@neurcode-ai/cli 0.9.44 → 0.9.45

package/dist/index.js

@@ -62,12 +62,15 @@ catch (error) {
 const program = new commander_1.Command();
 const CORE_WORKFLOW_STEPS = [
     '1) neurcode init',
-    '2) neurcode plan "Describe the change"',
-    '3) neurcode prompt',
-    '4) neurcode verify --record',
-    '5) neurcode ship "Goal" --max-fix-attempts 2',
+    '2) neurcode login',
+    '3) neurcode verify --plan-id <id> --enforce-change-contract',
+    '4) neurcode fix --plan-id <id> (optional)',
 ];
 const ADVANCED_WORKFLOW_HINTS = [
+    'neurcode plan "Describe the change"',
+    'neurcode contract import --auto-detect --write-change-contract',
+    'neurcode prompt',
+    'neurcode ship "Goal" --max-fix-attempts 2',
     'neurcode ask "<question>"',
     'neurcode simulate --base origin/main',
     'neurcode guard start && neurcode guard check --staged',
@@ -121,7 +124,7 @@ showWelcomeIfNeeded().catch(() => {
 });
 program
     .command('start')
-    .description('Show guided Neurcode flow (init -> plan -> prompt -> verify -> ship)')
+    .description('Show guided Neurcode flow (init -> login -> verify -> fix)')
     .option('--run-init', 'Run `neurcode init` immediately after showing the guide')
     .option('--json', 'Output machine-readable onboarding metadata')
     .action(async (options) => {
@@ -643,6 +646,37 @@ program
         json: options.json === true,
     });
 });
+program
+    .command('fix')
+    .description('Primary alias for remediation loop (verify -> fix -> verify)')
+    .option('--goal <text>', 'Goal text for remediation loop')
+    .option('--plan-id <id>', 'Plan ID for verify scope checks')
+    .option('--project-id <id>', 'Project ID override')
+    .option('--max-fix-attempts <n>', 'Maximum remediation attempts (default: 2)', (val) => parseInt(val, 10))
+    .option('--policy-only', 'Run in policy-only verification mode')
+    .option('--require-plan', 'Fail verify if plan context is missing')
+    .option('--strict-artifacts', 'Require deterministic compiled-policy/change-contract artifacts')
+    .option('--no-strict-artifacts', 'Disable strict deterministic artifact enforcement')
+    .option('--enforce-change-contract', 'Require change contract enforcement')
+    .option('--no-enforce-change-contract', 'Disable change contract enforcement')
+    .option('--require-runtime-guard', 'Require runtime guard checks before each remediation attempt')
+    .option('--no-record', 'Disable cloud recording during verify/ship runs')
+    .option('--json', 'Output machine-readable JSON')
+    .action((options) => {
+    (0, remediate_1.remediateCommand)({
+        goal: options.goal,
+        planId: options.planId,
+        projectId: options.projectId,
+        maxFixAttempts: Number.isFinite(options.maxFixAttempts) ? options.maxFixAttempts : undefined,
+        policyOnly: options.policyOnly === true,
+        requirePlan: options.requirePlan === true,
+        strictArtifacts: options.strictArtifacts !== false,
+        enforceChangeContract: options.enforceChangeContract !== false,
+        requireRuntimeGuard: options.requireRuntimeGuard === true,
+        noRecord: options.record === false,
+        json: options.json === true,
+    });
+});
 program
     .command('verify')
     .description('Verify plan adherence - Compare current changes against an Architect Plan')
@@ -668,6 +702,7 @@ program
     .option('--head', 'Verify changes against HEAD')
     .option('--base <ref>', 'Verify changes against a specific base ref')
     .option('--explain', 'Include AI change justification details in human-readable output')
+    .option('--demo', 'Demo mode: print extra explanatory output')
     .option('--json', 'Output results as JSON')
     .option('--record', 'Report verification results to Neurcode Cloud')
     .option('--api-key <key>', 'Neurcode API Key (overrides config and env var)')
@@ -679,6 +714,7 @@ program
         staged: options.staged,
         head: options.head,
         base: options.base,
+        demo: options.demo === true,
         explain: options.explain === true,
         json: options.json,
         record: options.record,

package/dist/utils/advisory-signals.d.ts

@@ -0,0 +1,20 @@
+import type { DiffFile } from '@neurcode-ai/diff-parser';
+export type AdvisorySignalSeverity = 'info' | 'warn';
+export interface AdvisorySignal {
+    code: 'SENSITIVE_DOMAIN_SPAN' | 'DIRECT_DB_IN_REQUEST_LAYER' | 'LARGE_CHANGE_SURFACE' | 'CODE_WITHOUT_TEST_UPDATES' | 'INFRA_AND_APP_MIXED' | 'POSSIBLE_SECRET_ADDITION';
+    severity: AdvisorySignalSeverity;
+    title: string;
+    detail: string;
+    files: string[];
+}
+interface AdvisoryInput {
+    diffFiles: DiffFile[];
+    summary?: {
+        totalFiles: number;
+        totalAdded: number;
+        totalRemoved: number;
+    };
+}
+export declare function evaluateAdvisorySignals(input: AdvisoryInput): AdvisorySignal[];
+export {};
+//# sourceMappingURL=advisory-signals.d.ts.map

package/dist/utils/advisory-signals.js

@@ -0,0 +1,177 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateAdvisorySignals = evaluateAdvisorySignals;
+function toUnixPath(filePath) {
+    return String(filePath || '').replace(/\\/g, '/');
+}
+function unique(items) {
+    return [...new Set(items)];
+}
+function isRequestLayerPath(path) {
+    return /(\/|^)(route|routes|controller|controllers|handler|handlers|api)(\/|$)/i.test(path);
+}
+function isTestPath(path) {
+    return /(^|\/)(__tests__|tests?|test)(\/|$)|\.(test|spec)\.[A-Za-z0-9]+$/i.test(path);
+}
+function isCodePath(path) {
+    return /\.(ts|tsx|js|jsx|mjs|cjs|py|go|java|rb|cs|php|rs|kt|swift)$/i.test(path);
+}
+function isInfraPath(path) {
+    return /(\/|^)(infra|terraform|k8s|kubernetes|helm|ansible|iac|cloudformation|pulumi|\.github\/workflows)(\/|$)/i.test(path);
+}
+function isAppPath(path) {
+    return /(\/|^)(src|app|services|packages|web)(\/|$)/i.test(path);
+}
+function isGeneratedArtifactPath(path) {
+    const normalized = path.toLowerCase();
+    return (normalized.endsWith('.map')
+        || normalized.includes('/dist/')
+        || normalized.includes('/build/')
+        || normalized.includes('/coverage/')
+        || normalized.includes('/.next/')
+        || normalized.includes('/out/')
+        || /\.min\.(js|css)$/.test(normalized));
+}
+function classifySensitiveDomains(path) {
+    const normalized = path.toLowerCase();
+    const domains = [];
+    if (/\b(auth|rbac|permission|acl|identity|oauth|session|jwt)\b/.test(normalized)) {
+        domains.push('auth');
+    }
+    if (/\b(payment|billing|invoice|refund|wallet|checkout)\b/.test(normalized)) {
+        domains.push('payment');
+    }
+    if (/\b(db|database|prisma|migration|sql|repository|repositories)\b/.test(normalized)) {
+        domains.push('data');
+    }
+    if (isInfraPath(normalized)) {
+        domains.push('infra');
+    }
+    return domains;
+}
+function findAddedLines(diffFiles) {
+    const lines = [];
+    for (const file of diffFiles) {
+        const filePath = toUnixPath(file.path);
+        for (const hunk of file.hunks || []) {
+            for (const line of hunk.lines || []) {
+                if (line.type === 'added') {
+                    lines.push({ file: filePath, content: line.content });
+                }
+            }
+        }
+    }
+    return lines;
+}
+function limitFiles(files, max = 6) {
+    const deduped = unique(files);
+    if (deduped.length <= max)
+        return deduped;
+    return deduped.slice(0, max);
+}
+function evaluateAdvisorySignals(input) {
+    const diffFiles = input.diffFiles || [];
+    const changedPaths = unique(diffFiles.map((file) => toUnixPath(file.path)).filter(Boolean));
+    const totalFiles = input.summary?.totalFiles ?? changedPaths.length;
+    const totalAdded = input.summary?.totalAdded ?? 0;
+    const totalRemoved = input.summary?.totalRemoved ?? 0;
+    const signals = [];
+    const sensitiveDomains = new Set();
+    const filesBySensitiveDomain = {};
+    for (const path of changedPaths) {
+        const domains = classifySensitiveDomains(path);
+        for (const domain of domains) {
+            sensitiveDomains.add(domain);
+            if (!filesBySensitiveDomain[domain]) {
+                filesBySensitiveDomain[domain] = [];
+            }
+            filesBySensitiveDomain[domain].push(path);
+        }
+    }
+    if (sensitiveDomains.size >= 2) {
+        const domains = [...sensitiveDomains].sort((a, b) => a.localeCompare(b));
+        const files = limitFiles(domains.flatMap((domain) => filesBySensitiveDomain[domain] || []));
+        signals.push({
+            code: 'SENSITIVE_DOMAIN_SPAN',
+            severity: 'warn',
+            title: 'Changes span multiple sensitive domains',
+            detail: `Changes touch ${domains.join(' + ')} modules in one diff. ` +
+                'This pattern often indicates unintended side effects or architectural drift.',
+            files,
+        });
+    }
+    const dbCallPattern = /\b(prisma|db|sequelize)\.[A-Za-z_$][A-Za-z0-9_$]*\.[A-Za-z_$][A-Za-z0-9_$]*\s*\(|\bknex\s*\(/;
+    const directDbRequestLayerFiles = findAddedLines(diffFiles)
+        .filter((line) => isRequestLayerPath(line.file) && dbCallPattern.test(line.content))
+        .map((line) => line.file);
+    if (directDbRequestLayerFiles.length > 0) {
+        signals.push({
+            code: 'DIRECT_DB_IN_REQUEST_LAYER',
+            severity: 'warn',
+            title: 'Direct DB access detected in request layer',
+            detail: 'Route/controller code now calls the DB directly. This can bypass service-layer controls and increase drift risk.',
+            files: limitFiles(directDbRequestLayerFiles),
+        });
+    }
+    const totalDelta = totalAdded + totalRemoved;
+    if (totalFiles >= 15 || totalDelta >= 600) {
+        signals.push({
+            code: 'LARGE_CHANGE_SURFACE',
+            severity: 'warn',
+            title: 'Large change surface',
+            detail: `This diff touches ${totalFiles} file(s) and ${totalDelta} changed line(s). ` +
+                'Large surfaces reduce review certainty and raise drift probability.',
+            files: limitFiles(changedPaths),
+        });
+    }
+    const codeFilesTouched = changedPaths.filter((path) => isCodePath(path) && !isTestPath(path) && !path.startsWith('docs/'));
+    const nonGeneratedCodeFilesTouched = codeFilesTouched.filter((path) => !isGeneratedArtifactPath(path));
+    const testFilesTouched = changedPaths.filter((path) => isTestPath(path));
+    if (nonGeneratedCodeFilesTouched.length >= 3 && testFilesTouched.length === 0) {
+        signals.push({
+            code: 'CODE_WITHOUT_TEST_UPDATES',
+            severity: nonGeneratedCodeFilesTouched.length >= 8 ? 'warn' : 'info',
+            title: 'Code changed without test updates',
+            detail: `Detected ${nonGeneratedCodeFilesTouched.length} code file change(s) with no test file updates. ` +
+                'Behavior drift may go unnoticed without verification tests.',
+            files: limitFiles(nonGeneratedCodeFilesTouched),
+        });
+    }
+    const infraFiles = changedPaths.filter((path) => isInfraPath(path));
+    const appFiles = changedPaths.filter((path) => isAppPath(path) && !isInfraPath(path));
+    if (infraFiles.length > 0 && appFiles.length > 0) {
+        signals.push({
+            code: 'INFRA_AND_APP_MIXED',
+            severity: 'warn',
+            title: 'Infra and app code changed together',
+            detail: 'This diff mixes infrastructure and application edits. Consider splitting for clearer intent and rollback safety.',
+            files: limitFiles([...infraFiles, ...appFiles]),
+        });
+    }
+    const secretPattern = /(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(?:api[_-]?key|secret|password)\s*[:=]\s*(?:"[^"]{8,}"|'[^']{8,}'|`[^`]{8,}`))/i;
+    const possibleSecretFiles = findAddedLines(diffFiles)
+        .filter((line) => !isGeneratedArtifactPath(line.file))
+        .filter((line) => line.content.trim().length <= 240)
+        .filter((line) => !/\[REDACTED\]|process\.env\./i.test(line.content))
+        .filter((line) => secretPattern.test(line.content))
+        .map((line) => line.file);
+    if (possibleSecretFiles.length > 0) {
+        signals.push({
+            code: 'POSSIBLE_SECRET_ADDITION',
+            severity: 'warn',
+            title: 'Possible secret-like value added',
+            detail: 'Detected new lines resembling secrets or credentials. Validate redaction and secret management before merge.',
+            files: limitFiles(possibleSecretFiles),
+        });
+    }
+    const precedence = { warn: 0, info: 1 };
+    return signals
+        .sort((left, right) => {
+        const severityDelta = precedence[left.severity] - precedence[right.severity];
+        if (severityDelta !== 0)
+            return severityDelta;
+        return left.title.localeCompare(right.title);
+    })
+        .slice(0, 4);
+}
+//# sourceMappingURL=advisory-signals.js.map

package/dist/utils/change-contract.d.ts

@@ -10,9 +10,69 @@ export interface ChangeContract {
     intentHash: string;
     expectedFiles: string[];
     expectedFilesFingerprint: string;
+    planFiles?: ChangeContractPlanFile[];
+    expectedSymbols?: ChangeContractExpectedSymbol[];
+    options?: ChangeContractOptions;
     policyLockFingerprint: string | null;
     compiledPolicyFingerprint: string | null;
 }
+export type ChangeContractPlanAction = 'CREATE' | 'MODIFY' | 'BLOCK';
+export type ChangeContractDiffAction = 'add' | 'delete' | 'modify' | 'rename';
+export type ChangeContractSymbolAction = 'CREATE' | 'MODIFY' | 'BLOCK';
+export type ChangeContractSymbolType = 'function' | 'class' | 'interface' | 'type' | 'method' | 'const' | 'unknown';
+export type ChangeContractDiffSymbolAction = 'add' | 'delete' | 'modify';
+export interface ChangeContractPlanFile {
+    path: string;
+    action: ChangeContractPlanAction;
+    reason?: string;
+}
+export interface ChangeContractExpectedSymbol {
+    name: string;
+    action: ChangeContractSymbolAction;
+    type?: ChangeContractSymbolType;
+    file?: string;
+    reason?: string;
+}
+export interface ChangeContractOptions {
+    /**
+     * When enabled, files expected by the contract must be changed in the current diff.
+     * This is opt-in to avoid breaking partial/iterative delivery workflows.
+     */
+    enforceExpectedFiles?: boolean;
+    /**
+     * When enabled, diff operations are validated against planned file actions.
+     */
+    enforceActionMatching?: boolean;
+    /**
+     * Allows rename operations to satisfy MODIFY expectations.
+     * Defaults to true when action matching is enabled.
+     */
+    allowRenameForModify?: boolean;
+    /**
+     * When enabled, symbols expected by the contract must be present in changed symbol declarations.
+     */
+    enforceExpectedSymbols?: boolean;
+    /**
+     * When enabled, symbol-level operation matching is validated against expected symbol actions.
+     */
+    enforceSymbolActionMatching?: boolean;
+    /**
+     * When enabled (default), function/method/const symbol kinds can match compatible declarations.
+     */
+    symbolTypeRelaxedMatching?: boolean;
+    /**
+     * Allows expected symbol file constraints to fallback to basename matching.
+     */
+    symbolFileBasenameFallback?: boolean;
+    /**
+     * Tolerate this many out-of-contract file touches before failing.
+     */
+    maxUnexpectedFiles?: number;
+    /**
+     * Tolerate this many missing expected symbols before failing.
+     */
+    maxMissingExpectedSymbols?: number;
+}
 export interface ReadChangeContractResult {
     path: string;
     exists: boolean;
@@ -20,9 +80,11 @@ export interface ReadChangeContractResult {
     error?: string;
 }
 export interface ChangeContractViolation {
-    code: 'CHANGE_CONTRACT_PLAN_MISMATCH' | 'CHANGE_CONTRACT_UNEXPECTED_FILE' | 'CHANGE_CONTRACT_POLICY_LOCK_MISMATCH' | 'CHANGE_CONTRACT_COMPILED_POLICY_MISMATCH';
+    code: 'CHANGE_CONTRACT_PLAN_MISMATCH' | 'CHANGE_CONTRACT_UNEXPECTED_FILE' | 'CHANGE_CONTRACT_MISSING_EXPECTED_FILE' | 'CHANGE_CONTRACT_BLOCKED_FILE_TOUCHED' | 'CHANGE_CONTRACT_ACTION_MISMATCH' | 'CHANGE_CONTRACT_MISSING_EXPECTED_SYMBOL' | 'CHANGE_CONTRACT_BLOCKED_SYMBOL_TOUCHED' | 'CHANGE_CONTRACT_SYMBOL_ACTION_MISMATCH' | 'CHANGE_CONTRACT_POLICY_LOCK_MISMATCH' | 'CHANGE_CONTRACT_COMPILED_POLICY_MISMATCH';
     message: string;
     file?: string;
+    symbol?: string;
+    symbolType?: string;
     expected?: string;
     actual?: string;
 }
@@ -33,6 +95,17 @@ export interface ChangeContractEvaluation {
         expectedFiles: number;
         changedFiles: number;
         outOfContractFiles: number;
+        missingExpectedFiles: number;
+        blockedFilesTouched: number;
+        actionMismatches: number;
+        expectedSymbols: number;
+        changedSymbols: number;
+        missingExpectedSymbols: number;
+        blockedSymbolsTouched: number;
+        symbolActionMismatches: number;
+        symbolRenameMatches: number;
+        toleratedUnexpectedFiles: number;
+        toleratedMissingExpectedSymbols: number;
     };
 }
 export declare function createChangeContract(input: {
@@ -42,6 +115,19 @@ export declare function createChangeContract(input: {
     projectId?: string | null;
     intent: string;
     expectedFiles: string[];
+    planFiles?: Array<{
+        path: string;
+        action: ChangeContractPlanAction;
+        reason?: string;
+    }>;
+    expectedSymbols?: Array<{
+        name: string;
+        action: ChangeContractSymbolAction;
+        type?: ChangeContractSymbolType;
+        file?: string;
+        reason?: string;
+    }>;
+    options?: ChangeContractOptions;
     policyLockFingerprint?: string | null;
     compiledPolicyFingerprint?: string | null;
 }): ChangeContract;
@@ -51,7 +137,25 @@ export declare function readChangeContract(projectRoot: string, inputPath?: stri
 export declare function evaluateChangeContract(contract: ChangeContract, input: {
     planId: string;
     changedFiles: string[];
+    changedFileEntries?: Array<{
+        path: string;
+        changeType: ChangeContractDiffAction;
+    }>;
+    changedSymbols?: Array<{
+        name: string;
+        action: ChangeContractDiffSymbolAction;
+        type?: ChangeContractSymbolType;
+        file?: string;
+    }>;
     policyLockFingerprint?: string | null;
     compiledPolicyFingerprint?: string | null;
 }): ChangeContractEvaluation;
+export interface ChangeContractViolationGroup {
+    key: 'out_of_scope_changes' | 'missing_expected_files' | 'blocked_files_touched' | 'file_action_mismatches' | 'missing_expected_symbols' | 'blocked_symbols_touched' | 'symbol_action_mismatches' | 'contract_metadata_mismatches' | 'other';
+    title: string;
+    impact: string;
+    items: string[];
+    count: number;
+}
+export declare function groupChangeContractViolations(violations: ChangeContractViolation[]): ChangeContractViolationGroup[];
 //# sourceMappingURL=change-contract.d.ts.map