npm - @neurcode-ai/cli - Versions diffs - 0.9.65 → 0.9.66 - Mend

@neurcode-ai/cli 0.9.65 → 0.9.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/dist/commands/verify.js CHANGED Viewed

@@ -69,8 +69,12 @@ const diff_symbols_1 = require("../utils/diff-symbols");
 const advisory_signals_1 = require("../utils/advisory-signals");
 const structural_rules_1 = require("../structural-rules");
 const canonical_pipeline_1 = require("../governance/canonical-pipeline");
+const canonical_invariants_1 = require("../governance/canonical-invariants");
 const structural_on_diff_1 = require("../governance/structural-on-diff");
-const structural_policy_merge_1 = require("../governance/structural-policy-merge");
+// NOTE: mergeStructuralIntoPolicyViolations is intentionally NOT imported.
+// Structural violations flow exclusively through payload.structuralViolations
+// into the canonical pipeline. Merging them into policyViolations caused
+// duplicate GovernanceFinding objects (fixed in Phase 1 canonical graph hardening).
 const telemetry_1 = require("@neurcode-ai/telemetry");
 const governance_provenance_1 = require("../utils/governance-provenance");
 const pilot_metrics_1 = require("../utils/pilot-metrics");
@@ -80,6 +84,7 @@ const artifact_signature_1 = require("../utils/artifact-signature");
 const policy_1 = require("@neurcode-ai/policy");
 const ai_debt_budget_1 = require("../utils/ai-debt-budget");
 const verification_evidence_1 = require("../utils/verification-evidence");
+const verify_runtime_stability_1 = require("../utils/verify-runtime-stability");
 // Import chalk with fallback
 let chalk;
 try {
@@ -100,6 +105,38 @@ catch {
         white: (str) => str,
     };
 }
+/**
+ * Structured CI explainability for `neurcode verify --ci` / `--policy-only` human output.
+ * Keeps logs short — no JSON dumps — and separates merge-blocking vs advisory signals.
+ */
+function logCiPolicyOnlyOutcomeExplainability(params) {
+    if (!params.ciModeEnabled || params.json) {
+        return;
+    }
+    const modeLine = params.source === 'ci'
+        ? '`verify --ci` uses deterministic local governance (compiled/custom policy + structural rules). Remote plan-verify API is not used.'
+        : '`--policy-only` — local policy + structural governance without plan adherence.';
+    const sev = (s) => String(s || '').toLowerCase();
+    const sBlock = params.structuralViolations.filter((v) => v.severity === 'BLOCKING').length;
+    const sAdv = params.structuralViolations.length - sBlock;
+    const pBlock = params.policyViolations.filter((v) => sev(v.severity) === 'block').length;
+    const pWarn = params.policyViolations.filter((v) => sev(v.severity) === 'warn').length;
+    if (params.verdict === 'PASS') {
+        console.log(chalk.dim('\n── CI verify contract ──'));
+        console.log(chalk.dim(`   ${modeLine}`));
+        console.log(chalk.dim('   Exit 0: no blocking severities. Replay checksum (JSON) anchors structural findings for audit parity.'));
+        return;
+    }
+    console.log(chalk.bold.red('\n── CI failure explainability ──'));
+    console.log(chalk.dim(`   ${modeLine}`));
+    console.log(chalk.red(`   Merge-blocking rows: structural BLOCKING ${sBlock}; policy/custom severity=block ${pBlock}`));
+    console.log(chalk.yellow(`   Non-blocking (warn/advisory-class): structural advisory ${sAdv}; policy warn ${pWarn} — does not fail CI unless your gate maps warns to failure`));
+    console.log(chalk.dim('   Offline / structural-only: set NEURCODE_VERIFY_LOCAL_ONLY=1 or `--local-only` to skip API compatibility probes (AST gates still run).'));
+    if (params.replayChecksum) {
+        console.log(chalk.dim(`   Structural replay checksum: ${params.replayChecksum.slice(0, 16)}… · mode ${params.replayMode ?? 'local-structural'}`));
+    }
+    console.log(chalk.dim('   Next: resolve BLOCKING first → `neurcode remediate-export` (optional) → re-run `neurcode verify --ci`.\n'));
+}
 ;
 function toArtifactSignatureSummary(status) {
     return {
@@ -1932,7 +1969,9 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         });
     }
     const policyOnlyStructural = (0, structural_on_diff_1.runStructuralOnDiffFiles)(projectRoot, diffFilesForPolicy);
-    (0, structural_policy_merge_1.mergeStructuralIntoPolicyViolations)(policyViolations, policyOnlyStructural.violations);
+    // Structural violations are passed to the canonical pipeline via payload.structuralViolations
+    // (see line ~2584). Do NOT merge them into policyViolations — that would create structural:*
+    // duplicates that contaminate the canonical finding graph.
     policyDecision = resolvePolicyDecisionFromViolations(policyViolations);
     const effectiveVerdict = policyDecision === 'block' ? 'FAIL' : policyDecision === 'warn' ? 'WARN' : 'PASS';
     const grade = effectiveVerdict === 'PASS' ? 'A' : effectiveVerdict === 'WARN' ? 'C' : 'F';
@@ -1989,6 +2028,11 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
             eventCount: auditIntegrity.count,
         },
     };
+    // Phase 4: Compute replay checksum from structural findings so replayChecksum
+    // is populated in --policy-only and --local-only CI/daemonless modes.
+    // This closes the N/A gap identified in the Apache Airflow benchmark.
+    const policyOnlyStructuralFindings = policyOnlyStructural.violations.map(canonical_pipeline_1.findingFromStructural);
+    const policyOnlyReplayChecksum = (0, canonical_invariants_1.computeCanonicalFindingChecksum)(policyOnlyStructuralFindings);
     const policyOnlyPayload = {
         grade,
         score,
@@ -2007,6 +2051,8 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         mode: 'policy_only',
         policyOnly: true,
         policyOnlySource: source,
+        replayChecksum: policyOnlyReplayChecksum,
+        replayMode: 'local-structural',
         ...governancePayload,
         policyLock: {
             enforced: policyLockEvaluation.enforced,
@@ -2057,6 +2103,16 @@ async function executePolicyOnlyMode(options, diffFiles, ignoreFilter, projectRo
         }
         displayGovernanceInsights(governanceAnalysis, { explain: options.explain });
         console.log(chalk.dim(`\n${message}`));
+        logCiPolicyOnlyOutcomeExplainability({
+            ciModeEnabled,
+            json: Boolean(options.json),
+            verdict: effectiveVerdict,
+            source,
+            structuralViolations: policyOnlyStructural.violations,
+            policyViolations,
+            replayChecksum: policyOnlyReplayChecksum,
+            replayMode: 'local-structural',
+        });
     }
     await recordPolicyOnlyVerification({
         grade,
@@ -2092,6 +2148,13 @@ async function verifyCommand(options) {
         let lastCanonicalOutput = null;
         let lastEvidenceFallbackOutput = null;
         let evidenceFinalizeAttempted = false;
+        // ── Phase 1 Runtime Stability: create context early so all subsystems share it ──
+        // Structural governance is NEVER gated by this context — it always runs.
+        const runtimeCtx = (0, verify_runtime_stability_1.createVerifyRuntimeContext)(ciModeEnabled);
+        // Large repo detection: sets largeRepoMode and emits cache-build recommendation.
+        (0, verify_runtime_stability_1.applyLargeRepoProtection)(runtimeCtx, projectRoot);
+        // Initial memory pressure check at entry.
+        (0, verify_runtime_stability_1.applyMemoryPressureDegradation)(runtimeCtx);
         if (ciModeEnabled) {
             options.policyOnly = true;
             options.requirePlan = false;
@@ -2163,6 +2226,9 @@ async function verifyCommand(options) {
         let structuralRulesApplied = [];
         let structuralSuppressedCount = 0;
         const emitVerifyJson = (payload) => {
+            // Check memory pressure immediately before emission (may have changed during long verify)
+            (0, verify_runtime_stability_1.applyMemoryPressureDegradation)(runtimeCtx);
+            const runtimeStabilityReport = (0, verify_runtime_stability_1.buildVerifyRuntimeReport)(runtimeCtx);
             const enrichedPayload = {
                 ...payload,
                 ciMode: payload.ciMode ?? ciModeEnabled,
@@ -2178,6 +2244,8 @@ async function verifyCommand(options) {
                 structuralViolations: payload.structuralViolations ?? structuralViolations,
                 structuralRulesApplied: payload.structuralRulesApplied ?? structuralRulesApplied,
                 structuralSuppressedCount: payload.structuralSuppressedCount ?? structuralSuppressedCount,
+                // Runtime stability transparency — always present
+                runtimeStabilityReport,
             };
             lastEvidenceFallbackOutput = enrichedPayload;
             emitCanonicalVerifyJson(enrichedPayload, (canonical) => {
@@ -2622,8 +2690,19 @@ async function verifyCommand(options) {
             try {
                 let contextNote = note;
                 if (Array.isArray(changedFiles) && changedFiles.length > 0) {
-                    const refreshed = (0, brain_context_1.refreshBrainContextForFiles)(projectRoot, brainScope, changedFiles);
-                    contextNote = `${contextNote};indexed=${refreshed.indexed};removed=${refreshed.removed};skipped=${refreshed.skipped}`;
+                    // Runtime stability: skip brain context refresh if semantic layer is degraded
+                    // (memory pressure or time pressure). Structural verification is unaffected.
+                    if ((0, verify_runtime_stability_1.shouldSkipSemanticLayer)(runtimeCtx)) {
+                        contextNote = `${contextNote};semantic_skipped=runtime_pressure`;
+                        if (!ciModeEnabled && runtimeCtx.degradationReasons.length > 0) {
+                            console.log(chalk.yellow(`\n⚠️  Brain context refresh skipped: ${runtimeCtx.degradationReasons[runtimeCtx.degradationReasons.length - 1]}`));
+                            console.log(chalk.dim('   Deterministic structural governance continues unaffected.\n'));
+                        }
+                    }
+                    else {
+                        const refreshed = (0, brain_context_1.refreshBrainContextForFiles)(projectRoot, brainScope, changedFiles);
+                        contextNote = `${contextNote};indexed=${refreshed.indexed};removed=${refreshed.removed};skipped=${refreshed.skipped}`;
+                    }
                 }
                 (0, brain_context_1.recordBrainProgressEvent)(projectRoot, brainScope, {
                     type: 'verify',
@@ -2818,7 +2897,9 @@ async function verifyCommand(options) {
                     });
                 }
                 console.log(chalk.dim(`\n[Local-only] ${localStructural.violations.length} finding(s), ${blockingViolations.length} blocking. ` +
-                    `Remove --local-only for full governance verification.\n`));
+                    `Structural analysis ran on this checkout only (no verify API).\n`));
+                console.log(chalk.dim('   Replay: same commit + same flags → same structural findings.\n' +
+                    '   Full plan/adherence + remote verify: drop --local-only when policy allows network/API.\n'));
             }
             recordVerifyEvent(localVerdict, `local_only;structural=${localStructural.violations.length}`, diffFiles.map((f) => f.path));
             exitWithEvidence(blockingViolations.length > 0 ? 2 : 0);
@@ -3216,10 +3297,14 @@ async function verifyCommand(options) {
             }
             const message = 'No plan linked yet. Ran advisory verification for quick first-run experience. ' +
                 'Use `neurcode plan` and `neurcode contract import --auto-detect --write-change-contract` for full enforcement.';
-            const advisorySignals = (0, advisory_signals_1.evaluateAdvisorySignals)({
-                diffFiles,
-                summary,
-            });
+            // Runtime stability: skip advisory signals if advisory layer is degraded.
+            // Structural rules always run regardless.
+            const advisorySignals = (0, verify_runtime_stability_1.shouldSkipAdvisoryLayer)(runtimeCtx)
+                ? []
+                : (0, advisory_signals_1.evaluateAdvisorySignals)({ diffFiles, summary });
+            if ((0, verify_runtime_stability_1.shouldSkipAdvisoryLayer)(runtimeCtx) && !options.json) {
+                console.log(chalk.dim('   Advisory signals skipped (runtime pressure — structural governance unaffected).'));
+            }
             const advisoryWarnCount = advisorySignals.filter((item) => item.severity === 'warn').length;
             // ── Advisory-first: always run structural rules, downgrade scope issues to advisory ──
             // Structural rules are deterministic and local — they MUST always run regardless of plan.
@@ -3971,7 +4056,9 @@ async function verifyCommand(options) {
                 message: `Policy audit chain is invalid: ${auditIntegrityStatus.issues.join('; ') || 'unknown issue'}`,
             });
         }
-        (0, structural_policy_merge_1.mergeStructuralIntoPolicyViolations)(policyViolations, structuralViolations);
+        // Structural violations are passed to the canonical pipeline via payload.structuralViolations
+        // (see line ~5281). Do NOT merge them into policyViolations — that would create structural:*
+        // duplicates that contaminate the canonical finding graph.
         policyDecision = resolvePolicyDecisionFromViolations(policyViolations);
         const policyExceptionsSummary = {
             sourceMode: policyExceptionResolution.mode,
@@ -4556,6 +4643,15 @@ async function verifyCommand(options) {
                         console.log(chalk.dim('   Intent proof repo scan reached configured file/byte limit (truncated).'));
                     }
                 }
+                console.log(chalk.dim('\n── Verification contract (this run) ──'));
+                console.log(chalk.dim(`   Verify source: ${verifySource === 'local_fallback'
+                    ? 'local deterministic fallback (verify API unavailable)'
+                    : 'verify API'}`));
+                console.log(chalk.dim(`   Structural findings: ${structuralViolations.length} ` +
+                    `(${structuralViolations.filter((v) => v.severity === 'BLOCKING').length} blocking, ` +
+                    `${structuralViolations.filter((v) => v.severity !== 'BLOCKING').length} advisory)`));
+                console.log(chalk.dim('   Merge gates follow rule severity + policy: blocking structural findings are reproducible on this tree.'));
+                console.log(chalk.dim('   Evidence trail: see `.neurcode/` on success (provenance, telemetry) — use `neurcode replay` / dashboard for audit parity.'));
             }
             // ── Governance Provenance Chain + Pilot Metrics ───────────────────────
             // Best-effort: never throws, never changes the verification outcome.