@thedecipherist/mdd 1.8.1 → 1.8.3

package/README.md

@@ -864,6 +864,7 @@ Every `.mdd/docs/<NN>-<feature-name>.md` file uses this YAML frontmatter:
 | `tags` | 4–8 domain-concept keywords surfaced in `.startup.md` so Claude can detect when a prompt relates to this feature (e.g. `[auth, jwt, login, sessions]`) |
 | `path` | Slash-delimited breadcrumb showing where this feature lives in the product (e.g. `Auth/Login`, `E-commerce/Cart/Checkout`). Used by dashboards and listing tools to group docs into a human-readable tree. Distinct from `depends_on` — this is for navigation, not build order. |
 | `known_issues` | Issues discovered during audits or implementation |
+| `security_read_sites` | Optional. List of `file:line` entries where user-supplied file paths are read. Phase A1 cross-checks each against path-confinement calls - a listed site with no guard is a P1 finding. Leave empty or omit if the feature has no file-read attack surface. |
 
 **`depends_on` rules:**
 - Feature docs only - never list task docs (one-off, frozen, no ongoing contract)
@@ -1011,7 +1012,7 @@ MDD creates `.mdd/settings.json` on first run. It controls which rule files load
 
 **`phaseLogging: true` (default)** - Controls whether MDD writes phase timing data via `mdd-log-phase.sh`. Set to `false` to suppress all phase log output.
 
-**`securityScan: false` (default)** - Enables the security rule generator. See the section below.
+**`securityScan: false` (default)** - Set to `true` to enable the security rule generator. See the section below.
 
 ### Stack-Specific Rule Files
 
@@ -1022,6 +1023,7 @@ mdd-rules-typescript.md   # TypeScript-specific audit criteria and build checkli
 mdd-rules-express.md      # Express error handling, middleware, route validation rules
 mdd-rules-jwt.md          # JWT decode safety, expiry checks, secret validation
 mdd-rules-prisma.md       # Prisma query safety, transaction patterns, migration checks
+mdd-rules-mcp.md          # MCP tool input validation and rejection test enforcement
 ```
 
 Rules are additive - they append criteria to the existing phase rather than replacing anything. If a rule file doesn't exist for a stack entry, MDD warns once and continues. A misconfigured or missing `settings.json` never halts a session.

package/commands/mdd-audit.md

@@ -53,7 +53,9 @@ These checks require comparing feature docs to each other and to disk. They cann
 
 - For each feature, verify every path in `source_files` exists on disk. Missing files = P2 finding.
 - For each feature with `depends_on` that includes a feature with `integration_contracts`: verify this feature's `satisfies_contracts` is not empty. Missing acknowledgment = P2 finding.
+- For each feature with `satisfies_contracts` entries: verify that EVERY file in the feature's `source_files` that performs the contracted operation has the required guard call — not just one file per entry. A single guarded file does not satisfy a contract that covers the whole feature. Any unguarded file = P2 finding (P1 if the contract is a security contract).
 - For each feature with `satisfies_contracts` entries where `status: pending`: flag every pending entry as P1 — contract was documented but never wired.
+- For each feature with `security_read_sites` present and non-empty: read each listed `file:line` and confirm the immediately surrounding code calls the canonical path-confinement function. A listed site with no confinement call = P1 finding.
 - For each feature with `integration_contracts`: verify every listed `caller_feature` exists as a feature doc. Non-existent caller referenced = P3 finding.
 
 Record all findings from this step in a dedicated `audits/doc-findings-<date>.md` file. These are merged into the final report in Phase A5 as a separate "Feature Doc Issues" section.
@@ -188,7 +190,7 @@ Integration context:   .mdd/jobs/audit-<date>/integration-context.md
 - "Immutable" rule arrays exported as plain mutable arrays — not `Object.freeze()` + `readonly`
 - Untrusted MCP/API/CLI input used without validation or sanitization
 - Data cached or stored without masking applied first
-- Local reimplementation of security logic — any function named `isConfined`, `isAllowed`, `isSafe`, `isBlocked`, or similar that replicates what a documented security module already provides. Require replacement with the canonical security module function.
+- Local reimplementation of security logic — any function named `isConfined`, `isAllowed`, `isSafe`, `isBlocked`, or similar that replicates what a documented security module already provides. Require replacement with the canonical security module function. Also check for any object-literal property or anonymous helper that performs path resolution and containment (`resolve` + `relative` + `startsWith('..')`) without delegating to the canonical security module — these are the same violation regardless of whether they are named functions.
 - Contract function undefined — if `integration_contracts` specifies a function name, grep the entire package for that name as an export. If the function does not exist anywhere, flag P1 regardless of whether call sites are present.
 
 **Note:** `satisfies_contracts status: pending` is checked by main in Phase A1, not here — agents cannot read feature docs.

package/commands/mdd-build.md

@@ -107,6 +107,8 @@ Before writing anything, gather context using **3 parallel Explore agents**. Lau
 
 **After all 3 return:** synthesize into a working context in the main conversation. If any agent fails, silently fall back to direct `Read`/`Glob` for that agent's data — never surface agent failures to the user unless all 3 fail.
 
+**Shared-utilities check (when Agent B returns features with `depends_on` entries):** For each dependency feature, scan its `source_files` for shared infrastructure — error types, DB clients, utility functions — that the new feature would likely duplicate. If overlap is found, surface it before asking questions: "Feature `<NN>` already has `<type/client>` in `<file>`. Extract to a shared module before implementing?" Add an extraction block to the build plan if the user agrees. This check runs here — not at Phase 6 — so duplication is caught before documentation is written.
+
 **Detect task type before asking questions.** If `src/` has fewer than 3 TypeScript/source files AND the feature description contains words like `workflow`, `command`, `config`, `docs`, `tooling`, `hook`, `script`, or `prompt` — mark as a **tooling task** and skip the database and API questions entirely.
 
 Then ask the user targeted questions using AskUserQuestion. Ask ALL relevant questions upfront in a single interaction — don't spread them across multiple turns:
@@ -240,6 +242,7 @@ path: <Area/Section>
 integration_contracts: []
 satisfies_contracts: []
 known_issues: []
+security_read_sites: []   # optional: list file:line entries where user-supplied paths are read; Phase A1 cross-checks each against path-confinement calls
 ---
 
 # <NN> — <Feature Title>

package/commands/mdd-rules-mcp.md

@@ -0,0 +1,16 @@
+## MDD Rules - MCP Tools
+
+Rules loaded when `stack.frameworks` includes `mcp`. Applied additively to audit criteria and build checklists.
+
+### Audit Criteria
+
+#### P2 - Missing Input Validation
+- MCP tool handler does not call `validateMcpInput` (or project-equivalent input validation function) as its first statement before any tool logic executes - P2. Unvalidated MCP input is an untrusted external boundary and must be treated the same as HTTP request body input.
+
+#### P3 - No Malformed Input Test
+- MCP tool handler has no test asserting it rejects malformed or missing input - P3. The test must verify the handler returns an error (not throws unhandled) when required fields are absent or the wrong type.
+
+### Build Checklist (Phase 6)
+
+- **validateMcpInput first:** Before writing any tool logic, confirm `validateMcpInput` is imported and called as the first statement in every new tool handler. Use the existing canonical reference tool in the codebase as the template.
+- **Rejection test:** For every new MCP tool, add a test that passes malformed input and asserts the handler returns a structured error response rather than throwing.

package/commands/mdd.md

@@ -160,6 +160,7 @@ For `package.json`, scan both `dependencies` and `devDependencies` for these kno
 | `mongoose` | orm | `mongoose` |
 | `jsonwebtoken`, `jose` | auth | `jwt` |
 | `passport` | auth | `passport` |
+| `@modelcontextprotocol/sdk`, `@anthropic-ai/mcp` | frameworks | `mcp` |
 
 Write detected entries back into `settings.json` under `stack` (non-destructive — only updates `stack`, never touches `overrides`, `phaseLogging`, `autoDiscovery`, or `securityScan`).
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thedecipherist/mdd",
-  "version": "1.8.1",
+  "version": "1.8.3",
   "description": "MDD — Manual-Driven Development workflow for Claude Code",
   "type": "module",
   "bin": {