prism-mcp-server 19.2.2 → 19.2.5

package/README.md

@@ -93,7 +93,7 @@ Every `prism_infer` call tracks which model handled it (local Ollama vs cloud) a
     synalux-27b: 2 calls, 1,500 tokens, avg 1,100ms
 ```
 
-Local calls use actual Ollama token counts; cloud calls use estimates. Metrics are aggregated by the Synalux portal — Prism is a thin client that forwards per-call data and fetches the summary on demand.
+Local calls use actual Ollama token counts (`prompt_eval_count` / `eval_count` from Ollama); cloud calls use char/4 estimates. Metrics are tracked locally — no portal dependency, no env vars, works offline. Per-call data is also forwarded to the Synalux portal as best-effort analytics (independent of the display).
 
 ### Session Drift Detection
 
@@ -363,7 +363,7 @@ All on-device models are free to run locally via Ollama on every tier. A subscri
 | Cloud Coder (Web IDE) | -- | 100/day | 1,000/day | 100,000/day |
 | Cloud search | -- | 50/day | 500/day | 100,000/day |
 | Max output tokens | 512 | 1,024 | 2,048 | 4,096 |
-| Cloud fallback | -- | Claude Sonnet 4 | Claude Sonnet 4 | Priority + Sonnet 4 |
+| Cloud fallback | -- | Claude Opus 4.7 | Claude Opus 4.7 | Priority + Opus 4.7 |
 | Grounding verifier (fact-check AI output) | -- | ✅ | ✅ | ✅ |
 | Memory sync (cloud) | -- | ✅ | ✅ | ✅ |
 | Knowledge / session memory | limited | unlimited | unlimited | unlimited |
@@ -389,6 +389,7 @@ Prism exposes 40+ MCP tools. The core memory loop:
 | `verify_behavior` | Pre-edit scenario challenge — catch bad changes before they happen |
 | `knowledge_ingest` | Teach Prism a codebase or document |
 | `prism_infer` | Local-first inference (route/chat/code modes, thinking, cloud escalation) |
+| `inference_metrics` | Session delegation stats on demand (call count, tokens, local/cloud split) |
 
 ### `prism_infer` — local-first inference with cloud escalation
 
@@ -411,6 +412,40 @@ prism_infer({
 
 Full TypeScript signatures live in [`src/tools/`](src/tools/); architecture in [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md).
 
+### `inference_metrics` — see your local-model usage on demand
+
+Call `inference_metrics` anytime mid-session to see how many `prism_infer` calls ran locally vs cloud, with actual token counts:
+
+```
+📊 Inference Metrics — local-model delegation (this session):
+  Total calls: 5 — Local: 5 (100%) | Cloud: 0 (0%)
+  Tokens: 1,240 in + 380 out = 1,620 total
+  Avg latency: 420ms
+  By model:
+    prism-coder:27b: 3 calls, 1,100 tokens, avg 520ms
+    prism-coder:9b: 2 calls, 520 tokens, avg 270ms
+```
+
+The same block also appears automatically in `session_save_ledger` and `session_save_handoff` responses at session end.
+
+**Note:** This tracks `prism_infer` delegation only — not your host model's (Claude's) own token spend. For that, use Claude Code's `/cost` command.
+
+### Local-model delegation (opt-in)
+
+By default, your AI agent (Claude, Cursor, etc.) handles everything itself. You can optionally enable delegation so the agent offloads cheap, verifiable sub-tasks to local Ollama models at $0:
+
+```bash
+# Enable via Prism config
+prism config set delegation_enabled true
+```
+
+When enabled, the agent's task router may delegate qualifying work — bulk classification, field extraction, mechanical formatting — to `prism_infer` instead of using cloud tokens. The agent always verifies the result and redoes it itself if quality is degraded.
+
+**Guardrails:**
+- **Off by default** — enforced in code, not just convention
+- **Never delegates:** code/text that ships to the user, security/safety logic, planning/reasoning, anything where a silent quality drop isn't obvious
+- **Always verifies:** checks `quality_gate_failed` and `used_cloud` before trusting local output
+
 <details>
 <summary>How Prism survives context compaction</summary>
 
@@ -553,6 +588,7 @@ Routing is automatic: `9b → 4b → cloud fallback` on desktop/server, `2b →
 | `PRISM_SYNALUX_API_KEY` | Paid-tier portal key (`synalux_sk_...`) | -- (local if unset) |
 | `LOCAL_LLM_URL` | Ollama endpoint | `http://localhost:11434` |
 | `PRISM_FORCE_LOCAL` | Force local SQLite regardless of credentials | `false` |
+| `TELEMETRY_WRITE_TOKEN` | Portal analytics token (optional — metrics display works without it) | -- |
 
 With no variables set, Prism runs fully local. Set `PRISM_SYNALUX_API_KEY` (and leave `PRISM_STORAGE=auto`) to use the cloud backend.
 
@@ -561,11 +597,11 @@ With no variables set, Prism runs fully local. Set `PRISM_SYNALUX_API_KEY` (and
 ## Testing
 
 ```bash
-npm test                 # full suite (vitest)
+npm test                 # full suite (vitest) — 95 files, 2841 tests
 npm test -- --coverage   # coverage report
 ```
 
-Coverage spans HRR retrieval, knowledge ingestion, the inference cascade and grounding verifier, compaction, the model picker, and storage round-trips.
+Coverage spans HRR retrieval, knowledge ingestion, the inference cascade and grounding verifier, inference metrics, telemetry allowlist, delegation gate, compaction, the model picker, and storage round-trips.
 
 ---
 

package/dist/server.js

@@ -79,6 +79,7 @@ import { sanitizeMcpOutput } from "./utils/sanitizer.js";
 import { getTracer, initTelemetry } from "./utils/telemetry.js";
 import { context as otelContext, trace, SpanStatusCode } from "@opentelemetry/api";
 import { ddInfo, ddError as ddLogError } from "./utils/ddLogger.js";
+import { inferenceMetricsHandler } from "./utils/inferenceMetrics.js";
 // ─── Import Tool Definitions (schemas) and Handlers (implementations) ─────
 import { WEB_SEARCH_TOOL, BRAVE_WEB_SEARCH_CODE_MODE_TOOL, LOCAL_SEARCH_TOOL, BRAVE_LOCAL_SEARCH_CODE_MODE_TOOL, CODE_MODE_TRANSFORM_TOOL, BRAVE_ANSWERS_TOOL, RESEARCH_PAPER_ANALYSIS_TOOL, webSearchHandler, braveWebSearchCodeModeHandler, localSearchHandler, braveLocalSearchCodeModeHandler, codeModeTransformHandler, braveAnswersHandler, researchPaperAnalysisHandler, } from "./tools/index.js";
 // Session memory tools — only used if Supabase is configured
@@ -112,7 +113,9 @@ VERIFY_BEHAVIOR_TOOL, isVerifyBehaviorArgs,
 // v12: Developer Onboarding & Enterprise Observability
 ONBOARDING_WIZARD_TOOL, EXTRACT_ENTITIES_TOOL, API_ANALYTICS_TOOL, BACKUP_DATABASE_TOOL, CONFIGURE_NOTIFICATIONS_TOOL, QUERY_MEMORY_NATURAL_TOOL, 
 // v15.5: Knowledge Ingestion
-KNOWLEDGE_INGEST_TOOL, sessionSaveLedgerHandler, sessionSaveHandoffHandler, sessionLoadContextHandler, knowledgeSearchHandler, knowledgeForgetHandler, 
+KNOWLEDGE_INGEST_TOOL, 
+// v19.2: Inference Metrics
+INFERENCE_METRICS_TOOL, sessionSaveLedgerHandler, sessionSaveHandoffHandler, sessionLoadContextHandler, knowledgeSearchHandler, knowledgeForgetHandler, 
 // ─── v0.4.0: New tool handlers ───
 compactLedgerHandler, sessionSearchMemoryHandler, backfillEmbeddingsHandler, sessionBackfillLinksHandler, sessionSynthesizeEdgesHandler, sessionCognitiveRouteHandler, 
 // ─── v2.0: Time Travel handlers ───
@@ -246,6 +249,8 @@ function buildSessionMemoryTools(autoloadList) {
         QUERY_MEMORY_NATURAL_TOOL, // query_memory_natural — NL → structured memory search
         // ─── v15.5: Knowledge Ingestion ───
         KNOWLEDGE_INGEST_TOOL, // knowledge_ingest — chunk code, gen Q&A, store in graph
+        // ─── v19.2: Inference Metrics ───
+        INFERENCE_METRICS_TOOL, // inference_metrics — read-only session delegation stats
     ];
 }
 // ─── v0.4.0: Resource Subscription Tracking ──────────────────────
@@ -960,6 +965,9 @@ export function createServer() {
                             throw new Error("Session memory not configured.");
                         result = await knowledgeIngestHandler(args);
                         break;
+                    case "inference_metrics":
+                        result = await inferenceMetricsHandler();
+                        break;
                     default:
                         result = {
                             content: [{ type: "text", text: `Unknown tool: ${name}` }],

package/dist/tools/index.js

@@ -63,6 +63,7 @@ export { verifyBehaviorHandler } from "./behavioralVerifierHandler.js";
 // Chunks source code, generates Q&A via Claude Haiku, stores in knowledge graph.
 // Three entry points: MCP tool, REST API, GitHub webhook.
 export { KNOWLEDGE_INGEST_TOOL } from "./ingestDefinitions.js";
+export { INFERENCE_METRICS_TOOL } from "./sessionMemoryDefinitions.js";
 export { knowledgeIngestHandler, handleGitHubWebhook, ingestKnowledge, isIngestArgs } from "./ingestHandler.js";
 // ── v15.4: prism_infer — local-first inference (RAM-gated cascade) ──
 // Always available. Saves caller's cloud tokens by routing to local

package/dist/tools/ledgerHandlers.js

@@ -40,8 +40,8 @@ isSessionForgetMemoryArgs, // v3.1: TTL retention policy type guard
 isSessionSaveExperienceArgs, isSessionExportMemoryArgs, normalizeExportFormat, isSessionSaveImageArgs, isSessionViewImageArgs } from "./sessionMemoryDefinitions.js";
 // v4.2: File system access for knowledge_sync_rules
 import { writeFile } from "node:fs/promises";
-import { existsSync } from "node:fs";
-import { join } from "node:path";
+import { existsSync, realpathSync, mkdirSync } from "node:fs";
+import { join, sep } from "node:path";
 // v3.1: In-memory debounce lock for auto-compaction.
 // Prevents multiple concurrent Gemini compaction tasks for the same project
 // when many agents call session_save_ledger at the same time.
@@ -1448,7 +1448,13 @@ export async function sessionExportMemoryHandler(args) {
     // to select the correct .obsidian/.logseq sidecar config.
     const requestedFormat = rawFormat;
     const format = normalizeExportFormat(rawFormat);
-    // Validate output directory
+    // Validate output directory — path traversal confinement (v4.3 security)
+    const homeDir = process.env.HOME || process.env.USERPROFILE || "/tmp";
+    const defaultExportDir = join(homeDir, ".prism-mcp", "exports");
+    // Create default export directory if it doesn't exist
+    if (!existsSync(defaultExportDir)) {
+        mkdirSync(defaultExportDir, { recursive: true });
+    }
     if (!existsSync(output_dir)) {
         return {
             content: [{
@@ -1458,6 +1464,72 @@ export async function sessionExportMemoryHandler(args) {
             isError: true,
         };
     }
+    // Resolve symlinks and ".." to get the canonical path
+    const resolvedDir = realpathSync(output_dir);
+    // Build allow-list of safe export roots
+    const allowedRoots = [
+        defaultExportDir,
+        process.cwd(),
+    ];
+    // Scratch root under tmp — but NOT the world-writable tmp root itself.
+    // os.tmpdir() (typically /tmp, mode 1777) is readable and writable by every
+    // local principal: allowing it as an export root would (a) leak unredacted
+    // ledger/handoff contents to other users and (b) let a co-resident attacker
+    // pre-plant a symlink at the predictable export filename and have writeFile
+    // follow it (arbitrary-file overwrite). Confine to an owner-only subdir.
+    const tmpExportDir = join(os.tmpdir(), ".prism-mcp", "exports");
+    if (!existsSync(tmpExportDir)) {
+        mkdirSync(tmpExportDir, { recursive: true, mode: 0o700 });
+    }
+    allowedRoots.push(realpathSync(tmpExportDir));
+    if (process.env.PRISM_EXPORT_ROOT) {
+        const exportRoot = process.env.PRISM_EXPORT_ROOT;
+        if (existsSync(exportRoot)) {
+            allowedRoots.push(realpathSync(exportRoot));
+        }
+    }
+    // Reject sensitive directories (resolve each so macOS /etc → /private/etc matches)
+    const sensitiveRoots = [
+        join(homeDir, ".ssh"),
+        join(homeDir, ".gnupg"),
+        "/etc",
+        "/var",
+        "/etc/cron.d",
+        "/etc/cron.daily",
+        "/etc/sudoers.d",
+    ].map(p => existsSync(p) ? realpathSync(p) : p);
+    // Check allow-list first — explicitly configured roots take precedence
+    const isAllowedRoot = (dir) => allowedRoots.some((root) => {
+        const resolvedRoot = existsSync(root) ? realpathSync(root) : root;
+        return dir === resolvedRoot || dir.startsWith(resolvedRoot + sep);
+    });
+    for (const sensitive of sensitiveRoots) {
+        if (resolvedDir === sensitive || resolvedDir.startsWith(sensitive + sep)) {
+            // Allow explicitly configured roots even under sensitive parents
+            // (e.g. tmpExportDir under /private/var on macOS, or PRISM_EXPORT_ROOT)
+            if (!isAllowedRoot(resolvedDir)) {
+                return {
+                    content: [{
+                            type: "text",
+                            text: `Error: output_dir resolves to a sensitive system directory ("${resolvedDir}"). Export denied.`,
+                        }],
+                    isError: true,
+                };
+            }
+        }
+    }
+    // Verify resolved path falls under an allowed root
+    if (!isAllowedRoot(resolvedDir)) {
+        return {
+            content: [{
+                    type: "text",
+                    text: `Error: output_dir "${resolvedDir}" is outside allowed export roots. ` +
+                        `Allowed: ${allowedRoots.join(", ")}. ` +
+                        `Set PRISM_EXPORT_ROOT env var to add a custom root.`,
+                }],
+            isError: true,
+        };
+    }
     const storage = await getStorage();
     const exportedFiles = [];
     try {
@@ -1527,14 +1599,27 @@ export async function sessionExportMemoryHandler(args) {
             else {
                 content = JSON.stringify(exportPayload, null, 2);
             }
-            if (format === "vault") {
-                await writeFile(outputPath, content);
+            // Exclusive create (flag: "wx") refuses to write if the path already
+            // exists — including a symlink pre-planted at the predictable export
+            // name. On a genuine collision fall back to a timestamped unique name.
+            let finalPath = outputPath;
+            try {
+                await writeFile(finalPath, content, { flag: "wx" });
             }
-            else {
-                await writeFile(outputPath, content, "utf-8");
+            catch (e) {
+                if (e && e.code === "EEXIST") {
+                    const dot = filename.lastIndexOf(".");
+                    const stem = dot > 0 ? filename.slice(0, dot) : filename;
+                    const extPart = dot > 0 ? filename.slice(dot) : "";
+                    finalPath = join(output_dir, `${stem}-${Date.now()}${extPart}`);
+                    await writeFile(finalPath, content, { flag: "wx" });
+                }
+                else {
+                    throw e;
+                }
             }
-            exportedFiles.push(outputPath);
-            debugLog(`[session_export_memory] Wrote ${content.length} bytes to ${outputPath}`);
+            exportedFiles.push(finalPath);
+            debugLog(`[session_export_memory] Wrote ${content.length} bytes to ${finalPath}`);
         }
         const plural = exportedFiles.length > 1 ? "files" : "file";
         return {

package/dist/tools/sessionMemoryDefinitions.js

@@ -1790,3 +1790,15 @@ export function isVerifyBehaviorArgs(a) {
         return false;
     return true;
 }
+// ─── v19.2: Inference Metrics Tool ──────────────────────────
+export const INFERENCE_METRICS_TOOL = {
+    name: "inference_metrics",
+    description: "Returns the current session's local-model inference metrics — call count, " +
+        "local vs cloud split, token totals, per-model breakdown, and average latency. " +
+        "Read-only, no arguments. Reflects prism_infer delegation usage only, not the " +
+        "host model's (Claude's) own token spend (use /cost for that).",
+    inputSchema: {
+        type: "object",
+        properties: {},
+    },
+};

package/dist/utils/inferenceMetrics.js

@@ -70,12 +70,21 @@ export function resetInferenceMetrics() {
     }
     debugLog("[inference-metrics] Session metrics reset");
 }
+export async function inferenceMetricsHandler() {
+    const block = formatInferenceMetrics();
+    return {
+        content: [{
+                type: "text",
+                text: block || "No prism_infer calls this session. Metrics track local-model delegation only — not the host model's (Claude's) token spend.",
+            }],
+    };
+}
 export function formatInferenceMetrics() {
     const snap = getInferenceSnapshot();
     if (snap.totalCalls === 0)
         return "";
     const lines = [
-        `\n📊 Inference Metrics (this session):`,
+        `\n📊 Inference Metrics — local-model delegation (this session):`,
         `  Total calls: ${snap.totalCalls} — Local: ${snap.localCalls} (${snap.localPct}%) | Cloud: ${snap.cloudCalls} (${snap.cloudPct}%)`,
         `  Tokens: ${snap.totalPromptTokens.toLocaleString()} in + ${snap.totalCompletionTokens.toLocaleString()} out = ${snap.totalTokens.toLocaleString()} total`,
         `  Avg latency: ${snap.avgLatencyMs}ms`,

package/dist/utils/notifier.js

@@ -11,6 +11,7 @@
  * Zero external dependencies — uses native fetch API.
  */
 import { debugLog } from "./logger.js";
+import { lookup } from "node:dns/promises";
 // ─── Default Config ──────────────────────────────────────────
 const DEFAULT_CONFIG = {
     enabled: false,
@@ -99,7 +100,7 @@ function isPrivateIP(ip) {
         return true;
     return false;
 }
-function isAllowedUrl(url) {
+async function isAllowedUrl(url) {
     try {
         const parsed = new URL(url);
         // Block non-HTTP(S) schemes
@@ -118,6 +119,18 @@ function isAllowedUrl(url) {
         // Block bracketed IPv6
         if (hostname.startsWith("[") && isPrivateIP(hostname))
             return false;
+        // Resolve hostname and reject if ANY address is private (closes
+        // attacker.example → 169.254.169.254 / 127.0.0.1 bypass)
+        try {
+            const addrs = await lookup(hostname, { all: true });
+            for (const { address } of addrs) {
+                if (isPrivateIP(address))
+                    return false;
+            }
+        }
+        catch {
+            return false;
+        }
         return true;
     }
     catch {
@@ -126,7 +139,7 @@ function isAllowedUrl(url) {
 }
 // ─── Channel Senders ─────────────────────────────────────────
 async function sendWebhook(url, payload) {
-    if (!isAllowedUrl(url)) {
+    if (!(await isAllowedUrl(url))) {
         debugLog(`Webhook URL blocked by SSRF policy: ${url}`);
         return false;
     }
@@ -135,6 +148,7 @@ async function sendWebhook(url, payload) {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify(payload),
+            redirect: "error",
             signal: AbortSignal.timeout(10_000),
         });
         return response.ok;
@@ -145,7 +159,7 @@ async function sendWebhook(url, payload) {
     }
 }
 async function sendSlack(webhookUrl, payload) {
-    if (!isAllowedUrl(webhookUrl)) {
+    if (!(await isAllowedUrl(webhookUrl))) {
         debugLog(`Slack webhook URL blocked by SSRF policy: ${webhookUrl}`);
         return false;
     }
@@ -191,6 +205,7 @@ async function sendSlack(webhookUrl, payload) {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify(slackPayload),
+            redirect: "error",
             signal: AbortSignal.timeout(10_000),
         });
         return response.ok;
@@ -201,7 +216,7 @@ async function sendSlack(webhookUrl, payload) {
     }
 }
 async function sendEmail(endpoint, payload) {
-    if (!isAllowedUrl(endpoint)) {
+    if (!(await isAllowedUrl(endpoint))) {
         debugLog(`Email endpoint URL blocked by SSRF policy: ${endpoint}`);
         return false;
     }
@@ -216,6 +231,7 @@ async function sendEmail(endpoint, payload) {
                 project: payload.project,
                 details: payload.details,
             }),
+            redirect: "error",
             signal: AbortSignal.timeout(10_000),
         });
         return response.ok;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "prism-mcp-server",
-  "version": "19.2.2",
+  "version": "19.2.5",
   "mcpName": "io.github.dcostenco/prism-coder",
   "description": "Prism Coder — Cognitive memory + tool-calling intelligence for AI agents. Mind Palace persistent memory (BFCL Gold Certified, 100% Tool-Call Accuracy, 114 Agent Skills, PHI Guard, Tier Enforcement, Prompt-Based Skill Routing, Zero-Search HDC/HRR retrieval, HRR Semantic Drift Detection across BCBA/Coding/AAC domains, HIPAA-hardened local-first storage, SLERP-optimized GRPO alignment) plus the prism-coder 1.7B–32B open-weights LLM fleet.",
   "module": "index.ts",
@@ -129,9 +129,10 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@mozilla/readability": "^0.6.0",
     "@opentelemetry/api": "^1.9.1",
-    "@opentelemetry/exporter-trace-otlp-http": "^0.214.0",
-    "@opentelemetry/resources": "^2.6.1",
-    "@opentelemetry/sdk-trace-node": "^2.6.1",
+    "@opentelemetry/core": "^2.8.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.219.0",
+    "@opentelemetry/resources": "^2.8.0",
+    "@opentelemetry/sdk-trace-node": "^2.8.0",
     "@opentelemetry/semantic-conventions": "^1.40.0",
     "@supabase/supabase-js": "^2.99.3",
     "cheerio": "^1.2.0",