@decantr/mcp-server 2.2.0 → 2.4.0

package/README.md

@@ -12,7 +12,7 @@ Design intelligence for AI-generated UI. Make Claude, Cursor, and Windsurf gener
 
 ![Decantr MCP demo](https://raw.githubusercontent.com/decantr-ai/decantr/main/packages/mcp-server/assets/decantr-demo.gif)
 
-- **Structured design context** -- gives your AI assistant patterns, layouts, component specs, and Brownfield task-time context instead of letting it guess
+- **Structured design context** -- gives your AI assistant patterns, layouts, component specs, Brownfield/Hybrid authority, local law, and task-time context instead of letting it guess
 - **Evidence-backed repair loops** -- gives AI agents Project Health, Evidence Bundles, workspace health, and scoped repair prompts without uploading source
 - **Drift detection** -- catches when generated code deviates from your design intent
 - **Zero config** -- run with `npx`, no API keys or accounts required
@@ -136,7 +136,7 @@ The server exposes Decantr registry, context, benchmark, and verification tools.
 | `decantr_suggest_patterns` | Given a page description plus optional route/source excerpt, get ranked pattern suggestions | `{ "description": "recipe feed with avatars and infinite scroll", "route": "/feed" }` |
 | `decantr_check_drift` | Check if generated code violates the design intent in the Essence spec | `{ "page_id": "overview", "components_used": ["Card", "LineChart"], "theme_used": "auradecantism" }` |
 | `decantr_get_execution_pack` | Read compiled scaffold, section, page, review, or mutation execution packs, with hosted fallback when local context is missing | `{ "pack_type": "page", "id": "overview", "format": "json" }` |
-| `decantr_prepare_task_context` | Resolve compact route/task context before editing a Brownfield or Essence route | `{ "route": "/feed", "task": "improve recipe card loading" }` |
+| `decantr_prepare_task_context` | Resolve compact route/task context, authority lane, local law, evidence, and changed-file impact before editing a Brownfield, Hybrid, or Essence route | `{ "route": "/feed", "task": "improve recipe card loading" }` |
 | `decantr_compile_execution_packs` | Compile a hosted execution-pack bundle from a local or inline essence document | `{ "path": "./decantr.essence.json", "namespace": "@official" }` |
 | `decantr_audit_project` | Run the schema-backed Decantr project audit against essence and compiled packs, with hosted fallback when local pack artifacts are missing | `{ "namespace": "@official" }` |
 | `decantr_critique` | Critique a file against the compiled review contract, with hosted fallback when local review packs are missing | `{ "file_path": "./src/pages/Overview.tsx", "namespace": "@official" }` |
@@ -148,6 +148,12 @@ The server exposes Decantr registry, context, benchmark, and verification tools.
 
 For the broader product surface and support policy, see the root Decantr docs and package support matrix.
 
+## Security And Permissions
+
+The MCP server reads Decantr files and selected project files from the active workspace. Write access is limited to explicit write tools such as `decantr_update_essence` and `decantr_accept_drift`, and paths are contained to the active workspace root.
+
+Registry and pack-resolution tools may call the configured Decantr API. Source upload fallbacks for hosted critique/audit are disabled unless the tool call explicitly passes `allow_hosted_upload: true`. The MCP server does not emit Decantr telemetry. See [security permissions](https://decantr.ai/reference/security-permissions.md).
+
 ## Compatibility
 
 `@decantr/mcp-server` is stable in the `2.x` line for the documented MCP tool surface.
@@ -171,7 +177,7 @@ The AI assistant calls these tools behind the scenes:
 3. `decantr_suggest_patterns` -- recommends `kpi-grid`, `chart-grid`, `data-table`, and `form-sections` for the described pages
 4. `decantr_resolve_pattern` -- fetches layout specs and component lists for each pattern
 5. `decantr_get_execution_pack` -- loads the compiled scaffold/page/review packs as the task contract, falling back to hosted compilation when local pack artifacts are missing
-6. `decantr_prepare_task_context` -- resolves route-local Brownfield context, visual evidence, and theme inventory before editing an existing app
+6. `decantr_prepare_task_context` -- resolves route-local Brownfield/Hybrid context, active authority, accepted local law, changed-file impact, visual evidence, and theme inventory before editing an existing app
 7. `decantr_compile_execution_packs` -- compiles the hosted pack bundle when the task needs a fresh remote contract from the essence document
 8. `decantr_check_drift` -- validates the generated code against the Essence spec before presenting it
 9. `decantr_critique` -- critiques a specific file, falling back to the hosted verifier when the local review pack is missing

package/dist/bin.js

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-import "./chunk-SVLMT45O.js";
+import "./chunk-P2K3R43N.js";

package/dist/{chunk-SVLMT45O.js → chunk-P2K3R43N.js}

@@ -4,6 +4,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 
 // src/tools.ts
+import { execFileSync } from "child_process";
 import { existsSync, readdirSync, readFileSync } from "fs";
 import { readFile as readFile2 } from "fs/promises";
 import { basename as basename2, dirname as dirname2, join as join2, relative as relative2 } from "path";
@@ -137,6 +138,116 @@ function readJsonIfExists(path) {
     return null;
   }
 }
+function changedFilesForTask(projectRoot) {
+  const changed = /* @__PURE__ */ new Set();
+  try {
+    for (const args of [
+      ["diff", "--name-only"],
+      ["diff", "--name-only", "--cached"]
+    ]) {
+      const output = execFileSync("git", args, {
+        cwd: projectRoot,
+        encoding: "utf-8",
+        stdio: ["ignore", "pipe", "ignore"]
+      });
+      for (const entry of output.split(/\r?\n/)) {
+        const file = entry.trim();
+        if (file) changed.add(file);
+      }
+    }
+  } catch {
+  }
+  return [...changed].sort();
+}
+function impactedRoutesForFiles(projectRoot, files) {
+  const analysis = readJsonIfExists(join2(projectRoot, ".decantr", "analysis.json"));
+  const routeEntries = analysis?.routes?.routes ?? [];
+  const impacted = /* @__PURE__ */ new Set();
+  for (const file of files) {
+    for (const route of routeEntries) {
+      if (route.file && (file === route.file || file.endsWith(route.file))) {
+        if (route.path) impacted.add(route.path);
+      }
+    }
+  }
+  return [...impacted].sort();
+}
+function localLawSummary(projectRoot) {
+  const patterns = readJsonIfExists(join2(projectRoot, ".decantr", "local-patterns.json"));
+  const rules = readJsonIfExists(join2(projectRoot, ".decantr", "rules.json"));
+  return {
+    patterns_path: patterns ? ".decantr/local-patterns.json" : null,
+    rules_path: rules ? ".decantr/rules.json" : null,
+    patterns: patterns?.patterns?.map((pattern) => ({
+      id: pattern.id ?? "unknown",
+      role: pattern.role ?? null,
+      component_paths: pattern.componentPaths ?? []
+    })) ?? [],
+    rules: rules?.rules?.map((rule) => ({
+      id: rule.id ?? "unknown",
+      enabled: rule.enabled ?? false,
+      severity: rule.severity ?? "warn",
+      description: rule.description ?? null
+    })) ?? []
+  };
+}
+function mentionsWord(text, term) {
+  const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  return new RegExp(`\\b${escaped}\\b`, "i").test(text);
+}
+function taskAuthoritySummary(input) {
+  const hasLocalLaw = input.localLaw.patterns.length > 0 || input.localLaw.rules.length > 0;
+  let lane = "Brownfield contract-only";
+  let sourceAuthority = "Existing app is authoritative; Decantr supplies contract context.";
+  let styleAuthority = "Use the existing styling system.";
+  const activeAuthorities = ["existing source", "Essence V4 contract"];
+  if (input.workflowMode === "hybrid-compose") {
+    lane = "Hybrid composition";
+    sourceAuthority = "Existing app plus selected Decantr/local law are authoritative.";
+  } else if (input.workflowMode === "brownfield-attach" && input.adoptionMode === "decantr-css") {
+    lane = "Hybrid with Decantr CSS";
+    sourceAuthority = "Existing app remains authoritative except where Decantr CSS is explicitly adopted.";
+    styleAuthority = "Decantr CSS runtime is active where adopted.";
+    activeAuthorities.push("Decantr CSS runtime");
+  } else if (input.workflowMode === "brownfield-attach" && input.adoptionMode === "style-bridge") {
+    lane = "Hybrid style bridge";
+    sourceAuthority = "Existing app remains authoritative; Decantr intent maps through the style bridge.";
+    styleAuthority = "Use bridge tokens/classes as a mapping layer onto the app styling system.";
+    activeAuthorities.push("style bridge");
+  } else if (input.workflowMode === "brownfield-attach" && hasLocalLaw) {
+    lane = "Hybrid local law";
+    sourceAuthority = "Existing app plus accepted project-owned UI law are authoritative.";
+    styleAuthority = "Use project-owned components, tokens, classes, and accepted local rules.";
+  } else if (input.workflowMode?.startsWith("greenfield")) {
+    lane = input.workflowMode === "greenfield-contract-only" ? "Greenfield contract-only" : "Greenfield scaffold";
+    sourceAuthority = "Essence V4 and generated context are authoritative.";
+    styleAuthority = input.adoptionMode === "contract-only" ? "Use the project-chosen styling system." : "Use Decantr CSS where generated by the adapter.";
+  }
+  if (hasLocalLaw) activeAuthorities.push("accepted local patterns/rules");
+  if (input.hasPackManifest) activeAuthorities.push("hosted execution packs as guidance");
+  const warnings = [];
+  const task = input.task;
+  for (const term of ["angular", "vue", "svelte", "solid", "bootstrap", "shadcn"]) {
+    if (mentionsWord(task, term)) {
+      warnings.push(
+        `Task mentions ${term}; treat it as optional Hybrid guidance unless this workspace already owns that runtime/library or the user explicitly asks for a reviewed adoption plan.`
+      );
+    }
+  }
+  if (input.adoptionMode !== "decantr-css" && (/@decantr\/css/i.test(task) || /\bdecantr css\b/i.test(task) || /\bd-[a-z0-9-]+/i.test(task))) {
+    warnings.push(
+      "This project is not in decantr-css adoption mode. Do not add @decantr/css or d-* classes unless the user explicitly changes adoption mode."
+    );
+  }
+  return {
+    lane,
+    source_authority: sourceAuthority,
+    style_authority: styleAuthority,
+    active_authorities: activeAuthorities,
+    runtime_boundary: "Preserve the current workspace runtime unless the task is explicitly a reviewed migration or isolated integration plan.",
+    warnings
+  };
+}
 function extractPatternIdsFromLayoutItem(item, ids) {
   if (typeof item === "string") {
     ids.add(item);
@@ -2371,6 +2482,10 @@ async function handleTool(name, args) {
       const themeInventory = readJsonIfExists(
         join2(process.cwd(), ".decantr", "theme-inventory.json")
       );
+      const localLaw = localLawSummary(process.cwd());
+      const projectJson = readJsonIfExists(join2(process.cwd(), ".decantr", "project.json"));
+      const changedFiles = changedFilesForTask(process.cwd());
+      const changedRoutes = impactedRoutesForFiles(process.cwd(), changedFiles);
       const patternIds = extractPagePatternIds(page);
       const ranked = rankPatternCandidates(
         {
@@ -2419,10 +2534,26 @@ async function handleTool(name, args) {
           variants: themeInventory.variants,
           path: ".decantr/theme-inventory.json"
         } : null,
+        local_law: localLaw,
+        authority: taskAuthoritySummary({
+          workflowMode: projectJson?.initialized?.workflowMode ?? null,
+          adoptionMode: projectJson?.initialized?.adoptionMode ?? null,
+          localLaw,
+          hasPackManifest: Boolean(manifest),
+          task
+        }),
+        change_impact: {
+          changed_files: changedFiles.slice(0, 40),
+          changed_file_count: changedFiles.length,
+          impacted_routes: changedRoutes
+        },
+        verify_command: "decantr verify --brownfield --local-patterns",
         local_files: {
           page_pack: pageManifest?.markdown ?? null,
           section_pack: sectionManifest?.markdown ?? null,
           section_context: existsSync(sectionContextPath) ? `.decantr/context/section-${section.id}.md` : null,
+          local_patterns: localLaw.patterns_path,
+          local_rules: localLaw.rules_path,
           visual_manifest: existsSync(
             join2(process.cwd(), ".decantr", "evidence", "visual-manifest.json")
           ) ? ".decantr/evidence/visual-manifest.json" : null

package/dist/index.js

@@ -1 +1 @@
-import "./chunk-SVLMT45O.js";
+import "./chunk-P2K3R43N.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decantr/mcp-server",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "mcpName": "io.github.decantr-ai/mcp-server",
   "description": "MCP server for Decantr — exposes design intelligence, packs, and verification to AI coding assistants",
   "keywords": [
@@ -50,7 +50,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@decantr/essence-spec": "2.0.1",
-    "@decantr/verifier": "2.2.0",
+    "@decantr/verifier": "2.3.3",
     "@decantr/registry": "2.2.0"
   },
   "scripts": {