@meltstudio/meltctl 4.185.0 → 4.186.0

package/dist/index.js

@@ -14,7 +14,7 @@ var CLI_VERSION;
 var init_version = __esm({
   "src/utils/version.ts"() {
     "use strict";
-    CLI_VERSION = "4.185.0";
+    CLI_VERSION = "4.186.0";
   }
 });
 
@@ -1446,6 +1446,47 @@ function createDevelopersResource(config) {
   };
 }
 
+// ../sdk/dist/resources/endpoint-checks.js
+function createEndpointChecksResource(config) {
+  return {
+    /**
+     * Submit the calling person's endpoint-security self-check (#507). The API
+     * derives `author` from the JWT — there is no target param, so a caller can
+     * only ever write their own posture (same model as `/me`).
+     */
+    async submit(input3) {
+      const { data, status } = await apiFetch(config, "/endpoint-checks", { method: "POST", body: JSON.stringify(input3) });
+      if (status !== 201) {
+        throw new Error(data.error ?? `Failed to submit endpoint check (${status})`);
+      }
+      return data;
+    },
+    /**
+     * The latest check per person — the manager posture matrix. Manager-gated.
+     */
+    async listLatest() {
+      const { data, status } = await apiFetch(config, "/endpoint-checks");
+      if (status === 403) {
+        throw new Error("Access denied. Only Team Managers can list endpoint checks.");
+      }
+      if (status !== 200) {
+        throw new Error(data.error ?? `Failed to list endpoint checks (${status})`);
+      }
+      return data;
+    },
+    /**
+     * The caller's own latest check (or null). Self-scoped by the JWT.
+     */
+    async getMine() {
+      const { data, status } = await apiFetch(config, "/me/endpoint-check");
+      if (status !== 200) {
+        throw new Error(data.error ?? `Failed to fetch endpoint check (${status})`);
+      }
+      return data.check;
+    }
+  };
+}
+
 // ../sdk/dist/client.js
 async function apiFetch(config, path9, options = {}) {
   const response = await fetch(`${config.baseUrl}${path9}`, {
@@ -1479,7 +1520,8 @@ function createMeltClient(config) {
     jobs: createJobsResource(config),
     chat: createChatResource(config),
     me: createMeResource(config),
-    developers: createDevelopersResource(config)
+    developers: createDevelopersResource(config),
+    endpointChecks: createEndpointChecksResource(config)
   };
 }
 
@@ -3468,6 +3510,7 @@ import { z as z8 } from "zod";
 import { z as z9 } from "zod";
 import { z as z10 } from "zod";
 import { z as z11 } from "zod";
+import { z as z12 } from "zod";
 function createAuditsResource2(config) {
   return {
     async submit(input3) {
@@ -4603,6 +4646,45 @@ function createDevelopersResource2(config) {
     }
   };
 }
+function createEndpointChecksResource2(config) {
+  return {
+    /**
+     * Submit the calling person's endpoint-security self-check (#507). The API
+     * derives `author` from the JWT — there is no target param, so a caller can
+     * only ever write their own posture (same model as `/me`).
+     */
+    async submit(input3) {
+      const { data, status } = await apiFetch2(config, "/endpoint-checks", { method: "POST", body: JSON.stringify(input3) });
+      if (status !== 201) {
+        throw new Error(data.error ?? `Failed to submit endpoint check (${status})`);
+      }
+      return data;
+    },
+    /**
+     * The latest check per person — the manager posture matrix. Manager-gated.
+     */
+    async listLatest() {
+      const { data, status } = await apiFetch2(config, "/endpoint-checks");
+      if (status === 403) {
+        throw new Error("Access denied. Only Team Managers can list endpoint checks.");
+      }
+      if (status !== 200) {
+        throw new Error(data.error ?? `Failed to list endpoint checks (${status})`);
+      }
+      return data;
+    },
+    /**
+     * The caller's own latest check (or null). Self-scoped by the JWT.
+     */
+    async getMine() {
+      const { data, status } = await apiFetch2(config, "/me/endpoint-check");
+      if (status !== 200) {
+        throw new Error(data.error ?? `Failed to fetch endpoint check (${status})`);
+      }
+      return data.check;
+    }
+  };
+}
 async function apiFetch2(config, path22, options = {}) {
   const response = await fetch(`${config.baseUrl}${path22}`, {
     ...options,
@@ -4635,7 +4717,8 @@ function createMeltClient2(config) {
     jobs: createJobsResource2(config),
     chat: createChatResource2(config),
     me: createMeResource2(config),
-    developers: createDevelopersResource2(config)
+    developers: createDevelopersResource2(config),
+    endpointChecks: createEndpointChecksResource2(config)
   };
 }
 var auditFindingSchema2 = z2.object({
@@ -5843,6 +5926,59 @@ function registerDailyPlanTools(server, getClient2) {
     withClientArgs(getClient2, submitDailyPlan)
   );
 }
+var controlResult = z12.enum(["pass", "fail", "unknown"]);
+var verbalResult = z12.enum(["confirmed", "no", "unknown"]);
+var submitEndpointCheckShape = {
+  developerName: z12.string().min(1).describe("Full name the report is filed under."),
+  os: z12.enum(["macos", "windows", "linux"]).describe("Detected operating system."),
+  osVersion: z12.string().min(1).describe('e.g. "macOS 26.3" or "Windows 11 23H2".'),
+  diskEncryption: controlResult.describe("Full-disk encryption (FileVault / BitLocker)."),
+  screenLock: controlResult.describe("Screen lock + password on idle."),
+  osUpdates: controlResult.describe("OS current + automatic updates on."),
+  endpointProtection: controlResult.describe("Endpoint protection (SIP/Gatekeeper / Defender)."),
+  firewall: controlResult.describe("Host firewall enabled (post-remediation if done)."),
+  passwordManager: controlResult.describe("A password manager is installed."),
+  mfa: verbalResult.describe("Verbal: MFA on every work account."),
+  dataMinimization: verbalResult.describe("Verbal: cloud-first, no customer data kept locally."),
+  leastPrivilege: verbalResult.describe("Verbal: access scoped to what is needed."),
+  summary: z12.string().min(1).describe("One-line summary of the result."),
+  remediationDone: z12.string().min(1).describe('What was changed this session, e.g. "enabled host firewall" or "none".'),
+  rawReport: z12.string().min(1).describe("The full secrets-free markdown report. NEVER include passwords, keys, or tokens."),
+  // Hardware inventory snapshot (#507) — all optional / best-effort. Pass what
+  // the OS reliably reports; omit anything it can't. Hardware identifiers
+  // (serial, model, device name) ARE intended here; still NO passwords/keys/
+  // tokens/credentials.
+  deviceName: z12.string().optional().describe("Computer name (scutil --get ComputerName / $env:COMPUTERNAME)."),
+  manufacturer: z12.string().optional().describe('e.g. "Apple" or Win32_ComputerSystem.Manufacturer.'),
+  model: z12.string().optional().describe("Model name (SPHardwareDataType / Win32_ComputerSystem.Model)."),
+  modelIdentifier: z12.string().optional().describe('e.g. "Mac15,3" (macOS Model Identifier).'),
+  cpu: z12.string().optional().describe("Chip / processor name (SPHardwareDataType / Win32_Processor.Name)."),
+  cpuCores: z12.number().int().optional().describe("Total number of CPU cores."),
+  memoryGb: z12.number().int().optional().describe("Installed RAM in GB."),
+  storageGb: z12.number().int().optional().describe("Primary disk capacity in GB."),
+  serialNumber: z12.string().optional().describe("Hardware serial number (SPHardwareDataType / Win32_BIOS.SerialNumber)."),
+  batteryCycleCount: z12.number().int().optional().describe("Battery cycle count (SPPowerDataType); omit on desktops."),
+  batteryCondition: z12.string().optional().describe('Battery condition (SPPowerDataType), e.g. "Normal".'),
+  ageHint: z12.string().optional().describe(
+    "Free-form age proxy: model-year, BIOS/OS install date, or a user-stated acquisition date."
+  ),
+  inventoryExtra: z12.record(z12.string(), z12.unknown()).optional().describe("Anything else reliably readable (GPU, OS build, uptime). No secrets.")
+};
+var submitEndpointCheckSchema = z12.object(submitEndpointCheckShape);
+async function submitEndpointCheck(client, input3) {
+  return safe(() => client.endpointChecks.submit(input3));
+}
+function registerEndpointCheckTools(server, getClient2) {
+  server.registerTool(
+    "submit_endpoint_check",
+    {
+      title: "Submit an endpoint-security self-check",
+      description: "Records the calling person's endpoint-security self-check against Melt's baseline (#507). melt-endpoint-check calls this once it has run the read-only checks and produced the report: pass the 9 control results (5 technical pass/fail/unknown + 3 verbal confirmed/no/unknown), the OS, the one-line summary, what was remediated, and the full secrets-free markdown report. Self-scoped \u2014 the author comes from the JWT, so a caller only ever writes their own posture. Latest-check-wins per person. NEVER pass secrets (passwords, keys, tokens, internal hostnames) in any field.",
+      inputSchema: submitEndpointCheckShape
+    },
+    withClientArgs(getClient2, submitEndpointCheck)
+  );
+}
 var VERSION = "0.0.0";
 function createMcpServer(clientOrProvider) {
   const getClient2 = typeof clientOrProvider === "function" ? clientOrProvider : () => Promise.resolve(clientOrProvider);
@@ -5860,6 +5996,7 @@ function createMcpServer(clientOrProvider) {
   registerPortfolioStatusTools(server, getClient2);
   registerFindingsTools(server, getClient2);
   registerDailyPlanTools(server, getClient2);
+  registerEndpointCheckTools(server, getClient2);
   return server;
 }
 async function startServer() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meltstudio/meltctl",
-  "version": "4.185.0",
+  "version": "4.186.0",
   "description": "AI-first development tools for teams - set up AGENTS.md, Claude Code, Cursor, and OpenCode standards",
   "main": "dist/index.js",
   "type": "module",