@neurcode-ai/cli 0.9.31 → 0.9.32

package/dist/commands/verify.js

@@ -241,6 +241,57 @@ function isEnabledFlag(value) {
     const normalized = value.trim().toLowerCase();
     return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
 }
+function parseSigningKeyRing(raw) {
+    if (!raw || !raw.trim()) {
+        return {};
+    }
+    const out = {};
+    for (const token of raw.split(/[,\n;]+/)) {
+        const trimmed = token.trim();
+        if (!trimmed)
+            continue;
+        const separator = trimmed.indexOf('=');
+        if (separator <= 0)
+            continue;
+        const keyId = trimmed.slice(0, separator).trim();
+        const key = trimmed.slice(separator + 1).trim();
+        if (!keyId || !key)
+            continue;
+        out[keyId] = key;
+    }
+    return out;
+}
+function resolveGovernanceSigningConfig() {
+    const signingKeys = parseSigningKeyRing(process.env.NEURCODE_GOVERNANCE_SIGNING_KEYS);
+    const envSigningKey = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY?.trim() ||
+        process.env.NEURCODE_AI_LOG_SIGNING_KEY?.trim() ||
+        '';
+    const requestedKeyId = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY_ID?.trim() || '';
+    const signer = process.env.NEURCODE_GOVERNANCE_SIGNER || process.env.USER || 'neurcode-cli';
+    let signingKey = envSigningKey || null;
+    let signingKeyId = requestedKeyId || null;
+    if (!signingKey && Object.keys(signingKeys).length > 0) {
+        if (signingKeyId && signingKeys[signingKeyId]) {
+            signingKey = signingKeys[signingKeyId];
+        }
+        else {
+            const fallbackKeyId = Object.keys(signingKeys).sort((a, b) => a.localeCompare(b))[0];
+            signingKey = signingKeys[fallbackKeyId];
+            signingKeyId = signingKeyId || fallbackKeyId;
+        }
+    }
+    return {
+        signingKey,
+        signingKeyId,
+        signingKeys,
+        signer,
+    };
+}
+function isSignedAiLogsRequired(orgGovernanceSettings) {
+    return (orgGovernanceSettings?.requireSignedAiLogs === true ||
+        isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
+        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED));
+}
 function policyLockMismatchMessage(mismatches) {
     if (mismatches.length === 0) {
         return 'Policy lock baseline check failed';
@@ -309,7 +360,7 @@ async function recordVerificationIfRequested(options, config, payload) {
  * Execute policy-only verification (General Governance mode)
  * Returns the exit code to use
  */
-async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRoot, config, client, source, projectId, orgGovernanceSettings, aiLogSigningKey, aiLogSigner) {
+async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRoot, config, client, source, projectId, orgGovernanceSettings, aiLogSigningKey, aiLogSigningKeyId, aiLogSigningKeys, aiLogSigner) {
     if (!options.json) {
         console.log(chalk.cyan('🛡️  General Governance mode (policy only, no plan linked)\n'));
     }
@@ -321,10 +372,128 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         contextCandidates: diffFiles.map((file) => file.path),
         orgGovernance: orgGovernanceSettings,
         signingKey: aiLogSigningKey,
+        signingKeyId: aiLogSigningKeyId,
+        signingKeys: aiLogSigningKeys,
         signer: aiLogSigner,
     });
     const governancePayload = buildGovernancePayload(governanceAnalysis, orgGovernanceSettings);
     const contextPolicyViolations = governanceAnalysis.contextPolicy.violations.filter((item) => !ignoreFilter(item.file));
+    const signedLogsRequired = isSignedAiLogsRequired(orgGovernanceSettings);
+    if (signedLogsRequired && !governanceAnalysis.aiChangeLogIntegrity.valid) {
+        const message = `AI change-log integrity check failed: ${governanceAnalysis.aiChangeLogIntegrity.issues.join('; ') || 'unknown issue'}`;
+        if (options.json) {
+            console.log(JSON.stringify({
+                grade: 'F',
+                score: 0,
+                verdict: 'FAIL',
+                violations: [
+                    {
+                        file: '.neurcode/ai-change-log.json',
+                        rule: 'ai_change_log_integrity',
+                        severity: 'block',
+                        message,
+                    },
+                ],
+                message,
+                scopeGuardPassed: false,
+                bloatCount: 0,
+                bloatFiles: [],
+                plannedFilesModified: 0,
+                totalPlannedFiles: 0,
+                adherenceScore: 0,
+                mode: 'policy_only',
+                policyOnly: true,
+                policyOnlySource: source,
+                ...governancePayload,
+            }, null, 2));
+        }
+        else {
+            console.log(chalk.red('❌ AI change-log integrity validation failed (policy-only mode).'));
+            console.log(chalk.red(`   ${message}`));
+        }
+        await recordVerificationIfRequested(options, config, {
+            grade: 'F',
+            violations: [
+                {
+                    file: '.neurcode/ai-change-log.json',
+                    rule: 'ai_change_log_integrity',
+                    severity: 'block',
+                    message,
+                },
+            ],
+            verifyResult: {
+                adherenceScore: 0,
+                verdict: 'FAIL',
+                bloatCount: 0,
+                bloatFiles: [],
+                message,
+            },
+            projectId,
+            jsonMode: Boolean(options.json),
+            governance: governancePayload,
+        });
+        return 2;
+    }
+    if (governanceAnalysis.governanceDecision.decision === 'block') {
+        const message = governanceAnalysis.governanceDecision.summary
+            || 'Governance decision matrix returned BLOCK.';
+        const reasonCodes = governanceAnalysis.governanceDecision.reasonCodes || [];
+        if (options.json) {
+            console.log(JSON.stringify({
+                grade: 'F',
+                score: 0,
+                verdict: 'FAIL',
+                violations: [
+                    {
+                        file: '.neurcode/ai-change-log.json',
+                        rule: 'governance_decision_block',
+                        severity: 'block',
+                        message,
+                    },
+                ],
+                message,
+                scopeGuardPassed: false,
+                bloatCount: 0,
+                bloatFiles: [],
+                plannedFilesModified: 0,
+                totalPlannedFiles: 0,
+                adherenceScore: 0,
+                mode: 'policy_only',
+                policyOnly: true,
+                policyOnlySource: source,
+                ...governancePayload,
+            }, null, 2));
+        }
+        else {
+            console.log(chalk.red('❌ Governance decision blocked this change set (policy-only mode).'));
+            if (reasonCodes.length > 0) {
+                console.log(chalk.red(`   Reasons: ${reasonCodes.join(', ')}`));
+            }
+            console.log(chalk.red(`   ${message}`));
+        }
+        await recordVerificationIfRequested(options, config, {
+            grade: 'F',
+            violations: [
+                {
+                    file: '.neurcode/ai-change-log.json',
+                    rule: 'governance_decision_block',
+                    severity: 'block',
+                    message,
+                },
+            ],
+            verifyResult: {
+                adherenceScore: 0,
+                verdict: 'FAIL',
+                bloatCount: 0,
+                bloatFiles: [],
+                message,
+            },
+            projectId,
+            jsonMode: Boolean(options.json),
+            governance: governancePayload,
+        });
+        return 2;
+    }
     if (contextPolicyViolations.length > 0) {
         const message = `Context policy violation: ${contextPolicyViolations.map((item) => item.file).join(', ')}`;
         const contextPolicyViolationItems = contextPolicyViolations.map((item) => ({
@@ -719,10 +888,11 @@ async function verifyCommand(options) {
             orgId: (0, state_1.getOrgId)(),
             projectId: projectId || null,
         };
-        const aiLogSigningKey = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY ||
-            process.env.NEURCODE_AI_LOG_SIGNING_KEY ||
-            null;
-        const aiLogSigner = process.env.NEURCODE_GOVERNANCE_SIGNER || process.env.USER || 'neurcode-cli';
+        const signingConfig = resolveGovernanceSigningConfig();
+        const aiLogSigningKey = signingConfig.signingKey;
+        const aiLogSigningKeyId = signingConfig.signingKeyId;
+        const aiLogSigningKeys = signingConfig.signingKeys;
+        const aiLogSigner = signingConfig.signer;
         let orgGovernanceSettings = null;
         if (config.apiKey) {
             try {
@@ -744,6 +914,8 @@ async function verifyCommand(options) {
                 }
             }
         }
+        const signedLogsRequired = isSignedAiLogsRequired(orgGovernanceSettings);
+        const hasSigningMaterial = Boolean(aiLogSigningKey) || Object.keys(aiLogSigningKeys).length > 0;
         const recordVerifyEvent = (verdict, note, changedFiles, planId) => {
             if (!brainScope.orgId || !brainScope.projectId) {
                 return;
@@ -765,6 +937,60 @@ async function verifyCommand(options) {
                 // Never block verify flow on Brain persistence failures.
             }
         };
+        if (signedLogsRequired && !hasSigningMaterial) {
+            const message = 'Signed AI change-logs are required but no signing key is configured. Set NEURCODE_GOVERNANCE_SIGNING_KEY or NEURCODE_GOVERNANCE_SIGNING_KEYS.';
+            recordVerifyEvent('FAIL', 'missing_signing_key_material');
+            if (options.json) {
+                console.log(JSON.stringify({
+                    grade: 'F',
+                    score: 0,
+                    verdict: 'FAIL',
+                    violations: [
+                        {
+                            file: '.neurcode/ai-change-log.json',
+                            rule: 'ai_change_log_signing_required',
+                            severity: 'block',
+                            message,
+                        },
+                    ],
+                    adherenceScore: 0,
+                    bloatCount: 0,
+                    bloatFiles: [],
+                    plannedFilesModified: 0,
+                    totalPlannedFiles: 0,
+                    message,
+                    scopeGuardPassed: false,
+                    mode: 'plan_enforced',
+                    policyOnly: false,
+                }, null, 2));
+            }
+            else {
+                console.log(chalk.red('\n⛔ Governance Signing Key Missing'));
+                console.log(chalk.red(`   ${message}`));
+                console.log(chalk.dim('   Recommended: set NEURCODE_GOVERNANCE_SIGNING_KEY_ID and key ring via NEURCODE_GOVERNANCE_SIGNING_KEYS.'));
+            }
+            await recordVerificationIfRequested(options, config, {
+                grade: 'F',
+                violations: [
+                    {
+                        file: '.neurcode/ai-change-log.json',
+                        rule: 'ai_change_log_signing_required',
+                        severity: 'block',
+                        message,
+                    },
+                ],
+                verifyResult: {
+                    adherenceScore: 0,
+                    verdict: 'FAIL',
+                    bloatCount: 0,
+                    bloatFiles: [],
+                    message,
+                },
+                projectId: projectId || undefined,
+                jsonMode: Boolean(options.json),
+            });
+            process.exit(2);
+        }
         // Determine which diff to capture (staged + unstaged for full current work)
         let diffText;
         if (options.staged) {
@@ -876,6 +1102,8 @@ async function verifyCommand(options) {
                 contextCandidates: diffFiles.map((file) => file.path),
                 orgGovernance: orgGovernanceSettings,
                 signingKey: aiLogSigningKey,
+                signingKeyId: aiLogSigningKeyId,
+                signingKeys: aiLogSigningKeys,
                 signer: aiLogSigner,
             });
             const baselineGovernancePayload = buildGovernancePayload(baselineGovernance, orgGovernanceSettings);
@@ -935,7 +1163,7 @@ async function verifyCommand(options) {
             console.log(chalk.dim(`   ${summary.totalAdded} lines added, ${summary.totalRemoved} lines removed\n`));
         }
         const runPolicyOnlyModeAndExit = async (source) => {
-            const exitCode = await executePolicyOnlyMode(options, diffFiles, shouldIgnore, projectRoot, config, client, source, projectId || undefined, orgGovernanceSettings, aiLogSigningKey, aiLogSigner);
+            const exitCode = await executePolicyOnlyMode(options, diffFiles, shouldIgnore, projectRoot, config, client, source, projectId || undefined, orgGovernanceSettings, aiLogSigningKey, aiLogSigningKeyId, aiLogSigningKeys, aiLogSigner);
             const changedFiles = diffFiles.map((f) => f.path);
             const verdict = exitCode === 2 ? 'FAIL' : exitCode === 1 ? 'WARN' : 'PASS';
             recordVerifyEvent(verdict, `policy_only_source=${source};exit=${exitCode}`, changedFiles);
@@ -1069,6 +1297,8 @@ async function verifyCommand(options) {
                 contextCandidates: planFiles,
                 orgGovernance: orgGovernanceSettings,
                 signingKey: aiLogSigningKey,
+                signingKeyId: aiLogSigningKeyId,
+                signingKeys: aiLogSigningKeys,
                 signer: aiLogSigner,
             });
             // Get sessionId from state file (.neurcode/state.json) first, then fallback to config
@@ -1517,13 +1747,23 @@ async function verifyCommand(options) {
             const verifyResult = await client.verifyPlan(finalPlanId, diffStats, changedFiles, projectId, intentConstraints);
             // Apply custom policy verdict: block from dashboard overrides API verdict
             const policyBlock = policyDecision === 'block' && policyViolations.length > 0;
-            const effectiveVerdict = policyBlock ? 'FAIL' : verifyResult.verdict;
+            const governanceDecisionBlock = governanceResult?.governanceDecision?.decision === 'block';
+            const governanceIntegrityBlock = signedLogsRequired && governanceResult ? governanceResult.aiChangeLogIntegrity.valid !== true : false;
+            const governanceHardBlock = governanceDecisionBlock || governanceIntegrityBlock;
+            const effectiveVerdict = policyBlock || governanceHardBlock
+                ? 'FAIL'
+                : verifyResult.verdict;
             const policyMessageBase = policyBlock
                 ? `Custom policy violations: ${policyViolations.map(v => `${v.file}: ${v.message || v.rule}`).join('; ')}. ${verifyResult.message}`
                 : verifyResult.message;
-            const effectiveMessage = policyExceptionsSummary.suppressed > 0
+            const governanceBlockReason = governanceIntegrityBlock
+                ? `AI change-log integrity failed: ${governanceResult?.aiChangeLogIntegrity?.issues?.join('; ') || 'unknown issue'}`
+                : governanceDecisionBlock
+                    ? governanceResult?.governanceDecision?.summary || 'Governance decision matrix returned BLOCK.'
+                    : null;
+            const effectiveMessage = (policyExceptionsSummary.suppressed > 0
                 ? `${policyMessageBase} Policy exceptions suppressed ${policyExceptionsSummary.suppressed} violation(s).`
-                : policyMessageBase;
+                : policyMessageBase) + (governanceBlockReason ? ` ${governanceBlockReason}` : '');
             // Calculate grade from effective verdict and score
             // CRITICAL: 0/0 planned files = 'F' (Incomplete), not 'B'
             // Bloat automatically drops grade by at least one letter
@@ -1572,6 +1812,7 @@ async function verifyCommand(options) {
             recordVerifyEvent(effectiveVerdict, `adherence=${verifyResult.adherenceScore};bloat=${verifyResult.bloatCount};scopeGuard=${scopeGuardPassed ? 1 : 0};policy=${policyDecision};policyExceptions=${policyExceptionsSummary.suppressed}`, changedPathsForBrain, finalPlanId);
             const shouldForceGovernancePass = scopeGuardPassed &&
                 !policyBlock &&
+                !governanceHardBlock &&
                 (effectiveVerdict === 'PASS' ||
                     ((verifyResult.verdict === 'FAIL' || verifyResult.verdict === 'WARN') &&
                         policyViolations.length === 0 &&
@@ -2069,6 +2310,17 @@ function displayGovernanceInsights(governance, options = {}) {
     console.log(governance.aiChangeLogIntegrity.valid
         ? chalk.dim(`   AI change-log integrity: valid (${governance.aiChangeLogIntegrity.signed ? 'signed' : 'unsigned'})`)
         : chalk.red(`   AI change-log integrity: invalid (${governance.aiChangeLogIntegrity.issues.join('; ') || 'unknown'})`));
+    if (governance.aiChangeLogIntegrity.signed) {
+        const keyId = typeof governance.aiChangeLogIntegrity.keyId === 'string'
+            ? governance.aiChangeLogIntegrity.keyId
+            : null;
+        const verifiedWithKeyId = typeof governance.aiChangeLogIntegrity.verifiedWithKeyId === 'string'
+            ? governance.aiChangeLogIntegrity.verifiedWithKeyId
+            : null;
+        if (keyId || verifiedWithKeyId) {
+            console.log(chalk.dim(`   Signing key: ${keyId || 'n/a'}${verifiedWithKeyId ? ` (verified via ${verifiedWithKeyId})` : ''}`));
+        }
+    }
     if (governance.suspiciousChange.flagged) {
         console.log(chalk.red('\nSuspicious Change Detected'));
         console.log(chalk.red(`   Plan expected files: ${governance.suspiciousChange.expectedFiles} | AI modified files: ${governance.suspiciousChange.actualFiles}`));