npm - @smartmemory/compose - Versions diffs - 0.2.6-beta → 0.2.7-beta - Mend

@smartmemory/compose 0.2.6-beta → 0.2.7-beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

package/server/agent-spawn.js CHANGED Viewed

@@ -9,6 +9,7 @@ import path from 'node:path';
 import { getTargetRoot } from './project-root.js';
 import { gracefulKill } from './agent-health.js';
+import { resolveSpawnProfile } from './mcp-tool-policy.js';
 const PROJECT_ROOT = getTargetRoot();
@@ -38,7 +39,7 @@ export function attachAgentSpawnRoutes(app, { projectRoot = PROJECT_ROOT, broadc
   const _agents = new Map();
   // POST /api/agent/spawn — spawn a hidden Claude subagent
   app.post('/api/agent/spawn', requireSensitiveToken, (req, res) => {
-    const { prompt, id } = req.body || {};
+    const { prompt, id, profile, template } = req.body || {};
     if (!prompt || typeof prompt !== 'string') return res.status(400).json({ error: 'prompt is required and must be a string' });
     const agentId = id || `agent-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
@@ -49,6 +50,11 @@ export function attachAgentSpawnRoutes(app, { projectRoot = PROJECT_ROOT, broadc
     const cleanEnv = { ...process.env, NO_COLOR: '1' };
     delete cleanEnv.CLAUDECODE;
+    // COMP-MCP-ENFORCE-1: inject a TRUSTED, spawn-time MCP profile the subagent
+    // cannot rewrite (its compose-mcp child inherits this env). Only restrictive
+    // profiles are injected; an orchestrator/unspecified spawn stays unrestricted.
+    const spawnProfile = resolveSpawnProfile({ profile, template });
+    if (spawnProfile) cleanEnv.COMPOSE_SESSION_PROFILE = spawnProfile;
     const proc = spawn('claude', [
       '-p', prompt,

package/server/compose-mcp-tools.js CHANGED Viewed

@@ -10,6 +10,7 @@ import http from 'node:http';
 import path from 'node:path';
 import { ArtifactManager, ARTIFACT_SCHEMAS } from './artifact-manager.js';
 import { getTargetRoot, getDataDir, resolveProjectPath, switchProject, setCurrentWorkspaceId, loadProjectConfig } from './project-root.js';
+import { resolveProfile, isToolAllowed } from './mcp-tool-policy.js';
 /**
  * COMP-MCP-ENFORCE Slice 3 — kill the `force` escape hatch at the MCP tool
@@ -438,7 +439,7 @@ export async function toolValidateProject(args = {}) {
   });
 }
-export async function toolBindSession({ featureCode }) {
+export async function toolBindSession({ featureCode, profile } = {}) {
   let result;
   try {
     result = await _httpRequest('POST', '/api/session/bind', { featureCode });
@@ -452,6 +453,15 @@ export async function toolBindSession({ featureCode }) {
       : `HTTP ${status}: ${typeof body === 'string' ? body : JSON.stringify(body)}`;
     throw new Error(errMsg);
   }
+  // COMP-MCP-ENFORCE-1: record the bound feature (anchor for phase resolution)
+  // on any non-error reply — including `already_bound` — so reconnects/repeat
+  // binds keep the anchor. Use the server's AUTHORITATIVE featureCode from the
+  // reply (an `already_bound` reply returns the real bound feature, which may
+  // differ from the request arg) so the anchor never drifts. The trusted env
+  // profile is the floor; the bind `profile` arg may only NARROW it.
+  const boundCode = (body && typeof body === 'object' && body.featureCode) || featureCode;
+  if (boundCode) _boundFeatureCode = boundCode;
+  _sessionProfile = resolveProfile(process.env.COMPOSE_SESSION_PROFILE, profile);
   return body;
 }
@@ -627,3 +637,95 @@ export function toolGetWorkspace() {
 export function _getBinding() { return _binding?.id ?? null; }
+// ---------------------------------------------------------------------------
+// COMP-MCP-ENFORCE-1 — phase-scoped MCP tool gate (profile × phase)
+//
+// Trusted profile = spawn-injected COMPOSE_SESSION_PROFILE (the agent cannot
+// rewrite its own launch env); bind_session may only NARROW it. The bound
+// feature anchor (_boundFeatureCode) lets the gate resolve the current phase
+// on-disk and check that re-permitted mutations target the bound feature.
+// All process-global by intent (one MCP child per session).
+// ---------------------------------------------------------------------------
+let _sessionProfile = resolveProfile(process.env.COMPOSE_SESSION_PROFILE, null);
+let _boundFeatureCode = null;
+export function _getSessionProfile() { return _sessionProfile; }
+export function _getBoundFeatureCode() { return _boundFeatureCode; }
+/** @internal test seam */
+export function _testOnly_setSessionContext({ profile, boundFeatureCode } = {}) {
+  if (profile !== undefined) _sessionProfile = profile;
+  if (boundFeatureCode !== undefined) _boundFeatureCode = boundFeatureCode;
+}
+/** The bound feature's current lifecycle phase from vision-state.json, or null. */
+export function resolveBoundPhase() {
+  if (!_boundFeatureCode) return null;
+  try {
+    const { items } = loadVisionState();
+    const item = items.find((i) => i.lifecycle?.featureCode === _boundFeatureCode);
+    return item?.lifecycle?.currentPhase ?? null;
+  } catch {
+    return null;
+  }
+}
+/** Resolve a gated tool's target to a feature code (for the feature-scoped re-permit check). */
+function _resolveTargetFeatureCode(tool, args = {}) {
+  try {
+    if (tool === 'record_completion') return args.feature_code ?? null;
+    if (tool === 'set_feature_status' || tool === 'add_roadmap_entry' || tool === 'propose_followup') {
+      return args.code ?? null;
+    }
+    if (tool === 'complete_feature' || tool === 'kill_feature') {
+      const { items } = loadVisionState();
+      return items.find((i) => i.id === args.id)?.lifecycle?.featureCode ?? null;
+    }
+    if (tool === 'approve_gate') {
+      const { items, gates } = loadVisionState();
+      const gate = gates?.find((g) => g.id === args.gateId);
+      return items.find((i) => i.id === gate?.itemId)?.lifecycle?.featureCode ?? null;
+    }
+  } catch { /* fall through */ }
+  return null;
+}
+function _targetMatchesBoundFeature(tool, args) {
+  if (!_boundFeatureCode) return false;
+  const code = _resolveTargetFeatureCode(tool, args);
+  return code !== null && code === _boundFeatureCode;
+}
+/**
+ * Throw PHASE_TOOL_DENIED if the tool is not allowed for the current
+ * profile×phase. No-op when the capability is off (default) or on a valid
+ * override token. On unresolved CONTEXT the behavior is graduated, NOT blanket
+ * fail-open: an unresolved PROFILE (no/unknown env) normalizes to orchestrator →
+ * unrestricted; an unresolved PHASE only fails open the phase *refinement* — the
+ * profile BASE policy (implementer deny / reviewer allowlist) still applies
+ * (a restricted context with unknown phase stays restricted, which is the safe
+ * reading). `_testCtx` lets tests drive flag/profile/phase/target without disk/env.
+ */
+export function assertToolPhaseAllowed(tool, args = {}, _testCtx) {
+  const guardOn = _testCtx?.phaseScopedTools ?? (loadProjectConfig()?.capabilities?.phaseScopedTools === true);
+  if (!guardOn) return;
+  if (_overrideOk(args)) return;
+  const profile = _testCtx?.profile ?? _sessionProfile;
+  const phase = _testCtx?.phase ?? resolveBoundPhase();
+  const targetMatchesBoundFeature = _testCtx?.targetMatches ?? _targetMatchesBoundFeature(tool, args);
+  const verdict = isToolAllowed({ tool, profile, phase, targetMatchesBoundFeature });
+  if (!verdict.allowed) {
+    const e = new Error(
+      `${tool} is not available to profile '${profile}'` +
+      (phase ? ` in phase '${phase}'` : '') + `: ${verdict.reason}. ` +
+      `Supply a valid override_token to deviate.`,
+    );
+    e.code = 'PHASE_TOOL_DENIED';
+    e.profile = profile;
+    e.phase = phase;
+    throw e;
+  }
+}

package/server/compose-mcp.js CHANGED Viewed

@@ -64,8 +64,12 @@ import {
   toolWriteCheckpoint,
   toolComposeResume,
   _getBinding,
+  assertToolPhaseAllowed,
+  _getSessionProfile,
+  resolveBoundPhase,
 } from './compose-mcp-tools.js';
-import { switchProject, getTargetRoot } from './project-root.js';
+import { isToolAllowed } from './mcp-tool-policy.js';
+import { switchProject, getTargetRoot, loadProjectConfig } from './project-root.js';
 import { resolveWorkspace } from '../lib/resolve-workspace.js';
 // ---------------------------------------------------------------------------
@@ -627,15 +631,41 @@ const server = new Server(
   { capabilities: { tools: {} } }
 );
-server.setRequestHandler(ListToolsRequestSchema, async () => ({
-  tools: TOOLS,
-}));
+server.setRequestHandler(ListToolsRequestSchema, async () => {
+  // COMP-MCP-ENFORCE-1: best-effort surface filter by the session's profile×phase.
+  // The hard guarantee is the CallTool gate below; ListTools just hides what the
+  // current context can't use (no tools/list_changed dependency).
+  const enabled = loadProjectConfig()?.capabilities?.phaseScopedTools === true;
+  if (!enabled) return { tools: TOOLS };
+  const profile = _getSessionProfile();
+  if (profile === 'orchestrator') return { tools: TOOLS };
+  const phase = resolveBoundPhase();
+  // target match is unknowable at list time → list a tool if its profile base
+  // (ignoring the feature-scoped re-permit) would ever permit it in this phase.
+  const tools = TOOLS.filter((t) =>
+    isToolAllowed({ tool: t.name, profile, phase, targetMatchesBoundFeature: true }).allowed);
+  return { tools };
+});
 server.setRequestHandler(CallToolRequestSchema, async (request) => {
   const { name, arguments: args = {} } = request.params;
   const WORKSPACE_EXEMPT = new Set(['set_workspace', 'get_workspace']);
+  // COMP-MCP-ENFORCE-1: phase-scoped tool gate (hard guarantee). No-op when the
+  // capability is off, on a valid override token, or when context is unresolved.
+  try {
+    assertToolPhaseAllowed(name, args);
+  } catch (err) {
+    if (err && err.code === 'PHASE_TOOL_DENIED') {
+      return {
+        content: [{ type: 'text', text: `Error [PHASE_TOOL_DENIED]: ${err.message}` }],
+        isError: true,
+      };
+    }
+    throw err;
+  }
   try {
     if (!WORKSPACE_EXEMPT.has(name)) {
       const ws = resolveWorkspace({ getBinding: _getBinding });

package/server/design-routes.js CHANGED Viewed

@@ -15,6 +15,7 @@ import path from 'node:path';
 import { randomUUID } from 'node:crypto';
 import { parseDecisionBlocks } from '../src/components/vision/designSessionState.js';
 import { StratumMcpClient } from '../lib/stratum-mcp-client.js';
+import { KNOWN_VERSIONS } from '../lib/build-stream-schema.js';
 // Lazy singleton — design conversations share one stratum-mcp connection
 // across the server process lifetime. Concurrent runs are correlation-id scoped.
@@ -144,7 +145,9 @@ ${formattedMessages}`;
     const subStepId = '_agent_run';
     const unsub = stratum.onEvent(correlationId, subStepId, (env) => {
-      if (!env || env.schema_version !== '0.2.5') return;
+      // Accept all KNOWN_VERSIONS (producer emits 0.2.6); pinning '0.2.5' dropped
+      // the current producer's events. Client already validated before dispatch.
+      if (!env || !KNOWN_VERSIONS.has(env.schema_version)) return;
       const m = env.metadata ?? {};
       switch (env.kind) {
         case 'agent_relay':

package/server/mcp-tool-policy.js ADDED Viewed

@@ -0,0 +1,112 @@
+// server/mcp-tool-policy.js
+//
+// COMP-MCP-ENFORCE-1 — pure, declarative profile×phase policy for the compose
+// MCP tool gate. No I/O: callers supply the resolved {profile, phase} and whether
+// the tool's target matches the bound feature. See docs/features/COMP-MCP-ENFORCE-1/.
+/** Agent-template name (server/agent-templates.js) → MCP profile. */
+export const TEMPLATE_PROFILE_MAP = {
+  'read-only-reviewer': 'reviewer',
+  'read-only-researcher': 'reviewer',
+  'security-auditor': 'reviewer',
+  'implementer': 'implementer',
+  'orchestrator': 'orchestrator',
+};
+/**
+ * Tools that are NEVER gated — setup/query prerequisites. Denying these would
+ * strand a restricted session (e.g. workspace selection precedes feature binding).
+ * All read/`get_*`/`validate_*` tools are also implicitly safe but are listed in
+ * the reviewer allowlist; this set is the cross-profile exemption.
+ */
+export const SETUP_TOOLS = new Set([
+  'set_workspace', 'get_workspace', 'bind_session', 'get_current_session',
+]);
+/** Management/approval/completion tools an implementer context must not wield. */
+const IMPLEMENTER_DENY = [
+  'approve_gate', 'complete_feature', 'kill_feature',
+  'set_feature_status', 'add_roadmap_entry', 'record_completion', 'propose_followup',
+];
+/** Reviewer (read-only) may call only these. */
+const REVIEWER_ALLOW = [
+  'get_vision_items', 'get_item_detail', 'get_phase_summary', 'get_blocked_items',
+  'get_current_session', 'get_feature_lifecycle', 'get_feature_artifacts', 'get_feature_links',
+  'get_pending_gates', 'get_changelog_entries', 'get_journal_entries', 'get_completions',
+  'validate_feature', 'validate_project', 'roadmap_diff', 'assess_feature_artifacts',
+  'set_workspace', 'get_workspace', 'bind_session',
+];
+export const PROFILE_POLICY = {
+  orchestrator: { mode: 'unrestricted' },
+  implementer: { mode: 'deny', tools: new Set(IMPLEMENTER_DENY) },
+  reviewer: { mode: 'allowlist', tools: new Set(REVIEWER_ALLOW) },
+};
+/** phase → management tools re-permitted for DENY-mode profiles in that phase. */
+export const PHASE_REFINEMENT = {
+  ship: new Set(['complete_feature', 'record_completion']),
+};
+// Strictness ordering — a bind hint may only NARROW (raise strictness), never widen.
+const RANK = { orchestrator: 0, implementer: 1, reviewer: 2 };
+function _norm(p) {
+  return (p && Object.prototype.hasOwnProperty.call(RANK, p)) ? p : 'orchestrator';
+}
+/**
+ * Resolve the effective profile. `envProfile` (spawn-injected COMPOSE_SESSION_PROFILE)
+ * is the trusted floor; `bindHint` (bind_session arg) may only narrow. Unknown
+ * strings normalize to orchestrator (fail-open).
+ */
+export function resolveProfile(envProfile, bindHint) {
+  const env = _norm(envProfile);
+  const hint = _norm(bindHint);
+  const rank = Math.max(RANK[env], RANK[hint]);
+  return Object.keys(RANK).find((k) => RANK[k] === rank);
+}
+/**
+ * Resolve the value to inject as COMPOSE_SESSION_PROFILE when spawning a
+ * subagent. Accepts an explicit MCP `profile` or an agent-template `template`
+ * (mapped via TEMPLATE_PROFILE_MAP). Returns the restrictive profile string to
+ * inject, or null when the result is unrestricted/unknown (inject nothing →
+ * the subagent runs as orchestrator, preserving current behavior).
+ */
+export function resolveSpawnProfile({ profile, template } = {}) {
+  let p = null;
+  if (profile && Object.prototype.hasOwnProperty.call(RANK, profile)) p = profile;
+  else if (template && TEMPLATE_PROFILE_MAP[template]) p = TEMPLATE_PROFILE_MAP[template];
+  return (p === 'implementer' || p === 'reviewer') ? p : null;
+}
+/**
+ * Decide whether a tool may be called in a context.
+ * @param {{tool:string, profile:string, phase?:string, targetMatchesBoundFeature?:boolean}} ctx
+ * @returns {{allowed:boolean, reason:string}}
+ */
+export function isToolAllowed({ tool, profile, phase, targetMatchesBoundFeature = false }) {
+  const prof = _norm(profile);
+  const policy = PROFILE_POLICY[prof];
+  if (policy.mode === 'unrestricted') return { allowed: true, reason: 'unrestricted profile' };
+  if (SETUP_TOOLS.has(tool)) return { allowed: true, reason: 'setup/query tool (never gated)' };
+  if (policy.mode === 'allowlist') {
+    // Phase NEVER widens an allowlist (reviewer stays read-only in every phase).
+    return policy.tools.has(tool)
+      ? { allowed: true, reason: `allowlisted for ${prof}` }
+      : { allowed: false, reason: `${tool} not in ${prof} allowlist` };
+  }
+  // deny-mode (implementer)
+  if (!policy.tools.has(tool)) return { allowed: true, reason: `not denied for ${prof}` };
+  const refinement = phase ? PHASE_REFINEMENT[phase] : null;
+  if (refinement && refinement.has(tool)) {
+    return targetMatchesBoundFeature
+      ? { allowed: true, reason: `phase '${phase}' re-permits ${tool} on the bound feature` }
+      : { allowed: false, reason: `phase '${phase}' re-permits ${tool} only for the bound feature (target differs)` };
+  }
+  return { allowed: false, reason: `${tool} denied for ${prof} in phase '${phase ?? 'unknown'}'` };
+}

package/dist/assets/channel-BD-5_hPW.js DELETED Viewed

	@@ -1 +0,0 @@
1	- import{ai as o,aj as n}from"./App-j8fWZcGr.js";const t=(a,r)=>o.lang.round(n.parse(a)[r]);export{t as c};

package/dist/assets/classDiagram-4FO5ZUOK-mSW5R7DY.js DELETED Viewed

@@ -1 +0,0 @@

- import{s as a,c as s,a as e,C as t}from"./chunk-727SXJPM-kD07Sqp5.js";import{_ as i}from"./App-j8fWZcGr.js";import"./chunk-FMBD7UC4-Jti_und8.js";import"./chunk-ND2GUHAM-Ipx3noKz.js";import"./chunk-55IACEB6-Bnais1SK.js";import"./chunk-2J33WTMH-CrazA7xu.js";import"./mobile-CG5tLa2S.js";import"./index-uHKnp74B.js";import"./graph-CJVNlri5.js";var b={parser:e,get db(){return new t},renderer:s,styles:a,init:i(r=>{r.class||(r.class={}),r.class.arrowMarkerAbsolute=r.arrowMarkerAbsolute},"init")};export{b as diagram};

package/dist/assets/classDiagram-v2-Q7XG4LA2-mSW5R7DY.js DELETED Viewed

@@ -1 +0,0 @@