RubyGems - rosett-ai - Versions diffs - 1.3.3 - Mend

rosett-ai 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (527) hide show

checksums.yaml +7 -0
data/.ai-provenance.yml +119 -0
data/.debride_whitelist +186 -0
data/.fasterer.yml +29 -0
data/.mdl_style.rb +10 -0
data/.mdlrc +3 -0
data/.mutant.yml +49 -0
data/.namespace-allowlist +42 -0
data/.reek.yml +1040 -0
data/.rosett-ai/config.yml +3 -0
data/.rspec +5 -0
data/.rubocop.yml +380 -0
data/.ruby-version +1 -0
data/.yamllint +51 -0
data/.yardopts +12 -0
data/AI-DISCLOSURE.md +48 -0
data/CHANGELOG.md +519 -0
data/CLAUDE.md +141 -0
data/CONTRIBUTING.md +734 -0
data/INSTALL.md +154 -0
data/LICENSE +674 -0
data/LICENSE.md +675 -0
data/QUICKSTART.md +73 -0
data/README.md +366 -0
data/Rakefile +200 -0
data/SECURITY.md +114 -0
data/bin/rai +1 -0
data/cliff.toml +52 -0
data/conf/adopt_redactions.yml +8 -0
data/conf/behaviour/.gitkeep +0 -0
data/conf/compliance/cra_rules.yml +25 -0
data/conf/compliance/license_rules.yml +20 -0
data/conf/design/aaif_alignment.yml +181 -0
data/conf/design/ab_testing.yml +172 -0
data/conf/design/accessibility.yml +84 -0
data/conf/design/ai_authorship.yml +210 -0
data/conf/design/ai_provenance.yml +224 -0
data/conf/design/ai_tool_configuration.yml +207 -0
data/conf/design/architecture.yml +139 -0
data/conf/design/autocompletion.yml +115 -0
data/conf/design/backward_compatibility.yml +112 -0
data/conf/design/behaviour_composition.yml +246 -0
data/conf/design/build_rake_extraction.yml +57 -0
data/conf/design/ci_pipeline.yml +100 -0
data/conf/design/claude_code_configuration.yml +157 -0
data/conf/design/compiler.yml +128 -0
data/conf/design/comply.yml +153 -0
data/conf/design/content_packs.yml +84 -0
data/conf/design/desktop_integration.yml +289 -0
data/conf/design/distribution.yml +216 -0
data/conf/design/doctor.yml +184 -0
data/conf/design/documentation.yml +152 -0
data/conf/design/engine_architecture.yml +257 -0
data/conf/design/error_handling.yml +103 -0
data/conf/design/feature_flags.yml +142 -0
data/conf/design/git_hooks.yml +165 -0
data/conf/design/gui_plugins.yml +475 -0
data/conf/design/i18n.yml +84 -0
data/conf/design/integration_testing.yml +56 -0
data/conf/design/licensing_system.yml +88 -0
data/conf/design/lifecycle_management.yml +208 -0
data/conf/design/mcp_integration.yml +207 -0
data/conf/design/mcp_settings.yml +126 -0
data/conf/design/migration.yml +56 -0
data/conf/design/monitoring_observability.yml +194 -0
data/conf/design/namespace_cleanup.yml +145 -0
data/conf/design/plugin_test_segregation.yml +145 -0
data/conf/design/policy_management.yml +229 -0
data/conf/design/project_management.yml +183 -0
data/conf/design/rai_mcp_asset_discovery.yml +164 -0
data/conf/design/rai_mcp_server.yml +605 -0
data/conf/design/release_management.yml +117 -0
data/conf/design/retrofit.yml +199 -0
data/conf/design/retrospective_analyzer.yml +79 -0
data/conf/design/scope_hierarchy.yml +352 -0
data/conf/design/security.yml +115 -0
data/conf/design/session_retrospective.yml +85 -0
data/conf/design/smart_ui_feedback.yml +89 -0
data/conf/design/structured_logging.yml +148 -0
data/conf/design/styles.yml +123 -0
data/conf/design/test_peer_review.yml +89 -0
data/conf/design/testing.yml +136 -0
data/conf/design/threat_model.yml +108 -0
data/conf/design/ui_framework.yml +111 -0
data/conf/design/usage_optimization.yml +122 -0
data/conf/design/version_management.yml +60 -0
data/conf/design/workflow.yml +227 -0
data/conf/mcp/server_defaults.yml +42 -0
data/conf/mcp/trust.yml +21 -0
data/conf/packaging/core.yml +12 -0
data/conf/packaging/gtk4.yml +11 -0
data/conf/packaging/qt6.yml +11 -0
data/conf/policy/default_deny_list.yml +197 -0
data/conf/review/cli-command-audit.yml +857 -0
data/conf/review/design-docs.yml +1064 -0
data/conf/review/design-questionnaire.yml +153 -0
data/conf/review/questionnaire.yml +146 -0
data/conf/review/rosett-ai-core.yml +2919 -0
data/conf/schemas/ai_config_schema.json +73 -0
data/conf/schemas/behaviour_schema.json +132 -0
data/conf/schemas/compliance_rule_schema.json +63 -0
data/conf/schemas/content_pack_manifest_schema.json +51 -0
data/conf/schemas/design_schema.json +210 -0
data/conf/schemas/engine_manifest_schema.json +144 -0
data/conf/schemas/lockfile_schema.json +74 -0
data/conf/schemas/mcp_server_schema.json +48 -0
data/conf/schemas/packaging_schema.json +70 -0
data/conf/schemas/policy_schema.json +85 -0
data/conf/schemas/provenance_schema.json +84 -0
data/conf/schemas/rai_config_schema.json +56 -0
data/conf/schemas/rai_project_schema.json +20 -0
data/conf/schemas/scope_hierarchy_schema.json +49 -0
data/conf/schemas/target_schema.json +67 -0
data/conf/schemas/tooling_schema.json +65 -0
data/conf/schemas/workflow_schema.json +112 -0
data/conf/targets/agents_md.yml +17 -0
data/conf/targets/claude.yml +12 -0
data/conf/tooling/tools.yml +58 -0
data/dist/rosett-ai-mcp.service +48 -0
data/dist/rosett-ai-mcp.yml.default +45 -0
data/doc/AAIF_POSITIONING.md +58 -0
data/doc/ADOPT.md +224 -0
data/doc/AI_PROVENANCE.md +139 -0
data/doc/ARCHITECTURE.md +920 -0
data/doc/BEHAVIOUR.md +409 -0
data/doc/BUILD.md +138 -0
data/doc/CI_CD_RECIPES.md +171 -0
data/doc/CLAUDE_SESSIONS_MOVED.md +16 -0
data/doc/COMMAND_ANALYSIS.md +229 -0
data/doc/CONFIGURATION.md +281 -0
data/doc/DESIGN_AUDIT.md +235 -0
data/doc/DESIGN_PEER_REVIEW.md +771 -0
data/doc/DESKTOP.md +447 -0
data/doc/ENGINES.md +567 -0
data/doc/ENGINE_DEVELOPMENT_GUIDE.md +417 -0
data/doc/FEATURE_AUDIT.md +218 -0
data/doc/IMPLEMENTATION_PLAN.md +669 -0
data/doc/INCIDENT_REPORT_2026-02-02.md +251 -0
data/doc/MIGRATION_GUIDE.md +88 -0
data/doc/PACKAGING.md +232 -0
data/doc/PROJECT_DASHBOARD.md +153 -0
data/doc/PULP_DEPLOYMENT.md +164 -0
data/doc/QUALITY_FIX_SUMMARY.md +110 -0
data/doc/QUICK_START.md +162 -0
data/doc/REEK_CONFIGURATION.md +166 -0
data/doc/REFERENCE.md +253 -0
data/doc/REFERENCES.md +324 -0
data/doc/SECURITY_REVIEW_CHECKLIST.md +72 -0
data/doc/SESSION_2026-02-28_GTK4_HARDENING.md +359 -0
data/doc/SETUP.md +202 -0
data/doc/TEST_PEER_REVIEW.md +152 -0
data/doc/THREAT_MODEL.md +230 -0
data/doc/USAGE.md +545 -0
data/doc/USER_MANUAL.md +585 -0
data/doc/ai_test_review_checklist.md +110 -0
data/doc/changes/2026-02-18-packaging-fpm.md +155 -0
data/doc/changes/2026-02-19-testing-infrastructure.md +221 -0
data/doc/changes/2026-02-20-security-implementation.md +281 -0
data/doc/changes/2026-02-20-styles-implementation.md +220 -0
data/doc/changes/2026-02-21-architecture-completion.md +95 -0
data/doc/changes/2026-02-21-architecture-ui-layer.md +253 -0
data/doc/changes/2026-02-21-cc-config-implementation.md +108 -0
data/doc/changes/2026-02-21-ci-pipeline-implementation.md +214 -0
data/doc/changes/2026-02-21-compiler-multi-target-pipeline.md +241 -0
data/doc/changes/2026-02-21-config-design-show-commands.md +61 -0
data/doc/changes/2026-02-21-design-implementation-overview.md +455 -0
data/doc/changes/2026-02-21-lifecycle-management.md +196 -0
data/doc/changes/2026-02-21-path-resolver.md +128 -0
data/doc/changes/2026-02-24-ci-tmpdir-mutant-fetch.md +45 -0
data/doc/changes/2026-03-01-ci-bundler-strategy.md +120 -0
data/doc/changes/2026-03-20-security-hardening-phase2.md +163 -0
data/doc/context/SESSION-HANDOFF.md +69 -0
data/doc/context/ai-engine-usage-trends-2026.md +80 -0
data/doc/context/plan-pluggable-engines.md +590 -0
data/doc/decisions/001-flog-deferred.md +32 -0
data/doc/decisions/002-path-resolution-strategy.md +158 -0
data/doc/decisions/003-ui-adapter-selection.md +193 -0
data/doc/decisions/004-design-document-validation.md +179 -0
data/doc/decisions/005-package-splitting-strategy.md +200 -0
data/doc/decisions/006-multi-engine-architecture.md +147 -0
data/doc/decisions/007-engine-agnostic-pivot.md +219 -0
data/doc/decisions/008-ci-bundler-strategy.md +129 -0
data/doc/decisions/009-core-only-v1-release.md +60 -0
data/doc/decisions/010-engine-debian-packaging.md +66 -0
data/doc/decisions/011-context-aware-cli.md +71 -0
data/doc/dependency_decisions.yml +247 -0
data/doc/issues/001-wrapper-missing-environment-variables.md +197 -0
data/doc/issues/002-embedded-ruby-wrong-prefix.md +217 -0
data/doc/issues/003-smoke-test-false-positive.md +127 -0
data/doc/issues/004-market-research-design-updates.md +109 -0
data/doc/issues/005-compile-scope-coexistence.md +161 -0
data/doc/locales/.gitkeep +0 -0
data/doc/man/rai.1.ronn +505 -0
data/doc/operations/packaging.md +133 -0
data/doc/operations/rosett-ai-release.md +65 -0
data/doc/reference/error-catalog.md +107 -0
data/doc/reference/rosett-ai-technical-reference.pdf +0 -0
data/doc/reference/src/Pictures/cover.jpg +0 -0
data/doc/reference/src/Pictures/head1.jpg +0 -0
data/doc/reference/src/Pictures/head2.jpg +0 -0
data/doc/reference/src/Pictures/head3.jpg +0 -0
data/doc/reference/src/Pictures/head4.jpg +0 -0
data/doc/reference/src/Pictures/head5.jpg +0 -0
data/doc/reference/src/Pictures/head6.jpg +0 -0
data/doc/reference/src/Pictures/head7.jpg +0 -0
data/doc/reference/src/Pictures/head8.jpg +0 -0
data/doc/reference/src/StyleInd.ist +4 -0
data/doc/reference/src/bibliography.bib +79 -0
data/doc/reference/src/main.tex +1288 -0
data/doc/reference/src/structure.tex +303 -0
data/doc/rosett-ai-bookmarks.html +301 -0
data/kitchen.yml +46 -0
data/lib/rosett_ai/adopter/executor_resolver.rb +77 -0
data/lib/rosett_ai/adopter/local_analysis_collector.rb +154 -0
data/lib/rosett_ai/adopter/rule_adopter.rb +254 -0
data/lib/rosett_ai/ai_config/config_compiler.rb +111 -0
data/lib/rosett_ai/ai_config/context_window.rb +55 -0
data/lib/rosett_ai/ai_config/cost_controls.rb +44 -0
data/lib/rosett_ai/ai_config/fallback_chain.rb +64 -0
data/lib/rosett_ai/ai_config/model_router.rb +121 -0
data/lib/rosett_ai/ai_config/validator.rb +45 -0
data/lib/rosett_ai/authorship/attribution_compiler.rb +99 -0
data/lib/rosett_ai/authorship/disclosure_policy.rb +81 -0
data/lib/rosett_ai/authorship/review_validator.rb +39 -0
data/lib/rosett_ai/authorship/trailer_generator.rb +88 -0
data/lib/rosett_ai/backup/compressor.rb +180 -0
data/lib/rosett_ai/backup/destination.rb +91 -0
data/lib/rosett_ai/behaviour/manager.rb +156 -0
data/lib/rosett_ai/compiler/backend.rb +86 -0
data/lib/rosett_ai/compiler/backends/agents_md_backend.rb +80 -0
data/lib/rosett_ai/compiler/backends/claude_backend.rb +88 -0
data/lib/rosett_ai/compiler/backends/generic_backend.rb +15 -0
data/lib/rosett_ai/compiler/behaviour_compiler.rb +40 -0
data/lib/rosett_ai/compiler/capability_checker.rb +104 -0
data/lib/rosett_ai/compiler/compilation_pipeline.rb +361 -0
data/lib/rosett_ai/compiler/compiled_output.rb +39 -0
data/lib/rosett_ai/compiler/locale_compiler.rb +250 -0
data/lib/rosett_ai/compiler/target_profile.rb +112 -0
data/lib/rosett_ai/completion/generator.rb +101 -0
data/lib/rosett_ai/completion/shells/bash_generator.rb +126 -0
data/lib/rosett_ai/completion/shells/fish_generator.rb +78 -0
data/lib/rosett_ai/completion/shells/zsh_generator.rb +126 -0
data/lib/rosett_ai/comply/checkers/cra_checker.rb +102 -0
data/lib/rosett_ai/comply/checkers/license_checker.rb +85 -0
data/lib/rosett_ai/comply/checkers/spdx_header_checker.rb +98 -0
data/lib/rosett_ai/comply/reporter.rb +113 -0
data/lib/rosett_ai/comply/runner.rb +50 -0
data/lib/rosett_ai/composition/circular_dependency_detector.rb +56 -0
data/lib/rosett_ai/composition/composer.rb +158 -0
data/lib/rosett_ai/composition/composition_result.rb +64 -0
data/lib/rosett_ai/composition/conflict_detector.rb +53 -0
data/lib/rosett_ai/composition/lockfile.rb +103 -0
data/lib/rosett_ai/composition/merge_strategy.rb +131 -0
data/lib/rosett_ai/composition/priority_sorter.rb +29 -0
data/lib/rosett_ai/composition/scope_resolver.rb +55 -0
data/lib/rosett_ai/config/compile_result.rb +37 -0
data/lib/rosett_ai/config/compiler.rb +13 -0
data/lib/rosett_ai/config/domain_transformer.rb +13 -0
data/lib/rosett_ai/config/key_map.rb +13 -0
data/lib/rosett_ai/config/masking_secret_resolver.rb +40 -0
data/lib/rosett_ai/config/scope_router.rb +13 -0
data/lib/rosett_ai/config/secret_resolver.rb +125 -0
data/lib/rosett_ai/configuration.rb +119 -0
data/lib/rosett_ai/content/content_client.rb +60 -0
data/lib/rosett_ai/content/pack_installer.rb +117 -0
data/lib/rosett_ai/content/pack_manifest.rb +50 -0
data/lib/rosett_ai/content/pack_registry.rb +68 -0
data/lib/rosett_ai/content_packs/manager.rb +50 -0
data/lib/rosett_ai/dbus/compositor_detector.rb +77 -0
data/lib/rosett_ai/dbus/focus_adapters/base.rb +59 -0
data/lib/rosett_ai/dbus/focus_adapters/gnome_adapter.rb +172 -0
data/lib/rosett_ai/dbus/focus_adapters/hyprland_adapter.rb +77 -0
data/lib/rosett_ai/dbus/focus_adapters/i3_adapter.rb +65 -0
data/lib/rosett_ai/dbus/focus_adapters/kwin_adapter.rb +103 -0
data/lib/rosett_ai/dbus/focus_adapters/x11_adapter.rb +105 -0
data/lib/rosett_ai/dbus/focus_monitor_interface.rb +103 -0
data/lib/rosett_ai/dbus/manager_interface.rb +213 -0
data/lib/rosett_ai/dbus/plugin_manager_interface.rb +169 -0
data/lib/rosett_ai/dbus/rate_limiter.rb +89 -0
data/lib/rosett_ai/dbus/service.rb +121 -0
data/lib/rosett_ai/dbus/status_notifier_interface.rb +79 -0
data/lib/rosett_ai/deprecation.rb +79 -0
data/lib/rosett_ai/desktop/dbus_client.rb +259 -0
data/lib/rosett_ai/desktop/gtk4_app.rb +371 -0
data/lib/rosett_ai/desktop/gtk4_preferences.rb +331 -0
data/lib/rosett_ai/desktop/gui_logger.rb +236 -0
data/lib/rosett_ai/doctor/check.rb +92 -0
data/lib/rosett_ai/doctor/checks/cache_health_check.rb +50 -0
data/lib/rosett_ai/doctor/checks/dbus_availability_check.rb +39 -0
data/lib/rosett_ai/doctor/checks/engine_detection_check.rb +46 -0
data/lib/rosett_ai/doctor/checks/file_permission_check.rb +44 -0
data/lib/rosett_ai/doctor/checks/gem_dependency_check.rb +55 -0
data/lib/rosett_ai/doctor/checks/ruby_version_check.rb +50 -0
data/lib/rosett_ai/doctor/checks/stale_config_nncc_check.rb +57 -0
data/lib/rosett_ai/doctor/checks/stale_home_nncc_check.rb +59 -0
data/lib/rosett_ai/doctor.rb +81 -0
data/lib/rosett_ai/documentation/reference_compiler.rb +122 -0
data/lib/rosett_ai/documentation/translator.rb +62 -0
data/lib/rosett_ai/engines/base_config_compiler.rb +203 -0
data/lib/rosett_ai/engines/detector.rb +63 -0
data/lib/rosett_ai/engines/registry.rb +50 -0
data/lib/rosett_ai/error_handler.rb +139 -0
data/lib/rosett_ai/exit_codes.rb +76 -0
data/lib/rosett_ai/feature_flags.rb +102 -0
data/lib/rosett_ai/formatting.rb +33 -0
data/lib/rosett_ai/gem_consistency_checker.rb +199 -0
data/lib/rosett_ai/git_hooks/chain_detector.rb +86 -0
data/lib/rosett_ai/git_hooks/installer.rb +175 -0
data/lib/rosett_ai/git_hooks/script_generator.rb +125 -0
data/lib/rosett_ai/gitlab/validators/supplementary_gitlab_ci_yaml_validator.rb +79 -0
data/lib/rosett_ai/i18n/locale_resolver.rb +46 -0
data/lib/rosett_ai/i18n/utf8_checker.rb +32 -0
data/lib/rosett_ai/init/config_file_writer.rb +24 -0
data/lib/rosett_ai/init/directory_builder.rb +38 -0
data/lib/rosett_ai/init/file_copier.rb +95 -0
data/lib/rosett_ai/init/global_initializer.rb +28 -0
data/lib/rosett_ai/init/local_initializer.rb +27 -0
data/lib/rosett_ai/init/mcp_registrar.rb +109 -0
data/lib/rosett_ai/init/project_initializer.rb +38 -0
data/lib/rosett_ai/licensing/license_key.rb +139 -0
data/lib/rosett_ai/licensing/license_store.rb +64 -0
data/lib/rosett_ai/licensing/license_validator.rb +60 -0
data/lib/rosett_ai/licensing/tier.rb +42 -0
data/lib/rosett_ai/mcp/admin/auditor.rb +88 -0
data/lib/rosett_ai/mcp/admin/health_checker.rb +81 -0
data/lib/rosett_ai/mcp/admin/registry.rb +100 -0
data/lib/rosett_ai/mcp/admin/schema_validator.rb +63 -0
data/lib/rosett_ai/mcp/enforcement/.gitkeep +0 -0
data/lib/rosett_ai/mcp/enforcement/hook_generator.rb +197 -0
data/lib/rosett_ai/mcp/enforcement/validator.rb +215 -0
data/lib/rosett_ai/mcp/governance.rb +160 -0
data/lib/rosett_ai/mcp/http_security_config.rb +158 -0
data/lib/rosett_ai/mcp/instructions.rb +266 -0
data/lib/rosett_ai/mcp/key_hasher.rb +66 -0
data/lib/rosett_ai/mcp/keyfile.rb +221 -0
data/lib/rosett_ai/mcp/middleware/authentication.rb +146 -0
data/lib/rosett_ai/mcp/middleware/content_type.rb +56 -0
data/lib/rosett_ai/mcp/middleware/cors.rb +83 -0
data/lib/rosett_ai/mcp/middleware/origin_validation.rb +73 -0
data/lib/rosett_ai/mcp/middleware/rate_limit.rb +106 -0
data/lib/rosett_ai/mcp/middleware/request_size.rb +51 -0
data/lib/rosett_ai/mcp/plugins.rb +143 -0
data/lib/rosett_ai/mcp/prompts/compilation_prompt.rb +40 -0
data/lib/rosett_ai/mcp/prompts/compliance_prompt.rb +41 -0
data/lib/rosett_ai/mcp/prompts/diagnostics_prompt.rb +41 -0
data/lib/rosett_ai/mcp/prompts/validation_prompt.rb +41 -0
data/lib/rosett_ai/mcp/resources/behaviour_resource.rb +127 -0
data/lib/rosett_ai/mcp/resources/config_resource.rb +72 -0
data/lib/rosett_ai/mcp/resources/design_resource.rb +58 -0
data/lib/rosett_ai/mcp/resources/hooks_resource.rb +74 -0
data/lib/rosett_ai/mcp/resources/provenance_resource.rb +51 -0
data/lib/rosett_ai/mcp/resources/rules_resource.rb +60 -0
data/lib/rosett_ai/mcp/resources/schema_resource.rb +72 -0
data/lib/rosett_ai/mcp/response_helper.rb +46 -0
data/lib/rosett_ai/mcp/security_logger.rb +60 -0
data/lib/rosett_ai/mcp/server.rb +212 -0
data/lib/rosett_ai/mcp/settings/server_installer.rb +112 -0
data/lib/rosett_ai/mcp/settings/trust_manager.rb +142 -0
data/lib/rosett_ai/mcp/tools/adopt_tool.rb +70 -0
data/lib/rosett_ai/mcp/tools/backup_tool.rb +64 -0
data/lib/rosett_ai/mcp/tools/behaviour_display_tool.rb +72 -0
data/lib/rosett_ai/mcp/tools/behaviour_list_tool.rb +56 -0
data/lib/rosett_ai/mcp/tools/behaviour_manage_tool.rb +114 -0
data/lib/rosett_ai/mcp/tools/behaviour_show_tool.rb +62 -0
data/lib/rosett_ai/mcp/tools/compile_status_tool.rb +122 -0
data/lib/rosett_ai/mcp/tools/compile_tool.rb +191 -0
data/lib/rosett_ai/mcp/tools/comply_tool.rb +79 -0
data/lib/rosett_ai/mcp/tools/config_compile_tool.rb +71 -0
data/lib/rosett_ai/mcp/tools/config_status_tool.rb +79 -0
data/lib/rosett_ai/mcp/tools/content_tool.rb +78 -0
data/lib/rosett_ai/mcp/tools/context_query_tool.rb +156 -0
data/lib/rosett_ai/mcp/tools/design_list_tool.rb +57 -0
data/lib/rosett_ai/mcp/tools/design_show_tool.rb +69 -0
data/lib/rosett_ai/mcp/tools/doctor_tool.rb +62 -0
data/lib/rosett_ai/mcp/tools/documentation_status_tool.rb +45 -0
data/lib/rosett_ai/mcp/tools/engines_tool.rb +84 -0
data/lib/rosett_ai/mcp/tools/hook_install_tool.rb +190 -0
data/lib/rosett_ai/mcp/tools/hook_preview_tool.rb +173 -0
data/lib/rosett_ai/mcp/tools/hooks_status_tool.rb +84 -0
data/lib/rosett_ai/mcp/tools/init_tool.rb +87 -0
data/lib/rosett_ai/mcp/tools/license_status_tool.rb +44 -0
data/lib/rosett_ai/mcp/tools/project_tool.rb +117 -0
data/lib/rosett_ai/mcp/tools/provenance_tool.rb +97 -0
data/lib/rosett_ai/mcp/tools/provenance_write_tool.rb +40 -0
data/lib/rosett_ai/mcp/tools/retrofit_tool.rb +81 -0
data/lib/rosett_ai/mcp/tools/rule_search_tool.rb +163 -0
data/lib/rosett_ai/mcp/tools/schema_get_tool.rb +94 -0
data/lib/rosett_ai/mcp/tools/tooling_tool.rb +86 -0
data/lib/rosett_ai/mcp/tools/validate_tool.rb +105 -0
data/lib/rosett_ai/mcp/tools/workflow_execute_tool.rb +74 -0
data/lib/rosett_ai/mcp/tools/workflow_tool.rb +78 -0
data/lib/rosett_ai/migration/detector.rb +117 -0
data/lib/rosett_ai/migration/nncc_config_migrator.rb +94 -0
data/lib/rosett_ai/migration/nncc_project_migrator.rb +90 -0
data/lib/rosett_ai/migration/xdg_migrator.rb +123 -0
data/lib/rosett_ai/package_manager/apt.rb +108 -0
data/lib/rosett_ai/package_manager/base.rb +68 -0
data/lib/rosett_ai/package_manager/gem_backend.rb +90 -0
data/lib/rosett_ai/packaging/variant_config.rb +92 -0
data/lib/rosett_ai/path_resolver.rb +115 -0
data/lib/rosett_ai/plugins/contract.rb +43 -0
data/lib/rosett_ai/plugins/engine_contract.rb +60 -0
data/lib/rosett_ai/plugins/gui_contract.rb +74 -0
data/lib/rosett_ai/plugins/mcp_contract.rb +48 -0
data/lib/rosett_ai/plugins/registry.rb +150 -0
data/lib/rosett_ai/policy/auditor.rb +41 -0
data/lib/rosett_ai/policy/deny_list.rb +71 -0
data/lib/rosett_ai/policy/opt_out_scanner.rb +37 -0
data/lib/rosett_ai/policy/policy_compiler.rb +84 -0
data/lib/rosett_ai/policy/protected_files.rb +47 -0
data/lib/rosett_ai/policy/tier_hierarchy.rb +48 -0
data/lib/rosett_ai/policy/validator.rb +35 -0
data/lib/rosett_ai/profiler.rb +79 -0
data/lib/rosett_ai/project/drift_detector.rb +126 -0
data/lib/rosett_ai/project/manager.rb +115 -0
data/lib/rosett_ai/project/sync_manager.rb +138 -0
data/lib/rosett_ai/project/template_applier.rb +105 -0
data/lib/rosett_ai/project_context.rb +82 -0
data/lib/rosett_ai/provenance/entry.rb +63 -0
data/lib/rosett_ai/provenance/file_source.rb +32 -0
data/lib/rosett_ai/provenance/source.rb +62 -0
data/lib/rosett_ai/provenance/store.rb +153 -0
data/lib/rosett_ai/provenance/tracker.rb +62 -0
data/lib/rosett_ai/provenance/trailer_generator.rb +43 -0
data/lib/rosett_ai/provenance/validator.rb +45 -0
data/lib/rosett_ai/quorum/collector.rb +59 -0
data/lib/rosett_ai/quorum/comparator.rb +81 -0
data/lib/rosett_ai/quorum/dispatcher.rb +57 -0
data/lib/rosett_ai/quorum/strategies/adopt.rb +56 -0
data/lib/rosett_ai/rai_config.rb +107 -0
data/lib/rosett_ai/retrofit/base_parser.rb +66 -0
data/lib/rosett_ai/retrofit/engine.rb +171 -0
data/lib/rosett_ai/retrofit/parsers/agents_md_parser.rb +50 -0
data/lib/rosett_ai/retrofit/parsers/claude_parser.rb +69 -0
data/lib/rosett_ai/retrofit/parsers/cursor_parser.rb +82 -0
data/lib/rosett_ai/retrofit/round_trip_validator.rb +65 -0
data/lib/rosett_ai/retrofit/scanner.rb +47 -0
data/lib/rosett_ai/retrofit/secret_detector.rb +87 -0
data/lib/rosett_ai/secrets_resolver.rb +71 -0
data/lib/rosett_ai/smart_feedback/suggester.rb +83 -0
data/lib/rosett_ai/smart_feedback/thor_middleware.rb +84 -0
data/lib/rosett_ai/structured_logger.rb +110 -0
data/lib/rosett_ai/telemetry/json_lines_writer.rb +50 -0
data/lib/rosett_ai/telemetry/log_rotator.rb +67 -0
data/lib/rosett_ai/telemetry/provider.rb +26 -0
data/lib/rosett_ai/telemetry/reporter.rb +144 -0
data/lib/rosett_ai/telemetry.rb +47 -0
data/lib/rosett_ai/text_sanitizer.rb +62 -0
data/lib/rosett_ai/thor/cli.rb +269 -0
data/lib/rosett_ai/thor/tasks/adopt.rb +250 -0
data/lib/rosett_ai/thor/tasks/backup.rb +420 -0
data/lib/rosett_ai/thor/tasks/behaviour.rb +474 -0
data/lib/rosett_ai/thor/tasks/build.rb +1162 -0
data/lib/rosett_ai/thor/tasks/compile.rb +415 -0
data/lib/rosett_ai/thor/tasks/completion.rb +123 -0
data/lib/rosett_ai/thor/tasks/comply.rb +82 -0
data/lib/rosett_ai/thor/tasks/config.rb +265 -0
data/lib/rosett_ai/thor/tasks/content.rb +193 -0
data/lib/rosett_ai/thor/tasks/dbus.rb +321 -0
data/lib/rosett_ai/thor/tasks/design.rb +258 -0
data/lib/rosett_ai/thor/tasks/desktop.rb +129 -0
data/lib/rosett_ai/thor/tasks/doctor.rb +127 -0
data/lib/rosett_ai/thor/tasks/documentation.rb +321 -0
data/lib/rosett_ai/thor/tasks/engines.rb +167 -0
data/lib/rosett_ai/thor/tasks/hooks.rb +219 -0
data/lib/rosett_ai/thor/tasks/init.rb +259 -0
data/lib/rosett_ai/thor/tasks/license.rb +120 -0
data/lib/rosett_ai/thor/tasks/mcp.rb +535 -0
data/lib/rosett_ai/thor/tasks/migrate.rb +121 -0
data/lib/rosett_ai/thor/tasks/plugins.rb +157 -0
data/lib/rosett_ai/thor/tasks/project.rb +260 -0
data/lib/rosett_ai/thor/tasks/provenance.rb +195 -0
data/lib/rosett_ai/thor/tasks/release.rb +314 -0
data/lib/rosett_ai/thor/tasks/retrofit.rb +90 -0
data/lib/rosett_ai/thor/tasks/tooling.rb +308 -0
data/lib/rosett_ai/thor/tasks/validate.rb +108 -0
data/lib/rosett_ai/thor/tasks/workflow.rb +196 -0
data/lib/rosett_ai/tooling/ci_yaml_validator.rb +37 -0
data/lib/rosett_ai/tooling/version_checker.rb +35 -0
data/lib/rosett_ai/ui/accessible_tui.rb +61 -0
data/lib/rosett_ai/ui/base.rb +46 -0
data/lib/rosett_ai/ui/gtk4.rb +98 -0
data/lib/rosett_ai/ui/kde.rb +40 -0
data/lib/rosett_ai/ui/qt6.rb +40 -0
data/lib/rosett_ai/ui/registry.rb +60 -0
data/lib/rosett_ai/ui/tty_helper.rb +74 -0
data/lib/rosett_ai/ui/tui.rb +59 -0
data/lib/rosett_ai/validators/behaviour_validator.rb +20 -0
data/lib/rosett_ai/validators/design_validator.rb +17 -0
data/lib/rosett_ai/validators/schema_validator.rb +84 -0
data/lib/rosett_ai/validators/tooling_validator.rb +17 -0
data/lib/rosett_ai/version.rb +8 -0
data/lib/rosett_ai/version_consistency_checker.rb +129 -0
data/lib/rosett_ai/workflow/audit_log.rb +86 -0
data/lib/rosett_ai/workflow/engine.rb +142 -0
data/lib/rosett_ai/workflow/manager.rb +82 -0
data/lib/rosett_ai/workflow/schema_validator.rb +71 -0
data/lib/rosett_ai/workflow/step_runner.rb +61 -0
data/lib/rosett_ai/workflow/steps/prompt_step.rb +62 -0
data/lib/rosett_ai/workflow/steps/rai_step.rb +74 -0
data/lib/rosett_ai/workflow/steps/shell_step.rb +53 -0
data/lib/rosett_ai/yaml_loader.rb +78 -0
data/lib/rosett_ai.rb +221 -0
data/lib/rubocop/cop/rosett_ai/shell_interpolation.rb +54 -0
data/lib/rubocop/cop/rosett_ai/unsafe_const_get.rb +60 -0
data/lib/rubocop/cop/rosett_ai/unsafe_send.rb +50 -0
data/lib/rubocop/cop/rosett_ai/unsafe_yaml_load.rb +40 -0
data/lib/rubocop/rosett_ai.rb +9 -0
data/lib/scripts/generated/docker_hub_tags.rb +126 -0
data/locales/.gitkeep +0 -0
data/locales/ar.yml +579 -0
data/locales/en.yml +571 -0
data/locales/fr.yml +567 -0
data/packaging/build-engine-deb.sh +81 -0
data/packaging/scripts/postinst +17 -0
data/packaging/scripts/postrm +19 -0
data/packaging/scripts/prerm +10 -0
data/packaging/wrapper.sh.template +38 -0
data/rosett-ai.gemspec +63 -0
data/rules/.gitkeep +0 -0
data/scripts/publish/pulp_upload.sh +123 -0
data/settings.json +29 -0
data/share/applications/be.neatnerds.rosettai.desktop +29 -0
data/share/dbus-1/interfaces/be.neatnerds.rosettai.xml +103 -0
data/share/dbus-1/services/be.neatnerds.rosettai.service +3 -0
data/share/templates/behaviour/criticalthinking.yml +69 -0
metadata +810 -0

data/lib/rosett_ai/mcp/keyfile.rb ADDED Viewed

@@ -0,0 +1,221 @@
+# frozen_string_literal: true
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (C) 2026 Hugo Antonio Sepulveda Manriquez / NeatNerds
+module RosettAi
+  module Mcp
+    # Multi-key authentication store with thread-safe reload.
+    #
+    # Manages a YAML keyfile with salted hashes, expiry dates,
+    # and enable/disable flags. File permissions are enforced
+    # at 0600 or 0400.
+    #
+    # @author hugo
+    # @author claude
+    class Keyfile
+      VERSION = '1.0'
+      MAX_PERMISSIONS = 0o600
+      DEFAULT_FILENAME = 'rosett-ai-mcp-keys.yml'
+      EXPIRY_WARNING_DAYS = 7
+      # @param path [String] path to the keyfile
+      def initialize(path)
+        @path = File.expand_path(path)
+        @mutex = Mutex.new
+        @keys = []
+      end
+      # Load and validate the keyfile.
+      #
+      # @return [self]
+      # @raise [RosettAi::McpError] if file is missing or invalid
+      def load!
+        @mutex.synchronize do
+          validate_file_exists
+          validate_permissions
+          parse_keyfile
+        end
+        self
+      end
+      # Thread-safe reload (for SIGHUP handler).
+      #
+      # @return [void]
+      def reload!
+        load!
+      rescue StandardError => e
+        warn "[rai-mcp] Keyfile reload failed: #{e.message}"
+      end
+      # Find a key entry matching the given plaintext.
+      #
+      # @param plaintext [String] the plaintext API key
+      # @return [Hash, nil] matched key entry or nil
+      def find_key(plaintext)
+        @mutex.synchronize do
+          @keys.find do |entry|
+            next unless entry[:enabled]
+            next if expired?(entry)
+            KeyHasher.verify_key(plaintext, entry[:key_hash])
+          end
+        end
+      end
+      # List enabled keys (without hashes).
+      #
+      # @return [Array<Hash>] enabled key entries
+      def enabled_keys
+        @mutex.synchronize do
+          @keys.select { |k| k[:enabled] }.map { |k| safe_entry(k) }
+        end
+      end
+      # Add a new key to the keyfile.
+      #
+      # @param name [String] key name
+      # @param key_hash [String] salted hash
+      # @param expires_at [String, nil] expiry date (ISO 8601)
+      # @return [void]
+      def add_key(name:, key_hash:, expires_at: nil)
+        @mutex.synchronize do
+          @keys << {
+            name: name,
+            algo: 'sha256_salt',
+            key_hash: key_hash,
+            created_at: Time.now.strftime('%Y-%m-%d'),
+            expires_at: expires_at,
+            enabled: true
+          }
+          write_keyfile
+        end
+      end
+      # Revoke (disable) a key by name.
+      #
+      # @param name [String] key name
+      # @return [Boolean] true if key was found and revoked
+      def revoke_key(name)
+        @mutex.synchronize do
+          entry = @keys.find { |k| k[:name] == name }
+          return false unless entry
+          entry[:enabled] = false
+          write_keyfile
+          true
+        end
+      end
+      # Rotate a key: revoke old, return new hash for replacement.
+      #
+      # @param name [String] key name
+      # @return [Hash, nil] new key entry or nil if not found
+      def rotate_key(name)
+        @mutex.synchronize do
+          old = @keys.find { |k| k[:name] == name }
+          return nil unless old
+          old[:enabled] = false
+          new_key, new_entry = build_replacement_key(name, old[:expires_at])
+          @keys << new_entry
+          write_keyfile
+          { plaintext: new_key, entry: safe_entry(new_entry) }
+        end
+      end
+      # Create an empty keyfile if missing.
+      #
+      # @param path [String] keyfile path
+      # @return [String] expanded path
+      def self.create_if_missing(path)
+        expanded = File.expand_path(path)
+        unless File.exist?(expanded)
+          dir = File.dirname(expanded)
+          FileUtils.mkdir_p(dir)
+          File.write(expanded, { 'version' => VERSION, 'keys' => [] }.to_yaml)
+          File.chmod(0o600, expanded)
+        end
+        expanded
+      end
+      private
+      def validate_file_exists
+        raise RosettAi::McpError, "Keyfile not found: #{@path}" unless File.exist?(@path)
+      end
+      def validate_permissions
+        mode = File.stat(@path).mode & 0o777
+        return if mode <= MAX_PERMISSIONS
+        raise RosettAi::McpError,
+              "Keyfile permissions too open: #{format('%04o', mode)} " \
+              "(max #{format('%04o', MAX_PERMISSIONS)}). Run: chmod 0600 #{@path}"
+      end
+      def parse_keyfile
+        data = YAML.safe_load_file(@path, permitted_classes: [Symbol])
+        raise RosettAi::McpError, 'Invalid keyfile format' unless data.is_a?(Hash)
+        @keys = Array(data['keys']).map { |k| symbolize_key(k) }
+      end
+      def symbolize_key(hash)
+        {
+          name: hash['name'],
+          algo: hash['algo'] || 'sha256_salt',
+          key_hash: hash['key_hash'],
+          created_at: hash['created_at'],
+          expires_at: hash['expires_at'],
+          enabled: hash.fetch('enabled', true)
+        }
+      end
+      def expired?(entry)
+        return false unless entry[:expires_at]
+        Time.parse(entry[:expires_at].to_s) < Time.now
+      rescue ArgumentError
+        false
+      end
+      def safe_entry(entry)
+        entry.except(:key_hash)
+      end
+      def write_keyfile
+        data = {
+          'version' => VERSION,
+          'keys' => @keys.map { |k| stringify_key(k) }
+        }
+        File.write(@path, data.to_yaml)
+        File.chmod(0o600, @path)
+      end
+      def build_replacement_key(name, expires_at)
+        plaintext = KeyHasher.generate_key
+        entry = {
+          name: name,
+          algo: 'sha256_salt',
+          key_hash: KeyHasher.hash_key(plaintext),
+          created_at: Time.now.strftime('%Y-%m-%d'),
+          expires_at: expires_at,
+          enabled: true
+        }
+        [plaintext, entry]
+      end
+      def stringify_key(entry)
+        {
+          'name' => entry[:name],
+          'algo' => entry[:algo],
+          'key_hash' => entry[:key_hash],
+          'created_at' => entry[:created_at],
+          'expires_at' => entry[:expires_at],
+          'enabled' => entry[:enabled]
+        }
+      end
+    end
+  end
+end

data/lib/rosett_ai/mcp/middleware/authentication.rb ADDED Viewed

@@ -0,0 +1,146 @@
+# frozen_string_literal: true
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (C) 2026 Hugo Antonio Sepulveda Manriquez / NeatNerds
+module RosettAi
+  module Mcp
+    module Middleware
+      # Rack middleware for API key authentication.
+      #
+      # Supports multi-key keyfile or single env var modes.
+      # Returns 401 Unauthorized for invalid credentials.
+      #
+      # @author hugo
+      # @author claude
+      class Authentication
+        # @param app [#call] the next Rack application
+        # @param config [#type, #key_source, #keyfile_path, #api_key_env] auth config
+        def initialize(app, config: nil)
+          @app = app
+          @config = config
+          @keyfile = nil
+          validate_auth_type
+          load_keyfile if keyfile_mode?
+          install_sighup_handler if keyfile_mode?
+        end
+        # @param env [Hash] Rack environment
+        # @return [Array] Rack response triplet
+        def call(env)
+          case auth_type
+          when 'none'
+            env['rosett_ai.authenticated'] = false
+            @app.call(env)
+          when 'api_key'
+            authenticate_api_key(env)
+          else
+            unauthorized('Unsupported authentication type')
+          end
+        end
+        private
+        def auth_type
+          @config.respond_to?(:type) ? @config.type : 'api_key'
+        end
+        def validate_auth_type
+          type = auth_type
+          return if ['api_key', 'none'].include?(type)
+          warn "[rai-mcp] Unsupported auth type: #{type}, falling back to api_key"
+        end
+        def keyfile_mode?
+          return false unless @config.respond_to?(:resolved_key_source)
+          @config.resolved_key_source == 'keyfile'
+        end
+        def load_keyfile
+          path = @config.keyfile_path
+          return unless path
+          @keyfile = Keyfile.new(path)
+          @keyfile.load!
+        end
+        def install_sighup_handler
+          Signal.trap('HUP') { @keyfile&.reload! }
+        rescue ArgumentError
+          # Signal not supported on this platform
+        end
+        def authenticate_api_key(env)
+          if @keyfile
+            token = extract_bearer_token(env) # gitleaks:allow
+            return unauthorized('Missing Authorization header') unless token
+            authenticate_via_keyfile(env, token)
+          else
+            authenticate_via_env(env)
+          end
+        end
+        def authenticate_via_keyfile(env, token)
+          key_entry = @keyfile.find_key(token)
+          if key_entry
+            env['rosett_ai.authenticated'] = true
+            env['rosett_ai.client_id'] = key_entry[:name]
+            SecurityLogger.auth_success(key_entry[:name])
+            @app.call(env)
+          else
+            SecurityLogger.auth_failure('invalid_key')
+            unauthorized('Invalid API key')
+          end
+        end
+        def authenticate_via_env(env)
+          env_var = @config.respond_to?(:api_key_env) ? @config.api_key_env : 'RAI_MCP_API_KEY'
+          expected = ENV.fetch(env_var, nil)
+          unless expected
+            SecurityLogger.log(:warn, 'no_api_key_configured',
+                               env_var: env_var,
+                               message: 'HTTP request received with no API key configured — running unauthenticated')
+            env['rosett_ai.authenticated'] = false
+            return @app.call(env)
+          end
+          token = extract_bearer_token(env) # gitleaks:allow
+          return unauthorized('Missing Authorization header') unless token
+          if Rack::Utils.secure_compare(token, expected)
+            env['rosett_ai.authenticated'] = true
+            env['rosett_ai.client_id'] = 'env_key'
+            SecurityLogger.auth_success('env_key')
+            @app.call(env)
+          else
+            SecurityLogger.auth_failure('invalid_env_key')
+            unauthorized('Invalid API key')
+          end
+        end
+        def extract_bearer_token(env)
+          auth = env['HTTP_AUTHORIZATION']
+          return nil unless auth
+          scheme, token = auth.split(' ', 2) # gitleaks:allow
+          return nil unless scheme&.casecmp('bearer')&.zero?
+          token
+        end
+        def unauthorized(message)
+          body = JSON.generate(
+            jsonrpc: '2.0',
+            error: { code: -32_600, message: "Unauthorized: #{message}" },
+            id: nil
+          )
+          [401, { 'content-type' => 'application/json', 'www-authenticate' => 'Bearer' }, [body]]
+        end
+      end
+    end
+  end
+end

data/lib/rosett_ai/mcp/middleware/content_type.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (C) 2026 Hugo Antonio Sepulveda Manriquez / NeatNerds
+module RosettAi
+  module Mcp
+    module Middleware
+      # Rack middleware that enforces application/json on POST requests.
+      #
+      # Returns 415 Unsupported Media Type for non-JSON POST bodies.
+      #
+      # @author hugo
+      # @author claude
+      class ContentType
+        # @param app [#call] the next Rack application
+        def initialize(app)
+          @app = app
+        end
+        # @param env [Hash] Rack environment
+        # @return [Array] Rack response triplet
+        def call(env)
+          return @app.call(env) unless post_request?(env)
+          return @app.call(env) if json_content_type?(env)
+          unsupported_media_type(env)
+        end
+        private
+        def post_request?(env)
+          env['REQUEST_METHOD'] == 'POST'
+        end
+        def json_content_type?(env)
+          content_type = env['CONTENT_TYPE'].to_s
+          content_type.start_with?('application/json')
+        end
+        def unsupported_media_type(env)
+          got = env['CONTENT_TYPE'].to_s
+          body = JSON.generate(
+            jsonrpc: '2.0',
+            error: {
+              code: -32_600,
+              message: "Content-Type must be application/json, got: #{got}"
+            },
+            id: nil
+          )
+          [415, { 'content-type' => 'application/json' }, [body]]
+        end
+      end
+    end
+  end
+end

data/lib/rosett_ai/mcp/middleware/cors.rb ADDED Viewed

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (C) 2026 Hugo Antonio Sepulveda Manriquez / NeatNerds
+module RosettAi
+  module Mcp
+    module Middleware
+      # Rack middleware for CORS header handling and preflight.
+      #
+      # Disabled by default. When enabled, handles OPTIONS preflight
+      # and adds CORS headers to responses.
+      #
+      # @author hugo
+      # @author claude
+      class Cors
+        # @param app [#call] the next Rack application
+        # @param config [#origins, #methods, #headers, #max_age] CORS config
+        DEFAULT_METHODS = ['POST', 'GET', 'DELETE'].freeze
+        DEFAULT_HEADERS = ['Content-Type', 'Authorization', 'Accept', 'Mcp-Session-Id'].freeze
+        DEFAULT_MAX_AGE = 86_400
+        CONFIG_FIELDS = [:origins, :methods, :headers, :max_age].freeze
+        def initialize(app, config: nil)
+          @app = app
+          @origins = resolve_config(config, :origins, [])
+          @methods = resolve_config(config, :methods, DEFAULT_METHODS)
+          @headers = resolve_config(config, :headers, DEFAULT_HEADERS)
+          @max_age = resolve_config(config, :max_age, DEFAULT_MAX_AGE)
+        end
+        # @param env [Hash] Rack environment
+        # @return [Array] Rack response triplet
+        def call(env)
+          return handle_preflight(env) if preflight?(env)
+          status, headers, body = @app.call(env)
+          add_cors_headers(headers, env)
+          [status, headers, body]
+        end
+        private
+        def preflight?(env)
+          env['REQUEST_METHOD'] == 'OPTIONS' && env['HTTP_ORIGIN']
+        end
+        def handle_preflight(env)
+          origin = env['HTTP_ORIGIN']
+          return [403, {}, []] unless origin_allowed?(origin)
+          [204, preflight_headers(origin), []]
+        end
+        def preflight_headers(origin)
+          {
+            'access-control-allow-origin' => origin,
+            'access-control-allow-methods' => @methods.join(', '),
+            'access-control-allow-headers' => @headers.join(', '),
+            'access-control-max-age' => @max_age.to_s
+          }
+        end
+        def add_cors_headers(headers, env)
+          origin = env['HTTP_ORIGIN']
+          return unless origin && origin_allowed?(origin)
+          headers['access-control-allow-origin'] = origin
+        end
+        def origin_allowed?(origin)
+          @origins.include?(origin)
+        end
+        def resolve_config(config, field, default)
+          return default unless CONFIG_FIELDS.include?(field) && config.respond_to?(field)
+          config.public_send(field) # rubocop:disable RosettAi/UnsafeSend -- field validated against CONFIG_FIELDS allowlist
+        end
+      end
+    end
+  end
+end

data/lib/rosett_ai/mcp/middleware/origin_validation.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (C) 2026 Hugo Antonio Sepulveda Manriquez / NeatNerds
+module RosettAi
+  module Mcp
+    module Middleware
+      # Rack middleware that validates Origin header against an allowlist.
+      #
+      # Supports glob patterns (e.g., 'http://localhost:*').
+      # Returns 403 Forbidden for disallowed origins.
+      # Localhost-only by default.
+      #
+      # @author hugo
+      # @author claude
+      class OriginValidation
+        DEFAULT_ORIGINS = ['http://localhost:*', 'http://127.0.0.1:*'].freeze
+        # @param app [#call] the next Rack application
+        # @param config [#allowed_origins, #strict_mode] origin config
+        def initialize(app, config: nil)
+          @app = app
+          @allowed_origins = config.respond_to?(:allowed_origins) ? config.allowed_origins : DEFAULT_ORIGINS
+          @strict_mode = config.respond_to?(:strict_mode) ? config.strict_mode : false
+        end
+        # @param env [Hash] Rack environment
+        # @return [Array] Rack response triplet
+        def call(env)
+          origin = env['HTTP_ORIGIN']
+          return handle_absent_origin(env) unless origin
+          return @app.call(env) if origin_allowed?(origin)
+          reject_origin(origin)
+        end
+        private
+        def handle_absent_origin(env)
+          if @strict_mode
+            forbidden('Origin header required (strict mode)')
+          else
+            @app.call(env)
+          end
+        end
+        def origin_allowed?(origin)
+          @allowed_origins.any? { |pattern| match_origin?(pattern, origin) }
+        end
+        def match_origin?(pattern, origin)
+          regex = Regexp.new("\\A#{Regexp.escape(pattern).gsub('\\*', '.*')}\\z")
+          regex.match?(origin)
+        end
+        def reject_origin(origin)
+          SecurityLogger.origin_rejected(origin)
+          forbidden("Origin not allowed: #{origin}")
+        end
+        def forbidden(message)
+          body = JSON.generate(
+            jsonrpc: '2.0',
+            error: { code: -32_600, message: message },
+            id: nil
+          )
+          [403, { 'content-type' => 'application/json' }, [body]]
+        end
+      end
+    end
+  end
+end

data/lib/rosett_ai/mcp/middleware/rate_limit.rb ADDED Viewed

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+# SPDX-License-Identifier: GPL-3.0-only
+# Copyright (C) 2026 Hugo Antonio Sepulveda Manriquez / NeatNerds
+module RosettAi
+  module Mcp
+    module Middleware
+      # Rack middleware for token bucket rate limiting.
+      #
+      # Per-IP/per-key rate limiting with separate limits for
+      # authenticated and unauthenticated requests.
+      # Returns 429 Too Many Requests when exhausted.
+      #
+      # @author hugo
+      # @author claude
+      class RateLimit
+        DEFAULT_UNAUTH_RPM = 60
+        DEFAULT_AUTH_RPM = 300
+        BUCKET_WINDOW = 60 # seconds
+        CLEANUP_INTERVAL = 100
+        # @param app [#call] the next Rack application
+        # @param config [#unauthenticated_rpm, #authenticated_rpm] rate config
+        def initialize(app, config: nil)
+          @app = app
+          @unauth_rpm = config.respond_to?(:unauthenticated_rpm) ? config.unauthenticated_rpm : DEFAULT_UNAUTH_RPM
+          @auth_rpm = config.respond_to?(:authenticated_rpm) ? config.authenticated_rpm : DEFAULT_AUTH_RPM
+          @buckets = {}
+          @mutex = Mutex.new
+          @request_count = 0
+        end
+        # @param env [Hash] Rack environment
+        # @return [Array] Rack response triplet
+        def call(env)
+          key = bucket_key(env)
+          limit = rate_limit_for(env)
+          if allowed?(key, limit)
+            @app.call(env)
+          else
+            SecurityLogger.rate_limited(key)
+            too_many_requests
+          end
+        end
+        private
+        def bucket_key(env)
+          parts = [env['REMOTE_ADDR'] || 'unknown']
+          parts << env['HTTP_AUTHORIZATION'] if env['HTTP_AUTHORIZATION']
+          parts << env['HTTP_MCP_SESSION_ID'] if env['HTTP_MCP_SESSION_ID']
+          parts.join(':')
+        end
+        def rate_limit_for(env)
+          env['rosett_ai.authenticated'] ? @auth_rpm : @unauth_rpm
+        end
+        def allowed?(key, limit)
+          @mutex.synchronize do
+            @request_count += 1
+            cleanup_buckets if (@request_count % CLEANUP_INTERVAL).zero?
+            bucket = @buckets[key] ||= { tokens: limit, last_reset: Time.now }
+            reset_bucket(bucket, limit) if bucket_expired?(bucket)
+            if bucket[:tokens].positive?
+              bucket[:tokens] -= 1
+              true
+            else
+              false
+            end
+          end
+        end
+        def bucket_expired?(bucket)
+          Time.now - bucket[:last_reset] >= BUCKET_WINDOW
+        end
+        def reset_bucket(bucket, limit)
+          bucket[:tokens] = limit
+          bucket[:last_reset] = Time.now
+        end
+        def cleanup_buckets
+          now = Time.now
+          @buckets.delete_if { |_, bucket| now - bucket[:last_reset] >= BUCKET_WINDOW * 2 }
+        end
+        def too_many_requests
+          body = JSON.generate(
+            jsonrpc: '2.0',
+            error: {
+              code: -32_600,
+              message: 'Too many requests'
+            },
+            id: nil
+          )
+          [429, { 'content-type' => 'application/json', 'retry-after' => '60' }, [body]]
+        end
+      end
+    end
+  end
+end