prism-mcp-server 6.5.2 → 7.0.0

package/dist/dashboard/server.js

@@ -29,6 +29,7 @@ import { getLLMProvider } from "../utils/llm/factory.js";
 import { buildVaultDirectory } from "../utils/vaultExporter.js";
 import { redactSettings } from "../tools/commonHelpers.js";
 import { handleGraphRoutes } from "./graphRouter.js";
+import { safeCompare, generateToken, isAuthenticated, createRateLimiter, } from "./authUtils.js";
 const PORT = parseInt(process.env.PRISM_DASHBOARD_PORT || "3000", 10);
 /** Read HTTP request body as string (Buffer-based to avoid GC thrash on large imports) */
 function readBody(req) {
@@ -75,50 +76,18 @@ export async function startDashboardServer() {
     const AUTH_ENABLED = AUTH_USER.length > 0 && AUTH_PASS.length > 0;
     const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
     const activeSessions = new Map(); // token → expiry timestamp
-    /** Generate a random session token */
-    function generateToken() {
-        const chars = "abcdef0123456789";
-        let token = "";
-        for (let i = 0; i < 64; i++) {
-            token += chars[Math.floor(Math.random() * chars.length)];
-        }
-        return token;
-    }
-    /** Timing-safe string comparison to prevent timing attacks */
-    function safeCompare(a, b) {
-        if (a.length !== b.length)
-            return false;
-        let result = 0;
-        for (let i = 0; i < a.length; i++) {
-            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-        }
-        return result === 0;
-    }
-    /** Check if request is authenticated (returns true if auth is disabled) */
-    function isAuthenticated(req) {
-        if (!AUTH_ENABLED)
-            return true;
-        // Check session cookie first
-        const cookies = req.headers.cookie || "";
-        const match = cookies.match(/prism_session=([a-f0-9]{64})/);
-        if (match) {
-            const token = match[1];
-            const expiry = activeSessions.get(token);
-            if (expiry && expiry > Date.now())
-                return true;
-            // Expired — clean up
-            if (expiry)
-                activeSessions.delete(token);
-        }
-        // Check Basic Auth header
-        const authHeader = req.headers.authorization || "";
-        if (authHeader.startsWith("Basic ")) {
-            const decoded = Buffer.from(authHeader.slice(6), "base64").toString("utf-8");
-            const [user, pass] = decoded.split(":");
-            return safeCompare(user || "", AUTH_USER) && safeCompare(pass || "", AUTH_PASS);
-        }
-        return false;
-    }
+    // Auth config object — injectable for testing via authUtils.ts
+    const authConfig = {
+        authEnabled: AUTH_ENABLED,
+        authUser: AUTH_USER,
+        authPass: AUTH_PASS,
+        activeSessions,
+    };
+    // v6.5.1: Rate limiter for login endpoint — 5 attempts per 60 seconds per IP
+    const loginRateLimiter = createRateLimiter({
+        maxAttempts: 5,
+        windowMs: 60 * 1000,
+    });
     /** Render a styled login page matching the Mind Palace theme */
     function renderLoginPage() {
         return `<!DOCTYPE html>
@@ -170,9 +139,19 @@ return false;}
             `with TLS for remote access.`);
     }
     const httpServer = http.createServer(async (req, res) => {
-        // CORS headers for local dev
-        res.setHeader("Access-Control-Allow-Origin", "*");
-        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+        // v6.5.1: CORS — restrict origin when auth is enabled to prevent CSRF
+        if (AUTH_ENABLED) {
+            const origin = req.headers.origin || "";
+            // Only echo back the origin if present (browser-initiated requests)
+            if (origin) {
+                res.setHeader("Access-Control-Allow-Origin", origin);
+                res.setHeader("Access-Control-Allow-Credentials", "true");
+            }
+        }
+        else {
+            res.setHeader("Access-Control-Allow-Origin", "*");
+        }
+        res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
         res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
         if (req.method === "OPTIONS") {
             res.writeHead(204);
@@ -181,12 +160,20 @@ return false;}
         // ─── v5.1: Auth login endpoint (always accessible) ───
         const reqUrl = new URL(req.url || "/", `http://${req.headers.host}`);
         if (AUTH_ENABLED && reqUrl.pathname === "/api/auth/login" && req.method === "POST") {
+            // v6.5.1: Rate limiting — prevent brute-force attacks
+            const clientIP = (req.socket?.remoteAddress || "unknown").replace(/^::ffff:/, "");
+            if (!loginRateLimiter.isAllowed(clientIP)) {
+                res.writeHead(429, { "Content-Type": "application/json" });
+                return res.end(JSON.stringify({ error: "Too many login attempts. Try again later." }));
+            }
             const body = await readBody(req);
             try {
                 const { user, pass } = JSON.parse(body);
                 if (safeCompare(user || "", AUTH_USER) && safeCompare(pass || "", AUTH_PASS)) {
                     const token = generateToken();
                     activeSessions.set(token, Date.now() + SESSION_TTL_MS);
+                    // Reset rate limiter on successful login
+                    loginRateLimiter.reset(clientIP);
                     res.writeHead(200, {
                         "Content-Type": "application/json",
                         "Set-Cookie": `prism_session=${token}; Path=/; HttpOnly; SameSite=Strict; Max-Age=${SESSION_TTL_MS / 1000}`,
@@ -198,8 +185,23 @@ return false;}
             res.writeHead(401, { "Content-Type": "application/json" });
             return res.end(JSON.stringify({ error: "Invalid credentials" }));
         }
+        // ─── v6.5.1: Logout endpoint — invalidates session server-side ───
+        if (AUTH_ENABLED && reqUrl.pathname === "/api/auth/logout" && req.method === "POST") {
+            // Extract and invalidate the session token from the cookie
+            const cookies = req.headers.cookie || "";
+            const match = cookies.match(/prism_session=([a-f0-9]{64})/);
+            if (match) {
+                activeSessions.delete(match[1]);
+            }
+            res.writeHead(200, {
+                "Content-Type": "application/json",
+                // Clear the cookie on the client side
+                "Set-Cookie": `prism_session=; Path=/; HttpOnly; SameSite=Strict; Max-Age=0`,
+            });
+            return res.end(JSON.stringify({ ok: true }));
+        }
         // ─── v5.1: Auth gate — block unauthenticated requests ───
-        if (AUTH_ENABLED && !isAuthenticated(req)) {
+        if (AUTH_ENABLED && !isAuthenticated(req, authConfig)) {
             // For API calls, return 401 JSON
             if (reqUrl.pathname.startsWith("/api/")) {
                 res.writeHead(401, { "Content-Type": "application/json" });

package/dist/storage/sqlite.js

@@ -20,11 +20,14 @@ import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
 import { randomUUID } from "crypto";
+import { AccessLogBuffer } from "../utils/accessLogBuffer.js";
+import { PRISM_ACTR_BUFFER_FLUSH_MS } from "../config.js";
 import { getSetting as cfgGet, setSetting as cfgSet, getAllSettings as cfgGetAll } from "./configStorage.js";
 import { debugLog } from "../utils/logger.js";
 export class SqliteStorage {
     db;
     dbPath;
+    accessLogBuffer;
     // ─── Lifecycle ─────────────────────────────────────────────
     async initialize(dbPath) {
         // ─── DB Path Resolution ────────────────────────────────────────────
@@ -65,9 +68,18 @@ export class SqliteStorage {
         await this.db.execute("PRAGMA foreign_keys = ON");
         // Run all migrations
         await this.runMigrations();
+        // v7.0: Initialize the ACT-R access log write buffer.
+        // The buffer batches logAccess() calls into periodic single-INSERT flushes
+        // to prevent SQLite SQLITE_BUSY contention (Rule #1).
+        this.accessLogBuffer = new AccessLogBuffer(this.db, PRISM_ACTR_BUFFER_FLUSH_MS);
         debugLog(`[SqliteStorage] Initialized at ${this.dbPath}`);
     }
     async close() {
+        // v7.0: Drain the access log buffer before closing the DB connection.
+        // This ensures any buffered access events are persisted on shutdown.
+        if (this.accessLogBuffer) {
+            await this.accessLogBuffer.dispose();
+        }
         this.db.close();
         debugLog("[SqliteStorage] Closed");
     }
@@ -511,6 +523,39 @@ export class SqliteStorage {
             if (!e.message?.includes("duplicate column name"))
                 throw e;
         }
+        // ─── v7.0 Migration: ACT-R Memory Access Log ──────────────
+        //
+        // REVIEWER NOTE: This table drives the ACT-R base-level activation
+        // formula: B_i = ln(Σ t_j^(-d)). Each row is a single "access" event
+        // recorded fire-and-forget via AccessLogBuffer.
+        //
+        // DESIGN:
+        //   - INTEGER PRIMARY KEY = SQLite implicit rowid (fastest inserts)
+        //   - entry_id NOT NULL FK → session_ledger (ON DELETE CASCADE)
+        //   - accessed_at TEXT ISO-8601 — enables julianday() math in queries
+        //   - context_hash TEXT — optional search query fingerprint for
+        //     future "what queries retrieve this memory?" analytics
+        //
+        // INDEXES:
+        //   - (entry_id, accessed_at DESC): covers the window-function query
+        //     used by getAccessLog(). DESC order makes recent-first scans
+        //     sequential reads (no reverse B-tree traversal).
+        //   - (accessed_at): covers the retention sweep in pruneAccessLog().
+        //
+        // STORAGE: ~80 bytes/row → 100K accesses ≈ 8 MB → laptop-safe.
+        await this.db.execute(`
+      CREATE TABLE IF NOT EXISTS memory_access_log (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        entry_id TEXT NOT NULL,
+        accessed_at TEXT NOT NULL DEFAULT (datetime('now')),
+        context_hash TEXT DEFAULT NULL,
+        FOREIGN KEY (entry_id) REFERENCES session_ledger(id) ON DELETE CASCADE
+      )
+    `);
+        await this.db.execute(`CREATE INDEX IF NOT EXISTS idx_access_log_entry_time
+       ON memory_access_log(entry_id, accessed_at DESC)`);
+        await this.db.execute(`CREATE INDEX IF NOT EXISTS idx_access_log_time
+       ON memory_access_log(accessed_at)`);
         // ─── v6.1 Migration: Integrity Check ──────────────────────
         //
         // REVIEWER NOTE: PRAGMA integrity_check scans the B-tree structure of
@@ -737,6 +782,17 @@ export class SqliteStorage {
                 now,
             ],
         });
+        // ── v7.0 Rule #3: Creation = Access Seeding ─────────────────────
+        // Seed the access log with a single event at creation time so that
+        // brand-new entries have a non-empty access history. Without this,
+        // new entries would have B_i = -∞ (ln(0)) and never surface in
+        // ACT-R re-ranking until they're accessed at least once.
+        //
+        // Uses the buffer for consistency — the creation seed is batched
+        // with other access events and flushed on the next cycle.
+        if (this.accessLogBuffer) {
+            this.accessLogBuffer.push(id, 'creation_seed');
+        }
         // Return Supabase-compatible shape: handlers expect [{ id, ... }]
         return [{ id, project: entry.project, created_at: now }];
     }
@@ -960,12 +1016,14 @@ export class SqliteStorage {
         if (!ids || ids.length === 0)
             return;
         const CHUNK_SIZE = 500;
+        const now = new Date().toISOString(); // JS generates ISO-8601 with Z suffix
         for (let i = 0; i < ids.length; i += CHUNK_SIZE) {
             const chunk = ids.slice(i, i + CHUNK_SIZE);
             const placeholders = chunk.map(() => "?").join(", ");
+            // Pass 'now' as the first argument, followed by the chunk IDs
             await this.db.execute({
-                sql: `UPDATE session_ledger SET last_accessed_at = datetime('now') WHERE id IN (${placeholders})`,
-                args: chunk,
+                sql: `UPDATE session_ledger SET last_accessed_at = ? WHERE id IN (${placeholders})`,
+                args: [now, ...chunk],
             });
         }
     }
@@ -2653,4 +2711,79 @@ export class SqliteStorage {
             `temporal=${temporal}, keyword=${keyword}, provenance=${provenance}`);
         return { temporal, keyword, provenance };
     }
+    // ─── v7.0: ACT-R Access Log Methods ────────────────────────────
+    //
+    // These three methods support the ACT-R base-level activation model.
+    // Read the interface.ts docstrings for the full spec.
+    /**
+     * Record a memory access event (synchronous, fire-and-forget via buffer).
+     * Rule #1: Write contention prevention.
+     */
+    logAccess(entryId, contextHash) {
+        this.accessLogBuffer.push(entryId, contextHash);
+    }
+    /**
+     * Batch-fetch access timestamps for multiple entries using window functions.
+     * Rule #2: Prevents N+1 query explosion.
+     *
+     * SQL STRATEGY:
+     *   Uses ROW_NUMBER() OVER (PARTITION BY entry_id ORDER BY accessed_at DESC)
+     *   to rank accesses per entry, then filters to the top `maxPerEntry`.
+     *   This converts N separate queries into 1 query with O(N*K) work
+     *   where N = entries and K = max accesses per entry.
+     *
+     *   We use a CTE subquery pattern because SQLite doesn't support
+     *   WHERE on a window function alias in the same SELECT scope.
+     */
+    async getAccessLog(entryIds, maxPerEntry = 50) {
+        const result = new Map();
+        if (entryIds.length === 0)
+            return result;
+        // Build parameterized IN clause
+        const placeholders = entryIds.map(() => "?").join(", ");
+        const rows = await this.db.execute({
+            sql: `
+        WITH ranked AS (
+          SELECT
+            entry_id,
+            accessed_at,
+            ROW_NUMBER() OVER (
+              PARTITION BY entry_id
+              ORDER BY accessed_at DESC
+            ) AS rn
+          FROM memory_access_log
+          WHERE entry_id IN (${placeholders})
+        )
+        SELECT entry_id, accessed_at
+        FROM ranked
+        WHERE rn <= ?
+        ORDER BY entry_id, accessed_at DESC
+      `,
+            args: [...entryIds, maxPerEntry],
+        });
+        // Assemble the Map from flat rows
+        for (const row of rows.rows) {
+            const entryId = row.entry_id;
+            const accessedAt = new Date(row.accessed_at);
+            if (!result.has(entryId)) {
+                result.set(entryId, []);
+            }
+            result.get(entryId).push(accessedAt);
+        }
+        return result;
+    }
+    /**
+     * Prune access log entries older than N days.
+     * Called by the sleep-cycle scheduler to bound table growth.
+     */
+    async pruneAccessLog(olderThanDays) {
+        const result = await this.db.execute({
+            sql: `DELETE FROM memory_access_log
+            WHERE accessed_at < datetime('now', ?)`,
+            args: [`-${olderThanDays} days`],
+        });
+        const pruned = result.rowsAffected;
+        debugLog(`[SqliteStorage] pruneAccessLog: removed ${pruned} entries older than ${olderThanDays} days`);
+        return pruned;
+    }
 }

package/dist/storage/supabase.js

@@ -15,6 +15,7 @@
 import { supabasePost, supabaseGet, supabaseRpc, supabasePatch, supabaseDelete, } from "../utils/supabaseApi.js";
 import { gzipSync, gunzipSync } from "node:zlib";
 import { debugLog } from "../utils/logger.js";
+import { PRISM_USER_ID } from "../config.js";
 import { getSetting as cfgGet, setSetting as cfgSet, getAllSettings as cfgGetAll } from "./configStorage.js";
 import { runAutoMigrations } from "./supabaseMigrations.js";
 export class SupabaseStorage {
@@ -1118,4 +1119,80 @@ export class SupabaseStorage {
             return { temporal: 0, keyword: 0, provenance: 0 };
         }
     }
+    // ─── v7.0: ACT-R Access Log (Supabase Parity) ───────────────
+    //
+    // Implements the same StorageBackend contract as SQLite:
+    //   - logAccess: fire-and-forget write
+    //   - getAccessLog: batch top-N timestamps per entry
+    //   - pruneAccessLog: retention delete count
+    //
+    // All operations route through SECURITY DEFINER RPCs for tenant-safe access.
+    logAccess(entryId, contextHash) {
+        supabaseRpc("prism_log_access", {
+            p_user_id: PRISM_USER_ID,
+            p_entry_id: entryId,
+            p_accessed_at: new Date().toISOString(),
+            p_context_hash: contextHash || null,
+        }).catch((e) => {
+            debugLog(`[SupabaseStorage] logAccess fallback/no-op: ${e.message}`);
+        });
+    }
+    async getAccessLog(entryIds, maxPerEntry = 50) {
+        const result = new Map();
+        if (!entryIds || entryIds.length === 0)
+            return result;
+        try {
+            const rows = await supabaseRpc("prism_get_access_log", {
+                p_user_id: PRISM_USER_ID,
+                p_entry_ids: entryIds,
+                p_max_per_entry: maxPerEntry,
+            });
+            const data = Array.isArray(rows) ? rows : [];
+            for (const row of data) {
+                const entryId = row.entry_id;
+                const accessedAtRaw = row.accessed_at;
+                if (!entryId || !accessedAtRaw)
+                    continue;
+                if (!result.has(entryId))
+                    result.set(entryId, []);
+                result.get(entryId).push(new Date(accessedAtRaw));
+            }
+            return result;
+        }
+        catch (e) {
+            debugLog(`[SupabaseStorage] getAccessLog fallback/no-op: ${e.message}`);
+            return result;
+        }
+    }
+    async pruneAccessLog(olderThanDays) {
+        try {
+            const rpcResult = await supabaseRpc("prism_prune_access_log", {
+                p_older_than_days: olderThanDays,
+            });
+            if (typeof rpcResult === "number")
+                return rpcResult;
+            if (Array.isArray(rpcResult) && rpcResult.length > 0) {
+                const first = rpcResult[0];
+                if (typeof first === "number")
+                    return first;
+                if (first && typeof first.deleted_count !== "undefined") {
+                    return Number(first.deleted_count) || 0;
+                }
+                if (first && typeof first.prism_prune_access_log !== "undefined") {
+                    return Number(first.prism_prune_access_log) || 0;
+                }
+            }
+            if (rpcResult && typeof rpcResult.deleted_count !== "undefined") {
+                return Number(rpcResult.deleted_count) || 0;
+            }
+            if (rpcResult && typeof rpcResult.prism_prune_access_log !== "undefined") {
+                return Number(rpcResult.prism_prune_access_log) || 0;
+            }
+            return 0;
+        }
+        catch (e) {
+            debugLog(`[SupabaseStorage] pruneAccessLog fallback/no-op: ${e.message}`);
+            return 0;
+        }
+    }
 }

package/dist/storage/supabaseMigrations.js

@@ -598,6 +598,129 @@ export const MIGRATIONS = [
       GRANT EXECUTE ON FUNCTION public.admin_get_deleted_entries(TEXT, TEXT, INTEGER) TO service_role;
     `
     },
+    {
+        version: 37,
+        name: "actr_access_log_parity",
+        sql: `
+      -- Migration 037: ACT-R Access Log parity for Supabase backend
+
+      CREATE TABLE IF NOT EXISTS public.memory_access_log (
+        id BIGSERIAL PRIMARY KEY,
+        entry_id UUID NOT NULL REFERENCES public.session_ledger(id) ON DELETE CASCADE,
+        accessed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+        context_hash TEXT DEFAULT NULL
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_memory_access_log_entry_time
+        ON public.memory_access_log(entry_id, accessed_at DESC);
+      CREATE INDEX IF NOT EXISTS idx_memory_access_log_time
+        ON public.memory_access_log(accessed_at);
+
+      -- Fire-and-forget insert path used by SupabaseStorage.logAccess.
+      -- Uses tenant + visibility gate; invalid entry/user pairs become no-op inserts.
+      CREATE OR REPLACE FUNCTION public.prism_log_access(
+        p_user_id TEXT,
+        p_entry_id UUID,
+        p_accessed_at TIMESTAMPTZ DEFAULT now(),
+        p_context_hash TEXT DEFAULT NULL
+      )
+      RETURNS VOID
+      LANGUAGE sql
+      SECURITY DEFINER
+      SET search_path = public
+      AS $inner$
+        INSERT INTO public.memory_access_log(entry_id, accessed_at, context_hash)
+        SELECT sl.id, COALESCE(p_accessed_at, now()), p_context_hash
+        FROM public.session_ledger sl
+        WHERE sl.id = p_entry_id
+          AND sl.user_id = p_user_id
+          AND sl.deleted_at IS NULL;
+      $inner$;
+
+      -- Batch top-N access log read for ACT-R base-level activation.
+      CREATE OR REPLACE FUNCTION public.prism_get_access_log(
+        p_user_id TEXT,
+        p_entry_ids UUID[],
+        p_max_per_entry INTEGER DEFAULT 50
+      )
+      RETURNS TABLE (
+        entry_id UUID,
+        accessed_at TIMESTAMPTZ
+      )
+      LANGUAGE sql
+      SECURITY DEFINER
+      SET search_path = public
+      AS $inner$
+        WITH ranked AS (
+          SELECT
+            mal.entry_id,
+            mal.accessed_at,
+            ROW_NUMBER() OVER (
+              PARTITION BY mal.entry_id
+              ORDER BY mal.accessed_at DESC
+            ) AS rn
+          FROM public.memory_access_log mal
+          JOIN public.session_ledger sl ON sl.id = mal.entry_id
+          WHERE sl.user_id = p_user_id
+            AND sl.deleted_at IS NULL
+            AND mal.entry_id = ANY(p_entry_ids)
+        )
+        SELECT r.entry_id, r.accessed_at
+        FROM ranked r
+        WHERE r.rn <= GREATEST(COALESCE(p_max_per_entry, 50), 1)
+        ORDER BY r.entry_id, r.accessed_at DESC;
+      $inner$;
+
+      -- Retention prune for scheduler Task 9.
+      CREATE OR REPLACE FUNCTION public.prism_prune_access_log(
+        p_older_than_days INTEGER DEFAULT 90
+      )
+      RETURNS INTEGER
+      LANGUAGE plpgsql
+      SECURITY DEFINER
+      SET search_path = public
+      AS $inner$
+      DECLARE
+        v_deleted INTEGER := 0;
+      BEGIN
+        IF p_older_than_days IS NULL OR p_older_than_days < 1 THEN
+          RAISE EXCEPTION 'p_older_than_days must be >= 1';
+        END IF;
+
+        DELETE FROM public.memory_access_log
+        WHERE accessed_at < now() - (p_older_than_days || ' days')::interval;
+
+        GET DIAGNOSTICS v_deleted = ROW_COUNT;
+        RETURN v_deleted;
+      END;
+      $inner$;
+
+      -- Strict parity with SQLite: seed one access event at ledger creation time.
+      CREATE OR REPLACE FUNCTION public.prism_seed_access_log_on_ledger_insert()
+      RETURNS TRIGGER
+      LANGUAGE plpgsql
+      SECURITY DEFINER
+      SET search_path = public
+      AS $inner$
+      BEGIN
+        INSERT INTO public.memory_access_log(entry_id, accessed_at, context_hash)
+        VALUES (NEW.id, now(), 'creation_seed');
+        RETURN NEW;
+      END;
+      $inner$;
+
+      DROP TRIGGER IF EXISTS trg_prism_seed_access_log ON public.session_ledger;
+      CREATE TRIGGER trg_prism_seed_access_log
+      AFTER INSERT ON public.session_ledger
+      FOR EACH ROW
+      EXECUTE FUNCTION public.prism_seed_access_log_on_ledger_insert();
+
+      GRANT EXECUTE ON FUNCTION public.prism_log_access(TEXT, UUID, TIMESTAMPTZ, TEXT) TO service_role, authenticated;
+      GRANT EXECUTE ON FUNCTION public.prism_get_access_log(TEXT, UUID[], INTEGER) TO service_role, authenticated;
+      GRANT EXECUTE ON FUNCTION public.prism_prune_access_log(INTEGER) TO service_role, authenticated;
+      GRANT EXECUTE ON FUNCTION public.prism_seed_access_log_on_ledger_insert() TO service_role, authenticated;
+    `
+    },
 ];
 /**
  * Current schema version — derived from the MIGRATIONS array.