@vibekiln/cutline-mcp-cli 0.8.0 → 0.9.0

package/dist/servers/cutline-server.js

@@ -2291,6 +2291,19 @@ function healBindings(entities, bindings, filePaths) {
     total_entities: entities.length
   };
 }
+function findBoundEntities(filePath, bindings) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const matched = /* @__PURE__ */ new Set();
+  for (const binding of bindings) {
+    for (const pattern of binding.file_patterns) {
+      if (globMatch(normalized, pattern)) {
+        matched.add(binding.entity_id);
+        break;
+      }
+    }
+  }
+  return [...matched];
+}
 function tokenize(name2) {
   return name2.toLowerCase().replace(/[^a-z0-9\s]/g, " ").split(/\s+/).filter((t) => t.length > 2);
 }
@@ -4442,6 +4455,17 @@ var UNIVERSAL_CONSTRAINTS = [
     file_patterns: ["**/auth/**", "**/api/session*", "**/api/login*", "**/middleware/**", "**/config/**"],
     framework: "baseline"
   },
+  {
+    id_suffix: "password_reset_token_expiry",
+    category: "security",
+    summary: "Password reset tokens/links MUST be single-use and time-limited. Expired or reused reset tokens must fail closed.",
+    keywords: ["password-reset", "token", "expiry", "single-use", "account-takeover"],
+    severity: "critical",
+    action: "Enforce reset token TTL and one-time use semantics. Invalidate outstanding reset tokens after successful password change.",
+    checklist_ref: "A10",
+    file_patterns: ["**/auth/**", "**/api/reset*", "**/api/forgot*", "**/api/password*"],
+    framework: "baseline"
+  },
   {
     id_suffix: "backup_testing",
     category: "stability",
@@ -4687,6 +4711,83 @@ var RELIABILITY_CONSTRAINTS = [
     checklist_ref: "J10",
     file_patterns: ["**/utils/**", "**/lib/**", "**/services/**", "**/api/**"],
     framework: "baseline"
+  },
+  {
+    id_suffix: "startup_env_schema_validation",
+    category: "stability",
+    summary: "Runtime environment variables MUST be validated against an explicit schema at startup, and app boot must fail fast on invalid critical config.",
+    keywords: ["env", "startup", "schema", "validation", "fail-fast", "configuration"],
+    severity: "critical",
+    action: "Create startup env schema checks for server and public runtime variables. Crash startup when required production config is missing or malformed.",
+    checklist_ref: "J11",
+    file_patterns: ["**/config/**", "**/env/**", "**/server/**", "**/.env*"],
+    framework: "baseline"
+  },
+  {
+    id_suffix: "ui_error_boundaries",
+    category: "stability",
+    summary: "Critical user-facing UI surfaces MUST be wrapped in error boundaries to prevent full-app white screens during component crashes.",
+    keywords: ["error-boundary", "react", "ui", "crash", "fallback", "reliability"],
+    severity: "warning",
+    action: "Add error boundaries around major routes/layouts and high-risk widgets. Provide fallback UI and telemetry when boundaries catch errors.",
+    checklist_ref: "J12",
+    file_patterns: ["**/components/**", "**/pages/**", "**/app/**", "**/*error*"],
+    framework: "baseline"
+  },
+  {
+    id_suffix: "health_readiness_endpoints",
+    category: "stability",
+    summary: "Services MUST expose dedicated liveness and readiness endpoints (e.g., /api/health and /api/readyz) for monitoring and deployment safety checks.",
+    keywords: ["health", "readyz", "liveness", "readiness", "monitoring", "probe"],
+    severity: "critical",
+    action: "Implement lightweight health/readiness endpoints with no sensitive payload data. Integrate endpoints into uptime monitoring and deployment probes.",
+    checklist_ref: "J13",
+    file_patterns: ["**/api/health*", "**/api/ready*", "**/monitoring/**", "**/deploy/**"],
+    framework: "baseline"
+  },
+  {
+    id_suffix: "structured_production_logging",
+    category: "stability",
+    summary: "Production logging MUST be structured and include correlation/request IDs, with automatic redaction of tokens, API keys, and credentials.",
+    keywords: ["logging", "structured", "correlation-id", "request-id", "redaction", "observability"],
+    severity: "critical",
+    action: "Emit JSON logs in production and propagate request/correlation IDs across handlers and background jobs. Apply secret-redaction middleware before log emission.",
+    checklist_ref: "J14",
+    file_patterns: ["**/logger/**", "**/api/**", "**/middleware/**", "**/monitoring/**"],
+    framework: "baseline"
+  },
+  {
+    id_suffix: "typed_ai_generated_code",
+    category: "stability",
+    summary: "AI-generated production code MUST use TypeScript (or equivalent static typing) and pass strict type-check gates before merge.",
+    keywords: ["ai-generated", "typescript", "typing", "typecheck", "ci-gate", "quality"],
+    severity: "warning",
+    action: "Require strict type-check in CI for generated code changes and block merges on type errors. Prefer typed templates for agent-generated modules.",
+    checklist_ref: "J15",
+    file_patterns: ["**/*.ts", "**/*.tsx", "**/ai/**", "**/agents/**", "**/.github/**"],
+    framework: "baseline"
+  },
+  {
+    id_suffix: "async_email_dispatch",
+    category: "performance",
+    summary: "Transactional emails SHOULD be dispatched asynchronously (queue/background workers) so request handlers do not block on provider latency.",
+    keywords: ["email", "async", "queue", "worker", "latency", "smtp", "request-path"],
+    severity: "warning",
+    action: "Move email delivery to async jobs/queues and return request responses before provider completion. Add retry/backoff for transient send failures.",
+    checklist_ref: "J16",
+    file_patterns: ["**/api/**", "**/jobs/**", "**/workers/**", "**/email/**", "**/notifications/**"],
+    framework: "baseline"
+  },
+  {
+    id_suffix: "cdn_media_delivery",
+    category: "performance",
+    summary: "User-uploaded media MUST be stored in object storage and delivered through CDN caching, not served directly from app servers.",
+    keywords: ["cdn", "media", "uploads", "object-storage", "cache", "bandwidth"],
+    severity: "warning",
+    action: "Store uploads in object storage (S3/GCS/etc.) and serve via CDN URLs with cache headers. Keep app servers out of large media delivery paths.",
+    checklist_ref: "J17",
+    file_patterns: ["**/api/upload*", "**/storage/**", "**/media/**", "**/cdn/**", "**/config/**"],
+    framework: "baseline"
   }
 ];
 var IAC_CONSTRAINTS = [
@@ -7489,6 +7590,59 @@ function inferEntityNameFromTask(task) {
 function normalizeName(value) {
   return value.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_|_$/g, "");
 }
+function canonicalizeBindings(bindings, entities) {
+  const entityTypes = new Map(entities.map((e) => [e.id, e.type]));
+  const normalized = [];
+  for (const raw of bindings) {
+    const legacyRaw = raw;
+    const entityId = typeof raw.entity_id === "string" ? raw.entity_id : typeof legacyRaw.entityId === "string" ? legacyRaw.entityId : void 0;
+    if (!entityId || !entityTypes.has(entityId))
+      continue;
+    if (!Array.isArray(raw.file_patterns) || raw.file_patterns.length === 0)
+      continue;
+    const filePatterns = raw.file_patterns.filter((v) => typeof v === "string");
+    if (filePatterns.length === 0)
+      continue;
+    normalized.push({
+      id: typeof raw.id === "string" ? raw.id : `bind:${entityId}`,
+      entity_id: entityId,
+      entity_type: typeof raw.entity_type === "string" ? raw.entity_type : entityTypes.get(entityId),
+      file_patterns: filePatterns,
+      confidence: typeof raw.confidence === "number" ? raw.confidence : 0.5,
+      manual: Boolean(raw.manual)
+    });
+  }
+  return normalized;
+}
+function rankEntitiesForFilePath(filePath, entities) {
+  const normalizedPath = filePath.toLowerCase().replace(/\\/g, "/");
+  const fileStem = normalizedPath.split("/").pop()?.replace(/\.[^.]+$/, "") ?? "";
+  const pathTokens = new Set(normalizedPath.replace(/\.[^.]+$/, "").split(/[\/._-]/).filter((t) => t.length >= 3));
+  const scored = entities.map((entity) => {
+    const labels = [entity.name, ...entity.aliases].filter(Boolean);
+    if (labels.length === 0)
+      return { entity, score: 0 };
+    let score = 0;
+    for (const label of labels) {
+      const labelNorm = normalizeName(label);
+      const labelTokens = labelNorm.split("_").filter((t) => t.length >= 3);
+      if (labelTokens.length === 0)
+        continue;
+      const matchedTokens = labelTokens.filter((t) => pathTokens.has(t)).length;
+      if (matchedTokens > 0) {
+        score = Math.max(score, matchedTokens / labelTokens.length);
+      }
+      if (normalizedPath.includes(labelNorm.replace(/_/g, "/"))) {
+        score = Math.max(score, 0.9);
+      }
+      if (fileStem === labelNorm || fileStem.includes(labelNorm) || labelNorm.includes(fileStem)) {
+        score = Math.max(score, 0.8);
+      }
+    }
+    return { entity, score };
+  }).filter((item) => item.score >= 0.45).sort((a, b) => b.score - a.score);
+  return scored.map((item) => item.entity);
+}
 async function seedScopeEntityFromAuto(params) {
   const { product_id, name: name2, entity_type, description, parent_id, tags, similarity_threshold } = params;
   const slug = normalizeName(name2).slice(0, 40);
@@ -9557,7 +9711,6 @@ ${recommendation}`;
                   used_category_prefilter: usePreFilter,
                   phase: autoPhase,
                   rgr_plan: autoRgrPlan || void 0,
-                  requested_outcome: requestedOutcome,
                   scope_expansion: scopeExpansion,
                   scope_seeded: scopeSeedResult || void 0,
                   requested_outcome: requestedOutcome
@@ -10414,20 +10567,22 @@ ${JSON.stringify(metrics, null, 2)}` }
               }]
             };
           }
-          const rgrTraverser = new GraphTraverser(rgrEntities, rgrEdges, rgrConstraints, rgrBindings);
+          const normalizedBindings = canonicalizeBindings(rgrBindings, rgrEntities);
+          const rgrTraverser = new GraphTraverser(rgrEntities, rgrEdges, rgrConstraints, normalizedBindings);
           const rgrMatched = rgrTraverser.findEntitiesByFilePath(file_path);
           if (rgrMatched.length === 0) {
-            const segs = file_path.split("/").pop()?.replace(/\.[^.]+$/, "")?.split(/[-_]/) ?? [];
-            for (const seg of segs) {
-              if (seg.length > 2) {
-                const found = rgrTraverser.findEntityByName(seg);
-                if (found) {
-                  rgrMatched.push(found);
-                  break;
-                }
+            const reverseMatchedIds = findBoundEntities(file_path, normalizedBindings);
+            for (const id of reverseMatchedIds) {
+              const found = rgrEntities.find((entity) => entity.id === id);
+              if (found) {
+                rgrMatched.push(found);
               }
             }
           }
+          if (rgrMatched.length === 0) {
+            const rankedFallback = rankEntitiesForFilePath(file_path, rgrEntities).slice(0, 2);
+            rgrMatched.push(...rankedFallback);
+          }
           if (rgrMatched.length === 0) {
             const governance2 = buildGovernanceEnvelope({
               decision: "revise",

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@vibekiln/cutline-mcp-cli",
-    "version": "0.8.0",
+    "version": "0.9.0",
     "description": "CLI and MCP servers for Cutline — authenticate, then run constraint-aware MCP servers in Cursor or any MCP client.",
     "type": "module",
     "main": "dist/index.js",