npm - @danielblomma/cortex-mcp - Versions diffs - 1.7.2 → 2.0.2 - Mend

@danielblomma/cortex-mcp 1.7.2 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/bin/cortex.mjs +679 -32
package/bin/style.mjs +349 -0
package/package.json +4 -3
package/scaffold/mcp/src/cli/enterprise-setup.ts +124 -0
package/scaffold/mcp/src/cli/govern.ts +987 -0
package/scaffold/mcp/src/cli/run.ts +306 -0
package/scaffold/mcp/src/cli/telemetry-test.ts +158 -0
package/scaffold/mcp/src/cli/ungoverned-detector.ts +168 -0
package/scaffold/mcp/src/core/audit/query.ts +81 -0
package/scaffold/mcp/src/core/audit/writer.ts +68 -0
package/scaffold/mcp/src/core/config.ts +329 -0
package/scaffold/mcp/src/core/index.ts +34 -0
package/scaffold/mcp/src/core/license.ts +202 -0
package/scaffold/mcp/src/core/policy/enforce.ts +98 -0
package/scaffold/mcp/src/core/policy/injection.ts +229 -0
package/scaffold/mcp/src/core/policy/store.ts +197 -0
package/scaffold/mcp/src/core/rbac/check.ts +40 -0
package/scaffold/mcp/src/core/telemetry/collector.ts +234 -0
package/scaffold/mcp/src/core/validators/builtins.ts +711 -0
package/scaffold/mcp/src/core/validators/config.ts +47 -0
package/scaffold/mcp/src/core/validators/engine.ts +199 -0
package/scaffold/mcp/src/core/validators/evaluators/code_comments.ts +294 -0
package/scaffold/mcp/src/core/validators/evaluators/regex.ts +144 -0
package/scaffold/mcp/src/daemon/client.ts +155 -0
package/scaffold/mcp/src/daemon/egress-proxy.ts +331 -0
package/scaffold/mcp/src/daemon/heartbeat-pusher.ts +147 -0
package/scaffold/mcp/src/daemon/heartbeat-tracker.ts +223 -0
package/scaffold/mcp/src/daemon/host-events-pusher.ts +285 -0
package/scaffold/mcp/src/daemon/main.ts +300 -0
package/scaffold/mcp/src/daemon/paths.ts +41 -0
package/scaffold/mcp/src/daemon/protocol.ts +101 -0
package/scaffold/mcp/src/daemon/server.ts +227 -0
package/scaffold/mcp/src/daemon/sync-checker.ts +213 -0
package/scaffold/mcp/src/daemon/ungoverned-scanner.ts +149 -0
package/scaffold/mcp/src/enterprise/audit/push.ts +84 -0
package/scaffold/mcp/src/enterprise/index.ts +415 -0
package/scaffold/mcp/src/enterprise/model/deploy.ts +33 -0
package/scaffold/mcp/src/enterprise/policy/sync.ts +146 -0
package/scaffold/mcp/src/enterprise/privacy/boundary.ts +212 -0
package/scaffold/mcp/src/enterprise/reviews/push.ts +79 -0
package/scaffold/mcp/src/enterprise/telemetry/sync.ts +72 -0
package/scaffold/mcp/src/enterprise/tools/enterprise.ts +1031 -0
package/scaffold/mcp/src/enterprise/tools/walk.ts +79 -0
package/scaffold/mcp/src/enterprise/violations/push.ts +102 -0
package/scaffold/mcp/src/enterprise/workflow/push.ts +60 -0
package/scaffold/mcp/src/enterprise/workflow/state.ts +535 -0
package/scaffold/mcp/src/hooks/pre-compact.ts +54 -0
package/scaffold/mcp/src/hooks/pre-tool-use.ts +96 -0
package/scaffold/mcp/src/hooks/session-end.ts +73 -0
package/scaffold/mcp/src/hooks/session-start.ts +78 -0
package/scaffold/mcp/src/hooks/shared.ts +134 -0
package/scaffold/mcp/src/hooks/stop.ts +60 -0
package/scaffold/mcp/src/hooks/user-prompt-submit.ts +64 -0
package/scaffold/mcp/src/plugin.ts +150 -0
package/scaffold/mcp/src/server.ts +218 -7
package/scaffold/mcp/tests/copilot-shim.test.mjs +146 -0
package/scaffold/mcp/tests/daemon-client.test.mjs +32 -0
package/scaffold/mcp/tests/egress-proxy.test.mjs +239 -0
package/scaffold/mcp/tests/enterprise-config.test.mjs +154 -0
package/scaffold/mcp/tests/govern-install.test.mjs +320 -0
package/scaffold/mcp/tests/govern-repair.test.mjs +157 -0
package/scaffold/mcp/tests/govern-status.test.mjs +538 -0
package/scaffold/mcp/tests/govern.test.mjs +74 -0
package/scaffold/mcp/tests/heartbeat-pusher.test.mjs +154 -0
package/scaffold/mcp/tests/heartbeat-tracker.test.mjs +237 -0
package/scaffold/mcp/tests/host-events-pusher.test.mjs +347 -0
package/scaffold/mcp/tests/policy-check.test.mjs +220 -0
package/scaffold/mcp/tests/repo-name.test.mjs +134 -0
package/scaffold/mcp/tests/run.test.mjs +109 -0
package/scaffold/mcp/tests/sync-checker.test.mjs +188 -0
package/scaffold/mcp/tests/ungoverned-detector.test.mjs +191 -0
package/scaffold/mcp/tests/ungoverned-scanner.test.mjs +198 -0
package/scaffold/scripts/bootstrap.sh +0 -11
package/scaffold/scripts/doctor.sh +24 -4
package/types.js +5 -0

package/scaffold/mcp/src/enterprise/privacy/boundary.ts ADDED Viewed

@@ -0,0 +1,212 @@
+import type { AuditEntry } from "../../core/audit/writer.js";
+import type { TelemetryMetrics } from "../../core/telemetry/collector.js";
+const REPO_METADATA = [
+  "repo",
+  "instance_id",
+  "session_id",
+] as const;
+export const OUTBOUND_DATA_BOUNDARY = {
+  version: 3,
+  excludes: [
+    "source_code",
+    "raw_prompts",
+    "raw_queries",
+    "embeddings",
+    "graph_data",
+    "full_file_contents",
+  ],
+  telemetry: {
+    retention_days: 30,
+    payload_type: "counts_and_metadata_only",
+    allowed_fields: [
+      "period_start",
+      "period_end",
+      "total_tool_calls",
+      "successful_tool_calls",
+      "failed_tool_calls",
+      "total_duration_ms",
+      "session_starts",
+      "session_ends",
+      "session_duration_ms_total",
+      "searches",
+      "related_lookups",
+      "caller_lookups",
+      "trace_lookups",
+      "impact_analyses",
+      "rule_lookups",
+      "reloads",
+      "total_results_returned",
+      "estimated_tokens_saved",
+      "estimated_tokens_total",
+      "client_version",
+      "repo",
+      "instance_id",
+      "session_id",
+      "tool_metrics",
+    ],
+  },
+  audit: {
+    required_retention_days: 365,
+    diagnostic_retention_days: 30,
+    redaction: "string values are summarized to counts/lengths before outbound push",
+    metadata_fields: REPO_METADATA,
+  },
+  reviews: {
+    metadata_fields: REPO_METADATA,
+  },
+  violations: {
+    metadata_fields: REPO_METADATA,
+  },
+  workflow: {
+    metadata_fields: REPO_METADATA,
+  },
+} as const;
+type TelemetryPushContext = {
+  repo?: string;
+  session_id?: string;
+};
+const MAX_OBJECT_KEYS = 12;
+const MAX_ARRAY_ITEMS = 12;
+const SENSITIVE_KEY_RE =
+  /^(?:query|prompt|content|code|diff|patch|body|text|embedding|embeddings|graph|raw_query|raw_prompt|raw_code|raw_content)$/i;
+function summarizeString(value: string) {
+  return {
+    type: "string",
+    length: value.length,
+    redacted: true,
+  };
+}
+function summarizeArray(value: unknown[], depth: number): Record<string, unknown> {
+  if (depth >= 2) {
+    return {
+      type: "array",
+      count: value.length,
+      redacted: true,
+    };
+  }
+  return {
+    type: "array",
+    count: value.length,
+    sample: value.slice(0, MAX_ARRAY_ITEMS).map((item) => summarizeValue(item, depth + 1)),
+  };
+}
+function summarizeObject(
+  value: Record<string, unknown>,
+  depth: number,
+): Record<string, unknown> {
+  const entries = Object.entries(value).slice(0, MAX_OBJECT_KEYS);
+  if (depth >= 2) {
+    return {
+      type: "object",
+      keys: entries.map(([key]) => key),
+      key_count: Object.keys(value).length,
+      redacted: true,
+    };
+  }
+  return Object.fromEntries(
+    entries.map(([key, item]) => [
+      key,
+      SENSITIVE_KEY_RE.test(key)
+        ? summarizeSensitiveValue(item)
+        : summarizeValue(item, depth + 1),
+    ]),
+  );
+}
+function summarizeSensitiveValue(value: unknown): Record<string, unknown> {
+  if (typeof value === "string") return summarizeString(value);
+  if (Array.isArray(value)) {
+    return {
+      type: "array",
+      count: value.length,
+      redacted: true,
+    };
+  }
+  if (value && typeof value === "object") {
+    return {
+      type: "object",
+      key_count: Object.keys(value as Record<string, unknown>).length,
+      redacted: true,
+    };
+  }
+  return {
+    type: typeof value,
+    redacted: true,
+  };
+}
+function summarizeValue(value: unknown, depth = 0): unknown {
+  if (value === null || typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "string") {
+    return summarizeString(value);
+  }
+  if (Array.isArray(value)) {
+    return summarizeArray(value, depth);
+  }
+  if (value && typeof value === "object") {
+    return summarizeObject(value as Record<string, unknown>, depth);
+  }
+  return {
+    type: typeof value,
+    redacted: true,
+  };
+}
+export function sanitizeOutboundRecord(
+  record: Record<string, unknown> | undefined,
+): Record<string, unknown> {
+  if (!record) return {};
+  return summarizeObject(record, 0);
+}
+export function sanitizeAuditEntryForPush(entry: AuditEntry): AuditEntry {
+  return {
+    ...entry,
+    input: sanitizeOutboundRecord(entry.input),
+    error: entry.error ? `[redacted:${entry.error.length}]` : undefined,
+    metadata: entry.metadata ? sanitizeOutboundRecord(entry.metadata) : undefined,
+  };
+}
+export function buildTelemetryPushPayload(
+  metrics: TelemetryMetrics,
+  context: TelemetryPushContext = {},
+) {
+  return {
+    period_start: metrics.period_start,
+    period_end: metrics.period_end,
+    total_tool_calls: metrics.total_tool_calls,
+    successful_tool_calls: metrics.successful_tool_calls,
+    failed_tool_calls: metrics.failed_tool_calls,
+    total_duration_ms: metrics.total_duration_ms,
+    session_starts: metrics.session_starts,
+    session_ends: metrics.session_ends,
+    session_duration_ms_total: metrics.session_duration_ms_total,
+    searches: metrics.searches,
+    related_lookups: metrics.related_lookups,
+    caller_lookups: metrics.caller_lookups,
+    trace_lookups: metrics.trace_lookups,
+    impact_analyses: metrics.impact_analyses,
+    rule_lookups: metrics.rule_lookups,
+    reloads: metrics.reloads,
+    total_results_returned: metrics.total_results_returned,
+    estimated_tokens_saved: metrics.estimated_tokens_saved,
+    estimated_tokens_total: metrics.estimated_tokens_total,
+    client_version: metrics.client_version,
+    repo: context.repo,
+    instance_id: metrics.instance_id,
+    session_id: context.session_id,
+    tool_metrics: metrics.tool_metrics,
+  };
+}

package/scaffold/mcp/src/enterprise/reviews/push.ts ADDED Viewed

@@ -0,0 +1,79 @@
+export type ReviewPushItem = {
+  policy_id: string;
+  pass: boolean;
+  severity: "error" | "warning" | "info";
+  message: string;
+  detail?: string;
+  reviewed_at: string;
+};
+export type ReviewPushContext = {
+  repo?: string;
+  instance_id?: string;
+  session_id?: string;
+};
+export type ReviewPushResult = {
+  success: boolean;
+  count: number;
+  error?: string;
+};
+const pending: ReviewPushItem[] = [];
+let activeContext: ReviewPushContext = {};
+export function setReviewPushContext(context: ReviewPushContext): void {
+  activeContext = { ...context };
+}
+export function queueReviewResult(item: ReviewPushItem): void {
+  pending.push(item);
+}
+export function pendingCount(): number {
+  return pending.length;
+}
+export async function pushReviewResults(
+  baseUrl: string,
+  apiKey: string,
+): Promise<ReviewPushResult> {
+  if (pending.length === 0) {
+    return { success: true, count: 0 };
+  }
+  const reviewsUrl = `${baseUrl.replace(/\/$/, "")}/api/v1/reviews/push`;
+  const batch = pending.splice(0, 100);
+  try {
+    const response = await fetch(reviewsUrl, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+      },
+      body: JSON.stringify({
+        repo: activeContext.repo,
+        instance_id: activeContext.instance_id,
+        session_id: activeContext.session_id,
+        reviews: batch,
+      }),
+      signal: AbortSignal.timeout(10_000),
+    });
+    if (!response.ok) {
+      pending.unshift(...batch);
+      return { success: false, count: 0, error: `HTTP ${response.status}` };
+    }
+    return { success: true, count: batch.length };
+  } catch (err) {
+    pending.unshift(...batch);
+    return {
+      success: false,
+      count: 0,
+      error: err instanceof Error ? err.message : "unknown error",
+    };
+  }
+}

package/scaffold/mcp/src/enterprise/telemetry/sync.ts ADDED Viewed

@@ -0,0 +1,72 @@
+import type { TelemetryMetrics } from "../../core/telemetry/collector.js";
+import { buildTelemetryPushPayload } from "../privacy/boundary.js";
+export type PushResult = {
+  success: boolean;
+  status?: number;
+  error?: string;
+  pushed_at?: string;
+};
+export type PushContext = {
+  repo?: string;
+  session_id?: string;
+};
+let lastPush: PushResult | null = null;
+export function getLastPush(): PushResult | null {
+  return lastPush;
+}
+/**
+ * Push aggregated metrics to the Cortex Cloud API.
+ * Connected edition only. Returns success/failure.
+ *
+ * The actual cloud API is built in Phase 4 — this sends a POST
+ * with JSON body and expects a 2xx response.
+ */
+export async function pushMetrics(
+  metrics: TelemetryMetrics,
+  endpoint: string,
+  apiKey: string,
+  context: PushContext = {},
+): Promise<PushResult> {
+  if (!endpoint || !apiKey) {
+    const result: PushResult = { success: false, error: "endpoint or api_key not configured" };
+    lastPush = result;
+    return result;
+  }
+  try {
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${apiKey}`,
+      },
+      body: JSON.stringify(buildTelemetryPushPayload(metrics, context)),
+      signal: AbortSignal.timeout(10000),
+    });
+    const result: PushResult = {
+      success: response.ok,
+      status: response.status,
+      pushed_at: new Date().toISOString(),
+    };
+    if (!response.ok) {
+      result.error = `HTTP ${response.status}`;
+    }
+    lastPush = result;
+    return result;
+  } catch (err) {
+    const result: PushResult = {
+      success: false,
+      error: err instanceof Error ? err.message : "unknown error",
+    };
+    lastPush = result;
+    return result;
+  }
+}