npm - prism-mcp-server - Versions diffs - 19.2.4 → 19.2.5 - Mend

prism-mcp-server 19.2.4 → 19.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +34 -0
package/dist/tools/ledgerHandlers.js +94 -9
package/dist/utils/notifier.js +20 -4
package/package.json +5 -4

package/README.md CHANGED Viewed

@@ -412,6 +412,40 @@ prism_infer({
 Full TypeScript signatures live in [`src/tools/`](src/tools/); architecture in [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md).
+### `inference_metrics` — see your local-model usage on demand
+Call `inference_metrics` anytime mid-session to see how many `prism_infer` calls ran locally vs cloud, with actual token counts:
+```
+📊 Inference Metrics — local-model delegation (this session):
+  Total calls: 5 — Local: 5 (100%) | Cloud: 0 (0%)
+  Tokens: 1,240 in + 380 out = 1,620 total
+  Avg latency: 420ms
+  By model:
+    prism-coder:27b: 3 calls, 1,100 tokens, avg 520ms
+    prism-coder:9b: 2 calls, 520 tokens, avg 270ms
+```
+The same block also appears automatically in `session_save_ledger` and `session_save_handoff` responses at session end.
+**Note:** This tracks `prism_infer` delegation only — not your host model's (Claude's) own token spend. For that, use Claude Code's `/cost` command.
+### Local-model delegation (opt-in)
+By default, your AI agent (Claude, Cursor, etc.) handles everything itself. You can optionally enable delegation so the agent offloads cheap, verifiable sub-tasks to local Ollama models at $0:
+```bash
+# Enable via Prism config
+prism config set delegation_enabled true
+```
+When enabled, the agent's task router may delegate qualifying work — bulk classification, field extraction, mechanical formatting — to `prism_infer` instead of using cloud tokens. The agent always verifies the result and redoes it itself if quality is degraded.
+**Guardrails:**
+- **Off by default** — enforced in code, not just convention
+- **Never delegates:** code/text that ships to the user, security/safety logic, planning/reasoning, anything where a silent quality drop isn't obvious
+- **Always verifies:** checks `quality_gate_failed` and `used_cloud` before trusting local output
 <details>
 <summary>How Prism survives context compaction</summary>

package/dist/tools/ledgerHandlers.js CHANGED Viewed

@@ -40,8 +40,8 @@ isSessionForgetMemoryArgs, // v3.1: TTL retention policy type guard
 isSessionSaveExperienceArgs, isSessionExportMemoryArgs, normalizeExportFormat, isSessionSaveImageArgs, isSessionViewImageArgs } from "./sessionMemoryDefinitions.js";
 // v4.2: File system access for knowledge_sync_rules
 import { writeFile } from "node:fs/promises";
-import { existsSync } from "node:fs";
-import { join } from "node:path";
+import { existsSync, realpathSync, mkdirSync } from "node:fs";
+import { join, sep } from "node:path";
 // v3.1: In-memory debounce lock for auto-compaction.
 // Prevents multiple concurrent Gemini compaction tasks for the same project
 // when many agents call session_save_ledger at the same time.
@@ -1448,7 +1448,13 @@ export async function sessionExportMemoryHandler(args) {
     // to select the correct .obsidian/.logseq sidecar config.
     const requestedFormat = rawFormat;
     const format = normalizeExportFormat(rawFormat);
-    // Validate output directory
+    // Validate output directory — path traversal confinement (v4.3 security)
+    const homeDir = process.env.HOME || process.env.USERPROFILE || "/tmp";
+    const defaultExportDir = join(homeDir, ".prism-mcp", "exports");
+    // Create default export directory if it doesn't exist
+    if (!existsSync(defaultExportDir)) {
+        mkdirSync(defaultExportDir, { recursive: true });
+    }
     if (!existsSync(output_dir)) {
         return {
             content: [{
@@ -1458,6 +1464,72 @@ export async function sessionExportMemoryHandler(args) {
             isError: true,
         };
     }
+    // Resolve symlinks and ".." to get the canonical path
+    const resolvedDir = realpathSync(output_dir);
+    // Build allow-list of safe export roots
+    const allowedRoots = [
+        defaultExportDir,
+        process.cwd(),
+    ];
+    // Scratch root under tmp — but NOT the world-writable tmp root itself.
+    // os.tmpdir() (typically /tmp, mode 1777) is readable and writable by every
+    // local principal: allowing it as an export root would (a) leak unredacted
+    // ledger/handoff contents to other users and (b) let a co-resident attacker
+    // pre-plant a symlink at the predictable export filename and have writeFile
+    // follow it (arbitrary-file overwrite). Confine to an owner-only subdir.
+    const tmpExportDir = join(os.tmpdir(), ".prism-mcp", "exports");
+    if (!existsSync(tmpExportDir)) {
+        mkdirSync(tmpExportDir, { recursive: true, mode: 0o700 });
+    }
+    allowedRoots.push(realpathSync(tmpExportDir));
+    if (process.env.PRISM_EXPORT_ROOT) {
+        const exportRoot = process.env.PRISM_EXPORT_ROOT;
+        if (existsSync(exportRoot)) {
+            allowedRoots.push(realpathSync(exportRoot));
+        }
+    }
+    // Reject sensitive directories (resolve each so macOS /etc → /private/etc matches)
+    const sensitiveRoots = [
+        join(homeDir, ".ssh"),
+        join(homeDir, ".gnupg"),
+        "/etc",
+        "/var",
+        "/etc/cron.d",
+        "/etc/cron.daily",
+        "/etc/sudoers.d",
+    ].map(p => existsSync(p) ? realpathSync(p) : p);
+    // Check allow-list first — explicitly configured roots take precedence
+    const isAllowedRoot = (dir) => allowedRoots.some((root) => {
+        const resolvedRoot = existsSync(root) ? realpathSync(root) : root;
+        return dir === resolvedRoot || dir.startsWith(resolvedRoot + sep);
+    });
+    for (const sensitive of sensitiveRoots) {
+        if (resolvedDir === sensitive || resolvedDir.startsWith(sensitive + sep)) {
+            // Allow explicitly configured roots even under sensitive parents
+            // (e.g. tmpExportDir under /private/var on macOS, or PRISM_EXPORT_ROOT)
+            if (!isAllowedRoot(resolvedDir)) {
+                return {
+                    content: [{
+                            type: "text",
+                            text: `Error: output_dir resolves to a sensitive system directory ("${resolvedDir}"). Export denied.`,
+                        }],
+                    isError: true,
+                };
+            }
+        }
+    }
+    // Verify resolved path falls under an allowed root
+    if (!isAllowedRoot(resolvedDir)) {
+        return {
+            content: [{
+                    type: "text",
+                    text: `Error: output_dir "${resolvedDir}" is outside allowed export roots. ` +
+                        `Allowed: ${allowedRoots.join(", ")}. ` +
+                        `Set PRISM_EXPORT_ROOT env var to add a custom root.`,
+                }],
+            isError: true,
+        };
+    }
     const storage = await getStorage();
     const exportedFiles = [];
     try {
@@ -1527,14 +1599,27 @@ export async function sessionExportMemoryHandler(args) {
             else {
                 content = JSON.stringify(exportPayload, null, 2);
             }
-            if (format === "vault") {
-                await writeFile(outputPath, content);
+            // Exclusive create (flag: "wx") refuses to write if the path already
+            // exists — including a symlink pre-planted at the predictable export
+            // name. On a genuine collision fall back to a timestamped unique name.
+            let finalPath = outputPath;
+            try {
+                await writeFile(finalPath, content, { flag: "wx" });
             }
-            else {
-                await writeFile(outputPath, content, "utf-8");
+            catch (e) {
+                if (e && e.code === "EEXIST") {
+                    const dot = filename.lastIndexOf(".");
+                    const stem = dot > 0 ? filename.slice(0, dot) : filename;
+                    const extPart = dot > 0 ? filename.slice(dot) : "";
+                    finalPath = join(output_dir, `${stem}-${Date.now()}${extPart}`);
+                    await writeFile(finalPath, content, { flag: "wx" });
+                }
+                else {
+                    throw e;
+                }
             }
-            exportedFiles.push(outputPath);
-            debugLog(`[session_export_memory] Wrote ${content.length} bytes to ${outputPath}`);
+            exportedFiles.push(finalPath);
+            debugLog(`[session_export_memory] Wrote ${content.length} bytes to ${finalPath}`);
         }
         const plural = exportedFiles.length > 1 ? "files" : "file";
         return {

package/dist/utils/notifier.js CHANGED Viewed

@@ -11,6 +11,7 @@
  * Zero external dependencies — uses native fetch API.
  */
 import { debugLog } from "./logger.js";
+import { lookup } from "node:dns/promises";
 // ─── Default Config ──────────────────────────────────────────
 const DEFAULT_CONFIG = {
     enabled: false,
@@ -99,7 +100,7 @@ function isPrivateIP(ip) {
         return true;
     return false;
 }
-function isAllowedUrl(url) {
+async function isAllowedUrl(url) {
     try {
         const parsed = new URL(url);
         // Block non-HTTP(S) schemes
@@ -118,6 +119,18 @@ function isAllowedUrl(url) {
         // Block bracketed IPv6
         if (hostname.startsWith("[") && isPrivateIP(hostname))
             return false;
+        // Resolve hostname and reject if ANY address is private (closes
+        // attacker.example → 169.254.169.254 / 127.0.0.1 bypass)
+        try {
+            const addrs = await lookup(hostname, { all: true });
+            for (const { address } of addrs) {
+                if (isPrivateIP(address))
+                    return false;
+            }
+        }
+        catch {
+            return false;
+        }
         return true;
     }
     catch {
@@ -126,7 +139,7 @@ function isAllowedUrl(url) {
 }
 // ─── Channel Senders ─────────────────────────────────────────
 async function sendWebhook(url, payload) {
-    if (!isAllowedUrl(url)) {
+    if (!(await isAllowedUrl(url))) {
         debugLog(`Webhook URL blocked by SSRF policy: ${url}`);
         return false;
     }
@@ -135,6 +148,7 @@ async function sendWebhook(url, payload) {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify(payload),
+            redirect: "error",
             signal: AbortSignal.timeout(10_000),
         });
         return response.ok;
@@ -145,7 +159,7 @@ async function sendWebhook(url, payload) {
     }
 }
 async function sendSlack(webhookUrl, payload) {
-    if (!isAllowedUrl(webhookUrl)) {
+    if (!(await isAllowedUrl(webhookUrl))) {
         debugLog(`Slack webhook URL blocked by SSRF policy: ${webhookUrl}`);
         return false;
     }
@@ -191,6 +205,7 @@ async function sendSlack(webhookUrl, payload) {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify(slackPayload),
+            redirect: "error",
             signal: AbortSignal.timeout(10_000),
         });
         return response.ok;
@@ -201,7 +216,7 @@ async function sendSlack(webhookUrl, payload) {
     }
 }
 async function sendEmail(endpoint, payload) {
-    if (!isAllowedUrl(endpoint)) {
+    if (!(await isAllowedUrl(endpoint))) {
         debugLog(`Email endpoint URL blocked by SSRF policy: ${endpoint}`);
         return false;
     }
@@ -216,6 +231,7 @@ async function sendEmail(endpoint, payload) {
                 project: payload.project,
                 details: payload.details,
             }),
+            redirect: "error",
             signal: AbortSignal.timeout(10_000),
         });
         return response.ok;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "prism-mcp-server",
-  "version": "19.2.4",
+  "version": "19.2.5",
   "mcpName": "io.github.dcostenco/prism-coder",
   "description": "Prism Coder — Cognitive memory + tool-calling intelligence for AI agents. Mind Palace persistent memory (BFCL Gold Certified, 100% Tool-Call Accuracy, 114 Agent Skills, PHI Guard, Tier Enforcement, Prompt-Based Skill Routing, Zero-Search HDC/HRR retrieval, HRR Semantic Drift Detection across BCBA/Coding/AAC domains, HIPAA-hardened local-first storage, SLERP-optimized GRPO alignment) plus the prism-coder 1.7B–32B open-weights LLM fleet.",
   "module": "index.ts",
@@ -129,9 +129,10 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@mozilla/readability": "^0.6.0",
     "@opentelemetry/api": "^1.9.1",
-    "@opentelemetry/exporter-trace-otlp-http": "^0.214.0",
-    "@opentelemetry/resources": "^2.6.1",
-    "@opentelemetry/sdk-trace-node": "^2.6.1",
+    "@opentelemetry/core": "^2.8.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.219.0",
+    "@opentelemetry/resources": "^2.8.0",
+    "@opentelemetry/sdk-trace-node": "^2.8.0",
     "@opentelemetry/semantic-conventions": "^1.40.0",
     "@supabase/supabase-js": "^2.99.3",
     "cheerio": "^1.2.0",