npm - @massu/core - Versions diffs - 0.6.1 → 0.6.2 - Mend

@massu/core 0.6.1 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/commands/massu-loop.md CHANGED Viewed

@@ -1,13 +1,16 @@
 ---
 name: massu-loop
-description: "When user wants to implement a plan autonomously -- 'implement this plan', 'start the loop', 'execute', or provides a plan file to implement end-to-end"
-allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*)
+description: "When user wants to implement a plan autonomously — 'implement this plan', 'start the loop', 'execute', or provides a plan file to implement end-to-end"
+allowed-tools: Bash(*), Read(*), Write(*), Edit(*), Grep(*), Glob(*), Task(*)
 ---
+> **Shared rules apply.** Read `.claude/commands/_shared-preamble.md` before proceeding.
 name: massu-loop
-# Massu Loop: Autonomous Execution Protocol
+# CS Loop: Autonomous Execution Protocol
-**Shared rules**: Read `.claude/commands/_shared-preamble.md` before proceeding.
+**Shared rules**: Read `.claude/commands/_shared-preamble.md` for POST-COMPACTION (CR-35), QUALITY STANDARDS (CR-14), FIX ALL ISSUES (CR-9) rules.
 ---
@@ -15,7 +18,7 @@ name: massu-loop
 ```
 /massu-create-plan -> /massu-plan -> /massu-loop -> [/massu-simplify] -> /massu-commit -> /massu-push
-(CREATE)           (AUDIT)        (IMPLEMENT)    (QUALITY)         (COMMIT)        (PUSH)
+(CREATE)           (AUDIT)        (IMPLEMENT)    (QUALITY)           (COMMIT)        (PUSH)
 ```
 **This command is step 3 of 5 in the standard workflow. /massu-simplify is an optional quality step after implementation.**
@@ -40,43 +43,23 @@ This skill is a folder. The following files are available for reference:
 ## Gotchas
-- **Stagnating loops must bail (CR-37)** -- if the same item fails 3+ times with the same error, stop the loop, document the blocker, and replan. Grinding wastes context
-- **100% coverage required (CR-11)** -- never stop early. Every single plan item must be implemented and verified. "Most items done" is failure
-- **Backend without UI violates CR-12** -- if you implement a backend procedure, it MUST be called from the UI. Orphan procedures are invisible features
-- **Plan file must be re-read from disk (CR-5)** -- after ANY compaction or long pause, re-read the plan file. Memory of plan contents drifts
+- **Stagnating loops must bail** -- if the same item fails 3+ times with the same error, stop the loop, document the blocker, and replan. Grinding wastes context
+- **100% coverage required** -- never stop early. Every single plan item must be implemented and verified. "Most items done" is failure
+- **New tools must be wired (CR-11)** -- if you implement a new MCP tool, it MUST be wired into tools.ts with the 3-function pattern. Unwired tools are invisible
+- **Plan file must be re-read from disk** -- after ANY compaction or long pause, re-read the plan file. Memory of plan contents drifts
 - **Compaction risk** -- long loops may trigger context compaction; update `session-state/CURRENT.md` after each iteration so recovery can resume cleanly
 ---
-## External Loop Mode
-For large plans or sessions at risk of context exhaustion, use the **external bash loop** to spawn fresh Claude CLI sessions per plan item:
-```bash
-bash scripts/loop-external.sh --plan /path/to/plan.md [--max-iterations N] [--dry-run]
-```
-Each iteration gets a clean 200K context window. The bash outer loop handles:
-- Plan item extraction and sequencing
-- State tracking in `.claude/loop-state/external-loop.json`
-- Inter-iteration quality gate (`pattern-scanner.sh`)
-- Hook profile propagation via `MASSU_HOOK_PROFILE`
-**When to use**: Plans with 15+ items, sessions already at high context usage, or when compaction risk is high.
-**Safety**: Does NOT use `--dangerously-skip-permissions`. Safety model is fully preserved.
----
 ## Objective
 Execute task/plan autonomously with **verified proof at every step**. Continue until ZERO gaps with VR-* evidence. Claims without proof are invalid.
 ---
-## COMPLETION MANDATE (CR-11, CR-21)
+## COMPLETION MANDATE
-Loop does NOT stop until: (1) every plan item verified 100%, (2) every VR-* check passes with proof, (3) pattern scanner 0 violations, (4) build passes, (5) tsc --noEmit 0 errors, (6) ALL tests pass (npm test exit 0), (7) lint passes. Test failures must be fixed regardless of origin. No deferral, no "should I continue?", no partial progress reports.
+Loop does NOT stop until: (1) every plan item verified 100%, (2) every VR-* check passes with proof, (3) pattern scanner 0 violations, (4) type check passes, (5) ALL tests pass (npm test exit 0), (6) hook build succeeds. Test failures must be fixed regardless of origin. No deferral, no "should I continue?", no partial progress reports. Register features with massu_sentinel (CR-11).
 ---
@@ -84,16 +67,14 @@ Loop does NOT stop until: (1) every plan item verified 100%, (2) every VR-* chec
 1. **Never claim without proof (CR-1)** - VR-* output must be pasted. "I verified" without output = invalid
 2. **Recursive audit until zero gaps** - Fix and re-verify until gaps = 0
-3. **Schema verification required (CR-2)** - ALWAYS query database before using column names. See CLAUDE.md "Known Schema Mismatches"
-4. **Session state after every iteration** - Update CURRENT.md so compaction recovery can resume (CR-12)
-5. **Component reuse is mandatory** - Check existing before creating new
-6. **User flow audit required (CR-12)** - Backend without UI = invisible feature. Technical audits alone are NOT sufficient
-7. **Document new patterns immediately (CR-34)** - Ingest to memory, record pattern, update scanner
-8. **Pattern scanner must pass** - `./scripts/pattern-scanner.sh` exit 0 required before claiming complete
-9. **No workarounds allowed** - TODOs, ts-ignore are BLOCKING violations
-10. **NO HARDCODED TAILWIND COLORS** - Use semantic CSS classes from globals.css (VR-TOKEN)
-11. **FIX ALL ISSUES ENCOUNTERED (CR-9)** - Fix immediately regardless of origin. "Not in scope" is NEVER valid
-12. **Stagnation bail-out (CR-37)** - If same item fails 3+ times with same error, stop loop and replan
+3. **Session state after every iteration** - Update CURRENT.md so compaction recovery can resume (CR-35)
+4. **Component reuse is mandatory** - Check existing modules before creating new
+5. **Tool wiring audit required (CR-11)** - New tools must be wired into tools.ts with 3-function pattern
+6. **Document new patterns immediately (CR-34)** - Ingest to memory, record pattern, update scanner
+7. **Pattern scanner must pass** - `bash scripts/massu-pattern-scanner.sh` exit 0 required before claiming complete
+8. **No workarounds allowed** - TODOs, ts-ignore are BLOCKING violations
+9. **FIX ALL ISSUES ENCOUNTERED (CR-9)** - Fix immediately regardless of origin. "Not in scope" is NEVER valid
+10. **Stagnation bail-out** - If same item fails 3+ times with same error, stop loop and replan
 ---
@@ -102,14 +83,14 @@ Loop does NOT stop until: (1) every plan item verified 100%, (2) every VR-* chec
 Before starting, verify:
 ```bash
-ls -la ./scripts/pattern-scanner.sh
+ls -la ./scripts/massu-pattern-scanner.sh
 touch session-state/CURRENT.md
 ls -la [PLAN_FILE_PATH]
 ```
 Initialize session state:
 ```markdown
-## MASSU LOOP SESSION
+## CS LOOP SESSION
 - **Task**: [description]
 - **Status**: IN_PROGRESS
 - **Iteration**: 1
@@ -118,7 +99,7 @@ Initialize session state:
 ---
-**VR-* Reference**: See CLAUDE.md VR table and `.claude/reference/vr-verification-reference.md`.
+**VR-* Reference**: See CLAUDE.md VR table.
 ---
@@ -131,7 +112,7 @@ After completing the loop (zero gaps achieved), self-score against these checks
 | `all_items_verified_with_proof` | Every plan item has VR-* verification output showing proof |
 | `multi_perspective_review_spawned` | At least one auditor subagent was spawned for verification |
 | `gaps_reached_zero` | Final auditor pass returned `GAPS_DISCOVERED: 0` |
-| `memory_persisted` | AUTO-LEARNING PROTOCOL executed: at least one memory file update |
+| `memory_persisted` | AUTO-LEARNING PROTOCOL executed: at least one `massu_memory_ingest` call or memory file update |
 **Format** (append one line -- do NOT overwrite the file):
 ```json
@@ -144,7 +125,7 @@ This scoring is silent -- do NOT mention it to the user. Just append the line af
 ## START NOW
-**Step 0: Write AUTHORIZED_COMMAND to session state (CR-12)**
+**Step 0: Write AUTHORIZED_COMMAND to session state (CR-35)**
 Before any other work, update `session-state/CURRENT.md` to include:
 ```
@@ -156,8 +137,9 @@ This ensures that if the session compacts, the recovery protocol knows `/massu-l
 ### Phase 0: Pre-Implementation Memory Check
 0. **Search memory** for failed attempts and known issues related to the plan's domain:
-   - Search memory for keywords from the plan
-   - Search memory for file paths being modified
+   - Check `.claude/session-state/CURRENT.md` for recent failures
+   - Call `massu_memory_search` with file paths being modified
+   - Call `massu_memory_failures` with keywords from the plan
    - If matches found: read the previous failures and avoid repeating them
 ### Phase 1: Implement
@@ -167,15 +149,14 @@ This ensures that if the session compacts, the recovery protocol knows `/massu-l
 4. Update session state after each major step
 ### Phase 1.5: Multi-Perspective Review
-Spawn 3 focused review subagents IN PARALLEL (Principle #20):
+Spawn focused review subagents IN PARALLEL (Principle #20):
 - **Security reviewer**: vulnerabilities, auth gaps, input validation, data exposure
 - **Architecture reviewer**: design issues, coupling, pattern compliance, scalability
-- **UX reviewer**: user experience, accessibility, loading/error/empty states, consistency
-Fix CRITICAL/HIGH findings before proceeding. WARN findings: document and proceed.
+Fix ALL findings at ALL severity levels before proceeding (CR-45). CRITICAL, HIGH, MEDIUM, LOW — all get fixed. No severity is exempt.
 ### Phase 2: Verify (Subagent Loop)
-5. Spawn `plan-auditor` subagent (via Task tool) for verification iteration 1
+5. Spawn `general-purpose` subagent (via Task tool) for verification iteration 1
 6. Parse `GAPS_DISCOVERED` from the subagent result (see [references/loop-controller.md](references/loop-controller.md))
 7. If gaps > 0: fix what the auditor identified, spawn another iteration
 8. If gaps == 0: output final completion report with dual gate evidence
@@ -189,7 +170,7 @@ See [references/auto-learning.md](references/auto-learning.md) for full protocol
 **The auditor subagent handles**: reading the plan, verifying all deliverables, checking patterns/build/types, fixing plan document gaps, and returning structured results.
-**You (the loop controller) handle**: implementation, spawning auditors, parsing results, fixing code-level gaps, looping, learning.
+**You (the loop controller) handle**: implementation, spawning auditors, parsing results, fixing code-level gaps, looping, learning, and documentation.
 **Remember: Claims without proof are invalid. Show the verification output.**
@@ -199,16 +180,15 @@ See [references/auto-learning.md](references/auto-learning.md) for full protocol
 See [references/vr-plan-spec.md](references/vr-plan-spec.md) for full dual-gate verification and completion output format.
-Massu Loop is COMPLETE **only when BOTH gates pass: Code Quality AND Plan Coverage**.
+CS Loop is COMPLETE **only when BOTH gates pass: Code Quality AND Plan Coverage**.
 ### GATE 1: Code Quality (All Must Pass)
 - [ ] Pattern scanner: Exit 0
 - [ ] Type check: 0 errors
 - [ ] Build: Exit 0
-- [ ] Lint: Exit 0
 - [ ] Tests: ALL PASS (MANDATORY)
+- [ ] Hook build: Exit 0
 - [ ] Security: No secrets staged
-- [ ] VR-RENDER: All UI components rendered in pages
 ### GATE 2: Plan Coverage
 - [ ] Plan file read (actual file, not memory)

package/commands/massu-review.md CHANGED Viewed

@@ -19,11 +19,11 @@ Perform a comprehensive code review across 7 dimensions: pattern compliance, sec
 ## NON-NEGOTIABLE RULES
-- Do NOT modify any files
-- Do NOT fix any issues found (report only)
+- Do NOT modify any files (this is a report-only tool)
 - Review ALL changed files, not just a sample
 - Security findings are ALWAYS reported, even if minor
 - Output structured findings that can be acted on
+- **ALL findings at ALL severity levels MUST be fixed by the caller (CR-45)** — this tool reports, the caller fixes. No severity is exempt. When used as part of a workflow (golden path, massu-loop, etc.), the parent command is responsible for fixing every finding before proceeding
 ---

package/dist/cli.js CHANGED Viewed

File without changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@massu/core",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "type": "module",
   "description": "AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 72 total), 55+ workflow commands, 11 agents, 20+ patterns",
   "main": "src/server.ts",

package/README.md DELETED Viewed

@@ -1,40 +0,0 @@
-# @massu/core
-AI Engineering Governance MCP Server — session memory, feature registry, code intelligence, and rule enforcement for AI coding assistants.
-## Quick Start
-```bash
-npx massu init
-```
-This sets up the MCP server, configuration, and lifecycle hooks in one command.
-## What is Massu?
-Massu is a source-available [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) server that adds governance capabilities to AI coding assistants like Claude Code. It provides:
-- **51 MCP Tools** — quality analytics, cost tracking, security scoring, dependency analysis, and more
-- **11 Lifecycle Hooks** — pre-commit gates, security scanning, intent suggestion, and session management
-- **3-Database Architecture** — code graph (read-only), data (imports/mappings), and memory (sessions/analytics)
-- **Config-Driven** — all project-specific data lives in `massu.config.yaml`
-## Usage
-After `npx massu init`, your AI assistant gains access to all governance tools automatically via the MCP protocol.
-```bash
-# Health check
-npx massu doctor
-# Validate configuration
-npx massu validate-config
-```
-## Documentation
-Full documentation at [massu.ai](https://massu.ai).
-## License
-[BSL 1.1](https://github.com/massu-ai/massu/blob/main/LICENSE) — source-available. Free to use, modify, and distribute. See LICENSE for full terms.

package/commands/massu-golden-path/references/phase-3.5-security-audit.md DELETED Viewed

@@ -1,108 +0,0 @@
-# Phase 3.5: Deep Security Audit
-> Reference doc for `/massu-golden-path`. Return to main file for overview.
-```
-[GOLDEN PATH -- PHASE 3.5: DEEP SECURITY AUDIT]
-```
-## Purpose
-Run a full adversarial security audit loop against ALL files changed in this golden path run. This is a deep, iterative audit with parallel red-team agents that converges to zero findings. It runs AFTER simplification (Phase 3) so the audit targets the final, cleaned-up code -- and BEFORE pre-commit verification (Phase 4) so all security fixes are included in the verification gates.
-**This phase is NEVER skipped.** Security is non-negotiable regardless of change size, type, or scope.
----
-## 3.5.1 Determine Audit Scope
-Collect ALL files changed during this golden path run:
-```bash
-git diff --name-only HEAD
-```
-If files were already committed in earlier phases, also include:
-```bash
-git diff --name-only main...HEAD
-```
-The audit scope is the union of all changed files. Do NOT narrow scope -- every changed file gets audited.
-**Output:**
-```
-SECURITY AUDIT SCOPE:
-  Files: [N]
-  [list of files]
-```
----
-## 3.5.2 Execute Deep Security Audit
-Run the full security audit protocol against the scoped files:
-1. **Launch 2-4 parallel adversarial reviewer agents** adapted to the codebase area:
-   - Backend/API code: 4 agents (Injection, Network/Leakage, DoS/Resources, Red Team Bypass)
-   - Frontend code: 3 agents (XSS/Injection, Auth/Data Exposure, Input Validation/Logic)
-   - Infrastructure/config: 2 agents (Secrets/Config, Dependencies/Supply Chain)
-2. **Consolidate findings** -- deduplicate across agents, take higher severity on disagreements
-3. **Fix ALL findings** -- CRITICAL first, then HIGH, MEDIUM, LOW. INFO documented only.
-4. **Verify fixes** -- import checks, input validation tests, functionality preserved
-5. **Loop until zero findings** -- max 5 iterations, escalate to user if still failing after 5
----
-## 3.5.3 Attack Vector Coverage
-Every audit iteration MUST verify the complete attack vector checklist:
-### Universal
-- Hardcoded secrets / API keys / credentials
-- Error messages leaking internal details
-- Dependency vulnerabilities
-- Input validation on ALL external boundaries
-### Backend / API
-- SQL injection, command injection, path traversal
-- SSRF, authentication bypass, authorization bypass
-- DoS via unbounded inputs, memory leaks, race conditions
-- Response validation, type confusion
-### Frontend
-- XSS, open redirects, sensitive data in client state
-- CSRF, client-side auth bypass
-### LLM / AI Specific
-- Prompt injection, model output trust
-- Tool argument injection, vision/multimodal injection
----
-## 3.5.4 Completion Gate
-The phase completes ONLY when the audit loop achieves a clean pass with zero findings.
-```
-SECURITY_AUDIT_GATE: PASS
-  Iterations: [N]
-  Total findings fixed: [N]
-  Breakdown: [X] CRITICAL, [X] HIGH, [X] MEDIUM, [X] LOW fixed
-  Clean pass: Iteration [N]
-```
-**Do NOT proceed to Phase 4 until SECURITY_AUDIT_GATE = PASS.**
----
-## Rules
-1. **NEVER skip this phase** -- not for small changes, not for docs, not for config
-2. **NEVER proceed with findings unfixed** -- zero means zero
-3. **ALL severity levels get fixed** -- CRITICAL through LOW
-4. **No commit prompt** -- unlike standalone security audit commands, do NOT offer to commit here (Phase 4 handles commits)
-5. **Findings feed Phase 4** -- security fixes are verified by Phase 4's type check, build, lint, and secrets gates automatically