npm - mstro-app - Versions diffs - 0.1.47 - Mend

mstro-app 0.1.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

package/LICENSE +21 -0
package/README.md +177 -0
package/bin/commands/config.js +145 -0
package/bin/commands/login.js +313 -0
package/bin/commands/logout.js +75 -0
package/bin/commands/status.js +197 -0
package/bin/commands/whoami.js +161 -0
package/bin/configure-claude.js +298 -0
package/bin/mstro.js +581 -0
package/bin/postinstall.js +45 -0
package/bin/release.sh +110 -0
package/dist/server/cli/headless/claude-invoker.d.ts +17 -0
package/dist/server/cli/headless/claude-invoker.d.ts.map +1 -0
package/dist/server/cli/headless/claude-invoker.js +311 -0
package/dist/server/cli/headless/claude-invoker.js.map +1 -0
package/dist/server/cli/headless/index.d.ts +13 -0
package/dist/server/cli/headless/index.d.ts.map +1 -0
package/dist/server/cli/headless/index.js +10 -0
package/dist/server/cli/headless/index.js.map +1 -0
package/dist/server/cli/headless/mcp-config.d.ts +11 -0
package/dist/server/cli/headless/mcp-config.d.ts.map +1 -0
package/dist/server/cli/headless/mcp-config.js +76 -0
package/dist/server/cli/headless/mcp-config.js.map +1 -0
package/dist/server/cli/headless/output-utils.d.ts +33 -0
package/dist/server/cli/headless/output-utils.d.ts.map +1 -0
package/dist/server/cli/headless/output-utils.js +101 -0
package/dist/server/cli/headless/output-utils.js.map +1 -0
package/dist/server/cli/headless/prompt-utils.d.ts +21 -0
package/dist/server/cli/headless/prompt-utils.d.ts.map +1 -0
package/dist/server/cli/headless/prompt-utils.js +84 -0
package/dist/server/cli/headless/prompt-utils.js.map +1 -0
package/dist/server/cli/headless/runner.d.ts +24 -0
package/dist/server/cli/headless/runner.d.ts.map +1 -0
package/dist/server/cli/headless/runner.js +99 -0
package/dist/server/cli/headless/runner.js.map +1 -0
package/dist/server/cli/headless/types.d.ts +106 -0
package/dist/server/cli/headless/types.d.ts.map +1 -0
package/dist/server/cli/headless/types.js +4 -0
package/dist/server/cli/headless/types.js.map +1 -0
package/dist/server/cli/improvisation-session-manager.d.ts +155 -0
package/dist/server/cli/improvisation-session-manager.d.ts.map +1 -0
package/dist/server/cli/improvisation-session-manager.js +415 -0
package/dist/server/cli/improvisation-session-manager.js.map +1 -0
package/dist/server/index.d.ts +2 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +386 -0
package/dist/server/index.js.map +1 -0
package/dist/server/mcp/bouncer-cli.d.ts +3 -0
package/dist/server/mcp/bouncer-cli.d.ts.map +1 -0
package/dist/server/mcp/bouncer-cli.js +99 -0
package/dist/server/mcp/bouncer-cli.js.map +1 -0
package/dist/server/mcp/bouncer-integration.d.ts +36 -0
package/dist/server/mcp/bouncer-integration.d.ts.map +1 -0
package/dist/server/mcp/bouncer-integration.js +301 -0
package/dist/server/mcp/bouncer-integration.js.map +1 -0
package/dist/server/mcp/security-audit.d.ts +52 -0
package/dist/server/mcp/security-audit.d.ts.map +1 -0
package/dist/server/mcp/security-audit.js +118 -0
package/dist/server/mcp/security-audit.js.map +1 -0
package/dist/server/mcp/security-patterns.d.ts +73 -0
package/dist/server/mcp/security-patterns.d.ts.map +1 -0
package/dist/server/mcp/security-patterns.js +247 -0
package/dist/server/mcp/security-patterns.js.map +1 -0
package/dist/server/mcp/server.d.ts +3 -0
package/dist/server/mcp/server.d.ts.map +1 -0
package/dist/server/mcp/server.js +146 -0
package/dist/server/mcp/server.js.map +1 -0
package/dist/server/routes/files.d.ts +9 -0
package/dist/server/routes/files.d.ts.map +1 -0
package/dist/server/routes/files.js +24 -0
package/dist/server/routes/files.js.map +1 -0
package/dist/server/routes/improvise.d.ts +3 -0
package/dist/server/routes/improvise.d.ts.map +1 -0
package/dist/server/routes/improvise.js +72 -0
package/dist/server/routes/improvise.js.map +1 -0
package/dist/server/routes/index.d.ts +10 -0
package/dist/server/routes/index.d.ts.map +1 -0
package/dist/server/routes/index.js +12 -0
package/dist/server/routes/index.js.map +1 -0
package/dist/server/routes/instances.d.ts +10 -0
package/dist/server/routes/instances.d.ts.map +1 -0
package/dist/server/routes/instances.js +47 -0
package/dist/server/routes/instances.js.map +1 -0
package/dist/server/routes/notifications.d.ts +3 -0
package/dist/server/routes/notifications.d.ts.map +1 -0
package/dist/server/routes/notifications.js +136 -0
package/dist/server/routes/notifications.js.map +1 -0
package/dist/server/services/analytics.d.ts +56 -0
package/dist/server/services/analytics.d.ts.map +1 -0
package/dist/server/services/analytics.js +240 -0
package/dist/server/services/analytics.js.map +1 -0
package/dist/server/services/auth.d.ts +26 -0
package/dist/server/services/auth.d.ts.map +1 -0
package/dist/server/services/auth.js +71 -0
package/dist/server/services/auth.js.map +1 -0
package/dist/server/services/client-id.d.ts +10 -0
package/dist/server/services/client-id.d.ts.map +1 -0
package/dist/server/services/client-id.js +61 -0
package/dist/server/services/client-id.js.map +1 -0
package/dist/server/services/credentials.d.ts +39 -0
package/dist/server/services/credentials.d.ts.map +1 -0
package/dist/server/services/credentials.js +110 -0
package/dist/server/services/credentials.js.map +1 -0
package/dist/server/services/files.d.ts +119 -0
package/dist/server/services/files.d.ts.map +1 -0
package/dist/server/services/files.js +560 -0
package/dist/server/services/files.js.map +1 -0
package/dist/server/services/instances.d.ts +52 -0
package/dist/server/services/instances.d.ts.map +1 -0
package/dist/server/services/instances.js +241 -0
package/dist/server/services/instances.js.map +1 -0
package/dist/server/services/pathUtils.d.ts +47 -0
package/dist/server/services/pathUtils.d.ts.map +1 -0
package/dist/server/services/pathUtils.js +124 -0
package/dist/server/services/pathUtils.js.map +1 -0
package/dist/server/services/platform.d.ts +72 -0
package/dist/server/services/platform.d.ts.map +1 -0
package/dist/server/services/platform.js +368 -0
package/dist/server/services/platform.js.map +1 -0
package/dist/server/services/sentry.d.ts +5 -0
package/dist/server/services/sentry.d.ts.map +1 -0
package/dist/server/services/sentry.js +71 -0
package/dist/server/services/sentry.js.map +1 -0
package/dist/server/services/terminal/pty-manager.d.ts +149 -0
package/dist/server/services/terminal/pty-manager.d.ts.map +1 -0
package/dist/server/services/terminal/pty-manager.js +377 -0
package/dist/server/services/terminal/pty-manager.js.map +1 -0
package/dist/server/services/terminal/tmux-manager.d.ts +82 -0
package/dist/server/services/terminal/tmux-manager.d.ts.map +1 -0
package/dist/server/services/terminal/tmux-manager.js +352 -0
package/dist/server/services/terminal/tmux-manager.js.map +1 -0
package/dist/server/services/websocket/autocomplete.d.ts +50 -0
package/dist/server/services/websocket/autocomplete.d.ts.map +1 -0
package/dist/server/services/websocket/autocomplete.js +361 -0
package/dist/server/services/websocket/autocomplete.js.map +1 -0
package/dist/server/services/websocket/file-utils.d.ts +44 -0
package/dist/server/services/websocket/file-utils.d.ts.map +1 -0
package/dist/server/services/websocket/file-utils.js +272 -0
package/dist/server/services/websocket/file-utils.js.map +1 -0
package/dist/server/services/websocket/handler.d.ts +246 -0
package/dist/server/services/websocket/handler.d.ts.map +1 -0
package/dist/server/services/websocket/handler.js +1771 -0
package/dist/server/services/websocket/handler.js.map +1 -0
package/dist/server/services/websocket/index.d.ts +11 -0
package/dist/server/services/websocket/index.d.ts.map +1 -0
package/dist/server/services/websocket/index.js +14 -0
package/dist/server/services/websocket/index.js.map +1 -0
package/dist/server/services/websocket/types.d.ts +214 -0
package/dist/server/services/websocket/types.d.ts.map +1 -0
package/dist/server/services/websocket/types.js +4 -0
package/dist/server/services/websocket/types.js.map +1 -0
package/dist/server/utils/agent-manager.d.ts +69 -0
package/dist/server/utils/agent-manager.d.ts.map +1 -0
package/dist/server/utils/agent-manager.js +269 -0
package/dist/server/utils/agent-manager.js.map +1 -0
package/dist/server/utils/paths.d.ts +25 -0
package/dist/server/utils/paths.d.ts.map +1 -0
package/dist/server/utils/paths.js +38 -0
package/dist/server/utils/paths.js.map +1 -0
package/dist/server/utils/port-manager.d.ts +10 -0
package/dist/server/utils/port-manager.d.ts.map +1 -0
package/dist/server/utils/port-manager.js +60 -0
package/dist/server/utils/port-manager.js.map +1 -0
package/dist/server/utils/port.d.ts +26 -0
package/dist/server/utils/port.d.ts.map +1 -0
package/dist/server/utils/port.js +83 -0
package/dist/server/utils/port.js.map +1 -0
package/hooks/bouncer.sh +138 -0
package/package.json +74 -0
package/server/README.md +191 -0
package/server/cli/headless/claude-invoker.ts +415 -0
package/server/cli/headless/index.ts +39 -0
package/server/cli/headless/mcp-config.ts +87 -0
package/server/cli/headless/output-utils.ts +109 -0
package/server/cli/headless/prompt-utils.ts +108 -0
package/server/cli/headless/runner.ts +133 -0
package/server/cli/headless/types.ts +118 -0
package/server/cli/improvisation-session-manager.ts +531 -0
package/server/index.ts +456 -0
package/server/mcp/README.md +122 -0
package/server/mcp/bouncer-cli.ts +127 -0
package/server/mcp/bouncer-integration.ts +430 -0
package/server/mcp/security-audit.ts +180 -0
package/server/mcp/security-patterns.ts +290 -0
package/server/mcp/server.ts +174 -0
package/server/routes/files.ts +29 -0
package/server/routes/improvise.ts +82 -0
package/server/routes/index.ts +13 -0
package/server/routes/instances.ts +54 -0
package/server/routes/notifications.ts +158 -0
package/server/services/analytics.ts +277 -0
package/server/services/auth.ts +80 -0
package/server/services/client-id.ts +68 -0
package/server/services/credentials.ts +134 -0
package/server/services/files.ts +710 -0
package/server/services/instances.ts +275 -0
package/server/services/pathUtils.ts +158 -0
package/server/services/platform.test.ts +1314 -0
package/server/services/platform.ts +435 -0
package/server/services/sentry.ts +81 -0
package/server/services/terminal/pty-manager.ts +464 -0
package/server/services/terminal/tmux-manager.ts +426 -0
package/server/services/websocket/autocomplete.ts +438 -0
package/server/services/websocket/file-utils.ts +305 -0
package/server/services/websocket/handler.test.ts +20 -0
package/server/services/websocket/handler.ts +2047 -0
package/server/services/websocket/index.ts +40 -0
package/server/services/websocket/types.ts +339 -0
package/server/tsconfig.json +19 -0
package/server/utils/agent-manager.ts +323 -0
package/server/utils/paths.ts +45 -0
package/server/utils/port-manager.ts +70 -0
package/server/utils/port.ts +102 -0

package/server/mcp/security-patterns.ts ADDED Viewed

@@ -0,0 +1,290 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Security Patterns - Single Source of Truth
+ *
+ * Consolidated pattern definitions for fast-path security checks.
+ * All pattern-based security decisions use this module to avoid duplication.
+ *
+ * PHILOSOPHY:
+ * - Most operations should be evaluated by CONTEXT, not by path or extension
+ * - Only truly catastrophic operations (rm -rf /, fork bombs) are auto-denied
+ * - Sensitive operations (system paths, credentials) get AI review with context
+ * - The question is: "Does this operation make sense given user intent?"
+ */
+export interface SecurityPattern {
+  pattern: RegExp;
+  reason?: string;
+}
+/**
+ * Sensitive paths that require AI context review
+ * These aren't auto-denied - they need context analysis to determine intent
+ */
+export const SENSITIVE_PATHS: SecurityPattern[] = [
+  // System directories - might be legitimate (e.g., user asked to configure something)
+  { pattern: /^(Write|Edit):\s*\/etc\//i, reason: 'System configuration - verify user intent' },
+  { pattern: /^(Write|Edit):\s*\/(bin|sbin|usr\/bin|usr\/sbin)\//i, reason: 'System binaries - verify user intent' },
+  { pattern: /^(Write|Edit):\s*\/boot\//i, reason: 'Boot directory - verify user intent' },
+  { pattern: /^(Write|Edit):\s*\/root\//i, reason: 'Root home - verify user intent' },
+  { pattern: /^(Write|Edit):\s*\/System\//i, reason: 'macOS system - verify user intent' },
+  { pattern: /^(Write|Edit):\s*\/Library\/(LaunchDaemons|LaunchAgents)\//i, reason: 'macOS launch services - verify user intent' },
+  // Credential/security files - high sensitivity, need clear user intent
+  { pattern: /^(Write|Edit):\s*.*\/\.ssh\//i, reason: 'SSH configuration - verify user intent' },
+  { pattern: /^(Write|Edit):\s*.*\/\.gnupg\//i, reason: 'GPG keys - verify user intent' },
+  { pattern: /^(Write|Edit):\s*.*\/\.aws\/(credentials|config)/i, reason: 'AWS credentials - verify user intent' },
+  { pattern: /^(Write|Edit):\s*.*\/(\.env|\.env\.local|\.env\.production)$/i, reason: 'Environment secrets - verify user intent' },
+  // Shell profiles - common legitimate edits but also attack vector
+  { pattern: /^(Write|Edit):\s*.*\/(\.bash_profile|\.bashrc|\.zshrc|\.profile|\.zprofile)$/i, reason: 'Shell profile - verify user intent' },
+];
+/**
+ * Critical threats - auto-deny regardless of context
+ *
+ * These are NOT about "dangerous commands" but about commands that:
+ * 1. Are NEVER legitimate in any dev workflow
+ * 2. Have catastrophic, irreversible consequences
+ * 3. The cost of false positive (blocking) is negligible
+ *
+ * Note: Most "dangerous" commands (curl|bash, rm -rf, sudo) go to Haiku
+ * for context review. Only truly never-legitimate commands are here.
+ */
+export const CRITICAL_THREATS: SecurityPattern[] = [
+  // Deleting root or home - no legitimate dev task requires this
+  // If user really wants this, they can run it manually outside Claude
+  {
+    pattern: /rm\s+-rf\s+(\/|~)($|\s)/i,
+    reason: 'Deleting root (/) or home (~) directory is never a legitimate dev task'
+  },
+  {
+    pattern: /:\(\)\{.*\}|:\(\)\{.*:\|:/i,
+    reason: 'Fork bomb detected - would cause system resource exhaustion'
+  },
+  {
+    pattern: /dd\s+if=\/dev\/zero\s+of=\/dev\/sd/i,
+    reason: 'Attempting to overwrite disk device - would destroy data'
+  },
+  {
+    pattern: /mkfs\./i,
+    reason: 'Attempting to format filesystem - would destroy all data'
+  },
+  {
+    pattern: /eval.*\$\(.*base64.*\)/i,
+    reason: 'Obfuscated code execution via base64 - common malware technique'
+  },
+  {
+    pattern: />\s*\/dev\/sd[a-z]/i,
+    reason: 'Direct write to disk device - would corrupt filesystem'
+  },
+  {
+    pattern: /chmod\s+000\s+\//i,
+    reason: 'Attempting to make system directories inaccessible'
+  }
+  // NOTE: curl|bash is NOT here - it goes to Haiku for context review
+  // The question is "did a bad actor inject this?" not "is curl|bash dangerous?"
+];
+/**
+ * Safe operations that can be immediately allowed (confidence: 95%)
+ * These are read-only or obviously safe operations that don't need context review
+ */
+export const SAFE_OPERATIONS: SecurityPattern[] = [
+  // Read operations are always safe - no side effects
+  { pattern: /^Read:/i },
+  { pattern: /^Glob:/i },
+  { pattern: /^Grep:/i },
+  // Write/Edit to user home directory or subdirectories - user requested, allow it
+  // Excludes system paths which go through critical threats check
+  { pattern: /^Write:\s*\/Users\/[^/]+\//i },  // macOS home dirs - Write
+  { pattern: /^Edit:\s*\/Users\/[^/]+\//i },   // macOS home dirs - Edit
+  { pattern: /^Write:\s*\/home\/[^/]+\//i },   // Linux home dirs - Write
+  { pattern: /^Edit:\s*\/home\/[^/]+\//i },    // Linux home dirs - Edit
+  // Safe bash commands - common development workflows
+  // NOTE: curl|bash goes to Haiku for context review, not auto-allowed
+  { pattern: /^Bash:\s*(npm|yarn|pnpm|bun)\s+(install|ci|run|test|build|dev|start|lint|format)($|\s)/i },
+  { pattern: /^Bash:\s*git\s+(status|log|diff|show|branch|clone|pull|fetch|add|stash|checkout)($|\s)/i },
+  { pattern: /^Bash:\s*docker\s+(build|run|ps|logs|compose|images)($|\s)/i },
+  { pattern: /^Bash:\s*(pytest|cargo\s+(build|test|run|check)|go\s+(build|test|run|mod))($|\s)/i },
+  { pattern: /^Bash:\s*(mkdir|cd|ls|pwd|cat|head|tail|wc|sort|uniq|grep|find|which|echo|env)($|\s)/i },
+  // Cleanup of build artifacts - always safe, commonly requested
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?node_modules($|\s)/i },
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?dist($|\s)/i },
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?build($|\s)/i },
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?\.cache($|\s)/i },
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?\.next($|\s)/i },
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?target($|\s)/i },
+  { pattern: /^Bash:\s*rm\s+-rf\s+(\.\/)?__pycache__($|\s)/i },
+  // Write/Edit to temp directories - ephemeral, low risk
+  { pattern: /^(Write|Edit):\s*\/tmp\//i },
+  { pattern: /^(Write|Edit):\s*\/var\/tmp\//i },
+];
+/**
+ * Patterns that trigger AI context review
+ * These operations need context analysis to determine if they align with user intent
+ *
+ * The AI should consider:
+ * 1. Did the user explicitly request this operation?
+ * 2. Does it make sense given the task at hand?
+ * 3. Is the content/action appropriate for the target?
+ */
+export const NEEDS_AI_REVIEW: SecurityPattern[] = [
+  // Remote code execution patterns
+  {
+    pattern: /(curl|wget).*\|.*(?:bash|sh)/i,
+    reason: 'Pipe to shell - verify source is trusted and user intended this'
+  },
+  // Elevated privileges
+  {
+    pattern: /sudo/i,
+    reason: 'Elevated privileges - verify user intended this action'
+  },
+  // Destructive operations (except safe build artifact cleanup)
+  {
+    pattern: /rm\s+-rf/i,
+    reason: 'Recursive deletion - verify target matches user intent'
+  },
+  // ALL Write/Edit operations that aren't to /tmp go through context review
+  // This is the key change: we review based on context, not blanket allow/deny
+  {
+    pattern: /^(Write|Edit):\s*(?!\/tmp\/|\/var\/tmp\/)/i,
+    reason: 'File modification - verify aligns with user request'
+  },
+];
+/**
+ * Check if operation matches any pattern in array
+ */
+export function matchesPattern(operation: string, patterns: SecurityPattern[]): SecurityPattern | null {
+  for (const pattern of patterns) {
+    if (pattern.pattern.test(operation)) {
+      return pattern;
+    }
+  }
+  return null;
+}
+/**
+ * Determine if operation requires AI context review
+ *
+ * The philosophy here is:
+ * - SAFE_OPERATIONS: No review needed (read-only, temp files, build artifact cleanup)
+ * - CRITICAL_THREATS: Auto-deny, no review (catastrophic operations)
+ * - Everything else: AI reviews context to determine if it matches user intent
+ */
+const SAFE_RM_PATTERNS = [
+  /rm\s+-rf\s+(\.\/)?node_modules($|\s)/i,
+  /rm\s+-rf\s+(\.\/)?dist($|\s)/i,
+  /rm\s+-rf\s+(\.\/)?build($|\s)/i,
+  /rm\s+-rf\s+(\.\/)?\.cache($|\s)/i,
+  /rm\s+-rf\s+(\.\/)?\.next($|\s)/i,
+  /rm\s+-rf\s+(\.\/)?target($|\s)/i,
+  /rm\s+-rf\s+(\.\/)?__pycache__($|\s)/i,
+];
+export function requiresAIReview(operation: string): boolean {
+  if (matchesPattern(operation, SAFE_OPERATIONS)) return false;
+  if (matchesPattern(operation, CRITICAL_THREATS)) return false;
+  if (matchesPattern(operation, NEEDS_AI_REVIEW)) {
+    return !SAFE_RM_PATTERNS.some(p => p.test(operation));
+  }
+  if (/\$\{.*\}|\$\(.*\)/.test(operation) || /\*\*?/.test(operation)) return true;
+  if (/^Bash:\s*\.\//.test(operation)) return true;
+  return false;
+}
+/**
+ * Check if operation targets a sensitive path
+ * Used to provide additional context to AI reviewer
+ */
+export function isSensitivePath(operation: string): SecurityPattern | null {
+  return matchesPattern(operation, SENSITIVE_PATHS);
+}
+/**
+ * Classify operation risk level for context-aware review
+ *
+ * Risk levels indicate how much scrutiny the AI should apply:
+ * - critical: Catastrophic if wrong (rm -rf /, fork bombs) - auto-deny
+ * - high: Needs clear user intent (sudo, sensitive paths, credentials)
+ * - medium: Normal file operations - verify matches user request
+ * - low: Safe operations - minimal review needed
+ */
+export function classifyRisk(operation: string): {
+  isDestructive: boolean;
+  riskLevel: 'low' | 'medium' | 'high' | 'critical';
+  reasons: string[];
+} {
+  // Critical threats are auto-denied
+  const criticalThreat = matchesPattern(operation, CRITICAL_THREATS);
+  if (criticalThreat) {
+    return {
+      isDestructive: true,
+      riskLevel: 'critical',
+      reasons: [criticalThreat.reason || 'Critical threat detected']
+    };
+  }
+  // Sensitive paths need high scrutiny but aren't auto-denied
+  const sensitivePath = matchesPattern(operation, SENSITIVE_PATHS);
+  if (sensitivePath) {
+    return {
+      isDestructive: false, // Not inherently destructive, just sensitive
+      riskLevel: 'high',
+      reasons: [sensitivePath.reason || 'Sensitive path - requires clear user intent']
+    };
+  }
+  // Other patterns that need elevated review
+  const elevatedPatterns: SecurityPattern[] = [
+    { pattern: /sudo/i, reason: 'Elevated privileges requested' },
+    { pattern: /DROP\s+(TABLE|DATABASE)/i, reason: 'Database deletion' },
+    { pattern: /chmod\s+777/i, reason: 'Dangerous permissions' },
+    { pattern: /(curl|wget).*\|.*(bash|sh)/i, reason: 'Remote code execution' },
+    { pattern: /pkill|killall/i, reason: 'Process termination' },
+  ];
+  for (const pattern of elevatedPatterns) {
+    if (pattern.pattern.test(operation)) {
+      return {
+        isDestructive: true,
+        riskLevel: 'high',
+        reasons: [pattern.reason || 'Elevated risk operation']
+      };
+    }
+  }
+  // Medium risk: only recursive deletions outside safe dirs
+  // NOTE: Write/Edit are NOT flagged as risky - they're normal dev operations
+  if (/rm\s+-rf/i.test(operation)) {
+    // Check if it's actually safe (build artifacts, temp)
+    if (matchesPattern(operation, SAFE_OPERATIONS)) {
+      return { isDestructive: false, riskLevel: 'low', reasons: [] };
+    }
+    return {
+      isDestructive: true,
+      riskLevel: 'medium',
+      reasons: ['Recursive deletion']
+    };
+  }
+  return {
+    isDestructive: false,
+    riskLevel: 'low',
+    reasons: []
+  };
+}

package/server/mcp/server.ts ADDED Viewed

@@ -0,0 +1,174 @@
+#!/usr/bin/env -S npx tsx
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * MCP Bouncer Server
+ *
+ * Provides permission approval/denial for Claude Code tool use via MCP protocol.
+ * Integrates with Mstro's existing bouncer-integration.ts for security analysis.
+ *
+ * Usage:
+ *   claude --print --permission-prompt-tool mcp__mstro-bouncer__approval_prompt \
+ *     --mcp-config mstro-bouncer-mcp.json \
+ *     "your prompt here"
+ */
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+} from '@modelcontextprotocol/sdk/types.js';
+import { type BouncerReviewRequest, reviewOperation } from './bouncer-integration.js';
+// Create MCP server
+const server = new Server(
+  {
+    name: 'mstro-bouncer',
+    version: '1.0.0',
+  },
+  {
+    capabilities: {
+      tools: {},
+    },
+  }
+);
+/**
+ * List available tools (required by MCP protocol)
+ */
+server.setRequestHandler(ListToolsRequestSchema, async () => {
+  return {
+    tools: [
+      {
+        name: 'approval_prompt',
+        description: 'Analyze and approve/deny tool use requests from Claude Code. Integrates with Mstro security bouncer for AI-powered risk analysis.',
+        inputSchema: {
+          type: 'object',
+          properties: {
+            tool_name: {
+              type: 'string',
+              description: 'Name of the tool being requested (e.g., "Bash", "Write", "Read")',
+            },
+            input: {
+              type: 'object',
+              description: 'Tool input parameters as JSON object',
+            },
+          },
+          required: ['tool_name', 'input'],
+        },
+      },
+    ],
+  };
+});
+/**
+ * Handle tool calls (approval_prompt)
+ */
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  if (request.params.name !== 'approval_prompt') {
+    throw new Error(`Unknown tool: ${request.params.name}`);
+  }
+  const { tool_name, input } = request.params.arguments as {
+    tool_name: string;
+    input: Record<string, any>;
+  };
+  console.error(`[MCP Bouncer] Analyzing ${tool_name} request...`);
+  // Format operation string for bouncer analysis
+  // Example: "Bash: rm -rf node_modules"
+  let operationString = `${tool_name}:`;
+  // Extract file path with multiple property name support
+  // Claude Code may use file_path, filePath, or path depending on context
+  const getFilePath = (inp: Record<string, any>) =>
+    inp.file_path || inp.filePath || inp.path;
+  if (tool_name === 'Bash' && input.command) {
+    operationString += ` ${input.command}`;
+  } else if (['Write', 'Edit', 'Read'].includes(tool_name)) {
+    const filePath = getFilePath(input);
+    operationString += filePath ? ` ${filePath}` : ` ${JSON.stringify(input)}`;
+  } else {
+    // Generic format: include all input parameters
+    operationString += ` ${JSON.stringify(input)}`;
+  }
+  // Build bouncer request with context
+  const bouncerRequest: BouncerReviewRequest = {
+    operation: operationString,
+    context: {
+      purpose: `Tool use request from Claude`,
+      workingDirectory: process.cwd(),
+      toolName: tool_name,
+      toolInput: input,
+    },
+  };
+  try {
+    // Use existing Mstro bouncer for analysis
+    const decision = await reviewOperation(bouncerRequest);
+    console.error(`[MCP Bouncer] Decision: ${decision.decision} (${decision.confidence}% confidence)`);
+    console.error(`[MCP Bouncer] Reasoning: ${decision.reasoning}`);
+    // Format response for Claude Code
+    const response =
+      decision.decision === 'deny'
+        ? {
+            behavior: 'deny',
+            message: `🚫 ${decision.reasoning}${
+              decision.alternative ? `\n\nAlternative: ${decision.alternative}` : ''
+            }`,
+          }
+        : {
+            behavior: 'allow',
+            updatedInput: input,
+            message:
+              decision.decision === 'warn_allow'
+                ? `⚠️  Allowed with caution: ${decision.reasoning}`
+                : undefined,
+          };
+    return {
+      content: [
+        {
+          type: 'text',
+          text: JSON.stringify(response),
+        },
+      ],
+    };
+  } catch (error: any) {
+    console.error(`[MCP Bouncer] Error: ${error.message}`);
+    // Fail-safe: deny on error
+    return {
+      content: [
+        {
+          type: 'text',
+          text: JSON.stringify({
+            behavior: 'deny',
+            message: `Security analysis failed: ${error.message}. Denying for safety.`,
+          }),
+        },
+      ],
+    };
+  }
+});
+/**
+ * Start the MCP server
+ */
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error('[MCP Bouncer] Server started and ready');
+}
+main().catch((error) => {
+  console.error('[MCP Bouncer] Fatal error:', error);
+  process.exit(1);
+});

package/server/routes/files.ts ADDED Viewed

@@ -0,0 +1,29 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * File Routes
+ *
+ * Handles file listing and autocomplete.
+ */
+import { Hono } from 'hono'
+import type { FileService } from '../services/files.js'
+export function createFileRoutes(fileService: FileService) {
+  const routes = new Hono()
+  routes.get('/', (c) => {
+    try {
+      const filter = c.req.query('filter') || ''
+      const baseDir = (c.req.query('baseDir') || 'scores') as 'working' | 'scores'
+      const files = fileService.getAllFiles(baseDir, filter)
+      return c.json({ files })
+    } catch (error) {
+      return c.json({ error: (error as Error).message }, 500)
+    }
+  })
+  return routes
+}

package/server/routes/improvise.ts ADDED Viewed

@@ -0,0 +1,82 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Improvise History Routes
+ *
+ * Handles improvise session history retrieval.
+ */
+import { join } from 'node:path'
+import { Hono } from 'hono'
+export function createImproviseRoutes(workingDir: string) {
+  const routes = new Hono()
+  routes.get('/sessions', async (c) => {
+    try {
+      const sessionsDir = join(workingDir, '.mstro', 'improvise')
+      const { readdirSync, existsSync, readFileSync } = await import('node:fs')
+      if (!existsSync(sessionsDir)) {
+        return c.json({ sessions: [] })
+      }
+      // Look for history-*.json files in the improvise directory
+      const historyFiles = readdirSync(sessionsDir)
+        .filter((name: string) => name.startsWith('history-') && name.endsWith('.json'))
+        .sort((a: string, b: string) => {
+          // Sort by timestamp in filename (newer first)
+          const timestampA = parseInt(a.replace('history-', '').replace('.json', ''), 10)
+          const timestampB = parseInt(b.replace('history-', '').replace('.json', ''), 10)
+          return timestampB - timestampA
+        })
+      const sessions = historyFiles.map((filename: string) => {
+        const historyPath = join(sessionsDir, filename)
+        try {
+          const historyData = JSON.parse(readFileSync(historyPath, 'utf-8'))
+          const firstPrompt = historyData.movements?.[0]?.userPrompt || ''
+          return {
+            sessionId: historyData.sessionId,
+            startedAt: historyData.startedAt,
+            lastActivityAt: historyData.lastActivityAt,
+            totalTokens: historyData.totalTokens,
+            movementCount: historyData.movements?.length || 0,
+            title: firstPrompt.slice(0, 80) + (firstPrompt.length > 80 ? '...' : ''),
+            movements: historyData.movements || []
+          }
+        } catch {
+          return null
+        }
+      }).filter(Boolean)
+      return c.json({ sessions })
+    } catch (error) {
+      return c.json({ error: (error as Error).message }, 500)
+    }
+  })
+  routes.get('/sessions/:sessionId', async (c) => {
+    try {
+      const { sessionId } = c.req.param()
+      // Extract timestamp from sessionId (e.g., "improv-1234567890" -> "1234567890")
+      const timestamp = sessionId.replace('improv-', '')
+      const historyPath = join(workingDir, '.mstro', 'improvise', `history-${timestamp}.json`)
+      const { existsSync, readFileSync } = await import('node:fs')
+      if (!existsSync(historyPath)) {
+        return c.json({ error: 'Session not found' }, 404)
+      }
+      const historyData = JSON.parse(readFileSync(historyPath, 'utf-8'))
+      return c.json(historyData)
+    } catch (error) {
+      return c.json({ error: (error as Error).message }, 500)
+    }
+  })
+  return routes
+}

package/server/routes/index.ts ADDED Viewed

@@ -0,0 +1,13 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Routes Index
+ *
+ * Re-exports all route creators for easy importing.
+ */
+export { createFileRoutes } from './files.js'
+export { createImproviseRoutes } from './improvise.js'
+export { createInstanceRoutes, createShutdownRoute } from './instances.js'
+export { createNotificationRoutes } from './notifications.js'

package/server/routes/instances.ts ADDED Viewed

@@ -0,0 +1,54 @@
+// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
+// Licensed under the MIT License. See LICENSE file for details.
+/**
+ * Instance Management Routes
+ *
+ * Handles server instance discovery and management.
+ */
+import { Hono } from 'hono'
+import { getClientId } from '../services/client-id.js'
+import { InstanceRegistry } from '../services/instances.js'
+export function createInstanceRoutes(instanceRegistry: InstanceRegistry) {
+  const routes = new Hono()
+  routes.get('/', (c) => {
+    try {
+      const instances = InstanceRegistry.getAllInstances()
+      return c.json({ instances })
+    } catch (error) {
+      return c.json({ error: (error as Error).message }, 500)
+    }
+  })
+  routes.get('/current', (c) => {
+    try {
+      const instance = instanceRegistry.getCurrentInstance()
+      return c.json({
+        instance,
+        clientId: getClientId()
+      })
+    } catch (error) {
+      return c.json({ error: (error as Error).message }, 500)
+    }
+  })
+  return routes
+}
+export function createShutdownRoute(instanceRegistry: InstanceRegistry) {
+  const routes = new Hono()
+  routes.post('/', (c) => {
+    setTimeout(() => {
+      instanceRegistry.unregister()
+      process.exit(0)
+    }, 100)
+    return c.json({ success: true, message: 'Shutting down...' })
+  })
+  return routes
+}