@rigstate/mcp 0.4.2 → 0.4.4

package/src/tools/security-checks.ts

@@ -0,0 +1,241 @@
+
+export interface SecurityViolation {
+    id: string;
+    type: string;
+    severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'FATAL';
+    title: string;
+    description: string;
+    recommendation: string;
+}
+
+/**
+ * Checks for SQL Injection Vulnerabilities (SEC-SQL-01)
+ */
+export function checkSqlInjection(content: string): SecurityViolation | null {
+    const sqlKeywords = ['from', 'select', 'insert', 'update', 'delete', 'rpc', 'execute', 'query'];
+    const hasSqlKeywords = sqlKeywords.some(kw => content.toLowerCase().includes(kw));
+
+    if (hasSqlKeywords) {
+        const interpolationRegex = /`[^`]*\${[^`]*`|['"][^'"]*\$\{[^'"]*['"]/;
+        if (interpolationRegex.test(content)) {
+            return {
+                id: 'SEC-SQL-01',
+                type: 'SQL_INJECTION',
+                severity: 'HIGH',
+                title: 'Potential SQL Injection (Dynamic String)',
+                description: 'Detected dynamic string building in a context containing SQL keywords.',
+                recommendation: 'Use prepared statements or the project-standard query builder. Never interpolate user input directly.'
+            };
+        }
+    }
+    return null;
+}
+
+/**
+ * Checks for RLS in Migrations (SEC-RLS-01)
+ */
+export function checkRlsInMigration(filePath: string, content: string): SecurityViolation | null {
+    if (filePath.includes('supabase/migrations/') && filePath.endsWith('.sql')) {
+        const hasCreateTable = /CREATE\s+TABLE/i.test(content);
+        const hasEnableRls = /ENABLE\s+ROW\s+LEVEL\s+SECURITY/i.test(content);
+
+        if (hasCreateTable && !hasEnableRls) {
+            return {
+                id: 'SEC-RLS-01',
+                type: 'DB_INTEGRITY',
+                severity: 'HIGH',
+                title: 'Missing Row Level Security (RLS)',
+                description: 'Migration creates a table but does not enable RLS.',
+                recommendation: 'Add ALTER TABLE "public"."your_table" ENABLE ROW LEVEL SECURITY; for every new table.'
+            };
+        }
+    }
+    return null;
+}
+
+/**
+ * Checks for Hardcoded Secrets (SEC-KEY-01)
+ */
+export function checkHardcodedSecrets(filePath: string, content: string): SecurityViolation[] {
+    const violations: SecurityViolation[] = [];
+    const keyPatterns = [
+        { pattern: /sk_live_[a-zA-Z0-9]{20,}/, name: 'Stripe Secret Key' },
+        { pattern: /sb_publishable_[a-zA-Z0-9]{20,}/, name: 'Supabase Publishable Key' },
+        { pattern: /AIza[0-9A-Za-z\\-_]{35}/, name: 'Google API Key' },
+        { pattern: /"([^"]*(?:password|secret|key|token)[^"]*)"\s*:\s*"[^"]{10,}"/i, name: 'Generic Secret' }
+    ];
+
+    for (const p of keyPatterns) {
+        if (p.pattern.test(content) && !filePath.includes('.env')) {
+            violations.push({
+                id: 'SEC-KEY-01',
+                type: 'SECRET_LEAKAGE',
+                severity: 'FATAL',
+                title: `Hardcoded Secret Detected (${p.name})`,
+                description: `Found a potential secret or API key hardcoded in the source file.`,
+                recommendation: 'Move all secrets to environment variables (.env.local) and use process.env.'
+            });
+        }
+    }
+    return violations;
+}
+
+/**
+ * Checks for XSS Vulnerabilities (SEC-UI-01)
+ */
+export function checkXss(content: string): SecurityViolation | null {
+    if (content.includes('dangerouslySetInnerHTML')) {
+        return {
+            id: 'SEC-UI-01',
+            type: 'XSS_VULNERABILITY',
+            severity: 'MEDIUM',
+            title: 'Dangerous HTML Rendering',
+            description: 'Detected use of dangerouslySetInnerHTML which can lead to XSS.',
+            recommendation: 'Sanitize content with DOMPurify or use safer rendering methods.'
+        };
+    }
+    return null;
+}
+
+/**
+ * Checks for strict identity isolation (SEC-AUTH-04)
+ */
+export function checkIdentityIsolation(filePath: string, content: string): SecurityViolation | null {
+    if ((filePath.includes('app/api/') || filePath.includes('actions/')) && (content.includes('supabase.from') || content.includes('db.select'))) {
+        const hasOwnerFilter = /\.eq\(['"](owner_id|user_id)['"],/.test(content);
+        if (!hasOwnerFilter) {
+            return {
+                id: 'SEC-AUTH-04',
+                type: 'ISOLATION_FAILURE',
+                severity: 'HIGH',
+                title: 'Missing Identity Filter',
+                description: 'Data query lacks a user_id or owner_id filter. Required for multi-tenancy isolation.',
+                recommendation: 'Always filter tenant-specific data using .eq("owner_id", userId).'
+            };
+        }
+    }
+    return null;
+}
+
+// ... Additional checks for Phase 7.4 rules ...
+
+export function checkSensitiveLogging(content: string): SecurityViolation | null {
+    if (content.includes('console.log') && (content.includes('env') || content.includes('process.env') || content.includes('password') || content.includes('user'))) {
+        return {
+            id: 'SEC-LOG-01',
+            type: 'PII_LEAKAGE',
+            severity: 'MEDIUM',
+            title: 'Potential Log Leakage',
+            description: 'Detected console.log of potentially sensitive objects (user, env, password).',
+            recommendation: 'Use a structured logger and ensure sensitive fields are redacted before logging.'
+        };
+    }
+    return null;
+}
+
+export function checkRbac(filePath: string, content: string): SecurityViolation | null {
+    if ((filePath.includes('app/api/') || filePath.includes('actions/')) && !content.includes('role') && !content.includes('permission') && !content.includes('isAdmin')) {
+        return {
+            id: 'SEC-RBAC-01',
+            type: 'AUTHORIZATION_GATHERING',
+            severity: 'MEDIUM',
+            title: 'Missing RBAC Check',
+            description: 'Route/Action seems to lack explicit role or permission-based access control.',
+            recommendation: 'Verify user roles (e.g., admin, editor) before granting access to sensitive endpoints.'
+        };
+    }
+    return null;
+}
+
+export function checkInputValidation(filePath: string, content: string): SecurityViolation | null {
+    if ((filePath.includes('app/api/') || filePath.includes('actions/')) && !content.includes('z.object') && !content.includes('parse')) {
+        if (content.includes('.update(') || content.includes('.insert(')) {
+            return {
+                id: 'SEC-VAL-01',
+                type: 'INPUT_VALIDATION',
+                severity: 'HIGH',
+                title: 'Missing Input Validation',
+                description: 'Database mutation detected without Zod schema validation.',
+                recommendation: 'Use Zod to validate all incoming data before passing it to the database.'
+            };
+        }
+    }
+    return null;
+}
+
+export function checkCleanFailures(content: string): SecurityViolation | null {
+    const errorLeakageRegex = /(?:res\..*(?:error|message|status).*\.message)|(?:throw new Error\(.*\.message\))/;
+    if (errorLeakageRegex.test(content) && content.includes('catch')) {
+        return {
+            id: 'SEC-ERR-01',
+            type: 'ERROR_EXPOSURE',
+            severity: 'MEDIUM',
+            title: 'Raw Database Error Leakage',
+            description: 'Detected raw error messages being sent/thrown to the client.',
+            recommendation: 'Catch errors and return standardized, non-technical messages to the frontend.'
+        };
+    }
+    return null;
+}
+
+export function checkDependencies(filePath: string, content: string): SecurityViolation | null {
+    if (filePath.endsWith('package.json')) {
+        if (content.includes('"*') || content.includes('"latest"')) {
+            return {
+                id: 'SEC-DEPS-01',
+                type: 'DEPENDENCY_BLOAT',
+                severity: 'HIGH',
+                title: 'Unpinned Dependencies',
+                description: 'package.json contains unpinned or "latest" versions.',
+                recommendation: 'Always pin dependencies to specific versions for reproducibility and security.'
+            };
+        }
+    }
+    return null;
+}
+
+// ... Anti-Lazy checks ...
+
+export function checkAntiLazy(filePath: string, content: string): SecurityViolation[] {
+    const violations: SecurityViolation[] = [];
+
+    // SEC-LAZY-01: No 'any'
+    const anyRegex = /: any([,\s)\]\}]|$)/g;
+    if (anyRegex.test(content) && !filePath.includes('node_modules')) {
+        violations.push({
+            id: 'SEC-LAZY-01',
+            type: 'TYPE_LAZINESS',
+            severity: 'HIGH',
+            title: 'Use of "any" Type detected',
+            description: 'Detected use of the "any" type, which bypasses the TypeSytem safety checks.',
+            recommendation: 'Replace "any" with a specific interface, type, or "unknown" with proper narrowing.'
+        });
+    }
+
+    // SEC-LAZY-02: No empty catch
+    const emptyCatchRegex = /catch\s*\([^)]*\)\s*{\s*}/g;
+    if (emptyCatchRegex.test(content)) {
+        violations.push({
+            id: 'SEC-LAZY-02',
+            type: 'ERROR_SWALLOWING',
+            severity: 'HIGH',
+            title: 'Empty Catch Block detected',
+            description: 'Detected a catch block that swallows errors without logging or handling them.',
+            recommendation: 'Always log the error or handle it. Never leave a catch block empty.'
+        });
+    }
+
+    // SEC-LAZY-03: No TODOs
+    if (content.includes('TODO') || content.includes('FIXME')) {
+        violations.push({
+            id: 'SEC-LAZY-03',
+            type: 'INCOMPLETE_WORK',
+            severity: 'MEDIUM',
+            title: 'Technical Debt remnant (TODO/FIXME)',
+            description: 'Detected TODO or FIXME comments in a file being evaluated for completion.',
+            recommendation: 'Resolve the task fully or move the TODO to the project roadmap before committing.'
+        });
+    }
+
+    return violations;
+}

package/src/tools/security-tools.ts

@@ -1,5 +1,32 @@
 import { SupabaseClient } from '@supabase/supabase-js';
 import { AuditRlsStatusInput } from '../lib/types.js';
+import * as Checks from './security-checks.js';
+import { registry } from '../lib/tool-registry.js';
+import { AuditRlsStatusInputSchema, AuditSecurityIntegrityInputSchema } from '../lib/schemas.js';
+
+// ============================================
+// Tool Registration
+// ============================================
+
+registry.register({
+    name: 'audit_rls_status',
+    description: `Sven's Tool: Security Shield. Audits the database to ensure Row Level Security (RLS) is enforced.`,
+    schema: AuditRlsStatusInputSchema,
+    handler: async (args, context) => {
+        const result = await auditRlsStatus(context.supabase, args);
+        return { content: [{ type: 'text', text: result.summary || 'No summary available' }] };
+    }
+});
+
+registry.register({
+    name: 'audit_security_integrity',
+    description: `Frank's Tool: Security Oracle. Performs a diagnostic security audit against the Fortress Matrix.`,
+    schema: AuditSecurityIntegrityInputSchema,
+    handler: async (args, context) => {
+        const result = await auditSecurityIntegrity(context.supabase, args);
+        return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
+    }
+});
 
 /**
  * Sven's Tool: Security Shield
@@ -10,7 +37,6 @@ export async function auditRlsStatus(
     input: AuditRlsStatusInput
 ) {
     try {
-        // Query pg_tables to check rowsecurity status
         const { data, error } = await supabase.rpc('execute_sql', {
             query: `
                 SELECT tablename, rowsecurity 
@@ -20,29 +46,13 @@ export async function auditRlsStatus(
             `
         });
 
-        // Fallback if generic execute_sql isn't available (it's often a custom RPC in these setups)
-        // If RPC fails, try generic postgres connection? 
-        // MCP usually connects via HTTP API (PostgREST). PostgREST doesn't expose pg_tables directly unless allowed.
-        // HOWEVER, the user instruction implies we CAN run this. "Utfør en SQL-spørring..."
-        // If using Supabase JS client, we can't run raw SQL unless we use an RPC wrapper.
-        // I will assume an RPC 'execute_sql' exists (common in AI setups) OR I have to trust the instruction 
-        // implies I have a way.
-
-        // Alternative: Use the 'mcp_supabase-mcp-server_execute_sql' pattern? No, we ARE the MCP server.
-        // If we don't have an RPC, we might struggle.
-        // Let's implement a robust check.
-
         if (error) {
-            // Try direct fetch if exposed, which is rare for system tables
             throw new Error(`Database query failed: ${error.message}`);
         }
 
-        // Parse result (assuming result comes back as array of objects)
-        // If data is null/empty but no error?
         const tables = data as Array<{ tablename: string, rowsecurity: boolean }>;
 
         if (!tables) {
-            // If RPC returns void or strange shape, try to warn.
             return {
                 status: 'ERROR',
                 message: 'Could not fetch table list. Ensure execute_sql RPC is available or pg_tables is accessible.'
@@ -73,10 +83,70 @@ export async function auditRlsStatus(
         };
 
     } catch (err: any) {
-        // Fallback: If we can't reach the DB
         return {
             status: 'ERROR',
             message: `Sven could not reach the database structure. Error: ${err.message || err}. check connection strings.`
         };
     }
 }
+
+/**
+ * Frank's Tool: Security Oracle
+ * Performs a diagnostic security audit against the Fortress Matrix.
+ */
+export async function auditSecurityIntegrity(
+    supabase: SupabaseClient,
+    input: { projectId: string, filePath: string, content: string }
+) {
+    const violations: any[] = [];
+    const { content, filePath } = input;
+
+    // Use Modular Checks
+    const sqlViolation = Checks.checkSqlInjection(content);
+    if (sqlViolation) violations.push(sqlViolation);
+
+    const rlsViolation = Checks.checkRlsInMigration(filePath, content);
+    if (rlsViolation) violations.push(rlsViolation);
+
+    const keyViolations = Checks.checkHardcodedSecrets(filePath, content);
+    violations.push(...keyViolations);
+
+    const xssViolation = Checks.checkXss(content);
+    if (xssViolation) violations.push(xssViolation);
+
+    const authViolation = Checks.checkIdentityIsolation(filePath, content);
+    if (authViolation) violations.push(authViolation);
+
+    const logViolation = Checks.checkSensitiveLogging(content);
+    if (logViolation) violations.push(logViolation);
+
+    const rbacViolation = Checks.checkRbac(filePath, content);
+    if (rbacViolation) violations.push(rbacViolation);
+
+    const valViolation = Checks.checkInputValidation(filePath, content);
+    if (valViolation) violations.push(valViolation);
+
+    const errViolation = Checks.checkCleanFailures(content);
+    if (errViolation) violations.push(errViolation);
+
+    const depViolation = Checks.checkDependencies(filePath, content);
+    if (depViolation) violations.push(depViolation);
+
+    const lazyViolations = Checks.checkAntiLazy(filePath, content);
+    violations.push(...lazyViolations);
+
+    const score = Math.max(0, 100 - (violations.length * 10));
+    const passed = !violations.some((v: any) => v.severity === 'HIGH' || v.severity === 'FATAL');
+
+    return {
+        timestamp: new Date().toISOString(),
+        projectId: input.projectId,
+        filePath: input.filePath,
+        passed,
+        score,
+        violations,
+        summary: passed
+            ? 'FRANK: Security audit PASSED. No critical Fortress violations detected.'
+            : `FRANK: Security audit FAILED. Detected ${violations.length} violations against the Fortress Matrix.`
+    };
+}

package/src/tools/submit-idea.ts

@@ -7,6 +7,31 @@
 
 import { SupabaseClient } from '@supabase/supabase-js';
 import type { SubmitIdeaResponse } from '../lib/types.js';
+import { registry } from '../lib/tool-registry.js';
+import { SubmitIdeaInputSchema } from '../lib/schemas.js';
+
+// ============================================
+// Tool Registration
+// ============================================
+
+registry.register({
+    name: 'submit_idea',
+    description: `Submits a new idea to the Idea Lab (saved_ideas table).
+Ideas can later be reviewed, analyzed, and promoted to features.`,
+    schema: SubmitIdeaInputSchema,
+    handler: async (args, context) => {
+        const result = await submitIdea(
+            context.supabase,
+            context.userId,
+            args.projectId,
+            args.title,
+            args.description,
+            args.category,
+            args.tags
+        );
+        return { content: [{ type: 'text', text: result.message }] };
+    }
+});
 
 export async function submitIdea(
     supabase: SupabaseClient,

package/src/tools/sync-ide-rules.ts

@@ -9,6 +9,34 @@ import {
     IDEProvider,
     RuleFile
 } from '@rigstate/rules-engine';
+import { registry } from '../lib/tool-registry.js';
+import { GenerateCursorRulesInputSchema } from '../lib/schemas.js';
+
+// ============================================
+// Tool Registration
+// ============================================
+
+registry.register({
+    name: 'sync_ide_rules',
+    description: `Generates the appropriate rules file content (e.g. .cursorrules, .windsurfrules) 
+based on project context and user settings.`,
+    schema: GenerateCursorRulesInputSchema,
+    handler: async (args, context) => {
+        const result = await syncIdeRules(context.supabase, args.projectId);
+
+        // Format response: Main file content + information about modular files
+        let responseText = `FileName: ${result.fileName}\n\nContent:\n${result.content}`;
+
+        if (result.files && result.files.length > 0) {
+            responseText += `\n\n--- MODULAR FILES GENERATED (${result.files.length}) ---\n`;
+            responseText += result.files.map(f => `- ${f.path}`).join('\n');
+            responseText += `\n\nNote: Please ensure these modular files are also updated if your IDE is following the V3 Rules standard.`;
+        }
+
+        return { content: [{ type: 'text', text: responseText }] };
+    }
+});
+
 
 /**
  * Sync IDE rules for a project.
@@ -37,16 +65,19 @@ export async function syncIdeRules(
     const ide: IDEProvider = (project.preferred_ide as IDEProvider) || 'cursor';
 
     // 3. Fetch Context Data (Parallel for speed)
-    const [stack, roadmapRes, legacyStats, activeAgents] = await Promise.all([
+    const [stack, roadmapRes, legacyStats, activeAgents, dbMetadataRes] = await Promise.all([
         fetchProjectTechStack(supabase, projectId),
         supabase
             .from('roadmap_chunks')
             .select('step_number, title, status, sprint_focus, prompt_content, is_legacy')
             .eq('project_id', projectId),
         fetchLegacyStats(supabase, projectId),
-        fetchActiveAgents(supabase)
+        fetchActiveAgents(supabase),
+        supabase.rpc('get_table_metadata')
     ]);
 
+    const databaseMetadata = dbMetadataRes.data || [];
+
     // 4. Generate Content (Mono-file)
     const content = generateRuleContent(
         { ...project, id: projectId },
@@ -64,7 +95,8 @@ export async function syncIdeRules(
         roadmapRes.data || [],
         ide,
         legacyStats,
-        activeAgents
+        activeAgents,
+        databaseMetadata
     );
 
     return {

package/src/tools/teacher-mode.ts

@@ -4,8 +4,30 @@
  * Allows Frank to send logic corrections and fetch learned behaviors.
  */
 
+import { z } from 'zod';
 import { SupabaseClient } from '@supabase/supabase-js';
 import { v4 as uuidv4 } from 'uuid';
+import { registry } from '../lib/tool-registry.js';
+import { submitSignal } from '../lib/curator/index.js';
+
+// ============================================
+// Schemas
+// ============================================
+
+const RefineLogicSchema = z.object({
+    projectId: z.string().describe('The UUID of the Rigstate project'),
+    originalReasoning: z.string().describe('What Frank originally said or did wrong'),
+    userCorrection: z.string().describe('How Frank should handle this in the future'),
+    scope: z.enum(['project', 'global']).default('project').describe('Whether this correction applies to this project only or all projects (default: project)')
+});
+
+const GetLearnedInstructionsSchema = z.object({
+    projectId: z.string().optional().describe('Optional project ID to include project-specific instructions')
+});
+
+// ============================================
+// Types
+// ============================================
 
 export interface RefineLogicResponse {
     success: boolean;
@@ -25,17 +47,20 @@ export interface LearnedInstructionsResponse {
     formatted: string;
 }
 
+// ============================================
+// Implementation
+// ============================================
+
 /**
  * Send a logic correction to the Rigstate cloud database
  */
 export async function refineLogic(
     supabase: SupabaseClient,
     userId: string,
-    projectId: string,
-    originalReasoning: string,
-    userCorrection: string,
-    scope: 'project' | 'global'
+    args: z.infer<typeof RefineLogicSchema>
 ): Promise<RefineLogicResponse> {
+    const { projectId, originalReasoning, userCorrection, scope } = args;
+
     // Generate a trace ID for this action
     const traceId = uuidv4();
 
@@ -44,14 +69,14 @@ export async function refineLogic(
         .from('projects')
         .select('id, name')
         .eq('id', projectId)
-        .eq('user_id', userId)
+        .eq('owner_id', userId)
         .single();
 
     if (projectError || !project) {
         throw new Error(`Project access denied or not found: ${projectId}`);
     }
 
-    // Save the instruction
+    // Save the instruction to Raw Memory (ai_instructions)
     const { data: instruction, error: insertError } = await supabase
         .from('ai_instructions')
         .insert({
@@ -61,7 +86,7 @@ export async function refineLogic(
             context: originalReasoning,
             is_global: scope === 'global',
             priority: scope === 'global' ? 8 : 6,
-            source_log_id: null // MCP actions don't have a log ID
+            source_log_id: null
         })
         .select('id')
         .single();
@@ -70,6 +95,30 @@ export async function refineLogic(
         throw new Error(`Failed to save instruction: ${insertError.message}`);
     }
 
+    let message = `✅ Correction saved! Frank will apply this ${scope === 'global' ? 'globally' : 'to this project'}.`;
+
+    // Phase 8.5.5 Integration: Global corrections trigger Curator Signal
+    if (scope === 'global') {
+        try {
+            await submitSignal(supabase, userId, {
+                projectId,
+                title: `Teacher Correction: ${userCorrection.substring(0, 30)}...`,
+                instruction: userCorrection,
+                category: 'MAINTAINABILITY', // Default
+                severity: 'MEDIUM',
+                reasoning: `Teacher Mode correction (Trace: ${traceId}). Original reasoning: ${originalReasoning.substring(0, 100)}...`,
+                source_type: 'TEACHER_MODE' // Using a tag via reasoning or title since source_type in schema is rigid?
+                // actually check schema: framework_tags? No source_type is not in schema input, it's fixed in logic.
+                // Wait, submitSignal implementation in curator/index.ts sets source_type: 'mcp_submission'.
+                // I will update the reasoning to indicate Teacher Mode.
+            });
+            message += `\n\n🛡️ CURATOR PROTOCOL: Signal submitted to Sigrid for global verification.`;
+        } catch (e: any) {
+            console.error('Failed to auto-submit to curator:', e);
+            message += `\n(Note: Failed to submit to curator: ${e.message})`;
+        }
+    }
+
     // Log this MCP action with trace
     await supabase
         .from('ai_activity_log')
@@ -91,7 +140,7 @@ export async function refineLogic(
         success: true,
         instructionId: instruction.id,
         traceId,
-        message: `✅ Correction saved! Frank will apply this ${scope === 'global' ? 'globally' : 'to this project'}.`
+        message
     };
 }
 
@@ -101,8 +150,10 @@ export async function refineLogic(
 export async function getLearnedInstructions(
     supabase: SupabaseClient,
     userId: string,
-    projectId?: string
+    args: z.infer<typeof GetLearnedInstructionsSchema>
 ): Promise<LearnedInstructionsResponse> {
+    const { projectId } = args;
+
     // Fetch user-specific instructions
     let query = supabase
         .from('ai_instructions')
@@ -133,10 +184,10 @@ export async function getLearnedInstructions(
         .order('priority', { ascending: false })
         .limit(10);
 
-    const globalInstructions = (globalBase || []).map(g => g.instruction);
+    const globalInstructions = (globalBase || []).map((g: any) => g.instruction);
 
     // Format for context injection
-    const instructions = (userInstructions || []).map(i => ({
+    const instructions = (userInstructions || []).map((i: any) => ({
         instruction: i.instruction as string,
         priority: i.priority as number,
         isGlobal: i.is_global as boolean,
@@ -147,13 +198,13 @@ export async function getLearnedInstructions(
 
     if (globalInstructions.length > 0) {
         formatted += `## GLOBAL RIGSTATE STANDARDS\n`;
-        formatted += globalInstructions.map(g => `- ${g}`).join('\n');
+        formatted += globalInstructions.map((g: string) => `- ${g}`).join('\n');
         formatted += '\n\n';
     }
 
     if (instructions.length > 0) {
         formatted += `## USER CORRECTIONS & TUNING\n`;
-        formatted += instructions.map(i => {
+        formatted += instructions.map((i: any) => {
             const scope = i.isGlobal ? '[GLOBAL]' : '[PROJECT]';
             return `- ${scope} ${i.instruction}`;
         }).join('\n');
@@ -169,3 +220,31 @@ export async function getLearnedInstructions(
         formatted
     };
 }
+
+// ============================================
+// Tool Registration
+// ============================================
+
+registry.register({
+    name: 'refine_logic',
+    description: `Send a logic correction to teach Frank how to handle similar situations.
+Use this when Frank made a reasoning error and you want to correct it.
+The correction will be saved and applied to future interactions.`,
+    schema: RefineLogicSchema,
+    handler: async (args, context) => {
+        const result = await refineLogic(context.supabase, context.userId, args);
+        return { content: [{ type: 'text', text: result.message }] };
+    }
+});
+
+registry.register({
+    name: 'get_learned_instructions',
+    description: `Fetch all learned behaviors and corrections from the database.
+Use this to inject prior corrections into your context window.
+Returns both user-specific and global Rigstate standards.`,
+    schema: GetLearnedInstructionsSchema,
+    handler: async (args, context) => {
+        const result = await getLearnedInstructions(context.supabase, context.userId, args);
+        return { content: [{ type: 'text', text: result.formatted }] };
+    }
+});