@rigstate/mcp 0.4.2

package/src/tools/run-architecture-audit.ts

@@ -0,0 +1,203 @@
+/**
+ * Tool: run_architecture_audit
+ * 
+ * Audits code against project memories and architecture rules.
+ * Returns violations or "Pass" status.
+ */
+
+import { SupabaseClient } from '@supabase/supabase-js';
+import type { ArchitectureAuditResponse, AuditViolation } from '../lib/types.js';
+
+// Vulnerability patterns for static analysis
+const VULNERABILITY_PATTERNS: {
+    type: string;
+    severity: 'LOW' | 'MEDIUM' | 'HIGH';
+    patterns: RegExp[];
+    title: string;
+    description: string;
+    recommendation: string;
+}[] = [
+        {
+            type: 'SQL_INJECTION',
+            severity: 'HIGH',
+            patterns: [
+                /\$queryRaw\s*`[^`]*\$\{/gi,
+                /execute\s*\(\s*[`'"][^`'"]*\$\{/gi,
+                /query\s*\(\s*[`'"][^`'"]*\+/gi,
+            ],
+            title: 'Potential SQL Injection',
+            description: 'String interpolation in raw SQL queries can lead to SQL injection.',
+            recommendation: 'Use parameterized queries or prepared statements instead of string interpolation.'
+        },
+        {
+            type: 'XSS',
+            severity: 'HIGH',
+            patterns: [
+                /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/gi,
+                /innerHTML\s*=/gi,
+            ],
+            title: 'Potential XSS Vulnerability',
+            description: 'Using dangerouslySetInnerHTML or innerHTML can expose your app to XSS attacks.',
+            recommendation: 'Sanitize HTML content using a library like DOMPurify before rendering.'
+        },
+        {
+            type: 'SECRETS_LEAK',
+            severity: 'HIGH',
+            patterns: [
+                /['"]sk_live_[a-zA-Z0-9]{20,}['"]/gi,
+                /['"]sk_test_[a-zA-Z0-9]{20,}['"]/gi,
+                /api[_-]?key\s*[:=]\s*['"][^'"]{20,}['"]/gi,
+                /password\s*[:=]\s*['"][^'"]+['"]/gi,
+            ],
+            title: 'Potential Secret Leak',
+            description: 'Hardcoded secrets or API keys detected in source code.',
+            recommendation: 'Use environment variables for secrets. Never commit credentials to version control.'
+        },
+        {
+            type: 'UNVALIDATED_INPUT',
+            severity: 'MEDIUM',
+            patterns: [
+                /['"]use server['"]\s*[\s\S]*?export\s+async\s+function\s+\w+\s*\([^)]*:\s*any\)/gi,
+            ],
+            title: 'Unvalidated Server Action Input',
+            description: 'Server action accepts untyped input, which may lead to injection attacks.',
+            recommendation: 'Add Zod schema validation at the start of your server action.'
+        },
+        {
+            type: 'MISSING_AUTH',
+            severity: 'MEDIUM',
+            patterns: [
+                /export\s+async\s+function\s+(GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{[^}]*(?!auth|session|getUser)/gi,
+            ],
+            title: 'Potentially Missing Authentication',
+            description: 'API route handler may not be checking authentication.',
+            recommendation: 'Add authentication check at the start of your API handler.'
+        }
+    ];
+
+function extractLineNumber(content: string, match: RegExpMatchArray): number {
+    const upToMatch = content.substring(0, match.index || 0);
+    return (upToMatch.match(/\n/g) || []).length + 1;
+}
+
+export async function runArchitectureAudit(
+    supabase: SupabaseClient,
+    userId: string,
+    projectId: string,
+    filePath: string,
+    content: string
+): Promise<ArchitectureAuditResponse> {
+    // First, verify project ownership
+    const { data: project, error: projectError } = await supabase
+        .from('projects')
+        .select('id, name')
+        .eq('id', projectId)
+        .eq('owner_id', userId)
+        .single();
+
+    if (projectError || !project) {
+        throw new Error('Project not found or access denied');
+    }
+
+    const violations: AuditViolation[] = [];
+
+    // Run static pattern analysis
+    for (const pattern of VULNERABILITY_PATTERNS) {
+        for (const regex of pattern.patterns) {
+            const matches = content.matchAll(new RegExp(regex.source, regex.flags));
+            for (const match of matches) {
+                const lineNumber = extractLineNumber(content, match);
+                violations.push({
+                    type: pattern.type,
+                    severity: pattern.severity,
+                    title: pattern.title,
+                    description: pattern.description,
+                    lineNumber,
+                    recommendation: pattern.recommendation
+                });
+            }
+        }
+    }
+
+    // Fetch project memories for context-aware checks
+    const { data: memories } = await supabase
+        .from('project_memories')
+        .select('content, category, tags')
+        .eq('project_id', projectId)
+        .eq('is_active', true)
+        .in('category', ['constraint', 'architecture', 'tech_stack', 'decision'])
+        .order('importance', { ascending: false })
+        .limit(10);
+
+    // Check against project constraints
+    if (memories && memories.length > 0) {
+        for (const memory of memories) {
+            // Check for common constraint patterns
+            const lowerContent = content.toLowerCase();
+            const lowerMemory = memory.content.toLowerCase();
+
+            // Check "never use X" patterns
+            const neverMatch = lowerMemory.match(/never\s+use\s+(\w+)/i);
+            if (neverMatch && lowerContent.includes(neverMatch[1])) {
+                violations.push({
+                    type: 'CONSTRAINT_VIOLATION',
+                    severity: 'MEDIUM',
+                    title: 'Project Constraint Violation',
+                    description: `Code may violate project constraint: "${memory.content.substring(0, 100)}..."`,
+                    recommendation: 'Review the project brain for architectural constraints.'
+                });
+            }
+
+            // Check "always use X" patterns
+            const alwaysMatch = lowerMemory.match(/always\s+use\s+(\w+)/i);
+            if (alwaysMatch && !lowerContent.includes(alwaysMatch[1])) {
+                violations.push({
+                    type: 'CONSTRAINT_VIOLATION',
+                    severity: 'LOW',
+                    title: 'Missing Required Pattern',
+                    description: `Code may be missing required pattern: "${memory.content.substring(0, 100)}..."`,
+                    recommendation: 'Check if this file should follow the project standard.'
+                });
+            }
+        }
+    }
+
+    // Calculate score (100 - penalties)
+    let score = 100;
+    for (const v of violations) {
+        if (v.severity === 'HIGH') score -= 25;
+        else if (v.severity === 'MEDIUM') score -= 10;
+        else score -= 5;
+    }
+    score = Math.max(0, score);
+
+    // Build summary
+    const passed = violations.length === 0;
+    let summary: string;
+
+    if (passed) {
+        summary = `✅ PASSED - No violations found in ${filePath}\nScore: ${score}/100`;
+    } else {
+        const highCount = violations.filter(v => v.severity === 'HIGH').length;
+        const medCount = violations.filter(v => v.severity === 'MEDIUM').length;
+        const lowCount = violations.filter(v => v.severity === 'LOW').length;
+
+        summary = `⚠️ AUDIT FAILED - ${violations.length} violation(s) found in ${filePath}
+Score: ${score}/100
+• HIGH: ${highCount}
+• MEDIUM: ${medCount}
+• LOW: ${lowCount}
+
+Violations:
+${violations.map((v, i) => `${i + 1}. [${v.severity}] ${v.title}${v.lineNumber ? ` (line ${v.lineNumber})` : ''}
+   ${v.description}
+   → ${v.recommendation}`).join('\n\n')}`;
+    }
+
+    return {
+        passed,
+        score,
+        violations,
+        summary
+    };
+}

package/src/tools/save-decision.ts

@@ -0,0 +1,77 @@
+/**
+ * Tool: save_decision
+ * 
+ * Saves a new decision/ADR to the project's brain (project_memories).
+ * High-importance memory for architectural decisions.
+ */
+
+import { SupabaseClient } from '@supabase/supabase-js';
+import type { SaveDecisionResponse } from '../lib/types.js';
+
+export async function saveDecision(
+    supabase: SupabaseClient,
+    userId: string,
+    projectId: string,
+    title: string,
+    decision: string,
+    rationale?: string,
+    category: string = 'decision',
+    tags: string[] = []
+): Promise<SaveDecisionResponse> {
+    // First, verify project ownership
+    const { data: project, error: projectError } = await supabase
+        .from('projects')
+        .select('id, name')
+        .eq('id', projectId)
+        .eq('owner_id', userId)
+        .single();
+
+    if (projectError || !project) {
+        throw new Error('Project not found or access denied');
+    }
+
+    // Build the full content with title, decision, and rationale
+    const contentParts = [`# ${title}`, '', decision];
+    if (rationale) {
+        contentParts.push('', '## Rationale', rationale);
+    }
+    const fullContent = contentParts.join('\n');
+
+    // Build summary (truncated version for quick context)
+    const summary = decision.length > 150
+        ? decision.substring(0, 147) + '...'
+        : decision;
+
+    // Insert the memory with high importance (ADR = 9/10)
+    const { data: memory, error: insertError } = await supabase
+        .from('project_memories')
+        .insert({
+            project_id: projectId,
+            content: fullContent,
+            summary: summary,
+            category: category,
+            tags: ['ADR', ...tags],
+            importance: 9, // High importance for decisions
+            source_type: 'mcp', // Track source as MCP
+            is_active: true
+        })
+        .select('id')
+        .single();
+
+    if (insertError) {
+        // Handle specific database errors
+        if (insertError.code === '23503') {
+            throw new Error('Project no longer exists');
+        }
+        if (insertError.code === '42501') {
+            throw new Error('Permission denied: Cannot write to this project');
+        }
+        throw new Error(`Failed to save decision: ${insertError.message}`);
+    }
+
+    return {
+        success: true,
+        memoryId: memory.id,
+        message: `✅ Decision "${title}" saved to project "${project.name}" with importance 9/10`
+    };
+}

package/src/tools/security-tools.ts

@@ -0,0 +1,82 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { AuditRlsStatusInput } from '../lib/types.js';
+
+/**
+ * Sven's Tool: Security Shield
+ * Audits the database to ensure Row Level Security (RLS) is enforced.
+ */
+export async function auditRlsStatus(
+    supabase: SupabaseClient,
+    input: AuditRlsStatusInput
+) {
+    try {
+        // Query pg_tables to check rowsecurity status
+        const { data, error } = await supabase.rpc('execute_sql', {
+            query: `
+                SELECT tablename, rowsecurity 
+                FROM pg_tables 
+                WHERE schemaname = 'public' 
+                ORDER BY tablename;
+            `
+        });
+
+        // Fallback if generic execute_sql isn't available (it's often a custom RPC in these setups)
+        // If RPC fails, try generic postgres connection? 
+        // MCP usually connects via HTTP API (PostgREST). PostgREST doesn't expose pg_tables directly unless allowed.
+        // HOWEVER, the user instruction implies we CAN run this. "Utfør en SQL-spørring..."
+        // If using Supabase JS client, we can't run raw SQL unless we use an RPC wrapper.
+        // I will assume an RPC 'execute_sql' exists (common in AI setups) OR I have to trust the instruction 
+        // implies I have a way.
+
+        // Alternative: Use the 'mcp_supabase-mcp-server_execute_sql' pattern? No, we ARE the MCP server.
+        // If we don't have an RPC, we might struggle.
+        // Let's implement a robust check.
+
+        if (error) {
+            // Try direct fetch if exposed, which is rare for system tables
+            throw new Error(`Database query failed: ${error.message}`);
+        }
+
+        // Parse result (assuming result comes back as array of objects)
+        // If data is null/empty but no error?
+        const tables = data as Array<{ tablename: string, rowsecurity: boolean }>;
+
+        if (!tables) {
+            // If RPC returns void or strange shape, try to warn.
+            return {
+                status: 'ERROR',
+                message: 'Could not fetch table list. Ensure execute_sql RPC is available or pg_tables is accessible.'
+            };
+        }
+
+        const unsecuredTables = tables.filter(t => !t.rowsecurity);
+        const securedTables = tables.filter(t => t.rowsecurity);
+
+        const score = tables.length > 0
+            ? Math.round((securedTables.length / tables.length) * 100)
+            : 100;
+
+        return {
+            timestamp: new Date().toISOString(),
+            projectId: input.projectId,
+            securityScore: score,
+            metrics: {
+                totalTables: tables.length,
+                securedTables: securedTables.length,
+                unsecuredTables: unsecuredTables.length
+            },
+            unsecuredTables: unsecuredTables.map(t => t.tablename),
+            status: unsecuredTables.length === 0 ? 'SECURE' : 'VULNERABLE',
+            summary: unsecuredTables.length === 0
+                ? `PASSED. All ${tables.length} tables have RLS enabled. Sven approves.`
+                : `CRITICAL. ${unsecuredTables.length} tables are missing RLS: ${unsecuredTables.map(t => t.tablename).join(', ')}. Immediate action required.`
+        };
+
+    } catch (err: any) {
+        // Fallback: If we can't reach the DB
+        return {
+            status: 'ERROR',
+            message: `Sven could not reach the database structure. Error: ${err.message || err}. check connection strings.`
+        };
+    }
+}

package/src/tools/submit-idea.ts

@@ -0,0 +1,66 @@
+/**
+ * Tool: submit_idea
+ * 
+ * Submits a new idea to the Idea Lab (saved_ideas table).
+ * Ideas can later be reviewed, analyzed, and promoted to features.
+ */
+
+import { SupabaseClient } from '@supabase/supabase-js';
+import type { SubmitIdeaResponse } from '../lib/types.js';
+
+export async function submitIdea(
+    supabase: SupabaseClient,
+    userId: string,
+    projectId: string,
+    title: string,
+    description: string,
+    category: string = 'feature',
+    tags: string[] = []
+): Promise<SubmitIdeaResponse> {
+    // First, verify project ownership
+    const { data: project, error: projectError } = await supabase
+        .from('projects')
+        .select('id, name')
+        .eq('id', projectId)
+        .eq('owner_id', userId)
+        .single();
+
+    if (projectError || !project) {
+        throw new Error('Project not found or access denied');
+    }
+
+    // Insert the idea into saved_ideas
+    const { data: idea, error: insertError } = await supabase
+        .from('saved_ideas')
+        .insert({
+            project_id: projectId,
+            title: title,
+            description: description,
+            category: category,
+            tags: ['mcp', ...tags],
+            status: 'draft', // Start as draft for review
+            // No session_id since this comes from MCP, not a lab session
+        })
+        .select('id')
+        .single();
+
+    if (insertError) {
+        // Handle specific database errors
+        if (insertError.code === '23503') {
+            throw new Error('Project no longer exists');
+        }
+        if (insertError.code === '42501') {
+            throw new Error('Permission denied: Cannot write to this project');
+        }
+        if (insertError.code === '23505') {
+            throw new Error('An idea with this title already exists');
+        }
+        throw new Error(`Failed to submit idea: ${insertError.message}`);
+    }
+
+    return {
+        success: true,
+        ideaId: idea.id,
+        message: `💡 Idea "${title}" submitted to Idea Lab for project "${project.name}". Status: Draft (awaiting review)`
+    };
+}

package/src/tools/sync-ide-rules.ts

@@ -0,0 +1,76 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import {
+    generateRuleContent,
+    generateRuleFiles,
+    fetchLegacyStats,
+    fetchActiveAgents,
+    fetchProjectTechStack,
+    getFileNameForIDE,
+    IDEProvider,
+    RuleFile
+} from '@rigstate/rules-engine';
+
+/**
+ * Sync IDE rules for a project.
+ * Uses the centralized rules-engine for consistent generation across all consumers.
+ * 
+ * @param supabase - Supabase client instance
+ * @param projectId - The project ID to generate rules for
+ * @returns Object with fileName, content, and the new modular files[] array
+ */
+export async function syncIdeRules(
+    supabase: SupabaseClient,
+    projectId: string
+): Promise<{ fileName: string; content: string; files: RuleFile[] }> {
+    // 1. Fetch Project & Preferred IDE
+    const { data: project, error: projectError } = await supabase
+        .from('projects')
+        .select('*')
+        .eq('id', projectId)
+        .single();
+
+    if (projectError || !project) {
+        throw new Error(`Project ${projectId} not found.`);
+    }
+
+    // 2. Determine IDE (Preference -> Fallback)
+    const ide: IDEProvider = (project.preferred_ide as IDEProvider) || 'cursor';
+
+    // 3. Fetch Context Data (Parallel for speed)
+    const [stack, roadmapRes, legacyStats, activeAgents] = await Promise.all([
+        fetchProjectTechStack(supabase, projectId),
+        supabase
+            .from('roadmap_chunks')
+            .select('step_number, title, status, sprint_focus, prompt_content, is_legacy')
+            .eq('project_id', projectId),
+        fetchLegacyStats(supabase, projectId),
+        fetchActiveAgents(supabase)
+    ]);
+
+    // 4. Generate Content (Mono-file)
+    const content = generateRuleContent(
+        { ...project, id: projectId },
+        stack,
+        roadmapRes.data || [],
+        ide,
+        legacyStats,
+        activeAgents
+    );
+
+    // 5. Generate Modular Files (v3.0)
+    const fileResult = generateRuleFiles(
+        { ...project, id: projectId },
+        stack,
+        roadmapRes.data || [],
+        ide,
+        legacyStats,
+        activeAgents
+    );
+
+    return {
+        fileName: getFileNameForIDE(ide),
+        content,
+        files: fileResult.files
+    };
+}
+

package/src/tools/teacher-mode.ts

@@ -0,0 +1,171 @@
+/**
+ * Rigstate MCP Server - Teacher Mode Tools
+ * 
+ * Allows Frank to send logic corrections and fetch learned behaviors.
+ */
+
+import { SupabaseClient } from '@supabase/supabase-js';
+import { v4 as uuidv4 } from 'uuid';
+
+export interface RefineLogicResponse {
+    success: boolean;
+    instructionId: string;
+    traceId: string;
+    message: string;
+}
+
+export interface LearnedInstructionsResponse {
+    instructions: Array<{
+        instruction: string;
+        priority: number;
+        isGlobal: boolean;
+        createdAt: string;
+    }>;
+    globalInstructions: string[];
+    formatted: string;
+}
+
+/**
+ * Send a logic correction to the Rigstate cloud database
+ */
+export async function refineLogic(
+    supabase: SupabaseClient,
+    userId: string,
+    projectId: string,
+    originalReasoning: string,
+    userCorrection: string,
+    scope: 'project' | 'global'
+): Promise<RefineLogicResponse> {
+    // Generate a trace ID for this action
+    const traceId = uuidv4();
+
+    // Verify project access
+    const { data: project, error: projectError } = await supabase
+        .from('projects')
+        .select('id, name')
+        .eq('id', projectId)
+        .eq('user_id', userId)
+        .single();
+
+    if (projectError || !project) {
+        throw new Error(`Project access denied or not found: ${projectId}`);
+    }
+
+    // Save the instruction
+    const { data: instruction, error: insertError } = await supabase
+        .from('ai_instructions')
+        .insert({
+            user_id: userId,
+            project_id: scope === 'global' ? null : projectId,
+            instruction: userCorrection,
+            context: originalReasoning,
+            is_global: scope === 'global',
+            priority: scope === 'global' ? 8 : 6,
+            source_log_id: null // MCP actions don't have a log ID
+        })
+        .select('id')
+        .single();
+
+    if (insertError) {
+        throw new Error(`Failed to save instruction: ${insertError.message}`);
+    }
+
+    // Log this MCP action with trace
+    await supabase
+        .from('ai_activity_log')
+        .insert({
+            user_id: userId,
+            project_id: projectId,
+            activity_type: 'mcp_correction',
+            summary: `MCP: ${userCorrection.slice(0, 100)}...`,
+            intelligence_trace: {
+                source: 'mcp',
+                traceId,
+                scope,
+                originalReasoning: originalReasoning.slice(0, 500)
+            },
+            metadata: { mcp_trace_id: traceId }
+        });
+
+    return {
+        success: true,
+        instructionId: instruction.id,
+        traceId,
+        message: `✅ Correction saved! Frank will apply this ${scope === 'global' ? 'globally' : 'to this project'}.`
+    };
+}
+
+/**
+ * Fetch learned behaviors from the database
+ */
+export async function getLearnedInstructions(
+    supabase: SupabaseClient,
+    userId: string,
+    projectId?: string
+): Promise<LearnedInstructionsResponse> {
+    // Fetch user-specific instructions
+    let query = supabase
+        .from('ai_instructions')
+        .select('instruction, priority, is_global, created_at')
+        .eq('user_id', userId)
+        .eq('is_active', true)
+        .order('priority', { ascending: false })
+        .limit(20);
+
+    // Filter by project or global only
+    if (projectId) {
+        query = query.or(`is_global.eq.true,project_id.eq.${projectId}`);
+    } else {
+        query = query.eq('is_global', true);
+    }
+
+    const { data: userInstructions, error: userError } = await query;
+
+    if (userError) {
+        throw new Error(`Failed to fetch instructions: ${userError.message}`);
+    }
+
+    // Fetch global base instructions (system-wide)
+    const { data: globalBase, error: globalError } = await supabase
+        .from('global_base_instructions')
+        .select('instruction')
+        .eq('is_active', true)
+        .order('priority', { ascending: false })
+        .limit(10);
+
+    const globalInstructions = (globalBase || []).map(g => g.instruction);
+
+    // Format for context injection
+    const instructions = (userInstructions || []).map(i => ({
+        instruction: i.instruction as string,
+        priority: i.priority as number,
+        isGlobal: i.is_global as boolean,
+        createdAt: i.created_at as string
+    }));
+
+    let formatted = '';
+
+    if (globalInstructions.length > 0) {
+        formatted += `## GLOBAL RIGSTATE STANDARDS\n`;
+        formatted += globalInstructions.map(g => `- ${g}`).join('\n');
+        formatted += '\n\n';
+    }
+
+    if (instructions.length > 0) {
+        formatted += `## USER CORRECTIONS & TUNING\n`;
+        formatted += instructions.map(i => {
+            const scope = i.isGlobal ? '[GLOBAL]' : '[PROJECT]';
+            return `- ${scope} ${i.instruction}`;
+        }).join('\n');
+    }
+
+    if (!formatted) {
+        formatted = 'No learned behaviors yet. Frank will start learning as you provide corrections.';
+    }
+
+    return {
+        instructions,
+        globalInstructions,
+        formatted
+    };
+}