@nerviq/cli 1.8.8 → 1.8.9

package/bin/cli.js

@@ -308,6 +308,7 @@ function printScanDetail(summary, options) {
 
     // Show per-category breakdown if result is available
     if (item.result && item.result.results) {
+      const STACK_LANGUAGES = new Set(['python', 'go', 'rust', 'java', 'ruby', 'dotnet', 'php', 'flutter', 'swift', 'kotlin']);
       const categories = {};
       for (const r of item.result.results) {
         const cat = r.category || 'other';
@@ -315,7 +316,9 @@ function printScanDetail(summary, options) {
         categories[cat].total++;
         if (r.passed) categories[cat].passed++;
       }
-      const catEntries = Object.entries(categories).sort((a, b) => (a[1].passed / a[1].total) - (b[1].passed / b[1].total));
+      const catEntries = Object.entries(categories)
+        .filter(([cat, v]) => v.passed > 0 || !STACK_LANGUAGES.has(cat))
+        .sort((a, b) => (a[1].passed / a[1].total) - (b[1].passed / b[1].total));
       const catLine = catEntries.map(([cat, v]) => `${cat}: ${v.passed}/${v.total}`).join('  ');
       console.log(`    \x1b[2m${catLine}\x1b[0m`);
     }
@@ -1402,7 +1405,21 @@ async function main() {
           console.error('\n  Error: Profile name required. Usage: nerviq profile load <name>\n');
           process.exit(1);
         }
-        const profile = loadProfile(options.dir, profileArg);
+        let profile;
+        try {
+          profile = loadProfile(options.dir, profileArg);
+        } catch {
+          // Not found as a user-saved profile — try built-in governance profiles
+          const { getPermissionProfile } = require('../src/governance');
+          const builtIn = getPermissionProfile(profileArg);
+          if (builtIn && builtIn.key === profileArg) {
+            profile = { name: builtIn.label, platforms: ['claude'], threshold: builtIn.threshold || 0, ...builtIn };
+          }
+        }
+        if (!profile) {
+          console.error(`\n  Error: Profile '${profileArg}' not found. Run 'nerviq profile list' to see available profiles.\n`);
+          process.exit(1);
+        }
 
         // Apply profile settings to .claude/settings.json
         const fs = require('fs');
@@ -1458,8 +1475,35 @@ async function main() {
         process.exit(1);
       }
     } else if (normalizedCommand === 'synergy-report') {
-      // Placeholder — synergy report is referenced but may not be implemented yet
-      console.log('\n  Synergy report: coming soon.\n');
+      const { formatSynergyReport } = require('../src/synergy/report');
+      const { detectActivePlatforms: detectSynergyPlatforms } = require('../src/harmony/canon');
+      const presentPlatforms = detectSynergyPlatforms(options.dir).map(p => p.platform);
+      if (presentPlatforms.length === 0) {
+        console.log('\n  No platform configurations detected.');
+        console.log('  Run "nerviq harmony-audit" first, or "nerviq setup" to bootstrap a platform.\n');
+        process.exit(0);
+      }
+      const platformAudits = {};
+      const activePlatforms = [];
+      for (const plat of presentPlatforms) {
+        try {
+          const result = await audit({ dir: options.dir, silent: true, platform: plat });
+          if (result && typeof result.score === 'number') {
+            platformAudits[plat] = result;
+            activePlatforms.push(plat);
+          }
+        } catch (_e) { /* platform not available */ }
+      }
+      if (activePlatforms.length === 0) {
+        console.log('\n  No auditable platforms found. Run "nerviq harmony-audit" first.\n');
+        process.exit(0);
+      }
+      const report = formatSynergyReport({ platformAudits, activePlatforms });
+      if (options.json) {
+        console.log(JSON.stringify({ activePlatforms, platformAudits }, null, 2));
+      } else {
+        console.log(report);
+      }
       process.exit(0);
     } else if (normalizedCommand === 'doctor') {
       const { runDoctor } = require('../src/doctor');
@@ -1888,6 +1932,16 @@ async function main() {
         process.exit(0);
       }
       const result = await audit(options);
+      if (options.out) {
+        const fs = require('fs');
+        const path = require('path');
+        const outPath = path.resolve(options.out);
+        fs.mkdirSync(path.dirname(outPath), { recursive: true });
+        fs.writeFileSync(outPath, JSON.stringify(result, null, 2), 'utf8');
+        if (!options.json) {
+          console.log(`\n  Audit report written to ${options.out}\n`);
+        }
+      }
       if (options.webhookUrl) {
         try {
           const { sendWebhook, formatSlackMessage } = require('../src/integrations');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nerviq/cli",
-  "version": "1.8.8",
+  "version": "1.8.9",
   "description": "The intelligent nervous system for AI coding agents — 2,431 checks (8 platforms × ~300 governance rules), 10 languages, 62 domain packs. Audit, align, and amplify.",
   "main": "src/index.js",
   "bin": {

package/src/benchmark.js

@@ -321,9 +321,13 @@ function printBenchmark(report, options = {}) {
   console.log('  ═══════════════════════════════════════');
   console.log('  Runs in an isolated temp copy. Your current repo is not modified.');
   console.log('');
-  console.log(`  Before:  ${report.before.score}/100 (organic ${report.before.organicScore}/100)`);
-  console.log(`  After:   ${report.after.score}/100 (organic ${report.after.organicScore}/100)`);
-  console.log(`  Delta:   score ${report.delta.score >= 0 ? '+' : ''}${report.delta.score}, organic ${report.delta.organicScore >= 0 ? '+' : ''}${report.delta.organicScore}`);
+  const orgDeltaSign = report.delta.organicScore >= 0 ? '+' : '';
+  const totalDeltaSign = report.delta.score >= 0 ? '+' : '';
+  console.log(`  Organic improvement: \x1b[1m${orgDeltaSign}${report.delta.organicScore} points\x1b[0m (your actual config quality)`);
+  console.log(`  Total with nerviq setup: ${totalDeltaSign}${report.delta.score} points`);
+  console.log('');
+  console.log(`  Before:  organic ${report.before.organicScore}/100, total ${report.before.score}/100`);
+  console.log(`  After:   organic ${report.after.organicScore}/100, total ${report.after.score}/100`);
   console.log('');
   console.log(`  ${report.executiveSummary.headline}`);
   console.log(`  Recommendation: ${report.executiveSummary.decisionGuidance}`);

package/src/certification.js

@@ -37,10 +37,14 @@ async function certifyProject(dir) {
 
   // Run per-platform audits
   const platformScores = {};
+  const allAuditResults = [];
   for (const platform of platforms) {
     try {
       const result = await audit({ dir: resolvedDir, platform, silent: true });
       platformScores[platform] = result.score;
+      if (Array.isArray(result.results)) {
+        allAuditResults.push(...result.results);
+      }
     } catch {
       platformScores[platform] = 0;
     }
@@ -55,18 +59,36 @@ async function certifyProject(dir) {
     harmonyScore = 0;
   }
 
-  // Determine certification level
+  // Determine certification level with security gates
   const scores = Object.values(platformScores);
   const allAbove70 = scores.length > 0 && scores.every(s => s >= 70);
   const allAbove50 = scores.length > 0 && scores.every(s => s >= 50);
   const anyAbove40 = scores.some(s => s >= 40);
 
+  // Security gate helpers — check whether specific audit checks passed
+  const checkPassed = (key) => {
+    const match = allAuditResults.find(r => r.key === key);
+    return match ? match.passed === true : false;
+  };
+
+  const gitIgnoreOk = checkPassed('gitIgnoreEnv');
+  const secretsOk = checkPassed('secretsProtection');
+  const criticalAntiPatterns = allAuditResults.filter(
+    r => r.passed === false && r.impact === 'critical'
+  );
+  const noCriticalAntiPatterns = criticalAntiPatterns.length === 0;
+
+  // Bronze gate: score >= 40 AND basic security (gitignore + secrets protection)
+  const bronzeSecurityGate = gitIgnoreOk && secretsOk;
+  // Silver gate: Bronze requirements AND no critical anti-patterns
+  const silverSecurityGate = bronzeSecurityGate && noCriticalAntiPatterns;
+
   let level;
-  if (harmonyScore >= 80 && allAbove70) {
+  if (harmonyScore >= 80 && allAbove70 && silverSecurityGate) {
     level = LEVELS.GOLD;
-  } else if (harmonyScore >= 60 && allAbove50) {
+  } else if (harmonyScore >= 60 && allAbove50 && silverSecurityGate) {
     level = LEVELS.SILVER;
-  } else if (anyAbove40) {
+  } else if (anyAbove40 && bronzeSecurityGate) {
     level = LEVELS.BRONZE;
   } else {
     level = LEVELS.NONE;
@@ -80,6 +102,12 @@ async function certifyProject(dir) {
     platformScores,
     platforms,
     badge,
+    securityGates: {
+      gitIgnoreEnv: gitIgnoreOk,
+      secretsProtection: secretsOk,
+      noCriticalAntiPatterns,
+      criticalAntiPatternCount: criticalAntiPatterns.length,
+    },
   };
 }
 

package/src/governance.js

@@ -55,7 +55,7 @@ const HOOK_REGISTRY = [
     key: 'protect-secrets',
     file: '.claude/hooks/protect-secrets.sh',
     triggerPoint: 'PreToolUse',
-    matcher: 'Read|Write|Edit',
+    matcher: 'Read|Write|Edit|Bash',
     purpose: 'Blocks direct access to secret or credential files before a tool runs.',
     filesTouched: [],
     sideEffects: ['Stops the action and returns a block decision when a secret path is targeted.'],
@@ -322,7 +322,7 @@ function buildHookConfig(hookFiles, profileKey) {
   const secretsFile = uniqueFiles.find(isSecrets);
   if (secretsFile) {
     hookConfig.PreToolUse = [{
-      matcher: 'Read|Write|Edit',
+      matcher: 'Read|Write|Edit|Bash',
       hooks: [{
         type: 'command',
         command: hookCommand(secretsFile),

package/src/mcp-server.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 /**
  * Nerviq MCP Server
  *

package/src/server.js

@@ -18,6 +18,10 @@ const SUPPORTED_PLATFORMS = new Set([
   'opencode',
 ]);
 
+function envelope(data) {
+  return { data, meta: { version, timestamp: new Date().toISOString() } };
+}
+
 function sendJson(res, statusCode, payload) {
   const body = JSON.stringify(payload, null, 2);
   res.writeHead(statusCode, {
@@ -57,6 +61,11 @@ function createServer(options = {}) {
   const baseDir = path.resolve(options.baseDir || process.cwd());
 
   return http.createServer(async (req, res) => {
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
+
     const requestUrl = new URL(req.url || '/', 'http://127.0.0.1');
 
     if (req.method !== 'GET') {
@@ -66,16 +75,16 @@ function createServer(options = {}) {
 
     try {
       if (requestUrl.pathname === '/api/health') {
-        sendJson(res, 200, {
+        sendJson(res, 200, envelope({
           status: 'ok',
           version,
           checks: getCatalog().length,
-        });
+        }));
         return;
       }
 
       if (requestUrl.pathname === '/api/catalog') {
-        sendJson(res, 200, getCatalog());
+        sendJson(res, 200, envelope(getCatalog()));
         return;
       }
 
@@ -83,14 +92,14 @@ function createServer(options = {}) {
         const dir = resolveRequestDir(baseDir, requestUrl.searchParams.get('dir'));
         const platform = normalizePlatform(requestUrl.searchParams.get('platform'));
         const result = await audit({ dir, platform, silent: true });
-        sendJson(res, 200, result);
+        sendJson(res, 200, envelope(result));
         return;
       }
 
       if (requestUrl.pathname === '/api/harmony') {
         const dir = resolveRequestDir(baseDir, requestUrl.searchParams.get('dir'));
         const result = await harmonyAudit({ dir, silent: true });
-        sendJson(res, 200, result);
+        sendJson(res, 200, envelope(result));
         return;
       }
 

package/src/setup.js

@@ -10,6 +10,7 @@ const { ProjectContext } = require('./context');
 const { audit } = require('./audit');
 const { buildSettingsForProfile } = require('./governance');
 const { getMcpPackPreflight } = require('./mcp-packs');
+const { writeRollbackArtifact } = require('./activity');
 const { setupCodex } = require('./codex/setup');
 
 // ============================================================
@@ -797,14 +798,21 @@ try {
 } catch (e) { /* linter not available or failed - non-blocking */ }
 `,
     'protect-secrets.js': `#!/usr/bin/env node
-// PreToolUse hook - blocks reads of secret files
+// PreToolUse hook - blocks reads of secret files (Read/Write/Edit AND Bash)
 let input = '';
 process.stdin.on('data', d => input += d);
 process.stdin.on('end', () => {
   try {
     const data = JSON.parse(input);
+    // Check file_path (for Read/Write/Edit)
     const fp = (data.tool_input && data.tool_input.file_path) || '';
-    if (/\\.env$|\\.env\\.|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i.test(fp)) {
+    // Check command (for Bash)
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    const secretPattern = /\\.env($|\\.)|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i;
+    const bashSecretPattern = /\\bcat\\s+\\.env|\\bless\\s+\\.env|\\bhead\\s+\\.env|\\btail\\s+\\.env|\\bgrep\\b.*\\.env|\\bcp\\s+\\.env|\\bmv\\s+\\.env|\\bbase64\\s+\\.env|\\bxxd\\s+\\.env|secrets\\/|credentials|\\.pem\\b|\\.key\\b/i;
+
+    if (secretPattern.test(fp) || bashSecretPattern.test(cmd)) {
       console.log(JSON.stringify({ decision: 'block', reason: 'Blocked: accessing secret/credential files is not allowed.' }));
     } else {
       console.log(JSON.stringify({ decision: 'allow' }));
@@ -1143,6 +1151,17 @@ async function setup(options) {
   const mcpPreflightWarnings = getMcpPackPreflight(options.mcpPacks || [])
     .filter(item => item.missingEnvVars.length > 0);
 
+  // Snapshot settings.json before any changes for rollback support
+  const settingsPathForSnapshot = path.join(options.dir, '.claude/settings.json');
+  let settingsSnapshotBefore = null;
+  if (fs.existsSync(settingsPathForSnapshot)) {
+    try {
+      settingsSnapshotBefore = fs.readFileSync(settingsPathForSnapshot, 'utf8');
+    } catch (_) {
+      // Ignore read errors
+    }
+  }
+
   function log(message = '') {
     if (!silent) {
       console.log(message);
@@ -1260,7 +1279,17 @@ async function setup(options) {
       }
       // Merge all fields from newSettings into existing, preserving existing values
       if (newSettings.hooks) existingSettings.hooks = newSettings.hooks;
-      if (newSettings.permissions) existingSettings.permissions = { ...existingSettings.permissions, ...newSettings.permissions };
+      if (newSettings.permissions) {
+        existingSettings.permissions = existingSettings.permissions || {};
+        // MERGE deny rules: keep existing + add new (deduplicate)
+        const existingDeny = existingSettings.permissions.deny || [];
+        const newDeny = newSettings.permissions.deny || [];
+        existingSettings.permissions.deny = [...new Set([...existingDeny, ...newDeny])];
+        // Only set defaultMode if not already set
+        if (!existingSettings.permissions.defaultMode && newSettings.permissions.defaultMode) {
+          existingSettings.permissions.defaultMode = newSettings.permissions.defaultMode;
+        }
+      }
       if (newSettings.mcpServers) existingSettings.mcpServers = { ...existingSettings.mcpServers, ...newSettings.mcpServers };
       if (newSettings.nerviqSetup) existingSettings.nerviqSetup = { ...existingSettings.nerviqSetup, ...newSettings.nerviqSetup };
       fs.writeFileSync(settingsPath, JSON.stringify(existingSettings, null, 2), 'utf8');
@@ -1302,6 +1331,29 @@ async function setup(options) {
   log('  Run \x1b[1mnpx nerviq audit\x1b[0m to check your score.');
   log('');
 
+  // Write rollback artifact so setup can be undone
+  let rollbackId = null;
+  if (writtenFiles.length > 0) {
+    const patchedFiles = [];
+    // If settings.json was modified (not newly created), record the before-snapshot
+    if (settingsSnapshotBefore !== null && writtenFiles.includes('.claude/settings.json')) {
+      patchedFiles.push({
+        file: '.claude/settings.json',
+        before: settingsSnapshotBefore,
+      });
+    }
+    const rollbackArtifact = writeRollbackArtifact(options.dir, {
+      sourcePlan: 'setup',
+      createdFiles: writtenFiles.filter(f => {
+        // Exclude patched files from createdFiles list
+        return !patchedFiles.some(p => p.file === f);
+      }),
+      patchedFiles,
+      rollbackInstructions: ['Use nerviq rollback to undo this setup'],
+    });
+    rollbackId = rollbackArtifact.id;
+  }
+
   return {
     created,
     skipped,
@@ -1309,6 +1361,7 @@ async function setup(options) {
     preservedFiles,
     stacks,
     mcpPreflightWarnings,
+    rollbackId,
   };
 }