@martinloop/mcp 0.3.0 → 0.3.2

package/dist/vendor/adapters/openai-compatible.js

@@ -144,7 +144,11 @@ export function createOpenAiCompatibleAdapter(options) {
         async execute(request) {
             const prompt = buildPrompt(request);
             const estimated = estimateCost(model, prompt.length, 2000);
-            const baselineChangedFiles = new Set(await readGitChangedFiles(workingDirectory, 5_000));
+            const hasVerificationSteps = request.context.verificationPlan.length > 0 ||
+                (request.context.verificationStack?.length ?? 0) > 0;
+            const baselineChangedFiles = hasVerificationSteps
+                ? new Set(await readGitChangedFiles(workingDirectory, 5_000))
+                : new Set();
             // Preflight: bail if projected cost exceeds remaining budget
             if (request.context.remainingBudgetUsd > 0 &&
                 estimated.actualUsd > request.context.remainingBudgetUsd * 0.95) {
@@ -238,7 +242,9 @@ export function createOpenAiCompatibleAdapter(options) {
             // Run verification
             const verification = await runVerification(request.context.verificationPlan, workingDirectory, verifyTimeoutMs, request.context.verificationStack);
             const execution = {
-                changedFiles: (await readGitChangedFiles(workingDirectory, 5_000)).filter((file) => !baselineChangedFiles.has(file))
+                changedFiles: hasVerificationSteps
+                    ? (await readGitChangedFiles(workingDirectory, 5_000)).filter((file) => !baselineChangedFiles.has(file))
+                    : []
             };
             const pricing = KNOWN_MODEL_PRICING[model] ?? {
                 inputPer1K: FALLBACK_INPUT_PER_1K,

package/dist/vendor/adapters/runtime-support.js

@@ -5,6 +5,7 @@ export function createAdapterCapabilities(overrides = {}) {
         diffArtifacts: false,
         structuredErrors: false,
         cachingSignals: false,
+        workspaceMutations: true,
         ...overrides
     };
 }

package/dist/vendor/adapters/stub-direct-provider.js

@@ -4,6 +4,9 @@ export function createStubDirectProviderAdapter(options) {
         providerId: options.providerId,
         model: options.model,
         label: options.label ?? `Stub direct provider (${options.providerId}/${options.model})`,
+        capabilities: {
+            workspaceMutations: false
+        },
         responder: options.responder
     });
 }

package/dist/vendor/adapters/verifier-only.d.ts

@@ -1,7 +1,9 @@
 import type { MartinAdapter } from "../core/index.js";
+import { type SpawnLike } from "./cli-bridge.js";
 export interface VerifierOnlyAdapterOptions {
     workingDirectory?: string;
     verifyTimeoutMs?: number;
     label?: string;
+    spawnImpl?: SpawnLike;
 }
 export declare function createVerifierOnlyAdapter(options?: VerifierOnlyAdapterOptions): MartinAdapter;

package/dist/vendor/adapters/verifier-only.js

@@ -17,9 +17,15 @@ export function createVerifierOnlyAdapter(options = {}) {
             })
         },
         async execute(request) {
-            const baselineChangedFiles = new Set(await readGitChangedFiles(workingDirectory, 5_000));
-            const verification = await runVerification(request.context.verificationPlan, workingDirectory, verifyTimeoutMs, request.context.verificationStack);
-            const changedFiles = (await readGitChangedFiles(workingDirectory, 5_000)).filter((file) => !baselineChangedFiles.has(file));
+            const shouldTrackVerifierWrites = request.context.verificationPlan.length > 0 ||
+                (request.context.verificationStack?.length ?? 0) > 0;
+            const baselineChangedFiles = shouldTrackVerifierWrites
+                ? new Set(await readGitChangedFiles(workingDirectory, 5_000))
+                : new Set();
+            const verification = await runVerification(request.context.verificationPlan, workingDirectory, verifyTimeoutMs, request.context.verificationStack, options.spawnImpl);
+            const changedFiles = shouldTrackVerifierWrites
+                ? (await readGitChangedFiles(workingDirectory, 5_000)).filter((file) => !baselineChangedFiles.has(file))
+                : [];
             const execution = { changedFiles };
             if (verification.passed) {
                 return {

package/dist/vendor/contracts/index.d.ts

@@ -1,6 +1,7 @@
 export type LoopStatus = "queued" | "running" | "verifying" | "completed" | "failed" | "exited";
 export type LoopLifecycleState = "created" | "running" | "verifying" | "completed" | "budget_exit" | "diminishing_returns" | "stuck_exit" | "human_escalation";
-export type FailureClass = "logic_error" | "hallucination" | "syntax_error" | "type_error" | "test_regression" | "scope_creep" | "no_progress" | "repo_grounding_failure" | "verification_failure" | "environment_mismatch" | "budget_pressure" | "safety_leash_blocked";
+export declare const FAILURE_CLASSES: readonly ["logic_error", "hallucination", "syntax_error", "type_error", "test_regression", "scope_creep", "no_progress", "repo_grounding_failure", "verification_failure", "environment_mismatch", "budget_pressure", "safety_leash_blocked"];
+export type FailureClass = (typeof FAILURE_CLASSES)[number];
 export type InterventionType = "compress_context" | "change_model" | "tighten_task" | "switch_adapter" | "run_verifier" | "escalate_human" | "stop_loop";
 export type LoopEventType = "run.started" | "attempt.started" | "attempt.completed" | "failure.classified" | "intervention.selected" | "verification.completed" | "budget.updated" | "run.completed";
 export interface LoopTask {

package/dist/vendor/contracts/index.js

@@ -1,3 +1,17 @@
+export const FAILURE_CLASSES = [
+    "logic_error",
+    "hallucination",
+    "syntax_error",
+    "type_error",
+    "test_regression",
+    "scope_creep",
+    "no_progress",
+    "repo_grounding_failure",
+    "verification_failure",
+    "environment_mismatch",
+    "budget_pressure",
+    "safety_leash_blocked",
+];
 export { MARTIN_ERROR_CATEGORIES } from "./operator.js";
 export const DEFAULT_BUDGET = {
     maxUsd: 25,

package/dist/vendor/core/context-integrity.js

@@ -10,6 +10,23 @@ const POISON_PATTERNS = [
     /\[system_override\]/i,
     /\[authority_inversion\]/i
 ];
+/**
+ * Identity-redefinition / persona-override patterns.
+ *
+ * These intentionally require an *override framing* (e.g. "now", "no longer",
+ * "forget", "pretend", or an explicit authority-role claim) rather than any
+ * sentence shaped like "you are X" / "I am X" — the latter matches ordinary
+ * benign text (e.g. "You are welcome to try MartinLoop") and produced
+ * false-positive hard aborts.
+ */
+const IDENTITY_REDEFINITION_PATTERNS = [
+    /\byou(?:'re|\s+are)\s+now\s+(?:a|an|the)\b(?!\s+(?:martin\s+loop|ai\s+coding\s+agent))/i,
+    /\byou(?:'re|\s+are)\s+no\s+longer\s+(?!.*\b(?:martin\s+loop|an?\s+ai)\b)/i,
+    /\bforget\s+(?:that\s+)?you(?:'re|\s+are)\s+martin\s+loop\b/i,
+    /\b(?:pretend|imagine)\s+(?:that\s+)?you(?:'re|\s+are)\b/i,
+    /\bact\s+as\s+(?:if\s+you(?:'re|\s+are)\s+)?(?:a|an)\s+(?:different|new|unrestricted|jailbroken)\b/i,
+    /\bi\s+am\s+(?:the|your)\s+(?:new\s+)?(?:system|developer|admin(?:istrator)?|root\s*user|owner|creator|operator)\b/i
+];
 /**
  * T05: Context Poisoning Pre-gate.
  * Scans untrusted input channels for authority inversion or instruction re-injection.
@@ -23,7 +40,12 @@ export async function runContextIntegrityPrecheck(runId, attemptIndex, artifacts
         tools: Boolean(inputs.toolOutput),
         history: Boolean(inputs.history)
     };
-    const untrustedBuffer = [inputs.userPrompt, inputs.toolOutput, inputs.retrievedContext]
+    const untrustedBuffer = [
+        inputs.userPrompt,
+        inputs.toolOutput,
+        inputs.retrievedContext,
+        inputs.history
+    ]
         .filter(Boolean)
         .join("\n---\n");
     for (const pattern of POISON_PATTERNS) {
@@ -31,8 +53,11 @@ export async function runContextIntegrityPrecheck(runId, attemptIndex, artifacts
             signals.push(`Detected poison pattern: ${pattern.toString()}`);
         }
     }
-    if (/\b(?:I am|You are)\s+(?!Martin\s+Loop|an\s+AI)\b/i.test(untrustedBuffer)) {
-        signals.push("Identity redefinition attempt detected.");
+    for (const pattern of IDENTITY_REDEFINITION_PATTERNS) {
+        if (pattern.test(untrustedBuffer)) {
+            signals.push("Identity redefinition attempt detected.");
+            break;
+        }
     }
     const verdict = signals.length > 0 ? "context_poisoning_block" : "clean";
     const precheck = {

package/dist/vendor/core/grounding.d.ts

@@ -16,6 +16,7 @@ export interface RepoGroundingHit {
     matchedTerms: string[];
     symbols: string[];
 }
+export declare function resolveGroundingRoot(env?: NodeJS.ProcessEnv): string;
 export declare function loadOrBuildRepoGroundingIndex(repoRoot: string): Promise<RepoGroundingIndex>;
 export declare function buildRepoGroundingIndex(repoRoot: string): Promise<RepoGroundingIndex>;
 export declare function queryRepoGroundingIndex(index: RepoGroundingIndex, query: string, limit?: number): RepoGroundingHit[];

package/dist/vendor/core/grounding.js

@@ -12,6 +12,10 @@ const IGNORED_DIRS = new Set([
 ]);
 const MAX_FILE_BYTES = 64_000;
 const MAX_FILES = 500;
+export function resolveGroundingRoot(env = process.env) {
+    return env["MARTIN_GROUNDING_DIR"]?.trim() ??
+        join(homedir(), ".martin", "grounding");
+}
 export async function loadOrBuildRepoGroundingIndex(repoRoot) {
     const cachePath = getGroundingCachePath(repoRoot);
     try {
@@ -23,7 +27,7 @@ export async function loadOrBuildRepoGroundingIndex(repoRoot) {
     catch { }
     const index = await buildRepoGroundingIndex(repoRoot);
     try {
-        await mkdir(join(homedir(), ".martin", "grounding"), { recursive: true });
+        await mkdir(resolveGroundingRoot(), { recursive: true });
         await writeFile(cachePath, JSON.stringify(index, null, 2), "utf8");
     }
     catch {
@@ -79,7 +83,7 @@ export function queryRepoGroundingIndex(index, query, limit = 6) {
         .slice(0, limit);
 }
 function getGroundingCachePath(repoRoot) {
-    return join(homedir(), ".martin", "grounding", `${Buffer.from(repoRoot).toString("base64url")}.json`);
+    return join(resolveGroundingRoot(), `${Buffer.from(repoRoot).toString("base64url")}.json`);
 }
 async function walk(repoRoot, currentDir, files, state) {
     if (state.count >= MAX_FILES)

package/dist/vendor/core/index.d.ts

@@ -112,6 +112,7 @@ export interface MartinAdapter {
             diffArtifacts?: boolean;
             structuredErrors?: boolean;
             cachingSignals?: boolean;
+            workspaceMutations?: boolean;
         };
         [key: string]: unknown;
     };

package/dist/vendor/core/index.js

@@ -271,8 +271,20 @@ export async function runMartin(input) {
         // GATHER → ADMIT: run admission control before executing
         currentPhase = "ADMIT";
         // T05: Context Integrity Pre-gate — blocks authority inversion / injection before reasoning
+        //
+        // Untrusted "tool output" re-entering the loop is verifier command output from prior
+        // attempts (e.g. test runners echoing attacker-controlled strings). Pull that text from
+        // already-persisted verification.completed events so the gate scans what actually
+        // re-enters subsequent prompts, matching the documented "tool output / test output" scope.
+        const priorVerifierOutput = loop.events
+            .filter((event) => event.type === "verification.completed")
+            .flatMap((event) => event.payload.steps ?? [])
+            .map((step) => step.detail)
+            .filter((detail) => Boolean(detail))
+            .join("\n---\n");
         const contextPrecheck = await runContextIntegrityPrecheck(loop.loopId, loop.attempts.length + 1, runDir(resolveActiveRunsRoot(input.store), loop.loopId), {
             userPrompt: distilled.focus,
+            toolOutput: priorVerifierOutput || undefined,
             history: loop.attempts.map(a => a.summary).join("\n")
         });
         if (contextPrecheck.verdict === "context_poisoning_block") {
@@ -412,10 +424,14 @@ export async function runMartin(input) {
             },
             previousAttempts: loop.attempts
         };
-        const rollbackBoundary = await captureRollbackBoundary({
-            repoRoot: request.context.repoRoot,
-            capturedAt: attemptStartedAt
-        });
+        const tracksWorkspaceMutations = request.context.repoRoot !== undefined &&
+            executingAdapter.metadata.capabilities?.workspaceMutations !== false;
+        const rollbackBoundary = tracksWorkspaceMutations
+            ? await captureRollbackBoundary({
+                repoRoot: request.context.repoRoot,
+                capturedAt: attemptStartedAt
+            })
+            : undefined;
         const result = await executingAdapter.execute(request);
         const attemptCompletedAt = now();
         const compiledContext = compilePromptPacket(request);
@@ -535,7 +551,8 @@ export async function runMartin(input) {
             payload: {
                 actualUsd: loop.cost.actualUsd,
                 remainingBudgetUsd: costState.remainingBudgetUsd,
-                pressure: costState.pressure
+                pressure: costState.pressure,
+                provenance: getUsageProvenance(result.usage)
             }
         }, { now: now(), idFactory });
         if (input.store) {
@@ -592,7 +609,9 @@ export async function runMartin(input) {
                 }
             }));
         }
-        const changedFiles = resolveChangedFiles(result, request.context.repoRoot);
+        const changedFiles = tracksWorkspaceMutations
+            ? resolveChangedFiles(result, request.context.repoRoot)
+            : [];
         // Evidence is only reliable when the adapter explicitly reported files OR git actually
         // returned a non-empty list. A repoRoot alone is insufficient — git may fail (e.g. not
         // a git repo) and silently return [], which would falsely trigger no_code_change.

package/dist/vendor/core/leash.js

@@ -1,20 +1,56 @@
 import { isAbsolute, relative, resolve } from "node:path";
 const BLOCKED_PATTERNS = [
-    /(^|\s)rm\s+-rf(\s|$)/u,
+    /(^|[\s;&|`(])rm\s+-rf(\s|$)/iu,
     /git\s+reset\s+--hard/iu,
     /git\s+clean\s+-fd/iu,
     /curl\b[^\n|]*\|\s*(sh|bash)/iu,
     /wget\b[^\n|]*\|\s*(sh|bash)/iu,
-    /(^|\s)sudo(\s|$)/u,
-    /(^|\s)mkfs(\.|\s|$)/u,
-    /(^|\s)dd\s+if=/u,
+    /(^|[\s;&|`(])sudo(\s|$)/iu,
+    /(^|[\s;&|`(])mkfs(\.|\s|$)/iu,
+    /(^|[\s;&|`(])dd\s+if=/iu,
     /(shutdown|reboot)(\s|$)/iu,
-    /:\(\)\s*\{\s*:\|:&\s*\}\s*;\s*:/u,
+    /:\(\)\s*\{\s*:\|:&\s*\}\s*;\s*:/iu,
     /chmod\s+-R\s+777\s+\//iu,
     /(kubectl|docker)\s+.*\b(delete|prune|rm)\b/iu,
     /ssh\s+/iu,
-    /scp\s+/iu
+    /scp\s+/iu,
+    // bash/sh -c "<destructive command>" wrappers — flags the wrapper shape directly,
+    // since a naive regex on the outer command misses the destructive inner command.
+    /\b(?:bash|sh|zsh)\s+-c\s+["'`]/iu,
+    // recursive directory deletion via `find ... -delete` / `find ... -exec rm`
+    /\bfind\s+\S+(?:\s+-[a-z-]+(?:\s+\S+)?)*\s+-delete\b/iu,
+    /\bfind\s+\S+(?:\s+-[a-z-]+(?:\s+\S+)?)*\s+-exec\s+rm\b/iu,
+    // scripting-language recursive deletion one-liners
+    /\bshutil\.rmtree\s*\(/iu,
+    /\bos\.(?:remove|rmdir|removedirs|unlink)\s*\(/iu,
+    /\.(?:rm|rmdir|unlink)(?:Sync)?\s*\(/iu,
+    /\brimraf\s*\(/iu,
+    // Windows destructive deletion / formatting patterns
+    /\b(?:cmd(?:\.exe)?\s+\/c\s+)?del(?:\.exe)?\s+\/[^\n]*(?:\bs\b|\bq\b|\bf\b)/iu,
+    /\b(?:cmd(?:\.exe)?\s+\/c\s+)?rmdir(?:\.exe)?\s+\/[^\n]*\bs\b/iu,
+    /\bremove-item\b[^\n]*(?:-recurse|-r)\b[^\n]*(?:-force|-fo)\b/iu,
+    /\b(?:format-volume|diskpart)\b/iu
 ];
+/**
+ * Detects `rm` invocations that combine recursive + force flags regardless of
+ * flag ordering/grouping (`-rf`, `-fr`, `-r -f`, `--recursive --force`),
+ * absolute-path invocation (`/bin/rm`, `/usr/bin/rm`), case, or `${IFS}`-style
+ * shell obfuscation — all of which slip past the literal `rm\s+-rf` pattern.
+ */
+function commandContainsDestructiveRemoval(command) {
+    const normalized = command.replace(/\$\{?IFS\}?/giu, " ").toLowerCase();
+    const rmInvocation = /(?:^|[\s;&|`(])(?:\/(?:usr\/(?:local\/)?)?s?bin\/)?rm\s+([^\n;|`]+)/giu;
+    let match;
+    while ((match = rmInvocation.exec(normalized)) !== null) {
+        const args = match[1] ?? "";
+        const hasRecursive = /(?:^|\s)-[a-z]*r[a-z]*(?:\s|$)|--recursive\b/u.test(args);
+        const hasForce = /(?:^|\s)-[a-z]*f[a-z]*(?:\s|$)|--force\b/u.test(args);
+        if (hasRecursive && hasForce) {
+            return true;
+        }
+    }
+    return false;
+}
 const SECRET_PATTERNS = [
     {
         kind: "secret_value",
@@ -28,7 +64,52 @@ const SECRET_PATTERNS = [
     },
     {
         kind: "secret_value",
-        pattern: /\bghp_[A-Za-z0-9_]{8,}\b/gu,
+        pattern: /\bghp_[A-Za-z0-9_]{16,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\b(?:gho|ghu|ghs|ghr)_[A-Za-z0-9_]{16,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bAKIA[0-9A-Z]{16}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\b(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*[^\s"'`]+/giu,
+        replacement: "AWS_SECRET_ACCESS_KEY=[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/giu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\bAIza[0-9A-Za-z_-]{30,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /-----BEGIN(?:\s+[A-Z0-9]+)*\s+PRIVATE KEY-----[\s\S]*?-----END(?:\s+[A-Z0-9]+)*\s+PRIVATE KEY-----/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/gu,
+        replacement: "[REDACTED_SECRET]"
+    },
+    {
+        kind: "secret_value",
+        pattern: /\b(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*["']?[A-Za-z0-9_\-/+=]{12,}["']?/giu,
         replacement: "[REDACTED_SECRET]"
     }
 ];
@@ -55,7 +136,8 @@ export function evaluateVerificationLeash(task) {
         ...((task.verificationStack ?? []).map((step) => step.command))
     ].filter(Boolean);
     const profile = resolveExecutionProfile(task);
-    const blockedCommands = commands.filter((command) => BLOCKED_PATTERNS.some((pattern) => pattern.test(command)));
+    const blockedCommands = commands.filter((command) => BLOCKED_PATTERNS.some((pattern) => pattern.test(command)) ||
+        commandContainsDestructiveRemoval(command));
     const violations = blockedCommands.map((command) => ({
         kind: "command_blocked",
         command,

package/dist/vendor/core/persistence/integrity.d.ts

@@ -28,7 +28,7 @@ export declare function writeReceiptIntegrityMaterial(input: {
     ledgerEntries: unknown[];
     scope?: ReceiptScope;
     signedAt?: string;
-}): Promise<StoredReceiptIntegrityMaterial>;
+}): Promise<StoredReceiptIntegrityMaterial | undefined>;
 export declare function verifyReceiptIntegrityFromFiles(input: {
     runId: string;
     runsRoot: string;

package/dist/vendor/core/persistence/integrity.js

@@ -7,7 +7,11 @@ const RECEIPT_INTEGRITY_KEY_DIR_MODE = 0o700;
 const RECEIPT_INTEGRITY_KEY_FILE_MODE = 0o600;
 export async function writeReceiptIntegrityMaterial(input) {
     const signedAt = input.signedAt ?? new Date().toISOString();
-    const [key, keyId] = await ensureReceiptIntegrityKey(input.runsRoot, input.runId);
+    const keyMaterial = await ensureReceiptIntegrityKey(input.runsRoot, input.runId);
+    if (!keyMaterial) {
+        return undefined;
+    }
+    const [key, keyId] = keyMaterial;
     const chain = buildReceiptIntegrityChain(input.ledgerEntries);
     const loopRecordRaw = serializeStoredJson(input.loopRecord);
     const ledgerRaw = serializeStoredJsonl(input.ledgerEntries);
@@ -210,11 +214,16 @@ async function ensureReceiptIntegrityKey(runsRoot, runId) {
         return [trimmed, sha256(trimmed).slice(0, 16)];
     }
     const generated = randomBytes(32).toString("hex");
-    await mkdir(dirname(keyPath), { recursive: true, mode: RECEIPT_INTEGRITY_KEY_DIR_MODE });
-    await writeFile(keyPath, `${generated}\n`, {
-        encoding: "utf8",
-        mode: RECEIPT_INTEGRITY_KEY_FILE_MODE
-    });
+    try {
+        await mkdir(dirname(keyPath), { recursive: true, mode: RECEIPT_INTEGRITY_KEY_DIR_MODE });
+        await writeFile(keyPath, `${generated}\n`, {
+            encoding: "utf8",
+            mode: RECEIPT_INTEGRITY_KEY_FILE_MODE
+        });
+    }
+    catch {
+        return undefined;
+    }
     return [generated, sha256(generated).slice(0, 16)];
 }
 async function readReceiptIntegrityKey(runsRoot, runId) {

package/dist/workflow-state.d.ts

@@ -1,3 +1,4 @@
+import type { LoopBudget, ReceiptScope } from "./vendor/contracts/index.js";
 type McpWorkflowStepName = "doctor" | "plan" | "preflight";
 export interface RecordMcpWorkflowStepInput {
     runsRoot: string;
@@ -6,6 +7,10 @@ export interface RecordMcpWorkflowStepInput {
     objective?: string;
     engine?: string;
     verificationPlan?: string[];
+    receiptScope?: ReceiptScope;
+    allowedPaths?: string[];
+    deniedPaths?: string[];
+    budget?: LoopBudget;
 }
 export interface EvaluateMcpRunGateInput {
     runsRoot: string;
@@ -13,6 +18,10 @@ export interface EvaluateMcpRunGateInput {
     objective: string;
     engine?: string;
     verificationPlan?: string[];
+    receiptScope?: ReceiptScope;
+    allowedPaths?: string[];
+    deniedPaths?: string[];
+    budget?: LoopBudget;
 }
 export interface McpRunGateResult {
     allowed: boolean;

package/dist/workflow-state.js

@@ -15,7 +15,10 @@ export async function recordMcpWorkflowStep(input) {
         workingDirectory: normalizeWorkingDirectory(input.workingDirectory),
         ...(input.objective ? { objectiveKey: normalizeObjective(input.objective) } : {}),
         ...(input.engine ? { engine: input.engine } : {}),
-        ...(input.verificationPlan ? { verificationPlanKey: hashVerificationPlan(input.verificationPlan) } : {})
+        ...(input.verificationPlan ? { verificationPlanKey: hashVerificationPlan(input.verificationPlan) } : {}),
+        ...(input.receiptScope ? { scopeKey: hashReceiptScope(input.receiptScope) } : {}),
+        pathScopeKey: hashPathScope(input.allowedPaths ?? [], input.deniedPaths ?? []),
+        ...(input.budget ? { budgetKey: hashBudget(input.budget) } : {})
     };
     await writeWorkflowState(input.runsRoot, state);
 }
@@ -26,18 +29,31 @@ export async function evaluateMcpRunGate(input) {
     const objectiveKey = normalizeObjective(input.objective);
     const engine = input.engine ?? "claude";
     const verificationPlanKey = hashVerificationPlan(input.verificationPlan ?? []);
+    const scopeKey = hashReceiptScope(input.receiptScope ?? {
+        invocationRoot: input.workingDirectory,
+        workingDirectory: input.workingDirectory,
+        repoRoot: input.workingDirectory,
+        runsRoot: input.runsRoot
+    });
+    const pathScopeKey = hashPathScope(input.allowedPaths ?? [], input.deniedPaths ?? []);
+    const budgetKey = input.budget ? hashBudget(input.budget) : undefined;
     const missingSteps = [];
-    if (!isFresh(mcpState["doctor"], DOCTOR_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory)) {
+    if (!isFresh(mcpState["doctor"], DOCTOR_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory &&
+        receipt.scopeKey === scopeKey)) {
         missingSteps.push("doctor");
     }
     if (!isFresh(mcpState["plan"], PLAN_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory &&
+        receipt.scopeKey === scopeKey &&
         receipt.objectiveKey === objectiveKey)) {
         missingSteps.push("plan");
     }
     if (!isFresh(mcpState["preflight"], PREFLIGHT_TTL_MS, (receipt) => receipt.workingDirectory === workingDirectory &&
         receipt.objectiveKey === objectiveKey &&
         receipt.engine === engine &&
-        receipt.verificationPlanKey === verificationPlanKey)) {
+        receipt.verificationPlanKey === verificationPlanKey &&
+        receipt.scopeKey === scopeKey &&
+        receipt.pathScopeKey === pathScopeKey &&
+        (budgetKey === undefined || receipt.budgetKey === budgetKey))) {
         missingSteps.push("preflight");
     }
     if (missingSteps.length === 0) {
@@ -100,3 +116,28 @@ function hashVerificationPlan(verificationPlan) {
     const normalized = verificationPlan.map((step) => step.trim()).filter(Boolean);
     return createHash("sha256").update(JSON.stringify(normalized)).digest("hex").slice(0, 12);
 }
+function hashReceiptScope(receiptScope) {
+    const normalized = {
+        invocationRoot: normalizeWorkingDirectory(receiptScope.invocationRoot ?? receiptScope.workingDirectory ?? ""),
+        workingDirectory: normalizeWorkingDirectory(receiptScope.workingDirectory ?? receiptScope.repoRoot ?? ""),
+        repoRoot: normalizeWorkingDirectory(receiptScope.repoRoot ?? receiptScope.workingDirectory ?? ""),
+        runsRoot: normalizeWorkingDirectory(receiptScope.runsRoot ?? "")
+    };
+    return createHash("sha256").update(JSON.stringify(normalized)).digest("hex").slice(0, 12);
+}
+function hashPathScope(allowedPaths, deniedPaths) {
+    const normalized = {
+        allowedPaths: [...new Set(allowedPaths.map((entry) => entry.trim()).filter(Boolean))].sort(),
+        deniedPaths: [...new Set(deniedPaths.map((entry) => entry.trim()).filter(Boolean))].sort()
+    };
+    return createHash("sha256").update(JSON.stringify(normalized)).digest("hex").slice(0, 12);
+}
+function hashBudget(budget) {
+    const normalized = {
+        maxUsd: Number(budget.maxUsd.toFixed(4)),
+        softLimitUsd: Number(budget.softLimitUsd.toFixed(4)),
+        maxIterations: budget.maxIterations,
+        maxTokens: budget.maxTokens
+    };
+    return createHash("sha256").update(JSON.stringify(normalized)).digest("hex").slice(0, 12);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@martinloop/mcp",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "mcpName": "io.github.Keesan12/martin-loop",
   "private": false,
   "type": "module",
@@ -55,7 +55,7 @@
     "smoke:published": "node ./scripts/smoke-published-package.mjs",
     "smoke:published:pack": "node ./scripts/smoke-published-package.mjs --package-spec=pack",
     "verify:release": "node --test ../../scripts/tests/publish-mcp-workflow.test.mjs ../../scripts/tests/mcp-publish-reliability.test.mjs ../../scripts/tests/mcp-release-docs.test.mjs",
-    "test": "vitest run",
+    "test": "vitest run --maxWorkers=1",
     "lint": "tsc -p tsconfig.json --noEmit",
     "start": "node dist/server.js",
     "inspect:live": "node ./scripts/inspect-live.mjs"

package/server.json

@@ -7,12 +7,12 @@
     "url": "https://github.com/Keesan12/martin-loop",
     "source": "github"
   },
-  "version": "0.3.0",
+  "version": "0.3.2",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@martinloop/mcp",
-      "version": "0.3.0",
+      "version": "0.3.2",
       "transport": {
         "type": "stdio"
       }