@nerviq/cli 1.9.0 → 1.11.0

package/src/aider/freshness.js

@@ -1,123 +1,127 @@
-/**
- * Aider Freshness Operationalization
- *
- * Release gates, recurring probes, propagation checklists,
- * and staleness blocking for Aider surfaces.
- */
-
-const { version } = require('../../package.json');
-
-/**
- * P0 sources that must be fresh before any Aider release claim.
- */
-const P0_SOURCES = [
-  {
-    key: 'aider-docs',
-    label: 'Aider Official Docs',
-    url: 'https://aider.chat',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'aider-config-reference',
-    label: 'Aider Config Reference',
-    url: 'https://aider.chat/docs/config/aider_conf.html',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'aider-github-releases',
-    label: 'Aider GitHub Releases',
-    url: 'https://github.com/paul-gauthier/aider/releases',
-    stalenessThresholdDays: 14,
-    verifiedAt: null,
-  },
-  {
-    key: 'aider-model-docs',
-    label: 'Aider Model Documentation',
-    url: 'https://aider.chat/docs/llms.html',
-    stalenessThresholdDays: 30,
-    verifiedAt: null,
-  },
-  {
-    key: 'aider-pypi',
-    label: 'Aider PyPI Package',
-    url: 'https://pypi.org/project/aider-chat/',
-    stalenessThresholdDays: 14,
-    verifiedAt: null,
-  },
-];
-
-/**
- * Propagation checklist: when an Aider source changes, these must update.
- */
-const PROPAGATION_CHECKLIST = [
-  {
-    trigger: 'Aider release with new config keys',
-    targets: [
-      'src/aider/techniques.js — update checks for new keys',
-      'src/aider/config-parser.js — update if YAML handling changes',
-      'src/aider/setup.js — update generated .aider.conf.yml template',
-    ],
-  },
-  {
-    trigger: 'New Aider model support or role changes',
-    targets: [
-      'src/aider/techniques.js — update model config checks',
-      'src/aider/context.js — update modelRoles()',
-      'src/aider/governance.js — update policy packs if needed',
-    ],
-  },
-  {
-    trigger: 'New Aider edit format or architect changes',
-    targets: [
-      'src/aider/techniques.js — update edit format checks',
-      'src/aider/setup.js — update template comments',
-    ],
-  },
-  {
-    trigger: 'Aider CLI flag changes (renamed/removed)',
-    targets: [
-      'src/aider/techniques.js — update flag pattern matching',
-      'src/aider/setup.js — update generated config',
-      'src/aider/interactive.js — update wizard options',
-    ],
-  },
-  {
-    trigger: 'Aider domain pack definitions change',
-    targets: [
-      'src/aider/domain-packs.js — update pack registry',
-      'src/aider/governance.js — governance export picks up changes',
-    ],
-  },
-];
-
-/**
+/**
+ * Aider Freshness Operationalization
+ *
+ * Release gates, recurring probes, propagation checklists,
+ * and staleness blocking for Aider surfaces.
+ */
+
+const { version } = require('../../package.json');
+
+/**
+ * P0 sources that must be fresh before any Aider release claim.
+ */
+const P0_SOURCES = [
+  {
+    key: 'aider-docs',
+    label: 'Aider Official Docs',
+    url: 'https://aider.chat',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-08',
+  },
+  {
+    key: 'aider-config-reference',
+    label: 'Aider Config Reference',
+    url: 'https://aider.chat/docs/config/aider_conf.html',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-08',
+  },
+  {
+    key: 'aider-github-releases',
+    label: 'Aider GitHub Releases',
+    url: 'https://github.com/Aider-AI/aider/releases',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-08',
+  },
+  {
+    key: 'aider-model-docs',
+    label: 'Aider Model Documentation',
+    url: 'https://aider.chat/docs/llms.html',
+    stalenessThresholdDays: 30,
+    verifiedAt: '2026-04-08',
+  },
+  {
+    key: 'aider-pypi',
+    label: 'Aider PyPI Package',
+    url: 'https://pypi.org/project/aider-chat/',
+    stalenessThresholdDays: 14,
+    verifiedAt: '2026-04-08',
+  },
+];
+
+/**
+ * Propagation checklist: when an Aider source changes, these must update.
+ */
+const PROPAGATION_CHECKLIST = [
+  {
+    trigger: 'Aider release with new config keys',
+    targets: [
+      'src/aider/techniques.js — update checks for new keys',
+      'src/aider/config-parser.js — update if YAML handling changes',
+      'src/aider/setup.js — update generated .aider.conf.yml template',
+    ],
+  },
+  {
+    trigger: 'New Aider model support or role changes',
+    targets: [
+      'src/aider/techniques.js — update model config checks',
+      'src/aider/context.js — update modelRoles()',
+      'src/aider/governance.js — update policy packs if needed',
+    ],
+  },
+  {
+    trigger: 'New Aider edit format or architect changes',
+    targets: [
+      'src/aider/techniques.js — update edit format checks',
+      'src/aider/setup.js — update template comments',
+    ],
+  },
+  {
+    trigger: 'Aider CLI flag changes (renamed/removed)',
+    targets: [
+      'src/aider/techniques.js — update flag pattern matching',
+      'src/aider/setup.js — update generated config',
+      'src/aider/interactive.js — update wizard options',
+    ],
+  },
+  {
+    trigger: 'Aider domain pack definitions change',
+    targets: [
+      'src/aider/domain-packs.js — update pack registry',
+      'src/aider/governance.js — governance export picks up changes',
+    ],
+  },
+];
+
+/**
  * Check release gate — are all P0 sources fresh?
  */
 function checkReleaseGate(overrides = {}) {
   const now = new Date();
   const results = P0_SOURCES.map(source => {
-    const verifiedAt = overrides[source.key] || source.verifiedAt;
-    if (!verifiedAt) {
-      return { ...source, status: 'unverified', daysStale: null };
-    }
-
-    const verifiedDate = new Date(verifiedAt);
-    const daysSince = Math.floor((now - verifiedDate) / (1000 * 60 * 60 * 24));
-
-    return {
-      ...source,
-      verifiedAt,
-      status: daysSince <= source.stalenessThresholdDays ? 'fresh' : 'stale',
-      daysStale: daysSince,
-    };
-  });
-
-  const allFresh = results.every(r => r.status === 'fresh');
+    const verifiedAt = overrides[source.key] || source.verifiedAt;
+    if (!verifiedAt) {
+      return { ...source, status: 'unverified', daysStale: null };
+    }
+
+    const verifiedDate = new Date(verifiedAt);
+    const daysSince = Math.floor((now - verifiedDate) / (1000 * 60 * 60 * 24));
+
+    return {
+      ...source,
+      verifiedAt,
+      status: daysSince <= source.stalenessThresholdDays ? 'fresh' : 'stale',
+      daysStale: daysSince,
+    };
+  });
+
+  const stale = results.filter((result) => result.status === 'stale' || result.status === 'unverified');
+  const fresh = results.filter((result) => result.status === 'fresh');
+  const allFresh = stale.length === 0;
 
   return {
     ready: allFresh,
+    stale,
+    fresh,
     results,
     nerviqVersion: version,
     checkedAt: now.toISOString(),
@@ -127,42 +131,41 @@ function checkReleaseGate(overrides = {}) {
 /**
  * Format release gate for display.
  */
-function formatReleaseGate(overrides = {}) {
-  const gateResult = checkReleaseGate(overrides);
+function formatReleaseGate(gateResult) {
   const lines = [
     `Aider Release Freshness Gate (nerviq v${version})`,
     `Status: ${gateResult.ready ? 'READY' : 'NOT READY'}`,
     '',
   ];
-
-  for (const result of gateResult.results) {
-    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
-    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
-    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
-  }
-
-  if (!gateResult.ready) {
-    lines.push('');
-    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
-  }
-
-  return lines.join('\n');
-}
-
-/**
- * Get propagation targets for a given trigger.
- */
-function getPropagationTargets(triggerKeyword) {
-  const keyword = triggerKeyword.toLowerCase();
-  return PROPAGATION_CHECKLIST.filter(item =>
-    item.trigger.toLowerCase().includes(keyword)
-  );
-}
-
-module.exports = {
-  P0_SOURCES,
-  PROPAGATION_CHECKLIST,
-  checkReleaseGate,
-  formatReleaseGate,
-  getPropagationTargets,
-};
+
+  for (const result of gateResult.results) {
+    const icon = result.status === 'fresh' ? '✓' : result.status === 'stale' ? '✗' : '?';
+    const age = result.daysStale !== null ? ` (${result.daysStale}d ago)` : ' (unverified)';
+    lines.push(`  ${icon} ${result.label}${age} — threshold: ${result.stalenessThresholdDays}d`);
+  }
+
+  if (!gateResult.ready) {
+    lines.push('');
+    lines.push('Action required: verify stale/unverified sources before claiming release freshness.');
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Get propagation targets for a given trigger.
+ */
+function getPropagationTargets(triggerKeyword) {
+  const keyword = triggerKeyword.toLowerCase();
+  return PROPAGATION_CHECKLIST.filter(item =>
+    item.trigger.toLowerCase().includes(keyword)
+  );
+}
+
+module.exports = {
+  P0_SOURCES,
+  PROPAGATION_CHECKLIST,
+  checkReleaseGate,
+  formatReleaseGate,
+  getPropagationTargets,
+};

package/src/analyze.js

@@ -11,6 +11,7 @@ const { STACKS } = require('./techniques');
 const { detectDomainPacks } = require('./domain-packs');
 const { detectCodexDomainPacks } = require('./codex/domain-packs');
 const { recommendMcpPacks } = require('./mcp-packs');
+const { collectClaudeDenyRules } = require('./permission-rules');
 
 const COLORS = {
   reset: '\x1b[0m',
@@ -101,6 +102,7 @@ function collectClaudeAssets(ctx) {
   const sharedSettings = ctx.jsonFile('.claude/settings.json');
   const localSettings = ctx.jsonFile('.claude/settings.local.json');
   const settings = sharedSettings || localSettings || null;
+  const denyRules = collectClaudeDenyRules(ctx);
 
   const assetFiles = {
     claudeMd: ctx.fileContent('CLAUDE.md') ? 'CLAUDE.md' : (ctx.fileContent('.claude/CLAUDE.md') ? '.claude/CLAUDE.md' : null),
@@ -129,7 +131,7 @@ function collectClaudeAssets(ctx) {
     },
     permissions: settings && settings.permissions ? {
       defaultMode: settings.permissions.defaultMode || null,
-      hasDenyRules: Array.isArray(settings.permissions.deny) && settings.permissions.deny.length > 0,
+      hasDenyRules: denyRules.length > 0,
     } : null,
     settingsSource: assetFiles.settings,
     summaryLine: `Commands: ${assetFiles.commands.length} | Rules: ${assetFiles.rules.length} | Hooks: ${assetFiles.hooks.length} | Agents: ${assetFiles.agents.length} | Skills: ${assetFiles.skills.length} | MCP servers: ${settings && settings.mcpServers ? Object.keys(settings.mcpServers).length : 0}`,

package/src/anti-patterns.js

@@ -3,7 +3,13 @@
  * Provides a static catalog and a runtime detector that checks a project context.
  */
 
-const path = require('path');
+const {
+  getRepoInstructionBundle,
+  hasDocumentedVerificationGuidance,
+  hasDocumentedTestCommand,
+} = require('./instruction-surfaces');
+const { collectClaudeDenyRules } = require('./permission-rules');
+const { containsEmbeddedSecret } = require('./secret-patterns');
 
 const ANTI_PATTERNS = [
   {
@@ -28,7 +34,7 @@ const ANTI_PATTERNS = [
     detect: (ctx) => {
       const settings = ctx.jsonFile('.claude/settings.json') || ctx.jsonFile('.claude/settings.local.json');
       if (!settings || !settings.permissions) return true;
-      return !Array.isArray(settings.permissions.deny) || settings.permissions.deny.length === 0;
+      return collectClaudeDenyRules(ctx).length === 0;
     },
   },
   {
@@ -93,15 +99,13 @@ const ANTI_PATTERNS = [
     id: 'AP007',
     name: 'No verification commands',
     severity: 'medium',
-    description: 'Without test, lint, or build commands in CLAUDE.md, the agent cannot self-verify its changes.',
+    description: 'Without test, lint, or build commands across the repo instruction surfaces, agents cannot self-verify changes consistently.',
     platforms: ['claude', 'codex', 'cursor', 'windsurf', 'copilot', 'gemini', 'aider', 'opencode'],
-    fix: 'Add ## Verification Commands section with test, lint, and build commands to your instruction file.',
+    fix: 'Add a canonical verification section or command doc in your repo instruction surfaces (for example CLAUDE.md, AGENTS.md, README, or platform rules).',
     detect: (ctx) => {
-      const content = ctx.fileContent('CLAUDE.md') || ctx.fileContent('.claude/CLAUDE.md') || '';
+      const content = getRepoInstructionBundle(ctx);
       if (!content) return false;
-      const hasVerification = /\b(test|lint|build|check|verify)\b/i.test(content) &&
-        /\b(npm |yarn |pnpm |pytest|cargo |go |make )/i.test(content);
-      return !hasVerification;
+      return !hasDocumentedVerificationGuidance(content);
     },
   },
   {
@@ -203,13 +207,13 @@ const ANTI_PATTERNS = [
     id: 'AP014',
     name: 'No test command defined',
     severity: 'medium',
-    description: 'Without a test command, the agent cannot verify its changes work before presenting them for review.',
+    description: 'Without a canonical test command in repo instructions or scripts, agents cannot verify changes reliably before handoff.',
     platforms: ['claude', 'codex', 'cursor', 'windsurf', 'copilot', 'gemini', 'aider', 'opencode'],
-    fix: 'Add a test command in your instruction file, e.g., "Test: npm test" or "Test: pytest".',
+    fix: 'Add a canonical test command in repo instructions or package scripts, e.g. "Test: npm test" or "Test: pytest".',
     detect: (ctx) => {
-      const content = ctx.fileContent('CLAUDE.md') || ctx.fileContent('.claude/CLAUDE.md') || '';
+      const content = getRepoInstructionBundle(ctx);
       const pkg = ctx.jsonFile('package.json');
-      const hasTestInMd = /(?:test|testing)\s*(?:command)?[:\s]+[`"']*(?:npm|yarn|pnpm|pytest|cargo|go|make)\s/i.test(content);
+      const hasTestInMd = hasDocumentedTestCommand(content);
       const hasTestScript = pkg && pkg.scripts && pkg.scripts.test;
       return !hasTestInMd && !hasTestScript;
     },
@@ -320,7 +324,7 @@ const ANTI_PATTERNS = [
       ];
       for (const file of hookFiles) {
         const content = ctx.fileContent(`.claude/hooks/${file}`) || '';
-        if (secretPatterns.some(p => p.test(content))) {
+        if (secretPatterns.some(p => p.test(content)) || containsEmbeddedSecret(content)) {
           return true;
         }
       }