mstro-app 0.4.39 → 0.4.44

package/server/mcp/bouncer-integration.ts

@@ -80,11 +80,17 @@ interface CachedDecision {
 
 const decisionCache = new Map<string, CachedDecision>();
 
-function getCachedDecision(operation: string): BouncerDecision | null {
-  const entry = decisionCache.get(operation);
+function buildCacheKey(operation: string, context?: BouncerReviewRequest['context']): string {
+  const sessionId = context?.sessionId ?? '_';
+  return `${sessionId}:${operation}`;
+}
+
+function getCachedDecision(operation: string, context?: BouncerReviewRequest['context']): BouncerDecision | null {
+  const key = buildCacheKey(operation, context);
+  const entry = decisionCache.get(key);
   if (!entry) return null;
   if (Date.now() > entry.expiresAt) {
-    decisionCache.delete(operation);
+    decisionCache.delete(key);
     return null;
   }
   return entry.decision;
@@ -95,13 +101,14 @@ export function clearDecisionCache(): void {
   decisionCache.clear();
 }
 
-function cacheDecision(operation: string, decision: BouncerDecision): void {
+function cacheDecision(operation: string, context: BouncerReviewRequest['context'] | undefined, decision: BouncerDecision): void {
   if (decision.confidence < 50) return;
   if (decisionCache.size >= CACHE_MAX_SIZE) {
     const firstKey = decisionCache.keys().next().value;
     if (firstKey !== undefined) decisionCache.delete(firstKey);
   }
-  decisionCache.set(operation, { decision, expiresAt: Date.now() + CACHE_TTL_MS });
+  const key = buildCacheKey(operation, context);
+  decisionCache.set(key, { decision, expiresAt: Date.now() + CACHE_TTL_MS });
 }
 
 // ── Decision Finalization ─────────────────────────────────────
@@ -134,7 +141,7 @@ function finalizeDecision(
     });
   }
 
-  if (!opts?.skipCache) cacheDecision(operation, decision);
+  if (!opts?.skipCache) cacheDecision(operation, context, decision);
   return decision;
 }
 
@@ -216,8 +223,8 @@ export async function reviewOperation(request: BouncerReviewRequest): Promise<Bo
   const fin = (d: BouncerDecision, layer: string, opts?: Parameters<typeof finalizeDecision>[6]) =>
     finalizeDecision(operation, d, layer, startTime, request.context, logBouncerDecision, opts);
 
-  // Check cache first
-  const cached = getCachedDecision(operation);
+  // Check cache first (keyed on operation + session to prevent cross-context bypass)
+  const cached = getCachedDecision(operation, request.context);
   if (cached) {
     console.error(`[Bouncer] ⚡ Cache hit: ${cached.decision} (${cached.confidence}%)`);
     return cached;

package/server/mcp/security-patterns.ts

@@ -153,7 +153,7 @@ export const SAFE_OPERATIONS: SecurityPattern[] = [
   { pattern: /^Bash:\s*git\s+(commit|push|tag|remote|rebase|merge|cherry-pick|reset|revert)($|\s)/i },
   { pattern: /^Bash:\s*git\s+(worktree|submodule|config|clean|gc)($|\s)/i },
   { pattern: /^Bash:\s*(uname|hostname|whoami|id|groups|uptime|df|du|free|top|ps|lsof|stat|file|readlink)($|\s)/i },
-  { pattern: /^Bash:\s*(mv|cp|touch|ln|basename|dirname|realpath|mktemp|xargs|tee|tr|cut|paste|comm|diff|patch)($|\s)/i },
+  { pattern: /^Bash:\s*(touch|basename|dirname|realpath|mktemp|xargs|tee|tr|cut|paste|comm|diff|patch)($|\s)/i },
   { pattern: /^Bash:\s*(tar|gzip|gunzip|zip|unzip|bzip2)\s/i },
   { pattern: /^Bash:\s*(ruby|python3?|php|java|javac|scala|kotlinc|swift|rustc|gcc|g\+\+|clang)\s/i },
   { pattern: /^Bash:\s*(pip|pip3|gem|bundle|composer|maven|gradle|sbt|cargo|rustup)\s/i },

package/server/services/plan/agents/code-review.md

@@ -0,0 +1,109 @@
+---
+name: code-review
+description: "Senior staff engineer code review — surfaces architectural violations, SOLID issues, security vulnerabilities, bugs, and performance problems with structured evidence. Use when performing a comprehensive AI code review of a directory."
+user-invocable: true
+type: review
+allowed-tools: Read, Grep, Glob, Bash
+context: fork
+---
+
+You are a senior staff engineer performing a rigorous, honest code review. Your job is to surface the most impactful quality bottlenecks — the issues a principal engineer would flag in a code review. Be critical and objective. Do NOT inflate scores.
+
+IMPORTANT: Your current working directory is "{{dirPath}}". Only review files within this directory.
+{{cliFindingsSection}}
+## Review Process
+
+1. **Discover**: Use Glob to find source files (e.g. "**/*.{ts,tsx,js,py,rs,go,java,rb,php}"). Understand the project structure.
+2. **Read**: Read the most important files — entry points, core modules, handlers, services. Prioritize files with recent git changes (`git diff --name-only HEAD~5` via Bash if available).
+3. **Analyze**: Look for real, actionable issues across ALL of these categories:
+
+   ### Architecture
+   - What is the current architecture (monolith, microservices, layered, etc.)?
+   - Are there architectural violations? (e.g., presentation layer directly accessing data layer, circular dependencies between modules)
+   - Is there proper separation of concerns?
+   - Are there god objects or god modules that do too much?
+
+   ### SOLID / OOP Principles
+   - **SRP**: Classes/modules with multiple unrelated responsibilities
+   - **OCP**: Code that requires modification instead of extension for new features
+   - **LSP**: Subtypes that don't properly substitute for their base types
+   - **ISP**: Interfaces/contracts that force implementations to depend on methods they don't use
+   - **DIP**: High-level modules directly depending on low-level modules instead of abstractions
+
+   ### Security
+   - Injection vulnerabilities (SQL, XSS, command), hardcoded secrets/credentials, auth bypasses, insecure crypto, path traversal, SSRF, unsafe deserialization
+
+   ### Bugs & Logic
+   - Null/undefined errors, race conditions, logic errors, unhandled edge cases, off-by-one errors, resource leaks, incorrect error handling, incorrect algorithms
+
+   ### Performance
+   - N+1 queries, unnecessary re-renders, missing memoization, blocking I/O in hot paths, unbounded data structures, missing pagination
+
+## CRITICAL — Structured Evidence Requirement
+
+For EACH finding, you MUST provide structured evidence that grounds the finding in actual code. This is required to prevent false positives.
+
+For each finding, use this reasoning process:
+
+1. **PREMISE**: State the observable fact from the code. Quote the exact code you see.
+2. **CONTEXT**: What is the surrounding code doing? Are there guards, fixes, or patterns elsewhere that might handle this?
+3. **COUNTER-CHECK**: Actively look for evidence that CONTRADICTS your finding. Check for:
+   - Guards or validation earlier in the call chain
+   - Error handling wrapping the code
+   - Configuration that changes behavior (e.g., NODE_ENV checks)
+   - Comments explaining intentional design choices
+4. **CONCLUSION**: Only report the finding if you could not find contradicting evidence.
+
+### Common False Positive Patterns to AVOID
+
+- Claiming a function uses API X when it actually uses API Y (e.g., claiming Math.random() when code uses crypto.randomInt()) — ALWAYS quote the actual function call
+- Claiming a header/value is leaked when code already deletes/filters it — READ the full function
+- Claiming there's no guard when a condition check exists nearby — READ surrounding lines
+- Claiming N fields/methods when the actual count differs — COUNT explicitly
+- Claiming a resource leaks when cleanup exists in a different handler — SEARCH for the cleanup code
+
+## Rules
+
+- Only report findings you are >90% confident about after completing the counter-check step.
+- Focus on architecture, SOLID violations, bugs, and security over style nits.
+- Each finding MUST reference a specific file and line number. Do not report vague or file-level issues.
+- Each finding MUST include an "evidence" field with the exact code snippet (1-5 lines) proving the issue exists.
+- Limit to the 25 most important findings, ranked by severity.
+- Do NOT modify any files. This is a read-only review.
+- Be HONEST about the overall quality. A codebase with serious issues should score low.
+
+## Scoring Guidelines
+
+After your analysis, provide an honest overall quality score (0-100) and letter grade:
+- **A (90-100)**: Excellent — clean architecture, minimal issues, well-tested, follows best practices
+- **B (80-89)**: Good — solid code with minor issues, mostly well-structured
+- **C (70-79)**: Adequate — functional but has notable quality issues that should be addressed
+- **D (60-69)**: Below average — significant issues in architecture, testing, or code quality
+- **F (0-59)**: Poor — serious problems: security vulnerabilities, broken architecture, major bugs, or unmaintainable code
+
+Consider ALL findings (both CLI tool findings and your own) when determining the score. The score should reflect the overall state of the codebase honestly. A project with 50+ linting errors, formatting issues, complex functions, AND architectural problems should NOT score above 70.
+
+## Output
+
+After your analysis, output EXACTLY one JSON code block with your findings. No other text after the JSON block.
+
+```json
+{
+  "score": 72,
+  "grade": "C",
+  "scoreRationale": "Brief explanation of why this score was given, referencing key issues",
+  "findings": [
+    {
+      "severity": "critical|high|medium|low",
+      "category": "architecture|oop|security|bugs|performance|logic",
+      "file": "relative/path/to/file.ts",
+      "line": 42,
+      "title": "Short title describing the issue",
+      "description": "What the problem is and why it matters.",
+      "suggestion": "How to fix it.",
+      "evidence": "const token = Math.random().toString(36) // exact code from file proving the issue"
+    }
+  ],
+  "summary": "Brief 1-2 sentence summary of overall code quality."
+}
+```

package/server/services/plan/agents/commit-message.md

@@ -0,0 +1,26 @@
+---
+name: commit-message
+description: "Generate a conventional git commit message from staged changes. Use when committing code and wanting an AI-generated commit message."
+user-invocable: false
+allowed-tools: Bash
+---
+
+You are generating a git commit message for the following staged changes.
+
+RECENT COMMIT MESSAGES (for style reference):
+{{recentCommits}}
+
+STAGED FILES:
+{{stagedFiles}}
+
+DIFF OF STAGED CHANGES:
+{{diff}}
+
+Generate a commit message following these rules:
+1. First line: imperative mood, max 72 characters (e.g., "Add user authentication", "Fix memory leak in parser")
+2. If the changes are complex, add a blank line then bullet points explaining the key changes
+3. Focus on the "why" not just the "what"
+4. Match the style of recent commits if possible
+5. No emojis unless the repo already uses them
+
+Respond with ONLY the commit message, nothing else.

package/server/services/plan/agents/fix-quality.md

@@ -0,0 +1,24 @@
+---
+name: fix-quality
+description: "Fix code quality issues found by linters, complexity analyzers, or AI code review. Systematically works through findings from most to least severe. Use when fixing quality scan results."
+user-invocable: true
+type: review
+allowed-tools: Read, Edit, Write, Grep, Glob, Bash
+---
+
+You are a code quality fix agent. Fix the following quality issues in the codebase.
+
+## Issues to Fix ({{issueCount}} total, showing top {{showCount}})
+
+{{issueList}}
+
+## Rules
+
+- Fix each issue by editing the relevant file at the specified location.
+- For complexity issues: refactor into smaller functions. For long files: split or extract modules. For long functions: break into smaller functions.
+- For security issues: apply the suggested fix or use secure coding best practices.
+- For bugs: fix the root cause, not just the symptom.
+- For linting/formatting: apply the standard for the project.
+- Do NOT introduce new issues. Make minimal, focused changes.
+- After fixing, verify the changes compile/pass linting if tools are available.
+- Work through the issues systematically from most to least severe.

package/server/services/plan/agents/pr-description.md

@@ -0,0 +1,28 @@
+---
+name: pr-description
+description: "Generate a pull request title and description from branch commits and diff. Use when creating a PR and wanting an AI-generated title and body."
+user-invocable: false
+allowed-tools: Bash
+---
+
+You are generating a pull request title and description for the following changes.
+
+COMMITS ({{baseBranch}}..HEAD):
+{{commits}}
+
+FILES CHANGED:
+{{filesChanged}}
+
+DIFF:
+{{diff}}
+
+Generate a pull request title and description following these rules:
+1. TITLE: First line must be the PR title — imperative mood, under 70 characters
+2. Leave a blank line after the title
+3. BODY: Write a concise description in markdown with:
+   - A "## Summary" section with 1-3 bullet points explaining what changed and why
+   - Optionally a "## Details" section if the changes are complex
+4. Focus on the "why" not just the "what"
+5. No emojis
+
+Respond with ONLY the title and description, nothing else.

package/server/services/plan/composer.ts

@@ -11,8 +11,8 @@
 
 import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
-import { runWithFileLogger } from '../../cli/headless/headless-logger.js';
-import { HeadlessRunner, type ToolUseEvent } from '../../cli/headless/index.js';
+import type { ToolUseEvent } from '../../cli/headless/index.js';
+import { ResilientRunner } from '../../cli/headless/resilient-runner.js';
 import type { HandlerContext } from '../websocket/handler-context.js';
 import type { WSContext } from '../websocket/types.js';
 import { defaultPmDir, getNextId, parseBoardDirectory, parsePlanDirectory, resolvePmDir } from './parser.js';
@@ -196,6 +196,7 @@ created: "YYYY-MM-DD"
 blocked_by: []             # Use backlog-relative paths: backlog/IS-NNN.md
 blocks: []                 # Use backlog-relative paths: backlog/IS-NNN.md
 review_gate: auto
+output_type: auto          # code = modify source files, document = produce written artifact, auto = infer
 output_file: null
 ---
 
@@ -228,6 +229,14 @@ Implementation guidance.
 - If an issue requires work across multiple subsystems, split it into one issue per subsystem with blocked_by edges between them
 - Research/investigation issues should be separate from implementation issues
 
+## output_type rules (critical — determines how the AI executes and reviews each issue)
+
+- Set \`output_type: document\` for research, design, analysis, writing, planning, learning, or educational issues — anything that produces a written artifact rather than code changes
+- Set \`output_type: code\` for issues that MUST modify source code files (implementation, bug fixes, refactoring)
+- Set \`output_type: auto\` when unsure — the system will infer from "Files to Modify" (if the section lists real source paths it's treated as code, otherwise as document)
+- When output_type is \`document\`, "Files to Modify" entries are treated as references, not files to edit. The AI produces a document artifact and is reviewed on document quality.
+- When output_type is \`code\`, "Files to Modify" lists actual source files the AI must edit. The review gate verifies source files were changed.
+
 ## Epic creation rules
 
 - Create an EP-*.md file in ${cc.backlogPath} with type: epic and a children: [] field in front matter
@@ -246,12 +255,13 @@ User request: ${userPrompt}`;
       data: { message: 'Starting project planning...' },
     });
 
-    const runner = new HeadlessRunner({
+    const runner = new ResilientRunner({
       workingDir: executionDir || workingDir,
-      directPrompt: enrichedPrompt,
-      stallWarningMs: 300_000,   // 5 min — compose usually finishes quickly
-      stallKillMs: 900_000,      // 15 min
-      stallHardCapMs: 1_800_000, // 30 min hard cap
+      prompt: enrichedPrompt,
+      policy: 'STANDARD',
+      stallWarningMs: 300_000,
+      stallKillMs: 900_000,
+      stallHardCapMs: 1_800_000,
       verbose: true,
       outputCallback: (text: string) => {
         ctx.send(ws, {
@@ -271,6 +281,8 @@ User request: ${userPrompt}`;
           }
         };
       })(),
+      logLabel: 'pm-compose',
+      logDir: cc.effectiveBoardId ? join(pmDir, 'boards', cc.effectiveBoardId, 'logs') : undefined,
     });
 
     ctx.broadcastToAll({
@@ -278,8 +290,7 @@ User request: ${userPrompt}`;
       data: { message: 'Claude is planning your project...' },
     });
 
-    const boardLogDir = cc.effectiveBoardId ? join(pmDir, 'boards', cc.effectiveBoardId, 'logs') : undefined;
-    const result = await runWithFileLogger('pm-compose', () => runner.run(), boardLogDir);
+    const result = await runner.run();
 
     ctx.broadcastToAll({
       type: 'planPromptProgress',