@triedotdev/mcp 1.0.38 → 1.0.40

package/README.md

@@ -4,6 +4,8 @@
 
 Specialized agents scan your code for security, privacy, compliance, and bugs—all running in parallel with intelligent caching and real-time streaming.
 
+Also try the agentic workspace for shipping AI-generated code: https://www.trie.dev
+
 ## Why Trie
 
 Trie is purpose-built for the last mile of shipping AI-generated code.
@@ -12,6 +14,10 @@ The last mile of shipping is where things break—not because your code doesn't
 
 ## What's New (latest updates)
 
+- **Project Info Registry**: Store important project context in `.trie/PROJECT.md` that travels with you across Claude Code, Cursor, GitHub Actions, and CLI. Define your project description, tech stack, conventions, architecture, and custom AI instructions—all in one place.
+
+- **Accessibility Agent (v2.0)**: Comprehensive WCAG 2.1 AA compliance. Detects icon-only buttons, touch targets, skipped headings, positive tabIndex, ARIA validation, color-only indicators, and 20+ more checks with WCAG criterion references.
+
 - **Health Score Triaging**: Your health score (0-100) now actively controls what agents run. Below 50%? All agents run automatically. Agents that found issues before get boosted priority in future scans.
 
 - **Moneybags Agent**: Estimates dollar cost of bugs using IBM/NIST research. Costs scale with your user count—use `--users 10000` to match your scale (default: 250 users).
@@ -28,16 +34,18 @@ The last mile of shipping is where things break—not because your code doesn't
 - [MCP Tools](#mcp-tools)
 - [CLI](#cli)
 - [Built-in Agents](#built-in-agents)
+- [Accessibility Agent (v2.0)](#accessibility-agent-v20)
 - [Moneybags Agent (v1.1)](#moneybags-agent-v11)
 - [Legal Agent (v2.0)](#legal-agent-v20)
 - [Design Engineer (v2.0)](#design-engineer-v20)
 - [Special Agents](#special-agents)
 - [Custom Agents](#custom-agents)
+- [Project Info Registry](#project-info-registry)
 - [AI-Enhanced Mode](#ai-enhanced-mode)
 - [CI/CD Integration](#cicd-integration)
 - [VS Code Extension](#vs-code-extension)
 - [Agent Context System](#agent-context-system)
-- [Production Shipping](#production-shipping)
+- [Production Shipping](#production-shipping) (Production Ready Agent)
 - [Configuration](#configuration)
 - [License](#license)
 
@@ -383,6 +391,7 @@ These tools are available when using Trie via MCP (Cursor, Claude Code, etc.).
 | `trie_watch` | Watch mode—automatically scan files as you code |
 | `trie_fix` | Generate fix recommendations for detected issues |
 | `trie_explain` | Explain code, issues, or changes in plain language |
+| `trie_project` | View and manage project info (.trie/PROJECT.md) |
 
 ### Custom Agent Tools
 
@@ -402,7 +411,7 @@ Run a specific agent directly:
 | `trie_privacy` | GDPR/CCPA/PCI-DSS compliance, PII exposure, logging sensitive data |
 | `trie_soc2` | Access control gaps, missing audit logs, encryption issues |
 | `trie_legal` | Licensing, ToS, accessibility, IP, GDPR/CCPA, e-commerce, marketing, COPPA |
-| `trie_accessibility` | WCAG 2.1 compliance, keyboard nav, screen readers, color contrast |
+| `trie_accessibility` | WCAG 2.1 AA: icon-only buttons, touch targets, heading levels, ARIA validation, focus management, 20+ checks |
 | `trie_architecture` | Code organization, SOLID principles, N+1 queries, scalability |
 | `trie_bugs` | Null safety, edge cases, async issues, common bugs |
 | `trie_types` | Type errors, missing annotations, null checks |
@@ -483,7 +492,7 @@ trie-agent agents
 
 | Agent | Description |
 |-------|-------------|
-| **Accessibility** | WCAG 2.1 compliance, keyboard nav, screen readers, color contrast |
+| **Accessibility** | WCAG 2.1 AA compliance: icon-only buttons, touch targets, heading levels, ARIA validation, color-only indicators, keyboard nav, focus management, 20+ checks |
 | **Design Engineer** | AI slop detection, verified token systems, contrast validation, design health scoring, domain-aware recommendations |
 | **User Testing** | Simulate happy path, security tester, confused user, impatient user |
 | **Visual QA** | Visual regression, responsive design, cross-browser issues |
@@ -501,6 +510,128 @@ trie-agent agents
 
 ---
 
+## Accessibility Agent (v2.0)
+
+The Accessibility Agent has been completely rebuilt to provide comprehensive WCAG 2.1 AA compliance checking—matching and exceeding tools like rams.ai, axe-core, and Lighthouse.
+
+### Severity Levels
+
+| Level | Description | Examples |
+|-------|-------------|----------|
+| **Critical** | Blocks access entirely | Images without alt, icon-only buttons without labels, empty links |
+| **Serious** | Significantly impairs access | Focus outline removed, positive tabIndex, missing ARIA attributes |
+| **Moderate** | Creates barriers | Skipped headings, color-only indicators, small touch targets |
+| **Low** | Best practices | Missing semantic elements, external link warnings |
+
+### What It Detects
+
+#### Critical Issues
+
+| Issue | WCAG | Description |
+|-------|------|-------------|
+| Images without alt text | 1.1.1 | Screen readers cannot describe the image |
+| Icon-only buttons missing aria-label | 4.1.2 | Screen readers announce "button" with no purpose |
+| Non-semantic click handlers | 2.1.1 | `div onClick` without keyboard support blocks keyboard users |
+| Empty links | 2.4.4 | Links with no text content are unusable |
+| Links without href | 2.4.4 | Anchor elements must have destinations |
+
+#### Serious Issues
+
+| Issue | WCAG | Description |
+|-------|------|-------------|
+| Focus outline removed | 2.4.7 | `outline: none` without replacement hides keyboard focus |
+| Positive tabIndex values | 2.4.3 | `tabIndex={5}` disrupts natural tab order |
+| Role without required ARIA | 4.1.2 | `role="slider"` needs `aria-valuenow`, `aria-valuemin`, `aria-valuemax` |
+| Form inputs without labels | 1.3.1 | Inputs must have associated labels or aria-label |
+| Color-only status indicators | 1.4.1 | Red/green for error/success excludes colorblind users |
+| Placeholder as only label | 3.3.2 | Placeholder disappears when user types |
+| Modal without Escape key | 2.1.2 | Keyboard users may be trapped in modal |
+
+#### Moderate Issues
+
+| Issue | WCAG | Description |
+|-------|------|-------------|
+| Skipped heading levels | 2.4.6 | h1 → h3 confuses screen reader navigation |
+| First heading not h1 | 2.4.6 | Pages should start with h1 |
+| Touch targets under 24px | 2.5.8 | Minimum 24×24px for WCAG AA |
+| Missing autocomplete | 1.3.5 | Helps users fill forms faster |
+| Generic link text | 2.4.4 | "Click here" is meaningless out of context |
+| Missing prefers-reduced-motion | 2.3.3 | Animations can trigger vestibular disorders |
+| Status messages without aria-live | 4.1.3 | Toasts/alerts not announced to screen readers |
+
+#### Low Issues
+
+| Issue | WCAG | Description |
+|-------|------|-------------|
+| Touch targets under 44px | 2.5.5 | Recommended 44×44px for AAA |
+| Missing semantic elements | 1.3.1 | `<div class="nav">` should be `<nav>` |
+| External links without warning | 3.2.5 | `target="_blank"` should indicate new window |
+| Disabled elements without explanation | — | Users need to know why action is unavailable |
+
+### ARIA Validation
+
+The agent validates that ARIA roles have their required attributes:
+
+| Role | Required Attributes |
+|------|---------------------|
+| `checkbox` | `aria-checked` |
+| `slider` | `aria-valuenow`, `aria-valuemin`, `aria-valuemax` |
+| `combobox` | `aria-expanded`, `aria-controls` |
+| `progressbar` | `aria-valuenow`, `aria-valuemin`, `aria-valuemax` |
+| `tab` | `aria-selected` |
+| `switch` | `aria-checked` |
+
+### Accessibility Score
+
+Each scan produces an **Accessibility Score** (0-100) based on issue severity:
+
+```
+═══════════════════════════════════════════════════
+ACCESSIBILITY REVIEW: src/components/
+═══════════════════════════════════════════════════
+
+CRITICAL (2 issues)
+───────────────────
+[A11Y] Line 24: Icon-only button missing accessible name
+  <button><CloseIcon /></button>
+  Fix: Add aria-label="Close"
+  WCAG: 4.1.2 Name, Role, Value
+
+SERIOUS (1 issue)
+─────────────────
+[A11Y] Line 48: Focus outline removed without replacement
+  className="outline-none"
+  Fix: Add focus-visible:ring-2 focus-visible:ring-offset-2
+  WCAG: 2.4.7 Focus Visible
+
+MODERATE (2 issues)
+───────────────────
+[A11Y] Line 67: Skipped heading level: h1 to h3
+  <h3>Features</h3>
+  Fix: Use h2 after h1
+  WCAG: 2.4.6 Headings and Labels
+
+═══════════════════════════════════════════════════
+SUMMARY: 2 critical, 1 serious, 2 moderate
+Score: 55/100
+═══════════════════════════════════════════════════
+```
+
+### Usage
+
+```bash
+# Run accessibility scan
+trie scan --agents accessibility
+
+# Full UI scan (accessibility + design)
+trie scan --agents accessibility,design-engineer
+
+# MCP usage
+trie_accessibility
+```
+
+---
+
 ## Moneybags Agent
 
 The Moneybags agent answers the question every CFO asks: **"How much will this bug cost us?"**
@@ -818,6 +949,141 @@ Custom agents are stored in `.trie/agents/` in your project directory.
 
 ---
 
+## Project Info Registry
+
+Store important project-specific information in `.trie/PROJECT.md` that's automatically available to all AI tools.
+
+### Why Project Info?
+
+When you work across multiple tools (Cursor, Claude Code, GitHub Actions, CLI), context gets lost. The Project Info Registry solves this by providing a single source of truth for:
+
+- Project description and purpose
+- Technology stack and frameworks
+- Architecture decisions and patterns
+- Coding conventions and style guidelines
+- Environment info (URLs, API endpoints)
+- Team ownership and contacts
+- Compliance requirements
+- Custom instructions for AI assistants
+
+### Create PROJECT.md
+
+**Using CLI:**
+```bash
+trie-agent project init
+```
+
+**Using MCP (Cursor/Claude Code):**
+```
+trie_project action="init"
+```
+
+This creates a template at `.trie/PROJECT.md` with sections ready to fill in.
+
+### View Project Info
+
+**CLI:**
+```bash
+trie-agent project
+```
+
+**MCP:**
+```
+trie_project action="view"
+```
+
+**MCP Resource:**
+```
+Read trie://project
+```
+
+### Update Sections
+
+**MCP:**
+```
+trie_project action="update" section="Technology Stack" content="- **Language:** TypeScript\n- **Framework:** Next.js 14\n- **Database:** PostgreSQL"
+```
+
+### How It Works
+
+```
+your-project/
+├── .trie/
+│   └── PROJECT.md    ← Your project context
+├── src/
+└── package.json
+```
+
+The PROJECT.md file is:
+- **Committed to git** — context travels with your code
+- **Available via `trie://project`** — AI tools can read it directly
+- **Integrated into `trie://context`** — included in overall project context
+- **Per-project** — each project has its own file
+
+### Template Sections
+
+| Section | What to Include |
+|---------|-----------------|
+| **Project Overview** | What does this project do? Who is it for? |
+| **Technology Stack** | Languages, frameworks, databases, cloud services |
+| **Architecture** | Key patterns, system design, important decisions |
+| **Coding Conventions** | Style rules, naming conventions, patterns to follow |
+| **Environment** | Dev/staging/prod URLs, API endpoints |
+| **Team** | Who owns what, contact info |
+| **Compliance** | GDPR, SOC2, HIPAA requirements |
+| **AI Instructions** | Special instructions for AI assistants |
+
+### Example PROJECT.md
+
+```markdown
+## Project Overview
+
+E-commerce platform for sustainable products. 
+Focus on fast checkout and mobile-first UX.
+
+## Technology Stack
+
+- **Language:** TypeScript
+- **Framework:** Next.js 14 (App Router)
+- **Database:** PostgreSQL with Prisma ORM
+- **Hosting:** Vercel + Supabase
+
+## Architecture
+
+- Server Components by default, Client Components only when needed
+- tRPC for type-safe API calls
+- Zustand for client state
+
+## Coding Conventions
+
+- Use `pnpm` for package management
+- Prefer named exports over default exports
+- Use Tailwind CSS, no inline styles
+- Tests required for payment-related code
+
+## AI Instructions
+
+When working on this project:
+1. Always use Server Components unless client interactivity is needed
+2. Check for accessibility issues (we target WCAG AA)
+3. Payment code must be reviewed by security agent before commit
+```
+
+### Multi-Project Support
+
+Each project has its own `.trie/PROJECT.md`:
+
+```
+~/projects/
+├── project-a/.trie/PROJECT.md  ← Project A's context
+├── project-b/.trie/PROJECT.md  ← Project B's context  
+└── project-c/.trie/PROJECT.md  ← Project C's context
+```
+
+When you open Project A in Cursor, it reads Project A's context. Switch to Project B, and it reads Project B's context. No configuration needed.
+
+---
+
 ## AI-Enhanced Mode
 
 Trie works in two modes:
@@ -933,20 +1199,49 @@ Every time you scan, Trie updates a file in your project (`.trie/AGENTS.md`) wit
 | Push to GitHub | CI/CD knows what to focus on |
 | Ask Trie "what should I fix?" | Gives prioritized answer based on your history |
 
+### File Size Management
+
+The context system uses automatic limits to prevent unbounded growth:
+
+| Limit | Value | What Happens |
+|-------|-------|--------------|
+| Max tracked issues | 500 | Oldest issues pruned when exceeded |
+| Locations per issue | 5 | Only most recent locations kept |
+| Scan history | 20 scans | Older scan records removed |
+| Hot files | 10 files | Only top 10 shown |
+| Issue age | 30 days | Stale resolved issues pruned |
+
+You don't need to manage this - Trie automatically prunes old data on each scan.
+
+### Multiple Projects
+
+Each project has its own isolated context:
+
+| Scenario | How It Works |
+|----------|--------------|
+| Switch between projects | Each project has its own `.trie/` folder |
+| Clone on new machine | Context restored from committed `.trie/` files |
+| Monorepo with workspaces | Each workspace can have its own `.trie/` |
+| Team collaboration | Same context when pulling changes |
+
+Trie auto-detects your project root by looking for `package.json`, `.git`, `Cargo.toml`, `go.mod`, or similar project indicators.
+
 ### For Developers: Technical Details
 
 <details>
 <summary>MCP Resources (click to expand)</summary>
 
 ```
-trie://context        # AGENTS.md content (read this first)
+trie://context        # Combined context (PROJECT.md + scan results)
+trie://project        # User-defined project info (PROJECT.md)
 trie://context/state  # Detailed JSON state
 trie://agents         # Available agents
 trie://config         # Current configuration
 ```
 
 Files stored:
-- `.trie/AGENTS.md` - Human-readable context
+- `.trie/PROJECT.md` - User-defined project context (description, stack, conventions, AI instructions)
+- `.trie/AGENTS.md` - Auto-generated scan context
 - `.trie/state.json` - Machine-readable state for programmatic access
 
 </details>
@@ -955,27 +1250,31 @@ Files stored:
 
 ## Production Shipping
 
-Trie solves the "last mile" of shipping to production. See [PRODUCTION_SHIPPING.md](./PRODUCTION_SHIPPING.md) for the complete guide.
+Trie solves the "last mile" of shipping to production with the **Production Ready** agent.
 
 ### Quick Production Check
 
 ```bash
-# Full production readiness scan
-trie scan --agents security,privacy,bugs,performance --fail-on serious
+# Run production readiness scan
+trie scan --agents production-ready
 
-# Or via MCP
-trie_scan with agents: ["security", "privacy", "bugs", "performance"]
+# Full production scan with cost analysis
+trie scan --agents production-ready,moneybags,security --users 10000
 ```
 
-### What It Covers
+### What Production Ready Checks
 
 | Area | What's Checked |
 |------|----------------|
-| **Security Hardening** | SQL injection, XSS, auth bypass, secrets, dependencies |
-| **Scalability** | Connection pooling, stateless design, N+1 queries |
-| **Architecture** | Circular dependencies, god classes, coupling |
-| **Reliability** | Error handling, health checks, timeouts |
-| **Revenue Protection** | Payment security, data compliance, business logic |
+| **Health Endpoints** | `/health`, `/ready`, `/live` endpoints for orchestrators |
+| **Graceful Shutdown** | SIGTERM handling, connection draining |
+| **Connection Pooling** | Database pool configuration |
+| **Security Headers** | CSP, HSTS, X-Frame-Options, etc. |
+| **Rate Limiting** | API rate limiting configuration |
+| **Monitoring** | Error tracking, APM integration |
+| **Session Storage** | External session store (not in-memory) |
+| **Error Handling** | Global error handlers, no empty catch blocks |
+| **Anti-patterns** | console.log, localhost URLs, TODO comments |
 
 ### CI/CD Gate
 
@@ -984,7 +1283,7 @@ Add to your workflow:
 ```yaml
 - uses: triedotdev/trie-action@v1
   with:
-    agents: security,privacy,bugs,performance,architecture
+    agents: production-ready,security,privacy,moneybags
     fail-on: serious
     upload-sarif: true
 ```