@equilateral_ai/mindmeld 3.4.0 → 3.5.1

package/src/handlers/helpers/mindmeldMcpCore.js

@@ -0,0 +1,1103 @@
+/**
+ * MindMeld MCP Core — Shared business logic for MCP handlers
+ *
+ * Extracted from mindmeldMcpHandler.js so both the API Gateway handler
+ * and the Lambda Function URL streaming handler can share the same
+ * JSON-RPC router, auth, tool implementations, and scoring.
+ *
+ * Auth: X-MindMeld-Token header OR Authorization: Bearer token
+ */
+
+const { executeQuery } = require('./dbOperations');
+const crypto = require('crypto');
+const { BedrockRuntimeClient, InvokeModelCommand } = require('@aws-sdk/client-bedrock-runtime');
+
+let _bedrockClient = null;
+function getBedrockClient() {
+    if (!_bedrockClient) {
+        _bedrockClient = new BedrockRuntimeClient({ region: 'us-east-2' });
+    }
+    return _bedrockClient;
+}
+
+const SERVER_INFO = {
+    name: 'mindmeld',
+    version: '0.2.0',
+    description: 'Standards injection and governance for AI-assisted development'
+};
+
+const PROTOCOL_VERSION = '2025-03-26';
+
+const CORS_HEADERS = {
+    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Methods': 'POST, GET, DELETE, OPTIONS',
+    'Access-Control-Allow-Headers': 'Content-Type, Accept, Mcp-Session-Id, X-MindMeld-Token, Authorization',
+};
+
+// ============================================================
+// Category Weights (same as standardsRelevantPost.js)
+// ============================================================
+
+const CATEGORY_WEIGHTS = {
+    // Code standard categories
+    'serverless-saas-aws': 1.0,
+    'frontend-development': 1.0,
+    'database': 0.9,
+    'backend': 0.9,
+    'compliance-security': 0.9,
+    'deployment': 0.8,
+    'testing': 0.7,
+    'real-time-systems': 0.7,
+    'well-architected': 0.7,
+    'cost-optimization': 0.7,
+    'multi-agent-orchestration': 0.1,
+    // Business domains
+    'ip-strategy': 0.6,
+    'architecture-decisions': 0.8,
+    'go-to-market': 0.6,
+    'operations': 0.5,
+    'legal-process': 0.5,
+    'finance': 0.5,
+    'communication': 0.4,
+    'product-strategy': 0.6,
+    'investor-relations': 0.4,
+};
+
+// ============================================================
+// Tool Definitions
+// ============================================================
+
+const TOOLS = [
+    {
+        name: 'mindmeld_init_session',
+        description: 'Initialize a MindMeld standards injection session. Scans project context, identifies relevant standards, returns injected rules and session token.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                project_path: { type: 'string', description: 'Absolute path to the project root' },
+                task_description: { type: 'string', description: 'Optional: what the developer intends to work on this session' },
+                team_id: { type: 'string', description: 'Team identifier for corpus lookup. Uses personal corpus if omitted.' }
+            },
+            required: ['project_path']
+        }
+    },
+    {
+        name: 'mindmeld_record_correction',
+        description: 'Record a correction to AI output. Feeds the standards maturity pipeline. Corrections drive pattern detection and eventually promote to Provisional standards.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                session_id: { type: 'string', description: 'Session token from mindmeld_init_session' },
+                original_output: { type: 'string', description: 'What the AI generated' },
+                corrected_output: { type: 'string', description: 'What the developer changed it to' },
+                correction_note: { type: 'string', description: 'Optional: developer explanation of why the correction was made' },
+                file_context: { type: 'string', description: 'Optional: filename or path where correction occurred' }
+            },
+            required: ['session_id', 'original_output', 'corrected_output']
+        }
+    },
+    {
+        name: 'mindmeld_get_standards',
+        description: 'On-demand lookup for specific standards or maturity status. Use for UI display, not injection — mindmeld_init_session handles injection.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                team_id: { type: 'string', description: 'Team identifier (optional, resolved from token)' },
+                filter: {
+                    type: 'object',
+                    properties: {
+                        maturity: { type: 'array', items: { type: 'string' }, description: 'Filter by maturity: provisional, solidified, reinforced' },
+                        content_type: { type: 'string', enum: ['code_standard', 'business_invariant'], description: 'Filter by content type. Omit for all.' },
+                        domain: { type: 'string', description: 'Filter by domain (e.g., "ip-strategy", "architecture-decisions"). Omit for all.' },
+                        source: { type: 'string', description: 'Filter by corpus source (e.g., "equilateral-standards", "mcp-extraction", "nist-800-53"). Omit for all.' },
+                        standard_name: { type: 'string', description: 'Filter by standard name (partial match)' },
+                        limit: { type: 'integer', description: 'Max results (default 20)' }
+                    }
+                }
+            }
+        }
+    },
+    {
+        name: 'mindmeld_ingest_raw_session',
+        description: 'Extract business invariants from a raw conversation transcript using LLM analysis. Returns invariant candidates in BUSINESS-SCHEMA shape with confidence scores. Use dry_run=true to preview before committing.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                session_text: {
+                    type: 'string',
+                    description: 'Raw conversation transcript to extract invariants from'
+                },
+                source_label: {
+                    type: 'string',
+                    description: 'Label for provenance tracking (e.g., "claude-chat-2026-02-24-patent-filing")'
+                },
+                domain_hint: {
+                    type: 'string',
+                    description: 'Optional domain hint to guide classification (e.g., "ip-strategy", "architecture-decisions")'
+                },
+                auto_maturity: {
+                    type: 'string',
+                    enum: ['provisional', 'solidified'],
+                    description: 'Maturity level for extracted invariants. Default: "provisional". Only use "solidified" when multiple independent sessions have validated the same decision.'
+                },
+                dry_run: {
+                    type: 'boolean',
+                    description: 'If true, return extracted candidates without committing to corpus. Default: true'
+                },
+                model: {
+                    type: 'string',
+                    enum: ['haiku', 'sonnet', 'opus'],
+                    description: 'Claude model for extraction. haiku=fast/cheap, sonnet=balanced (default), opus=deepest extraction'
+                }
+            },
+            required: ['session_text', 'source_label']
+        }
+    }
+];
+
+// ============================================================
+// Auth: API Token Validation
+// ============================================================
+
+/**
+ * Validate a Cognito JWT access token.
+ * Decodes the JWT, verifies issuer and expiry, looks up user by email.
+ * Full signature verification uses Cognito JWKS (cached).
+ */
+let _jwksCache = null;
+let _jwksCacheTime = 0;
+const COGNITO_ISSUER = 'https://cognito-idp.us-east-2.amazonaws.com/us-east-2_638OhwuV1';
+const JWKS_URL = `${COGNITO_ISSUER}/.well-known/jwks.json`;
+const JWKS_CACHE_TTL = 3600000; // 1 hour
+
+async function fetchJwks() {
+    if (_jwksCache && (Date.now() - _jwksCacheTime) < JWKS_CACHE_TTL) {
+        return _jwksCache;
+    }
+    const https = require('https');
+    return new Promise((resolve, reject) => {
+        https.get(JWKS_URL, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => {
+                try {
+                    _jwksCache = JSON.parse(data);
+                    _jwksCacheTime = Date.now();
+                    resolve(_jwksCache);
+                } catch (e) { reject(e); }
+            });
+        }).on('error', reject);
+    });
+}
+
+function base64UrlDecode(str) {
+    str = str.replace(/-/g, '+').replace(/_/g, '/');
+    while (str.length % 4) str += '=';
+    return Buffer.from(str, 'base64');
+}
+
+async function validateCognitoJwt(token) {
+    // Decode header and payload without verification first
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    let header, payload;
+    try {
+        header = JSON.parse(base64UrlDecode(parts[0]).toString());
+        payload = JSON.parse(base64UrlDecode(parts[1]).toString());
+    } catch (e) { return null; }
+
+    // Check issuer and expiry
+    if (payload.iss !== COGNITO_ISSUER) return null;
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) return null;
+    if (payload.token_use !== 'access') return null;
+
+    // Verify signature using JWKS
+    try {
+        const jwks = await fetchJwks();
+        const key = jwks.keys?.find(k => k.kid === header.kid);
+        if (!key) return null;
+
+        // Build RSA public key from JWK
+        const keyObject = crypto.createPublicKey({ key, format: 'jwk' });
+        const verify = crypto.createVerify('RSA-SHA256');
+        verify.update(`${parts[0]}.${parts[1]}`);
+        if (!verify.verify(keyObject, base64UrlDecode(parts[2]))) return null;
+    } catch (e) {
+        console.error('[MCP] JWT signature verification failed:', e.message);
+        return null;
+    }
+
+    // Extract user info — Cognito access tokens have 'username' and 'sub'
+    return {
+        sub: payload.sub,
+        username: payload.username,
+        email: payload.username, // Cognito username is typically email
+        scope: payload.scope,
+    };
+}
+
+async function validateApiToken(headers) {
+    // Support multiple auth methods:
+    // 1. X-MindMeld-Token: mm_live_xxx (existing clients, stdio bridge)
+    // 2. Authorization: Bearer mm_live_xxx (API token)
+    // 3. Authorization: Bearer <cognito-jwt> (OAuth via Cognito)
+    let token = headers['x-mindmeld-token'] || headers['X-MindMeld-Token'];
+
+    if (!token) {
+        const authHeader = headers['authorization'] || headers['Authorization'];
+        if (authHeader && authHeader.startsWith('Bearer ')) {
+            token = authHeader.substring(7).trim();
+        }
+    }
+
+    if (!token) {
+        return { error: 'auth_required', message: 'Authentication required.' };
+    }
+
+    // Check if token looks like a JWT (has 3 dot-separated parts, starts with eyJ)
+    if (token.startsWith('eyJ') && token.split('.').length === 3) {
+        const jwtUser = await validateCognitoJwt(token);
+        if (!jwtUser) {
+            return { error: 'auth_invalid', message: 'Invalid or expired OAuth token' };
+        }
+
+        // Look up user by email/username in our database
+        const result = await executeQuery(`
+            SELECT u.email_address, c.client_id, c.subscription_tier, c.subscription_status,
+                   ue.company_id
+            FROM rapport.users u
+            JOIN rapport.user_entitlements ue ON u.email_address = ue.email_address
+            JOIN rapport.clients c ON ue.client_id = c.client_id
+            WHERE u.email_address = $1 OR u.cognito_sub = $2
+            LIMIT 1
+        `, [jwtUser.email, jwtUser.sub]);
+
+        if (result.rows.length === 0) {
+            return { error: 'auth_invalid', message: 'User not found. Sign up at mindmeld.dev' };
+        }
+
+        const row = result.rows[0];
+        if (!row.subscription_tier || row.subscription_tier === 'free') {
+            return { error: 'auth_invalid', message: 'Active MindMeld subscription required. Subscribe at app.mindmeld.dev' };
+        }
+
+        return {
+            user: {
+                email: row.email_address,
+                client_id: row.client_id,
+                company_id: row.company_id,
+                subscription_tier: row.subscription_tier
+            }
+        };
+    }
+
+    // API token path (mm_live_xxx)
+    const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+
+    const result = await executeQuery(`
+        SELECT t.token_id, t.email_address, t.client_id, t.company_id,
+               c.subscription_tier, c.subscription_status
+        FROM rapport.api_tokens t
+        JOIN rapport.clients c ON t.client_id = c.client_id
+        WHERE t.token_hash = $1
+          AND t.status = 'active'
+    `, [tokenHash]);
+
+    if (result.rows.length === 0) {
+        return { error: 'auth_invalid', message: 'Invalid or expired API token' };
+    }
+
+    const row = result.rows[0];
+
+    // Require active subscription (no free tier)
+    if (!row.subscription_tier || row.subscription_tier === 'free') {
+        return { error: 'auth_invalid', message: 'Active MindMeld subscription required. Subscribe at app.mindmeld.dev' };
+    }
+
+    // Fire-and-forget: update usage stats
+    executeQuery(
+        'UPDATE rapport.api_tokens SET last_used_at = NOW(), request_count = request_count + 1 WHERE token_id = $1',
+        [row.token_id]
+    ).catch(() => {});
+
+    return {
+        user: {
+            email: row.email_address,
+            client_id: row.client_id,
+            company_id: row.company_id,
+            subscription_tier: row.subscription_tier
+        }
+    };
+}
+
+// ============================================================
+// Relevance Scoring (same algorithm as standardsRelevantPost.js)
+// ============================================================
+
+function rankStandards(standards, recentCategories) {
+    return standards.map(standard => {
+        let score = 0;
+        score += (standard.correlation || 1.0) * 40;
+
+        const maturityScores = { enforced: 30, reinforced: 25, validated: 20, solidified: 15, recommended: 10, provisional: 5 };
+        score += maturityScores[standard.maturity] || 0;
+
+        const categoryWeight = CATEGORY_WEIGHTS[standard.category] || 0.5;
+        score += categoryWeight * 20;
+
+        if (standard.applicable_files && standard.applicable_files.length > 0) score += 5;
+        if (standard.cost_impact && standard.cost_impact.severity === 'critical') score += 10;
+
+        if (standard.anti_patterns) {
+            const apCount = Array.isArray(standard.anti_patterns)
+                ? standard.anti_patterns.length
+                : Object.keys(standard.anti_patterns).length;
+            if (apCount > 0) score += 5;
+        }
+
+        const isWorkflow = (standard.rule && standard.rule.startsWith('WORKFLOW:'))
+            || (Array.isArray(standard.keywords) && standard.keywords.includes('workflow'));
+        if (isWorkflow) score += 10;
+
+        if (standard.rationale) score += 5;
+
+        if (recentCategories && recentCategories[standard.category]) {
+            const usageCount = recentCategories[standard.category];
+            let rawBonus;
+            if (usageCount >= 8) rawBonus = 25;
+            else if (usageCount >= 4) rawBonus = 18;
+            else rawBonus = 10;
+            score += rawBonus * categoryWeight;
+        }
+
+        return { ...standard, relevance_score: Math.round(score * 10) / 10 };
+    }).sort((a, b) => b.relevance_score - a.relevance_score);
+}
+
+// ============================================================
+// Formatted Injection (same format as hooks/session-start.js)
+// ============================================================
+
+function formatInjection(sessionId, standards) {
+    const sections = [];
+
+    sections.push('# MindMeld Standards Injection');
+    sections.push(`<!-- session:${sessionId} -->`);
+    sections.push('');
+    sections.push('\u00A9 2025 Equilateral AI (Pareidolia LLC). All rights reserved.');
+    sections.push('Licensed for use within MindMeld platform only. Redistribution prohibited.');
+    sections.push('');
+
+    const codeStandards = standards.filter(s => s.content_type !== 'business_invariant');
+    const businessInvariants = standards.filter(s => s.content_type === 'business_invariant');
+
+    if (codeStandards.length > 0) {
+        sections.push('## Relevant Standards');
+        sections.push('');
+
+        for (const standard of codeStandards) {
+            sections.push(`### ${standard.element}`);
+            sections.push(`**Category**: ${standard.category}`);
+            sections.push(`**Rule**: ${standard.rule}`);
+
+            if (standard.examples && standard.examples.length > 0) {
+                const example = standard.examples[0];
+                const exampleCode = typeof example === 'string' ? example : (example?.code || example?.description || '');
+                if (exampleCode) {
+                    sections.push('');
+                    sections.push('**Example**:');
+                    sections.push('```javascript');
+                    sections.push(exampleCode);
+                    sections.push('```');
+                }
+            }
+
+            if (standard.anti_patterns && standard.anti_patterns.length > 0) {
+                sections.push('');
+                sections.push('**Anti-patterns**:');
+                for (const ap of standard.anti_patterns) {
+                    const desc = typeof ap === 'string' ? ap : (ap?.description || '');
+                    if (desc) sections.push(`- \u274C ${desc}`);
+                }
+            }
+
+            sections.push('');
+        }
+    }
+
+    if (businessInvariants.length > 0) {
+        sections.push('## Business Invariants');
+        sections.push('');
+
+        for (const invariant of businessInvariants) {
+            sections.push(`### ${invariant.element}`);
+            sections.push(`**Domain**: ${invariant.category}`);
+            sections.push(`**Invariant**: ${invariant.rule}`);
+            if (invariant.rationale) {
+                sections.push(`**Rationale**: ${invariant.rationale}`);
+            }
+            if (invariant.consequences) {
+                sections.push(`**If violated**: ${invariant.consequences}`);
+            }
+            if (invariant.exceptions && Array.isArray(invariant.exceptions) && invariant.exceptions.length > 0) {
+                sections.push('**Exceptions**:');
+                for (const ex of invariant.exceptions) {
+                    sections.push(`- ${ex}`);
+                }
+            }
+            sections.push('');
+        }
+    }
+
+    sections.push('---');
+    sections.push('*Context provided by MindMeld - mindmeld.dev*');
+
+    return sections.join('\n');
+}
+
+// ============================================================
+// Tool Implementations
+// ============================================================
+
+async function callTool(name, args, user) {
+    switch (name) {
+        case 'mindmeld_init_session':
+            return await toolInitSession(args, user);
+        case 'mindmeld_record_correction':
+            return await toolRecordCorrection(args, user);
+        case 'mindmeld_get_standards':
+            return await toolGetStandards(args, user);
+        case 'mindmeld_ingest_raw_session':
+            return await toolIngestRawSession(args, user);
+        default:
+            throw new Error(`Unknown tool: ${name}`);
+    }
+}
+
+async function toolInitSession(args, user) {
+    const { project_path, task_description } = args;
+    const sessionId = crypto.randomUUID();
+
+    // Try to match project by name for the user's company, auto-create if not found
+    let projectId = null;
+    const projectName = project_path ? project_path.split('/').filter(Boolean).pop() : 'default';
+    try {
+        const projectResult = await executeQuery(`
+            SELECT project_id FROM rapport.projects
+            WHERE company_id = $1 AND LOWER(project_name) = LOWER($2)
+            LIMIT 1
+        `, [user.company_id, projectName]);
+        if (projectResult.rows.length > 0) {
+            projectId = projectResult.rows[0].project_id;
+        } else {
+            // Auto-create project so session INSERT never fails on NOT NULL
+            const newId = crypto.randomUUID();
+            await executeQuery(`
+                INSERT INTO rapport.projects (project_id, company_id, project_name, description, created_at)
+                VALUES ($1, $2, $3, $4, NOW())
+                ON CONFLICT (project_id) DO NOTHING
+            `, [newId, user.company_id, projectName, `Auto-created from MCP session (${project_path || 'no path'})`]);
+            projectId = newId;
+        }
+    } catch (err) {
+        console.error('[MCP] Project lookup/create failed:', err.message);
+    }
+
+    // Get recency data for scoring boost
+    const recentCategories = {};
+    try {
+        const recencyResult = await executeQuery(`
+            SELECT sp.category, COUNT(*) as usage_count
+            FROM rapport.session_standards ss
+            JOIN rapport.sessions s ON s.session_id = ss.session_id
+            JOIN rapport.standards_patterns sp ON sp.pattern_id = ss.standard_id
+            WHERE s.email_address = $1
+                AND s.started_at >= NOW() - INTERVAL '7 days'
+            GROUP BY sp.category
+            ORDER BY usage_count DESC LIMIT 5
+        `, [user.email]);
+        for (const row of recencyResult.rows) {
+            recentCategories[row.category] = parseInt(row.usage_count, 10);
+        }
+    } catch (err) {
+        console.error('[MCP] Recency query failed:', err.message);
+    }
+
+    // Default to broad categories (no filesystem scanning in Lambda)
+    // Includes business domains so invariants can surface via recency boost
+    const categories = [
+        'serverless-saas-aws', 'frontend-development', 'database', 'backend',
+        'compliance-security', 'well-architected', 'cost-optimization', 'deployment', 'testing',
+        'ip-strategy', 'architecture-decisions', 'go-to-market', 'operations',
+        'legal-process', 'finance', 'communication', 'product-strategy', 'investor-relations'
+    ];
+
+    // Merge recency categories
+    for (const cat of Object.keys(recentCategories)) {
+        if (!categories.includes(cat)) categories.push(cat);
+    }
+
+    // Query standards — tenant-isolated via get_effective_standards()
+    const maturityList = ['enforced', 'validated', 'recommended', 'provisional', 'solidified', 'reinforced'];
+    const result = await executeQuery(`
+        SELECT * FROM rapport.get_effective_standards($1, $2::varchar[], $3::varchar[])
+        ORDER BY CASE WHEN maturity = 'enforced' THEN 1 WHEN maturity = 'reinforced' THEN 2
+                      WHEN maturity = 'validated' THEN 3 WHEN maturity = 'solidified' THEN 4 ELSE 5 END,
+                 correlation DESC
+    `, [user.company_id, categories, maturityList]);
+
+    if (result.rows.length === 0) {
+        return {
+            content: [{ type: 'text', text: JSON.stringify({ error: 'corpus_empty', message: 'No standards found in corpus' }) }],
+            isError: true
+        };
+    }
+
+    // Rank, deduplicate, apply diversity caps
+    let ranked = rankStandards(result.rows, recentCategories);
+
+    const seenElements = new Set();
+    ranked = ranked.filter(s => {
+        if (seenElements.has(s.element)) return false;
+        seenElements.add(s.element);
+        return true;
+    });
+
+    const MAX_PER_CATEGORY = 2;
+    const MAX_PER_TITLE = 1;
+    const top = [];
+    const categoryCounts = {};
+    const titleCounts = {};
+    for (const standard of ranked) {
+        const cat = standard.category;
+        const title = standard.title || standard.element;
+        categoryCounts[cat] = (categoryCounts[cat] || 0) + 1;
+        titleCounts[title] = (titleCounts[title] || 0) + 1;
+        if (categoryCounts[cat] <= MAX_PER_CATEGORY && titleCounts[title] <= MAX_PER_TITLE) {
+            top.push(standard);
+            if (top.length >= 10) break;
+        }
+    }
+
+    // Format injection markdown
+    const formattedInjection = formatInjection(sessionId, top);
+
+    // Record session first (must complete before session_standards FK references it)
+    try {
+        await executeQuery(`
+            INSERT INTO rapport.sessions (session_id, project_id, email_address, started_at, session_data)
+            VALUES ($1, $2, $3, NOW(), $4)
+            ON CONFLICT (session_id) DO NOTHING
+        `, [sessionId, projectId, user.email, JSON.stringify({ source: 'mcp', task_description: task_description || null })]);
+
+        // Now safe to insert session_standards — session row exists
+        for (const standard of top) {
+            await executeQuery(`
+                INSERT INTO rapport.session_standards (session_id, standard_id, standard_name, relevance_score, created_at)
+                VALUES ($1, $2, $3, $4, NOW())
+                ON CONFLICT (session_id, standard_id) DO UPDATE SET relevance_score = EXCLUDED.relevance_score
+            `, [sessionId, standard.pattern_id, standard.element, standard.relevance_score]);
+        }
+    } catch (err) {
+        console.error('[MCP] Session/standards record failed:', err.message);
+    }
+
+    // Get corpus size for summary
+    let corpusSize = result.rows.length;
+    try {
+        const countResult = await executeQuery('SELECT COUNT(*) as cnt FROM rapport.standards_patterns');
+        corpusSize = parseInt(countResult.rows[0].cnt, 10);
+    } catch (err) {
+        // Use result count as fallback
+    }
+
+    const response = {
+        session_id: sessionId,
+        injected_rules: top.map(s => ({
+            rule_id: s.pattern_id,
+            standard: s.element,
+            maturity: s.maturity,
+            text: s.rule,
+            relevance_score: s.relevance_score
+        })),
+        injection_summary: {
+            rule_count: top.length,
+            token_estimate: Math.ceil(formattedInjection.length / 4),
+            standards_matched: ranked.length,
+            corpus_size: corpusSize
+        },
+        formatted_injection: formattedInjection
+    };
+
+    return { content: [{ type: 'text', text: JSON.stringify(response, null, 2) }] };
+}
+
+async function toolRecordCorrection(args, user) {
+    const { session_id, original_output, corrected_output, correction_note, file_context } = args;
+    const correctionId = crypto.randomUUID();
+
+    // Simple pattern match: check if correction keywords match any existing standard rules
+    let matchedStandardId = null;
+    let patternDetected = false;
+    try {
+        // Extract significant words from the correction
+        const correctionWords = corrected_output.toLowerCase().split(/\s+/).filter(w => w.length > 4);
+        if (correctionWords.length > 0) {
+            const searchTerms = correctionWords.slice(0, 5).join(' | ');
+            const matchResult = await executeQuery(`
+                SELECT pattern_id, element FROM rapport.standards_patterns
+                WHERE to_tsvector('english', rule) @@ to_tsquery('english', $1)
+                LIMIT 1
+            `, [searchTerms]);
+            if (matchResult.rows.length > 0) {
+                matchedStandardId = matchResult.rows[0].pattern_id;
+                patternDetected = true;
+            }
+        }
+    } catch (err) {
+        console.error('[MCP] Pattern match failed:', err.message);
+    }
+
+    // Store correction
+    await executeQuery(`
+        INSERT INTO rapport.mcp_corrections
+            (correction_id, session_id, email_address, company_id, original_output,
+             corrected_output, correction_note, file_context, matched_standard_id, status)
+        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, 'recorded')
+    `, [correctionId, session_id, user.email, user.company_id,
+        original_output, corrected_output, correction_note || null,
+        file_context || null, matchedStandardId]);
+
+    const response = {
+        correction_id: correctionId,
+        pattern_detected: patternDetected,
+        matched_standard: matchedStandardId,
+        status: 'recorded'
+    };
+
+    return { content: [{ type: 'text', text: JSON.stringify(response, null, 2) }] };
+}
+
+async function toolGetStandards(args, user) {
+    const filter = args.filter || {};
+    const limit = Math.min(parseInt(filter.limit) || 20, 100);
+    const maturityFilter = filter.maturity;
+    const nameFilter = filter.standard_name;
+    const contentTypeFilter = filter.content_type;
+    const domainFilter = filter.domain;
+    const sourceFilter = filter.source;
+
+    let query = `
+        SELECT pattern_id as standard_id, element as name, maturity, source,
+               content_type, domain, rule, rationale, consequences, exceptions, source_context,
+               COUNT(*) OVER() as total_count,
+               (SELECT COUNT(*) FROM rapport.session_standards WHERE standard_id = sp.pattern_id) as session_count
+        FROM rapport.standards_patterns sp
+        WHERE (company_id IS NULL OR company_id = $1)
+    `;
+    const params = [user.company_id];
+
+    if (maturityFilter && Array.isArray(maturityFilter) && maturityFilter.length > 0) {
+        params.push(maturityFilter);
+        query += ` AND maturity = ANY($${params.length}::varchar[])`;
+    }
+
+    if (contentTypeFilter) {
+        params.push(contentTypeFilter);
+        query += ` AND content_type = $${params.length}`;
+    }
+
+    if (domainFilter) {
+        params.push(domainFilter);
+        query += ` AND domain = $${params.length}`;
+    }
+
+    if (sourceFilter) {
+        params.push(sourceFilter);
+        query += ` AND source = $${params.length}`;
+    }
+
+    if (nameFilter) {
+        params.push(`%${nameFilter}%`);
+        query += ` AND (element ILIKE $${params.length} OR title ILIKE $${params.length})`;
+    }
+
+    query += ` ORDER BY maturity DESC, element ASC`;
+    params.push(limit);
+    query += ` LIMIT $${params.length}`;
+
+    const result = await executeQuery(query, params);
+
+    // Corpus summary
+    const summaryResult = await executeQuery(`
+        SELECT
+            COUNT(*) as total_standards,
+            COUNT(*) FILTER (WHERE content_type = 'code_standard' OR content_type IS NULL) as code_standards_count,
+            COUNT(*) FILTER (WHERE content_type = 'business_invariant') as business_invariants_count,
+            COUNT(*) FILTER (WHERE maturity IN ('enforced', 'reinforced')) as reinforced_count,
+            COUNT(*) FILTER (WHERE maturity IN ('validated', 'solidified')) as solidified_count,
+            COUNT(*) FILTER (WHERE maturity IN ('recommended', 'provisional')) as provisional_count
+        FROM rapport.standards_patterns
+    `);
+    const sourcesResult = await executeQuery(`
+        SELECT source, COUNT(*) as count
+        FROM rapport.standards_patterns
+        GROUP BY source
+        ORDER BY count DESC
+    `);
+    const summary = summaryResult.rows[0] || {};
+    const sourceBreakdown = {};
+    for (const row of sourcesResult.rows) {
+        sourceBreakdown[row.source || 'unknown'] = parseInt(row.count, 10);
+    }
+
+    const response = {
+        standards: result.rows.map(r => {
+            const entry = {
+                standard_id: r.standard_id,
+                name: r.name,
+                content_type: r.content_type || 'code_standard',
+                source: r.source,
+                maturity: r.maturity,
+                session_count: parseInt(r.session_count, 10) || 0,
+            };
+            if (r.content_type === 'business_invariant') {
+                entry.domain = r.domain;
+                entry.invariant = r.rule;
+                entry.rationale = r.rationale;
+                entry.consequences = r.consequences;
+                if (r.exceptions && Array.isArray(r.exceptions) && r.exceptions.length > 0) {
+                    entry.exceptions = r.exceptions;
+                }
+                if (r.source_context) entry.source_label = r.source_context;
+            }
+            return entry;
+        }),
+        corpus_summary: {
+            total_standards: parseInt(summary.total_standards, 10) || 0,
+            code_standards: parseInt(summary.code_standards_count, 10) || 0,
+            business_invariants: parseInt(summary.business_invariants_count, 10) || 0,
+            reinforced_count: parseInt(summary.reinforced_count, 10) || 0,
+            solidified_count: parseInt(summary.solidified_count, 10) || 0,
+            provisional_count: parseInt(summary.provisional_count, 10) || 0,
+            by_source: sourceBreakdown,
+        }
+    };
+
+    return { content: [{ type: 'text', text: JSON.stringify(response, null, 2) }] };
+}
+
+// ============================================================
+// Tool: Ingest Raw Session (LLM Extraction)
+// ============================================================
+
+async function toolIngestRawSession(args, user) {
+    const {
+        session_text,
+        source_label,
+        domain_hint,
+        auto_maturity = 'provisional',
+        dry_run = true,
+        model = 'sonnet'
+    } = args;
+
+    const MODEL_IDS = {
+        haiku: 'us.anthropic.claude-haiku-4-5-20251001-v1:0',
+        sonnet: 'us.anthropic.claude-sonnet-4-5-20250929-v1:0',
+        opus: 'us.anthropic.claude-opus-4-5-20251101-v1:0'
+    };
+    const modelId = MODEL_IDS[model] || MODEL_IDS.sonnet;
+
+    // Validate input size
+    if (!session_text || session_text.length < 100) {
+        return { content: [{ type: 'text', text: JSON.stringify({
+            error: 'session_text_too_short',
+            message: 'Conversation text must be at least 100 characters'
+        }) }], isError: true };
+    }
+    if (session_text.length > 200000) {
+        return { content: [{ type: 'text', text: JSON.stringify({
+            error: 'session_text_too_long',
+            message: 'Conversation text must be under 200,000 characters. Split into smaller segments.'
+        }) }], isError: true };
+    }
+
+    // --- LLM Extraction ---
+    const systemPrompt = `You are an expert at identifying organizational knowledge, business rules, and architectural decisions from conversation transcripts.
+
+Your task: Extract business invariants — rules, constraints, decisions, and standards that an organization should follow consistently.
+
+A business invariant is NOT:
+- A one-time task or action item
+- A personal preference without organizational impact
+- A fact or observation without a prescriptive element
+- Code-level implementation details (those are code standards, not business invariants)
+
+A business invariant IS:
+- A decision that constrains future behavior ("always do X", "never do Y")
+- A rule with organizational reasoning behind it
+- A constraint that has consequences if violated
+- A standard that should be consistently applied across similar situations
+
+For each invariant found, output:
+- id: kebab-case unique identifier
+- domain: one of [ip-strategy, architecture-decisions, go-to-market, operations, legal-process, finance, communication, product-strategy, investor-relations]
+- priority: 10 (critical), 20 (important), or 30 (advisory)
+- invariant: the rule as a single, complete statement
+- rationale: WHY this is the standard (the reasoning, not just the rule)
+- consequences: what goes wrong if this is violated
+- applies_to: array of activities this constrains
+- exceptions: array of when this doesn't apply (empty array if universal)
+- confidence: 0.0-1.0 how confident you are this is a real organizational invariant vs a one-time comment
+
+Output valid JSON only. No markdown, no explanation. Format:
+{ "invariants": [...] }
+
+If no business invariants are found, return { "invariants": [] }.`;
+
+    const userPrompt = domain_hint
+        ? `Extract business invariants from this conversation. Domain hint: ${domain_hint}\n\n---\n\n${session_text}`
+        : `Extract business invariants from this conversation.\n\n---\n\n${session_text}`;
+
+    let candidates;
+    try {
+        const client = getBedrockClient();
+        const command = new InvokeModelCommand({
+            modelId: modelId,
+            contentType: 'application/json',
+            accept: 'application/json',
+            body: JSON.stringify({
+                anthropic_version: 'bedrock-2023-05-31',
+                max_tokens: 16384,
+                system: systemPrompt,
+                messages: [{ role: 'user', content: userPrompt }]
+            })
+        });
+        const response = await client.send(command);
+        const responseBody = JSON.parse(new TextDecoder().decode(response.body));
+        const text = responseBody.content?.[0]?.text || '{"invariants":[]}';
+
+        // Parse JSON (handle markdown code blocks if present)
+        const cleaned = text.replace(/```json\n?/g, '').replace(/```\n?/g, '').trim();
+        candidates = JSON.parse(cleaned).invariants || [];
+    } catch (err) {
+        console.error('[MCP] Bedrock extraction failed:', err.message);
+        return { content: [{ type: 'text', text: JSON.stringify({
+            error: 'extraction_failed',
+            message: `LLM extraction failed: ${err.message}`
+        }) }], isError: true };
+    }
+
+    if (candidates.length === 0) {
+        return { content: [{ type: 'text', text: JSON.stringify({
+            candidates: [],
+            extraction_summary: { total_extracted: 0, message: 'No business invariants found in this conversation' }
+        }) }] };
+    }
+
+    // --- Deduplication against existing corpus ---
+    let existingInvariants = [];
+    try {
+        const existing = await executeQuery(`
+            SELECT pattern_id, element, rule, domain
+            FROM rapport.standards_patterns
+            WHERE content_type = 'business_invariant'
+        `);
+        existingInvariants = existing.rows;
+    } catch (err) {
+        console.error('[MCP] Dedup query failed:', err.message);
+    }
+
+    // Simple dedup: check if candidate ID or invariant text closely matches existing
+    for (const candidate of candidates) {
+        candidate.dedup_status = 'new';
+        for (const existing of existingInvariants) {
+            if (candidate.id === existing.pattern_id) {
+                candidate.dedup_status = 'duplicate_id';
+                candidate.existing_id = existing.pattern_id;
+                break;
+            }
+            // Fuzzy text match: if >60% of words overlap, flag as potential duplicate
+            const candidateWords = new Set(candidate.invariant.toLowerCase().split(/\s+/).filter(w => w.length > 3));
+            const existingWords = new Set(existing.rule.toLowerCase().split(/\s+/).filter(w => w.length > 3));
+            const overlap = [...candidateWords].filter(w => existingWords.has(w)).length;
+            const similarity = overlap / Math.max(candidateWords.size, existingWords.size);
+            if (similarity > 0.6) {
+                candidate.dedup_status = 'potential_duplicate';
+                candidate.existing_id = existing.pattern_id;
+                candidate.similarity = Math.round(similarity * 100);
+                break;
+            }
+        }
+    }
+
+    // --- Commit (if not dry_run) ---
+    let committed = 0;
+    if (!dry_run) {
+        for (const candidate of candidates) {
+            if (candidate.dedup_status === 'duplicate_id') continue;
+            if (candidate.dedup_status === 'potential_duplicate') continue;
+            if (candidate.confidence < 0.5) continue;
+
+            const patternId = candidate.id;
+            const title = patternId.replace(/-/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+            const keywords = (candidate.applies_to || [])
+                .flatMap(a => a.split(/\s+/))
+                .filter(w => w.length > 2)
+                .slice(0, 10);
+
+            try {
+                const fileName = `mcp-extraction/${source_label}/${patternId}.yaml`;
+                await executeQuery(`
+                    INSERT INTO rapport.standards_patterns (
+                        pattern_id, file_name, element, title, rule, category, domain,
+                        content_type, maturity, correlation, source, scope,
+                        rationale, consequences, exceptions, source_context,
+                        applicable_files, keywords, priority, active,
+                        company_id,
+                        created_at, last_updated
+                    ) VALUES (
+                        $1, $2, $3, $3, $4, $5, $5,
+                        'business_invariant', $6, 1.00, 'mcp-extraction', 'organization',
+                        $7, $8, $9, $10,
+                        $11, $12, $13, TRUE,
+                        $14,
+                        NOW(), NOW()
+                    )
+                    ON CONFLICT (pattern_id) DO UPDATE SET
+                        rule = EXCLUDED.rule,
+                        rationale = EXCLUDED.rationale,
+                        consequences = EXCLUDED.consequences,
+                        exceptions = EXCLUDED.exceptions,
+                        source_context = EXCLUDED.source_context,
+                        last_updated = NOW(),
+                        last_seen_at = NOW(),
+                        occurrence_count = COALESCE(rapport.standards_patterns.occurrence_count, 0) + 1
+                `, [
+                    patternId, fileName, title, candidate.invariant,
+                    candidate.domain, auto_maturity,
+                    candidate.rationale, candidate.consequences,
+                    JSON.stringify(candidate.exceptions || []),
+                    source_label,
+                    candidate.applies_to || [],
+                    keywords,
+                    candidate.priority || 20,
+                    user.company_id
+                ]);
+                candidate.committed = true;
+                committed++;
+            } catch (err) {
+                console.error(`[MCP] Failed to commit ${patternId}:`, err.message);
+                candidate.committed = false;
+                candidate.commit_error = err.message;
+            }
+        }
+    }
+
+    // --- Response ---
+    const result = {
+        candidates: candidates.map(c => ({
+            id: c.id,
+            domain: c.domain,
+            priority: c.priority,
+            invariant: c.invariant,
+            rationale: c.rationale,
+            consequences: c.consequences,
+            applies_to: c.applies_to,
+            exceptions: c.exceptions,
+            confidence: c.confidence,
+            dedup_status: c.dedup_status,
+            existing_id: c.existing_id,
+            similarity: c.similarity,
+            committed: c.committed
+        })),
+        extraction_summary: {
+            total_extracted: candidates.length,
+            new_invariants: candidates.filter(c => c.dedup_status === 'new').length,
+            duplicates: candidates.filter(c => c.dedup_status !== 'new').length,
+            committed: committed,
+            dry_run: dry_run,
+            model: model,
+            source_label: source_label,
+            domains_covered: [...new Set(candidates.map(c => c.domain))],
+            average_confidence: Math.round(
+                candidates.reduce((sum, c) => sum + (c.confidence || 0), 0) / candidates.length * 100
+            ) / 100
+        }
+    };
+
+    return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
+}
+
+// ============================================================
+// JSON-RPC Message Router
+// ============================================================
+
+async function handleJsonRpc(message, user) {
+    const { method, params, id } = message;
+    const toolName = method === 'tools/call' ? params?.name : null;
+    console.log(`[MCP] JSON-RPC method=${method}${toolName ? ` tool=${toolName}` : ''} id=${id} user=${user?.email}`);
+
+    switch (method) {
+        case 'initialize':
+            return {
+                jsonrpc: '2.0',
+                id,
+                result: {
+                    protocolVersion: PROTOCOL_VERSION,
+                    capabilities: {
+                        tools: { listChanged: false }
+                    },
+                    serverInfo: SERVER_INFO
+                }
+            };
+
+        case 'notifications/initialized':
+            return null;
+
+        case 'ping':
+            return { jsonrpc: '2.0', id, result: {} };
+
+        case 'tools/list':
+            return { jsonrpc: '2.0', id, result: { tools: TOOLS } };
+
+        case 'tools/call': {
+            const { name, arguments: args } = params;
+            try {
+                const result = await callTool(name, args || {}, user);
+                return { jsonrpc: '2.0', id, result };
+            } catch (error) {
+                console.error(`[MCP] Tool ${name} error:`, error.message);
+                return {
+                    jsonrpc: '2.0',
+                    id,
+                    result: {
+                        content: [{ type: 'text', text: JSON.stringify({ error: 'tool_error', message: error.message }) }],
+                        isError: true
+                    }
+                };
+            }
+        }
+
+        default:
+            return {
+                jsonrpc: '2.0',
+                id,
+                error: { code: -32601, message: `Method not found: ${method}` }
+            };
+    }
+}
+
+module.exports = {
+    SERVER_INFO,
+    PROTOCOL_VERSION,
+    CORS_HEADERS,
+    TOOLS,
+    CATEGORY_WEIGHTS,
+    validateApiToken,
+    handleJsonRpc,
+    callTool,
+    rankStandards,
+    formatInjection,
+};