npm - @cleocode/mcp-server - Versions diffs - 0.86.0 - Mend

@cleocode/mcp-server 0.86.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (374) hide show

package/LICENSE +21 -0
package/README.md +306 -0
package/dist/domains/index.d.ts +16 -0
package/dist/domains/index.d.ts.map +1 -0
package/dist/domains/index.js +16 -0
package/dist/domains/index.js.map +1 -0
package/dist/domains/lifecycle.d.ts +147 -0
package/dist/domains/lifecycle.d.ts.map +1 -0
package/dist/domains/lifecycle.js +452 -0
package/dist/domains/lifecycle.js.map +1 -0
package/dist/domains/orchestrate.d.ts +133 -0
package/dist/domains/orchestrate.d.ts.map +1 -0
package/dist/domains/orchestrate.js +465 -0
package/dist/domains/orchestrate.js.map +1 -0
package/dist/domains/release.d.ts +109 -0
package/dist/domains/release.d.ts.map +1 -0
package/dist/domains/release.js +400 -0
package/dist/domains/release.js.map +1 -0
package/dist/domains/research.d.ts +139 -0
package/dist/domains/research.d.ts.map +1 -0
package/dist/domains/research.js +606 -0
package/dist/domains/research.js.map +1 -0
package/dist/domains/session.d.ts +129 -0
package/dist/domains/session.d.ts.map +1 -0
package/dist/domains/session.js +433 -0
package/dist/domains/session.js.map +1 -0
package/dist/domains/system.d.ts +92 -0
package/dist/domains/system.d.ts.map +1 -0
package/dist/domains/system.js +473 -0
package/dist/domains/system.js.map +1 -0
package/dist/domains/tasks.d.ts +180 -0
package/dist/domains/tasks.d.ts.map +1 -0
package/dist/domains/tasks.js +704 -0
package/dist/domains/tasks.js.map +1 -0
package/dist/domains/validate.d.ts +150 -0
package/dist/domains/validate.d.ts.map +1 -0
package/dist/domains/validate.js +568 -0
package/dist/domains/validate.js.map +1 -0
package/dist/gateways/mutate.d.ts +100 -0
package/dist/gateways/mutate.d.ts.map +1 -0
package/dist/gateways/mutate.js +937 -0
package/dist/gateways/mutate.js.map +1 -0
package/dist/gateways/query.d.ts +91 -0
package/dist/gateways/query.d.ts.map +1 -0
package/dist/gateways/query.js +245 -0
package/dist/gateways/query.js.map +1 -0
package/dist/index.d.ts +21 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +299 -0
package/dist/index.js.map +1 -0
package/dist/lib/audit.d.ts +118 -0
package/dist/lib/audit.d.ts.map +1 -0
package/dist/lib/audit.js +311 -0
package/dist/lib/audit.js.map +1 -0
package/dist/lib/background-jobs.d.ts +86 -0
package/dist/lib/background-jobs.d.ts.map +1 -0
package/dist/lib/background-jobs.js +183 -0
package/dist/lib/background-jobs.js.map +1 -0
package/dist/lib/cache.d.ts +78 -0
package/dist/lib/cache.d.ts.map +1 -0
package/dist/lib/cache.js +204 -0
package/dist/lib/cache.js.map +1 -0
package/dist/lib/command-builder.d.ts +52 -0
package/dist/lib/command-builder.d.ts.map +1 -0
package/dist/lib/command-builder.js +280 -0
package/dist/lib/command-builder.js.map +1 -0
package/dist/lib/config.d.ts +42 -0
package/dist/lib/config.d.ts.map +1 -0
package/dist/lib/config.js +248 -0
package/dist/lib/config.js.map +1 -0
package/dist/lib/defaults.d.ts +115 -0
package/dist/lib/defaults.d.ts.map +1 -0
package/dist/lib/defaults.js +61 -0
package/dist/lib/defaults.js.map +1 -0
package/dist/lib/error-handler.d.ts +101 -0
package/dist/lib/error-handler.d.ts.map +1 -0
package/dist/lib/error-handler.js +277 -0
package/dist/lib/error-handler.js.map +1 -0
package/dist/lib/executor.d.ts +110 -0
package/dist/lib/executor.d.ts.map +1 -0
package/dist/lib/executor.js +362 -0
package/dist/lib/executor.js.map +1 -0
package/dist/lib/exit-codes.d.ts +190 -0
package/dist/lib/exit-codes.d.ts.map +1 -0
package/dist/lib/exit-codes.js +1027 -0
package/dist/lib/exit-codes.js.map +1 -0
package/dist/lib/formatter.d.ts +196 -0
package/dist/lib/formatter.d.ts.map +1 -0
package/dist/lib/formatter.js +260 -0
package/dist/lib/formatter.js.map +1 -0
package/dist/lib/gate-validators.d.ts +103 -0
package/dist/lib/gate-validators.d.ts.map +1 -0
package/dist/lib/gate-validators.js +689 -0
package/dist/lib/gate-validators.js.map +1 -0
package/dist/lib/manifest-parser.d.ts +61 -0
package/dist/lib/manifest-parser.d.ts.map +1 -0
package/dist/lib/manifest-parser.js +338 -0
package/dist/lib/manifest-parser.js.map +1 -0
package/dist/lib/manifest.d.ts +177 -0
package/dist/lib/manifest.d.ts.map +1 -0
package/dist/lib/manifest.js +301 -0
package/dist/lib/manifest.js.map +1 -0
package/dist/lib/protocol-enforcement.d.ts +105 -0
package/dist/lib/protocol-enforcement.d.ts.map +1 -0
package/dist/lib/protocol-enforcement.js +331 -0
package/dist/lib/protocol-enforcement.js.map +1 -0
package/dist/lib/protocol-rules.d.ts +55 -0
package/dist/lib/protocol-rules.d.ts.map +1 -0
package/dist/lib/protocol-rules.js +760 -0
package/dist/lib/protocol-rules.js.map +1 -0
package/dist/lib/rate-limiter.d.ts +110 -0
package/dist/lib/rate-limiter.d.ts.map +1 -0
package/dist/lib/rate-limiter.js +208 -0
package/dist/lib/rate-limiter.js.map +1 -0
package/dist/lib/router.d.ts +126 -0
package/dist/lib/router.d.ts.map +1 -0
package/dist/lib/router.js +276 -0
package/dist/lib/router.js.map +1 -0
package/dist/lib/schema.d.ts +55 -0
package/dist/lib/schema.d.ts.map +1 -0
package/dist/lib/schema.js +70 -0
package/dist/lib/schema.js.map +1 -0
package/dist/lib/security.d.ts +156 -0
package/dist/lib/security.d.ts.map +1 -0
package/dist/lib/security.js +347 -0
package/dist/lib/security.js.map +1 -0
package/dist/lib/verification-gates.d.ts +287 -0
package/dist/lib/verification-gates.d.ts.map +1 -0
package/dist/lib/verification-gates.js +548 -0
package/dist/lib/verification-gates.js.map +1 -0
package/dist/types/domain.d.ts +29 -0
package/dist/types/domain.d.ts.map +1 -0
package/dist/types/domain.js +7 -0
package/dist/types/domain.js.map +1 -0
package/dist/types/error.d.ts +101 -0
package/dist/types/error.d.ts.map +1 -0
package/dist/types/error.js +61 -0
package/dist/types/error.js.map +1 -0
package/dist/types/gateway.d.ts +78 -0
package/dist/types/gateway.d.ts.map +1 -0
package/dist/types/gateway.js +7 -0
package/dist/types/gateway.js.map +1 -0
package/dist/types/index.d.ts +21 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +11 -0
package/dist/types/index.js.map +1 -0
package/dist/types/operations/lifecycle.d.ts +140 -0
package/dist/types/operations/lifecycle.d.ts.map +1 -0
package/dist/types/operations/lifecycle.js +8 -0
package/dist/types/operations/lifecycle.js.map +1 -0
package/dist/types/operations/orchestrate.d.ts +140 -0
package/dist/types/operations/orchestrate.d.ts.map +1 -0
package/dist/types/operations/orchestrate.js +8 -0
package/dist/types/operations/orchestrate.js.map +1 -0
package/dist/types/operations/release.d.ts +97 -0
package/dist/types/operations/release.d.ts.map +1 -0
package/dist/types/operations/release.js +7 -0
package/dist/types/operations/release.js.map +1 -0
package/dist/types/operations/research.d.ts +122 -0
package/dist/types/operations/research.d.ts.map +1 -0
package/dist/types/operations/research.js +8 -0
package/dist/types/operations/research.js.map +1 -0
package/dist/types/operations/session.d.ts +108 -0
package/dist/types/operations/session.d.ts.map +1 -0
package/dist/types/operations/session.js +8 -0
package/dist/types/operations/session.js.map +1 -0
package/dist/types/operations/system.d.ts +147 -0
package/dist/types/operations/system.d.ts.map +1 -0
package/dist/types/operations/system.js +8 -0
package/dist/types/operations/system.js.map +1 -0
package/dist/types/operations/tasks.d.ts +186 -0
package/dist/types/operations/tasks.d.ts.map +1 -0
package/dist/types/operations/tasks.js +8 -0
package/dist/types/operations/tasks.js.map +1 -0
package/dist/types/operations/validate.d.ts +170 -0
package/dist/types/operations/validate.d.ts.map +1 -0
package/dist/types/operations/validate.js +8 -0
package/dist/types/operations/validate.js.map +1 -0
package/package.json +67 -0
package/schemas/IMPLEMENTATION-SUMMARY.md +250 -0
package/schemas/README.md +284 -0
package/schemas/common/error.schema.json +54 -0
package/schemas/common/meta.schema.json +39 -0
package/schemas/common/pagination.schema.json +32 -0
package/schemas/index.json +159 -0
package/schemas/requests/lifecycle/check.schema.json +20 -0
package/schemas/requests/lifecycle/gate.fail.schema.json +25 -0
package/schemas/requests/lifecycle/gate.pass.schema.json +28 -0
package/schemas/requests/lifecycle/gates.schema.json +15 -0
package/schemas/requests/lifecycle/history.schema.json +15 -0
package/schemas/requests/lifecycle/prerequisites.schema.json +15 -0
package/schemas/requests/lifecycle/progress.schema.json +29 -0
package/schemas/requests/lifecycle/reset.schema.json +25 -0
package/schemas/requests/lifecycle/skip.schema.json +25 -0
package/schemas/requests/lifecycle/status.schema.json +23 -0
package/schemas/requests/orchestrate/analyze.schema.json +15 -0
package/schemas/requests/orchestrate/context.schema.json +13 -0
package/schemas/requests/orchestrate/next.schema.json +15 -0
package/schemas/requests/orchestrate/parallel.end.schema.json +20 -0
package/schemas/requests/orchestrate/parallel.start.schema.json +20 -0
package/schemas/requests/orchestrate/ready.schema.json +15 -0
package/schemas/requests/orchestrate/skill.list.schema.json +13 -0
package/schemas/requests/orchestrate/spawn.schema.json +25 -0
package/schemas/requests/orchestrate/startup.schema.json +15 -0
package/schemas/requests/orchestrate/status.schema.json +15 -0
package/schemas/requests/orchestrate/validate.schema.json +15 -0
package/schemas/requests/orchestrate/waves.schema.json +15 -0
package/schemas/requests/release/changelog.schema.json +23 -0
package/schemas/requests/release/commit.schema.json +22 -0
package/schemas/requests/release/gates.run.schema.json +17 -0
package/schemas/requests/release/prepare.schema.json +20 -0
package/schemas/requests/release/push.schema.json +20 -0
package/schemas/requests/release/rollback.schema.json +20 -0
package/schemas/requests/release/tag.schema.json +19 -0
package/schemas/requests/research/inject.schema.json +24 -0
package/schemas/requests/research/link.schema.json +25 -0
package/schemas/requests/research/list.schema.json +19 -0
package/schemas/requests/research/manifest.append.schema.json +20 -0
package/schemas/requests/research/manifest.archive.schema.json +19 -0
package/schemas/requests/research/manifest.read.schema.json +21 -0
package/schemas/requests/research/pending.schema.json +14 -0
package/schemas/requests/research/query.schema.json +21 -0
package/schemas/requests/research/show.schema.json +14 -0
package/schemas/requests/research/stats.schema.json +14 -0
package/schemas/requests/session/end.schema.json +13 -0
package/schemas/requests/session/focus.clear.schema.json +7 -0
package/schemas/requests/session/focus.get.schema.json +7 -0
package/schemas/requests/session/focus.set.schema.json +15 -0
package/schemas/requests/session/gc.schema.json +14 -0
package/schemas/requests/session/history.schema.json +16 -0
package/schemas/requests/session/list.schema.json +13 -0
package/schemas/requests/session/resume.schema.json +14 -0
package/schemas/requests/session/show.schema.json +14 -0
package/schemas/requests/session/start.schema.json +23 -0
package/schemas/requests/session/status.schema.json +7 -0
package/schemas/requests/session/suspend.schema.json +13 -0
package/schemas/requests/system/backup.schema.json +19 -0
package/schemas/requests/system/cleanup.schema.json +20 -0
package/schemas/requests/system/config.get.schema.json +14 -0
package/schemas/requests/system/config.set.schema.json +24 -0
package/schemas/requests/system/context.schema.json +7 -0
package/schemas/requests/system/doctor.schema.json +7 -0
package/schemas/requests/system/init.schema.json +18 -0
package/schemas/requests/system/migrate.schema.json +19 -0
package/schemas/requests/system/restore.schema.json +14 -0
package/schemas/requests/system/stats.schema.json +7 -0
package/schemas/requests/system/sync.schema.json +15 -0
package/schemas/requests/system/version.schema.json +7 -0
package/schemas/requests/tasks/analyze.schema.json +14 -0
package/schemas/requests/tasks/archive.schema.json +19 -0
package/schemas/requests/tasks/blockers.schema.json +15 -0
package/schemas/requests/tasks/complete.schema.json +24 -0
package/schemas/requests/tasks/create.schema.json +48 -0
package/schemas/requests/tasks/delete.schema.json +20 -0
package/schemas/requests/tasks/deps.schema.json +21 -0
package/schemas/requests/tasks/exists.schema.json +15 -0
package/schemas/requests/tasks/find.schema.json +22 -0
package/schemas/requests/tasks/get.schema.json +15 -0
package/schemas/requests/tasks/list.schema.json +26 -0
package/schemas/requests/tasks/next.schema.json +21 -0
package/schemas/requests/tasks/promote.schema.json +15 -0
package/schemas/requests/tasks/reopen.schema.json +15 -0
package/schemas/requests/tasks/reorder.schema.json +20 -0
package/schemas/requests/tasks/reparent.schema.json +20 -0
package/schemas/requests/tasks/tree.schema.json +21 -0
package/schemas/requests/tasks/unarchive.schema.json +15 -0
package/schemas/requests/tasks/update.schema.json +41 -0
package/schemas/requests/validate/compliance.record.schema.json +20 -0
package/schemas/requests/validate/compliance.summary.schema.json +18 -0
package/schemas/requests/validate/compliance.violations.schema.json +19 -0
package/schemas/requests/validate/manifest.schema.json +23 -0
package/schemas/requests/validate/output.schema.json +19 -0
package/schemas/requests/validate/protocol.schema.json +20 -0
package/schemas/requests/validate/schema.schema.json +19 -0
package/schemas/requests/validate/task.schema.json +21 -0
package/schemas/requests/validate/test.coverage.schema.json +14 -0
package/schemas/requests/validate/test.run.schema.json +22 -0
package/schemas/requests/validate/test.status.schema.json +14 -0
package/schemas/responses/common-error.schema.json +20 -0
package/schemas/responses/common-success.schema.json +21 -0
package/schemas/responses/lifecycle/check.schema.json +18 -0
package/schemas/responses/lifecycle/gate.fail.schema.json +18 -0
package/schemas/responses/lifecycle/gate.pass.schema.json +18 -0
package/schemas/responses/lifecycle/gates.schema.json +18 -0
package/schemas/responses/lifecycle/history.schema.json +18 -0
package/schemas/responses/lifecycle/prerequisites.schema.json +18 -0
package/schemas/responses/lifecycle/progress.schema.json +18 -0
package/schemas/responses/lifecycle/reset.schema.json +18 -0
package/schemas/responses/lifecycle/skip.schema.json +18 -0
package/schemas/responses/lifecycle/status.schema.json +18 -0
package/schemas/responses/orchestrate/analyze.schema.json +18 -0
package/schemas/responses/orchestrate/context.schema.json +18 -0
package/schemas/responses/orchestrate/next.schema.json +18 -0
package/schemas/responses/orchestrate/parallel.end.schema.json +18 -0
package/schemas/responses/orchestrate/parallel.start.schema.json +18 -0
package/schemas/responses/orchestrate/ready.schema.json +18 -0
package/schemas/responses/orchestrate/skill.list.schema.json +18 -0
package/schemas/responses/orchestrate/spawn.schema.json +18 -0
package/schemas/responses/orchestrate/startup.schema.json +18 -0
package/schemas/responses/orchestrate/status.schema.json +18 -0
package/schemas/responses/orchestrate/validate.schema.json +18 -0
package/schemas/responses/orchestrate/waves.schema.json +18 -0
package/schemas/responses/release/changelog.schema.json +18 -0
package/schemas/responses/release/commit.schema.json +18 -0
package/schemas/responses/release/gates.run.schema.json +18 -0
package/schemas/responses/release/prepare.schema.json +18 -0
package/schemas/responses/release/push.schema.json +18 -0
package/schemas/responses/release/rollback.schema.json +18 -0
package/schemas/responses/release/tag.schema.json +18 -0
package/schemas/responses/research/inject.schema.json +18 -0
package/schemas/responses/research/link.schema.json +18 -0
package/schemas/responses/research/list.schema.json +18 -0
package/schemas/responses/research/manifest.append.schema.json +18 -0
package/schemas/responses/research/manifest.archive.schema.json +18 -0
package/schemas/responses/research/manifest.read.schema.json +18 -0
package/schemas/responses/research/pending.schema.json +18 -0
package/schemas/responses/research/query.schema.json +18 -0
package/schemas/responses/research/show.schema.json +18 -0
package/schemas/responses/research/stats.schema.json +18 -0
package/schemas/responses/session/end.schema.json +18 -0
package/schemas/responses/session/focus.clear.schema.json +18 -0
package/schemas/responses/session/focus.get.schema.json +18 -0
package/schemas/responses/session/focus.set.schema.json +18 -0
package/schemas/responses/session/gc.schema.json +18 -0
package/schemas/responses/session/history.schema.json +18 -0
package/schemas/responses/session/list.schema.json +18 -0
package/schemas/responses/session/resume.schema.json +18 -0
package/schemas/responses/session/show.schema.json +18 -0
package/schemas/responses/session/start.schema.json +18 -0
package/schemas/responses/session/status.schema.json +18 -0
package/schemas/responses/session/suspend.schema.json +18 -0
package/schemas/responses/system/backup.schema.json +18 -0
package/schemas/responses/system/cleanup.schema.json +18 -0
package/schemas/responses/system/config.get.schema.json +18 -0
package/schemas/responses/system/config.set.schema.json +18 -0
package/schemas/responses/system/context.schema.json +18 -0
package/schemas/responses/system/doctor.schema.json +18 -0
package/schemas/responses/system/init.schema.json +18 -0
package/schemas/responses/system/migrate.schema.json +18 -0
package/schemas/responses/system/restore.schema.json +18 -0
package/schemas/responses/system/stats.schema.json +18 -0
package/schemas/responses/system/sync.schema.json +18 -0
package/schemas/responses/system/version.schema.json +18 -0
package/schemas/responses/tasks/analyze.schema.json +18 -0
package/schemas/responses/tasks/archive.schema.json +18 -0
package/schemas/responses/tasks/blockers.schema.json +18 -0
package/schemas/responses/tasks/complete.schema.json +18 -0
package/schemas/responses/tasks/create.schema.json +18 -0
package/schemas/responses/tasks/delete.schema.json +18 -0
package/schemas/responses/tasks/deps.schema.json +18 -0
package/schemas/responses/tasks/exists.schema.json +18 -0
package/schemas/responses/tasks/find.schema.json +18 -0
package/schemas/responses/tasks/get.schema.json +87 -0
package/schemas/responses/tasks/list.schema.json +18 -0
package/schemas/responses/tasks/next.schema.json +18 -0
package/schemas/responses/tasks/promote.schema.json +18 -0
package/schemas/responses/tasks/reopen.schema.json +18 -0
package/schemas/responses/tasks/reorder.schema.json +18 -0
package/schemas/responses/tasks/reparent.schema.json +18 -0
package/schemas/responses/tasks/tree.schema.json +18 -0
package/schemas/responses/tasks/unarchive.schema.json +18 -0
package/schemas/responses/tasks/update.schema.json +18 -0
package/schemas/responses/validate/compliance.record.schema.json +18 -0
package/schemas/responses/validate/compliance.summary.schema.json +18 -0
package/schemas/responses/validate/compliance.violations.schema.json +18 -0
package/schemas/responses/validate/manifest.schema.json +18 -0
package/schemas/responses/validate/output.schema.json +18 -0
package/schemas/responses/validate/protocol.schema.json +18 -0
package/schemas/responses/validate/schema.schema.json +18 -0
package/schemas/responses/validate/task.schema.json +18 -0
package/schemas/responses/validate/test.coverage.schema.json +18 -0
package/schemas/responses/validate/test.run.schema.json +18 -0
package/schemas/responses/validate/test.status.schema.json +18 -0
package/server.json +53 -0

package/dist/lib/router.js ADDED Viewed

@@ -0,0 +1,276 @@
+/**
+ * Domain Router for CLEO MCP Server
+ *
+ * Routes operations to appropriate domain handlers based on:
+ * 1. Gateway type (query vs mutate)
+ * 2. Domain (tasks, session, orchestrate, etc.)
+ * 3. Operation (get, list, create, update, etc.)
+ *
+ * @task T2911
+ * @task T2912
+ * @task T3144 - Security hardening integration
+ */
+import { TasksHandler } from '../domains/tasks.js';
+import { SessionHandler } from '../domains/session.js';
+import { OrchestrateHandler } from '../domains/orchestrate.js';
+import { ResearchHandler } from '../domains/research.js';
+import { LifecycleHandler } from '../domains/lifecycle.js';
+import { ValidateHandler } from '../domains/validate.js';
+import { ReleaseHandler } from '../domains/release.js';
+import { SystemHandler } from '../domains/system.js';
+import { formatError, createError } from './formatter.js';
+import { protocolEnforcer, ProtocolType } from './protocol-enforcement.js';
+import { VerificationGate } from './verification-gates.js';
+import { sanitizeParams, SecurityError } from './security.js';
+import { RateLimiter } from './rate-limiter.js';
+/**
+ * Domain routing validation error
+ */
+export class RouterError extends Error {
+    code;
+    exitCode;
+    constructor(message, code = 'E_ROUTING_ERROR', exitCode = 1) {
+        super(message);
+        this.code = code;
+        this.exitCode = exitCode;
+        this.name = 'RouterError';
+    }
+}
+/**
+ * Main domain router that dispatches operations to appropriate handlers
+ */
+export class DomainRouter {
+    handlers;
+    useProtocolEnforcement;
+    verificationGate;
+    rateLimiter;
+    constructor(executor, useProtocolEnforcement = true, rateLimitConfig) {
+        // Initialize all domain handlers
+        this.handlers = new Map([
+            ['tasks', new TasksHandler(executor)],
+            ['session', new SessionHandler(executor)],
+            ['orchestrate', new OrchestrateHandler(executor)],
+            ['research', new ResearchHandler(executor)],
+            ['lifecycle', new LifecycleHandler(executor)],
+            ['validate', new ValidateHandler(executor)],
+            ['release', new ReleaseHandler(executor)],
+            ['system', new SystemHandler(executor)],
+        ]);
+        this.useProtocolEnforcement = useProtocolEnforcement;
+        this.verificationGate = new VerificationGate(useProtocolEnforcement);
+        this.rateLimiter = new RateLimiter(rateLimitConfig);
+    }
+    /**
+     * Route an operation to the appropriate domain handler
+     */
+    async routeOperation(request) {
+        const startTime = Date.now();
+        try {
+            // Validate the route
+            this.validateRoute(request);
+            // Rate limiting check (Section 13.3)
+            // Support bypassRateLimit param for testing
+            const bypassRateLimit = !!request.params?.bypassRateLimit;
+            const rateLimitResult = bypassRateLimit
+                ? { allowed: true, remaining: Infinity, limit: Infinity, resetMs: 0, category: 'bypassed' }
+                : this.rateLimiter.check(request.gateway, request.domain, request.operation);
+            if (!rateLimitResult.allowed) {
+                return {
+                    _meta: {
+                        gateway: request.gateway,
+                        domain: request.domain,
+                        operation: request.operation,
+                        version: '1.0.0',
+                        timestamp: new Date().toISOString(),
+                        duration_ms: Date.now() - startTime,
+                        rateLimit: {
+                            limit: rateLimitResult.limit,
+                            remaining: rateLimitResult.remaining,
+                            resetMs: rateLimitResult.resetMs,
+                            category: rateLimitResult.category,
+                        },
+                    },
+                    success: false,
+                    error: {
+                        code: 'E_RATE_LIMITED',
+                        exitCode: 429,
+                        message: `Rate limit exceeded for ${rateLimitResult.category} operations. Limit: ${rateLimitResult.limit}/min. Retry after ${Math.ceil(rateLimitResult.resetMs / 1000)}s.`,
+                        details: {
+                            category: rateLimitResult.category,
+                            limit: rateLimitResult.limit,
+                            resetMs: rateLimitResult.resetMs,
+                        },
+                        fix: `Wait ${Math.ceil(rateLimitResult.resetMs / 1000)} seconds before retrying`,
+                    },
+                };
+            }
+            // Sanitize input parameters (T3144)
+            if (request.params) {
+                try {
+                    request = {
+                        ...request,
+                        params: sanitizeParams(request.params),
+                    };
+                }
+                catch (sanitizeError) {
+                    if (sanitizeError instanceof SecurityError) {
+                        const response = formatError(`${request.domain}.${request.operation}`, createError(sanitizeError.code, sanitizeError.message, 2, { context: { field: sanitizeError.field } }));
+                        response._meta.duration_ms = Date.now() - startTime;
+                        return response;
+                    }
+                    throw sanitizeError;
+                }
+            }
+            // Get the handler
+            const handler = this.handlers.get(request.domain);
+            if (!handler) {
+                throw new RouterError(`Unknown domain: ${request.domain}`, 'E_INVALID_DOMAIN', 2);
+            }
+            // Apply verification gate middleware if enabled
+            if (this.useProtocolEnforcement && request.gateway === 'cleo_mutate') {
+                // Build operation context for verification
+                const context = {
+                    domain: request.domain,
+                    operation: request.operation,
+                    gateway: request.gateway,
+                    params: request.params,
+                    taskId: request.params?.taskId,
+                    protocolType: this.inferProtocolType(request),
+                };
+                // Run 4-layer verification gate
+                const gateResult = await this.verificationGate.verifyOperation(context);
+                // If verification fails, return error response
+                if (!gateResult.passed) {
+                    const failedLayer = gateResult.layers[gateResult.blockedAt];
+                    const response = formatError(`${request.domain}.${request.operation}`, createError(failedLayer.violations[0]?.code || 'E_VERIFICATION_FAILED', gateResult.summary, gateResult.exitCode));
+                    response._meta.duration_ms = Date.now() - startTime;
+                    response._meta.verificationGate = {
+                        blockedAt: gateResult.blockedAt,
+                        violations: failedLayer.violations,
+                    };
+                    return response;
+                }
+                // Verification passed, apply protocol enforcement
+                const response = await protocolEnforcer.enforceProtocol(request, async () => {
+                    // Dispatch to appropriate gateway method
+                    if (request.gateway === 'cleo_query') {
+                        return await handler.query(request.operation, request.params);
+                    }
+                    else {
+                        return await handler.mutate(request.operation, request.params);
+                    }
+                });
+                // Add duration and rate limit metadata
+                response._meta.duration_ms = Date.now() - startTime;
+                this.addRateLimitMeta(response, rateLimitResult);
+                return response;
+            }
+            // Dispatch without middleware
+            let response;
+            if (request.gateway === 'cleo_query') {
+                response = await handler.query(request.operation, request.params);
+            }
+            else {
+                response = await handler.mutate(request.operation, request.params);
+            }
+            // Add duration and rate limit metadata
+            response._meta.duration_ms = Date.now() - startTime;
+            this.addRateLimitMeta(response, rateLimitResult);
+            return response;
+        }
+        catch (error) {
+            // Handle routing errors
+            if (error instanceof RouterError) {
+                const response = formatError(`${request.domain}.${request.operation}`, createError(error.code, error.message, error.exitCode));
+                response._meta.duration_ms = Date.now() - startTime;
+                return response;
+            }
+            // Handle unexpected errors
+            const response = formatError(`${request.domain}.${request.operation}`, createError('E_INTERNAL_ERROR', error instanceof Error ? error.message : String(error), 1));
+            response._meta.duration_ms = Date.now() - startTime;
+            return response;
+        }
+    }
+    /**
+     * Validate that the domain/operation combination is valid
+     */
+    validateRoute(request) {
+        const { gateway, domain, operation } = request;
+        // Validate domain exists
+        const handler = this.handlers.get(domain);
+        if (!handler) {
+            throw new RouterError(`Unknown domain: ${domain}`, 'E_INVALID_DOMAIN', 2);
+        }
+        // Get supported operations for this domain
+        const supported = handler.getSupportedOperations();
+        // Validate operation for gateway type
+        const gatewayType = gateway === 'cleo_query' ? 'query' : 'mutate';
+        const validOps = supported[gatewayType];
+        if (!validOps.includes(operation)) {
+            throw new RouterError(`Operation '${operation}' not supported for ${gateway} in domain '${domain}'`, 'E_INVALID_OPERATION', 2);
+        }
+        // Validate gateway/domain combination
+        if (gateway === 'cleo_query' && domain === 'release') {
+            throw new RouterError(`Domain 'release' only supports mutate operations`, 'E_INVALID_GATEWAY', 2);
+        }
+    }
+    /**
+     * Get list of all domains
+     */
+    getDomains() {
+        return Array.from(this.handlers.keys());
+    }
+    /**
+     * Get supported operations for a specific domain
+     */
+    getDomainOperations(domain) {
+        const handler = this.handlers.get(domain);
+        return handler ? handler.getSupportedOperations() : null;
+    }
+    /**
+     * Get the rate limiter instance (for testing/diagnostics)
+     */
+    getRateLimiter() {
+        return this.rateLimiter;
+    }
+    /**
+     * Add rate limit metadata to response _meta
+     */
+    addRateLimitMeta(response, rateLimitResult) {
+        response._meta.rateLimit = {
+            limit: rateLimitResult.limit,
+            remaining: rateLimitResult.remaining,
+            resetMs: rateLimitResult.resetMs,
+            category: rateLimitResult.category,
+        };
+    }
+    /**
+     * Infer protocol type from request context
+     *
+     * Used to determine which protocol validation rules apply.
+     */
+    inferProtocolType(request) {
+        // Orchestrate domain operations map to protocol types
+        if (request.domain === 'orchestrate' && request.operation === 'spawn') {
+            return request.params?.protocolType;
+        }
+        // Research domain operations
+        if (request.domain === 'research') {
+            return ProtocolType.RESEARCH;
+        }
+        // Lifecycle domain operations map to lifecycle stages
+        if (request.domain === 'lifecycle') {
+            return request.params?.stage;
+        }
+        // Release domain operations
+        if (request.domain === 'release') {
+            return ProtocolType.RELEASE;
+        }
+        // Validate domain operations
+        if (request.domain === 'validate') {
+            return ProtocolType.VALIDATION;
+        }
+        return undefined;
+    }
+}
+//# sourceMappingURL=router.js.map

package/dist/lib/router.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"router.js","sourceRoot":"","sources":["../../src/lib/router.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAoB,MAAM,yBAAyB,CAAC;AAC7E,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAuC,MAAM,mBAAmB,CAAC;AAmErF;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IAG3B;IACA;IAHT,YACE,OAAe,EACR,OAAe,iBAAiB,EAChC,WAAmB,CAAC;QAE3B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAA4B;QAChC,aAAQ,GAAR,QAAQ,CAAY;QAG3B,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,YAAY;IACf,QAAQ,CAA6B;IACrC,sBAAsB,CAAU;IAChC,gBAAgB,CAAmB;IACnC,WAAW,CAAc;IAEjC,YAAY,QAAqB,EAAE,yBAAkC,IAAI,EAAE,eAA6C;QACtH,iCAAiC;QACjC,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,CAAwB;YAC7C,CAAC,OAAO,EAAE,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC;YACrC,CAAC,SAAS,EAAE,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzC,CAAC,aAAa,EAAE,IAAI,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACjD,CAAC,UAAU,EAAE,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC3C,CAAC,WAAW,EAAE,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC7C,CAAC,UAAU,EAAE,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC3C,CAAC,SAAS,EAAE,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;YACzC,CAAC,QAAQ,EAAE,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,sBAAsB,GAAG,sBAAsB,CAAC;QACrD,IAAI,CAAC,gBAAgB,GAAG,IAAI,gBAAgB,CAAC,sBAAsB,CAAC,CAAC;QACrE,IAAI,CAAC,WAAW,GAAG,IAAI,WAAW,CAAC,eAAe,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,OAAsB;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,qBAAqB;YACrB,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YAE5B,qCAAqC;YACrC,4CAA4C;YAC5C,MAAM,eAAe,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,eAAe,CAAC;YAC1D,MAAM,eAAe,GAAG,eAAe;gBACrC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,UAAmB,EAAE;gBACpG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;YAE/E,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC7B,OAAO;oBACL,KAAK,EAAE;wBACL,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,OAAO,EAAE,OAAO;wBAChB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;wBACnC,SAAS,EAAE;4BACT,KAAK,EAAE,eAAe,CAAC,KAAK;4BAC5B,SAAS,EAAE,eAAe,CAAC,SAAS;4BACpC,OAAO,EAAE,eAAe,CAAC,OAAO;4BAChC,QAAQ,EAAE,eAAe,CAAC,QAAQ;yBACnC;qBACF;oBACD,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE;wBACL,IAAI,EAAE,gBAAgB;wBACtB,QAAQ,EAAE,GAAG;wBACb,OAAO,EAAE,2BAA2B,eAAe,CAAC,QAAQ,uBAAuB,eAAe,CAAC,KAAK,qBAAqB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI;wBAC1K,OAAO,EAAE;4BACP,QAAQ,EAAE,eAAe,CAAC,QAAQ;4BAClC,KAAK,EAAE,eAAe,CAAC,KAAK;4BAC5B,OAAO,EAAE,eAAe,CAAC,OAAO;yBACjC;wBACD,GAAG,EAAE,QAAQ,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,GAAG,IAAI,CAAC,0BAA0B;qBACjF;iBACF,CAAC;YACJ,CAAC;YAED,oCAAoC;YACpC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,IAAI,CAAC;oBACH,OAAO,GAAG;wBACR,GAAG,OAAO;wBACV,MAAM,EAAE,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC;qBACvC,CAAC;gBACJ,CAAC;gBAAC,OAAO,aAAa,EAAE,CAAC;oBACvB,IAAI,aAAa,YAAY,aAAa,EAAE,CAAC;wBAC3C,MAAM,QAAQ,GAAG,WAAW,CAC1B,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,SAAS,EAAE,EACxC,WAAW,CACT,aAAa,CAAC,IAAI,EAClB,aAAa,CAAC,OAAO,EACrB,CAAC,EACD,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,aAAa,CAAC,KAAK,EAAE,EAAE,CAC5C,CACK,CAAC;wBACT,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;wBACpD,OAAO,QAA0B,CAAC;oBACpC,CAAC;oBACD,MAAM,aAAa,CAAC;gBACtB,CAAC;YACH,CAAC;YAED,kBAAkB;YAClB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAClD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,WAAW,CACnB,mBAAmB,OAAO,CAAC,MAAM,EAAE,EACnC,kBAAkB,EAClB,CAAC,CACF,CAAC;YACJ,CAAC;YAED,gDAAgD;YAChD,IAAI,IAAI,CAAC,sBAAsB,IAAI,OAAO,CAAC,OAAO,KAAK,aAAa,EAAE,CAAC;gBACrE,2CAA2C;gBAC3C,MAAM,OAAO,GAAqB;oBAChC,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,MAA4B;oBACpD,YAAY,EAAE,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC;iBAC9C,CAAC;gBAEF,gCAAgC;gBAChC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;gBAExE,+CAA+C;gBAC/C,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;oBACvB,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,SAAU,CAAC,CAAC;oBAC7D,MAAM,QAAQ,GAAG,WAAW,CAC1B,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,SAAS,EAAE,EACxC,WAAW,CACT,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,uBAAuB,EAC1D,UAAU,CAAC,OAAO,EAClB,UAAU,CAAC,QAAQ,CACpB,CACK,CAAC;oBACT,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBACpD,QAAQ,CAAC,KAAK,CAAC,gBAAgB,GAAG;wBAChC,SAAS,EAAE,UAAU,CAAC,SAAS;wBAC/B,UAAU,EAAE,WAAW,CAAC,UAAU;qBACnC,CAAC;oBACF,OAAO,QAA0B,CAAC;gBACpC,CAAC;gBAED,kDAAkD;gBAClD,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,eAAe,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE;oBAC1E,yCAAyC;oBACzC,IAAI,OAAO,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;wBACrC,OAAO,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBAChE,CAAC;yBAAM,CAAC;wBACN,OAAO,MAAM,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBACjE,CAAC;gBACH,CAAC,CAAC,CAAC;gBAEH,uCAAuC;gBACtC,QAAgB,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAC7D,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;gBACjD,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,8BAA8B;YAC9B,IAAI,QAAwB,CAAC;YAC7B,IAAI,OAAO,CAAC,OAAO,KAAK,YAAY,EAAE,CAAC;gBACrC,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACpE,CAAC;iBAAM,CAAC;gBACN,QAAQ,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACrE,CAAC;YAED,uCAAuC;YACtC,QAAgB,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7D,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;YAEjD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wBAAwB;YACxB,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBACjC,MAAM,QAAQ,GAAG,WAAW,CAC1B,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,SAAS,EAAE,EACxC,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,CAAC,CAChD,CAAC;gBACT,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBACpD,OAAO,QAA0B,CAAC;YACpC,CAAC;YAED,2BAA2B;YAC3B,MAAM,QAAQ,GAAG,WAAW,CAC1B,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,SAAS,EAAE,EACxC,WAAW,CACT,kBAAkB,EAClB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EACtD,CAAC,CACF,CACK,CAAC;YACT,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACpD,OAAO,QAA0B,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,OAAsB;QAClC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;QAE/C,yBAAyB;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CACnB,mBAAmB,MAAM,EAAE,EAC3B,kBAAkB,EAClB,CAAC,CACF,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC;QAEnD,sCAAsC;QACtC,MAAM,WAAW,GAAG,OAAO,KAAK,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;QAClE,MAAM,QAAQ,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QAExC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,WAAW,CACnB,cAAc,SAAS,uBAAuB,OAAO,eAAe,MAAM,GAAG,EAC7E,qBAAqB,EACrB,CAAC,CACF,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,OAAO,KAAK,YAAY,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACrD,MAAM,IAAI,WAAW,CACnB,kDAAkD,EAClD,mBAAmB,EACnB,CAAC,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,mBAAmB,CAAC,MAAc;QAIhC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,OAAO,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3D,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,QAAwB,EAAE,eAAgC;QAChF,QAAQ,CAAC,KAAa,CAAC,SAAS,GAAG;YAClC,KAAK,EAAE,eAAe,CAAC,KAAK;YAC5B,SAAS,EAAE,eAAe,CAAC,SAAS;YACpC,OAAO,EAAE,eAAe,CAAC,OAAO;YAChC,QAAQ,EAAE,eAAe,CAAC,QAAQ;SACnC,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACK,iBAAiB,CAAC,OAAsB;QAC9C,sDAAsD;QACtD,IAAI,OAAO,CAAC,MAAM,KAAK,aAAa,IAAI,OAAO,CAAC,SAAS,KAAK,OAAO,EAAE,CAAC;YACtE,OAAO,OAAO,CAAC,MAAM,EAAE,YAAwC,CAAC;QAClE,CAAC;QAED,6BAA6B;QAC7B,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAClC,OAAO,YAAY,CAAC,QAAQ,CAAC;QAC/B,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACnC,OAAO,OAAO,CAAC,MAAM,EAAE,KAAiC,CAAC;QAC3D,CAAC;QAED,4BAA4B;QAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,YAAY,CAAC,OAAO,CAAC;QAC9B,CAAC;QAED,6BAA6B;QAC7B,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAClC,OAAO,YAAY,CAAC,UAAU,CAAC;QACjC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}

package/dist/lib/schema.d.ts ADDED Viewed

@@ -0,0 +1,55 @@
+/**
+ * JSON Schema constants and validation helpers for CLEO MCP Server
+ *
+ * Defines schema URLs and validation utilities for CLEO data structures.
+ *
+ * @task T2912
+ */
+/**
+ * Schema URL for output response envelope
+ */
+export declare const SCHEMA_URL_OUTPUT = "https://cleo-dev.com/schemas/v1/output.schema.json";
+/**
+ * Schema URL for task objects
+ */
+export declare const SCHEMA_URL_TASK = "https://cleo-dev.com/schemas/v1/task.schema.json";
+/**
+ * Schema URL for session objects
+ */
+export declare const SCHEMA_URL_SESSION = "https://cleo-dev.com/schemas/v1/session.schema.json";
+/**
+ * Schema URL for manifest entries
+ */
+export declare const SCHEMA_URL_MANIFEST = "https://cleo-dev.com/schemas/v1/manifest.schema.json";
+/**
+ * Schema URL for config objects
+ */
+export declare const SCHEMA_URL_CONFIG = "https://cleo-dev.com/schemas/v1/config.schema.json";
+/**
+ * All schema URLs by type
+ */
+export declare const SCHEMA_URLS: {
+    readonly output: "https://cleo-dev.com/schemas/v1/output.schema.json";
+    readonly task: "https://cleo-dev.com/schemas/v1/task.schema.json";
+    readonly session: "https://cleo-dev.com/schemas/v1/session.schema.json";
+    readonly manifest: "https://cleo-dev.com/schemas/v1/manifest.schema.json";
+    readonly config: "https://cleo-dev.com/schemas/v1/config.schema.json";
+};
+/**
+ * Get schema URL by type
+ */
+export declare function getSchemaUrl(type: keyof typeof SCHEMA_URLS): string;
+/**
+ * Validate that an object has the expected schema reference
+ */
+export declare function hasValidSchema(obj: unknown, expectedType: keyof typeof SCHEMA_URLS): boolean;
+/**
+ * Schema validation error
+ */
+export declare class SchemaValidationError extends Error {
+    schemaType: string;
+    field: string;
+    constraint: string;
+    constructor(schemaType: string, field: string, constraint: string);
+}
+//# sourceMappingURL=schema.d.ts.map

package/dist/lib/schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/lib/schema.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,eAAO,MAAM,iBAAiB,uDAAuD,CAAC;AAEtF;;GAEG;AACH,eAAO,MAAM,eAAe,qDAAqD,CAAC;AAElF;;GAEG;AACH,eAAO,MAAM,kBAAkB,wDAAwD,CAAC;AAExF;;GAEG;AACH,eAAO,MAAM,mBAAmB,yDAAyD,CAAC;AAE1F;;GAEG;AACH,eAAO,MAAM,iBAAiB,uDAAuD,CAAC;AAEtF;;GAEG;AACH,eAAO,MAAM,WAAW;;;;;;CAMd,CAAC;AAEX;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,OAAO,WAAW,GAAG,MAAM,CAEnE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,OAAO,WAAW,GAAG,OAAO,CAS5F;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;IAErC,UAAU,EAAE,MAAM;IAClB,KAAK,EAAE,MAAM;IACb,UAAU,EAAE,MAAM;gBAFlB,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM;CAK5B"}

package/dist/lib/schema.js ADDED Viewed

@@ -0,0 +1,70 @@
+/**
+ * JSON Schema constants and validation helpers for CLEO MCP Server
+ *
+ * Defines schema URLs and validation utilities for CLEO data structures.
+ *
+ * @task T2912
+ */
+/**
+ * Schema URL for output response envelope
+ */
+export const SCHEMA_URL_OUTPUT = 'https://cleo-dev.com/schemas/v1/output.schema.json';
+/**
+ * Schema URL for task objects
+ */
+export const SCHEMA_URL_TASK = 'https://cleo-dev.com/schemas/v1/task.schema.json';
+/**
+ * Schema URL for session objects
+ */
+export const SCHEMA_URL_SESSION = 'https://cleo-dev.com/schemas/v1/session.schema.json';
+/**
+ * Schema URL for manifest entries
+ */
+export const SCHEMA_URL_MANIFEST = 'https://cleo-dev.com/schemas/v1/manifest.schema.json';
+/**
+ * Schema URL for config objects
+ */
+export const SCHEMA_URL_CONFIG = 'https://cleo-dev.com/schemas/v1/config.schema.json';
+/**
+ * All schema URLs by type
+ */
+export const SCHEMA_URLS = {
+    output: SCHEMA_URL_OUTPUT,
+    task: SCHEMA_URL_TASK,
+    session: SCHEMA_URL_SESSION,
+    manifest: SCHEMA_URL_MANIFEST,
+    config: SCHEMA_URL_CONFIG,
+};
+/**
+ * Get schema URL by type
+ */
+export function getSchemaUrl(type) {
+    return SCHEMA_URLS[type];
+}
+/**
+ * Validate that an object has the expected schema reference
+ */
+export function hasValidSchema(obj, expectedType) {
+    if (typeof obj !== 'object' || obj === null) {
+        return false;
+    }
+    const record = obj;
+    const expectedUrl = SCHEMA_URLS[expectedType];
+    return record.$schema === expectedUrl;
+}
+/**
+ * Schema validation error
+ */
+export class SchemaValidationError extends Error {
+    schemaType;
+    field;
+    constraint;
+    constructor(schemaType, field, constraint) {
+        super(`Schema validation failed for ${schemaType}.${field}: ${constraint}`);
+        this.schemaType = schemaType;
+        this.field = field;
+        this.constraint = constraint;
+        this.name = 'SchemaValidationError';
+    }
+}
+//# sourceMappingURL=schema.js.map

package/dist/lib/schema.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/lib/schema.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,oDAAoD,CAAC;AAEtF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,kDAAkD,CAAC;AAElF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,qDAAqD,CAAC;AAExF;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,sDAAsD,CAAC;AAE1F;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,oDAAoD,CAAC;AAEtF;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,MAAM,EAAE,iBAAiB;IACzB,IAAI,EAAE,eAAe;IACrB,OAAO,EAAE,kBAAkB;IAC3B,QAAQ,EAAE,mBAAmB;IAC7B,MAAM,EAAE,iBAAiB;CACjB,CAAC;AAEX;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,IAA8B;IACzD,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,GAAY,EAAE,YAAsC;IACjF,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,GAA8B,CAAC;IAC9C,MAAM,WAAW,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;IAE9C,OAAO,MAAM,CAAC,OAAO,KAAK,WAAW,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAErC;IACA;IACA;IAHT,YACS,UAAkB,EAClB,KAAa,EACb,UAAkB;QAEzB,KAAK,CAAC,gCAAgC,UAAU,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC,CAAC;QAJrE,eAAU,GAAV,UAAU,CAAQ;QAClB,UAAK,GAAL,KAAK,CAAQ;QACb,eAAU,GAAV,UAAU,CAAQ;QAGzB,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF"}

package/dist/lib/security.d.ts ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * Security Hardening and Input Sanitization for CLEO MCP Server
+ *
+ * Provides input validation, path sanitization, content filtering,
+ * enum checking, and rate limiting for all MCP operations.
+ *
+ * @task T3144
+ * @epic T3125
+ */
+/**
+ * Security validation error thrown when input fails sanitization
+ */
+export declare class SecurityError extends Error {
+    code: string;
+    field?: string | undefined;
+    constructor(message: string, code?: string, field?: string | undefined);
+}
+/**
+ * Sanitize and validate a task ID
+ *
+ * Validates format: ^T[0-9]+$
+ * Rejects empty, malformed, or excessively large IDs
+ *
+ * @param id - Raw task ID input
+ * @returns Sanitized task ID
+ * @throws SecurityError if ID is invalid
+ */
+export declare function sanitizeTaskId(id: string): string;
+/**
+ * Sanitize and validate a file path
+ *
+ * Prevents path traversal attacks by ensuring the resolved path
+ * stays within the project root directory.
+ *
+ * @param path - Raw path input
+ * @param projectRoot - Project root directory (absolute path)
+ * @returns Sanitized absolute path within project root
+ * @throws SecurityError if path escapes project root or is invalid
+ */
+export declare function sanitizePath(path: string, projectRoot: string): string;
+/**
+ * Sanitize content string
+ *
+ * Enforces size limits and strips control characters (except newline, tab, CR).
+ *
+ * @param content - Raw content string
+ * @param maxLength - Maximum allowed length (default: 64KB)
+ * @returns Sanitized content string
+ * @throws SecurityError if content exceeds size limit
+ */
+export declare function sanitizeContent(content: string, maxLength?: number): string;
+/**
+ * Validate that a value is in an allowed enum set
+ *
+ * @param value - Value to validate
+ * @param allowed - Array of allowed values
+ * @param fieldName - Name of the field (for error messages)
+ * @returns The validated value
+ * @throws SecurityError if value is not in allowed set
+ */
+export declare function validateEnum(value: string, allowed: string[], fieldName: string): string;
+/**
+ * Known enum values for CLEO domains
+ */
+export declare const VALID_DOMAINS: readonly ["tasks", "session", "orchestrate", "research", "lifecycle", "validate", "release", "system"];
+export declare const VALID_GATEWAYS: readonly ["cleo_query", "cleo_mutate"];
+export declare const VALID_STATUSES: readonly ["pending", "active", "blocked", "done"];
+export declare const VALID_PRIORITIES: readonly ["low", "medium", "high", "critical"];
+/**
+ * Rate limiter configuration
+ */
+export interface RateLimitConfig {
+    /** Maximum requests allowed in the window */
+    maxRequests: number;
+    /** Time window in milliseconds */
+    windowMs: number;
+}
+/**
+ * Rate limit check result
+ */
+export interface RateLimitResult {
+    /** Whether the request is allowed */
+    allowed: boolean;
+    /** Remaining requests in current window */
+    remaining: number;
+    /** Milliseconds until window resets */
+    resetMs: number;
+    /** Total limit for the window */
+    limit: number;
+}
+/**
+ * Default rate limit configurations per operation type
+ */
+export declare const DEFAULT_RATE_LIMITS: Record<string, RateLimitConfig>;
+/**
+ * In-memory sliding window rate limiter
+ *
+ * Tracks request timestamps per key and enforces configurable limits.
+ */
+export declare class RateLimiter {
+    private windows;
+    private configs;
+    constructor(configs?: Record<string, RateLimitConfig>);
+    /**
+     * Check if a request is allowed under rate limits
+     *
+     * @param key - Rate limit bucket key (e.g., 'query', 'mutate', 'spawn')
+     * @returns Rate limit check result
+     */
+    check(key: string): RateLimitResult;
+    /**
+     * Record a request (call after check returns allowed: true)
+     *
+     * @param key - Rate limit bucket key
+     */
+    record(key: string): void;
+    /**
+     * Check and record in one step
+     *
+     * @param key - Rate limit bucket key
+     * @returns Rate limit check result (recorded if allowed)
+     */
+    consume(key: string): RateLimitResult;
+    /**
+     * Reset rate limit state for a specific key or all keys
+     *
+     * @param key - Optional key to reset (resets all if omitted)
+     */
+    reset(key?: string): void;
+    /**
+     * Get current configuration for a key
+     */
+    getConfig(key: string): RateLimitConfig | undefined;
+    /**
+     * Update configuration for a key
+     */
+    setConfig(key: string, config: RateLimitConfig): void;
+}
+/**
+ * Sanitize all params in a DomainRequest before routing
+ *
+ * Applies appropriate sanitization based on known field names:
+ * - taskId, parent, epicId -> sanitizeTaskId
+ * - path, file -> sanitizePath (if projectRoot provided)
+ * - title, description, notes, content -> sanitizeContent
+ * - status -> validateEnum(VALID_STATUSES)
+ * - priority -> validateEnum(VALID_PRIORITIES)
+ * - domain -> validateEnum(VALID_DOMAINS)
+ *
+ * @param params - Raw request parameters
+ * @param projectRoot - Project root for path sanitization
+ * @returns Sanitized parameters
+ * @throws SecurityError on validation failure
+ */
+export declare function sanitizeParams(params: Record<string, unknown> | undefined, projectRoot?: string): Record<string, unknown> | undefined;
+//# sourceMappingURL=security.d.ts.map

package/dist/lib/security.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/lib/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;IAG7B,IAAI,EAAE,MAAM;IACZ,KAAK,CAAC,EAAE,MAAM;gBAFrB,OAAO,EAAE,MAAM,EACR,IAAI,GAAE,MAA+B,EACrC,KAAK,CAAC,EAAE,MAAM,YAAA;CAKxB;AAsBD;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAuCjD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CA4DtE;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,MAAmC,GAC7C,MAAM,CAmBR;AAED;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,EAAE,EACjB,SAAS,EAAE,MAAM,GAChB,MAAM,CAoBR;AAED;;GAEG;AACH,eAAO,MAAM,aAAa,wGAGhB,CAAC;AAEX,eAAO,MAAM,cAAc,wCAAyC,CAAC;AAErE,eAAO,MAAM,cAAc,mDAAoD,CAAC;AAEhF,eAAO,MAAM,gBAAgB,gDAAiD,CAAC;AAE/E;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAI/D,CAAC;AAEF;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,OAAO,CAAoC;IACnD,OAAO,CAAC,OAAO,CAA2C;gBAE9C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC;IAQrD;;;;;OAKG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe;IAiCnC;;;;OAIG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAMzB;;;;;OAKG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe;IAUrC;;;;OAIG;IACH,KAAK,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI;IAQzB;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAInD;;OAEG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,IAAI;CAGtD;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EAC3C,WAAW,CAAC,EAAE,MAAM,GACnB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,CA8ErC"}