@rigour-labs/mcp 4.1.1 → 4.2.0

package/dist/index.js

@@ -125,12 +125,12 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
             case "rigour_handoff_accept":
                 result = await handleHandoffAccept(cwd, args.handoffId, args.agentId, requestId);
                 break;
-            // Real-time hooks (v3.0)
+            // Real-time hooks + DLP (v3.0 / v4.2)
             case "rigour_hooks_check":
-                result = await handleHooksCheck(cwd, args.files, args.timeout);
+                result = await handleHooksCheck(cwd, args.files ?? [], args.timeout, args.text, args.agent);
                 break;
             case "rigour_hooks_init":
-                result = await handleHooksInit(cwd, args.tool, args.force, args.dryRun);
+                result = await handleHooksInit(cwd, args.tool, args.force, args.dryRun, args.dlp ?? true);
                 break;
             // Deep analysis (v4.0+)
             case "rigour_check_deep": {

package/dist/tools/definitions.d.ts

@@ -438,6 +438,14 @@ export declare const TOOL_DEFINITIONS: ({
                 type: string;
                 description: string;
             };
+            text: {
+                type: string;
+                description: string;
+            };
+            agent: {
+                type: string;
+                description: string;
+            };
             cwd: {
                 type: "string";
                 description: string;
@@ -470,6 +478,10 @@ export declare const TOOL_DEFINITIONS: ({
                 type: string;
                 description: string;
             };
+            dlp: {
+                type: string;
+                description: string;
+            };
             cwd: {
                 type: "string";
                 description: string;

package/dist/tools/definitions.js

@@ -413,21 +413,23 @@ export const TOOL_DEFINITIONS = [
             openWorldHint: false,
         },
     },
-    // ─── Real-Time Hooks (v3.0) ────────────────────────────
+    // ─── Real-Time Hooks + DLP (v3.0 / v4.2) ───────────────
     {
         name: "rigour_hooks_check",
-        description: "Run the fast hook checker on specific files. Same checks that run inside IDE hooks (Claude, Cursor, Cline, Windsurf). Catches: hardcoded secrets, hallucinated imports, command injection, file size. Completes in <100ms.",
+        description: "Run the fast hook checker on specific files. Same checks that run inside IDE hooks (Claude, Cursor, Cline, Windsurf). Catches: hardcoded secrets, hallucinated imports, command injection, file size. Completes in <100ms. NEW: Pass 'text' param for DLP mode — scans user input for credentials (AWS keys, API tokens, database URLs, private keys, JWTs) before agent processing.",
         inputSchema: {
             type: "object",
             properties: {
                 ...cwdParam(),
                 files: { type: "array", items: { type: "string" }, description: "List of file paths (relative to cwd) to check." },
                 timeout: { type: "number", description: "Optional timeout in milliseconds (default: 5000)." },
+                text: { type: "string", description: "Text to scan for credentials (DLP mode). When provided, scans text instead of files. Use this to validate user input before agent processing." },
+                agent: { type: "string", description: "Agent name for DLP audit trail (e.g., 'claude', 'cursor'). Only used in DLP mode." },
             },
-            required: ["cwd", "files"],
+            required: ["cwd"],
         },
         annotations: {
-            title: "Fast Hook Check",
+            title: "Fast Hook Check + DLP",
             readOnlyHint: true,
             destructiveHint: false,
             idempotentHint: true,
@@ -436,7 +438,7 @@ export const TOOL_DEFINITIONS = [
     },
     {
         name: "rigour_hooks_init",
-        description: "Generate hook configs for AI coding tools (Claude, Cursor, Cline, Windsurf). Installs real-time quality checks that run on every file write.",
+        description: "Generate hook configs for AI coding tools (Claude, Cursor, Cline, Windsurf). Installs real-time quality checks AND DLP (credential interception) hooks by default. DLP hooks intercept credentials in user input BEFORE they reach the AI agent. Pass dlp=false to disable DLP hooks only.",
         inputSchema: {
             type: "object",
             properties: {
@@ -444,11 +446,12 @@ export const TOOL_DEFINITIONS = [
                 tool: { type: "string", description: "Target tool: 'claude', 'cursor', 'cline', or 'windsurf'." },
                 force: { type: "boolean", description: "Overwrite existing hook files (default: false)." },
                 dryRun: { type: "boolean", description: "Preview changes without writing files (default: false)." },
+                dlp: { type: "boolean", description: "Generate DLP (Data Loss Prevention) hooks for pre-input credential interception (default: true). Set false to skip DLP hooks." },
             },
             required: ["cwd", "tool"],
         },
         annotations: {
-            title: "Install IDE Hooks",
+            title: "Install IDE Hooks + DLP",
             readOnlyHint: false,
             destructiveHint: false,
             idempotentHint: true,

package/dist/tools/dlp-handler.d.ts

@@ -0,0 +1,36 @@
+/**
+ * DLP Tool Handlers
+ *
+ * Handlers for: rigour_input_scan, rigour_dlp_init
+ *
+ * AI Agent Data Loss Prevention — scans user input for credentials
+ * before they reach AI agents.
+ *
+ * @since v4.2.0 — AI Agent DLP layer
+ */
+type ToolResult = {
+    content: {
+        type: string;
+        text: string;
+    }[];
+    isError?: boolean;
+};
+/**
+ * rigour_input_scan — Scan text for credentials before agent processing.
+ *
+ * This is the core DLP tool. Agents can call this to validate user input
+ * contains no secrets before processing it.
+ */
+export declare function handleInputScan(cwd: string, text: string, agent?: string, block?: boolean): Promise<ToolResult>;
+/**
+ * rigour_dlp_init — Generate DLP hook configs for AI coding tools.
+ *
+ * Creates pre-input hooks that intercept credentials before they
+ * reach the AI agent.
+ */
+export declare function handleDLPInit(cwd: string, tool: string, force?: boolean, dryRun?: boolean): Promise<ToolResult>;
+/**
+ * rigour_dlp_audit — Query the DLP audit log for recent credential interceptions.
+ */
+export declare function handleDLPAudit(cwd: string, limit?: number): Promise<ToolResult>;
+export {};

package/dist/tools/dlp-handler.js

@@ -0,0 +1,183 @@
+/**
+ * DLP Tool Handlers
+ *
+ * Handlers for: rigour_input_scan, rigour_dlp_init
+ *
+ * AI Agent Data Loss Prevention — scans user input for credentials
+ * before they reach AI agents.
+ *
+ * @since v4.2.0 — AI Agent DLP layer
+ */
+import { scanInputForCredentials, formatDLPAlert, createDLPAuditEntry, generateDLPHookFiles } from '@rigour-labs/core';
+import fs from 'fs-extra';
+import path from 'path';
+/**
+ * rigour_input_scan — Scan text for credentials before agent processing.
+ *
+ * This is the core DLP tool. Agents can call this to validate user input
+ * contains no secrets before processing it.
+ */
+export async function handleInputScan(cwd, text, agent, block) {
+    if (!text || text.trim().length === 0) {
+        return {
+            content: [{
+                    type: 'text',
+                    text: '✓ No input to scan.',
+                }],
+        };
+    }
+    const result = scanInputForCredentials(text, {
+        enabled: true,
+        block_on_detection: block ?? true,
+        audit_log: true,
+    });
+    // Log to audit trail
+    if (result.status !== 'clean') {
+        try {
+            const rigourDir = path.join(cwd, '.rigour');
+            await fs.ensureDir(rigourDir);
+            const eventsPath = path.join(rigourDir, 'events.jsonl');
+            const auditEntry = createDLPAuditEntry(result, {
+                agent: agent ?? 'mcp',
+            });
+            await fs.appendFile(eventsPath, JSON.stringify(auditEntry) + '\n');
+        }
+        catch {
+            // Silent
+        }
+    }
+    if (result.status === 'clean') {
+        return {
+            content: [{
+                    type: 'text',
+                    text: `✓ CLEAN — No credentials detected in input.\nScanned: ${result.scanned_length} chars | Duration: ${result.duration_ms}ms`,
+                }],
+        };
+    }
+    const alert = formatDLPAlert(result);
+    return {
+        content: [{
+                type: 'text',
+                text: alert,
+            }],
+        isError: result.status === 'blocked',
+    };
+}
+/**
+ * rigour_dlp_init — Generate DLP hook configs for AI coding tools.
+ *
+ * Creates pre-input hooks that intercept credentials before they
+ * reach the AI agent.
+ */
+export async function handleDLPInit(cwd, tool, force = false, dryRun = false) {
+    try {
+        const hookTool = tool;
+        const checkerCommand = 'rigour hooks check';
+        const files = generateDLPHookFiles(hookTool, checkerCommand);
+        if (dryRun) {
+            const preview = files.map(f => `${f.path}:\n${f.content.slice(0, 200)}...`).join('\n\n');
+            return {
+                content: [{
+                        type: 'text',
+                        text: `[DRY RUN] Would generate ${files.length} DLP hook file(s) for '${tool}':\n\n${preview}`,
+                    }],
+            };
+        }
+        const written = [];
+        const skipped = [];
+        for (const file of files) {
+            const fullPath = path.join(cwd, file.path);
+            if (!force && await fs.pathExists(fullPath)) {
+                skipped.push(file.path);
+                continue;
+            }
+            await fs.ensureDir(path.dirname(fullPath));
+            await fs.writeFile(fullPath, file.content);
+            if (file.executable) {
+                await fs.chmod(fullPath, 0o755);
+            }
+            written.push(file.path);
+        }
+        const parts = [];
+        if (written.length > 0)
+            parts.push(`✓ Created: ${written.join(', ')}`);
+        if (skipped.length > 0)
+            parts.push(`⊘ Skipped (exists): ${skipped.join(', ')}. Use force=true to overwrite.`);
+        parts.push(`Tool: ${tool}`);
+        parts.push('DLP Protection: AWS keys, API tokens, database URLs, private keys, JWTs, passwords');
+        parts.push('');
+        parts.push('🛑 Credentials will now be intercepted BEFORE reaching the AI agent.');
+        return {
+            content: [{ type: 'text', text: parts.join('\n') }],
+        };
+    }
+    catch (error) {
+        return {
+            content: [{
+                    type: 'text',
+                    text: `DLP hook init failed: ${error.message}`,
+                }],
+            isError: true,
+        };
+    }
+}
+/**
+ * rigour_dlp_audit — Query the DLP audit log for recent credential interceptions.
+ */
+export async function handleDLPAudit(cwd, limit = 20) {
+    try {
+        const eventsPath = path.join(cwd, '.rigour', 'events.jsonl');
+        if (!await fs.pathExists(eventsPath)) {
+            return {
+                content: [{
+                        type: 'text',
+                        text: 'No DLP events found. The audit trail is empty.',
+                    }],
+            };
+        }
+        const content = await fs.readFile(eventsPath, 'utf-8');
+        const lines = content.trim().split('\n').filter(Boolean);
+        // Filter for DLP events only
+        const dlpEvents = lines
+            .map(line => {
+            try {
+                return JSON.parse(line);
+            }
+            catch {
+                return null;
+            }
+        })
+            .filter(event => event?.type === 'dlp_event')
+            .slice(-limit);
+        if (dlpEvents.length === 0) {
+            return {
+                content: [{
+                        type: 'text',
+                        text: 'No DLP interceptions found in the audit trail.',
+                    }],
+            };
+        }
+        const summary = dlpEvents.map((event) => {
+            const types = (event.detections || []).map((d) => d.type).join(', ');
+            const severities = (event.detections || []).map((d) => d.severity).join(', ');
+            return `[${event.timestamp}] ${event.status.toUpperCase()} | Agent: ${event.agent} | Types: ${types} | Severity: ${severities}`;
+        }).join('\n');
+        const totalBlocked = dlpEvents.filter((e) => e.status === 'blocked').length;
+        const totalWarnings = dlpEvents.filter((e) => e.status === 'warning').length;
+        return {
+            content: [{
+                    type: 'text',
+                    text: `DLP Audit Trail (last ${dlpEvents.length} events)\n\nBlocked: ${totalBlocked} | Warnings: ${totalWarnings}\n\n${summary}`,
+                }],
+        };
+    }
+    catch (error) {
+        return {
+            content: [{
+                    type: 'text',
+                    text: `DLP audit query failed: ${error.message}`,
+                }],
+            isError: true,
+        };
+    }
+}

package/dist/tools/hooks-handler.d.ts

@@ -9,10 +9,16 @@ type ToolResult = {
  * rigour_hooks_check — Run the fast hook checker on specific files.
  * This is the same check that runs inside IDE hooks (Claude, Cursor, Cline, Windsurf).
  * Catches: hardcoded secrets, hallucinated imports, command injection, file size.
+ *
+ * NEW in v4.2.0: When `text` param is provided, runs in DLP mode —
+ * scans text for credentials instead of checking files.
  */
-export declare function handleHooksCheck(cwd: string, files: string[], timeout?: number): Promise<ToolResult>;
+export declare function handleHooksCheck(cwd: string, files: string[], timeout?: number, text?: string, agent?: string): Promise<ToolResult>;
 /**
  * rigour_hooks_init — Generate hook configs for AI coding tools.
+ *
+ * NEW in v4.2.0: When `dlp` param is true, also generates pre-input
+ * DLP hooks that intercept credentials before agent processing.
  */
-export declare function handleHooksInit(cwd: string, tool: string, force?: boolean, dryRun?: boolean): Promise<ToolResult>;
+export declare function handleHooksInit(cwd: string, tool: string, force?: boolean, dryRun?: boolean, dlp?: boolean): Promise<ToolResult>;
 export {};

package/dist/tools/hooks-handler.js

@@ -2,18 +2,63 @@
  * Hooks Tool Handlers
  *
  * Handlers for: rigour_hooks_check, rigour_hooks_init
+ * Now includes DLP (Data Loss Prevention) capabilities.
  *
  * @since v3.0.0 — real-time hooks for AI coding tools
+ * @since v4.2.0 — AI Agent DLP layer (credential interception)
  */
 import { runHookChecker, generateHookFiles } from "@rigour-labs/core";
+import { scanInputForCredentials, formatDLPAlert, createDLPAuditEntry, generateDLPHookFiles } from "@rigour-labs/core";
 import fs from "fs-extra";
 import path from "path";
 /**
  * rigour_hooks_check — Run the fast hook checker on specific files.
  * This is the same check that runs inside IDE hooks (Claude, Cursor, Cline, Windsurf).
  * Catches: hardcoded secrets, hallucinated imports, command injection, file size.
+ *
+ * NEW in v4.2.0: When `text` param is provided, runs in DLP mode —
+ * scans text for credentials instead of checking files.
  */
-export async function handleHooksCheck(cwd, files, timeout) {
+export async function handleHooksCheck(cwd, files, timeout, text, agent) {
+    // ── DLP Mode: Scan text for credentials ──────────────────
+    if (text) {
+        const result = scanInputForCredentials(text, {
+            enabled: true,
+            block_on_detection: true,
+            audit_log: true,
+        });
+        // Log to audit trail
+        if (result.status !== 'clean') {
+            try {
+                const rigourDir = path.join(cwd, '.rigour');
+                await fs.ensureDir(rigourDir);
+                const eventsPath = path.join(rigourDir, 'events.jsonl');
+                const auditEntry = createDLPAuditEntry(result, {
+                    agent: agent ?? 'mcp',
+                });
+                await fs.appendFile(eventsPath, JSON.stringify(auditEntry) + '\n');
+            }
+            catch {
+                // Silent
+            }
+        }
+        if (result.status === 'clean') {
+            return {
+                content: [{
+                        type: "text",
+                        text: `✓ CLEAN — No credentials detected in input.\nScanned: ${result.scanned_length} chars | Duration: ${result.duration_ms}ms`,
+                    }],
+            };
+        }
+        return {
+            content: [{
+                    type: "text",
+                    text: formatDLPAlert(result),
+                }],
+            isError: result.status === 'blocked',
+        };
+    }
+    // ── Standard Mode: Check files ───────────────────────────
     const input = { cwd, files };
     if (timeout)
         input.timeout_ms = timeout;
@@ -36,24 +81,31 @@ export async function handleHooksCheck(cwd, files, timeout) {
 }
 /**
  * rigour_hooks_init — Generate hook configs for AI coding tools.
+ *
+ * NEW in v4.2.0: When `dlp` param is true, also generates pre-input
+ * DLP hooks that intercept credentials before agent processing.
  */
-export async function handleHooksInit(cwd, tool, force = false, dryRun = false) {
+export async function handleHooksInit(cwd, tool, force = false, dryRun = false, dlp = true) {
     try {
         const hookTool = tool;
         const checkerCommand = 'rigour hooks check';
+        // Generate post-output hooks (existing)
         const files = generateHookFiles(hookTool, checkerCommand);
+        // Generate DLP pre-input hooks (new)
+        const dlpFiles = dlp ? generateDLPHookFiles(hookTool, checkerCommand) : [];
+        const allFiles = [...files, ...dlpFiles];
         if (dryRun) {
-            const preview = files.map(f => `${f.path}:\n${f.content}`).join('\n\n');
+            const preview = allFiles.map(f => `${f.path}:\n${f.content.slice(0, 300)}...`).join('\n\n');
             return {
                 content: [{
                         type: "text",
-                        text: `[DRY RUN] Would generate ${files.length} hook file(s) for '${tool}':\n\n${preview}`,
+                        text: `[DRY RUN] Would generate ${allFiles.length} hook file(s) for '${tool}'${dlp ? ' (+ DLP)' : ''}:\n\n${preview}`,
                     }],
             };
         }
         const written = [];
         const skipped = [];
-        for (const file of files) {
+        for (const file of allFiles) {
             const fullPath = path.join(cwd, file.path);
             if (!force && await fs.pathExists(fullPath)) {
                 skipped.push(file.path);
@@ -73,6 +125,11 @@ export async function handleHooksInit(cwd, tool, force = false, dryRun = false)
             parts.push(`⊘ Skipped (exists): ${skipped.join(', ')}. Use force=true to overwrite.`);
         parts.push(`Tool: ${tool}`);
         parts.push('Checks: file-size, security-patterns, hallucinated-imports, command-injection');
+        if (dlp) {
+            parts.push('');
+            parts.push('🛑 DLP Protection: AWS keys, API tokens, database URLs, private keys, JWTs, passwords');
+            parts.push('Credentials will be intercepted BEFORE reaching the AI agent.');
+        }
         return {
             content: [{ type: "text", text: parts.join('\n') }],
         };

package/dist/tools/memory-handlers.js

@@ -3,13 +3,85 @@
  *
  * Handlers for: rigour_remember, rigour_recall, rigour_forget
  *
+ * DLP enforcement: rigour_remember scans BOTH key and value for
+ * credentials before persisting. Blocked if secrets detected.
+ *
  * @since v2.17.0 — extracted from monolithic index.ts
+ * @since v4.2.0  — DLP gate on memory persistence
  */
 import { loadMemory, saveMemory } from '../utils/config.js';
+import { scanInputForCredentials, formatDLPAlert, createDLPAuditEntry } from '@rigour-labs/core';
+import fs from 'fs-extra';
+import path from 'path';
+/**
+ * Append a DLP audit event to .rigour/events.jsonl
+ */
+async function appendDLPAudit(cwd, entry) {
+    try {
+        const eventsPath = path.join(cwd, '.rigour', 'events.jsonl');
+        await fs.ensureDir(path.dirname(eventsPath));
+        await fs.appendFile(eventsPath, JSON.stringify(entry) + '\n');
+    }
+    catch {
+        // Audit logging is best-effort, never block on failure
+    }
+}
+/**
+ * Deep-scan a value: if JSON, extract all nested string values and scan each.
+ * Catches agents serializing credentials as JSON to bypass flat-text scanning.
+ */
+function deepScanValue(key, value) {
+    const texts = [key, value];
+    try {
+        const parsed = JSON.parse(value);
+        extractStrings(parsed, texts);
+    }
+    catch { /* not JSON — flat scan is sufficient */ }
+    return texts.join('\n');
+}
+function extractStrings(obj, out) {
+    if (typeof obj === 'string' && obj.length >= 8)
+        out.push(obj);
+    else if (Array.isArray(obj))
+        obj.forEach(v => extractStrings(v, out));
+    else if (obj && typeof obj === 'object') {
+        for (const v of Object.values(obj))
+            extractStrings(v, out);
+    }
+}
 export async function handleRemember(cwd, key, value) {
+    // ── DLP Gate: deep-scan key + value (including JSON interiors) ──
+    const textToScan = deepScanValue(key, value);
+    const dlpResult = scanInputForCredentials(textToScan);
+    if (dlpResult.status === 'blocked') {
+        // Log the blocked attempt
+        const auditEntry = createDLPAuditEntry(dlpResult, {
+            agent: 'rigour_remember',
+            userId: key,
+        });
+        await appendDLPAudit(cwd, { ...auditEntry, memory_key: key });
+        const alert = formatDLPAlert(dlpResult);
+        return {
+            content: [{
+                    type: "text",
+                    text: `🛑 MEMORY BLOCKED — credentials detected in value for key "${key}".\n\n${alert}\n\nRigour prevented storing secrets in persistent memory. Use environment variables instead.`,
+                }],
+        };
+    }
+    // Clean — proceed with storage
     const store = await loadMemory(cwd);
     store.memories[key] = { value, timestamp: new Date().toISOString() };
     await saveMemory(cwd, store);
+    // If there were warnings (non-blocking), include them
+    if (dlpResult.status === 'warning') {
+        const alert = formatDLPAlert(dlpResult);
+        return {
+            content: [{
+                    type: "text",
+                    text: `MEMORY STORED: "${key}" has been saved (with warnings).\n\n${alert}\n\nStored value: ${value}`,
+                }],
+        };
+    }
     return {
         content: [{
                 type: "text",
@@ -24,22 +96,55 @@ export async function handleRecall(cwd, key) {
         if (!memory) {
             return { content: [{ type: "text", text: `NO MEMORY FOUND for key "${key}". Use rigour_remember to store instructions.` }] };
         }
+        // ── DLP Gate on recall: catch credentials stored before DLP existed ──
+        const dlpResult = scanInputForCredentials(memory.value);
+        if (dlpResult.status === 'blocked') {
+            const alert = formatDLPAlert(dlpResult);
+            await appendDLPAudit(cwd, {
+                ...createDLPAuditEntry(dlpResult, { agent: 'rigour_recall' }),
+                memory_key: key,
+                action: 'recall_blocked',
+            });
+            return {
+                content: [{
+                        type: "text",
+                        text: `🛑 RECALL BLOCKED — memory "${key}" contains ${dlpResult.detections.length} credential(s).\n\n${alert}\n\nThis memory was stored before DLP was active. Remove it with rigour_forget("${key}") and use environment variables instead.`,
+                    }],
+            };
+        }
         return { content: [{ type: "text", text: `RECALLED MEMORY [${key}]:\n${memory.value}\n\n(Stored: ${memory.timestamp})` }] };
     }
     const keys = Object.keys(store.memories);
     if (keys.length === 0) {
         return { content: [{ type: "text", text: "NO MEMORIES STORED. Use rigour_remember to persist important instructions." }] };
     }
-    const allMemories = keys.map(k => {
+    // ── DLP scan all memories on bulk recall ──
+    const cleanMemories = [];
+    const taintedKeys = [];
+    for (const k of keys) {
         const mem = store.memories[k];
-        return `## ${k}\n${mem.value}\n(Stored: ${mem.timestamp})`;
-    }).join("\n\n---\n\n");
-    return {
-        content: [{
-                type: "text",
-                text: `RECALLED ALL MEMORIES (${keys.length} items):\n\n${allMemories}\n\n---\nIMPORTANT: Follow these stored instructions throughout this session.`,
-            }],
-    };
+        const dlpResult = scanInputForCredentials(mem.value);
+        if (dlpResult.status === 'blocked') {
+            taintedKeys.push(k);
+        }
+        else {
+            cleanMemories.push(`## ${k}\n${mem.value}\n(Stored: ${mem.timestamp})`);
+        }
+    }
+    let text = '';
+    if (taintedKeys.length > 0) {
+        text += `🛑 ${taintedKeys.length} memory(ies) BLOCKED — contain credentials: ${taintedKeys.join(', ')}\nUse rigour_forget to remove them.\n\n---\n\n`;
+    }
+    if (cleanMemories.length > 0) {
+        text += `RECALLED ${cleanMemories.length} CLEAN MEMORIES:\n\n${cleanMemories.join('\n\n---\n\n')}\n\n---\nIMPORTANT: Follow these stored instructions throughout this session.`;
+    }
+    else if (taintedKeys.length > 0) {
+        text += `No clean memories to recall. All stored memories contain credentials.`;
+    }
+    else {
+        text = "NO MEMORIES STORED. Use rigour_remember to persist important instructions.";
+    }
+    return { content: [{ type: "text", text }] };
 }
 export async function handleForget(cwd, key) {
     const store = await loadMemory(cwd);

package/dist/utils/config.d.ts

@@ -178,6 +178,23 @@ export declare function loadConfig(cwd: string): Promise<{
             check_assertion_free_async: boolean;
             max_mocks_per_test: number;
         };
+        governance: {
+            enabled: boolean;
+            enforce_memory: boolean;
+            enforce_skills: boolean;
+            block_native_memory: boolean;
+            protected_memory_paths: string[];
+            protected_skills_paths: string[];
+            exempt_paths: string[];
+        };
+        input_validation: {
+            enabled: boolean;
+            ignore_patterns: string[];
+            block_on_detection: boolean;
+            min_secret_length: number;
+            custom_patterns: string[];
+            audit_log: boolean;
+        };
     };
     hooks: {
         enabled: boolean;
@@ -185,6 +202,7 @@ export declare function loadConfig(cwd: string): Promise<{
         timeout_ms: number;
         fast_gates: string[];
         block_on_failure: boolean;
+        dlp: boolean;
     };
     output: {
         report_path: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/mcp",
-  "version": "4.1.1",
+  "version": "4.2.0",
   "description": "MCP server for AI code governance — OWASP LLM Top 10 (10/10), real-time hooks, 25+ security patterns, hallucinated import detection, multi-agent governance. Works with Claude, Cursor, Cline, Windsurf, Gemini. Industry presets for HIPAA, SOC2, FedRAMP.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -48,7 +48,7 @@
     "execa": "^8.0.1",
     "fs-extra": "^11.2.0",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "4.1.1"
+    "@rigour-labs/core": "4.2.0"
   },
   "devDependencies": {
     "@types/node": "^25.0.3",