@nerviq/cli 1.8.9 → 1.9.0

package/src/opencode/freshness.js

@@ -1,158 +1,158 @@
-/**
- * OpenCode Freshness Operationalization
- *
- * Release gates, recurring probes, propagation checklists,
- * and staleness blocking for OpenCode surfaces.
- */
-
-const { version } = require('../../package.json');
-
-const P0_SOURCES = [
-  {
-    key: 'opencode-docs',
-    label: 'OpenCode Official Docs',
-    url: 'https://opencode.ai/docs',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-config-reference',
-    label: 'OpenCode Config Reference',
-    url: 'https://opencode.ai/config',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-github-releases',
-    label: 'OpenCode GitHub Releases',
-    url: 'https://github.com/sst/opencode/releases',
-    stalenessThresholdDays: 14,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-plugin-api',
-    label: 'OpenCode Plugin API',
-    url: 'https://opencode.ai/plugins',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'opencode-permissions-docs',
-    label: 'OpenCode Permissions Documentation',
-    url: 'https://opencode.ai/permissions',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-];
-
-const PROPAGATION_CHECKLIST = [
-  {
-    trigger: 'OpenCode release with config changes',
-    targets: [
-      'src/opencode/techniques.js — update DEPRECATED_CONFIG_KEYS if keys renamed/removed',
-      'src/opencode/config-parser.js — update JSONC validation',
-      'src/opencode/governance.js — update caveats if behavior changes',
-      'test/opencode-check-matrix.js — update check expectations',
-    ],
-  },
-  {
-    trigger: 'New OpenCode plugin event type added',
-    targets: [
-      'src/opencode/techniques.js — add to VALID_PLUGIN_EVENTS',
-      'src/opencode/governance.js — add to OPENCODE_PLUGIN_GOVERNANCE',
-      'src/opencode/setup.js — update plugins starter template',
-    ],
-  },
-  {
-    trigger: 'New OpenCode permission tool added',
-    targets: [
-      'src/opencode/techniques.js — add to PERMISSIONED_TOOLS',
-      'src/opencode/governance.js — update permission profiles',
-      'src/opencode/setup.js — update default permission config',
-    ],
-  },
-  {
-    trigger: 'OpenCode MCP schema change',
-    targets: [
-      'src/opencode/mcp-packs.js — update JSONC projections',
-      'src/opencode/techniques.js — update MCP checks',
-    ],
-  },
-  {
-    trigger: 'Known security bug fixed or new bug reported',
-    targets: [
-      'src/opencode/techniques.js — update security checks (E02, E03, D05)',
-      'src/opencode/governance.js — update platformCaveats',
-      'src/opencode/freshness.js — verify against latest release',
-    ],
-  },
-];
-
-function checkReleaseGate(sourceVerifications = {}) {
-  const now = new Date();
-  const results = P0_SOURCES.map(source => {
-    const verifiedAt = sourceVerifications[source.key]
-      ? new Date(sourceVerifications[source.key])
-      : source.verifiedAt ? new Date(source.verifiedAt) : null;
-
-    if (!verifiedAt) {
-      return { ...source, status: 'unverified', daysStale: null };
-    }
-
-    const daysSince = Math.floor((now - verifiedAt) / (1000 * 60 * 60 * 24));
-    const isStale = daysSince > source.stalenessThresholdDays;
-
-    return {
-      ...source,
-      verifiedAt: verifiedAt.toISOString(),
-      daysStale: daysSince,
-      status: isStale ? 'stale' : 'fresh',
-    };
-  });
-
-  return {
-    ready: results.every(r => r.status === 'fresh'),
-    stale: results.filter(r => r.status === 'stale' || r.status === 'unverified'),
-    fresh: results.filter(r => r.status === 'fresh'),
-    results,
-  };
-}
-
-function formatReleaseGate(gateResult) {
-  const lines = [
-    `OpenCode Freshness Gate (nerviq v${version})`,
-    '═══════════════════════════════════════',
-    '',
-    `Status: ${gateResult.ready ? 'READY' : 'BLOCKED'}`,
-    `Fresh: ${gateResult.fresh.length}/${gateResult.results.length}`,
-    '',
-  ];
-
-  for (const result of gateResult.results) {
-    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
-    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
-    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
-  }
-
-  if (!gateResult.ready) {
-    lines.push('');
-    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
-  }
-
-  return lines.join('\n');
-}
-
-function getPropagationTargets(triggerKeyword) {
-  const keyword = triggerKeyword.toLowerCase();
-  return PROPAGATION_CHECKLIST.filter(item =>
-    item.trigger.toLowerCase().includes(keyword)
-  );
-}
-
-module.exports = {
-  P0_SOURCES,
-  PROPAGATION_CHECKLIST,
-  checkReleaseGate,
-  formatReleaseGate,
-  getPropagationTargets,
-};
+/**
+ * OpenCode Freshness Operationalization
+ *
+ * Release gates, recurring probes, propagation checklists,
+ * and staleness blocking for OpenCode surfaces.
+ */
+
+const { version } = require('../../package.json');
+
+const P0_SOURCES = [
+  {
+    key: 'opencode-docs',
+    label: 'OpenCode Official Docs',
+    url: 'https://opencode.ai/docs',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-config-reference',
+    label: 'OpenCode Config Reference',
+    url: 'https://opencode.ai/docs/config/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-github-releases',
+    label: 'OpenCode GitHub Releases',
+    url: 'https://github.com/sst/opencode/releases',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-plugin-api',
+    label: 'OpenCode Plugin API',
+    url: 'https://opencode.ai/docs/plugins/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+  {
+    key: 'opencode-permissions-docs',
+    label: 'OpenCode Permissions Documentation',
+    url: 'https://opencode.ai/docs/permissions/',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-07',
+  },
+];
+
+const PROPAGATION_CHECKLIST = [
+  {
+    trigger: 'OpenCode release with config changes',
+    targets: [
+      'src/opencode/techniques.js — update DEPRECATED_CONFIG_KEYS if keys renamed/removed',
+      'src/opencode/config-parser.js — update JSONC validation',
+      'src/opencode/governance.js — update caveats if behavior changes',
+      'test/opencode-check-matrix.js — update check expectations',
+    ],
+  },
+  {
+    trigger: 'New OpenCode plugin event type added',
+    targets: [
+      'src/opencode/techniques.js — add to VALID_PLUGIN_EVENTS',
+      'src/opencode/governance.js — add to OPENCODE_PLUGIN_GOVERNANCE',
+      'src/opencode/setup.js — update plugins starter template',
+    ],
+  },
+  {
+    trigger: 'New OpenCode permission tool added',
+    targets: [
+      'src/opencode/techniques.js — add to PERMISSIONED_TOOLS',
+      'src/opencode/governance.js — update permission profiles',
+      'src/opencode/setup.js — update default permission config',
+    ],
+  },
+  {
+    trigger: 'OpenCode MCP schema change',
+    targets: [
+      'src/opencode/mcp-packs.js — update JSONC projections',
+      'src/opencode/techniques.js — update MCP checks',
+    ],
+  },
+  {
+    trigger: 'Known security bug fixed or new bug reported',
+    targets: [
+      'src/opencode/techniques.js — update security checks (E02, E03, D05)',
+      'src/opencode/governance.js — update platformCaveats',
+      'src/opencode/freshness.js — verify against latest release',
+    ],
+  },
+];
+
+function checkReleaseGate(sourceVerifications = {}) {
+  const now = new Date();
+  const results = P0_SOURCES.map(source => {
+    const verifiedAt = sourceVerifications[source.key]
+      ? new Date(sourceVerifications[source.key])
+      : source.verifiedAt ? new Date(source.verifiedAt) : null;
+
+    if (!verifiedAt) {
+      return { ...source, status: 'unverified', daysStale: null };
+    }
+
+    const daysSince = Math.floor((now - verifiedAt) / (1000 * 60 * 60 * 24));
+    const isStale = daysSince > source.stalenessThresholdDays;
+
+    return {
+      ...source,
+      verifiedAt: verifiedAt.toISOString(),
+      daysStale: daysSince,
+      status: isStale ? 'stale' : 'fresh',
+    };
+  });
+
+  return {
+    ready: results.every(r => r.status === 'fresh'),
+    stale: results.filter(r => r.status === 'stale' || r.status === 'unverified'),
+    fresh: results.filter(r => r.status === 'fresh'),
+    results,
+  };
+}
+
+function formatReleaseGate(gateResult) {
+  const lines = [
+    `OpenCode Freshness Gate (nerviq v${version})`,
+    '═══════════════════════════════════════',
+    '',
+    `Status: ${gateResult.ready ? 'READY' : 'BLOCKED'}`,
+    `Fresh: ${gateResult.fresh.length}/${gateResult.results.length}`,
+    '',
+  ];
+
+  for (const result of gateResult.results) {
+    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
+    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
+    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
+  }
+
+  if (!gateResult.ready) {
+    lines.push('');
+    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
+  }
+
+  return lines.join('\n');
+}
+
+function getPropagationTargets(triggerKeyword) {
+  const keyword = triggerKeyword.toLowerCase();
+  return PROPAGATION_CHECKLIST.filter(item =>
+    item.trigger.toLowerCase().includes(keyword)
+  );
+}
+
+module.exports = {
+  P0_SOURCES,
+  PROPAGATION_CHECKLIST,
+  checkReleaseGate,
+  formatReleaseGate,
+  getPropagationTargets,
+};

package/src/techniques.js

@@ -954,6 +954,119 @@ const TECHNIQUES = {
     template: null
   },
 
+  // --- Dockerfile best practices (Issue #8) ---
+
+  dockerMultiStage: {
+    id: 39902,
+    name: 'Dockerfile uses multi-stage build',
+    check: (ctx) => {
+      const df = findProjectFiles(ctx, /^Dockerfile$/i);
+      if (df.length === 0) return null;
+      const content = ctx.fileContent(df[0]) || '';
+      return (content.match(/^FROM\s/gim) || []).length >= 2;
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'devops',
+    fix: 'Use multi-stage builds in Dockerfile to reduce image size and avoid leaking build tools into production.',
+    template: null
+  },
+
+  dockerignoreExists: {
+    id: 39903,
+    name: '.dockerignore includes node_modules and .env',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /^Dockerfile/i.test(f))) return null;
+      const di = ctx.fileContent('.dockerignore') || '';
+      return di.includes('node_modules') && /\.env/i.test(di);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Add .dockerignore with node_modules, .env, and other sensitive/large files to keep images small and secure.',
+    template: null
+  },
+
+  dockerNoSecrets: {
+    id: 39904,
+    name: 'Dockerfile has no secrets in build args',
+    check: (ctx) => {
+      const df = findProjectFiles(ctx, /^Dockerfile$/i);
+      if (df.length === 0) return null;
+      const content = ctx.fileContent(df[0]) || '';
+      return !/ARG\s+(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/i.test(content);
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'devops',
+    fix: 'Never pass secrets via ARG in Dockerfile — use runtime environment variables or secret mounts instead.',
+    template: null
+  },
+
+  // --- Terraform checks (Issue #10) ---
+
+  terraformFmt: {
+    id: 39705,
+    name: 'Terraform formatting configured',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      const ci = readProjectFiles(ctx, /\.(yml|yaml)$/i, 10);
+      const makefileContent = ctx.fileContent('Makefile') || '';
+      const preCommit = ctx.fileContent('.pre-commit-config.yaml') || '';
+      return /terraform\s+fmt/i.test(ci) || /terraform\s+fmt/i.test(makefileContent) || /terraform_fmt/i.test(preCommit);
+    },
+    impact: 'medium',
+    rating: 3,
+    category: 'devops',
+    fix: 'Add `terraform fmt` to CI or pre-commit hooks to enforce consistent formatting.',
+    template: null
+  },
+
+  terraformDirIgnored: {
+    id: 39706,
+    name: '.terraform directory in .gitignore',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      const gi = ctx.fileContent('.gitignore') || '';
+      return /\.terraform/i.test(gi);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Add .terraform/ to .gitignore — it contains provider binaries and should not be committed.',
+    template: null
+  },
+
+  terraformStateNotCommitted: {
+    id: 39707,
+    name: 'Terraform state file not committed',
+    check: (ctx) => {
+      if (!ctx.files.some(f => /\.tf$/.test(f))) return null;
+      return !ctx.files.some(f => /terraform\.tfstate$/i.test(f));
+    },
+    impact: 'critical',
+    rating: 5,
+    category: 'devops',
+    fix: 'Never commit terraform.tfstate — it may contain secrets. Use a remote backend (S3, GCS, Terraform Cloud).',
+    template: null
+  },
+
+  terraformBackendConfigured: {
+    id: 39708,
+    name: 'Terraform remote backend configured',
+    check: (ctx) => {
+      const tfFiles = findProjectFiles(ctx, /\.tf$/);
+      if (tfFiles.length === 0) return null;
+      const allTf = tfFiles.slice(0, 10).map(f => ctx.fileContent(f) || '').join('\n');
+      return /backend\s+"(s3|gcs|azurerm|remote|cloud|consul|http)"/i.test(allTf);
+    },
+    impact: 'high',
+    rating: 4,
+    category: 'devops',
+    fix: 'Configure a remote backend in Terraform (S3, GCS, Terraform Cloud) for team collaboration and state locking.',
+    template: null
+  },
+
   // ============================================================
   // === PROJECT HYGIENE (category: 'hygiene') ==================
   // ============================================================