@nerviq/cli 1.8.9 → 1.10.0

package/src/locales/en.json

@@ -0,0 +1,34 @@
+{
+  "audit.title": "nerviq audit",
+  "audit.quickScan": "nerviq quick scan",
+  "audit.codexTitle": "nerviq codex audit",
+  "audit.codexQuickScan": "nerviq codex quick scan",
+  "audit.scanning": "Scanning: {dir}",
+  "audit.platform": "Platform: {platform} ({version})",
+  "audit.domainPacks": "Domain packs: {packs}",
+  "audit.scope": "Scope: {message}",
+  "audit.score": "Live audit score: {score}  ({passed}/{total} checks passing)",
+  "audit.found": "Found: {files}",
+  "audit.excellent": "Excellent setup — production-ready governance",
+  "audit.strong": "Strong setup — {count} critical items to address",
+  "audit.good": "Good foundation — {count} items need attention",
+  "audit.basic": "Basic setup — significant gaps in {category}",
+  "audit.early": "Early stage — run `nerviq setup` to bootstrap your config",
+  "audit.solid": "Your {platform} setup looks solid.",
+  "audit.next": "Next: {command}",
+  "audit.quickWins": "Quick wins:",
+  "audit.topActions": "Top actions:",
+  "audit.platformCaveats": "Platform caveats:",
+  "audit.largeFile": "Large file: {file} ({size}KB)",
+  "audit.categoryScores": "Category scores:",
+  "audit.passed": "Passed",
+  "audit.failed": "Failed",
+  "audit.skipped": "Skipped",
+  "audit.details": "Details:",
+  "cli.help.description": "The intelligent governance layer for AI coding agents",
+  "cli.help.usage": "Usage: nerviq <command> [options]",
+  "cli.help.commands": "Commands:",
+  "cli.help.options": "Options:",
+  "cli.error.unknownCommand": "Unknown command: {command}",
+  "cli.error.requiresValue": "{flag} requires a value"
+}

package/src/locales/es.json

@@ -0,0 +1,34 @@
+{
+  "audit.title": "nerviq auditoría",
+  "audit.quickScan": "nerviq escaneo rápido",
+  "audit.codexTitle": "nerviq codex auditoría",
+  "audit.codexQuickScan": "nerviq codex escaneo rápido",
+  "audit.scanning": "Escaneando: {dir}",
+  "audit.platform": "Plataforma: {platform} ({version})",
+  "audit.domainPacks": "Paquetes de dominio: {packs}",
+  "audit.scope": "Alcance: {message}",
+  "audit.score": "Puntuación de auditoría en vivo: {score}  ({passed}/{total} verificaciones aprobadas)",
+  "audit.found": "Encontrado: {files}",
+  "audit.excellent": "Configuración excelente — gobernanza lista para producción",
+  "audit.strong": "Configuración sólida — {count} elementos críticos por resolver",
+  "audit.good": "Buena base — {count} elementos necesitan atención",
+  "audit.basic": "Configuración básica — brechas significativas en {category}",
+  "audit.early": "Etapa inicial — ejecuta `nerviq setup` para iniciar tu configuración",
+  "audit.solid": "Tu configuración de {platform} se ve sólida.",
+  "audit.next": "Siguiente: {command}",
+  "audit.quickWins": "Mejoras rápidas:",
+  "audit.topActions": "Acciones principales:",
+  "audit.platformCaveats": "Advertencias de plataforma:",
+  "audit.largeFile": "Archivo grande: {file} ({size}KB)",
+  "audit.categoryScores": "Puntuaciones por categoría:",
+  "audit.passed": "Aprobado",
+  "audit.failed": "Fallido",
+  "audit.skipped": "Omitido",
+  "audit.details": "Detalles:",
+  "cli.help.description": "La capa de gobernanza inteligente para agentes de codificación IA",
+  "cli.help.usage": "Uso: nerviq <comando> [opciones]",
+  "cli.help.commands": "Comandos:",
+  "cli.help.options": "Opciones:",
+  "cli.error.unknownCommand": "Comando desconocido: {command}",
+  "cli.error.requiresValue": "{flag} requiere un valor"
+}

package/src/mcp-server.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 /**
  * Nerviq MCP Server
  *

package/src/opencode/freshness.js

@@ -1,158 +1,158 @@
-/**
- * OpenCode Freshness Operationalization
- *
- * Release gates, recurring probes, propagation checklists,
- * and staleness blocking for OpenCode surfaces.
- */
-
-const { version } = require('../../package.json');
-
-const P0_SOURCES = [
-  {
-    key: 'opencode-docs',
-    label: 'OpenCode Official Docs',
-    url: 'https://opencode.ai/docs',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-config-reference',
-    label: 'OpenCode Config Reference',
-    url: 'https://opencode.ai/config',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-github-releases',
-    label: 'OpenCode GitHub Releases',
-    url: 'https://github.com/sst/opencode/releases',
-    stalenessThresholdDays: 14,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-plugin-api',
-    label: 'OpenCode Plugin API',
-    url: 'https://opencode.ai/plugins',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-permissions-docs',
-    label: 'OpenCode Permissions Documentation',
-    url: 'https://opencode.ai/permissions',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-];
-
-const PROPAGATION_CHECKLIST = [
-  {
-    trigger: 'OpenCode release with config changes',
-    targets: [
-      'src/opencode/techniques.js — update DEPRECATED_CONFIG_KEYS if keys renamed/removed',
-      'src/opencode/config-parser.js — update JSONC validation',
-      'src/opencode/governance.js — update caveats if behavior changes',
-      'test/opencode-check-matrix.js — update check expectations',
-    ],
-  },
-  {
-    trigger: 'New OpenCode plugin event type added',
-    targets: [
-      'src/opencode/techniques.js — add to VALID_PLUGIN_EVENTS',
-      'src/opencode/governance.js — add to OPENCODE_PLUGIN_GOVERNANCE',
-      'src/opencode/setup.js — update plugins starter template',
-    ],
-  },
-  {
-    trigger: 'New OpenCode permission tool added',
-    targets: [
-      'src/opencode/techniques.js — add to PERMISSIONED_TOOLS',
-      'src/opencode/governance.js — update permission profiles',
-      'src/opencode/setup.js — update default permission config',
-    ],
-  },
-  {
-    trigger: 'OpenCode MCP schema change',
-    targets: [
-      'src/opencode/mcp-packs.js — update JSONC projections',
-      'src/opencode/techniques.js — update MCP checks',
-    ],
-  },
-  {
-    trigger: 'Known security bug fixed or new bug reported',
-    targets: [
-      'src/opencode/techniques.js — update security checks (E02, E03, D05)',
-      'src/opencode/governance.js — update platformCaveats',
-      'src/opencode/freshness.js — verify against latest release',
-    ],
-  },
-];
-
-function checkReleaseGate(sourceVerifications = {}) {
-  const now = new Date();
-  const results = P0_SOURCES.map(source => {
-    const verifiedAt = sourceVerifications[source.key]
-      ? new Date(sourceVerifications[source.key])
-      : source.verifiedAt ? new Date(source.verifiedAt) : null;
-
-    if (!verifiedAt) {
-      return { ...source, status: 'unverified', daysStale: null };
-    }
-
-    const daysSince = Math.floor((now - verifiedAt) / (1000 * 60 * 60 * 24));
-    const isStale = daysSince > source.stalenessThresholdDays;
-
-    return {
-      ...source,
-      verifiedAt: verifiedAt.toISOString(),
-      daysStale: daysSince,
-      status: isStale ? 'stale' : 'fresh',
-    };
-  });
-
-  return {
-    ready: results.every(r => r.status === 'fresh'),
-    stale: results.filter(r => r.status === 'stale' || r.status === 'unverified'),
-    fresh: results.filter(r => r.status === 'fresh'),
-    results,
-  };
-}
-
-function formatReleaseGate(gateResult) {
-  const lines = [
-    `OpenCode Freshness Gate (nerviq v${version})`,
-    '═══════════════════════════════════════',
-    '',
-    `Status: ${gateResult.ready ? 'READY' : 'BLOCKED'}`,
-    `Fresh: ${gateResult.fresh.length}/${gateResult.results.length}`,
-    '',
-  ];
-
-  for (const result of gateResult.results) {
-    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
-    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
-    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
-  }
-
-  if (!gateResult.ready) {
-    lines.push('');
-    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
-  }
-
-  return lines.join('\n');
-}
-
-function getPropagationTargets(triggerKeyword) {
-  const keyword = triggerKeyword.toLowerCase();
-  return PROPAGATION_CHECKLIST.filter(item =>
-    item.trigger.toLowerCase().includes(keyword)
-  );
-}
-
-module.exports = {
-  P0_SOURCES,
-  PROPAGATION_CHECKLIST,
-  checkReleaseGate,
-  formatReleaseGate,
-  getPropagationTargets,
-};
+/**
+ * OpenCode Freshness Operationalization
+ *
+ * Release gates, recurring probes, propagation checklists,
+ * and staleness blocking for OpenCode surfaces.
+ */
+
+const { version } = require('../../package.json');
+
+const P0_SOURCES = [
+  {
+    key: 'opencode-docs',
+    label: 'OpenCode Official Docs',
+    url: 'https://opencode.ai/docs',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-config-reference',
+    label: 'OpenCode Config Reference',
+    url: 'https://opencode.ai/docs/config/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-github-releases',
+    label: 'OpenCode GitHub Releases',
+    url: 'https://github.com/sst/opencode/releases',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-plugin-api',
+    label: 'OpenCode Plugin API',
+    url: 'https://opencode.ai/docs/plugins/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-permissions-docs',
+    label: 'OpenCode Permissions Documentation',
+    url: 'https://opencode.ai/docs/permissions/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+];
+
+const PROPAGATION_CHECKLIST = [
+  {
+    trigger: 'OpenCode release with config changes',
+    targets: [
+      'src/opencode/techniques.js — update DEPRECATED_CONFIG_KEYS if keys renamed/removed',
+      'src/opencode/config-parser.js — update JSONC validation',
+      'src/opencode/governance.js — update caveats if behavior changes',
+      'test/opencode-check-matrix.js — update check expectations',
+    ],
+  },
+  {
+    trigger: 'New OpenCode plugin event type added',
+    targets: [
+      'src/opencode/techniques.js — add to VALID_PLUGIN_EVENTS',
+      'src/opencode/governance.js — add to OPENCODE_PLUGIN_GOVERNANCE',
+      'src/opencode/setup.js — update plugins starter template',
+    ],
+  },
+  {
+    trigger: 'New OpenCode permission tool added',
+    targets: [
+      'src/opencode/techniques.js — add to PERMISSIONED_TOOLS',
+      'src/opencode/governance.js — update permission profiles',
+      'src/opencode/setup.js — update default permission config',
+    ],
+  },
+  {
+    trigger: 'OpenCode MCP schema change',
+    targets: [
+      'src/opencode/mcp-packs.js — update JSONC projections',
+      'src/opencode/techniques.js — update MCP checks',
+    ],
+  },
+  {
+    trigger: 'Known security bug fixed or new bug reported',
+    targets: [
+      'src/opencode/techniques.js — update security checks (E02, E03, D05)',
+      'src/opencode/governance.js — update platformCaveats',
+      'src/opencode/freshness.js — verify against latest release',
+    ],
+  },
+];
+
+function checkReleaseGate(sourceVerifications = {}) {
+  const now = new Date();
+  const results = P0_SOURCES.map(source => {
+    const verifiedAt = sourceVerifications[source.key]
+      ? new Date(sourceVerifications[source.key])
+      : source.verifiedAt ? new Date(source.verifiedAt) : null;
+
+    if (!verifiedAt) {
+      return { ...source, status: 'unverified', daysStale: null };
+    }
+
+    const daysSince = Math.floor((now - verifiedAt) / (1000 * 60 * 60 * 24));
+    const isStale = daysSince > source.stalenessThresholdDays;
+
+    return {
+      ...source,
+      verifiedAt: verifiedAt.toISOString(),
+      daysStale: daysSince,
+      status: isStale ? 'stale' : 'fresh',
+    };
+  });
+
+  return {
+    ready: results.every(r => r.status === 'fresh'),
+    stale: results.filter(r => r.status === 'stale' || r.status === 'unverified'),
+    fresh: results.filter(r => r.status === 'fresh'),
+    results,
+  };
+}
+
+function formatReleaseGate(gateResult) {
+  const lines = [
+    `OpenCode Freshness Gate (nerviq v${version})`,
+    '═══════════════════════════════════════',
+    '',
+    `Status: ${gateResult.ready ? 'READY' : 'BLOCKED'}`,
+    `Fresh: ${gateResult.fresh.length}/${gateResult.results.length}`,
+    '',
+  ];
+
+  for (const result of gateResult.results) {
+    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
+    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
+    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
+  }
+
+  if (!gateResult.ready) {
+    lines.push('');
+    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
+  }
+
+  return lines.join('\n');
+}
+
+function getPropagationTargets(triggerKeyword) {
+  const keyword = triggerKeyword.toLowerCase();
+  return PROPAGATION_CHECKLIST.filter(item =>
+    item.trigger.toLowerCase().includes(keyword)
+  );
+}
+
+module.exports = {
+  P0_SOURCES,
+  PROPAGATION_CHECKLIST,
+  checkReleaseGate,
+  formatReleaseGate,
+  getPropagationTargets,
+};

package/src/stack-checks.js

@@ -358,7 +358,7 @@ function buildStackChecks({ platform, objectPrefix, idPrefix, docs }) {
       impact: 'high',
       fix: 'Document the XCTest or `xcodebuild test` workflow so iOS verification is part of the default path.',
       check: (ctx) => hasSwiftSurface(ctx)
-        ? /xctest|swift test|xcodebuild test|test target/i.test(projectText(ctx, docs)) ||
+        ? /xctest|swift test|xcodebuild[^\n\r]{0,200}\btest\b|test target/i.test(projectText(ctx, docs)) ||
           hasMatchingFile(ctx, /(^|[\\/])Tests([\\/]|$)|XCTestCase/i)
         : null,
     }),

package/src/synergy/report.js

@@ -54,6 +54,7 @@ function formatSynergyReport(options) {
   lines.push(c('  ║     SYNERGY DASHBOARD [EXPERIMENTAL]             ║', 'blue'));
   lines.push(c('  ╚══════════════════════════════════════════════════╝', 'blue'));
   lines.push(c('  Static routing rules. Learned routing planned for v2.0.', 'dim'));
+  lines.push(c('  Harmony is the GA cross-platform surface. Treat Synergy as advisory research output.', 'dim'));
   lines.push('');
 
   // Compound audit

package/src/techniques.js

@@ -4,8 +4,15 @@
  * Each technique includes: what to check, how to fix, impact level.
  */
 
-const fs = require('fs');
-const path = require('path');
+const fs = require('fs');
+const path = require('path');
+const {
+  getClaudeInstructionBundle,
+  hasDocumentedVerificationGuidance,
+  hasDocumentedTestCommand,
+  hasDocumentedLintCommand,
+  hasDocumentedBuildCommand,
+} = require('./instruction-surfaces');
 
 function hasFrontendSignals(ctx) {
   const pkg = ctx.fileContent('package.json') || '';
@@ -444,62 +451,58 @@ const TECHNIQUES = {
   // === QUALITY & TESTING (category: 'quality') ================
   // ============================================================
 
-  verificationLoop: {
-    id: 93,
-    name: 'Verification criteria in CLAUDE.md',
-    check: (ctx) => {
-      const md = ctx.claudeMdContent() || '';
-      return /\b(npm test|yarn test|pnpm test|pytest|go test|make test|npm run lint|yarn lint|npx |ruff |eslint)\b/i.test(md) ||
-        /\b(test command|lint command|build command|verify|run tests|run lint)\b/i.test(md);
-    },
-    impact: 'critical',
-    rating: 5,
-    category: 'quality',
-    fix: 'Add test/lint/build commands to CLAUDE.md so Claude can verify its own work.',
-    template: null
-  },
-
-  testCommand: {
-    id: 93001,
-    name: 'CLAUDE.md contains a test command',
-    check: (ctx) => {
-      const md = ctx.claudeMdContent() || '';
-      return /npm test|pytest|jest|vitest|cargo test|go test|mix test|rspec/.test(md);
-    },
-    impact: 'high',
-    rating: 5,
-    category: 'quality',
-    fix: 'Add an explicit test command to CLAUDE.md (e.g. "Run `npm test` before committing").',
-    template: null
-  },
-
-  lintCommand: {
-    id: 93002,
-    name: 'CLAUDE.md contains a lint command',
-    check: (ctx) => {
-      const md = ctx.claudeMdContent() || '';
-      return /eslint|prettier|ruff|black|clippy|golangci-lint|rubocop|npm run lint|yarn lint|pnpm lint|bun lint/.test(md);
-    },
-    impact: 'high',
-    rating: 4,
-    category: 'quality',
-    fix: 'Add a lint command to CLAUDE.md so Claude auto-formats and checks code style.',
-    template: null
-  },
-
-  buildCommand: {
-    id: 93003,
-    name: 'CLAUDE.md contains a build command',
-    check: (ctx) => {
-      const md = ctx.claudeMdContent() || '';
-      return /npm run build|cargo build|go build|make|tsc|gradle build|mvn compile/.test(md);
-    },
-    impact: 'medium',
-    rating: 4,
-    category: 'quality',
-    fix: 'Add a build command to CLAUDE.md so Claude can verify compilation before committing.',
-    template: null
-  },
+  verificationLoop: {
+    id: 93,
+    name: 'Claude instruction surfaces include verification criteria',
+    check: (ctx) => {
+      const docs = getClaudeInstructionBundle(ctx);
+      return hasDocumentedVerificationGuidance(docs);
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'quality',
+    fix: 'Add canonical test/lint/build commands to your Claude instruction surfaces (CLAUDE.md, imported docs, or .claude/commands) so Claude can verify its own work.',
+    template: null
+  },
+
+  testCommand: {
+    id: 93001,
+    name: 'Claude instruction surfaces include a test command',
+    check: (ctx) => {
+      return hasDocumentedTestCommand(getClaudeInstructionBundle(ctx));
+    },
+    impact: 'high',
+    rating: 5,
+    category: 'quality',
+    fix: 'Add an explicit test command to your Claude instruction surfaces (for example "Run `npm test` before committing").',
+    template: null
+  },
+
+  lintCommand: {
+    id: 93002,
+    name: 'Claude instruction surfaces include a lint command',
+    check: (ctx) => {
+      return hasDocumentedLintCommand(getClaudeInstructionBundle(ctx));
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'quality',
+    fix: 'Add a lint command to your Claude instruction surfaces so Claude can check style and static quality automatically.',
+    template: null
+  },
+
+  buildCommand: {
+    id: 93003,
+    name: 'Claude instruction surfaces include a build command',
+    check: (ctx) => {
+      return hasDocumentedBuildCommand(getClaudeInstructionBundle(ctx));
+    },
+    impact: 'medium',
+    rating: 4,
+    category: 'quality',
+    fix: 'Add a build command to your Claude instruction surfaces so Claude can verify compilation before committing.',
+    template: null
+  },
 
   // ============================================================
   // === GIT SAFETY (category: 'git') ===========================
@@ -954,6 +957,119 @@ const TECHNIQUES = {
     template: null
   },
 
+  // --- Dockerfile best practices (Issue #8) ---
+
+  dockerMultiStage: {
+    id: 39902,
+    name: 'Dockerfile uses multi-stage build',
+    check: (ctx) => {
+      const df = findProjectFiles(ctx, /^Dockerfile$/i);
+      if (df.length === 0) return null;
+      const content = ctx.fileContent(df[0]) || '';
+      return (content.match(/^FROM\s/gim) || []).length >= 2;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'devops',
+    fix: 'Use multi-stage builds in Dockerfile to reduce image size and avoid leaking build tools into production.',
+    template: null
+  },
+
+  dockerignoreExists: {
+    id: 39903,
+    name: '.dockerignore includes node_modules and .env',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /^Dockerfile/i.test(f))) return null;
+      const di = ctx.fileContent('.dockerignore') || '';
+      return di.includes('node_modules') && /\.env/i.test(di);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Add .dockerignore with node_modules, .env, and other sensitive/large files to keep images small and secure.',
+    template: null
+  },
+
+  dockerNoSecrets: {
+    id: 39904,
+    name: 'Dockerfile has no secrets in build args',
+    check: (ctx) => {
+      const df = findProjectFiles(ctx, /^Dockerfile$/i);
+      if (df.length === 0) return null;
+      const content = ctx.fileContent(df[0]) || '';
+      return !/ARG\s+(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/i.test(content);
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'devops',
+    fix: 'Never pass secrets via ARG in Dockerfile — use runtime environment variables or secret mounts instead.',
+    template: null
+  },
+
+  // --- Terraform checks (Issue #10) ---
+
+  terraformFmt: {
+    id: 39705,
+    name: 'Terraform formatting configured',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      const ci = readProjectFiles(ctx, /\.(yml|yaml)$/i, 10);
+      const makefileContent = ctx.fileContent('Makefile') || '';
+      const preCommit = ctx.fileContent('.pre-commit-config.yaml') || '';
+      return /terraform\s+fmt/i.test(ci) || /terraform\s+fmt/i.test(makefileContent) || /terraform_fmt/i.test(preCommit);
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'devops',
+    fix: 'Add `terraform fmt` to CI or pre-commit hooks to enforce consistent formatting.',
+    template: null
+  },
+
+  terraformDirIgnored: {
+    id: 39706,
+    name: '.terraform directory in .gitignore',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      const gi = ctx.fileContent('.gitignore') || '';
+      return /\.terraform/i.test(gi);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Add .terraform/ to .gitignore — it contains provider binaries and should not be committed.',
+    template: null
+  },
+
+  terraformStateNotCommitted: {
+    id: 39707,
+    name: 'Terraform state file not committed',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      return !ctx.files.some(f => /terraform\.tfstate$/i.test(f));
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'devops',
+    fix: 'Never commit terraform.tfstate — it may contain secrets. Use a remote backend (S3, GCS, Terraform Cloud).',
+    template: null
+  },
+
+  terraformBackendConfigured: {
+    id: 39708,
+    name: 'Terraform remote backend configured',
+    check: (ctx) => {
+      const tfFiles = findProjectFiles(ctx, /\.tf$/);
+      if (tfFiles.length === 0) return null;
+      const allTf = tfFiles.slice(0, 10).map(f => ctx.fileContent(f) || '').join('\n');
+      return /backend\s+"(s3|gcs|azurerm|remote|cloud|consul|http)"/i.test(allTf);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Configure a remote backend in Terraform (S3, GCS, Terraform Cloud) for team collaboration and state locking.',
+    template: null
+  },
+
   // ============================================================
   // === PROJECT HYGIENE (category: 'hygiene') ==================
   // ============================================================