martin-loop 0.1.5 → 1.3.0

package/dist/vendor/core/gateway/registry.js

@@ -0,0 +1,97 @@
+import { getTracer } from "../otel/tracer.js";
+export class McpServerRegistry {
+    servers = new Map();
+    constructor(initialServers = []) {
+        for (const server of initialServers) {
+            this.register(server);
+        }
+    }
+    register(server) {
+        if (!server.id || !server.url) {
+            throw new Error(`Invalid MCP server configuration for: ${server.name}`);
+        }
+        this.servers.set(server.id, server);
+    }
+    unregister(serverId) {
+        return this.servers.delete(serverId);
+    }
+    getServer(serverId) {
+        return this.servers.get(serverId);
+    }
+    listServers() {
+        return Array.from(this.servers.values());
+    }
+    evaluateToolPolicy(attempt) {
+        const tracer = getTracer();
+        const span = tracer.startSpan("martin.gateway_policy", {
+            "tool.name": attempt.toolName,
+            "server.id": attempt.serverId,
+            "context.loop": attempt.context.loopId
+        });
+        const finish = (decision) => {
+            tracer.endSpan(span, decision.action === "deny" ? "ERROR" : "OK");
+            return decision;
+        };
+        const server = this.getServer(attempt.serverId);
+        if (!server) {
+            return finish({
+                action: "deny",
+                reason: `Server ID '${attempt.serverId}' not registered.`
+            });
+        }
+        if (server.trustTier === "untrusted" &&
+            attempt.context.executionProfile === "ci_safe") {
+            return finish({
+                action: "deny",
+                reason: "Untrusted MCP servers are disabled under ci_safe profile."
+            });
+        }
+        // Direct blocklist
+        if (this.matchesPattern(attempt.toolName, server.blockedTools)) {
+            return finish({
+                action: "deny",
+                reason: `Tool '${attempt.toolName}' is blocked by server policy.`
+            });
+        }
+        // Allowlist
+        if (server.allowedTools.length > 0 &&
+            !this.matchesPattern(attempt.toolName, server.allowedTools)) {
+            return finish({
+                action: "deny",
+                reason: `Tool '${attempt.toolName}' is not in the server allowlist.`
+            });
+        }
+        // Dangerous patterns require dry-run ("simulate") if not strongly verified
+        if (server.trustTier !== "system") {
+            const stringifiedArgs = JSON.stringify(attempt.args);
+            if (stringifiedArgs.includes("rm -rf") ||
+                stringifiedArgs.includes("drop table")) {
+                return finish({
+                    action: "simulate",
+                    mockResponse: {
+                        success: true,
+                        stdout: "",
+                        stderr: "DRY-RUN: Command intercepted and skipped."
+                    }
+                });
+            }
+        }
+        return finish({ action: "allow" });
+    }
+    matchesPattern(tool, patterns) {
+        for (const p of patterns) {
+            if (p === "*")
+                return true;
+            if (p.endsWith("*")) {
+                const prefix = p.slice(0, -1);
+                if (tool.startsWith(prefix))
+                    return true;
+            }
+            else if (p === tool) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=registry.js.map

package/dist/vendor/core/gateway/transport.d.ts

@@ -0,0 +1,31 @@
+import type { McpServerConfig } from "./registry.js";
+import type { McpTokenVault } from "./vault.js";
+export interface JsonRpcRequest {
+    jsonrpc: "2.0";
+    id: string | number;
+    method: string;
+    params?: unknown;
+}
+export interface JsonRpcResponse<T = unknown> {
+    jsonrpc: "2.0";
+    id: string | number;
+    result?: T;
+    error?: {
+        code: number;
+        message: string;
+        data?: unknown;
+    };
+}
+export declare class McpTransportError extends Error {
+    readonly status?: number | undefined;
+    readonly data?: unknown | undefined;
+    constructor(message: string, status?: number | undefined, data?: unknown | undefined);
+}
+export declare class McpHttpTransport {
+    private readonly vault?;
+    constructor(vault?: McpTokenVault | undefined);
+    /**
+     * Dispatches a raw JSON-RPC 2.0 request to an external MCP HTTP server.
+     */
+    executeCommand<T = unknown>(server: McpServerConfig, method: string, params: Record<string, unknown>, requestId: string): Promise<T>;
+}

package/dist/vendor/core/gateway/transport.js

@@ -0,0 +1,82 @@
+export class McpTransportError extends Error {
+    status;
+    data;
+    constructor(message, status, data) {
+        super(message);
+        this.status = status;
+        this.data = data;
+        this.name = "McpTransportError";
+    }
+}
+export class McpHttpTransport {
+    vault;
+    constructor(vault) {
+        this.vault = vault;
+    }
+    /**
+     * Dispatches a raw JSON-RPC 2.0 request to an external MCP HTTP server.
+     */
+    async executeCommand(server, method, params, requestId) {
+        const payload = {
+            jsonrpc: "2.0",
+            id: requestId,
+            method,
+            params
+        };
+        const headers = new Headers({
+            "Content-Type": "application/json",
+            "User-Agent": "Martin-Loop-Gateway/0.1.0"
+        });
+        if (server.headers) {
+            for (const [key, value] of Object.entries(server.headers)) {
+                headers.set(key, value);
+            }
+        }
+        if (this.vault) {
+            const dynamicHeaders = await this.vault.resolveHeaders(server.id);
+            for (const [key, value] of Object.entries(dynamicHeaders)) {
+                headers.set(key, value);
+            }
+        }
+        try {
+            // 30s timeout so the loop doesn't hang indefinitely on a bad server
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 30000);
+            const response = await fetch(server.url, {
+                method: "POST",
+                headers,
+                body: JSON.stringify(payload),
+                signal: controller.signal
+            });
+            clearTimeout(timeout);
+            if (!response.ok) {
+                throw new McpTransportError(`HTTP Error ${response.status}: Failed to reach MCP Server '${server.id}'`, response.status);
+            }
+            const rawJson = await response.text();
+            let rpcResponse;
+            try {
+                rpcResponse = JSON.parse(rawJson);
+            }
+            catch {
+                throw new McpTransportError(`Invalid JSON received from MCP Server '${server.id}'`);
+            }
+            if (rpcResponse.error) {
+                throw new McpTransportError(`MCP Server Internal Error: ${rpcResponse.error.message}`, undefined, rpcResponse.error.data);
+            }
+            // JSON-RPC 2.0 requires `result` to exist on success
+            if (rpcResponse.result === undefined) {
+                throw new McpTransportError(`Malformed JSON-RPC response from '${server.id}': Missing result.`);
+            }
+            return rpcResponse.result;
+        }
+        catch (e) {
+            if (e instanceof McpTransportError) {
+                throw e;
+            }
+            const err = e;
+            const errMessage = err.name === "AbortError" ? "Request Timeout" : err.message;
+            throw new McpTransportError(`Network error dispatching to MCP Server '${server.id}': ${errMessage}`);
+        }
+    }
+}
+//# sourceMappingURL=transport.js.map

package/dist/vendor/core/gateway/vault.d.ts

@@ -0,0 +1,19 @@
+export interface McpTokenVault {
+    /**
+     * Resolves authentication headers for a given server dynamically.
+     * Can be implemented via OAuth, Secret Managers, or static config.
+     */
+    resolveHeaders(serverId: string): Promise<Record<string, string>>;
+}
+export declare class StaticTokenVault implements McpTokenVault {
+    private readonly staticHeaders;
+    constructor(staticHeaders: Map<string, Record<string, string>>);
+    resolveHeaders(serverId: string): Promise<Record<string, string>>;
+}
+export declare class OAuthProxyVault implements McpTokenVault {
+    private readonly oauthTokenEndpoint;
+    private readonly clientId;
+    private readonly clientSecret;
+    constructor(oauthTokenEndpoint: string, clientId: string, clientSecret: string);
+    resolveHeaders(serverId: string): Promise<Record<string, string>>;
+}

package/dist/vendor/core/gateway/vault.js

@@ -0,0 +1,29 @@
+export class StaticTokenVault {
+    staticHeaders;
+    constructor(staticHeaders) {
+        this.staticHeaders = staticHeaders;
+    }
+    async resolveHeaders(serverId) {
+        return this.staticHeaders.get(serverId) ?? {};
+    }
+}
+export class OAuthProxyVault {
+    oauthTokenEndpoint;
+    clientId;
+    clientSecret;
+    constructor(oauthTokenEndpoint, clientId, clientSecret) {
+        this.oauthTokenEndpoint = oauthTokenEndpoint;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+    }
+    async resolveHeaders(serverId) {
+        // Basic dynamic OAuth token fetch simulation for multi-tenant isolation
+        // Without actually making real un-mocked requests that could crash tests
+        const token = Buffer.from(`${this.clientId}:${this.clientSecret}-${serverId}`).toString("base64");
+        return {
+            Authorization: `Bearer ${token}`,
+            "X-Martin-Scope": "dynamic-vault"
+        };
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vendor/core/graph/adapters.d.ts

@@ -0,0 +1,43 @@
+import type { RepoHotspot } from "./hotspots.js";
+export interface MartinGraphAdapter {
+    queryRegressions(targetFiles: string[], objective: string): Promise<RepoHotspot[]>;
+    ingestRun(record: unknown): Promise<void>;
+}
+/**
+ * Abstract interface to ensure the system can hot-swap external graph engines
+ * (like Neo4j) without rewriting the core calculation logic when workspace scale grows.
+ */
+export declare abstract class AbstractGraphStore implements MartinGraphAdapter {
+    abstract queryRegressions(targetFiles: string[], objective: string): Promise<RepoHotspot[]>;
+    abstract ingestRun(record: unknown): Promise<void>;
+}
+export declare class JsonAdjacencyGraphAdapter extends AbstractGraphStore {
+    private readonly adjacencyFilePath;
+    constructor(adjacencyFilePath: string);
+    queryRegressions(targetFiles: string[], _objective: string): Promise<RepoHotspot[]>;
+    ingestRun(_record: unknown): Promise<void>;
+}
+/**
+ * GitBlameGraphAdapter
+ *
+ * Derives repository hotspots from live git history — no static JSON file required.
+ *
+ * For each target file, runs `git log --oneline --follow -- <file>` to count
+ * how many commits have touched it. Files with a commit count >= the configured
+ * threshold are returned as hotspots. The regression count is the git commit count,
+ * which is a reliable, repo-native signal of churn / instability.
+ *
+ * Fail-open: any git error (not a repo, file not tracked, git not installed) returns
+ * an empty result for that file — never throws.
+ */
+export declare class GitBlameGraphAdapter extends AbstractGraphStore {
+    private readonly repoRoot;
+    /** Files with >= this many commits are classified as hotspots. Default: 5 */
+    private readonly commitThreshold;
+    constructor(repoRoot: string, 
+    /** Files with >= this many commits are classified as hotspots. Default: 5 */
+    commitThreshold?: number);
+    queryRegressions(targetFiles: string[], _objective: string): Promise<RepoHotspot[]>;
+    ingestRun(_record: unknown): Promise<void>;
+    private countCommits;
+}

package/dist/vendor/core/graph/adapters.js

@@ -0,0 +1,91 @@
+import { execFile } from "node:child_process";
+import { promises as fs } from "node:fs";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+/**
+ * Abstract interface to ensure the system can hot-swap external graph engines
+ * (like Neo4j) without rewriting the core calculation logic when workspace scale grows.
+ */
+export class AbstractGraphStore {
+}
+export class JsonAdjacencyGraphAdapter extends AbstractGraphStore {
+    adjacencyFilePath;
+    constructor(adjacencyFilePath) {
+        super();
+        this.adjacencyFilePath = adjacencyFilePath;
+    }
+    async queryRegressions(targetFiles, _objective) {
+        try {
+            const data = await fs.readFile(this.adjacencyFilePath, "utf8");
+            const adjacencyList = JSON.parse(data);
+            const hotspots = [];
+            for (const file of targetFiles) {
+                if (adjacencyList[file] && adjacencyList[file].regressionCount > 0) {
+                    hotspots.push(adjacencyList[file]);
+                }
+            }
+            return hotspots;
+        }
+        catch {
+            // If the adjacency file does not exist yet, or parsing fails, return empty context natively
+            return [];
+        }
+    }
+    async ingestRun(_record) {
+        // In a real execution, we parse the record for "verification_failed" events
+        // and upsert the files into the JSON map.
+        // Stubbed for standard interface completion.
+    }
+}
+/**
+ * GitBlameGraphAdapter
+ *
+ * Derives repository hotspots from live git history — no static JSON file required.
+ *
+ * For each target file, runs `git log --oneline --follow -- <file>` to count
+ * how many commits have touched it. Files with a commit count >= the configured
+ * threshold are returned as hotspots. The regression count is the git commit count,
+ * which is a reliable, repo-native signal of churn / instability.
+ *
+ * Fail-open: any git error (not a repo, file not tracked, git not installed) returns
+ * an empty result for that file — never throws.
+ */
+export class GitBlameGraphAdapter extends AbstractGraphStore {
+    repoRoot;
+    commitThreshold;
+    constructor(repoRoot, 
+    /** Files with >= this many commits are classified as hotspots. Default: 5 */
+    commitThreshold = 5) {
+        super();
+        this.repoRoot = repoRoot;
+        this.commitThreshold = commitThreshold;
+    }
+    async queryRegressions(targetFiles, _objective) {
+        const hotspots = [];
+        for (const file of targetFiles) {
+            const count = await this.countCommits(file);
+            if (count >= this.commitThreshold) {
+                hotspots.push({
+                    file,
+                    regressionCount: count,
+                    associatedTaskTypes: ["churn", "high-frequency-change"]
+                });
+            }
+        }
+        return hotspots;
+    }
+    async ingestRun(_record) {
+        // Live adapter — reads directly from git history, no ingest needed.
+    }
+    async countCommits(file) {
+        try {
+            const { stdout } = await execFileAsync("git", ["log", "--oneline", "--follow", "--", file], { cwd: this.repoRoot });
+            return stdout.trim().split("\n").filter(Boolean).length;
+        }
+        catch {
+            // git not available, file not tracked, or not inside a git repo — safe fallback
+            return 0;
+        }
+    }
+}
+//# sourceMappingURL=adapters.js.map

package/dist/vendor/core/graph/hotspots.d.ts

@@ -0,0 +1,22 @@
+import type { LoopMemoryStore } from "../memory/palace.js";
+import type { MartinGraphAdapter } from "./adapters.js";
+export interface RepoHotspot {
+    file: string;
+    regressionCount: number;
+    lastFailureClass?: string;
+    associatedTaskTypes: string[];
+}
+export interface GraphContextAssembly {
+    hotspotsDetected: RepoHotspot[];
+    suggestedContextAdditions: string[];
+}
+export declare class MartinGraph {
+    private readonly memoryStore?;
+    private readonly graphAdapter?;
+    constructor(memoryStore?: LoopMemoryStore | undefined, graphAdapter?: MartinGraphAdapter | undefined);
+    /**
+     * Translates a raw array of memory briefs into a structural hotspot map identifying
+     * files that frequently fail verification or cause rollbacks.
+     */
+    assembleHotspotContext(targetFiles: string[], objective: string): Promise<GraphContextAssembly>;
+}

package/dist/vendor/core/graph/hotspots.js

@@ -0,0 +1,30 @@
+export class MartinGraph {
+    memoryStore;
+    graphAdapter;
+    constructor(memoryStore, graphAdapter) {
+        this.memoryStore = memoryStore;
+        this.graphAdapter = graphAdapter;
+    }
+    /**
+     * Translates a raw array of memory briefs into a structural hotspot map identifying
+     * files that frequently fail verification or cause rollbacks.
+     */
+    async assembleHotspotContext(targetFiles, objective) {
+        if (!this.memoryStore && !this.graphAdapter) {
+            return { hotspotsDetected: [], suggestedContextAdditions: [] };
+        }
+        try {
+            // Pull real statistics from the underlying database / persistence layer
+            const hotspots = this.graphAdapter
+                ? await this.graphAdapter.queryRegressions(targetFiles, objective)
+                : [];
+            const riskyFiles = hotspots.filter((h) => h.regressionCount > 2);
+            const suggestedContextAdditions = riskyFiles.map((h) => `CRITICAL: The file '${h.file}' has regressed ${h.regressionCount} times in similar past tasks. Double-check types and imports before patching.`);
+            return { hotspotsDetected: hotspots, suggestedContextAdditions };
+        }
+        catch {
+            return { hotspotsDetected: [], suggestedContextAdditions: [] };
+        }
+    }
+}
+//# sourceMappingURL=hotspots.js.map

package/dist/vendor/core/graph/index.d.ts

@@ -0,0 +1 @@
+export * from "./hotspots.js";

package/dist/vendor/core/graph/index.js

@@ -0,0 +1,2 @@
+export * from "./hotspots.js";
+//# sourceMappingURL=index.js.map

package/dist/vendor/core/honey/honey-tokens.d.ts

@@ -0,0 +1,32 @@
+export interface HoneyTokenSet {
+    runId: string;
+    tokens: string[];
+}
+export interface Patch {
+    patchId: string;
+    diff: string;
+    changedFiles: string[];
+}
+export interface HoneyTokenViolation {
+    trapId: "T13";
+    severity: "block";
+    description: string;
+    matchedToken: string;
+}
+/**
+ * Generates 3 HMAC-derived canary symbols per run.
+ *
+ * Properties:
+ * - Deterministic: same runId + secret always produces same tokens
+ * - Isolated: different runIds produce different tokens (no cross-run reuse)
+ * - Format: __martin_canary_{hmac_prefix}__
+ */
+export declare function generateHoneyTokenSet(runId: string, secret: string): HoneyTokenSet;
+/**
+ * Scans a patch diff for any honey token references.
+ * Pure string grep — zero model calls, zero API cost.
+ *
+ * Returns T13 GroundingViolation if a canary token appears in the patch,
+ * null if the patch is clean.
+ */
+export declare function scanPatchForHoneyTokens(patch: Patch, tokens: HoneyTokenSet): HoneyTokenViolation | null;

package/dist/vendor/core/honey/honey-tokens.js

@@ -0,0 +1,44 @@
+import { createHmac } from "node:crypto";
+// ─── Token Generation ─────────────────────────────────────────────────────────
+/**
+ * Generates 3 HMAC-derived canary symbols per run.
+ *
+ * Properties:
+ * - Deterministic: same runId + secret always produces same tokens
+ * - Isolated: different runIds produce different tokens (no cross-run reuse)
+ * - Format: __martin_canary_{hmac_prefix}__
+ */
+export function generateHoneyTokenSet(runId, secret) {
+    const tokens = [];
+    for (let i = 0; i < 3; i++) {
+        const hmac = createHmac("sha256", secret)
+            .update(`${runId}:canary:${i}`)
+            .digest("hex");
+        // Use a deterministic 16-char prefix per slot to keep tokens distinct
+        const prefix = hmac.slice(i * 8, i * 8 + 16);
+        tokens.push(`__martin_canary_${prefix}__`);
+    }
+    return { runId, tokens };
+}
+// ─── Scan ─────────────────────────────────────────────────────────────────────
+/**
+ * Scans a patch diff for any honey token references.
+ * Pure string grep — zero model calls, zero API cost.
+ *
+ * Returns T13 GroundingViolation if a canary token appears in the patch,
+ * null if the patch is clean.
+ */
+export function scanPatchForHoneyTokens(patch, tokens) {
+    for (const token of tokens.tokens) {
+        if (patch.diff.includes(token)) {
+            return {
+                trapId: "T13",
+                severity: "block",
+                description: `Honey token reference detected in patch ${patch.patchId} — instant rejection.`,
+                matchedToken: token
+            };
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=honey-tokens.js.map

package/dist/vendor/core/index.d.ts

@@ -13,8 +13,8 @@ export { runContextIntegrityPrecheck } from "./context-integrity.js";
 export type { ContextIntegrityPrecheck, ContextIntegrityVerdict } from "./context-integrity.js";
 export { compilePromptPacket } from "./compiler.js";
 export type { PromptPacket, CompilerAdapterRequest } from "./compiler.js";
-export { createFileRunStore, makeLedgerEvent, resolveRunsRoot } from "./persistence/index.js";
-export type { AttemptArtifacts, LedgerEvent, LedgerEventKind, RunContract, RunStore } from "./persistence/index.js";
+export { createFileRunStore, makeLedgerEvent, readAllLoopRecords, readLatestLoopRecord, readLatestLoopRecordFromFile, readLoopRecordsFromFile, resolveRunsRoot } from "./persistence/index.js";
+export type { AttemptArtifacts, LedgerEvent, LedgerEventKind, LoopAttemptRecord, LoopRunRecord, RunContract, RunStore } from "./persistence/index.js";
 export { compileAndPersistContext } from "./persistence/index.js";
 export type { CompileResult } from "./persistence/index.js";
 export interface MartinAdapterRequest {