rebar-mcp 2.4.4 → 2.6.0

package/.claude/skills/bmn1us0t4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/SKILL.md

@@ -0,0 +1,21 @@
+---
+name: bmn1us0t4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+description: A test skill
+invocation: undefined
+context: undefined
+---
+
+# bmn1us0t4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+A test skill
+
+## Instructions
+
+<!-- Replace this with your skill instructions.
+Good skill instructions:
+1. Define the agent's role clearly
+2. Specify the exact output format
+3. List what to check/do step by step
+4. Include examples of good output
+-->
+

package/.claude/skills/bmn1uzlg2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/SKILL.md

@@ -0,0 +1,21 @@
+---
+name: bmn1uzlg2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+description: A test skill
+invocation: undefined
+context: undefined
+---
+
+# bmn1uzlg2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+A test skill
+
+## Instructions
+
+<!-- Replace this with your skill instructions.
+Good skill instructions:
+1. Define the agent's role clearly
+2. Specify the exact output format
+3. List what to check/do step by step
+4. Include examples of good output
+-->
+

package/.claude/skills/bnd-mn1us0t9/SKILL.md

@@ -0,0 +1,21 @@
+---
+name: bnd-mn1us0t9
+description: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+invocation: undefined
+context: undefined
+---
+
+# bnd-mn1us0t9
+
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+
+## Instructions
+
+<!-- Replace this with your skill instructions.
+Good skill instructions:
+1. Define the agent's role clearly
+2. Specify the exact output format
+3. List what to check/do step by step
+4. Include examples of good output
+-->
+

package/.claude/skills/bnd-mn1uzlg6/SKILL.md

@@ -0,0 +1,21 @@
+---
+name: bnd-mn1uzlg6
+description: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+invocation: undefined
+context: undefined
+---
+
+# bnd-mn1uzlg6
+
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+
+## Instructions
+
+<!-- Replace this with your skill instructions.
+Good skill instructions:
+1. Define the agent's role clearly
+2. Specify the exact output format
+3. List what to check/do step by step
+4. Include examples of good output
+-->
+

package/.claude/skills/nl-mn1us0tj/SKILL.md

@@ -0,0 +1,25 @@
+---
+name: nl-mn1us0tj
+description: Line one
+Line two
+Line three
+invocation: undefined
+context: undefined
+---
+
+# nl-mn1us0tj
+
+Line one
+Line two
+Line three
+
+## Instructions
+
+<!-- Replace this with your skill instructions.
+Good skill instructions:
+1. Define the agent's role clearly
+2. Specify the exact output format
+3. List what to check/do step by step
+4. Include examples of good output
+-->
+

package/.claude/skills/nl-mn1uzlgf/SKILL.md

@@ -0,0 +1,25 @@
+---
+name: nl-mn1uzlgf
+description: Line one
+Line two
+Line three
+invocation: undefined
+context: undefined
+---
+
+# nl-mn1uzlgf
+
+Line one
+Line two
+Line three
+
+## Instructions
+
+<!-- Replace this with your skill instructions.
+Good skill instructions:
+1. Define the agent's role clearly
+2. Specify the exact output format
+3. List what to check/do step by step
+4. Include examples of good output
+-->
+

package/.rebar/decisions/2026-03-22/001_write__app_api_test_route.ts.json

@@ -0,0 +1,32 @@
+{
+  "id": "prereview_2026-03-22_001",
+  "timestamp": "2026-03-22T14:23:12.892Z",
+  "operation": "write",
+  "target": "/app/api/test/route.ts",
+  "decision": "block",
+  "severity": "critical",
+  "tier": "pro",
+  "engine": "local",
+  "latencyMs": 2,
+  "patterns": [
+    {
+      "id": "unvalidated-insert",
+      "name": "Unvalidated Database Insert",
+      "severity": "critical",
+      "message": "Database insert with unvalidated input - validate with Zod before inserting"
+    },
+    {
+      "id": "unvalidated-request-body",
+      "name": "Unvalidated Request Body",
+      "severity": "warning",
+      "message": "Request body parsed without Zod validation"
+    },
+    {
+      "id": "api-missing-auth",
+      "name": "API Route Missing Auth",
+      "severity": "warning",
+      "message": "API route without visible authentication check"
+    }
+  ],
+  "reasoning": "1 critical issue(s): Unvalidated Database Insert; 2 warning(s): Unvalidated Request Body, API Route Missing Auth"
+}

package/.rebar/decisions/2026-03-22/002_write__app_api_test_route.ts.json

@@ -0,0 +1,26 @@
+{
+  "id": "prereview_2026-03-22_002",
+  "timestamp": "2026-03-22T14:23:33.241Z",
+  "operation": "write",
+  "target": "/app/api/test/route.ts",
+  "decision": "warn",
+  "severity": "warning",
+  "tier": "pro",
+  "engine": "local",
+  "latencyMs": 1,
+  "patterns": [
+    {
+      "id": "error-message-exposed",
+      "name": "Error Message Exposed",
+      "severity": "warning",
+      "message": "Raw error.message returned to client - may leak internal details"
+    },
+    {
+      "id": "phi-console-error",
+      "name": "PHI Risk: Console Error Object",
+      "severity": "warning",
+      "message": "Console output with error object may leak PHI/PII in logs"
+    }
+  ],
+  "reasoning": "2 warning(s): Error Message Exposed, PHI Risk: Console Error Object"
+}

package/.rebar/decisions/2026-03-22/003_write__lib_db.ts.json

@@ -0,0 +1,26 @@
+{
+  "id": "prereview_2026-03-22_003",
+  "timestamp": "2026-03-22T14:25:40.291Z",
+  "operation": "write",
+  "target": "/lib/db.ts",
+  "decision": "block",
+  "severity": "critical",
+  "tier": "pro",
+  "engine": "local",
+  "latencyMs": 1,
+  "patterns": [
+    {
+      "id": "sql-injection",
+      "name": "SQL Injection Risk",
+      "severity": "critical",
+      "message": "Potential SQL injection via template literal"
+    },
+    {
+      "id": "sql-injection-where",
+      "name": "SQL Injection: WHERE Clause",
+      "severity": "critical",
+      "message": "SQL injection via string interpolation in WHERE clause"
+    }
+  ],
+  "reasoning": "2 critical issue(s): SQL Injection Risk, SQL Injection: WHERE Clause"
+}

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAk2CA,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA6J5D"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAykDA,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAqK5D"}

package/dist/cli.js

@@ -21,12 +21,13 @@ import { generateCodexConfig } from "./services/codex-generator.js";
 import { atomicWrite } from "./services/file-ops.js";
 import { createInterface } from "node:readline";
 import { CONTEXT_WINDOW_TOKENS } from "./constants.js";
-import { runPrereview, loadPrereviewConfig, } from "./services/prereview-engine.js";
+import { runPrereview, loadPrereviewConfig, PREREVIEW_PATTERNS, } from "./services/prereview-engine.js";
 import { runHybridPrereview } from "./services/prereview-llm.js";
 import { loadLicense, loadUsage, canUseLLMReview } from "./services/license.js";
 import { loadMemory, clearMemory, learnFromHistory, exportMemorySummary, } from "./services/prereview-memory.js";
 import { analyzeDecisionHistory, formatAnalyticsReport, exportAnalyticsJSON, generateBlockRateChart, } from "./services/prereview-analytics.js";
-const VERSION = "2.4.4";
+import { COMMAND_COMMIT_PUSH_PR, COMMAND_SIMPLIFY, COMMAND_VERIFY, COMMAND_REVIEW_PLAN, COMMAND_FIX_TESTS, COMMAND_UPDATE_DOCS, AGENT_CODE_SIMPLIFIER, AGENT_VERIFIER, AGENT_EXPLAIN, AGENT_SECURITY_REVIEWER, AGENT_TEST_WRITER, getPostToolUseFormatHook, SAFE_BASH_PERMISSIONS, } from "./services/workflow-templates.js";
+const VERSION = "2.6.0";
 /**
  * Read stdin if available (non-blocking check)
  * Returns the parsed JSON if it's a valid hook input, null otherwise
@@ -1122,6 +1123,196 @@ async function cmdWhy(_options, category) {
     console.log();
     return 0;
 }
+async function cmdPatterns(_options, filter) {
+    // Group patterns by category
+    const categories = {
+        "Security - Secrets": PREREVIEW_PATTERNS.filter(p => p.id.startsWith("secret")),
+        "Security - Dangerous Commands": PREREVIEW_PATTERNS.filter(p => p.id.startsWith("danger")),
+        "Security - Injection": PREREVIEW_PATTERNS.filter(p => p.id.includes("injection") || p.id.includes("sql")),
+        "Input Validation": PREREVIEW_PATTERNS.filter(p => p.id.includes("unvalidated") || p.id.includes("request-body")),
+        "PHI/PII Protection": PREREVIEW_PATTERNS.filter(p => p.id.includes("phi") || p.id.includes("unencrypted")),
+        "API Security": PREREVIEW_PATTERNS.filter(p => p.id.includes("auth") || p.id.includes("rate") || p.id.includes("cors") || p.id.includes("cron")),
+        "Error Handling": PREREVIEW_PATTERNS.filter(p => p.id.includes("error") || p.id.includes("catch") || p.id.includes("swallowed")),
+        "Code Quality": PREREVIEW_PATTERNS.filter(p => p.id.includes("any") || p.id.includes("console") || p.id.includes("todo") || p.id.includes("large")),
+        "Supabase/Database": PREREVIEW_PATTERNS.filter(p => p.id.includes("supabase") || p.id.includes("service-role") || p.id.includes("user-filter")),
+        "AI/Agent Security": PREREVIEW_PATTERNS.filter(p => p.id.includes("prompt") || p.id.includes("memory-injection")),
+        "Framework Patterns": PREREVIEW_PATTERNS.filter(p => p.id.includes("nextjs") || p.id.includes("client-fetch")),
+        "Configuration": PREREVIEW_PATTERNS.filter(p => p.id.includes("hardcoded") || p.id.includes("token")),
+    };
+    // Remove empty categories and patterns that are already categorized
+    const categorizedIds = new Set(Object.values(categories).flat().map(p => p.id));
+    const uncategorized = PREREVIEW_PATTERNS.filter(p => !categorizedIds.has(p.id));
+    if (uncategorized.length > 0) {
+        categories["Other"] = uncategorized;
+    }
+    // Filter by search term if provided
+    const searchTerm = filter?.toLowerCase();
+    console.log("Rebar Enterprise Patterns");
+    console.log("=========================");
+    console.log();
+    let totalShown = 0;
+    let totalBlocking = 0;
+    for (const [category, patterns] of Object.entries(categories)) {
+        const filteredPatterns = searchTerm
+            ? patterns.filter(p => p.name.toLowerCase().includes(searchTerm) ||
+                p.id.toLowerCase().includes(searchTerm) ||
+                p.message.toLowerCase().includes(searchTerm))
+            : patterns;
+        if (filteredPatterns.length === 0)
+            continue;
+        console.log(`\n${category} (${filteredPatterns.length} patterns)`);
+        console.log("-".repeat(category.length + 15));
+        for (const p of filteredPatterns) {
+            const severityIcon = p.severity === "critical" ? "🔴" : p.severity === "warning" ? "🟡" : "🔵";
+            const minLevel = p.minStrictness === "standard" ? "" : ` [${p.minStrictness}+]`;
+            console.log(`  ${severityIcon} ${p.name}${minLevel}`);
+            console.log(`     ${p.message}`);
+            if (p.suggestion) {
+                console.log(`     → ${p.suggestion}`);
+            }
+            if (p.filePatterns && p.filePatterns.length > 0) {
+                console.log(`     Files: ${p.filePatterns.join(", ")}`);
+            }
+            totalShown++;
+            if (p.severity === "critical")
+                totalBlocking++;
+        }
+    }
+    console.log();
+    console.log(`Total: ${totalShown} patterns (${totalBlocking} blocking)`);
+    console.log();
+    console.log("Strictness levels:");
+    console.log("  standard - All critical patterns enforced");
+    console.log("  strict   - Critical + warning patterns enforced");
+    console.log("  paranoid - All patterns enforced, warnings become blocks");
+    return 0;
+}
+async function cmdSetupWorkflow(options) {
+    const projectPath = resolveProjectPath(options.path);
+    console.log("Setting up enterprise workflow (Boris pattern)...");
+    console.log();
+    try {
+        // Analyze project
+        const analysis = await analyzeProject(projectPath);
+        // Create .claude directories
+        const claudeDir = path.join(projectPath, ".claude");
+        const commandsDir = path.join(claudeDir, "commands");
+        const agentsDir = path.join(claudeDir, "agents");
+        await fs.mkdir(commandsDir, { recursive: true });
+        await fs.mkdir(agentsDir, { recursive: true });
+        // Write slash commands
+        const commands = [
+            { name: "commit-push-pr.md", content: COMMAND_COMMIT_PUSH_PR },
+            { name: "simplify.md", content: COMMAND_SIMPLIFY },
+            { name: "verify.md", content: COMMAND_VERIFY },
+            { name: "review-plan.md", content: COMMAND_REVIEW_PLAN },
+            { name: "fix-tests.md", content: COMMAND_FIX_TESTS },
+            { name: "update-docs.md", content: COMMAND_UPDATE_DOCS },
+        ];
+        for (const cmd of commands) {
+            await atomicWrite(path.join(commandsDir, cmd.name), cmd.content);
+        }
+        console.log(`✓ Created ${commands.length} slash commands in .claude/commands/`);
+        for (const cmd of commands) {
+            console.log(`    /${cmd.name.replace(".md", "")}`);
+        }
+        // Write subagents
+        const agents = [
+            { name: "code-simplifier.md", content: AGENT_CODE_SIMPLIFIER },
+            { name: "verifier.md", content: AGENT_VERIFIER },
+            { name: "explain.md", content: AGENT_EXPLAIN },
+            { name: "security-reviewer.md", content: AGENT_SECURITY_REVIEWER },
+            { name: "test-writer.md", content: AGENT_TEST_WRITER },
+        ];
+        for (const agent of agents) {
+            await atomicWrite(path.join(agentsDir, agent.name), agent.content);
+        }
+        console.log(`✓ Created ${agents.length} subagents in .claude/agents/`);
+        // Update settings.json with PostToolUse hook and permissions
+        const settingsPath = path.join(claudeDir, "settings.json");
+        let settings = {};
+        const existingSettings = await readFileSafe(settingsPath);
+        if (existingSettings) {
+            try {
+                settings = JSON.parse(existingSettings);
+            }
+            catch {
+                // Start fresh
+            }
+        }
+        // Add PostToolUse formatting hook if formatter detected
+        const formatHook = getPostToolUseFormatHook(analysis.formatter);
+        if (formatHook) {
+            if (!settings.hooks)
+                settings.hooks = {};
+            const hooks = settings.hooks;
+            if (!hooks.PostToolCall)
+                hooks.PostToolCall = [];
+            const postHooks = hooks.PostToolCall;
+            // Check if format hook already exists
+            const hasFormatHook = postHooks.some((h) => {
+                const hooksArr = h.hooks;
+                return hooksArr?.some((hook) => hook.command?.toString().includes("prettier") ||
+                    hook.command?.toString().includes("biome") ||
+                    hook.command?.toString().includes("black") ||
+                    hook.command?.toString().includes("gofmt"));
+            });
+            if (!hasFormatHook) {
+                postHooks.push({
+                    matcher: formatHook.matcher,
+                    hooks: [
+                        {
+                            type: "command",
+                            command: formatHook.command,
+                        },
+                    ],
+                });
+                console.log(`✓ Added PostToolCall formatting hook (${analysis.formatter})`);
+            }
+        }
+        else {
+            console.log("⚠ No formatter detected — add PostToolCall hook manually");
+        }
+        // Add safe bash permissions
+        if (!settings.permissions)
+            settings.permissions = {};
+        const perms = settings.permissions;
+        const existingAllow = perms.allow || [];
+        const newPerms = SAFE_BASH_PERMISSIONS.filter((p) => !existingAllow.includes(p));
+        perms.allow = [...existingAllow, ...newPerms];
+        console.log(`✓ Added ${newPerms.length} safe bash permissions`);
+        // Write updated settings
+        await atomicWrite(settingsPath, JSON.stringify(settings, null, 2));
+        console.log();
+        console.log("Enterprise workflow setup complete!");
+        console.log();
+        console.log("Available commands:");
+        console.log("  /commit-push-pr   Stage, commit, push, and create PR");
+        console.log("  /simplify         Simplify recently changed code");
+        console.log("  /verify           Run full verification suite");
+        console.log("  /review-plan      Create implementation plan before coding");
+        console.log("  /fix-tests        Find and fix failing tests");
+        console.log("  /update-docs      Update CLAUDE.md with learnings");
+        console.log();
+        console.log("Available agents (invoke with Task tool):");
+        console.log("  code-simplifier   Reduce complexity without changing behavior");
+        console.log("  verifier          End-to-end verification");
+        console.log("  explain           Generate plain-English documentation");
+        console.log("  security-reviewer Review code for vulnerabilities");
+        console.log("  test-writer       Generate comprehensive tests");
+        console.log();
+        console.log("Workflow tips:");
+        console.log("  • Run /verify after every implementation");
+        console.log("  • Run /simplify before committing");
+        console.log("  • Use /review-plan for non-trivial tasks");
+        console.log("  • Update CLAUDE.md when mistakes happen");
+        return 0;
+    }
+    catch (err) {
+        console.error(`Error: ${err instanceof Error ? err.message : String(err)}`);
+        return 1;
+    }
+}
 async function cmdEnablePrereview(options) {
     const projectPath = resolveProjectPath(options.path);
     console.log("Enabling pre-review hooks...");
@@ -1201,12 +1392,16 @@ export async function runCLI(args) {
             return cmdInit(options);
         case "enable-prereview":
             return cmdEnablePrereview(options);
+        case "setup-workflow":
+            return cmdSetupWorkflow(options);
         case "doctor":
             return cmdDoctor(options);
         case "audit":
             return cmdAudit(options);
         case "why":
             return cmdWhy(options, positional[0] || "");
+        case "patterns":
+            return cmdPatterns(options, positional[0]);
         case "set-strictness":
             if (positional.length === 0) {
                 console.error("Usage: rebar set-strictness <standard|strict|paranoid>");
@@ -1285,9 +1480,11 @@ export async function runCLI(args) {
 
 Usage:
   rebar init [options]          Initialize Rebar enforcement in a project
+  rebar setup-workflow          Install enterprise workflow (commands, agents, hooks)
   rebar enable-prereview        Enable pre-review hooks (secret detection, etc.)
   rebar audit [options]         Run quality audit (exit 1 if below threshold)
   rebar why <category>          Explain what's being scored and why
+  rebar patterns [filter]       List all enterprise enforcement patterns
   rebar doctor [options]        Check Rebar setup health
   rebar set-strictness <level>  Change enforcement strictness
   rebar metrics [options]       View quality score history