@equilateral_ai/mindmeld 3.4.0 → 3.5.1

package/hooks/session-start.js

@@ -427,7 +427,7 @@ async function loadAuthToken() {
  * @returns {Promise<Object>} Cognito constructor options or empty object (uses prod defaults)
  */
 async function loadCognitoConfig() {
-  // 1. Check .mindmeld/config.json first (always points to prod)
+  // 1. Check .mindmeld/config.json first (explicit project config, always wins)
   try {
     const mindmeldConfigPath = path.join(process.cwd(), '.mindmeld', 'config.json');
     const content = await fs.readFile(mindmeldConfigPath, 'utf-8');
@@ -442,21 +442,28 @@ async function loadCognitoConfig() {
     // No .mindmeld/config.json or no auth section
   }
 
-  // 2. Fallback to .myworld.json (may point to dev — for backwards compatibility)
-  try {
-    const configPath = path.join(process.cwd(), '.myworld.json');
-    const content = await fs.readFile(configPath, 'utf-8');
-    const config = JSON.parse(content);
-    const auth = config.deployments?.backend?.auth;
-    if (auth?.domain && auth?.client_id) {
-      return {
-        cognitoDomain: `${auth.domain}.auth.us-east-2.amazoncognito.com`,
-        cognitoClientId: auth.client_id
-      };
+  // 2. Fallback to .myworld.json — but only for consumer projects.
+  //    If this IS the MindMeld source repo, .myworld.json has dev Cognito
+  //    config that would authenticate against the wrong user pool.
+  const isSourceRepo = await isMindMeldSourceRepo();
+  if (!isSourceRepo) {
+    try {
+      const configPath = path.join(process.cwd(), '.myworld.json');
+      const content = await fs.readFile(configPath, 'utf-8');
+      const config = JSON.parse(content);
+      const auth = config.deployments?.backend?.auth;
+      if (auth?.domain && auth?.client_id) {
+        return {
+          cognitoDomain: `${auth.domain}.auth.us-east-2.amazoncognito.com`,
+          cognitoClientId: auth.client_id
+        };
+      }
+    } catch (error) {
+      // No .myworld.json
     }
-  } catch (error) {
-    // No .myworld.json — use production defaults
   }
+
+  // 3. Production defaults (AuthManager has these built-in)
   return {};
 }
 
@@ -483,15 +490,40 @@ function spawnBackgroundLogin() {
   }
 }
 
+/**
+ * Detect if we're running inside the MindMeld source repository (developer context)
+ * vs. a consumer project that uses MindMeld for standards injection.
+ *
+ * When developing MindMeld itself, .myworld.json contains deployment config pointing
+ * at dev/staging environments. The hook should still use production for its own
+ * standards and auth — dev URLs are for the product, not for the hook's API calls.
+ *
+ * @returns {Promise<boolean>} True if this is the MindMeld source repo
+ */
+async function isMindMeldSourceRepo() {
+  try {
+    const configPath = path.join(process.cwd(), '.myworld.json');
+    const content = await fs.readFile(configPath, 'utf-8');
+    const config = JSON.parse(content);
+    const productName = (config.project?.product || '').toLowerCase();
+    return productName === 'mindmeld';
+  } catch (error) {
+    return false;
+  }
+}
+
 /**
  * Load API configuration
- * Priority: .mindmeld/config.json → .myworld.json → env var → production default
- * The hook should always talk to the production MindMeld API for standards/patterns,
- * regardless of which environment the developer is building against.
+ * Priority: .mindmeld/config.json → .myworld.json (consumer only) → env var → production default
+ *
+ * When running inside the MindMeld source repo, .myworld.json is skipped because it
+ * contains dev/staging deployment config for the product — not config for the hook's
+ * own API calls, which should always target production.
+ *
  * @returns {Promise<{apiUrl: string}>}
  */
 async function loadApiConfig() {
-  // 1. Check .mindmeld/config.json first (always points to prod)
+  // 1. Check .mindmeld/config.json first (explicit project config, always wins)
   try {
     const mindmeldConfigPath = path.join(process.cwd(), '.mindmeld', 'config.json');
     const content = await fs.readFile(mindmeldConfigPath, 'utf-8');
@@ -503,20 +535,28 @@ async function loadApiConfig() {
     // No .mindmeld/config.json or no apiUrl
   }
 
-  // 2. Fallback to .myworld.json (may point to dev)
-  try {
-    const configPath = path.join(process.cwd(), '.myworld.json');
-    const content = await fs.readFile(configPath, 'utf-8');
-    const config = JSON.parse(content);
-    const backend = config.deployments?.backend;
-    return {
-      apiUrl: backend?.api?.base_url || 'https://api.mindmeld.dev'
-    };
-  } catch (error) {
-    return {
-      apiUrl: process.env.MINDMELD_API_URL || 'https://api.mindmeld.dev'
-    };
+  // 2. Fallback to .myworld.json — but only for consumer projects.
+  //    If this IS the MindMeld source repo, .myworld.json has dev deployment
+  //    URLs that would send hook API calls to the wrong environment.
+  const isSourceRepo = await isMindMeldSourceRepo();
+  if (!isSourceRepo) {
+    try {
+      const configPath = path.join(process.cwd(), '.myworld.json');
+      const content = await fs.readFile(configPath, 'utf-8');
+      const config = JSON.parse(content);
+      const backend = config.deployments?.backend;
+      if (backend?.api?.base_url) {
+        return { apiUrl: backend.api.base_url };
+      }
+    } catch (error) {
+      // No .myworld.json
+    }
   }
+
+  // 3. Environment variable or production default
+  return {
+    apiUrl: process.env.MINDMELD_API_URL || 'https://api.mindmeld.dev'
+  };
 }
 
 /**
@@ -565,7 +605,9 @@ async function fetchRelevantStandardsFromAPI(apiUrl, authToken, characteristics,
         try {
           const parsed = JSON.parse(data);
           if (res.statusCode >= 400) {
-            reject(new Error(parsed.message || `HTTP ${res.statusCode}`));
+            const err = new Error(parsed.message || `HTTP ${res.statusCode}`);
+            err.statusCode = res.statusCode;
+            reject(err);
           } else {
             resolve(parsed.data?.standards || parsed.standards || []);
           }
@@ -767,6 +809,14 @@ async function injectContext() {
       // Subscription enforcement — do NOT fall through to file-based injection
       console.error('[MindMeld] Active subscription required. Subscribe at app.mindmeld.dev');
       return '';
+    } else if (standardsResult.status === 'rejected' &&
+               (standardsResult.reason.statusCode === 401 || standardsResult.reason.message === 'Unauthorized')) {
+      // Auth token expired or invalid — trigger re-auth and use file-based fallback
+      console.error('[MindMeld] Auth token expired. Triggering re-authentication...');
+      spawnBackgroundLogin();
+      const categories = mindmeld.relevanceDetector.mapCharacteristicsToCategories(characteristics);
+      relevantStandards = await mindmeld.relevanceDetector.loadStandardsFromFiles(categories, characteristics);
+      console.error(`[MindMeld] ${relevantStandards.length} standards from file fallback (scored)`);
     } else {
       if (standardsResult.status === 'rejected') {
         console.error(`[MindMeld] API fallback: ${standardsResult.reason.message}`);
@@ -893,6 +943,20 @@ async function cacheSubagentContext(standards, teamPatterns, projectName) {
   console.error(`[MindMeld] Cached subagent context (${sections.length} lines)`);
 }
 
+/**
+ * Get maturity tier prefix for a standard
+ * @param {string|undefined} maturityTier - The maturity_tier from the standard
+ * @returns {string} Prefix string based on tier
+ */
+function getMaturityPrefix(maturityTier) {
+  switch (maturityTier) {
+    case 'reinforced': return '**[MUST FOLLOW]** ';
+    case 'solidified': return '**[SHOULD FOLLOW]** ';
+    case 'provisional':
+    default: return '**[CONSIDER]** ';
+  }
+}
+
 /**
  * Format context injection for Claude Code
  * @param {object} data - Context data to inject
@@ -968,8 +1032,15 @@ function formatContextInjection(data) {
   const standards = [];
   const workflows = [];
 
+  const businessInvariants = [];
   if (relevantStandards && relevantStandards.length > 0) {
     for (const item of relevantStandards) {
+      // Separate business invariants from code standards
+      if (item.content_type === 'business_invariant') {
+        businessInvariants.push(item);
+        continue;
+      }
+
       // Detect workflows: check type flag, rule prefix, keywords, or structured examples
       const isWorkflow = item.type === 'workflow' ||
         (item.rule && item.rule.startsWith('WORKFLOW:')) ||
@@ -990,7 +1061,9 @@ function formatContextInjection(data) {
     sections.push('');
 
     for (const standard of standards) {
-      sections.push(`### ${standard.element}`);
+      const tierPrefix = getMaturityPrefix(standard.maturity_tier);
+      const lbPrefix = standard.load_bearing ? '[CRITICAL] ' : '';
+      sections.push(`### ${tierPrefix}${lbPrefix}${standard.element}`);
       sections.push(`**Category**: ${standard.category}`);
       // Add fingerprint to rule text
       sections.push(`**Rule**: ${standard.rule} ${fingerprintStr}`);
@@ -1018,6 +1091,11 @@ function formatContextInjection(data) {
         }
       }
 
+      if (standard.consequence_tier === 'IRREVERSIBLE' || standard.consequence_tier === 'EXTERNAL_SIDE_EFFECT') {
+        sections.push('');
+        sections.push('⚠️ CONSEQUENCE: This standard involves irreversible/external actions. Verify before proceeding.');
+      }
+
       sections.push('');
     }
   }
@@ -1033,7 +1111,8 @@ function formatContextInjection(data) {
         ? workflow.examples[0]
         : null;
 
-      sections.push(`### ${workflow.element} ${fingerprintStr}`);
+      const tierPrefix = getMaturityPrefix(workflow.maturity_tier);
+      sections.push(`### ${tierPrefix}${workflow.element} ${fingerprintStr}`);
       sections.push(`**Category**: ${workflow.category}`);
 
       if (workflowData) {
@@ -1085,6 +1164,32 @@ function formatContextInjection(data) {
     }
   }
 
+  // Business invariants (rendered with rationale and consequences)
+  if (businessInvariants.length > 0) {
+    sections.push('## Business Invariants');
+    sections.push('');
+
+    for (const invariant of businessInvariants) {
+      const tierPrefix = getMaturityPrefix(invariant.maturity_tier);
+      sections.push(`### ${tierPrefix}${invariant.element}`);
+      sections.push(`**Domain**: ${invariant.category}`);
+      sections.push(`**Invariant**: ${invariant.rule} ${fingerprintStr}`);
+      if (invariant.rationale) {
+        sections.push(`**Rationale**: ${invariant.rationale}`);
+      }
+      if (invariant.consequences) {
+        sections.push(`**If violated**: ${invariant.consequences}`);
+      }
+      if (invariant.exceptions && Array.isArray(invariant.exceptions) && invariant.exceptions.length > 0) {
+        sections.push('**Exceptions**:');
+        for (const ex of invariant.exceptions) {
+          sections.push(`- ${ex}`);
+        }
+      }
+      sections.push('');
+    }
+  }
+
   // Team patterns (high correlation only)
   if (teamPatterns && teamPatterns.length > 0) {
     sections.push('## Team Patterns');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@equilateral_ai/mindmeld",
-  "version": "3.4.0",
+  "version": "3.5.1",
   "description": "Intelligent standards injection for AI coding sessions - context-aware, self-documenting, scales to large codebases",
   "main": "src/index.js",
   "bin": {

package/scripts/auth-login.js

@@ -6,7 +6,9 @@
  * when no auth token is found. Opens browser for Cognito PKCE login,
  * waits for callback, saves tokens to ~/.mindmeld/auth.json.
  *
- * Reads .myworld.json from CWD to detect dev vs prod Cognito pool.
+ * Uses .mindmeld/config.json or .myworld.json (consumer projects only) for
+ * Cognito config. When running inside the MindMeld source repo, skips
+ * .myworld.json dev config and uses production defaults.
  *
  * Usage:
  *   node scripts/auth-login.js
@@ -19,23 +21,58 @@ const path = require('path');
 const { AuthManager } = require('../src/core/AuthManager');
 
 /**
- * Load Cognito config from .myworld.json if present
+ * Detect if we're running inside the MindMeld source repository
  */
-function loadCognitoConfig() {
+function isMindMeldSourceRepo() {
     try {
         const configPath = path.join(process.cwd(), '.myworld.json');
         const content = fs.readFileSync(configPath, 'utf-8');
         const config = JSON.parse(content);
-        const auth = config.deployments?.backend?.auth;
-        if (auth?.domain && auth?.client_id) {
+        return (config.project?.product || '').toLowerCase() === 'mindmeld';
+    } catch (error) {
+        return false;
+    }
+}
+
+/**
+ * Load Cognito config — .mindmeld/config.json first, then .myworld.json
+ * for consumer projects only. MindMeld source repo uses production defaults.
+ */
+function loadCognitoConfig() {
+    // 1. Explicit project config (always wins)
+    try {
+        const mindmeldConfigPath = path.join(process.cwd(), '.mindmeld', 'config.json');
+        const content = fs.readFileSync(mindmeldConfigPath, 'utf-8');
+        const config = JSON.parse(content);
+        if (config.auth?.cognitoDomain && config.auth?.cognitoClientId) {
             return {
-                cognitoDomain: `${auth.domain}.auth.us-east-2.amazoncognito.com`,
-                cognitoClientId: auth.client_id
+                cognitoDomain: config.auth.cognitoDomain,
+                cognitoClientId: config.auth.cognitoClientId
             };
         }
     } catch (error) {
-        // No .myworld.json — use production defaults
+        // No .mindmeld/config.json or no auth section
     }
+
+    // 2. .myworld.json — only for consumer projects
+    if (!isMindMeldSourceRepo()) {
+        try {
+            const configPath = path.join(process.cwd(), '.myworld.json');
+            const content = fs.readFileSync(configPath, 'utf-8');
+            const config = JSON.parse(content);
+            const auth = config.deployments?.backend?.auth;
+            if (auth?.domain && auth?.client_id) {
+                return {
+                    cognitoDomain: `${auth.domain}.auth.us-east-2.amazoncognito.com`,
+                    cognitoClientId: auth.client_id
+                };
+            }
+        } catch (error) {
+            // No .myworld.json
+        }
+    }
+
+    // 3. Production defaults (AuthManager has these built-in)
     return {};
 }
 

package/src/core/StandardsIngestion.js

@@ -921,7 +921,9 @@ class StandardsIngestion {
             examples = EXCLUDED.examples,
             cost_impact = EXCLUDED.cost_impact,
             keywords = EXCLUDED.keywords,
-            last_updated = NOW()
+            last_updated = NOW(),
+            last_seen_at = NOW(),
+            occurrence_count = COALESCE(rapport.standards_patterns.occurrence_count, 0) + 1
         `, [
           pattern.pattern_id,
           pattern.file_name,

package/src/handlers/collaborators/collaboratorList.js

@@ -6,7 +6,7 @@
  * Auth: Cognito JWT required
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, handleError } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, handleError, verifyProjectAccess } = require('./helpers');
 
 /**
  * List project collaborators
@@ -26,15 +26,9 @@ async function listCollaborators({ queryStringParameters: queryParams = {}, requ
             return createErrorResponse(400, 'projectId is required');
         }
 
-        // Check user has access to project
-        const accessQuery = `
-            SELECT pc.role
-            FROM rapport.project_collaborators pc
-            WHERE pc.project_id = $1 AND pc.email_address = $2
-        `;
-        const accessCheck = await executeQuery(accessQuery, [projectId, email]);
-
-        if (accessCheck.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(projectId, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'You do not have access to this project');
         }
 

package/src/handlers/correlations/correlationsProjectGet.js

@@ -13,7 +13,7 @@
  *   - Pattern effectiveness for project
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 const { CorrelationAnalyzer } = require('./core/CorrelationAnalyzer');
 
 exports.handler = wrapHandler(async (event, context) => {
@@ -33,21 +33,12 @@ exports.handler = wrapHandler(async (event, context) => {
     const queryParams = event.queryStringParameters || {};
     const lookbackDays = parseInt(queryParams.lookbackDays) || 30;
 
-    // Verify user has access to this project
-    const accessResult = await executeQuery(`
-        SELECT p.project_id, p.project_name, p.company_id
-        FROM rapport.projects p
-        JOIN rapport.project_collaborators pc ON p.project_id = pc.project_id
-        WHERE p.project_id = $1
-        AND pc.email_address = $2
-    `, [projectId, email]);
-
-    if (accessResult.rows.length === 0) {
+    // Verify user has access to this project (collaborator or company member)
+    const project = await verifyProjectAccess(projectId, email);
+    if (!project) {
         return createErrorResponse(403, 'Access denied to this project');
     }
 
-    const project = accessResult.rows[0];
-
     // Initialize analyzer
     const analyzer = new CorrelationAnalyzer();
 

package/src/handlers/github/githubDiscoverPatterns.js

@@ -12,7 +12,7 @@
  * - Maps tech stack to relevant YAML standards categories
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 const { LLMPatternDetector } = require('./core/LLMPatternDetector');
 const crypto = require('crypto');
 const https = require('https');
@@ -247,13 +247,9 @@ async function githubDiscoverPatterns({ body, requestContext }) {
 
         const targetBranch = branch || 'main';
 
-        // Verify user has access to project
-        const accessResult = await executeQuery(`
-            SELECT role FROM rapport.project_collaborators
-            WHERE project_id = $1 AND email_address = $2
-        `, [project_id, email]);
-
-        if (accessResult.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(project_id, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Access denied to project');
         }
 

package/src/handlers/github/githubPatternsReview.js

@@ -6,7 +6,7 @@
  * Body: { project_id, approvals: [{ discovery_id, approved }] }
  */
 
-const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse } = require('./helpers');
+const { wrapHandler, executeQuery, createSuccessResponse, createErrorResponse, verifyProjectAccess } = require('./helpers');
 
 async function githubPatternsReview({ body, requestContext }) {
     try {
@@ -21,13 +21,9 @@ async function githubPatternsReview({ body, requestContext }) {
             return createErrorResponse(400, 'project_id and approvals array are required');
         }
 
-        // Verify user has access to project
-        const accessResult = await executeQuery(`
-            SELECT role FROM rapport.project_collaborators
-            WHERE project_id = $1 AND email_address = $2
-        `, [project_id, email]);
-
-        if (accessResult.rowCount === 0) {
+        // Verify user has access to project (collaborator or company member)
+        const projectAccess = await verifyProjectAccess(project_id, email);
+        if (!projectAccess) {
             return createErrorResponse(403, 'Access denied to project');
         }
 

package/src/handlers/helpers/decisionFrames.js

@@ -0,0 +1,29 @@
+const { executeQuery } = require('./index');
+
+async function createFrame({ projectId, sessionId, standardIds, confidence, context }) {
+    const result = await executeQuery(`
+        INSERT INTO rapport.decision_frames (project_id, session_id, standard_ids, confidence, context)
+        VALUES ($1, $2, $3, $4, $5)
+        RETURNING frame_id, created_at
+    `, [projectId, sessionId || null, standardIds, confidence || 0, JSON.stringify(context || {})]);
+    return result.rows[0];
+}
+
+async function getFrame(frameId) {
+    const result = await executeQuery(`
+        SELECT * FROM rapport.decision_frames WHERE frame_id = $1
+    `, [frameId]);
+    return result.rows[0] || null;
+}
+
+async function getProjectFrames(projectId, limit = 20) {
+    const result = await executeQuery(`
+        SELECT * FROM rapport.decision_frames
+        WHERE project_id = $1
+        ORDER BY created_at DESC
+        LIMIT $2
+    `, [projectId, limit]);
+    return result.rows;
+}
+
+module.exports = { createFrame, getFrame, getProjectFrames };

package/src/handlers/helpers/index.js

@@ -44,6 +44,9 @@ const {
     getAddonPriceId
 } = require('./subscriptionTiers');
 const checkSuperAdmin = require('./checkSuperAdmin');
+const { verifyProjectAccess, verifyProjectRole } = require('./projectAccess');
+const { getPredictedStandards, logStandardsActivation } = require('./predictiveCache');
+const { createFrame, getFrame, getProjectFrames } = require('./decisionFrames');
 const {
     AuditEventType,
     EntityType,
@@ -112,6 +115,17 @@ module.exports = {
 
     // Authorization
     checkSuperAdmin,
+    verifyProjectAccess,
+    verifyProjectRole,
+
+    // Predictive standards caching
+    getPredictedStandards,
+    logStandardsActivation,
+
+    // Decision frames
+    createFrame,
+    getFrame,
+    getProjectFrames,
 
     // Audit logging
     AuditEventType,