@creative-ia/cortex 1.0.5

package/README.md

@@ -0,0 +1,41 @@
+# Cortex by Creative IA
+
+Centro de inteligencia para arquitetura de software.
+
+Servidor MCP (Model Context Protocol) com 23 ferramentas para:
+- Arquitetura e padroes de codigo (L1-L4)
+- Processos de arquitetura de software
+- Engenharia reversa de repositorios
+- Knowledge base organizacional
+- Documentacao e wiki automatizada
+
+## Instalacao
+
+```bash
+npm install -g @creative-ia/cortex
+```
+
+## Configuracao (mcp.json)
+
+```json
+{
+  "mcpServers": {
+    "cortex-local": {
+      "command": "cortex-mcp",
+      "env": {
+        "GITHUB_TOKEN": "ghp_xxx",
+        "AZURE_DEVOPS_PAT": "xxx"
+      },
+      "disabled": false
+    }
+  }
+}
+```
+
+## Licenca
+
+Proprietario — Creative IA. Uso requer licenca valida.
+
+## Suporte
+
+creativeia50@gmail.com

package/dist/config/cloud-proxy.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Cloud Proxy — Delega chamadas de tools para o endpoint nuvem via HTTPS.
+ *
+ * Quando CORTEX_API_URL esta definido, as tools que dependem de AWS
+ * (DynamoDB, S3, SSM, CloudWatch, Bedrock) sao executadas na nuvem.
+ * O server local envia a chamada via JSON-RPC e retorna o resultado.
+ *
+ * Isso elimina a necessidade de credenciais AWS no cliente.
+ */
+export declare function isCloudProxyEnabled(): boolean;
+/**
+ * Chama uma tool no endpoint nuvem via JSON-RPC over HTTPS.
+ * Retorna o texto da resposta ou lanca erro.
+ */
+export declare function callCloudTool(toolName: string, args: Record<string, unknown>): Promise<string>;

package/dist/config/cloud-proxy.js

@@ -0,0 +1,63 @@
+/**
+ * Cloud Proxy — Delega chamadas de tools para o endpoint nuvem via HTTPS.
+ *
+ * Quando CORTEX_API_URL esta definido, as tools que dependem de AWS
+ * (DynamoDB, S3, SSM, CloudWatch, Bedrock) sao executadas na nuvem.
+ * O server local envia a chamada via JSON-RPC e retorna o resultado.
+ *
+ * Isso elimina a necessidade de credenciais AWS no cliente.
+ */
+const CORTEX_API_URL = process.env.CORTEX_API_URL;
+export function isCloudProxyEnabled() {
+    return !!CORTEX_API_URL;
+}
+/**
+ * Chama uma tool no endpoint nuvem via JSON-RPC over HTTPS.
+ * Retorna o texto da resposta ou lanca erro.
+ */
+export async function callCloudTool(toolName, args) {
+    if (!CORTEX_API_URL) {
+        throw new Error("CORTEX_API_URL not configured");
+    }
+    const licenseKey = args.licenseKey || process.env.LICENSE_KEY || "";
+    const body = JSON.stringify({
+        jsonrpc: "2.0",
+        id: Date.now(),
+        method: "tools/call",
+        params: {
+            name: toolName,
+            arguments: args,
+        },
+    });
+    const res = await fetch(CORTEX_API_URL, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "X-License-Key": licenseKey,
+        },
+        body,
+        signal: AbortSignal.timeout(55000), // 55s (Lambda tem 60s timeout)
+    });
+    if (!res.ok) {
+        throw new Error(`Cloud proxy error: HTTP ${res.status}`);
+    }
+    const raw = await res.text();
+    // Endpoint pode retornar SSE (event: message\ndata: {...}) ou JSON direto
+    let json;
+    if (raw.startsWith("event:")) {
+        const dataLine = raw.split("\n").find((l) => l.startsWith("data:"));
+        json = JSON.parse(dataLine ? dataLine.slice(5).trim() : "{}");
+    }
+    else {
+        json = JSON.parse(raw);
+    }
+    if (json.error) {
+        throw new Error(json.error.message || `Cloud error code ${json.error.code}`);
+    }
+    // Extrair texto da resposta MCP
+    const content = json.result?.content;
+    if (!content || content.length === 0) {
+        return "";
+    }
+    return content.map((c) => c.text || "").join("\n");
+}

package/dist/config/cloudwatch-store.d.ts

@@ -0,0 +1,13 @@
+export declare function writeLog(level: string, message: string, meta?: Record<string, unknown>): Promise<void>;
+export declare function filterLogs(params: {
+    pattern?: string;
+    startTime?: number;
+    endTime?: number;
+    limit?: number;
+}): Promise<string[]>;
+export declare function queryLogs(params: {
+    query: string;
+    startTime?: number;
+    endTime?: number;
+    limit?: number;
+}): Promise<string[][]>;

package/dist/config/cloudwatch-store.js

@@ -0,0 +1,66 @@
+/**
+ * CloudWatch Logs — Escrita e consulta de logs do MCP Server.
+ * Log group: /creative-ia50/mcp-server
+ */
+import { CloudWatchLogsClient, CreateLogStreamCommand, PutLogEventsCommand, FilterLogEventsCommand, StartQueryCommand, GetQueryResultsCommand, } from "@aws-sdk/client-cloudwatch-logs";
+const isLocal = process.env.USE_LOCALSTACK === "true";
+const cwl = new CloudWatchLogsClient({
+    region: process.env.AWS_REGION || "sa-east-1",
+    ...(isLocal && {
+        endpoint: "http://localhost:4566",
+        credentials: { accessKeyId: "test", secretAccessKey: "test" },
+    }),
+});
+const LOG_GROUP = process.env.LOG_GROUP || "/creative-ia50/mcp-server";
+// Ensure log stream exists for today
+async function ensureStream(streamName) {
+    try {
+        await cwl.send(new CreateLogStreamCommand({ logGroupName: LOG_GROUP, logStreamName: streamName }));
+    }
+    catch { /* already exists */ }
+}
+// Write a log event
+export async function writeLog(level, message, meta) {
+    const stream = `mcp-server/${new Date().toISOString().slice(0, 10)}`;
+    await ensureStream(stream);
+    const event = JSON.stringify({ level, message, ...meta, timestamp: new Date().toISOString() });
+    await cwl.send(new PutLogEventsCommand({
+        logGroupName: LOG_GROUP,
+        logStreamName: stream,
+        logEvents: [{ timestamp: Date.now(), message: event }],
+    }));
+}
+// Filter logs by pattern
+export async function filterLogs(params) {
+    const now = Date.now();
+    const res = await cwl.send(new FilterLogEventsCommand({
+        logGroupName: LOG_GROUP,
+        filterPattern: params.pattern || "",
+        startTime: params.startTime || now - 24 * 60 * 60 * 1000, // default: last 24h
+        endTime: params.endTime || now,
+        limit: params.limit || 50,
+    }));
+    return (res.events || []).map(e => e.message || "");
+}
+// Run CloudWatch Insights query
+export async function queryLogs(params) {
+    const now = Date.now();
+    const start = await cwl.send(new StartQueryCommand({
+        logGroupName: LOG_GROUP,
+        queryString: params.query,
+        startTime: Math.floor((params.startTime || now - 24 * 60 * 60 * 1000) / 1000),
+        endTime: Math.floor((params.endTime || now) / 1000),
+        limit: params.limit || 50,
+    }));
+    if (!start.queryId)
+        return [];
+    // Poll for results (max 10s)
+    for (let i = 0; i < 20; i++) {
+        await new Promise(r => setTimeout(r, 500));
+        const res = await cwl.send(new GetQueryResultsCommand({ queryId: start.queryId }));
+        if (res.status === "Complete" || res.status === "Failed" || res.status === "Cancelled") {
+            return (res.results || []).map(row => row.map(f => `${f.field}: ${f.value}`));
+        }
+    }
+    return [];
+}

package/dist/config/license.d.ts

@@ -0,0 +1,29 @@
+export interface License {
+    licenseKey: string;
+    clientName: string;
+    plan: string;
+    status: string;
+    role: "admin" | "user";
+    expiresAt: string;
+    allowedTools: Set<string>;
+    allowedDomains?: Set<string>;
+    createdAt: string;
+}
+export interface LicenseCheck {
+    valid: boolean;
+    reason?: string;
+    license?: License;
+}
+/**
+ * Ponto de entrada unico — escolhe modo automaticamente.
+ */
+export declare function validateLicense(licenseKey: string, toolName?: string): Promise<LicenseCheck>;
+/**
+ * Verifica se a licença tem acesso a um domain específico.
+ * Admin tem acesso a tudo. User só aos domains em allowedDomains.
+ */
+export declare function canAccessDomain(license: License, domain: string): boolean;
+/**
+ * Filtra lista de domains para apenas os permitidos pela licença.
+ */
+export declare function filterAllowedDomains(license: License, domains: string[]): string[];

package/dist/config/license.js

@@ -0,0 +1,165 @@
+/**
+ * License Validator — Valida licença do cliente.
+ *
+ * Dois modos:
+ * 1. DynamoDB direto (Lambda / dev com AWS_PROFILE) — quando CORTEX_API_URL nao esta definido
+ * 2. HTTP remoto (cliente local via npx) — quando CORTEX_API_URL esta definido
+ *    Chama o endpoint nuvem para validar, com cache em memoria (TTL 5min)
+ *
+ * RBAC:
+ * - role "admin" → acesso total a todos os domains e tools
+ * - role "user"  → acesso restrito aos domains em allowedDomains
+ */
+import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
+import { DynamoDBDocumentClient, GetCommand } from "@aws-sdk/lib-dynamodb";
+const isLocal = process.env.USE_LOCALSTACK === "true";
+const CORTEX_API_URL = process.env.CORTEX_API_URL; // ex: https://zsul3dtu25.execute-api.sa-east-1.amazonaws.com/prod/mcp
+const ddb = CORTEX_API_URL
+    ? null // nao precisa de DynamoDB quando valida via HTTP
+    : DynamoDBDocumentClient.from(new DynamoDBClient({
+        region: process.env.AWS_REGION || "sa-east-1",
+        ...(isLocal && {
+            endpoint: "http://localhost:4566",
+            credentials: { accessKeyId: "test", secretAccessKey: "test" },
+        }),
+    }));
+const TABLE = process.env.LICENSE_TABLE || "creative-ia50-licenses";
+const licenseCache = new Map();
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutos
+/**
+ * Validacao remota via HTTP — chama get_config no endpoint nuvem.
+ * Se o endpoint responde com sucesso, a licenca e valida.
+ */
+async function validateLicenseRemote(licenseKey, _toolName) {
+    // Verificar cache
+    const cached = licenseCache.get(licenseKey);
+    if (cached && Date.now() < cached.expiresAt) {
+        return cached.check;
+    }
+    try {
+        const body = JSON.stringify({
+            jsonrpc: "2.0",
+            id: 1,
+            method: "tools/call",
+            params: {
+                name: "get_config",
+                arguments: { licenseKey },
+            },
+        });
+        const res = await fetch(CORTEX_API_URL, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "X-License-Key": licenseKey,
+            },
+            body,
+            signal: AbortSignal.timeout(10000), // 10s timeout
+        });
+        if (!res.ok) {
+            return { valid: false, reason: `License validation failed (HTTP ${res.status})` };
+        }
+        const raw = await res.text();
+        // Endpoint pode retornar SSE (event: message\ndata: {...}) ou JSON direto
+        let json;
+        if (raw.startsWith("event:")) {
+            const dataLine = raw.split("\n").find((l) => l.startsWith("data:"));
+            json = JSON.parse(dataLine ? dataLine.slice(5).trim() : "{}");
+        }
+        else {
+            json = JSON.parse(raw);
+        }
+        // Se retornou erro MCP
+        if (json.error) {
+            return { valid: false, reason: json.error.message || "License validation failed" };
+        }
+        // Se retornou "Access denied" no conteudo
+        const text = json.result?.content?.[0]?.text || "";
+        if (text.startsWith("Access denied")) {
+            return { valid: false, reason: text };
+        }
+        // Licenca valida — criar objeto License minimo para compatibilidade
+        const license = {
+            licenseKey,
+            clientName: "remote-client",
+            plan: "remote",
+            status: "active",
+            role: "admin", // server nuvem ja validou permissoes
+            expiresAt: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toISOString(),
+            allowedTools: new Set(["*"]),
+            createdAt: new Date().toISOString(),
+        };
+        const check = { valid: true, license };
+        // Cachear resultado
+        licenseCache.set(licenseKey, { check, expiresAt: Date.now() + CACHE_TTL_MS });
+        return check;
+    }
+    catch (err) {
+        return { valid: false, reason: `License validation error: ${err.message}` };
+    }
+}
+/**
+ * Validacao local via DynamoDB direto.
+ */
+async function validateLicenseDynamo(licenseKey, toolName) {
+    try {
+        const res = await ddb.send(new GetCommand({ TableName: TABLE, Key: { licenseKey } }));
+        if (!res.Item) {
+            return { valid: false, reason: "License not found" };
+        }
+        const license = res.Item;
+        if (!license.role)
+            license.role = "user";
+        if (license.allowedTools && !(license.allowedTools instanceof Set)) {
+            license.allowedTools = new Set(license.allowedTools);
+        }
+        if (license.allowedDomains && !(license.allowedDomains instanceof Set)) {
+            license.allowedDomains = new Set(license.allowedDomains);
+        }
+        if (license.status !== "active") {
+            return { valid: false, reason: `License status: ${license.status}` };
+        }
+        if (new Date(license.expiresAt) < new Date()) {
+            return { valid: false, reason: "License expired" };
+        }
+        if (toolName && license.allowedTools && !license.allowedTools.has(toolName)) {
+            return { valid: false, reason: `Tool '${toolName}' not included in license plan` };
+        }
+        return { valid: true, license };
+    }
+    catch (err) {
+        return { valid: false, reason: `License validation error: ${err.message}` };
+    }
+}
+/**
+ * Ponto de entrada unico — escolhe modo automaticamente.
+ */
+export async function validateLicense(licenseKey, toolName) {
+    if (!licenseKey) {
+        return { valid: false, reason: "License key is required" };
+    }
+    if (CORTEX_API_URL) {
+        return validateLicenseRemote(licenseKey, toolName);
+    }
+    return validateLicenseDynamo(licenseKey, toolName);
+}
+/**
+ * Verifica se a licença tem acesso a um domain específico.
+ * Admin tem acesso a tudo. User só aos domains em allowedDomains.
+ */
+export function canAccessDomain(license, domain) {
+    if (license.role === "admin")
+        return true;
+    if (!license.allowedDomains)
+        return false;
+    return license.allowedDomains.has(domain);
+}
+/**
+ * Filtra lista de domains para apenas os permitidos pela licença.
+ */
+export function filterAllowedDomains(license, domains) {
+    if (license.role === "admin")
+        return domains;
+    if (!license.allowedDomains)
+        return [];
+    return domains.filter((d) => license.allowedDomains.has(d));
+}

package/dist/config/ssm-store.d.ts

@@ -0,0 +1,2 @@
+export declare function getParam(name: string): Promise<string | null>;
+export declare function getAllParams(): Promise<Record<string, string>>;

package/dist/config/ssm-store.js

@@ -0,0 +1,38 @@
+/**
+ * SSM Parameter Store — Registry de configuração do MCP Server.
+ * Lê parâmetros de /creative-ia50/mcp-server/*
+ */
+import { SSMClient, GetParameterCommand, GetParametersByPathCommand } from "@aws-sdk/client-ssm";
+const isLocal = process.env.USE_LOCALSTACK === "true";
+const ssm = new SSMClient({
+    region: process.env.AWS_REGION || "sa-east-1",
+    ...(isLocal && {
+        endpoint: "http://localhost:4566",
+        credentials: { accessKeyId: "test", secretAccessKey: "test" },
+    }),
+});
+const PREFIX = "/creative-ia50/mcp-server";
+export async function getParam(name) {
+    try {
+        const res = await ssm.send(new GetParameterCommand({ Name: `${PREFIX}/${name}` }));
+        return res.Parameter?.Value || null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function getAllParams() {
+    const result = {};
+    try {
+        const res = await ssm.send(new GetParametersByPathCommand({
+            Path: PREFIX,
+            Recursive: true,
+        }));
+        for (const p of res.Parameters || []) {
+            const key = p.Name?.replace(`${PREFIX}/`, "") || "";
+            result[key] = p.Value || "";
+        }
+    }
+    catch { /* empty */ }
+    return result;
+}

package/dist/config/telemetry.d.ts

@@ -0,0 +1,17 @@
+interface TelemetryEvent {
+    tool: string;
+    status: "success" | "error";
+    durationMs: number;
+    summary?: string;
+    error?: string;
+    meta?: Record<string, unknown>;
+}
+/**
+ * Envia evento de telemetria para ambos destinos (fire-and-forget).
+ */
+export declare function reportTelemetry(event: TelemetryEvent): void;
+/**
+ * Wrapper que executa uma tool local e registra telemetria automaticamente.
+ */
+export declare function withTelemetry<T>(toolName: string, fn: () => Promise<T>, summarize?: (result: T) => string, meta?: Record<string, unknown>): Promise<T>;
+export {};

package/dist/config/telemetry.js

@@ -0,0 +1,93 @@
+/**
+ * Telemetry — Registra execucao de tools locais na nuvem + Datadog Collector.
+ *
+ * Dual-destination:
+ *   1. CloudWatch via cloud proxy (log_event) — registro centralizado
+ *   2. Datadog Collector via HTTP POST — observabilidade visual (dashboard)
+ *
+ * Fire-and-forget: nao bloqueia a resposta ao cliente.
+ * Se falhar, silencia o erro (telemetria nao pode quebrar a tool).
+ */
+import { callCloudTool, isCloudProxyEnabled } from "./cloud-proxy.js";
+const LICENSE_KEY = process.env.LICENSE_KEY || "";
+const DATADOG_COLLECTOR_URL = process.env.DATADOG_COLLECTOR_URL || "";
+/**
+ * Envia evento para o Datadog Collector (rum-collector) via HTTP POST.
+ * Formato compativel com /api/v2/backend-logs.
+ */
+function sendToCollector(event) {
+    if (!DATADOG_COLLECTOR_URL)
+        return;
+    const payload = {
+        service: "cortex-mcp",
+        env: process.env.CORTEX_ENV || "local",
+        level: event.status === "error" ? "error" : "info",
+        message: `[tool:${event.tool}] ${event.status} in ${event.durationMs}ms${event.summary ? ` — ${event.summary}` : ""}`,
+        timestamp: new Date().toISOString(),
+        duration_ms: event.durationMs,
+        method: "TOOL",
+        path: event.tool,
+        status_code: event.status === "error" ? 500 : 200,
+        error_message: event.error || null,
+        user_id: LICENSE_KEY || null,
+        tool: event.tool,
+        ...(event.meta || {}),
+    };
+    const url = `${DATADOG_COLLECTOR_URL.replace(/\/$/, "")}/api/v2/backend-logs`;
+    fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(payload),
+        signal: AbortSignal.timeout(5000),
+    }).catch(() => {
+        // Silencia — collector pode estar offline
+    });
+}
+/**
+ * Envia evento de telemetria para ambos destinos (fire-and-forget).
+ */
+export function reportTelemetry(event) {
+    // Destino 1: CloudWatch via cloud proxy
+    if (isCloudProxyEnabled() && LICENSE_KEY) {
+        const message = `[telemetry] tool=${event.tool} status=${event.status} duration=${event.durationMs}ms${event.summary ? ` summary=${event.summary}` : ""}${event.error ? ` error=${event.error}` : ""}`;
+        callCloudTool("log_event", {
+            licenseKey: LICENSE_KEY,
+            level: event.status === "error" ? "error" : "info",
+            message,
+            meta: {
+                tool: event.tool,
+                status: event.status,
+                durationMs: event.durationMs,
+                ...(event.meta || {}),
+            },
+        }).catch(() => {
+            // Silencia — telemetria nao pode quebrar a tool
+        });
+    }
+    // Destino 2: Datadog Collector (rum-collector)
+    sendToCollector(event);
+}
+/**
+ * Wrapper que executa uma tool local e registra telemetria automaticamente.
+ */
+export async function withTelemetry(toolName, fn, summarize, meta) {
+    const start = Date.now();
+    try {
+        const result = await fn();
+        const durationMs = Date.now() - start;
+        const summary = summarize ? summarize(result) : undefined;
+        reportTelemetry({ tool: toolName, status: "success", durationMs, summary, meta });
+        return result;
+    }
+    catch (err) {
+        const durationMs = Date.now() - start;
+        reportTelemetry({
+            tool: toolName,
+            status: "error",
+            durationMs,
+            error: err.message,
+            meta,
+        });
+        throw err;
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};