@kylewadegrove/cutline-mcp-cli 0.4.2 → 0.5.1

package/Dockerfile

@@ -0,0 +1,11 @@
+FROM node:20-slim AS base
+
+WORKDIR /app
+
+# Install the CLI globally from npm (includes bundled servers)
+RUN npm install -g @kylewadegrove/cutline-mcp-cli@latest
+
+# Default to the main constraints server (cutline-server.js)
+# Override with: docker run ... cutline-mcp serve premortem
+ENTRYPOINT ["cutline-mcp"]
+CMD ["serve", "constraints"]

package/README.md

@@ -1,173 +1,243 @@
-# Cutline MCP CLI
+# Cutline MCP — Engineering Guardrails for Vibecoding
 
-Command-line tool for authenticating with Cutline MCP servers.
+**Security, reliability, and scalability constraints for your coding agent.** Free code audits, 9 compliance frameworks, pre-mortem analysis, and a Red-Green-Refactor workflow — all injected directly into Cursor, Claude, Windsurf, or any MCP client.
 
-## Installation
+[![npm](https://img.shields.io/npm/v/@kylewadegrove/cutline-mcp-cli)](https://www.npmjs.com/package/@kylewadegrove/cutline-mcp-cli)
+[![MCP Registry](https://img.shields.io/badge/MCP_Registry-ai.thecutline-blue)](https://registry.modelcontextprotocol.io)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)
+
+## Install
+
+### npm (Recommended)
 
 ```bash
-cd functions/cutline/mcp-cli
-npm install
-npm run build
-npm link  # Makes cutline-mcp available globally
+npm install -g @kylewadegrove/cutline-mcp-cli@latest
 ```
 
-## Usage
+### Docker
+
+```bash
+docker run -i ghcr.io/kylewadegrove/cutline-mcp serve constraints
+```
 
-### Login
+### Claude Desktop (.mcpb)
 
-Authenticate with Cutline and store credentials securely in your OS keychain:
+Download `cutline-mcp.mcpb` from the [latest release](https://github.com/kylewadegrove/cutline/releases) and double-click to install.
+
+## Quick Start
 
 ```bash
+# 1. Authenticate (email only, no password)
 cutline-mcp login
+
+# 2. Initialize your project (writes IDE rules)
+cd /path/to/your/project
+cutline-mcp init
+
+# 3. Connect MCP servers to your IDE
+cutline-mcp setup
 ```
 
-This will:
-1. Open your browser to Cutline's authentication page
-2. After you log in, receive a refresh token
-3. Store the token securely in your system keychain
-4. Display confirmation with your email
+Then ask your AI agent: **"Run an engineering audit on this codebase"**
 
-### Check Status
+## What It Does
 
-View your current authentication status:
+| Capability | Free | Premium |
+|---|---|---|
+| **Engineering Audit** — security, reliability, scalability scan | 3/month | Unlimited |
+| **9 Compliance Frameworks** — SOC 2, PCI-DSS, HIPAA, GDPR, OWASP LLM, FedRAMP, GLBA, FERPA/COPPA | Auto-loaded | Auto-loaded |
+| **Code Audit** — deep scan + RGR remediation plan | — | Unlimited |
+| **Pre-Mortem Analysis** — risks, assumptions, competitive threats | — | Unlimited |
+| **Constraint Graph** — product-specific NFR routing | — | Full access |
+| **AI Personas** — stakeholder feedback on features | — | Full access |
+| **Idea Validation** — fast-track from free web validation | — | Included |
 
-```bash
-cutline-mcp status
-```
+## 54 MCP Tools
 
-Shows:
-- Whether you're authenticated
-- Your email and user ID
-- Token expiration time
-- Subscription status (coming soon)
+### Free Tier
 
-### Logout
+| Tool | Description |
+|---|---|
+| `engineering_audit` | Security, reliability, and scalability scan (3/month) |
+| `exploration_start` | Start a guided product idea exploration |
+| `exploration_chat` | Continue an exploration conversation |
+| `exploration_graduate` | Graduate top idea (teaser for free, full for premium) |
+| `llm_status` | Check AI/LLM provider health |
+| `perf_status` | Check MCP server performance metrics |
 
-Remove stored credentials:
+### Premium Tier (50+ tools)
 
-```bash
-cutline-mcp logout
-```
+**Pre-Mortem & Deep Dive:** `premortem_run`, `premortem_from_idea`, `premortem_queue`, `premortem_status`, `premortem_kick`, `premortem_list`, `premortem_render_pdf`, `premortem_qa`, `premortem_regen_assumptions`, `premortem_regen_experiments`
 
-## How It Works
+**Personas:** `personas_list`, `personas_get`, `personas_chat`
 
-### Security
+**Constraint Graph:** `constraints_query`, `constraints_auto`, `constraints_ingest`, `constraints_list`, `constraints_learn`, `constraints_embed`, `constraints_semantic_query`, `constraints_ingest_persona`, `constraints_ingest_wiki`, `constraints_ingest_doc`, `constraints_heal`
 
-- **Keychain Storage**: Tokens are stored in your OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
-- **Refresh Tokens**: Long-lived refresh tokens are stored, not short-lived ID tokens
-- **Automatic Refresh**: MCP servers automatically exchange refresh tokens for fresh ID tokens
-- **Revocable**: Tokens can be revoked from your Cutline account settings
+**Graph Operations:** `graph_ingest_requirements`, `graph_get_boundaries`, `graph_bind_codebase`, `graph_bind_confirm`, `graph_view`, `graph_conflicts`, `graph_metrics`
 
-### Authentication Flow
+**Code & RGR:** `code_audit`, `rgr_plan`, `rgr_complete_phase`, `export_readiness_badge`
 
-```
-1. User runs: cutline-mcp login
-2. CLI starts local callback server on localhost:8765
-3. CLI opens browser to: https://cutline.app/mcp-auth?callback=http://localhost:8765
-4. User logs in to Cutline (or is already logged in)
-5. Cutline redirects to: http://localhost:8765?token=REFRESH_TOKEN&email=user@example.com
-6. CLI receives token and stores in keychain
-7. CLI displays success message
-```
+**Wiki & Integrations:** `wiki_load`, `wiki_save`, `wiki_apply_edits`, `agent_chat`, `integrations_create_issues`
+
+**Templates:** `template_list`, `template_get`, `template_create`, `template_discover`
 
-### MCP Server Integration
-
-MCP servers automatically read tokens from the keychain:
-
-```typescript
-// In utils.ts
-async function requirePremium(authToken?: string) {
-  // Priority: explicit token > keychain > error
-  let token = authToken;
-  
-  if (!token) {
-    const refreshToken = await getStoredRefreshToken();
-    if (refreshToken) {
-      token = await exchangeRefreshToken(refreshToken);
-    }
-  }
-  
-  if (!token) {
-    throw new Error("Run 'cutline-mcp login' to authenticate");
-  }
-  
-  // ... validate token and subscription
-}
+**Config:** `generate_cutline_md`
+
+## Commands
+
+### `login`
+
+Authenticate with Cutline. Opens your browser for a quick email-only signup (no password needed). Stores credentials in your system keychain.
+
+```bash
+cutline-mcp login
+cutline-mcp login --staging   # Use staging environment
+cutline-mcp login --signup    # Full sign-up page (email + password)
 ```
 
-## Configuration
+### `init`
 
-### Environment Variables
+Generate IDE-specific config files for your project. Adapts to your tier:
 
-- `CUTLINE_AUTH_URL`: Override auth endpoint (default: `https://cutline.app/mcp-auth`)
-- `FIREBASE_API_KEY`: Firebase API key for token exchange
+```bash
+cutline-mcp init
+cutline-mcp init --project-root /path/to/project
+```
 
-### Callback Port
+**Free tier writes:**
+- `.cursor/rules/rgr-workflow.mdc` — RGR cycle with `engineering_audit`
+- `.cursor/rules/ambient-constraints.mdc` — Constraint checking guidance
+- `CLAUDE.local.md` — Same instructions for Claude Code
 
-The CLI uses port `8765` for the OAuth callback. If this port is in use, you'll see an error. Close other applications and try again.
+**Premium tier adds:**
+- `.cursor/rules/cutline.mdc` — Points agent to `.cutline.md`
 
-## Troubleshooting
+All files are gitignored automatically.
 
-### "Port 8765 is already in use"
+### `setup`
 
-Another application is using the callback port. Find and close it:
+Print the MCP server configuration to add to your IDE.
 
 ```bash
-lsof -i :8765
-kill -9 <PID>
+cutline-mcp setup
 ```
 
-### "Authentication timeout"
+### `serve <server>`
 
-The browser didn't complete the OAuth flow within 5 minutes. Try again:
+Start an MCP server (used by IDE MCP configs).
 
 ```bash
-cutline-mcp login
+cutline-mcp serve constraints    # Main server (engineering audit, constraints, graph)
+cutline-mcp serve premortem      # Pre-mortem and deep dive
+cutline-mcp serve exploration    # Idea exploration
+cutline-mcp serve tools          # Utility tools
+cutline-mcp serve output         # Export and rendering
+cutline-mcp serve integrations   # External integrations
 ```
 
-### "Failed to refresh token"
+### `upgrade`
 
-Your stored token may be invalid or revoked. Log out and log in again:
+Open the upgrade page and refresh your session.
 
 ```bash
-cutline-mcp logout
-cutline-mcp login
+cutline-mcp upgrade
 ```
 
-### Keychain Access Denied
+### `status` / `logout`
 
-On macOS, you may need to grant Terminal/IDE access to Keychain:
+```bash
+cutline-mcp status    # Check auth and subscription
+cutline-mcp logout    # Remove stored credentials
+```
 
-1. Open Keychain Access app
-2. Find "cutline-mcp" entry
-3. Right-click → Get Info → Access Control
-4. Add your Terminal/IDE to allowed applications
+## How It Works
+
+### Authentication
+
+```
+1. cutline-mcp login
+2. CLI starts local callback server on localhost:8765
+3. Browser opens — enter email, receive magic link, click it
+4. CLI receives token and stores it in your OS keychain
+```
+
+Existing users who are already signed in complete automatically. Password sign-in is also available.
 
-## Development
+### RGR Workflow
 
-### Build
+The `init` command creates rules that make your AI coding agent follow the Red-Green-Refactor cycle automatically:
+
+1. **Plan** — Check constraints before implementing
+2. **Implement** — Write code addressing the constraints
+3. **Verify** — Run a code audit to check coverage
+4. **Complete** — Mark the phase done to update readiness scores
+
+### Compliance Frameworks
+
+Cutline auto-detects your stack and loads the appropriate compliance constraints:
+
+| Framework | Triggers |
+|---|---|
+| SOC 2 | Always loaded |
+| Security Baseline | Always loaded |
+| PCI-DSS | Stripe, payment libs |
+| HIPAA | Health/FHIR/HL7 libs |
+| GDPR / CCPA | Analytics, auth libs |
+| OWASP LLM Top 10 | OpenAI, LangChain, RAG |
+| FedRAMP | GovCloud, FIPS |
+| GLBA | Plaid, banking SDKs |
+| FERPA / COPPA | Clever, Canvas, EdTech |
+
+## Registry Listings
+
+### Official MCP Registry
 
 ```bash
-npm run build
+# Verify namespace
+mcp-publisher login dns --domain thecutline.ai
+
+# Publish
+mcp-publisher publish
 ```
 
-### Watch Mode
+Config: [`server.json`](./server.json)
+
+### Smithery
+
+Config: [`smithery.yaml`](./smithery.yaml) with [`Dockerfile`](./Dockerfile)
+
+### Claude Desktop Extension
 
 ```bash
-npm run dev
+npm run build:mcpb
+# → cutline-mcp.mcpb (drag into Claude Desktop)
 ```
 
-### Test Locally
+Config: [`mcpb/manifest.json`](./mcpb/manifest.json)
+
+## Troubleshooting
+
+### Port 8765 in use
 
 ```bash
-npm link
-cutline-mcp --help
+lsof -i :8765
+kill -9 <PID>
 ```
 
-## Next Steps
+### Authentication timeout
+
+The browser didn't complete within 10 minutes. Run `cutline-mcp login` again.
 
-- [ ] Add web app `/mcp-auth` endpoint
-- [ ] Implement device registration in Firestore
-- [ ] Add subscription status to `status` command
-- [ ] Publish to npm as `@cutline/mcp-cli`
-- [ ] Create standalone binaries for macOS/Windows/Linux
+### Failed to refresh token
+
+```bash
+cutline-mcp logout
+cutline-mcp login
+```
+
+### Keychain Access Denied (macOS)
+
+1. Open Keychain Access
+2. Find "cutline-mcp" entry
+3. Right-click → Get Info → Access Control
+4. Add your Terminal/IDE to allowed applications

package/dist/auth/callback.js

@@ -1,15 +1,9 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.startCallbackServer = startCallbackServer;
-const express_1 = __importDefault(require("express"));
+import express from 'express';
 const CALLBACK_PORT = 8765;
-const TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
-async function startCallbackServer() {
+const TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes (allows time for email magic link)
+export async function startCallbackServer() {
     return new Promise((resolve, reject) => {
-        const app = (0, express_1.default)();
+        const app = express();
         let server;
         // Timeout handler
         const timeout = setTimeout(() => {
@@ -24,7 +18,6 @@ async function startCallbackServer() {
                 res.status(400).send('Missing token parameter');
                 return;
             }
-            // Send success page
             res.send(`
         <!DOCTYPE html>
         <html>
@@ -38,36 +31,41 @@ async function startCallbackServer() {
                 align-items: center;
                 height: 100vh;
                 margin: 0;
-                background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                background: #0a0a0a;
+                color: #fff;
               }
               .container {
-                background: white;
-                padding: 3rem;
+                background: #111;
+                padding: 2.5rem;
                 border-radius: 1rem;
-                box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+                border: 1px solid rgba(0, 255, 65, 0.2);
                 text-align: center;
-                max-width: 400px;
-              }
-              h1 {
-                color: #667eea;
-                margin-bottom: 1rem;
-              }
-              p {
-                color: #666;
-                line-height: 1.6;
-              }
-              .checkmark {
-                font-size: 4rem;
-                color: #4CAF50;
+                max-width: 420px;
               }
+              .checkmark { font-size: 3rem; margin-bottom: 0.5rem; }
+              h1 { color: #00ff41; font-size: 1.4rem; margin-bottom: 0.5rem; }
+              .email { color: #888; font-size: 0.9rem; margin-bottom: 1.5rem; }
+              .steps { text-align: left; margin: 1.5rem 0; padding: 1rem 1.2rem; background: rgba(0,255,65,0.05); border: 1px solid rgba(0,255,65,0.15); border-radius: 0.5rem; }
+              .steps h3 { font-size: 0.8rem; color: #888; margin: 0 0 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; }
+              .step { display: flex; align-items: flex-start; gap: 0.6rem; margin-bottom: 0.6rem; font-size: 0.85rem; color: #ccc; }
+              .step:last-child { margin-bottom: 0; }
+              .num { color: #00ff41; font-weight: 600; min-width: 1.2rem; }
+              code { background: rgba(255,255,255,0.1); padding: 0.15rem 0.4rem; border-radius: 3px; font-size: 0.8rem; }
+              .close { color: #666; font-size: 0.8rem; margin-top: 1rem; }
             </style>
           </head>
           <body>
             <div class="container">
-              <div class="checkmark">✓</div>
-              <h1>Authentication Successful!</h1>
-              <p>You can now close this window and return to your terminal.</p>
-              ${email ? `<p>Logged in as: <strong>${email}</strong></p>` : ''}
+              <div class="checkmark">&#10003;</div>
+              <h1>You're in!</h1>
+              ${email ? `<p class="email">${email}</p>` : ''}
+              <div class="steps">
+                <h3>Next in your terminal</h3>
+                <div class="step"><span class="num">1</span><span>Run <code>cutline-mcp init</code> to generate IDE rules</span></div>
+                <div class="step"><span class="num">2</span><span>Run <code>cutline-mcp setup</code> to connect MCP servers</span></div>
+                <div class="step"><span class="num">3</span><span>Ask your agent: <em>"Run an engineering audit"</em></span></div>
+              </div>
+              <p class="close">You can close this tab.</p>
             </div>
           </body>
         </html>

package/dist/auth/keychain.js

@@ -1,20 +1,12 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.storeRefreshToken = storeRefreshToken;
-exports.getRefreshToken = getRefreshToken;
-exports.deleteRefreshToken = deleteRefreshToken;
-const keytar_1 = __importDefault(require("keytar"));
+import keytar from 'keytar';
 const SERVICE_NAME = 'cutline-mcp';
 const ACCOUNT_NAME = 'refresh-token';
-async function storeRefreshToken(token) {
-    await keytar_1.default.setPassword(SERVICE_NAME, ACCOUNT_NAME, token);
+export async function storeRefreshToken(token) {
+    await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, token);
 }
-async function getRefreshToken() {
-    return await keytar_1.default.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+export async function getRefreshToken() {
+    return await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
 }
-async function deleteRefreshToken() {
-    return await keytar_1.default.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+export async function deleteRefreshToken() {
+    return await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
 }

package/dist/commands/init.d.ts

@@ -0,0 +1,4 @@
+export declare function initCommand(options: {
+    projectRoot?: string;
+    staging?: boolean;
+}): Promise<void>;