
Releases: mraml/nod

v2.2.0: Reality Checks, Schema Export & CI Templates

04 Feb 02:14
dbeb3c1


🚀 Major Features

🕵️ Code-to-Spec Verification (Drift Detection)

nod now goes beyond just checking your documentation. With Reality Checks, the scanner verifies that claims made in your spec (e.g., "Database: Postgres") are actually reflected in your implementation code (e.g., requirements.txt or Dockerfile).

  • New Rule Type: Define reality_checks in your YAML profiles to regex-match implementation files against spec values.
  • Drift Reporting: New CLI section explicitly flags "Potential Code Contradictions."
  • SARIF Updates: Drift failures are tagged as contradiction for security dashboard integration.
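To make the drift mechanism concrete, here is an added example (written for this page, not nod's own code) of a spec-to-implementation check in the spirit of reality_checks: a rule extracts a claimed value from the spec with one regex and requires a second regex to hit in a named implementation file, emitting a SARIF-style result tagged contradiction when it does not. The rule keys (spec_pattern, targets, expect), the tool name, and the sample spec, requirements.txt and Dockerfile contents are all assumptions for illustration; nod's actual YAML schema may differ.

```python
"""Added example: spec-vs-implementation drift check (not nod's own code).

A reality check pairs a regex that captures a claimed value from the spec with,
per value, a regex that must appear in an implementation file. The rule shape
and every document below are constructed for illustration.
"""
import re

# Constructed spec and implementation files (assumed content, not from the page).
SPEC = """# Architecture
Database: Postgres
Language: Python 3.12
"""
REQUIREMENTS = "fastapi==0.110.0\npymysql==1.1.0\n"   # no Postgres driver: drift
DOCKERFILE = "FROM python:3.12-slim\nCOPY . /app\n"   # matches the spec claim

# Hypothetical rule shape: spec_pattern captures the claim; expect maps each
# possible claimed value to the pattern that must hit in every target file.
REALITY_CHECKS = [
    {
        "id": "db-matches-deps",
        "spec_pattern": r"^Database:\s*(?P<value>\w+)",
        "targets": {"requirements.txt": REQUIREMENTS},
        "expect": {"Postgres": r"^(psycopg|psycopg2|asyncpg)"},
    },
    {
        "id": "python-version-matches-image",
        "spec_pattern": r"^Language:\s*Python\s+(?P<value>\d+\.\d+)",
        "targets": {"Dockerfile": DOCKERFILE},
        "expect": {"3.12": r"^FROM python:3\.12"},
    },
]


def run_reality_checks(spec: str, rules: list) -> list:
    """Return one finding per contradicted claim; an empty list means no drift."""
    findings = []
    for rule in rules:
        m = re.search(rule["spec_pattern"], spec, re.MULTILINE)
        if not m:
            continue  # claim absent from the spec: a doc gap, not a contradiction
        value = m.group("value")
        impl_pattern = rule["expect"].get(value)
        if impl_pattern is None:
            continue  # the rule states no expectation for this value
        for filename, text in rule["targets"].items():
            if not re.search(impl_pattern, text, re.MULTILINE | re.IGNORECASE):
                findings.append({
                    "ruleId": rule["id"],
                    "claim": value,
                    "file": filename,
                    "tags": ["contradiction"],  # the tag the notes say SARIF output carries
                })
    return findings


def to_sarif(findings: list) -> dict:
    """Minimal SARIF 2.1.0 envelope with only the fields a dashboard needs to triage."""
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "reality-check-example"}},  # assumed tool name
            "results": [{
                "ruleId": f["ruleId"],
                "level": "error",
                "message": {"text": f"Spec claims '{f['claim']}' but {f['file']} does not reflect it."},
                "properties": {"tags": f["tags"]},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["file"]}}}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(to_sarif(run_reality_checks(SPEC, REALITY_CHECKS)), indent=2))
```

Note that an absent claim is deliberately not reported here: a missing "Database:" line is a documentation gap for the ordinary rules to catch, while a reality check only fires when the spec says one thing and the code says another.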

🔗 JSON Schema Export

Enables better integration with GRC tools and policy validators: you can now export your loaded ruleset as a standard JSON Schema (Draft-07).

  • Usage: nod --export schema
  • Allows external tools to validate their policy definitions against nod's expectations.

👷 Native CI/CD Templates

We've added a new templates/ directory containing drop-in configurations for major CI providers, expanding support beyond GitHub Actions:

  • GitLab CI: templates/.gitlab-ci.yml
  • Azure Pipelines: templates/azure-pipelines.yml

🛠️ CLI & UX Improvements

  • --save-to <file>: Save reports directly to a file via arguments (cleaner than shell redirection).
  • --quiet (-q): Silent mode suppresses banner art and non-error logs (ideal for CI).
  • Registry Shorthand: Use --rules registry:owasp-llm to fetch rules directly from the official library without full URLs.

🧹 Maintenance & Quality

  • PEP 8 Compliance: Extensive refactoring of the Scanner engine for standard Python code style.
  • Documentation: Added comprehensive docstrings to core classes and updated the README with advanced rule logic examples.

Release v2.1.0: Stability & Security Hardening

22 Jan 22:37
e5afb5b



This release focuses on critical engineering improvements to ensure nod works seamlessly in real-world environments. It addresses key issues with PyPI distribution, large repository performance, and JSON validation logic, while introducing a formal test suite.

🔴 Critical Fixes

  • Fixed "Broken Pip" Installation: Added MANIFEST.in and updated the configuration loader to correctly bundle and locate the default rule packs (defaults/*.yaml). Installing via pip install nod-linter now works out-of-the-box.
  • Smart File Ignoring:
    • Implemented fnmatch support for .nodignore.
    • Added default exclusions for performance-killing directories like node_modules, venv, __pycache__, dist, and build.
  • JSON Validation Logic:
    • Fixed a logic flaw where distributed JSON specs were aggregated into text blobs, breaking deep validation. The scanner now correctly parses JSON files individually to support must_match field validation.

🛡️ Security Hardening

  • High-Fidelity Secret Detection: Updated the security_baseline profile, replacing the generic "hardcoded credential" placeholder with specific regex patterns that detect:
    • AWS Access Keys (AKIA...)
    • OpenAI Secret Keys (sk-...)
    • Private Key blocks (-----BEGIN PRIVATE KEY-----)
    • Generic credential assignments (password = "...")
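As an added example (not nod's code and not its security_baseline profile), the following Python shows the two scanner pieces from this release working together: a .nodignore parsed as fnmatch globs on top of the default directory exclusions, and the four secret classes listed above as regexes run over constructed sample lines. The patterns are my own approximations of those classes, the sample credentials are fake (the AWS key is the placeholder from AWS's own documentation), and the ignore-file contents are assumed.

```python
"""Added example: secret-pattern scan with .nodignore-style excludes (not nod's code).

Patterns approximate the four classes named in the release notes; the sample
files, the ignore globs and the credentials are all constructed.
"""
import fnmatch
import re

# Hypothetical .nodignore: one fnmatch glob per line, '#' comments allowed.
NODIGNORE = """
# vendored and generated code
tests/fixtures/*.pem
"""

# Mirrors the "performance-killing" directories the notes say are excluded by default.
DEFAULT_EXCLUDES = ("node_modules/*", "venv/*", "*/__pycache__/*", "dist/*", "build/*")

SECRET_PATTERNS = {
    # AWS access key IDs: AKIA followed by 16 uppercase alphanumerics.
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # OpenAI-style secret keys: sk- and a long alphanumeric tail.
    "openai-secret-key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    # PEM private key headers, including the RSA/EC/OPENSSH variants.
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # Keyword assignment of a quoted literal of at least 8 characters.
    "credential-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api_key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def load_ignore_globs(text: str) -> list:
    """Parse .nodignore: blank lines and '#' comments are skipped."""
    globs = [ln.strip() for ln in text.splitlines()]
    return [g for g in globs if g and not g.startswith("#")]


def is_ignored(path: str, globs: list) -> bool:
    """True if the path matches a user glob or one of the built-in excludes."""
    return any(fnmatch.fnmatchcase(path, g) for g in list(globs) + list(DEFAULT_EXCLUDES))


def scan_lines(path: str, lines: list, globs: list) -> list:
    """Return (path, line_no, pattern_id) hits; an ignored path yields none."""
    if is_ignored(path, globs):
        return []
    hits = []
    for n, line in enumerate(lines, start=1):
        for pid, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((path, n, pid))
    return hits


# Constructed sample repository (fake credentials, not real secrets).
SAMPLE_FILES = {
    "src/settings.py": [
        'DB_PASSWORD = "hunter2hunter2"',
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',   # AWS documentation placeholder key
        "DEBUG = True",
    ],
    "src/llm.py": ['client = OpenAI(api_key="sk-' + "A" * 24 + '")'],
    "tests/fixtures/server.pem": ["-----BEGIN RSA PRIVATE KEY-----", "MIIE..."],
    "node_modules/leftpad/index.js": ['var token = "sk-' + "B" * 30 + '";'],
}


def scan_repo(files: dict, ignore_text: str) -> list:
    """Scan every file in the mapping, honouring the ignore globs."""
    globs = load_ignore_globs(ignore_text)
    hits = []
    for path, lines in files.items():
        hits.extend(scan_lines(path, lines, globs))
    return hits


if __name__ == "__main__":
    for path, n, pid in scan_repo(SAMPLE_FILES, NODIGNORE):
        print(f"{path}:{n}: {pid}")
```

The OpenAI line trips two patterns at once (the key format and the api_key assignment), which is the point of keeping the keyword pattern alongside the format-specific ones: a credential whose format you have not catalogued still surfaces when it is assigned to a telling name. Note also that an ignored fixture is skipped entirely, so a .nodignore entry is a risk acceptance and should be reviewed as one.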

✨ Usability Polish

  • Version Flag: Added nod --version to quickly check the installed release.
  • Quiet Mode: Added nod --quiet (or -q) to suppress banners and success messages, ideal for cleaner CI/CD logs.

🏗️ Engineering Maturity

  • Automated Test Suite: Introduced tests/test_core.py using unittest to validate core logic, config loading, and regex engines, preventing future regressions.
  • Strict Type Hinting: Enhanced code readability and safety with comprehensive PEP 484 type annotations throughout the codebase.

🚦 Upgrade Guide

# Update via pip
pip install --upgrade nod-linter

# Update GitHub Action
uses: mraml/nod@v2.1.0

License: Apache 2.0

Release v2.0.0: The Modular Architecture Update

22 Jan 22:00
9f1a21e


This major release marks the transition of nod from a standalone script to a production-grade, modular Python package. This architectural overhaul establishes the foundation for a robust plugin ecosystem, easier maintenance, and advanced agentic integrations.

🏗️ Architectural Overhaul

  • Modular Package Structure: The monolithic nod.py has been refactored into a scalable src/nod package layout (config, scanner, security, reporters, generator, utils).
  • PyPI Ready: Fully configured with pyproject.toml for standard installation via pip install nod-linter (coming soon to PyPI).
  • Official Rule Registry: Introduced support for the nod-rules registry.
    • Registry Shorthand: Use --rules registry:standard to automatically fetch rules from the community library without manual URLs.

🚀 New Features & Capabilities

  • Agentic Rules Integration:
    • Support for generating .cursorrules and .windsurfrules via --export.
    • This allows nod compliance policies to be directly injected into AI coding assistants (Cursor, Windsurf) as system constraints.
  • Signed Baselines (Governance):
    • Freeze: nod --freeze creates a nod.lock file, capturing the cryptographic hash of your current compliance state.
    • Verify: nod --verify detects "Compliance Drift" by checking current specs against the lockfile.
    • Integrity: Supports HMAC signing via NOD_SECRET_KEY.
  • Deep Validation:
    • Field Patterns: Validate specific values (e.g., "Retention: 30 days") using regex (must_match).
    • Structure: Ensure sections contain specific subsections (must_contain).
    • Cross-Reference Validation: Ensure traceability between documents (e.g., verifying every Threat-X maps to a Control-X).

🛡️ Security & Hardening

  • Strict SSL: Enforced hostname checking and certificate validation for all remote rule fetching.
  • Resource Protection: Limits file sizes (5MB) and total aggregation (20MB) to prevent DoS.
  • Input Validation: Hardened regex handling and file path resolution.

📦 Distribution

  • GitHub Action: Updated composite action to install from the new package structure.
  • Installation: Now supports pip install . and python -m nod.

🚦 Migration Guide

For existing users (v1.x):

  • CLI: The CLI arguments remain backward compatible.
  • Action: Update your workflow to use mraml/nod@v2.0.0.
  • Rules: defaults/ folder logic has been updated to prioritize the new registry or explicit paths.

License: Apache 2.0

Release v1.9.0: The Agentic & Enterprise Update

16 Jan 19:18
806aa7e



This release represents a significant leap forward in capabilities, transforming nod from a single-file linter into a comprehensive compliance platform capable of handling distributed documentation and integrating with modern AI workflows.

🚀 Key Features

Distributed Compliance (Directory Scanning):

  • nod can now scan entire directories (e.g., nod docs/).
  • Aggregates compliance evidence from multiple files into a single "Virtual Monolith."
  • Verifies requirement coverage across distributed specs (e.g., Security controls in security.md, Architecture in arch.md).
  • Tracks exactly which file satisfied a requirement in the audit log.

Deep Validation Engine:

  • Field Pattern Matching: Validate specific values using regex (e.g., ensure Retention Period is numeric).
  • Structure Validation: Enforce document structure by requiring specific subsections via must_contain.
  • Cross-Reference Validation: Ensure traceability between documents (e.g., verifying every Threat-X maps to a Control-X).
  • Requirement Modes: New mode configuration allows enforcing rules in every file (in_all_files) vs. just once per project (at_least_one).

Agentic Workflow Integration:

  • Context Export: Generate system prompts for AI agents (Cursor, Windsurf, Ralph) via --export cursor or --export windsurf.
  • Auto-Fix (--fix): Automatically appends missing compliance sections to a nod-compliance.md file (for directories) or to the file itself.
  • Agent-Friendly Outputs: JSON attestations now include specific remediation summaries tailored for LLM consumption.

Enterprise Governance:

  • Signed Baselines (--freeze/--verify): Lock compliance state to a nod.lock file and detect drift in CI/CD.
  • Integrity Signing: Cryptographically sign audit artifacts with HMAC-SHA256 when NOD_SECRET_KEY is present.
  • Compliance Reporting: New --output compliance format generates executive-style summaries with % completion metrics.

Security & Stability:

  • Strict SSL: Enforced hostname and certificate validation for remote rule fetching.
  • Resource Protection: Added file size limits (5MB) and network timeouts to prevent DoS.
  • SARIF v2.1.0: Full support for GitHub Advanced Security dashboards with security severity scoring.

📦 Updated Rule Packs

  • EU AI Act: Updated for high-risk system classification and documentation requirements.
  • NIST AI RMF: Full mapping to Govern, Map, Measure, Manage functions.
  • OWASP LLM Top 10: Defense rules for prompt injection, data leakage, and model theft.
  • Security Baseline: Standard encryption and access control requirements.

🚦 Upgrade Guide

# Update via pip (once published)
pip install --upgrade nod-linter

# Update GitHub Action
uses: mraml/nod@v1.9.0

v1.8.0: Distributed Compliance & Deep Validation

14 Jan 22:27
b5f3491



This release introduces "Distributed Compliance," allowing organizations to validate requirements across a folder of specification documents rather than a single monolith. It also adds "Deep Validation" capabilities, enabling regex checks on field values and cross-referencing between documents (e.g., ensuring Threats map to Controls).

🚀 New Features

  • Directory Scanning: Run nod docs/ to validate an entire document set.
  • Cross-Reference Validation: Ensure traceability between specs (e.g., Threat-1 <-> Control-1).
  • Field Pattern Matching: Validate values like "Retention: 30 days" via regex.
  • Requirement Modes: Enforce rules in all_files vs at_least_one.

v1.5.0: The Lifecycle Update (Auto-Fix, Deep Validation, and Reporting)

14 Jan 22:16
611b470


This major release transforms nod from a static checker into a complete compliance platform. We have introduced capabilities to support the entire lifecycle of an AI specification: from generation (--init) to automated repair (--fix) and executive reporting (--output compliance).

This release also introduces Deep Validation logic, allowing for regex pattern matching within fields, structural validation of subsections, and cross-reference checking between documents.

🚀 Major New Features

Scaffolding & Auto-Fix:

  • --init: Instantly generate a compliant Markdown template based on your active rules.
  • --fix: Automatically append missing headers and required boilerplate to your existing specs.

Directory Scanning ("Distributed Compliance"):

  • You can now run nod.py docs/ to scan an entire folder of specifications.
  • nod aggregates all files into a "Virtual Monolith" to check if requirements are met anywhere in your project.

Deep Validation Logic:

  • Field Patterns: Validate specific values (e.g., "Retention: 30 days") using the must_match regex rule.
  • Cross-Reference Validation: Ensure traceability between documents (e.g., verify that every "Threat T-X" has a corresponding "Control C-X").
  • Structure Checks: Ensure sections contain specific subsections using must_contain.
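Added example, not nod's code, of how the three deep-validation checks named here (and in the v1.8.0, v1.9.0 and v2.0.0 notes above) can be evaluated over a directory of specs, together with the at_least_one / in_all_files requirement modes: must_match applies a regex to an extracted field value, must_contain looks for ## subsections under a # section, and the cross-reference check runs over the aggregated "Virtual Monolith" so a Control may live in a different file from its Threat. The rule keys, the heading conventions and the two sample documents are assumptions made for this illustration.

```python
"""Added example: deep validation over a document set (not nod's own engine).

Rule shapes, heading conventions and the sample documents are assumptions.
"""
import re

# Constructed document set standing in for docs/ (file name -> markdown text).
DOCS = {
    "arch.md": "# Architecture\n## Data Retention\nRetention: 30 days\n",
    "security.md": (
        "# Security\n## Encryption\nAES-256 at rest\n## Access Control\nRBAC\n"
        "# Threat Model\n- Threat T-1: prompt injection\n- Threat T-2: data exfiltration\n"
        "# Controls\n- Control C-1: input filtering\n"
    ),
}

# Hypothetical rules. 'mode' decides whether one passing file suffices
# (at_least_one) or every file must pass (in_all_files).
RULES = [
    {"id": "retention-numeric", "type": "must_match", "mode": "at_least_one",
     "field": r"Retention:\s*(.+)", "pattern": r"^\d+\s+days$"},
    {"id": "security-structure", "type": "must_contain", "mode": "at_least_one",
     "section": "Security", "subsections": ["Encryption", "Access Control", "Logging"]},
    {"id": "threats-traced", "type": "cross_ref", "mode": "at_least_one",
     "source": r"Threat T-(\d+)", "target": r"Control C-(\d+)"},
    {"id": "has-title", "type": "must_match", "mode": "in_all_files",
     "field": r"^(# .+)$", "pattern": r"^# \w"},
]


def subsections_of(text: str, section: str) -> set:
    """The '##' headings that sit under the given '#' heading."""
    found, inside = set(), False
    for line in text.splitlines():
        if line.startswith("# "):
            inside = line[2:].strip() == section
        elif inside and line.startswith("## "):
            found.add(line[3:].strip())
    return found


def check_file(rule: dict, text: str) -> list:
    """Gap messages for one rule against one text (empty list = pass)."""
    if rule["type"] == "must_match":
        m = re.search(rule["field"], text, re.MULTILINE)
        if not m:
            return [f"{rule['id']}: field not present"]
        value = m.group(1).strip()
        return [] if re.search(rule["pattern"], value) else [f"{rule['id']}: '{value}' fails pattern"]
    if rule["type"] == "must_contain":
        missing = set(rule["subsections"]) - subsections_of(text, rule["section"])
        return [f"{rule['id']}: missing {sorted(missing)}"] if missing else []
    if rule["type"] == "cross_ref":
        sources = set(re.findall(rule["source"], text))
        targets = set(re.findall(rule["target"], text))
        dangling = sorted(sources - targets)
        return [f"{rule['id']}: no control for threat(s) {dangling}"] if dangling else []
    raise ValueError(f"unknown rule type {rule['type']}")


def validate(docs: dict, rules: list) -> dict:
    """Evaluate every rule; returns {rule_id: [gap, ...]} with [] meaning pass."""
    monolith = "\n".join(docs.values())  # the "Virtual Monolith" of all files
    report = {}
    for rule in rules:
        if rule["type"] == "cross_ref":
            # Traceability is a property of the whole set, never of one file.
            report[rule["id"]] = check_file(rule, monolith)
            continue
        per_file = {name: check_file(rule, text) for name, text in docs.items()}
        if rule["mode"] == "at_least_one":
            satisfied = any(not gaps for gaps in per_file.values())
            report[rule["id"]] = [] if satisfied else [g for gaps in per_file.values() for g in gaps]
        else:  # in_all_files: report each failing file by name
            report[rule["id"]] = [f"{name}: {g}" for name, gaps in per_file.items() for g in gaps]
    return report


if __name__ == "__main__":
    for rule_id, gaps in validate(DOCS, RULES).items():
        print(rule_id, "PASS" if not gaps else gaps)
```

On the sample set, the numeric retention rule passes on the strength of arch.md alone, the Security section is short a Logging subsection, and Threat T-2 has no matching Control; adding a controls.md with Control C-2 clears the last one without touching security.md, which is what the cross-file aggregation buys you.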

Compliance Reporting:

  • New --output compliance format generates a human-readable executive summary with % completion metrics.

Agentic Integration:

  • --export: Dump your compliance rules as a "System Prompt" to constrain downstream AI agents (like Ralph or Claude) before they generate code.

🛡️ Security & Hardening

  • Integrity Signing: Added HMAC-SHA256 signing for audit artifacts using NOD_SECRET_KEY.
  • Strict SSL: Enforced hostname checking and certificate validation for remote rule fetching.
  • Resource Protection: Added file size limits (5MB) and network timeouts to prevent DoS.
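The freeze/verify flow described in these notes (and in the v1.9.0 and v2.0.0 sections above) as an added example, not nod's implementation of nod.lock: the compliance state is hashed over a canonical JSON encoding, the digest is sealed with HMAC-SHA256 under the key taken from NOD_SECRET_KEY, and verification checks the seal in constant time before comparing digests. The lock record layout, the sample compliance state and the fallback demo key are assumptions. The tampering case at the end is the one the HMAC exists for: someone who can edit both the specs and nod.lock can rewrite the digest to hide drift, which an unsigned lockfile cannot detect.

```python
"""Added example (not nod's own code): freeze and verify a compliance baseline.

The lock record layout and the sample compliance state are assumptions;
only the standard library is used.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed compliance state: rule id -> outcome, as a scanner might produce it.
STATE = {
    "eu-ai-act/human-oversight": "PASS",
    "nist-ai-rmf/govern": "PASS",
    "owasp-llm/prompt-injection": "FAIL",
}

# Assumed to mirror the NOD_SECRET_KEY convention; None means unsigned mode.
SECRET: Optional[bytes] = os.environ.get("NOD_SECRET_KEY", "").encode() or None


def compliance_digest(state: dict) -> str:
    """SHA-256 over canonical JSON so key order or whitespace cannot change the hash."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def seal(digest: str, secret: bytes) -> str:
    """HMAC-SHA256 tag over the digest; binds the lockfile to the key holder."""
    return hmac.new(secret, digest.encode(), hashlib.sha256).hexdigest()


def freeze(state: dict, secret: Optional[bytes]) -> dict:
    """Build the lock record (what nod.lock would hold); sealed only when a key is set."""
    lock = {"version": 1, "digest": compliance_digest(state)}
    if secret:
        lock["hmac"] = seal(lock["digest"], secret)
    return lock


def verify(state: dict, lock: dict, secret: Optional[bytes]) -> list:
    """Return a list of problems; empty means the seal is intact and nothing drifted."""
    problems = []
    if secret:
        if "hmac" not in lock:
            problems.append("lockfile is unsigned but a secret key is configured")
        elif not hmac.compare_digest(seal(lock["digest"], secret), lock["hmac"]):
            problems.append("signature mismatch: lockfile digest was altered or key differs")
    if lock["digest"] != compliance_digest(state):
        problems.append("compliance drift: current state differs from frozen baseline")
    return problems


def dump_lock(lock: dict) -> str:
    """Serialise the lock record the way it would be written to disk."""
    return json.dumps(lock, indent=2, sort_keys=True) + "\n"


def load_lock(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    key = SECRET or b"example-key-for-demo-only"  # demo fallback, not a real secret
    lock = freeze(STATE, key)
    print(dump_lock(lock))
    print("verify:", verify(STATE, lock, key) or "ok")
```

Two design points worth keeping when you wire this into CI: the key must come from the CI secret store and never from the repository, or the attacker who can edit nod.lock can re-sign it; and a lockfile that arrives unsigned while a key is configured is treated as a failure rather than silently downgraded, so a dropped signature cannot be used to slip past the check.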

📦 Rule Updates

  • Expanded defaults/ to include updated profiles for EU AI Act, NIST AI RMF, and OWASP LLM Top 10.
  • Added support for Rule Stacking (using --rules multiple times to merge community defaults with local overrides).

🚦 Upgrading

Existing users of v1.0.0 can upgrade immediately.

Python: pip install --upgrade .

GitHub Actions: Update your workflow to use mraml/nod@v1.5.0 (or @v1 for latest).

v1.0.0: Initial Release

14 Jan 19:50
35559db


Release v1.0.0: The AI Compliance Gatekeeper 🛡️

nod is now live! This initial release introduces a platform-agnostic, rule-based linter designed to ensure AI/LLM specifications align with regulatory standards before development begins.

🚀 Key Features

  • Scaffolding (--init): Instantly generate compliant Markdown templates based on active rules to solve the "blank page" problem.
  • Agent Context Injection (--export): Export compliance rules as "System Prompt" constraints to guide AI agents (like Ralph) during generation.
  • Policy-as-Code: Define compliance standards in simple YAML.
  • Gap Severity Model: Categorizes issues (CRITICAL, HIGH, MEDIUM, LOW) to prioritize remediation.
  • SARIF Output: Native integration with GitHub Advanced Security and GitLab Security Dashboards.
  • Exception Management: Formalize risk acceptance using .nodignore.
  • Attestation: Generates signed nod-attestation.json for audit trails and agentic self-healing.

📦 Included Rulesets

  • EU AI Act: High-Risk classification, human oversight, and documentation requirements.
  • NIST AI RMF: Govern, Map, Measure, Manage functions.
  • OWASP LLM Top 10: Defenses against prompt injection, data leakage, and model theft.
  • Security Baseline: Encryption, Access Control, and Secrets Management.