@neurcode-ai/cli 0.9.43 → 0.9.45

package/dist/commands/verify.js

@@ -51,7 +51,6 @@ const path_1 = require("path");
 const fs_1 = require("fs");
 const state_1 = require("../utils/state");
 const ROILogger_1 = require("../utils/ROILogger");
-const box_1 = require("../utils/box");
 const ignore_1 = require("../utils/ignore");
 const project_root_1 = require("../utils/project-root");
 const brain_context_1 = require("../utils/brain-context");
@@ -64,6 +63,8 @@ const policy_audit_1 = require("../utils/policy-audit");
 const governance_1 = require("../utils/governance");
 const policy_compiler_1 = require("../utils/policy-compiler");
 const change_contract_1 = require("../utils/change-contract");
+const diff_symbols_1 = require("../utils/diff-symbols");
+const advisory_signals_1 = require("../utils/advisory-signals");
 const runtime_guard_1 = require("../utils/runtime-guard");
 const artifact_signature_1 = require("../utils/artifact-signature");
 const policy_1 = require("@neurcode-ai/policy");
@@ -796,31 +797,29 @@ function parseSigningKeyRing(raw) {
     return out;
 }
 function resolveGovernanceSigningConfig() {
-    const signingKeys = parseSigningKeyRing(process.env.NEURCODE_GOVERNANCE_SIGNING_KEYS);
-    const envSigningKey = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY?.trim() ||
-        process.env.NEURCODE_AI_LOG_SIGNING_KEY?.trim() ||
-        '';
-    const requestedKeyId = process.env.NEURCODE_GOVERNANCE_SIGNING_KEY_ID?.trim() || '';
+    const artifactSigningConfig = (0, artifact_signature_1.resolveGovernanceArtifactSigningConfigFromEnv)();
     const signer = process.env.NEURCODE_GOVERNANCE_SIGNER || process.env.USER || 'neurcode-cli';
-    let signingKey = envSigningKey || null;
-    let signingKeyId = requestedKeyId || null;
-    if (!signingKey && Object.keys(signingKeys).length > 0) {
-        if (signingKeyId && signingKeys[signingKeyId]) {
-            signingKey = signingKeys[signingKeyId];
-        }
-        else {
-            const fallbackKeyId = Object.keys(signingKeys).sort((a, b) => a.localeCompare(b))[0];
-            signingKey = signingKeys[fallbackKeyId];
-            signingKeyId = signingKeyId || fallbackKeyId;
-        }
-    }
     return {
-        signingKey,
-        signingKeyId,
-        signingKeys,
+        signingKey: artifactSigningConfig.signingKey,
+        signingKeyId: artifactSigningConfig.signingKeyId,
+        signingKeys: artifactSigningConfig.signingKeys,
         signer,
     };
 }
+function isGitRepository(cwd) {
+    try {
+        const output = (0, child_process_1.execSync)('git rev-parse --is-inside-work-tree', {
+            cwd,
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'pipe'],
+            maxBuffer: 1024 * 1024,
+        }).trim().toLowerCase();
+        return output === 'true';
+    }
+    catch {
+        return false;
+    }
+}
 function isSignedAiLogsRequired(orgGovernanceSettings) {
     return (orgGovernanceSettings?.requireSignedAiLogs === true ||
         isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
@@ -1525,6 +1524,40 @@ async function verifyCommand(options) {
             };
             console.log(JSON.stringify(jsonPayload, null, 2));
         };
+        if (!isGitRepository(projectRoot)) {
+            const message = 'Verify requires a git repository. Initialize git (`git init`) or run this command inside an existing git project.';
+            if (options.json) {
+                emitVerifyJson({
+                    grade: 'F',
+                    score: 0,
+                    verdict: 'FAIL',
+                    violations: [
+                        {
+                            file: '.',
+                            rule: 'git_repository_required',
+                            severity: 'block',
+                            message,
+                        },
+                    ],
+                    adherenceScore: 0,
+                    bloatCount: 0,
+                    bloatFiles: [],
+                    plannedFilesModified: 0,
+                    totalPlannedFiles: 0,
+                    message,
+                    scopeGuardPassed: false,
+                    mode: 'git_repository_required',
+                    policyOnly: options.policyOnly === true,
+                });
+            }
+            else {
+                console.log(chalk.red('\n❌ Git Repository Required'));
+                console.log(chalk.red(`   ${message}`));
+                console.log(chalk.dim(`   Current path: ${projectRoot}`));
+                console.log(chalk.dim('   Next step: git init && git add . && git commit -m "chore: baseline"\n'));
+            }
+            process.exit(1);
+        }
         const enforceChangeContract = options.enforceChangeContract === true ||
             isEnabledFlag(process.env.NEURCODE_VERIFY_ENFORCE_CHANGE_CONTRACT);
         const explicitStrictArtifactMode = options.strictArtifacts === true ||
@@ -1972,7 +2005,7 @@ async function verifyCommand(options) {
         // Determine which diff to capture (staged + unstaged for full current work)
         let diffText;
         if (options.staged) {
-            diffText = (0, child_process_1.execSync)('git diff --staged', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
+            diffText = (0, child_process_1.execSync)('git diff --cached', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
         }
         else if (options.base) {
             diffText = (0, git_1.getDiffFromBase)(options.base);
@@ -1983,7 +2016,7 @@ async function verifyCommand(options) {
         else {
             // Default: combine staged + unstaged to capture all current work
             try {
-                const stagedDiff = (0, child_process_1.execSync)('git diff --staged', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
+                const stagedDiff = (0, child_process_1.execSync)('git diff --cached', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
                 const unstagedDiff = (0, child_process_1.execSync)('git diff', { maxBuffer: 1024 * 1024 * 1024, encoding: 'utf-8' });
                 diffText = stagedDiff + (stagedDiff && unstagedDiff ? '\n' : '') + unstagedDiff;
             }
@@ -2276,6 +2309,9 @@ async function verifyCommand(options) {
             console.log(chalk.cyan('\n📊 Analyzing changes against plan...'));
             console.log(chalk.dim(`   Found ${summary.totalFiles} file(s) changed`));
             console.log(chalk.dim(`   ${summary.totalAdded} lines added, ${summary.totalRemoved} lines removed\n`));
+            if (options.demo) {
+                console.log(chalk.dim('   Demo mode enabled: showing extra context while keeping drift output short and grouped.\n'));
+            }
         }
         const runPolicyOnlyModeAndExit = async (source) => {
             const exitCode = await executePolicyOnlyMode(options, diffFiles, shouldIgnore, projectRoot, config, client, source, scopeTelemetry, projectId || undefined, orgGovernanceSettings, aiLogSigningKey, aiLogSigningKeyId, aiLogSigningKeys, aiLogSigner, compiledPolicyMetadata, changeContractSummary);
@@ -2368,10 +2404,104 @@ async function verifyCommand(options) {
                 });
                 process.exit(1);
             }
-            if (!options.json) {
-                console.log(chalk.yellow('⚠️  No Plan ID found. Falling back to General Governance (Policy Only).'));
+            let autoContractPath = null;
+            if (!changeContractRead.contract && !strictArtifactMode) {
+                try {
+                    const fallbackPlanId = `advisory_${Date.now()}`;
+                    const advisoryContract = buildMinimalAdvisoryContractFromDiff(diffFiles, fallbackPlanId);
+                    autoContractPath = (0, change_contract_1.writeChangeContract)(projectRoot, advisoryContract, options.changeContract);
+                    changeContractSummary = {
+                        path: autoContractPath,
+                        exists: true,
+                        enforced: false,
+                        valid: true,
+                        planId: advisoryContract.planId,
+                        contractId: advisoryContract.contractId,
+                        coverage: {
+                            expectedFiles: advisoryContract.expectedFiles.length,
+                            changedFiles: diffFiles.length,
+                            outOfContractFiles: 0,
+                            missingExpectedFiles: 0,
+                            blockedFilesTouched: 0,
+                            actionMismatches: 0,
+                            expectedSymbols: advisoryContract.expectedSymbols?.length || 0,
+                            changedSymbols: 0,
+                            missingExpectedSymbols: 0,
+                            blockedSymbolsTouched: 0,
+                            symbolActionMismatches: 0,
+                            symbolRenameMatches: 0,
+                            toleratedUnexpectedFiles: 0,
+                            toleratedMissingExpectedSymbols: 0,
+                        },
+                        signature: changeContractSummary.signature,
+                        violations: [],
+                    };
+                }
+                catch {
+                    autoContractPath = null;
+                }
+            }
+            const message = 'No plan linked yet. Ran advisory verification for quick first-run experience. ' +
+                'Use `neurcode plan` and `neurcode contract import --auto-detect --write-change-contract` for full enforcement.';
+            const advisorySignals = (0, advisory_signals_1.evaluateAdvisorySignals)({
+                diffFiles,
+                summary,
+            });
+            const advisoryWarnCount = advisorySignals.filter((item) => item.severity === 'warn').length;
+            const advisoryVerdict = advisoryWarnCount > 0 ? 'WARN' : 'PASS';
+            const advisoryGrade = advisoryWarnCount > 0 ? 'C' : 'B';
+            const advisoryScore = advisoryWarnCount > 0 ? 60 : 70;
+            const advisoryViolations = advisorySignals.map((item) => ({
+                file: item.files[0] || '.',
+                rule: `advisory:${item.code.toLowerCase()}`,
+                severity: item.severity === 'warn' ? 'warn' : 'allow',
+                message: `${item.title}: ${item.detail}`,
+            }));
+            recordVerifyEvent(advisoryVerdict, `advisory_missing_plan;signals=${advisorySignals.length};warn=${advisoryWarnCount}`, diffFiles.map((f) => f.path));
+            if (options.json) {
+                emitVerifyJson({
+                    grade: advisoryGrade,
+                    score: advisoryScore,
+                    verdict: advisoryVerdict,
+                    violations: advisoryViolations,
+                    adherenceScore: advisoryScore,
+                    bloatCount: 0,
+                    bloatFiles: [],
+                    plannedFilesModified: 0,
+                    totalPlannedFiles: 0,
+                    message,
+                    scopeGuardPassed: true,
+                    mode: 'advisory_missing_plan',
+                    advisoryMode: true,
+                    advisorySignals,
+                    policyOnly: true,
+                    policyOnlySource: 'fallback_missing_plan',
+                    ...(autoContractPath
+                        ? {
+                            changeContract: {
+                                ...changeContractSummary,
+                                path: autoContractPath,
+                            },
+                        }
+                        : {
+                            changeContract: changeContractSummary,
+                        }),
+                });
             }
-            await runPolicyOnlyModeAndExit('fallback_missing_plan');
+            else {
+                printFirstRunAdvisoryMessage(options.demo === true);
+                printAdvisorySignals(advisorySignals, options.demo === true);
+                if (autoContractPath) {
+                    console.log(chalk.green(`✅ Auto-generated minimal advisory contract: ${autoContractPath}`));
+                }
+                else if (!changeContractRead.contract) {
+                    console.log(chalk.yellow('⚠️  Could not auto-generate advisory contract; continuing without contract.'));
+                }
+                console.log(chalk.dim('Next steps: neurcode plan "<intent>"'));
+                console.log(chalk.dim('            neurcode contract import --auto-detect --write-change-contract'));
+                console.log(chalk.dim(`\nSummary: ${message}\n`));
+            }
+            process.exit(0);
         }
         if (!planId) {
             throw new Error('Plan ID resolution failed unexpectedly');
@@ -2965,6 +3095,7 @@ async function verifyCommand(options) {
                 })),
             })),
         }));
+        const changedSymbols = (0, diff_symbols_1.extractDeclaredSymbolsFromDiff)(diffFiles);
         const compiledIntentProof = (0, governance_runtime_1.compileDeterministicConstraints)({
             intentConstraints: intentConstraintsForVerification,
             policyRules: deterministicPolicyRules,
@@ -3036,6 +3167,16 @@ async function verifyCommand(options) {
             ? (0, change_contract_1.evaluateChangeContract)(changeContractRead.contract, {
                 planId: finalPlanId,
                 changedFiles: changedFiles.map((file) => file.path),
+                changedFileEntries: changedFiles.map((file) => ({
+                    path: file.path,
+                    changeType: file.changeType,
+                })),
+                changedSymbols: changedSymbols.map((symbol) => ({
+                    name: symbol.name,
+                    type: symbol.type,
+                    action: symbol.action,
+                    file: symbol.file,
+                })),
                 policyLockFingerprint: (0, policy_packs_1.readPolicyLockFile)(projectRoot).lock?.effective.fingerprint || null,
                 compiledPolicyFingerprint: effectiveCompiledPolicy?.fingerprint || null,
             })
@@ -3054,6 +3195,8 @@ async function verifyCommand(options) {
                     code: item.code,
                     message: item.message,
                     file: item.file,
+                    symbol: item.symbol,
+                    symbolType: item.symbolType,
                     expected: item.expected,
                     actual: item.actual,
                 })),
@@ -3065,9 +3208,8 @@ async function verifyCommand(options) {
                     severity: 'block',
                     message: item.message,
                 }));
-                const message = `Change contract enforcement failed: ${changeContractEvaluation.violations
-                    .map((item) => item.message)
-                    .join('; ')}`;
+                const message = `Implementation deviates from intended contract (` +
+                    `${changeContractEvaluation.violations.length} violation(s)).`;
                 if (options.json) {
                     emitVerifyJson({
                         grade: 'F',
@@ -3088,11 +3230,7 @@ async function verifyCommand(options) {
                     });
                 }
                 else {
-                    console.log(chalk.red('\n⛔ Change contract enforcement failed'));
-                    changeContractEvaluation.violations.forEach((item) => {
-                        console.log(chalk.red(`   • ${item.message}`));
-                    });
-                    console.log(chalk.dim(`   Contract path: ${changeContractRead.path}`));
+                    displayChangeContractDrift(changeContractSummary, { advisory: false });
                 }
                 await recordVerificationIfRequested(options, config, {
                     grade: 'F',
@@ -3116,13 +3254,7 @@ async function verifyCommand(options) {
                 process.exit(2);
             }
             else if (!changeContractEvaluation.valid && !options.json) {
-                console.log(chalk.yellow('\n⚠️  Change contract drift detected (advisory mode)'));
-                changeContractEvaluation.violations.slice(0, 5).forEach((item) => {
-                    console.log(chalk.yellow(`   • ${item.message}`));
-                });
-                if (changeContractEvaluation.violations.length > 5) {
-                    console.log(chalk.dim(`   ... ${changeContractEvaluation.violations.length - 5} more violation(s)`));
-                }
+                displayChangeContractDrift(changeContractSummary, { advisory: true });
             }
         }
         // Call verify API
@@ -3880,111 +4012,137 @@ function displayGovernanceInsights(governance, options = {}) {
         });
     }
 }
+function displayChangeContractDrift(summary, options = { advisory: false }) {
+    const groups = (0, change_contract_1.groupChangeContractViolations)(summary.violations.map((item) => ({
+        code: item.code,
+        message: item.message,
+        ...(item.file ? { file: item.file } : {}),
+        ...(item.symbol ? { symbol: item.symbol } : {}),
+        ...(item.symbolType ? { symbolType: item.symbolType } : {}),
+        ...(item.expected ? { expected: item.expected } : {}),
+        ...(item.actual ? { actual: item.actual } : {}),
+    })));
+    if (groups.length === 0)
+        return;
+    const maxItemsPerGroup = options.maxItemsPerGroup ?? 12;
+    const header = options.advisory
+        ? chalk.yellow('\nWARN ⚠️  Change contract drift detected')
+        : chalk.red('\nFAIL ❌  Change contract enforcement failed');
+    console.log(header);
+    for (const group of groups) {
+        console.log(chalk.white(`\n${group.title}:`));
+        group.items.slice(0, maxItemsPerGroup).forEach((entry) => {
+            console.log(`  - ${entry}`);
+        });
+        if (group.items.length > maxItemsPerGroup) {
+            console.log(chalk.dim(`  - ... ${group.items.length - maxItemsPerGroup} more`));
+        }
+        console.log(chalk.dim(`  Why it matters: ${group.impact}`));
+    }
+    console.log(chalk.dim('\nSummary:'));
+    console.log(chalk.dim('Implementation deviates from intended contract.'));
+    console.log(chalk.dim(`Contract path: ${summary.path}`));
+}
 /**
  * Display verification results in a formatted report card
  */
 function displayVerifyResults(result, policyViolations) {
-    // Calculate grade/score
-    // CRITICAL: 0/0 planned files = 'F' (Incomplete)
-    // Bloat automatically drops grade by at least one letter
-    let grade;
-    let gradeColor;
-    if (result.totalPlannedFiles === 0 && result.plannedFilesModified === 0) {
-        // Special case: No planned files = Incomplete (F)
-        grade = 'F';
-        gradeColor = chalk.red;
-    }
-    else if (result.verdict === 'PASS') {
-        grade = 'A';
-        gradeColor = chalk.green;
-    }
-    else if (result.verdict === 'WARN') {
-        // Base grade calculation
-        let baseGrade = result.adherenceScore >= 70 ? 'B' : result.adherenceScore >= 50 ? 'C' : 'D';
-        // Bloat drops grade by one letter (B -> C, C -> D, D -> F)
-        if (result.bloatCount > 0) {
-            if (baseGrade === 'B')
-                baseGrade = 'C';
-            else if (baseGrade === 'C')
-                baseGrade = 'D';
-            else if (baseGrade === 'D')
-                baseGrade = 'F';
-        }
-        grade = baseGrade;
-        gradeColor = chalk.yellow;
-    }
-    else {
-        grade = 'F';
-        gradeColor = chalk.red;
-    }
-    // Calculate estimated time saved (5 minutes per VERIFY_PASS)
-    const estimatedMinutesSaved = result.verdict === 'PASS' ? 5 : 0;
-    // Calculate policy compliance percentage
-    const policyCompliance = result.bloatCount === 0 ? 100 : Math.max(0, 100 - (result.bloatCount * 10));
-    // Display Governance Badge for PASS and FAIL verdicts (high visibility)
-    if (result.verdict === 'PASS' || result.verdict === 'FAIL') {
-        console.log('\n');
-        const borderColor = result.verdict === 'PASS' ? 'green' : 'red';
-        const gradeColorFunc = result.verdict === 'PASS' ? chalk.green.bold : chalk.red.bold;
-        const badgeContent = [
-            `${chalk.bold.white('Governance Badge')}`,
-            '',
-            `${chalk.cyan('Grade:')} ${gradeColorFunc(grade)} ${chalk.dim(`(${result.adherenceScore}%)`)}`,
-            result.verdict === 'PASS' ? `${chalk.cyan('Estimated Time Saved:')} ${chalk.green.bold(`${estimatedMinutesSaved}m`)}` : '',
-            `${chalk.cyan('Policy Compliance:')} ${result.verdict === 'PASS' ? chalk.green.bold(`${policyCompliance}%`) : chalk.red.bold(`${policyCompliance}%`)}`,
-        ].filter(line => line !== '').join('\n');
-        console.log((0, box_1.createBox)(badgeContent, {
-            borderColor,
-            titleColor: 'white',
-            padding: 2,
-        }));
-        console.log('');
-    }
-    console.log(chalk.bold.cyan('📋 Plan Adherence Report\n'));
-    console.log('━'.repeat(50));
-    const scoreDisplay = gradeColor(`Grade: ${grade} (${result.adherenceScore}%)`);
-    if (result.verdict === 'PASS') {
-        console.log(chalk.green('✅'), scoreDisplay);
+    const verdictLabel = result.verdict === 'PASS'
+        ? chalk.green('PASS ✅')
+        : result.verdict === 'WARN'
+            ? chalk.yellow('WARN ⚠️')
+            : chalk.red('FAIL ❌');
+    const plannedText = `${result.plannedFilesModified}/${result.totalPlannedFiles}`;
+    console.log(`\n${verdictLabel}`);
+    console.log(chalk.dim(`Plan adherence: ${plannedText} files (${result.adherenceScore}%)`));
+    const maxItems = 20;
+    if (result.bloatCount > 0) {
+        console.log(chalk.red('\nOut-of-scope changes:'));
+        result.bloatFiles.slice(0, maxItems).forEach((file) => {
+            console.log(`  - ${file}`);
+        });
+        if (result.bloatFiles.length > maxItems) {
+            console.log(chalk.dim(`  - ... ${result.bloatFiles.length - maxItems} more`));
+        }
     }
-    else if (result.verdict === 'WARN') {
-        console.log(chalk.yellow('⚠️ '), scoreDisplay);
+    if (policyViolations && policyViolations.length > 0) {
+        const blocking = policyViolations.filter((item) => item.severity === 'block');
+        const warnings = policyViolations.filter((item) => item.severity !== 'block');
+        if (blocking.length > 0) {
+            console.log(chalk.red('\nBlocking policy violations:'));
+            blocking.slice(0, maxItems).forEach((item) => {
+                console.log(`  - ${item.file}: ${item.message || item.rule}`);
+            });
+            if (blocking.length > maxItems) {
+                console.log(chalk.dim(`  - ... ${blocking.length - maxItems} more`));
+            }
+        }
+        if (warnings.length > 0) {
+            console.log(chalk.yellow('\nPolicy warnings:'));
+            warnings.slice(0, maxItems).forEach((item) => {
+                console.log(`  - ${item.file}: ${item.message || item.rule}`);
+            });
+            if (warnings.length > maxItems) {
+                console.log(chalk.dim(`  - ... ${warnings.length - maxItems} more`));
+            }
+        }
     }
-    else {
-        console.log(chalk.red('❌'), scoreDisplay);
+    if (result.bloatCount === 0 && (!policyViolations || policyViolations.length === 0)) {
+        console.log(chalk.green('\nNo drift detected.'));
     }
-    console.log('');
-    console.log(chalk.bold.white('Adherence:'));
-    console.log(`   ${result.plannedFilesModified}/${result.totalPlannedFiles} planned files modified`);
-    console.log(`   ${result.adherenceScore}% adherence to plan`);
-    // Display bloat
-    if (result.bloatCount > 0) {
-        console.log('');
-        console.log(chalk.bold.red(`🚫 Bloat Detected: ${result.bloatCount} unexpected file(s)`));
-        console.log(chalk.red('   Blocked Bloat:'));
-        result.bloatFiles.forEach(file => {
-            console.log(chalk.red(`     • ${file}`));
-        });
+    console.log(chalk.dim(`\nSummary: ${result.message}\n`));
+}
+function printFirstRunAdvisoryMessage(demoMode) {
+    console.log(chalk.cyan('\nNeurcode first-run advisory mode'));
+    console.log(chalk.dim('Neurcode checks if your AI-generated code matches your intended plan.'));
+    console.log(chalk.dim('To get full enforcement:'));
+    console.log(chalk.dim('1. Define a plan'));
+    console.log(chalk.dim('2. Generate a contract'));
+    console.log(chalk.dim('Running in advisory mode for now.\n'));
+    if (demoMode) {
+        console.log(chalk.dim('Demo mode: this run is intentionally non-blocking to make evaluation easy.'));
     }
-    else {
-        console.log('');
-        console.log(chalk.green('✅ No bloat detected - all changes match the plan'));
+}
+function printAdvisorySignals(signals, demoMode) {
+    if (signals.length === 0) {
+        if (demoMode) {
+            console.log(chalk.dim('No high-signal advisory findings detected for this diff.'));
+        }
+        return;
     }
-    // Display custom policy violations from dashboard
-    if (policyViolations && policyViolations.length > 0) {
-        console.log('');
-        const blockCount = policyViolations.filter(v => v.severity === 'block').length;
-        const label = blockCount > 0
-            ? chalk.bold.red(`🚫 Custom Policy Violations: ${policyViolations.length} (${blockCount} blocking)`)
-            : chalk.bold.yellow(`⚠️  Custom Policy Warnings: ${policyViolations.length}`);
-        console.log(label);
-        policyViolations.forEach(v => {
-            const lineColor = v.severity === 'block' ? chalk.red : chalk.yellow;
-            console.log(lineColor(`     • ${v.file}: ${v.message || v.rule}`));
+    console.log(chalk.yellow('\nAdvisory findings (non-blocking):'));
+    for (const signal of signals) {
+        const severityLabel = signal.severity === 'warn' ? chalk.yellow('[warn]') : chalk.dim('[info]');
+        console.log(`${severityLabel} ${signal.title}`);
+        console.log(chalk.dim(`  ${signal.detail}`));
+        signal.files.forEach((file) => {
+            console.log(chalk.dim(`  - ${file}`));
         });
     }
-    console.log('');
-    console.log('━'.repeat(50));
-    console.log(chalk.dim(result.message));
-    console.log('');
+}
+function buildMinimalAdvisoryContractFromDiff(diffFiles, fallbackPlanId) {
+    const expectedFiles = [...new Set(diffFiles.map((file) => toUnixPath(file.path)).filter(Boolean))];
+    const planFiles = expectedFiles.map((path) => {
+        const entry = diffFiles.find((file) => toUnixPath(file.path) === path);
+        const changeType = entry?.changeType;
+        const action = changeType === 'add' ? 'CREATE' : 'MODIFY';
+        return {
+            path,
+            action: action,
+            reason: 'Auto-generated advisory baseline from current diff',
+        };
+    });
+    return (0, change_contract_1.createChangeContract)({
+        planId: fallbackPlanId,
+        intent: 'Advisory baseline generated from current repository diff',
+        expectedFiles,
+        planFiles,
+        options: {
+            enforceExpectedFiles: false,
+            enforceActionMatching: false,
+            enforceExpectedSymbols: false,
+            enforceSymbolActionMatching: false,
+        },
+    });
 }
 //# sourceMappingURL=verify.js.map

package/dist/config.d.ts

@@ -10,6 +10,19 @@ export interface NeurcodeConfig {
     projectId?: string;
     orgId?: string;
 }
+export interface LocalGovernanceSigningMaterial {
+    signingKey: string;
+    signingKeyId: string;
+    source: 'persisted' | 'generated';
+}
+/**
+ * Resolve a local governance signing key from ~/.neurcoderc.
+ * If authenticated and no key exists, auto-provision one for smoother
+ * login-first onboarding in orgs that require signed AI logs.
+ */
+export declare function getOrCreateLocalGovernanceSigningMaterial(options?: {
+    autoProvision?: boolean;
+}): LocalGovernanceSigningMaterial | null;
 export declare function loadConfig(): NeurcodeConfig;
 /**
  * Get API key with helpful error message if not found

package/dist/config.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DEFAULT_API_URL = void 0;
+exports.getOrCreateLocalGovernanceSigningMaterial = getOrCreateLocalGovernanceSigningMaterial;
 exports.loadConfig = loadConfig;
 exports.getApiKey = getApiKey;
 exports.requireApiKey = requireApiKey;
@@ -10,6 +11,7 @@ exports.deleteGlobalAuth = deleteGlobalAuth;
 exports.deleteApiKeyFromAllSources = deleteApiKeyFromAllSources;
 const fs_1 = require("fs");
 const path_1 = require("path");
+const crypto_1 = require("crypto");
 const state_1 = require("./utils/state");
 const project_root_1 = require("./utils/project-root");
 /**
@@ -93,6 +95,52 @@ function writeGlobalAuthFile(data) {
         // Ignore
     }
 }
+/**
+ * Resolve a local governance signing key from ~/.neurcoderc.
+ * If authenticated and no key exists, auto-provision one for smoother
+ * login-first onboarding in orgs that require signed AI logs.
+ */
+function getOrCreateLocalGovernanceSigningMaterial(options) {
+    const autoProvision = options?.autoProvision !== false;
+    const global = readGlobalAuthFile();
+    if (!global)
+        return null;
+    const cfg = global.data || {};
+    const persistedKey = typeof cfg.governanceSigningKey === 'string'
+        ? cfg.governanceSigningKey.trim()
+        : '';
+    let persistedKeyId = typeof cfg.governanceSigningKeyId === 'string'
+        ? cfg.governanceSigningKeyId.trim()
+        : '';
+    if (persistedKey) {
+        if (!persistedKeyId) {
+            persistedKeyId = `local-${Date.now().toString(36)}`;
+            cfg.governanceSigningKeyId = persistedKeyId;
+            writeGlobalAuthFile(cfg);
+        }
+        return {
+            signingKey: persistedKey,
+            signingKeyId: persistedKeyId,
+            source: 'persisted',
+        };
+    }
+    if (!autoProvision)
+        return null;
+    const hasApiAuthMaterial = Boolean((cfg.apiKey || '').trim())
+        || Object.keys(cfg.apiKeysByOrg || {}).length > 0;
+    if (!hasApiAuthMaterial)
+        return null;
+    const signingKey = (0, crypto_1.randomBytes)(32).toString('hex');
+    const signingKeyId = `local-${Date.now().toString(36)}`;
+    cfg.governanceSigningKey = signingKey;
+    cfg.governanceSigningKeyId = signingKeyId;
+    writeGlobalAuthFile(cfg);
+    return {
+        signingKey,
+        signingKeyId,
+        source: 'generated',
+    };
+}
 function pickApiKeyFromKeyring(globalCfg, desiredOrgId) {
     const keyring = globalCfg.apiKeysByOrg || {};
     if (desiredOrgId) {