@martinloop/mcp 0.1.1 → 0.1.3

package/dist/vendor/adapters/cli-bridge.js

@@ -1,28 +1,33 @@
 import { spawn } from "node:child_process";
-import { isAbsolute } from "node:path";
+import { delimiter, extname, isAbsolute, join, resolve } from "node:path";
+import { existsSync } from "node:fs";
 import { diffStatsFromNumstat } from "./runtime-support.js";
 export async function runSubprocess(command, args, options) {
     return new Promise((resolve) => {
         let timedOut = false;
+        let settled = false;
         const stdoutChunks = [];
         const stderrChunks = [];
         const stdinMode = options.stdinData !== undefined ? "pipe" : "ignore";
+        const resolveOnce = (result) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            resolve(result);
+        };
         let proc;
         try {
-            proc = (options.spawnImpl ?? spawn)(command, args, {
+            const spawnPlan = createSpawnPlan(command, args, options.cwd, options.spawnImpl !== undefined);
+            proc = (options.spawnImpl ?? spawn)(spawnPlan.command, spawnPlan.args, {
                 cwd: options.cwd,
                 stdio: [stdinMode, "pipe", "pipe"],
-                env: process.env,
-                // shell: true is required on Windows to resolve PATH shims (e.g. claude.cmd).
-                // Avoid it for absolute .exe paths because cmd.exe can split paths with spaces.
-                // Prompt content is never passed as a shell argument, it goes via stdin, so
-                // injection risk from the DEP0190 warning does not apply here.
-                shell: shouldUseWindowsShell(command)
+                env: process.env
             });
         }
         catch (error) {
             const message = error instanceof Error ? error.message : String(error);
-            resolve({
+            resolveOnce({
                 exitCode: 1,
                 stdout: "",
                 stderr: message,
@@ -30,38 +35,59 @@ export async function runSubprocess(command, args, options) {
             });
             return;
         }
-        if (options.stdinData !== undefined && proc.stdin) {
-            proc.stdin.write(options.stdinData, "utf8");
-            proc.stdin.end();
-        }
         proc.stdout?.on("data", (chunk) => {
             stdoutChunks.push(chunk);
         });
         proc.stderr?.on("data", (chunk) => {
             stderrChunks.push(chunk);
         });
+        proc.stdin?.on("error", (error) => {
+            // Some CLIs exit before consuming stdin in tests and on fast-fail paths.
+            // Treat the closed pipe as a handled subprocess lifecycle condition.
+            if (error.code === "EPIPE") {
+                return;
+            }
+            stderrChunks.push(Buffer.from(`${error.message}\n`, "utf8"));
+        });
         const timer = setTimeout(() => {
             timedOut = true;
             proc.kill("SIGTERM");
         }, options.timeoutMs);
-        proc.on("close", (code) => {
-            clearTimeout(timer);
-            resolve({
-                exitCode: code ?? 1,
-                stdout: Buffer.concat(stdoutChunks).toString("utf8"),
-                stderr: Buffer.concat(stderrChunks).toString("utf8"),
-                timedOut
-            });
-        });
         proc.on("error", (error) => {
             clearTimeout(timer);
-            resolve({
+            resolveOnce({
                 exitCode: 1,
                 stdout: "",
                 stderr: error.message,
                 timedOut: false
             });
         });
+        proc.on("close", (code) => {
+            clearTimeout(timer);
+            resolveOnce({
+                exitCode: code ?? 1,
+                stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+                stderr: Buffer.concat(stderrChunks).toString("utf8"),
+                timedOut
+            });
+        });
+        if (options.stdinData !== undefined && proc.stdin) {
+            try {
+                proc.stdin.end(options.stdinData, "utf8");
+            }
+            catch (error) {
+                const stdinError = error;
+                if (stdinError.code !== "EPIPE") {
+                    clearTimeout(timer);
+                    resolveOnce({
+                        exitCode: 1,
+                        stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+                        stderr: stdinError.message,
+                        timedOut: false
+                    });
+                }
+            }
+        }
     });
 }
 export async function runVerification(commands, cwd, timeoutMs, verificationStack, spawnImpl) {
@@ -76,9 +102,8 @@ export async function runVerification(commands, cwd, timeoutMs, verificationStac
     }
     const failedSteps = [];
     for (const step of steps) {
-        const parts = step.command.trim().split(/\s+/u);
-        const bin = parts[0];
-        const args = parts.slice(1);
+        const parts = splitCommand(step.command);
+        const [bin, ...args] = parts;
         if (!bin) {
             continue;
         }
@@ -115,8 +140,109 @@ export async function readGitExecutionArtifacts(repoRoot, timeoutMs, spawnImpl)
         ...(diffStats ? { diffStats } : {})
     };
 }
-function shouldUseWindowsShell(command) {
-    return process.platform === "win32" && !isAbsolute(command);
+function createSpawnPlan(command, args, cwd, preserveRawForInjectedSpawn) {
+    if (preserveRawForInjectedSpawn || process.platform !== "win32" || isAbsolute(command)) {
+        return { command, args };
+    }
+    const resolved = resolveWindowsCommand(command, cwd);
+    if (!resolved) {
+        return { command, args };
+    }
+    const extension = extname(resolved).toLowerCase();
+    if (extension === ".cmd" || extension === ".bat") {
+        return {
+            command: process.env.ComSpec || "cmd.exe",
+            args: ["/d", "/s", "/c", [quoteWindowsCmdArg(resolved), ...args.map(quoteWindowsCmdArg)].join(" ")]
+        };
+    }
+    return { command: resolved, args };
+}
+function resolveWindowsCommand(command, cwd) {
+    const hasPathSegment = command.includes("\\") || command.includes("/");
+    const baseCandidates = expandWindowsCommandCandidates(hasPathSegment ? resolve(cwd, command) : command);
+    if (hasPathSegment) {
+        return baseCandidates.find((candidate) => existsSync(candidate));
+    }
+    for (const directory of windowsPathDirectories()) {
+        for (const candidate of baseCandidates) {
+            const fullPath = join(directory, candidate);
+            if (existsSync(fullPath)) {
+                return fullPath;
+            }
+        }
+    }
+    return undefined;
+}
+function expandWindowsCommandCandidates(command) {
+    if (extname(command)) {
+        return [command];
+    }
+    const pathExt = process.env.PATHEXT ?? ".COM;.EXE;.BAT;.CMD";
+    return pathExt
+        .split(";")
+        .map((extension) => extension.trim())
+        .filter(Boolean)
+        .map((extension) => `${command}${extension.toLowerCase()}`);
+}
+function windowsPathDirectories() {
+    const rawPath = process.env.Path ?? process.env.PATH ?? "";
+    return rawPath
+        .split(delimiter)
+        .map((entry) => entry.trim().replace(/^"|"$/g, ""))
+        .filter(Boolean);
+}
+function quoteWindowsCmdArg(value) {
+    const normalized = value.replace(/\r?\n/gu, " ");
+    const escaped = normalized
+        .replace(/\^/gu, "^^")
+        .replace(/"/gu, '^"')
+        .replace(/%/gu, "%%")
+        .replace(/!/gu, "^^!")
+        .replace(/[&|<>()]/gu, (match) => `^${match}`);
+    return `"${escaped}"`;
+}
+export function splitCommand(command) {
+    const tokens = [];
+    let current = "";
+    let quote;
+    const trimmed = command.trim();
+    for (let index = 0; index < trimmed.length; index += 1) {
+        const char = trimmed[index];
+        const next = trimmed[index + 1];
+        if (char === undefined) {
+            continue;
+        }
+        if (char === "\\") {
+            const canEscape = quote !== "'" && (next === quote || next === "\\");
+            if (canEscape && next !== undefined) {
+                current += next;
+                index += 1;
+                continue;
+            }
+        }
+        if (char === '"' || char === "'") {
+            if (!quote) {
+                quote = char;
+                continue;
+            }
+            if (quote === char) {
+                quote = undefined;
+                continue;
+            }
+        }
+        if (!quote && /\s/u.test(char)) {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = "";
+            }
+            continue;
+        }
+        current += char;
+    }
+    if (current.length > 0) {
+        tokens.push(current);
+    }
+    return tokens;
 }
 function truncate(text, maxLength) {
     if (text.length <= maxLength) {

package/dist/vendor/adapters/index.d.ts

@@ -2,4 +2,5 @@ export { createDirectProviderAdapter, type DirectProviderAdapterOptions } from "
 export { createStubDirectProviderAdapter, type StubDirectProviderAdapterOptions } from "./stub-direct-provider.js";
 export { createStubAgentCliAdapter, type StubAgentCliAdapterOptions } from "./stub-agent-cli.js";
 export { createAgentCliAdapter, createClaudeCliAdapter, createCodexCliAdapter, type AgentCliAdapterOptions, type ClaudeCliAdapterOptions, type CodexCliAdapterOptions, type CliArgsBuilder } from "./claude-cli.js";
+export { createVerifierOnlyAdapter, type VerifierOnlyAdapterOptions } from "./verifier-only.js";
 export type { SpawnLike, SubprocessResult, VerificationOutcome } from "./cli-bridge.js";

package/dist/vendor/adapters/index.js

@@ -2,4 +2,5 @@ export { createDirectProviderAdapter } from "./direct-provider.js";
 export { createStubDirectProviderAdapter } from "./stub-direct-provider.js";
 export { createStubAgentCliAdapter } from "./stub-agent-cli.js";
 export { createAgentCliAdapter, createClaudeCliAdapter, createCodexCliAdapter } from "./claude-cli.js";
+export { createVerifierOnlyAdapter } from "./verifier-only.js";
 //# sourceMappingURL=index.js.map

package/dist/vendor/adapters/verifier-only.d.ts

@@ -0,0 +1,7 @@
+import type { MartinAdapter } from "../core/index.js";
+export interface VerifierOnlyAdapterOptions {
+    workingDirectory?: string;
+    verifyTimeoutMs?: number;
+    label?: string;
+}
+export declare function createVerifierOnlyAdapter(options?: VerifierOnlyAdapterOptions): MartinAdapter;

package/dist/vendor/adapters/verifier-only.js

@@ -0,0 +1,57 @@
+import { readGitExecutionArtifacts, runVerification } from "./cli-bridge.js";
+import { createAdapterCapabilities, normalizeUsage } from "./runtime-support.js";
+export function createVerifierOnlyAdapter(options = {}) {
+    const workingDirectory = options.workingDirectory ?? process.cwd();
+    const verifyTimeoutMs = options.verifyTimeoutMs ?? 60_000;
+    return {
+        adapterId: "direct:verifier:verify-only",
+        kind: "direct-provider",
+        label: options.label ?? "Verifier-only adapter",
+        metadata: {
+            providerId: "verifier",
+            model: "verify-only",
+            transport: "cli",
+            capabilities: createAdapterCapabilities({
+                usageSettlement: true,
+                diffArtifacts: true
+            })
+        },
+        async execute(request) {
+            const verification = await runVerification(request.context.verificationPlan, workingDirectory, verifyTimeoutMs, request.context.verificationStack);
+            const execution = await readGitExecutionArtifacts(workingDirectory, 5_000);
+            const changedFiles = execution.changedFiles ?? [];
+            if (verification.passed) {
+                return {
+                    status: "completed",
+                    summary: changedFiles.length > 0
+                        ? `Verifier-only run completed but modified files: ${changedFiles.join(", ")}`
+                        : "Verifier-only run completed without file edits.",
+                    usage: normalizeUsage({
+                        actualUsd: 0,
+                        tokensIn: 0,
+                        tokensOut: 0,
+                        provenance: "actual"
+                    }),
+                    verification,
+                    execution
+                };
+            }
+            return {
+                status: "failed",
+                summary: "Verifier-only run failed.",
+                usage: normalizeUsage({
+                    actualUsd: 0,
+                    tokensIn: 0,
+                    tokensOut: 0,
+                    provenance: "actual"
+                }),
+                verification,
+                execution,
+                failure: {
+                    message: verification.summary
+                }
+            };
+        }
+    };
+}
+//# sourceMappingURL=verifier-only.js.map

package/dist/vendor/contracts/index.d.ts

@@ -1,6 +1,6 @@
 export type LoopStatus = "queued" | "running" | "verifying" | "completed" | "failed" | "exited";
 export type LoopLifecycleState = "created" | "running" | "verifying" | "completed" | "budget_exit" | "diminishing_returns" | "stuck_exit" | "human_escalation";
-export type FailureClass = "logic_error" | "hallucination" | "syntax_error" | "type_error" | "test_regression" | "scope_creep" | "no_progress" | "repo_grounding_failure" | "verification_failure" | "environment_mismatch" | "budget_pressure";
+export type FailureClass = "logic_error" | "hallucination" | "syntax_error" | "type_error" | "test_regression" | "scope_creep" | "no_progress" | "repo_grounding_failure" | "verification_failure" | "environment_mismatch" | "budget_pressure" | "safety_leash_blocked";
 export type InterventionType = "compress_context" | "change_model" | "tighten_task" | "switch_adapter" | "run_verifier" | "escalate_human" | "stop_loop";
 export type LoopEventType = "run.started" | "attempt.started" | "attempt.completed" | "failure.classified" | "intervention.selected" | "verification.completed" | "budget.updated" | "run.completed";
 export interface LoopTask {
@@ -9,6 +9,7 @@ export interface LoopTask {
     repoRoot?: string;
     verificationPlan: string[];
     verificationStack?: VerificationStep[];
+    mutationMode?: MutationMode;
     executionProfile?: ExecutionProfile;
     allowedNetworkDomains?: string[];
     approvalPolicy?: ApprovalPolicy;
@@ -20,6 +21,7 @@ export interface LoopTask {
     acceptanceCriteria?: string[];
 }
 export type ExecutionProfile = "strict_local" | "ci_safe" | "staging_controlled" | "research_untrusted";
+export type MutationMode = "edit" | "verify_only";
 export interface ApprovalPolicy {
     dependencyAdds?: boolean;
     migrations?: boolean;

package/dist/vendor/core/compiler.d.ts

@@ -12,6 +12,7 @@ export interface CompilerAdapterRequest {
         objective: string;
         verificationPlan: string[];
         verificationStack?: LoopTask["verificationStack"];
+        mutationMode?: LoopTask["mutationMode"];
         repoRoot?: string;
         allowedPaths?: string[];
         deniedPaths?: string[];
@@ -29,6 +30,7 @@ export interface PromptPacket {
     contract: {
         objective: string;
         verificationPlan: string[];
+        mutationMode?: LoopTask["mutationMode"];
         allowedPaths?: string[];
         deniedPaths?: string[];
         acceptanceCriteria?: string[];

package/dist/vendor/core/compiler.js

@@ -8,10 +8,15 @@ export function compilePromptPacket(request) {
     const priorFailurePatterns = request.previousAttempts
         .filter((a) => a.failureClass && a.intervention)
         .map((a) => `${a.failureClass}:${a.intervention}`);
-    const guidanceParts = [
-        "Only modify files directly required to satisfy the contract.",
-        "Do not touch files outside the allowed paths."
-    ];
+    const guidanceParts = request.context.mutationMode === "verify_only"
+        ? [
+            "Do not modify files.",
+            "Run the verifier only and report whether it passed."
+        ]
+        : [
+            "Only modify files directly required to satisfy the contract.",
+            "Do not touch files outside the allowed paths."
+        ];
     if (request.context.allowedPaths && request.context.allowedPaths.length > 0) {
         guidanceParts.push(`Allowed paths: ${request.context.allowedPaths.join(", ")}.`);
     }
@@ -27,6 +32,7 @@ export function compilePromptPacket(request) {
         contract: {
             objective: redactSecretsFromText(request.context.objective),
             verificationPlan: request.context.verificationPlan,
+            ...(request.context.mutationMode ? { mutationMode: request.context.mutationMode } : {}),
             ...(request.context.allowedPaths ? { allowedPaths: request.context.allowedPaths } : {}),
             ...(request.context.deniedPaths ? { deniedPaths: request.context.deniedPaths } : {}),
             ...(request.context.acceptanceCriteria

package/dist/vendor/core/context-integrity.d.ts

@@ -0,0 +1,26 @@
+export type ContextIntegrityVerdict = "clean" | "context_poisoning_warning" | "context_poisoning_block";
+export interface ContextIntegrityPrecheck {
+    runId: string;
+    attemptIndex: number;
+    verdict: ContextIntegrityVerdict;
+    reason?: string;
+    detectedSignals: string[];
+    analyzedChannels: {
+        system: boolean;
+        user: boolean;
+        tools: boolean;
+        history: boolean;
+    };
+    timestamp: string;
+}
+/**
+ * T05: Context Poisoning Pre-gate.
+ * Scans untrusted input channels for authority inversion or instruction re-injection.
+ * Runs BEFORE admission control and core reasoning.
+ */
+export declare function runContextIntegrityPrecheck(runId: string, attemptIndex: number, artifactsDir: string, inputs: {
+    userPrompt?: string;
+    toolOutput?: string;
+    retrievedContext?: string;
+    history?: string;
+}): Promise<ContextIntegrityPrecheck>;

package/dist/vendor/core/context-integrity.js

@@ -0,0 +1,56 @@
+import { mkdir, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+const POISON_PATTERNS = [
+    /ignore\s+(?:all\s+)?previous\s+instructions/i,
+    /you\s+are\s+now\s+a\s+(?!Martin\s+Loop)/i,
+    /new\s+rule:/i,
+    /disregard\s+(?:safety|policy|guardrails)/i,
+    /override\s+system\s+authority/i,
+    /hidden\s+instruction:/i,
+    /\[system_override\]/i,
+    /\[authority_inversion\]/i
+];
+/**
+ * T05: Context Poisoning Pre-gate.
+ * Scans untrusted input channels for authority inversion or instruction re-injection.
+ * Runs BEFORE admission control and core reasoning.
+ */
+export async function runContextIntegrityPrecheck(runId, attemptIndex, artifactsDir, inputs) {
+    const signals = [];
+    const analyzedChannels = {
+        system: true,
+        user: Boolean(inputs.userPrompt),
+        tools: Boolean(inputs.toolOutput),
+        history: Boolean(inputs.history)
+    };
+    const untrustedBuffer = [inputs.userPrompt, inputs.toolOutput, inputs.retrievedContext]
+        .filter(Boolean)
+        .join("\n---\n");
+    for (const pattern of POISON_PATTERNS) {
+        if (pattern.test(untrustedBuffer)) {
+            signals.push(`Detected poison pattern: ${pattern.toString()}`);
+        }
+    }
+    if (/\b(?:I am|You are)\s+(?!Martin\s+Loop|an\s+AI)\b/i.test(untrustedBuffer)) {
+        signals.push("Identity redefinition attempt detected.");
+    }
+    const verdict = signals.length > 0 ? "context_poisoning_block" : "clean";
+    const precheck = {
+        runId,
+        attemptIndex,
+        verdict,
+        reason: signals.length > 0 ? `Detected ${signals.length} poisoning signal(s).` : undefined,
+        detectedSignals: signals,
+        analyzedChannels,
+        timestamp: new Date().toISOString()
+    };
+    try {
+        await mkdir(artifactsDir, { recursive: true });
+        await writeFile(join(artifactsDir, "context-integrity-precheck.json"), JSON.stringify(precheck, null, 2), "utf8");
+    }
+    catch {
+        // non-fatal — artifact persistence is best-effort
+    }
+    return precheck;
+}
+//# sourceMappingURL=context-integrity.js.map

package/dist/vendor/core/index.d.ts

@@ -1,18 +1,20 @@
-import { type ApprovalPolicy, type CostProvenance, type ExecutionProfile, type FailureClass, type InterventionType, type LoopArtifact, type LoopAttempt, type LoopBudget, type LoopRecord, type LoopTask } from "../contracts/index.js";
+import { type ApprovalPolicy, type CostProvenance, type ExecutionProfile, type FailureClass, type InterventionType, type LoopArtifact, type LoopAttempt, type LoopBudget, type MutationMode, type LoopRecord, type LoopTask } from "../contracts/index.js";
 import { classifyFailure, computeEvidenceVector, evaluatePatchDecision, evaluateCostGovernor, evaluateBudgetPreflight, inferExit, nextPolicyPhase, policyPhaseToLifecycleState, scorePatchDecision, selectRecoveryRecipe, type ExitDecision } from "./policy.js";
 import { evaluateChangeApprovalLeash, evaluateFilesystemLeash, evaluateSecretLeash, redactSecretsFromText, resolveExecutionProfile, evaluateVerificationLeash } from "./leash.js";
 import { buildRepoGroundingIndex, loadOrBuildRepoGroundingIndex, queryRepoGroundingIndex, scanPatchForGroundingViolations } from "./grounding.js";
 import { captureRollbackBoundary, restoreRollbackBoundary } from "./rollback.js";
 import { type RunStore } from "./persistence/index.js";
-export type { ApprovalPolicy, BudgetPreflightEstimate, BudgetSettlement, CostProvenance, EvidenceVector, ExecutionProfile, FailureClass, InterventionType, PatchDecision, PatchDecisionArtifact, PatchDecisionReasonCode, PatchScore, RollbackBoundaryArtifact, RollbackBoundaryStrategy, RollbackFileSnapshot, RollbackOutcomeArtifact, RollbackOutcomeStatus, PolicyPhase } from "../contracts/index.js";
+export type { ApprovalPolicy, BudgetPreflightEstimate, BudgetSettlement, CostProvenance, EvidenceVector, ExecutionProfile, FailureClass, InterventionType, PatchDecision, PatchDecisionArtifact, PatchDecisionReasonCode, PatchScore, MutationMode, RollbackBoundaryArtifact, RollbackBoundaryStrategy, RollbackFileSnapshot, RollbackOutcomeArtifact, RollbackOutcomeStatus, PolicyPhase } from "../contracts/index.js";
 export { classifyFailure, computeEvidenceVector, evaluatePatchDecision, evaluateCostGovernor, evaluateBudgetPreflight, inferExit, nextPolicyPhase, policyPhaseToLifecycleState, scorePatchDecision, selectRecoveryRecipe, evaluateVerificationLeash, evaluateFilesystemLeash, evaluateChangeApprovalLeash, evaluateSecretLeash, resolveExecutionProfile, redactSecretsFromText, buildRepoGroundingIndex, loadOrBuildRepoGroundingIndex, queryRepoGroundingIndex, scanPatchForGroundingViolations, captureRollbackBoundary, restoreRollbackBoundary };
 export type { BudgetPreflightDecision, BudgetPreflightInput, CostGovernorState, EvidenceVectorInput, EvaluatedPatchDecision, ExitDecision, FailureAssessment, PatchDecisionInput, RecoveryDecision, RecoveryRecipe } from "./policy.js";
 export type { ResolvedExecutionProfile, SafetyLeashDecision, SafetyViolation } from "./leash.js";
 export type { GroundingScanResult, GroundingViolation, GroundingViolationKind, RepoGroundingHit, RepoGroundingIndex } from "./grounding.js";
+export { runContextIntegrityPrecheck } from "./context-integrity.js";
+export type { ContextIntegrityPrecheck, ContextIntegrityVerdict } from "./context-integrity.js";
 export { compilePromptPacket } from "./compiler.js";
 export type { PromptPacket, CompilerAdapterRequest } from "./compiler.js";
-export { createFileRunStore, makeLedgerEvent, resolveRunsRoot } from "./persistence/index.js";
-export type { AttemptArtifacts, LedgerEvent, LedgerEventKind, RunContract, RunStore } from "./persistence/index.js";
+export { createFileRunStore, makeLedgerEvent, readAllLoopRecords, readLatestLoopRecord, readLatestLoopRecordFromFile, readLoopRecordsFromFile, resolveRunsRoot } from "./persistence/index.js";
+export type { AttemptArtifacts, LedgerEvent, LedgerEventKind, LoopAttemptRecord, LoopRunRecord, RunContract, RunStore } from "./persistence/index.js";
 export { compileAndPersistContext } from "./persistence/index.js";
 export type { CompileResult } from "./persistence/index.js";
 export interface MartinAdapterRequest {
@@ -23,6 +25,7 @@ export interface MartinAdapterRequest {
         objective: string;
         verificationPlan: string[];
         verificationStack?: LoopTask["verificationStack"];
+        mutationMode?: MutationMode;
         /** Absolute path to the repository root. */
         repoRoot?: string;
         /** Glob patterns for files the agent may modify. Empty = no restriction. */