@nerviq/cli 1.8.8 → 1.9.0

package/src/opencode/freshness.js

@@ -1,158 +1,158 @@
-/**
- * OpenCode Freshness Operationalization
- *
- * Release gates, recurring probes, propagation checklists,
- * and staleness blocking for OpenCode surfaces.
- */
-
-const { version } = require('../../package.json');
-
-const P0_SOURCES = [
-  {
-    key: 'opencode-docs',
-    label: 'OpenCode Official Docs',
-    url: 'https://opencode.ai/docs',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-config-reference',
-    label: 'OpenCode Config Reference',
-    url: 'https://opencode.ai/config',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-github-releases',
-    label: 'OpenCode GitHub Releases',
-    url: 'https://github.com/sst/opencode/releases',
-    stalenessThresholdDays: 14,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-plugin-api',
-    label: 'OpenCode Plugin API',
-    url: 'https://opencode.ai/plugins',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-permissions-docs',
-    label: 'OpenCode Permissions Documentation',
-    url: 'https://opencode.ai/permissions',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-];
-
-const PROPAGATION_CHECKLIST = [
-  {
-    trigger: 'OpenCode release with config changes',
-    targets: [
-      'src/opencode/techniques.js — update DEPRECATED_CONFIG_KEYS if keys renamed/removed',
-      'src/opencode/config-parser.js — update JSONC validation',
-      'src/opencode/governance.js — update caveats if behavior changes',
-      'test/opencode-check-matrix.js — update check expectations',
-    ],
-  },
-  {
-    trigger: 'New OpenCode plugin event type added',
-    targets: [
-      'src/opencode/techniques.js — add to VALID_PLUGIN_EVENTS',
-      'src/opencode/governance.js — add to OPENCODE_PLUGIN_GOVERNANCE',
-      'src/opencode/setup.js — update plugins starter template',
-    ],
-  },
-  {
-    trigger: 'New OpenCode permission tool added',
-    targets: [
-      'src/opencode/techniques.js — add to PERMISSIONED_TOOLS',
-      'src/opencode/governance.js — update permission profiles',
-      'src/opencode/setup.js — update default permission config',
-    ],
-  },
-  {
-    trigger: 'OpenCode MCP schema change',
-    targets: [
-      'src/opencode/mcp-packs.js — update JSONC projections',
-      'src/opencode/techniques.js — update MCP checks',
-    ],
-  },
-  {
-    trigger: 'Known security bug fixed or new bug reported',
-    targets: [
-      'src/opencode/techniques.js — update security checks (E02, E03, D05)',
-      'src/opencode/governance.js — update platformCaveats',
-      'src/opencode/freshness.js — verify against latest release',
-    ],
-  },
-];
-
-function checkReleaseGate(sourceVerifications = {}) {
-  const now = new Date();
-  const results = P0_SOURCES.map(source => {
-    const verifiedAt = sourceVerifications[source.key]
-      ? new Date(sourceVerifications[source.key])
-      : source.verifiedAt ? new Date(source.verifiedAt) : null;
-
-    if (!verifiedAt) {
-      return { ...source, status: 'unverified', daysStale: null };
-    }
-
-    const daysSince = Math.floor((now - verifiedAt) / (1000 * 60 * 60 * 24));
-    const isStale = daysSince > source.stalenessThresholdDays;
-
-    return {
-      ...source,
-      verifiedAt: verifiedAt.toISOString(),
-      daysStale: daysSince,
-      status: isStale ? 'stale' : 'fresh',
-    };
-  });
-
-  return {
-    ready: results.every(r => r.status === 'fresh'),
-    stale: results.filter(r => r.status === 'stale' || r.status === 'unverified'),
-    fresh: results.filter(r => r.status === 'fresh'),
-    results,
-  };
-}
-
-function formatReleaseGate(gateResult) {
-  const lines = [
-    `OpenCode Freshness Gate (nerviq v${version})`,
-    '═══════════════════════════════════════',
-    '',
-    `Status: ${gateResult.ready ? 'READY' : 'BLOCKED'}`,
-    `Fresh: ${gateResult.fresh.length}/${gateResult.results.length}`,
-    '',
-  ];
-
-  for (const result of gateResult.results) {
-    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
-    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
-    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
-  }
-
-  if (!gateResult.ready) {
-    lines.push('');
-    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
-  }
-
-  return lines.join('\n');
-}
-
-function getPropagationTargets(triggerKeyword) {
-  const keyword = triggerKeyword.toLowerCase();
-  return PROPAGATION_CHECKLIST.filter(item =>
-    item.trigger.toLowerCase().includes(keyword)
-  );
-}
-
-module.exports = {
-  P0_SOURCES,
-  PROPAGATION_CHECKLIST,
-  checkReleaseGate,
-  formatReleaseGate,
-  getPropagationTargets,
-};
+/**
+ * OpenCode Freshness Operationalization
+ *
+ * Release gates, recurring probes, propagation checklists,
+ * and staleness blocking for OpenCode surfaces.
+ */
+
+const { version } = require('../../package.json');
+
+const P0_SOURCES = [
+  {
+    key: 'opencode-docs',
+    label: 'OpenCode Official Docs',
+    url: 'https://opencode.ai/docs',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-config-reference',
+    label: 'OpenCode Config Reference',
+    url: 'https://opencode.ai/docs/config/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-github-releases',
+    label: 'OpenCode GitHub Releases',
+    url: 'https://github.com/sst/opencode/releases',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-plugin-api',
+    label: 'OpenCode Plugin API',
+    url: 'https://opencode.ai/docs/plugins/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-permissions-docs',
+    label: 'OpenCode Permissions Documentation',
+    url: 'https://opencode.ai/docs/permissions/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+];
+
+const PROPAGATION_CHECKLIST = [
+  {
+    trigger: 'OpenCode release with config changes',
+    targets: [
+      'src/opencode/techniques.js — update DEPRECATED_CONFIG_KEYS if keys renamed/removed',
+      'src/opencode/config-parser.js — update JSONC validation',
+      'src/opencode/governance.js — update caveats if behavior changes',
+      'test/opencode-check-matrix.js — update check expectations',
+    ],
+  },
+  {
+    trigger: 'New OpenCode plugin event type added',
+    targets: [
+      'src/opencode/techniques.js — add to VALID_PLUGIN_EVENTS',
+      'src/opencode/governance.js — add to OPENCODE_PLUGIN_GOVERNANCE',
+      'src/opencode/setup.js — update plugins starter template',
+    ],
+  },
+  {
+    trigger: 'New OpenCode permission tool added',
+    targets: [
+      'src/opencode/techniques.js — add to PERMISSIONED_TOOLS',
+      'src/opencode/governance.js — update permission profiles',
+      'src/opencode/setup.js — update default permission config',
+    ],
+  },
+  {
+    trigger: 'OpenCode MCP schema change',
+    targets: [
+      'src/opencode/mcp-packs.js — update JSONC projections',
+      'src/opencode/techniques.js — update MCP checks',
+    ],
+  },
+  {
+    trigger: 'Known security bug fixed or new bug reported',
+    targets: [
+      'src/opencode/techniques.js — update security checks (E02, E03, D05)',
+      'src/opencode/governance.js — update platformCaveats',
+      'src/opencode/freshness.js — verify against latest release',
+    ],
+  },
+];
+
+function checkReleaseGate(sourceVerifications = {}) {
+  const now = new Date();
+  const results = P0_SOURCES.map(source => {
+    const verifiedAt = sourceVerifications[source.key]
+      ? new Date(sourceVerifications[source.key])
+      : source.verifiedAt ? new Date(source.verifiedAt) : null;
+
+    if (!verifiedAt) {
+      return { ...source, status: 'unverified', daysStale: null };
+    }
+
+    const daysSince = Math.floor((now - verifiedAt) / (1000 * 60 * 60 * 24));
+    const isStale = daysSince > source.stalenessThresholdDays;
+
+    return {
+      ...source,
+      verifiedAt: verifiedAt.toISOString(),
+      daysStale: daysSince,
+      status: isStale ? 'stale' : 'fresh',
+    };
+  });
+
+  return {
+    ready: results.every(r => r.status === 'fresh'),
+    stale: results.filter(r => r.status === 'stale' || r.status === 'unverified'),
+    fresh: results.filter(r => r.status === 'fresh'),
+    results,
+  };
+}
+
+function formatReleaseGate(gateResult) {
+  const lines = [
+    `OpenCode Freshness Gate (nerviq v${version})`,
+    '═══════════════════════════════════════',
+    '',
+    `Status: ${gateResult.ready ? 'READY' : 'BLOCKED'}`,
+    `Fresh: ${gateResult.fresh.length}/${gateResult.results.length}`,
+    '',
+  ];
+
+  for (const result of gateResult.results) {
+    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
+    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
+    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
+  }
+
+  if (!gateResult.ready) {
+    lines.push('');
+    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
+  }
+
+  return lines.join('\n');
+}
+
+function getPropagationTargets(triggerKeyword) {
+  const keyword = triggerKeyword.toLowerCase();
+  return PROPAGATION_CHECKLIST.filter(item =>
+    item.trigger.toLowerCase().includes(keyword)
+  );
+}
+
+module.exports = {
+  P0_SOURCES,
+  PROPAGATION_CHECKLIST,
+  checkReleaseGate,
+  formatReleaseGate,
+  getPropagationTargets,
+};

package/src/server.js

@@ -18,6 +18,10 @@ const SUPPORTED_PLATFORMS = new Set([
   'opencode',
 ]);
 
+function envelope(data) {
+  return { data, meta: { version, timestamp: new Date().toISOString() } };
+}
+
 function sendJson(res, statusCode, payload) {
   const body = JSON.stringify(payload, null, 2);
   res.writeHead(statusCode, {
@@ -57,6 +61,11 @@ function createServer(options = {}) {
   const baseDir = path.resolve(options.baseDir || process.cwd());
 
   return http.createServer(async (req, res) => {
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+    if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return; }
+
     const requestUrl = new URL(req.url || '/', 'http://127.0.0.1');
 
     if (req.method !== 'GET') {
@@ -66,16 +75,16 @@ function createServer(options = {}) {
 
     try {
       if (requestUrl.pathname === '/api/health') {
-        sendJson(res, 200, {
+        sendJson(res, 200, envelope({
           status: 'ok',
           version,
           checks: getCatalog().length,
-        });
+        }));
         return;
       }
 
       if (requestUrl.pathname === '/api/catalog') {
-        sendJson(res, 200, getCatalog());
+        sendJson(res, 200, envelope(getCatalog()));
         return;
       }
 
@@ -83,14 +92,14 @@ function createServer(options = {}) {
         const dir = resolveRequestDir(baseDir, requestUrl.searchParams.get('dir'));
         const platform = normalizePlatform(requestUrl.searchParams.get('platform'));
         const result = await audit({ dir, platform, silent: true });
-        sendJson(res, 200, result);
+        sendJson(res, 200, envelope(result));
         return;
       }
 
       if (requestUrl.pathname === '/api/harmony') {
         const dir = resolveRequestDir(baseDir, requestUrl.searchParams.get('dir'));
         const result = await harmonyAudit({ dir, silent: true });
-        sendJson(res, 200, result);
+        sendJson(res, 200, envelope(result));
         return;
       }
 

package/src/setup.js

@@ -10,6 +10,7 @@ const { ProjectContext } = require('./context');
 const { audit } = require('./audit');
 const { buildSettingsForProfile } = require('./governance');
 const { getMcpPackPreflight } = require('./mcp-packs');
+const { writeRollbackArtifact } = require('./activity');
 const { setupCodex } = require('./codex/setup');
 
 // ============================================================
@@ -797,14 +798,21 @@ try {
 } catch (e) { /* linter not available or failed - non-blocking */ }
 `,
     'protect-secrets.js': `#!/usr/bin/env node
-// PreToolUse hook - blocks reads of secret files
+// PreToolUse hook - blocks reads of secret files (Read/Write/Edit AND Bash)
 let input = '';
 process.stdin.on('data', d => input += d);
 process.stdin.on('end', () => {
   try {
     const data = JSON.parse(input);
+    // Check file_path (for Read/Write/Edit)
     const fp = (data.tool_input && data.tool_input.file_path) || '';
-    if (/\\.env$|\\.env\\.|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i.test(fp)) {
+    // Check command (for Bash)
+    const cmd = (data.tool_input && data.tool_input.command) || '';
+
+    const secretPattern = /\\.env($|\\.)|secrets[\\/\\\\]|credentials|\\.pem$|\\.key$/i;
+    const bashSecretPattern = /\\bcat\\s+\\.env|\\bless\\s+\\.env|\\bhead\\s+\\.env|\\btail\\s+\\.env|\\bgrep\\b.*\\.env|\\bcp\\s+\\.env|\\bmv\\s+\\.env|\\bbase64\\s+\\.env|\\bxxd\\s+\\.env|secrets\\/|credentials|\\.pem\\b|\\.key\\b/i;
+
+    if (secretPattern.test(fp) || bashSecretPattern.test(cmd)) {
       console.log(JSON.stringify({ decision: 'block', reason: 'Blocked: accessing secret/credential files is not allowed.' }));
     } else {
       console.log(JSON.stringify({ decision: 'allow' }));
@@ -1143,6 +1151,17 @@ async function setup(options) {
   const mcpPreflightWarnings = getMcpPackPreflight(options.mcpPacks || [])
     .filter(item => item.missingEnvVars.length > 0);
 
+  // Snapshot settings.json before any changes for rollback support
+  const settingsPathForSnapshot = path.join(options.dir, '.claude/settings.json');
+  let settingsSnapshotBefore = null;
+  if (fs.existsSync(settingsPathForSnapshot)) {
+    try {
+      settingsSnapshotBefore = fs.readFileSync(settingsPathForSnapshot, 'utf8');
+    } catch (_) {
+      // Ignore read errors
+    }
+  }
+
   function log(message = '') {
     if (!silent) {
       console.log(message);
@@ -1260,7 +1279,17 @@ async function setup(options) {
       }
       // Merge all fields from newSettings into existing, preserving existing values
       if (newSettings.hooks) existingSettings.hooks = newSettings.hooks;
-      if (newSettings.permissions) existingSettings.permissions = { ...existingSettings.permissions, ...newSettings.permissions };
+      if (newSettings.permissions) {
+        existingSettings.permissions = existingSettings.permissions || {};
+        // MERGE deny rules: keep existing + add new (deduplicate)
+        const existingDeny = existingSettings.permissions.deny || [];
+        const newDeny = newSettings.permissions.deny || [];
+        existingSettings.permissions.deny = [...new Set([...existingDeny, ...newDeny])];
+        // Only set defaultMode if not already set
+        if (!existingSettings.permissions.defaultMode && newSettings.permissions.defaultMode) {
+          existingSettings.permissions.defaultMode = newSettings.permissions.defaultMode;
+        }
+      }
       if (newSettings.mcpServers) existingSettings.mcpServers = { ...existingSettings.mcpServers, ...newSettings.mcpServers };
       if (newSettings.nerviqSetup) existingSettings.nerviqSetup = { ...existingSettings.nerviqSetup, ...newSettings.nerviqSetup };
       fs.writeFileSync(settingsPath, JSON.stringify(existingSettings, null, 2), 'utf8');
@@ -1302,6 +1331,29 @@ async function setup(options) {
   log('  Run \x1b[1mnpx nerviq audit\x1b[0m to check your score.');
   log('');
 
+  // Write rollback artifact so setup can be undone
+  let rollbackId = null;
+  if (writtenFiles.length > 0) {
+    const patchedFiles = [];
+    // If settings.json was modified (not newly created), record the before-snapshot
+    if (settingsSnapshotBefore !== null && writtenFiles.includes('.claude/settings.json')) {
+      patchedFiles.push({
+        file: '.claude/settings.json',
+        before: settingsSnapshotBefore,
+      });
+    }
+    const rollbackArtifact = writeRollbackArtifact(options.dir, {
+      sourcePlan: 'setup',
+      createdFiles: writtenFiles.filter(f => {
+        // Exclude patched files from createdFiles list
+        return !patchedFiles.some(p => p.file === f);
+      }),
+      patchedFiles,
+      rollbackInstructions: ['Use nerviq rollback to undo this setup'],
+    });
+    rollbackId = rollbackArtifact.id;
+  }
+
   return {
     created,
     skipped,
@@ -1309,6 +1361,7 @@ async function setup(options) {
     preservedFiles,
     stacks,
     mcpPreflightWarnings,
+    rollbackId,
   };
 }
 

package/src/techniques.js

@@ -954,6 +954,119 @@ const TECHNIQUES = {
     template: null
   },
 
+  // --- Dockerfile best practices (Issue #8) ---
+
+  dockerMultiStage: {
+    id: 39902,
+    name: 'Dockerfile uses multi-stage build',
+    check: (ctx) => {
+      const df = findProjectFiles(ctx, /^Dockerfile$/i);
+      if (df.length === 0) return null;
+      const content = ctx.fileContent(df[0]) || '';
+      return (content.match(/^FROM\s/gim) || []).length >= 2;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'devops',
+    fix: 'Use multi-stage builds in Dockerfile to reduce image size and avoid leaking build tools into production.',
+    template: null
+  },
+
+  dockerignoreExists: {
+    id: 39903,
+    name: '.dockerignore includes node_modules and .env',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /^Dockerfile/i.test(f))) return null;
+      const di = ctx.fileContent('.dockerignore') || '';
+      return di.includes('node_modules') && /\.env/i.test(di);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Add .dockerignore with node_modules, .env, and other sensitive/large files to keep images small and secure.',
+    template: null
+  },
+
+  dockerNoSecrets: {
+    id: 39904,
+    name: 'Dockerfile has no secrets in build args',
+    check: (ctx) => {
+      const df = findProjectFiles(ctx, /^Dockerfile$/i);
+      if (df.length === 0) return null;
+      const content = ctx.fileContent(df[0]) || '';
+      return !/ARG\s+(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/i.test(content);
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'devops',
+    fix: 'Never pass secrets via ARG in Dockerfile — use runtime environment variables or secret mounts instead.',
+    template: null
+  },
+
+  // --- Terraform checks (Issue #10) ---
+
+  terraformFmt: {
+    id: 39705,
+    name: 'Terraform formatting configured',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      const ci = readProjectFiles(ctx, /\.(yml|yaml)$/i, 10);
+      const makefileContent = ctx.fileContent('Makefile') || '';
+      const preCommit = ctx.fileContent('.pre-commit-config.yaml') || '';
+      return /terraform\s+fmt/i.test(ci) || /terraform\s+fmt/i.test(makefileContent) || /terraform_fmt/i.test(preCommit);
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'devops',
+    fix: 'Add `terraform fmt` to CI or pre-commit hooks to enforce consistent formatting.',
+    template: null
+  },
+
+  terraformDirIgnored: {
+    id: 39706,
+    name: '.terraform directory in .gitignore',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      const gi = ctx.fileContent('.gitignore') || '';
+      return /\.terraform/i.test(gi);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Add .terraform/ to .gitignore — it contains provider binaries and should not be committed.',
+    template: null
+  },
+
+  terraformStateNotCommitted: {
+    id: 39707,
+    name: 'Terraform state file not committed',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      return !ctx.files.some(f => /terraform\.tfstate$/i.test(f));
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'devops',
+    fix: 'Never commit terraform.tfstate — it may contain secrets. Use a remote backend (S3, GCS, Terraform Cloud).',
+    template: null
+  },
+
+  terraformBackendConfigured: {
+    id: 39708,
+    name: 'Terraform remote backend configured',
+    check: (ctx) => {
+      const tfFiles = findProjectFiles(ctx, /\.tf$/);
+      if (tfFiles.length === 0) return null;
+      const allTf = tfFiles.slice(0, 10).map(f => ctx.fileContent(f) || '').join('\n');
+      return /backend\s+"(s3|gcs|azurerm|remote|cloud|consul|http)"/i.test(allTf);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Configure a remote backend in Terraform (S3, GCS, Terraform Cloud) for team collaboration and state locking.',
+    template: null
+  },
+
   // ============================================================
   // === PROJECT HYGIENE (category: 'hygiene') ==================
   // ============================================================