@nerviq/cli 1.9.0 → 1.11.0

package/src/governance.js

@@ -1,6 +1,7 @@
-const { DOMAIN_PACKS } = require('./domain-packs');
-const { MCP_PACKS, mergeMcpServers, normalizeMcpPackKeys } = require('./mcp-packs');
-const { getCodexGovernanceSummary } = require('./codex/governance');
+const { DOMAIN_PACKS } = require('./domain-packs');
+const { MCP_PACKS, mergeMcpServers, normalizeMcpPackKeys } = require('./mcp-packs');
+const { getCodexGovernanceSummary } = require('./codex/governance');
+const { formatTerminologyLines } = require('./terminology');
 
 const PERMISSION_PROFILES = [
   {
@@ -406,10 +407,15 @@ function printGovernanceSummary(summary, options = {}) {
   console.log('');
   console.log(`  nerviq ${summary.platformLabel.toLowerCase()} governance`);
   console.log('  ═══════════════════════════════════════');
-  console.log(`  Safe defaults, hook transparency, and pilot guidance for ${summary.platformLabel}.`);
-  console.log('');
-
-  console.log('  Permission Profiles');
+  console.log(`  Safe defaults, hook transparency, and pilot guidance for ${summary.platformLabel}.`);
+  console.log('');
+
+  for (const line of formatTerminologyLines(['governance', 'hooks', 'denyRules', 'mcp'])) {
+    console.log(line);
+  }
+  console.log('');
+
+  console.log('  Permission Profiles');
   for (const profile of summary.permissionProfiles) {
     console.log(`  - ${profile.label} [${profile.risk}]`);
     console.log(`    ${profile.useWhen}`);

package/src/index.js

@@ -88,7 +88,7 @@ const { getOpenCodeGovernanceSummary } = require('./opencode/governance');
 const { runOpenCodeDeepReview } = require('./opencode/deep-review');
 const { opencodeInteractive } = require('./opencode/interactive');
 const { detectPlatforms, getCatalog, synergyReport } = require('./public-api');
-const { createServer, startServer } = require('./server');
+const { buildServeOpenApiSpec, createServer, startServer } = require('./server');
 
 module.exports = {
   audit,
@@ -101,6 +101,7 @@ module.exports = {
   detectPlatforms,
   getCatalog,
   synergyReport,
+  buildServeOpenApiSpec,
   createServer,
   startServer,
   DOMAIN_PACKS,

package/src/instruction-surfaces.js

@@ -0,0 +1,185 @@
+const path = require('path');
+
+const TEST_COMMAND_PATTERNS = [
+  /\b(?:npm|pnpm|yarn|bun)(?:\s+run)?\s+test\b/i,
+  /\b(?:python\s+-m\s+)?pytest\b/i,
+  /\bpython\s+manage\.py\s+test\b/i,
+  /\bdjango-admin\s+test\b/i,
+  /\bpython\s+-m\s+unittest\b/i,
+  /\bgo\s+test(?:\s|$)/i,
+  /\bcargo\s+test\b/i,
+  /\bmake\s+test\b/i,
+  /\bmix\s+test\b/i,
+  /\bbundle\s+exec\s+rspec\b/i,
+  /\brspec\b/i,
+  /\bphpunit\b/i,
+  /\bdotnet\s+test(?:\s|$)/i,
+  /\bflutter\s+test\b/i,
+  /\bswift\s+test\b/i,
+  /\bxcodebuild\b[^\n\r`]{0,200}\btest\b/i,
+  /\bgradlew?\s+test\b/i,
+  /\bmvn(?:w)?\s+test\b/i,
+  /\bplaywright\s+test\b/i,
+  /\bcypress\s+run\b/i,
+];
+
+const LINT_COMMAND_PATTERNS = [
+  /\b(?:npm|pnpm|yarn|bun)(?:\s+run)?\s+lint\b/i,
+  /\beslint\b/i,
+  /\bprettier\b/i,
+  /\bruff(?:\s+(?:check|format))?\b/i,
+  /\bblack\b/i,
+  /\bflake8\b/i,
+  /\bpylint\b/i,
+  /\bmypy\b/i,
+  /\bpyright\b/i,
+  /\bgo\s+vet\b/i,
+  /\bgofmt\b/i,
+  /\bgofumpt\b/i,
+  /\bstaticcheck\b/i,
+  /\bgolangci-lint\b/i,
+  /\bcargo\s+clippy\b/i,
+  /\bflutter\s+analyze\b/i,
+  /\bdart\s+analyze\b/i,
+  /\bswiftlint\b/i,
+  /\bswift(?:-|\s+)format\b/i,
+  /\bdotnet\s+format(?:\s|$)/i,
+  /\bgradlew?\s+lint\b/i,
+  /\bmvn(?:w)?\s+(?:checkstyle:check|spotbugs:check|verify)\b/i,
+];
+
+const BUILD_COMMAND_PATTERNS = [
+  /\b(?:npm|pnpm|yarn|bun)(?:\s+run)?\s+build\b/i,
+  /\btsc(?:\s|$)/i,
+  /\bgo\s+build(?:\s|$)/i,
+  /\bcargo\s+(?:build|check)\b/i,
+  /\bmake\s+build\b/i,
+  /\bdotnet\s+(?:build|publish)(?:\s|$)/i,
+  /\bmsbuild\b/i,
+  /\bflutter\s+build(?:\s|$)/i,
+  /\bswift\s+build\b/i,
+  /\bxcodebuild\b/i,
+  /\bgradlew?\s+(?:build|assemble)\b/i,
+  /\bmvn(?:w)?\s+(?:compile|package|verify|install)\b/i,
+  /\bpython\s+-m\s+build\b/i,
+  /\bpoetry\s+build\b/i,
+];
+
+function normalizePath(filePath) {
+  return String(filePath || '').replace(/\\/g, '/').replace(/^\.\//, '');
+}
+
+function addSurface(ctx, surfaces, seen, filePath) {
+  const normalized = normalizePath(filePath);
+  if (!normalized || seen.has(normalized)) return;
+  const content = typeof ctx.fileContent === 'function' ? (ctx.fileContent(normalized) || '') : '';
+  if (!content.trim()) return;
+  seen.add(normalized);
+  surfaces.push({ path: normalized, content });
+}
+
+function addDirSurfaces(ctx, surfaces, seen, dirPath, filter) {
+  if (typeof ctx.dirFiles !== 'function') return;
+  for (const entry of ctx.dirFiles(dirPath) || []) {
+    if (filter && !filter.test(entry)) continue;
+    addSurface(ctx, surfaces, seen, path.join(dirPath, entry));
+  }
+}
+
+function buildSurfaceList(ctx, scope) {
+  const surfaces = [];
+  const seen = new Set();
+  const includeReadme = scope === 'repo';
+
+  addSurface(ctx, surfaces, seen, 'CLAUDE.md');
+  addSurface(ctx, surfaces, seen, '.claude/CLAUDE.md');
+  addDirSurfaces(ctx, surfaces, seen, '.claude/rules', /\.md$/i);
+  addDirSurfaces(ctx, surfaces, seen, '.claude/commands', /\.md$/i);
+  addDirSurfaces(ctx, surfaces, seen, '.claude/agents', /\.md$/i);
+
+  if (scope === 'repo') {
+    addSurface(ctx, surfaces, seen, 'AGENTS.md');
+    addSurface(ctx, surfaces, seen, 'AGENTS.override.md');
+    addSurface(ctx, surfaces, seen, '.cursorrules');
+    addSurface(ctx, surfaces, seen, '.windsurfrules');
+    addSurface(ctx, surfaces, seen, 'GEMINI.md');
+    addSurface(ctx, surfaces, seen, '.gemini/GEMINI.md');
+    addSurface(ctx, surfaces, seen, '.github/copilot-instructions.md');
+    addDirSurfaces(ctx, surfaces, seen, '.cursor/rules', /\.(md|mdc)$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.cursor/commands', /\.md$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.windsurf/rules', /\.md$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.windsurf/workflows', /\.md$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.github/instructions', /\.instructions\.md$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.github/prompts', /\.prompt\.md$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.opencode/commands', /\.(md|markdown|ya?ml)$/i);
+    addDirSurfaces(ctx, surfaces, seen, '.gemini/agents', /\.md$/i);
+  }
+
+  if (includeReadme) {
+    addSurface(ctx, surfaces, seen, 'README.md');
+    addSurface(ctx, surfaces, seen, 'CONTRIBUTING.md');
+  }
+
+  return surfaces;
+}
+
+function getSurfaceBundle(ctx, scope) {
+  const cacheKey = scope === 'repo' ? '__nerviqRepoInstructionBundle' : '__nerviqClaudeInstructionBundle';
+  if (ctx && ctx[cacheKey] !== undefined) return ctx[cacheKey];
+  const bundle = buildSurfaceList(ctx, scope)
+    .map((surface) => surface.content)
+    .join('\n\n');
+  if (ctx) ctx[cacheKey] = bundle;
+  return bundle;
+}
+
+function matchesAny(text, patterns) {
+  const normalized = String(text || '');
+  return patterns.some((pattern) => {
+    pattern.lastIndex = 0;
+    return pattern.test(normalized);
+  });
+}
+
+function hasDocumentedTestCommand(text) {
+  return matchesAny(text, TEST_COMMAND_PATTERNS);
+}
+
+function hasDocumentedLintCommand(text) {
+  return matchesAny(text, LINT_COMMAND_PATTERNS);
+}
+
+function hasDocumentedBuildCommand(text) {
+  return matchesAny(text, BUILD_COMMAND_PATTERNS);
+}
+
+function hasDocumentedVerificationGuidance(text) {
+  const normalized = String(text || '');
+  if (!normalized.trim()) return false;
+  return hasDocumentedTestCommand(normalized) ||
+    hasDocumentedLintCommand(normalized) ||
+    hasDocumentedBuildCommand(normalized) ||
+    (/\b(?:verification|verify|self-check|quality gate)\b/i.test(normalized) &&
+      matchesAny(normalized, [
+        ...TEST_COMMAND_PATTERNS,
+        ...LINT_COMMAND_PATTERNS,
+        ...BUILD_COMMAND_PATTERNS,
+      ]));
+}
+
+function getClaudeInstructionBundle(ctx) {
+  return getSurfaceBundle(ctx, 'claude');
+}
+
+function getRepoInstructionBundle(ctx) {
+  return getSurfaceBundle(ctx, 'repo');
+}
+
+module.exports = {
+  getClaudeInstructionBundle,
+  getRepoInstructionBundle,
+  hasDocumentedVerificationGuidance,
+  hasDocumentedTestCommand,
+  hasDocumentedLintCommand,
+  hasDocumentedBuildCommand,
+};

package/src/integrations.js

@@ -10,66 +10,113 @@
 
 'use strict';
 
-const https = require('https');
-const http = require('http');
-const { URL } = require('url');
-
-// ─── Webhook delivery ────────────────────────────────────────────────────────
+const https = require('https');
+const http = require('http');
+const { URL } = require('url');
+
+const RETRYABLE_STATUS_CODES = new Set([408, 425, 429, 500, 502, 503, 504]);
+
+function wait(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+function sendWebhookOnce(parsed, body, opts = {}) {
+  return new Promise((resolve, reject) => {
+    const timeoutMs = opts.timeoutMs ?? 10_000;
+    const customHeaders = opts.headers || {};
+    const headers = {
+      'User-Agent': `nerviq/${require('../package.json').version}`,
+      ...customHeaders,
+      'Content-Length': Buffer.byteLength(body),
+    };
+
+    const hasContentTypeHeader = Object.keys(headers).some((name) => name.toLowerCase() === 'content-type');
+    if (!hasContentTypeHeader) {
+      headers['Content-Type'] = 'application/json';
+    }
+
+    const options = {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+      path: parsed.pathname + (parsed.search || ''),
+      method: 'POST',
+      headers,
+    };
+
+    const transport = parsed.protocol === 'https:' ? https : http;
+
+    const req = transport.request(options, (res) => {
+      const chunks = [];
+      res.on('data', (c) => chunks.push(c));
+      res.on('end', () => {
+        const respBody = Buffer.concat(chunks).toString('utf8');
+        resolve({ ok: res.statusCode >= 200 && res.statusCode < 300, status: res.statusCode, body: respBody });
+      });
+    });
+
+    req.setTimeout(timeoutMs, () => {
+      req.destroy(new Error(`Webhook request timed out after ${timeoutMs}ms`));
+    });
+
+    req.on('error', reject);
+    req.write(body);
+    req.end();
+  });
+}
+
+// ─── Webhook delivery ────────────────────────────────────────────────────────
 
 /**
  * POST JSON payload to a webhook URL.
  * @param {string} url  - Destination URL (http or https)
  * @param {object} payload - JSON-serialisable object
- * @param {object} [opts]
- * @param {number} [opts.timeoutMs=10000]
- * @param {object} [opts.headers]
- * @returns {Promise<{ ok: boolean, status: number, body: string }>}
- */
-function sendWebhook(url, payload, opts = {}) {
-  return new Promise((resolve, reject) => {
-    let parsed;
-    try {
-      parsed = new URL(url);
-    } catch {
-      return reject(new Error(`Invalid webhook URL: ${url}`));
-    }
-
-    const body = JSON.stringify(payload);
-    const timeoutMs = opts.timeoutMs ?? 10_000;
-
-    const options = {
-      hostname: parsed.hostname,
-      port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
-      path: parsed.pathname + (parsed.search || ''),
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Content-Length': Buffer.byteLength(body),
-        'User-Agent': `nerviq/${require('../package.json').version}`,
-        ...(opts.headers || {}),
-      },
-    };
-
-    const transport = parsed.protocol === 'https:' ? https : http;
-
-    const req = transport.request(options, (res) => {
-      const chunks = [];
-      res.on('data', (c) => chunks.push(c));
-      res.on('end', () => {
-        const respBody = Buffer.concat(chunks).toString('utf8');
-        resolve({ ok: res.statusCode >= 200 && res.statusCode < 300, status: res.statusCode, body: respBody });
-      });
-    });
-
-    req.setTimeout(timeoutMs, () => {
-      req.destroy(new Error(`Webhook request timed out after ${timeoutMs}ms`));
-    });
-
-    req.on('error', reject);
-    req.write(body);
-    req.end();
-  });
-}
+ * @param {object} [opts]
+ * @param {number} [opts.timeoutMs=10000]
+ * @param {object} [opts.headers]
+ * @param {number} [opts.retries=2]
+ * @param {number} [opts.retryDelayMs=400]
+ * @returns {Promise<{ ok: boolean, status: number, body: string, attempts: number }>}
+ */
+async function sendWebhook(url, payload, opts = {}) {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error(`Invalid webhook URL: ${url}`);
+  }
+
+  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+    throw new Error(`Unsupported webhook protocol: ${parsed.protocol}`);
+  }
+
+  const body = JSON.stringify(payload);
+  const retries = Number.isInteger(opts.retries) && opts.retries >= 0 ? opts.retries : 2;
+  const retryDelayMs = Number.isFinite(opts.retryDelayMs) && opts.retryDelayMs >= 0 ? opts.retryDelayMs : 400;
+  const maxAttempts = retries + 1;
+
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      const response = await sendWebhookOnce(parsed, body, opts);
+      const enriched = { ...response, attempts: attempt };
+      const shouldRetry = RETRYABLE_STATUS_CODES.has(response.status) && attempt < maxAttempts;
+      if (!shouldRetry) {
+        return enriched;
+      }
+    } catch (error) {
+      error.attempts = attempt;
+      if (attempt >= maxAttempts) {
+        throw error;
+      }
+    }
+
+    const delayMs = retryDelayMs * attempt;
+    if (delayMs > 0) {
+      await wait(delayMs);
+    }
+  }
+
+  return { ok: false, status: 0, body: '', attempts: maxAttempts };
+}
 
 // ─── Slack formatting ─────────────────────────────────────────────────────────
 

package/src/locales/en.json

@@ -7,7 +7,7 @@
   "audit.platform": "Platform: {platform} ({version})",
   "audit.domainPacks": "Domain packs: {packs}",
   "audit.scope": "Scope: {message}",
-  "audit.score": "Score: {score}/100  ({passed}/{total} checks passing)",
+  "audit.score": "Live audit score: {score}  ({passed}/{total} checks passing)",
   "audit.found": "Found: {files}",
   "audit.excellent": "Excellent setup — production-ready governance",
   "audit.strong": "Strong setup — {count} critical items to address",

package/src/locales/es.json

@@ -7,7 +7,7 @@
   "audit.platform": "Plataforma: {platform} ({version})",
   "audit.domainPacks": "Paquetes de dominio: {packs}",
   "audit.scope": "Alcance: {message}",
-  "audit.score": "Puntuación: {score}/100  ({passed}/{total} verificaciones aprobadas)",
+  "audit.score": "Puntuación de auditoría en vivo: {score}  ({passed}/{total} verificaciones aprobadas)",
   "audit.found": "Encontrado: {files}",
   "audit.excellent": "Configuración excelente — gobernanza lista para producción",
   "audit.strong": "Configuración sólida — {count} elementos críticos por resolver",

package/src/permission-rules.js

@@ -0,0 +1,218 @@
+const fs = require('fs');
+const path = require('path');
+
+const PATH_ACTIONS = new Set(['read', 'write', 'edit', 'multiedit']);
+const SECRET_PATH_RE = /(^|\/)(\.env(?:[^/]*)?|secrets?)(\/|$)/i;
+
+function normalizeSlash(value) {
+  return String(value || '').replace(/\\/g, '/');
+}
+
+function stripWrappingQuotes(value) {
+  const trimmed = String(value || '').trim();
+  if (!trimmed) return '';
+  const first = trimmed[0];
+  const last = trimmed[trimmed.length - 1];
+  if ((first === '"' || first === "'") && first === last) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+
+function getProjectRoot(rootDir) {
+  try {
+    return fs.realpathSync.native(rootDir);
+  } catch {
+    return path.resolve(rootDir);
+  }
+}
+
+function splitPatternSegments(rawPattern, isAbsolute) {
+  const normalized = normalizeSlash(rawPattern);
+
+  if (/^[A-Za-z]:\//.test(normalized)) {
+    return normalized.slice(3).split('/').filter(Boolean);
+  }
+
+  if (isAbsolute && normalized.startsWith('/')) {
+    return normalized.slice(1).split('/').filter(Boolean);
+  }
+
+  return normalized.split('/').filter((segment) => segment && segment !== '.');
+}
+
+function hasGlob(segment) {
+  return /[*?[\]{}]/.test(segment);
+}
+
+function buildAbsolutePattern(rootDir, rawPattern) {
+  const normalized = stripWrappingQuotes(normalizeSlash(rawPattern).replace(/^file:\/\//i, ''));
+  if (!normalized) {
+    return {
+      absolutePattern: null,
+      normalizedInput: '',
+      isAbsolute: false,
+      traversalSegments: false,
+    };
+  }
+
+  const isAbsolute = /^[A-Za-z]:\//.test(normalized) || normalized.startsWith('/');
+  const traversalSegments = normalized.split('/').some((segment) => segment === '..');
+  const segments = splitPatternSegments(normalized, isAbsolute);
+  let current = isAbsolute ? path.parse(path.resolve(normalized)).root : getProjectRoot(rootDir);
+
+  for (const segment of segments) {
+    const candidate = path.join(current, segment);
+    if (hasGlob(segment)) {
+      current = candidate;
+      continue;
+    }
+
+    try {
+      current = fs.realpathSync.native(candidate);
+    } catch {
+      current = candidate;
+    }
+  }
+
+  return {
+    absolutePattern: current,
+    normalizedInput: normalized,
+    isAbsolute,
+    traversalSegments,
+  };
+}
+
+function normalizePathPayload(rawPayload, rootDir) {
+  const {
+    absolutePattern,
+    normalizedInput,
+    isAbsolute,
+    traversalSegments,
+  } = buildAbsolutePattern(rootDir, rawPayload);
+
+  if (!absolutePattern) {
+    return {
+      normalizedPath: '',
+      repoRelativePath: '',
+      outsideRepo: false,
+      invalid: true,
+      isAbsolute,
+      traversalSegments,
+    };
+  }
+
+  const projectRoot = getProjectRoot(rootDir);
+  const relativePath = normalizeSlash(path.relative(projectRoot, absolutePattern));
+  const outsideRepo = relativePath === '..' || relativePath.startsWith('../') || /^[A-Za-z]:\//.test(relativePath);
+  const repoRelativePath = outsideRepo ? null : relativePath || '.';
+  const normalizedPath = outsideRepo
+    ? normalizeSlash(absolutePattern)
+    : `./${repoRelativePath}`;
+
+  return {
+    normalizedPath,
+    repoRelativePath,
+    outsideRepo,
+    invalid: traversalSegments && outsideRepo && !isAbsolute,
+    isAbsolute,
+    traversalSegments,
+    normalizedInput,
+  };
+}
+
+function normalizeCommandPayload(rawPayload) {
+  return stripWrappingQuotes(rawPayload).replace(/\s+/g, ' ').trim();
+}
+
+function normalizePermissionRule(rule, rootDir) {
+  if (typeof rule !== 'string' || !rule.trim()) return null;
+  const trimmed = rule.trim();
+  const match = trimmed.match(/^([A-Za-z]+)\((.*)\)$/);
+  if (!match) {
+    return {
+      raw: trimmed,
+      action: null,
+      payload: trimmed,
+      normalized: trimmed,
+      dedupeKey: trimmed.toLowerCase(),
+      kind: 'raw',
+      invalid: false,
+      outsideRepo: false,
+      protectsSecrets: false,
+    };
+  }
+
+  const action = match[1];
+  const payload = match[2].trim();
+  const actionKey = action.toLowerCase();
+
+  if (PATH_ACTIONS.has(actionKey)) {
+    const details = normalizePathPayload(payload, rootDir);
+    const dedupeKey = `${actionKey}:${details.normalizedPath.toLowerCase()}`;
+    return {
+      raw: trimmed,
+      action,
+      payload,
+      normalized: `${action}(${details.normalizedPath})`,
+      normalizedPath: details.normalizedPath,
+      repoRelativePath: details.repoRelativePath,
+      dedupeKey,
+      kind: 'path',
+      invalid: details.invalid,
+      outsideRepo: details.outsideRepo,
+      traversalSegments: details.traversalSegments,
+      isAbsolute: details.isAbsolute,
+      protectsSecrets: !details.outsideRepo && SECRET_PATH_RE.test(details.repoRelativePath || ''),
+    };
+  }
+
+  const normalizedPayload = normalizeCommandPayload(payload);
+  return {
+    raw: trimmed,
+    action,
+    payload,
+    normalized: `${action}(${normalizedPayload})`,
+    dedupeKey: `${actionKey}:${normalizedPayload.toLowerCase()}`,
+    kind: 'command',
+    invalid: false,
+    outsideRepo: false,
+    protectsSecrets: false,
+  };
+}
+
+function normalizePermissionRules(rules, rootDir) {
+  const seen = new Set();
+  const normalized = [];
+
+  for (const rule of Array.isArray(rules) ? rules : []) {
+    const entry = normalizePermissionRule(rule, rootDir);
+    if (!entry || entry.invalid) continue;
+    if (seen.has(entry.dedupeKey)) continue;
+    seen.add(entry.dedupeKey);
+    normalized.push(entry);
+  }
+
+  return normalized;
+}
+
+function collectClaudeDenyRules(ctx) {
+  const shared = ctx.jsonFile('.claude/settings.json');
+  const local = ctx.jsonFile('.claude/settings.local.json');
+  const denyRules = []
+    .concat(shared?.permissions?.deny || [])
+    .concat(local?.permissions?.deny || []);
+
+  return normalizePermissionRules(denyRules, ctx.dir);
+}
+
+function hasSecretDenyRule(rules) {
+  return (Array.isArray(rules) ? rules : []).some((rule) => rule && rule.protectsSecrets);
+}
+
+module.exports = {
+  collectClaudeDenyRules,
+  hasSecretDenyRule,
+  normalizePermissionRule,
+  normalizePermissionRules,
+};

package/src/secret-patterns.js

@@ -5,6 +5,15 @@ const EMBEDDED_SECRET_PATTERNS = [
   /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
   /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g,
   /\bgh[pousr]_[A-Za-z0-9]{20,}\b/g,
+  /\bAZURE(?:_[A-Z0-9]+){0,4}_(?:API_)?KEY\s*[:=]\s*['"]?[A-Za-z0-9+/=_-]{20,}['"]?/g,
+  /\bDefaultEndpointsProtocol=https;AccountName=[^;\s]+;AccountKey=[A-Za-z0-9+/=]{20,};EndpointSuffix=core\.windows\.net\b/gi,
+  /\bEndpoint=sb:\/\/[^\s;]+;SharedAccessKeyName=[^;\s]+;SharedAccessKey=[A-Za-z0-9+/=]{20,}\b/gi,
+  /\b(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis|rediss|amqp):\/\/[^:\s/]+:[^@\s]{4,}@[^/\s]+(?:\/[^\s'"]*)?/gi,
+  /\b(?:Server|Host|Data Source)\s*=\s*[^;\n]+;[^\n]*(?:Password|Pwd)\s*=\s*[^;\n]{4,}/gi,
+  /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g,
+  /-----BEGIN (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----[\s\S]{40,}?-----END (?:OPENSSH|RSA|DSA|EC) PRIVATE KEY-----/g,
+  /-----BEGIN PRIVATE KEY-----[\s\S]{40,}?-----END PRIVATE KEY-----/g,
+  /"type"\s*:\s*"service_account"[\s\S]{0,1200}?"client_email"\s*:\s*"[^\"]+@[^"]*gserviceaccount\.com"[\s\S]{0,1200}?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]{20,}?-----END PRIVATE KEY-----\\n?"/g,
 ];
 
 function containsEmbeddedSecret(text = '') {