npm - @danielblomma/cortex-mcp - Versions diffs - 1.7.1 → 2.0.2 - Mend

@danielblomma/cortex-mcp 1.7.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/bin/cortex.mjs +679 -32
package/bin/style.mjs +349 -0
package/package.json +4 -3
package/scaffold/mcp/package-lock.json +834 -671
package/scaffold/mcp/package.json +1 -1
package/scaffold/mcp/src/cli/enterprise-setup.ts +124 -0
package/scaffold/mcp/src/cli/govern.ts +987 -0
package/scaffold/mcp/src/cli/run.ts +306 -0
package/scaffold/mcp/src/cli/telemetry-test.ts +158 -0
package/scaffold/mcp/src/cli/ungoverned-detector.ts +168 -0
package/scaffold/mcp/src/core/audit/query.ts +81 -0
package/scaffold/mcp/src/core/audit/writer.ts +68 -0
package/scaffold/mcp/src/core/config.ts +329 -0
package/scaffold/mcp/src/core/index.ts +34 -0
package/scaffold/mcp/src/core/license.ts +202 -0
package/scaffold/mcp/src/core/policy/enforce.ts +98 -0
package/scaffold/mcp/src/core/policy/injection.ts +229 -0
package/scaffold/mcp/src/core/policy/store.ts +197 -0
package/scaffold/mcp/src/core/rbac/check.ts +40 -0
package/scaffold/mcp/src/core/telemetry/collector.ts +234 -0
package/scaffold/mcp/src/core/validators/builtins.ts +711 -0
package/scaffold/mcp/src/core/validators/config.ts +47 -0
package/scaffold/mcp/src/core/validators/engine.ts +199 -0
package/scaffold/mcp/src/core/validators/evaluators/code_comments.ts +294 -0
package/scaffold/mcp/src/core/validators/evaluators/regex.ts +144 -0
package/scaffold/mcp/src/daemon/client.ts +155 -0
package/scaffold/mcp/src/daemon/egress-proxy.ts +331 -0
package/scaffold/mcp/src/daemon/heartbeat-pusher.ts +147 -0
package/scaffold/mcp/src/daemon/heartbeat-tracker.ts +223 -0
package/scaffold/mcp/src/daemon/host-events-pusher.ts +285 -0
package/scaffold/mcp/src/daemon/main.ts +300 -0
package/scaffold/mcp/src/daemon/paths.ts +41 -0
package/scaffold/mcp/src/daemon/protocol.ts +101 -0
package/scaffold/mcp/src/daemon/server.ts +227 -0
package/scaffold/mcp/src/daemon/sync-checker.ts +213 -0
package/scaffold/mcp/src/daemon/ungoverned-scanner.ts +149 -0
package/scaffold/mcp/src/embed.ts +1 -1
package/scaffold/mcp/src/embeddings.ts +1 -1
package/scaffold/mcp/src/enterprise/audit/push.ts +84 -0
package/scaffold/mcp/src/enterprise/index.ts +415 -0
package/scaffold/mcp/src/enterprise/model/deploy.ts +33 -0
package/scaffold/mcp/src/enterprise/policy/sync.ts +146 -0
package/scaffold/mcp/src/enterprise/privacy/boundary.ts +212 -0
package/scaffold/mcp/src/enterprise/reviews/push.ts +79 -0
package/scaffold/mcp/src/enterprise/telemetry/sync.ts +72 -0
package/scaffold/mcp/src/enterprise/tools/enterprise.ts +1031 -0
package/scaffold/mcp/src/enterprise/tools/walk.ts +79 -0
package/scaffold/mcp/src/enterprise/violations/push.ts +102 -0
package/scaffold/mcp/src/enterprise/workflow/push.ts +60 -0
package/scaffold/mcp/src/enterprise/workflow/state.ts +535 -0
package/scaffold/mcp/src/hooks/pre-compact.ts +54 -0
package/scaffold/mcp/src/hooks/pre-tool-use.ts +96 -0
package/scaffold/mcp/src/hooks/session-end.ts +73 -0
package/scaffold/mcp/src/hooks/session-start.ts +78 -0
package/scaffold/mcp/src/hooks/shared.ts +134 -0
package/scaffold/mcp/src/hooks/stop.ts +60 -0
package/scaffold/mcp/src/hooks/user-prompt-submit.ts +64 -0
package/scaffold/mcp/src/plugin.ts +150 -0
package/scaffold/mcp/src/server.ts +218 -7
package/scaffold/mcp/tests/copilot-shim.test.mjs +146 -0
package/scaffold/mcp/tests/daemon-client.test.mjs +32 -0
package/scaffold/mcp/tests/egress-proxy.test.mjs +239 -0
package/scaffold/mcp/tests/enterprise-config.test.mjs +154 -0
package/scaffold/mcp/tests/govern-install.test.mjs +320 -0
package/scaffold/mcp/tests/govern-repair.test.mjs +157 -0
package/scaffold/mcp/tests/govern-status.test.mjs +538 -0
package/scaffold/mcp/tests/govern.test.mjs +74 -0
package/scaffold/mcp/tests/heartbeat-pusher.test.mjs +154 -0
package/scaffold/mcp/tests/heartbeat-tracker.test.mjs +237 -0
package/scaffold/mcp/tests/host-events-pusher.test.mjs +347 -0
package/scaffold/mcp/tests/policy-check.test.mjs +220 -0
package/scaffold/mcp/tests/repo-name.test.mjs +134 -0
package/scaffold/mcp/tests/run.test.mjs +109 -0
package/scaffold/mcp/tests/sync-checker.test.mjs +188 -0
package/scaffold/mcp/tests/ungoverned-detector.test.mjs +191 -0
package/scaffold/mcp/tests/ungoverned-scanner.test.mjs +198 -0
package/scaffold/scripts/bootstrap.sh +0 -11
package/scaffold/scripts/doctor.sh +24 -4
package/types.js +5 -0

package/scaffold/mcp/src/daemon/sync-checker.ts ADDED Viewed

@@ -0,0 +1,213 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { hostname } from "node:os";
+import { join } from "node:path";
+import { loadEnterpriseConfig } from "../core/config.js";
+import { writeHostAuditEvent } from "./ungoverned-scanner.js";
+/**
+ * Phase 7 sync flow — daemon side.
+ *
+ * The daemon periodically pings cortex-web /api/v1/govern/config to learn
+ * whether a new config version is available. It does NOT re-apply (that
+ * would require root, which the daemon explicitly doesn't have post-Fas-3
+ * privilege drop). Instead it emits an audit event and writes a
+ * notification file that 'cortex enterprise status' surfaces. The
+ * operator must then run 'sudo cortex enterprise sync' to actually
+ * re-fetch + write managed-settings.
+ *
+ * Three audit outcomes per tick:
+ *  - govern_config_unchanged  (304 / same version) — heartbeat that
+ *                              cortex-web is reachable and we're current.
+ *  - govern_config_available  (200 with new version) — operator action needed.
+ *  - govern_config_sync_failed (network / auth error) — also written so
+ *                              admin sees blackouts in audit timeline.
+ */
+const NOTIFICATION_FILENAME = ".govern-update-available.json";
+export type SyncCheckOptions = {
+  cwd: string;
+  cli: "claude" | "codex" | "copilot";
+  now?: () => Date;
+};
+export type SyncCheckOutcome =
+  | { kind: "unchanged"; version: string }
+  | { kind: "available"; latest_version: string; current_version: string | null }
+  | { kind: "failed"; error: string };
+type LocalGovernState = {
+  installs?: Record<
+    string,
+    {
+      version?: string;
+      mode?: string;
+      frameworks?: Array<{ id: string; version: string }>;
+    }
+  >;
+};
+function readLocalGovernState(cwd: string): LocalGovernState {
+  const path = join(cwd, ".context", "govern.local.json");
+  if (!existsSync(path)) return {};
+  try {
+    return JSON.parse(readFileSync(path, "utf8")) as LocalGovernState;
+  } catch {
+    return {};
+  }
+}
+function activeFrameworks(cwd: string): string[] {
+  const state = readLocalGovernState(cwd);
+  for (const inst of Object.values(state.installs ?? {})) {
+    if (inst.frameworks?.length) {
+      return inst.frameworks.map((f) => f.id);
+    }
+  }
+  // Fall back to enterprise.yml's compliance.frameworks
+  const config = loadEnterpriseConfig(join(cwd, ".context"));
+  return config.compliance.frameworks;
+}
+function currentVersion(cwd: string, cli: string): string | null {
+  const state = readLocalGovernState(cwd);
+  return state.installs?.[cli]?.version ?? null;
+}
+export async function checkSyncForCli(
+  options: SyncCheckOptions,
+): Promise<SyncCheckOutcome> {
+  const cwd = options.cwd;
+  const config = loadEnterpriseConfig(join(cwd, ".context"));
+  const apiKey = config.enterprise.api_key.trim();
+  const baseUrl = (config.enterprise.base_url || config.enterprise.endpoint).trim();
+  if (!apiKey || !baseUrl) {
+    return { kind: "failed", error: "enterprise not configured" };
+  }
+  const frameworks = activeFrameworks(cwd);
+  if (frameworks.length === 0) {
+    return { kind: "failed", error: "no active frameworks" };
+  }
+  const url = new URL(baseUrl.replace(/\/$/, "") + "/api/v1/govern/config");
+  url.searchParams.set("cli", options.cli);
+  url.searchParams.set("frameworks", frameworks.join(","));
+  const installedVersion = currentVersion(cwd, options.cli);
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${apiKey}`,
+  };
+  if (installedVersion) headers["If-None-Match"] = `"${installedVersion}"`;
+  let res: Response;
+  try {
+    res = await fetch(url, { headers });
+  } catch (err) {
+    return { kind: "failed", error: err instanceof Error ? err.message : String(err) };
+  }
+  if (res.status === 304) {
+    return { kind: "unchanged", version: installedVersion ?? "unknown" };
+  }
+  if (!res.ok) {
+    return { kind: "failed", error: `HTTP ${res.status} ${res.statusText}` };
+  }
+  const etag = (res.headers.get("etag") ?? "").replace(/"/g, "");
+  if (etag && etag === installedVersion) {
+    return { kind: "unchanged", version: etag };
+  }
+  return {
+    kind: "available",
+    latest_version: etag || "unknown",
+    current_version: installedVersion,
+  };
+}
+function writeUpdateNotification(
+  cwd: string,
+  data: { latest_version: string; current_version: string | null; cli: string; detected_at: string },
+): void {
+  const dir = join(cwd, ".context");
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(
+    join(dir, NOTIFICATION_FILENAME),
+    JSON.stringify(data, null, 2) + "\n",
+    "utf8",
+  );
+}
+export async function runSyncCheckOnce(
+  cwd: string,
+  clis: Array<"claude" | "codex" | "copilot">,
+): Promise<SyncCheckOutcome[]> {
+  const outcomes: SyncCheckOutcome[] = [];
+  const now = new Date().toISOString();
+  for (const cli of clis) {
+    const outcome = await checkSyncForCli({ cwd, cli });
+    outcomes.push(outcome);
+    const eventBase = {
+      timestamp: now,
+      host_id: hostname(),
+      cli,
+    };
+    if (outcome.kind === "unchanged") {
+      await writeHostAuditEvent(cwd, {
+        ...eventBase,
+        event_type: "govern_config_unchanged",
+        version: outcome.version,
+      }).catch(() => undefined);
+    } else if (outcome.kind === "available") {
+      await writeHostAuditEvent(cwd, {
+        ...eventBase,
+        event_type: "govern_config_available",
+        latest_version: outcome.latest_version,
+        current_version: outcome.current_version,
+      }).catch(() => undefined);
+      writeUpdateNotification(cwd, {
+        latest_version: outcome.latest_version,
+        current_version: outcome.current_version,
+        cli,
+        detected_at: now,
+      });
+    } else {
+      await writeHostAuditEvent(cwd, {
+        ...eventBase,
+        event_type: "govern_config_sync_failed",
+        error: outcome.error,
+      }).catch(() => undefined);
+    }
+  }
+  return outcomes;
+}
+export type SyncTimerHandle = {
+  stop(): void;
+};
+export function startSyncTimer(
+  cwd: string,
+  intervalMs: number,
+): SyncTimerHandle {
+  const tick = () => {
+    const state = readLocalGovernState(cwd);
+    const clis = Object.keys(state.installs ?? {}) as Array<
+      "claude" | "codex" | "copilot"
+    >;
+    if (clis.length === 0) return;
+    void runSyncCheckOnce(cwd, clis).catch((err) => {
+      process.stderr.write(
+        `[cortex-daemon] sync check failed: ${err instanceof Error ? err.message : String(err)}\n`,
+      );
+    });
+  };
+  void Promise.resolve().then(tick);
+  const handle = setInterval(tick, intervalMs);
+  if (typeof handle.unref === "function") handle.unref();
+  return {
+    stop() {
+      clearInterval(handle);
+    },
+  };
+}

package/scaffold/mcp/src/daemon/ungoverned-scanner.ts ADDED Viewed

@@ -0,0 +1,149 @@
+import { appendFile, mkdir } from "node:fs/promises";
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { userInfo } from "node:os";
+import {
+  detectUngoverned,
+  enforceFinding,
+  type DetectorOptions,
+  type EnforcementMode,
+  type UngovernedFinding,
+} from "../cli/ungoverned-detector.js";
+export type ScannerOptions = {
+  cwd: string;
+  intervalMs?: number;
+  mode?: EnforcementMode;
+  detectorOptions?: DetectorOptions;
+  onFinding?: (finding: UngovernedFinding & { action: string }) => void;
+};
+const DEFAULT_INTERVAL_MS = 60_000;
+const TIER1_CLIS = new Set(["claude", "codex"]);
+function readMode(cwd: string): EnforcementMode {
+  const stateFile = join(cwd, ".context", "govern.local.json");
+  if (!existsSync(stateFile)) return "advisory";
+  try {
+    const raw = readFileSync(stateFile, "utf8");
+    const parsed = JSON.parse(raw) as {
+      installs?: Record<string, { mode?: EnforcementMode }>;
+    };
+    for (const inst of Object.values(parsed.installs ?? {})) {
+      if (inst.mode === "enforced") return "enforced";
+    }
+    return "advisory";
+  } catch {
+    return "advisory";
+  }
+}
+function readManagedTier1Clis(cwd: string): Set<string> {
+  const stateFile = join(cwd, ".context", "govern.local.json");
+  const managed = new Set<string>();
+  if (!existsSync(stateFile)) return managed;
+  try {
+    const raw = readFileSync(stateFile, "utf8");
+    const parsed = JSON.parse(raw) as {
+      installs?: Record<string, { path?: string }>;
+    };
+    for (const [cli, inst] of Object.entries(parsed.installs ?? {})) {
+      if (!TIER1_CLIS.has(cli)) continue;
+      if (!inst?.path || !existsSync(inst.path)) continue;
+      managed.add(cli);
+    }
+  } catch {
+    return managed;
+  }
+  return managed;
+}
+function filterManagedTier1Findings(
+  findings: UngovernedFinding[],
+  managedTier1Clis: Set<string>,
+): UngovernedFinding[] {
+  if (managedTier1Clis.size === 0) return findings;
+  return findings.filter((finding) => !managedTier1Clis.has(finding.cli));
+}
+export async function writeHostAuditEvent(
+  cwd: string,
+  event: Record<string, unknown>,
+): Promise<void> {
+  const auditDir = join(cwd, ".context", "audit");
+  await mkdir(auditDir, { recursive: true });
+  const date = new Date().toISOString().slice(0, 10);
+  const file = join(auditDir, `host-events-${date}.jsonl`);
+  await appendFile(file, JSON.stringify(event) + "\n");
+}
+export async function runScanOnce(options: ScannerOptions): Promise<UngovernedFinding[]> {
+  const mode = options.mode ?? readMode(options.cwd);
+  const managedTier1Clis = readManagedTier1Clis(options.cwd);
+  const findings = filterManagedTier1Findings(
+    detectUngoverned(options.detectorOptions),
+    managedTier1Clis,
+  );
+  const me = userInfo().username;
+  for (const finding of findings) {
+    const action = enforceFinding(finding, { mode, currentUser: me });
+    const event = {
+      event_type: "ungoverned_ai_session_detected",
+      timestamp: finding.detected_at,
+      host_id: finding.host_id,
+      cli: finding.cli,
+      binary: finding.binary,
+      pid: finding.pid,
+      ppid: finding.ppid,
+      user: finding.user,
+      args: finding.args,
+      parent_chain: finding.parent_chain,
+      mode,
+      action,
+    };
+    try {
+      await writeHostAuditEvent(options.cwd, event);
+    } catch (err) {
+      process.stderr.write(
+        `[cortex-daemon] failed to write ungoverned audit: ${err instanceof Error ? err.message : String(err)}\n`,
+      );
+    }
+    options.onFinding?.({ ...finding, action });
+  }
+  return findings;
+}
+export type ScannerHandle = {
+  stop(): void;
+  isRunning(): boolean;
+};
+export function startUngovernedScanner(options: ScannerOptions): ScannerHandle {
+  const interval = options.intervalMs ?? DEFAULT_INTERVAL_MS;
+  let running = true;
+  const tick = async () => {
+    if (!running) return;
+    try {
+      await runScanOnce(options);
+    } catch (err) {
+      process.stderr.write(
+        `[cortex-daemon] ungoverned scan failed: ${err instanceof Error ? err.message : String(err)}\n`,
+      );
+    }
+  };
+  void tick();
+  const handle = setInterval(() => void tick(), interval);
+  if (typeof handle.unref === "function") handle.unref();
+  return {
+    stop() {
+      running = false;
+      clearInterval(handle);
+    },
+    isRunning() {
+      return running;
+    },
+  };
+}

package/scaffold/mcp/src/embed.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import crypto from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
-import { env, pipeline } from "@xenova/transformers";
+import { env, pipeline } from "@huggingface/transformers";
 import { readJsonl, asString, asNumber, asBoolean } from "./jsonl.js";
 import type { JsonObject, JsonValue } from "./types.js";

package/scaffold/mcp/src/embeddings.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import fs from "node:fs";
-import { env, pipeline } from "@xenova/transformers";
+import { env, pipeline } from "@huggingface/transformers";
 import { PATHS } from "./paths.js";
 import type { EmbeddingIndex, JsonObject } from "./types.js";

package/scaffold/mcp/src/enterprise/audit/push.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import type { AuditEntry } from "../../core/audit/writer.js";
+import { sanitizeAuditEntryForPush } from "../privacy/boundary.js";
+export type AuditPushContext = {
+  repo?: string;
+  instance_id?: string;
+  session_id?: string;
+};
+export type AuditPushResult = {
+  success: boolean;
+  count: number;
+  error?: string;
+};
+const pending: AuditEntry[] = [];
+let activeContext: AuditPushContext = {};
+export function setAuditPushContext(context: AuditPushContext): void {
+  activeContext = { ...context };
+}
+export function queueAuditEvent(entry: AuditEntry): void {
+  pending.push(sanitizeAuditEntryForPush({
+    ...entry,
+    repo: entry.repo ?? activeContext.repo,
+    instance_id: entry.instance_id ?? activeContext.instance_id,
+    session_id: entry.session_id ?? activeContext.session_id,
+  }));
+}
+export function pendingCount(): number {
+  return pending.length;
+}
+export async function pushAuditEvents(
+  baseUrl: string,
+  apiKey: string,
+): Promise<AuditPushResult> {
+  if (pending.length === 0) {
+    return { success: true, count: 0 };
+  }
+  const auditUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/audit/push`;
+  let pushedCount = 0;
+  while (pending.length > 0) {
+    const batch = pending.splice(0, 100);
+    try {
+      const response = await fetch(auditUrl, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${apiKey}`,
+          "Content-Type": "application/json",
+          Accept: "application/json",
+        },
+        body: JSON.stringify({
+          repo: activeContext.repo,
+          instance_id: activeContext.instance_id,
+          session_id: activeContext.session_id,
+          events: batch,
+        }),
+        signal: AbortSignal.timeout(10_000),
+      });
+      if (!response.ok) {
+        pending.unshift(...batch);
+        return { success: false, count: pushedCount, error: `HTTP ${response.status}` };
+      }
+      pushedCount += batch.length;
+    } catch (err) {
+      pending.unshift(...batch);
+      return {
+        success: false,
+        count: pushedCount,
+        error: err instanceof Error ? err.message : "unknown error",
+      };
+    }
+  }
+  return { success: true, count: pushedCount };
+}