@neurcode-ai/cli 0.9.29 → 0.9.30

package/dist/commands/verify.js

@@ -58,6 +58,8 @@ const custom_policy_rules_1 = require("../utils/custom-policy-rules");
 const policy_exceptions_1 = require("../utils/policy-exceptions");
 const policy_governance_1 = require("../utils/policy-governance");
 const policy_audit_1 = require("../utils/policy-audit");
+const governance_1 = require("../utils/governance");
+const policy_1 = require("@neurcode-ai/policy");
 // Import chalk with fallback
 let chalk;
 try {
@@ -294,10 +296,56 @@ function resolveAuditIntegrityStatus(requireIntegrity, auditIntegrity) {
  * Execute policy-only verification (General Governance mode)
  * Returns the exit code to use
  */
-async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRoot, config, client, source) {
+async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRoot, config, client, source, orgGovernanceSettings, aiLogSigningKey, aiLogSigner) {
     if (!options.json) {
         console.log(chalk.cyan('🛡️  General Governance mode (policy only, no plan linked)\n'));
     }
+    const governanceAnalysis = (0, governance_1.evaluateGovernance)({
+        projectRoot,
+        task: 'Policy-only verification',
+        expectedFiles: [],
+        diffFiles,
+        contextCandidates: diffFiles.map((file) => file.path),
+        orgGovernance: orgGovernanceSettings,
+        signingKey: aiLogSigningKey,
+        signer: aiLogSigner,
+    });
+    const contextPolicyViolations = governanceAnalysis.contextPolicy.violations.filter((item) => !ignoreFilter(item.file));
+    if (contextPolicyViolations.length > 0) {
+        const message = `Context policy violation: ${contextPolicyViolations.map((item) => item.file).join(', ')}`;
+        if (options.json) {
+            console.log(JSON.stringify({
+                grade: 'F',
+                score: 0,
+                verdict: 'FAIL',
+                violations: contextPolicyViolations.map((item) => ({
+                    file: item.file,
+                    rule: `context_policy:${item.rule}`,
+                    severity: 'block',
+                    message: item.reason,
+                })),
+                message,
+                scopeGuardPassed: false,
+                bloatCount: 0,
+                bloatFiles: [],
+                plannedFilesModified: 0,
+                totalPlannedFiles: 0,
+                adherenceScore: 0,
+                mode: 'policy_only',
+                policyOnly: true,
+                policyOnlySource: source,
+                ...buildGovernancePayload(governanceAnalysis, orgGovernanceSettings),
+            }, null, 2));
+        }
+        else {
+            console.log(chalk.red('❌ Context policy violation detected (policy-only mode).'));
+            contextPolicyViolations.forEach((item) => {
+                console.log(chalk.red(`   • ${item.file}: ${item.reason}`));
+            });
+            console.log(chalk.dim(`\n${message}`));
+        }
+        return 2;
+    }
     let policyViolations = [];
     let policyDecision = 'allow';
     const requirePolicyLock = options.requirePolicyLock === true || isEnabledFlag(process.env.NEURCODE_VERIFY_REQUIRE_POLICY_LOCK);
@@ -385,6 +433,7 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
                 mode: 'policy_only',
                 policyOnly: true,
                 policyOnlySource: source,
+                ...buildGovernancePayload(governanceAnalysis, orgGovernanceSettings),
                 policyLock: {
                     enforced: true,
                     matched: false,
@@ -516,6 +565,7 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
             mode: 'policy_only',
             policyOnly: true,
             policyOnlySource: source,
+            ...buildGovernancePayload(governanceAnalysis, orgGovernanceSettings),
             policyLock: {
                 enforced: policyLockEvaluation.enforced,
                 matched: policyLockEvaluation.matched,
@@ -555,6 +605,7 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         if (governance.audit.requireIntegrity && !auditIntegrityStatus.valid) {
             console.log(chalk.red('   Policy audit integrity check failed'));
         }
+        displayGovernanceInsights(governanceAnalysis, { explain: options.explain });
         console.log(chalk.dim(`\n${message}`));
     }
     return effectiveVerdict === 'FAIL' ? 2 : effectiveVerdict === 'WARN' ? 1 : 0;
@@ -610,6 +661,31 @@ async function verifyCommand(options) {
             orgId: (0, state_1.getOrgId)(),
             projectId: projectId || null,
         };
+        const aiLogSigningKey = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY ||
+            process.env.NEURCODE_AI_LOG_SIGNING_KEY ||
+            null;
+        const aiLogSigner = process.env.NEURCODE_GOVERNANCE_SIGNER || process.env.USER || 'neurcode-cli';
+        let orgGovernanceSettings = null;
+        if (config.apiKey) {
+            try {
+                const remoteSettings = await client.getOrgGovernanceSettings();
+                if (remoteSettings) {
+                    orgGovernanceSettings = {
+                        contextPolicy: (0, policy_1.normalizeContextPolicy)(remoteSettings.contextPolicy),
+                        requireSignedAiLogs: remoteSettings.requireSignedAiLogs === true,
+                        requireManualApproval: remoteSettings.requireManualApproval !== false,
+                        minimumManualApprovals: Math.max(1, Math.min(5, Math.floor(remoteSettings.minimumManualApprovals || 1))),
+                        updatedAt: remoteSettings.updatedAt,
+                    };
+                }
+            }
+            catch (error) {
+                if (!options.json) {
+                    const message = error instanceof Error ? error.message : 'Unknown error';
+                    console.log(chalk.dim(`   Org governance settings unavailable, using local policy only (${message})`));
+                }
+            }
+        }
         const recordVerifyEvent = (verdict, note, changedFiles, planId) => {
             if (!brainScope.orgId || !brainScope.projectId) {
                 return;
@@ -727,13 +803,65 @@ async function verifyCommand(options) {
             const normalized = toUnixPath(filePath || '');
             return ignoreFilter(normalized) || runtimeIgnoreSet.has(normalized);
         };
+        const baselineContextPolicyLocal = (0, policy_1.loadContextPolicy)(projectRoot);
+        const baselineContextPolicy = orgGovernanceSettings?.contextPolicy
+            ? (0, policy_1.mergeContextPolicies)(baselineContextPolicyLocal, orgGovernanceSettings.contextPolicy)
+            : baselineContextPolicyLocal;
+        const baselineContextPolicyEvaluation = (0, policy_1.evaluateContextPolicyForChanges)(diffFiles.map((file) => file.path), baselineContextPolicy, diffFiles.map((file) => file.path));
+        const baselineContextViolations = baselineContextPolicyEvaluation.violations.filter((item) => !shouldIgnore(item.file));
+        if (baselineContextViolations.length > 0) {
+            const baselineGovernance = (0, governance_1.evaluateGovernance)({
+                projectRoot,
+                task: 'Context policy validation',
+                expectedFiles: [],
+                diffFiles,
+                contextCandidates: diffFiles.map((file) => file.path),
+                orgGovernance: orgGovernanceSettings,
+                signingKey: aiLogSigningKey,
+                signer: aiLogSigner,
+            });
+            const message = `Context access policy violation: ${baselineContextViolations.map((item) => item.file).join(', ')}`;
+            recordVerifyEvent('FAIL', `context_policy_violations=${baselineContextViolations.length}`, diffFiles.map((f) => f.path));
+            if (options.json) {
+                console.log(JSON.stringify({
+                    grade: 'F',
+                    score: 0,
+                    verdict: 'FAIL',
+                    violations: baselineContextViolations.map((item) => ({
+                        file: item.file,
+                        rule: `context_policy:${item.rule}`,
+                        severity: 'block',
+                        message: item.reason,
+                    })),
+                    adherenceScore: 0,
+                    bloatCount: 0,
+                    bloatFiles: [],
+                    plannedFilesModified: 0,
+                    totalPlannedFiles: 0,
+                    message,
+                    scopeGuardPassed: false,
+                    ...buildGovernancePayload(baselineGovernance, orgGovernanceSettings),
+                    mode: 'policy_violation',
+                    policyOnly: false,
+                }, null, 2));
+            }
+            else {
+                console.log(chalk.red('\n⛔ Context Policy Violation'));
+                baselineContextViolations.forEach((item) => {
+                    console.log(chalk.red(`   • ${item.file}: ${item.reason}`));
+                });
+                console.log(chalk.dim(`\nRisk level: ${baselineGovernance.blastRadius.riskScore.toUpperCase()}`));
+                console.log(chalk.red('\nAction blocked.\n'));
+            }
+            process.exit(2);
+        }
         if (!options.json) {
             console.log(chalk.cyan('\n📊 Analyzing changes against plan...'));
             console.log(chalk.dim(`   Found ${summary.totalFiles} file(s) changed`));
             console.log(chalk.dim(`   ${summary.totalAdded} lines added, ${summary.totalRemoved} lines removed\n`));
         }
         const runPolicyOnlyModeAndExit = async (source) => {
-            const exitCode = await executePolicyOnlyMode(options, diffFiles, shouldIgnore, projectRoot, config, client, source);
+            const exitCode = await executePolicyOnlyMode(options, diffFiles, shouldIgnore, projectRoot, config, client, source, orgGovernanceSettings, aiLogSigningKey, aiLogSigner);
             const changedFiles = diffFiles.map((f) => f.path);
             const verdict = exitCode === 2 ? 'FAIL' : exitCode === 1 ? 'WARN' : 'PASS';
             recordVerifyEvent(verdict, `policy_only_source=${source};exit=${exitCode}`, changedFiles);
@@ -824,6 +952,7 @@ async function verifyCommand(options) {
         }
         // Track if scope guard passed - this takes priority over AI grading
         let scopeGuardPassed = false;
+        let governanceResult = null;
         try {
             // Step A: Get Modified Files (already have from diffFiles)
             const modifiedFiles = diffFiles.map(f => f.path);
@@ -831,10 +960,29 @@ async function verifyCommand(options) {
             const planData = await client.getPlan(finalPlanId);
             // Extract original intent from plan (for constraint checking)
             const originalIntent = planData.intent || '';
+            const planTitle = typeof planData.content.title === 'string'
+                ? planData.content.title?.trim()
+                : '';
+            const planSummary = typeof planData.content.summary === 'string' ? planData.content.summary.trim() : '';
+            const governanceTask = planTitle || planSummary || originalIntent || 'Plan verification';
             // Get approved files from plan (only files with action CREATE or MODIFY)
             const planFiles = planData.content.files
                 .filter(f => f.action === 'CREATE' || f.action === 'MODIFY')
                 .map(f => f.path);
+            const planDependencies = Array.isArray(planData.content.dependencies)
+                ? planData.content.dependencies.filter((item) => typeof item === 'string')
+                : [];
+            governanceResult = (0, governance_1.evaluateGovernance)({
+                projectRoot,
+                task: governanceTask,
+                expectedFiles: planFiles,
+                expectedDependencies: planDependencies,
+                diffFiles,
+                contextCandidates: planFiles,
+                orgGovernance: orgGovernanceSettings,
+                signingKey: aiLogSigningKey,
+                signer: aiLogSigner,
+            });
             // Get sessionId from state file (.neurcode/state.json) first, then fallback to config
             // Fallback to sessionId from plan if not in state/config
             // This is the session_id string needed to fetch the session
@@ -903,6 +1051,9 @@ async function verifyCommand(options) {
                         scopeGuardPassed: false,
                         mode: 'plan_enforced',
                         policyOnly: false,
+                        ...(governanceResult
+                            ? buildGovernancePayload(governanceResult, orgGovernanceSettings)
+                            : {}),
                     };
                     // CRITICAL: Print JSON first, then exit
                     console.log(JSON.stringify(jsonOutput, null, 2));
@@ -922,6 +1073,9 @@ async function verifyCommand(options) {
                     filteredViolations.forEach(file => {
                         console.log(chalk.dim(`   neurcode allow ${file}`));
                     });
+                    if (governanceResult) {
+                        displayGovernanceInsights(governanceResult, { explain: options.explain });
+                    }
                     console.log('');
                     process.exit(1);
                 }
@@ -1026,6 +1180,9 @@ async function verifyCommand(options) {
                         scopeGuardPassed,
                         mode: 'plan_enforced',
                         policyOnly: false,
+                        ...(governanceResult
+                            ? buildGovernancePayload(governanceResult, orgGovernanceSettings)
+                            : {}),
                         policyLock: {
                             enforced: true,
                             matched: false,
@@ -1079,6 +1236,9 @@ async function verifyCommand(options) {
                     mode: 'plan_enforced',
                     policyOnly: false,
                     tier: 'FREE',
+                    ...(governanceResult
+                        ? buildGovernancePayload(governanceResult, orgGovernanceSettings)
+                        : {}),
                     policyLock: {
                         enforced: policyLockEvaluation.enforced,
                         matched: policyLockEvaluation.matched,
@@ -1309,6 +1469,9 @@ async function verifyCommand(options) {
                     totalPlannedFiles: verifyResult.totalPlannedFiles,
                     mode: 'plan_enforced',
                     policyOnly: false,
+                    ...(governanceResult
+                        ? buildGovernancePayload(governanceResult, orgGovernanceSettings)
+                        : {}),
                     policyLock: {
                         enforced: policyLockEvaluation.enforced,
                         matched: policyLockEvaluation.matched,
@@ -1347,8 +1510,10 @@ async function verifyCommand(options) {
                         })),
                     ];
                     // Report in background (don't await to avoid blocking JSON output)
-                    reportVerification(grade, violations, verifyResult, config.apiKey, config.apiUrl, projectId || undefined, true // jsonMode = true
-                    ).catch(() => {
+                    reportVerification(grade, violations, verifyResult, config.apiKey, config.apiUrl, projectId || undefined, true, // jsonMode = true
+                    governanceResult
+                        ? buildGovernancePayload(governanceResult, orgGovernanceSettings)
+                        : undefined).catch(() => {
                         // Error already logged in reportVerification
                     });
                 }
@@ -1376,6 +1541,9 @@ async function verifyCommand(options) {
                     bloatFiles: displayBloatFiles,
                     bloatCount: displayBloatFiles.length,
                 }, policyViolations);
+                if (governanceResult) {
+                    displayGovernanceInsights(governanceResult, { explain: options.explain });
+                }
                 if (policyExceptionsSummary.suppressed > 0) {
                     console.log(chalk.yellow(`\n⚠️  Policy exceptions applied: ${policyExceptionsSummary.suppressed}`));
                     if (policyExceptionsSummary.matchedExceptionIds.length > 0) {
@@ -1421,8 +1589,10 @@ async function verifyCommand(options) {
                             message: v.message,
                         })),
                     ];
-                    await reportVerification(grade, violations, verifyResult, config.apiKey, config.apiUrl, projectId || undefined, false // jsonMode = false
-                    );
+                    await reportVerification(grade, violations, verifyResult, config.apiKey, config.apiUrl, projectId || undefined, false, // jsonMode = false
+                    governanceResult
+                        ? buildGovernancePayload(governanceResult, orgGovernanceSettings)
+                        : undefined);
                 }
             }
             // Governance override: keep PASS only when scope guard passes and failure is due
@@ -1613,7 +1783,7 @@ function collectCIContext() {
 /**
  * Report verification results to Neurcode Cloud
  */
-async function reportVerification(grade, violations, verifyResult, apiKey, apiUrl, projectId, jsonMode) {
+async function reportVerification(grade, violations, verifyResult, apiKey, apiUrl, projectId, jsonMode, governance) {
     try {
         const ciContext = collectCIContext();
         const payload = {
@@ -1629,6 +1799,7 @@ async function reportVerification(grade, violations, verifyResult, apiKey, apiUr
             branch: ciContext.branch,
             workflowRunId: ciContext.workflowRunId,
             projectId,
+            governance,
         };
         const response = await fetch(`${apiUrl}/api/v1/action/verifications`, {
             method: 'POST',
@@ -1657,6 +1828,68 @@ async function reportVerification(grade, violations, verifyResult, apiKey, apiUr
         }
     }
 }
+function buildGovernancePayload(governance, orgGovernanceSettings) {
+    return {
+        contextPolicy: governance.contextPolicy,
+        blastRadius: governance.blastRadius,
+        suspiciousChange: governance.suspiciousChange,
+        changeJustification: governance.changeJustification,
+        governanceDecision: governance.governanceDecision,
+        aiChangeLog: {
+            path: governance.aiChangeLogPath,
+            auditPath: governance.aiChangeLogAuditPath,
+            integrity: governance.aiChangeLogIntegrity,
+        },
+        policySources: governance.policySources,
+        orgGovernance: orgGovernanceSettings
+            ? {
+                requireSignedAiLogs: orgGovernanceSettings.requireSignedAiLogs,
+                requireManualApproval: orgGovernanceSettings.requireManualApproval,
+                minimumManualApprovals: orgGovernanceSettings.minimumManualApprovals,
+                updatedAt: orgGovernanceSettings.updatedAt || null,
+            }
+            : null,
+    };
+}
+function displayGovernanceInsights(governance, options = {}) {
+    const maxUnexpectedFiles = options.maxUnexpectedFiles ?? 20;
+    const decision = governance.governanceDecision;
+    console.log(chalk.bold.white('\nBlast Radius:'));
+    console.log(chalk.dim(`   Files touched: ${governance.blastRadius.filesChanged}`));
+    console.log(chalk.dim(`   Functions impacted: ${governance.blastRadius.functionsAffected}`));
+    console.log(chalk.dim(`   Modules impacted: ${governance.blastRadius.modulesAffected.join(', ') || 'none'}`));
+    if (governance.blastRadius.dependenciesAdded.length > 0) {
+        console.log(chalk.dim(`   Dependencies added: ${governance.blastRadius.dependenciesAdded.join(', ')}`));
+    }
+    console.log(chalk.dim(`   Risk level: ${governance.blastRadius.riskScore.toUpperCase()}`));
+    console.log(chalk.dim(`   Governance decision: ${decision.decision.toUpperCase().replace('_', ' ')} | Avg relevance: ${decision.averageRelevanceScore}`));
+    console.log(chalk.dim(`   Policy source: ${governance.policySources.mode}${governance.policySources.orgPolicy ? ' (org + local)' : ' (local)'}`));
+    console.log(governance.aiChangeLogIntegrity.valid
+        ? chalk.dim(`   AI change-log integrity: valid (${governance.aiChangeLogIntegrity.signed ? 'signed' : 'unsigned'})`)
+        : chalk.red(`   AI change-log integrity: invalid (${governance.aiChangeLogIntegrity.issues.join('; ') || 'unknown'})`));
+    if (governance.suspiciousChange.flagged) {
+        console.log(chalk.red('\nSuspicious Change Detected'));
+        console.log(chalk.red(`   Plan expected files: ${governance.suspiciousChange.expectedFiles} | AI modified files: ${governance.suspiciousChange.actualFiles}`));
+        governance.suspiciousChange.unexpectedFiles.slice(0, maxUnexpectedFiles).forEach((filePath) => {
+            console.log(chalk.red(`   • ${filePath}`));
+        });
+        console.log(chalk.red(`   Confidence: ${governance.suspiciousChange.confidence}`));
+    }
+    if (decision.lowRelevanceFiles.length > 0) {
+        console.log(chalk.yellow('\nLow Relevance Files'));
+        decision.lowRelevanceFiles.slice(0, 10).forEach((item) => {
+            console.log(chalk.yellow(`   • ${item.file} (score ${item.relevanceScore}, ${item.planLink.replace('_', ' ')})`));
+        });
+    }
+    if (options.explain) {
+        console.log(chalk.bold.white('\nAI Change Justification:'));
+        console.log(chalk.dim(`   Task: ${governance.changeJustification.task}`));
+        governance.changeJustification.changes.forEach((item) => {
+            const relevance = typeof item.relevanceScore === 'number' ? ` [score ${item.relevanceScore}]` : '';
+            console.log(chalk.dim(`   • ${item.file} — ${item.reason}${relevance}`));
+        });
+    }
+}
 /**
  * Display verification results in a formatted report card
  */