@planu/cli 4.3.17 → 4.3.18

package/dist/engine/ai-assurance/index.d.ts

@@ -0,0 +1,4 @@
+export * from './spec-assurance.js';
+export * from './new-code-gate.js';
+export type * from '../../types/ai-assurance.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/engine/ai-assurance/index.js

@@ -0,0 +1,3 @@
+export * from './spec-assurance.js';
+export * from './new-code-gate.js';
+//# sourceMappingURL=index.js.map

package/dist/engine/ai-assurance/new-code-gate.d.ts

@@ -0,0 +1,3 @@
+import type { NewCodeFile, NewCodeGateResult } from '../../types/ai-assurance.js';
+export declare function evaluateNewCodeGate(files: NewCodeFile[]): NewCodeGateResult;
+//# sourceMappingURL=new-code-gate.d.ts.map

package/dist/engine/ai-assurance/new-code-gate.js

@@ -0,0 +1,39 @@
+const SPEC_LOGIC_PATH_RE = /(?:src\/tools\/create-spec\/|src\/engine\/.*(?:assurance|validator|quality|elicitation)\/|src\/tools\/validate\.ts$)/;
+const INCIDENTAL_DOMAIN_INFERENCE_RE = /\.(?:includes|match|test)\(\s*['"`](?:billing|payment|payments|auth|database|supabase|ui|frontend)['"`]\s*\)/i;
+const STACK_ONLY_TRIGGER_RE = /\b(?:framework|stack|language|projectDna|dna|detectedStack)\b[^;\n]*(?:billing|payment|payments|auth|database|supabase|ui|frontend)/i;
+export function evaluateNewCodeGate(files) {
+    const findings = files.flatMap((file) => scanFile(file));
+    return {
+        passed: findings.length === 0,
+        findings,
+    };
+}
+function scanFile(file) {
+    if (!SPEC_LOGIC_PATH_RE.test(file.path)) {
+        return [];
+    }
+    const findings = [];
+    const lines = file.content.split(/\r?\n/);
+    lines.forEach((line, index) => {
+        if (STACK_ONLY_TRIGGER_RE.test(line)) {
+            findings.push({
+                rule: 'new-code-stack-only-domain-trigger',
+                file: file.path,
+                line: index + 1,
+                message: 'New code appears to trigger product-domain requirements from detected stack metadata alone.',
+                evidence: line.trim(),
+            });
+        }
+        if (INCIDENTAL_DOMAIN_INFERENCE_RE.test(line)) {
+            findings.push({
+                rule: 'new-code-incidental-domain-inference',
+                file: file.path,
+                line: index + 1,
+                message: 'New code appears to infer product-domain requirements from incidental strings such as folder names.',
+                evidence: line.trim(),
+            });
+        }
+    });
+    return findings;
+}
+//# sourceMappingURL=new-code-gate.js.map

package/dist/engine/ai-assurance/spec-assurance.d.ts

@@ -0,0 +1,3 @@
+import type { SpecAssuranceInput, SpecAssuranceResult } from '../../types/ai-assurance.js';
+export declare function evaluateSpecAssurance(input: SpecAssuranceInput): SpecAssuranceResult;
+//# sourceMappingURL=spec-assurance.d.ts.map

package/dist/engine/ai-assurance/spec-assurance.js

@@ -0,0 +1,138 @@
+const GUARDED_DOMAINS = [
+    {
+        name: 'billing',
+        requestPattern: /\b(billing|payment|payments|paid|checkout|stripe|subscription|pricing)\b/i,
+        specPattern: /\b(billing|payment|payments|checkout|stripe|subscription|pricing)\b/i,
+    },
+    {
+        name: 'authentication',
+        requestPattern: /\b(auth|authentication|authorization|login|jwt|oauth|session)\b/i,
+        specPattern: /\b(auth|authentication|authorization|login|jwt|oauth|session|401|403)\b/i,
+    },
+    {
+        name: 'database',
+        requestPattern: /\b(database|schema|rls|rpc|persistence|persist|query|migration)\b/i,
+        specPattern: /\b(database|schema|rls|rpc|persistence|persist|query|migration)\b/i,
+    },
+    {
+        name: 'ui',
+        requestPattern: /\b(ui|frontend|component|screen|page|form|layout|style|styling)\b/i,
+        specPattern: /\b(ui|frontend|component|screen|page|form|layout|style|styling)\b/i,
+    },
+];
+const PATH_LIKE_DOMAIN_RE = /\b(?:stores|store|modules|features|apps|packages|src)\/([a-z][\w-]*)/gi;
+const INVENTED_STATUS_RE = /\b(?:(?:endpoints?|api|routes?|response|status)\b[^.\n]*(?:401|403|404|500)|(?:401|403|404|500)\b[^.\n]*(?:endpoints?|api|routes?|response|status))\b/i;
+const GENERIC_COVERAGE_RE = /\b(?:coverage|test coverage)\b/i;
+export function evaluateSpecAssurance(input) {
+    const findings = [];
+    const request = input.originalRequest;
+    const spec = input.generatedSpec;
+    findings.push(...findUnrequestedDomains(request, spec));
+    findings.push(...findInventedEndpointRequirements(request, spec));
+    findings.push(...findGenericCoverageRequirement(request, spec));
+    findings.push(...findPathDerivedAssumptions(request, spec));
+    return {
+        passed: findings.every((finding) => finding.severity !== 'error'),
+        findings,
+    };
+}
+function findUnrequestedDomains(request, spec) {
+    const findings = [];
+    for (const domain of GUARDED_DOMAINS) {
+        if (isDomainRequested(domain, request) || !domain.specPattern.test(spec)) {
+            continue;
+        }
+        findings.push({
+            rule: `ai-spec-unrequested-${domain.name}`,
+            severity: 'error',
+            message: `Generated spec introduced ${domain.name} requirements that are not present in the user request.`,
+            evidence: firstMatch(spec, domain.specPattern),
+        });
+    }
+    return findings;
+}
+function findInventedEndpointRequirements(request, spec) {
+    if (/\b(api|endpoint|route|http|status|401|403|404|500)\b/i.test(request)) {
+        return [];
+    }
+    if (!INVENTED_STATUS_RE.test(spec)) {
+        return [];
+    }
+    return [
+        {
+            rule: 'ai-spec-invented-endpoint-status',
+            severity: 'error',
+            message: 'Generated spec introduced endpoint/status-code behavior not present in the user request.',
+            evidence: firstMatch(spec, INVENTED_STATUS_RE),
+        },
+    ];
+}
+function findGenericCoverageRequirement(request, spec) {
+    if (GENERIC_COVERAGE_RE.test(request) || !GENERIC_COVERAGE_RE.test(spec)) {
+        return [];
+    }
+    return [
+        {
+            rule: 'ai-spec-generic-coverage',
+            severity: 'error',
+            message: 'Generated spec introduced a generic coverage requirement not tied to the requested behavior.',
+            evidence: firstMatch(spec, GENERIC_COVERAGE_RE),
+        },
+    ];
+}
+function findPathDerivedAssumptions(request, spec) {
+    const findings = [];
+    const pathTokens = new Set();
+    for (const match of request.matchAll(PATH_LIKE_DOMAIN_RE)) {
+        const token = match[1]?.toLowerCase();
+        if (token) {
+            pathTokens.add(token);
+        }
+    }
+    if (pathTokens.size === 0) {
+        return findings;
+    }
+    for (const token of pathTokens) {
+        const domain = GUARDED_DOMAINS.find((candidate) => candidate.name === token);
+        if (!domain || isDomainRequested(domain, stripPathLikeSegments(request))) {
+            continue;
+        }
+        if (!domain.specPattern.test(spec)) {
+            continue;
+        }
+        findings.push({
+            rule: 'ai-spec-path-derived-assumption',
+            severity: 'error',
+            message: `Generated spec appears to derive ${token} requirements from an incidental repository path.`,
+            evidence: firstMatch(request, PATH_LIKE_DOMAIN_RE),
+        });
+    }
+    return findings;
+}
+function isDomainRequested(domain, request) {
+    const requestWithoutPaths = stripPathLikeSegments(request);
+    if (!domain.requestPattern.test(requestWithoutPaths)) {
+        return false;
+    }
+    const domainTerms = domain.specPattern.source
+        .replaceAll('\\b', '')
+        .replace(/[()?:]/g, '')
+        .split('|')
+        .filter((term) => /^[a-z]+$/i.test(term));
+    for (const term of domainTerms) {
+        const negated = new RegExp(`\\b${term}\\b[^.\\n]*(?:not in scope|out of scope|not required|not part of scope|negative example)`, 'i');
+        if (negated.test(requestWithoutPaths)) {
+            return false;
+        }
+    }
+    return true;
+}
+function stripPathLikeSegments(value) {
+    return value.replace(PATH_LIKE_DOMAIN_RE, ' ');
+}
+function firstMatch(value, pattern) {
+    const flags = pattern.flags.includes('g') ? pattern.flags : `${pattern.flags}g`;
+    const match = new RegExp(pattern.source, flags).exec(value);
+    return match?.[0]?.trim() ?? '';
+}
+//# sourceMappingURL=spec-assurance.js.map

package/dist/engine/quality-gates/gate-catalog.js

@@ -210,6 +210,30 @@ export const GATE_CATALOG = [
         riskLevels: ['low', 'medium', 'high'],
         specTypes: ['all'],
     },
+    {
+        id: 'arch-ai-spec-assurance',
+        category: 'architecture',
+        title: 'AI-generated specs are checked against original user intent before implementation',
+        stacks: ['typescript', 'generic'],
+        riskLevels: ['low', 'medium', 'high'],
+        specTypes: ['feature', 'bugfix', 'infra', 'all'],
+    },
+    {
+        id: 'arch-new-code-domain-inference',
+        category: 'architecture',
+        title: 'New code does not infer product-domain requirements from incidental paths or stack presence',
+        stacks: ['typescript', 'generic'],
+        riskLevels: ['low', 'medium', 'high'],
+        specTypes: ['feature', 'bugfix', 'infra', 'all'],
+    },
+    {
+        id: 'arch-mcp-startup-assurance',
+        category: 'architecture',
+        title: 'MCP startup verifies official tools in first tools/list and excludes bootstrap-only tools',
+        stacks: ['typescript', 'generic'],
+        riskLevels: ['low', 'medium', 'high'],
+        specTypes: ['feature', 'bugfix', 'infra', 'all'],
+    },
     {
         id: 'arch-single-responsibility',
         category: 'architecture',

package/dist/tools/validate.js

@@ -1,6 +1,7 @@
 // tools/validate.ts — Compare spec vs implementation (SPEC-595: elicitation on failures)
 // Uses the validator engine to check coverage, missing items, quality issues.
 import { execSync, execFileSync } from 'node:child_process';
+import { readFileSync } from 'node:fs';
 import { elicitOrFallback, buildEnumSchema } from '../engine/elicitation/elicit-helper.js';
 import { compactObj } from '../engine/compact-obj.js';
 import { resolveProjectId, missingProjectIdError } from './resolve-project-id.js';
@@ -15,6 +16,7 @@ import { parseConventions, scanConventions } from '../engine/convention-scanner/
 import { validateScopeCompliance } from '../engine/scope-boundaries/index.js';
 import { compareWithBaseline } from '../storage/convention-baseline.js';
 import { writeImplementationReviewReport } from '../engine/validator/validation-report-writer.js';
+import { evaluateNewCodeGate } from '../engine/ai-assurance/index.js';
 // Re-export for external use (SPEC-018)
 export { validateContractCompliance };
 /** Build the fallback interactiveQuestion for validation failures. */
@@ -131,6 +133,7 @@ export async function handleValidate(args, server) {
     }
     // 7. Lint check (best-effort — non-blocking)
     const lintCheck = runLintCheck(projectPath, knowledge.lintCommand ?? null);
+    const assuranceGates = runAssuranceGates(projectPath);
     // SPEC-1050: Generate a mandatory implementation-review artifact.
     const validationReport = await writeImplementationReviewReport({
         projectId,
@@ -215,6 +218,7 @@ export async function handleValidate(args, server) {
             })),
         },
         lintCheck,
+        assuranceGates,
         validationReport,
     };
     // SPEC-612: Scope boundary validation — warn if impl files match outOfScope items
@@ -259,6 +263,9 @@ export async function handleValidate(args, server) {
     if (!lintCheck.passed) {
         suggestions.push(`Lint check failed: ${lintCheck.issueCount} issue(s) found via \`${lintCheck.command}\`. Fix before marking as done.`);
     }
+    if (!assuranceGates.newCode.passed) {
+        suggestions.push(`Assurance gate failed: ${String(assuranceGates.newCode.findings.length)} new-code domain inference issue(s) found.`);
+    }
     const outputWithSuggestions = compactObj({
         ...output,
         suggestions: suggestions.length > 0 ? suggestions : undefined,
@@ -417,6 +424,42 @@ function commandOutput(err) {
         .join('\n')
         .trim();
 }
+function runAssuranceGates(projectPath) {
+    return {
+        newCode: evaluateNewCodeGate(readChangedSpecLogicFiles(projectPath)),
+    };
+}
+function readChangedSpecLogicFiles(projectPath) {
+    let changedFiles;
+    try {
+        const output = execFileSync('git', [
+            '-C',
+            projectPath,
+            'diff',
+            '--name-only',
+            'HEAD',
+            '--',
+            'src/tools/create-spec',
+            'src/tools/validate.ts',
+            'src/engine',
+        ], { encoding: 'utf-8', stdio: ['ignore', 'pipe', 'ignore'] });
+        changedFiles = output
+            .split('\n')
+            .map((line) => line.trim())
+            .filter((line) => line.endsWith('.ts'));
+    }
+    catch {
+        return [];
+    }
+    return changedFiles.flatMap((path) => {
+        try {
+            return [{ path, content: readFileSync(`${projectPath}/${path}`, 'utf-8') }];
+        }
+        catch {
+            return [];
+        }
+    });
+}
 function runLintCheck(projectPath, lintCommand) {
     if (lintCommand !== null && !isSafeCommand(lintCommand)) {
         console.warn(`[Planu] validate: lintCommand contains unsafe characters — skipping execution`);

package/dist/types/ai-assurance.d.ts

@@ -0,0 +1,31 @@
+export type SpecAssuranceSeverity = 'error' | 'warning';
+export interface SpecAssuranceFinding {
+    rule: string;
+    severity: SpecAssuranceSeverity;
+    message: string;
+    evidence: string;
+}
+export interface SpecAssuranceResult {
+    passed: boolean;
+    findings: SpecAssuranceFinding[];
+}
+export interface SpecAssuranceInput {
+    originalRequest: string;
+    generatedSpec: string;
+}
+export interface NewCodeFile {
+    path: string;
+    content: string;
+}
+export interface NewCodeGateFinding {
+    rule: string;
+    file: string;
+    line: number;
+    message: string;
+    evidence: string;
+}
+export interface NewCodeGateResult {
+    passed: boolean;
+    findings: NewCodeGateFinding[];
+}
+//# sourceMappingURL=ai-assurance.d.ts.map

package/dist/types/ai-assurance.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ai-assurance.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@planu/cli",
-  "version": "4.3.17",
+  "version": "4.3.18",
   "description": "Planu — MCP Server for Spec Driven Development with native Rust acceleration for hot paths. Cross-platform (Linux/macOS/Windows, x64/arm64, glibc/musl).",
   "type": "module",
   "main": "dist/index.js",
@@ -34,14 +34,14 @@
     "packageName": "@planu/core"
   },
   "optionalDependencies": {
-    "@planu/core-darwin-arm64": "4.3.17",
-    "@planu/core-darwin-x64": "4.3.17",
-    "@planu/core-linux-arm64-gnu": "4.3.17",
-    "@planu/core-linux-arm64-musl": "4.3.17",
-    "@planu/core-linux-x64-gnu": "4.3.17",
-    "@planu/core-linux-x64-musl": "4.3.17",
-    "@planu/core-win32-arm64-msvc": "4.3.17",
-    "@planu/core-win32-x64-msvc": "4.3.17"
+    "@planu/core-darwin-arm64": "4.3.18",
+    "@planu/core-darwin-x64": "4.3.18",
+    "@planu/core-linux-arm64-gnu": "4.3.18",
+    "@planu/core-linux-arm64-musl": "4.3.18",
+    "@planu/core-linux-x64-gnu": "4.3.18",
+    "@planu/core-linux-x64-musl": "4.3.18",
+    "@planu/core-win32-arm64-msvc": "4.3.18",
+    "@planu/core-win32-x64-msvc": "4.3.18"
   },
   "engines": {
     "node": ">=24.0.0"

package/planu-native.json

@@ -1,7 +1,7 @@
 {
   "name": "dev.planu.native",
   "displayName": "Planu Native Lightweight Surface",
-  "version": "4.3.17",
+  "version": "4.3.18",
   "packageName": "@planu/cli",
   "modes": {
     "lightweight": {

package/planu-plugin.json

@@ -2,7 +2,7 @@
   "name": "dev.planu.cli",
   "displayName": "Planu — Spec Driven Development",
   "description": "Manage software specs, estimations, and autonomous SDD workflows. Language-agnostic MCP server for Claude Code.",
-  "version": "4.3.17",
+  "version": "4.3.18",
   "icon": "assets/plugin/icon.svg",
   "command": ["npx", "@planu/cli@latest"],
   "packageName": "@planu/cli",