prism-mcp-server 7.3.1 → 7.3.3

package/dist/verification/gatekeeper.js

@@ -0,0 +1,39 @@
+import { VerificationGateError } from "../errors.js";
+export class Gatekeeper {
+    /**
+     * Reviews a ValidationResult and determines if execution is permitted to continue.
+     * Throws `VerificationGateError` strictly on "abort" if bypass isn't provided.
+     *
+     * @param result - The output of the VerificationRunner
+     * @param options - Configuration including audit bypasses
+     * @returns `true` if downstream pipeline execution is allowed
+     */
+    static executeGate(result, options) {
+        const isBypass = options?.forceBypass === true;
+        const validatedResult = { ...result };
+        if (isBypass) {
+            console.warn(`\n⚠️  [OVERRIDDEN] Verification Gate bypassed via administrator override.`);
+            // Enforce immutability and record audit trail context via environment variables
+            validatedResult.gate_override = true;
+            const actor = process.env.USER || process.env.USERNAME || 'unknown_user';
+            validatedResult.override_reason = validatedResult.override_reason || `CLI --force bypass by ${actor}`;
+            return { canContinue: true, validatedResult };
+        }
+        switch (validatedResult.gate_action) {
+            case "continue":
+                if (validatedResult.critical_failures > 0) {
+                    console.warn(`\n⚠️  [CONTINUE] Harness passed but ${validatedResult.critical_failures} critical assertion(s) failed.`);
+                }
+                return { canContinue: true, validatedResult };
+            case "block":
+                console.error(`\n🚫 [BLOCK] Harness blocked execution. ${(validatedResult.pass_rate * 100).toFixed(1)}% pass rate.`);
+                return { canContinue: false, validatedResult };
+            case "abort":
+                console.error(`\n💥 [ABORT] Critical failures detected. Pipeline aborted.`);
+                throw new VerificationGateError(`Pipeline blocked by verification harness. Gate action evaluated to ABORT. Pass rate: ${(validatedResult.pass_rate * 100).toFixed(1)}%`, validatedResult);
+            default:
+                console.error(`\n⚠️  [UNKNOWN ACTION] Invalid gate action type: ${validatedResult.gate_action}. Failsafe blocking.`);
+                return { canContinue: false, validatedResult };
+        }
+    }
+}

package/dist/verification/renameDetector.js

@@ -0,0 +1,170 @@
+/**
+ * Rename Detection Heuristic Engine
+ *
+ * Isolated module that detects probable test assertion renames by computing
+ * similarity scores between removed and added tests. This module is ONLY
+ * invoked when rename detection is explicitly enabled via --rename-detection
+ * flag or PRISM_RENAME_DETECTION=true env var.
+ *
+ * When this module is NOT invoked, the strict-by-ID deterministic behavior
+ * of v7.3.2 is preserved byte-for-byte.
+ *
+ * Algorithm: Greedy bipartite matching on composite similarity scores.
+ * - Field overlap via Jaccard coefficient over non-ID field values
+ * - Description similarity via normalized Levenshtein distance
+ * - Greedy highest-score-first, one-to-one matching (no test matched twice)
+ *
+ * @module renameDetector
+ */
+// ─── Constants ────────────────────────────────────────────────────────────────
+/** Minimum allowed threshold (too low = excessive false positives) */
+export const MIN_THRESHOLD = 0.50;
+/** Maximum allowed threshold (too high = nothing ever matches) */
+export const MAX_THRESHOLD = 0.95;
+/** Default similarity threshold when not specified */
+export const DEFAULT_THRESHOLD = 0.70;
+// ─── Similarity Functions ─────────────────────────────────────────────────────
+/**
+ * Compute normalized Levenshtein distance between two strings.
+ * Returns 0.0 (completely different) to 1.0 (identical).
+ */
+export function levenshteinSimilarity(a, b) {
+    if (a === b)
+        return 1.0;
+    if (a.length === 0 || b.length === 0)
+        return 0.0;
+    const maxLen = Math.max(a.length, b.length);
+    // Wagner-Fischer algorithm for edit distance
+    const prev = new Array(b.length + 1);
+    const curr = new Array(b.length + 1);
+    for (let j = 0; j <= b.length; j++)
+        prev[j] = j;
+    for (let i = 1; i <= a.length; i++) {
+        curr[0] = i;
+        for (let j = 1; j <= b.length; j++) {
+            const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+            curr[j] = Math.min(curr[j - 1] + 1, // insertion
+            prev[j] + 1, // deletion
+            prev[j - 1] + cost);
+        }
+        // Swap rows
+        for (let j = 0; j <= b.length; j++) {
+            prev[j] = curr[j];
+        }
+    }
+    const distance = prev[b.length];
+    return 1.0 - distance / maxLen;
+}
+/**
+ * Compute Jaccard similarity coefficient over the non-ID field values
+ * of two TestAssertion objects.
+ * Returns 0.0 (no overlap) to 1.0 (identical field values).
+ */
+export function fieldJaccardSimilarity(a, b) {
+    const keysA = Object.keys(a).filter(k => k !== 'id');
+    const keysB = Object.keys(b).filter(k => k !== 'id');
+    const allKeys = new Set([...keysA, ...keysB]);
+    if (allKeys.size === 0)
+        return 1.0; // Both empty — trivially identical
+    let matches = 0;
+    for (const key of allKeys) {
+        const valA = JSON.stringify(a[key]);
+        const valB = JSON.stringify(b[key]);
+        if (valA === valB)
+            matches++;
+    }
+    return matches / allKeys.size;
+}
+/**
+ * Compute composite similarity between two TestAssertions.
+ * Weights: 40% Jaccard field overlap + 60% Levenshtein on description.
+ *
+ * The heavier description weight reflects the observation that operators
+ * typically rename tests when restructuring but preserve the intent —
+ * the description carries the most semantic signal.
+ */
+export function compositeSimilarity(removed, added) {
+    const jaccard = fieldJaccardSimilarity(removed, added);
+    const descSim = levenshteinSimilarity(removed.description || '', added.description || '');
+    return 0.4 * jaccard + 0.6 * descSim;
+}
+/**
+ * Compute field-level changed_keys between two TestAssertions (excluding id).
+ */
+function computeChangedKeys(removed, added) {
+    const allKeys = new Set([
+        ...Object.keys(removed).filter(k => k !== 'id'),
+        ...Object.keys(added).filter(k => k !== 'id'),
+    ]);
+    const changed = [];
+    for (const key of allKeys) {
+        if (JSON.stringify(removed[key]) !== JSON.stringify(added[key])) {
+            changed.push(key);
+        }
+    }
+    changed.sort();
+    return changed;
+}
+// ─── Core Detection ───────────────────────────────────────────────────────────
+/**
+ * Clamp and validate the threshold value.
+ */
+export function clampThreshold(threshold) {
+    return Math.max(MIN_THRESHOLD, Math.min(MAX_THRESHOLD, threshold));
+}
+/**
+ * Detect probable renames between removed and added test assertion sets.
+ *
+ * Uses greedy bipartite matching: compute all pairwise similarity scores,
+ * sort descending, and greedily assign one-to-one matches above threshold.
+ * This is O(n*m) where n=|removed|, m=|added| — acceptable for test suites
+ * which are typically <100 assertions.
+ *
+ * @param added   Tests present locally but not in stored harness
+ * @param removed Tests present in stored harness but not locally
+ * @param threshold Minimum similarity to consider a rename (0.50-0.95)
+ * @returns Detected renames and residual unmatched tests
+ */
+export function detectRenames(added, removed, threshold = DEFAULT_THRESHOLD) {
+    const effectiveThreshold = clampThreshold(threshold);
+    // Edge case: nothing to match
+    if (added.length === 0 || removed.length === 0) {
+        return { renamed: [], residualAdded: [...added], residualRemoved: [...removed] };
+    }
+    const pairs = [];
+    for (let ri = 0; ri < removed.length; ri++) {
+        for (let ai = 0; ai < added.length; ai++) {
+            const sim = compositeSimilarity(removed[ri], added[ai]);
+            if (sim >= effectiveThreshold) {
+                pairs.push({ removedIdx: ri, addedIdx: ai, similarity: sim });
+            }
+        }
+    }
+    // Step 2: Sort descending by similarity (greedy — highest first)
+    pairs.sort((a, b) => b.similarity - a.similarity);
+    // Step 3: Greedy one-to-one matching
+    const matchedRemoved = new Set();
+    const matchedAdded = new Set();
+    const renamed = [];
+    for (const pair of pairs) {
+        if (matchedRemoved.has(pair.removedIdx) || matchedAdded.has(pair.addedIdx)) {
+            continue; // Already matched — skip
+        }
+        matchedRemoved.add(pair.removedIdx);
+        matchedAdded.add(pair.addedIdx);
+        const removedTest = removed[pair.removedIdx];
+        const addedTest = added[pair.addedIdx];
+        renamed.push({
+            removed: removedTest,
+            added: addedTest,
+            similarity: Math.round(pair.similarity * 1000) / 1000, // 3 decimal places
+            changed_keys: computeChangedKeys(removedTest, addedTest),
+        });
+    }
+    // Step 4: Build residuals — unmatched tests stay in added/removed
+    const residualAdded = added.filter((_, i) => !matchedAdded.has(i));
+    const residualRemoved = removed.filter((_, i) => !matchedRemoved.has(i));
+    // Sort renamed by old_id for deterministic output within the heuristic domain
+    renamed.sort((a, b) => a.removed.id.localeCompare(b.removed.id));
+    return { renamed, residualAdded, residualRemoved };
+}

package/dist/verification/runner.js

@@ -1,6 +1,6 @@
 import * as fs from "fs";
 import { getQuickJS } from "quickjs-emscripten";
-import { TestSuiteSchema, } from "./schema.js";
+import { TestSuiteSchema, computeRubricHash, } from "./schema.js";
 import { evaluateSeverityGates, resolveEffectiveSeverity } from "./severityPolicy.js";
 // ─── Utilities ──────────────────────────────────────────────
 /** Deeply match objects (expected ⊆ actual) */
@@ -8,6 +8,10 @@ function deepMatch(actual, expected) {
     if (typeof expected !== 'object' || expected === null) {
         return actual === expected;
     }
+    // H1 fix: Guard against null/undefined/primitive actual before iterating
+    if (typeof actual !== 'object' || actual === null) {
+        return false;
+    }
     for (const key of Object.keys(expected)) {
         if (typeof actual[key] === 'object') {
             if (!deepMatch(actual[key], expected[key]))
@@ -187,6 +191,16 @@ const DEFAULT_CONFIG = {
 };
 // ─── v7.2.0: Enhanced Verification Runner ───────────────────
 export class VerificationRunner {
+    /**
+     * Validates that the provided tests match the expected rubric hash from the harness.
+     * Throws an error if the hash does not match, ensuring test integrity.
+     */
+    static verifyRubricHash(tests, harness) {
+        const computed = computeRubricHash(tests);
+        if (computed !== harness.rubric_hash) {
+            throw new Error(`Rubric hash mismatch. Expected ${harness.rubric_hash}, but computeRubricHash returned ${computed}. The tests have been modified since the harness was created.`);
+        }
+    }
     /**
      * v7.2.0 enhanced suite runner.
      *
@@ -195,16 +209,21 @@ export class VerificationRunner {
      * - Retry logic for transient failures
      * - Dependency chain resolution
      * - Structured VerificationResult with per-layer breakdown
+     * - Rubric hash validation if a harness is provided
      */
     static async runSuite(jsonContent, options) {
         const startTime = Date.now();
         const config = options?.config ?? DEFAULT_CONFIG;
         const filterLayers = options?.layers ?? config.layers;
         const minSeverity = options?.minSeverity;
+        const harness = options?.harness;
         let assertionResults = [];
         try {
             const parsed = JSON.parse(jsonContent);
             const suite = TestSuiteSchema.parse(parsed);
+            if (harness) {
+                VerificationRunner.verifyRubricHash(suite.tests, harness);
+            }
             const { preparedById, orderedIds, precomputed } = prepareAssertions(suite.tests, filterLayers, minSeverity, config);
             const outcomes = new Map();
             const resultById = new Map(precomputed);
@@ -438,11 +457,14 @@ export class VerificationRunner {
                 ops++;
                 return ops > 10000;
             });
-            // v7.2.0 FIX: Properly inject inputs as a JSON string literal,
-            // then JSON.parse inside the VM. The previous approach broke on
-            // object/array inputs due to unquoted interpolation.
+            // C3 fix: Use vm.newString() + vm.setProp() to safely pass JSON
+            // into the VM without any string escaping. This prevents injection
+            // attacks from crafted input values containing quotes or backslashes.
             const inputsJson = JSON.stringify(inputs);
-            const parseResult = vm.evalCode(`JSON.parse('${inputsJson.replace(/\\/g, '\\\\').replace(/'/g, "\\'")}')`);
+            const inputsJsonHandle = vm.newString(inputsJson);
+            vm.setProp(vm.global, "__inputsJson", inputsJsonHandle);
+            inputsJsonHandle.dispose();
+            const parseResult = vm.evalCode(`JSON.parse(__inputsJson)`);
             if (parseResult.error) {
                 const err = vm.dump(parseResult.error);
                 parseResult.error.dispose();

package/dist/verification/schema.js

@@ -1,4 +1,5 @@
 import { z } from "zod";
+import { createHash } from "crypto";
 // ─── v7.2.0: Severity Levels ────────────────────────────────
 //  warn  → log and continue
 //  gate  → block progression until resolved
@@ -44,3 +45,20 @@ export const TestAssertionSchema = z.object({
 export const TestSuiteSchema = z.object({
     tests: z.array(TestAssertionSchema)
 });
+// ─── v7.2.0: Rubric Hash Utility ─────────────────────────────
+/**
+ * Compute a deterministic SHA-256 hash over the test assertions.
+ *
+ * Sorts by `id` before hashing so that insertion order does NOT affect
+ * the result. This ensures the hash is stable across environments
+ * even when tests are stored in different orders.
+ *
+ * @param tests - The array of TestAssertion to hash
+ * @returns Lowercase hex SHA-256 digest
+ */
+export function computeRubricHash(tests) {
+    const sorted = [...tests].sort((a, b) => a.id.localeCompare(b.id));
+    return createHash("sha256")
+        .update(JSON.stringify(sorted))
+        .digest("hex");
+}

package/dist/verification/severityPolicy.js

@@ -17,7 +17,11 @@ function severityRank(s) {
         case "warn": return 0;
         case "gate": return 1;
         case "abort": return 2;
-        default: return 0;
+        default: {
+            // M4 fix: Exhaustive check — future SeverityLevel additions will cause a compile error
+            const _exhaustive = s;
+            return _exhaustive;
+        }
     }
 }
 /**

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "prism-mcp-server",
-  "version": "7.3.1",
+  "version": "7.3.3",
   "mcpName": "io.github.dcostenco/prism-mcp",
   "description": "The Mind Palace for AI Agents — fail-closed Dark Factory autonomous pipelines (3-gate parse→type→scope validation), persistent memory (SQLite/Supabase), ACT-R cognitive retrieval, behavioral learning & IDE rules sync, multi-agent Hivemind, time travel, visual dashboard. Zero-config local mode.",
   "module": "index.ts",
   "type": "module",
   "main": "dist/server.js",
   "bin": {
+    "prism": "dist/cli.js",
     "prism-mcp-server": "dist/server.js",
     "prism-import": "dist/utils/universalImporter.js"
   },
@@ -15,6 +16,7 @@
   ],
   "scripts": {
     "build": "tsc",
+    "lint:dashboard": "node scripts/lint-dashboard-es5.cjs",
     "start": "node dist/server.js",
     "test": "vitest run",
     "test:watch": "vitest",
@@ -107,6 +109,7 @@
     "@supabase/supabase-js": "^2.99.3",
     "@tavily/core": "^0.6.0",
     "cheerio": "^1.2.0",
+    "commander": "^14.0.3",
     "dotenv": "^16.5.0",
     "fflate": "^0.8.2",
     "jsdom": "^29.0.1",