@neurcode-ai/cli 0.9.42 → 0.9.44

package/dist/commands/verify.js

@@ -367,6 +367,152 @@ function getRuntimeIgnoreSetFromEnv() {
         .map((item) => toUnixPath(item.trim()))
         .filter(Boolean));
 }
+const INTENT_PROOF_CODE_EXTENSIONS = new Set([
+    '.ts',
+    '.tsx',
+    '.js',
+    '.jsx',
+    '.mjs',
+    '.cjs',
+    '.mts',
+    '.cts',
+    '.py',
+    '.java',
+    '.go',
+    '.rb',
+    '.rs',
+]);
+const INTENT_PROOF_IGNORED_DIRECTORIES = new Set([
+    '.git',
+    '.hg',
+    '.svn',
+    '.neurcode',
+    'node_modules',
+    'vendor',
+    'dist',
+    'build',
+    'out',
+    'coverage',
+    '.next',
+    '.turbo',
+    '.cache',
+]);
+function isIntentProofSourceFile(pathValue) {
+    const lower = pathValue.toLowerCase();
+    for (const extension of INTENT_PROOF_CODE_EXTENSIONS) {
+        if (lower.endsWith(extension)) {
+            return true;
+        }
+    }
+    return false;
+}
+function dedupeDeterministicRules(rules) {
+    const seen = new Set();
+    const out = [];
+    for (const rule of rules) {
+        const key = [
+            rule.id,
+            rule.source,
+            rule.statement,
+            rule.matchToken,
+            rule.evaluationMode || '',
+            rule.evaluationScope || '',
+            typeof rule.minMatchesPerFile === 'number' ? String(rule.minMatchesPerFile) : '',
+            typeof rule.maxMatchesPerFile === 'number' ? String(rule.maxMatchesPerFile) : '',
+            rule.pathIncludePatterns?.join('|') || '',
+            rule.pathExcludePatterns?.join('|') || '',
+        ].join('::');
+        if (seen.has(key))
+            continue;
+        seen.add(key);
+        out.push(rule);
+    }
+    return out;
+}
+function collectIntentProofFileContents(projectRoot, changedPaths, maxFiles, maxTotalBytes, maxPerFileBytes) {
+    const fileContents = {};
+    let scannedFiles = 0;
+    let scannedBytes = 0;
+    let truncated = false;
+    const tryAddFile = (relativePath) => {
+        if (!relativePath || fileContents[relativePath] !== undefined)
+            return;
+        if (!isIntentProofSourceFile(relativePath) || isExcludedFile(relativePath))
+            return;
+        if (scannedFiles >= maxFiles) {
+            truncated = true;
+            return;
+        }
+        const absolutePath = (0, path_1.join)(projectRoot, relativePath);
+        if (!(0, fs_1.existsSync)(absolutePath))
+            return;
+        try {
+            const stat = (0, fs_1.statSync)(absolutePath);
+            if (!stat.isFile())
+                return;
+            if (stat.size > maxPerFileBytes)
+                return;
+            if (scannedBytes + stat.size > maxTotalBytes) {
+                truncated = true;
+                return;
+            }
+            const content = (0, fs_1.readFileSync)(absolutePath, 'utf-8');
+            fileContents[relativePath] = content;
+            scannedFiles += 1;
+            scannedBytes += stat.size;
+        }
+        catch {
+            // Non-text/unreadable: skip.
+        }
+    };
+    for (const rawPath of changedPaths) {
+        tryAddFile(toUnixPath(rawPath));
+    }
+    const stack = [projectRoot];
+    while (stack.length > 0) {
+        const current = stack.pop();
+        if (!current)
+            continue;
+        let entries;
+        try {
+            entries = (0, fs_1.readdirSync)(current, { withFileTypes: true });
+        }
+        catch {
+            continue;
+        }
+        for (const entry of entries) {
+            if (entry.name === '.' || entry.name === '..')
+                continue;
+            const absolutePath = (0, path_1.join)(current, entry.name);
+            const relativePath = toUnixPath(absolutePath.slice(projectRoot.length + 1));
+            if (entry.isDirectory()) {
+                if (INTENT_PROOF_IGNORED_DIRECTORIES.has(entry.name))
+                    continue;
+                if (isExcludedFile(`${relativePath}/`))
+                    continue;
+                stack.push(absolutePath);
+                continue;
+            }
+            if (!entry.isFile()) {
+                continue;
+            }
+            if (scannedFiles >= maxFiles) {
+                truncated = true;
+                break;
+            }
+            tryAddFile(relativePath);
+        }
+        if (truncated && scannedFiles >= maxFiles) {
+            break;
+        }
+    }
+    return {
+        fileContents,
+        scannedFiles,
+        scannedBytes,
+        truncated,
+    };
+}
 async function buildEffectivePolicyRules(client, projectRoot, useDashboardPolicies) {
     const defaultPolicy = (0, policy_engine_1.createDefaultPolicy)();
     const customRules = [];
@@ -481,6 +627,112 @@ function runtimeGuardViolationsToReport(summary) {
         message: item.message,
     }));
 }
+function asObjectRecord(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return null;
+    }
+    return value;
+}
+function asObjectArray(value) {
+    if (!Array.isArray(value)) {
+        return [];
+    }
+    return value
+        .map((item) => asObjectRecord(item))
+        .filter((item) => item !== null);
+}
+function asBooleanFlag(value) {
+    return typeof value === 'boolean' ? value : null;
+}
+function asNumberValue(value) {
+    return typeof value === 'number' && Number.isFinite(value) ? value : null;
+}
+function asStringValue(value) {
+    return typeof value === 'string' && value.trim().length > 0 ? value : null;
+}
+function buildDeterministicLayerSummary(payload) {
+    const verdict = asStringValue(payload.verdict) || 'UNKNOWN';
+    const mode = asStringValue(payload.mode) || 'unknown';
+    const policyOnly = payload.policyOnly === true;
+    const scopeGuardPassed = asBooleanFlag(payload.scopeGuardPassed);
+    const violations = asObjectArray(payload.violations);
+    const policyViolations = violations.filter((entry) => {
+        const rule = String(entry.rule || '').toLowerCase();
+        return (!rule.includes('scope_guard')
+            && !rule.includes('change_contract')
+            && !rule.includes('runtime_guard')
+            && !rule.includes('deterministic_artifacts_required')
+            && !rule.includes('signed_artifacts_required'));
+    });
+    const policyBlocking = policyViolations.filter((entry) => String(entry.severity || '').toLowerCase() === 'block');
+    const policyWarnings = policyViolations.filter((entry) => String(entry.severity || '').toLowerCase() === 'warn');
+    const changeContract = asObjectRecord(payload.changeContract);
+    const changeContractValid = asBooleanFlag(changeContract?.valid);
+    const changeContractEnforced = changeContract?.enforced === true;
+    const changeContractViolations = Array.isArray(changeContract?.violations)
+        ? (changeContract?.violations).length
+        : 0;
+    const explicitContractViolations = violations.filter((entry) => {
+        const rule = String(entry.rule || '').toLowerCase();
+        return rule.includes('scope_guard') || rule.includes('change_contract');
+    }).length;
+    const runtimeGuard = asObjectRecord(payload.runtimeGuard);
+    const runtimeGuardRequired = runtimeGuard?.required === true;
+    const runtimeGuardPass = asBooleanFlag(runtimeGuard?.pass);
+    const runtimeGuardViolations = Array.isArray(runtimeGuard?.violations)
+        ? (runtimeGuard?.violations).length
+        : violations.filter((entry) => String(entry.rule || '').toLowerCase().includes('runtime_guard')).length;
+    const policyCompilation = asObjectRecord(payload.policyCompilation);
+    const deterministicRuleCount = asNumberValue(policyCompilation?.deterministicRuleCount);
+    const unmatchedStatements = asNumberValue(policyCompilation?.unmatchedStatements);
+    let policyGateStatus = 'pass';
+    if (policyBlocking.length > 0) {
+        policyGateStatus = 'fail';
+    }
+    else if (policyWarnings.length > 0 || verdict === 'WARN') {
+        policyGateStatus = 'warn';
+    }
+    let contractGateStatus = 'not_applicable';
+    if (!policyOnly) {
+        contractGateStatus = 'pass';
+        if (changeContractEnforced
+            && (changeContractValid === false || changeContractViolations > 0 || explicitContractViolations > 0 || scopeGuardPassed === false)) {
+            contractGateStatus = 'fail';
+        }
+        else if (!changeContractEnforced && (changeContractViolations > 0 || explicitContractViolations > 0)) {
+            contractGateStatus = 'warn';
+        }
+    }
+    let runtimeGuardStatus = 'not_applicable';
+    if (runtimeGuardRequired) {
+        runtimeGuardStatus = runtimeGuardPass === false || runtimeGuardViolations > 0 ? 'fail' : 'pass';
+    }
+    else if (runtimeGuardViolations > 0) {
+        runtimeGuardStatus = 'fail';
+    }
+    return {
+        policyGate: {
+            status: policyGateStatus,
+            blockingViolations: policyBlocking.length,
+            warningViolations: policyWarnings.length,
+            deterministicRuleCount: deterministicRuleCount ?? null,
+            unmatchedStatements: unmatchedStatements ?? null,
+        },
+        contractGate: {
+            status: contractGateStatus,
+            enforced: changeContractEnforced,
+            valid: changeContractValid,
+            violationCount: changeContractViolations + explicitContractViolations,
+            mode,
+        },
+        runtimeGuardGate: {
+            status: runtimeGuardStatus,
+            required: runtimeGuardRequired,
+            pass: runtimeGuardPass,
+            violationCount: runtimeGuardViolations,
+        },
+    };
+}
 function toAiDebtSummary(evaluation) {
     return {
         mode: evaluation.mode,
@@ -544,31 +796,29 @@ function parseSigningKeyRing(raw) {
     return out;
 }
 function resolveGovernanceSigningConfig() {
-    const signingKeys = parseSigningKeyRing(process.env.NEURCODE_GOVERNANCE_SIGNING_KEYS);
-    const envSigningKey = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY?.trim() ||
-        process.env.NEURCODE_AI_LOG_SIGNING_KEY?.trim() ||
-        '';
-    const requestedKeyId = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY_ID?.trim() || '';
+    const artifactSigningConfig = (0, artifact_signature_1.resolveGovernanceArtifactSigningConfigFromEnv)();
     const signer = process.env.NEURCODE_GOVERNANCE_SIGNER || process.env.USER || 'neurcode-cli';
-    let signingKey = envSigningKey || null;
-    let signingKeyId = requestedKeyId || null;
-    if (!signingKey && Object.keys(signingKeys).length > 0) {
-        if (signingKeyId && signingKeys[signingKeyId]) {
-            signingKey = signingKeys[signingKeyId];
-        }
-        else {
-            const fallbackKeyId = Object.keys(signingKeys).sort((a, b) => a.localeCompare(b))[0];
-            signingKey = signingKeys[fallbackKeyId];
-            signingKeyId = signingKeyId || fallbackKeyId;
-        }
-    }
     return {
-        signingKey,
-        signingKeyId,
-        signingKeys,
+        signingKey: artifactSigningConfig.signingKey,
+        signingKeyId: artifactSigningConfig.signingKeyId,
+        signingKeys: artifactSigningConfig.signingKeys,
         signer,
     };
 }
+function isGitRepository(cwd) {
+    try {
+        const output = (0, child_process_1.execSync)('git rev-parse --is-inside-work-tree', {
+            cwd,
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+            maxBuffer: 1024 * 1024,
+        }).trim().toLowerCase();
+        return output === 'true';
+    }
+    catch {
+        return false;
+    }
+}
 function isSignedAiLogsRequired(orgGovernanceSettings) {
     return (orgGovernanceSettings?.requireSignedAiLogs === true ||
         isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
@@ -738,8 +988,12 @@ async function recordVerificationIfRequested(options, config, payload) {
  */
 async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRoot, config, client, source, scopeTelemetry, projectId, orgGovernanceSettings, aiLogSigningKey, aiLogSigningKeyId, aiLogSigningKeys, aiLogSigner, compiledPolicyMetadata, changeContractSummary) {
     const emitPolicyOnlyJson = (payload) => {
-        console.log(JSON.stringify({
+        const enrichedPayload = {
             ...payload,
+            deterministicLayers: buildDeterministicLayerSummary(payload),
+        };
+        console.log(JSON.stringify({
+            ...enrichedPayload,
             ...(compiledPolicyMetadata ? { policyCompilation: compiledPolicyMetadata } : {}),
             changeContract: changeContractSummary,
             scope: scopeTelemetry,
@@ -1264,10 +1518,45 @@ async function verifyCommand(options) {
         const emitVerifyJson = (payload) => {
             const jsonPayload = {
                 ...payload,
+                deterministicLayers: buildDeterministicLayerSummary(payload),
                 scope: scopeTelemetry,
             };
             console.log(JSON.stringify(jsonPayload, null, 2));
         };
+        if (!isGitRepository(projectRoot)) {
+            const message = 'Verify requires a git repository. Initialize git (`git init`) or run this command inside an existing git project.';
+            if (options.json) {
+                emitVerifyJson({
+                    grade: 'F',
+                    score: 0,
+                    verdict: 'FAIL',
+                    violations: [
+                        {
+                            file: '.',
+                            rule: 'git_repository_required',
+                            severity: 'block',
+                            message,
+                        },
+                    ],
+                    adherenceScore: 0,
+                    bloatCount: 0,
+                    bloatFiles: [],
+                    plannedFilesModified: 0,
+                    totalPlannedFiles: 0,
+                    message,
+                    scopeGuardPassed: false,
+                    mode: 'git_repository_required',
+                    policyOnly: options.policyOnly === true,
+                });
+            }
+            else {
+                console.log(chalk.red('\n❌ Git Repository Required'));
+                console.log(chalk.red(`   ${message}`));
+                console.log(chalk.dim(`   Current path: ${projectRoot}`));
+                console.log(chalk.dim('   Next step: git init && git add . && git commit -m "chore: baseline"\n'));
+            }
+            process.exit(1);
+        }
         const enforceChangeContract = options.enforceChangeContract === true ||
             isEnabledFlag(process.env.NEURCODE_VERIFY_ENFORCE_CHANGE_CONTRACT);
         const explicitStrictArtifactMode = options.strictArtifacts === true ||
@@ -1715,7 +2004,7 @@ async function verifyCommand(options) {
         // Determine which diff to capture (staged + unstaged for full current work)
         let diffText;
         if (options.staged) {
-            diffText = (0, child_process_1.execSync)('git diff --staged', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
+            diffText = (0, child_process_1.execSync)('git diff --cached', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
         }
         else if (options.base) {
             diffText = (0, git_1.getDiffFromBase)(options.base);
@@ -1726,7 +2015,7 @@ async function verifyCommand(options) {
         else {
             // Default: combine staged + unstaged to capture all current work
             try {
-                const stagedDiff = (0, child_process_1.execSync)('git diff --staged', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
+                const stagedDiff = (0, child_process_1.execSync)('git diff --cached', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
                 const unstagedDiff = (0, child_process_1.execSync)('git diff', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
                 diffText = stagedDiff + (stagedDiff && unstagedDiff ? '\n' : '') + unstagedDiff;
             }
@@ -2496,6 +2785,11 @@ async function verifyCommand(options) {
         const hydratedCompiledPolicyRules = effectiveCompiledPolicy
             ? (0, policy_compiler_1.hydrateCompiledPolicyRules)(effectiveCompiledPolicy)
             : [];
+        const deterministicPolicyRules = effectiveCompiledPolicy
+            ? [...effectiveCompiledPolicy.statements.policyRules]
+            : effectiveRules.customPolicies
+                .map((policy) => policy.rule_text)
+                .filter((ruleText) => typeof ruleText === 'string' && ruleText.trim().length > 0);
         if (effectiveCompiledPolicy?.source.policyLockFingerprint &&
             policyLockEvaluation.lockPresent &&
             effectiveCompiledPolicy.source.policyLockFingerprint !== (0, policy_packs_1.readPolicyLockFile)(projectRoot).lock?.effective.fingerprint) {
@@ -2661,6 +2955,17 @@ async function verifyCommand(options) {
                 eventCount: auditIntegrity.count,
             },
         };
+        let intentProofSummary = {
+            enabled: false,
+            pass: true,
+            checkedRules: 0,
+            repoScopedRules: 0,
+            signatureDriftRules: 0,
+            scannedFiles: 0,
+            scannedBytes: 0,
+            truncated: false,
+            violations: [],
+        };
         if (!options.json && effectiveRules.customRules.length > 0) {
             console.log(chalk.dim(`   Evaluating ${effectiveRules.customRules.length} custom policy rule(s) from dashboard`));
         }
@@ -2692,6 +2997,73 @@ async function verifyCommand(options) {
                 })),
             })),
         }));
+        const compiledIntentProof = (0, governance_runtime_1.compileDeterministicConstraints)({
+            intentConstraints: intentConstraintsForVerification,
+            policyRules: deterministicPolicyRules,
+        });
+        const proofRules = dedupeDeterministicRules([
+            ...compiledIntentProof.rules,
+            ...hydratedCompiledPolicyRules,
+        ].filter((rule) => rule.evaluationScope === 'repo'
+            || rule.evaluationMode === 'signature_delta'));
+        if (proofRules.length > 0) {
+            const repoScopedRules = proofRules.filter((rule) => rule.evaluationScope === 'repo');
+            const signatureDriftRules = proofRules.filter((rule) => rule.evaluationMode === 'signature_delta');
+            const maxProofFiles = Math.max(100, Math.floor(Number(process.env.NEURCODE_INTENT_PROOF_MAX_FILES || 2500)));
+            const maxProofBytes = Math.max(1024 * 1024, Math.floor(Number(process.env.NEURCODE_INTENT_PROOF_MAX_BYTES || (32 * 1024 * 1024))));
+            const maxProofPerFileBytes = Math.max(4096, Math.floor(Number(process.env.NEURCODE_INTENT_PROOF_MAX_FILE_BYTES || (768 * 1024))));
+            let proofContents;
+            let proofScannedFiles = 0;
+            let proofScannedBytes = 0;
+            let proofTruncated = false;
+            if (repoScopedRules.length > 0) {
+                const scan = collectIntentProofFileContents(projectRoot, changedFiles.map((file) => file.path), maxProofFiles, maxProofBytes, maxProofPerFileBytes);
+                proofContents = scan.fileContents;
+                proofScannedFiles = scan.scannedFiles;
+                proofScannedBytes = scan.scannedBytes;
+                proofTruncated = scan.truncated;
+            }
+            const proofEvaluation = (0, governance_runtime_1.evaluatePlanVerification)({
+                planFiles: planFilesForVerification.map((path) => ({
+                    path,
+                    action: 'MODIFY',
+                })),
+                changedFiles,
+                diffStats,
+                extraConstraintRules: proofRules,
+                fileContents: proofContents,
+            });
+            intentProofSummary = {
+                enabled: true,
+                pass: proofEvaluation.constraintViolations.length === 0,
+                checkedRules: proofRules.length,
+                repoScopedRules: repoScopedRules.length,
+                signatureDriftRules: signatureDriftRules.length,
+                scannedFiles: proofScannedFiles,
+                scannedBytes: proofScannedBytes,
+                truncated: proofTruncated,
+                violations: [...proofEvaluation.constraintViolations],
+            };
+            if (proofEvaluation.constraintViolations.length > 0) {
+                const intentProofPolicyViolations = proofEvaluation.constraintViolations.map((violation) => ({
+                    file: '.neurcode/intent-proof',
+                    rule: 'intent_proof',
+                    severity: 'block',
+                    message: violation,
+                }));
+                policyViolations.push(...intentProofPolicyViolations);
+                policyDecision = resolvePolicyDecisionFromViolations(policyViolations);
+            }
+            if (!options.json) {
+                if (intentProofSummary.pass) {
+                    console.log(chalk.dim(`   Intent proof checks passed (${intentProofSummary.checkedRules} rule(s)` +
+                        `${intentProofSummary.repoScopedRules > 0 ? `, repo scan ${intentProofSummary.scannedFiles} file(s)` : ''})`));
+                }
+                else {
+                    console.log(chalk.red(`   Intent proof checks failed (${intentProofSummary.violations.length} violation(s), ${intentProofSummary.checkedRules} rule(s))`));
+                }
+            }
+        }
         const changeContractEvaluation = changeContractRead.contract
             ? (0, change_contract_1.evaluateChangeContract)(changeContractRead.contract, {
                 planId: finalPlanId,
@@ -2795,11 +3167,6 @@ async function verifyCommand(options) {
         try {
             let verifySource = 'api';
             let verifyResult;
-            const deterministicPolicyRules = effectiveCompiledPolicy
-                ? [...effectiveCompiledPolicy.statements.policyRules]
-                : effectiveRules.customPolicies
-                    .map((policy) => policy.rule_text)
-                    .filter((ruleText) => typeof ruleText === 'string' && ruleText.trim().length > 0);
             try {
                 verifyResult = await client.verifyPlan(finalPlanId, diffStats, changedFiles, projectId, intentConstraintsForVerification, deterministicPolicyRules, 'api', compiledPolicyMetadata, {
                     async: options.asyncMode === true,
@@ -2990,6 +3357,7 @@ async function verifyCommand(options) {
                     },
                     policyExceptions: policyExceptionsSummary,
                     policyGovernance: policyGovernanceSummary,
+                    intentProof: intentProofSummary,
                     ...(runtimeGuardSummary.required ? { runtimeGuard: runtimeGuardSummary } : {}),
                     ...(policyViolations.length > 0 && { policyDecision }),
                     ...(effectiveRules.policyPack
@@ -3093,6 +3461,25 @@ async function verifyCommand(options) {
                 if (runtimeGuardSummary.required) {
                     console.log(chalk.dim(`\n   Runtime guard: ${runtimeGuardSummary.pass ? 'pass' : 'block'} (${runtimeGuardSummary.path})`));
                 }
+                if (intentProofSummary.enabled) {
+                    const proofHeader = intentProofSummary.pass
+                        ? chalk.dim(`   Intent proof: pass (${intentProofSummary.checkedRules} rule(s)` +
+                            `${intentProofSummary.repoScopedRules > 0 ? `, scanned ${intentProofSummary.scannedFiles} file(s)` : ''})`)
+                        : chalk.red(`\n⛔ Intent proof enforcement: ${intentProofSummary.violations.length} violation(s) ` +
+                            `(${intentProofSummary.checkedRules} rule(s))`);
+                    console.log(`\n${proofHeader}`);
+                    if (!intentProofSummary.pass) {
+                        intentProofSummary.violations.slice(0, 5).forEach((issue) => {
+                            console.log(chalk.red(`   • ${issue}`));
+                        });
+                        if (intentProofSummary.violations.length > 5) {
+                            console.log(chalk.dim(`   ... ${intentProofSummary.violations.length - 5} more violation(s)`));
+                        }
+                    }
+                    else if (intentProofSummary.truncated) {
+                        console.log(chalk.dim('   Intent proof repo scan reached configured file/byte limit (truncated).'));
+                    }
+                }
             }
             // Report to Neurcode Cloud if --record flag is set
             const filteredBloatForReport = (verifyResult.bloatFiles || []).filter((f) => !shouldIgnore(f));