npm - @neurcode-ai/cli - Versions diffs - 0.9.65 → 0.9.66 - Mend

@neurcode-ai/cli 0.9.65 → 0.9.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/dist/governance/pilot-readiness.js ADDED Viewed

@@ -0,0 +1,226 @@
+"use strict";
+/**
+ * Pilot Readiness Validator (Phase 6 — Pilot Readiness Hardening)
+ *
+ * Checks that a repository meets all prerequisites for a reliable Neurcode
+ * onboarding. Designed to be runnable in under 10 seconds with no external
+ * network calls.
+ *
+ * Usage: runPilotReadinessCheck(projectRoot) → PilotReadinessReport
+ *
+ * Returns:
+ *   ready:    true if all blockers pass (warnings are non-blocking)
+ *   blockers: list of hard failures that prevent governance from running
+ *   warnings: list of soft issues that degrade experience but don't block
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runPilotReadinessCheck = runPilotReadinessCheck;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const child_process_1 = require("child_process");
+// ── Helpers ───────────────────────────────────────────────────────────────────
+function check(name, fn) {
+    try {
+        const result = fn();
+        return { name, ...result };
+    }
+    catch (e) {
+        return {
+            name,
+            status: 'fail',
+            message: `Check threw unexpectedly: ${e instanceof Error ? e.message : String(e)}`,
+        };
+    }
+}
+function nodeVersion() {
+    const v = process.version; // e.g. 'v18.12.0'
+    return parseInt(v.slice(1).split('.')[0] ?? '0', 10);
+}
+// ── Individual checks ─────────────────────────────────────────────────────────
+function checkGitAvailable() {
+    try {
+        (0, child_process_1.execSync)('git --version', { stdio: 'ignore', timeout: 3000 });
+        return { status: 'pass', message: 'git is available.' };
+    }
+    catch {
+        return { status: 'fail', message: 'git is not available in PATH. Neurcode requires git to compute diffs.' };
+    }
+}
+function checkNodeVersion() {
+    const major = nodeVersion();
+    if (major >= 20)
+        return { status: 'pass', message: `Node.js v${major} (≥20 recommended).` };
+    if (major >= 18)
+        return { status: 'pass', message: `Node.js v${major} (supported; v20+ recommended for best performance).` };
+    return { status: 'fail', message: `Node.js v${major} is below minimum requirement (18). Upgrade to Node.js 18 or later.` };
+}
+function checkNeurcodeDir(projectRoot) {
+    const dir = (0, path_1.join)(projectRoot, '.neurcode');
+    if (!(0, fs_1.existsSync)(dir)) {
+        // Not existing is fine — it will be created on first run
+        // But check that the parent directory is writable
+        try {
+            (0, fs_1.accessSync)(projectRoot, fs_1.constants.W_OK);
+            return { status: 'pass', message: '.neurcode/ does not exist yet (will be created on first verify run). Project root is writable.' };
+        }
+        catch {
+            return { status: 'fail', message: `Project root '${projectRoot}' is not writable. Cannot create .neurcode/ directory.` };
+        }
+    }
+    try {
+        (0, fs_1.accessSync)(dir, fs_1.constants.W_OK);
+        return { status: 'pass', message: '.neurcode/ directory exists and is writable.' };
+    }
+    catch {
+        return { status: 'fail', message: '.neurcode/ directory exists but is not writable. Check file permissions.' };
+    }
+}
+function checkPolicyLock(projectRoot) {
+    const lockPath = (0, path_1.join)(projectRoot, '.neurcode', 'neurcode.policy.lock.json');
+    if (!(0, fs_1.existsSync)(lockPath)) {
+        return {
+            status: 'warn',
+            message: 'Policy lock file (neurcode.policy.lock.json) not found. Run `neurcode policy bootstrap` to create it.',
+        };
+    }
+    try {
+        const raw = (0, fs_1.readFileSync)(lockPath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (typeof parsed === 'object' && parsed !== null) {
+            return { status: 'pass', message: 'Policy lock file exists and is valid JSON.' };
+        }
+        return { status: 'warn', message: 'Policy lock file exists but content is not a valid JSON object.' };
+    }
+    catch {
+        return { status: 'fail', message: 'Policy lock file exists but is corrupt (invalid JSON). Delete and re-run `neurcode policy bootstrap`.' };
+    }
+}
+function checkCacheHealth(projectRoot) {
+    const cachePath = (0, path_1.join)(projectRoot, '.neurcode', 'structural-cache.json');
+    if (!(0, fs_1.existsSync)(cachePath)) {
+        return { status: 'pass', message: 'No structural cache found (cold start — normal for first run).' };
+    }
+    try {
+        const raw = (0, fs_1.readFileSync)(cachePath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (typeof parsed === 'object' &&
+            parsed !== null &&
+            typeof parsed.version === 'number' &&
+            typeof parsed.entries === 'object') {
+            const entryCount = Object.keys(parsed.entries).length;
+            return { status: 'pass', message: `Structural cache exists and is valid (${entryCount} entries).` };
+        }
+        return { status: 'warn', message: 'Structural cache exists but has unexpected format. It will be regenerated on next verify run.' };
+    }
+    catch {
+        return { status: 'warn', message: 'Structural cache file is corrupt. It will be regenerated on next verify run.' };
+    }
+}
+function checkRepoCompatibility(projectRoot) {
+    // Detect potentially unsupported repo configurations
+    const cargoToml = (0, path_1.join)(projectRoot, 'Cargo.toml');
+    const goMod = (0, path_1.join)(projectRoot, 'go.mod');
+    const packageJson = (0, path_1.join)(projectRoot, 'package.json');
+    const requirementsTxt = (0, path_1.join)(projectRoot, 'requirements.txt');
+    const pyprojectToml = (0, path_1.join)(projectRoot, 'pyproject.toml');
+    const pomXml = (0, path_1.join)(projectRoot, 'pom.xml');
+    const detected = [];
+    if ((0, fs_1.existsSync)(packageJson))
+        detected.push('Node.js/TypeScript');
+    if ((0, fs_1.existsSync)(requirementsTxt) || (0, fs_1.existsSync)(pyprojectToml))
+        detected.push('Python');
+    if ((0, fs_1.existsSync)(goMod))
+        detected.push('Go');
+    if ((0, fs_1.existsSync)(pomXml))
+        detected.push('Java/Maven');
+    if ((0, fs_1.existsSync)(cargoToml))
+        detected.push('Rust');
+    if (detected.length === 0) {
+        return {
+            status: 'warn',
+            message: 'No recognized dependency manifest found (package.json, requirements.txt, go.mod, pom.xml). ' +
+                'Repo may be unsupported. Structural rules will run in degraded mode.',
+        };
+    }
+    if ((0, fs_1.existsSync)(cargoToml) && detected.length === 1) {
+        return {
+            status: 'warn',
+            message: 'Pure Rust repository detected. Structural rules currently support TypeScript, JavaScript, and Python. ' +
+                'Policy engine will still run; structural analysis will be limited.',
+        };
+    }
+    return {
+        status: 'pass',
+        message: `Detected ecosystem(s): ${detected.join(', ')}. Structural rules are supported.`,
+    };
+}
+function checkGitRepo(projectRoot) {
+    const gitDir = (0, path_1.join)(projectRoot, '.git');
+    if (!(0, fs_1.existsSync)(gitDir)) {
+        return {
+            status: 'fail',
+            message: 'Not a git repository (no .git directory found). Neurcode requires git history to compute diffs.',
+        };
+    }
+    return { status: 'pass', message: 'Git repository detected.' };
+}
+function checkActivePlan(projectRoot) {
+    // Check for a plan state file — existence indicates a plan is linked
+    const stateFile = (0, path_1.join)(projectRoot, '.neurcode', 'state.json');
+    if (!(0, fs_1.existsSync)(stateFile)) {
+        return {
+            status: 'warn',
+            message: 'No Neurcode state file found. Run `neurcode plan` to set an intent before verifying. ' +
+                'Without a plan, verify runs in advisory-only mode.',
+        };
+    }
+    try {
+        const raw = (0, fs_1.readFileSync)(stateFile, 'utf-8');
+        const state = JSON.parse(raw);
+        const planId = state.activePlanId ?? state.planId;
+        if (planId && typeof planId === 'string') {
+            return { status: 'pass', message: `Active plan detected: ${planId.slice(0, 16)}...` };
+        }
+        return {
+            status: 'warn',
+            message: 'State file found but no active plan linked. Run `neurcode plan` to set intent.',
+        };
+    }
+    catch {
+        return { status: 'warn', message: 'State file is unreadable. Run `neurcode plan` to re-link a plan.' };
+    }
+}
+// ── Main entry point ──────────────────────────────────────────────────────────
+/**
+ * Run all pilot readiness checks for a repository.
+ *
+ * @param projectRoot  Absolute path to the project root
+ * @returns            PilotReadinessReport with ready flag, blockers, warnings, and per-check results
+ */
+function runPilotReadinessCheck(projectRoot) {
+    const startMs = Date.now();
+    const checks = [
+        check('git-available', () => checkGitAvailable()),
+        check('git-repository', () => checkGitRepo(projectRoot)),
+        check('node-version', () => checkNodeVersion()),
+        check('neurcode-dir', () => checkNeurcodeDir(projectRoot)),
+        check('repo-compatibility', () => checkRepoCompatibility(projectRoot)),
+        check('policy-lock', () => checkPolicyLock(projectRoot)),
+        check('cache-health', () => checkCacheHealth(projectRoot)),
+        check('active-plan', () => checkActivePlan(projectRoot)),
+    ];
+    const blockers = checks
+        .filter(c => c.status === 'fail')
+        .map(c => `[${c.name}] ${c.message}`);
+    const warnings = checks
+        .filter(c => c.status === 'warn')
+        .map(c => `[${c.name}] ${c.message}`);
+    return {
+        ready: blockers.length === 0,
+        blockers,
+        warnings,
+        checks,
+        durationMs: Date.now() - startMs,
+    };
+}
+//# sourceMappingURL=pilot-readiness.js.map

package/dist/governance/pilot-readiness.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pilot-readiness.js","sourceRoot":"","sources":["../../src/governance/pilot-readiness.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAiNH,wDA6BC;AA5OD,2BAA+E;AAC/E,+BAA4B;AAC5B,iDAAyC;AAkBzC,iFAAiF;AAEjF,SAAS,KAAK,CACZ,IAAY,EACZ,EAA+D;IAE/D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,OAAO,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,CAAC;IAC7B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO;YACL,IAAI;YACJ,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,6BAA6B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;SACnF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW;IAClB,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,kBAAkB;IAC7C,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,iFAAiF;AAEjF,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,eAAe,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,uEAAuE,EAAE,CAAC;IAC9G,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAC5B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,KAAK,qBAAqB,EAAE,CAAC;IAC5F,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,KAAK,sDAAsD,EAAE,CAAC;IAC7H,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,KAAK,qEAAqE,EAAE,CAAC;AAC7H,CAAC;AAED,SAAS,gBAAgB,CAAC,WAAmB;IAC3C,MAAM,GAAG,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC3C,IAAI,CAAC,IAAA,eAAU,EAAC,GAAG,CAAC,EAAE,CAAC;QACrB,yDAAyD;QACzD,kDAAkD;QAClD,IAAI,CAAC;YACH,IAAA,eAAU,EAAC,WAAW,EAAE,cAAS,CAAC,IAAI,CAAC,CAAC;YACxC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,gGAAgG,EAAE,CAAC;QACvI,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,WAAW,wDAAwD,EAAE,CAAC;QAC3H,CAAC;IACH,CAAC;IACD,IAAI,CAAC;QACH,IAAA,eAAU,EAAC,GAAG,EAAE,cAAS,CAAC,IAAI,CAAC,CAAC;QAChC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC;IACrF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,0EAA0E,EAAE,CAAC;IACjH,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,WAAmB;IAC1C,MAAM,QAAQ,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,WAAW,EAAE,2BAA2B,CAAC,CAAC;IAC7E,IAAI,CAAC,IAAA,eAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,uGAAuG;SACjH,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAC1C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YAClD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,4CAA4C,EAAE,CAAC;QACnF,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,iEAAiE,EAAE,CAAC;IACxG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,uGAAuG,EAAE,CAAC;IAC9I,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,WAAmB;IAC3C,MAAM,SAAS,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,WAAW,EAAE,uBAAuB,CAAC,CAAC;IAC1E,IAAI,CAAC,IAAA,eAAU,EAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,gEAAgE,EAAE,CAAC;IACvG,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iBAAY,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAC1C,IACE,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,KAAK,IAAI;YACf,OAAQ,MAAkC,CAAC,OAAO,KAAK,QAAQ;YAC/D,OAAQ,MAAkC,CAAC,OAAO,KAAK,QAAQ,EAC/D,CAAC;YACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAE,MAA+C,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAChG,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,yCAAyC,UAAU,YAAY,EAAE,CAAC;QACtG,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,+FAA+F,EAAE,CAAC;IACtI,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,8EAA8E,EAAE,CAAC;IACrH,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,WAAmB;IACjD,qDAAqD;IACrD,MAAM,SAAS,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACtD,MAAM,eAAe,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;IAC9D,MAAM,aAAa,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;IAC1D,MAAM,MAAM,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IAE5C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,IAAA,eAAU,EAAC,WAAW,CAAC;QAAE,QAAQ,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjE,IAAI,IAAA,eAAU,EAAC,eAAe,CAAC,IAAI,IAAA,eAAU,EAAC,aAAa,CAAC;QAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtF,IAAI,IAAA,eAAU,EAAC,KAAK,CAAC;QAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3C,IAAI,IAAA,eAAU,EAAC,MAAM,CAAC;QAAE,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACpD,IAAI,IAAA,eAAU,EAAC,SAAS,CAAC;QAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEjD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,6FAA6F;gBAC7F,sEAAsE;SAChF,CAAC;IACJ,CAAC;IAED,IAAI,IAAA,eAAU,EAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnD,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,wGAAwG;gBACxG,oEAAoE;SAC9E,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,0BAA0B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,mCAAmC;KAC1F,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,WAAmB;IACvC,MAAM,MAAM,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACzC,IAAI,CAAC,IAAA,eAAU,EAAC,MAAM,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,iGAAiG;SAC3G,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;AACjE,CAAC;AAED,SAAS,eAAe,CAAC,WAAmB;IAC1C,qEAAqE;IACrE,MAAM,SAAS,GAAG,IAAA,WAAI,EAAC,WAAW,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAA,eAAU,EAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,uFAAuF;gBACvF,oDAAoD;SAC9D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAA,iBAAY,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QACzD,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,IAAI,KAAK,CAAC,MAAM,CAAC;QAClD,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YACzC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,yBAAyB,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,CAAC;QACxF,CAAC;QACD,OAAO;YACL,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,gFAAgF;SAC1F,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,kEAAkE,EAAE,CAAC;IACzG,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,WAAmB;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,MAAM,MAAM,GAA0B;QACpC,KAAK,CAAC,eAAe,EAAO,GAAG,EAAE,CAAC,iBAAiB,EAAE,CAAC;QACtD,KAAK,CAAC,gBAAgB,EAAM,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC5D,KAAK,CAAC,cAAc,EAAQ,GAAG,EAAE,CAAC,gBAAgB,EAAE,CAAC;QACrD,KAAK,CAAC,cAAc,EAAQ,GAAG,EAAE,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAChE,KAAK,CAAC,oBAAoB,EAAE,GAAG,EAAE,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QACtE,KAAK,CAAC,aAAa,EAAS,GAAG,EAAE,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAC/D,KAAK,CAAC,cAAc,EAAQ,GAAG,EAAE,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAChE,KAAK,CAAC,aAAa,EAAS,GAAG,EAAE,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;KAChE,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAExC,MAAM,QAAQ,GAAG,MAAM;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAExC,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;QAC5B,QAAQ;QACR,QAAQ;QACR,MAAM;QACN,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO;KACjC,CAAC;AACJ,CAAC"}

package/dist/governance/policy-parity-validator.d.ts ADDED Viewed

@@ -0,0 +1,62 @@
+/**
+ * Policy Enforcement Parity Validator
+ *
+ * Closes the governance theatre gap: a policy can appear in policy.yml
+ * claiming "deterministic" enforcement, but have zero structural rule
+ * implementation. This validator surfaces those mismatches explicitly.
+ *
+ * Benchmark finding (Apache Airflow, 2026-05-12):
+ *   7 of 15 policies were unenforced. Enterprise teams believed those
+ *   policies were being checked. They were not.
+ *
+ * This module is called from `neurcode verify --policy-only` to emit
+ * GOV_PARITY_MISMATCH advisory findings for every enforcement gap.
+ */
+export type EnforcementType = 'deterministic' | 'advisory' | 'semantic' | 'none';
+export interface PolicyParityEntry {
+    ruleId: string;
+    name?: string;
+    enforcementType: EnforcementType;
+    hasStructuralImpl: boolean;
+    hasPolicyEngineImpl: boolean;
+}
+export interface PolicyParityReport {
+    totalPolicies: number;
+    deterministicCount: number;
+    advisoryCount: number;
+    semanticCount: number;
+    noneCount: number;
+    /** Percentage of policies with deterministic structural enforcement (0-100) */
+    coveragePct: number;
+    /** Policies claiming deterministic but with no registered implementation */
+    unenforced: string[];
+    /** All entries with full detail */
+    entries: PolicyParityEntry[];
+}
+export interface ParityMismatchFinding {
+    ruleId: string;
+    policyName?: string;
+    message: string;
+    severity: 'advisory';
+    governanceCode: 'GOV_PARITY_MISMATCH';
+}
+/**
+ * Validate enforcement parity between policy declarations and the structural rule engine.
+ *
+ * @param policyRules - Rules from the compiled/loaded policy (array of { id, name, enforcementType? })
+ * @param registeredStructuralRuleIds - Set of rule IDs currently registered in StructuralRuleEngine
+ * @returns PolicyParityReport + mismatch findings (one per unenforced deterministic policy)
+ */
+export declare function validatePolicyEnforcementParity(policyRules: Array<{
+    id: string;
+    name?: string;
+    enforcementType?: string;
+}>, registeredStructuralRuleIds: Set<string>): {
+    report: PolicyParityReport;
+    findings: ParityMismatchFinding[];
+};
+/**
+ * Generate a compact governance coverage summary string for CLI output.
+ */
+export declare function formatParityReport(report: PolicyParityReport): string;
+//# sourceMappingURL=policy-parity-validator.d.ts.map

package/dist/governance/policy-parity-validator.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policy-parity-validator.d.ts","sourceRoot":"","sources":["../../src/governance/policy-parity-validator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,MAAM,MAAM,eAAe,GAAG,eAAe,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC;AAEjF,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,eAAe,EAAE,eAAe,CAAC;IACjC,iBAAiB,EAAE,OAAO,CAAC;IAC3B,mBAAmB,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,mCAAmC;IACnC,OAAO,EAAE,iBAAiB,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,UAAU,CAAC;IACrB,cAAc,EAAE,qBAAqB,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,+BAA+B,CAC7C,WAAW,EAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,EAC3E,2BAA2B,EAAE,GAAG,CAAC,MAAM,CAAC,GACvC;IAAE,MAAM,EAAE,kBAAkB,CAAC;IAAC,QAAQ,EAAE,qBAAqB,EAAE,CAAA;CAAE,CAsEnE;AA4BD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAWrE"}

package/dist/governance/policy-parity-validator.js ADDED Viewed

@@ -0,0 +1,137 @@
+"use strict";
+/**
+ * Policy Enforcement Parity Validator
+ *
+ * Closes the governance theatre gap: a policy can appear in policy.yml
+ * claiming "deterministic" enforcement, but have zero structural rule
+ * implementation. This validator surfaces those mismatches explicitly.
+ *
+ * Benchmark finding (Apache Airflow, 2026-05-12):
+ *   7 of 15 policies were unenforced. Enterprise teams believed those
+ *   policies were being checked. They were not.
+ *
+ * This module is called from `neurcode verify --policy-only` to emit
+ * GOV_PARITY_MISMATCH advisory findings for every enforcement gap.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validatePolicyEnforcementParity = validatePolicyEnforcementParity;
+exports.formatParityReport = formatParityReport;
+/**
+ * Validate enforcement parity between policy declarations and the structural rule engine.
+ *
+ * @param policyRules - Rules from the compiled/loaded policy (array of { id, name, enforcementType? })
+ * @param registeredStructuralRuleIds - Set of rule IDs currently registered in StructuralRuleEngine
+ * @returns PolicyParityReport + mismatch findings (one per unenforced deterministic policy)
+ */
+function validatePolicyEnforcementParity(policyRules, registeredStructuralRuleIds) {
+    const entries = [];
+    const findings = [];
+    let deterministicCount = 0;
+    let advisoryCount = 0;
+    let semanticCount = 0;
+    let noneCount = 0;
+    const unenforced = [];
+    for (const rule of policyRules) {
+        const rawType = rule.enforcementType ?? 'none';
+        const enforcementType = normalizeEnforcementType(rawType);
+        const hasStructuralImpl = registeredStructuralRuleIds.has(rule.id);
+        // Policy-engine rules (evaluated separately) — count as implemented if known
+        const hasPolicyEngineImpl = KNOWN_POLICY_ENGINE_RULES.has(rule.id);
+        entries.push({
+            ruleId: rule.id,
+            name: rule.name,
+            enforcementType,
+            hasStructuralImpl,
+            hasPolicyEngineImpl,
+        });
+        switch (enforcementType) {
+            case 'deterministic':
+                deterministicCount++;
+                break;
+            case 'advisory':
+                advisoryCount++;
+                break;
+            case 'semantic':
+                semanticCount++;
+                break;
+            case 'none':
+                noneCount++;
+                break;
+        }
+        // Emit a mismatch finding if a policy claims deterministic enforcement
+        // but has no matching rule implementation
+        if (enforcementType === 'deterministic' && !hasStructuralImpl && !hasPolicyEngineImpl) {
+            unenforced.push(rule.id);
+            findings.push({
+                ruleId: rule.id,
+                policyName: rule.name,
+                severity: 'advisory',
+                governanceCode: 'GOV_PARITY_MISMATCH',
+                message: `Policy "${rule.name ?? rule.id}" declares enforcementType: deterministic ` +
+                    `but has no registered structural or policy-engine implementation. ` +
+                    `This policy will NEVER produce a finding. ` +
+                    `Either add a structural rule for ${rule.id}, change enforcementType to "none", ` +
+                    `or remove the policy. ` +
+                    `(Unenforced deterministic policies create false governance confidence.)`,
+            });
+        }
+    }
+    const enforced = deterministicCount - unenforced.length;
+    const coveragePct = deterministicCount === 0
+        ? 100 // no deterministic claims = 100% parity (vacuously true)
+        : Math.round((enforced / deterministicCount) * 100);
+    const report = {
+        totalPolicies: policyRules.length,
+        deterministicCount,
+        advisoryCount,
+        semanticCount,
+        noneCount,
+        coveragePct,
+        unenforced,
+        entries,
+    };
+    return { report, findings };
+}
+function normalizeEnforcementType(raw) {
+    const v = raw.toLowerCase().trim();
+    if (v === 'deterministic')
+        return 'deterministic';
+    if (v === 'advisory')
+        return 'advisory';
+    if (v === 'semantic')
+        return 'semantic';
+    return 'none';
+}
+/**
+ * Known policy-engine rule IDs that are enforced via the policy YAML evaluator
+ * (not via the structural rule engine). These are counted as implemented.
+ */
+const KNOWN_POLICY_ENGINE_RULES = new Set([
+    'NO_HARDCODED_SECRETS',
+    'REQUIRE_RESOURCE_TAGGING',
+    'PY001_NO_BARE_EXCEPT',
+    'PY003_ASYNC_SAFETY',
+    'TS001_TYPED_BOUNDARIES',
+    'GOV001_REPLAY_INTEGRITY_REQUIRED',
+    'GOV002_SUPPRESSION_REQUIRES_JUSTIFICATION',
+    'potential-secret-default',
+    'potential-secret-high',
+    'require-signed-ai-logs',
+    'ai-change-log-integrity',
+]);
+/**
+ * Generate a compact governance coverage summary string for CLI output.
+ */
+function formatParityReport(report) {
+    const { totalPolicies, deterministicCount, advisoryCount, semanticCount, noneCount, coveragePct, unenforced } = report;
+    const lines = [
+        `Policy Enforcement Coverage: ${coveragePct}% (${deterministicCount - unenforced.length}/${deterministicCount} deterministic policies enforced)`,
+        `  Total policies: ${totalPolicies} | Deterministic: ${deterministicCount} | Advisory: ${advisoryCount} | Semantic: ${semanticCount} | Unenforced: ${noneCount + unenforced.length}`,
+    ];
+    if (unenforced.length > 0) {
+        lines.push(`  ⚠  Unenforced deterministic policies: ${unenforced.join(', ')}`);
+        lines.push(`     These policies appear in policy.yml as deterministic but will NEVER produce findings.`);
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=policy-parity-validator.js.map

package/dist/governance/policy-parity-validator.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policy-parity-validator.js","sourceRoot":"","sources":["../../src/governance/policy-parity-validator.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAyCH,0EAyEC;AA+BD,gDAWC;AA1HD;;;;;;GAMG;AACH,SAAgB,+BAA+B,CAC7C,WAA2E,EAC3E,2BAAwC;IAExC,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAE7C,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,IAAI,MAAM,CAAC;QAC/C,MAAM,eAAe,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;QAC1D,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnE,6EAA6E;QAC7E,MAAM,mBAAmB,GAAG,yBAAyB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEnE,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,IAAI,CAAC,EAAE;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,eAAe;YACf,iBAAiB;YACjB,mBAAmB;SACpB,CAAC,CAAC;QAEH,QAAQ,eAAe,EAAE,CAAC;YACxB,KAAK,eAAe;gBAAE,kBAAkB,EAAE,CAAC;gBAAC,MAAM;YAClD,KAAK,UAAU;gBAAE,aAAa,EAAE,CAAC;gBAAC,MAAM;YACxC,KAAK,UAAU;gBAAE,aAAa,EAAE,CAAC;gBAAC,MAAM;YACxC,KAAK,MAAM;gBAAE,SAAS,EAAE,CAAC;gBAAC,MAAM;QAClC,CAAC;QAED,uEAAuE;QACvE,0CAA0C;QAC1C,IAAI,eAAe,KAAK,eAAe,IAAI,CAAC,iBAAiB,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACtF,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,EAAE;gBACf,UAAU,EAAE,IAAI,CAAC,IAAI;gBACrB,QAAQ,EAAE,UAAU;gBACpB,cAAc,EAAE,qBAAqB;gBACrC,OAAO,EACL,WAAW,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,EAAE,4CAA4C;oBAC3E,oEAAoE;oBACpE,4CAA4C;oBAC5C,oCAAoC,IAAI,CAAC,EAAE,sCAAsC;oBACjF,wBAAwB;oBACxB,yEAAyE;aAC5E,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,GAAG,UAAU,CAAC,MAAM,CAAC;IACxD,MAAM,WAAW,GACf,kBAAkB,KAAK,CAAC;QACtB,CAAC,CAAC,GAAG,CAAC,yDAAyD;QAC/D,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,GAAG,kBAAkB,CAAC,GAAG,GAAG,CAAC,CAAC;IAExD,MAAM,MAAM,GAAuB;QACjC,aAAa,EAAE,WAAW,CAAC,MAAM;QACjC,kBAAkB;QAClB,aAAa;QACb,aAAa;QACb,SAAS;QACT,WAAW;QACX,UAAU;QACV,OAAO;KACR,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,wBAAwB,CAAC,GAAW;IAC3C,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,eAAe;QAAE,OAAO,eAAe,CAAC;IAClD,IAAI,CAAC,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACxC,IAAI,CAAC,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACxC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAS;IAChD,sBAAsB;IACtB,0BAA0B;IAC1B,sBAAsB;IACtB,oBAAoB;IACpB,wBAAwB;IACxB,kCAAkC;IAClC,2CAA2C;IAC3C,0BAA0B;IAC1B,uBAAuB;IACvB,wBAAwB;IACxB,yBAAyB;CAC1B,CAAC,CAAC;AAEH;;GAEG;AACH,SAAgB,kBAAkB,CAAC,MAA0B;IAC3D,MAAM,EAAE,aAAa,EAAE,kBAAkB,EAAE,aAAa,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;IACvH,MAAM,KAAK,GAAa;QACtB,gCAAgC,WAAW,MAAM,kBAAkB,GAAG,UAAU,CAAC,MAAM,IAAI,kBAAkB,mCAAmC;QAChJ,qBAAqB,aAAa,qBAAqB,kBAAkB,gBAAgB,aAAa,gBAAgB,aAAa,kBAAkB,SAAS,GAAG,UAAU,CAAC,MAAM,EAAE;KACrL,CAAC;IACF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,2CAA2C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/E,KAAK,CAAC,IAAI,CAAC,4FAA4F,CAAC,CAAC;IAC3G,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/governance/remediation-boundary.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * Remediation Boundary Enforcement (Phase 4)
+ *
+ * Validates that a remediation suggestion respects strict boundaries:
+ *   - Same language as the finding
+ *   - Same package/subsystem boundary (inferred from file path)
+ *   - No cross-frontend/backend boundary crossings
+ *
+ * If no safe remediation can be proposed within these constraints, returns
+ * the sentinel string "No safe remediation suggestion available." which is
+ * preferable to misleading cross-boundary guidance.
+ *
+ * This is a deterministic, pure-function module — no I/O, no LLM.
+ */
+import type { RuleLanguage } from '../structural-rules/types';
+export interface RemediationBoundaryInput {
+    /** The file path where the violation was found */
+    findingFilePath: string;
+    /** The language of the finding */
+    findingLanguage: RuleLanguage | string;
+    /** The proposed target file for the remediation */
+    targetFilePath: string;
+    /** The language the remediation targets (if known) */
+    targetLanguage?: RuleLanguage | string;
+}
+export interface BoundaryCheckResult {
+    allowed: boolean;
+    reason: string;
+    /** Sentinel value when no safe remediation is possible */
+    safeRemediationUnavailable?: boolean;
+}
+/**
+ * Validate whether a remediation suggestion crosses acceptable boundaries.
+ *
+ * Enforcement rules (in priority order):
+ * 1. Language boundary: finding language must match target language
+ *    Exception: typescript ↔ javascript is allowed (same ecosystem)
+ * 2. Frontend/backend boundary: must not cross unless explicitly linked
+ * 3. Infrastructure boundary: infra files cannot be remediation targets for
+ *    application-layer findings
+ */
+export declare function validateRemediationBoundary(input: RemediationBoundaryInput): BoundaryCheckResult;
+/**
+ * The sentinel string returned when no safe remediation is available.
+ * Consumers MUST check for this exact string and suppress remediation output.
+ */
+export declare const NO_SAFE_REMEDIATION: "No safe remediation suggestion available.";
+/**
+ * Wrap a remediation string with boundary validation.
+ *
+ * Returns the original remediation if the boundary is safe, or the
+ * NO_SAFE_REMEDIATION sentinel if the boundary is violated.
+ */
+export declare function boundedRemediation(input: RemediationBoundaryInput, remediation: string): string;
+//# sourceMappingURL=remediation-boundary.d.ts.map

package/dist/governance/remediation-boundary.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"remediation-boundary.d.ts","sourceRoot":"","sources":["../../src/governance/remediation-boundary.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAI9D,MAAM,WAAW,wBAAwB;IACvC,kDAAkD;IAClD,eAAe,EAAE,MAAM,CAAC;IACxB,kCAAkC;IAClC,eAAe,EAAE,YAAY,GAAG,MAAM,CAAC;IACvC,mDAAmD;IACnD,cAAc,EAAE,MAAM,CAAC;IACvB,sDAAsD;IACtD,cAAc,CAAC,EAAE,YAAY,GAAG,MAAM,CAAC;CACxC;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,0DAA0D;IAC1D,0BAA0B,CAAC,EAAE,OAAO,CAAC;CACtC;AA+BD;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,wBAAwB,GAC9B,mBAAmB,CAgErB;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,EAAG,2CAAoD,CAAC;AAExF;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,wBAAwB,EAC/B,WAAW,EAAE,MAAM,GAClB,MAAM,CAIR"}

package/dist/governance/remediation-boundary.js ADDED Viewed

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Remediation Boundary Enforcement (Phase 4)
+ *
+ * Validates that a remediation suggestion respects strict boundaries:
+ *   - Same language as the finding
+ *   - Same package/subsystem boundary (inferred from file path)
+ *   - No cross-frontend/backend boundary crossings
+ *
+ * If no safe remediation can be proposed within these constraints, returns
+ * the sentinel string "No safe remediation suggestion available." which is
+ * preferable to misleading cross-boundary guidance.
+ *
+ * This is a deterministic, pure-function module — no I/O, no LLM.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NO_SAFE_REMEDIATION = void 0;
+exports.validateRemediationBoundary = validateRemediationBoundary;
+exports.boundedRemediation = boundedRemediation;
+const FRONTEND_PATH_RE = /(?:^|\/)(?:web|frontend|client|ui|dashboard|pages?|components?|views?|screens?|app\/(?:page|layout))[/\\]/i;
+const BACKEND_PATH_RE = /(?:^|\/)(?:api|services?|server|backend|controllers?|handlers?|routes?|domain)[/\\]/i;
+const INFRA_PATH_RE = /(?:^|\/)(?:infra|k8s|terraform|docker|deploy|charts?)[/\\]/i;
+const TEST_PATH_RE = /(?:^|\/)(?:__tests?__|tests?|spec|e2e)[/\\]|\.(?:test|spec)\.\w+$/i;
+function classifySubsystem(filePath) {
+    const p = filePath.replace(/\\/g, '/');
+    if (TEST_PATH_RE.test(p))
+        return 'test';
+    if (INFRA_PATH_RE.test(p))
+        return 'infra';
+    if (FRONTEND_PATH_RE.test(p))
+        return 'frontend';
+    if (BACKEND_PATH_RE.test(p))
+        return 'backend';
+    return 'unknown';
+}
+// ── Language inference from file extension ────────────────────────────────────
+function inferLanguageFromPath(filePath) {
+    if (/\.(ts|tsx)$/.test(filePath))
+        return 'typescript';
+    if (/\.(js|jsx|mjs|cjs)$/.test(filePath))
+        return 'javascript';
+    if (/\.py$/.test(filePath))
+        return 'python';
+    return 'unknown';
+}
+// ── Boundary validation ───────────────────────────────────────────────────────
+/**
+ * Validate whether a remediation suggestion crosses acceptable boundaries.
+ *
+ * Enforcement rules (in priority order):
+ * 1. Language boundary: finding language must match target language
+ *    Exception: typescript ↔ javascript is allowed (same ecosystem)
+ * 2. Frontend/backend boundary: must not cross unless explicitly linked
+ * 3. Infrastructure boundary: infra files cannot be remediation targets for
+ *    application-layer findings
+ */
+function validateRemediationBoundary(input) {
+    const { findingFilePath, findingLanguage, targetFilePath, targetLanguage: explicitTargetLang, } = input;
+    const effectiveTargetLang = explicitTargetLang ?? inferLanguageFromPath(targetFilePath);
+    const findingSubsystem = classifySubsystem(findingFilePath);
+    const targetSubsystem = classifySubsystem(targetFilePath);
+    // ── Rule 1: Language boundary ──────────────────────────────────────────────
+    if (effectiveTargetLang !== 'unknown' &&
+        findingLanguage !== effectiveTargetLang) {
+        // Allow typescript ↔ javascript (same ecosystem, transpiled)
+        const tsJsCompat = (findingLanguage === 'typescript' && effectiveTargetLang === 'javascript') ||
+            (findingLanguage === 'javascript' && effectiveTargetLang === 'typescript');
+        if (!tsJsCompat) {
+            return {
+                allowed: false,
+                safeRemediationUnavailable: true,
+                reason: `Language boundary violation: finding is in '${findingLanguage}' but remediation ` +
+                    `targets '${effectiveTargetLang}' file '${targetFilePath}'. ` +
+                    'Cross-language remediation is not safe.',
+            };
+        }
+    }
+    // ── Rule 2: Frontend/backend boundary ─────────────────────────────────────
+    if ((findingSubsystem === 'frontend' && targetSubsystem === 'backend') ||
+        (findingSubsystem === 'backend' && targetSubsystem === 'frontend')) {
+        return {
+            allowed: false,
+            safeRemediationUnavailable: true,
+            reason: `Subsystem boundary violation: finding is in '${findingSubsystem}' ` +
+                `but remediation targets '${targetSubsystem}' file '${targetFilePath}'. ` +
+                'Cross-boundary remediation requires explicit architectural approval.',
+        };
+    }
+    // ── Rule 3: Infra boundary ─────────────────────────────────────────────────
+    if (targetSubsystem === 'infra' && findingSubsystem !== 'infra') {
+        return {
+            allowed: false,
+            safeRemediationUnavailable: true,
+            reason: `Infrastructure boundary violation: application-layer finding in '${findingFilePath}' ` +
+                `cannot be remediated by modifying infrastructure file '${targetFilePath}'.`,
+        };
+    }
+    return {
+        allowed: true,
+        reason: 'Remediation is within safe boundaries.',
+    };
+}
+/**
+ * The sentinel string returned when no safe remediation is available.
+ * Consumers MUST check for this exact string and suppress remediation output.
+ */
+exports.NO_SAFE_REMEDIATION = 'No safe remediation suggestion available.';
+/**
+ * Wrap a remediation string with boundary validation.
+ *
+ * Returns the original remediation if the boundary is safe, or the
+ * NO_SAFE_REMEDIATION sentinel if the boundary is violated.
+ */
+function boundedRemediation(input, remediation) {
+    const result = validateRemediationBoundary(input);
+    if (!result.allowed)
+        return exports.NO_SAFE_REMEDIATION;
+    return remediation;
+}
+//# sourceMappingURL=remediation-boundary.js.map

package/dist/governance/remediation-boundary.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"remediation-boundary.js","sourceRoot":"","sources":["../../src/governance/remediation-boundary.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AA+DH,kEAkEC;AAcD,gDAOC;AA1HD,MAAM,gBAAgB,GAAG,4GAA4G,CAAC;AACtI,MAAM,eAAe,GAAI,sFAAsF,CAAC;AAChH,MAAM,aAAa,GAAM,6DAA6D,CAAC;AACvF,MAAM,YAAY,GAAO,oEAAoE,CAAC;AAE9F,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IACxC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,OAAO,CAAC;IAC1C,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,UAAU,CAAC;IAChD,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,iFAAiF;AAEjF,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,YAAY,CAAC;IACtD,IAAI,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,YAAY,CAAC;IAC9D,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC5C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;GASG;AACH,SAAgB,2BAA2B,CACzC,KAA+B;IAE/B,MAAM,EACJ,eAAe,EACf,eAAe,EACf,cAAc,EACd,cAAc,EAAE,kBAAkB,GACnC,GAAG,KAAK,CAAC;IAEV,MAAM,mBAAmB,GAAG,kBAAkB,IAAI,qBAAqB,CAAC,cAAc,CAAC,CAAC;IACxF,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAC5D,MAAM,eAAe,GAAI,iBAAiB,CAAC,cAAc,CAAC,CAAC;IAE3D,8EAA8E;IAC9E,IACE,mBAAmB,KAAK,SAAS;QACjC,eAAe,KAAK,mBAAmB,EACvC,CAAC;QACD,6DAA6D;QAC7D,MAAM,UAAU,GACd,CAAC,eAAe,KAAK,YAAY,IAAI,mBAAmB,KAAK,YAAY,CAAC;YAC1E,CAAC,eAAe,KAAK,YAAY,IAAI,mBAAmB,KAAK,YAAY,CAAC,CAAC;QAE7E,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,0BAA0B,EAAE,IAAI;gBAChC,MAAM,EACJ,+CAA+C,eAAe,oBAAoB;oBAClF,YAAY,mBAAmB,WAAW,cAAc,KAAK;oBAC7D,yCAAyC;aAC5C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,IACE,CAAC,gBAAgB,KAAK,UAAU,IAAI,eAAe,KAAK,SAAS,CAAC;QAClE,CAAC,gBAAgB,KAAK,SAAS,IAAK,eAAe,KAAK,UAAU,CAAC,EACnE,CAAC;QACD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,0BAA0B,EAAE,IAAI;YAChC,MAAM,EACJ,gDAAgD,gBAAgB,IAAI;gBACpE,4BAA4B,eAAe,WAAW,cAAc,KAAK;gBACzE,sEAAsE;SACzE,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,IAAI,eAAe,KAAK,OAAO,IAAI,gBAAgB,KAAK,OAAO,EAAE,CAAC;QAChE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,0BAA0B,EAAE,IAAI;YAChC,MAAM,EACJ,oEAAoE,eAAe,IAAI;gBACvF,0DAA0D,cAAc,IAAI;SAC/E,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,wCAAwC;KACjD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACU,QAAA,mBAAmB,GAAG,2CAAoD,CAAC;AAExF;;;;;GAKG;AACH,SAAgB,kBAAkB,CAChC,KAA+B,EAC/B,WAAmB;IAEnB,MAAM,MAAM,GAAG,2BAA2B,CAAC,KAAK,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO,2BAAmB,CAAC;IAChD,OAAO,WAAW,CAAC;AACrB,CAAC"}