atabey 0.0.6 → 0.0.8

package/framework-mcp/dist/tools/file_system/write_file.js

@@ -3,18 +3,23 @@ import path from "path";
 import { safePath, resolveFrameworkDir } from "../../utils/security.js";
 import { writeTextFileAtomic, appendFileSafe } from "../../utils/fs.js";
 import { Metrics } from "../../utils/metrics.js";
-import { verifyCorporateCompliance } from "../../utils/compliance.js";
-export function handleWriteFile(projectRoot, args) {
+import { verifyCorporateCompliance, verifyRiskAndAwaitApproval } from "../../utils/compliance.js";
+import { verifyWritePermission } from "../../utils/permissions.js";
+export async function handleWriteFile(projectRoot, args) {
     if (!args.path || args.content === undefined) {
         const err = "Missing 'path' or 'content' argument.";
         Metrics.logError(projectRoot, "@mcp", "write_file", err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
     try {
         const filePath = safePath(projectRoot, args.path);
         const content = args.content;
+        // ENFORCE PERMISSION MATRIX
+        verifyWritePermission(projectRoot, args.path);
         // ENFORCE CORPORATE COMPLIANCE
         verifyCorporateCompliance(content, args.path);
+        // ENFORCE RISK & HUMAN APPROVAL GATEWAY
+        await verifyRiskAndAwaitApproval(projectRoot, content, args.path);
         writeTextFileAtomic(filePath, content);
         // AUTO-LOGGING & METRICS
         const tokens = Metrics.estimateTokens(content);
@@ -28,11 +33,11 @@ export function handleWriteFile(projectRoot, args) {
             }
         }
         catch { /* ignore memory logging errors */ }
-        return { content: [{ type: "text", text: `✅ File written: ${args.path}` }] };
+        return { content: [{ type: "text", text: `[OK] File written: ${args.path}` }] };
     }
     catch (e) {
         const err = `Failed to write file: ${String(e)}`;
         Metrics.logError(projectRoot, "@mcp", `write_file:${args.path}`, err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
 }

package/framework-mcp/dist/tools/framework/audit_deps.js

@@ -22,7 +22,7 @@ export function handleAuditDependencies(projectRoot, _args) {
     for (const [group, patterns] of Object.entries(similarityGroups)) {
         const found = depNames.filter(d => patterns.some(p => d.includes(p)));
         if (found.length > 1) {
-            results.push(`⚠️  Potential redundancy in [${group}]: Found ${found.join(", ")}`);
+            results.push(`[WARN]  Potential redundancy in [${group}]: Found ${found.join(", ")}`);
         }
     }
     // 2. Scan for "any" usage in package names (bad practice markers)
@@ -35,7 +35,7 @@ export function handleAuditDependencies(projectRoot, _args) {
                 type: "text",
                 text: results.length > 0
                     ? `Dependency Audit Results:\n\n${results.join("\n")}`
-                    : "✅ Dependencies look clean and consolidated."
+                    : "[OK] Dependencies look clean and consolidated."
             }]
     };
 }

package/framework-mcp/dist/tools/framework/run_tests.js

@@ -9,7 +9,7 @@ export function handleRunTests(projectRoot, args) {
     try {
         const output = execSync(testCommand, { cwd: projectRoot, encoding: "utf8", stdio: "pipe" });
         return {
-            content: [{ type: "text", text: `✅ Tests passed successfully for ${language}!\n\n${output}` }]
+            content: [{ type: "text", text: `[OK] Tests passed successfully for ${language}!\n\n${output}` }]
         };
     }
     catch (error) {
@@ -20,7 +20,7 @@ export function handleRunTests(projectRoot, args) {
             isError: true,
             content: [{
                     type: "text",
-                    text: `❌ Tests FAILED for ${language}!\n\n--- STDOUT ---\n${stdout}\n\n--- STDERR ---\n${stderr}`
+                    text: `[ERROR] Tests FAILED for ${language}!\n\n--- STDOUT ---\n${stdout}\n\n--- STDERR ---\n${stderr}`
                 }]
         };
     }

package/framework-mcp/dist/tools/framework/submit_plan.js

@@ -0,0 +1,13 @@
+import { safeExec } from "../../utils/cli.js";
+export function handleSubmitPlan(projectRoot, args) {
+    if (!args.tasks || !Array.isArray(args.tasks)) {
+        return {
+            isError: true,
+            content: [{ type: "text", text: "[ERROR] Error: 'tasks' array is required for submit_plan." }]
+        };
+    }
+    const planJson = JSON.stringify(args.tasks);
+    // Escape for shell if necessary, but safeExec handles arguments as an array
+    const output = safeExec("npx", ["atabey", "plan:submit", planJson], projectRoot);
+    return { content: [{ type: "text", text: output }] };
+}

package/framework-mcp/dist/tools/framework/update_memory.js

@@ -4,5 +4,5 @@ export function handleUpdateProjectMemory(projectRoot, args) {
     const content = args.content;
     // Using execFileSync with array args prevents command injection
     safeExec("npx", ["atabey", "update_project_memory", section, content], projectRoot);
-    return { content: [{ type: "text", text: `✅ Section ${section} updated.` }] };
+    return { content: [{ type: "text", text: `[OK] Section ${section} updated.` }] };
 }

package/framework-mcp/dist/tools/index.js

@@ -15,6 +15,7 @@ import { handleRunTests } from "./framework/run_tests.js";
 import { handleGetSystemHealth } from "./observability/get_health.js";
 import { handleCheckPorts } from "./observability/check_ports.js";
 import { handleOrchestrateLoop } from "./framework/orchestrate.js";
+import { handleSubmitPlan } from "./framework/submit_plan.js";
 import { handleUpdateContractHash } from "./framework/update_contract_hash.js";
 import { handleReadProjectMemory } from "./memory/read_memory.js";
 import { handleGetMemoryInsights } from "./memory/get_insights.js";
@@ -48,6 +49,7 @@ export const toolHandlers = {
     get_system_health: bind(handleGetSystemHealth),
     check_active_ports: bind(handleCheckPorts),
     orchestrate_loop: bind(handleOrchestrateLoop),
+    submit_plan: bind(handleSubmitPlan),
     send_agent_message: bind(handleSendAgentMessage),
     log_agent_action: bind(handleLogAgentAction),
     update_contract_hash: bind(handleUpdateContractHash),

package/framework-mcp/dist/tools/memory/get_insights.js

@@ -25,7 +25,7 @@ export function handleGetMemoryInsights(projectRoot, _args) {
                 .slice(-5)
                 .join("\n");
         }
-        const insights = `🧠 **Memory Insights**\n- **Phase:** ${activePhase}\n- **Trace:** ${activeTrace}\n\n**Recent Actions:**\n${recentHistory}`;
+        const insights = `[MEMORY] **Memory Insights**\n- **Phase:** ${activePhase}\n- **Trace:** ${activeTrace}\n\n**Recent Actions:**\n${recentHistory}`;
         return { content: [{ type: "text", text: insights }] };
     }
     catch (e) {

package/framework-mcp/dist/tools/messaging/log_action.js

@@ -18,5 +18,5 @@ export function handleLogAgentAction(projectRoot, args) {
     };
     fs.mkdirSync(path.dirname(logPath), { recursive: true });
     fs.appendFileSync(logPath, JSON.stringify(logEntry) + "\n");
-    return { content: [{ type: "text", text: `✅ Action logged for ${agent} to ${path.join(frameworkDir, "logs", `${agentName}.json`)}` }] };
+    return { content: [{ type: "text", text: `[OK] Action logged for ${agent} to ${path.join(frameworkDir, "logs", `${agentName}.json`)}` }] };
 }

package/framework-mcp/dist/tools/messaging/send_message.js

@@ -8,7 +8,7 @@ export async function handleSendAgentMessage(projectRoot, args) {
     if (!to || !category || !content || !traceId) {
         const err = "Missing required messaging arguments (to, category, content, or traceId).";
         Metrics.logError(projectRoot, from, "send_agent_message", err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
     const frameworkDir = resolveFrameworkDir(projectRoot);
     const messagesDir = path.join(projectRoot, frameworkDir, "messages");
@@ -47,14 +47,14 @@ export async function handleSendAgentMessage(projectRoot, args) {
                 }
             }
             else {
-                return { content: [{ type: "text", text: `❌ Unexpected lock acquisition error: ${error.message || String(err)}` }], isError: true };
+                return { content: [{ type: "text", text: `[ERROR] Unexpected lock acquisition error: ${error.message || String(err)}` }], isError: true };
             }
         }
     }
     if (!acquired) {
         const err = `Could not send message to ${to}: Hermes lock is busy.`;
         Metrics.logError(projectRoot, from, "send_agent_message", err);
-        return { content: [{ type: "text", text: `❌ ${err}` }], isError: true };
+        return { content: [{ type: "text", text: `[ERROR] ${err}` }], isError: true };
     }
     try {
         const defaultPriority = (category === "ALERT" || category === "ACTION") ? "HIGH" : "NORMAL";
@@ -74,12 +74,12 @@ export async function handleSendAgentMessage(projectRoot, args) {
             requiresApproval: finalRequiresApproval
         };
         fs.appendFileSync(messagePath, JSON.stringify(message) + "\n");
-        return { content: [{ type: "text", text: `✅ Message sent to ${to} (from: ${from})` }] };
+        return { content: [{ type: "text", text: `[OK] Message sent to ${to} (from: ${from})` }] };
     }
     catch (e) {
         const err = `Failed to write message: ${String(e)}`;
         Metrics.logError(projectRoot, from, "send_agent_message", err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
     finally {
         if (acquired && fs.existsSync(lockPath)) {

package/framework-mcp/dist/tools/observability/check_ports.js

@@ -14,7 +14,7 @@ export function handleCheckPorts(projectRoot, args) {
         return {
             content: [{
                     type: "text",
-                    text: `📡 **Active Listening Ports:**\n\n${output || "No active listening ports found matching filter."}`
+                    text: `[SIGNAL] **Active Listening Ports:**\n\n${output || "No active listening ports found matching filter."}`
                 }]
         };
     }

package/framework-mcp/dist/tools/quality/check_lint.js

@@ -17,13 +17,13 @@ export function handleCheckLint(projectRoot, _args) {
                 Metrics.logError(projectRoot, "@mcp", "check_lint", err);
                 resolve({
                     isError: true,
-                    content: [{ type: "text", text: `❌ Lint Errors Found (${language}):\n\n${output}` }]
+                    content: [{ type: "text", text: `[ERROR] Lint Errors Found (${language}):\n\n${output}` }]
                 });
                 return;
             }
             Metrics.logUsage(projectRoot, "@mcp", "check_lint", tokens);
             resolve({
-                content: [{ type: "text", text: `✅ Lint check passed successfully for ${language}:\n\n${output}` }]
+                content: [{ type: "text", text: `[OK] Lint check passed successfully for ${language}:\n\n${output}` }]
             });
         });
     });

package/framework-mcp/dist/tools/search/get_gaps.js

@@ -42,7 +42,7 @@ export function handleGetProjectGaps(projectRoot, args) {
                 type: "text",
                 text: results.length > 0
                     ? `Found ${results.length} gaps/todos:\n\n${results.join("\n")}`
-                    : "✅ No major gaps or TODOs found in the scanned directory."
+                    : "[OK] No major gaps or TODOs found in the scanned directory."
             }]
     };
 }

package/framework-mcp/dist/tools/search/grep_search.js

@@ -11,7 +11,7 @@ export function handleGrepSearch(projectRoot, args) {
     if (!pattern) {
         const err = "Search pattern is required.";
         Metrics.logError(projectRoot, "@mcp", "grep_search", err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
     const results = [];
     try {
@@ -20,7 +20,7 @@ export function handleGrepSearch(projectRoot, args) {
     catch (e) {
         const err = `Invalid regex pattern: ${String(e)}`;
         Metrics.logError(projectRoot, "@mcp", "grep_search", err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
     const walk = (dir) => {
         if (results.length > 100)
@@ -62,7 +62,7 @@ export function handleGrepSearch(projectRoot, args) {
     catch (e) {
         const err = `Search failed: ${String(e)}`;
         Metrics.logError(projectRoot, "@mcp", "grep_search", err);
-        return { isError: true, content: [{ type: "text", text: `❌ ${err}` }] };
+        return { isError: true, content: [{ type: "text", text: `[ERROR] ${err}` }] };
     }
     return {
         content: [{

package/framework-mcp/dist/utils/compliance.js

@@ -1,4 +1,7 @@
 import ts from "typescript";
+import fs from "fs";
+import path from "path";
+import { resolveFrameworkDir } from "./security.js";
 /**
  * Enterprise Compliance Guardrail
  * Checks content against corporate standards using AST analysis before allowing file mutations.
@@ -22,7 +25,7 @@ export function verifyCorporateCompliance(content, filePath) {
                 if (["log", "warn", "error"].includes(name)) {
                     // Check if file is exempt
                     if (!filePath.includes("logger.ts") && !filePath.includes("check.ts") && !filePath.includes("cli.ts")) {
-                        errors.push(`❌ Corporate Compliance Breach: 'console.${name}' usage is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
+                        errors.push(`[ERROR] Corporate Compliance Breach: 'console.${name}' usage is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
                     }
                 }
             }
@@ -31,7 +34,7 @@ export function verifyCorporateCompliance(content, filePath) {
         if (ts.isTypeReferenceNode(node)) {
             if (ts.isIdentifier(node.typeName) && node.typeName.text === "any") {
                 if (!filePath.includes("definitions.ts") && !filePath.includes("types.ts")) {
-                    errors.push(`❌ Corporate Compliance Breach: 'any' type is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
+                    errors.push(`[ERROR] Corporate Compliance Breach: 'any' type is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
                 }
             }
         }
@@ -42,14 +45,14 @@ export function verifyCorporateCompliance(content, filePath) {
                 const forbiddenLibs = ["@chakra-ui", "mui", "@shadcn", "antd", "bootstrap"];
                 const lib = forbiddenLibs.find(l => moduleSpecifier.text.includes(l));
                 if (lib) {
-                    errors.push(`❌ Corporate Compliance Breach: External UI library '${lib}' usage is FORBIDDEN at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}. Build atomic components manually instead.`);
+                    errors.push(`[ERROR] Corporate Compliance Breach: External UI library '${lib}' usage is FORBIDDEN at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}. Build atomic components manually instead.`);
                 }
             }
         }
         // Handle 'any' as a keyword type (e.g., parameter: any)
         if (node.kind === ts.SyntaxKind.AnyKeyword) {
             if (!filePath.includes("definitions.ts") && !filePath.includes("types.ts")) {
-                errors.push(`❌ Corporate Compliance Breach: 'any' keyword is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
+                errors.push(`[ERROR] Corporate Compliance Breach: 'any' keyword is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
             }
         }
         ts.forEachChild(node, visit);
@@ -69,10 +72,160 @@ export function verifyCorporateCompliance(content, filePath) {
             if (msg.includes("Email") && (filePath.endsWith("README.md") || filePath.endsWith("package.json") || filePath.includes("CONTRIBUTING"))) {
                 continue;
             }
-            errors.push(`❌ Corporate Compliance Breach: ${msg} detected.`);
+            errors.push(`[ERROR] Corporate Compliance Breach: ${msg} detected.`);
         }
     }
     if (errors.length > 0) {
         throw new Error(errors.join("\n"));
     }
 }
+export function isHighRiskOperation(content, filePath) {
+    const fileName = filePath.toLowerCase();
+    // 1. Database Deletions / Table Drops
+    if (fileName.endsWith(".sql") || fileName.endsWith(".ts") || fileName.endsWith(".js") || fileName.endsWith(".go")) {
+        const dropRegex = /\b(DROP\s+(DATABASE|TABLE|SCHEMA|VIEW|INDEX)|TRUNCATE\s+TABLE)\b/i;
+        if (dropRegex.test(content)) {
+            return { isRisk: true, reason: "Database structural deletion detected (DROP/TRUNCATE)" };
+        }
+    }
+    // 2. Package Updates
+    if (fileName.endsWith("package.json")) {
+        return { isRisk: true, reason: "Dependency/package update operation detected" };
+    }
+    // 3. Deployment / Infrastructure Scripts
+    if (fileName.includes("deploy") ||
+        fileName.includes("dockerfile") ||
+        fileName.includes("docker-compose") ||
+        fileName.includes("k8s") ||
+        fileName.includes("kubernetes") ||
+        fileName.includes("github/workflows")) {
+        return { isRisk: true, reason: "Infrastructure or deployment script mutation detected" };
+    }
+    return { isRisk: false };
+}
+export async function verifyRiskAndAwaitApproval(projectRoot, content, filePath) {
+    const assessment = isHighRiskOperation(content, filePath);
+    if (!assessment.isRisk) {
+        return;
+    }
+    const frameworkDir = resolveFrameworkDir(projectRoot);
+    const absoluteFrameworkPath = path.isAbsolute(frameworkDir)
+        ? frameworkDir
+        : path.resolve(projectRoot, frameworkDir);
+    const statusPath = path.join(absoluteFrameworkPath, "memory", "status.json");
+    const statePath = path.join(absoluteFrameworkPath, "memory", "state.json");
+    const messagesDir = path.join(absoluteFrameworkPath, "messages");
+    const managerMsgPath = path.join(messagesDir, "manager.json");
+    let activeAgent = null;
+    let traceId = "UNKNOWN";
+    // 1. Resolve traceId from state.json
+    if (fs.existsSync(statePath)) {
+        try {
+            const state = JSON.parse(fs.readFileSync(statePath, "utf8"));
+            if (state && state.traceId) {
+                traceId = state.traceId;
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // 2. Resolve active agent from status.json
+    let statusData = {};
+    if (fs.existsSync(statusPath)) {
+        try {
+            statusData = JSON.parse(fs.readFileSync(statusPath, "utf8"));
+            for (const [agentName, info] of Object.entries(statusData)) {
+                if (info.state === "EXECUTING") {
+                    activeAgent = agentName.startsWith("@") ? agentName : `@${agentName}`;
+                    break;
+                }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    if (!activeAgent) {
+        throw new Error(`Security Exception: High-risk operation blocked. ${assessment.reason}. (No active executing agent found)`);
+    }
+    // 3. Update active agent status to WAITING_FOR_APPROVAL
+    const originalTask = statusData[activeAgent.replace("@", "")]?.task || statusData[activeAgent]?.task || "Executing task";
+    const statusKey = activeAgent.replace("@", "");
+    statusData[statusKey] = {
+        state: "WAITING_FOR_APPROVAL",
+        task: `[PAUSED] Waiting for approval: ${assessment.reason} on ${filePath}`
+    };
+    try {
+        fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+    }
+    catch { /* ignore */ }
+    // 4. Create and append ALERT message to messages/manager.json
+    if (!fs.existsSync(messagesDir)) {
+        fs.mkdirSync(messagesDir, { recursive: true });
+    }
+    const alertMsg = {
+        timestamp: new Date().toISOString(),
+        from: activeAgent,
+        to: "@manager",
+        category: "ALERT",
+        content: `High-risk operation: ${assessment.reason} on ${filePath}`,
+        traceId: traceId,
+        status: "PENDING",
+        priority: "HIGH",
+        requiresApproval: true,
+        action: `MUTATION:${filePath}`
+    };
+    try {
+        fs.appendFileSync(managerMsgPath, JSON.stringify(alertMsg) + "\n");
+    }
+    catch (err) {
+        statusData[statusKey] = { state: "EXECUTING", task: originalTask };
+        fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+        throw new Error(`Security Exception: Failed to queue approval request. ${String(err)}`, { cause: err });
+    }
+    // 5. Polling Loop: Wait for approval (up to 60 seconds)
+    const pollIntervalMs = 500;
+    const timeoutMs = 60000;
+    const start = Date.now();
+    while (Date.now() - start < timeoutMs) {
+        // Non-blocking wait
+        await new Promise(resolve => setTimeout(resolve, pollIntervalMs));
+        if (fs.existsSync(managerMsgPath)) {
+            try {
+                const contentStr = fs.readFileSync(managerMsgPath, "utf8").trim();
+                const lines = contentStr.split("\n");
+                let isApproved = false;
+                let isDenied = false;
+                for (const line of lines) {
+                    if (!line.trim())
+                        continue;
+                    const parsed = JSON.parse(line);
+                    if (parsed.traceId === traceId && parsed.category === "ALERT" && parsed.action === `MUTATION:${filePath}`) {
+                        if (parsed.status === "APPROVED") {
+                            isApproved = true;
+                        }
+                        else if (parsed.status === "PROCESSED" || parsed.status === "DENIED") {
+                            isDenied = true;
+                        }
+                    }
+                }
+                if (isApproved) {
+                    statusData[statusKey] = { state: "EXECUTING", task: originalTask };
+                    fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+                    return;
+                }
+                if (isDenied) {
+                    throw new Error("Security Exception: High-risk operation was explicitly DENIED by user.");
+                }
+            }
+            catch (err) {
+                if (err.message.includes("explicitly DENIED")) {
+                    throw err;
+                }
+            }
+        }
+    }
+    statusData[statusKey] = { state: "EXECUTING", task: originalTask };
+    try {
+        fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+    }
+    catch { /* ignore */ }
+    throw new Error(`Security Exception: High-risk operation timed out waiting for approval. (${assessment.reason})`);
+}

package/framework-mcp/dist/utils/permissions.js

@@ -0,0 +1,71 @@
+import fs from "fs";
+import path from "path";
+import { resolveFrameworkDir } from "./security.js";
+function globToRegex(glob) {
+    const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+    const step1 = escaped.replace(/\*\*/g, "__DBL_STR__");
+    const step2 = step1.replace(/\*/g, "[^/]*");
+    const regexStr = "^" + step2.replace(/__DBL_STR__/g, ".*") + "$";
+    return new RegExp(regexStr);
+}
+/**
+ * Validates if the active agent has write permission for the target file.
+ * Automatically identifies the active agent by checking the status.json store
+ * for the agent in the "EXECUTING" state.
+ */
+export function verifyWritePermission(projectRoot, targetFilePath) {
+    const frameworkDir = resolveFrameworkDir(projectRoot);
+    const absoluteFrameworkPath = path.isAbsolute(frameworkDir)
+        ? frameworkDir
+        : path.resolve(projectRoot, frameworkDir);
+    const matrixPath = path.join(absoluteFrameworkPath, "permission-matrix.json");
+    // If no permission matrix exists, skip enforcement (default allow)
+    if (!fs.existsSync(matrixPath)) {
+        return;
+    }
+    let matrix;
+    try {
+        matrix = JSON.parse(fs.readFileSync(matrixPath, "utf8"));
+    }
+    catch (e) {
+        throw new Error(`Failed to parse permission-matrix.json: ${String(e)}`, { cause: e });
+    }
+    // Determine the active agent from status.json
+    const statusPath = path.join(absoluteFrameworkPath, "memory", "status.json");
+    let activeAgent = null;
+    if (fs.existsSync(statusPath)) {
+        try {
+            const status = JSON.parse(fs.readFileSync(statusPath, "utf8"));
+            // Find an agent that is currently in the EXECUTING state
+            for (const [agentName, info] of Object.entries(status)) {
+                const data = info;
+                if (data.state === "EXECUTING") {
+                    activeAgent = agentName.startsWith("@") ? agentName : `@${agentName}`;
+                    break;
+                }
+            }
+        }
+        catch (e) {
+            // Log warning but don't crash, default to allowing if status can't be parsed
+            process.stderr.write(`[Permissions] Warning: Failed to read status.json: ${String(e)}\n`);
+        }
+    }
+    // If no active executing agent is found, default to allowing
+    if (!activeAgent) {
+        return;
+    }
+    const agentRules = matrix[activeAgent];
+    // If no rules defined for the agent, default to allowing
+    if (!agentRules || !agentRules.write) {
+        return;
+    }
+    // Resolve target path relative to project root for glob matching
+    const relativeTargetPath = path.relative(projectRoot, path.resolve(projectRoot, targetFilePath));
+    const allowed = agentRules.write.some(glob => {
+        const regex = globToRegex(glob);
+        return regex.test(relativeTargetPath);
+    });
+    if (!allowed) {
+        throw new Error(`Permission Denied: Agent ${activeAgent} is not authorized to write to "${relativeTargetPath}". Matrix rules restrict writes to: [${agentRules.write.join(", ")}].`);
+    }
+}

package/framework-mcp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "atabey-mcp",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "description": "Agent Atabey Model Context Protocol (MCP) Server",
   "author": "Yusuf BEKAR",
   "license": "MIT",
@@ -10,6 +10,12 @@
   },
   "homepage": "https://github.com/ysf-bkr/atabey#readme",
   "type": "module",
+  "files": [
+    "dist",
+    "package.json",
+    "README.md",
+    "LICENSE"
+  ],
   "bin": {
     "atabey-mcp": "dist/index.js"
   },

package/mcp.json

@@ -3,7 +3,7 @@
     "atabey": {
       "command": "node",
       "args": [
-        "framework-mcp/dist/index.js"
+        "dist/framework-mcp/src/index.js"
       ],
       "env": {
         "ATABEY_PROJECT_ROOT": "."

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "atabey",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "description": "The Supreme AI Governance & Autonomous Orchestration Framework for Enterprise Development. Supports Polyglot Backends (Go, Java, Python, .NET, Node.js) and Multi-Language Communication (TR/EN).",
   "author": "Yusuf BEKAR",
   "license": "MIT",
@@ -34,19 +34,20 @@
   "files": [
     "bin",
     "dist",
-    "src",
     "templates",
-    "framework-mcp",
     "README.md",
     "LICENSE",
     "mcp.json",
-    "ATABEY.md"
+    "ATABEY.md",
+    "framework-mcp/dist",
+    "framework-mcp/package.json"
   ],
   "engines": {
     "node": ">=18.0.0"
   },
   "scripts": {
-    "build": "tsc && npm run build --prefix framework-mcp",
+    "build": "tsc && npm run build --prefix framework-mcp && npm run build:ui",
+    "build:ui": "npm run build --prefix src/dashboard",
     "atabey:build": "npm run build --prefix framework-mcp",
     "atabey:test": "vitest run",
     "atabey:test:watch": "vitest",
@@ -65,6 +66,9 @@
     "access": "public"
   },
   "dependencies": {
+    "atabey-mcp": "^0.0.8",
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "better-sqlite3": "^12.10.1",
     "chalk": "^5.6.2",
     "js-yaml": "^4.2.0",
     "typescript": "^5.9.3",
@@ -72,8 +76,8 @@
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
-    "@modelcontextprotocol/sdk": "^1.29.0",
     "@pandacss/dev": "^1.11.1",
+    "@types/better-sqlite3": "^7.6.13",
     "@types/node": "^25.9.1",
     "eslint": "^10.4.0",
     "globals": "^17.6.0",

package/templates/prompts/contract-design-recipe.md

@@ -16,6 +16,6 @@ This recipe governs the @architect agent's protocol for creating type-safe agree
 2.  **Commitment:** Run `atabey update-contract` to generate new SHA-256 signatures for the updated types.
 3.  **Audit:** Verify that `contract.version.json` accurately reflects the new architecture.
 
-## 📡 Phase 4: Synchronization
+## [SIGNAL] Phase 4: Synchronization
 1.  **Distribution:** Ensure the updated `src/types` directory is correctly linked or copied to both Frontend and Backend projects.
 2.  **Verification:** Trigger @backend and @frontend agents to read the new contract and plan their implementations.

package/templates/prompts/db-management-recipe.md

@@ -1,4 +1,4 @@
-# 🗄️ Engineering Recipe: Database Management & Migrations
+# [DB] Engineering Recipe: Database Management & Migrations
 
 This recipe governs the @database agent's protocol for schema creation, table modifications, and data integrity.
 
@@ -6,7 +6,7 @@ This recipe governs the @database agent's protocol for schema creation, table mo
 1.  **Type Mapping:** Define the new table or column in `src/types/models.ts` using Branded Types for IDs.
 2.  **Validation:** Ensure the interface extends `BaseEntity` (id, createdAt, updatedAt).
 
-## 🚀 Phase 2: Migration Generation
+## [START] Phase 2: Migration Generation
 1.  **Scripting:** Write a reversible migration (up/down) using the project's migration tool (e.g., Kysely or SQL).
 2.  **Atomic Changes:** One migration per logical feature. Never bundle unrelated schema changes.
 3.  **Naming:** Use timestamp-prefixed naming (e.g., `20240101_add_customers_table.ts`).
@@ -19,7 +19,7 @@ This recipe governs the @database agent's protocol for schema creation, table mo
 1.  **Repo Layer:** Create or update the Repository class to include the new query logic.
 2.  **Strict Mode:** Ensure no raw SQL is used; leverage the query builder exclusively.
 
-## ✅ Phase 5: Verification & Zero-Downtime Audit
+## [OK] Phase 5: Verification & Zero-Downtime Audit
 1.  **Dry Run:** If supported, dry-run the migration to check for locking issues.
 2.  **Validation:** Run `atabey verify-contract` to ensure code and schema are synced.
 3.  **Handoff:** Update `PROJECT_MEMORY.md` with the new schema version.