@neurcode-ai/cli 0.9.36 → 0.9.37

package/dist/commands/policy.js

@@ -10,6 +10,7 @@ const policy_governance_1 = require("../utils/policy-governance");
 const policy_audit_1 = require("../utils/policy-audit");
 const policy_packs_1 = require("../utils/policy-packs");
 const policy_compiler_1 = require("../utils/policy-compiler");
+const artifact_signature_1 = require("../utils/artifact-signature");
 // Import chalk with fallback
 let chalk;
 try {
@@ -73,6 +74,11 @@ function validateExceptionWindowByGovernance(expiresAt, maxExpiryDays) {
         throw new Error(`exception expiry exceeds governance max window (${maxExpiryDays} days)`);
     }
 }
+function normalizeListLimit(value, fallback, min, max) {
+    if (!Number.isFinite(value))
+        return fallback;
+    return Math.max(min, Math.min(max, Math.floor(Number(value))));
+}
 async function resolveCustomPolicies(client, includeDashboardPolicies, requireDashboardPolicies) {
     if (!includeDashboardPolicies) {
         return {
@@ -382,6 +388,7 @@ function policyCommand(program) {
         .option('--intent <text>', 'Optional intent constraints to compile alongside policy rules')
         .option('--no-dashboard', 'Exclude dashboard custom policies from compiled artifact')
         .option('--require-dashboard', 'Fail if dashboard custom policies cannot be loaded')
+        .option('--require-deterministic-match', 'Fail if any intent statement cannot be compiled into deterministic enforcement rules')
         .option('--output <path>', 'Output file path (default: neurcode.policy.compiled.json)')
         .option('--json', 'Output as JSON')
         .action(async (options) => {
@@ -402,7 +409,7 @@ function policyCommand(program) {
                 customRules,
                 includeDashboardPolicies: customPolicyResolution.includeDashboardPolicies,
             });
-            const compiled = (0, policy_compiler_1.buildCompiledPolicyArtifact)({
+            const compiledUnsigned = (0, policy_compiler_1.buildCompiledPolicyArtifact)({
                 includeDashboardPolicies: customPolicyResolution.includeDashboardPolicies,
                 policyLockPath: (0, policy_packs_1.getPolicyLockPath)(cwd),
                 policyLockFingerprint: snapshot.effective.fingerprint,
@@ -420,6 +427,19 @@ function policyCommand(program) {
                 intentConstraints: options.intent,
                 policyRules: customPolicyResolution.customPolicies.map((policy) => policy.rule_text),
             });
+            const artifactSigningConfig = (0, artifact_signature_1.resolveGovernanceArtifactSigningConfigFromEnv)();
+            const compiled = (0, artifact_signature_1.signGovernanceArtifact)(compiledUnsigned, artifactSigningConfig);
+            if (options.requireDeterministicMatch === true
+                && compiled.compilation.unmatchedStatements.length > 0) {
+                const unmatchedError = new Error(`Deterministic policy compilation blocked: ${compiled.compilation.unmatchedStatements.length} intent statement(s) could not be converted into enforceable rules.`);
+                unmatchedError.code = 'POLICY_COMPILE_UNMATCHED_INTENT';
+                unmatchedError.unmatchedStatements = [
+                    ...compiled.compilation.unmatchedStatements,
+                ];
+                unmatchedError.deterministicRuleCount =
+                    compiled.compilation.deterministicRuleCount;
+                throw unmatchedError;
+            }
             const outputPath = (0, policy_compiler_1.writeCompiledPolicyArtifact)(cwd, compiled, options.output);
             const readBack = (0, policy_compiler_1.readCompiledPolicyArtifact)(cwd, options.output);
             try {
@@ -433,6 +453,8 @@ function policyCommand(program) {
                         deterministicRuleCount: compiled.compilation.deterministicRuleCount,
                         unmatchedStatements: compiled.compilation.unmatchedStatements.length,
                         dashboardMode: compiled.source.includeDashboardPolicies ? 'dashboard' : 'disabled',
+                        signaturePresent: Boolean(compiled.signature && compiled.signature.value),
+                        signatureKeyId: compiled.signature?.keyId || null,
                     },
                 });
             }
@@ -454,6 +476,12 @@ function policyCommand(program) {
             console.log(chalk.dim(`Fingerprint: ${compiled.fingerprint}`));
             console.log(chalk.dim(`Deterministic rules: ${compiled.compilation.deterministicRuleCount}`));
             console.log(chalk.dim(`Unmatched statements: ${compiled.compilation.unmatchedStatements.length}`));
+            if (compiled.signature?.value) {
+                console.log(chalk.dim(`Artifact signature: signed (${compiled.signature.keyId ? `key ${compiled.signature.keyId}` : 'inline key'})`));
+            }
+            else {
+                console.log(chalk.dim('Artifact signature: unsigned (set NEURCODE_GOVERNANCE_SIGNING_KEY to sign artifacts)'));
+            }
             console.log(chalk.dim(`Policy source: ${compiled.source.includeDashboardPolicies ? 'dashboard + local packs' : 'local packs only'}`));
             if (customPolicyResolution.dashboardWarning) {
                 console.log(chalk.yellow(`\n⚠️  ${customPolicyResolution.dashboardWarning}`));
@@ -463,7 +491,22 @@ function policyCommand(program) {
         catch (error) {
             const message = error instanceof Error ? error.message : 'Unknown error';
             if (options.json) {
-                console.log(JSON.stringify({ error: message }, null, 2));
+                const payload = { error: message };
+                if (error && typeof error === 'object') {
+                    const maybeCode = error.code;
+                    const maybeUnmatched = error.unmatchedStatements;
+                    const maybeRuleCount = error.deterministicRuleCount;
+                    if (typeof maybeCode === 'string') {
+                        payload.code = maybeCode;
+                    }
+                    if (Array.isArray(maybeUnmatched)) {
+                        payload.unmatchedStatements = maybeUnmatched.filter((item) => typeof item === 'string');
+                    }
+                    if (typeof maybeRuleCount === 'number' && Number.isFinite(maybeRuleCount)) {
+                        payload.deterministicRuleCount = maybeRuleCount;
+                    }
+                }
+                console.log(JSON.stringify(payload, null, 2));
                 process.exit(1);
             }
             console.error(chalk.red(`\n❌ ${message}\n`));
@@ -783,9 +826,59 @@ function policyCommand(program) {
     exception
         .command('list')
         .description('List policy exceptions for this repository')
+        .option('--org', 'List centralized organization policy exceptions from Neurcode Cloud')
         .option('--all', 'Include inactive/expired exceptions')
         .option('--json', 'Output as JSON')
-        .action((options) => {
+        .action(async (options) => {
+        if (options.org) {
+            try {
+                const config = loadPolicyRuntimeConfig();
+                const client = new api_client_1.ApiClient(config);
+                const exceptions = await client.listOrgPolicyExceptions({ limit: 250 });
+                const items = options.all
+                    ? exceptions
+                    : exceptions.filter((entry) => entry.effectiveState !== 'revoked' && entry.effectiveState !== 'expired');
+                if (options.json) {
+                    console.log(JSON.stringify({
+                        source: 'org',
+                        total: exceptions.length,
+                        exceptions: items,
+                    }, null, 2));
+                    return;
+                }
+                if (items.length === 0) {
+                    console.log(chalk.yellow('\n⚠️  No organization policy exceptions found.\n'));
+                    console.log(chalk.dim('Add one: neurcode policy exception add --org --rule <pattern> --file <glob> --reason "<why>"\n'));
+                    return;
+                }
+                console.log(chalk.bold('\n🏢 Org Policy Exceptions\n'));
+                items.forEach((entry) => {
+                    console.log(chalk.cyan(`• ${entry.id}`));
+                    console.log(chalk.dim(`  state=${entry.effectiveState} workflow=${entry.workflowState}`));
+                    console.log(chalk.dim(`  rule=${entry.rulePattern} file=${entry.filePattern}`));
+                    console.log(chalk.dim(`  expires=${entry.expiresAt} active=${entry.active ? 'yes' : 'no'}`));
+                    console.log(chalk.dim(`  approvals=${entry.approvalCount}` +
+                        `${entry.requiredApprovals > 0 ? ` required=${entry.requiredApprovals}` : ''}` +
+                        `${entry.critical ? ' critical=yes' : ''}`));
+                    console.log(chalk.dim(`  reason=${entry.reason}`));
+                    if (entry.ticket) {
+                        console.log(chalk.dim(`  ticket=${entry.ticket}`));
+                    }
+                    console.log('');
+                });
+                console.log(chalk.dim('Source: Neurcode Cloud (/api/v1/org/policy-exceptions)\n'));
+                return;
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : 'Unknown error';
+                if (options.json) {
+                    console.log(JSON.stringify({ error: message }, null, 2));
+                    process.exit(1);
+                }
+                console.error(chalk.red(`\n❌ ${message}\n`));
+                process.exit(1);
+            }
+        }
         const cwd = (0, project_root_1.resolveNeurcodeProjectRoot)(process.cwd());
         const data = (0, policy_exceptions_1.listPolicyExceptions)(cwd);
         const governance = (0, policy_governance_1.readPolicyGovernanceConfig)(cwd);
@@ -865,6 +958,7 @@ function policyCommand(program) {
     exception
         .command('add')
         .description('Add a policy exception entry')
+        .option('--org', 'Create centralized organization policy exception in Neurcode Cloud')
         .requiredOption('--rule <pattern>', 'Rule pattern (exact, wildcard, or /regex/)')
         .requiredOption('--file <pattern>', 'File pattern (exact, wildcard, or /regex/)')
         .requiredOption('--reason <text>', 'Business justification for this exception')
@@ -873,7 +967,7 @@ function policyCommand(program) {
         .option('--expires-at <iso>', 'Expiry timestamp in ISO-8601')
         .option('--expires-in-days <n>', 'Expiry offset in days (default: 30)', (value) => parseInt(value, 10))
         .option('--json', 'Output as JSON')
-        .action((options) => {
+        .action(async (options) => {
         const cwd = (0, project_root_1.resolveNeurcodeProjectRoot)(process.cwd());
         try {
             const severity = options.severity === 'allow' || options.severity === 'warn' || options.severity === 'block'
@@ -886,6 +980,37 @@ function policyCommand(program) {
                 expiresAt: options.expiresAt,
                 expiresInDays: options.expiresInDays,
             });
+            if (options.org) {
+                const config = loadPolicyRuntimeConfig();
+                const client = new api_client_1.ApiClient(config);
+                const created = await client.createOrgPolicyException({
+                    rulePattern: options.rule,
+                    filePattern: options.file,
+                    reason: options.reason,
+                    ticket: options.ticket,
+                    severity,
+                    expiresAt,
+                });
+                if (options.json) {
+                    console.log(JSON.stringify({
+                        source: 'org',
+                        exception: created,
+                    }, null, 2));
+                    return;
+                }
+                console.log(chalk.green('\n✅ Organization policy exception created\n'));
+                console.log(chalk.cyan(`ID: ${created.id}`));
+                console.log(chalk.dim(`State: ${created.effectiveState}`));
+                console.log(chalk.dim(`Rule: ${created.rulePattern}`));
+                console.log(chalk.dim(`File: ${created.filePattern}`));
+                console.log(chalk.dim(`Expires: ${created.expiresAt}`));
+                console.log(chalk.dim(`Approvals: ${created.approvalCount}/${created.requiredApprovals}`));
+                if (created.ticket) {
+                    console.log(chalk.dim(`Ticket: ${created.ticket}`));
+                }
+                console.log(chalk.dim('Source: Neurcode Cloud (/api/v1/org/policy-exceptions)\n'));
+                return;
+            }
             const governance = (0, policy_governance_1.readPolicyGovernanceConfig)(cwd);
             if (governance.exceptionApprovals.requireReason
                 && options.reason.trim().length < governance.exceptionApprovals.minReasonLength) {
@@ -966,13 +1091,38 @@ function policyCommand(program) {
         .command('approve')
         .description('Approve a policy exception by ID')
         .argument('<id>', 'Exception ID to approve')
+        .option('--org', 'Approve centralized organization policy exception in Neurcode Cloud')
         .option('--by <actor>', 'Approver identity (defaults to NEURCODE_ACTOR/GITHUB_ACTOR/USER)')
         .option('--comment <text>', 'Approval comment')
         .option('--json', 'Output as JSON')
-        .action((id, options) => {
+        .action(async (id, options) => {
         const cwd = (0, project_root_1.resolveNeurcodeProjectRoot)(process.cwd());
         const approver = resolveActor(options.by);
         try {
+            if (options.org) {
+                if (options.by) {
+                    throw new Error('--by is not supported with --org (identity comes from authenticated Neurcode user)');
+                }
+                const config = loadPolicyRuntimeConfig();
+                const client = new api_client_1.ApiClient(config);
+                const updated = await client.approveOrgPolicyException(String(id).trim(), {
+                    note: options.comment,
+                });
+                if (options.json) {
+                    console.log(JSON.stringify({
+                        source: 'org',
+                        approved: true,
+                        exception: updated,
+                    }, null, 2));
+                    return;
+                }
+                console.log(chalk.green('\n✅ Organization policy exception approval recorded.\n'));
+                console.log(chalk.dim(`ID: ${updated.id}`));
+                console.log(chalk.dim(`State: ${updated.effectiveState}`));
+                console.log(chalk.dim(`Approvals: ${updated.approvalCount}/${updated.requiredApprovals}`));
+                console.log(chalk.dim('Source: Neurcode Cloud (/api/v1/org/policy-exceptions)\n'));
+                return;
+            }
             const governance = (0, policy_governance_1.readPolicyGovernanceConfig)(cwd);
             const target = (0, policy_exceptions_1.listPolicyExceptions)(cwd).all.find((entry) => entry.id === String(id).trim());
             if (!target) {
@@ -1066,12 +1216,185 @@ function policyCommand(program) {
             process.exit(1);
         }
     });
+    exception
+        .command('reject')
+        .description('Reject a pending organization policy exception by ID')
+        .argument('<id>', 'Exception ID to reject')
+        .requiredOption('--reason <text>', 'Reason for rejecting this exception')
+        .option('--org', 'Reject centralized organization policy exception in Neurcode Cloud')
+        .option('--json', 'Output as JSON')
+        .action(async (id, options) => {
+        if (!options.org) {
+            const message = '`policy exception reject` is only supported for --org exceptions. Use `policy exception remove` for local exceptions.';
+            if (options.json) {
+                console.log(JSON.stringify({ error: message }, null, 2));
+                process.exit(1);
+            }
+            console.error(chalk.red(`\n❌ ${message}\n`));
+            process.exit(1);
+        }
+        const reason = typeof options.reason === 'string' ? options.reason.trim() : '';
+        if (!reason) {
+            const message = '--reason is required';
+            if (options.json) {
+                console.log(JSON.stringify({ error: message }, null, 2));
+                process.exit(1);
+            }
+            console.error(chalk.red(`\n❌ ${message}\n`));
+            process.exit(1);
+        }
+        try {
+            const config = loadPolicyRuntimeConfig();
+            const client = new api_client_1.ApiClient(config);
+            const updated = await client.rejectOrgPolicyException(String(id).trim(), { reason });
+            if (options.json) {
+                console.log(JSON.stringify({
+                    source: 'org',
+                    rejected: true,
+                    exception: updated,
+                }, null, 2));
+                return;
+            }
+            console.log(chalk.green('\n✅ Organization policy exception rejected.\n'));
+            console.log(chalk.dim(`ID: ${updated.id}`));
+            console.log(chalk.dim(`State: ${updated.effectiveState}`));
+            if (updated.rejectionReason) {
+                console.log(chalk.dim(`Reason: ${updated.rejectionReason}`));
+            }
+            console.log(chalk.dim('Source: Neurcode Cloud (/api/v1/org/policy-exceptions)\n'));
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Unknown error';
+            if (options.json) {
+                console.log(JSON.stringify({ error: message }, null, 2));
+                process.exit(1);
+            }
+            console.error(chalk.red(`\n❌ ${message}\n`));
+            process.exit(1);
+        }
+    });
+    exception
+        .command('events')
+        .description('Show policy exception audit events')
+        .argument('<id>', 'Exception ID')
+        .option('--org', 'Read centralized organization policy exception events from Neurcode Cloud')
+        .option('--limit <n>', 'Maximum events to return (default: 30)', (value) => parseInt(value, 10))
+        .option('--json', 'Output as JSON')
+        .action(async (id, options) => {
+        const exceptionId = String(id).trim();
+        const limit = normalizeListLimit(options.limit, 30, 1, 300);
+        if (options.org) {
+            try {
+                const config = loadPolicyRuntimeConfig();
+                const client = new api_client_1.ApiClient(config);
+                const events = await client.listOrgPolicyExceptionEvents(exceptionId, limit);
+                if (options.json) {
+                    console.log(JSON.stringify({
+                        source: 'org',
+                        exceptionId,
+                        total: events.length,
+                        events,
+                    }, null, 2));
+                    return;
+                }
+                if (events.length === 0) {
+                    console.log(chalk.yellow('\n⚠️  No organization exception events found.\n'));
+                    return;
+                }
+                console.log(chalk.bold('\n🧾 Organization Exception Events\n'));
+                events.forEach((event) => {
+                    const actor = event.actorEmail ||
+                        [event.actorFirstName, event.actorLastName].filter(Boolean).join(' ').trim() ||
+                        event.actorUserId ||
+                        'unknown';
+                    console.log(chalk.cyan(`• ${event.createdAt}  ${event.action}`));
+                    console.log(chalk.dim(`  actor=${actor}`));
+                    if (event.note) {
+                        console.log(chalk.dim(`  note=${event.note}`));
+                    }
+                    console.log(chalk.dim(`  eventId=${event.id}`));
+                    console.log('');
+                });
+                console.log(chalk.dim('Source: Neurcode Cloud (/api/v1/org/policy-exceptions/:id/events)\n'));
+                return;
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : 'Unknown error';
+                if (options.json) {
+                    console.log(JSON.stringify({ error: message }, null, 2));
+                    process.exit(1);
+                }
+                console.error(chalk.red(`\n❌ ${message}\n`));
+                process.exit(1);
+            }
+        }
+        const cwd = (0, project_root_1.resolveNeurcodeProjectRoot)(process.cwd());
+        const events = (0, policy_audit_1.readPolicyAuditEvents)(cwd)
+            .filter((event) => event.entityType === 'policy_exception' && event.entityId === exceptionId)
+            .sort((left, right) => right.timestamp.localeCompare(left.timestamp))
+            .slice(0, limit);
+        if (options.json) {
+            console.log(JSON.stringify({
+                source: 'local',
+                exceptionId,
+                total: events.length,
+                events,
+                path: (0, policy_audit_1.getPolicyAuditPath)(cwd),
+            }, null, 2));
+            return;
+        }
+        if (events.length === 0) {
+            console.log(chalk.yellow('\n⚠️  No local exception audit events found.\n'));
+            return;
+        }
+        console.log(chalk.bold('\n🧾 Local Exception Events\n'));
+        events.forEach((event) => {
+            console.log(chalk.cyan(`• ${event.timestamp}  ${event.action}`));
+            console.log(chalk.dim(`  actor=${event.actor}`));
+            if (event.metadata && Object.keys(event.metadata).length > 0) {
+                console.log(chalk.dim(`  metadata=${JSON.stringify(event.metadata)}`));
+            }
+            console.log(chalk.dim(`  hash=${event.hash.slice(0, 12)}...`));
+            console.log('');
+        });
+        console.log(chalk.dim(`Source: ${(0, policy_audit_1.getPolicyAuditPath)(cwd)}\n`));
+    });
     exception
         .command('remove')
         .description('Deactivate a policy exception by ID')
         .argument('<id>', 'Exception ID to deactivate')
+        .option('--org', 'Revoke centralized organization policy exception in Neurcode Cloud')
         .option('--json', 'Output as JSON')
-        .action((id, options) => {
+        .action(async (id, options) => {
+        if (options.org) {
+            try {
+                const config = loadPolicyRuntimeConfig();
+                const client = new api_client_1.ApiClient(config);
+                const updated = await client.revokeOrgPolicyException(String(id).trim());
+                if (options.json) {
+                    console.log(JSON.stringify({
+                        source: 'org',
+                        removed: true,
+                        exception: updated,
+                    }, null, 2));
+                    return;
+                }
+                console.log(chalk.green('\n✅ Organization policy exception revoked.\n'));
+                console.log(chalk.dim(`ID: ${updated.id}`));
+                console.log(chalk.dim(`State: ${updated.effectiveState}`));
+                console.log(chalk.dim('Source: Neurcode Cloud (/api/v1/org/policy-exceptions)\n'));
+                return;
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : 'Unknown error';
+                if (options.json) {
+                    console.log(JSON.stringify({ error: message }, null, 2));
+                    process.exit(1);
+                }
+                console.error(chalk.red(`\n❌ ${message}\n`));
+                process.exit(1);
+            }
+        }
         const cwd = (0, project_root_1.resolveNeurcodeProjectRoot)(process.cwd());
         const removed = (0, policy_exceptions_1.revokePolicyException)(cwd, String(id).trim());
         if (removed) {