@neurcode-ai/cli 0.10.1 → 0.12.0

package/dist/governance/pipeline/stages/policy-lock-stage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-lock-stage.d.ts","sourceRoot":"","sources":["../../../../src/governance/pipeline/stages/policy-lock-stage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAEL,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACzB,MAAM,6BAA6B,CAAC;AAErC,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAGxD,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,mBAAmB,CAAC;IACrC,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,OAAO,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,kBAAkB,EAAE,CAAC;IACjC,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,eAAO,MAAM,eAAe,EAAE,uBAAuB,CAAC,eAAe,EAAE,gBAAgB,CAsDtF,CAAC"}

package/dist/governance/pipeline/stages/policy-lock-stage.js

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * Policy Lock Stage
+ * -----------------
+ * Verifies the policy lock fingerprint against the currently-resolved policy
+ * snapshot. This is a thin wrapper around `evaluatePolicyLock` from
+ * `utils/policy-packs` — it preserves all existing semantics and only adds
+ * stage lineage, fingerprinting, and replay receipts.
+ *
+ * SEMANTIC PRESERVATION:
+ *   The output `enforced`, `matched`, `lockPresent`, `lockPath`, and
+ *   `mismatches[]` fields are produced by `evaluatePolicyLock` directly —
+ *   they MUST be identical to the values verify.ts records inline.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.policyLockStage = void 0;
+const policy_packs_1 = require("../../../utils/policy-packs");
+const fingerprint_1 = require("../fingerprint");
+const types_1 = require("../types");
+exports.policyLockStage = {
+    id: 'policy-lock',
+    determinism: 'deterministic-structural',
+    boundary: {
+        ...types_1.STRICT_REQUIRED_BOUNDARY,
+        dependencies: ['diff-normalization'],
+    },
+    description: 'Compare resolved policy snapshot against the policy lock file; report fingerprint mismatches.',
+    execute(input) {
+        if (input.skipLock) {
+            return {
+                enforced: false,
+                matched: true,
+                lockPresent: false,
+                lockPath: '',
+                mismatches: [],
+                skipped: true,
+            };
+        }
+        const validation = (0, policy_packs_1.evaluatePolicyLock)(input.projectRoot, input.currentSnapshot, {
+            requireLock: input.requireLock,
+        });
+        return {
+            enforced: validation.enforced,
+            matched: validation.matched,
+            lockPresent: validation.lockPresent,
+            lockPath: validation.lockPath,
+            mismatches: [...validation.mismatches],
+            skipped: false,
+        };
+    },
+    fingerprintInput(input) {
+        return (0, fingerprint_1.fingerprintStageSignal)({
+            requireLock: input.requireLock,
+            skipLock: input.skipLock,
+            snapshotFingerprint: input.currentSnapshot.effective?.fingerprint ?? null,
+        });
+    },
+    fingerprintOutput(output) {
+        return (0, fingerprint_1.fingerprintStageSignal)({
+            enforced: output.enforced,
+            matched: output.matched,
+            lockPresent: output.lockPresent,
+            skipped: output.skipped,
+            mismatchCodes: output.mismatches.map(m => m.code).sort(),
+        });
+    },
+    outputItemCount(output) {
+        return output.mismatches.length;
+    },
+};
+//# sourceMappingURL=policy-lock-stage.js.map

package/dist/governance/pipeline/stages/policy-lock-stage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-lock-stage.js","sourceRoot":"","sources":["../../../../src/governance/pipeline/stages/policy-lock-stage.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAGH,8DAIqC;AACrC,gDAAwD;AAExD,oCAAoD;AAkBvC,QAAA,eAAe,GAA+D;IACzF,EAAE,EAAE,aAAa;IACjB,WAAW,EAAE,0BAAuD;IACpE,QAAQ,EAAE;QACR,GAAG,gCAAwB;QAC3B,YAAY,EAAE,CAAC,oBAAoB,CAAC;KACrC;IACD,WAAW,EAAE,+FAA+F;IAE5G,OAAO,CAAC,KAAsB;QAC5B,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,OAAO;gBACL,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,IAAI;gBACb,WAAW,EAAE,KAAK;gBAClB,QAAQ,EAAE,EAAE;gBACZ,UAAU,EAAE,EAAE;gBACd,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QACD,MAAM,UAAU,GAAG,IAAA,iCAAkB,EAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,eAAe,EAAE;YAC9E,WAAW,EAAE,KAAK,CAAC,WAAW;SAC/B,CAAC,CAAC;QACH,OAAO;YACL,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,UAAU,EAAE,CAAC,GAAG,UAAU,CAAC,UAAU,CAAC;YACtC,OAAO,EAAE,KAAK;SACf,CAAC;IACJ,CAAC;IAED,gBAAgB,CAAC,KAAsB;QACrC,OAAO,IAAA,oCAAsB,EAAC;YAC5B,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,mBAAmB,EAAE,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,WAAW,IAAI,IAAI;SAC1E,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB,CAAC,MAAwB;QACxC,OAAO,IAAA,oCAAsB,EAAC;YAC5B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;SACzD,CAAC,CAAC;IACL,CAAC;IAED,eAAe,CAAC,MAAwB;QACtC,OAAO,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;IAClC,CAAC;CACF,CAAC"}

package/dist/governance/pipeline/stages/runtime-guard-stage.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Runtime Guard Stage
+ * -------------------
+ * Validates the runtime guard artifact against the actual diff. Pure wrapper
+ * around `readRuntimeGuardArtifact` + `evaluateRuntimeGuardArtifact` from
+ * `utils/runtime-guard`.
+ *
+ * SEMANTIC PRESERVATION:
+ *   The `RuntimeGuardEvaluation` returned here is byte-identical to what
+ *   verify.ts produces inline. This stage adds lineage + fingerprinting only.
+ */
+import type { DiffFile } from '@neurcode-ai/diff-parser';
+import { type RuntimeGuardArtifact, type RuntimeGuardEvaluation } from '../../../utils/runtime-guard';
+import type { GovernancePipelineStage } from '../types';
+export interface RuntimeGuardInput {
+    projectRoot: string;
+    guardPath?: string;
+    diffFiles: DiffFile[];
+    fileContents?: Record<string, string>;
+}
+export interface RuntimeGuardOutput {
+    path: string;
+    exists: boolean;
+    artifact: RuntimeGuardArtifact | null;
+    error?: string;
+    evaluation: RuntimeGuardEvaluation | null;
+}
+export declare const runtimeGuardStage: GovernancePipelineStage<RuntimeGuardInput, RuntimeGuardOutput>;
+//# sourceMappingURL=runtime-guard-stage.d.ts.map

package/dist/governance/pipeline/stages/runtime-guard-stage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-guard-stage.d.ts","sourceRoot":"","sources":["../../../../src/governance/pipeline/stages/runtime-guard-stage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAEzD,OAAO,EAGL,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC5B,MAAM,8BAA8B,CAAC;AAEtC,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAExD,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,oBAAoB,GAAG,IAAI,CAAC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,sBAAsB,GAAG,IAAI,CAAC;CAC3C;AAED,eAAO,MAAM,iBAAiB,EAAE,uBAAuB,CACrD,iBAAiB,EACjB,kBAAkB,CAwDnB,CAAC"}

package/dist/governance/pipeline/stages/runtime-guard-stage.js

@@ -0,0 +1,65 @@
+"use strict";
+/**
+ * Runtime Guard Stage
+ * -------------------
+ * Validates the runtime guard artifact against the actual diff. Pure wrapper
+ * around `readRuntimeGuardArtifact` + `evaluateRuntimeGuardArtifact` from
+ * `utils/runtime-guard`.
+ *
+ * SEMANTIC PRESERVATION:
+ *   The `RuntimeGuardEvaluation` returned here is byte-identical to what
+ *   verify.ts produces inline. This stage adds lineage + fingerprinting only.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runtimeGuardStage = void 0;
+const runtime_guard_1 = require("../../../utils/runtime-guard");
+const fingerprint_1 = require("../fingerprint");
+exports.runtimeGuardStage = {
+    id: 'runtime-guard',
+    determinism: 'deterministic-structural',
+    boundary: {
+        isolateFailure: true,
+        required: false,
+        dependencies: ['diff-normalization'],
+    },
+    description: 'Validate runtime guard artifact against diff; report out-of-scope files and constraint violations.',
+    execute(input) {
+        const read = (0, runtime_guard_1.readRuntimeGuardArtifact)(input.projectRoot, input.guardPath);
+        if (!read.artifact) {
+            return {
+                path: read.path,
+                exists: read.exists,
+                artifact: null,
+                error: read.error,
+                evaluation: null,
+            };
+        }
+        const evaluation = (0, runtime_guard_1.evaluateRuntimeGuardArtifact)(read.artifact, input.diffFiles, input.fileContents);
+        return {
+            path: read.path,
+            exists: read.exists,
+            artifact: read.artifact,
+            evaluation,
+        };
+    },
+    fingerprintInput(input) {
+        return (0, fingerprint_1.fingerprintStageSignal)({
+            guardPath: input.guardPath ?? null,
+            files: input.diffFiles.map(f => f.path).sort(),
+        });
+    },
+    fingerprintOutput(output) {
+        return (0, fingerprint_1.fingerprintStageSignal)({
+            exists: output.exists,
+            expectedFilesFingerprint: output.artifact?.expectedFilesFingerprint ?? null,
+            compiledPolicyFingerprint: output.artifact?.source?.compiledPolicyFingerprint ?? null,
+            passed: output.evaluation?.pass ?? null,
+            violationCount: output.evaluation?.violations.length ?? 0,
+            outOfScopeFileCount: output.evaluation?.outOfScopeFiles.length ?? 0,
+        });
+    },
+    outputItemCount(output) {
+        return output.evaluation?.violations.length ?? 0;
+    },
+};
+//# sourceMappingURL=runtime-guard-stage.js.map

package/dist/governance/pipeline/stages/runtime-guard-stage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-guard-stage.js","sourceRoot":"","sources":["../../../../src/governance/pipeline/stages/runtime-guard-stage.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAIH,gEAKsC;AACtC,gDAAwD;AAkB3C,QAAA,iBAAiB,GAG1B;IACF,EAAE,EAAE,eAAe;IACnB,WAAW,EAAE,0BAAuD;IACpE,QAAQ,EAAE;QACR,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,CAAC,oBAAoB,CAAC;KACrC;IACD,WAAW,EAAE,oGAAoG;IAEjH,OAAO,CAAC,KAAwB;QAC9B,MAAM,IAAI,GAAG,IAAA,wCAAwB,EAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAC1E,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,OAAO;gBACL,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,IAAI;gBACd,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,UAAU,EAAE,IAAI;aACjB,CAAC;QACJ,CAAC;QACD,MAAM,UAAU,GAAG,IAAA,4CAA4B,EAC7C,IAAI,CAAC,QAAQ,EACb,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,YAAY,CACnB,CAAC;QACF,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,UAAU;SACX,CAAC;IACJ,CAAC;IAED,gBAAgB,CAAC,KAAwB;QACvC,OAAO,IAAA,oCAAsB,EAAC;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;YAClC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB,CAAC,MAA0B;QAC1C,OAAO,IAAA,oCAAsB,EAAC;YAC5B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,wBAAwB,EAAE,MAAM,CAAC,QAAQ,EAAE,wBAAwB,IAAI,IAAI;YAC3E,yBAAyB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,yBAAyB,IAAI,IAAI;YACrF,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,IAAI,IAAI,IAAI;YACvC,cAAc,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,IAAI,CAAC;YACzD,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,eAAe,CAAC,MAAM,IAAI,CAAC;SACpE,CAAC,CAAC;IACL,CAAC;IAED,eAAe,CAAC,MAA0B;QACxC,OAAO,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;IACnD,CAAC;CACF,CAAC"}

package/dist/governance/pipeline/stages/structural-analysis-stage.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Structural Analysis Stage
+ * -------------------------
+ * Runs the deterministic structural rule engine (SR/DS/PY rules) on the
+ * diff files produced by `diff-normalization`. Pure wrapper around
+ * `runStructuralOnDiffFiles` from `governance/structural-on-diff`.
+ *
+ * SEMANTIC PRESERVATION:
+ *   The output `violations[]`, `rulesApplied[]`, `suppressedCount`,
+ *   `newViolationCount`, `legacyDebtCount`, and `diffScopedEnforcement`
+ *   fields are produced by `runStructuralOnDiffFiles` directly — verify.ts
+ *   inline behavior is unchanged.
+ */
+import type { DiffFile } from '@neurcode-ai/diff-parser';
+import { type StructuralOnDiffResult } from '../../structural-on-diff';
+import type { GovernancePipelineStage } from '../types';
+export interface StructuralAnalysisInput {
+    projectRoot: string;
+    diffFiles: DiffFile[];
+    strictFullFile?: boolean;
+}
+export type StructuralAnalysisOutput = StructuralOnDiffResult;
+export declare const structuralAnalysisStage: GovernancePipelineStage<StructuralAnalysisInput, StructuralAnalysisOutput>;
+//# sourceMappingURL=structural-analysis-stage.d.ts.map

package/dist/governance/pipeline/stages/structural-analysis-stage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"structural-analysis-stage.d.ts","sourceRoot":"","sources":["../../../../src/governance/pipeline/stages/structural-analysis-stage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAEzD,OAAO,EAEL,KAAK,sBAAsB,EAC5B,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAGxD,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAE9D,eAAO,MAAM,uBAAuB,EAAE,uBAAuB,CAC3D,uBAAuB,EACvB,wBAAwB,CA2CzB,CAAC"}

package/dist/governance/pipeline/stages/structural-analysis-stage.js

@@ -0,0 +1,58 @@
+"use strict";
+/**
+ * Structural Analysis Stage
+ * -------------------------
+ * Runs the deterministic structural rule engine (SR/DS/PY rules) on the
+ * diff files produced by `diff-normalization`. Pure wrapper around
+ * `runStructuralOnDiffFiles` from `governance/structural-on-diff`.
+ *
+ * SEMANTIC PRESERVATION:
+ *   The output `violations[]`, `rulesApplied[]`, `suppressedCount`,
+ *   `newViolationCount`, `legacyDebtCount`, and `diffScopedEnforcement`
+ *   fields are produced by `runStructuralOnDiffFiles` directly — verify.ts
+ *   inline behavior is unchanged.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.structuralAnalysisStage = void 0;
+const structural_on_diff_1 = require("../../structural-on-diff");
+const fingerprint_1 = require("../fingerprint");
+const types_1 = require("../types");
+exports.structuralAnalysisStage = {
+    id: 'structural-analysis',
+    determinism: 'deterministic-structural',
+    boundary: {
+        ...types_1.STRICT_REQUIRED_BOUNDARY,
+        dependencies: ['diff-normalization'],
+    },
+    description: 'Run deterministic structural rule engine (SR/DS/PY) on diff files; classify diff-scoped vs legacy debt.',
+    execute(input) {
+        return (0, structural_on_diff_1.runStructuralOnDiffFiles)(input.projectRoot, input.diffFiles, {
+            strictFullFile: input.strictFullFile,
+        });
+    },
+    fingerprintInput(input) {
+        return (0, fingerprint_1.fingerprintStageSignal)({
+            files: input.diffFiles.map(f => f.path).sort(),
+            strictFullFile: input.strictFullFile ?? false,
+        });
+    },
+    fingerprintOutput(output) {
+        return (0, fingerprint_1.fingerprintStageSignal)({
+            rulesApplied: [...output.rulesApplied].sort(),
+            violationKeys: output.violations
+                .map(v => `${v.ruleId}\x1e${v.filePath}\x1e${v.line}\x1e${v.column ?? 0}`)
+                .sort(),
+            newViolationCount: output.newViolationCount,
+            legacyDebtCount: output.legacyDebtCount,
+            suppressedCount: output.suppressedCount,
+            diffScopedEnforcement: output.diffScopedEnforcement,
+        });
+    },
+    inputItemCount(input) {
+        return input.diffFiles.length;
+    },
+    outputItemCount(output) {
+        return output.violations.length;
+    },
+};
+//# sourceMappingURL=structural-analysis-stage.js.map

package/dist/governance/pipeline/stages/structural-analysis-stage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"structural-analysis-stage.js","sourceRoot":"","sources":["../../../../src/governance/pipeline/stages/structural-analysis-stage.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAIH,iEAGkC;AAClC,gDAAwD;AAExD,oCAAoD;AAUvC,QAAA,uBAAuB,GAGhC;IACF,EAAE,EAAE,qBAAqB;IACzB,WAAW,EAAE,0BAAuD;IACpE,QAAQ,EAAE;QACR,GAAG,gCAAwB;QAC3B,YAAY,EAAE,CAAC,oBAAoB,CAAC;KACrC;IACD,WAAW,EAAE,yGAAyG;IAEtH,OAAO,CAAC,KAA8B;QACpC,OAAO,IAAA,6CAAwB,EAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE;YAClE,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC;IACL,CAAC;IAED,gBAAgB,CAAC,KAA8B;QAC7C,OAAO,IAAA,oCAAsB,EAAC;YAC5B,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;YAC9C,cAAc,EAAE,KAAK,CAAC,cAAc,IAAI,KAAK;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB,CAAC,MAAgC;QAChD,OAAO,IAAA,oCAAsB,EAAC;YAC5B,YAAY,EAAE,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE;YAC7C,aAAa,EAAE,MAAM,CAAC,UAAU;iBAC7B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,QAAQ,OAAO,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;iBACzE,IAAI,EAAE;YACT,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,qBAAqB,EAAE,MAAM,CAAC,qBAAqB;SACpD,CAAC,CAAC;IACL,CAAC;IAED,cAAc,CAAC,KAA8B;QAC3C,OAAO,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC;IAChC,CAAC;IAED,eAAe,CAAC,MAAgC;QAC9C,OAAO,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;IAClC,CAAC;CACF,CAAC"}

package/dist/governance/pipeline/summary.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Pipeline summary builder.
+ *
+ * Derives a `GovernancePipelineSummary` from a ledger of stage results. The
+ * summary is the audience-facing surface for explainability dashboards,
+ * stage-level SLOs, and replay reconstruction.
+ *
+ * The `pipelineFingerprint` is a SHA-256 over the ordered sequence of
+ * (stageId, status, outputFingerprint?) tuples. It is independent of and
+ * non-overlapping with `GovernanceVerificationEnvelope.replayChecksum`.
+ */
+import type { GovernancePipelineSummary, GovernanceStageResult } from '@neurcode-ai/contracts';
+export declare function buildPipelineSummary(ledger: readonly GovernanceStageResult[]): GovernancePipelineSummary;
+//# sourceMappingURL=summary.d.ts.map

package/dist/governance/pipeline/summary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"summary.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/summary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EACV,yBAAyB,EAEzB,qBAAqB,EAEtB,MAAM,wBAAwB,CAAC;AAGhC,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,SAAS,qBAAqB,EAAE,GACvC,yBAAyB,CAoC3B"}

package/dist/governance/pipeline/summary.js

@@ -0,0 +1,50 @@
+"use strict";
+/**
+ * Pipeline summary builder.
+ *
+ * Derives a `GovernancePipelineSummary` from a ledger of stage results. The
+ * summary is the audience-facing surface for explainability dashboards,
+ * stage-level SLOs, and replay reconstruction.
+ *
+ * The `pipelineFingerprint` is a SHA-256 over the ordered sequence of
+ * (stageId, status, outputFingerprint?) tuples. It is independent of and
+ * non-overlapping with `GovernanceVerificationEnvelope.replayChecksum`.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPipelineSummary = buildPipelineSummary;
+const crypto_1 = require("crypto");
+const contracts_1 = require("@neurcode-ai/contracts");
+function buildPipelineSummary(ledger) {
+    const stages = ledger.map(entry => ({
+        stageId: entry.stageId,
+        status: entry.status,
+        determinism: entry.replay.determinism,
+        durationMs: entry.metrics.durationMs,
+        inputFingerprint: entry.replay.inputFingerprint,
+        outputFingerprint: entry.replay.outputFingerprint,
+        dependsOn: [...entry.replay.dependsOn],
+        failureCategory: entry.failure?.category,
+    }));
+    const fingerprintInput = stages
+        .map(s => `${s.stageId}\x1e${s.status}\x1e${s.outputFingerprint ?? ''}`)
+        .join('\x00');
+    const pipelineFingerprint = (0, crypto_1.createHash)('sha256')
+        .update(fingerprintInput, 'utf-8')
+        .digest('hex');
+    const totalDurationMs = stages.reduce((acc, s) => acc + (s.durationMs || 0), 0);
+    const degradedStages = stages
+        .filter(s => s.status === 'degraded')
+        .map(s => s.stageId);
+    const failedStages = stages
+        .filter(s => s.status === 'failed')
+        .map(s => s.stageId);
+    return {
+        schemaVersion: contracts_1.GOVERNANCE_PIPELINE_SCHEMA_VERSION,
+        pipelineFingerprint,
+        stages,
+        totalDurationMs,
+        degradedStages,
+        failedStages,
+    };
+}
+//# sourceMappingURL=summary.js.map

package/dist/governance/pipeline/summary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"summary.js","sourceRoot":"","sources":["../../../src/governance/pipeline/summary.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAWH,oDAsCC;AA/CD,mCAAoC;AAOpC,sDAA4E;AAE5E,SAAgB,oBAAoB,CAClC,MAAwC;IAExC,MAAM,MAAM,GAA6B,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC5D,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,WAAW;QACrC,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,UAAU;QACpC,gBAAgB,EAAE,KAAK,CAAC,MAAM,CAAC,gBAAgB;QAC/C,iBAAiB,EAAE,KAAK,CAAC,MAAM,CAAC,iBAAiB;QACjD,SAAS,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC;QACtC,eAAe,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ;KACzC,CAAC,CAAC,CAAC;IAEJ,MAAM,gBAAgB,GAAG,MAAM;SAC5B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,OAAO,OAAO,CAAC,CAAC,MAAM,OAAO,CAAC,CAAC,iBAAiB,IAAI,EAAE,EAAE,CAAC;SACvE,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,MAAM,mBAAmB,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC;SAC7C,MAAM,CAAC,gBAAgB,EAAE,OAAO,CAAC;SACjC,MAAM,CAAC,KAAK,CAAC,CAAC;IAEjB,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAChF,MAAM,cAAc,GAAwB,MAAM;SAC/C,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC;SACpC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACvB,MAAM,YAAY,GAAwB,MAAM;SAC7C,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC;SAClC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAEvB,OAAO;QACL,aAAa,EAAE,8CAAkC;QACjD,mBAAmB;QACnB,MAAM;QACN,eAAe;QACf,cAAc;QACd,YAAY;KACb,CAAC;AACJ,CAAC"}

package/dist/governance/pipeline/types.d.ts

@@ -0,0 +1,69 @@
+/**
+ * CLI-side governance pipeline types.
+ *
+ * Builds on `@neurcode-ai/contracts` stage contracts with executor-side detail
+ * (context, stage definition, ledger). The wire-level types remain in contracts.
+ */
+import type { DeterminismClassification, GovernanceStageBoundary, GovernanceStageId, GovernanceStageResult } from '@neurcode-ai/contracts';
+/**
+ * Per-run pipeline context. Carries cross-stage execution state, environment,
+ * and the in-progress ledger of stage results.
+ *
+ * The context is INTENTIONALLY narrow. Stages must not stash unstructured data
+ * here; new shared state belongs in a stage's typed output or in a dedicated
+ * follow-up contract.
+ */
+export interface GovernancePipelineContext {
+    /** Absolute project root, resolved once at the top of verify. */
+    readonly projectRoot: string;
+    /** True when running in CI / policy-only deterministic mode. */
+    readonly ciMode: boolean;
+    /** True when JSON mode is requested (suppresses human-readable side effects). */
+    readonly jsonMode: boolean;
+    /** Wall-clock start time of the verify run (ms since epoch). */
+    readonly startedAtMs: number;
+    /** Mutable ledger of completed stage results. Append-only by convention. */
+    readonly ledger: GovernanceStageResult[];
+    /** Optional run ID for cross-stage correlation. */
+    runId?: string;
+}
+/**
+ * Stage definition contract.
+ *
+ * `execute` MUST be deterministic given its input — observable side effects
+ * (filesystem reads, git invocations, etc.) are allowed but their outputs must
+ * be reflected in `fingerprintOutput` so replays can detect drift.
+ */
+export interface GovernancePipelineStage<TIn, TOut> {
+    readonly id: GovernanceStageId;
+    readonly determinism: DeterminismClassification;
+    readonly boundary: GovernanceStageBoundary;
+    /** Human-readable description for explainability dashboards. */
+    readonly description?: string;
+    /**
+     * Run the stage. Throwing aborts the pipeline UNLESS boundary.isolateFailure
+     * is true, in which case the runner catches and emits a failed result.
+     */
+    execute(input: TIn, ctx: GovernancePipelineContext): Promise<TOut> | TOut;
+    /** Compute a deterministic fingerprint of the input for replay lineage. */
+    fingerprintInput?(input: TIn): string | undefined;
+    /** Compute a deterministic fingerprint of the output for replay lineage. */
+    fingerprintOutput?(output: TOut): string | undefined;
+    /** Report an input item count for observability. Optional. */
+    inputItemCount?(input: TIn): number | undefined;
+    /** Report an output item count for observability. Optional. */
+    outputItemCount?(output: TOut): number | undefined;
+}
+/**
+ * Default boundary policy: required, strict, no dependencies.
+ *
+ * Most stages should NOT use this directly — they should declare their actual
+ * upstream dependencies so replay can reconstruct the computation graph.
+ */
+export declare const STRICT_REQUIRED_BOUNDARY: GovernanceStageBoundary;
+/**
+ * Boundary policy for optional observability / non-load-bearing stages.
+ * Failures here are caught and surfaced but never abort governance.
+ */
+export declare const OBSERVABILITY_BOUNDARY: GovernanceStageBoundary;
+//# sourceMappingURL=types.d.ts.map

package/dist/governance/pipeline/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/governance/pipeline/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,yBAAyB,EACzB,uBAAuB,EACvB,iBAAiB,EACjB,qBAAqB,EACtB,MAAM,wBAAwB,CAAC;AAEhC;;;;;;;GAOG;AACH,MAAM,WAAW,yBAAyB;IACxC,iEAAiE;IACjE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,gEAAgE;IAChE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,iFAAiF;IACjF,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,gEAAgE;IAChE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,4EAA4E;IAC5E,QAAQ,CAAC,MAAM,EAAE,qBAAqB,EAAE,CAAC;IACzC,mDAAmD;IACnD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,uBAAuB,CAAC,GAAG,EAAE,IAAI;IAChD,QAAQ,CAAC,EAAE,EAAE,iBAAiB,CAAC;IAC/B,QAAQ,CAAC,WAAW,EAAE,yBAAyB,CAAC;IAChD,QAAQ,CAAC,QAAQ,EAAE,uBAAuB,CAAC;IAC3C,gEAAgE;IAChE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B;;;OAGG;IACH,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,yBAAyB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IAC1E,2EAA2E;IAC3E,gBAAgB,CAAC,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,SAAS,CAAC;IAClD,4EAA4E;IAC5E,iBAAiB,CAAC,CAAC,MAAM,EAAE,IAAI,GAAG,MAAM,GAAG,SAAS,CAAC;IACrD,8DAA8D;IAC9D,cAAc,CAAC,CAAC,KAAK,EAAE,GAAG,GAAG,MAAM,GAAG,SAAS,CAAC;IAChD,+DAA+D;IAC/D,eAAe,CAAC,CAAC,MAAM,EAAE,IAAI,GAAG,MAAM,GAAG,SAAS,CAAC;CACpD;AAED;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,EAAE,uBAItC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,uBAIpC,CAAC"}

package/dist/governance/pipeline/types.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * CLI-side governance pipeline types.
+ *
+ * Builds on `@neurcode-ai/contracts` stage contracts with executor-side detail
+ * (context, stage definition, ledger). The wire-level types remain in contracts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OBSERVABILITY_BOUNDARY = exports.STRICT_REQUIRED_BOUNDARY = void 0;
+/**
+ * Default boundary policy: required, strict, no dependencies.
+ *
+ * Most stages should NOT use this directly — they should declare their actual
+ * upstream dependencies so replay can reconstruct the computation graph.
+ */
+exports.STRICT_REQUIRED_BOUNDARY = {
+    isolateFailure: false,
+    required: true,
+    dependencies: [],
+};
+/**
+ * Boundary policy for optional observability / non-load-bearing stages.
+ * Failures here are caught and surfaced but never abort governance.
+ */
+exports.OBSERVABILITY_BOUNDARY = {
+    isolateFailure: true,
+    required: false,
+    dependencies: [],
+};
+//# sourceMappingURL=types.js.map

package/dist/governance/pipeline/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/governance/pipeline/types.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA4DH;;;;;GAKG;AACU,QAAA,wBAAwB,GAA4B;IAC/D,cAAc,EAAE,KAAK;IACrB,QAAQ,EAAE,IAAI;IACd,YAAY,EAAE,EAAE;CACjB,CAAC;AAEF;;;GAGG;AACU,QAAA,sBAAsB,GAA4B;IAC7D,cAAc,EAAE,IAAI;IACpB,QAAQ,EAAE,KAAK;IACf,YAAY,EAAE,EAAE;CACjB,CAAC"}

package/dist/index.js

@@ -377,6 +377,31 @@ program
 (0, control_plane_1.controlPlaneCommand)(program);
 (0, workspace_1.workspaceCommand)(program);
 (0, replay_1.replayCommand)(program);
+// Top-level discoverability alias for `neurcode replay timeline`. Reviewers
+// asking "what changed and when?" should not need to know the subcommand
+// hierarchy. Same canonical artifact source, same deterministic output.
+program
+    .command('timeline')
+    .description('Operational governance timeline (alias for `replay timeline`)')
+    .option('--workspace <workspaceId>', 'Workspace scope')
+    .option('--from <timestamp>', 'ISO start timestamp')
+    .option('--to <timestamp>', 'ISO end timestamp')
+    .option('--limit <count>', 'Maximum timeline items to return', (value) => Number.parseInt(value, 10))
+    .option('--json', 'Output JSON')
+    .action(async (options) => {
+    const args = ['replay', 'timeline'];
+    if (options.workspace)
+        args.push('--workspace', String(options.workspace));
+    if (options.from)
+        args.push('--from', String(options.from));
+    if (options.to)
+        args.push('--to', String(options.to));
+    if (Number.isFinite(options.limit))
+        args.push('--limit', String(options.limit));
+    if (options.json)
+        args.push('--json');
+    await program.parseAsync(['node', 'neurcode', ...args]);
+});
 (0, audit_1.auditCommand)(program);
 (0, contract_1.contractCommand)(program);
 (0, feedback_1.feedbackCommand)(program);
@@ -1153,6 +1178,7 @@ program
     .option('--api-key <key>', 'Neurcode API Key (overrides config and env var)')
     .option('--api-url <url>', 'Override API URL (default: https://api.neurcode.com)')
     .option('--local-only', 'Offline structural fallback: skip API, run deterministic structural rules only (sets NEURCODE_VERIFY_LOCAL_ONLY=1)')
+    .option('--require-intent-runtime', 'Fail if the intent-governed runtime is not active for this run (no silent downgrade to structural-only). Honours NEURCODE_REQUIRE_INTENT_RUNTIME=1.')
     .action(async (options) => {
     if (options.localOnly === true) {
         process.env.NEURCODE_VERIFY_LOCAL_ONLY = '1';
@@ -1217,6 +1243,8 @@ program
             verifyArgs.push('--api-key', options.apiKey);
         if (options.apiUrl)
             verifyArgs.push('--api-url', options.apiUrl);
+        if (options.requireIntentRuntime === true)
+            verifyArgs.push('--require-intent-runtime');
         const run = await (0, execution_bus_1.runExecution)({
             type: 'verify',
             source: 'cli',
@@ -1262,6 +1290,7 @@ program
         verifyJobTimeoutMs: Number.isFinite(options.verifyJobTimeoutMs) ? options.verifyJobTimeoutMs : undefined,
         verifyIdempotencyKey: options.verifyIdempotencyKey,
         verifyJobMaxAttempts: Number.isFinite(options.verifyJobMaxAttempts) ? options.verifyJobMaxAttempts : undefined,
+        requireIntentRuntime: options.requireIntentRuntime === true,
     });
 });
 program