@equilateral_ai/mindmeld 3.3.0 → 3.4.0

package/src/handlers/user/apiTokenCreate.js

@@ -0,0 +1,71 @@
+/**
+ * API Token Create Handler
+ *
+ * Creates a new MCP API token for the authenticated user.
+ * Token plaintext is returned ONCE — only the SHA-256 hash is stored.
+ *
+ * POST /api/user/api-tokens
+ * Auth: Cognito JWT required
+ * Body: { name?: string }
+ */
+
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const crypto = require('crypto');
+
+async function apiTokenCreate({ body, requestContext }) {
+    const email = requestContext.authorizer?.claims?.email
+        || requestContext.authorizer?.jwt?.claims?.email;
+
+    if (!email) {
+        return createErrorResponse(401, 'Authentication required');
+    }
+
+    const tokenName = body.name || 'Default';
+
+    // Look up user's client and company
+    const userResult = await executeQuery(`
+        SELECT u.client_id, ue.company_id
+        FROM rapport.users u
+        LEFT JOIN rapport.user_entitlements ue ON u.email_address = ue.email_address
+        WHERE u.email_address = $1
+        LIMIT 1
+    `, [email]);
+
+    if (userResult.rows.length === 0) {
+        return createErrorResponse(404, 'User not found');
+    }
+
+    const { client_id, company_id } = userResult.rows[0];
+
+    // Verify active subscription
+    const clientResult = await executeQuery(
+        'SELECT subscription_tier FROM rapport.clients WHERE client_id = $1',
+        [client_id]
+    );
+
+    if (clientResult.rows.length === 0 || !clientResult.rows[0].subscription_tier || clientResult.rows[0].subscription_tier === 'free') {
+        return createErrorResponse(403, 'Active MindMeld subscription required to create API tokens');
+    }
+
+    // Generate token: mm_live_ + 40 random hex chars
+    const tokenId = crypto.randomUUID();
+    const tokenRandom = crypto.randomBytes(20).toString('hex');
+    const plaintext = `mm_live_${tokenRandom}`;
+    const tokenPrefix = plaintext.substring(0, 12);
+    const tokenHash = crypto.createHash('sha256').update(plaintext).digest('hex');
+
+    await executeQuery(`
+        INSERT INTO rapport.api_tokens (token_id, token_hash, token_prefix, email_address, client_id, company_id, token_name)
+        VALUES ($1, $2, $3, $4, $5, $6, $7)
+    `, [tokenId, tokenHash, tokenPrefix, email, client_id, company_id || null, tokenName]);
+
+    return createSuccessResponse({
+        token_id: tokenId,
+        token: plaintext,
+        token_prefix: tokenPrefix,
+        name: tokenName,
+        message: 'Save this token — it will not be shown again.'
+    }, 'API token created');
+}
+
+exports.handler = wrapHandler(apiTokenCreate);

package/src/handlers/user/apiTokenList.js

@@ -0,0 +1,64 @@
+/**
+ * API Token List/Revoke Handler
+ *
+ * GET /api/user/api-tokens — List tokens (prefix only, never plaintext)
+ * DELETE /api/user/api-tokens?token_id=xxx — Revoke a token
+ *
+ * Auth: Cognito JWT required
+ */
+
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+
+async function apiTokenList({ body, queryParams, requestContext, httpMethod }) {
+    const email = requestContext.authorizer?.claims?.email
+        || requestContext.authorizer?.jwt?.claims?.email;
+
+    if (!email) {
+        return createErrorResponse(401, 'Authentication required');
+    }
+
+    // DELETE — revoke a token
+    if (httpMethod === 'DELETE') {
+        const tokenId = queryParams.token_id || body.token_id;
+        if (!tokenId) {
+            return createErrorResponse(400, 'token_id is required');
+        }
+
+        const result = await executeQuery(`
+            UPDATE rapport.api_tokens
+            SET status = 'revoked', revoked_at = NOW()
+            WHERE token_id = $1 AND email_address = $2 AND status = 'active'
+            RETURNING token_id
+        `, [tokenId, email]);
+
+        if (result.rows.length === 0) {
+            return createErrorResponse(404, 'Token not found or already revoked');
+        }
+
+        return createSuccessResponse({ token_id: tokenId }, 'Token revoked');
+    }
+
+    // GET — list tokens
+    const result = await executeQuery(`
+        SELECT token_id, token_prefix, token_name, status,
+               last_used_at, request_count, created_at, revoked_at
+        FROM rapport.api_tokens
+        WHERE email_address = $1
+        ORDER BY created_at DESC
+    `, [email]);
+
+    return createSuccessResponse({
+        tokens: result.rows.map(r => ({
+            token_id: r.token_id,
+            prefix: r.token_prefix,
+            name: r.token_name,
+            status: r.status,
+            last_used: r.last_used_at,
+            request_count: r.request_count,
+            created_at: r.created_at,
+            revoked_at: r.revoked_at
+        }))
+    }, `${result.rows.length} token(s) found`);
+}
+
+exports.handler = wrapHandler(apiTokenList);

package/src/handlers/user/userSplashGet.js

@@ -7,8 +7,8 @@
  *
  * Returns:
  * - show_splash: whether to display the splash (false if already acknowledged this week)
- * - summary: weekly activity metrics
- * - is_greenfield: true if user has < 7 days of activity
+ * - summary: weekly activity metrics from sessions + session_standards
+ * - is_greenfield: true if user has < 7 days of session history
  * - tips: getting-started tips for greenfield users
  */
 
@@ -22,7 +22,7 @@ async function getUserSplash({ requestContext }) {
         return createErrorResponse(401, 'Authentication required');
     }
 
-    // Calculate current week boundaries (Monday to Sunday)
+    // Calculate current week boundaries (Monday to Sunday UTC)
     const now = new Date();
     const dayOfWeek = now.getUTCDay();
     const mondayOffset = dayOfWeek === 0 ? -6 : 1 - dayOfWeek;
@@ -62,119 +62,136 @@ async function getUserSplash({ requestContext }) {
         );
     }
 
-    // Determine if user is greenfield (< 7 days of activity)
+    // Determine if user is greenfield (< 7 days of session history)
     let isGreenfield = true;
     try {
         const activityCheck = await executeQuery(`
-            SELECT MIN(created_at) as first_activity
-            FROM rapport.audit_trail
+            SELECT MIN(started_at) as first_session
+            FROM rapport.sessions
             WHERE email_address = $1
         `, [email]);
 
-        if (activityCheck.rowCount > 0 && activityCheck.rows[0].first_activity) {
-            const firstActivity = new Date(activityCheck.rows[0].first_activity);
-            const daysSinceFirstActivity = Math.floor((now.getTime() - firstActivity.getTime()) / (1000 * 60 * 60 * 24));
-            isGreenfield = daysSinceFirstActivity < 7;
+        if (activityCheck.rowCount > 0 && activityCheck.rows[0].first_session) {
+            const firstSession = new Date(activityCheck.rows[0].first_session);
+            const daysSinceFirst = Math.floor((now.getTime() - firstSession.getTime()) / (1000 * 60 * 60 * 24));
+            isGreenfield = daysSinceFirst < 7;
         }
     } catch (err) {
         console.log('[Splash] Could not determine greenfield status:', err.message);
     }
 
-    // Aggregate weekly activity metrics
-    let patternsHarvested = 0;
-    try {
-        const patternsResult = await executeQuery(`
-            SELECT COUNT(*) as count
-            FROM rapport.patterns
-            WHERE created_by = $1
-            AND created_at >= $2
-            AND created_at <= $3
-        `, [email, weekStart.toISOString(), weekEnd.toISOString()]);
-
-        patternsHarvested = parseInt(patternsResult.rows[0].count, 10) || 0;
-    } catch (err) {
-        console.log('[Splash] Patterns query failed:', err.message);
-    }
+    // Aggregate weekly metrics from sessions + session_standards
+    const weekStartISO = weekStart.toISOString();
+    const weekEndISO = weekEnd.toISOString();
 
-    let standardsInjected = 0;
+    // Session stats (count, duration, projects)
+    let sessionsCount = 0;
+    let totalDurationMinutes = 0;
+    let activeProjects = 0;
     try {
-        const injectionsResult = await executeQuery(`
-            SELECT COUNT(*) as count
-            FROM rapport.audit_trail
+        const sessionResult = await executeQuery(`
+            SELECT
+                COUNT(*) as session_count,
+                COALESCE(ROUND(SUM(duration_seconds) / 60.0), 0) as total_minutes,
+                COUNT(DISTINCT project_id) as project_count
+            FROM rapport.sessions
             WHERE email_address = $1
-            AND action = 'standards_injected'
-            AND created_at >= $2
-            AND created_at <= $3
-        `, [email, weekStart.toISOString(), weekEnd.toISOString()]);
-
-        standardsInjected = parseInt(injectionsResult.rows[0].count, 10) || 0;
+            AND started_at >= $2
+            AND started_at <= $3
+        `, [email, weekStartISO, weekEndISO]);
+
+        if (sessionResult.rowCount > 0) {
+            sessionsCount = parseInt(sessionResult.rows[0].session_count, 10) || 0;
+            totalDurationMinutes = parseInt(sessionResult.rows[0].total_minutes, 10) || 0;
+            activeProjects = parseInt(sessionResult.rows[0].project_count, 10) || 0;
+        }
     } catch (err) {
-        console.log('[Splash] Injections query failed:', err.message);
+        console.log('[Splash] Session stats query failed:', err.message);
     }
 
-    let standardsPromoted = 0;
+    // Standards stats (injected, followed, violated)
+    let standardsInjected = 0;
+    let standardsFollowed = 0;
+    let violationsDetected = 0;
     try {
-        const promotionsResult = await executeQuery(`
-            SELECT COUNT(*) as count
-            FROM rapport.audit_trail
-            WHERE email_address = $1
-            AND action = 'standard_promoted'
-            AND created_at >= $2
-            AND created_at <= $3
-        `, [email, weekStart.toISOString(), weekEnd.toISOString()]);
-
-        standardsPromoted = parseInt(promotionsResult.rows[0].count, 10) || 0;
+        const standardsResult = await executeQuery(`
+            SELECT
+                COUNT(*) as total_injected,
+                COUNT(*) FILTER (WHERE ss.followed = true) as total_followed,
+                COUNT(*) FILTER (WHERE ss.violated = true) as total_violated
+            FROM rapport.session_standards ss
+            JOIN rapport.sessions s ON s.session_id = ss.session_id
+            WHERE s.email_address = $1
+            AND s.started_at >= $2
+            AND s.started_at <= $3
+        `, [email, weekStartISO, weekEndISO]);
+
+        if (standardsResult.rowCount > 0) {
+            standardsInjected = parseInt(standardsResult.rows[0].total_injected, 10) || 0;
+            standardsFollowed = parseInt(standardsResult.rows[0].total_followed, 10) || 0;
+            violationsDetected = parseInt(standardsResult.rows[0].total_violated, 10) || 0;
+        }
     } catch (err) {
-        console.log('[Splash] Promotions query failed:', err.message);
+        console.log('[Splash] Standards stats query failed:', err.message);
     }
 
-    let violationsDetected = 0;
+    // Patterns harvested (keep existing query — patterns table exists)
+    let patternsHarvested = 0;
     try {
-        const violationsResult = await executeQuery(`
+        const patternsResult = await executeQuery(`
             SELECT COUNT(*) as count
-            FROM rapport.audit_trail
-            WHERE email_address = $1
-            AND action = 'violation_detected'
+            FROM rapport.patterns
+            WHERE created_by = $1
             AND created_at >= $2
             AND created_at <= $3
-        `, [email, weekStart.toISOString(), weekEnd.toISOString()]);
+        `, [email, weekStartISO, weekEndISO]);
 
-        violationsDetected = parseInt(violationsResult.rows[0].count, 10) || 0;
+        patternsHarvested = parseInt(patternsResult.rows[0].count, 10) || 0;
     } catch (err) {
-        console.log('[Splash] Violations query failed:', err.message);
+        console.log('[Splash] Patterns query failed:', err.message);
     }
 
-    let activeProjects = 0;
+    // Recent category distribution (what the user has been working on)
+    let recentCategories = {};
     try {
-        const projectsResult = await executeQuery(`
-            SELECT COUNT(DISTINCT project_id) as count
-            FROM rapport.audit_trail
-            WHERE email_address = $1
-            AND created_at >= $2
-            AND created_at <= $3
-            AND project_id IS NOT NULL
-        `, [email, weekStart.toISOString(), weekEnd.toISOString()]);
-
-        activeProjects = parseInt(projectsResult.rows[0].count, 10) || 0;
+        const categoryResult = await executeQuery(`
+            SELECT sp.category, COUNT(*) as usage_count
+            FROM rapport.session_standards ss
+            JOIN rapport.sessions s ON s.session_id = ss.session_id
+            JOIN rapport.standards_patterns sp ON sp.pattern_id = ss.standard_id
+            WHERE s.email_address = $1
+                AND s.started_at >= $2
+                AND s.started_at <= $3
+            GROUP BY sp.category
+            ORDER BY usage_count DESC
+            LIMIT 5
+        `, [email, weekStartISO, weekEndISO]);
+
+        for (const row of categoryResult.rows) {
+            recentCategories[row.category] = parseInt(row.usage_count, 10);
+        }
     } catch (err) {
-        console.log('[Splash] Active projects query failed:', err.message);
+        console.log('[Splash] Recent categories query failed:', err.message);
     }
 
     // Build tips for greenfield users
     const tips = isGreenfield ? [
-        'Connect a GitHub repository to start harvesting patterns from your codebase.',
         'MindMeld automatically injects relevant standards into your AI coding sessions.',
+        'Use /mm-load <domain> to pre-load standards before starting work (e.g., /mm-load Frontend).',
+        'Use /mm-workflows to see available step-by-step procedures.',
         'Patterns discovered in your code can be promoted to team-wide standards.',
-        'Check the Standards page to browse and configure which standards apply to your projects.',
-        'Visit the Dashboard regularly to track your team\'s standards adoption progress.'
+        'Use /mm-status to check your system health and API connectivity.'
     ] : [];
 
     const summary = {
-        patterns_harvested: patternsHarvested,
+        sessions_count: sessionsCount,
+        total_duration_minutes: totalDurationMinutes,
         standards_injected: standardsInjected,
-        standards_promoted: standardsPromoted,
+        standards_followed: standardsFollowed,
         violations_detected: violationsDetected,
         active_projects: activeProjects,
+        recent_categories: recentCategories,
+        patterns_harvested: patternsHarvested,
         week_start: weekStartStr,
         week_end: weekEndStr
     };

package/src/handlers/users/cognitoPostConfirmation.js

@@ -111,7 +111,7 @@ async function handler(event, context) {
 
             console.log('Personal company created:', companyId);
 
-            // 4. Create admin entitlement
+            // 4. Create admin entitlement for personal workspace
             const entitlementQuery = `
                 INSERT INTO rapport.user_entitlements (
                     email_address,
@@ -128,6 +128,42 @@ async function handler(event, context) {
 
             console.log('Entitlement created for:', email);
 
+            // 5. Check for and accept pending enterprise invitations
+            const pendingInvites = await executeQuery(`
+                SELECT invitation_id, client_id, company_id, role
+                FROM rapport.enterprise_invitations
+                WHERE email = $1 AND status = 'pending'
+            `, [email.toLowerCase()]);
+
+            if (pendingInvites.rows.length > 0) {
+                console.log(`Found ${pendingInvites.rows.length} pending enterprise invitation(s)`);
+
+                for (const invite of pendingInvites.rows) {
+                    // Create entitlement for the enterprise company
+                    const isAdmin = invite.role === 'admin';
+                    await executeQuery(`
+                        INSERT INTO rapport.user_entitlements (
+                            email_address,
+                            client_id,
+                            company_id,
+                            admin,
+                            member
+                        )
+                        VALUES ($1, $2, $3, $4, true)
+                        ON CONFLICT (email_address, company_id) DO NOTHING
+                    `, [email, invite.client_id, invite.company_id, isAdmin]);
+
+                    // Mark invitation as accepted
+                    await executeQuery(`
+                        UPDATE rapport.enterprise_invitations
+                        SET status = 'accepted', accepted_at = NOW()
+                        WHERE invitation_id = $1
+                    `, [invite.invitation_id]);
+
+                    console.log(`Accepted enterprise invitation for company: ${invite.company_id} (role: ${invite.role})`);
+                }
+            }
+
             await executeQuery('COMMIT');
 
             console.log('Post-confirmation complete for:', email);

package/src/handlers/users/cognitoPreSignUp.js

@@ -0,0 +1,114 @@
+/**
+ * Cognito PreSignUp Handler
+ * Blocks bot registrations before user creation in Cognito
+ * Auto-confirms Google OAuth users and admin-invited users
+ *
+ * Triggered by: Cognito User Pool pre-signup trigger
+ *
+ * Note: Cognito trigger must be configured manually in Cognito console
+ * as SAM cannot reference external user pools
+ */
+
+const { executeQuery } = require('./helpers');
+
+const DISPOSABLE_DOMAINS = new Set([
+    'mailinator.com', 'guerrillamail.com', 'tempmail.com',
+    'throwaway.email', 'yopmail.com', 'sharklasers.com',
+    'guerrillamailblock.com', 'grr.la', 'maildrop.cc',
+    'dispostable.com', 'temp-mail.org', '10minutemail.com',
+    'trashmail.com', 'fakeinbox.com', 'mailnesia.com',
+    'tempinbox.com', 'mailcatch.com', 'throwam.com'
+]);
+
+/**
+ * Detect dot-stuffed Gmail addresses used by signup bots
+ * Gmail ignores dots in the local part, so bots insert random dots
+ * to generate unique-looking addresses that all deliver to the same inbox
+ */
+function isDotStuffedGmail(email) {
+    const atIndex = email.lastIndexOf('@');
+    if (atIndex === -1) return false;
+
+    const localPart = email.substring(0, atIndex).toLowerCase();
+    const domain = email.substring(atIndex + 1).toLowerCase();
+
+    if (domain !== 'gmail.com' && domain !== 'googlemail.com') return false;
+
+    const dotCount = (localPart.match(/\./g) || []).length;
+    const cleanLength = localPart.replace(/\./g, '').length;
+
+    if (cleanLength === 0) return true;
+
+    // 4+ dots in a short local part is a strong bot signal
+    if (dotCount >= 4 && cleanLength < 20) return true;
+
+    // More than 30% dots relative to actual characters
+    if (dotCount > 0 && dotCount / cleanLength > 0.3) return true;
+
+    return false;
+}
+
+/**
+ * Check if email uses a known disposable email domain
+ */
+function isDisposableEmail(email) {
+    const domain = email.toLowerCase().split('@')[1];
+    return DISPOSABLE_DOMAINS.has(domain);
+}
+
+async function handler(event) {
+    console.log('PreSignUp trigger:', JSON.stringify({
+        triggerSource: event.triggerSource,
+        userName: event.userName,
+        email: event.request?.userAttributes?.email
+    }));
+
+    // Auto-confirm external provider signups (Google OAuth)
+    // Google provides verified email — no Cognito verification needed
+    if (event.triggerSource === 'PreSignUp_ExternalProvider') {
+        console.log(`[PreSignUp] Auto-confirming external provider user: ${event.request?.userAttributes?.email}`);
+        event.response.autoConfirmUser = true;
+        event.response.autoVerifyEmail = true;
+        return event;
+    }
+
+    // Only validate user-initiated signups (not admin-created)
+    if (event.triggerSource !== 'PreSignUp_SignUp') {
+        return event;
+    }
+
+    const email = event.request?.userAttributes?.email;
+    if (!email) {
+        throw new Error('Email address is required for registration');
+    }
+
+    if (isDisposableEmail(email)) {
+        console.log(`[PreSignUp] Blocked disposable email: ${email}`);
+        throw new Error('Please use a permanent email address to register.');
+    }
+
+    if (isDotStuffedGmail(email)) {
+        console.log(`[PreSignUp] Blocked dot-stuffed Gmail: ${email}`);
+        throw new Error('This email address format is not accepted. Please use your primary email address.');
+    }
+
+    // Auto-confirm users who have been invited (entitlement already exists)
+    try {
+        const result = await executeQuery(
+            'SELECT 1 FROM rapport.user_entitlements WHERE email_address = $1 LIMIT 1',
+            [email.toLowerCase()]
+        );
+        if (result.rows.length > 0) {
+            console.log(`[PreSignUp] Auto-confirming invited user: ${email}`);
+            event.response.autoConfirmUser = true;
+            event.response.autoVerifyEmail = true;
+        }
+    } catch (err) {
+        // DB check failed — don't block signup, just skip auto-confirm
+        console.error(`[PreSignUp] Entitlement check failed for ${email}:`, err.message);
+    }
+
+    return event;
+}
+
+module.exports = { handler };

package/src/handlers/users/userGet.js

@@ -22,7 +22,7 @@ async function getUser({ requestContext }) {
             return createErrorResponse(401, 'Authentication required');
         }
 
-        // Get user with their primary client subscription
+        // Get user with their primary client subscription and company
         const query = `
             SELECT
                 u.email_address,
@@ -35,11 +35,14 @@ async function getUser({ requestContext }) {
                 c.subscription_tier,
                 c.subscription_status,
                 c.subscription_ends_at,
-                c.stripe_customer_id
+                c.stripe_customer_id,
+                ue.company_id
             FROM rapport.users u
             LEFT JOIN rapport.clients c ON u.client_id = c.client_id
+            LEFT JOIN rapport.user_entitlements ue ON u.email_address = ue.email_address
             WHERE u.email_address = $1
             AND u.active = true
+            LIMIT 1
         `;
 
         const result = await executeQuery(query, [email]);
@@ -51,20 +54,20 @@ async function getUser({ requestContext }) {
         const user = result.rows[0];
         const tierConfig = getTierConfig(user.subscription_tier || 'free');
 
-        // Get usage counts
+        // Get usage counts scoped to user's entitled companies
         const usageQuery = `
             SELECT
                 (SELECT COUNT(*) FROM rapport.user_entitlements WHERE client_id = $1) as collaborators,
                 (SELECT COUNT(*) FROM rapport.projects p
-                 JOIN rapport.companies co ON p.company_id = co.company_id
-                 WHERE co.client_id = $1 AND p.archived = false) as projects,
+                 JOIN rapport.user_entitlements ue ON p.company_id = ue.company_id
+                 WHERE ue.email_address = $2 AND p.archived = false) as projects,
                 (SELECT COUNT(*) FROM rapport.invariants i
                  JOIN rapport.projects p ON i.project_id = p.project_id
-                 JOIN rapport.companies co ON p.company_id = co.company_id
-                 WHERE co.client_id = $1) as invariants
+                 JOIN rapport.user_entitlements ue ON p.company_id = ue.company_id
+                 WHERE ue.email_address = $2) as invariants
         `;
 
-        const usageResult = await executeQuery(usageQuery, [user.client_id]);
+        const usageResult = await executeQuery(usageQuery, [user.client_id, email]);
         const usage = usageResult.rows[0];
 
         return createSuccessResponse(
@@ -74,6 +77,7 @@ async function getUser({ requestContext }) {
                     first_name: user.first_name,
                     last_name: user.last_name,
                     client_id: user.client_id,
+                    company_id: user.company_id,
                     client_name: user.client_name,
                     user_status: user.user_status,
                     member_since: user.create_date,