@equilateral_ai/mindmeld 3.5.0 → 3.5.2

package/src/handlers/helpers/mindmeldMcpCore.js

@@ -10,6 +10,15 @@
 
 const { executeQuery } = require('./dbOperations');
 const crypto = require('crypto');
+const { BedrockRuntimeClient, InvokeModelCommand } = require('@aws-sdk/client-bedrock-runtime');
+
+let _bedrockClient = null;
+function getBedrockClient() {
+    if (!_bedrockClient) {
+        _bedrockClient = new BedrockRuntimeClient({ region: 'us-east-2' });
+    }
+    return _bedrockClient;
+}
 
 const SERVER_INFO = {
     name: 'mindmeld',
@@ -30,6 +39,7 @@ const CORS_HEADERS = {
 // ============================================================
 
 const CATEGORY_WEIGHTS = {
+    // Code standard categories
     'serverless-saas-aws': 1.0,
     'frontend-development': 1.0,
     'database': 0.9,
@@ -41,6 +51,16 @@ const CATEGORY_WEIGHTS = {
     'well-architected': 0.7,
     'cost-optimization': 0.7,
     'multi-agent-orchestration': 0.1,
+    // Business domains
+    'ip-strategy': 0.6,
+    'architecture-decisions': 0.8,
+    'go-to-market': 0.6,
+    'operations': 0.5,
+    'legal-process': 0.5,
+    'finance': 0.5,
+    'communication': 0.4,
+    'product-strategy': 0.6,
+    'investor-relations': 0.4,
 };
 
 // ============================================================
@@ -87,12 +107,51 @@ const TOOLS = [
                     type: 'object',
                     properties: {
                         maturity: { type: 'array', items: { type: 'string' }, description: 'Filter by maturity: provisional, solidified, reinforced' },
+                        content_type: { type: 'string', enum: ['code_standard', 'business_invariant'], description: 'Filter by content type. Omit for all.' },
+                        domain: { type: 'string', description: 'Filter by domain (e.g., "ip-strategy", "architecture-decisions"). Omit for all.' },
+                        source: { type: 'string', description: 'Filter by corpus source (e.g., "equilateral-standards", "mcp-extraction", "nist-800-53"). Omit for all.' },
                         standard_name: { type: 'string', description: 'Filter by standard name (partial match)' },
                         limit: { type: 'integer', description: 'Max results (default 20)' }
                     }
                 }
             }
         }
+    },
+    {
+        name: 'mindmeld_ingest_raw_session',
+        description: 'Extract business invariants from a raw conversation transcript using LLM analysis. Returns invariant candidates in BUSINESS-SCHEMA shape with confidence scores. Use dry_run=true to preview before committing.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                session_text: {
+                    type: 'string',
+                    description: 'Raw conversation transcript to extract invariants from'
+                },
+                source_label: {
+                    type: 'string',
+                    description: 'Label for provenance tracking (e.g., "claude-chat-2026-02-24-patent-filing")'
+                },
+                domain_hint: {
+                    type: 'string',
+                    description: 'Optional domain hint to guide classification (e.g., "ip-strategy", "architecture-decisions")'
+                },
+                auto_maturity: {
+                    type: 'string',
+                    enum: ['provisional', 'solidified'],
+                    description: 'Maturity level for extracted invariants. Default: "provisional". Only use "solidified" when multiple independent sessions have validated the same decision.'
+                },
+                dry_run: {
+                    type: 'boolean',
+                    description: 'If true, return extracted candidates without committing to corpus. Default: true'
+                },
+                model: {
+                    type: 'string',
+                    enum: ['haiku', 'sonnet', 'opus'],
+                    description: 'Claude model for extraction. haiku=fast/cheap, sonnet=balanced (default), opus=deepest extraction'
+                }
+            },
+            required: ['session_text', 'source_label']
+        }
     }
 ];
 
@@ -100,10 +159,89 @@ const TOOLS = [
 // Auth: API Token Validation
 // ============================================================
 
+/**
+ * Validate a Cognito JWT access token.
+ * Decodes the JWT, verifies issuer and expiry, looks up user by email.
+ * Full signature verification uses Cognito JWKS (cached).
+ */
+let _jwksCache = null;
+let _jwksCacheTime = 0;
+const COGNITO_ISSUER = 'https://cognito-idp.us-east-2.amazonaws.com/us-east-2_638OhwuV1';
+const JWKS_URL = `${COGNITO_ISSUER}/.well-known/jwks.json`;
+const JWKS_CACHE_TTL = 3600000; // 1 hour
+
+async function fetchJwks() {
+    if (_jwksCache && (Date.now() - _jwksCacheTime) < JWKS_CACHE_TTL) {
+        return _jwksCache;
+    }
+    const https = require('https');
+    return new Promise((resolve, reject) => {
+        https.get(JWKS_URL, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => {
+                try {
+                    _jwksCache = JSON.parse(data);
+                    _jwksCacheTime = Date.now();
+                    resolve(_jwksCache);
+                } catch (e) { reject(e); }
+            });
+        }).on('error', reject);
+    });
+}
+
+function base64UrlDecode(str) {
+    str = str.replace(/-/g, '+').replace(/_/g, '/');
+    while (str.length % 4) str += '=';
+    return Buffer.from(str, 'base64');
+}
+
+async function validateCognitoJwt(token) {
+    // Decode header and payload without verification first
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    let header, payload;
+    try {
+        header = JSON.parse(base64UrlDecode(parts[0]).toString());
+        payload = JSON.parse(base64UrlDecode(parts[1]).toString());
+    } catch (e) { return null; }
+
+    // Check issuer and expiry
+    if (payload.iss !== COGNITO_ISSUER) return null;
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) return null;
+    if (payload.token_use !== 'access') return null;
+
+    // Verify signature using JWKS
+    try {
+        const jwks = await fetchJwks();
+        const key = jwks.keys?.find(k => k.kid === header.kid);
+        if (!key) return null;
+
+        // Build RSA public key from JWK
+        const keyObject = crypto.createPublicKey({ key, format: 'jwk' });
+        const verify = crypto.createVerify('RSA-SHA256');
+        verify.update(`${parts[0]}.${parts[1]}`);
+        if (!verify.verify(keyObject, base64UrlDecode(parts[2]))) return null;
+    } catch (e) {
+        console.error('[MCP] JWT signature verification failed:', e.message);
+        return null;
+    }
+
+    // Extract user info — Cognito access tokens have 'username' and 'sub'
+    return {
+        sub: payload.sub,
+        username: payload.username,
+        email: payload.username, // Cognito username is typically email
+        scope: payload.scope,
+    };
+}
+
 async function validateApiToken(headers) {
-    // Support both header formats:
+    // Support multiple auth methods:
     // 1. X-MindMeld-Token: mm_live_xxx (existing clients, stdio bridge)
-    // 2. Authorization: Bearer mm_live_xxx (Claude.ai connector, standard OAuth)
+    // 2. Authorization: Bearer mm_live_xxx (API token)
+    // 3. Authorization: Bearer <cognito-jwt> (OAuth via Cognito)
     let token = headers['x-mindmeld-token'] || headers['X-MindMeld-Token'];
 
     if (!token) {
@@ -114,9 +252,47 @@ async function validateApiToken(headers) {
     }
 
     if (!token) {
-        return { error: 'auth_invalid', message: 'Authentication required. Provide X-MindMeld-Token header or Authorization: Bearer token.' };
+        return { error: 'auth_required', message: 'Authentication required.' };
     }
 
+    // Check if token looks like a JWT (has 3 dot-separated parts, starts with eyJ)
+    if (token.startsWith('eyJ') && token.split('.').length === 3) {
+        const jwtUser = await validateCognitoJwt(token);
+        if (!jwtUser) {
+            return { error: 'auth_invalid', message: 'Invalid or expired OAuth token' };
+        }
+
+        // Look up user by email/username in our database
+        const result = await executeQuery(`
+            SELECT u.email_address, c.client_id, c.subscription_tier, c.subscription_status,
+                   ue.company_id
+            FROM rapport.users u
+            JOIN rapport.user_entitlements ue ON u.email_address = ue.email_address
+            JOIN rapport.clients c ON ue.client_id = c.client_id
+            WHERE u.email_address = $1 OR u.cognito_sub = $2
+            LIMIT 1
+        `, [jwtUser.email, jwtUser.sub]);
+
+        if (result.rows.length === 0) {
+            return { error: 'auth_invalid', message: 'User not found. Sign up at mindmeld.dev' };
+        }
+
+        const row = result.rows[0];
+        if (!row.subscription_tier || row.subscription_tier === 'free') {
+            return { error: 'auth_invalid', message: 'Active MindMeld subscription required. Subscribe at app.mindmeld.dev' };
+        }
+
+        return {
+            user: {
+                email: row.email_address,
+                client_id: row.client_id,
+                company_id: row.company_id,
+                subscription_tier: row.subscription_tier
+            }
+        };
+    }
+
+    // API token path (mm_live_xxx)
     const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
 
     const result = await executeQuery(`
@@ -164,7 +340,7 @@ function rankStandards(standards, recentCategories) {
         let score = 0;
         score += (standard.correlation || 1.0) * 40;
 
-        const maturityScores = { enforced: 30, validated: 20, recommended: 10, provisional: 5 };
+        const maturityScores = { enforced: 30, reinforced: 25, validated: 20, solidified: 15, recommended: 10, provisional: 5 };
         score += maturityScores[standard.maturity] || 0;
 
         const categoryWeight = CATEGORY_WEIGHTS[standard.category] || 0.5;
@@ -184,6 +360,8 @@ function rankStandards(standards, recentCategories) {
             || (Array.isArray(standard.keywords) && standard.keywords.includes('workflow'));
         if (isWorkflow) score += 10;
 
+        if (standard.rationale) score += 5;
+
         if (recentCategories && recentCategories[standard.category]) {
             const usageCount = recentCategories[standard.category];
             let rawBonus;
@@ -211,11 +389,14 @@ function formatInjection(sessionId, standards) {
     sections.push('Licensed for use within MindMeld platform only. Redistribution prohibited.');
     sections.push('');
 
-    if (standards.length > 0) {
+    const codeStandards = standards.filter(s => s.content_type !== 'business_invariant');
+    const businessInvariants = standards.filter(s => s.content_type === 'business_invariant');
+
+    if (codeStandards.length > 0) {
         sections.push('## Relevant Standards');
         sections.push('');
 
-        for (const standard of standards) {
+        for (const standard of codeStandards) {
             sections.push(`### ${standard.element}`);
             sections.push(`**Category**: ${standard.category}`);
             sections.push(`**Rule**: ${standard.rule}`);
@@ -245,6 +426,30 @@ function formatInjection(sessionId, standards) {
         }
     }
 
+    if (businessInvariants.length > 0) {
+        sections.push('## Business Invariants');
+        sections.push('');
+
+        for (const invariant of businessInvariants) {
+            sections.push(`### ${invariant.element}`);
+            sections.push(`**Domain**: ${invariant.category}`);
+            sections.push(`**Invariant**: ${invariant.rule}`);
+            if (invariant.rationale) {
+                sections.push(`**Rationale**: ${invariant.rationale}`);
+            }
+            if (invariant.consequences) {
+                sections.push(`**If violated**: ${invariant.consequences}`);
+            }
+            if (invariant.exceptions && Array.isArray(invariant.exceptions) && invariant.exceptions.length > 0) {
+                sections.push('**Exceptions**:');
+                for (const ex of invariant.exceptions) {
+                    sections.push(`- ${ex}`);
+                }
+            }
+            sections.push('');
+        }
+    }
+
     sections.push('---');
     sections.push('*Context provided by MindMeld - mindmeld.dev*');
 
@@ -263,6 +468,8 @@ async function callTool(name, args, user) {
             return await toolRecordCorrection(args, user);
         case 'mindmeld_get_standards':
             return await toolGetStandards(args, user);
+        case 'mindmeld_ingest_raw_session':
+            return await toolIngestRawSession(args, user);
         default:
             throw new Error(`Unknown tool: ${name}`);
     }
@@ -272,22 +479,29 @@ async function toolInitSession(args, user) {
     const { project_path, task_description } = args;
     const sessionId = crypto.randomUUID();
 
-    // Try to match project by name for the user's company
+    // Try to match project by name for the user's company, auto-create if not found
     let projectId = null;
-    if (project_path) {
-        const projectName = project_path.split('/').filter(Boolean).pop();
-        try {
-            const projectResult = await executeQuery(`
-                SELECT project_id FROM rapport.projects
-                WHERE company_id = $1 AND LOWER(project_name) = LOWER($2)
-                LIMIT 1
-            `, [user.company_id, projectName]);
-            if (projectResult.rows.length > 0) {
-                projectId = projectResult.rows[0].project_id;
-            }
-        } catch (err) {
-            console.error('[MCP] Project lookup failed:', err.message);
+    const projectName = project_path ? project_path.split('/').filter(Boolean).pop() : 'default';
+    try {
+        const projectResult = await executeQuery(`
+            SELECT project_id FROM rapport.projects
+            WHERE company_id = $1 AND LOWER(project_name) = LOWER($2)
+            LIMIT 1
+        `, [user.company_id, projectName]);
+        if (projectResult.rows.length > 0) {
+            projectId = projectResult.rows[0].project_id;
+        } else {
+            // Auto-create project so session INSERT never fails on NOT NULL
+            const newId = crypto.randomUUID();
+            await executeQuery(`
+                INSERT INTO rapport.projects (project_id, company_id, project_name, description, created_at)
+                VALUES ($1, $2, $3, $4, NOW())
+                ON CONFLICT (project_id) DO NOTHING
+            `, [newId, user.company_id, projectName, `Auto-created from MCP session (${project_path || 'no path'})`]);
+            projectId = newId;
         }
+    } catch (err) {
+        console.error('[MCP] Project lookup/create failed:', err.message);
     }
 
     // Get recency data for scoring boost
@@ -311,9 +525,12 @@ async function toolInitSession(args, user) {
     }
 
     // Default to broad categories (no filesystem scanning in Lambda)
+    // Includes business domains so invariants can surface via recency boost
     const categories = [
         'serverless-saas-aws', 'frontend-development', 'database', 'backend',
-        'compliance-security', 'well-architected', 'cost-optimization', 'deployment', 'testing'
+        'compliance-security', 'well-architected', 'cost-optimization', 'deployment', 'testing',
+        'ip-strategy', 'architecture-decisions', 'go-to-market', 'operations',
+        'legal-process', 'finance', 'communication', 'product-strategy', 'investor-relations'
     ];
 
     // Merge recency categories
@@ -321,16 +538,14 @@ async function toolInitSession(args, user) {
         if (!categories.includes(cat)) categories.push(cat);
     }
 
-    // Query standards
+    // Query standards — tenant-isolated via get_effective_standards()
+    const maturityList = ['enforced', 'validated', 'recommended', 'provisional', 'solidified', 'reinforced'];
     const result = await executeQuery(`
-        SELECT pattern_id, element, title, rule, category, keywords, correlation,
-               maturity, applicable_files, anti_patterns, examples, cost_impact, source
-        FROM rapport.standards_patterns
-        WHERE category = ANY($1::varchar[])
-          AND maturity IN ('enforced', 'validated', 'recommended')
-        ORDER BY CASE WHEN maturity = 'enforced' THEN 1 WHEN maturity = 'validated' THEN 2 ELSE 3 END,
+        SELECT * FROM rapport.get_effective_standards($1, $2::varchar[], $3::varchar[])
+        ORDER BY CASE WHEN maturity = 'enforced' THEN 1 WHEN maturity = 'reinforced' THEN 2
+                      WHEN maturity = 'validated' THEN 3 WHEN maturity = 'solidified' THEN 4 ELSE 5 END,
                  correlation DESC
-    `, [categories]);
+    `, [user.company_id, categories, maturityList]);
 
     if (result.rows.length === 0) {
         return {
@@ -368,21 +583,24 @@ async function toolInitSession(args, user) {
     // Format injection markdown
     const formattedInjection = formatInjection(sessionId, top);
 
-    // Fire-and-forget: record session + standards
-    executeQuery(`
-        INSERT INTO rapport.sessions (session_id, project_id, email_address, started_at, session_data)
-        VALUES ($1, $2, $3, NOW(), $4)
-        ON CONFLICT (session_id) DO NOTHING
-    `, [sessionId, projectId, user.email, JSON.stringify({ source: 'mcp', task_description: task_description || null })])
-        .catch(err => console.error('[MCP] Session record failed:', err.message));
-
-    for (const standard of top) {
-        executeQuery(`
-            INSERT INTO rapport.session_standards (session_id, standard_id, standard_name, relevance_score, created_at)
-            VALUES ($1, $2, $3, $4, NOW())
-            ON CONFLICT (session_id, standard_id) DO UPDATE SET relevance_score = EXCLUDED.relevance_score
-        `, [sessionId, standard.pattern_id, standard.element, standard.relevance_score])
-            .catch(err => console.error('[MCP] Standard record failed:', err.message));
+    // Record session first (must complete before session_standards FK references it)
+    try {
+        await executeQuery(`
+            INSERT INTO rapport.sessions (session_id, project_id, email_address, started_at, session_data)
+            VALUES ($1, $2, $3, NOW(), $4)
+            ON CONFLICT (session_id) DO NOTHING
+        `, [sessionId, projectId, user.email, JSON.stringify({ source: 'mcp', task_description: task_description || null })]);
+
+        // Now safe to insert session_standards — session row exists
+        for (const standard of top) {
+            await executeQuery(`
+                INSERT INTO rapport.session_standards (session_id, standard_id, standard_name, relevance_score, created_at)
+                VALUES ($1, $2, $3, $4, NOW())
+                ON CONFLICT (session_id, standard_id) DO UPDATE SET relevance_score = EXCLUDED.relevance_score
+            `, [sessionId, standard.pattern_id, standard.element, standard.relevance_score]);
+        }
+    } catch (err) {
+        console.error('[MCP] Session/standards record failed:', err.message);
     }
 
     // Get corpus size for summary
@@ -466,21 +684,40 @@ async function toolGetStandards(args, user) {
     const limit = Math.min(parseInt(filter.limit) || 20, 100);
     const maturityFilter = filter.maturity;
     const nameFilter = filter.standard_name;
+    const contentTypeFilter = filter.content_type;
+    const domainFilter = filter.domain;
+    const sourceFilter = filter.source;
 
     let query = `
-        SELECT pattern_id as standard_id, element as name, maturity,
+        SELECT pattern_id as standard_id, element as name, maturity, source,
+               content_type, domain, rule, rationale, consequences, exceptions, source_context,
                COUNT(*) OVER() as total_count,
                (SELECT COUNT(*) FROM rapport.session_standards WHERE standard_id = sp.pattern_id) as session_count
         FROM rapport.standards_patterns sp
-        WHERE 1=1
+        WHERE (company_id IS NULL OR company_id = $1)
     `;
-    const params = [];
+    const params = [user.company_id];
 
     if (maturityFilter && Array.isArray(maturityFilter) && maturityFilter.length > 0) {
         params.push(maturityFilter);
         query += ` AND maturity = ANY($${params.length}::varchar[])`;
     }
 
+    if (contentTypeFilter) {
+        params.push(contentTypeFilter);
+        query += ` AND content_type = $${params.length}`;
+    }
+
+    if (domainFilter) {
+        params.push(domainFilter);
+        query += ` AND domain = $${params.length}`;
+    }
+
+    if (sourceFilter) {
+        params.push(sourceFilter);
+        query += ` AND source = $${params.length}`;
+    }
+
     if (nameFilter) {
         params.push(`%${nameFilter}%`);
         query += ` AND (element ILIKE $${params.length} OR title ILIKE $${params.length})`;
@@ -496,39 +733,311 @@ async function toolGetStandards(args, user) {
     const summaryResult = await executeQuery(`
         SELECT
             COUNT(*) as total_standards,
-            COUNT(*) FILTER (WHERE maturity = 'enforced') as reinforced_count,
-            COUNT(*) FILTER (WHERE maturity = 'validated') as solidified_count,
+            COUNT(*) FILTER (WHERE content_type = 'code_standard' OR content_type IS NULL) as code_standards_count,
+            COUNT(*) FILTER (WHERE content_type = 'business_invariant') as business_invariants_count,
+            COUNT(*) FILTER (WHERE maturity IN ('enforced', 'reinforced')) as reinforced_count,
+            COUNT(*) FILTER (WHERE maturity IN ('validated', 'solidified')) as solidified_count,
             COUNT(*) FILTER (WHERE maturity IN ('recommended', 'provisional')) as provisional_count
         FROM rapport.standards_patterns
     `);
+    const sourcesResult = await executeQuery(`
+        SELECT source, COUNT(*) as count
+        FROM rapport.standards_patterns
+        GROUP BY source
+        ORDER BY count DESC
+    `);
     const summary = summaryResult.rows[0] || {};
+    const sourceBreakdown = {};
+    for (const row of sourcesResult.rows) {
+        sourceBreakdown[row.source || 'unknown'] = parseInt(row.count, 10);
+    }
 
     const response = {
-        standards: result.rows.map(r => ({
-            standard_id: r.standard_id,
-            name: r.name,
-            maturity: r.maturity,
-            rule_count: 1,
-            session_count: parseInt(r.session_count, 10) || 0,
-        })),
+        standards: result.rows.map(r => {
+            const entry = {
+                standard_id: r.standard_id,
+                name: r.name,
+                content_type: r.content_type || 'code_standard',
+                source: r.source,
+                maturity: r.maturity,
+                session_count: parseInt(r.session_count, 10) || 0,
+            };
+            if (r.content_type === 'business_invariant') {
+                entry.domain = r.domain;
+                entry.invariant = r.rule;
+                entry.rationale = r.rationale;
+                entry.consequences = r.consequences;
+                if (r.exceptions && Array.isArray(r.exceptions) && r.exceptions.length > 0) {
+                    entry.exceptions = r.exceptions;
+                }
+                if (r.source_context) entry.source_label = r.source_context;
+            }
+            return entry;
+        }),
         corpus_summary: {
             total_standards: parseInt(summary.total_standards, 10) || 0,
-            total_rules: parseInt(summary.total_standards, 10) || 0,
+            code_standards: parseInt(summary.code_standards_count, 10) || 0,
+            business_invariants: parseInt(summary.business_invariants_count, 10) || 0,
             reinforced_count: parseInt(summary.reinforced_count, 10) || 0,
             solidified_count: parseInt(summary.solidified_count, 10) || 0,
             provisional_count: parseInt(summary.provisional_count, 10) || 0,
+            by_source: sourceBreakdown,
         }
     };
 
     return { content: [{ type: 'text', text: JSON.stringify(response, null, 2) }] };
 }
 
+// ============================================================
+// Tool: Ingest Raw Session (LLM Extraction)
+// ============================================================
+
+async function toolIngestRawSession(args, user) {
+    const {
+        session_text,
+        source_label,
+        domain_hint,
+        auto_maturity = 'provisional',
+        dry_run = true,
+        model = 'sonnet'
+    } = args;
+
+    const MODEL_IDS = {
+        haiku: 'us.anthropic.claude-haiku-4-5-20251001-v1:0',
+        sonnet: 'us.anthropic.claude-sonnet-4-5-20250929-v1:0',
+        opus: 'us.anthropic.claude-opus-4-5-20251101-v1:0'
+    };
+    const modelId = MODEL_IDS[model] || MODEL_IDS.sonnet;
+
+    // Validate input size
+    if (!session_text || session_text.length < 100) {
+        return { content: [{ type: 'text', text: JSON.stringify({
+            error: 'session_text_too_short',
+            message: 'Conversation text must be at least 100 characters'
+        }) }], isError: true };
+    }
+    if (session_text.length > 200000) {
+        return { content: [{ type: 'text', text: JSON.stringify({
+            error: 'session_text_too_long',
+            message: 'Conversation text must be under 200,000 characters. Split into smaller segments.'
+        }) }], isError: true };
+    }
+
+    // --- LLM Extraction ---
+    const systemPrompt = `You are an expert at identifying organizational knowledge, business rules, and architectural decisions from conversation transcripts.
+
+Your task: Extract business invariants — rules, constraints, decisions, and standards that an organization should follow consistently.
+
+A business invariant is NOT:
+- A one-time task or action item
+- A personal preference without organizational impact
+- A fact or observation without a prescriptive element
+- Code-level implementation details (those are code standards, not business invariants)
+
+A business invariant IS:
+- A decision that constrains future behavior ("always do X", "never do Y")
+- A rule with organizational reasoning behind it
+- A constraint that has consequences if violated
+- A standard that should be consistently applied across similar situations
+
+For each invariant found, output:
+- id: kebab-case unique identifier
+- domain: one of [ip-strategy, architecture-decisions, go-to-market, operations, legal-process, finance, communication, product-strategy, investor-relations]
+- priority: 10 (critical), 20 (important), or 30 (advisory)
+- invariant: the rule as a single, complete statement
+- rationale: WHY this is the standard (the reasoning, not just the rule)
+- consequences: what goes wrong if this is violated
+- applies_to: array of activities this constrains
+- exceptions: array of when this doesn't apply (empty array if universal)
+- confidence: 0.0-1.0 how confident you are this is a real organizational invariant vs a one-time comment
+
+Output valid JSON only. No markdown, no explanation. Format:
+{ "invariants": [...] }
+
+If no business invariants are found, return { "invariants": [] }.`;
+
+    const userPrompt = domain_hint
+        ? `Extract business invariants from this conversation. Domain hint: ${domain_hint}\n\n---\n\n${session_text}`
+        : `Extract business invariants from this conversation.\n\n---\n\n${session_text}`;
+
+    let candidates;
+    try {
+        const client = getBedrockClient();
+        const command = new InvokeModelCommand({
+            modelId: modelId,
+            contentType: 'application/json',
+            accept: 'application/json',
+            body: JSON.stringify({
+                anthropic_version: 'bedrock-2023-05-31',
+                max_tokens: 16384,
+                system: systemPrompt,
+                messages: [{ role: 'user', content: userPrompt }]
+            })
+        });
+        const response = await client.send(command);
+        const responseBody = JSON.parse(new TextDecoder().decode(response.body));
+        const text = responseBody.content?.[0]?.text || '{"invariants":[]}';
+
+        // Parse JSON (handle markdown code blocks if present)
+        const cleaned = text.replace(/```json\n?/g, '').replace(/```\n?/g, '').trim();
+        candidates = JSON.parse(cleaned).invariants || [];
+    } catch (err) {
+        console.error('[MCP] Bedrock extraction failed:', err.message);
+        return { content: [{ type: 'text', text: JSON.stringify({
+            error: 'extraction_failed',
+            message: `LLM extraction failed: ${err.message}`
+        }) }], isError: true };
+    }
+
+    if (candidates.length === 0) {
+        return { content: [{ type: 'text', text: JSON.stringify({
+            candidates: [],
+            extraction_summary: { total_extracted: 0, message: 'No business invariants found in this conversation' }
+        }) }] };
+    }
+
+    // --- Deduplication against existing corpus ---
+    let existingInvariants = [];
+    try {
+        const existing = await executeQuery(`
+            SELECT pattern_id, element, rule, domain
+            FROM rapport.standards_patterns
+            WHERE content_type = 'business_invariant'
+        `);
+        existingInvariants = existing.rows;
+    } catch (err) {
+        console.error('[MCP] Dedup query failed:', err.message);
+    }
+
+    // Simple dedup: check if candidate ID or invariant text closely matches existing
+    for (const candidate of candidates) {
+        candidate.dedup_status = 'new';
+        for (const existing of existingInvariants) {
+            if (candidate.id === existing.pattern_id) {
+                candidate.dedup_status = 'duplicate_id';
+                candidate.existing_id = existing.pattern_id;
+                break;
+            }
+            // Fuzzy text match: if >60% of words overlap, flag as potential duplicate
+            const candidateWords = new Set(candidate.invariant.toLowerCase().split(/\s+/).filter(w => w.length > 3));
+            const existingWords = new Set(existing.rule.toLowerCase().split(/\s+/).filter(w => w.length > 3));
+            const overlap = [...candidateWords].filter(w => existingWords.has(w)).length;
+            const similarity = overlap / Math.max(candidateWords.size, existingWords.size);
+            if (similarity > 0.6) {
+                candidate.dedup_status = 'potential_duplicate';
+                candidate.existing_id = existing.pattern_id;
+                candidate.similarity = Math.round(similarity * 100);
+                break;
+            }
+        }
+    }
+
+    // --- Commit (if not dry_run) ---
+    let committed = 0;
+    if (!dry_run) {
+        for (const candidate of candidates) {
+            if (candidate.dedup_status === 'duplicate_id') continue;
+            if (candidate.dedup_status === 'potential_duplicate') continue;
+            if (candidate.confidence < 0.5) continue;
+
+            const patternId = candidate.id;
+            const title = patternId.replace(/-/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+            const keywords = (candidate.applies_to || [])
+                .flatMap(a => a.split(/\s+/))
+                .filter(w => w.length > 2)
+                .slice(0, 10);
+
+            try {
+                const fileName = `mcp-extraction/${source_label}/${patternId}.yaml`;
+                await executeQuery(`
+                    INSERT INTO rapport.standards_patterns (
+                        pattern_id, file_name, element, title, rule, category, domain,
+                        content_type, maturity, correlation, source, scope,
+                        rationale, consequences, exceptions, source_context,
+                        applicable_files, keywords, priority, active,
+                        company_id,
+                        created_at, last_updated
+                    ) VALUES (
+                        $1, $2, $3, $3, $4, $5, $5,
+                        'business_invariant', $6, 1.00, 'mcp-extraction', 'organization',
+                        $7, $8, $9, $10,
+                        $11, $12, $13, TRUE,
+                        $14,
+                        NOW(), NOW()
+                    )
+                    ON CONFLICT (pattern_id) DO UPDATE SET
+                        rule = EXCLUDED.rule,
+                        rationale = EXCLUDED.rationale,
+                        consequences = EXCLUDED.consequences,
+                        exceptions = EXCLUDED.exceptions,
+                        source_context = EXCLUDED.source_context,
+                        last_updated = NOW(),
+                        last_seen_at = NOW(),
+                        occurrence_count = COALESCE(rapport.standards_patterns.occurrence_count, 0) + 1
+                `, [
+                    patternId, fileName, title, candidate.invariant,
+                    candidate.domain, auto_maturity,
+                    candidate.rationale, candidate.consequences,
+                    JSON.stringify(candidate.exceptions || []),
+                    source_label,
+                    candidate.applies_to || [],
+                    keywords,
+                    candidate.priority || 20,
+                    user.company_id
+                ]);
+                candidate.committed = true;
+                committed++;
+            } catch (err) {
+                console.error(`[MCP] Failed to commit ${patternId}:`, err.message);
+                candidate.committed = false;
+                candidate.commit_error = err.message;
+            }
+        }
+    }
+
+    // --- Response ---
+    const result = {
+        candidates: candidates.map(c => ({
+            id: c.id,
+            domain: c.domain,
+            priority: c.priority,
+            invariant: c.invariant,
+            rationale: c.rationale,
+            consequences: c.consequences,
+            applies_to: c.applies_to,
+            exceptions: c.exceptions,
+            confidence: c.confidence,
+            dedup_status: c.dedup_status,
+            existing_id: c.existing_id,
+            similarity: c.similarity,
+            committed: c.committed
+        })),
+        extraction_summary: {
+            total_extracted: candidates.length,
+            new_invariants: candidates.filter(c => c.dedup_status === 'new').length,
+            duplicates: candidates.filter(c => c.dedup_status !== 'new').length,
+            committed: committed,
+            dry_run: dry_run,
+            model: model,
+            source_label: source_label,
+            domains_covered: [...new Set(candidates.map(c => c.domain))],
+            average_confidence: Math.round(
+                candidates.reduce((sum, c) => sum + (c.confidence || 0), 0) / candidates.length * 100
+            ) / 100
+        }
+    };
+
+    return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
+}
+
 // ============================================================
 // JSON-RPC Message Router
 // ============================================================
 
 async function handleJsonRpc(message, user) {
     const { method, params, id } = message;
+    const toolName = method === 'tools/call' ? params?.name : null;
+    console.log(`[MCP] JSON-RPC method=${method}${toolName ? ` tool=${toolName}` : ''} id=${id} user=${user?.email}`);
 
     switch (method) {
         case 'initialize':