0m — ${item.error}`);
+      console.log('');
+      continue;
+    }
+    const scoreColor = item.score >= 80 ? '\x1b[32m' : item.score >= 50 ? '\x1b[33m' : '\x1b[31m';
+    console.log(`  \x1b[1m${item.name}\x1b[0m  ${scoreColor}${item.score}/100\x1b[0m  (${item.passed}/${item.total} checks passed)`);
+
+    // Show per-category breakdown if result is available
+    if (item.result && item.result.results) {
+      const STACK_LANGUAGES = new Set(['python', 'go', 'rust', 'java', 'ruby', 'dotnet', 'php', 'flutter', 'swift', 'kotlin']);
+      const categories = {};
+      for (const r of item.result.results) {
+        const cat = r.category || 'other';
+        if (!categories[cat]) categories[cat] = { passed: 0, total: 0 };
+        categories[cat].total++;
+        if (r.passed) categories[cat].passed++;
+      }
+      const catEntries = Object.entries(categories)
+        .filter(([cat, v]) => v.passed > 0 || !STACK_LANGUAGES.has(cat))
+        .sort((a, b) => (a[1].passed / a[1].total) - (b[1].passed / b[1].total));
+      const catLine = catEntries.map(([cat, v]) => `${cat}: ${v.passed}/${v.total}`).join('  ');
+      console.log(`    \x1b[2m${catLine}\x1b[0m`);
+    }
+
+    // Show top 3 gaps
+    if (item.result && item.result.topNextActions && item.result.topNextActions.length > 0) {
+      const gaps = item.result.topNextActions.slice(0, 3);
+      console.log('    Top gaps:');
+      for (const gap of gaps) {
+        console.log(`      \x1b[33m→\x1b[0m ${gap.name || gap.key}${gap.impact ? ` \x1b[2m(+${gap.impact})\x1b[0m` : ''}`);
+      }
+    }
+    console.log('');
+  }
+}
+
 function printOrgSummary(summary, options) {
   if (options.json) {
     console.log(JSON.stringify(summary, null, 2));
@@ -525,6 +575,21 @@ async function main() {
     }
   }
 
+  // Apply built-in governance profile (--profile flag) to audit options
+  if (parsed.profile && parsed.profile !== 'safe-write') {
+    const { getPermissionProfile } = require('../src/governance');
+    const govProfile = getPermissionProfile(parsed.profile);
+    if (govProfile) {
+      options.governanceProfile = govProfile;
+      if (govProfile.deny && govProfile.deny.length > 0) {
+        options.suppressedChecks = options.suppressedChecks || [];
+      }
+      if (!options.json) {
+        console.log(`  Using governance profile: ${govProfile.label} (${govProfile.risk} risk)`);
+      }
+    }
+  }
+
   const SUPPORTED_PLATFORMS = ['claude', 'codex', 'gemini', 'copilot', 'cursor', 'windsurf', 'aider', 'opencode'];
   if (!SUPPORTED_PLATFORMS.includes(options.platform)) {
     console.error(`\n  Error: Unsupported platform '${options.platform}'.`);
@@ -595,7 +660,7 @@ async function main() {
       // Harmony + Synergy (cross-platform)
       'harmony-audit', 'harmony-sync', 'harmony-drift', 'harmony-advise',
       'harmony-watch', 'harmony-governance', 'harmony-add', 'synergy-report', 'anti-patterns', 'rules-export',
-      'freshness', 'profile',
+      'freshness', 'profile', 'migrate',
     ]);
 
     if (options.platform === 'codex') {
@@ -648,7 +713,7 @@ async function main() {
         process.exit(1);
       }
       const summary = await scanOrg(scanDirs, options.platform);
-      printOrgSummary(summary, options);
+      printScanDetail(summary, options);
       if (options.threshold !== null && summary.averageScore < options.threshold) {
         process.exit(1);
       }
@@ -1340,12 +1405,54 @@ async function main() {
           console.error('\n  Error: Profile name required. Usage: nerviq profile load <name>\n');
           process.exit(1);
         }
-        const profile = loadProfile(options.dir, profileArg);
+        let profile;
+        try {
+          profile = loadProfile(options.dir, profileArg);
+        } catch {
+          // Not found as a user-saved profile — try built-in governance profiles
+          const { getPermissionProfile } = require('../src/governance');
+          const builtIn = getPermissionProfile(profileArg);
+          if (builtIn && builtIn.key === profileArg) {
+            profile = { name: builtIn.label, platforms: ['claude'], threshold: builtIn.threshold || 0, ...builtIn };
+          }
+        }
+        if (!profile) {
+          console.error(`\n  Error: Profile '${profileArg}' not found. Run 'nerviq profile list' to see available profiles.\n`);
+          process.exit(1);
+        }
+
+        // Apply profile settings to .claude/settings.json
+        const fs = require('fs');
+        const settingsPath = require('path').join(options.dir, '.claude', 'settings.json');
+        let settings = {};
+        if (fs.existsSync(settingsPath)) {
+          try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); } catch {}
+        }
+        // Apply deny rules from governance profile if platforms include claude
+        if (profile.platforms && profile.platforms.includes('claude')) {
+          const { getPermissionProfile } = require('../src/governance');
+          const govProfile = getPermissionProfile(profileArg);
+          if (govProfile && govProfile.deny && govProfile.deny.length > 0) {
+            settings.deny = govProfile.deny;
+          }
+        }
+        // Apply threshold and suppressed checks
+        if (profile.threshold != null) {
+          settings.threshold = profile.threshold;
+        }
+        if (profile.suppressedChecks && profile.suppressedChecks.length > 0) {
+          settings.suppressedChecks = profile.suppressedChecks;
+        }
+        const settingsDir = require('path').dirname(settingsPath);
+        fs.mkdirSync(settingsDir, { recursive: true });
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n', 'utf8');
+
         if (options.json) {
           console.log(JSON.stringify(profile, null, 2));
         } else {
           console.log('');
           console.log(formatProfile(profile));
+          console.log(`\n  Settings applied to ${settingsPath}`);
           console.log('');
         }
         process.exit(0);
@@ -1368,8 +1475,35 @@ async function main() {
         process.exit(1);
       }
     } else if (normalizedCommand === 'synergy-report') {
-      // Placeholder — synergy report is referenced but may not be implemented yet
-      console.log('\n  Synergy report: coming soon.\n');
+      const { formatSynergyReport } = require('../src/synergy/report');
+      const { detectActivePlatforms: detectSynergyPlatforms } = require('../src/harmony/canon');
+      const presentPlatforms = detectSynergyPlatforms(options.dir).map(p => p.platform);
+      if (presentPlatforms.length === 0) {
+        console.log('\n  No platform configurations detected.');
+        console.log('  Run "nerviq harmony-audit" first, or "nerviq setup" to bootstrap a platform.\n');
+        process.exit(0);
+      }
+      const platformAudits = {};
+      const activePlatforms = [];
+      for (const plat of presentPlatforms) {
+        try {
+          const result = await audit({ dir: options.dir, silent: true, platform: plat });
+          if (result && typeof result.score === 'number') {
+            platformAudits[plat] = result;
+            activePlatforms.push(plat);
+          }
+        } catch (_e) { /* platform not available */ }
+      }
+      if (activePlatforms.length === 0) {
+        console.log('\n  No auditable platforms found. Run "nerviq harmony-audit" first.\n');
+        process.exit(0);
+      }
+      const report = formatSynergyReport({ platformAudits, activePlatforms });
+      if (options.json) {
+        console.log(JSON.stringify({ activePlatforms, platformAudits }, null, 2));
+      } else {
+        console.log(report);
+      }
       process.exit(0);
     } else if (normalizedCommand === 'doctor') {
       const { runDoctor } = require('../src/doctor');
@@ -1404,7 +1538,8 @@ async function main() {
       const fixKey = parsed.extraArgs[0] || null;
       const allCritical = flags.includes('--all-critical');
       const promptOnly = flags.includes('--prompt');
-      const autoApply = options.auto || options.dryRun;
+      const autoApply = options.auto;
+      const isDryRun = options.dryRun;
 
       // Step 1: Run silent audit to find failed checks (only actual failures, not skipped/null)
       const auditResult = await audit({ dir: options.dir, silent: true, platform: options.platform });
@@ -1447,6 +1582,13 @@ async function main() {
           for (const entry of denyEntries) {
             if (!settings.permissions.deny.includes(entry)) settings.permissions.deny.push(entry);
           }
+          // Remove overly broad allow:["*"] if present
+          if (Array.isArray(settings.permissions.allow) && settings.permissions.allow.includes('*')) {
+            settings.permissions.allow = settings.permissions.allow.filter(a => a !== '*');
+            if (settings.permissions.allow.length === 0) {
+              delete settings.permissions.allow;
+            }
+          }
           fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf8');
           return true;
         },
@@ -1558,7 +1700,7 @@ async function main() {
       const predictedScore = maxScore > 0 ? Math.round((simulatedEarned / maxScore) * 100) : 0;
       const predictedDelta = predictedScore - preScore;
 
-      if (!autoApply) {
+      if (!autoApply && !isDryRun) {
         console.log('');
         if (allCritical && fixableTargets.length > 1) {
           // Multi-fix summary
@@ -1607,9 +1749,9 @@ async function main() {
       const allCreatedFiles = [];
       const fixResults = []; // { key, name, status, delta }
 
-      if (!options.dryRun && targetKeys.length > 0) {
-        // Snapshot existing files for rollback
-        const snapshotFiles = {};
+      const snapshotFiles = {};
+      if (!isDryRun && targetKeys.length > 0) {
+        // Snapshot existing files for rollback (before applying fixes)
         for (const key of targetKeys) {
           const technique = TECHNIQUES[key];
           if (technique && technique.template && technique.template.path) {
@@ -1619,14 +1761,6 @@ async function main() {
             }
           }
         }
-        const rollbackArtifact = writeRollbackArtifact(options.dir, {
-          sourcePlan: 'fix-batch',
-          preSnapshot: snapshotFiles,
-          createdFiles: [],
-          patchedFiles: Object.keys(snapshotFiles),
-          rollbackInstructions: ['Use nerviq rollback to undo these fixes'],
-        });
-        rollbackId = rollbackArtifact.id;
       }
 
       // Step 3b: Apply fixes sequentially with progress
@@ -1641,7 +1775,7 @@ async function main() {
         const progress = isBatch ? `${i + 1}/${targetKeys.length}: ` : '';
 
         if (technique && technique.template) {
-          if (options.dryRun) {
+          if (isDryRun) {
             console.log(`  [dry-run] Would fix: ${progress}${failedCheck.name} (${key})`);
             fixResults.push({ key, name: failedCheck.name, status: 'dry-run', delta: 0 });
             fixed++;
@@ -1671,7 +1805,7 @@ async function main() {
             }
           }
         } else if (INLINE_FIXERS[key]) {
-          if (options.dryRun) {
+          if (isDryRun) {
             console.log(`  [dry-run] Would fix: ${progress}${failedCheck.name} (${key})`);
             fixResults.push({ key, name: failedCheck.name, status: 'dry-run', delta: 0 });
             fixed++;
@@ -1716,26 +1850,33 @@ async function main() {
       }
 
       // Record accepted patterns for successfully fixed checks
-      if (!options.dryRun) {
+      if (!isDryRun) {
         for (const key of targetKeys) {
           const fr = fixResults.find(r => r.key === key);
           recordPattern(options.dir, key, fr && fr.status === 'fixed' ? 'accepted' : 'rejected');
         }
       }
 
-      // Update rollback artifact with actual created files
-      if (!options.dryRun && rollbackId && allCreatedFiles.length > 0) {
-        const { ensureArtifactDirs } = require('../src/activity');
-        const { rollbackDir } = ensureArtifactDirs(options.dir);
-        const rbFiles = fs.readdirSync(rollbackDir).filter(f => f.includes(rollbackId));
-        if (rbFiles.length > 0) {
-          const rbPath = pathMod.join(rollbackDir, rbFiles[0]);
-          try {
-            const rbData = JSON.parse(fs.readFileSync(rbPath, 'utf8'));
-            rbData.createdFiles = allCreatedFiles;
-            fs.writeFileSync(rbPath, JSON.stringify(rbData, null, 2), 'utf8');
-          } catch { /* best effort */ }
+      // Write rollback artifact AFTER fixes are applied (with actual file lists)
+      if (!isDryRun && targetKeys.length > 0 && fixed > 0) {
+        const allPatchedFiles = Object.keys(snapshotFiles);
+        // Also track inline-fixer patched files
+        for (const fr of fixResults) {
+          if (fr.status === 'fixed' && INLINE_FIXERS[fr.key]) {
+            const inlinePath = fr.key === 'gitIgnoreEnv' ? '.gitignore' : fr.key === 'secretsProtection' ? '.claude/settings.json' : null;
+            if (inlinePath && !allPatchedFiles.includes(inlinePath)) {
+              allPatchedFiles.push(inlinePath);
+            }
+          }
         }
+        const rollbackArtifact = writeRollbackArtifact(options.dir, {
+          sourcePlan: 'fix-batch',
+          preSnapshot: snapshotFiles,
+          createdFiles: allCreatedFiles,
+          patchedFiles: allPatchedFiles,
+          rollbackInstructions: ['Use nerviq rollback to undo these fixes'],
+        });
+        rollbackId = rollbackArtifact.id;
       }
 
       // Step 4: Show batch summary or simple score impact
@@ -1751,10 +1892,10 @@ async function main() {
         const totalDelta = runningScore - preScore;
         console.log('');
         console.log(`  Score: ${preScore} → ${runningScore} (${totalDelta >= 0 ? '+' : ''}${totalDelta})`);
-        if (rollbackId && !options.dryRun) {
+        if (rollbackId && !isDryRun) {
           console.log(`  Rollback available: nerviq rollback --id ${rollbackId}`);
         }
-      } else if (fixed > 0 && !options.dryRun) {
+      } else if (fixed > 0 && !isDryRun) {
         const postResult = await audit({ dir: options.dir, silent: true, platform: options.platform });
         const delta = postResult.score - preScore;
         console.log('');
@@ -1791,6 +1932,16 @@ async function main() {
         process.exit(0);
       }
       const result = await audit(options);
+      if (options.out) {
+        const fs = require('fs');
+        const path = require('path');
+        const outPath = path.resolve(options.out);
+        fs.mkdirSync(path.dirname(outPath), { recursive: true });
+        fs.writeFileSync(outPath, JSON.stringify(result, null, 2), 'utf8');
+        if (!options.json) {
+          console.log(`\n  Audit report written to ${options.out}\n`);
+        }
+      }
       if (options.webhookUrl) {
         try {
           const { sendWebhook, formatSlackMessage } = require('../src/integrations');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nerviq/cli",
-  "version": "1.8.7",
+  "version": "1.8.9",
   "description": "The intelligent nervous system for AI coding agents — 2,431 checks (8 platforms × ~300 governance rules), 10 languages, 62 domain packs. Audit, align, and amplify.",
   "main": "src/index.js",
   "bin": {

package/src/benchmark.js

@@ -321,9 +321,13 @@ function printBenchmark(report, options = {}) {
   console.log('  ═══════════════════════════════════════');
   console.log('  Runs in an isolated temp copy. Your current repo is not modified.');
   console.log('');
-  console.log(`  Before:  ${report.before.score}/100 (organic ${report.before.organicScore}/100)`);
-  console.log(`  After:   ${report.after.score}/100 (organic ${report.after.organicScore}/100)`);
-  console.log(`  Delta:   score ${report.delta.score >= 0 ? '+' : ''}${report.delta.score}, organic ${report.delta.organicScore >= 0 ? '+' : ''}${report.delta.organicScore}`);
+  const orgDeltaSign = report.delta.organicScore >= 0 ? '+' : '';
+  const totalDeltaSign = report.delta.score >= 0 ? '+' : '';
+  console.log(`  Organic improvement: \x1b[1m${orgDeltaSign}${report.delta.organicScore} points\x1b[0m (your actual config quality)`);
+  console.log(`  Total with nerviq setup: ${totalDeltaSign}${report.delta.score} points`);
+  console.log('');
+  console.log(`  Before:  organic ${report.before.organicScore}/100, total ${report.before.score}/100`);
+  console.log(`  After:   organic ${report.after.organicScore}/100, total ${report.after.score}/100`);
   console.log('');
   console.log(`  ${report.executiveSummary.headline}`);
   console.log(`  Recommendation: ${report.executiveSummary.decisionGuidance}`);

package/src/certification.js

@@ -37,10 +37,14 @@ async function certifyProject(dir) {
 
   // Run per-platform audits
   const platformScores = {};
+  const allAuditResults = [];
   for (const platform of platforms) {
     try {
       const result = await audit({ dir: resolvedDir, platform, silent: true });
       platformScores[platform] = result.score;
+      if (Array.isArray(result.results)) {
+        allAuditResults.push(...result.results);
+      }
     } catch {
       platformScores[platform] = 0;
     }
@@ -55,18 +59,36 @@ async function certifyProject(dir) {
     harmonyScore = 0;
   }
 
-  // Determine certification level
+  // Determine certification level with security gates
   const scores = Object.values(platformScores);
   const allAbove70 = scores.length > 0 && scores.every(s => s >= 70);
   const allAbove50 = scores.length > 0 && scores.every(s => s >= 50);
   const anyAbove40 = scores.some(s => s >= 40);
 
+  // Security gate helpers — check whether specific audit checks passed
+  const checkPassed = (key) => {
+    const match = allAuditResults.find(r => r.key === key);
+    return match ? match.passed === true : false;
+  };
+
+  const gitIgnoreOk = checkPassed('gitIgnoreEnv');
+  const secretsOk = checkPassed('secretsProtection');
+  const criticalAntiPatterns = allAuditResults.filter(
+    r => r.passed === false && r.impact === 'critical'
+  );
+  const noCriticalAntiPatterns = criticalAntiPatterns.length === 0;
+
+  // Bronze gate: score >= 40 AND basic security (gitignore + secrets protection)
+  const bronzeSecurityGate = gitIgnoreOk && secretsOk;
+  // Silver gate: Bronze requirements AND no critical anti-patterns
+  const silverSecurityGate = bronzeSecurityGate && noCriticalAntiPatterns;
+
   let level;
-  if (harmonyScore >= 80 && allAbove70) {
+  if (harmonyScore >= 80 && allAbove70 && silverSecurityGate) {
     level = LEVELS.GOLD;
-  } else if (harmonyScore >= 60 && allAbove50) {
+  } else if (harmonyScore >= 60 && allAbove50 && silverSecurityGate) {
     level = LEVELS.SILVER;
-  } else if (anyAbove40) {
+  } else if (anyAbove40 && bronzeSecurityGate) {
     level = LEVELS.BRONZE;
   } else {
     level = LEVELS.NONE;
@@ -80,6 +102,12 @@ async function certifyProject(dir) {
     platformScores,
     platforms,
     badge,
+    securityGates: {
+      gitIgnoreEnv: gitIgnoreOk,
+      secretsProtection: secretsOk,
+      noCriticalAntiPatterns,
+      criticalAntiPatternCount: criticalAntiPatterns.length,
+    },
   };
 }
 

package/src/context.js

@@ -185,12 +185,38 @@ class ProjectContext {
     return deps;
   }
 
+  /**
+   * Recursively check if a file or directory name exists anywhere under a given base directory.
+   * Searches up to maxDepth levels deep.
+   */
+  _findInSubdirs(name, baseDir, maxDepth = 3) {
+    if (maxDepth <= 0) return false;
+    try {
+      const entries = fs.readdirSync(baseDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.name === 'node_modules' || entry.name === '__pycache__' || entry.name === '.git') continue;
+        if (entry.name === name || entry.name.endsWith(name)) return true;
+        if (entry.isDirectory()) {
+          if (this._findInSubdirs(name, path.join(baseDir, entry.name), maxDepth - 1)) return true;
+        }
+      }
+    } catch {
+      // directory not readable
+    }
+    return false;
+  }
+
   detectStacks(STACKS) {
     const detected = [];
     for (const [key, stack] of Object.entries(STACKS)) {
-      const hasFile = stack.files.some(f => {
+      // Check root-level files first (fast path)
+      let hasFile = stack.files.some(f => {
         return this.files.some(pf => pf.startsWith(f));
       });
+      // If not found at root, search subdirectories (up to 3 levels deep)
+      if (!hasFile) {
+        hasFile = stack.files.some(f => this._findInSubdirs(f, this.dir));
+      }
       if (!hasFile) continue;
 
       let contentMatch = true;

package/src/convert.js

@@ -98,7 +98,7 @@ function readSourceConfig(dir, from) {
           if (descMatch) desc = descMatch[1].trim();
         }
         canonical.rules.push({
-          name: file.replace('.mdc', ''),
+          name: file.replace(/\.(mdc|md|txt)$/i, ''),
           content,
           alwaysOn,
           glob,
@@ -165,7 +165,11 @@ function readSourceConfig(dir, from) {
 
 function buildTargetOutput(canonical, to, { dryRun = false } = {}) {
   const outputs = [];  // Array of { path, content }
-  const combinedContent = canonical.rules.map(r => r.content).join('\n\n');
+  // Strip MDC frontmatter from rule content for non-cursor targets to prevent leaking
+  const stripFrontmatter = (text) => text.replace(/^---[\s\S]*?---\n/m, '').trim();
+  const combinedContent = to === 'cursor'
+    ? canonical.rules.map(r => r.content).join('\n\n')
+    : canonical.rules.map(r => stripFrontmatter(r.content)).join('\n\n');
 
   if (to === 'claude') {
     // Extract or create CLAUDE.md from combined rules

package/src/governance.js

@@ -55,7 +55,7 @@ const HOOK_REGISTRY = [
     key: 'protect-secrets',
     file: '.claude/hooks/protect-secrets.sh',
     triggerPoint: 'PreToolUse',
-    matcher: 'Read|Write|Edit',
+    matcher: 'Read|Write|Edit|Bash',
     purpose: 'Blocks direct access to secret or credential files before a tool runs.',
     filesTouched: [],
     sideEffects: ['Stops the action and returns a block decision when a secret path is targeted.'],
@@ -322,7 +322,7 @@ function buildHookConfig(hookFiles, profileKey) {
   const secretsFile = uniqueFiles.find(isSecrets);
   if (secretsFile) {
     hookConfig.PreToolUse = [{
-      matcher: 'Read|Write|Edit',
+      matcher: 'Read|Write|Edit|Bash',
       hooks: [{
         type: 'command',
         command: hookCommand(secretsFile),

package/src/mcp-server.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 /**
  * Nerviq MCP Server
  *

package/src/server.js

@@ -18,6 +18,10 @@ const SUPPORTED_PLATFORMS = new Set([
   'opencode',
 ]);
 
+function envelope(data) {
+  return { data, meta: { version, timestamp: new Date().toISOString() } };
+}
+
 function sendJson(res, statusCode, payload) {
   const body = JSON.stringify(payload, null, 2);
   res.writeHead(statusCode, {
@@ -57,6 +61,11 @@ function createServer(options = {}) {
   const baseDir = path.resolve(options.baseDir || process.cwd());
 
   return http.createServer(async (req, res) => {
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
+
     const requestUrl = new URL(req.url || '/', 'http://127.0.0.1');
 
     if (req.method !== 'GET') {
@@ -66,16 +75,16 @@ function createServer(options = {}) {
 
     try {
       if (requestUrl.pathname === '/api/health') {
-        sendJson(res, 200, {
+        sendJson(res, 200, envelope({
           status: 'ok',
           version,
           checks: getCatalog().length,
-        });
+        }));
         return;
       }
 
       if (requestUrl.pathname === '/api/catalog') {
-        sendJson(res, 200, getCatalog());
+        sendJson(res, 200, envelope(getCatalog()));
         return;
       }
 
@@ -83,14 +92,14 @@ function createServer(options = {}) {
         const dir = resolveRequestDir(baseDir, requestUrl.searchParams.get('dir'));
         const platform = normalizePlatform(requestUrl.searchParams.get('platform'));
         const result = await audit({ dir, platform, silent: true });
-        sendJson(res, 200, result);
+        sendJson(res, 200, envelope(result));
         return;
       }
 
       if (requestUrl.pathname === '/api/harmony') {
         const dir = resolveRequestDir(baseDir, requestUrl.searchParams.get('dir'));
         const result = await harmonyAudit({ dir, silent: true });
-        sendJson(res, 200, result);
+        sendJson(res, 200, envelope(result));
         return;
       }
 

package/src/setup.js

@@ -10,6 +10,7 @@ const { ProjectContext } = require('./context');
 const { audit } = require('./audit');
 const { buildSettingsForProfile } = require('./governance');
 const { getMcpPackPreflight } = require('./mcp-packs');
+const { writeRollbackArtifact } = require('./activity');
 const { setupCodex } = require('./codex/setup');
 
 // ============================================================
@@ -797,20 +798,27 @@ try {
 } catch (e) { /* linter not available or failed - non-blocking */ }
 `,
     'protect-secrets.js': `#!/usr/bin/env node
-// PreToolUse hook - blocks reads of secret files
+// PreToolUse hook - blocks reads of secret files (Read/Write/Edit AND Bash)
 let input = '';
 process.stdin.on('data', d => input += d);
 process.stdin.on('end', () => {
   try {
     const data = JSON.parse(input);
+    // Check file_path (for Read/Write/Edit)
     const fp = (data.tool_input && data.tool_input.file_path) || '';
-    if (/\\.env$|\\.env\\.|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i.test(fp)) {
+    // Check command (for Bash)
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    const secretPattern = /\\.env($|\\.)|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i;
+    const bashSecretPattern = /\\bcat\\s+\\.env|\\bless\\s+\\.env|\\bhead\\s+\\.env|\\btail\\s+\\.env|\\bgrep\\b.*\\.env|\\bcp\\s+\\.env|\\bmv\\s+\\.env|\\bbase64\\s+\\.env|\\bxxd\\s+\\.env|secrets\\/|credentials|\\.pem\\b|\\.key\\b/i;
+
+    if (secretPattern.test(fp) || bashSecretPattern.test(cmd)) {
       console.log(JSON.stringify({ decision: 'block', reason: 'Blocked: accessing secret/credential files is not allowed.' }));
     } else {
       console.log(JSON.stringify({ decision: 'allow' }));
     }
   } catch (e) {
-    console.log(JSON.stringify({ decision: 'allow' }));
+    console.log(JSON.stringify({ decision: 'block', reason: 'Hook error - blocking for safety' }));
   }
 });
 `,
@@ -1062,7 +1070,14 @@ Prepare a release candidate for: $ARGUMENTS
 - Mock external dependencies, not internal logic
 - Include both happy path and edge case tests
 `;
-    rules['repository.md'] = `When changing release, packaging, or workflow files:
+    rules['repository.md'] = hasPython
+      ? `When changing release, packaging, or workflow files:
+- Keep pyproject.toml (or requirements.txt), CHANGELOG.md, README.md, and docs in sync
+- Prefer tagged release references over floating branch references in public docs
+- Preserve backward compatibility in CLI flags where practical
+- Any automation that writes files must document rollback expectations
+`
+      : `When changing release, packaging, or workflow files:
 - Keep package.json, CHANGELOG.md, README.md, and docs in sync
 - Prefer tagged release references over floating branch references in public docs
 - Preserve backward compatibility in CLI flags where practical
@@ -1115,6 +1130,18 @@ async function setup(options) {
   if (options.platform === 'codex') {
     return setupCodex(options);
   }
+  if (options.platform === 'windsurf') {
+    const { setupWindsurf } = require('./windsurf/setup');
+    return setupWindsurf(options);
+  }
+  if (options.platform === 'aider') {
+    const { setupAider } = require('./aider/setup');
+    return setupAider(options);
+  }
+  if (options.platform === 'cursor') {
+    const { setupCursor } = require('./cursor/setup');
+    return setupCursor(options);
+  }
 
   const ctx = new ProjectContext(options.dir);
   const stacks = ctx.detectStacks(STACKS);
@@ -1124,6 +1151,17 @@ async function setup(options) {
   const mcpPreflightWarnings = getMcpPackPreflight(options.mcpPacks || [])
     .filter(item => item.missingEnvVars.length > 0);
 
+  // Snapshot settings.json before any changes for rollback support
+  const settingsPathForSnapshot = path.join(options.dir, '.claude/settings.json');
+  let settingsSnapshotBefore = null;
+  if (fs.existsSync(settingsPathForSnapshot)) {
+    try {
+      settingsSnapshotBefore = fs.readFileSync(settingsPathForSnapshot, 'utf8');
+    } catch (_) {
+      // Ignore read errors
+    }
+  }
+
   function log(message = '') {
     if (!silent) {
       console.log(message);
@@ -1218,21 +1256,50 @@ async function setup(options) {
     }
   }
 
-  // Auto-register hooks in settings if hooks were created but no settings exist
+  // Auto-register hooks in settings — always merge hooks into settings.json
   const hooksDir = path.join(options.dir, '.claude/hooks');
   const settingsPath = path.join(options.dir, '.claude/settings.json');
-  if (fs.existsSync(hooksDir) && !fs.existsSync(settingsPath)) {
+  if (fs.existsSync(hooksDir)) {
     const hookFiles = fs.readdirSync(hooksDir).filter(f => f.endsWith('.sh') || f.endsWith('.js'));
     if (hookFiles.length > 0) {
-      const settings = buildSettingsForProfile({
+      const newSettings = buildSettingsForProfile({
         profileKey: options.profile || 'safe-write',
         hookFiles,
         mcpPackKeys: options.mcpPacks || [],
       });
-      fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), 'utf8');
-      writtenFiles.push('.claude/settings.json');
-      log(`  \x1b[32m✅\x1b[0m Created .claude/settings.json (hooks registered)`);
-      created++;
+      // Merge new settings into existing settings.json, preserving all fields
+      let existingSettings = {};
+      if (fs.existsSync(settingsPath)) {
+        try {
+          existingSettings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+        } catch (_) {
+          // If settings.json is malformed, start fresh
+          existingSettings = {};
+        }
+      }
+      // Merge all fields from newSettings into existing, preserving existing values
+      if (newSettings.hooks) existingSettings.hooks = newSettings.hooks;
+      if (newSettings.permissions) {
+        existingSettings.permissions = existingSettings.permissions || {};
+        // MERGE deny rules: keep existing + add new (deduplicate)
+        const existingDeny = existingSettings.permissions.deny || [];
+        const newDeny = newSettings.permissions.deny || [];
+        existingSettings.permissions.deny = [...new Set([...existingDeny, ...newDeny])];
+        // Only set defaultMode if not already set
+        if (!existingSettings.permissions.defaultMode && newSettings.permissions.defaultMode) {
+          existingSettings.permissions.defaultMode = newSettings.permissions.defaultMode;
+        }
+      }
+      if (newSettings.mcpServers) existingSettings.mcpServers = { ...existingSettings.mcpServers, ...newSettings.mcpServers };
+      if (newSettings.nerviqSetup) existingSettings.nerviqSetup = { ...existingSettings.nerviqSetup, ...newSettings.nerviqSetup };
+      fs.writeFileSync(settingsPath, JSON.stringify(existingSettings, null, 2), 'utf8');
+      if (!writtenFiles.includes('.claude/settings.json') && !preservedFiles.includes('.claude/settings.json')) {
+        writtenFiles.push('.claude/settings.json');
+        log(`  \x1b[32m✅\x1b[0m Updated .claude/settings.json (hooks registered)`);
+        created++;
+      } else {
+        log(`  \x1b[32m✅\x1b[0m Merged hooks into existing .claude/settings.json`);
+      }
     }
   }
 
@@ -1264,6 +1331,29 @@ async function setup(options) {
   log('  Run \x1b[1mnpx nerviq audit\x1b[0m to check your score.');
   log('');
 
+  // Write rollback artifact so setup can be undone
+  let rollbackId = null;
+  if (writtenFiles.length > 0) {
+    const patchedFiles = [];
+    // If settings.json was modified (not newly created), record the before-snapshot
+    if (settingsSnapshotBefore !== null && writtenFiles.includes('.claude/settings.json')) {
+      patchedFiles.push({
+        file: '.claude/settings.json',
+        before: settingsSnapshotBefore,
+      });
+    }
+    const rollbackArtifact = writeRollbackArtifact(options.dir, {
+      sourcePlan: 'setup',
+      createdFiles: writtenFiles.filter(f => {
+        // Exclude patched files from createdFiles list
+        return !patchedFiles.some(p => p.file === f);
+      }),
+      patchedFiles,
+      rollbackInstructions: ['Use nerviq rollback to undo this setup'],
+    });
+    rollbackId = rollbackArtifact.id;
+  }
+
   return {
     created,
     skipped,
@@ -1271,6 +1361,7 @@ async function setup(options) {
     preservedFiles,
     stacks,
     mcpPreflightWarnings,
+    rollbackId,
   };
 }
 

package/src/techniques.js

@@ -759,7 +759,11 @@ const TECHNIQUES = {
       const settings = ctx.jsonFile('.claude/settings.json') || ctx.jsonFile('.claude/settings.local.json');
       if (!settings || !settings.permissions) return false;
       const deny = JSON.stringify(settings.permissions.deny || []);
-      return deny.includes('.env') || deny.includes('secrets');
+      const hasDeny = deny.includes('.env') || deny.includes('secrets');
+      // Fail if allow includes "*" (overly broad — bypasses deny rules)
+      const allow = settings.permissions.allow || [];
+      if (Array.isArray(allow) && allow.includes('*')) return false;
+      return hasDeny;
     },
     impact: 'critical',
     rating: 5,
@@ -5474,7 +5478,7 @@ const STACKS = {
   ruby: { files: ['Gemfile'], content: {}, label: 'Ruby' },
   java: { files: ['pom.xml'], content: {}, label: 'Java' },
   kotlin: { files: ['build.gradle.kts'], content: {}, label: 'Kotlin' },
-  swift: { files: ['Package.swift'], content: {}, label: 'Swift' },
+  swift: { files: ['Package.swift', '.xcodeproj'], content: {}, label: 'Swift' },
   terraform: { files: ['main.tf', 'terraform'], content: {}, label: 'Terraform' },
   kubernetes: { files: ['k8s', 'kubernetes', 'helm'], content: {}, label: 'Kubernetes' },
   cpp: { files: ['CMakeLists.txt', 'Makefile', '.clang-format'], content: {}, label: 'C++' },