@rigstate/mcp 0.4.2 → 0.4.4

package/src/lib/context-engine.ts

@@ -0,0 +1,85 @@
+/**
+ * Phase 8.5.5: Context Engine
+ * 
+ * Bridges the gap between the Curator Database and the Agent's working memory.
+ * Performs semantic/keyword lookup to inject relevant rules into the context.
+ */
+
+import { SupabaseClient } from '@supabase/supabase-js';
+import { queryGlobalAntidotes } from './curator/index.js';
+
+export interface ContextInjectionInput {
+    frameworks: string[];
+    libraries: string[];
+    taskDescription?: string; // Optional: for future task-specific lookup
+}
+
+export async function injectGlobalContext(
+    supabase: SupabaseClient,
+    userId: string,
+    input: ContextInjectionInput
+): Promise<string> {
+    // 1. Identify relevant tags from stack
+    const searchTags = [
+        ...input.frameworks.map(f => f.split(' ')[0].toLowerCase()),
+        ...input.libraries.map(l => l.split(' ')[0].toLowerCase())
+    ].filter(Boolean);
+
+    // 2. Query Curator for Critical/High severity antidotes matching tags
+    // We want HIGH trust items (trust_score >= 80) or IMMUTABLE items.
+    // Since queryGlobalAntidotes is a bit generic, we might want a more specialized query here
+    // for "Active Constraints", but reusing it is a good MVP.
+
+    // We fetch ALL Fortress Rules (Immutable) regardless of score/tags? 
+    // Usually Fortress Rules are universal or highly critical.
+
+    const { data: fortressRules } = await supabase
+        .from('global_antidotes')
+        .select('title, instruction, slug')
+        .eq('is_immutable', true)
+        .eq('is_active', true);
+
+    // Fetch High Trust Contextual Rules
+    let contextQuery = supabase
+        .from('global_antidotes')
+        .select('title, instruction, framework_tags, severity')
+        .eq('is_active', true)
+        .gte('trust_score', 80) // High trust only
+        .eq('is_immutable', false); // Exclude fortress (already fetched)
+
+    if (searchTags.length > 0) {
+        // PG operator for array overlap: framework_tags && searchTags
+        contextQuery = contextQuery.overlaps('framework_tags', searchTags);
+    } else {
+        // If no tags, maybe just generic ones? Or skip?
+        // Let's limit to generic if no tags
+        contextQuery = contextQuery.is('framework_tags', null);
+    }
+
+    const { data: contextualRules } = await contextQuery.limit(5);
+
+    // 3. Format Output
+    let output = '';
+
+    if (fortressRules && fortressRules.length > 0) {
+        output += `\n\n## 🏰 FORTRESS RULES (NON-NEGOTIABLE)\n`;
+        output += `These rules are immutable and must be followed without exception:\n`;
+        fortressRules.forEach(rule => {
+            output += `- **${rule.title}**: ${rule.instruction}\n`;
+        });
+    }
+
+    if (contextualRules && contextualRules.length > 0) {
+        output += `\n## 🛡️ INTELLIGENT CONTEXT (High Trust Antidotes)\n`;
+        output += `Learned best practices for your stack (${searchTags.join(', ')}):\n`;
+        contextualRules.forEach(rule => {
+            output += `- [${rule.severity}] **${rule.title}**: ${rule.instruction}\n`;
+        });
+    }
+
+    if (!output) {
+        output = `\n(No specific curator context found for stack: ${searchTags.join(', ')})`;
+    }
+
+    return output;
+}

package/src/lib/curator/actions/fortress.ts

@@ -0,0 +1,77 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { z } from 'zod';
+import { CheckFortressSchema } from '../schemas.js';
+
+/**
+ * Check instruction against fortress rules
+ */
+export async function checkFortress(
+    supabase: SupabaseClient,
+    userId: string,
+    input: z.infer<typeof CheckFortressSchema>
+) {
+    // Load fortress rules
+    const { data: fortressRules } = await supabase
+        .from('global_antidotes')
+        .select('slug, title, instruction')
+        .eq('is_immutable', true)
+        .eq('is_active', true);
+
+    if (!fortressRules || fortressRules.length === 0) {
+        return {
+            passed: true,
+            conflicts: [],
+            message: '✅ No fortress rules configured. Instruction passes by default.'
+        };
+    }
+
+    const conflicts: Array<{ rule: string; title: string; explanation: string }> = [];
+    const instructionLower = input.instruction.toLowerCase();
+
+    // Conflict patterns (simplified)
+    const conflictPatterns: Record<string, RegExp[]> = {
+        rls_required: [/disable\s+r(ow\s+level\s+)?s(ecurity)?/i, /skip\s+rls/i, /bypass\s+rls/i],
+        no_client_secrets: [/api\s+keys?\s+in\s+(frontend|client)/i, /hardcode\s+secret/i],
+        input_validation: [/skip\s+validation/i, /trust\s+all\s+input/i],
+        auth_required: [/skip\s+auth/i, /bypass\s+auth/i, /disable\s+auth/i]
+    };
+
+    for (const rule of fortressRules) {
+        const patterns = conflictPatterns[rule.slug];
+        if (patterns) {
+            for (const pattern of patterns) {
+                if (pattern.test(instructionLower)) {
+                    conflicts.push({
+                        rule: rule.slug,
+                        title: rule.title,
+                        explanation: `Instruction conflicts with fortress rule: ${rule.instruction.substring(0, 100)}...`
+                    });
+                    break;
+                }
+            }
+        }
+    }
+
+    if (conflicts.length > 0) {
+        return {
+            passed: false,
+            conflicts,
+            message: `❌ FORTRESS CONFLICT DETECTED
+
+${conflicts.length} conflict(s) found:
+${conflicts.map((c, i) => `${i + 1}. [${c.rule}] ${c.title}
+   ${c.explanation}`).join('\n\n')}
+
+⚠️ This instruction cannot be added to the registry as it violates immutable security rules.`
+        };
+    }
+
+    return {
+        passed: true,
+        conflicts: [],
+        message: `✅ FORTRESS CHECK PASSED
+
+Instruction does not conflict with any fortress rules.
+Checked against ${fortressRules.length} immutable rules.`
+    };
+}

package/src/lib/curator/actions/query.ts

@@ -0,0 +1,73 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { z } from 'zod';
+import { QueryGlobalAntidotesSchema } from '../schemas.js';
+
+/**
+ * Sigrid's Tool: Query Global Antidotes
+ * Search and retrieve antidotes from the global registry.
+ */
+export async function queryGlobalAntidotes(
+    supabase: SupabaseClient,
+    userId: string,
+    input: z.infer<typeof QueryGlobalAntidotesSchema>
+) {
+    let query = supabase
+        .from('global_antidotes')
+        .select('id, slug, title, instruction, example, anti_example, category, severity, framework_tags, trust_score, occurrence_count, is_immutable')
+        .eq('is_active', true);
+
+    if (input.categories && input.categories.length > 0) {
+        query = query.in('category', input.categories);
+    }
+
+    if (input.severities && input.severities.length > 0) {
+        query = query.in('severity', input.severities);
+    }
+
+    if (input.framework_tags && input.framework_tags.length > 0) {
+        query = query.overlaps('framework_tags', input.framework_tags);
+    }
+
+    if (input.min_trust_score !== undefined) {
+        query = query.gte('trust_score', input.min_trust_score);
+    }
+
+    if (input.search_text) {
+        query = query.or(`title.ilike.%${input.search_text}%,instruction.ilike.%${input.search_text}%`);
+    }
+
+    const { data, error } = await query
+        .order('severity', { ascending: true }) // CRITICAL first
+        .order('trust_score', { ascending: false })
+        .limit(input.limit || 20);
+
+    if (error) throw new Error(`Query failed: ${error.message}`);
+
+    if (!data || data.length === 0) {
+        return {
+            antidotes: [],
+            formatted: `=== GLOBAL ANTIDOTES REGISTRY ===
+No antidotes found matching your criteria.
+================================`
+        };
+    }
+
+    const formatted = data.map((a, i) => {
+        const immutableBadge = a.is_immutable ? ' 🏰 FORTRESS' : '';
+        const tags = a.framework_tags ? ` [${a.framework_tags.join(', ')}]` : '';
+        return `${i + 1}. [${a.severity}] ${a.title}${immutableBadge}
+   Category: ${a.category}${tags}
+   Trust: ${a.trust_score}/100 | Occurrences: ${a.occurrence_count}
+   ${a.instruction.substring(0, 200)}${a.instruction.length > 200 ? '...' : ''}`;
+    }).join('\n\n');
+
+    return {
+        antidotes: data,
+        formatted: `=== GLOBAL ANTIDOTES REGISTRY ===
+Found ${data.length} antidotes:
+
+${formatted}
+
+================================`
+    };
+}

package/src/lib/curator/actions/stats.ts

@@ -0,0 +1,70 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { z } from 'zod';
+import { GetCuratorStatsSchema } from '../schemas.js';
+
+/**
+ * Get Curator Statistics
+ */
+export async function getCuratorStats(
+    supabase: SupabaseClient,
+    userId: string,
+    input: z.infer<typeof GetCuratorStatsSchema>
+) {
+    // Get antidote counts
+    const { data: antidotes, count: totalCount } = await supabase
+        .from('global_antidotes')
+        .select('id, category, severity, is_immutable', { count: 'exact' })
+        .eq('is_active', true);
+
+    const fortressCount = antidotes?.filter(a => a.is_immutable).length || 0;
+
+    // Get quarantine count
+    const { count: quarantineCount } = await supabase
+        .from('curation_quarantine')
+        .select('id', { count: 'exact', head: true })
+        .is('decision', null);
+
+    // Get today's activity
+    const today = new Date();
+    today.setHours(0, 0, 0, 0);
+    const { data: todayActivity } = await supabase
+        .from('curation_audit_log')
+        .select('action')
+        .gte('created_at', today.toISOString());
+
+    const activityCounts = todayActivity?.reduce((acc: Record<string, number>, log: any) => {
+        acc[log.action] = (acc[log.action] || 0) + 1;
+        return acc;
+    }, {}) || {};
+
+    // Category distribution
+    const categoryDistribution = antidotes?.reduce((acc: Record<string, number>, a) => {
+        acc[a.category] = (acc[a.category] || 0) + 1;
+        return acc;
+    }, {}) || {};
+
+    return {
+        stats: {
+            total_antidotes: totalCount || 0,
+            fortress_rules: fortressCount,
+            pending_quarantine: quarantineCount || 0,
+            today_approved: activityCounts['AUTO_APPROVED'] || 0,
+            today_rejected: activityCounts['AUTO_REJECTED'] || 0,
+            today_quarantined: activityCounts['QUARANTINE_ADDED'] || 0,
+            categories: categoryDistribution
+        },
+        formatted: `=== CURATOR REGISTRY STATS ===
+📊 Global Antidotes: ${totalCount || 0}
+🏰 Fortress Rules: ${fortressCount}
+⏳ Pending Review: ${quarantineCount || 0}
+
+📅 Today's Activity:
+   ✅ Approved: ${activityCounts['AUTO_APPROVED'] || 0}
+   ❌ Rejected: ${activityCounts['AUTO_REJECTED'] || 0}
+   ⏸️ Quarantined: ${activityCounts['QUARANTINE_ADDED'] || 0}
+
+📁 By Category:
+${Object.entries(categoryDistribution).map(([cat, count]) => `   • ${cat}: ${count}`).join('\n')}
+==============================`
+    };
+}

package/src/lib/curator/actions/submit.ts

@@ -0,0 +1,190 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { z } from 'zod';
+import { SubmitSignalSchema } from '../schemas.js';
+
+/**
+ * Sigrid's Tool: Submit Signal for Curation
+ * Submit a new intelligence signal for processing through the curation pipeline.
+ */
+export async function submitSignal(
+    supabase: SupabaseClient,
+    userId: string,
+    input: z.infer<typeof SubmitSignalSchema>
+) {
+    // 1. Verify project ownership
+    const { data: project, error: projectError } = await supabase
+        .from('projects')
+        .select('id')
+        .eq('id', input.projectId)
+        .eq('owner_id', userId)
+        .single();
+
+    if (projectError || !project) {
+        throw new Error('Project not found or access denied');
+    }
+
+    // 2. Simple fingerprint for deduplication check (basic version for MCP)
+    const fingerprintBase = `${input.instruction}::${input.category}`.toLowerCase();
+    const simpleHash = fingerprintBase.split('').reduce((a, b) => {
+        a = ((a << 5) - a) + b.charCodeAt(0);
+        return a & a;
+    }, 0).toString(16);
+
+    // 3. Check for existing similar antidotes
+    const { data: existing } = await supabase
+        .from('global_antidotes')
+        .select('id, slug, title')
+        .ilike('instruction', `%${input.instruction.substring(0, 100)}%`)
+        .eq('is_active', true)
+        .limit(1);
+
+    if (existing && existing.length > 0) {
+        return handleReinforcement(supabase, existing[0]);
+    }
+
+    // 4. Check against fortress rules
+    const fortressResult = await checkFortressConflicts(supabase, userId, input, simpleHash);
+    if (!fortressResult.success) {
+        return fortressResult;
+    }
+
+    // 5. Submit to Quarantine
+    return submitToQuarantine(supabase, userId, input, simpleHash);
+}
+
+// Helpers
+async function handleReinforcement(supabase: SupabaseClient, existing: any) {
+    // Signal reinforces existing antidote - update last reinforced timestamp
+    await supabase
+        .from('global_antidotes')
+        .update({ last_reinforced_at: new Date().toISOString() })
+        .eq('id', existing.id);
+
+    return {
+        success: true,
+        action: 'reinforced',
+        message: `✅ Signal reinforces existing antidote: "${existing.title}" (${existing.slug}).
+The occurrence count has been increased, boosting the antidote's authority.`,
+        antidote_id: existing.id
+    };
+}
+
+async function checkFortressConflicts(
+    supabase: SupabaseClient,
+    userId: string,
+    input: z.infer<typeof SubmitSignalSchema>,
+    hash: string
+) {
+    const fortressKeywords = {
+        rls_required: ['disable rls', 'skip rls', 'bypass rls', 'rls off'],
+        no_client_secrets: ['api key in client', 'hardcode secret', 'embed api key'],
+        input_validation: ['skip validation', 'trust input', 'no validation'],
+        auth_required: ['skip auth', 'bypass auth', 'disable auth']
+    };
+
+    const instructionLower = input.instruction.toLowerCase();
+    for (const [rule, keywords] of Object.entries(fortressKeywords)) {
+        for (const keyword of keywords) {
+            if (instructionLower.includes(keyword)) {
+                // Log violation
+                await supabase.from('fortress_violations').insert({
+                    fortress_rule_slug: rule,
+                    violated_by_signal_hash: hash,
+                    conflict_type: 'DIRECT_CONTRADICTION',
+                    severity: 'CRITICAL',
+                    conflicting_instruction: input.instruction,
+                    source_user_id: userId,
+                    source_project_id: input.projectId
+                });
+
+                return {
+                    success: false,
+                    action: 'blocked',
+                    message: `❌ FORTRESS VIOLATION: Signal conflicts with immutable rule "${rule}".
+This instruction attempts to weaken a core security principle and has been rejected.
+The violation has been logged for security audit.`
+                };
+            }
+        }
+    }
+    return { success: true };
+}
+
+async function submitToQuarantine(
+    supabase: SupabaseClient,
+    userId: string,
+    input: z.infer<typeof SubmitSignalSchema>,
+    hash: string
+) {
+    // Calculate basic trust score (simplified)
+    let trustScore = 50; // Base score
+    if (input.example) trustScore += 10;
+    if (input.anti_example) trustScore += 10;
+    if (input.instruction.length > 100) trustScore += 5;
+    if (input.reasoning) trustScore += 5;
+    if (input.category === 'SECURITY' && input.severity === 'CRITICAL') trustScore += 10;
+
+    // Add to quarantine for human review (signals from MCP always go to quarantine)
+    const { data: quarantine, error: quarantineError } = await supabase
+        .from('curation_quarantine')
+        .insert({
+            signal_hash: hash,
+            signal_content: {
+                title: input.title,
+                instruction: input.instruction,
+                category: input.category,
+                severity: input.severity,
+                example: input.example,
+                anti_example: input.anti_example,
+                framework_tags: input.framework_tags,
+                source_type: input.source_type || 'mcp_submission',
+                source_context: {
+                    user_id: userId,
+                    project_id: input.projectId,
+                    reasoning: input.reasoning
+                }
+            },
+            trust_score: trustScore,
+            trust_breakdown: {
+                final_score: trustScore,
+                components: {
+                    completeness: input.example && input.anti_example ? 25 : 15,
+                    source_trust: 20,
+                    semantic_quality: 15,
+                    reinforcement_bonus: 0
+                }
+            },
+            reason: 'MCP_SUBMISSION',
+            suggested_action: trustScore >= 70 ? 'APPROVE' : trustScore >= 50 ? 'MERGE' : 'REJECT',
+            source_user_id: userId,
+            source_project_id: input.projectId
+        })
+        .select('id')
+        .single();
+
+    if (quarantineError) throw new Error(`Failed to submit signal: ${quarantineError.message}`);
+
+    // Log audit entry
+    await supabase.from('curation_audit_log').insert({
+        action: 'SIGNAL_SUBMITTED',
+        reason: `MCP signal submitted: "${input.title}" (trust: ${trustScore})`,
+        actor_type: 'SYSTEM',
+        actor_id: userId,
+        signal_hash: hash,
+        quarantine_id: quarantine?.id,
+        metadata: { projectId: input.projectId, category: input.category }
+    });
+
+    return {
+        success: true,
+        action: 'quarantined',
+        trust_score: trustScore,
+        quarantine_id: quarantine?.id,
+        message: `✅ Signal submitted for curation.
+Trust Score: ${trustScore}/100
+Status: QUARANTINED (pending human review)
+Suggested Action: ${trustScore >= 70 ? 'APPROVE' : trustScore >= 50 ? 'MERGE' : 'NEEDS_REVIEW'}
+
+Sigrid will process this signal and notify you of the result.`
+    };
+}

package/src/lib/curator/index.ts

@@ -0,0 +1,10 @@
+/**
+ * Phase 8.5: The Curator Protocol
+ * Logic and Actions
+ */
+
+export * from './schemas.js';
+export * from './actions/query.js';
+export * from './actions/submit.js';
+export * from './actions/stats.js';
+export * from './actions/fortress.js';

package/src/lib/curator/schemas.ts

@@ -0,0 +1,37 @@
+import { z } from 'zod';
+
+// ============================================
+// Input Schemas
+// ============================================
+
+export const QueryGlobalAntidotesSchema = z.object({
+    categories: z.array(z.string()).optional().describe('Filter by categories (SECURITY, ARCHITECTURE, UX, PERFORMANCE, ACCESSIBILITY, MAINTAINABILITY)'),
+    severities: z.array(z.string()).optional().describe('Filter by severity (CRITICAL, HIGH, MEDIUM, LOW)'),
+    framework_tags: z.array(z.string()).optional().describe('Filter by framework tags (e.g., ["nextjs", "react", "supabase"])'),
+    min_trust_score: z.number().optional().describe('Minimum trust score (0-100)'),
+    search_text: z.string().optional().describe('Search in title and instruction'),
+    limit: z.number().optional().describe('Max results (default: 20)')
+});
+
+export const SubmitSignalSchema = z.object({
+    projectId: z.string().describe('The UUID of the Rigstate project'),
+    title: z.string().min(10).max(100).describe('Short, descriptive title (10-100 chars)'),
+    instruction: z.string().min(50).max(2000).describe('The canonical instruction (50-2000 chars)'),
+    category: z.enum(['SECURITY', 'ARCHITECTURE', 'UX', 'PERFORMANCE', 'ACCESSIBILITY', 'MAINTAINABILITY']).describe('The category of this antidote'),
+    severity: z.enum(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW']).describe('Severity level'),
+    example: z.string().optional().describe('Good example demonstrating the instruction'),
+    anti_example: z.string().optional().describe('Bad example showing what NOT to do'),
+    framework_tags: z.array(z.string()).optional().describe('Relevant framework tags'),
+    reasoning: z.string().optional().describe('Why this signal should be added'),
+    source_type: z.string().optional().describe('Internal source type override (e.g. TEACHER_MODE)')
+});
+
+export const GetCuratorStatsSchema = z.object({
+    projectId: z.string().optional().describe('Optional project ID for context')
+});
+
+export const CheckFortressSchema = z.object({
+    projectId: z.string().describe('The UUID of the Rigstate project'),
+    instruction: z.string().describe('The instruction to check against fortress rules'),
+    category: z.enum(['SECURITY', 'ARCHITECTURE', 'UX', 'PERFORMANCE', 'ACCESSIBILITY', 'MAINTAINABILITY']).describe('Category of instruction')
+});