@neurcode-ai/cli 0.9.44 → 0.9.46

package/dist/utils/advisory-signals.js

@@ -0,0 +1,177 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateAdvisorySignals = evaluateAdvisorySignals;
+function toUnixPath(filePath) {
+    return String(filePath || '').replace(/\\/g, '/');
+}
+function unique(items) {
+    return [...new Set(items)];
+}
+function isRequestLayerPath(path) {
+    return /(\/|^)(route|routes|controller|controllers|handler|handlers|api)(\/|$)/i.test(path);
+}
+function isTestPath(path) {
+    return /(^|\/)(__tests__|tests?|test)(\/|$)|\.(test|spec)\.[A-Za-z0-9]+$/i.test(path);
+}
+function isCodePath(path) {
+    return /\.(ts|tsx|js|jsx|mjs|cjs|py|go|java|rb|cs|php|rs|kt|swift)$/i.test(path);
+}
+function isInfraPath(path) {
+    return /(\/|^)(infra|terraform|k8s|kubernetes|helm|ansible|iac|cloudformation|pulumi|\.github\/workflows)(\/|$)/i.test(path);
+}
+function isAppPath(path) {
+    return /(\/|^)(src|app|services|packages|web)(\/|$)/i.test(path);
+}
+function isGeneratedArtifactPath(path) {
+    const normalized = path.toLowerCase();
+    return (normalized.endsWith('.map')
+        || normalized.includes('/dist/')
+        || normalized.includes('/build/')
+        || normalized.includes('/coverage/')
+        || normalized.includes('/.next/')
+        || normalized.includes('/out/')
+        || /\.min\.(js|css)$/.test(normalized));
+}
+function classifySensitiveDomains(path) {
+    const normalized = path.toLowerCase();
+    const domains = [];
+    if (/\b(auth|rbac|permission|acl|identity|oauth|session|jwt)\b/.test(normalized)) {
+        domains.push('auth');
+    }
+    if (/\b(payment|billing|invoice|refund|wallet|checkout)\b/.test(normalized)) {
+        domains.push('payment');
+    }
+    if (/\b(db|database|prisma|migration|sql|repository|repositories)\b/.test(normalized)) {
+        domains.push('data');
+    }
+    if (isInfraPath(normalized)) {
+        domains.push('infra');
+    }
+    return domains;
+}
+function findAddedLines(diffFiles) {
+    const lines = [];
+    for (const file of diffFiles) {
+        const filePath = toUnixPath(file.path);
+        for (const hunk of file.hunks || []) {
+            for (const line of hunk.lines || []) {
+                if (line.type === 'added') {
+                    lines.push({ file: filePath, content: line.content });
+                }
+            }
+        }
+    }
+    return lines;
+}
+function limitFiles(files, max = 6) {
+    const deduped = unique(files);
+    if (deduped.length <= max)
+        return deduped;
+    return deduped.slice(0, max);
+}
+function evaluateAdvisorySignals(input) {
+    const diffFiles = input.diffFiles || [];
+    const changedPaths = unique(diffFiles.map((file) => toUnixPath(file.path)).filter(Boolean));
+    const totalFiles = input.summary?.totalFiles ?? changedPaths.length;
+    const totalAdded = input.summary?.totalAdded ?? 0;
+    const totalRemoved = input.summary?.totalRemoved ?? 0;
+    const signals = [];
+    const sensitiveDomains = new Set();
+    const filesBySensitiveDomain = {};
+    for (const path of changedPaths) {
+        const domains = classifySensitiveDomains(path);
+        for (const domain of domains) {
+            sensitiveDomains.add(domain);
+            if (!filesBySensitiveDomain[domain]) {
+                filesBySensitiveDomain[domain] = [];
+            }
+            filesBySensitiveDomain[domain].push(path);
+        }
+    }
+    if (sensitiveDomains.size >= 2) {
+        const domains = [...sensitiveDomains].sort((a, b) => a.localeCompare(b));
+        const files = limitFiles(domains.flatMap((domain) => filesBySensitiveDomain[domain] || []));
+        signals.push({
+            code: 'SENSITIVE_DOMAIN_SPAN',
+            severity: 'warn',
+            title: 'Changes span multiple sensitive domains',
+            detail: `Changes touch ${domains.join(' + ')} modules in one diff. ` +
+                'This pattern often indicates unintended side effects or architectural drift.',
+            files,
+        });
+    }
+    const dbCallPattern = /\b(prisma|db|sequelize)\.[A-Za-z_$][A-Za-z0-9_$]*\.[A-Za-z_$][A-Za-z0-9_$]*\s*\(|\bknex\s*\(/;
+    const directDbRequestLayerFiles = findAddedLines(diffFiles)
+        .filter((line) => isRequestLayerPath(line.file) && dbCallPattern.test(line.content))
+        .map((line) => line.file);
+    if (directDbRequestLayerFiles.length > 0) {
+        signals.push({
+            code: 'DIRECT_DB_IN_REQUEST_LAYER',
+            severity: 'warn',
+            title: 'Direct DB access detected in request layer',
+            detail: 'Route/controller code now calls the DB directly. This can bypass service-layer controls and increase drift risk.',
+            files: limitFiles(directDbRequestLayerFiles),
+        });
+    }
+    const totalDelta = totalAdded + totalRemoved;
+    if (totalFiles >= 15 || totalDelta >= 600) {
+        signals.push({
+            code: 'LARGE_CHANGE_SURFACE',
+            severity: 'warn',
+            title: 'Large change surface',
+            detail: `This diff touches ${totalFiles} file(s) and ${totalDelta} changed line(s). ` +
+                'Large surfaces reduce review certainty and raise drift probability.',
+            files: limitFiles(changedPaths),
+        });
+    }
+    const codeFilesTouched = changedPaths.filter((path) => isCodePath(path) && !isTestPath(path) && !path.startsWith('docs/'));
+    const nonGeneratedCodeFilesTouched = codeFilesTouched.filter((path) => !isGeneratedArtifactPath(path));
+    const testFilesTouched = changedPaths.filter((path) => isTestPath(path));
+    if (nonGeneratedCodeFilesTouched.length >= 3 && testFilesTouched.length === 0) {
+        signals.push({
+            code: 'CODE_WITHOUT_TEST_UPDATES',
+            severity: nonGeneratedCodeFilesTouched.length >= 8 ? 'warn' : 'info',
+            title: 'Code changed without test updates',
+            detail: `Detected ${nonGeneratedCodeFilesTouched.length} code file change(s) with no test file updates. ` +
+                'Behavior drift may go unnoticed without verification tests.',
+            files: limitFiles(nonGeneratedCodeFilesTouched),
+        });
+    }
+    const infraFiles = changedPaths.filter((path) => isInfraPath(path));
+    const appFiles = changedPaths.filter((path) => isAppPath(path) && !isInfraPath(path));
+    if (infraFiles.length > 0 && appFiles.length > 0) {
+        signals.push({
+            code: 'INFRA_AND_APP_MIXED',
+            severity: 'warn',
+            title: 'Infra and app code changed together',
+            detail: 'This diff mixes infrastructure and application edits. Consider splitting for clearer intent and rollback safety.',
+            files: limitFiles([...infraFiles, ...appFiles]),
+        });
+    }
+    const secretPattern = /(AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(?:api[_-]?key|secret|password)\s*[:=]\s*(?:"[^"]{8,}"|'[^']{8,}'|`[^`]{8,}`))/i;
+    const possibleSecretFiles = findAddedLines(diffFiles)
+        .filter((line) => !isGeneratedArtifactPath(line.file))
+        .filter((line) => line.content.trim().length <= 240)
+        .filter((line) => !/\[REDACTED\]|process\.env\./i.test(line.content))
+        .filter((line) => secretPattern.test(line.content))
+        .map((line) => line.file);
+    if (possibleSecretFiles.length > 0) {
+        signals.push({
+            code: 'POSSIBLE_SECRET_ADDITION',
+            severity: 'warn',
+            title: 'Possible secret-like value added',
+            detail: 'Detected new lines resembling secrets or credentials. Validate redaction and secret management before merge.',
+            files: limitFiles(possibleSecretFiles),
+        });
+    }
+    const precedence = { warn: 0, info: 1 };
+    return signals
+        .sort((left, right) => {
+        const severityDelta = precedence[left.severity] - precedence[right.severity];
+        if (severityDelta !== 0)
+            return severityDelta;
+        return left.title.localeCompare(right.title);
+    })
+        .slice(0, 4);
+}
+//# sourceMappingURL=advisory-signals.js.map

package/dist/utils/change-contract.d.ts

@@ -10,9 +10,69 @@ export interface ChangeContract {
     intentHash: string;
     expectedFiles: string[];
     expectedFilesFingerprint: string;
+    planFiles?: ChangeContractPlanFile[];
+    expectedSymbols?: ChangeContractExpectedSymbol[];
+    options?: ChangeContractOptions;
     policyLockFingerprint: string | null;
     compiledPolicyFingerprint: string | null;
 }
+export type ChangeContractPlanAction = 'CREATE' | 'MODIFY' | 'BLOCK';
+export type ChangeContractDiffAction = 'add' | 'delete' | 'modify' | 'rename';
+export type ChangeContractSymbolAction = 'CREATE' | 'MODIFY' | 'BLOCK';
+export type ChangeContractSymbolType = 'function' | 'class' | 'interface' | 'type' | 'method' | 'const' | 'unknown';
+export type ChangeContractDiffSymbolAction = 'add' | 'delete' | 'modify';
+export interface ChangeContractPlanFile {
+    path: string;
+    action: ChangeContractPlanAction;
+    reason?: string;
+}
+export interface ChangeContractExpectedSymbol {
+    name: string;
+    action: ChangeContractSymbolAction;
+    type?: ChangeContractSymbolType;
+    file?: string;
+    reason?: string;
+}
+export interface ChangeContractOptions {
+    /**
+     * When enabled, files expected by the contract must be changed in the current diff.
+     * This is opt-in to avoid breaking partial/iterative delivery workflows.
+     */
+    enforceExpectedFiles?: boolean;
+    /**
+     * When enabled, diff operations are validated against planned file actions.
+     */
+    enforceActionMatching?: boolean;
+    /**
+     * Allows rename operations to satisfy MODIFY expectations.
+     * Defaults to true when action matching is enabled.
+     */
+    allowRenameForModify?: boolean;
+    /**
+     * When enabled, symbols expected by the contract must be present in changed symbol declarations.
+     */
+    enforceExpectedSymbols?: boolean;
+    /**
+     * When enabled, symbol-level operation matching is validated against expected symbol actions.
+     */
+    enforceSymbolActionMatching?: boolean;
+    /**
+     * When enabled (default), function/method/const symbol kinds can match compatible declarations.
+     */
+    symbolTypeRelaxedMatching?: boolean;
+    /**
+     * Allows expected symbol file constraints to fallback to basename matching.
+     */
+    symbolFileBasenameFallback?: boolean;
+    /**
+     * Tolerate this many out-of-contract file touches before failing.
+     */
+    maxUnexpectedFiles?: number;
+    /**
+     * Tolerate this many missing expected symbols before failing.
+     */
+    maxMissingExpectedSymbols?: number;
+}
 export interface ReadChangeContractResult {
     path: string;
     exists: boolean;
@@ -20,9 +80,11 @@ export interface ReadChangeContractResult {
     error?: string;
 }
 export interface ChangeContractViolation {
-    code: 'CHANGE_CONTRACT_PLAN_MISMATCH' | 'CHANGE_CONTRACT_UNEXPECTED_FILE' | 'CHANGE_CONTRACT_POLICY_LOCK_MISMATCH' | 'CHANGE_CONTRACT_COMPILED_POLICY_MISMATCH';
+    code: 'CHANGE_CONTRACT_PLAN_MISMATCH' | 'CHANGE_CONTRACT_UNEXPECTED_FILE' | 'CHANGE_CONTRACT_MISSING_EXPECTED_FILE' | 'CHANGE_CONTRACT_BLOCKED_FILE_TOUCHED' | 'CHANGE_CONTRACT_ACTION_MISMATCH' | 'CHANGE_CONTRACT_MISSING_EXPECTED_SYMBOL' | 'CHANGE_CONTRACT_BLOCKED_SYMBOL_TOUCHED' | 'CHANGE_CONTRACT_SYMBOL_ACTION_MISMATCH' | 'CHANGE_CONTRACT_POLICY_LOCK_MISMATCH' | 'CHANGE_CONTRACT_COMPILED_POLICY_MISMATCH';
     message: string;
     file?: string;
+    symbol?: string;
+    symbolType?: string;
     expected?: string;
     actual?: string;
 }
@@ -33,6 +95,17 @@ export interface ChangeContractEvaluation {
         expectedFiles: number;
         changedFiles: number;
         outOfContractFiles: number;
+        missingExpectedFiles: number;
+        blockedFilesTouched: number;
+        actionMismatches: number;
+        expectedSymbols: number;
+        changedSymbols: number;
+        missingExpectedSymbols: number;
+        blockedSymbolsTouched: number;
+        symbolActionMismatches: number;
+        symbolRenameMatches: number;
+        toleratedUnexpectedFiles: number;
+        toleratedMissingExpectedSymbols: number;
     };
 }
 export declare function createChangeContract(input: {
@@ -42,6 +115,19 @@ export declare function createChangeContract(input: {
     projectId?: string | null;
     intent: string;
     expectedFiles: string[];
+    planFiles?: Array<{
+        path: string;
+        action: ChangeContractPlanAction;
+        reason?: string;
+    }>;
+    expectedSymbols?: Array<{
+        name: string;
+        action: ChangeContractSymbolAction;
+        type?: ChangeContractSymbolType;
+        file?: string;
+        reason?: string;
+    }>;
+    options?: ChangeContractOptions;
     policyLockFingerprint?: string | null;
     compiledPolicyFingerprint?: string | null;
 }): ChangeContract;
@@ -51,7 +137,25 @@ export declare function readChangeContract(projectRoot: string, inputPath?: stri
 export declare function evaluateChangeContract(contract: ChangeContract, input: {
     planId: string;
     changedFiles: string[];
+    changedFileEntries?: Array<{
+        path: string;
+        changeType: ChangeContractDiffAction;
+    }>;
+    changedSymbols?: Array<{
+        name: string;
+        action: ChangeContractDiffSymbolAction;
+        type?: ChangeContractSymbolType;
+        file?: string;
+    }>;
     policyLockFingerprint?: string | null;
     compiledPolicyFingerprint?: string | null;
 }): ChangeContractEvaluation;
+export interface ChangeContractViolationGroup {
+    key: 'out_of_scope_changes' | 'missing_expected_files' | 'blocked_files_touched' | 'file_action_mismatches' | 'missing_expected_symbols' | 'blocked_symbols_touched' | 'symbol_action_mismatches' | 'contract_metadata_mismatches' | 'other';
+    title: string;
+    impact: string;
+    items: string[];
+    count: number;
+}
+export declare function groupChangeContractViolations(violations: ChangeContractViolation[]): ChangeContractViolationGroup[];
 //# sourceMappingURL=change-contract.d.ts.map