@equilateral_ai/mindmeld 3.5.2 → 4.0.1

package/src/client/dbShim.js

@@ -0,0 +1,16 @@
+/**
+ * Database operations shim for NPM client package.
+ * Core modules import dbOperations at the top level, but hooks never
+ * execute DB queries — they communicate via HTTP to the MindMeld API.
+ * This shim satisfies the require() without shipping pg or connection logic.
+ */
+
+async function executeQuery() {
+    throw new Error('Database operations are not available in the client package. Use the MindMeld API instead.');
+}
+
+function getPool() {
+    return null;
+}
+
+module.exports = { executeQuery, getPool };

package/src/core/AuthManager.js

@@ -32,6 +32,7 @@ class AuthManager {
                 region: options.cognitoRegion || 'us-east-2'
             },
             callbackPorts: options.callbackPorts || [9876, 9877, 9878, 9879, 9880],
+            // AEGIS review: path is config-driven (homedir + hardcoded), not HTTP user input — no traversal risk
             authFile: options.authFile || path.join(os.homedir(), '.mindmeld', 'auth.json')
         };
     }
@@ -58,8 +59,8 @@ class AuthManager {
      */
     async saveAuth(auth) {
         const dir = path.dirname(this.config.authFile);
-        await fsPromises.mkdir(dir, { recursive: true });
-        await fsPromises.writeFile(this.config.authFile, JSON.stringify(auth, null, 2));
+        await fsPromises.mkdir(dir, { recursive: true, mode: 0o700 });
+        await fsPromises.writeFile(this.config.authFile, JSON.stringify(auth, null, 2), { mode: 0o600 });
     }
 
     /**

package/src/handlers/helpers/dbOperations.js

@@ -1,53 +1,16 @@
 /**
- * Database Operations Helper
- * Cached PostgreSQL client (Lambda database standards compliant)
- *
- * CRITICAL: Uses single cached client (NOT connection pool)
- * Follows lambda_database_standards.md
+ * Database operations shim for NPM client package.
+ * Core modules import dbOperations at the top level, but hooks never
+ * execute DB queries — they communicate via HTTP to the MindMeld API.
+ * This shim satisfies the require() without shipping pg or connection logic.
  */
 
-const { Client } = require('pg');
-
-// Cached client for connection reuse across warm invocations
-let cachedClient = null;
-
-/**
- * Get database client (cached)
- * Reuses connection across Lambda invocations
- */
-async function getClient() {
-    if (cachedClient && cachedClient._connected) {
-        return cachedClient;
-    }
-
-    // Create new client with environment variables (resolved at deployment)
-    // AWS RDS requires SSL for all connections
-    cachedClient = new Client({
-        host: process.env.DB_HOST,
-        port: parseInt(process.env.DB_PORT || '5432'),
-        database: process.env.DB_NAME,
-        user: process.env.DB_USER,
-        password: process.env.DB_PASS || process.env.DB_PASSWORD,  // Support both naming conventions
-        ssl: { rejectUnauthorized: false }  // Required for AWS RDS
-    });
-
-    await cachedClient.connect();
-    cachedClient._connected = true;
-
-    console.log('Database client connected');
-
-    return cachedClient;
+async function executeQuery() {
+    throw new Error('Database operations are not available in the client package. Use the MindMeld API instead.');
 }
 
-/**
- * Execute query using cached client
- * @param {string} query - SQL query
- * @param {array} params - Query parameters
- * @returns {Promise<object>} Query result
- */
-async function executeQuery(query, params = []) {
-    const client = await getClient();
-    return client.query(query, params);
+function getPool() {
+    return null;
 }
 
-module.exports = { executeQuery };
+module.exports = { executeQuery, getPool };

package/src/index.js

@@ -4,16 +4,13 @@
  * Intelligent standards injection for AI coding sessions.
  */
 
-const TeamLoadBearingDetector = require('./core/TeamLoadBearingDetector');
-const CollaborationPrompt = require('./collaboration/CollaborationPrompt');
-const { RelevanceDetector } = require('./core/RelevanceDetector');
 const { PatternValidator } = require('./core/PatternValidator');
-const { StandardsIngestion } = require('./core/StandardsIngestion');
 const { AuthManager } = require('./core/AuthManager');
 
 class MindmeldClient {
   constructor(config = {}) {
     this.config = {
+      // AEGIS review: projectPath is config-driven (CLI cwd), not HTTP user input — no traversal risk
       projectPath: config.projectPath || process.cwd(),
       userId: config.userId || process.env.USER || 'unknown',
       apiUrl: config.apiUrl || process.env.MINDMELD_API_URL || 'https://api.mindmeld.dev',
@@ -23,19 +20,7 @@ class MindmeldClient {
       ...config
     };
 
-    // Initialize components
-    this.teamDetector = new TeamLoadBearingDetector();
-    this.collaborationPrompt = new CollaborationPrompt();
-
-    // Phase 2-5 components (Claude Code integration)
-    this.relevanceDetector = new RelevanceDetector({
-      workingDirectory: this.config.projectPath,
-      standardsPath: this.config.standardsPath
-    });
     this.patternValidator = new PatternValidator();
-    this.standardsIngestion = new StandardsIngestion({
-      standardsPath: this.config.standardsPath
-    });
 
     // Project context
     this.currentProject = null;
@@ -167,129 +152,6 @@ class MindmeldClient {
     return null;
   }
 
-  /**
-   * Initialize new project
-   * Creates project via API if authenticated, stores locally as fallback
-   * @param {string} projectName - Name of the project
-   * @param {Object} options - Project options
-   * @param {Array} options.collaborators - List of collaborator emails
-   * @param {boolean} options.private - Whether project is private
-   * @param {string} options.description - Project description
-   * @param {string} options.repoUrl - Repository URL
-   * @returns {Promise<Object>} Created project object
-   */
-  async initializeProject(projectName, options = {}) {
-    const project = this.collaborationPrompt.createProjectConfig(
-      projectName,
-      options.collaborators || [],
-      {
-        private: options.private || false
-      }
-    );
-
-    // Try API first if authenticated
-    if (this.config.authToken && this.config.companyId) {
-      try {
-        const apiUrl = this.config.apiUrl;
-
-        // Build request payload matching projectCreate handler
-        const payload = {
-          Company_ID: this.config.companyId,
-          project_name: projectName,
-          description: options.description || `Project for ${projectName}`,
-          private: options.private || false,
-          repo_url: options.repoUrl || null
-        };
-
-        const response = await this._makeApiRequest(
-          `${apiUrl}/api/projects`,
-          'POST',
-          payload
-        );
-
-        if (response.error) {
-          // Handle specific error cases
-          if (response.status === 409) {
-            console.log('[Rapport] Project already exists, fetching existing...');
-            const existing = await this.getProject(projectName);
-            if (existing) return existing;
-          }
-          console.error('[Rapport] initializeProject API error:', response.error);
-          // Fall through to local storage
-        } else if (response.Records && response.Records.length > 0) {
-          const created = response.Records[0];
-
-          // Add collaborators if specified
-          if (options.collaborators && options.collaborators.length > 0) {
-            for (const email of options.collaborators) {
-              await this._addCollaborator(created.project_id, email);
-            }
-          }
-
-          return {
-            projectId: created.project_id,
-            projectName: created.project_name,
-            companyId: created.company_id,
-            description: created.description,
-            private: created.private,
-            collaborators: options.collaborators || [],
-            createdAt: created.created_at
-          };
-        }
-      } catch (error) {
-        console.error('[Rapport] initializeProject API call failed:', error.message);
-        // Fall through to local storage
-      }
-    }
-
-    // Fallback: store locally
-    await this.storeProjectLocally(project);
-    return project;
-  }
-
-  /**
-   * Add collaborator to project (internal helper)
-   * @private
-   */
-  async _addCollaborator(projectId, email, role = 'collaborator') {
-    try {
-      const apiUrl = this.config.apiUrl;
-      await this._makeApiRequest(
-        `${apiUrl}/api/collaborators`,
-        'POST',
-        { project_id: projectId, email, role }
-      );
-    } catch (error) {
-      console.error(`[Rapport] Failed to add collaborator ${email}:`, error.message);
-    }
-  }
-
-  /**
-   * Store project configuration locally
-   */
-  async storeProjectLocally(project) {
-    const fs = require('fs').promises;
-    const path = require('path');
-
-    const projectDir = path.join(__dirname, '../projects', project.projectId);
-    await fs.mkdir(projectDir, { recursive: true });
-
-    const configPath = path.join(projectDir, 'config.json');
-    await fs.writeFile(configPath, JSON.stringify(project, null, 2));
-
-    // Create collaborators file
-    const collabPath = path.join(projectDir, 'collaborators.json');
-    await fs.writeFile(collabPath, JSON.stringify({
-      projectId: project.projectId,
-      collaborators: project.collaborators,
-      updated: new Date().toISOString()
-    }, null, 2));
-
-    // Create sessions directory
-    const sessionsDir = path.join(projectDir, 'sessions');
-    await fs.mkdir(sessionsDir, { recursive: true });
-  }
-
   /**
    * Load project context including team patterns, load-bearing elements, and recent learning
    * Fetches from API if authenticated, falls back to local storage
@@ -404,79 +266,6 @@ class MindmeldClient {
     }
   }
 
-  /**
-   * Analyze handoff (team-wide)
-   */
-  async analyzeHandoff(handoff, outcome) {
-    if (!this.currentProject) {
-      throw new Error('No project initialized. Call detectProject() first.');
-    }
-
-    return this.teamDetector.analyzeHandoff(
-      this.config.userId,
-      handoff,
-      outcome
-    );
-  }
-
-  /**
-   * Get team load-bearing elements
-   */
-  getTeamLoadBearing() {
-    return this.teamDetector.getTeamLoadBearing();
-  }
-
-  /**
-   * Get team summary
-   */
-  getTeamSummary() {
-    return this.teamDetector.getTeamSummary();
-  }
-
-  // ============================================================================
-  // Phase 5: Claude Code Hook Methods
-  // ============================================================================
-
-  /**
-   * Ensure standards are ingested (cached check)
-   * Fast execution for session-start hook
-   */
-  async ensureStandardsIngested() {
-    try {
-      const check = await this.standardsIngestion.needsIngestion();
-
-      if (check.needed) {
-        console.log(`[Rapport] Standards ingestion needed: ${check.reason}`);
-        await this.standardsIngestion.ingestEquilateralStandards();
-      }
-
-      return check;
-    } catch (error) {
-      console.error('[Rapport] ensureStandardsIngested error:', error.message);
-      return { needed: false, error: error.message };
-    }
-  }
-
-  /**
-   * Get relevant standards for current project context
-   * Used by session-start hook
-   */
-  async getRelevantStandards(projectContext) {
-    try {
-      const context = {
-        workingDirectory: projectContext.workingDirectory || this.config.projectPath,
-        currentFile: projectContext.currentFile || null,
-        recentFiles: projectContext.recentFiles || [],
-        gitHistory: projectContext.gitHistory || null
-      };
-
-      return await this.relevanceDetector.detectRelevantStandards(context);
-    } catch (error) {
-      console.error('[Rapport] getRelevantStandards error:', error.message);
-      return { standards: [], characteristics: {}, categories: [] };
-    }
-  }
-
   /**
    * Get recent learning for project (last N days)
    */
@@ -964,9 +753,5 @@ module.exports = {
   MindmeldClient,
   RapportClient,
   AuthManager,
-  TeamLoadBearingDetector,
-  CollaborationPrompt,
-  RelevanceDetector,
-  PatternValidator,
-  StandardsIngestion
+  PatternValidator
 };

package/src/utils/piiMask.js

@@ -0,0 +1,16 @@
+/**
+ * PII masking utilities for safe logging.
+ * Prevents email, user IDs from leaking to CloudWatch/log aggregators.
+ */
+const maskEmail = (email) => {
+    if (!email) return '[no-email]';
+    const [local, domain] = email.split('@');
+    return `${local.substring(0, 2)}***@${domain || '***'}`;
+};
+
+const maskUserId = (id) => {
+    if (!id) return '[no-id]';
+    return typeof id === 'string' && id.length > 8 ? `${id.substring(0, 8)}...` : String(id);
+};
+
+module.exports = { maskEmail, maskUserId };