@neurcode-ai/cli 0.9.45 → 0.9.46

package/README.md

@@ -49,14 +49,17 @@ neurcode brain mode --storage-mode no-code
 neurcode brain doctor "is userid used instead of org id"
 ```
 
-## Enterprise Governance Signing
+## Enterprise Governance Signing (Optional Hardening)
 
 Use signed AI change logs for fail-closed governance in `verify`/`ship`.
 
 ```bash
-# Mandatory signed logs (fail closed when key material is missing)
+# Optional strict mode: require signed logs (fail closed when key material is missing)
 export NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS=1
 
+# Optional: honor org-level signed log requirement from control plane
+export NEURCODE_GOVERNANCE_ENFORCE_ORG_SIGNED_LOG_REQUIREMENT=1
+
 # Single-key mode
 export NEURCODE_GOVERNANCE_SIGNING_KEY="<strong-random-secret>"
 export NEURCODE_GOVERNANCE_SIGNING_KEY_ID="kid-prod-2026-03"
@@ -68,10 +71,11 @@ export NEURCODE_GOVERNANCE_SIGNING_KEY_ID="kid-prod-2026-03"
 
 Notes:
 - `verify` writes and verifies `.neurcode/ai-change-log.json` with integrity chain checks.
-- If signed logs are required and integrity/signature checks fail, `verify` exits non-zero.
+- If strict signed-log mode is enabled and integrity/signature checks fail, `verify` exits non-zero.
 - `ship` will block deployment when required signed AI logs are missing/invalid.
 - `policy compile` and `plan` auto-sign deterministic artifacts when governance signing keys are configured.
 - Use `--require-signed-artifacts` (or `NEURCODE_VERIFY_REQUIRE_SIGNED_ARTIFACTS=1`) to fail closed on unsigned/tampered artifacts.
+- Default onboarding flow is non-blocking unless strict signing is explicitly enabled.
 
 ## Docs
 

package/dist/commands/ship.js

@@ -825,6 +825,15 @@ function isEnabledFlag(value) {
     const normalized = value.trim().toLowerCase();
     return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
 }
+function isSignedAiLogsRequired(orgGovernance) {
+    const explicitRequirement = isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
+        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED);
+    if (explicitRequirement) {
+        return true;
+    }
+    const honorOrgRequirement = isEnabledFlag(process.env.NEURCODE_GOVERNANCE_ENFORCE_ORG_SIGNED_LOG_REQUIREMENT);
+    return honorOrgRequirement && orgGovernance?.requireSignedAiLogs === true;
+}
 function collectApplyWrittenFiles(output) {
     const clean = stripAnsi(output);
     const files = [];
@@ -1846,9 +1855,7 @@ async function shipCommand(goal, options) {
     const manualApprovalBypass = options.manualApproveHighRisk === true || process.env.NEURCODE_MANUAL_APPROVE_HIGH_RISK === '1';
     const governanceDecision = finalVerifyPayload.governanceDecision?.decision;
     const orgGovernance = finalVerifyPayload.orgGovernance || null;
-    const signedAiLogsRequired = orgGovernance?.requireSignedAiLogs === true ||
-        isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
-        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED);
+    const signedAiLogsRequired = isSignedAiLogsRequired(orgGovernance);
     const aiLogIntegrity = finalVerifyPayload.aiChangeLog?.integrity;
     const signedAiLogsValid = aiLogIntegrity?.valid === true && aiLogIntegrity?.signed === true;
     const orgManualApprovalRequired = orgGovernance?.requireManualApproval === true;

package/dist/commands/verify.js

@@ -821,9 +821,13 @@ function isGitRepository(cwd) {
     }
 }
 function isSignedAiLogsRequired(orgGovernanceSettings) {
-    return (orgGovernanceSettings?.requireSignedAiLogs === true ||
-        isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
-        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED));
+    const explicitRequirement = isEnabledFlag(process.env.NEURCODE_GOVERNANCE_REQUIRE_SIGNED_LOGS) ||
+        isEnabledFlag(process.env.NEURCODE_AI_LOG_REQUIRE_SIGNED);
+    if (explicitRequirement) {
+        return true;
+    }
+    const honorOrgRequirement = isEnabledFlag(process.env.NEURCODE_GOVERNANCE_ENFORCE_ORG_SIGNED_LOG_REQUIREMENT);
+    return honorOrgRequirement && orgGovernanceSettings?.requireSignedAiLogs === true;
 }
 function policyLockMismatchMessage(mismatches) {
     if (mismatches.length === 0) {
@@ -1012,6 +1016,7 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
     if (!options.json) {
         console.log(chalk.cyan('🛡️  General Governance mode (policy only, no plan linked)\n'));
     }
+    const signedLogsRequired = isSignedAiLogsRequired(orgGovernanceSettings);
     const governanceAnalysis = (0, governance_1.evaluateGovernance)({
         projectRoot,
         task: 'Policy-only verification',
@@ -1019,6 +1024,7 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         diffFiles,
         contextCandidates: diffFiles.map((file) => file.path),
         orgGovernance: orgGovernanceSettings,
+        requireSignedAiLogs: signedLogsRequired,
         signingKey: aiLogSigningKey,
         signingKeyId: aiLogSigningKeyId,
         signingKeys: aiLogSigningKeys,
@@ -1029,7 +1035,6 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         changeContract: changeContractSummary,
     });
     const contextPolicyViolations = governanceAnalysis.contextPolicy.violations.filter((item) => !ignoreFilter(item.file));
-    const signedLogsRequired = isSignedAiLogsRequired(orgGovernanceSettings);
     if (signedLogsRequired && !governanceAnalysis.aiChangeLogIntegrity.valid) {
         const message = `AI change-log integrity check failed: ${governanceAnalysis.aiChangeLogIntegrity.issues.join('; ') || 'unknown issue'}`;
         if (options.json) {
@@ -2246,6 +2251,7 @@ async function verifyCommand(options) {
                 diffFiles,
                 contextCandidates: diffFiles.map((file) => file.path),
                 orgGovernance: orgGovernanceSettings,
+                requireSignedAiLogs: signedLogsRequired,
                 signingKey: aiLogSigningKey,
                 signingKeyId: aiLogSigningKeyId,
                 signingKeys: aiLogSigningKeys,
@@ -2547,6 +2553,7 @@ async function verifyCommand(options) {
                 diffFiles,
                 contextCandidates: planFiles,
                 orgGovernance: orgGovernanceSettings,
+                requireSignedAiLogs: signedLogsRequired,
                 signingKey: aiLogSigningKey,
                 signingKeyId: aiLogSigningKeyId,
                 signingKeys: aiLogSigningKeys,

package/dist/utils/governance.d.ts

@@ -8,6 +8,7 @@ export interface GovernanceEvaluationInput {
     diffFiles: DiffFile[];
     contextCandidates?: string[];
     orgGovernance?: OrgGovernanceSettings | null;
+    requireSignedAiLogs?: boolean;
     signingKey?: string | null;
     signingKeyId?: string | null;
     signingKeys?: Record<string, string> | null;

package/dist/utils/governance.js

@@ -35,7 +35,7 @@ function evaluateGovernance(input) {
     });
     let aiChangeLogIntegrity = writtenChangeLog.integrity;
     let governanceDecisionFinal = governanceDecision;
-    const requireSignedAiLogs = input.orgGovernance?.requireSignedAiLogs === true;
+    const requireSignedAiLogs = input.requireSignedAiLogs === true;
     if (requireSignedAiLogs) {
         aiChangeLogIntegrity = (0, analysis_1.verifyAiChangeLogIntegrity)(input.projectRoot, {
             requiredSigned: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@neurcode-ai/cli",
-  "version": "0.9.45",
+  "version": "0.9.46",
   "description": "Neurcode CLI - AI code governance and diff analysis",
   "bin": {
     "neurcode": "dist/index.js"