npm - @smartmemory/compose - Versions diffs - 0.1.0 - Mend

@smartmemory/compose 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (181) hide show

package/LICENSE +21 -0
package/README.md +1014 -0
package/bin/compose.js +1515 -0
package/dist/assets/_baseUniq-CQwX6VLz.js +1 -0
package/dist/assets/arc-SxJ2J1sh.js +1 -0
package/dist/assets/architectureDiagram-Q4EWVU46-BykunY1F.js +36 -0
package/dist/assets/blockDiagram-DXYQGD6D-ohAKBOUw.js +132 -0
package/dist/assets/c4Diagram-AHTNJAMY-DBDC3ENB.js +10 -0
package/dist/assets/channel-DGElom1e.js +1 -0
package/dist/assets/chunk-4BX2VUAB-Cv93Z7uM.js +1 -0
package/dist/assets/chunk-4TB4RGXK-DE0WBDkj.js +206 -0
package/dist/assets/chunk-55IACEB6-CE1EXenG.js +1 -0
package/dist/assets/chunk-EDXVE4YY-DA7Ana6H.js +1 -0
package/dist/assets/chunk-FMBD7UC4-CTDIPA3p.js +15 -0
package/dist/assets/chunk-OYMX7WX6-uGBaPaTX.js +231 -0
package/dist/assets/chunk-QZHKN3VN-CYlnXuUO.js +1 -0
package/dist/assets/chunk-YZCP3GAM-ojGkzcZK.js +1 -0
package/dist/assets/classDiagram-6PBFFD2Q-KqWP9wWZ.js +1 -0
package/dist/assets/classDiagram-v2-HSJHXN6E-KqWP9wWZ.js +1 -0
package/dist/assets/clone-DUJKJXd7.js +1 -0
package/dist/assets/cose-bilkent-S5V4N54A-Bktn9hL-.js +1 -0
package/dist/assets/dagre-KV5264BT-DFaSzuRF.js +4 -0
package/dist/assets/defaultLocale-DX6XiGOO.js +1 -0
package/dist/assets/diagram-5BDNPKRD-DnfmDzEm.js +10 -0
package/dist/assets/diagram-G4DWMVQ6-Bm8W9YnG.js +24 -0
package/dist/assets/diagram-MMDJMWI5-B5-TSKvp.js +43 -0
package/dist/assets/diagram-TYMM5635-ls4rqlky.js +24 -0
package/dist/assets/erDiagram-SMLLAGMA-giG6WO-r.js +85 -0
package/dist/assets/flowDiagram-DWJPFMVM-XvlUuz-7.js +162 -0
package/dist/assets/ganttDiagram-T4ZO3ILL-hLBV57oV.js +292 -0
package/dist/assets/gitGraphDiagram-UUTBAWPF-BHu3s_Gn.js +106 -0
package/dist/assets/graph-D0Cfv00Y.js +1 -0
package/dist/assets/index-CUd6pFGF.css +1 -0
package/dist/assets/index-DReRlzZI.js +1144 -0
package/dist/assets/infoDiagram-42DDH7IO-DbqRsOo3.js +2 -0
package/dist/assets/init-Gi6I4Gst.js +1 -0
package/dist/assets/ishikawaDiagram-UXIWVN3A-DnCdx7zb.js +70 -0
package/dist/assets/journeyDiagram-VCZTEJTY-CfD7eNcP.js +139 -0
package/dist/assets/kanban-definition-6JOO6SKY-BYaO9-mK.js +89 -0
package/dist/assets/katex-DkKDou_j.js +257 -0
package/dist/assets/layout-Bj72wOEB.js +1 -0
package/dist/assets/linear-BRFo114D.js +1 -0
package/dist/assets/min-GCHnKlJS.js +1 -0
package/dist/assets/mindmap-definition-QFDTVHPH-n0PMebY4.js +96 -0
package/dist/assets/ordinal-Cboi1Yqb.js +1 -0
package/dist/assets/pieDiagram-DEJITSTG-pN4CljHF.js +30 -0
package/dist/assets/quadrantDiagram-34T5L4WZ-DNoAy8-D.js +7 -0
package/dist/assets/requirementDiagram-MS252O5E-BhtY05PT.js +84 -0
package/dist/assets/sankeyDiagram-XADWPNL6-B6AD-16A.js +10 -0
package/dist/assets/sequenceDiagram-FGHM5R23-DShHM-uk.js +157 -0
package/dist/assets/stateDiagram-FHFEXIEX-DMxn7HTo.js +1 -0
package/dist/assets/stateDiagram-v2-QKLJ7IA2-o6PnCs4e.js +1 -0
package/dist/assets/timeline-definition-GMOUNBTQ-Cdu6uq52.js +120 -0
package/dist/assets/vennDiagram-DHZGUBPP-CpK29iRe.js +34 -0
package/dist/assets/wardley-RL74JXVD-BQgSkdcO.js +162 -0
package/dist/assets/wardleyDiagram-NUSXRM2D-DJHYev6O.js +20 -0
package/dist/assets/xychartDiagram-5P7HB3ND-1d75pbaO.js +7 -0
package/dist/index.html +30 -0
package/lib/agent-chains.js +65 -0
package/lib/agent-string.js +86 -0
package/lib/budget-ledger.js +86 -0
package/lib/build-all.js +162 -0
package/lib/build-dag.js +120 -0
package/lib/build-stream-writer.js +190 -0
package/lib/build.js +2997 -0
package/lib/capability-checker.js +53 -0
package/lib/cert-inject.js +38 -0
package/lib/cli-progress.js +483 -0
package/lib/constants.js +69 -0
package/lib/cross-layer-audit.js +84 -0
package/lib/debug-discipline.js +173 -0
package/lib/feature-json.js +106 -0
package/lib/gate-prompt.js +291 -0
package/lib/gate-tiers.js +194 -0
package/lib/health-history.js +119 -0
package/lib/health-score.js +227 -0
package/lib/ideabox.js +570 -0
package/lib/import.js +244 -0
package/lib/migrate-roadmap.js +94 -0
package/lib/model-pricing.js +67 -0
package/lib/new.js +413 -0
package/lib/pipeline-cli.js +489 -0
package/lib/plan-parser.js +103 -0
package/lib/qa-scoping.js +474 -0
package/lib/questionnaire.js +200 -0
package/lib/resolve-port.js +7 -0
package/lib/result-normalizer.js +349 -0
package/lib/review-lenses.js +166 -0
package/lib/roadmap-gen.js +210 -0
package/lib/roadmap-parser.js +176 -0
package/lib/server-probe.js +23 -0
package/lib/staleness.js +87 -0
package/lib/step-prompt.js +260 -0
package/lib/step-validator.js +49 -0
package/lib/stratum-mcp-client.js +365 -0
package/lib/team-flag.js +46 -0
package/lib/test-bootstrap.js +401 -0
package/lib/triage.js +274 -0
package/lib/vision-writer.js +391 -0
package/package.json +111 -0
package/pipelines/bug-fix.stratum.yaml +230 -0
package/pipelines/build.stratum.yaml +498 -0
package/pipelines/content.stratum.yaml +112 -0
package/pipelines/coverage-sweep.stratum.yaml +52 -0
package/pipelines/refactor.stratum.yaml +169 -0
package/pipelines/research.stratum.yaml +88 -0
package/pipelines/review-fix.stratum.yaml +109 -0
package/presets/team-feature.stratum.yaml +105 -0
package/presets/team-research.stratum.yaml +108 -0
package/presets/team-review.stratum.yaml +106 -0
package/scripts/agent-activity-hook.sh +31 -0
package/scripts/agent-error-hook.sh +28 -0
package/scripts/analyze-orphans.mjs +50 -0
package/scripts/find-orphans.mjs +26 -0
package/scripts/fix-phases.mjs +49 -0
package/scripts/generate-stratum-spec.mjs +137 -0
package/scripts/import-roadmap.mjs +116 -0
package/scripts/phase-audit.mjs +33 -0
package/scripts/run-pipeline.mjs +314 -0
package/scripts/session-end-hook.sh +18 -0
package/scripts/session-start-hook.sh +38 -0
package/scripts/vision-hook.sh +104 -0
package/scripts/vision-track.mjs +554 -0
package/scripts/wire-all-orphans.mjs +108 -0
package/scripts/wire-orphans.mjs +164 -0
package/server/activity-routes.js +123 -0
package/server/agent-health.js +197 -0
package/server/agent-hooks.js +102 -0
package/server/agent-mcp.js +10 -0
package/server/agent-registry.js +95 -0
package/server/agent-server.js +290 -0
package/server/agent-spawn.js +251 -0
package/server/agent-templates.js +77 -0
package/server/artifact-manager.js +247 -0
package/server/artifact-templates/architecture.md +28 -0
package/server/artifact-templates/blueprint.md +21 -0
package/server/artifact-templates/design.md +36 -0
package/server/artifact-templates/plan.md +25 -0
package/server/artifact-templates/prd.md +43 -0
package/server/artifact-templates/report.md +40 -0
package/server/block-tracker.js +90 -0
package/server/build-stream-bridge.js +502 -0
package/server/coalescing-buffer.js +46 -0
package/server/compose-mcp-tools.js +479 -0
package/server/compose-mcp.js +324 -0
package/server/connectors/agent-connector.js +78 -0
package/server/connectors/claude-sdk-connector.js +198 -0
package/server/connectors/codex-connector.js +240 -0
package/server/connectors/connector-discovery.js +18 -0
package/server/connectors/connector-runtime.js +13 -0
package/server/connectors/opencode-connector.js +200 -0
package/server/design-routes.js +540 -0
package/server/design-session.js +161 -0
package/server/feature-scan.js +593 -0
package/server/file-watcher.js +284 -0
package/server/find-root.js +29 -0
package/server/graph-export.js +343 -0
package/server/ideabox-cache.js +77 -0
package/server/ideabox-routes.js +294 -0
package/server/index.js +156 -0
package/server/model-tiers.js +49 -0
package/server/pipeline-routes.js +288 -0
package/server/policy-evaluator.js +36 -0
package/server/project-root.js +122 -0
package/server/security.js +23 -0
package/server/session-manager.js +403 -0
package/server/session-routes.js +190 -0
package/server/session-store.js +107 -0
package/server/settings-routes.js +35 -0
package/server/settings-store.js +234 -0
package/server/stratum-api.js +102 -0
package/server/stratum-client.js +192 -0
package/server/stratum-sync.js +193 -0
package/server/summarizer.js +139 -0
package/server/supervisor.js +196 -0
package/server/vision-routes.js +668 -0
package/server/vision-server.js +393 -0
package/server/vision-store.js +360 -0
package/server/vision-utils.js +179 -0
package/server/worktree-gc.js +137 -0
package/templates/ROADMAP.md +46 -0

package/server/pipeline-routes.js ADDED Viewed

@@ -0,0 +1,288 @@
+/**
+ * pipeline-routes.js — Pipeline authoring REST routes.
+ *
+ * Routes:
+ *   GET  /api/pipeline/templates          — list available pipeline templates
+ *   GET  /api/pipeline/templates/:id/spec — full YAML spec for a template
+ *   POST /api/pipeline/draft              — create a draft from template or inline spec
+ *   GET  /api/pipeline/draft              — get current draft
+ *   POST /api/pipeline/draft/approve      — approve and persist current draft
+ *   POST /api/pipeline/draft/reject       — reject and discard current draft
+ */
+import { readdirSync, readFileSync, writeFileSync, unlinkSync, existsSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { randomUUID } from 'node:crypto';
+import YAML from 'yaml';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Read all *.stratum.yaml files from the pipelines dir and return those
+ * with a valid metadata block.
+ */
+function loadTemplates(pipelinesDir) {
+  const templates = [];
+  let files;
+  try {
+    files = readdirSync(pipelinesDir).filter(f => f.endsWith('.stratum.yaml'));
+  } catch {
+    return templates;
+  }
+  for (const file of files) {
+    try {
+      const raw = readFileSync(join(pipelinesDir, file), 'utf-8');
+      const parsed = YAML.parse(raw);
+      if (parsed?.metadata?.id) {
+        templates.push({
+          id: parsed.metadata.id,
+          label: parsed.metadata.label || parsed.metadata.id,
+          description: parsed.metadata.description || '',
+          category: parsed.metadata.category || 'general',
+          steps: typeof parsed.metadata.steps === 'number' ? parsed.metadata.steps : 0,
+          estimated_minutes: typeof parsed.metadata.estimated_minutes === 'number' ? parsed.metadata.estimated_minutes : 0,
+          _file: file,
+        });
+      }
+    } catch {
+      // skip unparseable files
+    }
+  }
+  return templates;
+}
+/**
+ * Extract steps from a parsed spec, version-aware.
+ * v0.3: workflow.steps or flows.<name>.steps
+ * v0.1: flows.<name>.steps or functions (as step list)
+ */
+function extractSteps(parsed) {
+  // v0.3 with workflow.steps
+  if (parsed?.workflow?.steps) {
+    return parsed.workflow.steps.map(s => ({ id: s.id, ...s }));
+  }
+  // flows.<name>.steps (both v0.1 and v0.3)
+  if (parsed?.flows) {
+    for (const flowName of Object.keys(parsed.flows)) {
+      const flow = parsed.flows[flowName];
+      if (Array.isArray(flow?.steps) && flow.steps.length > 0) {
+        return flow.steps.map(s => ({ id: s.id, ...s }));
+      }
+    }
+  }
+  // Fallback: list functions as pseudo-steps (v0.1 function-only specs)
+  if (parsed?.functions) {
+    return Object.keys(parsed.functions).map(id => ({ id }));
+  }
+  return [];
+}
+// ---------------------------------------------------------------------------
+// In-memory draft state (single draft at a time)
+// ---------------------------------------------------------------------------
+let currentDraft = null;
+const DRAFT_FILE = 'pipeline-draft.json';
+function saveDraft(dataDir, draft) {
+  currentDraft = draft;
+  mkdirSync(dataDir, { recursive: true });
+  writeFileSync(join(dataDir, DRAFT_FILE), JSON.stringify(draft, null, 2));
+}
+function loadDraft(dataDir) {
+  if (currentDraft) return currentDraft;
+  const p = join(dataDir, DRAFT_FILE);
+  if (!existsSync(p)) return null;
+  try {
+    currentDraft = JSON.parse(readFileSync(p, 'utf-8'));
+    return currentDraft;
+  } catch {
+    return null;
+  }
+}
+function clearDraft(dataDir) {
+  currentDraft = null;
+  const p = join(dataDir, DRAFT_FILE);
+  try { if (existsSync(p)) unlinkSync(p); } catch { /* ignore */ }
+}
+// ---------------------------------------------------------------------------
+// Route attachment
+// ---------------------------------------------------------------------------
+/**
+ * Attach pipeline authoring routes to an Express app.
+ *
+ * @param {object} app — Express app
+ * @param {{
+ *   broadcastMessage: function,
+ *   scheduleBroadcast: function,
+ *   getDataDir: function,
+ *   getPipelinesDir: function,
+ *   stratumClient?: { validate: function } | null,
+ * }} deps
+ */
+export function attachPipelineRoutes(app, { broadcastMessage, scheduleBroadcast, getDataDir, getPipelinesDir, stratumClient }) {
+  // GET /api/pipeline/templates
+  app.get('/api/pipeline/templates', (_req, res) => {
+    const templates = loadTemplates(getPipelinesDir());
+    // Strip internal _file field
+    const clean = templates.map(({ _file, ...rest }) => rest);
+    res.json({ templates: clean });
+  });
+  // GET /api/pipeline/templates/:id/spec
+  app.get('/api/pipeline/templates/:id/spec', (req, res) => {
+    const templates = loadTemplates(getPipelinesDir());
+    const tmpl = templates.find(t => t.id === req.params.id);
+    if (!tmpl) return res.status(404).json({ error: `Template "${req.params.id}" not found` });
+    const spec = readFileSync(join(getPipelinesDir(), tmpl._file), 'utf-8');
+    res.json({ spec });
+  });
+  // POST /api/pipeline/draft
+  app.post('/api/pipeline/draft', (req, res) => {
+    const { templateId, spec: inlineSpec, metadata: inlineMeta } = req.body || {};
+    const dataDir = getDataDir();
+    let spec;
+    let metadata;
+    let parsed;
+    if (templateId) {
+      // Load from template
+      const templates = loadTemplates(getPipelinesDir());
+      const tmpl = templates.find(t => t.id === templateId);
+      if (!tmpl) return res.status(404).json({ error: `Template "${templateId}" not found` });
+      spec = readFileSync(join(getPipelinesDir(), tmpl._file), 'utf-8');
+      try {
+        parsed = YAML.parse(spec);
+      } catch (e) {
+        return res.status(400).json({ error: `Failed to parse template: ${e.message}` });
+      }
+      metadata = parsed.metadata || tmpl;
+    } else if (inlineSpec) {
+      // Inline spec
+      spec = inlineSpec;
+      try {
+        parsed = YAML.parse(spec);
+      } catch (e) {
+        return res.status(400).json({ error: `Invalid YAML: ${e.message}` });
+      }
+      metadata = parsed?.metadata || inlineMeta;
+      if (!metadata || !metadata.id) {
+        return res.status(400).json({ error: 'Spec must include a metadata block with at least an id field, or metadata must be provided separately' });
+      }
+    } else {
+      return res.status(400).json({ error: 'Provide either templateId or spec + metadata' });
+    }
+    const steps = extractSteps(parsed);
+    const draftId = randomUUID();
+    const draft = {
+      draftId,
+      spec,
+      metadata,
+      steps,
+      createdAt: new Date().toISOString(),
+      status: 'pending',
+    };
+    saveDraft(dataDir, draft);
+    broadcastMessage({ type: 'pipelineDraft', ...draft });
+    res.json(draft);
+  });
+  // GET /api/pipeline/draft
+  app.get('/api/pipeline/draft', (_req, res) => {
+    const draft = loadDraft(getDataDir());
+    res.json({ draft: draft ?? null });
+  });
+  // POST /api/pipeline/draft/approve
+  app.post('/api/pipeline/draft/approve', async (req, res) => {
+    const { draftId } = req.body || {};
+    const dataDir = getDataDir();
+    const draft = loadDraft(dataDir);
+    if (!draft) return res.status(404).json({ error: 'No draft to approve' });
+    if (draft.draftId !== draftId) return res.status(409).json({ error: 'Draft ID mismatch' });
+    // Validate spec before approval
+    if (stratumClient && typeof stratumClient.validate === 'function') {
+      try {
+        const result = await stratumClient.validate(draft.spec);
+        if (result?.valid === false) {
+          return res.status(422).json({ error: `Spec validation failed: ${result.error || 'unknown error'}` });
+        }
+      } catch (err) {
+        // Stratum unavailable at runtime — fall back to YAML parse check
+        try {
+          YAML.parse(draft.spec);
+        } catch (parseErr) {
+          return res.status(422).json({ error: `Invalid YAML: ${parseErr.message}` });
+        }
+      }
+    } else {
+      // No stratum client — basic YAML parse check
+      try {
+        YAML.parse(draft.spec);
+      } catch (parseErr) {
+        return res.status(422).json({ error: `Invalid YAML: ${parseErr.message}` });
+      }
+    }
+    // Write approved spec to approved-specs/
+    const approvedDir = join(dataDir, 'approved-specs');
+    mkdirSync(approvedDir, { recursive: true });
+    const specPath = join(approvedDir, `${draftId}.yaml`);
+    writeFileSync(specPath, draft.spec);
+    // Only delete draft AFTER spec file written
+    clearDraft(dataDir);
+    broadcastMessage({
+      type: 'pipelineDraftResolved',
+      draftId,
+      outcome: 'approved',
+      specPath,
+    });
+    res.json({ ok: true, specPath });
+  });
+  // POST /api/pipeline/draft/reject
+  app.post('/api/pipeline/draft/reject', (req, res) => {
+    const { draftId } = req.body || {};
+    const dataDir = getDataDir();
+    const draft = loadDraft(dataDir);
+    if (!draft) return res.status(404).json({ error: 'No draft to reject' });
+    if (draft.draftId !== draftId) return res.status(409).json({ error: 'Draft ID mismatch' });
+    clearDraft(dataDir);
+    broadcastMessage({
+      type: 'pipelineDraftResolved',
+      draftId,
+      outcome: 'rejected',
+    });
+    res.json({ ok: true });
+  });
+}

package/server/policy-evaluator.js ADDED Viewed

@@ -0,0 +1,36 @@
+/**
+ * Policy Evaluator — determines gate behavior for phase transitions.
+ *
+ * Pure function, no state, no side effects. Reads from the merged
+ * settings object (SettingsStore.get() shape).
+ *
+ * Policy modes:
+ *   gate — human approval required (default)
+ *   flag — auto-approve, emit stream event for audit
+ *   skip — silent pass-through, no gate record
+ */
+/**
+ * Evaluate the policy for a phase transition.
+ *
+ * @param {object} settings — merged settings (must have .policies object)
+ * @param {string} stepId   — the Stratum step ID
+ * @param {object} [opts]
+ * @param {string} [opts.toPhase]   — target phase (takes precedence over stepId for lookup)
+ * @param {string} [opts.fromPhase] — source phase (informational, not used for lookup)
+ * @returns {{ mode: 'gate'|'flag'|'skip', reason: string }}
+ */
+export function evaluatePolicy(settings, stepId, opts = {}) {
+  const phase = opts.toPhase ?? stepId;
+  const mode = settings?.policies?.[phase] ?? null;
+  if (mode === null || mode === undefined) {
+    return { mode: 'gate', reason: `no policy for '${phase}', defaulting to gate` };
+  }
+  if (mode !== 'gate' && mode !== 'flag' && mode !== 'skip') {
+    return { mode: 'gate', reason: `unknown policy '${mode}' for '${phase}', defaulting to gate` };
+  }
+  return { mode, reason: `phase '${phase}' policy is '${mode}'` };
+}

package/server/project-root.js ADDED Viewed

@@ -0,0 +1,122 @@
+/**
+ * project-root.js — Resolve COMPOSE_HOME and TARGET_ROOT.
+ *
+ * COMPOSE_HOME: where Compose's own code lives (server/, node_modules/, etc.)
+ * TARGET_ROOT:  the project being developed. Resolved by:
+ *   1. COMPOSE_TARGET env var (explicit override)
+ *   2. Walk up from cwd looking for .compose/, .stratum.yaml, or .git
+ *   3. Fall back to cwd
+ *
+ * All project paths are accessed via getTargetRoot() / getDataDir() so they
+ * update when switchProject() is called at runtime.
+ */
+import path from 'node:path';
+import fs from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { findProjectRoot } from './find-root.js';
+export { findProjectRoot } from './find-root.js';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+/** Where Compose's own code lives. Never changes. */
+export const COMPOSE_HOME = path.resolve(__dirname, '..');
+// ---------------------------------------------------------------------------
+// Mutable project binding
+// ---------------------------------------------------------------------------
+let _targetRoot = (() => {
+  if (process.env.COMPOSE_TARGET) {
+    const resolved = path.resolve(process.env.COMPOSE_TARGET);
+    if (!fs.existsSync(resolved)) {
+      console.error(`[project-root] COMPOSE_TARGET=${process.env.COMPOSE_TARGET} does not exist`);
+      process.exit(1);
+    }
+    return resolved;
+  }
+  return findProjectRoot(process.cwd()) || process.cwd();
+})();
+let _dataDir = path.join(_targetRoot, '.compose', 'data');
+let _configCache = null;
+/** The target project being developed. */
+export function getTargetRoot() { return _targetRoot; }
+/** Data directory for Compose state. Lives in the target project. */
+export function getDataDir() { return _dataDir; }
+// ---------------------------------------------------------------------------
+// Switch project at runtime
+// ---------------------------------------------------------------------------
+const _switchListeners = [];
+/**
+ * Register a callback for project switches.
+ * @param {(targetRoot: string, dataDir: string) => void} fn
+ */
+export function onProjectSwitch(fn) {
+  _switchListeners.push(fn);
+}
+/**
+ * Switch to a different project directory.
+ * @param {string} newRoot — absolute path to the new project
+ * @returns {{ targetRoot: string, dataDir: string }}
+ */
+export function switchProject(newRoot) {
+  const resolved = path.resolve(newRoot);
+  if (!fs.existsSync(resolved)) {
+    throw new Error(`Project path does not exist: ${resolved}`);
+  }
+  _targetRoot = resolved;
+  _dataDir = path.join(resolved, '.compose', 'data');
+  _configCache = null;
+  fs.mkdirSync(_dataDir, { recursive: true });
+  console.log(`[project-root] Switched to: ${resolved}`);
+  for (const fn of _switchListeners) {
+    try { fn(_targetRoot, _dataDir); } catch (e) { console.error('[project-root] Switch listener error:', e.message); }
+  }
+  return { targetRoot: _targetRoot, dataDir: _dataDir };
+}
+/** Ensure the data directory exists. */
+export function ensureDataDir() {
+  fs.mkdirSync(getDataDir(), { recursive: true });
+}
+// ---------------------------------------------------------------------------
+// Project config
+// ---------------------------------------------------------------------------
+const DEFAULT_CONFIG = Object.freeze({
+  version: 1,
+  capabilities: Object.freeze({ stratum: true, lifecycle: true }),
+  paths: Object.freeze({ docs: 'docs', features: 'docs/features', journal: 'docs/journal' }),
+});
+function cloneConfig(obj) {
+  return JSON.parse(JSON.stringify(obj));
+}
+export function loadProjectConfig() {
+  if (_configCache) return cloneConfig(_configCache);
+  const configPath = path.join(getTargetRoot(), '.compose', 'compose.json');
+  try {
+    _configCache = JSON.parse(fs.readFileSync(configPath, 'utf-8'));
+    return cloneConfig(_configCache);
+  } catch {
+    _configCache = DEFAULT_CONFIG;
+    return cloneConfig(DEFAULT_CONFIG);
+  }
+}
+export function resolveProjectPath(key) {
+  const config = loadProjectConfig();
+  const rel = config.paths?.[key];
+  if (!rel) return path.join(getTargetRoot(), DEFAULT_CONFIG.paths[key] || key);
+  return path.join(getTargetRoot(), rel);
+}

package/server/security.js ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Shared guard for sensitive local endpoints.
+ *
+ * Usage:
+ * 1) In normal dev flow, server/supervisor.js auto-generates COMPOSE_API_TOKEN.
+ * 2) If running servers directly, set COMPOSE_API_TOKEN in the environment.
+ * 3) Send header: x-compose-token: <COMPOSE_API_TOKEN>
+ */
+export function requireSensitiveToken(req, res, next) {
+  const expected = process.env.COMPOSE_API_TOKEN;
+  if (!expected) {
+    return res.status(503).json({
+      error: 'Sensitive endpoint disabled: missing COMPOSE_API_TOKEN (run via supervisor or set it manually)',
+    });
+  }
+  const provided = req.get('x-compose-token');
+  if (!provided || provided !== expected) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+  next();
+}