@rigstate/mcp 0.5.6 → 0.5.7

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@rigstate/mcp",
-    "version": "0.5.6",
+    "version": "0.5.7",
     "description": "Rigstate MCP Server - Model Context Protocol for AI Editors",
     "type": "module",
     "main": "./dist/index.js",

package/src/lib/tool-registry.ts

@@ -38,7 +38,7 @@ class ToolRegistry {
      */
     register<T extends z.ZodType>(tool: ToolDefinition<T>) {
         if (this.tools.has(tool.name)) {
-            console.warn(`Tool '${tool.name}' is already registered. Overwriting.`);
+            console.error(`Tool '${tool.name}' is already registered. Overwriting.`);
         }
         this.tools.set(tool.name, tool);
     }

package/src/tools/analyze-database-performance.ts

@@ -130,7 +130,7 @@ export async function analyzeDatabasePerformance(
             }
 
         } catch (e) {
-            console.warn(`Skipping file ${filePath}: ${e}`);
+            console.error(`Skipping file ${filePath}: ${e}`);
         }
     }
 

package/src/tools/arch-tools.ts

@@ -1,5 +1,5 @@
-import { promises as fs } from 'fs';
-import * as path from 'path';
+import { promises as fs, existsSync, statSync } from 'node:fs';
+import * as path from 'node:path';
 import { AnalyzeDependencyGraphInput } from '../lib/types.js';
 import { registry } from '../lib/tool-registry.js';
 import { AnalyzeDependencyGraphInputSchema } from '../lib/schemas.js';
@@ -24,7 +24,6 @@ registry.register({
  */
 export async function analyzeDependencyGraph(input: AnalyzeDependencyGraphInput) {
     // Determine root. Input path is relative to CWD usually.
-    // If input.path is absolute, use it. Otherwise resolve from CWD.
     const searchPath = path.isAbsolute(input.path)
         ? input.path
         : path.resolve(process.cwd(), input.path);
@@ -37,33 +36,54 @@ export async function analyzeDependencyGraph(input: AnalyzeDependencyGraphInput)
         };
     }
 
-    // 1. Scan files
+    // 1. Scan package.json for External Deps
+    let externalDeps: Record<string, string> = {};
+    const pkgPath = path.join(process.cwd(), 'package.json');
+    if (existsSync(pkgPath)) {
+        try {
+            const pkgContent = await fs.readFile(pkgPath, 'utf-8');
+            const pkg = JSON.parse(pkgContent);
+            externalDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+        } catch (e) {
+            console.error('Failed to parse package.json', e);
+        }
+    }
+
+    // 2. Scan TypeScripts files for Internal Deps
     const allFiles = await getAllFiles(searchPath);
-    const tsFiles = allFiles.filter(f => /\.(ts|tsx|js|jsx)$/.test(f) && !f.includes('node_modules') && !f.includes('.next') && !f.includes('dist'));
+    const tsFiles = allFiles.filter(f => /\.(ts|tsx|js|jsx)$/.test(f) && !f.includes('node_modules') && !f.includes('dist') && !f.includes('.next'));
 
-    // 2. Build Graph
+    // 3. Build Graph
     const graph: Record<string, string[]> = {};
-    const fileSet = new Set(tsFiles);
 
     for (const file of tsFiles) {
         const content = await fs.readFile(file, 'utf-8');
         const imports = extractImports(content);
 
+        // Resolve imports to file paths relative to searchPath
         const validDeps: string[] = [];
+        const fileDir = path.dirname(file);
 
         for (const imp of imports) {
-            const resolved = resolveImport(file, imp, searchPath);
-            if (resolved && fileSet.has(resolved)) {
-                validDeps.push(resolved);
+            // Check if it's an external dep
+            if (Object.keys(externalDeps).some(d => imp === d || imp.startsWith(d + '/'))) {
+                continue; // Skip external deps in internal graph for now
+            }
+
+            // Local import resolution logic (String based only, no require!)
+            if (imp.startsWith('.') || imp.startsWith('@/')) {
+                const resolved = resolveImportString(file, imp, searchPath);
+                if (resolved && tsFiles.includes(resolved)) {
+                    validDeps.push(path.relative(searchPath, resolved));
+                }
             }
         }
 
-        // Use relative paths for the graph to make it readable
         const relFile = path.relative(searchPath, file);
-        graph[relFile] = validDeps.map(d => path.relative(searchPath, d));
+        graph[relFile] = validDeps;
     }
 
-    // 3. Detect Cycles
+    // 4. Detect Cycles
     const cycles = detectCycles(graph);
 
     return {
@@ -71,13 +91,14 @@ export async function analyzeDependencyGraph(input: AnalyzeDependencyGraphInput)
         analyzedPath: searchPath,
         metrics: {
             totalFiles: tsFiles.length,
-            circularDependencies: cycles.length
+            circularDependencies: cycles.length,
+            externalDependencies: Object.keys(externalDeps).length
         },
         cycles: cycles,
         status: cycles.length > 0 ? 'VIOLATION' : 'PASS',
         summary: cycles.length > 0
-            ? `FAILED. Detected ${cycles.length} circular dependencies. These must be resolved to maintain architectural integrity.`
-            : `PASSED. No circular dependencies detected in ${tsFiles.length} files.`
+            ? `FAILED. Detected ${cycles.length} circular dependencies. Einar demands resolution!`
+            : `PASSED. Architecture is sound. No circular dependencies in ${tsFiles.length} files.`
     };
 }
 
@@ -92,59 +113,53 @@ async function getAllFiles(dir: string): Promise<string[]> {
     return files.flat();
 }
 
-/**
- * Simple regex extraction of import statements.
- * Matches: import ... from '...'
- * Matches: import '...'
- * Matches: export ... from '...'
- */
 function extractImports(content: string): string[] {
+    // Regex to match import ... from "..." or import "..."
     const regex = /from\s+['"]([^'"]+)['"]|import\s+['"]([^'"]+)['"]/g;
     const imports: string[] = [];
     let match;
     while ((match = regex.exec(content)) !== null) {
-        // match[1] is 'from "..."; match[2] is import "...";
         imports.push(match[1] || match[2]);
     }
     return imports;
 }
 
-/**
- * Naive resolver.
- * Handles:
- * - Relative: ./foo, ../bar
- * - Alias: @/ -> searchPath/ (Assumes Next.js style)
- * - Extensions: tries .ts, .tsx, .js, index.ts, etc.
- */
-function resolveImport(importer: string, importPath: string, root: string): string | null {
-    if (!importPath.startsWith('.') && !importPath.startsWith('@/')) {
-        return null; // Ignore node_modules
-    }
-
-    let searchDir = path.dirname(importer);
+function resolveImportString(importer: string, importPath: string, root: string): string | null {
+    let targetDir = path.dirname(importer);
     let target = importPath;
 
     if (importPath.startsWith('@/')) {
         target = importPath.replace('@/', '');
-        searchDir = root; // Assume root is where @/ points to (src or project root)
-        // Adjust for src if root includes src, ensuring we don't double dip? 
-        // Actually, usually @/ maps to src/ or root. We'll try relative to 'root'.
+        targetDir = root; // Assume @ maps to root of scan path
     }
 
-    const startPath = path.resolve(searchDir, target);
+    // Construct potential path
+    const naivePath = path.resolve(targetDir, target);
+
+    // Check extensions
+    const extensions = ['.ts', '.tsx', '.js', '.jsx', '/index.ts', '/index.tsx'];
+
+    // We already have the full file list in memory in the main function, 
+    // but here we do a quick disk check since we are inside a helper.
+    // For a REALLY robust solution, we should pass the fileSet to this function,
+    // but checking disk is fine for this tool.
 
-    // Try extensions
-    const extensions = ['.ts', '.tsx', '.js', '.jsx', '/index.ts', '/index.tsx', '/index.js', ''];
     for (const ext of extensions) {
-        const candidate = startPath + ext;
-        if (require('fs').existsSync(candidate) && !require('fs').statSync(candidate).isDirectory()) {
+        const candidate = naivePath + ext;
+        if (existsSync(candidate) && !statSync(candidate).isDirectory()) {
             return candidate;
         }
     }
 
+    // Check if it matches exactly (e.g. file.ts was imported as file.ts)
+    if (existsSync(naivePath) && !statSync(naivePath).isDirectory()) {
+        return naivePath;
+    }
+
     return null;
 }
 
+
 function detectCycles(graph: Record<string, string[]>): string[][] {
     const visited = new Set<string>();
     const recursionStack = new Set<string>();
@@ -160,7 +175,7 @@ function detectCycles(graph: Record<string, string[]>): string[][] {
             if (!visited.has(dep)) {
                 dfs(dep, path);
             } else if (recursionStack.has(dep)) {
-                // Cycle detected
+                // Cycle found
                 const cycleStart = path.indexOf(dep);
                 if (cycleStart !== -1) {
                     cycles.push([...path.slice(cycleStart), dep]);

package/src/tools/complete-roadmap-task.ts

@@ -110,7 +110,7 @@ export async function completeRoadmapTask(
         });
 
     if (reportError) {
-        console.warn('Failed to save mission report:', reportError.message);
+        console.error('Failed to save mission report:', reportError.message);
     }
 
     // 5. SOVEREIGN HARVESTING: Trigger Reflection & Skill Extraction (Brynjar)

package/src/tools/list-features.ts

@@ -17,10 +17,10 @@ export const listFeaturesTool: ToolDefinition<typeof InputSchema> = {
 Useful for understanding the strategic context and major milestones.`,
     schema: InputSchema,
     handler: async ({ projectId }, { supabase, userId }) => {
-        // 1. Verify project ownership
+        // 1. Fetch project to verify access and get fallback spec
         const { data: project, error: projectError } = await supabase
             .from('projects')
-            .select('id')
+            .select('id, functional_spec')
             .eq('id', projectId)
             .eq('owner_id', userId)
             .single();
@@ -29,38 +29,51 @@ Useful for understanding the strategic context and major milestones.`,
             throw new Error('Project not found or access denied');
         }
 
-        // 2. Fetch features
-        const { data: features, error } = await supabase
-            .from('features')
-            .select('id, name, description, priority, status')
+        // 2. Primary Strategy: Fetch from 'project_features'
+        const { data: dbFeatures, error: dbError } = await supabase
+            .from('project_features')
+            .select('id, name, description, status')
             .eq('project_id', projectId)
-            .neq('status', 'ARCHIVED')
-            .order('created_at', { ascending: false }); // Sort by newest (or priority if column existed properly typed)
+            .neq('status', 'shadow') // Exclude shadow features by default unless asked
+            .order('created_at', { ascending: false });
 
-        // Note: 'horizon' was not in my simple schema mental model, removed to be safe or use 'status' as proxy.
-        // Assuming strict schema adherence.
-        // If priority column is text, sorting by it strictly might be weird if not enum. 
-        // Let's trust 'created_at' for stability for now.
+        let featuresList: any[] = [];
+        let source = 'DB';
 
-        if (error) {
-            throw new Error(`Failed to fetch features: ${error.message}`);
+        if (!dbError && dbFeatures && dbFeatures.length > 0) {
+            featuresList = dbFeatures.map(f => ({
+                ...f,
+                title: f.name // Map back to title specifically for uniform handling below
+            }));
+        } else {
+            // 3. Fallback Strategy: Extract from 'functional_spec'
+            source = 'FALLBACK_SPEC';
+            // Log warning (In a real system, use a structured logger. Here we console.error to stderr)
+            console.error(`[WARN] Project ${projectId}: 'project_features' empty or missing. Falling back to 'functional_spec'.`);
+
+            const spec = project.functional_spec as any;
+            if (spec && typeof spec === 'object' && Array.isArray(spec.features)) {
+                featuresList = spec.features.map((f: any) => ({
+                    id: 'legacy',
+                    title: f.name || f.title,
+                    description: f.description,
+                    status: f.status || 'proposed'
+                }));
+            }
+        }
+
+        // 4. Format Response
+        if (featuresList.length === 0) {
+            return { content: [{ type: 'text', text: 'No active features found (checked DB and Spec).' }] };
         }
 
-        // 3. Format response
-        const formatted = (features || []).length > 0
-            ? (features || []).map(f => {
-                const priorityStr = f.priority === 'MVP' ? '[MVP] ' : '';
-                return `- ${priorityStr}${f.name} (${f.status})`;
-            }).join('\n')
-            : 'No active features found.';
+        const formatted = `=== PROJECT FEATURES (Source: ${source}) ===\n` +
+            featuresList.map(f => {
+                return `- ${f.title} [${f.status}]`;
+            }).join('\n');
 
         return {
-            content: [
-                {
-                    type: 'text',
-                    text: formatted
-                }
-            ]
+            content: [{ type: 'text', text: formatted }]
         };
     }
 };

package/src/tools/query-brain.ts

@@ -34,37 +34,35 @@ architecture rules, decisions, and constraints.`,
     }
 });
 
-// Generate embedding using the preferred provider (OpenRouter or Google)
+// Generate embedding using the Rigstate Intelligence API (Proxy)
 async function generateQueryEmbedding(query: string): Promise<number[] | null> {
-    const openRouterKey = process.env.OPENROUTER_API_KEY;
-    const googleKey = process.env.GOOGLE_GENERATIVE_AI_API_KEY;
+    const apiKey = process.env.RIGSTATE_API_KEY;
+    const apiUrl = process.env.RIGSTATE_API_URL || 'http://localhost:3000/api/v1';
 
-    if (!openRouterKey && !googleKey) {
+    if (!apiKey) {
         return null;
     }
 
     try {
-        const { embed } = await import('ai');
-
-        if (openRouterKey) {
-            const { createOpenRouter } = await import('@openrouter/ai-sdk-provider');
-            const openrouter = createOpenRouter({ apiKey: openRouterKey });
-
-            // Use Gemini embedding via OpenRouter to maintain 768 dimensions
-            const { embedding } = await embed({
-                model: openrouter.embedding('google/text-embedding-004'),
-                value: query.replace(/\n/g, ' '),
-            });
-            return embedding;
-        } else {
-            const { google } = await import('@ai-sdk/google');
-            const { embedding } = await embed({
-                model: google.embedding('text-embedding-004'),
-                value: query.replace(/\n/g, ' '),
-            });
-            return embedding;
+        const response = await fetch(`${apiUrl}/intelligence/embed`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${apiKey}`
+            },
+            body: JSON.stringify({ text: query })
+        });
+
+        if (!response.ok) {
+            const errorText = await response.text();
+            console.error(`Embedding API error (${response.status}):`, errorText);
+            return null;
         }
+
+        const result = await response.json() as any;
+        return result.data?.embedding || null;
     } catch (error) {
+        console.error('Failed to generate embedding via Proxy:', error);
         return null;
     }
 }
@@ -136,6 +134,22 @@ export async function queryBrain(
         }));
     }
 
+    // --- NEW: FETCH RELEVANT FEATURES ---
+    // Simple fuzzy search until we vector embedding for features.
+    let relevantFeatures: any[] = [];
+    try {
+        const { data: features } = await supabase
+            .from('project_features')
+            .select('name, status, description')
+            .eq('project_id', projectId)
+            .or(`name.ilike.%${query}%,description.ilike.%${query}%`)
+            .limit(3);
+
+        if (features) relevantFeatures = features;
+    } catch (e) {
+        console.warn('Feature fetch failed in brain query', e);
+    }
+
     // Format memories into a readable context block
     const contextLines = memories.map((m) => {
         const voteIndicator = m.netVotes && m.netVotes < 0 ? ` [⚠️ POORLY RATED: ${m.netVotes}]` : '';
@@ -146,19 +160,23 @@ export async function queryBrain(
 
     const searchType = embedding ? 'TRIPLE-HYBRID (Vector + FTS + Fuzzy)' : 'HYBRID (FTS + Fuzzy)';
 
-    const formatted = memories.length > 0
-        ? `=== PROJECT BRAIN: RELEVANT MEMORIES ===
+    let formatted = `=== PROJECT BRAIN: RELEVANT MEMORIES ===
 Search Mode: ${searchType}
-Query: "${query}"
-Found ${memories.length} relevant memories:
+Query: "${query}"`;
 
-${contextLines.join('\n')}
+    if (relevantFeatures.length > 0) {
+        formatted += `\n\n=== RELATED FEATURES ===\n` +
+            relevantFeatures.map((f: any) => `- ${f.name} [${f.status}]`).join('\n');
+    }
+
+    formatted += `\n\nFound ${memories.length} relevant memories:\n\n${contextLines.join('\n')}\n\n==========================================`;
 
-==========================================`
-        : `=== PROJECT BRAIN ===
+    if (memories.length === 0 && relevantFeatures.length === 0) {
+        formatted = `=== PROJECT BRAIN ===
 Query: "${query}"
-No relevant memories found for this query.
+No relevant memories or features found.
 =======================`;
+    }
 
     return {
         query,

package/src/tools/security-checks-arch.ts

@@ -0,0 +1,85 @@
+
+export interface SecurityViolation {
+    id: string;
+    type: string;
+    severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'FATAL';
+    title: string;
+    description: string;
+    recommendation: string;
+}
+
+/**
+ * Checks for Architectural Integrity (SEC-ARCH-01, SEC-ARCH-02, SEC-ARCH-03)
+ */
+export function checkArchitectureIntegrity(filePath: string, content: string): SecurityViolation[] {
+    const violations: SecurityViolation[] = [];
+
+    // Define UI context: Components, Hooks, and client-side pages (rough heuristic)
+    // We exclude 'api', 'actions', 'lib', 'utils' from this restriction generally, 
+    // though 'lib'/ 'utils' should also be clean ideally. Let's focus on strict UI layers.
+    const isUI = filePath.includes('/components/') || filePath.includes('/hooks/') || (filePath.includes('/app/') && !filePath.includes('/api/') && !filePath.includes('actions.ts') && !filePath.includes('route.ts'));
+
+    // SEC-ARCH-01: Illegal Supabase Client in UI
+    // Rule: /(import.*from\s+['"]@supabase\/supabase-js['"])/g
+    if (isUI) {
+        const illegalImportRegex = /(import.*from\s+['"]@supabase\/supabase-js['"])/g;
+        if (illegalImportRegex.test(content)) {
+            violations.push({
+                id: 'SEC-ARCH-01',
+                type: 'ARCHITECTURE_VIOLATION',
+                severity: 'FATAL',
+                title: 'Illegal Supabase Client in UI',
+                description: 'Direct import of @supabase/supabase-js in a UI component/hook is strictly forbidden. It bypasses the server boundary.',
+                recommendation: 'Use the `createClient` helper from our utils or Server Actions for data access.'
+            });
+        }
+    }
+
+    // SEC-ARCH-02: Direct Query Pattern in UI
+    // Rule: /\.(from|select|insert|update|delete|rpc)\s*\(/g
+    // Refinement: We specifically target 'supabase.from' effectively or chained calls. 
+    // To avoid false positives like Array.from, we can perform a simple check.
+    if (isUI) {
+        const dbActionRegex = /\.(from|select|insert|update|delete|rpc)\s*\(/g;
+        const matches = content.match(dbActionRegex);
+        if (matches) {
+            // Filter out 'Array.from' specifically to permit standard JS patterns
+            const suspicious = matches.some(m => !m.includes('.from') || (m.includes('.from') && content.includes('supabase.from')));
+
+            if (suspicious || (matches.length > 0 && content.includes('supabase'))) {
+                violations.push({
+                    id: 'SEC-ARCH-02',
+                    type: 'ARCHITECTURE_VIOLATION',
+                    severity: 'FATAL',
+                    title: 'Direct Database Query in UI',
+                    description: 'Detected direct database query pattern (select/insert/update/delete) in a UI component. This exposes logic to the client.',
+                    recommendation: 'Move all data fetching logic to Server Components or Server Actions.'
+                });
+            }
+        }
+    }
+
+    // SEC-ARCH-03: Missing 'use server'
+    // Heuristic: If file is in an 'actions' folder OR exports functions ending in 'Action'/'Mutation', 
+    // it MUST have 'use server' at the top.
+    const isActionFile = filePath.includes('/actions/') || filePath.includes('actions.ts');
+
+    if (isActionFile) {
+        // Check first 200 chars for 'use server'
+        const header = content.slice(0, 200);
+        const hasUseServer = /['"]use server['"]/.test(header);
+
+        if (!hasUseServer) {
+            violations.push({
+                id: 'SEC-ARCH-03',
+                type: 'ARCHITECTURE_VIOLATION',
+                severity: 'FATAL',
+                title: 'Missing "use server" Directive',
+                description: 'File appears to be a Server Action module but lacks the "use server" directive.',
+                recommendation: 'Add "use server" at the very top of the file.'
+            });
+        }
+    }
+
+    return violations;
+}

package/src/tools/security-checks.ts

@@ -239,3 +239,4 @@ export function checkAntiLazy(filePath: string, content: string): SecurityViolat
 
     return violations;
 }
+

package/src/tools/security-tools.ts

@@ -1,6 +1,7 @@
 import { SupabaseClient } from '@supabase/supabase-js';
 import { AuditRlsStatusInput } from '../lib/types.js';
 import * as Checks from './security-checks.js';
+import * as ArchChecks from './security-checks-arch.js';
 import { registry } from '../lib/tool-registry.js';
 import { AuditRlsStatusInputSchema, AuditSecurityIntegrityInputSchema } from '../lib/schemas.js';
 
@@ -135,6 +136,9 @@ export async function auditSecurityIntegrity(
     const lazyViolations = Checks.checkAntiLazy(filePath, content);
     violations.push(...lazyViolations);
 
+    const archViolations = ArchChecks.checkArchitectureIntegrity(filePath, content);
+    violations.push(...archViolations);
+
     const score = Math.max(0, 100 - (violations.length * 10));
     const passed = !violations.some((v: any) => v.severity === 'HIGH' || v.severity === 'FATAL');