npm - @vibekiln/cutline-mcp-cli - Versions diffs - 0.2.0 → 0.3.0 - Mend

@vibekiln/cutline-mcp-cli 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/commands/setup.js +1 -1
package/dist/index.js +1 -1
package/dist/servers/{chunk-LI4AZPSJ.js → chunk-6Y3AEXE3.js} +1 -1
package/dist/servers/{chunk-UBBAYTW3.js → chunk-IDSVMCGM.js} +4 -2
package/dist/servers/cutline-server.js +108 -9
package/dist/servers/{data-client-PYMN6TQ7.js → data-client-PPEF2XUI.js} +1 -1
package/dist/servers/exploration-server.js +1 -1
package/dist/servers/{graph-metrics-DCNR7JZN.js → graph-metrics-KLHCMDFT.js} +1 -1
package/dist/servers/integrations-server.js +1 -1
package/dist/servers/output-server.js +1 -1
package/dist/servers/premortem-server.js +1 -1
package/dist/servers/tools-server.js +1 -1
package/package.json +1 -1

package/dist/commands/setup.js CHANGED Viewed

@@ -27,7 +27,7 @@ const SERVER_NAMES = [
     'output',
     'integrations',
 ];
-const AUDIT_DIMENSIONS = ['engineering', 'security', 'reliability', 'scalability'];
+const AUDIT_DIMENSIONS = ['engineering', 'security', 'reliability', 'scalability', 'compliance'];
 async function detectTier(options) {
     const refreshToken = await getRefreshToken();
     if (!refreshToken)

package/dist/index.js CHANGED Viewed

@@ -55,7 +55,7 @@ program
     .option('--skip-login', 'Skip authentication (use existing credentials)')
     .option('--project-root <path>', 'Project root directory for IDE rules (default: cwd)')
     .option('--hide-audit-dimension <name>', 'Hide one audit dimension in surfaced code audit output (repeatable)', (value, prev) => [...prev, value], [])
-    .option('--hide-audit-dimensions <csv>', 'Hide multiple audit dimensions (comma-separated: engineering,security,reliability,scalability)')
+    .option('--hide-audit-dimensions <csv>', 'Hide multiple audit dimensions (comma-separated: engineering,security,reliability,scalability,compliance)')
     .action((opts) => setupCommand({
     staging: opts.staging,
     skipLogin: opts.skipLogin,

package/dist/servers/{chunk-LI4AZPSJ.js → chunk-6Y3AEXE3.js} RENAMED Viewed

@@ -287,7 +287,7 @@ async function exchangeRefreshToken(refreshToken, firebaseApiKey, maxRetries = 3
   }
   throw lastError || new Error("Token exchange failed after retries");
 }
-var AUDIT_DIMENSIONS = ["engineering", "security", "reliability", "scalability"];
+var AUDIT_DIMENSIONS = ["engineering", "security", "reliability", "scalability", "compliance"];
 function readLocalCutlineConfig() {
   try {
     const configPath = path.join(os.homedir(), ".cutline-mcp", "config.json");

package/dist/servers/{chunk-UBBAYTW3.js → chunk-IDSVMCGM.js} RENAMED Viewed

@@ -565,7 +565,8 @@ function computeGraphMetrics(entities, edges, constraints, bindings, conflicts,
     gdpr: "GDPR/CCPA",
     owasp: "OWASP LLM Top 10",
     glba: "GLBA",
-    ferpa: "FERPA/COPPA"
+    ferpa: "FERPA/COPPA",
+    ios: "iOS App Store"
   };
   const detectedFrameworks = /* @__PURE__ */ new Set();
   for (const c of constraints) {
@@ -879,7 +880,8 @@ function computeGenericGraphMetrics(entities, edges, constraints, bindings) {
     gdpr: "GDPR/CCPA",
     owasp: "OWASP LLM Top 10",
     glba: "GLBA",
-    ferpa: "FERPA/COPPA"
+    ferpa: "FERPA/COPPA",
+    ios: "iOS App Store"
   };
   const detectedFrameworks = /* @__PURE__ */ new Set();
   for (const c of constraints) {

package/dist/servers/cutline-server.js CHANGED Viewed

@@ -75,13 +75,13 @@ import {
   upsertEntities,
   upsertNodes,
   validateRequestSize
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 import {
   GraphTraverser,
   computeGenericGraphMetrics,
   computeMetricsFromGraph,
   detectConstraintConflicts
-} from "./chunk-UBBAYTW3.js";
+} from "./chunk-IDSVMCGM.js";
 // ../mcp/dist/mcp/src/cutline-server.js
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -416,6 +416,21 @@ var PATH_PATTERNS = [
     categories: ["compliance", "security"],
     domain: "fedramp",
     priority: "high"
+  },
+  {
+    patterns: [
+      /\/ios/i,
+      /\/swift/i,
+      /\/storekit/i,
+      /\/appstore/i,
+      /\/testflight/i,
+      /\.swift$/i,
+      /Info\.plist$/i
+    ],
+    keywords: ["ios", "app-store", "storekit", "iap", "testflight", "swift", "mobile"],
+    categories: ["compliance", "security", "risk"],
+    domain: "ios_app_store",
+    priority: "high"
   }
 ];
 var CODE_PATTERNS = [
@@ -590,6 +605,20 @@ var CODE_PATTERNS = [
     keywords: ["csa", "ccm", "cloud", "aws", "gcp", "azure", "cloud-security"],
     categories: ["compliance", "security"],
     domain: "csa_ccm"
+  },
+  {
+    patterns: [
+      /StoreKit/i,
+      /SKPaymentQueue/i,
+      /SKProductsRequest/i,
+      /ASAuthorizationAppleID/i,
+      /UIApplicationOpenSettingsURLString/i,
+      /ATTrackingManager/i,
+      /\.swift$/i
+    ],
+    keywords: ["ios", "app-store", "storekit", "iap", "apple-signin", "tracking-consent"],
+    categories: ["compliance", "security"],
+    domain: "ios_app_store"
   }
 ];
 function analyzeFilePaths(paths) {
@@ -2978,7 +3007,8 @@ var FRAMEWORK_ID_PREFIXES = {
   gdpr: "GDPR/CCPA",
   owasp: "OWASP LLM Top 10",
   glba: "GLBA",
-  ferpa: "FERPA/COPPA"
+  ferpa: "FERPA/COPPA",
+  ios: "iOS App Store"
 };
 function resolveFramework(constraintId) {
   if (!constraintId.startsWith("constraint:blueprint:"))
@@ -5406,6 +5436,53 @@ var BLUEPRINT_RULES = [
         framework: "ferpa_coppa"
       }
     ]
+  },
+  // ── iOS App Store Review Guidelines (mobile iOS apps) ──────────────────────
+  {
+    trigger: (eco, ctx) => {
+      const iosSignals = /ios|swift|swiftui|xcode|uikit|storekit|appstore|testflight|cocoapods|xcframework/i;
+      const hasLang = eco.languages.some((l) => /swift|objective-c|objc/i.test(l));
+      const hasFramework = eco.frameworks.some((f) => iosSignals.test(f));
+      const hasDep = eco.all_dependencies.some((d) => iosSignals.test(d));
+      const descMatch = ctx?.productDescription ? /\b(ios|iphone|ipad|app\s*store|testflight|storekit|in-app purchase|apple sign in)\b/i.test(ctx.productDescription) : false;
+      const entityMatch = ctx?.existingEntityNames?.some((n) => /\b(ios|mobile|iphone|ipad|app store|iap|storekit)\b/i.test(n)) ?? false;
+      return hasLang || hasFramework || hasDep || descMatch || entityMatch;
+    },
+    constraints: [
+      {
+        id_suffix: "ios_app_store_privacy_disclosure",
+        category: "compliance",
+        summary: "[iOS App Store 5.1] Apps collecting user data MUST provide accurate privacy disclosures and clear in-app data handling flows.",
+        keywords: ["ios", "app-store", "privacy", "disclosure", "tracking", "app-privacy"],
+        severity: "critical",
+        action: "Document data collection in App Privacy labels and align runtime behavior. Gate tracking behind explicit consent where required.",
+        checklist_ref: "IOS-5.1",
+        file_patterns: ["**/ios/**", "**/*.swift", "**/privacy*", "**/tracking/**", "**/analytics/**"],
+        framework: "ios_app_store"
+      },
+      {
+        id_suffix: "ios_app_store_iap_policy",
+        category: "compliance",
+        summary: "[iOS App Store 3.1] Digital goods/services sold in-app MUST use Apple's In-App Purchase flows where required.",
+        keywords: ["ios", "app-store", "iap", "storekit", "payments", "digital-goods"],
+        severity: "warning",
+        action: "Use StoreKit for digital purchases in iOS app surfaces. Avoid bypass payment links that violate App Store rules.",
+        checklist_ref: "IOS-3.1",
+        file_patterns: ["**/ios/**", "**/*.swift", "**/billing/**", "**/payment/**", "**/storekit/**"],
+        framework: "ios_app_store"
+      },
+      {
+        id_suffix: "ios_app_store_account_deletion",
+        category: "compliance",
+        summary: "[iOS App Store 5.1.1(v)] If account creation exists, apps MUST provide in-app account deletion with data handling consistent with policy.",
+        keywords: ["ios", "app-store", "account-deletion", "user-account", "privacy-rights"],
+        severity: "warning",
+        action: "Expose account deletion in-app for iOS users and ensure backend deletion flow is implemented and verifiable.",
+        checklist_ref: "IOS-5.1.1",
+        file_patterns: ["**/ios/**", "**/*.swift", "**/api/account*", "**/api/user*", "**/settings/**"],
+        framework: "ios_app_store"
+      }
+    ]
   }
 ];
 function buildBlueprintConstraints(ecosystem, context) {
@@ -5505,6 +5582,7 @@ Flag if the codebase contains signals that would require specific compliance fra
 - **OWASP LLM**: OpenAI, Anthropic, LangChain, vector DBs (Pinecone, Weaviate), RAG pipelines, AI agents
 - **GLBA**: Plaid, banking SDKs, KYC/AML, lending/mortgage/wealth management code
 - **FERPA/COPPA**: EdTech integrations (Clever, Canvas), student/minor data, classroom/school references
+- **iOS App Store**: iOS/Swift codepaths, App Store/TestFlight distribution, StoreKit/IAP, mobile app privacy policies
 For each detected signal, note:
 - H1. Which framework(s) apply and why
@@ -5552,7 +5630,7 @@ Return a JSON object with exactly these fields:
 - referenceClasses (string[]): Security frameworks or standards that apply (e.g., "OWASP Top 10 2021", "SOC 2 Type II").
 - constraints (object?): Resource constraints \u2014 team, budget_usd, deadline_days, must_ship_scope.
 - checklist_summary (object): Keys are checklist IDs (A1-A8, B1-B6, C1-C7, D1-D8, E1-E4, F1-F3, G-*, H1-H3, I1-I8, J1-J6, K1-K8), values are "pass"|"fail"|"warn"|"not_applicable". This forces systematic coverage.
-- compliance_signals (array of {framework: "pci_dss"|"hipaa"|"fedramp"|"gdpr_ccpa"|"owasp_llm"|"glba"|"ferpa_coppa"|"csa_ccm", signal: string, confidence: number}?): Detected compliance framework signals. Return [] if none.
+- compliance_signals (array of {framework: "pci_dss"|"hipaa"|"fedramp"|"gdpr_ccpa"|"owasp_llm"|"glba"|"ferpa_coppa"|"csa_ccm"|"ios_app_store", signal: string, confidence: number}?): Detected compliance framework signals. Return [] if none.
 Be concrete and specific. Reference file paths and line numbers where possible. If a checklist item cannot be assessed from the provided files, mark it "not_applicable" and note why. Cover ALL sections A through K.`;
 var FULL_SYSTEM_PROMPT = `You are a product analyst reviewing a codebase. Given file contents, an ecosystem fingerprint, and existing constraints, extract structured product context.
@@ -6157,13 +6235,15 @@ async function seedBlueprintConstraints(productId, ecosystem, deps, blueprintCon
   const FRAMEWORK_LABELS = {
     baseline: "Security Baseline",
     soc2: "SOC 2",
+    csa_ccm: "CSA Controls Matrix",
     pci_dss: "PCI-DSS",
     hipaa: "HIPAA",
     fedramp: "FedRAMP",
     gdpr_ccpa: "GDPR/CCPA",
     owasp_llm: "OWASP LLM Top 10",
     glba: "GLBA",
-    ferpa_coppa: "FERPA/COPPA"
+    ferpa_coppa: "FERPA/COPPA",
+    ios_app_store: "iOS App Store"
   };
   const newEntities = [];
   const newEdges = [];
@@ -6979,10 +7059,15 @@ function formatAuditOutput(result, reportId, publicSiteUrl = "https://thecutline
       return "reliability";
     if (["scalability", "performance"].includes(c))
       return "scalability";
+    if (["compliance"].includes(c))
+      return "compliance";
     if (["code_quality", "general"].includes(c))
       return "engineering";
     return "security";
   };
+  const hasComplianceFrameworks = result.frameworksLoaded.length > 0;
+  const complianceCurrent = hasComplianceFrameworks ? Math.round((m.nfr_coverage?.compliance ?? 0) * 100) : void 0;
+  const compliancePrevious = hasComplianceFrameworks ? Math.round((p?.nfr_coverage?.compliance ?? 0) * 100) : void 0;
   const lines = [
     `# Cutline Code Audit`,
     ``,
@@ -7016,12 +7101,19 @@ function formatAuditOutput(result, reportId, publicSiteUrl = "https://thecutline
       label: "Scalability",
       current: m.scalability_readiness_pct ?? 0,
       previous: p?.scalability_readiness_pct
+    },
+    {
+      key: "compliance",
+      label: "Compliance",
+      current: complianceCurrent,
+      previous: compliancePrevious,
+      na: !hasComplianceFrameworks
     }
   ].filter((row) => !hiddenSet.has(row.key));
   lines.push(``, `## Readiness Scores`, ``, `| Pillar | Score |${isRescan ? " Change |" : ""}`, `|--------|-------|${isRescan ? "--------|" : ""}`);
   if (scoreRows.length > 0) {
     for (const row of scoreRows) {
-      lines.push(`| ${row.label} | ${row.current}% |${isRescan ? deltaStr(row.current, row.previous) + " |" : ""}`);
+      lines.push(`| ${row.label} | ${row.na ? "N/A" : `${row.current ?? 0}%`} |${isRescan ? row.na ? " (n/a) |" : deltaStr(row.current, row.previous) + " |" : ""}`);
     }
     lines.push(``);
   } else {
@@ -8279,6 +8371,8 @@ Why AI: ${idea.whyAI}`
             return "reliability";
           if (["scalability", "performance"].includes(c))
             return "scalability";
+          if (["compliance"].includes(c))
+            return "compliance";
           if (["code_quality", "general"].includes(c))
             return "engineering";
           return "security";
@@ -8332,6 +8426,9 @@ Why AI: ${idea.whyAI}`
           if (!hiddenSet.has("scalability")) {
             reportMetrics.scalability_readiness_pct = result.metrics.scalability_readiness_pct ?? 0;
           }
+          if (!hiddenSet.has("compliance")) {
+            reportMetrics.compliance_readiness_pct = result.frameworksLoaded.length > 0 ? Math.round((result.metrics.nfr_coverage?.compliance ?? 0) * 100) : null;
+          }
           const visibleFindings = result.gatedGapDetails.filter((f) => !hiddenSet.has(inferFindingDimension(f.category)));
           const saved = await saveScanReport({
             metrics: reportMetrics,
@@ -9011,7 +9108,8 @@ Meta: ${JSON.stringify(output.meta)}` }
             gdpr: "GDPR/CCPA",
             owasp: "OWASP LLM Top 10",
             glba: "GLBA",
-            ferpa: "FERPA/COPPA"
+            ferpa: "FERPA/COPPA",
+            ios: "iOS App Store"
           };
           const formattedConstraints = topConstraints.map((c) => {
             const framework = detectFramework2(c.id);
@@ -10001,7 +10099,7 @@ ${JSON.stringify(metrics, null, 2)}` }
             getAllNodes(product_id),
             getAllBindings(product_id)
           ]);
-          const { computeMetricsFromGraph: computeMetricsFromGraph2 } = await import("./graph-metrics-DCNR7JZN.js");
+          const { computeMetricsFromGraph: computeMetricsFromGraph2 } = await import("./graph-metrics-KLHCMDFT.js");
           const updatedMetrics = computeMetricsFromGraph2(rgrEntities, rgrEdges, rgrConstraints, rgrBindings, updatedPhases);
           await updateGraphMetadata(product_id, {
             ...meta ?? {
@@ -10427,7 +10525,8 @@ Meta: ${JSON.stringify({
                 gdpr_ccpa: "GDPR/CCPA",
                 owasp_llm: "OWASP LLM Top 10",
                 glba: "GLBA",
-                ferpa_coppa: "FERPA/COPPA"
+                ferpa_coppa: "FERPA/COPPA",
+                ios_app_store: "iOS App Store"
               };
               const names = result.frameworksLoaded.map((f) => fwLabels[f] || f);
               sections.push(`- Compliance frameworks loaded: **${names.join(", ")}**`);

package/dist/servers/{data-client-PYMN6TQ7.js → data-client-PPEF2XUI.js} RENAMED Viewed

@@ -78,7 +78,7 @@ import {
   upsertEdges,
   upsertEntities,
   upsertNodes
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 export {
   addEdges,
   addEntity,

package/dist/servers/exploration-server.js CHANGED Viewed

@@ -14,7 +14,7 @@ import {
   requirePremiumWithAutoAuth,
   updateExplorationSession,
   validateRequestSize
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 // ../mcp/dist/mcp/src/exploration-server.js
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";

package/dist/servers/{graph-metrics-DCNR7JZN.js → graph-metrics-KLHCMDFT.js} RENAMED Viewed

@@ -3,7 +3,7 @@ import {
   computeGenericGraphMetrics,
   computeGraphMetrics,
   computeMetricsFromGraph
-} from "./chunk-UBBAYTW3.js";
+} from "./chunk-IDSVMCGM.js";
 export {
   applyGenericPrior,
   computeGenericGraphMetrics,

package/dist/servers/integrations-server.js CHANGED Viewed

@@ -13,7 +13,7 @@ import {
   requirePremiumWithAutoAuth,
   validateAuth,
   validateRequestSize
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 // ../mcp/dist/mcp/src/integrations-server.js
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";

package/dist/servers/output-server.js CHANGED Viewed

@@ -13,7 +13,7 @@ import {
   mapErrorToMcp,
   requirePremiumWithAutoAuth,
   validateRequestSize
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 // ../mcp/dist/mcp/src/output-server.js
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";

package/dist/servers/premortem-server.js CHANGED Viewed

@@ -27,7 +27,7 @@ import {
   updatePremortem,
   validateAuth,
   validateRequestSize
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 // ../mcp/dist/mcp/src/premortem-server.js
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";

package/dist/servers/tools-server.js CHANGED Viewed

@@ -21,7 +21,7 @@ import {
   requirePremiumWithAutoAuth,
   validateAuth,
   validateRequestSize
-} from "./chunk-LI4AZPSJ.js";
+} from "./chunk-6Y3AEXE3.js";
 // ../mcp/dist/mcp/src/tools-server.js
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "@vibekiln/cutline-mcp-cli",
-    "version": "0.2.0",
+    "version": "0.3.0",
     "description": "CLI and MCP servers for Cutline — authenticate, then run constraint-aware MCP servers in Cursor or any MCP client.",
     "type": "module",
     "main": "dist/index.js",