@rigour-labs/cli 5.0.0 → 5.1.0

package/README.md

@@ -4,8 +4,8 @@
 [![npm downloads](https://img.shields.io/npm/dm/@rigour-labs/cli?color=blue)](https://www.npmjs.com/package/@rigour-labs/cli)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-**Local-first quality gates for AI-generated code.**  
-Rigour forces AI agents to meet strict engineering standards before marking tasks "Done".
+**AI Agent Governance CLI — quality gates, DLP, drift detection, and deep analysis.**
+Rigour governs what goes IN (DLP), what comes OUT (quality gates), and what gets PERSISTED (memory governance).
 
 > Core gates run locally. Deep analysis can run local or cloud provider mode.
 
@@ -13,8 +13,8 @@ Rigour forces AI agents to meet strict engineering standards before marking task
 
 ```bash
 npx @rigour-labs/cli scan     # Zero-config scan (auto-detect stack)
-npx @rigour-labs/cli init     # Initialize quality gates
-npx @rigour-labs/cli check    # Verify code quality
+npx @rigour-labs/cli init     # Initialize config, hooks, DLP, governance
+npx @rigour-labs/cli check    # Verify code quality (27+ gates)
 npx @rigour-labs/cli run -- claude "Build feature X"  # Agent loop
 ```
 
@@ -27,64 +27,126 @@ brew install rigour
 
 ## 🛑 The Problem
 
-AI agents often fall into **"Vibe Coding"**—claiming success based on narrative, not execution:
+AI agents are powerful but ungoverned. They claim success based on narrative, not execution. Credentials get cached in agent memory. Imports get hallucinated. Code quality drifts across sessions.
 
-1. Agent makes a change
-2. Agent **claims** "Task 100% complete"
-3. **CI Fails** with type errors, lint failures, or broken tests
-
-**Rigour breaks this cycle** by forcing agents to face the same verification tools (ruff, mypy, vitest) that CI runs—locally and immediately.
+**Rigour breaks this cycle** with deterministic PASS/FAIL gates, credential interception, and memory governance — all local-first.
 
 ## 🔄 How It Works
 
 ```
 Agent writes code → Rigour checks → FAIL? → Fix Packet → Agent retries → PASS ✓
+DLP: User input → Credential scan → BLOCK before agent sees it
+Memory: Agent writes CLAUDE.md → Rigour intercepts → Forces rigour_remember (DLP-scanned)
 ```
 
-## ⚙️ Quality Gates
+## ⚙️ Quality Gates (27+ Deterministic)
 
 ### Structural & Security Gates
 | Gate | Description |
 |:---|:---|
 | **File Size** | Max lines per file (default: 300-500) |
-| **Hygiene** | No TODO/FIXME comments allowed |
-| **Complexity** | Cyclomatic complexity limits (AST-based) |
+| **Content Hygiene** | No TODO/FIXME comments allowed |
+| **AST Analysis** | Cyclomatic complexity, method count, nesting depth, function length |
 | **Required Docs** | SPEC.md, ARCH.md, README must exist |
 | **File Guard** | Protected paths, max files changed |
-| **Security Patterns** | XSS, SQL injection, hardcoded secrets, command injection |
-| **Context Alignment** | Prevents drift by anchoring on project patterns |
+| **Security Patterns** | XSS, SQL injection, hardcoded secrets, command injection, path traversal |
+| **Frontend Secret Exposure** | API keys in client-side bundles |
+| **Deprecated APIs** | Node, Python, Web, Go, C#, Java deprecated usage |
+| **Test Quality** | Empty tests, tautological assertions, mock-heavy, snapshot abuse |
+| **Side-Effect Safety** | Unbounded timers, recursive depth, resource lifecycle, retry loops |
 
-### AI-Native Drift Detection (v2.16+)
+### AI-Native Drift Detection
+| Gate | Description |
+|:---|:---|
+| **Hallucinated Imports** | Imports referencing non-existent modules (JS/TS, Python, Go, Ruby, C#, Rust, Java, Kotlin) |
+| **Phantom APIs** | Non-existent stdlib/framework methods the LLM invented |
+| **Promise Safety** | Unhandled async, unsafe JSON.parse, floating fetch across 6 languages |
+| **Duplication Drift** | Three-pass: MD5 exact → AST Jaccard (tree-sitter) → semantic embedding (384D cosine) |
+| **Style Drift** | Naming conventions, error handling, import style fingerprinted against project baseline |
+| **Logic Drift** | Comparison operators (>= → >), branch counts, return statements tracked per function |
+| **Context Window Artifacts** | Quality degradation within long files — clean top, messy bottom |
+| **Inconsistent Error Handling** | Same error type handled differently across sessions |
+| **Dependency Bloat** | Unused deps, heavy alternatives (moment→dayjs), duplicate purpose packages |
+
+### Agent Governance
 | Gate | Description |
 |:---|:---|
-| **Duplication Drift** | Near-identical functions across files — AI re-invents what it forgot |
-| **Hallucinated Imports** | Imports referencing modules that don't exist (JS/TS, Python, Go, Ruby, C#) |
-| **Inconsistent Error Handling** | Same error type handled differently across agent sessions |
-| **Context Window Artifacts** | Quality degradation within a file — clean top, messy bottom |
-| **Async & Error Safety** | Unsafe async/promise patterns, unhandled errors across 6 languages |
+| **Memory Governance** | Blocks agent writes to CLAUDE.md, .clinerules, .windsurf/memories/ |
+| **Skills Governance** | Blocks agent writes to .claude/skills/, .cursor/rules/ |
+| **Governance DLP** | Scans content written to any governed file for credentials |
+
+### Two-Score System
+Every failure carries a provenance tag (`ai-drift`, `traditional`, `security`, `governance`) and contributes to two sub-scores: **AI Health Score** (0–100) and **Structural Score** (0–100).
+
+## 🔒 AI Agent DLP (Data Loss Prevention)
+
+Real-time credential interception via PreToolUse hooks — blocks credentials before agents see them.
 
-### Multi-Language Support
-All gates support **TypeScript, JavaScript, Python, Go, Ruby, and C#/.NET**.
+- **29 credential patterns**: AWS, GCP, Azure, OpenAI, Anthropic, GitHub, Stripe, private keys, database URLs, JWTs, CI/CD tokens
+- **Anti-evasion**: Unicode normalization, zero-width char removal, bidi control stripping, Shannon entropy detection (>4.5 bits)
+- **Compliance mapped**: SOC2-CC6.1, HIPAA-164.312, PCI-DSS-3.4/3.5/6.5, OWASP-A2, CWE-798
+
+## 🔗 Real-Time Hooks
+
+Two-tier supervision: inline hooks (<200ms per file write) + checkpoint suite (full gates).
+
+```bash
+rigour hooks init                    # auto-detect tool, install hooks + DLP
+rigour hooks init --tool all         # all tools at once
+rigour hooks init --block            # exit code 2 on failures (strict mode)
+rigour hooks init --no-dlp           # skip DLP hooks
+rigour hooks check --files src/a.ts  # manual fast check
+```
+
+**Supported tools:** Claude Code, Cursor, Cline, Windsurf — each with quality (post-write) and DLP (pre-write) hooks.
+
+## 🧠 Deep Analysis (LLM-Powered)
+
+Five-signal extraction → LLM interpretation → deterministic verification pipeline.
+
+```bash
+rigour check --deep                  # Local sidecar (Qwen3.5-0.8B, any CPU)
+rigour check --deep --pro            # Full model (Qwen2.5-Coder-1.5B)
+rigour check --deep --provider claude -k sk-ant-xxx  # Cloud BYOK
+```
+
+## 🌐 Multi-Language Support
+
+Hallucinated import detection with stdlib whitelists and dependency manifest parsing:
+
+**JS/TS** (Node.js builtins, package.json) · **Python** (160+ stdlib, local modules) · **Go** (150+ stdlib, go.mod) · **Ruby** (80+ stdlib, Gemfile) · **C#/.NET** (.NET 8 namespaces, .csproj) · **Rust** (std/core/alloc, Cargo.toml) · **Java** (java/javax/jakarta, build.gradle/pom.xml) · **Kotlin** (kotlin/kotlinx + Java interop, build.gradle.kts)
 
 ## 🛠️ Commands
 
 | Command | Purpose |
 |:---|:---|
-| `rigour scan` | Zero-config stack-aware scan using existing gates |
-| `rigour init` | Setup Rigour in your project |
-| `rigour check` | Validate code against quality gates |
-| `rigour check --ci` | CI mode with appropriate output |
-| `rigour hooks init` | Install real-time hooks for supported tools |
-| `rigour hooks check --files ...` | Run fast hook gates on specific files |
-| `rigour explain` | Detailed explanation of validation results |
-| `rigour run` | Supervisor loop for iterative refinement |
+| `rigour scan` | Zero-config stack-aware scan (auto-detect) |
+| `rigour scan --deep` | Zero-config + local LLM deep analysis |
+| `rigour init` | Setup config, hooks, DLP, governance |
+| `rigour check` | Full repository quality gates |
+| `rigour check --ci` | CI mode with minimal output |
+| `rigour check --deep` | + local LLM analysis |
+| `rigour hooks init` | Install real-time hooks for detected tools |
+| `rigour hooks check --files ...` | Fast hook gates on specific files |
+| `rigour explain` | Detailed explanation of failures |
+| `rigour run` | Supervisor loop for agent refinement |
+| `rigour run --supervised` | Full supervisor mode (iterative command + gate loop) |
 | `rigour studio` | Dashboard for monitoring |
-| `rigour index` | Build semantic index of codebase patterns |
+| `rigour brain` | Local memory status (SQLite) |
+| `rigour brain --compact` | Prune old findings, reclaim disk |
+| `rigour doctor` | Diagnose install + deep readiness |
+| `rigour export-audit` | Export compliance audit report (JSON/Markdown) |
+| `rigour demo` | Live demo on synthetic or real repos |
+| `rigour settings` | Manage API keys and provider config |
 
 ## 🤖 Works With
 
-- **Claude Code**: `rigour run -- claude "..."`
-- **Cursor / Cline / Gemini**: Via MCP server (`rigour_check`, `rigour_explain`)
+- **Claude Code**: `rigour run -- claude "..."` + real-time hooks
+- **Cursor**: Via MCP server + `.cursor/hooks.json`
+- **Cline**: Via MCP server + `.clinerules/hooks/` scripts
+- **Windsurf**: Via MCP server + `.windsurf/hooks.json`
+- **Gemini**: Via MCP server (`rigour_check`, `rigour_explain`)
+- **GitHub Actions**: `npx @rigour-labs/cli check --ci`
 
 ## 📖 Documentation
 
@@ -106,5 +168,3 @@ All gates support **TypeScript, JavaScript, Python, Go, Ruby, and C#/.NET**.
 ## 📜 License
 
 MIT © [Rigour Labs](https://github.com/rigour-labs)
-
-> *"Rigour adds the engineering."*

package/dist/commands/brain.js

@@ -40,10 +40,10 @@ async function handleStatus(core) {
     console.log(chalk.dim(`   Database: ~/.rigour/rigour.db`));
     console.log(chalk.dim(`   Size:     ${formatBytes(sizeBytes)}\n`));
     const cwd = process.cwd();
-    const stats = core.getProjectStats(cwd);
+    const stats = await core.getProjectStats(cwd);
     if (!stats) {
-        console.log(chalk.yellow('   SQLite not available (better-sqlite3 not installed).'));
-        console.log(chalk.dim('   Run: npm install better-sqlite3'));
+        console.log(chalk.yellow('   SQLite not available (sqlite3 not installed).'));
+        console.log(chalk.dim('   Run: npm install sqlite3'));
         return;
     }
     if (stats.totalScans === 0) {
@@ -66,7 +66,7 @@ async function handleStatus(core) {
 /** Compact: prune old findings, weak patterns, VACUUM. */
 async function handleCompact(core, retainDays) {
     console.log(chalk.bold.cyan(`\n🧠 Compacting Rigour Brain (retain ${retainDays} days)...\n`));
-    const result = core.compactDatabase(retainDays);
+    const result = await core.compactDatabase(retainDays);
     console.log(`   Findings pruned:   ${chalk.yellow(result.pruned)}`);
     console.log(`   Patterns removed:  ${chalk.yellow(result.patternsDecayed)}`);
     console.log(`   Size before:       ${formatBytes(result.sizeBefore)}`);

package/dist/commands/check.js

@@ -114,15 +114,15 @@ export async function checkCommand(cwd, files = [], options = {}) {
         if (isDeep) {
             try {
                 const { openDatabase, insertScan, insertFindings } = await import('@rigour-labs/core');
-                const db = openDatabase();
+                const db = await openDatabase();
                 if (db) {
                     const repoName = path.basename(cwd);
-                    const scanId = insertScan(db, repoName, report, {
+                    const scanId = await insertScan(db, repoName, report, {
                         deepTier: report.stats.deep?.tier || (options.pro ? 'deep' : (resolvedDeepMode?.isLocal ? 'lite' : 'cloud')),
                         deepModel: report.stats.deep?.model,
                     });
-                    insertFindings(db, scanId, report.failures);
-                    db.close();
+                    await insertFindings(db, scanId, report.failures);
+                    await db.close();
                 }
             }
             catch (dbError) {

package/dist/commands/hooks.js

@@ -19,6 +19,7 @@ import chalk from 'chalk';
 import { randomUUID } from 'crypto';
 import { runHookChecker, scanInputForCredentials, formatDLPAlert, createDLPAuditEntry } from '@rigour-labs/core';
 // ── Studio event logging ─────────────────────────────────────────────
+const MAX_EVENT_LOG_LINES = 2000;
 async function logStudioEvent(cwd, event) {
     try {
         const rigourDir = path.join(cwd, '.rigour');
@@ -30,11 +31,30 @@ async function logStudioEvent(cwd, event) {
             ...event,
         }) + '\n';
         await fs.appendFile(eventsPath, logEntry);
+        // Rotate: keep last MAX_EVENT_LOG_LINES entries to prevent unbounded growth
+        await rotateEventLog(eventsPath);
     }
     catch {
         // Silent fail
     }
 }
+async function rotateEventLog(eventsPath) {
+    try {
+        const stat = await fs.stat(eventsPath);
+        // Only check rotation when file exceeds ~500KB (avoids reading on every append)
+        if (stat.size < 512 * 1024)
+            return;
+        const content = await fs.readFile(eventsPath, 'utf-8');
+        const lines = content.trim().split('\n');
+        if (lines.length > MAX_EVENT_LOG_LINES) {
+            const trimmed = lines.slice(-MAX_EVENT_LOG_LINES).join('\n') + '\n';
+            await fs.writeFile(eventsPath, trimmed);
+        }
+    }
+    catch {
+        // Silent fail — rotation is best-effort
+    }
+}
 // ── Tool detection ───────────────────────────────────────────────────
 const TOOL_MARKERS = {
     claude: ['CLAUDE.md', '.claude'],
@@ -249,6 +269,8 @@ process.stdin.on('end', async () => {
         const proc = spawnSync(
             command,
             [...baseArgs, '--mode', 'dlp', '--stdin'],
+            // Note: joining with \\n is safe — credential patterns match within single values.
+            // A credential split across two toolInput fields would be malformed regardless.
             { input: textsToScan.join('\\n'), encoding: 'utf-8', timeout: 3000 }
         );
         if (proc.error) throw proc.error;

package/dist/commands/scan-deep.d.ts

@@ -4,5 +4,5 @@ import type { ScanOptions, StackSignals } from './scan.js';
 export declare function buildDeepOpts(options: ScanOptions, isSilent: boolean): DeepOptions & {
     onProgress?: (msg: string) => void;
 };
-export declare function persistDeepResults(cwd: string, report: Report, isDeep: boolean, options: ScanOptions): void;
+export declare function persistDeepResults(cwd: string, report: Report, isDeep: boolean, options: ScanOptions): Promise<void>;
 export declare function renderDeepScanResults(report: Report, stackSignals: StackSignals, config: Config, cwd: string): void;

package/dist/commands/scan-deep.js

@@ -23,22 +23,21 @@ export function buildDeepOpts(options, isSilent) {
         },
     };
 }
-export function persistDeepResults(cwd, report, isDeep, options) {
+export async function persistDeepResults(cwd, report, isDeep, options) {
     if (!isDeep)
         return;
     try {
-        import('@rigour-labs/core').then(({ openDatabase, insertScan, insertFindings }) => {
-            const db = openDatabase();
-            if (!db)
-                return;
-            const repoName = require('path').basename(cwd);
-            const scanId = insertScan(db, repoName, report, {
-                deepTier: report.stats.deep?.tier || (options.pro ? 'deep' : 'lite'),
-                deepModel: report.stats.deep?.model,
-            });
-            insertFindings(db, scanId, report.failures);
-            db.close();
-        }).catch(() => { });
+        const { openDatabase, insertScan, insertFindings } = await import('@rigour-labs/core');
+        const db = await openDatabase();
+        if (!db)
+            return;
+        const repoName = require('path').basename(cwd);
+        const scanId = await insertScan(db, repoName, report, {
+            deepTier: report.stats.deep?.tier || (options.pro ? 'deep' : 'lite'),
+            deepModel: report.stats.deep?.model,
+        });
+        await insertFindings(db, scanId, report.failures);
+        await db.close();
     }
     catch { /* silent */ }
 }

package/dist/commands/scan.js

@@ -58,6 +58,7 @@ export async function scanCommand(cwd, files = [], options = {}) {
         const deepOpts = isDeep ? buildDeepOpts(options, isSilent) : undefined;
         const report = await runner.run(cwd, files.length > 0 ? files : undefined, deepOpts);
         await writeReportArtifacts(cwd, report, scanCtx.config);
+        await writeLastScanJson(cwd, scanCtx, stackSignals, report, isDeep);
         persistDeepResults(cwd, report, isDeep, options);
         if (options.json) {
             outputJson(scanCtx, stackSignals, report);
@@ -73,6 +74,7 @@ export async function scanCommand(cwd, files = [], options = {}) {
         else {
             renderScanResults(report, stackSignals, scanCtx.config.output.report_path, cwd);
         }
+        renderSummaryTable(report, isDeep);
         process.exit(report.status === 'PASS' ? EXIT_PASS : EXIT_FAIL);
     }
     catch (error) {
@@ -298,3 +300,102 @@ export function extractHallucinatedImports(failures) {
     }
     return fakeImports;
 }
+/**
+ * Always write a comprehensive last-scan.json to .rigour/ for tooling and MCP consumption.
+ * This file is written regardless of --json, --ci, or --deep flags.
+ */
+async function writeLastScanJson(cwd, scanCtx, stackSignals, report, isDeep) {
+    const rigourDir = path.join(cwd, '.rigour');
+    await fs.ensureDir(rigourDir);
+    const lastScanPath = path.join(rigourDir, 'last-scan.json');
+    const severity = report.stats.severity_breakdown || {};
+    const provenance = report.stats.provenance_breakdown || {};
+    const payload = {
+        timestamp: new Date().toISOString(),
+        mode: scanCtx.mode,
+        preset: scanCtx.detectedPreset ?? scanCtx.config.preset,
+        paradigm: scanCtx.detectedParadigm ?? scanCtx.config.paradigm,
+        stack: stackSignals,
+        deep: isDeep,
+        status: report.status,
+        scores: {
+            overall: report.stats.score ?? 0,
+            ai_health: report.stats.ai_health_score ?? 0,
+            structural: report.stats.structural_score ?? 0,
+            code_quality: report.stats.code_quality_score ?? 0,
+        },
+        severity_breakdown: severity,
+        provenance_breakdown: provenance,
+        total_findings: report.failures.length,
+        duration_ms: report.stats.duration_ms,
+        deep_stats: report.stats.deep || null,
+        findings: report.failures.map(f => ({
+            id: f.id,
+            title: f.title,
+            severity: f.severity ?? 'medium',
+            provenance: f.provenance ?? 'traditional',
+            files: f.files || [],
+            line: f.line,
+            hint: f.hint,
+            category: f.category,
+            verified: f.verified,
+            confidence: f.confidence,
+        })),
+    };
+    await fs.writeJson(lastScanPath, payload, { spaces: 2 });
+}
+/**
+ * Render a compact summary table to the terminal after main scan output.
+ * Shows findings grouped by gate and provenance — always printed regardless of deep/standard mode.
+ */
+function renderSummaryTable(report, isDeep) {
+    if (report.failures.length === 0)
+        return;
+    console.log('');
+    console.log(chalk.bold.underline('Summary by Gate'));
+    console.log('');
+    // Group failures by gate ID
+    const byGate = new Map();
+    for (const f of report.failures) {
+        const existing = byGate.get(f.id) || { count: 0, critical: 0, high: 0, medium: 0, low: 0, provenance: f.provenance || 'traditional' };
+        existing.count++;
+        const sev = f.severity ?? 'medium';
+        if (sev === 'critical')
+            existing.critical++;
+        else if (sev === 'high')
+            existing.high++;
+        else if (sev === 'medium')
+            existing.medium++;
+        else
+            existing.low++;
+        byGate.set(f.id, existing);
+    }
+    // Sort by total count descending
+    const sorted = [...byGate.entries()].sort((a, b) => b[1].count - a[1].count);
+    // Print header
+    const gateCol = 28;
+    const numCol = 6;
+    const header = `  ${'Gate'.padEnd(gateCol)} ${'Total'.padStart(numCol)} ${'Crit'.padStart(numCol)} ${'High'.padStart(numCol)} ${'Med'.padStart(numCol)} ${'Low'.padStart(numCol)}  Provenance`;
+    console.log(chalk.dim(header));
+    console.log(chalk.dim('  ' + '─'.repeat(header.length - 2)));
+    for (const [gateId, stats] of sorted) {
+        const provColor = stats.provenance === 'ai-drift' ? chalk.magenta
+            : stats.provenance === 'security' ? chalk.red
+                : stats.provenance === 'deep-analysis' ? chalk.blue
+                    : chalk.dim;
+        const critStr = stats.critical > 0 ? chalk.red.bold(String(stats.critical).padStart(numCol)) : chalk.dim(String(stats.critical).padStart(numCol));
+        const highStr = stats.high > 0 ? chalk.yellow(String(stats.high).padStart(numCol)) : chalk.dim(String(stats.high).padStart(numCol));
+        console.log(`  ${gateId.padEnd(gateCol)} ${String(stats.count).padStart(numCol)} ${critStr} ${highStr} ${chalk.dim(String(stats.medium).padStart(numCol))} ${chalk.dim(String(stats.low).padStart(numCol))}  ${provColor(stats.provenance)}`);
+    }
+    // Totals row
+    const totals = sorted.reduce((acc, [, s]) => ({
+        count: acc.count + s.count,
+        critical: acc.critical + s.critical,
+        high: acc.high + s.high,
+        medium: acc.medium + s.medium,
+        low: acc.low + s.low,
+    }), { count: 0, critical: 0, high: 0, medium: 0, low: 0 });
+    console.log(chalk.dim('  ' + '─'.repeat(header.length - 2)));
+    console.log(chalk.bold(`  ${'TOTAL'.padEnd(gateCol)} ${String(totals.count).padStart(numCol)} ${String(totals.critical).padStart(numCol)} ${String(totals.high).padStart(numCol)} ${String(totals.medium).padStart(numCol)} ${String(totals.low).padStart(numCol)}`));
+    console.log(chalk.dim(`\n  Details saved to: .rigour/last-scan.json`));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/cli",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "CLI quality gates for AI-generated code. Forces AI agents (Claude, Cursor, Copilot) to meet strict engineering standards with PASS/FAIL enforcement.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -44,7 +44,7 @@
     "inquirer": "9.2.16",
     "ora": "^8.0.1",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "5.0.0"
+    "@rigour-labs/core": "5.1.0"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",