npm - @cleocode/mcp-server - Versions diffs - 0.86.0 - Mend

@cleocode/mcp-server 0.86.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (374) hide show

package/LICENSE +21 -0
package/README.md +306 -0
package/dist/domains/index.d.ts +16 -0
package/dist/domains/index.d.ts.map +1 -0
package/dist/domains/index.js +16 -0
package/dist/domains/index.js.map +1 -0
package/dist/domains/lifecycle.d.ts +147 -0
package/dist/domains/lifecycle.d.ts.map +1 -0
package/dist/domains/lifecycle.js +452 -0
package/dist/domains/lifecycle.js.map +1 -0
package/dist/domains/orchestrate.d.ts +133 -0
package/dist/domains/orchestrate.d.ts.map +1 -0
package/dist/domains/orchestrate.js +465 -0
package/dist/domains/orchestrate.js.map +1 -0
package/dist/domains/release.d.ts +109 -0
package/dist/domains/release.d.ts.map +1 -0
package/dist/domains/release.js +400 -0
package/dist/domains/release.js.map +1 -0
package/dist/domains/research.d.ts +139 -0
package/dist/domains/research.d.ts.map +1 -0
package/dist/domains/research.js +606 -0
package/dist/domains/research.js.map +1 -0
package/dist/domains/session.d.ts +129 -0
package/dist/domains/session.d.ts.map +1 -0
package/dist/domains/session.js +433 -0
package/dist/domains/session.js.map +1 -0
package/dist/domains/system.d.ts +92 -0
package/dist/domains/system.d.ts.map +1 -0
package/dist/domains/system.js +473 -0
package/dist/domains/system.js.map +1 -0
package/dist/domains/tasks.d.ts +180 -0
package/dist/domains/tasks.d.ts.map +1 -0
package/dist/domains/tasks.js +704 -0
package/dist/domains/tasks.js.map +1 -0
package/dist/domains/validate.d.ts +150 -0
package/dist/domains/validate.d.ts.map +1 -0
package/dist/domains/validate.js +568 -0
package/dist/domains/validate.js.map +1 -0
package/dist/gateways/mutate.d.ts +100 -0
package/dist/gateways/mutate.d.ts.map +1 -0
package/dist/gateways/mutate.js +937 -0
package/dist/gateways/mutate.js.map +1 -0
package/dist/gateways/query.d.ts +91 -0
package/dist/gateways/query.d.ts.map +1 -0
package/dist/gateways/query.js +245 -0
package/dist/gateways/query.js.map +1 -0
package/dist/index.d.ts +21 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +299 -0
package/dist/index.js.map +1 -0
package/dist/lib/audit.d.ts +118 -0
package/dist/lib/audit.d.ts.map +1 -0
package/dist/lib/audit.js +311 -0
package/dist/lib/audit.js.map +1 -0
package/dist/lib/background-jobs.d.ts +86 -0
package/dist/lib/background-jobs.d.ts.map +1 -0
package/dist/lib/background-jobs.js +183 -0
package/dist/lib/background-jobs.js.map +1 -0
package/dist/lib/cache.d.ts +78 -0
package/dist/lib/cache.d.ts.map +1 -0
package/dist/lib/cache.js +204 -0
package/dist/lib/cache.js.map +1 -0
package/dist/lib/command-builder.d.ts +52 -0
package/dist/lib/command-builder.d.ts.map +1 -0
package/dist/lib/command-builder.js +280 -0
package/dist/lib/command-builder.js.map +1 -0
package/dist/lib/config.d.ts +42 -0
package/dist/lib/config.d.ts.map +1 -0
package/dist/lib/config.js +248 -0
package/dist/lib/config.js.map +1 -0
package/dist/lib/defaults.d.ts +115 -0
package/dist/lib/defaults.d.ts.map +1 -0
package/dist/lib/defaults.js +61 -0
package/dist/lib/defaults.js.map +1 -0
package/dist/lib/error-handler.d.ts +101 -0
package/dist/lib/error-handler.d.ts.map +1 -0
package/dist/lib/error-handler.js +277 -0
package/dist/lib/error-handler.js.map +1 -0
package/dist/lib/executor.d.ts +110 -0
package/dist/lib/executor.d.ts.map +1 -0
package/dist/lib/executor.js +362 -0
package/dist/lib/executor.js.map +1 -0
package/dist/lib/exit-codes.d.ts +190 -0
package/dist/lib/exit-codes.d.ts.map +1 -0
package/dist/lib/exit-codes.js +1027 -0
package/dist/lib/exit-codes.js.map +1 -0
package/dist/lib/formatter.d.ts +196 -0
package/dist/lib/formatter.d.ts.map +1 -0
package/dist/lib/formatter.js +260 -0
package/dist/lib/formatter.js.map +1 -0
package/dist/lib/gate-validators.d.ts +103 -0
package/dist/lib/gate-validators.d.ts.map +1 -0
package/dist/lib/gate-validators.js +689 -0
package/dist/lib/gate-validators.js.map +1 -0
package/dist/lib/manifest-parser.d.ts +61 -0
package/dist/lib/manifest-parser.d.ts.map +1 -0
package/dist/lib/manifest-parser.js +338 -0
package/dist/lib/manifest-parser.js.map +1 -0
package/dist/lib/manifest.d.ts +177 -0
package/dist/lib/manifest.d.ts.map +1 -0
package/dist/lib/manifest.js +301 -0
package/dist/lib/manifest.js.map +1 -0
package/dist/lib/protocol-enforcement.d.ts +105 -0
package/dist/lib/protocol-enforcement.d.ts.map +1 -0
package/dist/lib/protocol-enforcement.js +331 -0
package/dist/lib/protocol-enforcement.js.map +1 -0
package/dist/lib/protocol-rules.d.ts +55 -0
package/dist/lib/protocol-rules.d.ts.map +1 -0
package/dist/lib/protocol-rules.js +760 -0
package/dist/lib/protocol-rules.js.map +1 -0
package/dist/lib/rate-limiter.d.ts +110 -0
package/dist/lib/rate-limiter.d.ts.map +1 -0
package/dist/lib/rate-limiter.js +208 -0
package/dist/lib/rate-limiter.js.map +1 -0
package/dist/lib/router.d.ts +126 -0
package/dist/lib/router.d.ts.map +1 -0
package/dist/lib/router.js +276 -0
package/dist/lib/router.js.map +1 -0
package/dist/lib/schema.d.ts +55 -0
package/dist/lib/schema.d.ts.map +1 -0
package/dist/lib/schema.js +70 -0
package/dist/lib/schema.js.map +1 -0
package/dist/lib/security.d.ts +156 -0
package/dist/lib/security.d.ts.map +1 -0
package/dist/lib/security.js +347 -0
package/dist/lib/security.js.map +1 -0
package/dist/lib/verification-gates.d.ts +287 -0
package/dist/lib/verification-gates.d.ts.map +1 -0
package/dist/lib/verification-gates.js +548 -0
package/dist/lib/verification-gates.js.map +1 -0
package/dist/types/domain.d.ts +29 -0
package/dist/types/domain.d.ts.map +1 -0
package/dist/types/domain.js +7 -0
package/dist/types/domain.js.map +1 -0
package/dist/types/error.d.ts +101 -0
package/dist/types/error.d.ts.map +1 -0
package/dist/types/error.js +61 -0
package/dist/types/error.js.map +1 -0
package/dist/types/gateway.d.ts +78 -0
package/dist/types/gateway.d.ts.map +1 -0
package/dist/types/gateway.js +7 -0
package/dist/types/gateway.js.map +1 -0
package/dist/types/index.d.ts +21 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +11 -0
package/dist/types/index.js.map +1 -0
package/dist/types/operations/lifecycle.d.ts +140 -0
package/dist/types/operations/lifecycle.d.ts.map +1 -0
package/dist/types/operations/lifecycle.js +8 -0
package/dist/types/operations/lifecycle.js.map +1 -0
package/dist/types/operations/orchestrate.d.ts +140 -0
package/dist/types/operations/orchestrate.d.ts.map +1 -0
package/dist/types/operations/orchestrate.js +8 -0
package/dist/types/operations/orchestrate.js.map +1 -0
package/dist/types/operations/release.d.ts +97 -0
package/dist/types/operations/release.d.ts.map +1 -0
package/dist/types/operations/release.js +7 -0
package/dist/types/operations/release.js.map +1 -0
package/dist/types/operations/research.d.ts +122 -0
package/dist/types/operations/research.d.ts.map +1 -0
package/dist/types/operations/research.js +8 -0
package/dist/types/operations/research.js.map +1 -0
package/dist/types/operations/session.d.ts +108 -0
package/dist/types/operations/session.d.ts.map +1 -0
package/dist/types/operations/session.js +8 -0
package/dist/types/operations/session.js.map +1 -0
package/dist/types/operations/system.d.ts +147 -0
package/dist/types/operations/system.d.ts.map +1 -0
package/dist/types/operations/system.js +8 -0
package/dist/types/operations/system.js.map +1 -0
package/dist/types/operations/tasks.d.ts +186 -0
package/dist/types/operations/tasks.d.ts.map +1 -0
package/dist/types/operations/tasks.js +8 -0
package/dist/types/operations/tasks.js.map +1 -0
package/dist/types/operations/validate.d.ts +170 -0
package/dist/types/operations/validate.d.ts.map +1 -0
package/dist/types/operations/validate.js +8 -0
package/dist/types/operations/validate.js.map +1 -0
package/package.json +67 -0
package/schemas/IMPLEMENTATION-SUMMARY.md +250 -0
package/schemas/README.md +284 -0
package/schemas/common/error.schema.json +54 -0
package/schemas/common/meta.schema.json +39 -0
package/schemas/common/pagination.schema.json +32 -0
package/schemas/index.json +159 -0
package/schemas/requests/lifecycle/check.schema.json +20 -0
package/schemas/requests/lifecycle/gate.fail.schema.json +25 -0
package/schemas/requests/lifecycle/gate.pass.schema.json +28 -0
package/schemas/requests/lifecycle/gates.schema.json +15 -0
package/schemas/requests/lifecycle/history.schema.json +15 -0
package/schemas/requests/lifecycle/prerequisites.schema.json +15 -0
package/schemas/requests/lifecycle/progress.schema.json +29 -0
package/schemas/requests/lifecycle/reset.schema.json +25 -0
package/schemas/requests/lifecycle/skip.schema.json +25 -0
package/schemas/requests/lifecycle/status.schema.json +23 -0
package/schemas/requests/orchestrate/analyze.schema.json +15 -0
package/schemas/requests/orchestrate/context.schema.json +13 -0
package/schemas/requests/orchestrate/next.schema.json +15 -0
package/schemas/requests/orchestrate/parallel.end.schema.json +20 -0
package/schemas/requests/orchestrate/parallel.start.schema.json +20 -0
package/schemas/requests/orchestrate/ready.schema.json +15 -0
package/schemas/requests/orchestrate/skill.list.schema.json +13 -0
package/schemas/requests/orchestrate/spawn.schema.json +25 -0
package/schemas/requests/orchestrate/startup.schema.json +15 -0
package/schemas/requests/orchestrate/status.schema.json +15 -0
package/schemas/requests/orchestrate/validate.schema.json +15 -0
package/schemas/requests/orchestrate/waves.schema.json +15 -0
package/schemas/requests/release/changelog.schema.json +23 -0
package/schemas/requests/release/commit.schema.json +22 -0
package/schemas/requests/release/gates.run.schema.json +17 -0
package/schemas/requests/release/prepare.schema.json +20 -0
package/schemas/requests/release/push.schema.json +20 -0
package/schemas/requests/release/rollback.schema.json +20 -0
package/schemas/requests/release/tag.schema.json +19 -0
package/schemas/requests/research/inject.schema.json +24 -0
package/schemas/requests/research/link.schema.json +25 -0
package/schemas/requests/research/list.schema.json +19 -0
package/schemas/requests/research/manifest.append.schema.json +20 -0
package/schemas/requests/research/manifest.archive.schema.json +19 -0
package/schemas/requests/research/manifest.read.schema.json +21 -0
package/schemas/requests/research/pending.schema.json +14 -0
package/schemas/requests/research/query.schema.json +21 -0
package/schemas/requests/research/show.schema.json +14 -0
package/schemas/requests/research/stats.schema.json +14 -0
package/schemas/requests/session/end.schema.json +13 -0
package/schemas/requests/session/focus.clear.schema.json +7 -0
package/schemas/requests/session/focus.get.schema.json +7 -0
package/schemas/requests/session/focus.set.schema.json +15 -0
package/schemas/requests/session/gc.schema.json +14 -0
package/schemas/requests/session/history.schema.json +16 -0
package/schemas/requests/session/list.schema.json +13 -0
package/schemas/requests/session/resume.schema.json +14 -0
package/schemas/requests/session/show.schema.json +14 -0
package/schemas/requests/session/start.schema.json +23 -0
package/schemas/requests/session/status.schema.json +7 -0
package/schemas/requests/session/suspend.schema.json +13 -0
package/schemas/requests/system/backup.schema.json +19 -0
package/schemas/requests/system/cleanup.schema.json +20 -0
package/schemas/requests/system/config.get.schema.json +14 -0
package/schemas/requests/system/config.set.schema.json +24 -0
package/schemas/requests/system/context.schema.json +7 -0
package/schemas/requests/system/doctor.schema.json +7 -0
package/schemas/requests/system/init.schema.json +18 -0
package/schemas/requests/system/migrate.schema.json +19 -0
package/schemas/requests/system/restore.schema.json +14 -0
package/schemas/requests/system/stats.schema.json +7 -0
package/schemas/requests/system/sync.schema.json +15 -0
package/schemas/requests/system/version.schema.json +7 -0
package/schemas/requests/tasks/analyze.schema.json +14 -0
package/schemas/requests/tasks/archive.schema.json +19 -0
package/schemas/requests/tasks/blockers.schema.json +15 -0
package/schemas/requests/tasks/complete.schema.json +24 -0
package/schemas/requests/tasks/create.schema.json +48 -0
package/schemas/requests/tasks/delete.schema.json +20 -0
package/schemas/requests/tasks/deps.schema.json +21 -0
package/schemas/requests/tasks/exists.schema.json +15 -0
package/schemas/requests/tasks/find.schema.json +22 -0
package/schemas/requests/tasks/get.schema.json +15 -0
package/schemas/requests/tasks/list.schema.json +26 -0
package/schemas/requests/tasks/next.schema.json +21 -0
package/schemas/requests/tasks/promote.schema.json +15 -0
package/schemas/requests/tasks/reopen.schema.json +15 -0
package/schemas/requests/tasks/reorder.schema.json +20 -0
package/schemas/requests/tasks/reparent.schema.json +20 -0
package/schemas/requests/tasks/tree.schema.json +21 -0
package/schemas/requests/tasks/unarchive.schema.json +15 -0
package/schemas/requests/tasks/update.schema.json +41 -0
package/schemas/requests/validate/compliance.record.schema.json +20 -0
package/schemas/requests/validate/compliance.summary.schema.json +18 -0
package/schemas/requests/validate/compliance.violations.schema.json +19 -0
package/schemas/requests/validate/manifest.schema.json +23 -0
package/schemas/requests/validate/output.schema.json +19 -0
package/schemas/requests/validate/protocol.schema.json +20 -0
package/schemas/requests/validate/schema.schema.json +19 -0
package/schemas/requests/validate/task.schema.json +21 -0
package/schemas/requests/validate/test.coverage.schema.json +14 -0
package/schemas/requests/validate/test.run.schema.json +22 -0
package/schemas/requests/validate/test.status.schema.json +14 -0
package/schemas/responses/common-error.schema.json +20 -0
package/schemas/responses/common-success.schema.json +21 -0
package/schemas/responses/lifecycle/check.schema.json +18 -0
package/schemas/responses/lifecycle/gate.fail.schema.json +18 -0
package/schemas/responses/lifecycle/gate.pass.schema.json +18 -0
package/schemas/responses/lifecycle/gates.schema.json +18 -0
package/schemas/responses/lifecycle/history.schema.json +18 -0
package/schemas/responses/lifecycle/prerequisites.schema.json +18 -0
package/schemas/responses/lifecycle/progress.schema.json +18 -0
package/schemas/responses/lifecycle/reset.schema.json +18 -0
package/schemas/responses/lifecycle/skip.schema.json +18 -0
package/schemas/responses/lifecycle/status.schema.json +18 -0
package/schemas/responses/orchestrate/analyze.schema.json +18 -0
package/schemas/responses/orchestrate/context.schema.json +18 -0
package/schemas/responses/orchestrate/next.schema.json +18 -0
package/schemas/responses/orchestrate/parallel.end.schema.json +18 -0
package/schemas/responses/orchestrate/parallel.start.schema.json +18 -0
package/schemas/responses/orchestrate/ready.schema.json +18 -0
package/schemas/responses/orchestrate/skill.list.schema.json +18 -0
package/schemas/responses/orchestrate/spawn.schema.json +18 -0
package/schemas/responses/orchestrate/startup.schema.json +18 -0
package/schemas/responses/orchestrate/status.schema.json +18 -0
package/schemas/responses/orchestrate/validate.schema.json +18 -0
package/schemas/responses/orchestrate/waves.schema.json +18 -0
package/schemas/responses/release/changelog.schema.json +18 -0
package/schemas/responses/release/commit.schema.json +18 -0
package/schemas/responses/release/gates.run.schema.json +18 -0
package/schemas/responses/release/prepare.schema.json +18 -0
package/schemas/responses/release/push.schema.json +18 -0
package/schemas/responses/release/rollback.schema.json +18 -0
package/schemas/responses/release/tag.schema.json +18 -0
package/schemas/responses/research/inject.schema.json +18 -0
package/schemas/responses/research/link.schema.json +18 -0
package/schemas/responses/research/list.schema.json +18 -0
package/schemas/responses/research/manifest.append.schema.json +18 -0
package/schemas/responses/research/manifest.archive.schema.json +18 -0
package/schemas/responses/research/manifest.read.schema.json +18 -0
package/schemas/responses/research/pending.schema.json +18 -0
package/schemas/responses/research/query.schema.json +18 -0
package/schemas/responses/research/show.schema.json +18 -0
package/schemas/responses/research/stats.schema.json +18 -0
package/schemas/responses/session/end.schema.json +18 -0
package/schemas/responses/session/focus.clear.schema.json +18 -0
package/schemas/responses/session/focus.get.schema.json +18 -0
package/schemas/responses/session/focus.set.schema.json +18 -0
package/schemas/responses/session/gc.schema.json +18 -0
package/schemas/responses/session/history.schema.json +18 -0
package/schemas/responses/session/list.schema.json +18 -0
package/schemas/responses/session/resume.schema.json +18 -0
package/schemas/responses/session/show.schema.json +18 -0
package/schemas/responses/session/start.schema.json +18 -0
package/schemas/responses/session/status.schema.json +18 -0
package/schemas/responses/session/suspend.schema.json +18 -0
package/schemas/responses/system/backup.schema.json +18 -0
package/schemas/responses/system/cleanup.schema.json +18 -0
package/schemas/responses/system/config.get.schema.json +18 -0
package/schemas/responses/system/config.set.schema.json +18 -0
package/schemas/responses/system/context.schema.json +18 -0
package/schemas/responses/system/doctor.schema.json +18 -0
package/schemas/responses/system/init.schema.json +18 -0
package/schemas/responses/system/migrate.schema.json +18 -0
package/schemas/responses/system/restore.schema.json +18 -0
package/schemas/responses/system/stats.schema.json +18 -0
package/schemas/responses/system/sync.schema.json +18 -0
package/schemas/responses/system/version.schema.json +18 -0
package/schemas/responses/tasks/analyze.schema.json +18 -0
package/schemas/responses/tasks/archive.schema.json +18 -0
package/schemas/responses/tasks/blockers.schema.json +18 -0
package/schemas/responses/tasks/complete.schema.json +18 -0
package/schemas/responses/tasks/create.schema.json +18 -0
package/schemas/responses/tasks/delete.schema.json +18 -0
package/schemas/responses/tasks/deps.schema.json +18 -0
package/schemas/responses/tasks/exists.schema.json +18 -0
package/schemas/responses/tasks/find.schema.json +18 -0
package/schemas/responses/tasks/get.schema.json +87 -0
package/schemas/responses/tasks/list.schema.json +18 -0
package/schemas/responses/tasks/next.schema.json +18 -0
package/schemas/responses/tasks/promote.schema.json +18 -0
package/schemas/responses/tasks/reopen.schema.json +18 -0
package/schemas/responses/tasks/reorder.schema.json +18 -0
package/schemas/responses/tasks/reparent.schema.json +18 -0
package/schemas/responses/tasks/tree.schema.json +18 -0
package/schemas/responses/tasks/unarchive.schema.json +18 -0
package/schemas/responses/tasks/update.schema.json +18 -0
package/schemas/responses/validate/compliance.record.schema.json +18 -0
package/schemas/responses/validate/compliance.summary.schema.json +18 -0
package/schemas/responses/validate/compliance.violations.schema.json +18 -0
package/schemas/responses/validate/manifest.schema.json +18 -0
package/schemas/responses/validate/output.schema.json +18 -0
package/schemas/responses/validate/protocol.schema.json +18 -0
package/schemas/responses/validate/schema.schema.json +18 -0
package/schemas/responses/validate/task.schema.json +18 -0
package/schemas/responses/validate/test.coverage.schema.json +18 -0
package/schemas/responses/validate/test.run.schema.json +18 -0
package/schemas/responses/validate/test.status.schema.json +18 -0
package/server.json +53 -0

package/dist/lib/security.js ADDED Viewed

@@ -0,0 +1,347 @@
+/**
+ * Security Hardening and Input Sanitization for CLEO MCP Server
+ *
+ * Provides input validation, path sanitization, content filtering,
+ * enum checking, and rate limiting for all MCP operations.
+ *
+ * @task T3144
+ * @epic T3125
+ */
+import { resolve, normalize, relative, isAbsolute } from 'path';
+/**
+ * Security validation error thrown when input fails sanitization
+ */
+export class SecurityError extends Error {
+    code;
+    field;
+    constructor(message, code = 'E_SECURITY_VIOLATION', field) {
+        super(message);
+        this.code = code;
+        this.field = field;
+        this.name = 'SecurityError';
+    }
+}
+/**
+ * Task ID pattern: T followed by one or more digits
+ */
+const TASK_ID_PATTERN = /^T[0-9]+$/;
+/**
+ * Maximum task ID numeric value (prevent absurdly large IDs)
+ */
+const MAX_TASK_ID_NUMBER = 999999;
+/**
+ * Control character pattern (C0 and C1 control chars, excluding newline/tab/cr)
+ */
+const CONTROL_CHAR_PATTERN = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x9F]/g;
+/**
+ * Default maximum content length (64KB)
+ */
+const DEFAULT_MAX_CONTENT_LENGTH = 64 * 1024;
+/**
+ * Sanitize and validate a task ID
+ *
+ * Validates format: ^T[0-9]+$
+ * Rejects empty, malformed, or excessively large IDs
+ *
+ * @param id - Raw task ID input
+ * @returns Sanitized task ID
+ * @throws SecurityError if ID is invalid
+ */
+export function sanitizeTaskId(id) {
+    if (typeof id !== 'string') {
+        throw new SecurityError('Task ID must be a string', 'E_INVALID_TASK_ID', 'taskId');
+    }
+    // Trim whitespace
+    const trimmed = id.trim();
+    if (trimmed.length === 0) {
+        throw new SecurityError('Task ID cannot be empty', 'E_INVALID_TASK_ID', 'taskId');
+    }
+    if (!TASK_ID_PATTERN.test(trimmed)) {
+        throw new SecurityError(`Invalid task ID format: "${trimmed}". Must match pattern T[0-9]+ (e.g., T123)`, 'E_INVALID_TASK_ID', 'taskId');
+    }
+    // Check numeric portion isn't absurdly large
+    const numericPart = parseInt(trimmed.slice(1), 10);
+    if (numericPart > MAX_TASK_ID_NUMBER) {
+        throw new SecurityError(`Task ID numeric value exceeds maximum (${MAX_TASK_ID_NUMBER}): ${trimmed}`, 'E_INVALID_TASK_ID', 'taskId');
+    }
+    return trimmed;
+}
+/**
+ * Sanitize and validate a file path
+ *
+ * Prevents path traversal attacks by ensuring the resolved path
+ * stays within the project root directory.
+ *
+ * @param path - Raw path input
+ * @param projectRoot - Project root directory (absolute path)
+ * @returns Sanitized absolute path within project root
+ * @throws SecurityError if path escapes project root or is invalid
+ */
+export function sanitizePath(path, projectRoot) {
+    if (typeof path !== 'string') {
+        throw new SecurityError('Path must be a string', 'E_INVALID_PATH', 'path');
+    }
+    if (typeof projectRoot !== 'string' || projectRoot.length === 0) {
+        throw new SecurityError('Project root must be a non-empty string', 'E_INVALID_PATH', 'projectRoot');
+    }
+    const trimmedPath = path.trim();
+    if (trimmedPath.length === 0) {
+        throw new SecurityError('Path cannot be empty', 'E_INVALID_PATH', 'path');
+    }
+    // Check for null bytes (common injection vector)
+    if (trimmedPath.includes('\0')) {
+        throw new SecurityError('Path contains null bytes', 'E_PATH_TRAVERSAL', 'path');
+    }
+    // Normalize the project root
+    const normalizedRoot = resolve(projectRoot);
+    // Resolve the path relative to project root
+    let resolvedPath;
+    if (isAbsolute(trimmedPath)) {
+        resolvedPath = normalize(trimmedPath);
+    }
+    else {
+        resolvedPath = resolve(normalizedRoot, trimmedPath);
+    }
+    // Ensure the resolved path is within the project root
+    const relativePath = relative(normalizedRoot, resolvedPath);
+    // If relative path starts with '..' or is absolute, it escapes the root
+    if (relativePath.startsWith('..') || isAbsolute(relativePath)) {
+        throw new SecurityError(`Path traversal detected: "${path}" resolves outside project root`, 'E_PATH_TRAVERSAL', 'path');
+    }
+    return resolvedPath;
+}
+/**
+ * Sanitize content string
+ *
+ * Enforces size limits and strips control characters (except newline, tab, CR).
+ *
+ * @param content - Raw content string
+ * @param maxLength - Maximum allowed length (default: 64KB)
+ * @returns Sanitized content string
+ * @throws SecurityError if content exceeds size limit
+ */
+export function sanitizeContent(content, maxLength = DEFAULT_MAX_CONTENT_LENGTH) {
+    if (typeof content !== 'string') {
+        throw new SecurityError('Content must be a string', 'E_INVALID_CONTENT', 'content');
+    }
+    if (content.length > maxLength) {
+        throw new SecurityError(`Content exceeds maximum length (${maxLength} characters): got ${content.length}`, 'E_CONTENT_TOO_LARGE', 'content');
+    }
+    // Strip control characters (preserve \n, \t, \r)
+    return content.replace(CONTROL_CHAR_PATTERN, '');
+}
+/**
+ * Validate that a value is in an allowed enum set
+ *
+ * @param value - Value to validate
+ * @param allowed - Array of allowed values
+ * @param fieldName - Name of the field (for error messages)
+ * @returns The validated value
+ * @throws SecurityError if value is not in allowed set
+ */
+export function validateEnum(value, allowed, fieldName) {
+    if (typeof value !== 'string') {
+        throw new SecurityError(`${fieldName} must be a string`, 'E_INVALID_ENUM', fieldName);
+    }
+    const trimmed = value.trim();
+    if (!allowed.includes(trimmed)) {
+        throw new SecurityError(`Invalid ${fieldName}: "${trimmed}". Allowed values: ${allowed.join(', ')}`, 'E_INVALID_ENUM', fieldName);
+    }
+    return trimmed;
+}
+/**
+ * Known enum values for CLEO domains
+ */
+export const VALID_DOMAINS = [
+    'tasks', 'session', 'orchestrate', 'research',
+    'lifecycle', 'validate', 'release', 'system',
+];
+export const VALID_GATEWAYS = ['cleo_query', 'cleo_mutate'];
+export const VALID_STATUSES = ['pending', 'active', 'blocked', 'done'];
+export const VALID_PRIORITIES = ['low', 'medium', 'high', 'critical'];
+/**
+ * Default rate limit configurations per operation type
+ */
+export const DEFAULT_RATE_LIMITS = {
+    query: { maxRequests: 100, windowMs: 60_000 },
+    mutate: { maxRequests: 30, windowMs: 60_000 },
+    spawn: { maxRequests: 10, windowMs: 60_000 },
+};
+/**
+ * In-memory sliding window rate limiter
+ *
+ * Tracks request timestamps per key and enforces configurable limits.
+ */
+export class RateLimiter {
+    windows = new Map();
+    configs = new Map();
+    constructor(configs) {
+        // Initialize with provided or default configs
+        const effectiveConfigs = configs ?? DEFAULT_RATE_LIMITS;
+        for (const [key, config] of Object.entries(effectiveConfigs)) {
+            this.configs.set(key, config);
+        }
+    }
+    /**
+     * Check if a request is allowed under rate limits
+     *
+     * @param key - Rate limit bucket key (e.g., 'query', 'mutate', 'spawn')
+     * @returns Rate limit check result
+     */
+    check(key) {
+        const config = this.configs.get(key);
+        if (!config) {
+            // No config for this key - allow by default
+            return { allowed: true, remaining: Infinity, resetMs: 0, limit: Infinity };
+        }
+        const now = Date.now();
+        const windowStart = now - config.windowMs;
+        // Get or create window
+        let timestamps = this.windows.get(key);
+        if (!timestamps) {
+            timestamps = [];
+            this.windows.set(key, timestamps);
+        }
+        // Prune expired timestamps
+        const validTimestamps = timestamps.filter(t => t > windowStart);
+        this.windows.set(key, validTimestamps);
+        const remaining = Math.max(0, config.maxRequests - validTimestamps.length);
+        const oldestInWindow = validTimestamps.length > 0 ? validTimestamps[0] : now;
+        const resetMs = Math.max(0, oldestInWindow + config.windowMs - now);
+        return {
+            allowed: validTimestamps.length < config.maxRequests,
+            remaining,
+            resetMs,
+            limit: config.maxRequests,
+        };
+    }
+    /**
+     * Record a request (call after check returns allowed: true)
+     *
+     * @param key - Rate limit bucket key
+     */
+    record(key) {
+        const timestamps = this.windows.get(key) ?? [];
+        timestamps.push(Date.now());
+        this.windows.set(key, timestamps);
+    }
+    /**
+     * Check and record in one step
+     *
+     * @param key - Rate limit bucket key
+     * @returns Rate limit check result (recorded if allowed)
+     */
+    consume(key) {
+        const result = this.check(key);
+        if (result.allowed) {
+            this.record(key);
+            // Adjust remaining after recording
+            result.remaining = Math.max(0, result.remaining - 1);
+        }
+        return result;
+    }
+    /**
+     * Reset rate limit state for a specific key or all keys
+     *
+     * @param key - Optional key to reset (resets all if omitted)
+     */
+    reset(key) {
+        if (key) {
+            this.windows.delete(key);
+        }
+        else {
+            this.windows.clear();
+        }
+    }
+    /**
+     * Get current configuration for a key
+     */
+    getConfig(key) {
+        return this.configs.get(key);
+    }
+    /**
+     * Update configuration for a key
+     */
+    setConfig(key, config) {
+        this.configs.set(key, config);
+    }
+}
+/**
+ * Sanitize all params in a DomainRequest before routing
+ *
+ * Applies appropriate sanitization based on known field names:
+ * - taskId, parent, epicId -> sanitizeTaskId
+ * - path, file -> sanitizePath (if projectRoot provided)
+ * - title, description, notes, content -> sanitizeContent
+ * - status -> validateEnum(VALID_STATUSES)
+ * - priority -> validateEnum(VALID_PRIORITIES)
+ * - domain -> validateEnum(VALID_DOMAINS)
+ *
+ * @param params - Raw request parameters
+ * @param projectRoot - Project root for path sanitization
+ * @returns Sanitized parameters
+ * @throws SecurityError on validation failure
+ */
+export function sanitizeParams(params, projectRoot) {
+    if (!params) {
+        return params;
+    }
+    const sanitized = { ...params };
+    for (const [key, value] of Object.entries(sanitized)) {
+        if (value === undefined || value === null) {
+            continue;
+        }
+        // Task ID fields
+        if (typeof value === 'string' &&
+            (key === 'taskId' || key === 'parent' || key === 'epicId')) {
+            sanitized[key] = sanitizeTaskId(value);
+            continue;
+        }
+        // Task ID arrays (depends)
+        if (key === 'depends' && Array.isArray(value)) {
+            sanitized[key] = value.map((v) => {
+                if (typeof v === 'string') {
+                    return sanitizeTaskId(v);
+                }
+                return v;
+            });
+            continue;
+        }
+        // Path fields
+        if (typeof value === 'string' &&
+            (key === 'path' || key === 'file') &&
+            projectRoot) {
+            sanitized[key] = sanitizePath(value, projectRoot);
+            continue;
+        }
+        // Content fields (with size limits)
+        if (typeof value === 'string' &&
+            (key === 'title' || key === 'description' || key === 'content')) {
+            const maxLen = key === 'title' ? 200 : DEFAULT_MAX_CONTENT_LENGTH;
+            sanitized[key] = sanitizeContent(value, maxLen);
+            continue;
+        }
+        // Notes can be string or array of strings
+        if (key === 'notes') {
+            if (typeof value === 'string') {
+                sanitized[key] = sanitizeContent(value);
+            }
+            else if (Array.isArray(value)) {
+                sanitized[key] = value.map((v) => typeof v === 'string' ? sanitizeContent(v) : v);
+            }
+            continue;
+        }
+        // Status enum
+        if (typeof value === 'string' && key === 'status') {
+            sanitized[key] = validateEnum(value, [...VALID_STATUSES], 'status');
+            continue;
+        }
+        // Priority enum
+        if (typeof value === 'string' && key === 'priority') {
+            sanitized[key] = validateEnum(value, [...VALID_PRIORITIES], 'priority');
+            continue;
+        }
+    }
+    return sanitized;
+}
+//# sourceMappingURL=security.js.map

package/dist/lib/security.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/lib/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEhE;;GAEG;AACH,MAAM,OAAO,aAAc,SAAQ,KAAK;IAG7B;IACA;IAHT,YACE,OAAe,EACR,OAAe,sBAAsB,EACrC,KAAc;QAErB,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAiC;QACrC,UAAK,GAAL,KAAK,CAAS;QAGrB,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,eAAe,GAAG,WAAW,CAAC;AAEpC;;GAEG;AACH,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC;;GAEG;AACH,MAAM,oBAAoB,GAAG,wCAAwC,CAAC;AAEtE;;GAEG;AACH,MAAM,0BAA0B,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7C;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,EAAU;IACvC,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC3B,MAAM,IAAI,aAAa,CACrB,0BAA0B,EAC1B,mBAAmB,EACnB,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;IAE1B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,aAAa,CACrB,yBAAyB,EACzB,mBAAmB,EACnB,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,aAAa,CACrB,4BAA4B,OAAO,4CAA4C,EAC/E,mBAAmB,EACnB,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnD,IAAI,WAAW,GAAG,kBAAkB,EAAE,CAAC;QACrC,MAAM,IAAI,aAAa,CACrB,0CAA0C,kBAAkB,MAAM,OAAO,EAAE,EAC3E,mBAAmB,EACnB,QAAQ,CACT,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,WAAmB;IAC5D,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,aAAa,CACrB,uBAAuB,EACvB,gBAAgB,EAChB,MAAM,CACP,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,aAAa,CACrB,yCAAyC,EACzC,gBAAgB,EAChB,aAAa,CACd,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAEhC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,aAAa,CACrB,sBAAsB,EACtB,gBAAgB,EAChB,MAAM,CACP,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,aAAa,CACrB,0BAA0B,EAC1B,kBAAkB,EAClB,MAAM,CACP,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,cAAc,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IAE5C,4CAA4C;IAC5C,IAAI,YAAoB,CAAC;IACzB,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5B,YAAY,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;IACxC,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,OAAO,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,CAAC;IAED,sDAAsD;IACtD,MAAM,YAAY,GAAG,QAAQ,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;IAE5D,wEAAwE;IACxE,IAAI,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,aAAa,CACrB,6BAA6B,IAAI,iCAAiC,EAClE,kBAAkB,EAClB,MAAM,CACP,CAAC;IACJ,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAe,EACf,YAAoB,0BAA0B;IAE9C,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,aAAa,CACrB,0BAA0B,EAC1B,mBAAmB,EACnB,SAAS,CACV,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,aAAa,CACrB,mCAAmC,SAAS,qBAAqB,OAAO,CAAC,MAAM,EAAE,EACjF,qBAAqB,EACrB,SAAS,CACV,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,OAAO,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAa,EACb,OAAiB,EACjB,SAAiB;IAEjB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,aAAa,CACrB,GAAG,SAAS,mBAAmB,EAC/B,gBAAgB,EAChB,SAAS,CACV,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,aAAa,CACrB,WAAW,SAAS,MAAM,OAAO,sBAAsB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAC3E,gBAAgB,EAChB,SAAS,CACV,CAAC;IACJ,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU;IAC7C,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ;CACpC,CAAC;AAEX,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,YAAY,EAAE,aAAa,CAAU,CAAC;AAErE,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAU,CAAC;AAEhF,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAU,CAAC;AA0B/E;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAoC;IAClE,KAAK,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC7C,MAAM,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;IAC7C,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE;CAC7C,CAAC;AAEF;;;;GAIG;AACH,MAAM,OAAO,WAAW;IACd,OAAO,GAA0B,IAAI,GAAG,EAAE,CAAC;IAC3C,OAAO,GAAiC,IAAI,GAAG,EAAE,CAAC;IAE1D,YAAY,OAAyC;QACnD,8CAA8C;QAC9C,MAAM,gBAAgB,GAAG,OAAO,IAAI,mBAAmB,CAAC;QACxD,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC7D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAW;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,4CAA4C;YAC5C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;QAC7E,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;QAE1C,uBAAuB;QACvB,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,EAAE,CAAC;YAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,2BAA2B;QAC3B,MAAM,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;QAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QAC3E,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC7E,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,cAAc,GAAG,MAAM,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC;QAEpE,OAAO;YACL,OAAO,EAAE,eAAe,CAAC,MAAM,GAAG,MAAM,CAAC,WAAW;YACpD,SAAS;YACT,OAAO;YACP,KAAK,EAAE,MAAM,CAAC,WAAW;SAC1B,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,GAAW;QAChB,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC/C,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,OAAO,CAAC,GAAW;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjB,mCAAmC;YACnC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,GAAY;QAChB,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,GAAW;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,GAAW,EAAE,MAAuB;QAC5C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAChC,CAAC;CACF;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,cAAc,CAC5B,MAA2C,EAC3C,WAAoB;IAEpB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,SAAS,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAC;IAEzD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACrD,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAC1C,SAAS;QACX,CAAC;QAED,iBAAiB;QACjB,IACE,OAAO,KAAK,KAAK,QAAQ;YACzB,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,CAAC,EAC1D,CAAC;YACD,SAAS,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;YACvC,SAAS;QACX,CAAC;QAED,2BAA2B;QAC3B,IAAI,GAAG,KAAK,SAAS,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC/B,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1B,OAAO,cAAc,CAAC,CAAC,CAAC,CAAC;gBAC3B,CAAC;gBACD,OAAO,CAAC,CAAC;YACX,CAAC,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,cAAc;QACd,IACE,OAAO,KAAK,KAAK,QAAQ;YACzB,CAAC,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,MAAM,CAAC;YAClC,WAAW,EACX,CAAC;YACD,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;YAClD,SAAS;QACX,CAAC;QAED,oCAAoC;QACpC,IACE,OAAO,KAAK,KAAK,QAAQ;YACzB,CAAC,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,SAAS,CAAC,EAC/D,CAAC;YACD,MAAM,MAAM,GAAG,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,0BAA0B,CAAC;YAClE,SAAS,CAAC,GAAG,CAAC,GAAG,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;YAChD,SAAS;QACX,CAAC;QAED,0CAA0C;QAC1C,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,SAAS,CAAC,GAAG,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/B,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC/C,CAAC;YACJ,CAAC;YACD,SAAS;QACX,CAAC;QAED,cAAc;QACd,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClD,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,GAAG,cAAc,CAAC,EAAE,QAAQ,CAAC,CAAC;YACpE,SAAS;QACX,CAAC;QAED,gBAAgB;QAChB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YACpD,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,GAAG,gBAAgB,CAAC,EAAE,UAAU,CAAC,CAAC;YACxE,SAAS;QACX,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/lib/verification-gates.d.ts ADDED Viewed

@@ -0,0 +1,287 @@
+/**
+ * Verification Gate System for CLEO MCP Server
+ *
+ * @task T2936
+ * @epic T2908
+ *
+ * Implements 4-layer validation gate system:
+ * Layer 1: Schema Validation (JSON Schema compliance)
+ * Layer 2: Semantic Validation (Business rules)
+ * Layer 3: Referential Validation (Cross-entity integrity)
+ * Layer 4: Protocol Validation (RCSD-IVTR lifecycle)
+ *
+ * Reference: docs/specs/MCP-SERVER-SPECIFICATION.md Section 7
+ */
+import { ExitCode, ErrorCategory, ErrorSeverity } from './exit-codes.js';
+import { ProtocolType } from './protocol-enforcement.js';
+/**
+ * Gate layer enumeration
+ */
+export declare enum GateLayer {
+    SCHEMA = 1,
+    SEMANTIC = 2,
+    REFERENTIAL = 3,
+    PROTOCOL = 4
+}
+/**
+ * Gate status for each layer
+ */
+export declare enum GateStatus {
+    PENDING = "pending",
+    PASSED = "passed",
+    FAILED = "failed",
+    BLOCKED = "blocked",
+    SKIPPED = "skipped"
+}
+/**
+ * Violation detail for a specific gate layer
+ */
+export interface GateViolation {
+    layer: GateLayer;
+    severity: ErrorSeverity;
+    code: string;
+    message: string;
+    field?: string;
+    value?: unknown;
+    constraint?: string;
+    fix?: string;
+}
+/**
+ * Result from a single gate layer validation
+ */
+export interface LayerResult {
+    layer: GateLayer;
+    status: GateStatus;
+    passed: boolean;
+    violations: GateViolation[];
+    duration_ms: number;
+}
+/**
+ * Complete verification result across all 4 layers
+ */
+export interface VerificationResult {
+    passed: boolean;
+    layers: Record<GateLayer, LayerResult>;
+    totalViolations: number;
+    exitCode: ExitCode;
+    category: ErrorCategory;
+    summary: string;
+    blockedAt?: GateLayer;
+}
+/**
+ * Operation context for gate validation
+ */
+export interface OperationContext {
+    domain: string;
+    operation: string;
+    gateway: 'cleo_query' | 'cleo_mutate';
+    params?: Record<string, unknown>;
+    taskId?: string;
+    protocolType?: ProtocolType;
+}
+/**
+ * Main Verification Gate class
+ *
+ * Orchestrates 4-layer validation and determines pass/fail status.
+ * Each layer must pass before proceeding to the next.
+ */
+export declare class VerificationGate {
+    private protocolEnforcer;
+    private strictMode;
+    constructor(strictMode?: boolean);
+    /**
+     * Execute all 4 gate layers sequentially
+     *
+     * Stops at first failure unless in advisory mode.
+     */
+    verifyOperation(context: OperationContext): Promise<VerificationResult>;
+    /**
+     * Run a single validation layer with timing
+     */
+    private runLayer;
+    /**
+     * Build success result when all gates pass
+     */
+    private buildSuccessResult;
+    /**
+     * Build failure result when a gate fails
+     */
+    private buildFailureResult;
+    /**
+     * Determine semantic layer exit code from violations
+     */
+    private determineSemanticExitCode;
+    /**
+     * Determine referential layer exit code from violations
+     */
+    private determineReferentialExitCode;
+    /**
+     * Determine protocol layer exit code from violations
+     */
+    private determineProtocolExitCode;
+    /**
+     * Check if an operation requires gate validation
+     *
+     * All mutate operations require validation.
+     * Query operations skip validation for performance.
+     */
+    static requiresValidation(context: OperationContext): boolean;
+    /**
+     * Get human-readable layer name
+     */
+    static getLayerName(layer: GateLayer): string;
+}
+/**
+ * Factory function for creating verification gates
+ */
+export declare function createVerificationGate(strictMode?: boolean): VerificationGate;
+/**
+ * Export gate layer sequence for external use
+ */
+export declare const GATE_SEQUENCE: readonly [GateLayer.SCHEMA, GateLayer.SEMANTIC, GateLayer.REFERENTIAL, GateLayer.PROTOCOL];
+/**
+ * Workflow gate names per MCP-SERVER-SPECIFICATION.md Section 7.1
+ *
+ * Sequence: implemented → testsPassed → qaPassed → cleanupDone → securityPassed → documented
+ *
+ * @task T3141
+ */
+export declare enum WorkflowGateName {
+    IMPLEMENTED = "implemented",
+    TESTS_PASSED = "testsPassed",
+    QA_PASSED = "qaPassed",
+    CLEANUP_DONE = "cleanupDone",
+    SECURITY_PASSED = "securityPassed",
+    DOCUMENTED = "documented"
+}
+/**
+ * Workflow gate status values per Section 7.3
+ *
+ * - null: Not yet attempted
+ * - passed: Gate passed successfully
+ * - failed: Gate failed (blocks downstream)
+ * - blocked: Cannot attempt (dependencies not met)
+ */
+export type WorkflowGateStatus = null | 'passed' | 'failed' | 'blocked';
+/**
+ * Agent responsible for each gate per Section 7.2
+ */
+export type WorkflowGateAgent = 'coder' | 'testing' | 'qa' | 'cleanup' | 'security' | 'docs';
+/**
+ * Individual workflow gate definition per Section 7.2
+ */
+export interface WorkflowGateDefinition {
+    name: WorkflowGateName;
+    agent: WorkflowGateAgent;
+    dependsOn: WorkflowGateName[];
+    description: string;
+}
+/**
+ * State of a single workflow gate
+ */
+export interface WorkflowGateState {
+    name: WorkflowGateName;
+    status: WorkflowGateStatus;
+    agent: WorkflowGateAgent;
+    updatedAt: string | null;
+    failureReason?: string;
+}
+/**
+ * Complete workflow gate definitions per Section 7.2
+ */
+export declare const WORKFLOW_GATE_DEFINITIONS: WorkflowGateDefinition[];
+/**
+ * Ordered workflow gate sequence per Section 7.1
+ */
+export declare const WORKFLOW_GATE_SEQUENCE: WorkflowGateName[];
+/**
+ * WorkflowGateTracker
+ *
+ * Tracks the status of all 6 workflow verification gates for a task.
+ * Implements Section 7.4 failure cascade behavior: when a gate fails,
+ * all downstream gates reset to null.
+ *
+ * @task T3141
+ */
+export declare class WorkflowGateTracker {
+    private gates;
+    constructor();
+    /**
+     * Get the status of a specific gate
+     */
+    getGateStatus(gateName: WorkflowGateName): WorkflowGateStatus;
+    /**
+     * Get the full state of a specific gate
+     */
+    getGateState(gateName: WorkflowGateName): WorkflowGateState | undefined;
+    /**
+     * Get all gate states
+     */
+    getAllGates(): WorkflowGateState[];
+    /**
+     * Check if a gate can be attempted (all dependencies passed)
+     */
+    canAttempt(gateName: WorkflowGateName): boolean;
+    /**
+     * Mark a gate as passed.
+     *
+     * Returns false if the gate cannot be attempted (dependencies not met).
+     */
+    passGate(gateName: WorkflowGateName, agent?: string): boolean;
+    /**
+     * Mark a gate as failed.
+     *
+     * Per Section 7.4: When a gate fails, all downstream gates reset to null.
+     */
+    failGate(gateName: WorkflowGateName, reason?: string): boolean;
+    /**
+     * Reset a gate and all downstream gates to null.
+     *
+     * Used for failure cascade per Section 7.4.
+     */
+    private cascadeReset;
+    /**
+     * Update blocked status for all gates based on current state.
+     *
+     * A gate is blocked if it hasn't been attempted (null) and its
+     * dependencies are not all passed.
+     */
+    updateBlockedStatus(): void;
+    /**
+     * Check if all gates have passed
+     */
+    allPassed(): boolean;
+    /**
+     * Get all gates that are currently blocked or have null status
+     */
+    getPendingGates(): WorkflowGateState[];
+    /**
+     * Get the next gate that can be attempted
+     */
+    getNextAttemptable(): WorkflowGateName | null;
+    /**
+     * Get downstream gates of a given gate (not including the gate itself)
+     */
+    getDownstreamGates(gateName: WorkflowGateName): WorkflowGateName[];
+    /**
+     * Serialize gate states to a plain record
+     */
+    toRecord(): Record<string, WorkflowGateStatus>;
+    /**
+     * Restore gate states from a record
+     */
+    fromRecord(record: Record<string, WorkflowGateStatus>): void;
+    /**
+     * Check if a gate name is valid
+     */
+    private isValidGate;
+}
+/**
+ * Validate a workflow gate name string
+ */
+export declare function isValidWorkflowGateName(name: string): name is WorkflowGateName;
+/**
+ * Get the definition for a workflow gate
+ */
+export declare function getWorkflowGateDefinition(name: WorkflowGateName): WorkflowGateDefinition | undefined;
+//# sourceMappingURL=verification-gates.d.ts.map

package/dist/lib/verification-gates.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"verification-gates.d.ts","sourceRoot":"","sources":["../../src/lib/verification-gates.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACzE,OAAO,EAAoB,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAS3E;;GAEG;AACH,oBAAY,SAAS;IACnB,MAAM,IAAI;IACV,QAAQ,IAAI;IACZ,WAAW,IAAI;IACf,QAAQ,IAAI;CACb;AAED;;GAEG;AACH,oBAAY,UAAU;IACpB,OAAO,YAAY;IACnB,MAAM,WAAW;IACjB,MAAM,WAAW;IACjB,OAAO,YAAY;IACnB,OAAO,YAAY;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,SAAS,CAAC;IACjB,QAAQ,EAAE,aAAa,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,SAAS,CAAC;IACjB,MAAM,EAAE,UAAU,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,aAAa,EAAE,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,QAAQ,CAAC;IACnB,QAAQ,EAAE,aAAa,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,YAAY,GAAG,aAAa,CAAC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,UAAU,CAAU;gBAEhB,UAAU,GAAE,OAAc;IAKtC;;;;OAIG;IACG,eAAe,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAoD7E;;OAEG;YACW,QAAQ;IA6BtB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAW1B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAuC1B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAYjC;;OAEG;IACH,OAAO,CAAC,4BAA4B;IASpC;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAiBjC;;;;;OAKG;IACH,MAAM,CAAC,kBAAkB,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;IAU7D;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,KAAK,EAAE,SAAS,GAAG,MAAM;CAS9C;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,GAAE,OAAc,GAAG,gBAAgB,CAEnF;AAED;;GAEG;AACH,eAAO,MAAM,aAAa,4FAKhB,CAAC;AAMX;;;;;;GAMG;AACH,oBAAY,gBAAgB;IAC1B,WAAW,gBAAgB;IAC3B,YAAY,gBAAgB;IAC5B,SAAS,aAAa;IACtB,YAAY,gBAAgB;IAC5B,eAAe,mBAAmB;IAClC,UAAU,eAAe;CAC1B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,kBAAkB,GAAG,IAAI,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;AAExE;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG,SAAS,GAAG,IAAI,GAAG,SAAS,GAAG,UAAU,GAAG,MAAM,CAAC;AAE7F;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,IAAI,EAAE,gBAAgB,CAAC;IACvB,KAAK,EAAE,iBAAiB,CAAC;IACzB,SAAS,EAAE,gBAAgB,EAAE,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,gBAAgB,CAAC;IACvB,MAAM,EAAE,kBAAkB,CAAC;IAC3B,KAAK,EAAE,iBAAiB,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,eAAO,MAAM,yBAAyB,EAAE,sBAAsB,EAqC7D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,EAAE,gBAAgB,EAOpD,CAAC;AAWF;;;;;;;;GAQG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,KAAK,CAA2C;;IAcxD;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,gBAAgB,GAAG,kBAAkB;IAK7D;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,gBAAgB,GAAG,iBAAiB,GAAG,SAAS;IAIvE;;OAEG;IACH,WAAW,IAAI,iBAAiB,EAAE;IAIlC;;OAEG;IACH,UAAU,CAAC,QAAQ,EAAE,gBAAgB,GAAG,OAAO;IAa/C;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO;IAe7D;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO;IAc9D;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAcpB;;;;;OAKG;IACH,mBAAmB,IAAI,IAAI;IAc3B;;OAEG;IACH,SAAS,IAAI,OAAO;IAOpB;;OAEG;IACH,eAAe,IAAI,iBAAiB,EAAE;IAMtC;;OAEG;IACH,kBAAkB,IAAI,gBAAgB,GAAG,IAAI;IAU7C;;OAEG;IACH,kBAAkB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,gBAAgB,EAAE;IAMlE;;OAEG;IACH,QAAQ,IAAI,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC;IAQ9C;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,GAAG,IAAI;IAS5D;;OAEG;IACH,OAAO,CAAC,WAAW;CAGpB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,IAAI,gBAAgB,CAE9E;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,gBAAgB,GACrB,sBAAsB,GAAG,SAAS,CAEpC"}