@rigour-labs/cli 4.3.6 → 5.0.1

package/dist/commands/check.js

@@ -2,7 +2,7 @@ import fs from 'fs-extra';
 import path from 'path';
 import chalk from 'chalk';
 import yaml from 'yaml';
-import { GateRunner, ConfigSchema, recordScore, getScoreTrend, resolveDeepOptions } from '@rigour-labs/core';
+import { GateRunner, ConfigSchema, recordScore, getScoreTrend, resolveDeepOptions, getProvenanceTrends, getQualityTrend } from '@rigour-labs/core';
 import inquirer from 'inquirer';
 import { randomUUID } from 'crypto';
 // Exit codes per spec
@@ -270,6 +270,34 @@ function renderDeepOutput(report, config, options, resolvedDeepMode) {
         console.log(chalk.dim(`  Model: ${model} (${tier}) ${inferenceSec}`));
     }
     console.log('');
+    // ── Temporal Drift Trends ──
+    try {
+        const driftCwd = process.cwd();
+        const trend = getQualityTrend(driftCwd);
+        const provTrends = getProvenanceTrends(driftCwd);
+        const hasTrends = trend !== 'stable' || provTrends.aiDrift !== 'stable' || provTrends.structural !== 'stable' || provTrends.security !== 'stable';
+        if (hasTrends) {
+            const trendIcon = trend === 'improving' ? chalk.green('↑') : trend === 'degrading' ? chalk.red('↓') : chalk.dim('→');
+            const trendColor = trend === 'improving' ? chalk.green : trend === 'degrading' ? chalk.red : chalk.dim;
+            console.log(`  ${chalk.bold('Trend:')}         ${trendIcon} ${trendColor(trend.toUpperCase())} (Z-score analysis)`);
+            if (provTrends.aiDrift !== 'stable') {
+                const c = provTrends.aiDrift === 'degrading' ? chalk.red : chalk.green;
+                console.log(`  ${chalk.dim('  AI Drift:')}    ${c(provTrends.aiDrift)} (Z=${provTrends.aiDriftZScore})`);
+            }
+            if (provTrends.structural !== 'stable') {
+                const c = provTrends.structural === 'degrading' ? chalk.red : chalk.green;
+                console.log(`  ${chalk.dim('  Structural:')}  ${c(provTrends.structural)} (Z=${provTrends.structuralZScore})`);
+            }
+            if (provTrends.security !== 'stable') {
+                const c = provTrends.security === 'degrading' ? chalk.red : chalk.green;
+                console.log(`  ${chalk.dim('  Security:')}    ${c(provTrends.security)} (Z=${provTrends.securityZScore})`);
+            }
+            console.log('');
+        }
+    }
+    catch {
+        // Not enough historical data — skip silently
+    }
     // Categorize findings by provenance
     const deepFailures = report.failures.filter((f) => f.provenance === 'deep-analysis');
     const aiDriftFailures = report.failures.filter((f) => f.provenance === 'ai-drift');
@@ -386,6 +414,16 @@ function renderStandardOutput(report, config) {
                 console.log('Severity: ' + parts.join(', ') + '\n');
             }
         }
+        // ── Temporal Drift Trends (standard mode) ──
+        try {
+            const trend = getQualityTrend(process.cwd());
+            if (trend !== 'stable') {
+                const trendIcon = trend === 'improving' ? chalk.green('↑') : chalk.red('↓');
+                const trendColor = trend === 'improving' ? chalk.green : chalk.red;
+                console.log(`Trend: ${trendIcon} ${trendColor(trend)} (Z-score)\n`);
+            }
+        }
+        catch { /* ignore */ }
         for (const failure of report.failures) {
             const sev = severityIcon(failure.severity);
             const prov = failure.provenance ? chalk.dim(`[${failure.provenance}]`) : '';

package/dist/commands/demo-display.d.ts

@@ -8,4 +8,5 @@ export declare function printPlantedIssues(): void;
 export declare function displayGateResults(report: any, cinematic: boolean): void;
 export declare function printSeverityBreakdown(stats: any): void;
 export declare function printFailure(failure: any): void;
+export declare function displayDriftSummary(): void;
 export declare function printClosing(cinematic: boolean): void;

package/dist/commands/demo-display.js

@@ -122,6 +122,16 @@ export function displayGateResults(report, cinematic) {
     else {
         console.log(chalk.green.bold('✔ PASS — All quality gates satisfied.\n'));
     }
+    // Provenance breakdown
+    if (stats.provenance_breakdown) {
+        const parts = Object.entries(stats.provenance_breakdown)
+            .filter(([, count]) => count > 0)
+            .map(([prov, count]) => chalk.dim(`${prov}: ${count}`));
+        if (parts.length > 0) {
+            console.log(chalk.bold('  Provenance: ') + parts.join(' | '));
+            console.log('');
+        }
+    }
     console.log(chalk.dim(`Finished in ${stats.duration_ms}ms\n`));
 }
 export function printSeverityBreakdown(stats) {
@@ -152,15 +162,58 @@ export function printFailure(failure) {
         console.log(chalk.cyan(`        ${failure.hint}`));
     }
 }
+// ── Drift Detection Summary (for demo/Nikhil) ──────────────────────
+export function displayDriftSummary() {
+    console.log(chalk.bold.cyan('\n  ── v5.1 Drift Detection Engine ──\n'));
+    console.log(chalk.white('  Seven production-grade detection systems:\n'));
+    console.log(chalk.bold('  1. EWMA Checkpoint Monitoring'));
+    console.log(chalk.dim('     Before: Linear regression on 5 points (one outlier = broken)'));
+    console.log(chalk.green('     After:  EWMA (α=0.3) — 70% history, 30% new → noise-resistant'));
+    console.log(chalk.dim('     Detects: sudden drops AND gradual decline separately\n'));
+    console.log(chalk.bold('  2. Z-Score Adaptive Thresholds'));
+    console.log(chalk.dim('     Before: Moving window delta (100→108 = "degrading")'));
+    console.log(chalk.green('     After:  Z-score normalization — size-independent anomaly detection'));
+    console.log(chalk.dim('     Per-provenance: AI drift vs structural vs security tracked independently\n'));
+    console.log(chalk.bold('  3. Three-Pass Duplicate Detection'));
+    console.log(chalk.dim('     Pass 1: MD5 hash → exact duplicates (O(n), <10ms)'));
+    console.log(chalk.dim('     Pass 2: Jaccard on tree-sitter AST node multisets → structural near-duplicates'));
+    console.log(chalk.green('     Pass 3: Semantic embedding (all-MiniLM-L6-v2, 384D) → intent-level duplicates'));
+    console.log(chalk.dim('     Catches: .find() vs .filter()[0] — same intent, different AST\n'));
+    console.log(chalk.bold('  4. Temporal Drift Engine'));
+    console.log(chalk.dim('     Cross-session trend analysis from SQLite brain'));
+    console.log(chalk.green('     Per-provenance EWMA streams + monthly rollups + anomaly detection'));
+    console.log(chalk.dim('     Answers: "Is AI getting worse?" independently from "Is code quality dropping?"\n'));
+    console.log(chalk.bold('  5. Dependency Bloat Detection'));
+    console.log(chalk.dim('     Before: Only checked forbidden package list'));
+    console.log(chalk.green('     After:  Unused deps + heavy alternatives + duplicate purpose detection'));
+    console.log(chalk.dim('     Catches: axios AND got both installed (AI sessions chose different HTTP clients)\n'));
+    console.log(chalk.bold('  6. Style Drift Detection'));
+    console.log(chalk.dim('     Before: No style enforcement beyond linters'));
+    console.log(chalk.green('     After:  Fingerprint naming, error handling, import style, quotes → compare to baseline'));
+    console.log(chalk.dim('     Catches: AI switching from camelCase to snake_case mid-project\n'));
+    console.log(chalk.bold('  7. Logic Drift Foundation'));
+    console.log(chalk.dim('     Before: No detection of subtle logic changes'));
+    console.log(chalk.green('     After:  Tracks comparison operators, branch counts, return counts per function'));
+    console.log(chalk.dim('     Catches: >= silently became > (off-by-one), return statements added/removed\n'));
+}
 export function printClosing(cinematic) {
     const divider = chalk.bold.cyan('━'.repeat(50));
+    // Show drift detection summary in cinematic mode
+    if (cinematic) {
+        displayDriftSummary();
+    }
     console.log(divider);
-    console.log(chalk.bold('What Rigour does:'));
-    console.log(chalk.dim('  Catches AI drift (hallucinated imports, unhandled promises)'));
-    console.log(chalk.dim('  Blocks security issues (hardcoded keys, injection patterns)'));
+    console.log(chalk.bold('What Rigour does (27+ gates):'));
+    console.log(chalk.dim('  Catches AI drift (hallucinated imports, duplicates, logic mutations)'));
+    console.log(chalk.dim('  Blocks security issues (hardcoded keys, injection patterns, DLP)'));
     console.log(chalk.dim('  Enforces structure (file size, complexity, documentation)'));
+    console.log(chalk.dim('  Detects dependency bloat (unused, heavy, duplicate purpose)'));
+    console.log(chalk.dim('  Monitors style drift (naming, error handling, imports)'));
+    console.log(chalk.dim('  Tracks logic mutations (operator changes, branch count shifts)'));
     console.log(chalk.dim('  Generates audit-ready evidence (scores, trends, reports)'));
     console.log(chalk.dim('  Real-time hooks for Claude, Cursor, Cline, Windsurf'));
+    console.log(chalk.dim('  Three-pass duplication: MD5 → AST Jaccard → Semantic Embedding'));
+    console.log(chalk.dim('  EWMA + Z-score + temporal drift engine (v5.1)'));
     console.log(divider);
     console.log('');
     if (cinematic) {

package/dist/commands/hooks.js

@@ -19,6 +19,7 @@ import chalk from 'chalk';
 import { randomUUID } from 'crypto';
 import { runHookChecker, scanInputForCredentials, formatDLPAlert, createDLPAuditEntry } from '@rigour-labs/core';
 // ── Studio event logging ─────────────────────────────────────────────
+const MAX_EVENT_LOG_LINES = 2000;
 async function logStudioEvent(cwd, event) {
     try {
         const rigourDir = path.join(cwd, '.rigour');
@@ -30,11 +31,30 @@ async function logStudioEvent(cwd, event) {
             ...event,
         }) + '\n';
         await fs.appendFile(eventsPath, logEntry);
+        // Rotate: keep last MAX_EVENT_LOG_LINES entries to prevent unbounded growth
+        await rotateEventLog(eventsPath);
     }
     catch {
         // Silent fail
     }
 }
+async function rotateEventLog(eventsPath) {
+    try {
+        const stat = await fs.stat(eventsPath);
+        // Only check rotation when file exceeds ~500KB (avoids reading on every append)
+        if (stat.size < 512 * 1024)
+            return;
+        const content = await fs.readFile(eventsPath, 'utf-8');
+        const lines = content.trim().split('\n');
+        if (lines.length > MAX_EVENT_LOG_LINES) {
+            const trimmed = lines.slice(-MAX_EVENT_LOG_LINES).join('\n') + '\n';
+            await fs.writeFile(eventsPath, trimmed);
+        }
+    }
+    catch {
+        // Silent fail — rotation is best-effort
+    }
+}
 // ── Tool detection ───────────────────────────────────────────────────
 const TOOL_MARKERS = {
     claude: ['CLAUDE.md', '.claude'],
@@ -249,6 +269,8 @@ process.stdin.on('end', async () => {
         const proc = spawnSync(
             command,
             [...baseArgs, '--mode', 'dlp', '--stdin'],
+            // Note: joining with \\n is safe — credential patterns match within single values.
+            // A credential split across two toolInput fields would be malformed regardless.
             { input: textsToScan.join('\\n'), encoding: 'utf-8', timeout: 3000 }
         );
         if (proc.error) throw proc.error;

package/dist/commands/studio.js

@@ -344,6 +344,19 @@ async function setupApiAndLaunch(apiPort, studioPort, eventsPath, cwd, studioPro
                 res.end(e.message);
             }
         }
+        else if (url.pathname === '/api/drift') {
+            try {
+                const { generateTemporalDriftReport } = await import('@rigour-labs/core');
+                const report = generateTemporalDriftReport(cwd);
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify(report || { totalScans: 0 }));
+            }
+            catch (e) {
+                // SQLite not available or no data
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ totalScans: 0 }));
+            }
+        }
         else if (url.pathname === '/api/arbitrate' && req.method === 'POST') {
             let body = '';
             req.on('data', chunk => body += chunk);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/cli",
-  "version": "4.3.6",
+  "version": "5.0.1",
   "description": "CLI quality gates for AI-generated code. Forces AI agents (Claude, Cursor, Copilot) to meet strict engineering standards with PASS/FAIL enforcement.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -44,7 +44,7 @@
     "inquirer": "9.2.16",
     "ora": "^8.0.1",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "4.3.6"
+    "@rigour-labs/core": "5.0.1"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",