@equilateral_ai/mindmeld 3.5.3 → 4.0.2

package/scripts/repo-analyzer.js

@@ -14,6 +14,7 @@
 
 const fs = require('fs').promises;
 const path = require('path');
+const { execSync } = require('child_process');
 
 // ============================================================================
 // SECURITY ANTI-PATTERNS (from securityScanner.js)
@@ -335,7 +336,8 @@ class RepoAnalyzer {
         low: [],
         summary: {}
       },
-      recommendations: []
+      recommendations: [],
+      contributors: []
     };
   }
 
@@ -371,7 +373,11 @@ class RepoAnalyzer {
         await this.scanSecurity(maxFiles);
       }
 
-      // 5. Generate recommendations
+      // 5. Extract contributor profiles from git history
+      if (verbose) console.log('👥 Extracting contributor profiles...');
+      await this.extractContributors();
+
+      // 6. Generate recommendations
       if (verbose) console.log('💡 Generating recommendations...');
       this.generateRecommendations();
 
@@ -633,6 +639,109 @@ class RepoAnalyzer {
     };
   }
 
+  /**
+   * Extract contributor profiles from git history
+   */
+  async extractContributors() {
+    try {
+      execSync('git rev-parse --is-inside-work-tree', { cwd: this.projectPath, stdio: 'pipe' });
+    } catch (_) {
+      return;
+    }
+
+    try {
+      const shortlog = execSync('git shortlog -sne --all', {
+        cwd: this.projectPath,
+        encoding: 'utf-8',
+        timeout: 30000
+      }).trim();
+
+      if (!shortlog) return;
+
+      const contributors = [];
+      for (const line of shortlog.split('\n')) {
+        const match = line.trim().match(/^\s*(\d+)\s+(.+?)\s+<(.+?)>\s*$/);
+        if (!match) continue;
+        contributors.push({
+          total_commits: parseInt(match[1], 10),
+          name: match[2],
+          email: match[3]
+        });
+      }
+
+      for (const contributor of contributors.slice(0, 50)) {
+        try {
+          const firstCommit = execSync(
+            `git log --reverse --format=%aI --author="${contributor.email}" | head -1`,
+            { cwd: this.projectPath, encoding: 'utf-8', timeout: 10000, shell: true }
+          ).trim();
+
+          const lastCommit = execSync(
+            `git log --format=%aI --author="${contributor.email}" -1`,
+            { cwd: this.projectPath, encoding: 'utf-8', timeout: 10000 }
+          ).trim();
+
+          contributor.first_commit_date = firstCommit || null;
+          contributor.last_commit_date = lastCommit || null;
+
+          if (firstCommit) {
+            const first = new Date(firstCommit);
+            const now = new Date();
+            contributor.tenure_months = Math.floor(
+              (now.getTime() - first.getTime()) / (30.44 * 24 * 3600 * 1000)
+            );
+          } else {
+            contributor.tenure_months = 0;
+          }
+        } catch (_) {
+          contributor.first_commit_date = null;
+          contributor.last_commit_date = null;
+          contributor.tenure_months = 0;
+        }
+      }
+
+      // File ownership — sample up to 200 files
+      const ownership = {};
+      try {
+        const files = execSync('git ls-files | head -200', {
+          cwd: this.projectPath,
+          encoding: 'utf-8',
+          timeout: 10000,
+          shell: true
+        }).trim().split('\n').filter(Boolean);
+
+        for (const file of files) {
+          try {
+            const author = execSync(`git log --format=%ae -1 -- "${file}"`, {
+              cwd: this.projectPath,
+              encoding: 'utf-8',
+              timeout: 5000
+            }).trim();
+            if (author) {
+              ownership[author] = (ownership[author] || 0) + 1;
+            }
+          } catch (_) { /* skip file */ }
+        }
+      } catch (_) { /* file ownership optional */ }
+
+      for (const contributor of contributors.slice(0, 50)) {
+        contributor.files_owned = ownership[contributor.email] || 0;
+
+        if (contributor.total_commits >= 10 && contributor.tenure_months >= 3) {
+          contributor.computed_maturity = 'contributor';
+          contributor.maturity_basis = `Git bootstrap: ${contributor.total_commits} commits, ${contributor.tenure_months} months tenure`;
+        } else {
+          contributor.computed_maturity = 'observer';
+          contributor.maturity_basis = `${contributor.total_commits} commits, ${contributor.tenure_months} months tenure`;
+        }
+      }
+
+      this.results.contributors = contributors.slice(0, 50);
+    } catch (err) {
+      console.error('Git contributor extraction failed:', err.message);
+    }
+  }
+
   /**
    * Generate recommendations based on analysis
    */
@@ -823,6 +932,13 @@ class RepoAnalyzer {
       lines.push(`\n✅ No security issues found in ${sec.filesScanned} files scanned`);
     }
 
+    if (r.contributors && r.contributors.length > 0) {
+      lines.push(`\n👥 Contributors: ${r.contributors.length} found`);
+      for (const c of r.contributors.slice(0, 10)) {
+        lines.push(`   - ${c.name} <${c.email}> (${c.total_commits} commits, ${c.tenure_months}mo, ${c.computed_maturity})`);
+      }
+    }
+
     if (r.recommendations.length) {
       lines.push(`\n💡 Recommendations:`);
       for (const rec of r.recommendations) {

package/src/client/dbShim.js

@@ -0,0 +1,16 @@
+/**
+ * Database operations shim for NPM client package.
+ * Core modules import dbOperations at the top level, but hooks never
+ * execute DB queries — they communicate via HTTP to the MindMeld API.
+ * This shim satisfies the require() without shipping pg or connection logic.
+ */
+
+async function executeQuery() {
+    throw new Error('Database operations are not available in the client package. Use the MindMeld API instead.');
+}
+
+function getPool() {
+    return null;
+}
+
+module.exports = { executeQuery, getPool };

package/src/core/AuthManager.js

@@ -32,6 +32,7 @@ class AuthManager {
                 region: options.cognitoRegion || 'us-east-2'
             },
             callbackPorts: options.callbackPorts || [9876, 9877, 9878, 9879, 9880],
+            // AEGIS review: path is config-driven (homedir + hardcoded), not HTTP user input — no traversal risk
             authFile: options.authFile || path.join(os.homedir(), '.mindmeld', 'auth.json')
         };
     }
@@ -58,8 +59,8 @@ class AuthManager {
      */
     async saveAuth(auth) {
         const dir = path.dirname(this.config.authFile);
-        await fsPromises.mkdir(dir, { recursive: true });
-        await fsPromises.writeFile(this.config.authFile, JSON.stringify(auth, null, 2));
+        await fsPromises.mkdir(dir, { recursive: true, mode: 0o700 });
+        await fsPromises.writeFile(this.config.authFile, JSON.stringify(auth, null, 2), { mode: 0o600 });
     }
 
     /**

package/src/handlers/helpers/dbOperations.js

@@ -1,53 +1,16 @@
 /**
- * Database Operations Helper
- * Cached PostgreSQL client (Lambda database standards compliant)
- *
- * CRITICAL: Uses single cached client (NOT connection pool)
- * Follows lambda_database_standards.md
+ * Database operations shim for NPM client package.
+ * Core modules import dbOperations at the top level, but hooks never
+ * execute DB queries — they communicate via HTTP to the MindMeld API.
+ * This shim satisfies the require() without shipping pg or connection logic.
  */
 
-const { Client } = require('pg');
-
-// Cached client for connection reuse across warm invocations
-let cachedClient = null;
-
-/**
- * Get database client (cached)
- * Reuses connection across Lambda invocations
- */
-async function getClient() {
-    if (cachedClient && cachedClient._connected) {
-        return cachedClient;
-    }
-
-    // Create new client with environment variables (resolved at deployment)
-    // AWS RDS requires SSL for all connections
-    cachedClient = new Client({
-        host: process.env.DB_HOST,
-        port: parseInt(process.env.DB_PORT || '5432'),
-        database: process.env.DB_NAME,
-        user: process.env.DB_USER,
-        password: process.env.DB_PASS || process.env.DB_PASSWORD,  // Support both naming conventions
-        ssl: { rejectUnauthorized: false }  // Required for AWS RDS
-    });
-
-    await cachedClient.connect();
-    cachedClient._connected = true;
-
-    console.log('Database client connected');
-
-    return cachedClient;
+async function executeQuery() {
+    throw new Error('Database operations are not available in the client package. Use the MindMeld API instead.');
 }
 
-/**
- * Execute query using cached client
- * @param {string} query - SQL query
- * @param {array} params - Query parameters
- * @returns {Promise<object>} Query result
- */
-async function executeQuery(query, params = []) {
-    const client = await getClient();
-    return client.query(query, params);
+function getPool() {
+    return null;
 }
 
-module.exports = { executeQuery };
+module.exports = { executeQuery, getPool };

package/src/index.js

@@ -4,16 +4,13 @@
  * Intelligent standards injection for AI coding sessions.
  */
 
-const TeamLoadBearingDetector = require('./core/TeamLoadBearingDetector');
-const CollaborationPrompt = require('./collaboration/CollaborationPrompt');
-const { RelevanceDetector } = require('./core/RelevanceDetector');
 const { PatternValidator } = require('./core/PatternValidator');
-const { StandardsIngestion } = require('./core/StandardsIngestion');
 const { AuthManager } = require('./core/AuthManager');
 
 class MindmeldClient {
   constructor(config = {}) {
     this.config = {
+      // AEGIS review: projectPath is config-driven (CLI cwd), not HTTP user input — no traversal risk
       projectPath: config.projectPath || process.cwd(),
       userId: config.userId || process.env.USER || 'unknown',
       apiUrl: config.apiUrl || process.env.MINDMELD_API_URL || 'https://api.mindmeld.dev',
@@ -23,19 +20,7 @@ class MindmeldClient {
       ...config
     };
 
-    // Initialize components
-    this.teamDetector = new TeamLoadBearingDetector();
-    this.collaborationPrompt = new CollaborationPrompt();
-
-    // Phase 2-5 components (Claude Code integration)
-    this.relevanceDetector = new RelevanceDetector({
-      workingDirectory: this.config.projectPath,
-      standardsPath: this.config.standardsPath
-    });
     this.patternValidator = new PatternValidator();
-    this.standardsIngestion = new StandardsIngestion({
-      standardsPath: this.config.standardsPath
-    });
 
     // Project context
     this.currentProject = null;
@@ -167,129 +152,6 @@ class MindmeldClient {
     return null;
   }
 
-  /**
-   * Initialize new project
-   * Creates project via API if authenticated, stores locally as fallback
-   * @param {string} projectName - Name of the project
-   * @param {Object} options - Project options
-   * @param {Array} options.collaborators - List of collaborator emails
-   * @param {boolean} options.private - Whether project is private
-   * @param {string} options.description - Project description
-   * @param {string} options.repoUrl - Repository URL
-   * @returns {Promise<Object>} Created project object
-   */
-  async initializeProject(projectName, options = {}) {
-    const project = this.collaborationPrompt.createProjectConfig(
-      projectName,
-      options.collaborators || [],
-      {
-        private: options.private || false
-      }
-    );
-
-    // Try API first if authenticated
-    if (this.config.authToken && this.config.companyId) {
-      try {
-        const apiUrl = this.config.apiUrl;
-
-        // Build request payload matching projectCreate handler
-        const payload = {
-          Company_ID: this.config.companyId,
-          project_name: projectName,
-          description: options.description || `Project for ${projectName}`,
-          private: options.private || false,
-          repo_url: options.repoUrl || null
-        };
-
-        const response = await this._makeApiRequest(
-          `${apiUrl}/api/projects`,
-          'POST',
-          payload
-        );
-
-        if (response.error) {
-          // Handle specific error cases
-          if (response.status === 409) {
-            console.log('[Rapport] Project already exists, fetching existing...');
-            const existing = await this.getProject(projectName);
-            if (existing) return existing;
-          }
-          console.error('[Rapport] initializeProject API error:', response.error);
-          // Fall through to local storage
-        } else if (response.Records && response.Records.length > 0) {
-          const created = response.Records[0];
-
-          // Add collaborators if specified
-          if (options.collaborators && options.collaborators.length > 0) {
-            for (const email of options.collaborators) {
-              await this._addCollaborator(created.project_id, email);
-            }
-          }
-
-          return {
-            projectId: created.project_id,
-            projectName: created.project_name,
-            companyId: created.company_id,
-            description: created.description,
-            private: created.private,
-            collaborators: options.collaborators || [],
-            createdAt: created.created_at
-          };
-        }
-      } catch (error) {
-        console.error('[Rapport] initializeProject API call failed:', error.message);
-        // Fall through to local storage
-      }
-    }
-
-    // Fallback: store locally
-    await this.storeProjectLocally(project);
-    return project;
-  }
-
-  /**
-   * Add collaborator to project (internal helper)
-   * @private
-   */
-  async _addCollaborator(projectId, email, role = 'collaborator') {
-    try {
-      const apiUrl = this.config.apiUrl;
-      await this._makeApiRequest(
-        `${apiUrl}/api/collaborators`,
-        'POST',
-        { project_id: projectId, email, role }
-      );
-    } catch (error) {
-      console.error(`[Rapport] Failed to add collaborator ${email}:`, error.message);
-    }
-  }
-
-  /**
-   * Store project configuration locally
-   */
-  async storeProjectLocally(project) {
-    const fs = require('fs').promises;
-    const path = require('path');
-
-    const projectDir = path.join(__dirname, '../projects', project.projectId);
-    await fs.mkdir(projectDir, { recursive: true });
-
-    const configPath = path.join(projectDir, 'config.json');
-    await fs.writeFile(configPath, JSON.stringify(project, null, 2));
-
-    // Create collaborators file
-    const collabPath = path.join(projectDir, 'collaborators.json');
-    await fs.writeFile(collabPath, JSON.stringify({
-      projectId: project.projectId,
-      collaborators: project.collaborators,
-      updated: new Date().toISOString()
-    }, null, 2));
-
-    // Create sessions directory
-    const sessionsDir = path.join(projectDir, 'sessions');
-    await fs.mkdir(sessionsDir, { recursive: true });
-  }
-
   /**
    * Load project context including team patterns, load-bearing elements, and recent learning
    * Fetches from API if authenticated, falls back to local storage
@@ -404,79 +266,6 @@ class MindmeldClient {
     }
   }
 
-  /**
-   * Analyze handoff (team-wide)
-   */
-  async analyzeHandoff(handoff, outcome) {
-    if (!this.currentProject) {
-      throw new Error('No project initialized. Call detectProject() first.');
-    }
-
-    return this.teamDetector.analyzeHandoff(
-      this.config.userId,
-      handoff,
-      outcome
-    );
-  }
-
-  /**
-   * Get team load-bearing elements
-   */
-  getTeamLoadBearing() {
-    return this.teamDetector.getTeamLoadBearing();
-  }
-
-  /**
-   * Get team summary
-   */
-  getTeamSummary() {
-    return this.teamDetector.getTeamSummary();
-  }
-
-  // ============================================================================
-  // Phase 5: Claude Code Hook Methods
-  // ============================================================================
-
-  /**
-   * Ensure standards are ingested (cached check)
-   * Fast execution for session-start hook
-   */
-  async ensureStandardsIngested() {
-    try {
-      const check = await this.standardsIngestion.needsIngestion();
-
-      if (check.needed) {
-        console.log(`[Rapport] Standards ingestion needed: ${check.reason}`);
-        await this.standardsIngestion.ingestEquilateralStandards();
-      }
-
-      return check;
-    } catch (error) {
-      console.error('[Rapport] ensureStandardsIngested error:', error.message);
-      return { needed: false, error: error.message };
-    }
-  }
-
-  /**
-   * Get relevant standards for current project context
-   * Used by session-start hook
-   */
-  async getRelevantStandards(projectContext) {
-    try {
-      const context = {
-        workingDirectory: projectContext.workingDirectory || this.config.projectPath,
-        currentFile: projectContext.currentFile || null,
-        recentFiles: projectContext.recentFiles || [],
-        gitHistory: projectContext.gitHistory || null
-      };
-
-      return await this.relevanceDetector.detectRelevantStandards(context);
-    } catch (error) {
-      console.error('[Rapport] getRelevantStandards error:', error.message);
-      return { standards: [], characteristics: {}, categories: [] };
-    }
-  }
-
   /**
    * Get recent learning for project (last N days)
    */
@@ -964,9 +753,5 @@ module.exports = {
   MindmeldClient,
   RapportClient,
   AuthManager,
-  TeamLoadBearingDetector,
-  CollaborationPrompt,
-  RelevanceDetector,
-  PatternValidator,
-  StandardsIngestion
+  PatternValidator
 };

package/src/utils/piiMask.js

@@ -0,0 +1,16 @@
+/**
+ * PII masking utilities for safe logging.
+ * Prevents email, user IDs from leaking to CloudWatch/log aggregators.
+ */
+const maskEmail = (email) => {
+    if (!email) return '[no-email]';
+    const [local, domain] = email.split('@');
+    return `${local.substring(0, 2)}***@${domain || '***'}`;
+};
+
+const maskUserId = (id) => {
+    if (!id) return '[no-id]';
+    return typeof id === 'string' && id.length > 8 ? `${id.substring(0, 8)}...` : String(id);
+};
+
+module.exports = { maskEmail, maskUserId };