@martinloop/mcp 0.2.0 → 0.2.7

package/dist/vendor/core/red-blue/red-phase.js

@@ -0,0 +1,135 @@
+import { PROBE_COUNTS, RED_PHASE_MODEL, resolveRedBudgetPolicy } from "./risk-tiers.js";
+// ─── Programmatic probes ──────────────────────────────────────────────────────
+function runProgrammaticProbes(patch, paranoid) {
+    const findings = [];
+    // Probe 1: assertion deletion
+    if (/^\-.*(?:expect\(.*\)\.to|assert\.(?:equal|is|ok|strictEqual)|t\.(?:is|truthy|falsy|deepEqual))/m.test(patch.diff)) {
+        findings.push({
+            trapId: "T01",
+            severity: "warn",
+            description: "Patch removes test assertions — possible weak-test false green."
+        });
+    }
+    // Probe 2: grounding evasion pragma
+    if (/@martin-ignore|@ts-nocheck|eslint-disable/i.test(patch.diff)) {
+        findings.push({
+            trapId: "T11",
+            severity: "block",
+            description: "Grounding evasion pragma detected in patch."
+        });
+    }
+    // Probe 3: context poisoning
+    if (/\.martin\/|\.claude\//.test(patch.diff)) {
+        findings.push({
+            trapId: "T07",
+            severity: "block",
+            description: "Patch writes to agent context directory (.martin/ or .claude/)."
+        });
+    }
+    // Probe 4: budget self-report
+    if (/budgetSource.*model_reported|model_reported.*budget/i.test(patch.diff)) {
+        findings.push({
+            trapId: "T10",
+            severity: "block",
+            description: "Patch introduces model-reported budget sourcing."
+        });
+    }
+    if (paranoid) {
+        // Probe 5: scope creep — manifest changes
+        if (/^\+.*"[^"]+"\s*:\s*"[^"]+".*$/m.test(patch.diff) &&
+            /package\.json|Cargo\.toml|go\.mod/i.test(patch.changedFiles.join(","))) {
+            findings.push({
+                trapId: "T03",
+                severity: "warn",
+                description: "Paranoid scan: substantive manifest change detected."
+            });
+        }
+        // Probe 6: silent revert — removal of recently added symbols
+        const removedExportPattern = /^\-.*export\s+(function|const|class)\s+\w+/m;
+        if (removedExportPattern.test(patch.diff)) {
+            findings.push({
+                trapId: "T02",
+                severity: "warn",
+                description: "Paranoid scan: exported symbol removed — potential silent revert."
+            });
+        }
+    }
+    return findings;
+}
+// ─── Red phase runner ─────────────────────────────────────────────────────────
+/**
+ * Runs the Red phase for a given patch and risk tier.
+ *
+ * - baseline: programmatic probes only, no model call
+ * - high_risk: paranoid programmatic scan, no model call
+ * - release_critical: paranoid scan + one Haiku model call
+ */
+export async function runRedPhase(patch, tier, blueBudgetUsd, options = {}) {
+    const policy = resolveRedBudgetPolicy(tier, blueBudgetUsd);
+    const paranoid = tier !== "baseline";
+    let findings = runProgrammaticProbes(patch, paranoid);
+    let modelCallMade = false;
+    let modelUsed;
+    let budgetUsedUsd = 0;
+    const probesRun = PROBE_COUNTS[tier];
+    if (policy.modelCallAllowed && options.modelClient) {
+        const prompt = buildRedPhasePrompt(patch, findings);
+        const result = await options.modelClient.complete(prompt);
+        findings = [...findings, ...result.findings];
+        modelCallMade = true;
+        modelUsed = RED_PHASE_MODEL;
+        budgetUsedUsd += result.costUsd;
+    }
+    const result = {
+        riskTier: tier,
+        probesRun,
+        findingsCount: findings.length,
+        findings,
+        modelCallMade,
+        ...(modelUsed !== undefined ? { modelUsed } : {}),
+        budgetUsedUsd
+    };
+    options.onLedgerEvent?.({
+        type: "red_phase_findings",
+        riskTier: tier,
+        probesRun,
+        findingsCount: findings.length,
+        modelCallMade,
+        timestamp: new Date().toISOString()
+    });
+    return result;
+}
+// ─── Policy helpers ───────────────────────────────────────────────────────────
+/**
+ * Returns true only if the findings contain zero block-severity entries.
+ * A single block finding rejects the patch regardless of warn count.
+ */
+export function shouldAcceptPatch(findings) {
+    return !findings.findings.some((f) => f.severity === "block");
+}
+/**
+ * Convenience builder for RedFindings — useful in tests and policy engine.
+ */
+export function buildRedFindings(input) {
+    return {
+        riskTier: input.riskTier,
+        probesRun: input.probesRun ?? PROBE_COUNTS[input.riskTier],
+        findingsCount: input.findings.length,
+        findings: input.findings,
+        modelCallMade: input.modelCallMade ?? false,
+        ...(input.modelUsed !== undefined ? { modelUsed: input.modelUsed } : {}),
+        budgetUsedUsd: input.budgetUsedUsd ?? 0
+    };
+}
+// ─── Internal helpers ─────────────────────────────────────────────────────────
+function buildRedPhasePrompt(patch, existingFindings) {
+    return [
+        "You are a security-focused code reviewer running adversarial analysis.",
+        "Analyze this patch for adversarial patterns not caught by programmatic probes.",
+        "Return JSON array of findings with: trapId, severity (warn|block), description.",
+        `Already detected: ${JSON.stringify(existingFindings.map(f => f.trapId))}`,
+        `Changed files: ${patch.changedFiles.join(", ")}`,
+        "Diff (truncated to 2000 chars):",
+        patch.diff.slice(0, 2000)
+    ].join("\n");
+}

package/dist/vendor/core/red-blue/risk-tiers.d.ts

@@ -0,0 +1,22 @@
+export type RiskTier = "baseline" | "high_risk" | "release_critical";
+export interface RedBudgetPolicy {
+    riskTier: RiskTier;
+    blueBudgetUsd: number;
+    /** Cap on Red phase spend: 30% / 100% / 150% of Blue */
+    redBudgetCapUsd: number;
+    /** Only release_critical permits a Haiku model call */
+    modelCallAllowed: boolean;
+}
+/**
+ * Returns the Red phase budget policy for a given risk tier and Blue budget.
+ */
+export declare function resolveRedBudgetPolicy(tier: RiskTier, blueBudgetUsd: number): RedBudgetPolicy;
+/**
+ * Probe counts per tier.
+ * baseline = standard 6-probe sweep
+ * high_risk = paranoid 12-probe sweep
+ * release_critical = paranoid 12-probe sweep + model
+ */
+export declare const PROBE_COUNTS: Record<RiskTier, number>;
+/** The only model ever permitted in the Red phase. */
+export declare const RED_PHASE_MODEL: "claude-haiku-4-5-20251001";

package/dist/vendor/core/red-blue/risk-tiers.js

@@ -0,0 +1,32 @@
+// ─── Risk Tier Definitions ────────────────────────────────────────────────────
+// Governs how aggressively Red phase probes a patch and whether a model call
+// is permitted. Budget caps are expressed as fractions of the Blue phase budget.
+const BUDGET_MULTIPLIERS = {
+    baseline: 0.30,
+    high_risk: 1.00,
+    release_critical: 1.50
+};
+/**
+ * Returns the Red phase budget policy for a given risk tier and Blue budget.
+ */
+export function resolveRedBudgetPolicy(tier, blueBudgetUsd) {
+    return {
+        riskTier: tier,
+        blueBudgetUsd,
+        redBudgetCapUsd: blueBudgetUsd * BUDGET_MULTIPLIERS[tier],
+        modelCallAllowed: tier === "release_critical"
+    };
+}
+/**
+ * Probe counts per tier.
+ * baseline = standard 6-probe sweep
+ * high_risk = paranoid 12-probe sweep
+ * release_critical = paranoid 12-probe sweep + model
+ */
+export const PROBE_COUNTS = {
+    baseline: 6,
+    high_risk: 12,
+    release_critical: 12
+};
+/** The only model ever permitted in the Red phase. */
+export const RED_PHASE_MODEL = "claude-haiku-4-5-20251001";

package/dist/vendor/core/rollback.js

@@ -114,8 +114,8 @@ export async function restoreRollbackBoundary(input) {
 }
 function readRepoState(repoRoot) {
     return {
-        trackedDirtyFiles: readGitLines(repoRoot, ["diff", "--name-only", "HEAD"]),
-        untrackedFiles: readGitLines(repoRoot, ["ls-files", "--others", "--exclude-standard"])
+        trackedDirtyFiles: readGitLines(repoRoot, ["diff", "--name-only", "HEAD", "--", "."]),
+        untrackedFiles: readGitLines(repoRoot, ["ls-files", "--others", "--exclude-standard", "--", "."])
     };
 }
 function readGitLines(repoRoot, args) {
@@ -216,4 +216,3 @@ function emptyRepoState() {
 function toErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
-//# sourceMappingURL=rollback.js.map

package/dist/workflow-state.d.ts

@@ -0,0 +1,25 @@
+type McpWorkflowStepName = "doctor" | "plan" | "preflight";
+export interface RecordMcpWorkflowStepInput {
+    runsRoot: string;
+    step: McpWorkflowStepName;
+    workingDirectory: string;
+    objective?: string;
+    engine?: string;
+    verificationPlan?: string[];
+}
+export interface EvaluateMcpRunGateInput {
+    runsRoot: string;
+    workingDirectory: string;
+    objective: string;
+    engine?: string;
+    verificationPlan?: string[];
+}
+export interface McpRunGateResult {
+    allowed: boolean;
+    nextAction: string;
+    summary: string;
+    missingSteps: McpWorkflowStepName[];
+}
+export declare function recordMcpWorkflowStep(input: RecordMcpWorkflowStepInput): Promise<void>;
+export declare function evaluateMcpRunGate(input: EvaluateMcpRunGateInput): Promise<McpRunGateResult>;
+export {};

package/dist/workflow-state.js

@@ -0,0 +1,102 @@
+import { createHash } from "node:crypto";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { join, resolve } from "node:path";
+const WORKFLOW_STATE_DIRECTORY = "_martin";
+const WORKFLOW_STATE_FILENAME = "workflow-state.json";
+const DOCTOR_TTL_MS = 24 * 60 * 60 * 1000;
+const PLAN_TTL_MS = 24 * 60 * 60 * 1000;
+const PREFLIGHT_TTL_MS = 6 * 60 * 60 * 1000;
+export async function recordMcpWorkflowStep(input) {
+    const state = await readWorkflowState(input.runsRoot);
+    state.mcp ??= {};
+    state.mcp[input.step] = {
+        step: input.step,
+        recordedAt: new Date().toISOString(),
+        workingDirectory: normalizeWorkingDirectory(input.workingDirectory),
+        ...(input.objective ? { objectiveKey: normalizeObjective(input.objective) } : {}),
+        ...(input.engine ? { engine: input.engine } : {}),
+        ...(input.verificationPlan ? { verificationPlanKey: hashVerificationPlan(input.verificationPlan) } : {})
+    };
+    await writeWorkflowState(input.runsRoot, state);
+}
+export async function evaluateMcpRunGate(input) {
+    const state = await readWorkflowState(input.runsRoot);
+    const mcpState = state.mcp ?? {};
+    const workingDirectory = normalizeWorkingDirectory(input.workingDirectory);
+    const objectiveKey = normalizeObjective(input.objective);
+    const engine = input.engine ?? "claude";
+    const verificationPlanKey = hashVerificationPlan(input.verificationPlan ?? []);
+    const missingSteps = [];
+    if (!isFresh(mcpState["doctor"], DOCTOR_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory)) {
+        missingSteps.push("doctor");
+    }
+    if (!isFresh(mcpState["plan"], PLAN_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory &&
+        receipt.objectiveKey === objectiveKey)) {
+        missingSteps.push("plan");
+    }
+    if (!isFresh(mcpState["preflight"], PREFLIGHT_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory &&
+        receipt.objectiveKey === objectiveKey &&
+        receipt.engine === engine &&
+        receipt.verificationPlanKey === verificationPlanKey)) {
+        missingSteps.push("preflight");
+    }
+    if (missingSteps.length === 0) {
+        return {
+            allowed: true,
+            nextAction: "martin_run",
+            summary: "Martin MCP governance receipts are present for this task.",
+            missingSteps
+        };
+    }
+    const nextAction = missingSteps[0] === "doctor"
+        ? "Call martin_doctor for this workingDirectory before any real run."
+        : missingSteps[0] === "plan"
+            ? "Call martin_plan with the exact objective before martin_run."
+            : "Call martin_preflight with the exact objective, verifier plan, and engine before martin_run.";
+    return {
+        allowed: false,
+        nextAction,
+        summary: `martin_run is blocked until Martin MCP receipts exist for ${missingSteps.join(", ")}.`,
+        missingSteps
+    };
+}
+async function readWorkflowState(runsRoot) {
+    const statePath = resolveWorkflowStatePath(runsRoot);
+    try {
+        const raw = await readFile(statePath, "utf8");
+        const parsed = JSON.parse(raw);
+        return parsed.version === 1 ? parsed : { version: 1 };
+    }
+    catch {
+        return { version: 1 };
+    }
+}
+async function writeWorkflowState(runsRoot, state) {
+    const statePath = resolveWorkflowStatePath(runsRoot);
+    await mkdir(join(resolve(runsRoot), WORKFLOW_STATE_DIRECTORY), { recursive: true });
+    await writeFile(statePath, JSON.stringify(state, null, 2), "utf8");
+}
+function resolveWorkflowStatePath(runsRoot) {
+    return join(resolve(runsRoot), WORKFLOW_STATE_DIRECTORY, WORKFLOW_STATE_FILENAME);
+}
+function isFresh(receipt, ttlMs, predicate) {
+    if (!receipt || !predicate(receipt)) {
+        return false;
+    }
+    const recordedAt = Date.parse(receipt.recordedAt);
+    if (Number.isNaN(recordedAt)) {
+        return false;
+    }
+    return Date.now() - recordedAt <= ttlMs;
+}
+function normalizeWorkingDirectory(workingDirectory) {
+    const resolved = resolve(workingDirectory);
+    return process.platform === "win32" ? resolved.toLowerCase() : resolved;
+}
+function normalizeObjective(objective) {
+    return objective.trim().replace(/\s+/gu, " ").toLowerCase();
+}
+function hashVerificationPlan(verificationPlan) {
+    const normalized = verificationPlan.map((step) => step.trim()).filter(Boolean);
+    return createHash("sha256").update(JSON.stringify(normalized)).digest("hex").slice(0, 12);
+}

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@martinloop/mcp",
-  "version": "0.2.0",
+  "version": "0.2.7",
   "mcpName": "io.github.Keesan12/martin-loop",
   "private": false,
   "type": "module",
   "description": "Governed MCP server for AI coding agents with budgets, verifier gates, and inspectable runs.",
   "license": "Apache-2.0",
-  "author": "Vakeesan Mahalingam and Gobi Shanthan",
+  "author": "MartinLoop contributors",
   "homepage": "https://martinloop.com/",
   "repository": {
     "type": "git",
@@ -24,9 +24,10 @@
     "claude",
     "codex",
     "martin_doctor",
-    "martin_preflight",
-    "martin_list_runs",
-    "martin_run_dossier"
+    "martin_triage_runs",
+    "martin_run_dossier",
+    "mcp-resources",
+    "mcp-prompts"
   ],
   "bin": {
     "mcp": "./dist/server.js",
@@ -56,15 +57,19 @@
     "verify:release": "node --test ../../scripts/tests/publish-mcp-workflow.test.mjs ../../scripts/tests/mcp-publish-reliability.test.mjs ../../scripts/tests/mcp-release-docs.test.mjs",
     "test": "vitest run",
     "lint": "tsc -p tsconfig.json --noEmit",
-    "start": "node dist/server.js"
+    "start": "node dist/server.js",
+    "inspect:live": "node ./scripts/inspect-live.mjs"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@open-policy-agent/opa-wasm": "^1.10.0",
     "@opentelemetry/api-logs": "^0.214.0",
     "@opentelemetry/exporter-logs-otlp-http": "^0.214.0",
     "@opentelemetry/resources": "^2.6.1",
     "@opentelemetry/sdk-logs": "^0.214.0",
     "ts-morph": "^21.0.0"
+  },
+  "devDependencies": {
+    "@martin/contracts": "workspace:*"
   }
 }

package/server.json

@@ -7,12 +7,12 @@
     "url": "https://github.com/Keesan12/martin-loop",
     "source": "github"
   },
-  "version": "0.2.0",
+  "version": "0.2.7",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@martinloop/mcp",
-      "version": "0.2.0",
+      "version": "0.2.7",
       "transport": {
         "type": "stdio"
       }

package/dist/tools/cockpit-support.d.ts

@@ -1,69 +0,0 @@
-import { type LoopRunRecord } from "../vendor/core/index.js";
-export interface RunSelectorInput {
-    loopId?: string;
-    runsDir?: string;
-    latest?: boolean;
-}
-export interface RunSummary {
-    loopId: string;
-    title: string;
-    objective: string;
-    status: string;
-    lifecycleState: string;
-    createdAt: string;
-    updatedAt: string;
-    attempts: number;
-    costUsd: number;
-    avoidedUsd: number;
-    pressure: string;
-    shouldStop: boolean;
-    verificationCount: number;
-}
-export interface VerificationResultSummary {
-    eventId?: string;
-    timestamp?: string;
-    lifecycleState?: string;
-    passed?: boolean;
-    summary?: string;
-}
-export declare function summarizeRun(loop: LoopRunRecord): RunSummary;
-export declare function listRunSummaries(input?: {
-    runsDir?: string;
-    limit?: number;
-}): Promise<RunSummary[]>;
-export declare function loadSelectedRun(input: RunSelectorInput): Promise<LoopRunRecord>;
-export declare function extractVerificationResults(loop: LoopRunRecord): VerificationResultSummary[];
-export declare function getAttempt(loop: LoopRunRecord, attemptIndex: number): import("../vendor/core/index.js").LoopAttemptRecord;
-export declare function buildRunDossier(loop: LoopRunRecord): {
-    loopId: string;
-    generatedAt: string;
-    sections: ({
-        kind: string;
-        content: {
-            title: string;
-            objective: string;
-        };
-    } | {
-        kind: string;
-        content: {
-            budget: {
-                maxUsd: number;
-                softLimitUsd: number;
-                maxIterations: number;
-                maxTokens: number;
-            };
-            cost: {
-                actualUsd: number;
-                tokensIn: number;
-                tokensOut: number;
-                avoidedUsd?: number;
-            };
-        };
-    } | {
-        kind: string;
-        content: import("../vendor/core/index.js").LoopAttemptRecord[];
-    } | {
-        kind: string;
-        content: VerificationResultSummary[];
-    })[];
-};

package/dist/tools/cockpit-support.js

@@ -1,108 +0,0 @@
-import { evaluateCostGovernor } from "../vendor/core/index.js";
-import { loadLoopRecordForStatus, loadLoopRecordsForInspect } from "./run-store.js";
-export function summarizeRun(loop) {
-    const costState = evaluateCostGovernor({
-        budget: loop.budget,
-        cost: {
-            actualUsd: loop.cost.actualUsd,
-            avoidedUsd: loop.cost.avoidedUsd ?? 0,
-            tokensIn: loop.cost.tokensIn,
-            tokensOut: loop.cost.tokensOut
-        },
-        attemptsUsed: loop.attempts.length
-    });
-    return {
-        loopId: loop.loopId,
-        title: loop.task.title,
-        objective: loop.task.objective,
-        status: loop.status,
-        lifecycleState: loop.lifecycleState,
-        createdAt: loop.createdAt,
-        updatedAt: loop.updatedAt,
-        attempts: loop.attempts.length,
-        costUsd: loop.cost.actualUsd,
-        avoidedUsd: loop.cost.avoidedUsd ?? 0,
-        pressure: costState.pressure,
-        shouldStop: costState.shouldStop,
-        verificationCount: extractVerificationResults(loop).length
-    };
-}
-export async function listRunSummaries(input = {}) {
-    const inspection = await loadLoopRecordsForInspect({ runsDir: input.runsDir });
-    const summaries = inspection.loops.map((loop) => summarizeRun(loop));
-    summaries.sort((left, right) => {
-        const leftTime = Date.parse(left.updatedAt ?? left.createdAt);
-        const rightTime = Date.parse(right.updatedAt ?? right.createdAt);
-        return (Number.isFinite(rightTime) ? rightTime : 0) - (Number.isFinite(leftTime) ? leftTime : 0);
-    });
-    return summaries.slice(0, input.limit ?? 20);
-}
-export async function loadSelectedRun(input) {
-    const selectors = [input.loopId ? "loopId" : null, input.latest ? "latest" : null].filter(Boolean);
-    if (selectors.length !== 1) {
-        throw new Error("Provide exactly one of loopId or latest.");
-    }
-    const source = await loadLoopRecordForStatus({
-        ...(input.loopId ? { loopId: input.loopId } : {}),
-        ...(input.latest ? { latest: true } : {}),
-        ...(input.runsDir ? { runsDir: input.runsDir } : {})
-    });
-    return source.loop;
-}
-export function extractVerificationResults(loop) {
-    const events = "events" in loop && Array.isArray(loop.events) ? loop.events : [];
-    return events
-        .filter((event) => event?.type === "verification.completed")
-        .map((event) => {
-        const payload = isRecord(event.payload) ? event.payload : {};
-        return {
-            ...(typeof event.eventId === "string" ? { eventId: event.eventId } : {}),
-            ...(typeof event.timestamp === "string" ? { timestamp: event.timestamp } : {}),
-            ...(typeof event.lifecycleState === "string" ? { lifecycleState: event.lifecycleState } : {}),
-            ...(typeof payload.passed === "boolean" ? { passed: payload.passed } : {}),
-            ...(typeof payload.summary === "string" ? { summary: payload.summary } : {})
-        };
-    });
-}
-export function getAttempt(loop, attemptIndex) {
-    const attempt = loop.attempts.find((candidate) => candidate.index === attemptIndex);
-    if (!attempt) {
-        throw new Error("Attempt not found.");
-    }
-    return attempt;
-}
-export function buildRunDossier(loop) {
-    return {
-        loopId: loop.loopId,
-        generatedAt: new Date().toISOString(),
-        sections: [
-            {
-                kind: "summary",
-                content: summarizeRun(loop)
-            },
-            {
-                kind: "task",
-                content: loop.task
-            },
-            {
-                kind: "budget",
-                content: {
-                    budget: loop.budget,
-                    cost: loop.cost
-                }
-            },
-            {
-                kind: "attempts",
-                content: loop.attempts
-            },
-            {
-                kind: "verification",
-                content: extractVerificationResults(loop)
-            }
-        ]
-    };
-}
-function isRecord(value) {
-    return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-//# sourceMappingURL=cockpit-support.js.map