@flyingrobots/graft 0.3.1

package/CHANGELOG.md

@@ -0,0 +1,218 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/),
+and this project adheres to [Semantic Versioning](https://semver.org/).
+
+## [0.3.1] - 2026-04-05
+
+### Changed
+
+- **CI**: release workflow now publishes to npm via OIDC provenance.
+- **Docs**: regenerated README, GUIDE, BEARING, and VISION signposts
+  to reflect v0.3.0 features (12 tools, budget governor, reason codes).
+
+## [0.3.0] - 2026-04-05
+
+### Added
+
+- **Budget-aware governor**: `set_budget(bytes)` declares a session
+  byte budget. Thresholds tighten as budget drains — no single read
+  may consume more than 5% of remaining budget. New `BUDGET_CAP`
+  reason code. Budget info in receipts.
+- **Explain tool**: `explain(code)` returns human-readable meaning and
+  recommended action for any reason code.
+- **Policy check middleware**: tools with `policyCheck: true` get
+  automatic `evaluatePolicy` before the handler runs. Applied to
+  `read_range`.
+- **CachedFile value object**: immutable file snapshot bundles content,
+  hash, outline, jump table, and actual metrics from a single read.
+  Eliminates TOCTOU snapshot races by construction.
+- **guardedPort() factory**: Proxy-based stream boundary guard wraps
+  all methods on a port interface. One line to guard a whole port.
+- **Receipt compression ratio**: `compressionRatio` field in receipts
+  (returnedBytes / fileBytes). Instant context efficiency signal.
+- **Diff summary lines**: each file in `graft_diff` output includes a
+  one-line structural stat for quick triage.
+
+### Fixed
+
+- **Strict MCP argument validation**: Zod schemas now reject unknown
+  keys at the MCP edge instead of silently stripping them.
+- **run_capture log-write isolation**: filesystem failures when
+  persisting capture logs no longer mask successful command output.
+- **Cache-hit policy re-check**: `safe_read` now re-evaluates policy
+  on cache hits, preventing stale cached data from bypassing refusals.
+
+## [0.2.2] - 2026-04-04
+
+### Added
+
+- **Docker support**: run graft as an MCP server without installing
+  Node. `docker run -i --rm -v "$PWD:/workspace" flyingrobots/graft`.
+  Node 22 Alpine, non-root user.
+- **Canonical JSON codec**: all JSON serialization uses deterministic
+  sorted keys and compact output via `CanonicalJsonCodec`. Enables
+  stable hashes and diffable logs. `JsonCodec` port for hexagonal
+  compliance.
+
+### Fixed
+
+- **JSON serialization safety**: codec preserves `Date` and custom
+  `toJSON` semantics, detects circular references, handles shared
+  object references without false cycle detection.
+
+## [0.2.1] - 2026-04-04
+
+### Added
+
+- **Value objects** (cycle 0016): OutlineEntry, JumpEntry, DiffEntry,
+  OutlineDiff, and Tripwire converted from plain interfaces to frozen
+  SSJS classes with constructor validation and private `_brand` fields.
+  Completes SSJS P1 migration for all domain types.
+- **PostToolUse hook for Read**: educates agents on context cost after
+  large file reads, showing what safe_read would have returned and the
+  savings in KB.
+- **Shared hook utilities** (`src/hooks/shared.ts`): validated input
+  parsing, stdin reader with 1 MB size guard, safe relative path
+  resolution, and `runHook` harness with full stack trace logging.
+- **18 project invariants** documented in `docs/invariants/`.
+
+### Fixed
+
+- **Trim-and-validate**: value object constructors trim names before
+  validation, preventing whitespace-only strings from passing as valid.
+- **Input validation**: hooks now validate JSON structure at runtime
+  instead of using unsafe `as` type assertions.
+- **Path traversal guard**: hooks reject file paths outside the project
+  `cwd` (passes through to native Read instead of evaluating policy on
+  arbitrary paths).
+- **UTF-8 safety**: stdin reader accumulates raw buffers before decoding
+  to prevent multi-byte character corruption at chunk boundaries.
+- **Stack traces**: hook error handler logs `err.stack` instead of
+  `err.message` for debuggability.
+- **Node engine**: bump minimum to `>=20.11.0` for `import.meta.dirname`
+  support (used across test suite and eslint config).
+
+## [0.2.0] - 2026-04-03
+
+### Changed
+
+- **Server decomposition** (cycle 0010): split 541-line MCP server
+  god file into focused modules. `server.ts` is now 110 lines of pure
+  registration and plumbing. New modules:
+  - `metrics.ts` — `Metrics` class replaces 6 loose counters
+  - `cache.ts` — `Observation` class + `ObservationCache` with
+    `isStale()`, `touch()`, `record()`, `check()`, `get()`
+  - `receipt.ts` — `buildReceiptResult()` with stabilization loop
+  - `context.ts` — `ToolContext` interface + `ToolHandler` type
+  - `tools/*.ts` — 9 files, one per tool handler (state.ts has both
+    save + load)
+- **FileSystem port** (cycle 0011): hexagonal compliance — core logic
+  no longer imports `node:fs` directly. New `FileSystem` interface in
+  `src/ports/filesystem.ts` with Node adapter in `src/adapters/node-fs.ts`.
+  All operations and metrics use the port; testable with mock filesystems.
+- **Outline quality audit** (cycle 0012): 7 real-world fixture files,
+  40 test assertions proving outline extraction works on React
+  components, Express routers, barrel files, god classes, dense
+  generics, and decorated classes.
+
+### Added
+
+- **Arrow function export extraction**: `export const fn = () => {}`
+  now gets `kind: "function"` with parameter/return type signature
+  instead of generic `kind: "export"`.
+- **Enum extraction**: `enum` declarations appear in outlines with
+  `kind: "enum"`.
+- **Re-export extraction**: named, type, and wildcard re-exports
+  now appear in outlines. Barrel files are no longer invisible.
+- **Claude Code hooks** (cycle 0015): PreToolUse hook blocks banned
+  files (secrets, binaries, lockfiles, `.graftignore` matches).
+  PostToolUse hook educates agents on context cost after large file
+  reads, suggesting `safe_read` as an alternative.
+
+### Fixed
+
+- **Byte metrics**: receipt builder now uses `Buffer.byteLength()`
+  instead of `text.length` for returnedBytes and cumulative byte
+  accounting. Was counting UTF-16 code units as bytes.
+- **Path traversal guard**: all path-accepting tools now use
+  `ctx.resolvePath()` which rejects relative paths that escape the
+  project root via `..` segments.
+- **Doctor thresholds drift**: doctor tool now imports
+  `STATIC_THRESHOLDS` from policy instead of hardcoding values.
+- **run_capture tail validation**: clamp tail to minimum 1 to prevent
+  zero/negative values from producing undefined behavior.
+- **safe_read result.actual guard**: check `result.actual !== undefined`
+  before using it for cache recording (actual is optional on error
+  projections).
+
+## [0.1.0] - 2026-04-03
+
+### Added
+
+- **Policy engine**: dual thresholds (150 lines + 12 KB), 5 ban
+  categories (binary, lockfile, minified, build output, secret),
+  `.graftignore` support, session-depth dynamic caps (20/10/4 KB).
+- **Parser**: tree-sitter WASM outline extraction for JS/TS with
+  jump tables, signature bounding, and broken-file recovery.
+- **Session tracker**: 4 tripwires (SESSION_LONG, EDIT_BASH_LOOP,
+  RUNAWAY_TOOLS, LATE_LARGE_READ) with session depth reporting.
+- **Metrics logger**: NDJSON decision logging with retention/rotation.
+- **Operations**: safe_read, file_outline, read_range, state_save/load.
+- **MCP server**: all 8 Phase 1 commands as MCP tools over stdio,
+  session tracking (tripwires + dynamic caps automatic), doctor and
+  stats tools. Entry point at `src/mcp/stdio.ts`.
+- **Re-read suppression**: session-level observation cache — second
+  read of an unchanged file returns cached outline instead of
+  re-reading. Tracks readCount, estimatedBytesAvoided, lastReadAt.
+  Works for both safe_read and file_outline. Stats includes
+  totalCacheHits and totalBytesAvoidedByCache.
+- **Receipt mode**: every MCP response includes a `_receipt` block
+  with sessionId, monotonic seq, projection, reason, fileBytes,
+  returnedBytes, and cumulative counters (reads, outlines, refusals,
+  cacheHits, bytesReturned, bytesAvoided). Blacklight can grep API
+  transcripts to prove graft works.
+- **Changed-since-last-read**: when a file changes between reads,
+  graft returns a structural diff (added/removed/changed symbols)
+  alongside the new outline. New `changed_since` MCP tool for
+  explicit delta queries without triggering a full safe_read.
+- Now 16 machine-stable reason codes — added `REREAD_UNCHANGED`
+  (cycle 0003) and `CHANGED_SINCE_LAST_READ` (cycle 0005).
+- **Structural git diff** (`graft_diff`): symbol-level diff between
+  any two git refs. Uses `git rev-parse --verify` + `git cat-file -e`
+  for stable ref/object detection.
+- **run_capture implemented**: tee shell output to log file, return
+  last N lines. Full output at `.graft/logs/capture.log`.
+- **MCP tool descriptions**: all 10 tools have agent-facing
+  descriptions in their schema for discovery via `listTools`.
+- **bin/graft.js**: CLI entry point for `npx @flyingrobots/graft`.
+- 16 machine-stable reason codes.
+- 227 tests across 20 test files.
+- 7 cycles completed, 3 legends (CORE, WARP, CLEAN_CODE).
+
+### Fixed
+
+- **Diff path policy check**: both `safe_read` and `changed_since`
+  now run `evaluatePolicy` before returning structural data,
+  preventing leaks if policy rules change after initial observation.
+  Note: `safe_read` always evaluates policy; `changed_since` was
+  added in this release and now also evaluates policy.
+- **Nested symbol diff**: classes/interfaces now recursively diff
+  children. A method added inside a class shows as a changed class
+  with a childDiff detailing the nested change.
+- **Snapshot race**: diff and changed_since paths now use
+  extractOutline with the already-read content instead of
+  re-reading the file via fileOutline.
+- **Pre-push hook**: parses stdin for the remote ref being pushed to
+  instead of checking the local branch name.
+- **oldSignature consistency**: DiffEntry.oldSignature now uses the
+  same entrySignature fallback (name when no signature) as the
+  comparison logic.
+- **Stale lastReadAt**: diff responses now return the updated
+  timestamp from the observation cache instead of the old one.
+- **Dead DiffEntry fields**: removed unused start/end from DiffEntry.
+- Add `@types/node` and `@types/picomatch` (required by TypeScript 6).
+- Fix session-depth table in design doc ("Messages Remaining" →
+  "Messages Elapsed").

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by the Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding any notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 James Ross
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/NOTICE

@@ -0,0 +1,4 @@
+Graft
+Copyright 2026 James Ross
+
+Licensed under the Apache License, Version 2.0.

package/README.md

@@ -0,0 +1,119 @@
+<div align="center">
+    <img src="./docs/assets/graft.svg" />
+    <h3>Context governor for coding agents</h3>
+</div>
+
+Graft enforces read policy so coding agents consume the smallest
+structurally correct view of a codebase instead of dumping entire
+files into their context window. Agent-first, but the structural
+tools (outlines, diffs, symbol history) are useful to anyone.
+
+## Why
+
+Empirical analysis of 1,091 real coding sessions (Blacklight) found
+that **Read accounts for 96.2 GB of context burden** — 6.6x all
+other tools combined. 58% of reads are full-file. The fattest 2.4%
+of reads produce 24% of raw bytes. Dynamic read caps + session
+management reduce this by **75.1%**.
+
+## Install
+
+```bash
+npm install -g @flyingrobots/graft
+```
+
+Or use directly:
+
+```bash
+npx @flyingrobots/graft
+```
+
+Or run in Docker (no Node required):
+
+```bash
+docker run -i --rm -v "$PWD:/workspace" flyingrobots/graft
+```
+
+## Quick start
+
+```json
+{
+  "mcpServers": {
+    "graft": {
+      "command": "npx",
+      "args": ["-y", "@flyingrobots/graft"]
+    }
+  }
+}
+```
+
+Add this to your MCP config — works with Claude Code, Cursor,
+Windsurf, Continue, Cline, and any MCP-compatible client.
+
+See **[Setup Guide](docs/GUIDE.md)** for per-editor instructions,
+Claude Code hooks, `.graftignore` configuration, troubleshooting,
+and details on what the agent experiences.
+
+## What it does
+
+When an agent asks to read a file, Graft applies policy:
+
+- **Small files** are returned as-is.
+- **Large files** are returned as a structural outline with a jump
+  table so the agent can request specific ranges.
+- **Banned files** (binaries, lockfiles, minified bundles, secrets)
+  are refused with a machine-readable reason code and suggested next
+  steps.
+- **Re-reads** of unchanged files return a cached outline (no wasted
+  context). Changed files return a structural diff (added/removed/
+  changed symbols).
+- **Ranges** are bounded — no stealth `cat` of a 10,000-line file.
+- **Session depth** tightens caps as the context window fills.
+- **Budget governor** — agent declares a byte budget, thresholds
+  tighten as it drains. No single read may consume more than 5% of
+  remaining budget.
+- **Tripwires** signal when the session is going off the rails.
+- **Receipts** on every response with compression ratio for usage
+  analysis.
+
+Every decision is logged. Every refusal is explainable. All output
+is structured JSON.
+
+## Tools
+
+| Tool | Purpose |
+|---|---|
+| `safe_read` | Policy-enforced file read (content, outline, refusal, or diff) |
+| `file_outline` | Structural skeleton with jump table |
+| `read_range` | Bounded range read (max 250 lines), policy-gated |
+| `graft_diff` | Structural diff between git refs with per-file summary lines |
+| `changed_since` | Check if a file changed since last read (peek or consume) |
+| `run_capture` | Shell output capture — tee to log, tail to agent |
+| `state_save` | Save session working state (max 8 KB) |
+| `state_load` | Restore session working state |
+| `set_budget` | Declare session byte budget — governor tightens as it drains |
+| `explain` | Human-readable help for any reason code |
+| `doctor` | Runtime health check |
+| `stats` | Decision metrics summary |
+
+## Reason codes
+
+Every refusal or policy decision includes a machine-readable reason
+code. Use `explain(code)` to get meaning and recommended action.
+
+| Code | Meaning |
+|------|---------|
+| `CONTENT` | File within thresholds — full content returned |
+| `OUTLINE` | File exceeds thresholds — structural outline returned |
+| `SESSION_CAP` | Session-depth byte cap triggered |
+| `BUDGET_CAP` | Budget-proportional cap triggered |
+| `BINARY` | Binary file refused |
+| `LOCKFILE` | Machine-generated lockfile refused |
+| `MINIFIED` | Minified file refused |
+| `BUILD_OUTPUT` | Build output directory refused |
+| `SECRET` | Potential secrets file refused |
+| `GRAFTIGNORE` | Matches .graftignore pattern |
+
+## License
+
+Apache 2.0 — see [LICENSE](LICENSE).

package/bin/graft.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env -S node --import tsx
+
+// Graft MCP server — stdio transport
+// Usage: npx @flyingrobots/graft
+
+import { createGraftServer } from "../src/mcp/server.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+const graft = createGraftServer();
+const transport = new StdioServerTransport();
+await graft.getMcpServer().connect(transport);