@whitehatd/crag 0.2.2 → 0.2.4

package/src/commands/analyze.js

@@ -5,14 +5,33 @@ const fs = require('fs');
 const path = require('path');
 const { detectWorkspace } = require('../workspace/detect');
 const { enumerateMembers } = require('../workspace/enumerate');
+const { isGateCommand } = require('../governance/yaml-run');
+const { cliWarn, cliError, EXIT_INTERNAL } = require('../cli-errors');
+const { detectStack } = require('../analyze/stacks');
+const { inferGates } = require('../analyze/gates');
+const { normalizeCiGates } = require('../analyze/normalize');
+const { extractCiCommands } = require('../analyze/ci-extractors');
+const { mineTaskTargets } = require('../analyze/task-runners');
+const { mineDocGates } = require('../analyze/doc-mining');
+
+// Directories commonly used for test fixtures and examples in workspaces.
+// When analyze auto-wires to workspace detection, these are excluded from
+// member enumeration so we don't emit 79 per-fixture sections for vite.
+const FIXTURE_DIR_PATTERNS = [
+  /^playground$/,
+  /^fixtures$/,
+  /^examples?$/,
+  /^demos?$/,
+  /^test-fixtures$/,
+  /^__fixtures__$/,
+];
 
 /**
  * crag analyze — generate governance.md from existing project without interview.
- * Reads CI configs, package manifests, linter configs, git history.
  */
 function analyze(args) {
   const dryRun = args.includes('--dry-run');
-  const workspace = args.includes('--workspace');
+  const workspaceFlag = args.includes('--workspace');
   const merge = args.includes('--merge');
   const cwd = process.cwd();
 
@@ -20,17 +39,26 @@ function analyze(args) {
 
   const analysis = analyzeProject(cwd);
 
-  if (workspace) {
-    const ws = detectWorkspace(cwd);
-    if (ws.type !== 'none') {
-      const members = enumerateMembers(ws);
-      console.log(`  Workspace detected: ${ws.type} (${members.length} members)\n`);
+  // Workspace detection always runs. If a workspace is detected, we either:
+  //   (a) emit per-member sections when --workspace is passed, OR
+  //   (b) print a hint so the user knows to opt in.
+  const ws = detectWorkspace(cwd);
+  if (ws.type !== 'none') {
+    analysis.workspaceType = ws.type;
+    if (workspaceFlag) {
+      const members = filterFixtureMembers(enumerateMembers(ws));
+      console.log(`  Workspace detected: ${ws.type} (${members.length} real members after fixture filter)\n`);
       analysis.workspace = { type: ws.type, members: [] };
-
       for (const member of members) {
         const memberAnalysis = analyzeProject(member.path);
-        analysis.workspace.members.push({ name: member.name, ...memberAnalysis });
+        analysis.workspace.members.push({
+          name: member.name,
+          relativePath: member.relativePath,
+          ...memberAnalysis,
+        });
       }
+    } else {
+      console.log(`  Workspace detected: ${ws.type}. Pass --workspace for per-member gates.\n`);
     }
   }
 
@@ -45,21 +73,29 @@ function analyze(args) {
 
   const govPath = path.join(cwd, '.claude', 'governance.md');
   const govDir = path.dirname(govPath);
-  if (!fs.existsSync(govDir)) fs.mkdirSync(govDir, { recursive: true });
-
-  if (fs.existsSync(govPath) && !merge) {
-    const backupPath = govPath + '.bak.' + Date.now();
-    fs.copyFileSync(govPath, backupPath);
-    console.log(`  Backed up existing governance to ${path.basename(backupPath)}`);
-  }
+  try {
+    if (!fs.existsSync(govDir)) fs.mkdirSync(govDir, { recursive: true });
+
+    if (fs.existsSync(govPath) && !merge) {
+      const backupPath = govPath + '.bak.' + Date.now();
+      try {
+        fs.copyFileSync(govPath, backupPath);
+        console.log(`  Backed up existing governance to ${path.basename(backupPath)}`);
+      } catch (err) {
+        cliWarn(`could not create backup (continuing anyway): ${err.message}`);
+      }
+    }
 
-  if (merge && fs.existsSync(govPath)) {
-    console.log('  Merge mode: preserving existing governance, appending new gates');
-    const existing = fs.readFileSync(govPath, 'utf-8');
-    const mergedContent = mergeWithExisting(existing, governance);
-    fs.writeFileSync(govPath, mergedContent);
-  } else {
-    fs.writeFileSync(govPath, governance);
+    if (merge && fs.existsSync(govPath)) {
+      console.log('  Merge mode: preserving existing governance, appending new gates');
+      const existing = fs.readFileSync(govPath, 'utf-8');
+      const mergedContent = mergeWithExisting(existing, governance);
+      fs.writeFileSync(govPath, mergedContent);
+    } else {
+      fs.writeFileSync(govPath, governance);
+    }
+  } catch (err) {
+    cliError(`failed to write ${path.relative(cwd, govPath)}: ${err.message}`, EXIT_INTERNAL);
   }
 
   console.log(`  \x1b[32m✓\x1b[0m Generated ${path.relative(cwd, govPath)}`);
@@ -67,12 +103,23 @@ function analyze(args) {
   console.log(`  Run 'crag check' to verify infrastructure.\n`);
 }
 
+/**
+ * Filter out test fixture directories from workspace member lists.
+ * These directories (playground/, fixtures/, etc.) contain dozens of one-off
+ * test setups that should not each get their own governance section.
+ */
+function filterFixtureMembers(members) {
+  return members.filter(m => {
+    const parts = m.relativePath.split(/[\\/]/);
+    return !parts.some(p => FIXTURE_DIR_PATTERNS.some(rx => rx.test(p)));
+  });
+}
+
 function analyzeProject(dir) {
   const result = {
     name: path.basename(dir),
     description: '',
     stack: [],
-    gates: [],
     linters: [],
     formatters: [],
     testers: [],
@@ -82,218 +129,116 @@ function analyzeProject(dir) {
     deployment: [],
     ci: null,
     ciGates: [],
+    advisories: [],
+    docGates: [],
+    taskTargets: { make: [], task: [], just: [] },
   };
 
-  // Detect stack from manifests
+  // Stack detection (languages, frameworks, package managers)
   detectStack(dir, result);
 
-  // Extract gates from CI
-  extractCIGates(dir, result);
+  // CI system detection + raw command extraction (all supported CI systems)
+  const ci = extractCiCommands(dir);
+  result.ci = ci.system;
+  result.ciGates = normalizeCiGates(ci.commands.filter(c => isGateCommand(c)));
+
+  // Task runner target mining
+  result.taskTargets = mineTaskTargets(dir);
 
-  // Extract gates from package.json scripts
-  extractPackageScripts(dir, result);
+  // Gate inference per language/runtime (consumes _manifests)
+  inferGates(dir, result);
 
-  // Detect linters
-  detectLinters(dir, result);
+  // Emit explicit gates for mined task targets
+  emitTaskRunnerGates(result);
 
-  // Detect deployment
+  // Documentation-based gate mining (advisory)
+  result.docGates = mineDocGates(dir);
+
+  // Legacy deployment detection
   detectDeployment(dir, result);
 
-  // Infer branch strategy and commit convention from git
+  // Git-derived branch strategy + commit convention
   inferGitPatterns(dir, result);
 
-  return result;
-}
-
-function detectStack(dir, result) {
-  if (fs.existsSync(path.join(dir, 'package.json'))) {
-    result.stack.push('node');
-    try {
-      const pkg = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf-8'));
-      result.name = pkg.name || result.name;
-      result.description = pkg.description || '';
-
-      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
-      if (deps.next) result.stack.push('next.js');
-      if (deps.react && !deps.next) result.stack.push('react');
-      if (deps.vue) result.stack.push('vue');
-      if (deps.svelte) result.stack.push('svelte');
-      if (deps.express) result.stack.push('express');
-      if (deps.fastify) result.stack.push('fastify');
-      if (deps.typescript) result.stack.push('typescript');
-    } catch { /* skip */ }
+  // Carry advisories collected during gate inference (hadolint, actionlint)
+  if (result._advisories) {
+    result.advisories.push(...result._advisories);
+    delete result._advisories;
   }
-  if (fs.existsSync(path.join(dir, 'Cargo.toml'))) result.stack.push('rust');
-  if (fs.existsSync(path.join(dir, 'go.mod'))) result.stack.push('go');
-  if (fs.existsSync(path.join(dir, 'pyproject.toml')) || fs.existsSync(path.join(dir, 'setup.py'))) result.stack.push('python');
-  if (fs.existsSync(path.join(dir, 'build.gradle.kts')) || fs.existsSync(path.join(dir, 'build.gradle'))) result.stack.push('java/gradle');
-  if (fs.existsSync(path.join(dir, 'pom.xml'))) result.stack.push('java/maven');
-  if (fs.existsSync(path.join(dir, 'Dockerfile'))) result.stack.push('docker');
-}
+  // Drop the internal manifests attachment before returning
+  delete result._manifests;
 
-function extractCIGates(dir, result) {
-  // GitHub Actions
-  const workflowDir = path.join(dir, '.github', 'workflows');
-  if (fs.existsSync(workflowDir)) {
-    result.ci = 'github-actions';
-    try {
-      // Walk workflow dir recursively to catch nested workflows
-      const walk = (d) => {
-        const out = [];
-        for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
-          const full = path.join(d, entry.name);
-          if (entry.isDirectory()) out.push(...walk(full));
-          else if (entry.name.endsWith('.yml') || entry.name.endsWith('.yaml')) out.push(full);
-        }
-        return out;
-      };
-      for (const file of walk(workflowDir)) {
-        const content = fs.readFileSync(file, 'utf-8');
-        for (const cmd of extractRunCommands(content)) {
-          if (isGateCommand(cmd)) result.ciGates.push(cmd);
-        }
-      }
-    } catch { /* skip */ }
-  }
+  return result;
+}
 
-  // GitLab CI
-  if (fs.existsSync(path.join(dir, '.gitlab-ci.yml'))) {
-    result.ci = 'gitlab-ci';
+function emitTaskRunnerGates(result) {
+  const { make, task, just } = result.taskTargets;
+  for (const target of make) {
+    // Canonical gate name: use `make X` literally
+    const cmd = `make ${target}`;
+    if (isTestTarget(target)) addUnique(result.testers, cmd);
+    else if (isLintTarget(target)) addUnique(result.linters, cmd);
+    else if (isBuildTarget(target)) addUnique(result.builders, cmd);
   }
-
-  // Jenkins
-  if (fs.existsSync(path.join(dir, 'Jenkinsfile'))) {
-    result.ci = 'jenkins';
+  for (const target of task) {
+    const cmd = `task ${target}`;
+    if (isTestTarget(target)) addUnique(result.testers, cmd);
+    else if (isLintTarget(target)) addUnique(result.linters, cmd);
+    else if (isBuildTarget(target)) addUnique(result.builders, cmd);
   }
-}
-
-/**
- * Extract commands from YAML `run:` steps, handling both inline and block-scalar forms:
- *   run: npm test
- *   run: |
- *     npm test
- *     npm build
- *   run: >-
- *     npm test
- */
-function extractRunCommands(content) {
-  const commands = [];
-  const lines = content.split(/\r?\n/);
-
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i];
-    const m = line.match(/^(\s*)-?\s*run:\s*(.*)$/);
-    if (!m) continue;
-
-    const baseIndent = m[1].length;
-    const rest = m[2].trim();
-
-    // Block scalar: | or |- or |+ or > or >- or >+
-    if (/^[|>][+-]?\s*$/.test(rest)) {
-      // Collect following lines with greater indent
-      const blockLines = [];
-      for (let j = i + 1; j < lines.length; j++) {
-        const ln = lines[j];
-        if (ln.trim() === '') { blockLines.push(''); continue; }
-        const indentMatch = ln.match(/^(\s*)/);
-        if (indentMatch[1].length <= baseIndent) break;
-        blockLines.push(ln.slice(baseIndent + 2));
-      }
-      for (const bl of blockLines) {
-        const trimmed = bl.trim();
-        if (trimmed && !trimmed.startsWith('#')) commands.push(trimmed);
-      }
-    } else if (rest && !rest.startsWith('#')) {
-      // Inline: remove surrounding quotes if any
-      commands.push(rest.replace(/^["']|["']$/g, ''));
-    }
+  for (const target of just) {
+    const cmd = `just ${target}`;
+    if (isTestTarget(target)) addUnique(result.testers, cmd);
+    else if (isLintTarget(target)) addUnique(result.linters, cmd);
+    else if (isBuildTarget(target)) addUnique(result.builders, cmd);
   }
-
-  return commands;
 }
 
-function extractPackageScripts(dir, result) {
-  const pkgPath = path.join(dir, 'package.json');
-  if (!fs.existsSync(pkgPath)) return;
-
-  try {
-    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
-    const scripts = pkg.scripts || {};
-
-    const scriptMap = {
-      test: 'testers',
-      lint: 'linters',
-      build: 'builders',
-      format: 'formatters',
-      typecheck: 'builders',
-      check: 'linters',
-    };
-
-    for (const [key, category] of Object.entries(scriptMap)) {
-      if (scripts[key]) {
-        result[category].push(`npm run ${key}`);
-      }
-    }
-
-    // Also check for specific patterns
-    if (scripts['lint:fix']) result.formatters.push('npm run lint:fix');
-    if (scripts['format:check']) result.linters.push('npm run format:check');
-  } catch { /* skip */ }
+function addUnique(arr, item) {
+  if (!arr.includes(item)) arr.push(item);
 }
 
-function detectLinters(dir, result) {
-  const linterConfigs = [
-    ['.eslintrc', 'eslint'], ['.eslintrc.js', 'eslint'], ['.eslintrc.json', 'eslint'], ['.eslintrc.cjs', 'eslint'],
-    ['eslint.config.js', 'eslint'], ['eslint.config.mjs', 'eslint'], ['eslint.config.cjs', 'eslint'],
-    ['biome.json', 'biome'], ['biome.jsonc', 'biome'],
-    ['.prettierrc', 'prettier'], ['.prettierrc.js', 'prettier'], ['.prettierrc.json', 'prettier'],
-    ['prettier.config.js', 'prettier'], ['prettier.config.mjs', 'prettier'],
-    ['ruff.toml', 'ruff'], ['.ruff.toml', 'ruff'],
-    ['clippy.toml', 'clippy'], ['.clippy.toml', 'clippy'],
-    ['rustfmt.toml', 'rustfmt'], ['.rustfmt.toml', 'rustfmt'],
-    ['tsconfig.json', 'typescript'],
-    ['.mypy.ini', 'mypy'], ['mypy.ini', 'mypy'],
-  ];
-
-  for (const [file, tool] of linterConfigs) {
-    if (fs.existsSync(path.join(dir, file))) {
-      if (!result.linters.includes(tool)) result.linters.push(tool);
-    }
-  }
-
-  // Build/task file detection
-  const taskFiles = ['Makefile', 'Taskfile.yml', 'justfile'];
-  for (const file of taskFiles) {
-    if (fs.existsSync(path.join(dir, file))) {
-      result.builders.push(`${file} detected`);
-    }
-  }
-}
+const TEST_TARGETS = new Set(['test', 'tests', 'spec', 'check', 'ci', 'verify', 'validate']);
+const LINT_TARGETS = new Set(['lint', 'format', 'fmt', 'style', 'typecheck', 'type-check', 'types']);
+const BUILD_TARGETS = new Set(['build', 'compile']);
+const isTestTarget = (t) => TEST_TARGETS.has(t);
+const isLintTarget = (t) => LINT_TARGETS.has(t);
+const isBuildTarget = (t) => BUILD_TARGETS.has(t);
 
 function detectDeployment(dir, result) {
   if (fs.existsSync(path.join(dir, 'Dockerfile'))) result.deployment.push('docker');
-  if (fs.existsSync(path.join(dir, 'docker-compose.yml')) || fs.existsSync(path.join(dir, 'docker-compose.yaml'))) result.deployment.push('docker-compose');
+  if (fs.existsSync(path.join(dir, 'docker-compose.yml')) ||
+      fs.existsSync(path.join(dir, 'docker-compose.yaml')) ||
+      fs.existsSync(path.join(dir, 'compose.yml')) ||
+      fs.existsSync(path.join(dir, 'compose.yaml'))) result.deployment.push('docker-compose');
   if (fs.existsSync(path.join(dir, 'vercel.json')) || fs.existsSync(path.join(dir, '.vercel'))) result.deployment.push('vercel');
   if (fs.existsSync(path.join(dir, 'fly.toml'))) result.deployment.push('fly.io');
   if (fs.existsSync(path.join(dir, 'netlify.toml'))) result.deployment.push('netlify');
   if (fs.existsSync(path.join(dir, 'render.yaml'))) result.deployment.push('render');
+  if (fs.existsSync(path.join(dir, 'railway.json')) || fs.existsSync(path.join(dir, 'railway.toml'))) result.deployment.push('railway');
+  if (fs.existsSync(path.join(dir, 'wrangler.toml'))) result.deployment.push('cloudflare-workers');
+  if (fs.existsSync(path.join(dir, 'app.yaml'))) result.deployment.push('gcp-app-engine');
+  if (fs.existsSync(path.join(dir, 'serverless.yml')) || fs.existsSync(path.join(dir, 'serverless.yaml'))) result.deployment.push('serverless-framework');
+  if (fs.existsSync(path.join(dir, 'template.yaml')) || fs.existsSync(path.join(dir, 'template.yml'))) result.deployment.push('aws-sam');
 
-  // Kubernetes
   try {
     const entries = fs.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {
-      if (entry.isDirectory() && (entry.name === 'k8s' || entry.name === 'kubernetes' || entry.name === 'deploy')) {
+      if (entry.isDirectory() && (entry.name === 'k8s' || entry.name === 'kubernetes' || entry.name === 'deploy' || entry.name === 'manifests')) {
         result.deployment.push('kubernetes');
         break;
       }
     }
   } catch { /* skip */ }
 
-  // Terraform
   try {
     const entries = fs.readdirSync(dir);
     if (entries.some(f => f.endsWith('.tf'))) result.deployment.push('terraform');
   } catch { /* skip */ }
+
+  if (fs.existsSync(path.join(dir, 'Chart.yaml'))) result.deployment.push('helm');
+  if (fs.existsSync(path.join(dir, 'Pulumi.yaml')) || fs.existsSync(path.join(dir, 'Pulumi.yml'))) result.deployment.push('pulumi');
+  if (fs.existsSync(path.join(dir, 'ansible.cfg'))) result.deployment.push('ansible');
 }
 
 function inferGitPatterns(dir, result) {
@@ -301,67 +246,43 @@ function inferGitPatterns(dir, result) {
     const log = execSync('git log --oneline --all -50', { cwd: dir, encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] });
     const lines = log.trim().split('\n');
 
-    // Detect conventional commits
     const conventional = lines.filter(l => /\b(feat|fix|docs|chore|style|refactor|test|build|ci|perf|revert)[\(:!]/.test(l));
     result.commitConvention = conventional.length > lines.length * 0.3 ? 'conventional' : 'free-form';
 
-    // Detect branch strategy
     const branches = execSync('git branch -a --format="%(refname:short)"', { cwd: dir, encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] });
     const branchList = branches.trim().split('\n');
     const featureBranches = branchList.filter(b => /^(feat|fix|docs|chore|feature|hotfix|release)\//.test(b));
     result.branchStrategy = featureBranches.length > 2 ? 'feature-branches' : 'trunk-based';
-  } catch {
+  } catch (err) {
+    if (err && err.code !== 'ENOENT') {
+      cliWarn(`could not detect git patterns in ${path.basename(dir)}: ${err.message}`);
+    }
     result.branchStrategy = 'unknown';
     result.commitConvention = 'unknown';
   }
 }
 
-function isGateCommand(cmd) {
-  const gatePatterns = [
-    /npm (run |ci|test|install)/, /npx /, /node /,
-    /cargo (test|build|check|clippy)/, /rustfmt/,
-    /go (test|build|vet)/, /golangci-lint/,
-    /pytest/, /python -m/, /ruff/, /mypy/, /flake8/,
-    /gradle/, /mvn /, /maven/,
-    /eslint/, /biome/, /prettier/, /tsc/,
-    /docker (build|compose)/, /make /, /just /,
-  ];
-  return gatePatterns.some(p => p.test(cmd));
-}
-
 function generateGovernance(analysis, cwd) {
   const sections = [];
 
-  // Identity
   sections.push(`# Governance — ${analysis.name}`);
   sections.push(`# Inferred by crag analyze — review and adjust as needed\n`);
   sections.push('## Identity');
   sections.push(`- Project: ${analysis.name}`);
   if (analysis.description) sections.push(`- Description: ${analysis.description}`);
   sections.push(`- Stack: ${analysis.stack.join(', ') || 'unknown'}`);
+  if (analysis.workspaceType) sections.push(`- Workspace: ${analysis.workspaceType}`);
   sections.push('');
 
-  // Gates
   sections.push('## Gates (run in order, stop on failure)');
 
-  // Group gates by type
   const allGates = new Set();
 
-  // From linters
+  // Lint
   if (analysis.linters.length > 0) {
     sections.push('### Lint');
-    for (const linter of analysis.linters) {
-      let cmd;
-      switch (linter) {
-        case 'eslint': cmd = 'npx eslint . --max-warnings 0'; break;
-        case 'biome': cmd = 'npx biome check .'; break;
-        case 'ruff': cmd = 'ruff check .'; break;
-        case 'clippy': cmd = 'cargo clippy -- -D warnings'; break;
-        case 'mypy': cmd = 'mypy .'; break;
-        case 'typescript': cmd = 'npx tsc --noEmit'; break;
-        default: cmd = null;
-      }
-      if (cmd && !allGates.has(cmd)) {
+    for (const cmd of analysis.linters) {
+      if (!allGates.has(cmd)) {
         sections.push(`- ${cmd}`);
         allGates.add(cmd);
       }
@@ -369,73 +290,73 @@ function generateGovernance(analysis, cwd) {
     sections.push('');
   }
 
-  // From testers
+  // Test
   if (analysis.testers.length > 0) {
     sections.push('### Test');
-    for (const tester of analysis.testers) {
-      if (!allGates.has(tester)) {
-        sections.push(`- ${tester}`);
-        allGates.add(tester);
+    for (const cmd of analysis.testers) {
+      if (!allGates.has(cmd)) {
+        sections.push(`- ${cmd}`);
+        allGates.add(cmd);
       }
     }
     sections.push('');
   }
 
-  // From builders
+  // Build
   if (analysis.builders.length > 0) {
     sections.push('### Build');
-    for (const builder of analysis.builders) {
-      if (!builder.includes('detected') && !allGates.has(builder)) {
-        sections.push(`- ${builder}`);
-        allGates.add(builder);
+    for (const cmd of analysis.builders) {
+      if (!allGates.has(cmd)) {
+        sections.push(`- ${cmd}`);
+        allGates.add(cmd);
       }
     }
     sections.push('');
   }
 
-  // From CI gates (if not already covered)
+  // CI — only include gates not already captured by language inference
   const uniqueCiGates = analysis.ciGates.filter(g => !allGates.has(g));
   if (uniqueCiGates.length > 0) {
     sections.push('### CI (inferred from workflow)');
     for (const gate of uniqueCiGates) {
       sections.push(`- ${gate}`);
+      allGates.add(gate);
     }
     sections.push('');
   }
 
-  // Rust-specific gates
-  if (analysis.stack.includes('rust')) {
-    if (!allGates.has('cargo test')) {
-      sections.push('### Rust');
-      sections.push('- cargo test');
-      sections.push('- cargo clippy -- -D warnings');
-      sections.push('');
+  // Documentation-derived gates (advisory — need user confirmation)
+  const newDocGates = (analysis.docGates || [])
+    .filter(g => !allGates.has(g.command));
+  if (newDocGates.length > 0) {
+    sections.push('### Contributor docs (ADVISORY — confirm before enforcing)');
+    for (const { command, source } of newDocGates) {
+      sections.push(`- ${command}  # from ${source}`);
+      allGates.add(command);
     }
+    sections.push('');
   }
 
-  // Go-specific gates
-  if (analysis.stack.includes('go')) {
-    if (!allGates.has('go test ./...')) {
-      sections.push('### Go');
-      sections.push('- go test ./...');
-      sections.push('- go vet ./...');
+  // Workspace members — per-member gates
+  if (analysis.workspace && analysis.workspace.members.length > 0) {
+    for (const member of analysis.workspace.members) {
+      if (member.linters.length === 0 && member.testers.length === 0 && member.builders.length === 0) continue;
+      const pathAnnotation = member.relativePath ? ` (path: ${member.relativePath.replace(/\\/g, '/')})` : '';
+      sections.push(`### ${member.name}${pathAnnotation}`);
+      for (const cmd of [...member.linters, ...member.testers, ...member.builders]) {
+        sections.push(`- ${cmd}`);
+      }
       sections.push('');
     }
   }
 
-  // Node.js syntax check for CLI projects
-  if (analysis.stack.includes('node') && !analysis.stack.includes('next.js') && !analysis.stack.includes('react')) {
-    try {
-      const pkg = JSON.parse(fs.readFileSync(path.join(cwd, 'package.json'), 'utf-8'));
-      if (pkg.bin) {
-        const binFiles = typeof pkg.bin === 'string' ? [pkg.bin] : Object.values(pkg.bin);
-        sections.push('### Syntax');
-        for (const bin of binFiles) {
-          sections.push(`- node --check ${bin}`);
-        }
-        sections.push('');
-      }
-    } catch { /* skip */ }
+  // Advisories
+  if (analysis.advisories && analysis.advisories.length > 0) {
+    sections.push('## Advisories (informational, not enforced)');
+    for (const a of analysis.advisories) {
+      sections.push(`- ${a}  # [ADVISORY]`);
+    }
+    sections.push('');
   }
 
   // Branch Strategy
@@ -458,7 +379,7 @@ function generateGovernance(analysis, cwd) {
   // Deployment
   if (analysis.deployment.length > 0) {
     sections.push('## Deployment');
-    sections.push(`- Target: ${analysis.deployment.join(', ')}`);
+    sections.push(`- Target: ${[...new Set(analysis.deployment)].join(', ')}`);
     if (analysis.ci) sections.push(`- CI: ${analysis.ci}`);
     sections.push('');
   }
@@ -467,15 +388,11 @@ function generateGovernance(analysis, cwd) {
 }
 
 function mergeWithExisting(existing, generated) {
-  // Simple merge: keep existing content, append new sections that don't exist
   const existingSections = new Set();
   for (const match of existing.matchAll(/^## (.+)$/gm)) {
     existingSections.add(match[1].trim().toLowerCase());
   }
 
-  // Walk the generated file and collect new sections in their original order.
-  // Each new section becomes a self-contained block: the heading line plus all
-  // following lines until the next heading or EOF.
   const newBlocks = [];
   const genLines = generated.split('\n');
   let currentBlock = null;
@@ -484,11 +401,9 @@ function mergeWithExisting(existing, generated) {
   for (const line of genLines) {
     const sectionMatch = line.match(/^## (.+)$/);
     if (sectionMatch) {
-      // Flush previous block if it was new
       if (currentBlock && blockIsNew) {
         newBlocks.push(currentBlock.trimEnd());
       }
-      // Start new block
       const section = sectionMatch[1].trim().toLowerCase();
       blockIsNew = !existingSections.has(section);
       currentBlock = blockIsNew ? line + '\n' : null;
@@ -496,7 +411,6 @@ function mergeWithExisting(existing, generated) {
       currentBlock += line + '\n';
     }
   }
-  // Flush final block
   if (currentBlock && blockIsNew) {
     newBlocks.push(currentBlock.trimEnd());
   }