prism-mcp-server 15.7.2 → 15.7.4

package/README.md

@@ -124,47 +124,35 @@ Three entry points:
 
 See [KNOWLEDGE_INGESTION.md](docs/KNOWLEDGE_INGESTION.md) for full setup guide.
 
-### Cost comparison
+### Routing accuracy
 
-Benchmark: 19 queries (routing + code knowledge + clinical), May 2026:
+**Head-to-head: prism-coder:14b vs Claude Opus** (25-case benchmark, production system prompt, May 2026):
 
-| Architecture | Routing | Code Knowledge | Clinical | Annual Cost (1K/day) |
-|---|---|---|---|---|
-| **Prism cascade** (14b→RAG→Sonnet) | 100% (local) | RAG-powered | Sonnet | **~$330/yr** |
-| Claude Opus for everything | ~30% (no tools) | Training data | Opus | ~$10,600/yr |
-
-**84% cost savings.** Routing is free and 100% accurate. Cloud only for the 20% of queries that need deep reasoning.
-
-The routing cascade validates each response against the known tool names and escalates on empty, truncated, or hallucinated tool calls.
-
-**Routing accuracy** ([102-case Prism eval](tests/benchmarks/prism-routing-100/README.md), v36/v7 system prompt, 3-seed mean, May 2026):
-
-| Model | Accuracy | Cost/req | Latency | Runs on | AAC | Edge cases |
-|---|---|---|---|---|---|---|
-| Claude Sonnet 4 | **99%** | ~$0.01 | 3.2s | Cloud | 100% | 83% |
-| **prism-coder:32b** swe14 | **100.0%** | **$0** | 1.4s | Mac 24GB+ | **100%** | **100%** |
-| **prism-coder:8b** v36 | **100.0%** | **$0** | **0.8s** | iPhone/iPad 8GB | **100%** | **100%** |
-| **prism-coder:14b** v36 | **100.0%** | **$0** | **1.1s** | Mac 24GB+ / iPad Pro 16GB | **100%** | **100%** |
-| Claude Opus 4.7 | **98.3%** | ~$0.05 | 3.0s | Cloud | 100% | 83% |
-| **prism-coder:1.7b** v42 | **100.0%** | **$0** | 1.6s | Any device | **100%** | **100%** |
-| **14B→32B cascade** | **100.0%** | **~$0** | ~1.1s¹ | Mac 24GB+ | **100%** | **100%** |
-
-¹ ~99% of requests served by 14B at 1.1s; 32B for the ~1% 14B misses.
+| Metric | prism-coder:14b | Claude Opus 4 |
+|---|---|---|
+| **Overall accuracy** | **96% (24/25)** | 88% (22/25) |
+| **Tool routing** (15 tests) | **93% (14/15)** | 80% (12/15) |
+| **Abstention** (10 tests) | **100% (10/10)** | **100% (10/10)** |
+| **Avg latency** | **0.8s** | 5.5s |
+| **Cost per query** | **$0** | ~$0.017 |
+| **Annual @ 1K/day** | **$0** | ~$6,100 |
 
-**Extended eval — eval_300** (300 cases, 17 tools + NO_TOOL, 9 categories, 3-seed validated, May 2026):
+prism-coder:14b beats Opus on tool routing — 7x faster, free, runs offline.
 
-| Model | eval_300 strict | Categories |
-|---|---|---|
-| **prism-coder:32b** swe14 | **300/300 (100%)** | abstention 20/20, adversarial 70/70, cascade 25/25, disambiguation 40/40, edge_case 25/25, multi_intent 20/20, natural_phrasing 50/50, param_extraction 25/25, verifier 25/25 |
-| **prism-coder:14b** s17 | **299/300 (99.7%)** | 1 failure in adversarial_trap |
+**eval_300** (300 cases, 17 tools + NO_TOOL, 9 categories, 3-seed validated):
 
-The eval_300 suite covers natural phrasing, adversarial traps (CS/meta questions that should NOT trigger tools), disambiguation between similar tools, edge cases (single-word prompts), multi-intent cascades, parameter extraction, and verifier-style prompts.
+| Model | eval_300 strict | Size | Latency |
+|---|---|---|---|
+| **prism-coder:32b** | **300/300 (100%)** | 19 GB | ~1.4s |
+| **prism-coder:14b** | **299/300 (99.7%)** | 9 GB | ~0.8s |
+| **prism-coder:4b** | **300/300 (100%)** | 2.5 GB | ~0.5s |
+| **prism-coder:1.7b** | **300/300 (100%)** | 2.2 GB | ~1.6s |
 
-**Why this matters for a life-critical AAC app**: a child in a hospital without WiFi, a nonverbal adult on an airplane, or a family on a budget gets Claude-grade routing accuracy with zero cloud dependency — and the AAC path (expressing pain, asking for help) routes correctly **100% of the time across all tiers and all seeds tested**.
+Categories: abstention, adversarial traps, cascade, disambiguation, edge cases, multi-intent, natural phrasing, parameter extraction, verifier prompts.
 
-**What it does NOT mean**: these scores measure routing precision on a narrow 6-tool taxonomy, not general intelligence. Claude outperforms these models on everything outside this task. The value is **offline reliability at zero cost**, not replacing Claude.
+**What this means**: a child in a hospital without WiFi, a nonverbal adult on an airplane, or a family on a budget gets Claude-grade routing accuracy with zero cloud dependency — the AAC path routes correctly **100% of the time across all tiers**.
 
-> **The prompt engineering breakthrough**: Q4_K_M quantized models confuse semantically similar tool names when routing rules use plain keyword lists. Two structural fixes eliminated all confusion: (1) replacing `-> plain text` with `-> respond directly (no tool)`, and (2) adding category labels (`CONVERSATION RECALL:` / `SAVED KNOWLEDGE:`) as semantic anchors stronger than keyword matching. Combined effect: 14B went from 87% → 100% on the 102-case Prism eval (v36/v7 system prompt, 3-seed mean).
+**What it does NOT mean**: these scores measure routing precision on a 17-tool taxonomy, not general intelligence. Claude outperforms on everything outside this task. The value is **offline reliability at zero cost**, not replacing Claude. Code and clinical knowledge come from RAG via `knowledge_search`.
 
 ### 🔍 L3 Grounding Verifier
 When `prism_infer` receives an `evidence` payload, the grounding verifier automatically checks the model's response against the provided evidence before returning to the caller. Unverified or hallucinated claims are flagged. This is the third layer (L3) of the cascade — after tool routing (L1) and confidence gating (L2).
@@ -423,6 +411,28 @@ As of v14.0.0, Prism's algorithm exports are a **stable public contract** under
 | [PrismAAC](https://github.com/dcostenco/prism-aac) | Spreading-activation phrase ranking (recency × frequency × per-user history). Caregiver corrections auto-harvest into the personalization corpus via the audit-hooks postflight harvester. The on-device 7B model + this algorithm stack is what makes PrismAAC defensible. |
 | Synalux portal | Tier-aware model routing using experience bias on prior outcomes per fingerprint. HIPAA-compliant clinical scribe with on-device-first privacy guarantees. |
 
+## CLI Reference
+
+Prism Coder includes a CLI for session management, code review, and sync operations.
+
+```bash
+prism load <project>          # Load session context (same as session_load_context MCP tool)
+prism save                    # Save session state (ledger + handoff)
+prism ledger <project>        # Save a session log entry (same as session_save_ledger)
+prism handoff <project>       # Update live project state for next session
+prism push                    # Push local SQLite data to Supabase cloud
+prism sync                    # Cross-backend data synchronization
+prism search <query>          # Search code across repos (exact, regex, symbol, semantic)
+prism review <files...>       # AI code review — security, performance, style
+prism scan <files...>         # Security scan — secrets, licenses, Dockerfile
+prism dora                    # Show DORA metrics for current project
+prism scm                     # Source control, AI review, security scanning
+prism verify                  # Manage the verification harness
+prism status                  # Check verification state and config drift
+prism generate                # Bless current rubric as canonical
+prism register-models         # Alias dcostenco/prism-coder:* → prism-coder:*
+```
+
 ## Testing
 
 ```bash

package/dist/dashboard/server.js

@@ -870,11 +870,10 @@ return false;}
                         res.writeHead(400, { "Content-Type": "application/json" });
                         return res.end(JSON.stringify({ error: "filename and content are required" }));
                     }
-                    // Write uploaded content to a temp file
-                    const tmpDir = path.join(os.tmpdir(), "prism-import");
-                    fs.mkdirSync(tmpDir, { recursive: true });
-                    const safeFilename = path.basename(filename); // prevent path traversal
-                    const tmpFile = path.join(tmpDir, `upload-${Date.now()}-${safeFilename}`);
+                    // Write uploaded content to a secure temp directory
+                    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "prism-import-"));
+                    const safeFilename = path.basename(filename).replace(/[^a-zA-Z0-9._-]/g, "_");
+                    const tmpFile = path.join(tmpDir, safeFilename);
                     fs.writeFileSync(tmpFile, content, "utf-8");
                     try {
                         const { universalImporter } = await import("../utils/universalImporter.js");

package/dist/dashboard/ui.js

@@ -1842,8 +1842,8 @@ function loadPipelines() {
             var maxIter = (p.parsedSpec && p.parsedSpec.maxIterations) ? p.parsedSpec.maxIterations : '?';
             html += '<div style="padding:0.75rem 1rem;background:rgba(15,23,42,0.6);border-radius:8px;border-left:3px solid ' + statusColor + ';">';
             html += '<div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:0.35rem">';
-            html += '<span style="font-weight:600;color:var(--text-primary)">' + emoji + ' ' + p.status + '</span>';
-            html += '<span style="font-size:0.7rem;font-family:var(--font-mono);color:var(--text-muted)">' + p.id.slice(0, 8) + '…</span>';
+            html += '<span style="font-weight:600;color:var(--text-primary)">' + emoji + ' ' + escapeHtml(p.status) + '</span>';
+            html += '<span style="font-size:0.7rem;font-family:var(--font-mono);color:var(--text-muted)">' + escapeHtml(p.id.slice(0, 8)) + '…</span>';
             html += '</div>';
             html += '<div style="font-size:0.82rem;color:var(--text-secondary);margin-bottom:0.35rem">' + escapeHtml(objective) + '</div>';
             html += '<div style="display:flex;gap:1rem;font-size:0.72rem;color:var(--text-muted);flex-wrap:wrap">';
@@ -1856,7 +1856,7 @@ function loadPipelines() {
                 html += '<div style="font-size:0.72rem;color:var(--accent-rose);margin-top:0.35rem;padding:0.3rem 0.5rem;background:rgba(244,63,94,0.08);border-radius:4px">⚠ ' + escapeHtml(p.error.slice(0, 200)) + '</div>';
             }
             if (isActive) {
-                html += '<div style="margin-top:0.5rem"><button onclick="abortPipeline(this.dataset.id)" data-id="' + p.id + '" class="cleanup-btn" style="font-size:0.72rem">🛑 Abort Pipeline</button></div>';
+                html += '<div style="margin-top:0.5rem"><button onclick="abortPipeline(this.dataset.id)" data-id=''' + escapeHtml(p.id) + ''' class="cleanup-btn" style="font-size:0.72rem">🛑 Abort Pipeline</button></div>';
             }
             html += '</div>';
         }
@@ -4021,7 +4021,7 @@ function loadSchedulerStatus() {
                         parts.push('</div>');
                         errors = [t.ttlSweep.error, t.importanceDecay.error, t.compaction.error, t.deepPurge.error].filter(Boolean);
                         if (errors.length > 0) {
-                            parts.push('<div style="color:var(--accent-rose);margin-top:0.3rem;font-size:0.7rem">⚠️ ' + errors.join(' | ') + '</div>');
+                            parts.push('<div style="color:var(--accent-rose);margin-top:0.3rem;font-size:0.7rem">⚠️ ' + errors.map(escapeHtml).join(' | ') + '</div>');
                         }
                         parts.push('</div>');
                     }
@@ -4199,7 +4199,7 @@ function loadGraphMetrics() {
                             lastRoute = m.cognitive.last_route || '—';
                             lastConcept = m.cognitive.last_concept || '(none)';
                             lastConf = m.cognitive.last_confidence !== null ? Math.round(m.cognitive.last_confidence * 100) + '%' : '—';
-                            parts.push('<br>Last: ' + lastRoute + ' → ' + lastConcept + ' (' + lastConf + ')');
+                            parts.push('<br>Last: ' + escapeHtml(lastRoute) + ' → ' + escapeHtml(lastConcept) + ' (' + lastConf + ')');
                             parts.push('<br><span style="color:var(--text-muted)">' + timeAgo(m.cognitive.last_run_at) + '</span>');
                         }
                         parts.push('</div>');

package/dist/dashboard/webhookRouter.js

@@ -18,12 +18,41 @@
 import { createHmac, timingSafeEqual } from "crypto";
 import { handleGitHubWebhook } from "../tools/ingestHandler.js";
 import { debugLog } from "../utils/logger.js";
+import { ddInfo, ddWarn } from "../utils/ddLogger.js";
 const WEBHOOK_SECRET = process.env.GITHUB_WEBHOOK_SECRET || "";
 const GITHUB_TOKEN = process.env.GITHUB_TOKEN || "";
+const PRISM_INGEST_API_KEY = process.env.PRISM_INGEST_API_KEY || "";
+const IS_PRODUCTION = process.env.NODE_ENV === "production";
+// ─── Rate Limiting (in-memory, per-IP) ─────────────────────────
+const rateLimitMap = new Map();
+const RATE_LIMIT_WINDOW_MS = 60_000;
+const RATE_LIMIT_MAX = 10;
+function checkRateLimit(ip) {
+    const now = Date.now();
+    const entry = rateLimitMap.get(ip);
+    if (!entry || now > entry.resetAt) {
+        rateLimitMap.set(ip, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
+        return true;
+    }
+    entry.count++;
+    return entry.count <= RATE_LIMIT_MAX;
+}
+// Cleanup stale entries every 5 minutes
+setInterval(() => {
+    const now = Date.now();
+    for (const [ip, entry] of rateLimitMap) {
+        if (now > entry.resetAt)
+            rateLimitMap.delete(ip);
+    }
+}, 300_000);
 // ─── Signature Verification ────────────────────────────────────
 function verifySignature(payload, signature) {
     if (!WEBHOOK_SECRET) {
-        debugLog("[webhook] GITHUB_WEBHOOK_SECRET not set — accepting all requests (dev mode)");
+        if (IS_PRODUCTION) {
+            debugLog("[webhook] GITHUB_WEBHOOK_SECRET not set in production — rejecting");
+            return false;
+        }
+        debugLog("[webhook] GITHUB_WEBHOOK_SECRET not set — accepting (dev mode only)");
         return true;
     }
     if (!signature)
@@ -38,8 +67,45 @@ function verifySignature(payload, signature) {
         return false;
     }
 }
+// ─── Input Validation ──────────────────────────────────────────
+const REPO_NAME_RE = /^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/;
+const SAFE_PATH_RE = /^[a-zA-Z0-9._\-\/]+$/;
+function validateRepoName(name) {
+    return REPO_NAME_RE.test(name) && !name.includes("..");
+}
+function validateFilePath(path) {
+    return SAFE_PATH_RE.test(path) && !path.includes("..") && !path.startsWith("/");
+}
+// ─── Ingest API Auth ───────────────────────────────────────────
+function verifyIngestAuth(authHeader) {
+    if (!authHeader)
+        return false;
+    if (!PRISM_INGEST_API_KEY && !WEBHOOK_SECRET) {
+        if (IS_PRODUCTION)
+            return false;
+        return true;
+    }
+    const expectedKey = PRISM_INGEST_API_KEY || WEBHOOK_SECRET;
+    const token = authHeader.replace(/^Bearer\s+/i, "");
+    if (token.length !== expectedKey.length)
+        return false;
+    try {
+        return timingSafeEqual(Buffer.from(token), Buffer.from(expectedKey));
+    }
+    catch {
+        return false;
+    }
+}
 // ─── Fetch File Content from GitHub API ─────────────────────────
 async function fetchFileFromGitHub(repoFullName, filePath, ref) {
+    if (!validateRepoName(repoFullName)) {
+        debugLog(`[webhook] Invalid repo name rejected: ${repoFullName}`);
+        return null;
+    }
+    if (!validateFilePath(filePath)) {
+        debugLog(`[webhook] Invalid file path rejected: ${filePath}`);
+        return null;
+    }
     const headers = {
         "Accept": "application/vnd.github.v3.raw",
         "User-Agent": "prism-mcp-webhook",
@@ -48,8 +114,8 @@ async function fetchFileFromGitHub(repoFullName, filePath, ref) {
         headers["Authorization"] = `Bearer ${GITHUB_TOKEN}`;
     }
     try {
-        const url = `https://api.github.com/repos/${repoFullName}/contents/${filePath}?ref=${ref}`;
-        const res = await fetch(url, { headers });
+        const url = `https://api.github.com/repos/${encodeURIComponent(repoFullName.split("/")[0])}/${encodeURIComponent(repoFullName.split("/")[1])}/contents/${filePath.split("/").map(encodeURIComponent).join("/")}?ref=${encodeURIComponent(ref)}`;
+        const res = await fetch(url, { headers, signal: AbortSignal.timeout(10_000) });
         if (!res.ok)
             return null;
         return await res.text();
@@ -79,6 +145,13 @@ function readBody(req, maxBytes = 10_000_000) {
 export async function handleWebhookRequest(req, res, pathname) {
     // ── GitHub Webhook ─────────────────────────────────────────
     if (pathname === "/api/github/webhook" && req.method === "POST") {
+        const ip = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket?.remoteAddress || "unknown";
+        if (!checkRateLimit(`wh:${ip}`)) {
+            ddWarn("webhook.rate_limited", { ip, endpoint: "github" });
+            res.writeHead(429, { "Content-Type": "application/json", "Retry-After": "60" });
+            res.end(JSON.stringify({ error: "Rate limit exceeded" }));
+            return true;
+        }
         try {
             const body = await readBody(req);
             const signature = req.headers["x-hub-signature-256"];
@@ -89,7 +162,13 @@ export async function handleWebhookRequest(req, res, pathname) {
             }
             const event = req.headers["x-github-event"] || "unknown";
             const payload = JSON.parse(body);
-            debugLog(`[webhook] GitHub event: ${event}, repo: ${payload.repository?.full_name}`);
+            if (!payload.repository?.full_name || !validateRepoName(payload.repository.full_name)) {
+                res.writeHead(400, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ error: "Invalid repository name" }));
+                return true;
+            }
+            debugLog(`[webhook] GitHub event: ${event}, repo: ${payload.repository.full_name}`);
+            ddInfo("webhook.github.received", { event, repo: payload.repository.full_name });
             const result = await handleGitHubWebhook(event, payload, fetchFileFromGitHub);
             res.writeHead(200, { "Content-Type": "application/json" });
             res.end(JSON.stringify(result));
@@ -98,22 +177,27 @@ export async function handleWebhookRequest(req, res, pathname) {
             const msg = err instanceof Error ? err.message : String(err);
             debugLog(`[webhook] Error: ${msg}`);
             res.writeHead(500, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ ok: false, message: msg }));
+            res.end(JSON.stringify({ ok: false, message: "Internal error" }));
         }
         return true;
     }
     // ── Generic Ingest API (open interface) ────────────────────
     if (pathname === "/api/v1/prism/ingest" && req.method === "POST") {
+        const ip = req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket?.remoteAddress || "unknown";
+        if (!checkRateLimit(`ingest:${ip}`)) {
+            res.writeHead(429, { "Content-Type": "application/json", "Retry-After": "60" });
+            res.end(JSON.stringify({ error: "Rate limit exceeded" }));
+            return true;
+        }
         try {
-            const body = await readBody(req);
-            const payload = JSON.parse(body);
-            // Minimal auth: require API key or JWT in Authorization header
             const auth = req.headers["authorization"] || "";
-            if (!auth && WEBHOOK_SECRET) {
+            if (!verifyIngestAuth(auth)) {
                 res.writeHead(401, { "Content-Type": "application/json" });
-                res.end(JSON.stringify({ error: "Authorization required" }));
+                res.end(JSON.stringify({ error: "Invalid or missing API key" }));
                 return true;
             }
+            const body = await readBody(req);
+            const payload = JSON.parse(body);
             const { ingestKnowledge } = await import("../tools/ingestHandler.js");
             const result = await ingestKnowledge({
                 project: payload.project || "default",
@@ -128,7 +212,7 @@ export async function handleWebhookRequest(req, res, pathname) {
         catch (err) {
             const msg = err instanceof Error ? err.message : String(err);
             res.writeHead(500, { "Content-Type": "application/json" });
-            res.end(JSON.stringify({ ok: false, message: msg }));
+            res.end(JSON.stringify({ ok: false, message: "Internal error" }));
         }
         return true;
     }
@@ -139,14 +223,7 @@ export async function handleWebhookRequest(req, res, pathname) {
             status: "ready",
             secret_configured: !!WEBHOOK_SECRET,
             github_token_configured: !!GITHUB_TOKEN,
-            setup_instructions: {
-                step1: "Set GITHUB_WEBHOOK_SECRET environment variable",
-                step2: "In GitHub: Settings → Webhooks → Add webhook",
-                step3: "Payload URL: https://your-domain/api/github/webhook",
-                step4: "Content type: application/json",
-                step5: "Secret: (same as GITHUB_WEBHOOK_SECRET)",
-                step6: "Events: Just the push event",
-            },
+            ingest_key_configured: !!PRISM_INGEST_API_KEY,
         }));
         return true;
     }

package/dist/storage/configStorage.js

@@ -117,7 +117,7 @@ export async function setSetting(key, value) {
                 args: [key, value],
             });
             // Keep the cache in sync so getSettingSync() reflects the new value immediately.
-            if (settingsCache) {
+            if (settingsCache && typeof key === "string" && !["__proto__", "constructor", "prototype"].includes(key)) {
                 settingsCache[key] = value;
             }
             return; // Success — exit

package/dist/tools/commonHelpers.js

@@ -48,6 +48,8 @@ export function applySentinelBlock(existingContent, rulesBlock) {
 export function redactSettings(settings) {
     const redacted = {};
     for (const [k, v] of Object.entries(settings || {})) {
+        if (typeof k !== "string" || k === "__proto__" || k === "constructor" || k === "prototype")
+            continue;
         redacted[k] = REDACT_PATTERNS.some(p => p.test(k)) ? "**REDACTED**" : v;
     }
     return redacted;

package/dist/tools/ingestHandler.js

@@ -98,8 +98,20 @@ async function generateQAPairs(chunk, source) {
 export async function ingestKnowledge(args) {
     const { project, source_label, chunk_size = 4000, } = args;
     let content = args.content || "";
-    if (args.file_path && existsSync(args.file_path)) {
-        content = readFileSync(args.file_path, "utf-8");
+    if (args.file_path) {
+        const resolved = require("path").resolve(args.file_path);
+        const blocked = ["/etc", "/var", "/usr", "/sys", "/proc", "/dev", "/root",
+            "/.ssh", "/.env", "/.git/config", "/private/etc"].some(p => resolved.startsWith(p) || resolved.includes("/."));
+        if (blocked) {
+            return {
+                project, source: source_label || "unknown", chunks_processed: 0,
+                entries_created: 0, status: "failed",
+                errors: ["Path not allowed: system/hidden files are blocked"],
+            };
+        }
+        if (existsSync(resolved)) {
+            content = readFileSync(resolved, "utf-8");
+        }
     }
     if (!content || content.trim().length < 100) {
         return {

package/dist/tools/ledgerHandlers.js

@@ -1433,7 +1433,8 @@ export async function sessionExportMemoryHandler(args) {
             };
             // Serialize
             const ext = format === "markdown" ? "md" : format === "vault" ? "zip" : "json";
-            const filename = `prism-export-${project}-${dateSuffix}.${ext}`;
+            const safeProject = project.replace(/[^a-zA-Z0-9_-]/g, "_");
+            const filename = `prism-export-${safeProject}-${dateSuffix}.${ext}`;
             const outputPath = join(output_dir, filename);
             let content;
             if (format === "vault") {

package/dist/tools/skillRouting.js

@@ -29,7 +29,7 @@ let cached = null;
 let inflight = null;
 async function fetchOnce() {
     try {
-        const res = await fetch(`${SYNALUX_BASE}/api/v1/skills/routing`, {
+        const res = await fetch(`${SYNALUX_BASE}/.well-known/prism/skills-routing.json`, {
             headers: { Accept: 'application/json' },
             // Routing is on every session_load_context, must not block long.
             signal: AbortSignal.timeout(2_500),

package/dist/utils/ddLogger.js

@@ -0,0 +1,74 @@
+/**
+ * Datadog Server-Side Logger
+ *
+ * Sends structured logs to Datadog HTTP Logs API.
+ * No agent needed — direct HTTPS POST to intake.
+ *
+ * Env: DD_API_KEY, DD_SITE (default datadoghq.com)
+ */
+const DD_API_KEY = process.env.DD_API_KEY || "";
+const DD_SITE = process.env.DD_SITE || "datadoghq.com";
+const SERVICE = "prism-mcp";
+const INTAKE_URL = `https://http-intake.logs.${DD_SITE}/api/v2/logs`;
+const queue = [];
+let flushTimer = null;
+const FLUSH_INTERVAL_MS = 5_000;
+const MAX_BATCH = 50;
+function scheduleFlush() {
+    if (flushTimer)
+        return;
+    flushTimer = setTimeout(flush, FLUSH_INTERVAL_MS);
+}
+async function flush() {
+    flushTimer = null;
+    if (queue.length === 0 || !DD_API_KEY)
+        return;
+    const batch = queue.splice(0, MAX_BATCH);
+    try {
+        await fetch(INTAKE_URL, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "DD-API-KEY": DD_API_KEY,
+            },
+            body: JSON.stringify(batch),
+            signal: AbortSignal.timeout(5_000),
+        });
+    }
+    catch {
+        // Silent — don't crash the app if DD is unreachable
+    }
+    if (queue.length > 0)
+        scheduleFlush();
+}
+export function ddLog(level, message, context) {
+    if (!DD_API_KEY)
+        return;
+    queue.push({
+        ddsource: "nodejs",
+        ddtags: `env:${process.env.NODE_ENV || "development"},service:${SERVICE}`,
+        hostname: process.env.HOSTNAME || "prism-mcp",
+        service: SERVICE,
+        status: level,
+        message,
+        ...context,
+        timestamp: new Date().toISOString(),
+    });
+    scheduleFlush();
+}
+export function ddError(message, error, context) {
+    ddLog("error", message, {
+        ...context,
+        error: error ? {
+            message: error.message,
+            stack: error.stack?.split("\n").slice(0, 5).join("\n"),
+            name: error.name,
+        } : undefined,
+    });
+}
+export function ddInfo(message, context) {
+    ddLog("info", message, context);
+}
+export function ddWarn(message, context) {
+    ddLog("warn", message, context);
+}

package/dist/utils/logger.js

@@ -1,12 +1,21 @@
 import { PRISM_DEBUG_LOGGING } from "../config.js";
+/**
+ * Sanitize a string for safe logging — strips control characters,
+ * newlines, and ANSI escape sequences that could be used for log
+ * injection or terminal escape attacks.
+ */
+function sanitizeForLog(msg) {
+    return msg
+        .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, "") // control chars (keep \n \r \t)
+        .replace(/\r?\n/g, " ⏎ ") // newlines → visible marker
+        .replace(/\x1b\[[0-9;]*[a-zA-Z]/g, ""); // ANSI escape sequences
+}
 /**
  * Logs a message to stderr only if PRISM_DEBUG_LOGGING is true.
- * Use this for verbose traces (e.g., initialization, request tracking)
- * that should be hidden from users by default but remain available
- * for troubleshooting.
+ * Input is sanitized to prevent log injection attacks.
  */
 export function debugLog(message) {
     if (PRISM_DEBUG_LOGGING) {
-        console.error(message);
+        console.error(sanitizeForLog(message));
     }
 }

package/dist/utils/notifier.js

@@ -47,6 +47,58 @@ function meetsMinSeverity(severity) {
         SEVERITY_ORDER.indexOf(currentConfig.minSeverity));
 }
 // ─── SSRF Protection ─────────────────────────────────────────
+function isPrivateIP(ip) {
+    // Normalize: strip brackets for IPv6
+    const clean = ip.replace(/^\[|\]$/g, "").toLowerCase();
+    // IPv6 loopback and unspecified
+    if (clean === "::1" || clean === "::" || clean === "0:0:0:0:0:0:0:1" || clean === "0:0:0:0:0:0:0:0")
+        return true;
+    // IPv4-mapped IPv6 — two forms:
+    // Dotted: ::ffff:127.0.0.1 → extract IPv4 directly
+    // Hex:    ::ffff:7f00:1 (Node normalizes dotted to this) → decode hex groups
+    const v4mapped = clean.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+    const v4hex = clean.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
+    let ipv4 = clean;
+    if (v4mapped) {
+        ipv4 = v4mapped[1];
+    }
+    else if (v4hex) {
+        const hi = parseInt(v4hex[1], 16);
+        const lo = parseInt(v4hex[2], 16);
+        ipv4 = `${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`;
+    }
+    // Parse as IPv4 — handles decimal, but reject octal/hex by requiring standard dotted-quad
+    const parts = ipv4.split(".");
+    if (parts.length === 4) {
+        const nums = parts.map(p => {
+            if (!/^\d{1,3}$/.test(p))
+                return -1;
+            return parseInt(p, 10);
+        });
+        if (nums.every(n => n >= 0 && n <= 255)) {
+            const [a, b] = nums;
+            if (a === 0)
+                return true; // 0.0.0.0/8
+            if (a === 10)
+                return true; // 10.0.0.0/8
+            if (a === 127)
+                return true; // 127.0.0.0/8 (all loopback)
+            if (a === 172 && b >= 16 && b <= 31)
+                return true; // 172.16.0.0/12
+            if (a === 192 && b === 168)
+                return true; // 192.168.0.0/16
+            if (a === 169 && b === 254)
+                return true; // 169.254.0.0/16 link-local
+            if (a === 100 && b >= 64 && b <= 127)
+                return true; // 100.64.0.0/10 CGNAT
+        }
+    }
+    // Reject non-standard IP formats (octal 0177.0.0.1, hex 0x7f000001, decimal 2130706433)
+    // If it looks like a number or has 0x/0 prefix, block it
+    if (/^0x[0-9a-f]+$/i.test(clean) || /^0\d+$/.test(clean) || /^\d{4,}$/.test(clean))
+        return true;
+    return false;
+}
 function isAllowedUrl(url) {
     try {
         const parsed = new URL(url);
@@ -54,32 +106,22 @@ function isAllowedUrl(url) {
         if (parsed.protocol !== "http:" && parsed.protocol !== "https:")
             return false;
         const hostname = parsed.hostname.toLowerCase();
-        // Block localhost and loopback
-        if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]")
+        // Block localhost variants
+        if (hostname === "localhost" || hostname === "localhost.localdomain")
             return false;
-        // Block .internal and .local TLDs
-        if (hostname.endsWith(".internal") || hostname.endsWith(".local"))
+        // Block .internal, .local, .arpa TLDs
+        if (hostname.endsWith(".internal") || hostname.endsWith(".local") || hostname.endsWith(".arpa"))
+            return false;
+        // Block private/loopback IPs (covers 0.0.0.0, 127.x, 10.x, 172.16-31.x, 192.168.x, ::1, etc.)
+        if (isPrivateIP(hostname))
+            return false;
+        // Block bracketed IPv6
+        if (hostname.startsWith("[") && isPrivateIP(hostname))
             return false;
-        // Block private IP ranges
-        const ipParts = hostname.split(".").map(Number);
-        if (ipParts.length === 4 && ipParts.every(p => Number.isFinite(p))) {
-            // 10.0.0.0/8
-            if (ipParts[0] === 10)
-                return false;
-            // 172.16.0.0/12
-            if (ipParts[0] === 172 && ipParts[1] >= 16 && ipParts[1] <= 31)
-                return false;
-            // 192.168.0.0/16
-            if (ipParts[0] === 192 && ipParts[1] === 168)
-                return false;
-            // 169.254.0.0/16 (link-local)
-            if (ipParts[0] === 169 && ipParts[1] === 254)
-                return false;
-        }
         return true;
     }
     catch {
-        return false; // Malformed URL
+        return false;
     }
 }
 // ─── Channel Senders ─────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "prism-mcp-server",
-  "version": "15.7.2",
+  "version": "15.7.4",
   "mcpName": "io.github.dcostenco/prism-coder",
   "description": "Prism Coder — Cognitive memory + tool-calling intelligence for AI agents. Mind Palace persistent memory (BFCL Gold Certified, 100% Tool-Call Accuracy, 54 Agent Skills, Zero-Search HDC/HRR retrieval, HIPAA-hardened local-first storage, SLERP-optimized GRPO alignment) plus the prism-coder:7b / 14b open-weights LLM fleet.",
   "module": "index.ts",