@danielblomma/cortex-mcp 1.7.2 → 2.0.3

package/scaffold/mcp/tests/ungoverned-scanner.test.mjs

@@ -0,0 +1,198 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import { runScanOnce, writeHostAuditEvent, startUngovernedScanner } from "../dist/daemon/ungoverned-scanner.js";
+
+function makeWorkspace(governMode, installs = null) {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-ungoverned-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  if (governMode) {
+    const defaultInstalls = {
+      claude: { mode: governMode, path: "/x", version: "v", frameworks: [], installed_at: "now" },
+    };
+    fs.writeFileSync(
+      path.join(ctx, "govern.local.json"),
+      JSON.stringify({
+        installs: installs ?? defaultInstalls,
+      }),
+    );
+  }
+  return { root, ctx };
+}
+
+test("writeHostAuditEvent appends one JSONL line per call", async () => {
+  const { root } = makeWorkspace();
+  try {
+    await writeHostAuditEvent(root, { event_type: "ungoverned_ai_session_detected", pid: 100 });
+    await writeHostAuditEvent(root, { event_type: "ungoverned_ai_session_detected", pid: 200 });
+
+    const date = new Date().toISOString().slice(0, 10);
+    const file = path.join(root, ".context", "audit", `host-events-${date}.jsonl`);
+    const content = fs.readFileSync(file, "utf8").trim().split("\n");
+    assert.equal(content.length, 2);
+    assert.equal(JSON.parse(content[0]).pid, 100);
+    assert.equal(JSON.parse(content[1]).pid, 200);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("runScanOnce: writes audit event with action=logged in advisory mode", async () => {
+  const { root } = makeWorkspace("advisory");
+  try {
+    const fakeProcs = [
+      { pid: 1, ppid: 0, user: "root", comm: "init", args: "init" },
+      { pid: 100, ppid: 1, user: os.userInfo().username, comm: "claude", args: "claude --prompt hi" },
+    ];
+    const findings = await runScanOnce({
+      cwd: root,
+      detectorOptions: { processes: fakeProcs, hostId: "test-host" },
+    });
+    assert.equal(findings.length, 1);
+
+    const date = new Date().toISOString().slice(0, 10);
+    const file = path.join(root, ".context", "audit", `host-events-${date}.jsonl`);
+    const events = fs.readFileSync(file, "utf8").trim().split("\n").map(JSON.parse);
+    assert.equal(events.length, 1);
+    assert.equal(events[0].event_type, "ungoverned_ai_session_detected");
+    assert.equal(events[0].cli, "claude");
+    assert.equal(events[0].mode, "advisory");
+    assert.equal(events[0].action, "logged");
+    assert.equal(events[0].host_id, "test-host");
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("runScanOnce: enforced mode marks action=sigterm but our mock doesn't actually signal real procs", async () => {
+  const { root } = makeWorkspace("enforced");
+  try {
+    const me = os.userInfo().username;
+    const fakeProcs = [
+      { pid: 99999, ppid: 1, user: me, comm: "claude", args: "claude --prompt hi" },
+    ];
+    let killed = null;
+    // Monkey-patch process.kill for the test (the enforce function uses it as default).
+    const origKill = process.kill;
+    process.kill = (pid, sig) => {
+      killed = [pid, sig];
+    };
+    try {
+      const findings = await runScanOnce({
+        cwd: root,
+        detectorOptions: { processes: fakeProcs, hostId: "test-host" },
+      });
+      assert.equal(findings.length, 1);
+    } finally {
+      process.kill = origKill;
+    }
+
+    const date = new Date().toISOString().slice(0, 10);
+    const file = path.join(root, ".context", "audit", `host-events-${date}.jsonl`);
+    const events = fs.readFileSync(file, "utf8").trim().split("\n").map(JSON.parse);
+    assert.equal(events[0].mode, "enforced");
+    assert.equal(events[0].action, "sigterm");
+    assert.deepEqual(killed, [99999, "SIGTERM"]);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("runScanOnce: emits onFinding callback per detection", async () => {
+  const { root } = makeWorkspace("advisory");
+  try {
+    const fakeProcs = [
+      { pid: 200, ppid: 1, user: "alice", comm: "codex", args: "codex --prompt hi" },
+      { pid: 300, ppid: 1, user: "alice", comm: "copilot", args: "copilot --prompt hi" },
+    ];
+    const seen = [];
+    await runScanOnce({
+      cwd: root,
+      mode: "advisory",
+      detectorOptions: { processes: fakeProcs },
+      onFinding: (f) => seen.push({ cli: f.cli, action: f.action }),
+    });
+    assert.equal(seen.length, 2);
+    assert.deepEqual(seen.map((s) => s.cli).sort(), ["codex", "copilot"]);
+    for (const s of seen) assert.equal(s.action, "logged");
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("runScanOnce: skips Tier 1 CLIs that already have managed installs", async () => {
+  const { root } = makeWorkspace("enforced");
+  const managedClaudePath = path.join(root, "managed-settings.json");
+  fs.writeFileSync(managedClaudePath, "{}\n");
+  const managedCodexPath = path.join(root, "requirements.toml");
+  fs.writeFileSync(managedCodexPath, "# managed\n");
+  fs.writeFileSync(
+    path.join(root, ".context", "govern.local.json"),
+    JSON.stringify({
+      installs: {
+        claude: {
+          mode: "enforced",
+          path: managedClaudePath,
+          version: "v1",
+          frameworks: [],
+          installed_at: "now",
+        },
+        codex: {
+          mode: "enforced",
+          path: managedCodexPath,
+          version: "v2",
+          frameworks: [],
+          installed_at: "now",
+        },
+      },
+    }),
+  );
+  try {
+    const fakeProcs = [
+      { pid: 200, ppid: 1, user: os.userInfo().username, comm: "claude", args: "claude --prompt hi" },
+      { pid: 300, ppid: 1, user: os.userInfo().username, comm: "codex", args: "codex exec hi" },
+      { pid: 400, ppid: 1, user: os.userInfo().username, comm: "copilot", args: "copilot suggest" },
+    ];
+    const findings = await runScanOnce({
+      cwd: root,
+      mode: "enforced",
+      detectorOptions: { processes: fakeProcs, hostId: "test-host" },
+    });
+    assert.equal(findings.length, 1);
+    assert.equal(findings[0].cli, "copilot");
+
+    const date = new Date().toISOString().slice(0, 10);
+    const file = path.join(root, ".context", "audit", `host-events-${date}.jsonl`);
+    const events = fs.readFileSync(file, "utf8").trim().split("\n").map(JSON.parse);
+    assert.equal(events.length, 1);
+    assert.equal(events[0].cli, "copilot");
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("startUngovernedScanner: stop() halts further ticks", async () => {
+  const { root } = makeWorkspace("advisory");
+  try {
+    let calls = 0;
+    const handle = startUngovernedScanner({
+      cwd: root,
+      intervalMs: 50,
+      mode: "advisory",
+      detectorOptions: { processes: [] },
+      onFinding: () => {
+        calls += 1;
+      },
+    });
+    // Wait a moment to allow at least the immediate tick.
+    await new Promise((resolve) => setTimeout(resolve, 20));
+    handle.stop();
+    assert.equal(handle.isRunning(), false);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});

package/scaffold/scripts/bootstrap.sh

@@ -6,16 +6,6 @@ MCP_DIR="$REPO_ROOT/mcp"
 TOTAL_STEPS=6
 STEP_INDEX=0
 
-print_logo() {
-  cat <<'EOF'
-  CCC    OOO   RRRR  TTTTT  EEEEE  X   X
- C   C  O   O  R   R   T    E       X X
- C      O   O  RRRR    T    EEEE     X
- C   C  O   O  R  R    T    E       X X
-  CCC    OOO   R   R   T    EEEEE  X   X
-EOF
-}
-
 step() {
   STEP_INDEX=$((STEP_INDEX + 1))
   echo ""
@@ -26,7 +16,6 @@ info() {
   echo "[cortex] $1"
 }
 
-print_logo
 info "bootstrap start"
 info "repo: $REPO_ROOT"
 info "pipeline: deps -> ingest -> embeddings -> graph -> status"

package/scaffold/scripts/doctor.sh

@@ -44,8 +44,9 @@ else
   fail ".context/config.yaml not found — run: cortex init"
 fi
 
-# Enterprise config
+# Enterprise config — gate on api_key being set (file may exist as a stub).
 ENTERPRISE_CONFIG=""
+ENTERPRISE_ENABLED=0
 if [[ -f "$CONTEXT_DIR/enterprise.yml" ]]; then
   ENTERPRISE_CONFIG="$CONTEXT_DIR/enterprise.yml"
 elif [[ -f "$CONTEXT_DIR/enterprise.yaml" ]]; then
@@ -53,9 +54,28 @@ elif [[ -f "$CONTEXT_DIR/enterprise.yaml" ]]; then
 fi
 
 if [[ -n "$ENTERPRISE_CONFIG" ]]; then
-  pass "enterprise config found: $(basename "$ENTERPRISE_CONFIG")"
+  ENTERPRISE_API_KEY=$(node -e '
+    const fs = require("node:fs");
+    const raw = fs.readFileSync(process.argv[1], "utf8");
+    let section = "", fields = {};
+    for (const line of raw.split("\n")) {
+      const t = line.trimEnd();
+      if (!t || t.startsWith("#")) continue;
+      const sm = t.match(/^(\w+):\s*$/);
+      if (sm) { section = sm[1]; continue; }
+      const kv = t.match(/^\s+(\w+):\s*(.+?)\s*$/);
+      if (kv && section) fields[section + "." + kv[1]] = kv[2].replace(/^["\x27]|["\x27]$/g, "");
+    }
+    console.log(fields["enterprise.api_key"] || "");
+  ' "$ENTERPRISE_CONFIG" 2>/dev/null || echo "")
+  if [[ -n "$ENTERPRISE_API_KEY" ]]; then
+    pass "enterprise config found: $(basename "$ENTERPRISE_CONFIG")"
+    ENTERPRISE_ENABLED=1
+  else
+    info "enterprise config present but no api_key set — see https://cortx.se for more info"
+  fi
 else
-  info "no enterprise config (community mode)"
+  info "no enterprise config (community mode) — see https://cortx.se for more info"
 fi
 
 # ── Index ───────────────────────────────────────────────
@@ -177,7 +197,7 @@ fi
 
 # ── Enterprise ──────────────────────────────────────────
 
-if [[ -n "$ENTERPRISE_CONFIG" ]]; then
+if [[ "$ENTERPRISE_ENABLED" == "1" ]]; then
   echo ""
   echo "  Enterprise"
 

package/types.js

@@ -0,0 +1,5 @@
+// v2.0.0: empty types module preserved for the published `./types` export.
+// Pre-v2 the source lived in mcp/dist/types.js (also empty). External
+// consumers who imported from @danielblomma/cortex-mcp/types continue
+// to resolve, even though there are no runtime exports.
+export {};

package/docs/MCP_MARKETPLACE.md

@@ -1,160 +0,0 @@
-# MCP Marketplace Submission
-
-## Package Information
-
-**Name:** `@danielblomma/cortex-mcp`  
-**Description:** Local, repo-scoped context platform for coding assistants. Semantic search, graph relationships, and architectural rule context.  
-**Author:** Daniel Blomma  
-**License:** MIT  
-**Repository:** https://github.com/DanielBlomma/cortex
-
-## MCP Server Details
-
-### Tools Provided
-
-1. **context.search**
-   - Semantic search across indexed entities (files, rules, ADRs)
-   - Hybrid ranking (semantic + graph + trust + recency)
-   - Optional content return for high-signal snippets
-
-2. **context.get_related**
-   - Graph-based entity relationships
-   - Finds connected rules/files/ADRs with optional edge details
-
-3. **context.get_rules**
-   - Active rules and architectural decisions
-   - Scope-based filtering
-
-4. **context.reload**
-   - Hot-reload graph after code changes
-
-### Advanced Features (Experimental)
-
-Cortex can extract function-level chunks and build call graphs in experimental builds:
-
-- `context.find_callers` - What calls this function?
-- `context.trace_calls` - What does this function call?
-- `context.impact_analysis` - What is impacted if this function changes?
-- Requires JavaScript/TypeScript codebase and semantic chunking/call graph indexing enabled.
-
-Note: these APIs are experimental and are not part of the stable tool contract in this submission.
-
-### Installation
-
-#### For MCP Marketplace Users
-
-```bash
-# Install CLI globally
-npm i -g @danielblomma/cortex-mcp
-
-# Navigate to your project
-cd ~/my-project
-
-# Initialize Cortex in your project
-cortex init --bootstrap
-```
-
-This will:
-- Create `.context/` directory with graph schema
-- Set up MCP server for Claude Desktop/Code
-- Start background sync for automatic updates
-- Build a local context graph for indexed files/rules/ADRs
-
-#### Manual MCP Configuration
-
-If `cortex init` doesn't auto-register, add to Claude's MCP config:
-
-**Claude Desktop** (`~/Library/Application Support/Claude/claude_desktop_config.json`):
-```json
-{
-  "mcpServers": {
-    "cortex": {
-      "command": "cortex",
-      "args": ["mcp"],
-      "env": {
-        "CORTEX_PROJECT_ROOT": "/absolute/path/to/your-project"
-      }
-    }
-  }
-}
-```
-
-**Codex** (`~/.config/codex/mcp-config.json`):
-```json
-{
-  "mcpServers": {
-    "cortex-myproject": {
-      "command": "cortex",
-      "args": ["mcp"],
-      "cwd": "/absolute/path/to/your-project"
-    }
-  }
-}
-```
-
-### Usage
-
-Once installed and initialized, Cortex tools are available in Claude:
-
-```
-"Find files that handle authentication"
-"Show related files for this ADR"
-"What are the active architectural rules for this API?"
-```
-
-### Key Features
-
-- **Semantic search**: ranked retrieval across source files, rules and ADRs
-- **Graph relationships**: quickly discover related entities and constraints
-- **Experimental call graph APIs**: function caller/callee and impact traversal in semantic chunking builds
-- **Local & private**: All data stays on your machine
-- **Incremental updates**: Background sync keeps context fresh
-- **Flexible ingestion**: configurable source paths and ranking signals
-
-### Requirements
-
-- Node.js 18+
-- Git repository (for change tracking)
-- ~50MB disk space per project
-
-### Unique Value Proposition
-
-Unlike other MCP servers that provide external data (GitHub, web search), Cortex provides **deep, structured knowledge of YOUR codebase**:
-
-- Search with semantic ranking across files, rules, and ADRs
-- Understand rule and ADR dependencies in your repo
-- Enforce architectural rules and ADRs
-- Context that evolves with your code
-
-Perfect for:
-- Large codebases where plain keyword search is not enough
-- Refactoring guided by rule and ADR context
-- Onboarding (architectural rules, design decisions)
-- Code review (what constraints and related entities apply?)
-
-### Limitations
-
-- **Setup required**: Not instant plug-and-play (needs `cortex init`)
-- **Per-project**: Each repo needs its own Cortex instance
-- **Local only**: No cloud sync (by design - your code stays private)
-
-### Support
-
-- Issues: https://github.com/DanielBlomma/cortex/issues
-- Docs: https://github.com/DanielBlomma/cortex/blob/main/README.md
-
-## Submission Checklist
-
-- [x] MCP SDK integration (JSON-RPC over stdio)
-- [x] Tools documented with schemas
-- [ ] npm package published (@danielblomma/cortex-mcp)
-- [x] Marketplace-ready README
-- [ ] Example usage screenshots/GIFs
-- [ ] Submit PR to modelcontextprotocol/servers
-
-## Next Steps
-
-1. Publish to npm as `@danielblomma/cortex-mcp`
-2. Test installation from marketplace perspective
-3. Submit to https://github.com/modelcontextprotocol/servers
-4. Add to Anthropic's community registry