@nimiplatform/nimi-coding 0.1.0 → 0.2.1

package/cli/lib/audit-sweep-runtime/inventory-spec-chunks.mjs

@@ -6,33 +6,25 @@ function evidenceRootsForSpecOwner(ownerDomain, targetRootRef) {
   if (targetRootRef !== ".") {
     return [targetRootRef];
   }
-  const repoWideEvidenceRoots = [
-    ".github",
-    "apps",
-    "config",
-    "kit",
-    "nimi-coding",
-    "nimi-cognition",
-    "proto",
-    "runtime",
+  const owner = String(ownerDomain ?? "").trim().replace(/\\/g, "/").replace(/^\/+|\/+$/g, "");
+  const repoWideEvidenceRoots = [".", ".github", "config", "scripts", "src", "lib", "packages", "apps", "tools", "services"];
+  if (!owner || owner === "spec-meta" || owner === "spec-root") {
+    return repoWideEvidenceRoots;
+  }
+  if (owner === "project") {
+    return ["src", "lib", "packages", "apps", "tools", "services", "scripts", "config"];
+  }
+  return [
+    owner,
+    `src/${owner}`,
+    `lib/${owner}`,
+    `packages/${owner}`,
+    `apps/${owner}`,
+    `tools/${owner}`,
+    `services/${owner}`,
     "scripts",
-    "sdk",
-    ".nimi/spec",
-    ".nimi/contracts",
-    ".nimi/methodology",
+    "config",
   ];
-  const roots = {
-    "spec-meta": repoWideEvidenceRoots,
-    "spec-root": repoWideEvidenceRoots,
-    cognition: ["nimi-cognition", ".nimi/spec/cognition"],
-    desktop: ["apps/desktop", "kit", ".nimi/spec/desktop"],
-    future: [".nimi/spec/future", ".nimi/topics"],
-    platform: ["kit", "scripts", ".nimi/spec/platform"],
-    realm: ["sdk/src/realm", "runtime/internal/protocol", ".nimi/spec/realm"],
-    runtime: ["runtime", "proto/runtime/v1", "scripts", "config", ".nimi/spec/runtime"],
-    sdk: ["sdk/src", "sdk/test", "scripts", ".nimi/spec/sdk"],
-  };
-  return roots[ownerDomain] ?? [ownerDomain, `.nimi/spec/${ownerDomain}`];
 }
 
 function slugPart(value) {
@@ -74,7 +66,13 @@ function candidateEvidenceRefsForModuleMapPath(modulePath, evidenceRoots) {
   if (!normalized || normalized.startsWith("http:") || normalized.startsWith("https:")) {
     return [];
   }
-  const directRoot = /^(?:\.nimi|apps|config|kit|nimi-[^/]+|proto|runtime|scripts|sdk)\//.test(normalized);
+  const firstSegment = normalized.split("/")[0];
+  const genericDirectRoots = new Set([".github", ".nimi", "apps", "config", "lib", "packages", "scripts", "services", "src", "tools"]);
+  const directRoot = genericDirectRoots.has(firstSegment)
+    || (evidenceRoots ?? []).some((rootRef) => {
+      const root = String(rootRef ?? "").replace(/\\/g, "/").replace(/\/$/, "");
+      return root !== "." && (normalized === root || normalized.startsWith(`${root}/`));
+    });
   const candidates = [];
   if (directRoot) {
     candidates.push(normalized);
@@ -195,4 +193,3 @@ export function buildSpecChunks(includedInventory, options) {
   }
   return chunks;
 }
-

package/cli/lib/audit-sweep-runtime/inventory.mjs

@@ -38,6 +38,10 @@ import { assignEvidenceInventory } from "./evidence-assignment.mjs";
 import { buildSpecChunks } from "./inventory-spec-chunks.mjs";
 import { buildRiskBudgetPolicy } from "./risk-budget.mjs";
 import { pathExists } from "../fs-helpers.mjs";
+import {
+  buildSpecSurfaceInventory,
+  isProductAuthoritySurfaceClass,
+} from "../internal/surface-taxonomy-validators.mjs";
 
 const execFile = promisify(execFileCallback);
 async function listGitFiles(projectRoot, targetRootRef) {
@@ -140,7 +144,7 @@ async function hasSpecAuthorityRoot(projectRoot) {
 function resolveChunkBasis(targetRootRef, requested, specRootPresent) {
   const normalized = requested ? String(requested).trim() : "auto";
   if (!["auto", "files", "spec"].includes(normalized)) {
-    return { ok: false, error: "nimicoding audit-sweep refused: --chunk-basis must be auto, files, or spec.\n" };
+    return { ok: false, error: "nimicoding sweep audit refused: --chunk-basis must be auto, files, or spec.\n" };
   }
   if (normalized === "files") {
     return { ok: true, basis: "files" };
@@ -148,7 +152,7 @@ function resolveChunkBasis(targetRootRef, requested, specRootPresent) {
   if (normalized === "spec") {
     return specRootPresent
       ? { ok: true, basis: "spec" }
-      : { ok: false, error: "nimicoding audit-sweep refused: --chunk-basis spec requires .nimi/spec.\n" };
+      : { ok: false, error: "nimicoding sweep audit refused: --chunk-basis spec requires .nimi/spec.\n" };
   }
   return { ok: true, basis: (targetRootRef === "." || isSpecAuthorityRoot(targetRootRef)) && specRootPresent ? "spec" : "files" };
 }
@@ -169,6 +173,7 @@ async function buildInventoryEntry(projectRoot, fileRef, targetRootRef, excludeP
     extension: extension || "none",
     owner_domain: options.ownerDomain ?? ownerDomainForFile(fileRef, targetRootRef),
     classification: classifyFile(fileRef),
+    surface_class: options.surfaceClass ?? null,
     included,
     exclusion_reason: included
       ? null
@@ -176,6 +181,25 @@ async function buildInventoryEntry(projectRoot, fileRef, targetRootRef, excludeP
   };
 }
 
+function applySpecSurfaceAuthorityFilter(inventory, surfaceEntriesByRef) {
+  return inventory.map((entry) => {
+    const surfaceEntry = surfaceEntriesByRef.get(entry.file_ref);
+    if (!surfaceEntry) {
+      return entry;
+    }
+    const surfaceClass = surfaceEntry.current_inferred_class;
+    if (isProductAuthoritySurfaceClass(surfaceClass)) {
+      return { ...entry, surface_class: surfaceClass };
+    }
+    return {
+      ...entry,
+      surface_class: surfaceClass,
+      included: false,
+      exclusion_reason: `non_product_surface:${surfaceClass}`,
+    };
+  });
+}
+
 function buildFileChunks(includedInventory, options) {
   const byOwner = new Map();
   for (const entry of includedInventory) {
@@ -222,7 +246,7 @@ function buildAuditIgnorePolicy(projectConfig, options) {
   if (!reason) {
     return {
       ok: false,
-      error: "nimicoding audit-sweep refused: --ignore or --ignore-owner requires --ignore-reason, or .nimi/config/audit-sweep.yaml audit_sweep.ignore_reason.\n",
+      error: "nimicoding sweep audit refused: --ignore or --ignore-owner requires --ignore-reason, or .nimi/config/audit-sweep.yaml audit_sweep.ignore_reason.\n",
     };
   }
   return {
@@ -297,7 +321,7 @@ async function listAdmittedPackageAuthorityEntries(projectRoot, packageAuthority
     if (!rootInfo?.isDirectory()) {
       return {
         ok: false,
-        error: `nimicoding audit-sweep refused: package authority admission ${admission.id} authority_root is missing: ${admission.authority_root}.\n`,
+        error: `nimicoding sweep audit refused: package authority admission ${admission.id} authority_root is missing: ${admission.authority_root}.\n`,
       };
     }
     const gitFiles = await listGitFiles(projectRoot, admission.authority_root);
@@ -326,7 +350,7 @@ async function listAdmittedAppAuthorityEntries(projectRoot, appSliceAdmissions,
     if (!rootInfo?.isDirectory()) {
       return {
         ok: false,
-        error: `nimicoding audit-sweep refused: app-slice admission ${admission.app_id} authority_root is missing: ${admission.authority_root}.\n`,
+        error: `nimicoding sweep audit refused: app-slice admission ${admission.app_id} authority_root is missing: ${admission.authority_root}.\n`,
       };
     }
     const gitFiles = await listGitFiles(projectRoot, admission.authority_root);
@@ -381,12 +405,12 @@ export async function createAuditSweepPlan(projectRoot, options) {
 
   const targetInfo = await pathExists(targetRoot.absolutePath);
   if (!targetInfo || !targetInfo.isDirectory()) {
-    return inputError("nimicoding audit-sweep refused: --root must point to an existing directory.\n");
+    return inputError("nimicoding sweep audit refused: --root must point to an existing directory.\n");
   }
 
   const sweepId = options.sweepId ? safeSweepId(options.sweepId) : deriveSweepId(targetRootRef);
   if (!sweepId) {
-    return inputError("nimicoding audit-sweep refused: --sweep-id must be a safe id.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id must be a safe id.\n");
   }
 
   const specRootPresent = await hasSpecAuthorityRoot(projectRoot);
@@ -446,15 +470,22 @@ export async function createAuditSweepPlan(projectRoot, options) {
   for (const fileRef of allFileRefs) {
     inventory.push(await buildInventoryEntry(projectRoot, fileRef, inventoryRootRef, excludePatterns, { forceAuthority: true }));
   }
+  let specSurfaceReport = null;
+  let authorityInventory = inventory;
+  if (chunkBasis.basis === "spec") {
+    specSurfaceReport = await buildSpecSurfaceInventory(projectRoot, { rootRef: inventoryRootRef });
+    const surfaceEntriesByRef = new Map(specSurfaceReport.entries.map((entry) => [entry.source_path, entry]));
+    authorityInventory = applySpecSurfaceAuthorityFilter(inventory, surfaceEntriesByRef);
+  }
   if (chunkBasis.basis === "spec" && appSliceAdmissions.length > 0) {
     const appAuthorityEntries = await listAdmittedAppAuthorityEntries(projectRoot, appSliceAdmissions, excludePatterns);
     if (!appAuthorityEntries.ok) {
       return inputError(appAuthorityEntries.error);
     }
-    const seenAuthorityRefs = new Set(inventory.map((entry) => entry.file_ref));
+    const seenAuthorityRefs = new Set(authorityInventory.map((entry) => entry.file_ref));
     for (const entry of appAuthorityEntries.entries) {
       if (!seenAuthorityRefs.has(entry.file_ref)) {
-        inventory.push(entry);
+        authorityInventory.push(entry);
         seenAuthorityRefs.add(entry.file_ref);
       }
     }
@@ -464,16 +495,16 @@ export async function createAuditSweepPlan(projectRoot, options) {
     if (!packageAuthorityEntries.ok) {
       return inputError(packageAuthorityEntries.error);
     }
-    const seenAuthorityRefs = new Set(inventory.map((entry) => entry.file_ref));
+    const seenAuthorityRefs = new Set(authorityInventory.map((entry) => entry.file_ref));
     for (const entry of packageAuthorityEntries.entries) {
       if (!seenAuthorityRefs.has(entry.file_ref)) {
-        inventory.push(entry);
+        authorityInventory.push(entry);
         seenAuthorityRefs.add(entry.file_ref);
       }
     }
   }
 
-  const includedInventory = inventory.filter((entry) => entry.included);
+  const includedInventory = authorityInventory.filter((entry) => entry.included);
   const authorityFileRefs = new Set(includedInventory.map((entry) => entry.file_ref));
   const authorityTextByRef = new Map();
   if (chunkBasis.basis === "spec") {
@@ -516,7 +547,7 @@ export async function createAuditSweepPlan(projectRoot, options) {
   const createdAt = options.createdAt ?? new Date().toISOString();
   const ignoreResult = applyAuditIgnorePolicy(chunks, auditIgnorePolicy, createdAt);
   chunks = ignoreResult.chunks;
-  const inventoryHash = sha256Object(inventory.map((entry) => ({
+  const inventoryHash = sha256Object(authorityInventory.map((entry) => ({
     file_ref: entry.file_ref,
     sha256: entry.sha256,
     included: entry.included,
@@ -574,8 +605,15 @@ export async function createAuditSweepPlan(projectRoot, options) {
     } : {}),
     exclude_patterns: excludePatterns,
     inventory_hash: inventoryHash,
+    ...(specSurfaceReport ? {
+      surface_classification: {
+        contract: specSurfaceReport.contract,
+        summary: specSurfaceReport.summary,
+        errors: specSurfaceReport.errors,
+      },
+    } : {}),
     ...(evidenceInventoryHash ? { evidence_inventory_hash: evidenceInventoryHash } : {}),
-    inventory,
+    inventory: authorityInventory,
     ...(chunkBasis.basis === "spec" ? {
       evidence_inventory: evidenceInventory.map((entry) => ({
         file_ref: entry.file_ref,
@@ -591,9 +629,9 @@ export async function createAuditSweepPlan(projectRoot, options) {
     } : {}),
     chunks,
     coverage: {
-      total_files: inventory.length,
+      total_files: authorityInventory.length,
       included_files: includedInventory.length,
-      excluded_files: inventory.length - includedInventory.length,
+      excluded_files: authorityInventory.length - includedInventory.length,
       ...(chunkBasis.basis === "spec" ? {
         authority_files: includedInventory.length,
         evidence_files: evidenceInventory.length,
@@ -694,11 +732,12 @@ export async function createAuditSweepPlan(projectRoot, options) {
     sweepId,
     planRef: planRef(sweepId),
     chunkRefs: chunks.map((chunk) => chunkRef(sweepId, chunk.chunk_id)),
+    chunkIds: chunks.map((chunk) => chunk.chunk_id),
     runLedgerRef: runRef,
     chunkCount: chunks.length,
-    totalFiles: inventory.length,
+    totalFiles: authorityInventory.length,
     includedFiles: includedInventory.length,
-    excludedFiles: inventory.length - includedInventory.length,
+    excludedFiles: authorityInventory.length - includedInventory.length,
     ...(chunkBasis.basis === "spec" ? {
       evidenceFiles: evidenceInventory.length,
       unmappedEvidenceFiles: unmappedEvidenceFiles.length,
@@ -724,5 +763,6 @@ export async function getPlannedChunkRefs(projectRoot, sweepId) {
   return {
     ok: true,
     chunkRefs: loaded.plan.chunks.map((chunk) => chunkRef(sweepId, chunk.chunk_id)),
+    chunkIds: loaded.plan.chunks.map((chunk) => chunk.chunk_id),
   };
 }

package/cli/lib/audit-sweep-runtime/ledger.mjs

@@ -206,7 +206,7 @@ function formatReport({ sweepId, ledger, findings }) {
 export async function buildAuditSweepLedger(projectRoot, options) {
   const sweepId = safeSweepId(options.sweepId);
   if (!sweepId) {
-    return inputError("nimicoding audit-sweep refused: --sweep-id is required.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id is required.\n");
   }
 
   const timestampError = options.verifiedAt ? ensureIsoTimestamp(options.verifiedAt) : null;

package/cli/lib/audit-sweep-runtime/p0p1-profile.mjs

@@ -15,8 +15,8 @@ const HIGH_RISK_OWNER_DOMAINS = new Set([
   "provider",
   "desktop",
   "web",
-  "nimi-coding",
-  "nimi-coding/audit-sweep",
+  "nimicoding",
+  "nimicoding/audit-sweep",
 ]);
 
 export function criteriaEnableP0P1Recall(criteria) {

package/cli/lib/audit-sweep-runtime/remediation.mjs

@@ -135,7 +135,7 @@ function groupOpenFindings(findings, clusters, maxFindingsPerWave) {
 export async function buildAuditSweepRemediationMap(projectRoot, options) {
   const sweepId = safeSweepId(options.sweepId);
   if (!sweepId) {
-    return inputError("nimicoding audit-sweep refused: --sweep-id is required.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id is required.\n");
   }
   const timestampError = options.verifiedAt ? ensureIsoTimestamp(options.verifiedAt) : null;
   if (timestampError) {
@@ -243,7 +243,7 @@ function topicWaveFromRemediationWave(wave, ledgerRef, remediationMapRefValue) {
 export async function admitAuditSweepRemediationMap(projectRoot, options) {
   const sweepId = safeSweepId(options.sweepId);
   if (!sweepId || typeof options.topicId !== "string" || !options.topicId.trim()) {
-    return inputError("nimicoding audit-sweep refused: --sweep-id and --topic-id are required.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id and --topic-id are required.\n");
   }
 
   const ledgerResult = await loadLatestLedger(projectRoot, sweepId);
@@ -253,7 +253,7 @@ export async function admitAuditSweepRemediationMap(projectRoot, options) {
   const mapRef = remediationMapRef(sweepId, ledgerResult.ledger.snapshot_id);
   const remediationMap = await loadYamlRef(projectRoot, mapRef);
   if (!remediationMap || remediationMap.kind !== "audit-remediation-map" || remediationMap.source_ledger_ref !== ledgerResult.ledgerRef || !Array.isArray(remediationMap.waves)) {
-    return inputError("nimicoding audit-sweep refused: latest remediation map is missing or malformed.\n");
+    return inputError("nimicoding sweep audit refused: latest remediation map is missing or malformed.\n");
   }
   const planResult = await loadPlan(projectRoot, sweepId);
   if (!planResult.ok) {
@@ -273,7 +273,7 @@ export async function admitAuditSweepRemediationMap(projectRoot, options) {
         ok: false,
         inputError: true,
         exitCode: 1,
-        error: `nimicoding audit-sweep refused: remediation wave admission failed: ${addResult.error}\n`,
+        error: `nimicoding sweep audit refused: remediation wave admission failed: ${addResult.error}\n`,
       };
     }
     materialized.push(topicWave.wave_id);
@@ -289,7 +289,7 @@ export async function admitAuditSweepRemediationMap(projectRoot, options) {
         ok: false,
         inputError: true,
         exitCode: 1,
-        error: `nimicoding audit-sweep refused: remediation wave selection failed: ${selectResult.error}\n`,
+        error: `nimicoding sweep audit refused: remediation wave selection failed: ${selectResult.error}\n`,
       };
     }
     const admitResult = await admitWaveInTopic(projectRoot, options.topicId, topicWave.wave_id);
@@ -298,7 +298,7 @@ export async function admitAuditSweepRemediationMap(projectRoot, options) {
         ok: false,
         inputError: true,
         exitCode: 1,
-        error: `nimicoding audit-sweep refused: remediation wave admission failed: ${admitResult.error}\n`,
+        error: `nimicoding sweep audit refused: remediation wave admission failed: ${admitResult.error}\n`,
       };
     }
     admitted.push(topicWave.wave_id);

package/cli/lib/audit-sweep-runtime/rerun.mjs

@@ -59,10 +59,10 @@ function validateRerunEvidence(evidence, finding, disposition) {
 export async function resolveAuditSweepFinding(projectRoot, options) {
   const sweepId = safeSweepId(options.sweepId);
   if (!sweepId || typeof options.findingId !== "string") {
-    return inputError("nimicoding audit-sweep refused: --sweep-id and --finding-id are required.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id and --finding-id are required.\n");
   }
   if (!FINDING_DISPOSITION.has(options.disposition) || options.disposition === "open") {
-    return inputError("nimicoding audit-sweep refused: --disposition must be one of remediated, accepted-risk, false-positive, deferred-backlog.\n");
+    return inputError("nimicoding sweep audit refused: --disposition must be one of remediated, accepted-risk, false-positive, deferred-backlog.\n");
   }
   const timestampError = ensureIsoTimestamp(options.verifiedAt);
   if (timestampError) {
@@ -74,22 +74,22 @@ export async function resolveAuditSweepFinding(projectRoot, options) {
   }
   const sourceInfo = await pathExists(source.absolutePath);
   if (!sourceInfo || !sourceInfo.isFile()) {
-    return inputError("nimicoding audit-sweep refused: --from must point to an existing JSON evidence file.\n");
+    return inputError("nimicoding sweep audit refused: --from must point to an existing JSON evidence file.\n");
   }
 
   const { findingsRef: aggregateFindingsRef, store } = await loadFindings(projectRoot, sweepId);
   const findingIndex = store.findings.findIndex((finding) => finding.id === options.findingId);
   if (findingIndex === -1) {
-    return inputError(`nimicoding audit-sweep refused: finding not found for ${options.findingId}.\n`);
+    return inputError(`nimicoding sweep audit refused: finding not found for ${options.findingId}.\n`);
   }
   const finding = store.findings[findingIndex];
   const evidenceJson = await loadJsonFile(source.absolutePath);
   if (!evidenceJson.ok) {
-    return inputError("nimicoding audit-sweep refused: --from must contain valid JSON.\n");
+    return inputError("nimicoding sweep audit refused: --from must contain valid JSON.\n");
   }
   const validation = validateRerunEvidence(evidenceJson.value, finding, options.disposition);
   if (!validation.ok) {
-    return inputError(`nimicoding audit-sweep refused: ${validation.error}.\n`);
+    return inputError(`nimicoding sweep audit refused: ${validation.error}.\n`);
   }
 
   const evidenceRef = artifactRef("evidence_refs", sweepId, `resolution-${options.findingId}.json`);

package/cli/lib/audit-sweep-runtime/status.mjs

@@ -12,7 +12,7 @@ import { ensureClusterStore } from "./risk-budget.mjs";
 export async function getAuditSweepStatus(projectRoot, options) {
   const sweepId = safeSweepId(options.sweepId);
   if (!sweepId) {
-    return inputError("nimicoding audit-sweep refused: --sweep-id is required.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id is required.\n");
   }
 
   const planResult = await loadPlan(projectRoot, sweepId);

package/cli/lib/audit-sweep-runtime/validators.mjs

@@ -688,11 +688,11 @@ async function validateCloseoutArtifact(projectRoot, sweepId, ledgerInfo, remedi
 export async function validateAuditSweepArtifacts(projectRoot, options) {
   const sweepId = safeSweepId(options.sweepId);
   if (!sweepId) {
-    return inputError("nimicoding audit-sweep refused: --sweep-id is required.\n");
+    return inputError("nimicoding sweep audit refused: --sweep-id is required.\n");
   }
   const scope = options.scope ?? "all";
   if (!VALIDATION_SCOPES.has(scope)) {
-    return inputError("nimicoding audit-sweep refused: --scope must be one of all, plan, chunks, findings, ledger, remediation, rerun, closeout.\n");
+    return inputError("nimicoding sweep audit refused: --scope must be one of all, plan, chunks, findings, ledger, remediation, rerun, closeout.\n");
   }
 
   const checks = [];