npm - @neurcode-ai/cli - Versions diffs - 0.9.44 → 0.9.46 - Mend

@neurcode-ai/cli 0.9.44 → 0.9.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/README.md +7 -3
package/dist/commands/contract.js +47 -0
package/dist/commands/plan.js +40 -0
package/dist/commands/ship.js +10 -3
package/dist/commands/verify.d.ts +2 -0
package/dist/commands/verify.js +251 -118
package/dist/index.js +41 -5
package/dist/utils/advisory-signals.d.ts +20 -0
package/dist/utils/advisory-signals.js +177 -0
package/dist/utils/change-contract.d.ts +105 -1
package/dist/utils/change-contract.js +685 -12
package/dist/utils/diff-symbols.d.ts +10 -0
package/dist/utils/diff-symbols.js +218 -0
package/dist/utils/governance.d.ts +1 -0
package/dist/utils/governance.js +1 -1
package/dist/utils/plan-symbols.d.ts +17 -0
package/dist/utils/plan-symbols.js +209 -0
package/package.json +6 -14
package/LICENSE +0 -201
package/dist/api-client.d.ts.map +0 -1
package/dist/api-client.js.map +0 -1
package/dist/commands/allow.d.ts.map +0 -1
package/dist/commands/allow.js.map +0 -1
package/dist/commands/apply.d.ts.map +0 -1
package/dist/commands/apply.js.map +0 -1
package/dist/commands/approve.d.ts.map +0 -1
package/dist/commands/approve.js.map +0 -1
package/dist/commands/ask.d.ts.map +0 -1
package/dist/commands/ask.js.map +0 -1
package/dist/commands/audit.d.ts.map +0 -1
package/dist/commands/audit.js.map +0 -1
package/dist/commands/bootstrap.d.ts.map +0 -1
package/dist/commands/bootstrap.js.map +0 -1
package/dist/commands/brain.d.ts.map +0 -1
package/dist/commands/brain.js.map +0 -1
package/dist/commands/check.d.ts.map +0 -1
package/dist/commands/check.js.map +0 -1
package/dist/commands/config.d.ts.map +0 -1
package/dist/commands/config.js.map +0 -1
package/dist/commands/contract.d.ts.map +0 -1
package/dist/commands/contract.js.map +0 -1
package/dist/commands/doctor.d.ts.map +0 -1
package/dist/commands/doctor.js.map +0 -1
package/dist/commands/feedback.d.ts.map +0 -1
package/dist/commands/feedback.js.map +0 -1
package/dist/commands/guard.d.ts.map +0 -1
package/dist/commands/guard.js.map +0 -1
package/dist/commands/init.d.ts.map +0 -1
package/dist/commands/init.js.map +0 -1
package/dist/commands/login.d.ts.map +0 -1
package/dist/commands/login.js.map +0 -1
package/dist/commands/logout.d.ts.map +0 -1
package/dist/commands/logout.js.map +0 -1
package/dist/commands/map.d.ts.map +0 -1
package/dist/commands/map.js.map +0 -1
package/dist/commands/plan-slo.d.ts.map +0 -1
package/dist/commands/plan-slo.js.map +0 -1
package/dist/commands/plan.d.ts.map +0 -1
package/dist/commands/plan.js.map +0 -1
package/dist/commands/policy.d.ts.map +0 -1
package/dist/commands/policy.js.map +0 -1
package/dist/commands/prompt.d.ts.map +0 -1
package/dist/commands/prompt.js.map +0 -1
package/dist/commands/refactor.d.ts.map +0 -1
package/dist/commands/refactor.js.map +0 -1
package/dist/commands/remediate.d.ts.map +0 -1
package/dist/commands/remediate.js.map +0 -1
package/dist/commands/repo.d.ts.map +0 -1
package/dist/commands/repo.js.map +0 -1
package/dist/commands/revert.d.ts.map +0 -1
package/dist/commands/revert.js.map +0 -1
package/dist/commands/security.d.ts.map +0 -1
package/dist/commands/security.js.map +0 -1
package/dist/commands/session.d.ts.map +0 -1
package/dist/commands/session.js.map +0 -1
package/dist/commands/ship.d.ts.map +0 -1
package/dist/commands/ship.js.map +0 -1
package/dist/commands/simulate.d.ts.map +0 -1
package/dist/commands/simulate.js.map +0 -1
package/dist/commands/verify.d.ts.map +0 -1
package/dist/commands/verify.js.map +0 -1
package/dist/commands/watch.d.ts.map +0 -1
package/dist/commands/watch.js.map +0 -1
package/dist/commands/whoami.d.ts.map +0 -1
package/dist/commands/whoami.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/rules.d.ts.map +0 -1
package/dist/rules.js.map +0 -1
package/dist/services/integrations/TicketService.d.ts.map +0 -1
package/dist/services/integrations/TicketService.js.map +0 -1
package/dist/services/mapper/ProjectScanner.d.ts.map +0 -1
package/dist/services/mapper/ProjectScanner.js.map +0 -1
package/dist/services/project-knowledge-service.d.ts.map +0 -1
package/dist/services/project-knowledge-service.js.map +0 -1
package/dist/services/security/SecurityGuard.d.ts.map +0 -1
package/dist/services/security/SecurityGuard.js.map +0 -1
package/dist/services/toolbox-service.d.ts.map +0 -1
package/dist/services/toolbox-service.js.map +0 -1
package/dist/services/watch/BlobStore.d.ts.map +0 -1
package/dist/services/watch/BlobStore.js.map +0 -1
package/dist/services/watch/CommandPoller.d.ts.map +0 -1
package/dist/services/watch/CommandPoller.js.map +0 -1
package/dist/services/watch/Journal.d.ts.map +0 -1
package/dist/services/watch/Journal.js.map +0 -1
package/dist/services/watch/Sentinel.d.ts.map +0 -1
package/dist/services/watch/Sentinel.js.map +0 -1
package/dist/services/watch/Syncer.d.ts.map +0 -1
package/dist/services/watch/Syncer.js.map +0 -1
package/dist/utils/ROILogger.d.ts.map +0 -1
package/dist/utils/ROILogger.js.map +0 -1
package/dist/utils/RelevanceScorer.d.ts.map +0 -1
package/dist/utils/RelevanceScorer.js.map +0 -1
package/dist/utils/ai-debt-budget.d.ts.map +0 -1
package/dist/utils/ai-debt-budget.js.map +0 -1
package/dist/utils/artifact-signature.d.ts.map +0 -1
package/dist/utils/artifact-signature.js.map +0 -1
package/dist/utils/ask-cache.d.ts.map +0 -1
package/dist/utils/ask-cache.js.map +0 -1
package/dist/utils/box.d.ts.map +0 -1
package/dist/utils/box.js.map +0 -1
package/dist/utils/brain-context.d.ts.map +0 -1
package/dist/utils/brain-context.js.map +0 -1
package/dist/utils/breakage-simulator.d.ts.map +0 -1
package/dist/utils/breakage-simulator.js.map +0 -1
package/dist/utils/change-contract.d.ts.map +0 -1
package/dist/utils/change-contract.js.map +0 -1
package/dist/utils/cli-json.d.ts.map +0 -1
package/dist/utils/cli-json.js.map +0 -1
package/dist/utils/custom-policy-rules.d.ts.map +0 -1
package/dist/utils/custom-policy-rules.js.map +0 -1
package/dist/utils/git.d.ts.map +0 -1
package/dist/utils/git.js.map +0 -1
package/dist/utils/gitignore.d.ts.map +0 -1
package/dist/utils/gitignore.js.map +0 -1
package/dist/utils/governance.d.ts.map +0 -1
package/dist/utils/governance.js.map +0 -1
package/dist/utils/ignore.d.ts.map +0 -1
package/dist/utils/ignore.js.map +0 -1
package/dist/utils/manual-approvals.d.ts.map +0 -1
package/dist/utils/manual-approvals.js.map +0 -1
package/dist/utils/messages.d.ts.map +0 -1
package/dist/utils/messages.js.map +0 -1
package/dist/utils/neurcode-context.d.ts.map +0 -1
package/dist/utils/neurcode-context.js.map +0 -1
package/dist/utils/plan-cache.d.ts.map +0 -1
package/dist/utils/plan-cache.js.map +0 -1
package/dist/utils/plan-slo.d.ts.map +0 -1
package/dist/utils/plan-slo.js.map +0 -1
package/dist/utils/policy-audit.d.ts.map +0 -1
package/dist/utils/policy-audit.js.map +0 -1
package/dist/utils/policy-compiler.d.ts.map +0 -1
package/dist/utils/policy-compiler.js.map +0 -1
package/dist/utils/policy-exceptions.d.ts.map +0 -1
package/dist/utils/policy-exceptions.js.map +0 -1
package/dist/utils/policy-governance.d.ts.map +0 -1
package/dist/utils/policy-governance.js.map +0 -1
package/dist/utils/policy-packs.d.ts.map +0 -1
package/dist/utils/policy-packs.js.map +0 -1
package/dist/utils/project-detector.d.ts.map +0 -1
package/dist/utils/project-detector.js.map +0 -1
package/dist/utils/project-root.d.ts.map +0 -1
package/dist/utils/project-root.js.map +0 -1
package/dist/utils/repo-links.d.ts.map +0 -1
package/dist/utils/repo-links.js.map +0 -1
package/dist/utils/restore.d.ts.map +0 -1
package/dist/utils/restore.js.map +0 -1
package/dist/utils/runtime-guard.d.ts.map +0 -1
package/dist/utils/runtime-guard.js.map +0 -1
package/dist/utils/scope-telemetry.d.ts.map +0 -1
package/dist/utils/scope-telemetry.js.map +0 -1
package/dist/utils/secret-masking.d.ts.map +0 -1
package/dist/utils/secret-masking.js.map +0 -1
package/dist/utils/state.d.ts.map +0 -1
package/dist/utils/state.js.map +0 -1
package/dist/utils/tier.d.ts.map +0 -1
package/dist/utils/tier.js.map +0 -1
package/dist/utils/user-context.d.ts.map +0 -1
package/dist/utils/user-context.js.map +0 -1

package/README.md CHANGED Viewed

@@ -49,14 +49,17 @@ neurcode brain mode --storage-mode no-code
 neurcode brain doctor "is userid used instead of org id"
 ```
-## Enterprise Governance Signing
+## Enterprise Governance Signing (Optional Hardening)
 Use signed AI change logs for fail-closed governance in `verify`/`ship`.
 ```bash
-# Mandatory signed logs (fail closed when key material is missing)
+# Optional strict mode: require signed logs (fail closed when key material is missing)
 export NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS=1
+# Optional: honor org-level signed log requirement from control plane
+export NEURCODE_GOVERNANCE_ENFORCE_ORG_SIGNED_LOG_REQUIREMENT=1
 # Single-key mode
 export NEURCODE_GOVERNANCE_SIGNING_KEY="<strong-random-secret>"
 export NEURCODE_GOVERNANCE_SIGNING_KEY_ID="kid-prod-2026-03"
@@ -68,10 +71,11 @@ export NEURCODE_GOVERNANCE_SIGNING_KEY_ID="kid-prod-2026-03"
 Notes:
 - `verify` writes and verifies `.neurcode/ai-change-log.json` with integrity chain checks.
-- If signed logs are required and integrity/signature checks fail, `verify` exits non-zero.
+- If strict signed-log mode is enabled and integrity/signature checks fail, `verify` exits non-zero.
 - `ship` will block deployment when required signed AI logs are missing/invalid.
 - `policy compile` and `plan` auto-sign deterministic artifacts when governance signing keys are configured.
 - Use `--require-signed-artifacts` (or `NEURCODE_VERIFY_REQUIRE_SIGNED_ARTIFACTS=1`) to fail closed on unsigned/tampered artifacts.
+- Default onboarding flow is non-blocking unless strict signing is explicitly enabled.
 ## Docs

package/dist/commands/contract.js CHANGED Viewed

@@ -12,6 +12,7 @@ const policy_packs_1 = require("../utils/policy-packs");
 const policy_compiler_1 = require("../utils/policy-compiler");
 const change_contract_1 = require("../utils/change-contract");
 const artifact_signature_1 = require("../utils/artifact-signature");
+const plan_symbols_1 = require("../utils/plan-symbols");
 let chalk;
 try {
     chalk = require('chalk');
@@ -60,6 +61,49 @@ function parseAsJsonIfPossible(raw) {
 function normalizeProvider(provider) {
     return String(provider || 'generic').trim().toLowerCase();
 }
+function parseBooleanFlag(raw, fallback) {
+    if (!raw || !raw.trim())
+        return fallback;
+    const normalized = raw.trim().toLowerCase();
+    if (normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on')
+        return true;
+    if (normalized === '0' || normalized === 'false' || normalized === 'no' || normalized === 'off')
+        return false;
+    return fallback;
+}
+function parseNonNegativeInt(raw) {
+    if (!raw || !raw.trim())
+        return undefined;
+    const parsed = Number(raw);
+    if (!Number.isFinite(parsed))
+        return undefined;
+    const rounded = Math.floor(parsed);
+    return rounded >= 0 ? rounded : undefined;
+}
+function resolveChangeContractOptionsFromEnv() {
+    const maxUnexpectedFiles = parseNonNegativeInt(process.env.NEURCODE_CHANGE_CONTRACT_MAX_UNEXPECTED_FILES);
+    const maxMissingExpectedSymbols = parseNonNegativeInt(process.env.NEURCODE_CHANGE_CONTRACT_MAX_MISSING_EXPECTED_SYMBOLS);
+    return {
+        enforceExpectedFiles: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_EXPECTED_FILES, false),
+        enforceActionMatching: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_ACTION_MATCHING, true),
+        allowRenameForModify: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ALLOW_RENAME_FOR_MODIFY, true),
+        enforceExpectedSymbols: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_EXPECTED_SYMBOLS, false),
+        enforceSymbolActionMatching: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_SYMBOL_ACTION_MATCHING, false),
+        symbolTypeRelaxedMatching: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_SYMBOL_TYPE_RELAXED_MATCHING, true),
+        symbolFileBasenameFallback: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_SYMBOL_FILE_BASENAME_FALLBACK, false),
+        ...(maxUnexpectedFiles !== undefined ? { maxUnexpectedFiles } : {}),
+        ...(maxMissingExpectedSymbols !== undefined ? { maxMissingExpectedSymbols } : {}),
+    };
+}
+function mapPlanFilesForChangeContract(files) {
+    return files
+        .map((file) => ({
+        path: file.path,
+        action: file.action,
+        reason: file.reason,
+    }))
+        .filter((file) => typeof file.path === 'string' && file.path.trim().length > 0);
+}
 function normalizeCandidateLimit(value) {
     if (!Number.isFinite(value))
         return 8;
@@ -407,6 +451,9 @@ function contractCommand(program) {
                     projectId: options.projectId || null,
                     intent: options.intent || response.plan.summary || 'imported-plan',
                     expectedFiles,
+                    planFiles: mapPlanFilesForChangeContract(response.plan.files),
+                    expectedSymbols: (0, plan_symbols_1.mapPlanSymbolsForChangeContract)(response.plan),
+                    options: resolveChangeContractOptionsFromEnv(),
                     policyLockFingerprint: policyLock.lock?.effective.fingerprint || null,
                     compiledPolicyFingerprint: compiledPolicy.artifact?.fingerprint || null,
                 });

package/dist/commands/plan.js CHANGED Viewed

@@ -55,6 +55,7 @@ const change_contract_1 = require("../utils/change-contract");
 const policy_packs_1 = require("../utils/policy-packs");
 const policy_compiler_1 = require("../utils/policy-compiler");
 const artifact_signature_1 = require("../utils/artifact-signature");
+const plan_symbols_1 = require("../utils/plan-symbols");
 // Import chalk with fallback for plain strings if not available
 let chalk;
 try {
@@ -591,6 +592,39 @@ function parseBooleanFlag(raw, fallback) {
     }
     return fallback;
 }
+function parseNonNegativeInt(raw) {
+    if (!raw || !raw.trim())
+        return undefined;
+    const parsed = Number(raw);
+    if (!Number.isFinite(parsed))
+        return undefined;
+    const rounded = Math.floor(parsed);
+    return rounded >= 0 ? rounded : undefined;
+}
+function resolveChangeContractOptionsFromEnv() {
+    const maxUnexpectedFiles = parseNonNegativeInt(process.env.NEURCODE_CHANGE_CONTRACT_MAX_UNEXPECTED_FILES);
+    const maxMissingExpectedSymbols = parseNonNegativeInt(process.env.NEURCODE_CHANGE_CONTRACT_MAX_MISSING_EXPECTED_SYMBOLS);
+    return {
+        enforceExpectedFiles: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_EXPECTED_FILES, false),
+        enforceActionMatching: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_ACTION_MATCHING, true),
+        allowRenameForModify: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ALLOW_RENAME_FOR_MODIFY, true),
+        enforceExpectedSymbols: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_EXPECTED_SYMBOLS, false),
+        enforceSymbolActionMatching: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_ENFORCE_SYMBOL_ACTION_MATCHING, false),
+        symbolTypeRelaxedMatching: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_SYMBOL_TYPE_RELAXED_MATCHING, true),
+        symbolFileBasenameFallback: parseBooleanFlag(process.env.NEURCODE_CHANGE_CONTRACT_SYMBOL_FILE_BASENAME_FALLBACK, false),
+        ...(maxUnexpectedFiles !== undefined ? { maxUnexpectedFiles } : {}),
+        ...(maxMissingExpectedSymbols !== undefined ? { maxMissingExpectedSymbols } : {}),
+    };
+}
+function mapPlanFilesForChangeContract(files) {
+    return files
+        .map((file) => ({
+        path: file.path,
+        action: file.action,
+        reason: file.reason,
+    }))
+        .filter((file) => typeof file.path === 'string' && file.path.trim().length > 0);
+}
 function parseConfidenceScoreThreshold(raw) {
     if (!raw)
         return null;
@@ -854,6 +888,9 @@ function emitCachedPlanHit(input) {
                 projectId: input.projectId || null,
                 intent: input.response.plan.summary || 'cached-plan',
                 expectedFiles,
+                planFiles: mapPlanFilesForChangeContract(input.response.plan.files),
+                expectedSymbols: (0, plan_symbols_1.mapPlanSymbolsForChangeContract)(input.response.plan),
+                options: resolveChangeContractOptionsFromEnv(),
                 policyLockFingerprint: lockRead.lock?.effective.fingerprint || null,
                 compiledPolicyFingerprint: compiledPolicyRead.artifact?.fingerprint || null,
             });
@@ -2284,6 +2321,9 @@ async function planCommand(intent, options) {
                     projectId: finalProjectId || null,
                     intent,
                     expectedFiles,
+                    planFiles: mapPlanFilesForChangeContract(response.plan.files),
+                    expectedSymbols: (0, plan_symbols_1.mapPlanSymbolsForChangeContract)(response.plan),
+                    options: resolveChangeContractOptionsFromEnv(),
                     policyLockFingerprint: lockRead.lock?.effective.fingerprint || null,
                     compiledPolicyFingerprint: compiledPolicyRead.artifact?.fingerprint || null,
                 });

package/dist/commands/ship.js CHANGED Viewed

@@ -825,6 +825,15 @@ function isEnabledFlag(value) {
     const normalized = value.trim().toLowerCase();
     return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
 }
+function isSignedAiLogsRequired(orgGovernance) {
+    const explicitRequirement = isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
+        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED);
+    if (explicitRequirement) {
+        return true;
+    }
+    const honorOrgRequirement = isEnabledFlag(process.env.NEURCODE_GOVERNANCE_ENFORCE_ORG_SIGNED_LOG_REQUIREMENT);
+    return honorOrgRequirement && orgGovernance?.requireSignedAiLogs === true;
+}
 function collectApplyWrittenFiles(output) {
     const clean = stripAnsi(output);
     const files = [];
@@ -1846,9 +1855,7 @@ async function shipCommand(goal, options) {
     const manualApprovalBypass = options.manualApproveHighRisk === true || process.env.NEURCODE_MANUAL_APPROVE_HIGH_RISK === '1';
     const governanceDecision = finalVerifyPayload.governanceDecision?.decision;
     const orgGovernance = finalVerifyPayload.orgGovernance || null;
-    const signedAiLogsRequired = orgGovernance?.requireSignedAiLogs === true ||
-        isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
-        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED);
+    const signedAiLogsRequired = isSignedAiLogsRequired(orgGovernance);
     const aiLogIntegrity = finalVerifyPayload.aiChangeLog?.integrity;
     const signedAiLogsValid = aiLogIntegrity?.valid === true && aiLogIntegrity?.signed === true;
     const orgManualApprovalRequired = orgGovernance?.requireManualApproval === true;

package/dist/commands/verify.d.ts CHANGED Viewed

@@ -37,6 +37,8 @@ interface VerifyOptions {
     runtimeGuard?: string;
     /** Print detailed AI change justification reasoning. */
     explain?: boolean;
+    /** Print extra explanatory output for demos/onboarding. */
+    demo?: boolean;
     /** Use queue-backed async verification mode on the API. */
     asyncMode?: boolean;
     /** Poll interval for async verification job status. */