prism-mcp-server 17.0.0 → 17.1.0

package/dist/utils/phiGuard.js

@@ -0,0 +1,88 @@
+/**
+ * PHI Guard — detect and redact Protected Health Information before storage/logging.
+ *
+ * HIPAA §164.502: PHI must not be disclosed except as permitted.
+ * This module scans text for common PHI patterns (SSN, DOB, MRN, phone,
+ * email, patient names in clinical context) and redacts them.
+ *
+ * Detection events are logged to stderr (picked up by DD agent) with
+ * the pattern type and character position — never the actual PHI value.
+ *
+ * Usage:
+ *   import { scanAndRedactPHI, hasPHI } from './phiGuard.js';
+ *   const { redacted, detections } = scanAndRedactPHI(userText);
+ *   // `redacted` is safe to store/log; `detections` lists what was found
+ */
+// Patterns ordered by specificity (most specific first)
+const PHI_PATTERNS = [
+    // SSN: 123-45-6789 or 123456789
+    { name: 'SSN', regex: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: '[SSN-REDACTED]' },
+    { name: 'SSN', regex: /\b\d{9}\b(?=\s|$|[,.])/g, replacement: '[SSN-REDACTED]' },
+    // Date of birth patterns: DOB: 01/15/1990, born 1990-01-15, birthday 01/15/90
+    { name: 'DOB', regex: /\b(?:dob|date\s*of\s*birth|born|birthday)\s*[:=]?\s*\d{1,2}[/\-]\d{1,2}[/\-]\d{2,4}\b/gi, replacement: '[DOB-REDACTED]' },
+    { name: 'DOB', regex: /\b(?:dob|date\s*of\s*birth|born|birthday)\s*[:=]?\s*\d{4}[/\-]\d{1,2}[/\-]\d{1,2}\b/gi, replacement: '[DOB-REDACTED]' },
+    // Medical Record Number: MRN: 12345678, MRN#12345
+    { name: 'MRN', regex: /\b(?:mrn|medical\s*record)\s*[#:=]?\s*\d{4,12}\b/gi, replacement: '[MRN-REDACTED]' },
+    // US Phone: (301) 433-1943, 301-433-1943, +1-301-433-1943
+    { name: 'PHONE', regex: /\b(?:\+?1[-.]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, replacement: '[PHONE-REDACTED]' },
+    // Email in clinical context: patient email, client email
+    { name: 'EMAIL', regex: /\b(?:patient|client|parent|caregiver)\s*(?:email|e-mail)\s*[:=]?\s*[\w.+-]+@[\w.-]+\.\w{2,}\b/gi, replacement: '[EMAIL-REDACTED]' },
+    // Patient/client name patterns: "Patient: John Doe", "Client Name: Jane Smith"
+    { name: 'PATIENT_NAME', regex: /\b(?:patient|client)\s*(?:name)?\s*[:=]\s*[A-Z][a-z]+\s+[A-Z][a-z]+/gi, replacement: '[NAME-REDACTED]' },
+    // Insurance ID: Ins#, Policy#, Member ID
+    { name: 'INSURANCE_ID', regex: /\b(?:ins(?:urance)?|policy|member)\s*(?:id|#|number)\s*[:=]?\s*[A-Z0-9]{6,20}\b/gi, replacement: '[INSURANCE-REDACTED]' },
+    // Diagnosis codes in patient context: "diagnosed with F84.0", "ICD: F32.1"
+    { name: 'DIAGNOSIS', regex: /\b(?:diagnos\w*|icd|dx)\s*(?:[:=]|with)?\s*[A-Z]\d{2}(?:\.\d{1,2})?\b/gi, replacement: '[DX-REDACTED]' },
+];
+/**
+ * Scan text for PHI patterns and return redacted version + detection list.
+ * Never logs or stores the actual PHI values — only type + position.
+ */
+export function scanAndRedactPHI(text) {
+    if (typeof text !== 'string' || !text) {
+        return { redacted: text || '', detections: [], hasPHI: false };
+    }
+    const detections = [];
+    let redacted = text;
+    for (const { name, regex, replacement } of PHI_PATTERNS) {
+        // Reset regex state for global patterns
+        regex.lastIndex = 0;
+        let match;
+        while ((match = regex.exec(text)) !== null) {
+            detections.push({
+                type: name,
+                position: match.index,
+                length: match[0].length,
+            });
+        }
+        redacted = redacted.replace(regex, replacement);
+    }
+    if (detections.length > 0) {
+        // Log detection event — type + count only, NEVER the actual value
+        const summary = detections.reduce((acc, d) => {
+            acc[d.type] = (acc[d.type] || 0) + 1;
+            return acc;
+        }, {});
+        const summaryStr = Object.entries(summary).map(([k, v]) => `${k}=${v}`).join(' ');
+        console.error(`[PHI-GUARD] Detected and redacted PHI: ${summaryStr}`);
+    }
+    return {
+        redacted,
+        detections,
+        hasPHI: detections.length > 0,
+    };
+}
+/**
+ * Quick check — does the text contain PHI patterns?
+ * Faster than full redaction when you only need a boolean.
+ */
+export function hasPHI(text) {
+    if (typeof text !== 'string' || !text)
+        return false;
+    for (const { regex } of PHI_PATTERNS) {
+        regex.lastIndex = 0;
+        if (regex.test(text))
+            return true;
+    }
+    return false;
+}

package/dist/utils/synaluxSearch.js

@@ -0,0 +1,195 @@
+/**
+ * Synalux Portal Search & Scrape Client
+ * ─────────────────────────────────────────────────────────────
+ * Routes web search and scrape calls through the Synalux portal
+ * so API keys (Brave, Firecrawl, etc.) live server-side. The
+ * portal endpoints:
+ *
+ *   POST /api/v1/prism/search  — { query, limit? }
+ *        returns { status, results: [{title, url, description}], source }
+ *
+ *   POST /api/v1/prism/scrape  — { url, formats?, onlyMainContent?, waitFor? }
+ *        returns { status, content }
+ *
+ * Auth uses the shared JWT exchange from synaluxJwt.ts (same
+ * refresh-token dance as SynaluxStorage, but without requiring
+ * the full storage class). Falls back gracefully: callers check
+ * SYNALUX_SEARCH_AVAILABLE before calling.
+ */
+import { debugLog } from "./logger.js";
+import { getSynaluxJwt, invalidateSynaluxJwt } from "./synaluxJwt.js";
+import { PRISM_SYNALUX_BASE_URL, SYNALUX_CONFIGURED, } from "../config.js";
+// ─── Public availability flag ────────────────────────────────
+/** True when Synalux portal credentials are configured. */
+export const SYNALUX_SEARCH_AVAILABLE = SYNALUX_CONFIGURED;
+// ─── Internal helpers ────────────────────────────────────────
+/**
+ * POST to a portal endpoint with JWT auth. Retries once on 401
+ * (JWT may have just expired). Throws on network or HTTP errors.
+ */
+async function portalPost(path, body, timeoutMs = 15_000) {
+    const baseUrl = PRISM_SYNALUX_BASE_URL.replace(/\/+$/, "");
+    const url = `${baseUrl}${path}`;
+    const send = async (jwt) => {
+        return fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${jwt}`,
+                "X-Prism-Client": "prism-mcp-search",
+            },
+            body: JSON.stringify(body),
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+    };
+    let jwt = await getSynaluxJwt();
+    if (!jwt) {
+        throw new Error("[synaluxSearch] JWT exchange failed — no token available");
+    }
+    let res = await send(jwt);
+    // Retry once on 401 (stale JWT)
+    if (res.status === 401) {
+        debugLog("[synaluxSearch] 401 on first attempt, re-exchanging JWT");
+        invalidateSynaluxJwt();
+        jwt = await getSynaluxJwt();
+        if (!jwt) {
+            throw new Error("[synaluxSearch] JWT re-exchange failed after 401");
+        }
+        res = await send(jwt);
+    }
+    if (!res.ok) {
+        const text = await res.text().catch(() => "(no body)");
+        throw new Error(`[synaluxSearch] ${path} HTTP ${res.status}: ${text}`);
+    }
+    return (await res.json());
+}
+// ─── Public API ──────────────────────────────────────────────
+/**
+ * Web search via Synalux portal. Returns formatted text matching
+ * the shape of performWebSearch() in braveApi.ts.
+ */
+export async function synaluxWebSearch(query, count = 10) {
+    debugLog(`[synaluxSearch] web search: q="${query}", limit=${count}`);
+    const data = await portalPost("/api/v1/prism/search", {
+        query,
+        limit: Math.min(count, 20),
+    });
+    if (data.status === "error") {
+        throw new Error(`[synaluxSearch] portal error: ${data.error || "unknown"}`);
+    }
+    const results = (data.results || []).map((r) => ({
+        title: r.title || "",
+        description: r.description || "",
+        url: r.url || "",
+    }));
+    debugLog(`[synaluxSearch] got ${results.length} results (source=${data.source || "portal"})`);
+    return results
+        .map((r) => `Title: ${r.title}\nDescription: ${r.description}\nURL: ${r.url}`)
+        .join("\n\n");
+}
+/**
+ * Web search via Synalux portal — returns raw JSON string.
+ * Used by code-mode handlers that pass raw data to the QuickJS sandbox.
+ */
+export async function synaluxWebSearchRaw(query, count = 10) {
+    debugLog(`[synaluxSearch] web search raw: q="${query}", limit=${count}`);
+    const data = await portalPost("/api/v1/prism/search", {
+        query,
+        limit: Math.min(count, 20),
+    });
+    if (data.status === "error") {
+        throw new Error(`[synaluxSearch] portal error: ${data.error || "unknown"}`);
+    }
+    // Re-shape into the Brave-compatible format that code-mode handlers expect
+    const braveCompatible = {
+        web: {
+            results: (data.results || []).map((r) => ({
+                title: r.title || "",
+                description: r.description || "",
+                url: r.url || "",
+            })),
+        },
+    };
+    debugLog(`[synaluxSearch] raw: ${braveCompatible.web.results.length} results`);
+    return JSON.stringify(braveCompatible);
+}
+/**
+ * Local/POI search via Synalux portal.
+ * Returns formatted text matching performLocalSearch() shape.
+ */
+export async function synaluxLocalSearch(query, count = 5) {
+    debugLog(`[synaluxSearch] local search: q="${query}", count=${count}`);
+    const data = await portalPost("/api/v1/prism/local-search", {
+        query,
+        count: Math.min(count, 20),
+    });
+    if (data.status === "error") {
+        throw new Error(`[synaluxSearch] portal error: ${data.error || "unknown"}`);
+    }
+    const results = data.results || [];
+    debugLog(`[synaluxSearch] local: got ${results.length} results`);
+    return results
+        .map((r) => `Name: ${r.name || "N/A"}\nAddress: ${r.address || "N/A"}\nPhone: ${r.phone || "N/A"}\nRating: ${r.rating || "N/A"}\nHours: ${r.hours || "N/A"}\nDescription: ${r.description || "No description available"}`)
+        .join("\n---\n");
+}
+/**
+ * Local/POI search raw — returns JSON string for code-mode sandbox.
+ */
+export async function synaluxLocalSearchRaw(query, count = 5) {
+    debugLog(`[synaluxSearch] local search raw: q="${query}", count=${count}`);
+    const data = await portalPost("/api/v1/prism/local-search", {
+        query,
+        count: Math.min(count, 20),
+    });
+    if (data.status === "error") {
+        throw new Error(`[synaluxSearch] portal error: ${data.error || "unknown"}`);
+    }
+    const results = data.results || [];
+    debugLog(`[synaluxSearch] local raw: ${results.length} results`);
+    // Build envelope compatible with code-mode sandbox expectations
+    const envelope = {
+        source: "local",
+        query,
+        count,
+        poisData: { results },
+        descriptionsData: {
+            descriptions: Object.fromEntries(results.map((r, i) => [String(i), r.description || ""])),
+        },
+    };
+    return JSON.stringify(envelope);
+}
+/**
+ * AI-grounded answers via Synalux portal.
+ */
+export async function synaluxBraveAnswers(query, model) {
+    debugLog(`[synaluxSearch] answers: q="${query}", model=${model || "default"}`);
+    const body = { query };
+    if (model)
+        body.model = model;
+    const data = await portalPost("/api/v1/prism/answers", body);
+    if (data.status === "error") {
+        throw new Error(`[synaluxSearch] portal error: ${data.error || "unknown"}`);
+    }
+    if (!data.answer) {
+        throw new Error("[synaluxSearch] answers endpoint returned empty answer");
+    }
+    return data.answer;
+}
+/**
+ * Scrape a URL via Synalux portal. Returns the extracted content string.
+ */
+export async function synaluxScrape(url, options) {
+    debugLog(`[synaluxSearch] scrape: url="${url}"`);
+    const body = { url };
+    if (options?.formats)
+        body.formats = options.formats;
+    if (options?.onlyMainContent !== undefined)
+        body.onlyMainContent = options.onlyMainContent;
+    if (options?.waitFor !== undefined)
+        body.waitFor = options.waitFor;
+    const data = await portalPost("/api/v1/prism/scrape", body);
+    if (data.status === "error") {
+        throw new Error(`[synaluxSearch] scrape error: ${data.error || "unknown"}`);
+    }
+    return data.content || "";
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "prism-mcp-server",
-  "version": "17.0.0",
+  "version": "17.1.0",
   "mcpName": "io.github.dcostenco/prism-coder",
-  "description": "Prism Coder — Cognitive memory + tool-calling intelligence for AI agents. Mind Palace persistent memory (BFCL Gold Certified, 100% Tool-Call Accuracy, 54 Agent Skills, Zero-Search HDC/HRR retrieval, HRR Semantic Drift Detection across BCBA/Coding/AAC domains, HIPAA-hardened local-first storage, SLERP-optimized GRPO alignment) plus the prism-coder:7b / 14b open-weights LLM fleet.",
+  "description": "Prism Coder — Cognitive memory + tool-calling intelligence for AI agents. Mind Palace persistent memory (BFCL Gold Certified, 100% Tool-Call Accuracy, 114 Agent Skills, Zero-Search HDC/HRR retrieval, HRR Semantic Drift Detection across BCBA/Coding/AAC domains, HIPAA-hardened local-first storage, SLERP-optimized GRPO alignment) plus the prism-coder:7b / 14b open-weights LLM fleet.",
   "module": "index.ts",
   "type": "module",
   "main": "dist/server.js",